Today I am starting a series where I discuss risk and control issues of potential significance that are often overlooked by internal audit. These are issues that, for whatever reason, are not considered and therefore not included in the audit plan.
#1 – Information required to run the business
A while back, I was talking to a fellow CAE about continuous monitoring and auditing. He said that continuous monitoring or auditing was not cost-effective for his company, because every location had different systems. They used different systems for manufacturing, financial transactions (GL, AP, AR, etc.), human resources, procurement, sales and billing, etc. When it came to preparing period financial and operating statements, they used a host of spreadsheets.
Not only is this grossly inefficient, there is a high risk of error in the use of spreadsheets. Furthermore, by the time the information is pulled together, it is old.
Years ago, a chief financial officer told me that he was tired of "managing through the rear-view mirror." He was referring to the need to have prompt information on corporate-wide activity and conditions with which to run the business. That was 15 years ago, and the pace of change has accelerated since then. The need for information today on current activity is greater than at any time in our history.
So this leads to questions for auditors to consider:
Does management at all levels have the information they require to run the business and optimize performance available when they need it? Is it timely?
Are the processes and related controls over the information adequate? Is the information reliable?
When the sources of information are fragmented, from multiple sources and systems, are there adequate controls to ensure the appropriate consolidation of like information? For example, is the aging of accounts receivable consistent? Are vendor and customer balances across multiple divisions properly consolidated so management can see exposures? Is total inventory consolidated so that it can be managed and optimized? Are there controls to ensure completeness?
Is the information gathering process efficient? Would upgrades to the process and systems be cost-justified?
Does management receive sufficient timely information to recognize risks and take advantage of opportunities?
Have you addressed information deficiencies in a formal report to management and the audit committee?
For a technology slant, consider this.