Too often auditors are satisfied with only finding the problem. In fact, it is usually only ‘evidence that there is a problem’ and not the actual problem. At which point their recommendations fall short of providing value and helping management improve controls and reduce risk.
These types of audits often look something like this:
- Objective: Verify compliance with “A”
- Criterion – you are supposed to do “A”
- Condition – the audit found you were not doing “A”
- Impact -N/A
- Recommendation – Do “A”
If we take account payable (audit #1) as a concrete example of where audits fail to provide real value:
- Objective: Verify that we are not paying the same invoice twice
- Criterion: invoices should not be paid twice
- Condition: Invoices are being paid twice
- Impact: based on the sample of 100 invoices, we estimate that there are $20K in duplicate payments.
- Recommendation: Recover duplicate payments
This audit might recover loss revenue (duplicate payments), but it will not provide value to the manager of accounts payable. It should be looking beyond the mere existence of duplicate payments to ‘why’ are they occurring. It should also be looking at more than “duplicate payments”; and more than a sample of invoices. To do this, the audit should follow the steps below.
First, I would like to point out the importance of having a proper audit objective. The audit objective sets the “raison d’être” (why are you doing the audit). I hope that you are not doing an accounts payable audit to simply to find duplicate invoices and recover funds. The objective should consider the business objective: to pay approved invoices accurately, timely and to the correct vendors. Thus, a better objective would be (Audit #2): to assess the controls over the A/P process that ensure approved invoices are accurately paid, in a timely manner, and to the correct vendor.
Secondly, given the audit objective, the auditor should develop appropriate criteria and design an audit program that has the necessary steps to allow the auditor to conclude on the audit object. This further shows the importance of having a good audit objective. Audit #1 objective – verify we are not paying the same invoice twice – would only have steps to search for duplicates. Audit #2 – when the audit objective looks at the objectives of the accounts payable process, it would have steps to look at whether invoices were approved, paid in a timely manner (not early and not late), accurately (right amount and not twice), and to the correct vendors (not fictitious vendors). The steps should maximize the use of data analytics to review 100% of the transactions.
Third, given the objective and audit steps, the audit conducts the necessary work to allow him/her to conclude on the audit objective. In both audits described above, data analytics should play an important part in assessing whether the A/P transactions are meeting the objectives or not. Analytics can easily find duplicates, calculate late or early payments, verify amounts to purchase orders or contracts, and look for fictitious vendors. They can also deal with a critical aspect of encouraging change: the impact. The audit must be able to demonstrate the negative impact of the current conditions to support the implementation of the recommendations. With analytics, we can quantify the problem and not provide an estimate based on a sample of invoices.
Four, develop appropriate recommendations. This is where we have the “Why” factor. In Audit #1 – we will likely find duplicates. Without considering the “Why” the recommendation will be: “recover duplicate payments and stop paying duplicates”. Given that we have found duplicates, the auditor should as why. Not just once, but repeatedly until we get to the root cause:
- Why do we have duplicates?
- The ERP test for duplicates is failing to identify the duplicate transactions.
- Why is the ERP preventative/detective test failing?
- The duplicates are being paid to the same vendor, but under different vendor numbers.
- Why do vendors have duplicate vendor numbers?
- All A/P clerks can create vendors, and many are not doing a proper check to ensure that the vendor does not already exist.
After only three ‘why’ questions we have arrived at a root cause of duplicates: poor controls over the creation of vendors in the vendor master table is allowing for vendors to be created with more than one vendor number. Now the recommendation could be ‘recover duplicate payments and restrict create/modify/delete access to the vendor master table to a single, properly trained user’. Not only will this recover the duplicate payments, but it will reduce the risk of invoices being paid twice in the future.
In Audit #2, we would also be looking at payment terms, matching invoice amounts to purchase orders, and a series of tests to verify the validity of the vendor. If these indicated a problem we would be asking ‘why’: why is the payment terms incorrect (changed by clerk at time of entry or not properly entered on the vendor master record?); why did we pay the wrong vendor (A/P clerk-vendor collusion, failure to approve invoices prior to payment?); why di we pay the incorrect amount (no matching of invoice and purchase order?) etc.)
- Take time at the beginning of the audit to consider the audit objective. If we have “A” as an audit objective what will we be able to say at the end of the audit. Ensure that the audit objective addresses the risks in the business process.
- Ensure that you have the proper criteria and audit steps to allow you to conclude on the audit objective. If we do steps 1, 2, and 3, will we be able to conclude on “A”.
- Ensure that you analysis allows you to identify the impact of the current situation so that you will be able to support the recommended changes.
- Maximize the use of analytics to improve the efficiency, effectiveness and scope of the audit and provide a quantified, defensible impact statement.
- Ask ‘why’ repeated until to go beyond ‘evidence of a problem’ and find the ‘root cause of the problem’, otherwise your recommendations will not address the true issue.
I believe that auditors, as a group, try to add value. Don’t let a poor audit objective and a reluctance to ask ‘why’ to detract from this goal. An extra couple of hours to set a good audit objective that is supported by sufficient audit steps is well worth the time. Analytics will improve your ability to perform the audit effectively and provide the evidence necessary to encourage control improvements.
President CAATS, Chief Data Analyst, RiverAA.
This article has 1 Comment
How I wish every internal auditor would feel this way. I agree 100% that internal auditors are at times so satisfied with just finding any type of problem that they forget the ultimate objective of Internal Audit. We are there to provide assurance and improve, not merely to find problems, but to provide insight on why there are problems in the first place.