With an organization’s internal controls being tested more than once a year via external auditors and regulatory requirements, such as the U.S. Sarbanes-Oxley Act of 2002, what additional value does an internal auditor bring? Internal auditors can look beyond the financial statement’s accuracy and focus on control reviews to ensure its alignment with management’s objectives and strategies — specifically in the revenue and receivables process.
External auditors and in-house Sarbanes-Oxley auditors perform test procedures to validate various assertions related to revenue transactions, receivables balances, and their presentation and disclosures in the financial statements. Internal auditors can work with management to ensure that the revenue and receivables processes are set up and controlled effectively to achieve the organization’s goals. There are several areas on which internal audit can focus to help achieve this objective.
Internal auditors should interview senior management to get insight over the assumptions, historical sales growth analysis, customers’ feedback and forecasts, and other resources tapped to gain the pulse of the market. This insight will help internal auditors assess if the pricing strategy is moving in the right direction to help the organization achieve its goals. If not, internal audit should discuss with management how to improve the analysis and pricing strategy.
Once satisfied with the pricing strategy, internal auditors should then evaluate transformation of this strategy into the actual pricing structure, assess whether the framework provided to the sales team for negotiating with customers aligns with the pricing strategy, and ensure that the approvals for pricing structure and negotiations include exceptions to the pricing strategy.
Having the Right Customers
In a business-to-business model, working with profitable and creditworthy customers is a sign of sustainability and consistent growth year over year. When reviewing the customer selection process, internal audit should:
- Check the existence and adequacy of customer selection policies approved by the appropriate level of management.
- Ensure adherence to these policies.
- Assess the adequacy and reliability of resources used to check customers’ credit rating (good credit provides reasonable assurance over revenue collection).
- Evaluate profitability at a customer level and question management on loss-making deals (profitability analysis provides visibility over profitable deals).
- Review the effectiveness of controls over updating customer data in the organization’s customer database to ensure data validity.
This area is more applicable to organizations that provide a complex bundle of services. Such sales need a well-drafted contract detailing all performance obligations. Internal auditors should check for the existence of a control where contracts are reviewed by legal experts, an accounting policy team, and an operations team, and are approved by the appropriate management level to protect the company from unwanted obligations and commitments.
If a contract template with standard clauses is already developed, the auditor’s job is to focus on any nonstandard terms agreed upon by customers and assess their reasonability and approval process effectiveness. Internal audit should risk-rank the contracts based on their contribution to the organization’s objectives and then develop a testing strategy to review the reasonableness of key nonstandard terms. The higher the number of nonstandard terms, the greater the challenge for internal auditors.
Conversion of Orders to Invoices
Internal auditors should confirm that a process exists to capture the goods or services provided to customers and to invoice them for these goods or services. Prices for goods and services sold by the organization should be updated in the price database, and the revenue system must capture all goods and services sold to customers for accurate invoicing.
Usually, internal auditors test these processes on a sample basis. To make the sample selection effective, internal auditors should pick up on clues about process gaps, control weaknesses, and system constraints through process map reviews, data analytics, rework queues, pain points, and process improvement ideas communicated by management. These areas could reveal missing management oversight and potential revenue leakages, such as not invoicing for services provided or generating invoices with lower-than-negotiated rates.
Tracking Receivables and Collection Efforts
The receivables aging report is a good source to determine tracking process efficiency. External auditors and Sarbanes-Oxley auditors review the aging report for valuation and to reconcile with the financial statements, while internal auditors can assess the effectiveness of its collection efforts. Does follow-up with customers happen with sufficient frequency and is there a process to escalate problematic dues with senior management? Also, are the receivables that are handed over to collection agencies, either under litigation or from bankrupt customers, being tracked to protect the company’s interests?
Although write-off approvals are reviewed by external auditors and Sarbanes-Oxley auditors, internal auditors should analyze write-off data to identify outliers, such as the same employee writing off certain customers’ dues frequently or the same customers’ dues getting written off often. The root causes of these outliers will help reveal the process control issues.
Recording Cash Receipts
Recording cash receipts is vulnerable to misappropriation of cash received from customers and is reviewed by external auditors and Sarbanes-Oxley auditors. Cash receipts include electronic fund transfers, checks, credit cards, and physical cash receipts. Internal auditors can focus on the timeliness of recording the collection of cash in addition to the adequacy of segregation of duties and sufficient oversight in receiving, depositing, and recording cash funds.
Last but not least are the metrics developed by management to measure the performance of revenue and receivables processes. Internal audit should review the accuracy of key metrics to ensure that the data used for metrics calculations are correct and current. Internal auditors also can suggest additional metrics that will be useful to management.
Focus on What Matters
By reviewing end-to-end processes and questioning the alignment of various policies, procedures, and performance metrics with management’s corporate objectives, internal audit can enhance the work of external and Sarbanes-Oxley auditors. Working with management to finalize the objective and scope of audits will help auditors focus on the risks that really matter to management, in addition to reviewing key internal controls that matter to internal auditors.