How Data Analysis Tools Empower the Internal Audit Function
BY: DONALD E. SPARKS, CIA, CISA, CRMA
Our ominous economic situation has prompted many companies to rethink how they conduct business, which includes taking a closer look at business expenses in an effort to monitor and control costs. Accountants and internal auditors work to identify redundant, weak or missing controls and gaps in controls, reduce risk and detect fraud in an effort to offset the lower revenues many companies are experiencing.
While system and data errors can serve as a breeding ground for fraud and abuse, internal auditors can apply data analysis techniques to identify issues within the organization’s data. Data analysis tools allow the auditor to interrogate large volumes of data, and run multiple queries to look for and extract unknown information, which assists in detecting internal control violations, errors and potential fraud.
For example, travel and entertainment (T&E) expenditures are often a significant business expense and may be the difference between generating a profit or loss for the period. By conducting regular audits of T&E expenses, organizations can improve internal controls over employee costs and establish a tone of compliance for all employees to follow.
When auditing T&E expenses, the auditor needs to gain a clear understanding of processes for approving, recording and reimbursing expenses. Data analysis may be used during the planning phase by providing summary information for scoping purposes, such as calculating average amounts. If the data is available in electronic format, the auditor may use a pivot table to prepare summaries of expense types by employee and extract the most frequently reimbursed employees or those who charge the majority of their travel expenses to “miscellaneous,” which should be a rarely used option on expense reports. This preliminary information can be shared with management to justify the time and resources needed for a full review.
As risk assessments are conducted each year, internal auditing and management should look for gaps in controls, and work to improve expense monitoring activities. Data analysis tools can help identify the root causes of why procedures are redundant, missing, deficient or defective.
An appropriate risk-based methodology will help set audit priorities based on probability of occurrence and impact. Areas to review and test may include business information systems and the business units that own or maintain each system, data life cycles for each system, and system permission levels.
Obtaining T&E expense reporting data is a key step for auditors and management, including how the data is collected and managed. With adequate and reliable data, internal audit can assess T&E processes and look for opportunities to leverage savings, or identify fraud. Some data sources to consider are: employee reporting forms, pre-trip booking, travel agency booking, credit cards, budgets, travel advances, authorization levels and foreign exchange currency rates.
While internal auditors are responsible for telling management where controls are working as designed, they are also responsible for uncovering significant errors, irregularities or noncompliance, and for being alert to fraud. The first step in developing a response is determining the level of response needed – extensive, moderate or minimal. The application of data analysis can assist in these areas to help search for errors and irregularities, and tests may be used by the operating units to improve internal controls.
While general office applications such as spreadsheets are familiar to most staff, they may not be sufficient for auditing techniques including acquiring, merging, sorting and sampling data. Data analysis tools are designed specifically for conducting audits – to match and join data from multiple sources, search for specific text and use date and time fields. They can empower the auditor to design tests and uncover a myriad of T&E reimbursement abuses.
During the testing phase, internal audit should identify, analyze, evaluate and record sufficient information to achieve the engagement’s objectives. Testing should cover the accuracy and propriety of the expense report transactions, as well as integrity and reliability of the performance management information system. Various volume and service level agreements may require testing as well.
Auditors must provide the necessary documentation to support findings and communicate the engagement conclusions. Report writing is another audit area where data analysis can be used to align the test results with the report requirements. Data analysis tools help maintain the history of analysis activities to support audit conclusions and assure the auditing work did not introduce data integrity and reliability issues into the work papers.
During the closing conference, the internal audit team should share experiences that will help strengthen monitoring activities and improve future audits. This should include recommendations to management about how to be sure that past or new problems do not arise, which may be accomplished weekly, monthly or periodically through continuous auditing and monitoring.
Continuous auditing is not a tool, but rather a process for auditors to follow for planning, risk assessments, control assessments and use of technology to perform audit work. It can bridge the gap between the audit report and the practice of assuring the identified issues have been rectified.
Following is a brief case study example of how expense reports became a starting point for the development of a continuous auditing approach that helped reduce risk and improve overall controls:
A company tested expense reports by random selection, examining larger dollar charges to travel expense categories. While exceptions were found, no significant conclusions were drawn and the area was assigned for review again in three years, in which time the company experienced substantial growth. Internal audit used data analysis tools to summarize T&E expense details for 60 cost centers, noting which had higher instances of exceptions or anomalies in multiple test areas. Test areas included data on late expense reports, high dollar amounts charged to miscellaneous, high airfare, high bonus, duplicate payments, etc. One third of the cost centers with the highest instances of exceptions and anomalies were related to marketing, and the analysis identified three individuals with infractions.
The internal auditors created scripts from the data analysis tests so the high risk areas/employees could be monitored for possible continuing fraud or abuse. The risk ranking allowed the auditors to select which cost centers and employees to audit more frequently. In this case, continuous auditing was used to help internal audit determine when and where to deploy internal auditing resources and learn what issues and patterns exist so future audit plans focus on specific areas of abuse.
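The kind of script described in the case study can be sketched as follows. This is an added example, not the scripts used by the auditors in the case study: the field layout, the 30-day lateness threshold, the 50 percent miscellaneous threshold and all records are constructed assumptions. It runs three of the tests named above (late reports, high miscellaneous, duplicate payments) and ranks cost centers and employees by exception count.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample data:
# (cost_center, employee, category, amount, expense_date, submitted_date)
EXPENSES = [
    ("MKT-01", "E101", "airfare",        850.00, date(2023, 3, 2),  date(2023, 3, 9)),
    ("MKT-01", "E101", "miscellaneous",  640.00, date(2023, 3, 3),  date(2023, 5, 20)),
    ("MKT-01", "E101", "miscellaneous",  640.00, date(2023, 3, 3),  date(2023, 5, 20)),
    ("MKT-01", "E102", "miscellaneous",  410.00, date(2023, 3, 10), date(2023, 3, 15)),
    ("FIN-02", "E201", "hotel",          320.00, date(2023, 3, 5),  date(2023, 3, 8)),
    ("FIN-02", "E201", "meals",           58.40, date(2023, 3, 5),  date(2023, 3, 8)),
    ("OPS-03", "E301", "airfare",        420.00, date(2023, 4, 1),  date(2023, 6, 15)),
    ("OPS-03", "E302", "hotel",          275.00, date(2023, 4, 2),  date(2023, 4, 6)),
]

LATE_DAYS = 30      # assumed policy: reports are due within 30 days
MISC_SHARE = 0.50   # assumed threshold: over half of spend coded "miscellaneous"

def run_tests(rows):
    """Return a list of (cost_center, employee, test_name) exceptions."""
    exceptions = []
    seen = Counter()
    totals, misc = defaultdict(float), defaultdict(float)
    for cc, emp, cat, amt, spent, submitted in rows:
        if (submitted - spent).days > LATE_DAYS:
            exceptions.append((cc, emp, "late_report"))
        key = (cc, emp, cat, amt, spent)
        seen[key] += 1
        if seen[key] == 2:  # flag a repeated claim once, on its second appearance
            exceptions.append((cc, emp, "duplicate_payment"))
        totals[(cc, emp)] += amt
        if cat == "miscellaneous":
            misc[(cc, emp)] += amt
    for who, total in totals.items():
        if total and misc[who] / total > MISC_SHARE:
            exceptions.append((*who, "high_miscellaneous"))
    return exceptions

def rank_cost_centers(exceptions):
    """Cost centers ordered by number of exceptions, highest first."""
    return Counter(cc for cc, _, _ in exceptions).most_common()

def rank_employees(exceptions):
    """(cost_center, employee) pairs ordered by number of exceptions."""
    return Counter((cc, emp) for cc, emp, _ in exceptions).most_common()

if __name__ == "__main__":
    found = run_tests(EXPENSES)
    print(rank_cost_centers(found))
    print(rank_employees(found))
```

Rerunning the same tests on each new period's data and comparing the rankings is what turns a one-off analysis into the continuous monitoring the case study describes.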
As internal auditors are tasked with more work and fewer resources, companies need to utilize available technologies to mitigate risk and identify potential fraud. T&E expenditures require the same attention, testing and evaluation as other significant accounts payable activities. Data analysis helps focus on potential violation areas and quantify the impact, and can be used to generate continuous auditing processes that help reduce future incidents of fraud.
Internal audit adds the greatest value when it is able to inform management of issues (good or bad) they were not aware of, but should be. Data analysis allows internal audit to review transaction-level data, share findings with management and ultimately impact the bottom line.
Donald E. Sparks brings more than 30 years of experience in finding significant errors and fraud using data analysis software to his role as vice president with Audimation Services, Inc. He may be contacted at [email protected]