DISCUSSIONS > IIA GENERAL DISCUSSION AREA
Thread Title: Control Gaps
Created On Wednesday July 11, 2012 9:46 AM


KelKra


Posts: 14
Joined: Feb 2011

Wednesday July 11, 2012 9:46 AM


In a recent audit, our Internal Audit department was conducting a test to identify invalid payees (testing focused on missing federal id #'s and changes made to payee information). During our walkthroughs and testing we discovered that some payees were missing federal id #'s. This would be expected as not all payees will have an id #; however, we found that some that were missing this information were service providers that should have had this information included. In addition, we found that changes in payee name were not being investigated (sometimes payments were made to the operating business name while other times it was to the DBA name).

In the end, we did not find support in our testing to confirm that invalid payments were being made (support in the file showed that payments appeared legitimate); however, since our walkthroughs and discussions revealed no one is reviewing payee changes or ensuring payees have a valid federal id entered (when necessary) we still believe that this should be outlined as a control gap in our audit report (i.e. just because our testing didn't uncover an invalid payment, doesn't mean the risk isn't there).

Management feels that since we didn't find errors in testing, it is not a control gap and shouldn't be included in our audit report.

We believe it should be included as a control gap, and we should disclose that management is willing to accept the risk associated with not addressing the issue.

How do your companies handle situations like this?

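The two tests described in the post (service-provider payees with no federal ID on file, and payee name changes that nobody reviews) can be expressed as a repeatable check over the payee master file and its change log. The script below is an added example, not the poster's own procedure or data: the record layouts, the payee types that require a federal ID, the fields treated as sensitive, and the sample records are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


# Constructed record shapes (assumptions, not the poster's actual system).
@dataclass
class Payee:
    payee_id: str
    name: str
    payee_type: str            # e.g. "service_provider", "refund"
    tax_id: Optional[str]      # federal ID (EIN); None or blank when not entered


@dataclass
class PayeeChange:
    change_id: str
    payee_id: str
    field: str                 # master-file field that was changed
    old_value: str
    new_value: str
    changed_by: str
    reviewed_by: Optional[str]  # None when no independent review was recorded


# Payee types for which a federal ID must be on file (assumption).
TYPES_REQUIRING_TAX_ID = {"service_provider"}
# Fields whose change should be independently reviewed (assumption).
SENSITIVE_FIELDS = {"name", "bank_account", "address"}
# US EIN layout: two digits, optional hyphen, seven digits.
EIN_RE = re.compile(r"^\d{2}-?\d{7}$")


def tax_id_exceptions(payees: List[Payee]) -> Dict[str, List[str]]:
    """IDs of payees that require a federal ID but have none, or a malformed one."""
    missing, malformed = [], []
    for p in payees:
        if p.payee_type not in TYPES_REQUIRING_TAX_ID:
            continue                      # ID not required for this payee type
        value = (p.tax_id or "").strip()
        if not value:
            missing.append(p.payee_id)
        elif not EIN_RE.match(value):
            malformed.append(p.payee_id)
    return {"missing": missing, "malformed": malformed}


def unreviewed_changes(changes: List[PayeeChange]) -> List[str]:
    """Change IDs for sensitive-field edits with no reviewer, or self-review only."""
    return [
        c.change_id
        for c in changes
        if c.field in SENSITIVE_FIELDS
        and (not c.reviewed_by or c.reviewed_by == c.changed_by)
    ]


def audit_payees(payees: List[Payee], changes: List[PayeeChange]) -> Dict[str, List[str]]:
    """Combine both tests into one findings summary keyed by finding type."""
    ids = tax_id_exceptions(payees)
    return {
        "missing_tax_id": ids["missing"],
        "malformed_tax_id": ids["malformed"],
        "unreviewed_changes": unreviewed_changes(changes),
    }


# Constructed sample data: every payee, name and ID below is made up.
SAMPLE_PAYEES = [
    Payee("V001", "Acme Consulting LLC", "service_provider", "12-3456789"),
    Payee("V002", "Customer refund - J. Doe", "refund", None),      # ID not required
    Payee("V003", "Blue Sky Services", "service_provider", None),   # missing
    Payee("V004", "Northwind Repairs", "service_provider", "   "),  # blank counts as missing
    Payee("V005", "Globex Corp", "service_provider", "123"),        # malformed
]

SAMPLE_CHANGES = [
    PayeeChange("C1", "V001", "name", "Acme Consulting LLC", "Acme Consulting", "ap_clerk1", "ap_supervisor"),
    PayeeChange("C2", "V003", "name", "Blue Sky Services", "Blue Sky Svcs (DBA)", "ap_clerk2", None),
    PayeeChange("C3", "V004", "bank_account", "****1111", "****2222", "ap_clerk1", "ap_clerk1"),
    PayeeChange("C4", "V005", "phone", "555-0100", "555-0199", "ap_clerk2", None),  # not sensitive
]

if __name__ == "__main__":
    for finding, items in audit_payees(SAMPLE_PAYEES, SAMPLE_CHANGES).items():
        print(f"{finding}: {items}")
```

The point of the check is the one the poster makes: it reports the absence of a control (no ID on file, no reviewer recorded) independently of whether any payment in the sample turned out to be improper, so the output is a list of control exceptions to document, not a list of confirmed invalid payments.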



hopingtopass


Posts: 17
Joined: Jul 2012

Wednesday July 11, 2012 10:19 AM


As Internal Auditors, I believe we have an obligation to report internal control weaknesses that we uncover, even though we may not always be able to find examples of negative impacts of such weaknesses (i.e., situations where weaknesses resulted in issues).

The IIA Standards require that we report all relevant information. This would include internal control weaknesses identified. In fact, if we don't report such weaknesses, we are in non-compliance with the Standards.

Imagine what would happen if in a year, something went wrong as a result of lack of control in this area. The Board/management may ask, "I thought IA looked at this. Why was this not identified as a potential issue?"

When management attempts to discount findings by saying that we did not find any situations where there was a resulting issue from an internal control weakness, we simply state that something COULD HAVE HAPPENED (and perhaps they just "got lucky").

Ultimately, it is the decision of the Audit Committee to determine if your finding is appropriate.

It is much better to report a finding that the AC deems to be not appropriate, than to keep this information from the AC, then later be asked why it was not reported.

In summary... If you feel you have a valid finding that is based on strong internal controls, report it. Do not allow management to push you away from a valid finding.

Auditors tend to report all valid issues noted (as that is their job). Management wants to reduce the number of findings, as increased findings may cause others to view management in an unfavorable manner. So, management's disagreements are a basic element of the audit report process. Auditors must be prepared to support their findings with evidence. If you have evidence (either to show proof of errors, or support an internal control best practice), an auditor should be confident to report what they have identified.

For this specific situation, perhaps consult SOX or another internal control framework. You may possibly encounter the "but we don't have to follow SOX, as we are not a public company" argument. However, your response can be quite simple: "Even though we are not legally required to follow elements of SOX, the SOX guidelines are simply a formalized compilation of strong internal control practices which reduce risks, and therefore, the concepts communicated by SOX really apply to all organizations that wish to strengthen their internal controls."

My Internal Audit Department definitely reports internal control weaknesses in audit reports (and we make no attempt to determine if errors actually exist, as we feel that is not relevant).




KelKra


Posts: 14
Joined: Feb 2011

Wednesday July 11, 2012 10:37 AM


I could not agree more! Thank you for your response. Despite the "kick back", our department agrees that we are fully obligated to report this up to the Board Audit Committee. This was stated to management during our meeting to discuss our findings. Whether they see it as a gap or not, I explained that we have reporting standards that we are required to follow. If they choose to accept the risk, it is still documented that we made the recommendation and informed management of the risks we feel are there (even if management feels exposure is low).

Thanks!


The Institute of Internal Auditors • 247 Maitland Avenue Altamonte Springs, FL. 32701-4201 USA
+1-407-937-1100 • FAX +1-407-937-1101 • www.theiia.org