New System – control weaknesses

It is always important to test controls when systems and/or processes change.  Sometimes a current process may have adequate controls, but the new process may not be as secure.

Equipment Serial Numbers

A large company with several plants purchased expensive, highly specialized, equipment for use in its manufacturing plants.  A central purchasing organization made all the purchases and the inventory held until required by a plant.  The inventory manager was understandable proud of the inventory system; having recently implemented just-in-time inventory practices while maintaining a quick response time to orders from plant managers. This meant that expensive equipment was only purchased if, and when, required.  The new inventory practices were saving the company millions of dollars every year.  However, he had heard a few rumblings about inventory theft, and although he was not personally aware of any problems, he asked audit to take at look at the issue.

The audit teams conducted a thorough review of the controls and only found one area of concern – when items were shipped to the plants, they were automatically removed from the electronic inventory system.  The receiving plant manager did not have to send any proof of receipt, so there was no sure way of knowing if the item had reached its proper destination.  The inventory manager countered that if someone had ordered an item and did not receive it, he would certainly hear about it.  He even produced a few emails where the recipient had questioned the status of deliveries that were only a day late.  The audit team leader smiled as said, ‘what if they were not expecting a delivery?’.

The audit team requested a copy of all high dollar equipment that had been purchased in the last year; this included all equipment that had been shipped to the plants.  The data was sorted and a check for duplicate serial numbers performed.  The results revealed that 53 expensive items, used in the manufacturing process, had duplicate serial numbers.  The company had purchased hundreds of thousands of dollars worth of equipment – twice; and in each case, the shipping agent was the same person.

The auditors, with the help of the inventory manager, set out to catch the thief.  They noted that while all equipment had been shipped to various manufacturing plants, none of the managers at the plants had placed an order for, or received the equipment.  The next time the clerk in question prepared a shipment for delivery for which the receiving plant manager had not placed an order, audit arranged for a private security company to follow the truck.  Instead of delivering the equipment to the plant specified on the shipping receipt, the equipment was delivered to a warehouse in the city.  Two days later, the inventory manager asked the clerk to place an order for the same model equipment. The security personnel followed the truck as it delivered the same equipment back to the company warehouse.

In the weeks that followed, audit was able to prove that the clerk was placing false orders for equipment, charging the inventory to phony projects.  The equipment was delivered to a warehouse and held until a purchase order was placed for the same item.  The clerk would then arrange for the equipment to be shipped to the company – selling the company back its own inventory.  The serial number had not been changed, so it would have been identified as a duplicate if the equipment had not been removed from the inventory system when it was shipped the first time.

As a result of the investigation, the clerk was fired and the serial numbers of all new equipment were compared to those of equipment that had previously been in the inventory system.  Controls were put into effect to ensure that equipment was shipped to, and received by, project managers.


Year 15 – 2002 – Part 2 – IT Audit

Second part of article on making IT Audits more effective and value-added ….

The next area that will need to be address by CAEs is ensuring that risk-based audit plans are relevant and that selected audits provide maximum value to senior management.  Today’s business environment changes rapidly to adjust to market conditions, evolving legislation and economic forces; and the risk-based audit plan must keep pace with this rapid change if it is to properly identify and assess emerging risks that can impact the achievement of business objectives.

ISACA standards state that appropriate risk assessments approach should be used when developing the overall IS audit plan.  Risk should also guide IT auditors in determining priorities for the allocation of resources to provide assurance regarding the state of the IT control processes.  This means that risk should drive the IT audit plan and the focus of IT audit resources.  IT audit should use a top-down approach that starts with the identification of the business objectives.  The next step should be the identification of the key controls required, in both the application system and the business process, to provide assurance for the business objectives.  Finally, IT audit should identify the applications where the IT controls need to be tested in order to focus IT audit effort where it is needed most.

IT audit plans also need to lay the groundwork for integrating IT audit expertise within non-IT auditor to ensure that the risks associated with the IT systems are considered when assessing the overall risk in a business process.  Conversely, you should also be looking at the risks in the business processes and determining the IT controls that are mitigating these risks.

Continue reading Year 15 – 2002 – Part 2 – IT Audit

Year 15 – 2002 – Part 1 – IT Audit

Many audit shops rely on IT auditors to support their use of data analytics; however, the IT audits typically focus on general and application controls.  Around this time I wrote an article for the EDPACS magazine which encouraged IT auditors to look beyond the black box – to look at how IT supports, drives, and impact business processes.  I have included below.

IT Auditors need to come out of the black box

Are you an IT auditor who takes comfort in your specialized knowledge and feels secure in assessing general and application controls – but does no more?  Then you need to wake-up to today’s business environment and step out of your comfort zone.  You also will probably need to pull the general auditor away from the safety of pure compliance audits.  The notion of the integrated auditor was usually applied to the need for the general auditor to increase his/her knowledge of IT.  Alternatively, general audit teams were encouraged to include an IT auditor to assess the IT controls.  It was a one-way street that added IT expertise to the operational audit program.

Today, we are going through yet another time of economic and organizational upheaval.  IT auditors need to look at how they are contributing to the organization’s flexibility and sustainability.  They need to ensure that information systems supporting business processes are not obstructing the very improvements in operations that they are supposed to achieve.  IT auditors need to better understand the operations of the organization and how IT contributes to their effectiveness and efficiency.

As IT becomes more and more integrated with business operations, the role of IT audit is changing, moving beyond the black box, to a role that is tied directly to the achievement of business objectives.   Business processes rely on automated systems for controls and to support efficient and effective processes.  As a result, IT risks are a part of, not separate from, business risks.  In the current market conditions, marked by rapidly changing risks and tough economic conditions, testing of IT controls by IT auditors and compliance testing by general auditors cannot separately address risks and opportunities resulting from the integration of complex technology into multiple business processes.

Continue reading Year 15 – 2002 – Part 1 – IT Audit