This is the next post in a series that discusses the importance of having a proper audit objective, defining the business goals and objectives, and the risks to the achievement of those objectives. This article will discuss the identification and assessment of risk. The next series of articles will look at the audit finding statement: Criteria, Condition, Cause, Impact and Recommendation. The focus will be on the use of data analytics.
As mentioned in my post on ‘Better Recommendations’ (https://caats.ca/2022/01/20/better-audit-recommendations/), setting the proper objective is critical to delivering a quality, value-add audit. It must be strongly linked to the goals and objectives of the entity being audited; drive the risk identification and assessment; and be the foundation for the audit workplan and the conduct of the audit. Ultimately, it is the statement upon which the audit concludes. Yet too many audits have poor objectives.
Once you have clearly defined the business goals and objectives, you are in a position to examine the risks to the achievement of those goals. In the early 1990s, when the notion of risk was introduced to internal audit (that’s right, before then internal audit focused on controls, not risk), risk was presented as the flip side of controls. This made some sense, since controls are typically put in place to mitigate risk: if you have a risk, you implement a control to mitigate it. Controls whose purpose is not to mitigate a risk should be re-examined; this includes compliance measures. (See my post on compliance audits: https://www.linkedin.com/pulse/getting-more-value-from-compliance-audits-david-coderre/.)
While I would agree that controls are often the flip side of risk, I submit that there are risks for which controls might not exist, such as emerging risks. Take, for example, a manufacturing company that relies on external suppliers for critical parts. I was in this situation years ago, when supply chains were much more stable. However, by looking at trends, internal audit alerted management to an emerging risk: the number of suppliers providing the parts had dwindled from a high of ten to three in less than four years, and two of the remaining three were merging. Aggressive procurement practices had reduced the profitability of several firms, and they had stopped producing our required parts to focus on more profitable items.
Emerging risks can be harder to identify, but the continued evaluation of trends over time can be useful. In addition to the number of suppliers, trends in lead times, quality measures (mean time to failure, returns, etc.), employee turnover, number of grievances, environmental and legal actions, social media scraping and so on can all be tracked. These and other data analytics can spot emerging risks. It is not an easy task, and you won’t identify all emerging risks, but that shouldn’t mean that you don’t try. It just means you should start small and in focused areas.
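As an added illustration (not code from the original post, and not the analytic I actually ran back then), here is how a supplier-count trend test can be scripted in Python. The purchase history, part numbers and supplier names are constructed for the example, and the two thresholds (three or fewer active suppliers, or a decline of more than half over the period) are assumptions. It goes a little beyond the post by testing every part in the history rather than a single one.

```python
from collections import defaultdict

# Constructed purchase history (not from the article): one row per year, part and
# supplier that actually shipped the part. Part numbers and supplier names are hypothetical.
PURCHASES = (
    [(2018, "P-4410", f"S{i}") for i in range(1, 11)]   # ten active suppliers
    + [(2019, "P-4410", f"S{i}") for i in range(1, 8)]  # seven
    + [(2020, "P-4410", f"S{i}") for i in range(1, 6)]  # five
    + [(2021, "P-4410", f"S{i}") for i in range(1, 4)]  # three
    + [(year, "P-7700", f"T{i}") for year in range(2018, 2022) for i in range(1, 5)]  # stable at four
)


def supplier_counts(purchases):
    """Distinct active suppliers per part, per year: {part: {year: count}}."""
    seen = defaultdict(set)
    for year, part, supplier in purchases:
        seen[(part, year)].add(supplier)
    counts = defaultdict(dict)
    for (part, year), suppliers in seen.items():
        counts[part][year] = len(suppliers)
    return {part: dict(sorted(by_year.items())) for part, by_year in counts.items()}


def flag_supplier_concentration(purchases, min_suppliers=3, max_decline=0.5):
    """Flag parts whose supplier base ended at or below min_suppliers, or shrank by
    more than max_decline over the period. Both thresholds are assumptions for the
    example. Returns {part: [reason, ...]}."""
    flags = {}
    for part, by_year in supplier_counts(purchases).items():
        years = sorted(by_year)
        first, last = by_year[years[0]], by_year[years[-1]]
        decline = (first - last) / first if first else 0.0
        reasons = []
        if last <= min_suppliers:
            reasons.append(f"only {last} active supplier(s) in {years[-1]}")
        if decline > max_decline:
            reasons.append(
                f"supplier count fell {decline:.0%} between {years[0]} and {years[-1]} "
                f"({first} -> {last})"
            )
        if reasons:
            flags[part] = reasons
    return flags


if __name__ == "__main__":
    for part, by_year in supplier_counts(PURCHASES).items():
        print(part, by_year)
    for part, reasons in flag_supplier_concentration(PURCHASES).items():
        print(f"{part}: " + "; ".join(reasons))
```

Run against a real purchasing extract, the only field you need per row is year, part and paying vendor; a register of announced mergers would be a natural second input so that two suppliers about to combine are counted as one.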
Risks related to specific IT or business process controls can be much easier to identify and assess with data analytics. I asked the procurement manager which IT controls he relied upon to mitigate contracting risks. He stated, with a level of confidence, “SAP will not allow any invoice over $25K to be paid.” The notion was that larger invoices should be preceded by a robust contracting process that included raising a purchase order: a purchase order commits the funds, which makes budgeting more accurate, and requires a competitive bidding process. This allowed me to perform a simple analytic: identify all invoices greater than $25K that did not have a purchase order. The analysis identified thousands of such invoices, for millions of dollars, providing irrefutable evidence that the IT control was not working as intended. This affected senior management’s ability to manage cash flow, created situations where budgets were overspent, and led to contracts that did not provide value for money.
The payroll manager answered a similar question with the statement that “the pay of each employee should fall within the pay ranges of their classification or job code.” Again, this made the analysis easy: identify people whose pay was above the range for their classification. I identified an entry-level clerk (pay range $32-40K) making more than $72K. The manager had changed the pay range for the employee, highlighting a weakness in the authorities over who could change pay rates for employees.
Throughout my career I have identified many analytics that tested IT and manual controls. I should clarify that not finding a transaction that failed the control does not mean the control is working; maybe no one ever tried to break it. However, finding even one transaction that was permitted proves that the control is not preventing the activity from happening. Often the impetus for the analytic was a simple question: “What controls should be in place?”
Given the assumption that most controls are the flip side of risk, identify the risk and the control that should be in place, and look for evidence that the control is not working. According to the ACFE Report to the Nations 2021 (https://acfepublic.s3-us-west-2.amazonaws.com/2020-Report-to-the-Nations.pdf), the top three causes of control weaknesses (and fraud) were a lack of internal controls (35%), lack of management review (19%), and management override (14%). In the case of the SAP control over invoices greater than $25K, the control had been turned off by the SAP team because it was impacting system performance. In other cases, management override was used to bypass the controls. However, proactive data analytics can reduce the loss and duration of a fraud.
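As an added example (not code from the original post), the two control tests above, invoices over $25K without a purchase order and pay outside the range for the job code, can be written as SQL over extracts of the relevant tables; Python with its bundled SQLite is used here so that it runs offline. The invoice, purchase order, employee and pay range data are constructed for the example, and the column names are assumptions, not SAP field names. It goes beyond the post in two ways: it treats a PO number that is not on the PO master as an exception, not just a blank one, and it reports pay below the range and job codes with no range on file alongside pay above the range. It also includes the check the caveat above calls for: how many transactions would have exercised the control at all.

```python
import sqlite3

PO_THRESHOLD = 25_000  # "no invoice over $25K is paid" without a PO, as the manager stated

# Constructed sample data (not from the article); vendors, names and amounts are hypothetical.
INVOICES = [
    # (invoice_id, vendor, amount, po_number)
    ("INV-001", "Acme Parts", 12_500.00, "PO-100"),
    ("INV-002", "Acme Parts", 48_000.00, "PO-101"),
    ("INV-003", "Beta Tooling", 31_250.00, None),       # over threshold, PO field empty
    ("INV-004", "Beta Tooling", 99_900.00, "PO-999"),   # PO number that is not on file
    ("INV-005", "Gamma Logistics", 24_999.99, None),    # under threshold: no PO required
    ("INV-006", "Gamma Logistics", 250_000.00, ""),     # over threshold, blank PO field
]
PURCHASE_ORDERS = [("PO-100", "Acme Parts"), ("PO-101", "Acme Parts")]

EMPLOYEES = [
    # (emp_id, name, job_code, annual_pay)
    ("E1", "A. Clerk", "CLK1", 38_000),
    ("E2", "B. Clerk", "CLK1", 72_500),    # entry-level clerk paid far above the range
    ("E3", "C. Analyst", "ANL2", 55_000),
    ("E4", "D. Analyst", "ANL2", 49_000),  # below range; also worth a look
    ("E5", "E. Temp", "XXX9", 41_000),     # job code with no pay range on file
]
PAY_RANGES = [("CLK1", 32_000, 40_000), ("ANL2", 50_000, 65_000)]  # (job_code, min, max)


def load_db() -> sqlite3.Connection:
    """Load the constructed extracts into an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE invoices (invoice_id TEXT, vendor TEXT, amount REAL, po_number TEXT);
        CREATE TABLE purchase_orders (po_number TEXT PRIMARY KEY, vendor TEXT);
        CREATE TABLE employees (emp_id TEXT, name TEXT, job_code TEXT, annual_pay REAL);
        CREATE TABLE pay_ranges (job_code TEXT PRIMARY KEY, min_pay REAL, max_pay REAL);
    """)
    con.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?)", INVOICES)
    con.executemany("INSERT INTO purchase_orders VALUES (?, ?)", PURCHASE_ORDERS)
    con.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", EMPLOYEES)
    con.executemany("INSERT INTO pay_ranges VALUES (?, ?, ?)", PAY_RANGES)
    return con


def invoices_without_valid_po(con, threshold=PO_THRESHOLD):
    """Invoices over the threshold whose PO is missing, blank, or not on file.
    A LEFT JOIN against the PO master catches all three cases; testing only
    for NULL would miss a typed-in PO number that was never actually raised."""
    return con.execute("""
        SELECT i.invoice_id, i.vendor, i.amount, i.po_number
        FROM invoices i
        LEFT JOIN purchase_orders p ON p.po_number = i.po_number
        WHERE i.amount > ? AND p.po_number IS NULL
        ORDER BY i.amount DESC
    """, (threshold,)).fetchall()


def pay_outside_range(con):
    """Employees paid above or below the range for their job code, plus anyone whose
    job code has no range on file (LEFT JOIN so they are not silently dropped)."""
    return con.execute("""
        SELECT e.emp_id, e.name, e.job_code, e.annual_pay, r.min_pay, r.max_pay
        FROM employees e
        LEFT JOIN pay_ranges r ON r.job_code = e.job_code
        WHERE r.job_code IS NULL
           OR e.annual_pay > r.max_pay
           OR e.annual_pay < r.min_pay
        ORDER BY e.emp_id
    """).fetchall()


def control_was_exercised(con, threshold=PO_THRESHOLD):
    """Zero exceptions only means something if the population contains transactions
    that should have triggered the control. Count invoices over the threshold."""
    (n,) = con.execute("SELECT COUNT(*) FROM invoices WHERE amount > ?", (threshold,)).fetchone()
    return n


def summarise_po_control(con):
    """Exception count and dollar value: the figures management will ask for first."""
    exceptions = invoices_without_valid_po(con)
    return {
        "invoices_over_threshold": control_was_exercised(con),
        "exceptions": len(exceptions),
        "exception_value": round(sum(row[2] for row in exceptions), 2),
    }


if __name__ == "__main__":
    db = load_db()
    print(summarise_po_control(db))
    for row in invoices_without_valid_po(db):
        print("PO control failed:", row)
    for row in pay_outside_range(db):
        print("Pay range exception:", row)
```

If `control_was_exercised` returns zero, the PO test has told you nothing about the control; if it returns a large number and the exception list is still empty, you have reasonable (not conclusive) evidence that the control held over the period extracted. Against a real system, the same queries run unchanged over CSV extracts of the invoice, PO, employee and pay range tables loaded into SQLite.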
In the next article I will start looking at how analytics can support the audit finding statement.