AuditNet Ask the Auditor Forum

Best Practices

Question: I'm the internal auditor of a mobile telecommunication company. Could you advise me on the best practice in auditing the Call Centre (customer service) of a mobile telecom?

Response: There are several audit programs in the AuditNet® audit programs section covering call center audits. I suggest you network with other telecommunication companies' internal auditors and ask them for assistance on auditing call centers. They may have done work in this area that has not been shared on AuditNet® (meta information resources are sometimes the best path to answers for difficult questions). Finally, check the following sites which contain a wealth of information on best practices for call centers. (If you develop an audit work program please share it with AuditNet®.)

Question: Where can I find best practice information for work flow process for a skilled nursing facility (SNF)? I am looking in particular for donations, pledges, recognizing revenue, and pharmacy (Medicare-D).

Response: You should begin by defining the objectives, purpose and scope of your audit. Best practice information for specific industries or operations is sometimes difficult to find and you may have to develop your own by surveying facilities or finding a trade association. Many states have healthcare facility associations and that may be a way to develop a best practice benchmark for your audit.

When doing research on best practices it is important to look at the industry as well as the function. In this case you should approach it by looking at healthcare facilities as well as the specific areas mentioned: donations, revenue recognition, etc. For industry best practices I suggest looking at healthcare associations and government agencies. They usually have best practices for areas such as patient care, professionals per patient, etc. For the other areas I would recommend researching each individually, such as pharmacy best practices, Medicare best practices, etc. In many cases functional area best practices cross industry sectors.


I did a search using Google and found the following:

http://www.cms.hhs.gov/snfpps/08_bestpractices.asp

http://www.medpac.gov/publications/congressional_reports/Mar04_Ch3C.pdf

http://www.oig.hhs.gov/authorities/docs/cpgnf.pdf

Question: Is it a best practice for the auditors to be evaluated by the client/auditees after each audit engagement, considering that this evaluation is included in the balanced scorecard?

Response: There are many different approaches to evaluating staff performance on projects and questionnaires represent one alternative. If you are using the balanced scorecard management system for evaluating performance then IMO it would be a best practice for a client evaluation of the audit project team. There are sample satisfaction surveys available from AuditNet® that demonstrate different types of questions that could be included in a questionnaire.


Question: I have had some push back from management regarding the necessity of submitting receipts for travel charged on the corporate AmEx cards. Management and sales employees have AmEx cards for travel that are billed directly to the company. Reports of each card holder's spending are reviewed monthly by the regional controllers. What is your opinion as to whether or not receipts should be submitted to support the charges?

Response: There are varying opinions on the necessity of providing receipts in support of travel charges. The first thing to determine is the organizational policy for this issue. I have seen the gamut from no receipts to including receipts for all expenditures over a certain dollar amount. Perhaps you should find out the policy followed by other organizations within your industry sector. The question revolves around the exposure and risk that management is willing to accept that employees will exercise sound judgment for travel expenses. Travel expense reports should require the employee's signature and evidence of supervisory review and approval. If the employee is provided an AmEx (or other type of corporate credit card) and does not have to submit a travel expense report then perhaps the regional controllers should be documenting their approval of the card holder's expenses by signing the credit card statements (accountability). While employees may not have to submit receipts they should be required to retain receipts and other documentation for audit purposes. It may be possible to restrict card usage to only those categories authorized by management. Some corporate card programs allow for charges only to authorized merchant category codes. If you suspect that employees are "padding" their travel expenses or charging items not authorized by your policy then perhaps an audit is warranted. There are several audit programs in the AuditNet inventory for auditing this area.


Question: I am the Head of Internal Audit (Risk Management Dept) and was authorized to open envelopes for sealed bidding. Purchasing procedures are not complete because they lack internal controls. What are the internal controls in bidding? What is the role of an internal auditor in the bidding process?

Response: Internal auditors are responsible for evaluating controls and should not be involved directly in any line function such as the procurement process. The role of the internal auditor would be to review the integrity of the bidding process. This would be primarily a review of compliance with the organization's competitive bidding procedures. Internal audit's active participation in the bidding procedure would be a potential conflict of interest. Should the bid process be compromised and challenged by one or more vendors, the auditor would be precluded from auditing this area.

Following are some internal controls in the bidding process:

A formal bidding process should be open and fair, encourage competition, and provide the purchasing entity with the best product at the lowest possible price.

  • Develop a checklist for the review of various requirements for formal bids, including insurance, bonding, specifications, and evaluation and award. The person responsible for ascertaining the requirements, as well as the person performing the supervisory review, should sign and date the checklist.
  • Establish a system to monitor compliance with the bid tabulation procedure, including the rules and controls for accepting bid changes after the bids are opened.
  • Develop and implement an effective filing system for bid files, including (1) a consistent numbering system, (2) an indexed and consistent arrangement of bid file contents, and (3) a checklist indicating the types of documents each file should contain.
  • Require that all purchase specifications clearly state the bid evaluation criteria and ascertain that the staff use only the evaluation criteria included in the purchase specifications.
  • Criteria for bids should be laid out in the request for proposal.
  • A formal bidders' list should be maintained.
  • Bid tabulation sheets should be prepared.
  • Bids should be opened and recorded by someone not involved in the bid evaluation process.
  • Retain the bid envelope, which shows the dates and times of bid receipt and opening, and file it with the other bid documents.

For more guidance check out the State of Arizona's audit program for bidding.

For additional guidance check out David McNamee's Auditing the Purchasing Function.


Question: Our IA department is currently focusing on improving our internal MIS and measurement procedures. As part of the project, we are looking to implement a technology solution which will effectively document, distribute and track audit findings. Could you provide insight into the tools/systems/solutions available that are currently being used in practice by internal audit departments to do this?

Response: Documenting, distributing and tracking audit findings is a common dilemma for audit departments. Many audit departments have formalized procedures for tracking audit findings. One example is East Carolina University's Audit Tracking System. Protiviti KnowledgeLeader, a fee-based subscription service, also has excellent information on audit tracking options.

There is audit management software that can automate this process. The following audit software vendor products include solutions for tracking audit findings:

Most audit automation solutions now include functionality for tracking issues. AutoAudit and TeamMate both offer web-based issue tracking modules which allow the auditees to go to a website, log in, and then see any outstanding issues they have. The auditee can then document their progress against the recommended action and mark the issue as ready for audit review. Auditors receive e-mail notification that an issue is ready for their review. They can then verify it and close the issue. Paisey Consulting sells their Issue Track product as a stand-alone module if you do not wish to buy the complete AutoAudit system.

AuditLeverage offers follow-up tracking capability, and Galileo Software allows auditors to track recommendations and findings, provides optional on-line input of management clearance by auditees, tracks status and progress of reports, and forwards recommendations by e-mail.


Question: I am an internal auditor and have been asked to review the network logging procedures for adequacy. What kinds of things should a company log and review?

Response: This is a difficult question to answer as asked because network logging does not have a specific definition. What I suspect you are asking is related to audit trails of network activity which can mean many things - for example from the "topical" list -

  • Legitimate activity on an internal network - when they log in, what transactions they do, when they log out
  • Intrusion attempts - failed password attempts, attacks on specific ports etc.
  • Employee internet usage

Network logs in general act as "detect controls" and provide an audit trail for many events that take place in an IT system environment. Perhaps more important from a system security standpoint are the "prevent controls" for access to the system and transactions. 

The following was a response to a question posed in another forum regarding what should be logged in a networked environment:

  • System startup: are there multiple run levels? If so, system should record which level is starting in some way that a human can make sense of it
  • System shutdown: are there multiple modes of shutdown? Does the system have any capacity to send "oh my god i'm going down" messages in the case of an emergency crash or power loss? Are there distinctions between normal and abnormal shutdowns that can be differentiated in the logs?
  • File system full: including thresholds (default or user defined) – boy wouldn't it be nice if the logs "automagically" included the three (or however many) biggest culprits in terms of file size or space consumed by a directory or folder in an error message?
  • Hardware failures: power supplies, network interfaces, etc. I am relatively uneducated about hardware diagnostics, other than Cisco gear...
  • Logins: failed and successful; console, remote (what protocol if remote); anonymous account, unprivileged user account, privileged user account, including switches to other users (unprivileged, privileged) from user accounts
  • Account creation: failed and successful; adding new user ID, assigning rights and privileges to new user, adding password to new user
  • Account modification: failed and successful; assigning or removing rights and privileges, resetting password; privileged user or unprivileged user
  • Account removal: failed and successful
  • Account disabled: too many failed logins, account expired, etc.
  • Password/security information copied: failed and successful
  • System configuration change: failed and successful; including access control, network addressing, audit policy; who made change, what changed, from system kernel on out to user-level applications
  • Operating system patch applied: who applied patch, what system components changed, source of patch (?)
  • Network connections: failed and successful connection attempts; anonymous service, user-specific service, access to administrative tools or control connection; DNS zone transfers, etc.
  • Audit logs: failed and successful attempts to modify or clear audit logs
  • Object access: failed and successful attempts to read files, start or stop processes, etc (understanding that most organizations will not need or want this level of detail)

The SANS Institute Reading Room has the following articles which should also be reviewed by auditors interested in the subject of network logging:

  • System Administrator Security Best Practices - check under Monitor Your System Periodically
  • Event Logs: Defining Their Purpose in Today’s Network Security Environment
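As an added example (not code from the original forum response), the following Python script turns the logging checklist above into two checks an auditor can run over a log sample: which event categories have any evidence at all, and which entries warrant follow-up. The log lines, host name, user names, addresses and regex patterns are all constructed for this illustration; real syslog, auditd or Windows event formats differ and the patterns would need tuning.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Event categories from the checklist above. The regexes are constructed to
# match the sample lines below; real syslog/auditd/Windows formats differ.
CATEGORIES = {
    "system_startup":   r"boot complete|runlevel",
    "system_shutdown":  r"shutdown|poweroff|halt",
    "fs_full":          r"filesystem.*(full|threshold)",
    "hw_failure":       r"power supply|link down",
    "login":            r"sshd.*(accepted|failed) (password|publickey)",
    "priv_switch":      r"\bsudo: |\bsu\[",
    "account_create":   r"useradd",
    "account_modify":   r"usermod|passwd\[",
    "account_remove":   r"userdel",
    "account_disabled": r"account .*(locked|disabled)",
    "config_change":    r"(audit policy|firewall rule|ip address).*changed",
    "patch_applied":    r"(apt|yum|dnf).*(upgraded|updated)",
    "net_connection":   r"connection from|axfr",
    "audit_log":        r"auditd.*(cleared|truncat)",
    "object_access":    r"permission denied|access denied",
}

# Constructed sample log (host, users and addresses are made up): a normal admin
# session, a failed-login burst ending in a lockout, an audit-log wipe, a zone
# transfer and a firewall change.
SAMPLE_LOG = """\
2024-01-15T08:00:01 srv1 kernel: boot complete, entering runlevel 3
2024-01-15T08:05:12 srv1 sshd[812]: Accepted publickey for alice from 10.1.2.3 port 50122
2024-01-15T08:06:40 srv1 sudo: alice : TTY=pts/0 ; COMMAND=/usr/sbin/useradd bob
2024-01-15T08:06:41 srv1 useradd[901]: new user: name=bob, UID=1002
2024-01-15T08:07:02 srv1 passwd[905]: password for bob changed by alice
2024-01-15T09:12:10 srv1 sshd[950]: Failed password for root from 203.0.113.9 port 4400
2024-01-15T09:12:13 srv1 sshd[951]: Failed password for root from 203.0.113.9 port 4401
2024-01-15T09:12:15 srv1 sshd[952]: Failed password for root from 203.0.113.9 port 4402
2024-01-15T09:12:16 srv1 pam_tally2: account root locked after 3 failed logins
2024-01-15T09:30:00 srv1 auditd[300]: audit log cleared by user alice
2024-01-15T10:00:00 srv1 named[400]: AXFR request from 198.51.100.7 for example.test
2024-01-15T11:00:00 srv1 firewall: firewall rule set changed by alice
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")            # timestamp host message
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")

def parse(line):
    """Split one line into (timestamp, host, message); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, msg = m.groups()
    return datetime.fromisoformat(ts), host, msg

def categorize(msg):
    """Return every checklist category a message falls into (may be several)."""
    return {name for name, pat in CATEGORIES.items()
            if re.search(pat, msg, re.IGNORECASE)}

def coverage(log_text):
    """Count events per category and list categories with no evidence at all,
    i.e. where the auditor cannot tell whether logging is off or nothing happened."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            counts.update(categorize(rec[2]))
    missing = sorted(c for c in CATEGORIES if counts[c] == 0)
    return counts, missing

def review_items(log_text, burst=3, window=timedelta(seconds=60)):
    """Flag entries worth follow-up: audit-log tampering, account lockouts and
    repeated failed logins from one source inside a time window."""
    flags = []
    failures = defaultdict(list)          # source address -> failure timestamps
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        ts, _host, msg = rec
        cats = categorize(msg)
        for cat in ("audit_log", "account_disabled"):
            if cat in cats:
                flags.append((cat, msg))
        m = FAILED_RE.search(msg)
        if m:
            src = m.group(2)
            failures[src].append(ts)
            recent = [t for t in failures[src] if ts - t <= window]
            if len(recent) == burst:      # flag once, when the threshold is first hit
                flags.append(("failed_login_burst",
                              f"{burst} failed logins from {src} within {window.seconds}s"))
    return flags

if __name__ == "__main__":
    counts, missing = coverage(SAMPLE_LOG)
    print("events per category:", dict(counts))
    print("no evidence for:", ", ".join(missing))
    print("review:", review_items(SAMPLE_LOG))
```

A category with zero hits is the finding to take back to the system owners: either that event is not being logged or the sample is too short to show it, and the auditor cannot tell which.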


Question: I am looking for a best practice related to the segregation of duties for the actual testing performed during the SDLC process. For example, who should perform parallel testing? Can this person then perform other areas of testing or would this be a conflict of interest?

Response: The traditional SDLC is a structured step-by-step approach to developing systems that creates a separation of duties among IT specialists and knowledge workers.

Program developers, however, should be segregated from program testers, and each of their activities should be conducted on “test” data only. This will assist in ensuring an independent and objective testing environment without jeopardizing the integrity of production data.

So, in answer to your question, as long as you separate program test personnel from program development personnel you would have an adequate segregation of duties. The individuals that developed the system should not be testing the system.

For further information on this subject from the SANS Institute click here. For a general IT controls questionnaire from Maricopa County Internal Audit click here.


Question: When a customer's bank statement is returned to the bank with a yellow sticker indicating that the customer is now at a new address, what is the best procedure that should be in place to gain the customer's approval for the address change?

Response: The following are responses received by posting the question on the Audit-l listserv discussion forum:

The bank should contact the customer and reconfirm the details of the new address. This could be accomplished by sending a letter to the customer at the "previous address". No statements should be sent to the 'new' address based on the address change from the post office. Send a letter of notification to that address asking the customer to please contact the bank to properly change the address. (This address change could be done over the phone using the standard verification methods of a pass-phrase, SS# or other such thing.)

Until the customer contacts the financial institution, all statement information should be stored in a controlled area. The risks are:

1) You don't want to make it easy to change the address and forward a customer's financial information into the wrong hands.

2) You don't want 'inside' employees to be able to gain knowledge of those customers that were not currently 'watching their accounts' (for obvious reasons).

If contact with the customer is not re-established after a short period, the accounts should be 'locked down' and rolled into the standard escheatment process.

Another solution provided by a bank auditor is as follows:

First check the contents of the statement to see if the customer changed the address line on any checks written to merchants and, if this agrees with the yellow label, change the address on the system. Mail the customer's statement to the new address along with an address change form. If there is nothing in the statement to support the yellow label address, mail a change of address form to the customer at their OLD address for completion. The address on the system is changed to show returned mail. Hold the bank statement in a secured file until a new address change is received. After a year of holding statements, they are destroyed, knowing that a new statement can be created through our imaging.


Question: Can you please recommend some sites and/or resources that specifically address global coverage assurance? We're looking for best practices that may give us some guidance on how to structure our department to efficiently, economically, and effectively execute international audits.

Response: Here are some sites we found that you should contact for more information about how they structure their departments:

  • Sara Lee Corp (best looking data!)
  • Time Warner (outsources global audit services)
  • Ryder & KPMG

You should also check out the IIA's GAIN (Global Auditing Information Network). They compile best practice and benchmarking for auditors. They may be able to help on structuring your department for the environment you are in.

Visit global company Web sites and search for this type of Internal Audit information. See the Fortune Global 500 list to use for this.

Finally visit Andersen's Knowledgespace Internal Audit. This is a fee-based subscription site but AuditNet users can sign up for a free 30-day trial. A search on "global audit" turned up articles on Daimler Chrysler, Citigroup and profiles of audit executives from 16 leading companies.


Question: I am looking for best practice information on promotional spending for the household appliances industry. I am looking for suggestions on controls and best practices in such areas as:
1. Source rebate credits (coop advertising)
2. Advertising subsidies
3. Customer promotion subsidies (such as 0% financing or free delivery or cash rebate promotions or coupons)
4. Brand building subsidies
5. New product launches
6. Other marketing support (point of sale brochures, merchandise books, etc.)
7. Display allowances
8. Volume rebates

Response: You should network with other auditors in the household appliance or retail industry. Contact the IIA for industry groups or other auditors that work in this sector. Use Internet meta-information to locate other auditors in the retail sector that could provide helpful information and best practices.


Question: We are in the process of preparing an internal audit manual for a divisionalised manufacturing company. Business activities are divisionalised but financial accounting is done at central level. Could you suggest a structure for the manual?

Response: There are numerous examples of audit manuals available on the Internet.


Question: I am looking for best practice information on inventory management and controls for inventory at third parties. I have read the inventory work programs, but am looking for more detailed suggestions on controls, such as reconciliation, physical inventory confirmations, etc. Thanks.

Response: KnowledgeSpace would be the best starting point for policies, procedures and controls for outsourcing. This is a fee-based subscription service but they offer a free 30-day trial. I also found this article from Andersen's site on outsourcing strategy which may help. There is a report entitled Best Practices in Managing the Outsourcing Relationship which could also be useful. The Procurement and Supply Chain Benchmarking Association is another possible source for information.


Question: Is there an online special interest group (or something similar) where auditors can share experience and good practice relating to the audit of SAP R/3?

Response: There is an SAP User Group site on the Internet at http://www.asug.com/. There is an International SAP Users Audit forum. Contact hans-dieter.scheuermann@sap-ag.de for information. There is also a site at http://isds.bus.lsu.edu/cvoc/learn/bpr/mprojects/bp/bpsap.html that covers best practices for SAP.


Question: I am currently doing an Accounts Payable Review and I am trying to find out what dollar amount of checks requires a managerial approval. Currently the policy here is $10,000 but we were thinking of recommending changing it to $15K or $20K. What is the $ threshold at other companies?

Response: A threshold dollar amount should be established that requires two signers for all checks that meet or exceed that threshold. Requiring two signatures helps to reduce potential fraud by insiders and makes it more difficult for outsiders. Every organization within a particular industry has a different risk tolerance level, which therefore makes it difficult to say what the threshold should be at your organization. You should therefore survey other organizations within your industry to find out what levels exist and then confer with management as to their risk tolerance comfort level.


Question: What resources/publications are available to assist with identifying the internal controls for community banks in regards to repossessing collateral (assets) within the lending function?

Response: The Financial Managers Society has 228 audit programs available for purchase. There is one specifically for Consumer Loan Losses & Repossessions (https://www.fmsinc.org/lkk.htm). You might also try the FDIC Resources for Bankers (http://www.fdic.gov/regulations/resources/index.html). The Office of Thrift Supervision Compliance Handbooks (http://www.ots.treas.gov/pagehtml.cfm?catNumber=42) may also help.


Question: My organization is trying to formulate a Fraud Prevention plan. We would like to benchmark with the best practice and were wondering if you would share what you have in this regard?

Response: The Independent Commission Against Corruption has a Practical Guide to Corruption Prevention. Also the Commonwealth of Australia has Fraud Investigation Model Procedures, a Best Practice Guide for Commonwealth Agencies.

There are links to fraud policies available as well on the AuditNet site. Go to the AuditNet Library and look under Fraud Resources.


Question: What are the best practices in the audit trails on a computer application system?

Response: Click here.


Question: What is corporate governance?

Response: Click here.


Question: What are the best practices in the leather industry? Especially in the case of a manufacturer of leather footwear?

Response: Click on the link to an article on Best Management Practices in the Leather Industry, which you can purchase from the Journal of the American Leather Chemists Association.


Question: I am setting up a new internal audit division in a disk drive manufacturing company. Please advise the necessary steps required: e.g., setting up an audit committee, committee charter, internal audit charter, writing of an audit manual, etc., as they are all quite new to me. Any useful links and comments/advice for each step are very much appreciated.

Response: You're in luck.

Need more? Then click here.


Question: Why the transition from a systems-based to a risk-based audit approach? Implications for modern auditing?

Response: Click on the link for a review of IIA-UK Professional Briefing Note 13 - Managing Risk, which contains a good discussion of the subject.


Question: Management is asking our Audit Department to rate the auditee in the audit report, such as Excellent, Average, or A, B+, etc. Can you give me references?

Response: Click here.


Question: Examples of report writing for audits.

Response: Please click here for a discussion of the format of our audit reports, which includes a sample report.


Question: I have been assigned to research internal audit's best practices and I am having trouble finding information. Could you please give me some websites to check out?

Response: Check these out:


Question: Our firm is expanding into internal control evaluation engagements and trying to find authoritative guidance. We are questioning if we should perform the evaluation under a consulting engagement, agreed upon procedures, or attestation engagement. What is being done in the market place? Suggestions?

Response: Here are some resources that may help you:


Question: What is corporate governance?

Response: Click on this link: Corporate Governance.


Question: My fellow auditor and I have been assigned to research the topic of Audit Project Management with the objective to identify possible process/product improvements. We have read and extracted relevant material from some project management and time management books. Is there any information or advice which you or other readers can share with us to guide us? There also seems to be a new article "15 ways The Internal Audit Department can Add Value" on the iiajamica.com website but it cannot be accessed as of now. We will greatly appreciate feedback and advice.

Response: A good internal auditing book, such as Sawyer's Internal Auditing, The Institute of Internal Auditors, 4th Edition, 1996, will provide information regarding audit project management. For a more thorough treatment of the general subject of project management, the Project Management Institute has published A Guide to the Project Management Body of Knowledge that covers generally accepted best practices related to project management. Knowledge areas covered include:

  • Project Integration Management
  • Project Scope Management
  • Project Time Management
  • Project Cost Management
  • Project Quality Management
  • Project Human Resource Management
  • Project Communications Management
  • Project Risk Management
  • Project Procurement Management

To obtain a free copy of this document in PDF format, just click on the above link.


Question: Should each member of an Internal Audit staff be evaluated to determine if they are performing value-added activities? How do you identify value-added activities from the "non value-added" activities? Or is value-added more of a high level departmental approach that will trickle down to make everything the department is doing value-added?

Response: For a discussion of value-added internal auditing, see the following question. As far as evaluating members of the audit staff, Standards for the Professional Practice of Internal Auditing, No. 540, require that each internal auditor's performance be appraised at least annually. In addition, the Standards require that internal audit management provide counsel to internal auditors on their performance and professional development.

Of course, to evaluate each internal auditor, management and the auditor should jointly establish realistic goals for the auditor that are in line with and contribute to the value-added goals of the department. To ensure internal auditors are performing "value-added" activities, they must be evaluated against goals that are also value-added.


Question: Define value-added internal auditing.

Response: A revised definition of internal auditing was recently approved by The Institute of Internal Auditors (IIA) Board of Directors. This new definition clearly reflects the dramatic changes that have occurred in the profession over the past decade. It describes the services that forward-moving, visionary auditing departments are currently providing.

The new definition, developed by The IIA's Guidance Task Force and Internal Auditing Standards Board with input from IIA members around the world:

Internal auditing is an independent, objective, assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve effectiveness of risk management, control, and governance processes.

As contrasted with primarily financial and compliance-oriented auditing of the past, today's internal auditing is vibrant, diverse, and broad-based. It serves as a proactive, value-added management function that embraces a multitude of responsibilities. Internal auditing is vital to the organization in its role of protecting shareholder value by delivering accurate and reliable information and service to management, the board, and the audit committee.

As noted by KPMG Peat Marwick, one of the Big 5 public accounting firms, to facilitate this evolution, leading internal audit organizations have increased their focus on five important areas of internal auditing:

  • Audit customers - Develop a value-added customer focus that will drive the internal audit function.

  • Communication strategies - Use communication strategies that improve audit reports as well as motivate knowledge sharing and organizational learning.

  • The audit process - Reengineer the internal audit organization to continuously improve the audit process.

  • Professional characteristics of internal auditors - Ensure that internal auditors have traditional and nontraditional audit backgrounds.

  • Technology that can enhance the audit process - Integrate technology into all aspects of the audit process to increase effectiveness and efficiency.

By concentrating on these five areas, internal auditors can bring more value to audit customers and create more significant and lasting improvement in business process performance.


Question: Our audit reporting expects us to give a quantitative assessment of the audited department in percentage terms, say 60%. What are the likely quantifiable yardsticks for doing this?

Response: The best quantifiable yardstick would always be the audit objective(s) and scope. For example, if my audit objective was to ensure people in a department were being paid correctly, I could test 100% and give the department 100% if I found no errors. Unfortunately, I do not believe such a system is really meaningful unless you have very specific objectives.

Consider a full scope audit consisting of Compliance, Accomplishment of Program Objectives, Reliability and Integrity of Information, Economy and Efficiency of Operations and Safeguarding of Corporate Assets. Each audit area could have a multitude of objectives, some could be more general in nature. For example, in the compliance area, if I were responsible for complying with 10 significant laws and I only comply with 9, do I get 90% or 0%? (Company management may insist on nothing less than full compliance with the laws.)

I am not aware of any audit departments using the quantitative % method described, but there are audit departments that assign letter grades (A, B, C, etc.) or other capsule ratings (see next paragraph). I would be cautious about assigning a quantitative "grade" to your assessment of an audited department's activities. Although it can be done, the audit team's subjective judgement is still required. For example, you could assign a percentage and mathematical weight to each of the department's activities audited. Compute the weighted average and come up with an overall percentage. Of course the percentage and weight assigned to each activity are subjective.

Larry Sawyer, in his book, Sawyer's Internal Auditing, gives the following example of capsule ratings or grades:

  • Excellent - No deficiencies (A)
  • Good - Relatively minor deficiency (B)
  • Fair - Relatively major deficiency (C)
  • Poor - More than one major deficiency (D)
  • Unsatisfactory - Failure to accomplish major missions of the activity (F)


Question: I am a pioneer auditor of a new bank. How can I enrich my audit report? I will appreciate a sample departmental audit report.

Response: Audit reports are our most important product. Over the years our audit reporting process has gone through several changes, as we continually seek to improve the process. Please click here for a discussion of the format of our audit reports, which includes a sample report.


Question: How can our internal audit department improve service to our auditees?

Response: One way is to think of them as your customers. You need to develop a strong customer focus in planning and performing your audits. Ask for feedback before, during and after an audit. For example, you could send them a short questionnaire after completing the audit, in which they would rate the quality of the audit in a number of areas, including communications, conduct of the audit team, audit process, results, reporting or other important areas.

It's critical that when you ask for feedback, you follow up and address any areas needing improvement.

Disclaimer

The Ask the Auditor question answers highlight general information on a particular matter and are not exhaustive reviews of such subjects. Accordingly, the information in this website is not intended to constitute legal, accounting, tax, investment, consulting, or other professional advice or services. Before making any decision or taking any action which might affect your business or personal finances, you should consult a qualified professional advisor.