The following post is part 2 of “Adding Value to Compliance Audits”.
Given a good understanding of the current level and sources of risk, the next step is to look at the requirement for, and the adequacy and effectiveness of, the control that mitigates the risk. This requires an understanding of the cause and source of the risk and of how the control operates. Is the control still required? Does the current control address the root cause? Are there better ways to mitigate the risk? By answering these questions the audit may identify unnecessary controls, ineffective controls, or better controls to address the current risk. All of these may reduce the cost of compliance while improving risk mitigation. Recommendations such as automating a control can save time and effort and be seen as a real value-add.
The next step would be to verify that the control activities are being performed (i.e. compliance). However, you are not done yet. If you find non-compliance it is still not sufficient to recommend “Do A”. Audit recommendations should address the root cause. Identifying a lack of compliance is not the same as determining why management is not complying (i.e. determining the cause). Was management aware of the requirement? Are they capable of complying? Are there compensating controls that have been implemented?
To determine the cause of non-compliance, asking “Why” (usually several times) is often sufficient. You should also determine the impact of the non-compliance. Then, instead of “Do A”, audit can provide a rationale and make a recommendation that actually assists management in complying.
The next step is to ensure that you are doing the audit right. This means making full use of all the resources available to you, including analytics. Data analytics can be defined as the application of analysis techniques to understand business processes, to identify and assess risks, to test controls, to assess efficiency and effectiveness, and to prevent, detect and investigate fraud. Data analytics techniques, ranging from simple categorization and stratification to sophisticated predictive and prescriptive models, can assist organizations in focusing their risk responses on the areas in which there is higher risk, including compliance risk.
Existing levels of risk can be assessed and trends identified to determine if the risk is increasing or decreasing. For example, environmental compliance could examine spills (number and quantity), cleanup costs, and lawsuits (quantity and value); production compliance could examine material, personnel, maintenance and operational costs. By examining measures over several months or years, a trend line can be produced to assess the effectiveness of mitigation efforts and identify emerging risks.
Rather than relying solely on substantive tests, the effectiveness of controls can also be tested with analytics. In addition, you can look at trends that will have positive or negative effects on compliance. For example, environmental compliance can examine the control over the purchasing of hazardous materials, ensuring that purchase quantities match requirements and thereby avoiding environmental compliance issues around disposal. Compliance with hiring practices could review staffing methods and staffing rates (by gender, by race, etc.) to ensure proper procedures are being followed and to address employment equity requirements before they become non-compliance issues.
Sometimes compliance with a poor control can increase risk and dysfunctional behaviour, and cultural issues can make enterprise-wide compliance difficult for global companies and increase risk. Doing the right compliance audit, not simply asking “did we do A”, and doing it efficiently and effectively can deliver significant value to the organization and remove the “gotcha” stigma of compliance audits. However, it requires auditors to re-examine the compliance-related risks and controls and to use analytics.
Richard Chambers, President of the IIA, identified his top ten imperatives of the decade, which highlight the challenges that auditors must face to provide value to management. These include enhancing proficiency with data mining and analytics; providing assurance on risk management effectiveness; and enhancing and leveraging a continuous focus on risk. These challenges apply to all types of audits, from compliance to operational. He encouraged auditors to look at business objectives and the risks to achieving them, and to design audits that provide assurance over the governance, risk management and control/compliance frameworks put in place by management. A compliance audit should not be any different: it should identify and assess risk, and examine the effectiveness and efficiency of the controls that mitigate the risk. By doing so, it will add value to the company as well as provide assurance to senior management.
Accounts Payable Example
In an Accounts Payable audit there was a requirement to formally authorize invoices for payment by stamping and signing the original invoices. The stamp and approval verified that goods/services had been received in accordance with the contract and that the invoice could be paid. Falsifying this approval had serious legal repercussions – including up to 5 years imprisonment.
The audit covered numerous accounts payable offices spread across the globe. As part of the audit we verified that invoices had been properly approved, i.e. stamped and signed by the authorized approval authority. At several locations we noted that the invoices were not being properly authorized (stamped and signed), but the reasons for non-compliance differed. In one small office (AP1) they were unaware of the requirement. We identified an underlying problem with corporate communication of financial regulations, including a lack of translated procedures. In another office (AP2), they had been told by the legal department that the stamp being used did not contain the appropriate wording and that they should immediately stop using it and obtain the official corporate stamp with the correct wording. The local A/P manager had been trying for months to obtain an official corporate stamp (he even showed us numerous emails) to no avail. At another location (AP3) they had converted to electronic invoices and authorization, so they were no longer stamping and signing invoices.
A compliance audit that did not ask “why” might easily have issued the simple recommendation “stamp and sign all invoices” – adding zero value to the A/P process. Adding value to this compliance audit would have had very different recommendations.
Starting with the risk: The control was put in place to ensure that we were not paying for goods/services we did not receive; and that goods/services were of the quality, quantity, and price agreed to in the contract. Given the nature of decentralized contracting, the risk still existed and a control was required.
The second step would have been to determine if the control was effective and efficient. At AP1, the control was not working because of a problem in the corporate communication area – we had acquired a new overseas operation and regulations had not been translated. This required a different recommendation; one that would address the root cause – corporate communication – and did not penalize the local A/P manager.
At AP2, non-compliance was attributed to a breakdown between the legal and finance departments. Legal was reviewing all official stamps and finance was responsible for updating, revising and supplying them. Unfortunately, the two departments were not coordinating their work and finance was unaware of the problem with the invoice authorization stamp. The recommendation here addressed the communication between departments.
At AP3, the physical stamping and signature of the invoice had been replaced by an automated approval. Recommending compliance with the current regulation would be ludicrous. However, the automated controls needed improvement to verify the authority of the person providing the electronic approval. As a result, a recommendation was made to address the weakness in the automated control.
The result of the compliance audit improved the corporate communication processes, interdepartmental activities, and IT controls. The recommendations were seen as having value – much more than “Stamp and sign all invoices” would have received.
In addition, the audit of the efficiency and effectiveness of the A/P process can benefit from the use of analytics. Approval controls can be tested by matching each electronic approval against a register of authorized approvers and their limits. Examining actions by user can identify instances where separation of duties was not achieved, for example the same person entering and approving an invoice. Totals by payment terms or payment method can quickly highlight inefficient practices or even fraud. The resulting recommendations can improve compliance and reduce business risk while adding value.
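The three analytics tests described above (approver matching, separation of duties, and totals by payment terms and method), and the weakness in the automated approval control noted at AP3, can be expressed as a small script run over an A/P extract. The following is an added example written for this page, not code from the original post or from any audit tool. The invoice records, user names, approver register and field names (entered_by, approved_by, vendor_created_by, payment_terms, payment_method) are all constructed and assumed for illustration; a real extract would come from the ERP's invoice and vendor-master tables.

```python
"""Analytics over a constructed accounts-payable approval extract.

Added example for illustration only. Every record, user and approval
limit below is made up; the field names are assumptions about what an
ERP extract would carry, not a real system's schema.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    office: str
    vendor_id: str
    amount: float
    entered_by: str         # user who keyed the invoice into the system
    approved_by: str        # user who gave the electronic approval
    vendor_created_by: str  # user who set up the vendor master record
    payment_terms: str      # e.g. "NET30", "IMMEDIATE"
    payment_method: str     # e.g. "ACH", "WIRE", "CHEQUE"


# Constructed approver register: user -> maximum amount they may approve.
# Anyone not listed has no approval authority at all. This is the control
# AP3 lacked: the electronic approval must be checked against authority.
APPROVERS = {"alice": 50_000.0, "bob": 10_000.0, "carol": 250_000.0}

# Constructed invoice extract for a single electronic-approval office.
INVOICES = [
    Invoice("INV-001", "AP3", "V100", 4_200.0, "dave", "bob", "erin", "NET30", "ACH"),
    Invoice("INV-002", "AP3", "V100", 18_500.0, "dave", "bob", "erin", "NET30", "ACH"),
    Invoice("INV-003", "AP3", "V205", 9_900.0, "frank", "frank", "erin", "NET30", "ACH"),
    Invoice("INV-004", "AP3", "V310", 31_000.0, "dave", "alice", "alice", "IMMEDIATE", "WIRE"),
    Invoice("INV-005", "AP3", "V100", 2_750.0, "dave", "carol", "erin", "NET30", "ACH"),
    Invoice("INV-006", "AP3", "V412", 7_300.0, "dave", "carol", "erin", "IMMEDIATE", "WIRE"),
]


def check_approval_authority(invoices, approvers):
    """Match each electronic approval against the approver register.

    Flags approvals by users who are not approvers at all, and approvals
    above the approver's limit. Returns (invoice_id, reason) pairs.
    """
    findings = []
    for inv in invoices:
        limit = approvers.get(inv.approved_by)
        if limit is None:
            findings.append((inv.invoice_id, "approved by user not in register"))
        elif inv.amount > limit:
            findings.append((inv.invoice_id, "amount exceeds approver limit"))
    return findings


def check_separation_of_duties(invoices):
    """Flag invoices where one user held two conflicting roles.

    Two conflicts are tested: entering and approving the same invoice, and
    creating the vendor record and approving payment to that vendor.
    """
    findings = []
    for inv in invoices:
        if inv.entered_by == inv.approved_by:
            findings.append((inv.invoice_id, "entered and approved by same user"))
        if inv.vendor_created_by == inv.approved_by:
            findings.append((inv.invoice_id, "approver also created the vendor record"))
    return findings


def totals_by(invoices, *fields):
    """Sum amounts and count invoices grouped by one or more fields.

    Grouping by payment_terms and payment_method makes unusual mixes such
    as immediate-terms wire payments stand out for follow-up.
    """
    totals = defaultdict(lambda: {"count": 0, "amount": 0.0})
    for inv in invoices:
        key = tuple(getattr(inv, f) for f in fields)
        totals[key]["count"] += 1
        totals[key]["amount"] += inv.amount
    return dict(totals)


def run_ap_analytics(invoices=INVOICES, approvers=APPROVERS):
    """Run all three tests and return their results in one dict."""
    return {
        "authority": check_approval_authority(invoices, approvers),
        "sod": check_separation_of_duties(invoices),
        "by_terms_method": totals_by(invoices, "payment_terms", "payment_method"),
    }


if __name__ == "__main__":
    results = run_ap_analytics()
    for section, findings in results.items():
        print(section)
        items = findings.items() if isinstance(findings, dict) else findings
        for item in items:
            print("  ", item)
```

On the constructed data, the authority test flags INV-002 (above bob's limit) and INV-003 (frank is not in the register), the separation-of-duties test flags INV-003 (frank entered and approved his own invoice) and INV-004 (alice created the vendor she then approved payment to), and the grouping shows the two immediate-terms wire payments as a distinct population worth a closer look. Each finding names the record and the reason, which is what a recommendation addressing the root cause needs rather than a bare count of exceptions.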