This is the sixth in a series of articles on data analytics and internal audit. This article looks at the audit finding statement: Impact. The focus will be on the use of data analytics to assist you in determining the impact of what was observed (the condition) and to support the recommendation.
In simple terms, the impact answers the ‘why should I care.’ What is the impact of controls failing to prevent and/or detect a risk? The impact is often financial or at least has financial implications, and data analytics will identify this easily and without having to extrapolate from a sample of 30.
Determining the impact is necessary to encourage management to act on the recommendation. The cost of implementing the recommendations must be less than the cost of the current conditions. For example, we identified $50,000 in duplicate invoices (a significant reduction from the $1M identified the year before). The cost of the additional controls to prevent or detect the last $50K in duplicates was more than the savings to be gained. The payment of duplicates was at a level that management was willing to accept the risk.
But financial loss is not the only impact. In an accounts payable audit where we found the duplicates exist the immediate impact is a financial loss – we have paid invoices more than once. Paying fictitious employees or paying for unworked hours are also examples of financial impacts as with theft of gods or cash. But there are additional impacts, that could be even more significant than the monetary loss. Duplicate invoices require staff to review possible duplicates, contact vendor to obtain a refund, and process the repayment. In one company where I worked, this was a team of 5 people; people who could be used elsewhere. The salary cost was $300K and this does not include the opportunity cost – could these resources be better used elsewhere?
In an audit of overtime, we identified people who were making more than 75 percent of their annual salary amount in overtime (e.g., $60K salary and $45K in overtime). Initially we reported the financial impact of the high levels of overtime (it would be cheaper to hire more staff). But then we saw a couple of disturbing trends – people who had worked lots of overtime for several years were more likely to be injured on the job and to quit. More accidents occurred when employees were over tired, and the work-life balance was not sustainable. So, in addition to high level of overtime, we had higher levels of people on sick leave; and we had higher hiring, training new employees, and severance costs. The audit identified these and recommended the use of causal employees to reduce overtime hours.
In other cases, the financial impact is not as direct. In an audit of the hiring process for a policing organization we determined that the 38-step hiring process took over two years to complete (time from receipt of application to offer of a position). The steps were run in series (one after another) and the audit recommended running some steps in parallel which reduced the time to hire to under six months. The impact of the long hiring process was a shortage of new police candidates and the loss of some of the best candidates (they got jobs elsewhere). Not strictly a financial impact, but still highly relevant.
In an audit of an army unit’s readiness to be deployed, we look at the number, rank, and type of resources available (infantry, mechanics, cooks, etc.); the training they had received; the number and status of equipment to support them (Armoured personnel carriers, tanks, radios, etc.). In the end we determined that the unit was not ready – lack of mechanics results in many vehicles being in “under repair” status; many personnel had not completed all the required training, etc.
While data analytics – analyzing 100 percent of the transactions – will make it easy to identify the financial impact, I encourage you to also look beyond the obvious and consider the ripple effect of the finding. Also, just because the audit is not strictly speaking identifying a financial issue (e.g., HR staffing process, overtime health and safety issue, readiness for deployment, etc.) analytics can still be used. Analytics can not only identify evidence of control weaknesses, but also to identify troubling trends.
Identifying the impact is an important factor in ensuring that management action is taken. If the audit cannot quantify a current impact that is more than the cost of the recommendation management will not implement the recommendation.
It sounds like it is common for auditors to under quantify the impact. Have you ever experienced the opposite, where the auditors overestimate the impact? Back in debate club at my University, we would take everything to the extreme. “Clearly, the impact is a nuclear war if we implement my opponents’ plan of funding more solar power plants.” I’m sure auditors wouldn’t overestimate to the degree of an educational exercise, but does it happen? Or is this a conservative group?
Angela: I have times where we were include to project one-time saving across multiple years (if they don’t fix it now then it will continue for years). I think I was more concern about people focusing on the financial impact and not considering other aspects.