Internal Audit:
Change Agents in a Tough Economy
By David Chiang
As the economic downturn grips organizations around the globe, corporate governance steps into the spotlight. Boards of Directors and their designated audit committee members have a critical responsibility to be hands-on stewards of their organizations. As the board’s “agent on the ground,” Chief Audit Executives (CAEs) can provide great value to the governance process by helping audit committees monitor the impact of the financial crisis on their organizations. Using proven audit analytic techniques, CAEs can investigate and analyze – in real time – the organization’s key risks. And in the process, improve their organization’s governance best practices, and provide a higher level of business assurance.
To address these best practices, KPMG recently released “Audit committees 2009: top ten to dos,” which offers an excellent rundown of board responsibilities during the downturn. I’d like to take their to-do list a step further by demonstrating how audit analytics are a valuable proposition for uncovering real-time risks, testing the validity of financial statements, and protecting the organization from third-party exposure issues.
Monitoring financial crisis impact and early-warning indicators
The KPMG list advises audit committees to closely monitor the impact of the financial crisis on the company by focusing on financial forecasts and early-warning indicators. It also stresses the need to understand organizational exposure to third parties in financial distress, and to recognize the impact of a recession on the company’s financials – especially the balance sheet.
In my experience, both as an auditor and as a Board Member, audit analytics technology provides the most time- and cost-effective way to monitor these risks and warning signs. The CAE should establish a set of analytics that support continuous auditing and keep the audit committee informed through detailed reporting.
I would like to share a recent case. First Hawaiian Bank uses technology to eliminate manual research and processing on credit card claims. They also use this solution to quickly pull raw data from an outsourced mainframe system, extract key files, and boost efficiencies throughout the internal audit department. With full data coverage, this company has automated critical controls testing and is working to use audit analytics in every audit project – from planning through to reporting.
This type of continuous auditing enables CAEs to keep a close eye on new business risks that can emerge during a sluggish economy, such as maintaining compliance with internal policies and procedures, granting third-party credit appropriately, and targeting duplicate payments, discounts and payroll issues to prevent costly revenue leakage.
Managing shifting risk profiles
Clearly, the financial crisis is quickly changing the playing field for organizations worldwide. Risk profiles may shift and restructuring can affect the overall business environment. New business models are also being driven by technological changes. In every organization, CAEs should promote technology to improve data security, sustainability, and collaboration between auditors. Technology can be a great enabler that drives real efficiency gains and greater long-term sustainability for internal audit departments.
As KPMG suggests, it’s increasingly important for the audit committee to promote productive risk discussions with management. CAEs can assist the board by ensuring that those discussions are supported by audit analytics. The CAE should validate management’s efforts to address strategic business risks, and analytics that support key management assertions can give the audit committee more accurate, compelling information to improve ongoing communication with senior executives. With audit technology, the CAE can zero in on meaningful risk areas and ensure that management’s concerns are fairly represented to the board.
Improving audit committee effectiveness
KPMG asserts the board also has a greater responsibility to examine its own processes and practices. For example, board members should ask: “Is our governance effective?” and “Is the audit committee fully equipped to oversee financial reports, risks, controls and compliance regulations?” CAEs and the audit committee should work closely with board chairs to ensure the board’s concerns are addressed and to pinpoint areas where the CAE can make the board more effective. The audit committee plays a critical role in validating and independently testing management’s assertions to the board.
In these rocky economic times, audit committees do have higher expectations for their CAE and internal audit departments. The more a CAE can do to provide useful, objective information to audit committees, the more value the CAE can bring to the overall governance process. Equipping the CAE with appropriate audit technology is an important way to ensure effective oversight, controls testing, and independent financial monitoring. ACL, for example, has developed packaged ready-to-use analytics in conjunction with ACL AuditExchange technology. These analytics test top business risk areas, such as duplicate payments, customer credit, accounts receivable, travel and entertainment expenses, corporate credit cards, and more.
KPMG, astutely in my opinion, reminds corporate governors to be sensitive to current strains on the CFO, internal auditors, and finance organization. I would add that it’s equally important to ensure the audit team has the right experience and resources – and the budget – to do its job well in this tough environment. Again, technology can be a powerful enabler that maximizes time and shrinking staff or financial resources.
Duplicate payments, for example, represent one of the easiest areas to launch a continuous monitoring program. Most companies report that duplicate payments represent just 0.1% to 0.5% of their total payments, but those duplicates will still add up to between $100,000 and $500,000 for every $100 million in payments. That’s a significant revenue loss in today’s tight economy. Hospital Corporation of America (HCA), for example, uncovered US$17 million in duplicate payments in one year using audit analytics technology to implement a continuous monitoring plan. HCA auditors also used the technology to identify costly payroll inconsistencies, and identified billing errors on 16,000 units of medical equipment. It’s this type of insight that can efficiently lead to amazing organizational improvements.
Automated tests can quickly analyze invoice data to locate common errors such as the same vendor and amount, the same invoice number and date, the same invoice number with a different date, or the same vendor with a similar invoice number in a different format. These are just a few of the possible analytics that companies can use to protect themselves against duplicate payments and both inadvertent and intentional system overrides.
Back to the big picture, CAEs can assist the board by clearly defining the technology requirements necessary to improve their audit coverage. Effective audit technology can identify risks during the planning phase, as part of the audit program, and in presenting audit findings to the board. The CAE should develop an audit strategy that the board supports and understands – including data access protocols, analysis procedures, and business process and internal control standards. This strategy can be formalized in the audit charter document, which is approved by the audit committee.
Setting the tone at the top
Finally, KMPG suggests there is a need to monitor leadership and instill a “culture of compliance.” Industry practices have steadily improved, thanks to the U.S. government’s Sarbanes-Oxley Act and Statement of Auditing Standards (SAS) No. 99. Occupational fraud, however, still represents a significant business risk that must be mitigated. Effective fraud detection and prevention bolsters the bottom line by minimizing potential revenue leakage through under-the-radar activities.
In this case, I’m defining occupational fraud as asset misappropriations (revenue skimming, inventory theft, payroll fraud), corruption (kickbacks, conflicts of interest), and fraudulent financial statements. Of these three categories, 90% of fraud is due to asset misappropriations, with an average median loss of $150,000 (according to ACFE’s “2008 Report to the Nation on Occupational Fraud and Abuse”). Finding fraud, however, requires both skilled practitioners and specialized technology.
The CAE can help the board promote a culture of compliance by regularly monitoring key fraud indicators related to employee transactions, such as testing payroll, travel and entertainment expenses, and corporate credit cards. A battery of targeted audit analytics can test controls and identify overrides for further investigation.
In turbulent times, CAEs must clearly articulate the value of internal audit to both the audit committee and the board as a whole. The CAE should present to the audit committee – through a clear audit charter – a compelling strategy of “technology as an enabler.” With comprehensive analytics and real-time continuous monitoring, internal audit can more effectively support the audit committee’s critical governance work, providing the organization with a higher degree of assurance. Now, more than ever, that’s a valuable proposition.
David Chiang, CA.CIA, ACDA, CMC, is a recognized professional on the use of audit analytics to monitor organizational compliance. He has presented his theories and case studies at numerous internal audit and system control conferences throughout North America. He is the board chair of a large university college, and has held various governance roles as a member of several audit committees including that of a billion-dollar community organization and smaller non-profit societies.
As a Chartered Accountant, Certified Management Consultant and Certified Internal Auditor, David has extensive experience in analysis, fraud, detection, and system integration consulting. He is currently General Manager and Director, Professional Services with ACL Services Ltd. – a Vancouver-based software company that provides audit analytic technologies to the Governance, Risk and Compliance market.
David is a member of the Institute of Internal Auditors (IIA), Canadian Association of Management Consultants (CAMC) and Canadian Institute of Chartered Accountants (CICA). He was twice elected to the Council of the Institute of Chartered Accountants of BC (ICABC), which is responsible for the governance of the accounting and audit profession in BC. He currently serves on the ICABC Professional Conduct Enquiry Committee and Rulings Committee. www.acl.com
The opinions, beliefs and viewpoints expressed by the various authors and forum participants on this web site do not
necessarily reflect the opinions, beliefs and viewpoints of AuditNet®