How to Increase the Value-Added Portion of Internal Audits and Acceptance of Recommendations

October 16, 2020
As most internal auditors will agree, auditors should strive to provide value-added recommendations to every audit client. This will demonstrate to management that the resources allocated to internal audit are well spent, particularly now with the tight budget environment resulting from the pandemic. The bigger question is how to balance potentially fewer resources with compliance-type matters that need to be audited at most institutions. Below are a few simple suggestions to get started. Keep in mind, preventative controls provide lasting value and are generally more reliable than detective controls.

System Access and Segregation of Duties

Reviewing access to key information systems is required by Sarbanes-Oxley; however, many institutions of higher education and non-profit organizations may not have formal policies that require such reviews. Consequently, the business functions at these organizations may not focus on reviewing system access and may inadvertently increase the risk of fraud. This risk provides an opportunity for internal audit to discuss the need for periodic reviews of system access.

Simply having a business user review a system access list to verify all users are current has limited value to an organization. The access review should evaluate the permissions granted for each user to determine whether they are in line with current operational requirements and identify possible conflicting access rights. It is possible that the business user (e.g., department manager) may not know how to interpret the system access reports; therefore, it is helpful to have a representative from the Information Technology (IT) group included during these reviews. The IT professional will also be able to answer technical questions, such as which access permissions may be removed, as opposed to predefined roles that cannot be separated.

When working with business users, access permissions that would create a segregation of duties conflict can be defined and easily identified. The auditor should be prepared to provide a few examples of conflicting roles that should be avoided to start the conversation. A few examples of conflicting rights within cycles include:

  • Disbursement Cycle – Approving payments and recording the disbursement
  • General Ledger Close (Financial Reporting) Cycle – Ability to record post-closing or manual journal entries and opening or closing an accounting period
  • Accounts Receivable (AR)/Revenue Cycle – Approving AR write-offs and recording the write-off transactions

In certain instances, granting access permissions might be necessary to cover for vacationing employees. Access should be limited to the vacation period and then removed.

If the auditor agrees that it would not be possible to separate the conflicting roles due to limited staff or system restrictions, the need for strong monitoring controls is critical. It would be helpful to obtain exception reports that highlight when the conflicting duties occur (e.g., approving and writing-off accounts receivable) so that these items can be monitored. Allowing conflicting roles to exist without strong monitoring controls increases the risk of errors and fraud. 
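As an added illustration of the three checks just described (conflicting rights within a cycle, temporary grants that should have been removed after the coverage period, and an exception report over transactions where conflicting duties were actually exercised), here is a small Python access-review script. It is not code from the article or its author; the permission names, user ids, dates and transaction ids are all constructed for the example, and the conflict pairs are taken from the three cycles listed above.

```python
from datetime import date

# Conflicting permission pairs per cycle, taken from the article's three examples.
# Permission names are assumptions for this illustration, not from any real system.
SOD_CONFLICTS = {
    "Disbursement": ("approve_payment", "record_disbursement"),
    "GL Close": ("post_manual_je", "open_close_period"),
    "AR/Revenue": ("approve_ar_writeoff", "record_ar_writeoff"),
}

# Constructed sample access list: what the system currently reports for each user.
ACCESS_LIST = {
    "amartin": {"approve_payment", "record_disbursement"},
    "bchen": {"approve_ar_writeoff", "record_ar_writeoff"},
    "dpatel": {"record_ar_writeoff", "post_manual_je", "approve_payment"},
    "rkim": {"post_manual_je", "open_close_period"},
}

# Constructed register of temporary grants (e.g. vacation coverage) with agreed end dates.
TEMPORARY_GRANTS = [
    {"user": "bchen", "permission": "record_ar_writeoff", "end": date(2020, 8, 21)},
    {"user": "dpatel", "permission": "approve_payment", "end": date(2020, 10, 30)},
]

# Constructed transaction log for the monitoring control: who approved and who recorded.
TRANSACTIONS = [
    {"txn_id": "WO-1001", "cycle": "AR/Revenue", "approved_by": "bchen", "recorded_by": "dpatel"},
    {"txn_id": "WO-1002", "cycle": "AR/Revenue", "approved_by": "bchen", "recorded_by": "bchen"},
    {"txn_id": "PAY-2001", "cycle": "Disbursement", "approved_by": "amartin", "recorded_by": "amartin"},
    {"txn_id": "PAY-2002", "cycle": "Disbursement", "approved_by": "amartin", "recorded_by": "dpatel"},
]


def find_sod_conflicts(access_list, conflicts=SOD_CONFLICTS):
    """Return (user, cycle) pairs where one user holds both sides of a conflicting pair."""
    findings = []
    for user, perms in sorted(access_list.items()):
        for cycle, (first, second) in conflicts.items():
            if first in perms and second in perms:
                findings.append((user, cycle))
    return findings


def find_overdue_temporary_grants(access_list, grants, today):
    """Return grants whose end date has passed but whose permission is still present."""
    return [
        g for g in grants
        if g["end"] < today and g["permission"] in access_list.get(g["user"], set())
    ]


def build_exception_report(transactions):
    """Return transaction ids where the same person approved and recorded the item."""
    return [t["txn_id"] for t in transactions if t["approved_by"] == t["recorded_by"]]


def run_access_review(as_of):
    """Run all three checks as of an ISO date string and return one dict for the workpaper."""
    today = date.fromisoformat(as_of)
    return {
        "sod_conflicts": find_sod_conflicts(ACCESS_LIST),
        "overdue_grants": find_overdue_temporary_grants(ACCESS_LIST, TEMPORARY_GRANTS, today),
        "exceptions": build_exception_report(TRANSACTIONS),
    }


if __name__ == "__main__":
    results = run_access_review("2020-10-16")
    for user, cycle in results["sod_conflicts"]:
        print(f"SoD conflict: {user} holds both sides of the {cycle} cycle")
    for g in results["overdue_grants"]:
        print(f"Overdue temporary grant: {g['user']} still has {g['permission']} (ended {g['end']})")
    for txn in results["exceptions"]:
        print(f"Exception: {txn} approved and recorded by the same user")
```

The conflict table is the artefact the auditor and business users agree on in the conversation described above; once it exists, the same script can be rerun each period so that the follow-up reviews are the less tedious exercise the article anticipates. The exception report is the monitoring control for cases where a conflict is accepted: it lists only the transactions where the conflicting rights were actually combined, which is what management needs to review.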

Defining the Value Added

Implementing a robust access review process provides value to the organization; however, this value may need to be clarified to senior management or the audit committee. One suggestion is to state the purpose and benefits achieved as part of an access review, which include:

  • Educating the business users about the need for periodic system access reviews
  • Educating the business users about conflicting access permissions
  • Providing a methodology to review system access in subsequent periods and correct any conflicting permissions
  • Improving access controls, which are key preventive controls
  • Monitoring controls, such as reviewing exception reports
  • Reducing risk of errors or fraud
  • Evaluating the risk of errors or fraud and considering these risks in future audits

The initial access review may be time-consuming, as possible conflicts must be defined and removed. Once the review is completed, subsequent reviews should be less tedious.

Review the Process, Not Just the Results

A second area to consider when planning audits is conducting a walkthrough of the key process steps to identify nonexistent or ineffective controls. Again, this may add time to the project, but consider which audit tests add value to the institution, such as the following:

  1. Reconfirming the accounts receivable balance is accurate
  2. Identifying possible breakdowns in controls, possibly due to having segregation of duties issues (as described above)
  3. Identifying where data needs to be re-entered into the system, a manually intensive process that is subject to more errors

All these tests are important to the organization; however, external auditors confirm the accuracy of the accounts receivable balance, if material. Accordingly, the value of re-testing the accuracy of the balance is limited unless there is a reason to believe the processes or technologies supporting these accounts have changed since the last review. Identifying key potential control breakdowns in item number 2, or the need for possible process improvements in item number 3, would deliver more value to the organization. In addition, the auditor would likely be viewed more as a business partner by senior management.

Document the processes along with the related controls, or missing controls, that support the accounts receivable balances. The choice of using a flow chart or a process narrative depends on the skills of the auditor and the preference of the process owners. The following are a few suggestions for documenting processes:

  • Start at the beginning of the process to determine if the original data inputs are automated or paper-based
  • Interview the staff members who perform the various tasks
  • Plan to flowchart the key activities to visually organize the presentation (this often discloses control exceptions that may not otherwise have been apparent)
  • Request and review examples of the processes performed and get copies of screen shots/other documents to verify that all key process steps are documented
  • Inquire how exceptions are handled, as these processes may be very different from routine transactions
  • Ask process owners what causes the exceptions and how to prevent them (process owners have a wealth of knowledge and their input can be helpful in developing recommendations)
  • In all the above steps, confirm internal audit’s understanding by submitting draft memos, spreadsheets, and flow diagrams to management for accuracy
  • Once the observations and recommendations are summarized, ask the process owners to help quantify the non-value-added time spent re-entering data or correcting processing exceptions, which may help make the case for management if additional resources are necessary to improve the process

Reviewing and documenting the process flow along with the related controls provides value to the organization. When reporting to management or the audit committee, give process owners credit for taking the time to collaborate with the audit team. Lastly, confidently explain process improvements and time savings resulting from internal audit’s recommendations.


About the Author

Joseph Iannini

Joseph Iannini is the Executive Director of Internal Controls and Management Analysis at Fashion Institute of Technology in New York City. He is a Certified Public Accountant (CPA) and Certified Management Accountant (CMA) with more than 30 years of audit and consulting experience specializing in process reengineering and improvement. Previous employers include KPMG, ADP, Cytec Industries, Bard Medical Devices and CohnReznick. Joe is on the Board of the IIA North Jersey Chapter and a member of the Academic Relations Committee. In addition, he is an adjunct professor, teaching fundamentals of internal auditing and risk management. You can reach Joe at joseph_iannini@fitnyc.edu.
