Our analytics team was running on all cylinders and achieving significant results. This was not just my opinion: we received an ISACA Award of Excellence at the Info Tech Audit ’95 conference for leadership and contribution to the IT Audit Community. Amazingly, it was a $1,000 cash award. The team (3 people) went out for a celebratory dinner and donated the remaining funds to a local charity.
By now we had a steady stream of auditors seeking data extractions from 30+ information systems. We had standard monthly extracts in place for the major systems (8-10) that we accessed on a regular basis, and we were able to handle one-offs fairly well. We still heard the usual arguments from IT (you do not have authority to access the data, it contains personal info, you don’t have the security, etc.) when we sought access to a new system, but we were getting better at countering their arguments with solid facts and obtaining the necessary access. The more difficult issue was changes to existing applications. We were not informed when things like record layouts, file names, transaction types, etc. changed. This meant that we constantly had to verify the integrity of our standard extracts and the scripts that we had developed.
To date we had used the personnel data to verify pay rates as part of a payroll audit; to determine personnel costs for a cost recovery audit; and for a number of other audits that required HR information.
The first HR audit to use data analysis was an audit of an employee reduction program. The company was downsizing and eligible employees were being offered a buyout package. The package was made available to full time employees and the buyout was based on years of service (including casual or part time employment) and current salary rate. The initial audit objective was to determine if the buyouts were for the correct amount.
We obtained a file which had the employee number and the buyout amount for each employee who had been offered a package. We matched this with the HR file which included the years of service, current salary level, employee status, and other information such as key dates – start date, status date, salary level date, etc.
The initial results looked promising. Everyone who had been offered a package was a full time employee (Status “A”); however we did identify a few people whose buyout amount (years of service * annual salary rate) was off by a few thousand dollars. By examining the details we determined that HR had not subtracted time when people were on leave without pay from their overall years of service. So we had met the initial audit objectives, but we did not stop here.
Our risk assessment had identified two additional risks – one related to eligibility and one related to the buyout amount. Our first analysis verified that all employees were eligible, but we wanted to look a little closer at the “eligibility” criteria. While all employees were full time employees when they received the buyout, we decided to determine whether any employees who had been offered the buyout package were not full time employees when the reduction program was announced. We identified 23 employees who were converted from part time to full time employees after the reduction program was announced and, therefore, should not have been eligible for the buyout. In one case when we attempted to recover the package amount, the ex-employee told us we would have to ask his manager for 50% since the manager had made a deal – make the employee full time in exchange for 50% of the buyout amount. This was referred to the fraud investigators.
The second criterion was related to the salary. All employee buyouts were consistent with their current salary, but we decided to examine when the last salary increase had been given. Again we found employees whose annual rate had been increased by one or even two rate levels – after the announcement of the reduction program. This meant that the buyout amount was thousands more than it should have been. In two cases, the same manager who had converted a part time employee to full time had also increased the salary levels of employees in exchange for 50% of the increased buyout amount. The total recovery amounted to $621K.
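The three tests described above (buyout amount, status date and salary level date checked against the announcement date), as an added Python example rather than the ACL scripts the team used. The records, field names, flag names and announcement date are all constructed for illustration.

```python
from datetime import date

ANNOUNCED = date(1995, 3, 1)  # constructed programme announcement date
TOLERANCE = 1.00              # ignore rounding differences (dollars)

# Constructed HR master file, keyed by employee number.
HR = {
    "E001": {"status": "A", "status_date": date(1988, 5, 1), "salary": 40000,
             "salary_date": date(1994, 7, 1), "years": 7.0, "lwop_years": 0.0},
    "E002": {"status": "A", "status_date": date(1985, 2, 1), "salary": 40000,
             "salary_date": date(1994, 1, 1), "years": 10.0, "lwop_years": 0.125},
    "E003": {"status": "A", "status_date": date(1995, 4, 10), "salary": 30000,
             "salary_date": date(1994, 6, 1), "years": 2.0, "lwop_years": 0.0},
    "E004": {"status": "A", "status_date": date(1985, 9, 1), "salary": 45000,
             "salary_date": date(1995, 3, 20), "years": 10.0, "lwop_years": 0.0},
}
# Constructed buyout file: employee number -> amount offered.
BUYOUTS = {"E001": 280000.0, "E002": 400000.0, "E003": 60000.0,
           "E004": 450000.0, "E999": 100000.0}


def audit_buyouts(buyouts, hr, announced):
    """Join the buyout file to HR and return {employee: [flags]} for exceptions."""
    findings = {}
    for emp, paid in buyouts.items():
        rec = hr.get(emp)
        if rec is None:                      # unmatched record in the join
            findings[emp] = ["NO_HR_RECORD"]
            continue
        flags = []
        if rec["status"] != "A":             # compliance test: full time today
            flags.append("NOT_FULL_TIME")
        # Years of service net of leave without pay, times annual salary rate.
        expected = (rec["years"] - rec["lwop_years"]) * rec["salary"]
        if abs(paid - expected) > TOLERANCE:
            flags.append(f"AMOUNT_OFF_BY_{paid - expected:.0f}")
        # Eligibility or rate was altered after the programme became known.
        if rec["status_date"] > announced:
            flags.append("STATUS_CHANGED_AFTER_ANNOUNCEMENT")
        if rec["salary_date"] > announced:
            flags.append("SALARY_LEVEL_CHANGED_AFTER_ANNOUNCEMENT")
        if flags:
            findings[emp] = flags
    return findings


if __name__ == "__main__":
    for emp, flags in sorted(audit_buyouts(BUYOUTS, HR, ANNOUNCED).items()):
        print(emp, ", ".join(flags))
```

E003 and E004 pass the pure compliance test (status "A", amount consistent with current salary) and are caught only by the date comparisons.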
We decided to take the audit objective a step further. The intent of the reduction program was to reduce employee levels across the organization and at all levels. While this was not an objective of the audit, we also did some analysis to determine who had accepted the buyout package. Not surprisingly, a lot of people who were more senior and close to retirement had accepted. In addition, a number of fairly junior employees (less than 5 years experience) had accepted the offer. We also compared the buyout rates in headquarters and the regions – there was a significantly higher percentage of buyouts in headquarters than in the regions. Next, we looked at the rates by job classifications and once again we noted certain classifications (where jobs were more easily found) that had higher reduction rates than others. Lastly, we looked at the ranges of the buyout amounts – overall and by employee classification. Overall, the audit concluded that while the targeted reduction levels had been achieved, it was not in accordance with the reduction program objectives. Further, the audit expressed concern that there would be a requirement to hire people at certain levels and job classifications where the reduction rates were well above the 10% planned levels. Within six months the audit concerns were a reality – hiring in certain areas was happening – and by the end of two years, employment levels were back to pre-reduction program levels. In some cases, employees who were offered a buyout package had been rehired less than 6 months later.
ACL commands: FILTER, JOIN, EXPRESSION, CLASSIFY and STRATIFY
Lessons-learned: It is important to consider not only the risk of non-compliance (employees who were not eligible being offered packages) but also the circumstances around the determination of compliance. Sufficient controls were in place to ensure compliance, but there was a lack of control over the ability of managers to alter conditions such that non-eligible employees complied with the requirements of the program. Also, one needs to consider the assumptions and intentions of the program or activity. In this case, the letter of the law was being met (only full time employees had received the buyout package), but this was not the sole objective of the reduction program (reduction rates varied in different locations and job categories and levels; and employees who should not have been considered eligible). Audit needs to consider the objectives of the activity or program when setting the audit objectives. Additional value can be added to audit work when the audit objectives go beyond mere compliance and consider the risks to the objectives of the client area.
The analysis team identified additional areas of risk – both the timing of fulltime status and annual salary rates and the impact of the reduction program. This demonstrated the value of having data analysts who understand not only the data, but also the role of internal audit. It was the analyst who pushed the audit team to do more than test for compliance and to address other risks associated with the reduction program. If your data analysts do not understand the risks and the role of internal audit – then you need to make sure that the auditors and analysts work together closely throughout the audit but particularly in the planning phase.
Lastly, I strongly believe that it is not sufficient for the audit teams to email the data analysts asking for them to “obtain HR data and match it to employees who accepted the buyout to verify that they were fulltime employees”. Auditors that simply email requests are tying the hands of the data analysts. The auditors and data analysts must work together as a team to understand and discuss the audit objectives and the objectives of the operational activity; the risks associated with the activity; the data elements and analysis possibilities. When this happens, data analysis can more fully contribute to the efficiency, effectiveness and value of the audit.
This article has 1 Comment
“It was the analyst who pushed the audit team to do more than test for compliance and to address other risks associated with the reduction program”… great lesson Dave. Frankly, I think the profession has devolved in this in many respects. With 10+ years now of focus on SOX, I see more auditors than ever focused entirely on the exact wording of documented internal controls and debating “letter of the law” compliance with those controls. Understanding actual risk and data is taking a back seat way too often.