Hard-pressed by bearish markets and skittish customers, many businesses in the throes of an uncertain economy continue to tighten their belts while keeping a wary eye on sales orders, revenue trends, inventory levels and countless other factors likely to affect the course of their performance.
Looking at internal operations, companies seek to identify cost savings and protect working capital and profitability. In some organizations, the pressure to reduce costs extends to the internal audit department. Fortunately, based on informal surveys from recent audit conferences ACL has attended, this seems to occur in a minority of cases. Many organizations recognize that reducing internal audit resources is risky in times of uncertainty. However, not all organizations recognize the significant value add that internal audit can provide.
There are two immediate things internal audit can do to demonstrate the high impact it has on the organization:
- Help the business find instances of fraud, error, abuse and leakage that negatively impact the bottom line.
- Demonstrate the value it adds in measurable terms. As a consequence, internal audit is less likely to be subject to resource pressures and potential downsizing and can continue to perform its role of providing assurance while adding value.
In recent times, we have encountered many instances where internal audit departments make significant quantifiable contributions to their organization’s performance. By testing all the transactions that flow through a particular system, internal audit can identify specific instances of error, abuse, inefficiency and fraud. In many cases, the funds can be recovered and the control system fixed to prevent similar problems from resurfacing.
One government department, the British Columbia Ministry of Finance, is on record as saving CAD$20 million a year for the last three years as a result of ongoing analysis and testing of its purchase-to-payment cycle.
In another example, a telecommunications company discovered that its billing system was not working correctly: not all calls were being billed at the correct rate, and in some cases, certain types of switch transactions were missed altogether. By fixing the problem, the organization was able to immediately increase revenues by many hundreds of thousands of Euros, an impressive ROI for the amount of work involved.
Internal audit is, of course, defined by The IIA as “an independent, objective assurance and consulting activity designed to add value to an organization’s operations.” The current challenge is how to most effectively combine the assurance and value-add components.
The question is often where to start in terms of the greatest potential value-add. The area that is likely to provide the best return varies according to the organization, but it is clear that certain business process areas are particularly prone to control problems, especially those involving high-volume transactions and complex distributed systems. Most internal audit departments find the largest returns within the purchase-to-pay cycle, the use of procurement cards and in the revenue cycle.
The Key to Providing Value and Greater Assurance
So how do internal audit departments produce such benefits to the organization? As many surveys and reports from the profession during the past few years have shown, it is through the use of technology – specifically data analysis technology.
Traditionally, internal audit has looked at controls that appear to be in place and performed a walkthrough to review a sample of documentation and control evidence and assess whether the controls appear to be effective. But the crucial point with data analysis is to use it to examine every transaction that flows through a system and test it to make sure it is in compliance with the control that should be in place. Under such an approach, internal audit is in position to glean specific quantified insight on the dollar impact of, and risk associated with control failures. This means identifying, for example, out of the total number of records processed in a given period, how many transactions were in error because of duplicate payments or at risk of fraud because of attempts to circumvent the system and get around purchasing order approval limits.
Another key benefit of using data analysis to examine 100 percent of transactions is to determine whether something’s happening within a business cycle that no one had anticipated when designing the control systems. This can be a major flaw in the traditional controls-based audit approach – since it is based on the premise that all necessary controls have been identified in the first place. It is often the case that by examining what has actually occurred, the auditor realizes there are aspects of the system that had not been taken into account and for which no specific control had been designed. Not finding any significant issues allows audit to move forward with confidence. By the same token, if analyzing transactions in an inventory system uncovers discrepancies between inventory and billing records, that red flag is a good indication of a problem. The result of using data analysis is not only finding quantified instances of error but also gaining a higher level of assurance than can be gained through traditional procedures.
In order to determine whether controls are working effectively, as well as to support cost savings/cost recovery initiatives and pinpoint key areas of risk, we recommend development and processing of a comprehensive suite of analytical control tests to support given areas. It is the combination of transactional and statistical analysis that provides the greatest level of insight into the integrity of business activity.
The Risk of Fraud
Consider the role of data analysis specifically as a means of detecting and ultimately preventing fraud. The propensity for fraud increases during times of economic turmoil.
The Association of Certified Fraud Examiners (ACFE) reports the amount an average organization loses due to fraud ranges from six to seven percent of annual revenue – a number that has increased during the past five years. A recent survey by the association titled “Occupational Fraud: A Study of the Impact of an Economic Recession” also shows that the majority of respondents have recently experienced an increase of fraud within their organization, and they expect this trend to continue through the next 12 months.
This is not surprising in an economic environment where some employees are suffering dramatically increased personal financial pressure. Nor is it surprising in an organization that has gone through downsizing and budget cutbacks. Reduced personnel and resources often mean less oversight, less segregation of duties and weaker control systems overall.
If the ACFE report statistics are close to being accurate, the amount of loss due to fraud is staggering. If the risk is now greater because of the economic downturn, then even a relatively small reduction in fraud will lead to significant improvements to an organization’s bottom line. There is of course, a cost to establishing an effective fraud detection program based on transactional analysis and continuous auditing. The cost includes that of people’s time in establishing and performing analysis processes, as well as technology. But the total of these costs is almost always going to be a small fraction of the cost of fraud itself.
Consider the Benefits
It is not hard to build a business case for the use of data analysis as an integrated part of the audit process. Analytic procedures, whether one-off or applied continuously, often provide a sizeable positive quantifiable return in a short period of time. Then there is a larger ongoing return that can be harder to quantify. This is based on the assumption that when transactional errors are found, the control system can be improved to prevent the exception from occurring in the future.
A simplistic way to quantify the ongoing benefit may be to calculate the Net Present Value (NPV) of the most likely ongoing stream of errors that would have occurred. But who knows how much the error may have grown or how much the control deficiency may have been exploited by employees, vendors or customers. There is also the value gained from avoiding fines in areas where regulatory compliance is an issue. As some recent events have shown, the size of such fines, for contravention of the Foreign Corrupt Practices Act for example, can be dramatic.
Another issue to consider is the potential damage to the organization’s reputation that may arise should a control problem escalate and become known to the media.
One benefit that we hear about from time to time is the somewhat intangible, but valuable, use of transactional testing analytics, particularly when performed on a continuous basis, which can create a positive shift in culture. When it becomes evident that audit is able to examine transactions in a broad range of ways, the response of business departments is often to take controls and the risk of error and fraud a lot more seriously.
Finally, there is the value of increased assurance gained by the CAE, by the audit committee, the CFO and the CEO. Perhaps this is the hardest benefit to quantify, but it may be the one that provides the strongest business case of all.
A Call to Action
In spite of the overwhelming and consistent view of the profession that data analysis should be an essential part of the audit process, only about a quarter to a third of internal audit organizations have made real progress and embraced the analysis, continuous auditing and monitoring techniques discussed here. By taking such an approach, internal audit can elevate its profile with management, prove the size of the contribution it makes to the financial success of the organization and deliver a higher level of assurance to all stakeholders. Rather than being tempted to simply bunker down and ride out the economic storm, internal audit has a great opportunity to make a difference here and come out of the recession with a newfound recognition as a department that provides real insight into the integrity of business activity.