Internal audit is one of those areas that, for big companies, can be a legal requirement, depending on the geographical location of the entity. It is therefore a must-have.
Sometimes the size of the internal audit team can be really small compared to the size of the company. I was once working for one of the world’s leading electrical equipment providers that were present in over 20 locations, with over 40K employees. The internal audit department, however, had less than 10 people in it. This is why auditors usually spend up to 70% of their time flying.
If we think about the number of far-flung locations, then we might wonder how on earth 10 people can reasonably control what is going on in all of those different places.
The diagram to the left is familiar to all auditors. It is from the Institute of Internal Auditors and it is called the “Three lines of defence”. You might argue that auditors are the third line of defence, so therefore they are not expected to be very numerous. In fact, it is rather the internal controllers that should be doing all of the nitty gritty controls and the detailed testing and the auditors are there to check that those controls are being done.
When people tell me this, I like to get out the IAASB (International Auditing and Assurance Standards Board) handbook, “International standard on auditing 240”, “The auditor’s responsibility relating to fraud in an audit of financial statements”.
Haha! I hear you say – but that isn’t for internal auditors. That is for the auditors that do the audit of the financial statements… notably the external auditors. It’s true that the external auditors are there to sign-off the financial statements. Therefore, they have a responsibility for making sure that those financial statements are correct. Meaning that they should be fairly sure that all of the transactions within the General Ledgers of all of the major entities of the Group being audited (probably around 100 million lines of transactions at least) do not contain any that would arise to fraud. This is obviously too much of a task for the less than ten people in internal audit!
But then again – wouldn’t it be a shame that, as an internal auditor, you missed some really important fraud going on.
A friend of mine is the internal audit director for a major retail group. They had a case in South America, whereby the CFO had been entering strange journal entries around closing, in order to boost the figures a bit. They had the big 4 auditors there to do the audit for years on end, but no one ever noticed the needle in the haystack, which actually, in value terms, was more like an elephant in the teacup.
But the internal auditor had something up his sleeve; he had data analytics. Running the millions of lines of journal entries through his data analytics program, it was actually very easy to list out the users that had been entering journal entries (BKPF_USNAM for SAP…). It was then very easy to compare this list to the list of people that work in the company and their actual real names (table USR21 in SAP gives the mapping from user ID to personnel name).
From there, it’s really not very difficult to sort the journal entries by value (BSEG_DMBTR) and user, in order to see who is entering the journal entries of the highest amount, even if entering rather few transactions. And, being a bit awake, whilst doing the audit, recognising the name of the CFO in the list of users entering journal entries was also not that difficult.
Much to say that the big 4 audit firm did receive a fine for not noticing.
So, there is a lot to do in a big organization in order to really be able to help the company to recognize fraud and avoid fines and prosecution. But often management does not give internal audit the resources that they need.
Obviously, you cannot expect people to look through millions of lines of data. Especially if your team is small.
This is why it is essential for internal auditors to be able to automate their work. The data analytics program that detected the fraud in South America can be re-used for all the other entities. Nothing is stopping that audit team from running such controls automatically in the background and setting up alerts when things look strange.
The more experienced, the more ideas, and the more tests can be put in place to pick up on known/ previously seen fraud cases.
This is why at Aufinia we decided to put all of our 20 years’ experience into one platform, called AuditZOOM. The AuditZOOM platform has 300 must-have data-analytics tests for audit. These tests are very simple but powerful. They are straightforward and they provide a very simple, quick to understand overview of all business processes from financial reporting through to purchasing, sales, inventory, fixed assets, HR and even user access.
Screening your data across entities with these 300 must-have dashboards enables the auditors, that are few in number, to be able to dive into the entity, department, transaction that looks very risky and identify the issue in the quickest possible time.
What’s more, you can easily add any additional dashboards that you like to our platform, and our data analytics and SAP experts will assist you with unlimited service.
For now, maybe you do think that your boss does feel like Internal audit is a waste of time. Maybe Internal audit is sometimes only seen by your boss as a legal necessity rather than a value-added service.
But, when auditors get their hands on some data analytics, they can show-up their Big 4 external audit friends and zoom straight into the country, entity, operating unit and transaction that is fraudulent and that is why they are so valued.
Thanks for reading!
Click below to download our free eBook and we can guarantee it will help you become a recognised leader by starting the transformation of internal control and internal audit!