Risk and Control Issues Commonly Overlooked by Internal Auditing 1: Information required to run the business

Today I am starting a series where I discuss risk and control issues of potential significance that are often overlooked by internal audit. These are issues that, for whatever reason, are not considered and therefore not included in the audit plan.

#1 – Information required to run the business

A while back, I was talking to a fellow CAE about continuous monitoring and auditing. He said that continuous monitoring or auditing was not cost-effective for his company, because every location had different systems. They used different systems for manufacturing, financial transactions (GL, AP, AR, etc.), human resources, procurement, sales and billing, etc. When it came to preparing period financial and operating statements, they used a host of spreadsheets.

Not only is this grossly inefficient, there is a high risk of error in the use of spreadsheets. Furthermore, by the time the information is pulled together, it is old.

Years ago, a CFO told me that he was tired of "managing through the rear-view mirror." He was referring to the need to have prompt information on corporate-wide activity and conditions with which to run the business. That was 15 years ago, and the pace of change has accelerated since then. The need for information today on current activity is greater than at any time in our history.

So this leads to questions for auditors to consider:

  • Does management at all levels have the information they require to run the business and optimize performance available when they need it? Is it timely?
  • Are the processes and related controls over the information adequate? Is the information reliable?
  • When information is fragmented across multiple sources and systems, are there adequate controls to ensure the appropriate consolidation of like information? For example, is the aging of accounts receivable consistent? Are vendor and customer balances across multiple divisions properly consolidated so management can see exposures? Is total inventory consolidated so that it can be managed and optimized? Are there controls to ensure completeness?
  • Is the information gathering process efficient? Would upgrades to the process and systems be cost-justified?
  • Does management receive sufficient timely information to recognize risks and take advantage of opportunities?
  • Have you addressed information deficiencies in a formal report to management and the audit committee?

For a technology slant, consider this.

Posted on May 26, 2010 by Norman Marks

  1. Re: #1 – Information required to run the business

    The major question is does management even know what information it needs to run the business? Has it specified it as part of initial system and process design, especially IT systems? Or does it create systems willy-nilly and then try to establish if they can provide the information they "suddenly discover they want"? It would seem that management would benefit from a visit to the concepts of Data Architecture as a pillar of an Enterprise Architecture a la John A Zachman.
