This article covers the following seven processes for conducting internal audits comprehensively.
1. Preparing the internal audit charter
2. Identifying the “types of internal audits” in business/functional areas
3. Developing internal audit checklists for performing internal audits of each type
4. Carrying out S-O-D (Severity-Occurrence-Detectability) analysis
5. Assigning scores in a logical/rational manner to determine risk impact and risk likelihood/frequency
6. Developing a heat map to classify business activities as High, Medium or Low risk (abbreviated as H, M or L)
7. Methodology for developing a risk register to determine the frequency and priority of internal audits (3 activities in brief)
The closing section lists activities (including unethical ones) that can adversely impact the business.
Process 1: Preparing the Internal audit charter (16 activities)
A robust internal audit charter must include the 16 aspects listed in chapter 14 of my book (Amazon links below), such as vision and mission, quality policy, audit scope, auditors’ profile and team structure, report structure, Board presentation, and follow-up audits.
My book's title is “Profitability and Ethics - The key ingredients for business success”.
Paperback Amazon link: India
Amazon link: Global
As per the best practices, the Internal audit function should be independent, and the chief internal auditor (CIA) must report directly to the Board sub-
Process 2: Identifying the “types of internal audits” in business/functional areas (5 types of audits)
Based on this author’s experience, the following are the functional areas where internal audits must be conducted.
1. Commercial audits
2. Financial audits (conventional)
3. Technical audits
4. IT/ERP audits
5. Legal audits
The broad functional aspects covered in each are listed below and should be a part of the internal audit yearly calendar.
1. Commercial Audits in:
· Company’s sales depot/warehouse (already shown as an illustration in an earlier para)
· Marketing offices
· Authorized distributors, wholesalers, dealers, service providers or retailers
· Exports division
· Management consultancy
2. Financial Audits in:
· Sales & Marketing functions
· Materials management, Including Imports
· Finance and accounts functions
· Corporate Services function
· Production & assembly function
· R&D function
· Quality control function
· Human resource development function
· Administration function
· Management Consultancy
3. Technical Audits in:
· Manufacturing or assembly plants
· Outsourced assembly plants
· R&D/new product development division
· Quality assurance - receipt quality control
· Quality assurance - WIP and product quality
· Service headquarters
· Sales and service depots
· Dealer’s service-rendering workshop
· Vendor’s manufacturing plant or the job worker
· Construction project - site construction works
4. IT/ERP audits in:
· IT Infrastructure at Plants, Offices, warehouses/depots/sales outlets
· Server rooms/IT infrastructure Control room
· IT Security Policy & security infrastructure
· Outsourced software developers/service provider
5. Legal audits in:
· Legal and secretarial functions
· All manufacturing plants under company management, including outsourced plants
· Corporate office and all other types of offices
· Sales depots and warehouses under company management
· SEZ operations.
Process 3: Developing internal audit checklists for performing internal audits (18 sources)
To develop checklists, 18 sources need to be tapped, as summarised below from my book.
· Common to all audits: 5
· Unique to commercial audits: 2
· Unique to financial audits: 4
· Unique to technical audits: 2
· Unique to legal audits: 5
This article briefly includes twenty-four lead points for developing a checklist in the four business aspects mentioned previously.
My book includes examples of 174 checklist points, as below.
· Financial/commercial areas = 60, narrated in Annex 29
· Technical areas = 60, in Annex 30
· IT/ERP areas = 24, in Annex 31
· Legal areas = 30, in Annex 32
As per this author’s experience, for a medium-sized multi-product, multi-plant/multi-office organisation there is potential to develop the internal audit checklists to 900-1200 points for each type of audit, i.e. at least 3600 checklist points across the financial/commercial, technical, IT/ERP and legal functions.
Further, the internal audit checkpoints for statutory Acts would be in addition to the 3600 internal audit checklist points mentioned above.
Process 4: Carrying out S-O-D (Severity-Occurrence-Detectability) analysis (6 activities)
1. Forming cross-functional teams (CFTs) of functional experts for each functional area for which the risk register is to be prepared.
2. The CFT, referring to the checklists prepared in the previous process, deliberates and finds answers to one question: “What is the adverse impact on the business in case the operation being performed goes wrong?”
3. Analysing the answers compiled on the above question using S-O-D analysis, as captured below.
The following need to be analysed by the CFT vis-a-vis the adverse impact on the business for each type of internal audit.
· Severity parameters: 5
· Occurrence parameters: 10
· Detectability parameters: 5 stages
4. Identifying and analysing severity parameters.
The adverse impact on the business can be any one, or a combination, of the five aspects listed below.
i) Profitability
ii) Statutory regulations and compliances
iii) The strategic value of the company and customer retention
iv) Financial statement accuracy / SEBI’s single operational circular on Listing Obligations and Disclosure Requirements (LODR)
v) Reliability/effectiveness of the process being audited/assessed
5. Identifying and analysing occurrence parameters: ten aspects that can cause an activity to go wrong and hence trigger an adverse impact.
The CFT analyses which cause, or combination of causes, can contribute to or lead to an adverse impact for each business activity performed.
· 1. Inadequate skills and/or resources
· 2. Improper segregation of duties (initiating, modifying, editing, deleting, and approving responsibilities)
· 3. Incorrect or incomplete execution of work/activity
· 4. No or inadequate verification of output
· 5. Incorrect source data or input parameters
· 6. Weak internal controls
· 7. Non-robust system / non-implementation of SOPs
· 8. Not ensuring the availability of appropriate authority norms
· 9. Process logic not configured properly
· 10. Process complexity, malicious intent, lack of diligence, change management, etc.
6. Identifying and analysing detectability parameters: 5 stages at which an error can be detected.
The CFT analyses at what stage the “wrong” was, or can be, detected for each business activity performed. (One illustration: sales invoicing and shipping an end product to a customer.)
· Stage 1: At the very early stage, i.e. the sales delivery stage, by the functional user who initiates the activity (i.e. makes the sales invoice).
· Stage 2: At the subsequent stage, i.e. sales invoice approval (say by the Sales Manager), who is part of the sales and distribution function.
· Stage 3: At the Manager-Finance stage, while entering the sales invoice in the financial books; Manager-Finance is “outside the sales function” but within the same business unit.
· Stage 4: During a random internal audit, when the internal auditor detects the invoice error after invoicing, maybe weeks or months later, still within the business unit.
· Stage 5: At the customer end, which is outside the business unit and receives the incorrect invoice along with the shipment.
Process 5: Assigning scores in a logical/rational manner to determine risk impact and likelihood/frequency (4 activities)
1. First, a CFT (cross-functional team) must be formed to assign the scores that determine risk impact logically.
2. The CFT must look at the business activity performed and review each checklist critically to answer a simple question: “What is the adverse impact on the business in case the business activity goes wrong?”
3. For each business activity performed where things can go wrong, a scoring model is proposed below, in which the CFT assigns a score on a scale of 1-10 for each of the following.
· Severity parameters = scale of 1-10 points
· Occurrence parameters = scale of 1-10 points
· Detectability parameters = scale of 1-10 points
4. An impact vs. exposure matrix is to be developed based on the following definitions.
· Adverse impact score = severity score multiplied by detectability score
· Risk exposure score = occurrence score (likelihood factors)
Illustration: the “sales invoicing activity” case at the company’s sales depot.
Based on close observation of the billing systems at the depot, let us assume the CFT assigns the scores below.
· Severity parameters = 10 (in case the invoice is billed at a lower rate)
· Occurrence parameters = 8 (as many parameters out of 10 are not ok)
· Detectability parameters = 7 (assume Accounts may miss catching it because sale rates are not updated instantly when a rate change is announced by the Sales team)
So the score on business impact would be 10 x 7 = 70 (severity x detectability).
So the score on risk likelihood would be 8.
Combining these scores enables classifying the risk level in the “heat map” proposed in the following points.
Process 6: Developing a heat map to classify business activities as High, Medium or Low risk, abbreviated as H, M or L (8 activities)
1. A “heat map” is proposed to classify risks as High, Medium or Low as per the measurement scale below, based on the score computation below.
· Adverse impact (0-100 scale) = severity score multiplied by detectability score
· Exposure/likelihood (0-10 scale) = occurrence score
2. The classification of risks for each audit activity into High, Medium or Low (H, M or L) can be guided by the combined scores on impact and likelihood.
3. Some need-based risk classification adjustments can be made for borderline scores.
4. In consultation with the HOD of the respective function, the CFO (along with the company-level risk coordinator) may change the table below and decide the heat matrix accordingly.
5. Each cell has been classified as High, Medium or Low (“Red,” “Brown or Yellow,” and “Green” colours) based on the combination of scores, abbreviated as shown in the table.
In the table below, the Y-axis is the impact score on a 100-point scale and the X-axis is the likelihood score on a 10-point scale.
Impact (Y) \ Exposure (X) | 0-2 | 2.1-4 | 4.1-5 | 5.1-6 | 6.1-8 | 8.1-10
--- | --- | --- | --- | --- | --- | ---
81-100 | IH & EL | IH & EL | IH & EM | IH & EM | IH & EH | IH & EH
61-80 | IH & EL | IH & EL | IH & EM | IH & EM | IH & EH | IH & EH
51-60 | IM & EL | IM & EL | IM & EM | IM & EM | IM & EH | IM & EH
41-50 | IL & EL | IL & EL | IL & EM | IL & EM | IL & EH | IL & EH
21-40 | IL & EL | IL & EL | IL & EM | IL & EM | IL & EH | IL & EH
0-21 | IL & EL | IL & EL | IL & EM | IL & EM | IL & EH | IL & EH
X-axis: Exposure (likelihood) of risk
6. In the above table, the abbreviations mean the following:
· I denotes “Impact” on the Y-axis
· E denotes “Exposure or likelihood” on the X-axis
· H, M and L denote “High,” “Medium” and “Low,” respectively
As is evident from the above heat map, risk is classified into three categories: High, Medium or Low, abbreviated as H, M and L, respectively.
7. So the activity of “sales invoicing” in the illustration will fall in the “High” risk zone, as the scores assigned in the previous process were assessed as below:
Impact score = 70 (severity score 10 multiplied by detectability score 7); exposure/likelihood score = 8
8. Thus, risk assessment is to be done by the CFT for each business activity in each business function. A risk register will then be prepared to depict the High, Medium or Low risk categories.
Process 7: Methodology for developing a risk register to determine the frequency and priority of internal audits (3 activities in brief)
1. An extract of a proposed simple “Risk Register”, to be prepared by the internal audit team, is enclosed.
2. Risk classification would vary as per the score assessment of the relevant auditors.
3. Based on the above sample risk register, the internal audit team may decide the audit frequency as below.
· High-risk activities: say quarterly
· Medium-risk activities: say six-monthly
· Low-risk activities: say annually
The above frequencies are only indicative, and the CIA can change them at their absolute discretion based on manpower/resources and other priorities.
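The scoring model of Process 5, the heat-map bands of Process 6 and the indicative frequencies of Process 7 can be turned into a small, repeatable computation so that every CFT scores activities the same way and the register is produced mechanically. The following Python is an added example and is not code from the article or from the author's book. It assumes the three scores are integers from 1 to 10, reads the heat-map bands from the table above (any impact of 50 or below is treated as IL, which also resolves the overlapping 0-21 and 21-40 rows), and, because the article labels each cell as "I? & E?" but does not spell out how a cell collapses into one overall High/Medium/Low rating, supplies its own combination rule, marked as an assumption in the code. The two extra activities in the sample are constructed for illustration.

```python
"""S-O-D scoring, heat-map classification and audit-frequency lookup.

Added example (not from the article or the author's book). It encodes the
scoring rules stated in Processes 5-7: impact = severity x detectability
(1-100), exposure = occurrence (1-10), the heat-map bands from the table,
and the indicative audit frequencies. The rule that collapses a heat-map
cell such as "IH & EM" into one overall High/Medium/Low rating is NOT given
in the article and is this example's own assumption (see risk_level).
"""
from dataclasses import dataclass, asdict


def _check_score(name: str, value: int) -> int:
    """Every S-O-D parameter is scored by the CFT on an integer 1-10 scale."""
    if not isinstance(value, int) or not 1 <= value <= 10:
        raise ValueError(f"{name} score must be an integer from 1 to 10, got {value!r}")
    return value


def impact_score(severity: int, detectability: int) -> int:
    """Adverse impact score = severity x detectability (range 1-100)."""
    return _check_score("severity", severity) * _check_score("detectability", detectability)


def exposure_score(occurrence: int) -> int:
    """Risk exposure (likelihood) score = occurrence score (range 1-10)."""
    return _check_score("occurrence", occurrence)


def impact_level(impact: int) -> str:
    """Y-axis bands of the heat map: 61-100 -> H, 51-60 -> M, 50 and below -> L."""
    if impact > 60:
        return "H"
    if impact > 50:
        return "M"
    return "L"


def exposure_level(exposure: float) -> str:
    """X-axis bands of the heat map: above 6 -> H, 4.1-6 -> M, 4 and below -> L."""
    if exposure > 6:
        return "H"
    if exposure > 4:
        return "M"
    return "L"


def heat_map_cell(impact: int, exposure: float) -> str:
    """Cell label exactly as printed in the article's table, e.g. 'IH & EH'."""
    return f"I{impact_level(impact)} & E{exposure_level(exposure)}"


_RANK = {"L": 0, "M": 1, "H": 2}


def risk_level(impact: int, exposure: float) -> str:
    """Collapse a heat-map cell into one rating.

    Assumption (not stated in the article): add the two band ranks; 3-4 (HH, HM, MH)
    is High, exactly 2 (HL, LH, MM) is Medium, 0-1 is Low. Borderline cases may be
    adjusted by the CFO/HOD, as the article allows.
    """
    total = _RANK[impact_level(impact)] + _RANK[exposure_level(exposure)]
    if total >= 3:
        return "High"
    if total == 2:
        return "Medium"
    return "Low"


# Indicative frequencies from Process 7; the CIA may override them.
AUDIT_FREQUENCY = {"High": "quarterly", "Medium": "six-monthly", "Low": "annually"}


@dataclass
class RiskRegisterRow:
    activity: str
    severity: int
    occurrence: int
    detectability: int
    impact: int
    exposure: int
    cell: str
    risk: str
    audit_frequency: str


def risk_register_row(activity: str, severity: int, occurrence: int, detectability: int) -> dict:
    """Build one risk-register row from the three CFT scores."""
    impact = impact_score(severity, detectability)
    exposure = exposure_score(occurrence)
    risk = risk_level(impact, exposure)
    row = RiskRegisterRow(activity, severity, occurrence, detectability, impact, exposure,
                          heat_map_cell(impact, exposure), risk, AUDIT_FREQUENCY[risk])
    return asdict(row)


if __name__ == "__main__":
    # Constructed sample: the article's sales-invoicing illustration plus two made-up activities.
    sample = [
        ("Sales invoicing at depot", 10, 8, 7),      # article's illustration: 70 / 8 -> IH & EH
        ("Vendor master data change", 6, 5, 9),      # constructed: 54 / 5 -> IM & EM
        ("Stationery purchase approval", 2, 3, 4),   # constructed: 8 / 3 -> IL & EL
    ]
    for args in sample:
        r = risk_register_row(*args)
        print(f"{r['activity']:<32} impact={r['impact']:>3} exposure={r['exposure']:>2} "
              f"{r['cell']}  {r['risk']:<6} audit {r['audit_frequency']}")
```

Running the script reproduces the article's illustration (impact 70, exposure 8, cell IH & EH, High, quarterly audit) and shows how the same rule places a medium-impact, medium-exposure activity and a low one. Rejecting out-of-range scores up front is deliberate: a score of 0 or 11 would silently shift an activity between heat-map bands, which is exactly the "inaccurate preparation of heat map" failure the article warns about.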
My book carries illustrations for developing risk registers for each type of audit, as shown below.
A) Developing risk registers - Annex 29 - Financial and commercial audits, each with six queries
· Auditee: sales & marketing function. Auditor’s profile: CA or MBA
· Auditee: Materials management function. Auditor’s profile: CA or MBA
· Auditee: Finance & accounts function. Auditor’s profile: CA or MBA
· Auditee: Corporate services function. Auditor’s profile: CA or MBA
· Auditee: Production & assembly function. Auditor’s profile: CA or MBA
· Auditee: R&D function. Auditor’s profile: CA or MBA
· Auditee: Quality control function. Auditor’s profile: CA or MBA
· Auditee: HR function. Auditor’s profile: CA or MBA
· Auditee: Administration function. Auditor’s profile: CA or MBA
· Auditee: Management function. Auditor’s profile: CA or MBA
B) Developing risk registers - Annex 30 - Technical audits, each with six queries
· Auditee: Manufacturing or assembly plant. Auditor’s profile: Production Engineer
· Auditee: Outsourced assembly plant. Auditor’s profile: Production Engineer
· Auditee: R&D. Auditor’s profile: Design Engineer
· Auditee: Receipt quality control. Auditor’s profile: Quality Engineer
· Auditee: Final product or WIP product. Auditor’s profile: Quality Engineer
· Auditee: Service headquarters. Auditor’s profile: Service Engineer
· Auditee: Company-managed service depot. Auditor’s profile: Sales & Service Engineer
· Auditee: Dealer’s workshop. Auditor’s profile: Sales & Service Engineer
· Auditee: Vendor’s manufacturing plant. Auditor’s profile: Purchase Engineer
· Auditee: Construction project. Auditor’s profile: Construction Engineer
C) Developing risk registers - Annex 31 - IT/ERP audits, each with six queries
· Auditee: IT infrastructure at plants (manufacturing or assembly), offices, sales depots, etc. Auditor’s profile: IT engineer/professional
· Auditee: Server room/IT infrastructure control room. Auditor’s profile: IT engineer/professional
· Auditee: IT security policy and security infrastructure. Auditor’s profile: IT engineer/professional
· Auditee: Outsourced software developer/service provider. Auditor’s profile: IT engineer/professional
D) Developing risk registers - Annex 32 - Legal functions, each with six queries
· Auditee: Legal and secretarial function. Auditor’s profile: Law professionals
· Auditee: All plants. Auditor’s profile: Law professionals
· Auditee: Corporate and all other offices. Auditor’s profile: Law professionals
· Auditee: Sales depots and warehouses. Auditor’s profile: Law professionals
· Auditee: SEZ operations. Auditor’s profile: CA or MBA
More can be developed directly by the internal audit team/CFT.
Activities (including unethical) that can adversely impact business.
1. Audit charter not comprehensive vis-a-vis the five types of audits mentioned above.
2. The chief internal auditor reporting to a functional head can compromise their independence, thus possibly diluting objectivity in reporting the findings. *
3. Deliberately keeping some business areas out of bounds of internal audit. *
4. Not taking inputs from HODs of functions or specialists, and hence checklists not being comprehensive. *
5. Not referring to statutory Acts, applicable regulations, or quality standards (for technical audits), thus making incomplete or incorrect checklists. *
6. Making mundane checklists that have little or no focus on the following aspects:
· Profitability
· Sales revenue
· Statutory regulations and compliances
· Quality, delivery, and costs
· End customer satisfaction
· and so on
7. Inadequate training of the internal audit team, who would be responsible for using S-O-D analysis.
8. Biased or inaccurate assessment of the impact and exposure scores.
9. Incorrect classification of risks as High, Medium or Low.
10. Inaccurate preparation of the heat map.
* Indicates an activity with unethical or statutory implications