New System – control weaknesses

It is always important to test controls when systems and/or processes change.  Sometimes a current process may have adequate controls, but the new process may not be as secure.

Equipment Serial Numbers

A large company with several plants purchased expensive, highly specialized equipment for use in its manufacturing plants.  A central purchasing organization made all the purchases, and the inventory was held until required by a plant.  The inventory manager was understandably proud of the inventory system, having recently implemented just-in-time inventory practices while maintaining a quick response time to orders from plant managers.  This meant that expensive equipment was only purchased if, and when, required.  The new inventory practices were saving the company millions of dollars every year.  However, he had heard a few rumblings about inventory theft, and although he was not personally aware of any problems, he asked audit to take a look at the issue.

The audit team conducted a thorough review of the controls and found only one area of concern – when items were shipped to the plants, they were automatically removed from the electronic inventory system.  The receiving plant manager did not have to send any proof of receipt, so there was no sure way of knowing whether the item had reached its proper destination.  The inventory manager countered that if someone had ordered an item and did not receive it, he would certainly hear about it.  He even produced a few emails in which the recipient had questioned the status of deliveries that were only a day late.  The audit team leader smiled as he said, ‘What if they were not expecting a delivery?’

The audit team requested a list of all high-dollar equipment that had been purchased in the last year; this included all equipment that had been shipped to the plants.  The data was sorted and a check for duplicate serial numbers performed.  The results revealed that 53 expensive items, used in the manufacturing process, had duplicate serial numbers.  The company had purchased hundreds of thousands of dollars’ worth of equipment – twice; and in each case, the shipping agent was the same person.

The auditors, with the help of the inventory manager, set out to catch the thief.  They noted that while all equipment had been shipped to various manufacturing plants, none of the managers at the plants had placed an order for, or received the equipment.  The next time the clerk in question prepared a shipment for delivery for which the receiving plant manager had not placed an order, audit arranged for a private security company to follow the truck.  Instead of delivering the equipment to the plant specified on the shipping receipt, the equipment was delivered to a warehouse in the city.  Two days later, the inventory manager asked the clerk to place an order for the same model equipment. The security personnel followed the truck as it delivered the same equipment back to the company warehouse.

In the weeks that followed, audit was able to prove that the clerk was placing false orders for equipment, charging the inventory to phony projects.  The equipment was delivered to a warehouse and held until a purchase order was placed for the same item.  The clerk would then arrange for the equipment to be shipped to the company – selling the company back its own inventory.  The serial number had not been changed, so it would have been identified as a duplicate if the equipment had not been removed from the inventory system when it was shipped the first time.

As a result of the investigation, the clerk was fired and the serial numbers of all new equipment were compared to those of equipment that had previously been in the inventory system.  Controls were put into effect to ensure that equipment was shipped to, and received by, project managers.

ACL Commands: FILTER, SORT, RELATE
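The duplicate-serial check described above, as an added Python example rather than the author's ACL script: the purchase and shipment records are constructed sample data, and the three functions stand in for FILTER, SORT and RELATE.

```python
from collections import defaultdict

# Constructed sample data, not the company's records. A purchase row is one item bought
# by central purchasing; a shipment row records the item leaving central inventory (the
# moment it dropped out of the inventory system) and the shipping agent who prepared it.
PURCHASES = [
    {"po": "PO-1001", "serial": "SN-77A1", "amount": 48000, "date": "2002-03-04"},
    {"po": "PO-1042", "serial": "SN-77A1", "amount": 48000, "date": "2002-09-11"},
    {"po": "PO-1007", "serial": "SN-12B9", "amount": 61500, "date": "2002-03-20"},
    {"po": "PO-1063", "serial": "SN-12B9", "amount": 61500, "date": "2002-11-02"},
    {"po": "PO-1015", "serial": "SN-30C4", "amount": 52000, "date": "2002-05-08"},
    {"po": "PO-1020", "serial": "SN-90D0", "amount": 900, "date": "2002-05-09"},
    {"po": "PO-1051", "serial": "SN-90D0", "amount": 900, "date": "2002-10-14"},
]
SHIPMENTS = [
    {"serial": "SN-77A1", "date": "2002-04-02", "plant": "Plant 3", "agent": "clerk-17"},
    {"serial": "SN-77A1", "date": "2002-09-15", "plant": "Plant 1", "agent": "clerk-17"},
    {"serial": "SN-12B9", "date": "2002-04-10", "plant": "Plant 2", "agent": "clerk-17"},
    {"serial": "SN-12B9", "date": "2002-11-05", "plant": "Plant 3", "agent": "clerk-17"},
    {"serial": "SN-30C4", "date": "2002-05-20", "plant": "Plant 1", "agent": "clerk-04"},
]

def duplicate_serials(purchases, min_amount):
    """FILTER to high-dollar items, SORT by serial, keep serials bought more than once."""
    by_serial = defaultdict(list)
    for row in sorted(purchases, key=lambda r: (r["serial"], r["date"])):
        if row["amount"] >= min_amount:
            by_serial[row["serial"]].append(row)
    return {s: rows for s, rows in by_serial.items() if len(rows) > 1}

def relate_shipments(dups, shipments):
    """RELATE each duplicate serial to its shipments: who shipped it, where, what the repeat buys cost."""
    findings = {}
    for serial, rows in dups.items():
        ships = [s for s in shipments if s["serial"] == serial]
        findings[serial] = {
            "purchases": [r["po"] for r in rows],
            "overpaid": sum(r["amount"] for r in rows[1:]),  # every purchase after the first
            "agents": sorted({s["agent"] for s in ships}),
            "plants": [s["plant"] for s in ships],
        }
    return findings

def agent_concentration(findings):
    """How many duplicate serials each shipping agent handled; one name on all of them is the red flag."""
    counts = defaultdict(int)
    for f in findings.values():
        for agent in f["agents"]:
            counts[agent] += 1
    return dict(counts)
```

Note that the low-value SN-90D0 pair is dropped by the filter, so the threshold decides what the duplicate check can see.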

Year 16 – 2003 – Recruitment Process

People, even those who perform analytics, often think that data analysis can only be applied to financial-type audits.  I have tried to highlight other types of audits where analytics played a significant role, including transportation, inventory, and hazardous materials (environmental).  In that vein, I offer you an analysis that was part of an HR recruitment audit.

The organization was an international/national police force.  Like many police forces, it needed a fairly continuous flow of recruits.  The problem with this agency was that the recruitment process – which leads to a six-month training program – was overly long.  In fact, it took 18-22 months from the time a potential recruit entered the process until they were offered a place in the training program.  During this time they were not paid, and, as a result, many suitable recruits exited the recruitment process because they found other jobs.

Working with the HR section, the auditors determined that there were 36 separate steps in the recruitment process.  Some were fairly minor – like completing an application form – while others were more time consuming – like the security clearance process.  I was able to obtain the recruitment data for the past 3 years.  The data contained the start and end date of each step for each recruit.  In reviewing the recruitment data I was able to determine that the steps were done in series – not in parallel.  This meant that before a recruit could enter step “n”, step “n-1” had to be completed.  Our first recommendation was to change the process to permit steps to be done in parallel.  For example, rather than waiting for the results of the written test (which could take up to two weeks), recruits could start on the physical test phase.


Year 16 – 2003 – Accounts Receivable

It was almost becoming routine – get data, perform analysis, identify significant results, make recommendations and, often, transfer the analysis jobs to management for continuous monitoring.  This doesn’t mean that there were no problems: obtaining the data, persuading audit teams to use analysis, and sometimes convincing management to address the control problems.  It was a challenge and it kept the job interesting.

I was also performing consulting from time to time.  This year I was asked to assist an audit team in a retail company with branches across the country.  The company was having cash flow problems, and the Vice President of Finance had questions about the efficiency of the accounts receivable department.  I explained that an aging of the A/R transactions in ACL would quickly identify all invoices that were past the due date by 30, 60, 90 days, or any cut-off point he chose to specify.  We performed that analysis and confirmed the Vice President’s concerns, but the team leader decided to take the analysis a step further and calculate the average time each account was past due for each branch office.  Again, this was easy to do using the break field on the AGE command.  In addition, he calculated the carrying cost associated with borrowing money to finance the shortfall in revenues.


Year 15 – 2002 – Part 2 – IT Audit

Second part of the article on making IT audits more effective and value-added.

The next area that will need to be addressed by CAEs is ensuring that risk-based audit plans are relevant and that selected audits provide maximum value to senior management.  Today’s business environment changes rapidly to adjust to market conditions, evolving legislation and economic forces; and the risk-based audit plan must keep pace with this rapid change if it is to properly identify and assess emerging risks that can impact the achievement of business objectives.

ISACA standards state that an appropriate risk assessment approach should be used when developing the overall IS audit plan.  Risk should also guide IT auditors in determining priorities for the allocation of resources to provide assurance regarding the state of the IT control processes.  This means that risk should drive the IT audit plan and the focus of IT audit resources.  IT audit should use a top-down approach that starts with the identification of the business objectives.  The next step should be the identification of the key controls required, in both the application system and the business process, to provide assurance for the business objectives.  Finally, IT audit should identify the applications where the IT controls need to be tested in order to focus IT audit effort where it is needed most.

IT audit plans also need to lay the groundwork for integrating IT audit expertise within non-IT audits to ensure that the risks associated with the IT systems are considered when assessing the overall risk in a business process.  Conversely, you should also be looking at the risks in the business processes and determining the IT controls that are mitigating these risks.


Year 15 – 2002 – Part 1 – IT Audit

Many audit shops rely on IT auditors to support their use of data analytics; however, IT audits typically focus on general and application controls.  Around this time I wrote an article for the EDPACS magazine which encouraged IT auditors to look beyond the black box – to look at how IT supports, drives, and impacts business processes.  I have included it below.

IT Auditors need to come out of the black box

Are you an IT auditor who takes comfort in your specialized knowledge and feels secure in assessing general and application controls – but does no more?  Then you need to wake up to today’s business environment and step out of your comfort zone.  You will also probably need to pull the general auditor away from the safety of pure compliance audits.  The notion of the integrated auditor was usually applied to the need for the general auditor to increase his/her knowledge of IT.  Alternatively, general audit teams were encouraged to include an IT auditor to assess the IT controls.  It was a one-way street that added IT expertise to the operational audit program.

Today, we are going through yet another time of economic and organizational upheaval.  IT auditors need to look at how they are contributing to the organization’s flexibility and sustainability.  They need to ensure that information systems supporting business processes are not obstructing the very improvements in operations that they are supposed to achieve.  IT auditors need to better understand the operations of the organization and how IT contributes to their effectiveness and efficiency.

As IT becomes more and more integrated with business operations, the role of IT audit is changing, moving beyond the black box, to a role that is tied directly to the achievement of business objectives.   Business processes rely on automated systems for controls and to support efficient and effective processes.  As a result, IT risks are a part of, not separate from, business risks.  In the current market conditions, marked by rapidly changing risks and tough economic conditions, testing of IT controls by IT auditors and compliance testing by general auditors cannot separately address risks and opportunities resulting from the integration of complex technology into multiple business processes.


Year 13 – 2000 – Back to Work after a Year of Consulting

This was another exciting year for me.  First, in 1999, I had decided to take a year off without pay and do some sub-contracting for ACL (I forgot to mention this in the 1999 post).  It gave me the opportunity to really expand my analysis skills.  Also, I worked on the development of DirectLink for SAP, which really forced me to develop a better understanding of SAP – something that has been valuable ever since.

I also submitted short articles to the IIA’s Internal Auditor magazine and won two Honourable Mention Roundtable Awards for stories on “Travel Bonus” and “It is Really a Good Deal”.  In 2001 I would garner my first Ted Keys Roundtable Award for “Who’s Managing the Goods” and my second in 2005 for “Of Mice and Money”.  My last honourable mention was in 2005 for “Winning over the CIO”.  The articles highlighted audits I had worked on where – surprise – analytics was instrumental in arriving at the audit findings.


Year 6 – 1993 – Promoting Analytics

Analysis had proven to be successful in supporting not only the conduct phase of internal audits but also the planning phase.  More and more we were being asked by audit teams to perform analytics to support the development of the audit scope and objectives.  However, there were still team leaders who avoided the use of analytics.  “Analytics won’t be of any use in this audit” was still a familiar response to “can we help you?”  As part of a sales push, I produced a monthly report describing the new data sets/applications that had been accessed that month.  Audits were listed, and details of the types of analysis, the results, and the benefits of analytics in time, cost, efficiency, consistency, coverage, etc. were highlighted.  Typically, six to seven audits were featured each month and the analysis covered HR, IT, operations, finance and administrative audits.  But we had to keep expanding our capabilities and what we could access.

The challenge this year was accessing and understanding the legacy pay system, which was still used for about 70% of the employees.  The application created an IBM 25,000 byte variable block data set for each employee.  The first 500 bytes were a fixed block with basic employee information such as name, employee number, address, etc.  The remaining portion of each record consisted of a variable number of 50 byte segments that were one of 26 different types – each with its own layout (e.g. type “A” was a regular pay segment which had the paid date, pay rate, and pay amount; “B” was an adjustment record type with the pay date, adjustment amount, and reason; “C” was an allowance record with the pay date, start and end date of the allowance, type of allowance, and amount; etc.).  The hardest part of the analysis was building and testing the table layout.  But, not only were we able to read the record and produce a fixed block output for further analysis, we were also able to produce the employee’s summary pay information, including the income tax filing data.  At the time, this was done manually by the pay clerks because the complicated legacy system had not been updated to reflect changes in tax laws for several years.
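As an added example, not the author's ACL table layout, a Python parser for a record shaped like the one described: a 500-byte fixed header followed by 50-byte typed segments, flattened to fixed-block rows and summed into a per-employee pay summary. The byte offsets, the space-padded ASCII encoding, amounts in cents and the sample record are all assumptions, since the post gives only the segment types and their contents.

```python
# Assumed layout for this example (the post names the segment types and their contents, not byte
# offsets): 500-byte header, then 50-byte segments whose first byte is the type code; amounts in cents.
HEADER_LEN, SEG_LEN = 500, 50
HEADER = {"employee_no": (0, 8), "name": (8, 48), "address": (48, 148)}
SEGMENTS = {
    "A": {"paid_date": (1, 9), "pay_rate": (9, 17), "pay_amount": (17, 28)},
    "B": {"pay_date": (1, 9), "adjustment": (9, 20), "reason": (20, 50)},
    "C": {"pay_date": (1, 9), "start": (9, 17), "end": (17, 25), "allowance": (25, 29), "amount": (29, 40)},
}
AMOUNT_FIELD = {"A": "pay_amount", "B": "adjustment", "C": "amount"}
def _fields(raw, layout):
    return {k: raw[a:b].decode("ascii").strip() for k, (a, b) in layout.items()}
def parse_record(record: bytes):
    """Split one variable-length employee record into its header and typed segments."""
    if len(record) < HEADER_LEN or (len(record) - HEADER_LEN) % SEG_LEN:
        raise ValueError("record length does not fit the 500 + n*50 layout")
    header, segments = _fields(record[:HEADER_LEN], HEADER), []
    for off in range(HEADER_LEN, len(record), SEG_LEN):
        seg, code = record[off:off + SEG_LEN], chr(record[off])
        if code in SEGMENTS:
            segments.append({"type": code, **_fields(seg, SEGMENTS[code])})
        else:  # the real file had 26 types; one without a layout is kept and flagged, not silently dropped
            segments.append({"type": code, "unparsed": seg[1:].decode("ascii").strip()})
    return header, segments
def flatten(record: bytes):  # fixed-block output for further analysis: one row per segment, header repeated
    header, segments = parse_record(record)
    return [{**header, **seg} for seg in segments]
def pay_summary(record: bytes):
    """Per-employee totals in cents: regular pay (A), adjustments (B), allowances (C) and the gross."""
    header, segments = parse_record(record)
    totals = {"employee_no": header["employee_no"], "A": 0, "B": 0, "C": 0}
    for seg in segments:
        if seg["type"] in AMOUNT_FIELD:
            totals[seg["type"]] += int(seg[AMOUNT_FIELD[seg["type"]]])
    totals["gross"] = totals["A"] + totals["B"] + totals["C"]
    return totals
def _seg(code, **values):  # builds one constructed 50-byte segment for the sample record below
    buf = bytearray(code.encode("ascii").ljust(SEG_LEN))
    for k, (a, b) in SEGMENTS[code].items():
        buf[a:b] = values[k].encode("ascii").ljust(b - a)
    return bytes(buf)

# Constructed sample record: two regular pays, a negative adjustment, one allowance, one unknown type
SAMPLE = (b"E000123".ljust(8) + b"DOE, JANE".ljust(40) + b"12 MAIN ST".ljust(100)).ljust(HEADER_LEN)
SAMPLE += _seg("A", paid_date="20030115", pay_rate="00002500", pay_amount="00250000")
SAMPLE += _seg("A", paid_date="20030131", pay_rate="00002500", pay_amount="00250000")
SAMPLE += _seg("B", pay_date="20030131", adjustment="-00001500", reason="OVERPAYMENT RECOVERY")
SAMPLE += _seg("C", pay_date="20030131", start="20030101", end="20030131", allowance="HSNG", amount="00040000")
SAMPLE += b"Z" + b"LEGACY SEGMENT".ljust(SEG_LEN - 1)
```

The length check and the unparsed-type branch are the two tests worth keeping when the layout is still being built: a mis-sized table silently shifts every later field.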


Year 4 – 1991 – Up and running

By 1991 the idea of using data analytics to support internal audit was firmly in place in the organization.  I was producing monthly reports which described how analytics was used by various audit teams to improve efficiency, to expand the scope, to arrive at better findings and to fully test controls (i.e. not using samples).  The analytics team (still only two people) had developed CAATTs (Computer-Assisted Audit Tools and Techniques) manuals to describe the financial and inventory data to which we had access, and we were working on a manual for the HR system.  These manuals included a series of standard tests that could be requested by the auditors as well as a description of the fields that were available so that ad hoc requests could be performed.  We were accessing approximately 25-30 information systems a year; 7-8 were accessed on a regular basis and the others were used occasionally or on a one-time basis.  For the regular systems, we had arranged for standard extracts to be produced on a monthly basis and we were beginning the process of creating multi-year summaries (e.g. summary by General Ledger account by year for the past 3 years).  This allowed us to start looking at trends in the data such as the usage of overtime or professional services compared to regular salary dollars.  In the future, we would be able to use this information to contribute to the annual risk-based audit plan (but I am getting ahead of myself).  For now, it supported the planning phase of the audit – expanding the analytics input beyond the conduct phase.

The analytics team tried to meet team leaders early in the planning phase to determine their data requirements and to encourage the use of analytics during planning, conduct and even reporting.  It was still very much a “push” rather than a “pull” so we had to understand their requirements and sell them on the use of analytics – but it was getting easier as we racked-up success stories which we published every month.
