Internal Audit
Every successful audit is based on sound planning and an
atmosphere of constructive involvement and communication between the auditor and
the auditee. The purpose of writing this article is to provide insights on the
use of a tool for organisations with dispersed geographical locations,
especially the retail sector.
Any corporate body establishes Internal Controls & Procedures
to ensure that employees abide by laws, regulations and human resources policies
when performing tasks. One of the many tools available to gauge internal control
effectiveness for organisations is the Control Self Assessment (CSA) activities.
Definition of Control :
The Institute of Internal Auditors (IIA) defines control and
control processes as :
“A control is any action taken by management, the board, and
other parties to manage risk and increase the likelihood that established
objectives and goals will be achieved. The management plans, organises, and
directs performance of sufficient actions to provide reasonable assurance that
objectives and goals will be achieved.
Control processes are the policies, procedures, and
activities that are part of a control framework, designed to ensure that risks
are contained within the risk tolerances established by the risk management
process. Risk management is a process to identify, assess, manage, and control
potential events or situations to provide reasonable assurance regarding the
achievement of the organisation’s objectives.”
Generally, controls are of two types :
Preventive controls :
Designed to discourage errors or prevent irregularities from
occurring. They are proactive controls that help prevent a loss. Examples :
Separation of duties, proper authorisation, adequate documentation, and physical
control over assets.
Detective controls :
Designed to find errors or irregularities after they have
occurred. Examples : Reviews, analyses, variance analyses, reconciliations,
physical inventories and audits.
Internal controls are policies and instructions within an
organisation that top leadership puts into place to prevent losses resulting
from malfunction, employee carelessness, error, fraud and neglect. The
Sarbanes-Oxley Act of 2002, introduced as a consequences of internal control
failures across the globe, has emphasised that the need for internal control
compliance & documentation.
From a retail perspective, there is an increased attention to
governance, compliance and risk management spread across many thousands of
locations. This necessitates retailers to implement an appropriate store
compliance process in order to monitor the identification of issues and remedial
measures. Primary focus of retailers is on reducing costs, increasing margins,
reducing shrinks, balancing inventory levels, managing vendors, tackling
regulators and attracting customers.
An effective store compliance process can be achieved through
traditional store audits or through a self assessment technique.
Traditional Audits :
-
In a traditional audit, the internal audit team
identifies issues and suggests remedial measures. The field work is
undertaken by the audit team which visits the stores. The major challenge in
this traditional approach is that all stores may not be visited and/or there
can be infrequent coverage. The audit team personnel require training,
travel budgets and their presence ‘interrupts’ store operations. Undoubtedly
such an approach is costly, untimely and at times ineffective.
Control self assessment :
- Control self assessment is operations oriented. It provides auditors with
additional hands and eyes, specialised expertise, operational knowledge and a commitment to implement internal audit recommendations. To
implement the CSA methodology, it is imperative that there is a buy-in by
the top management. Training to all operating managers is another critical
pre-requisite. CSA is a cost effective and efficient alternative for wider
store audit coverage. Wider coverage leads to increased availability of
information for managing and monitoring retail operations. CSA significantly
increases the accountability of the store managers who, in any case, are the
control owners and places the responsibility of control in their hands.
Why CSA ?
Who is responsible for internal control? The auditors, right?
Wrong! Everyone plays a part in the internal control system. Ultimately, it is
the management’s responsibility to ensure that controls are in place. That
responsibility is delegated to each area of operation, which must ensure that
internal controls are established, properly documented and maintained. Every
employee has some responsibility towards the functioning of this internal
control system. Therefore, all employees need to be aware of the concept and
purpose of internal controls. Internal audit’s role is to assist management in
their overlooking and operating responsibilities through independent audits and
consultations designed to evaluate and promote the systems of internal control.
This is where CSA, as a technique, can play an important
role. Modern Internal Auditors need to understand and practise this technique.
CSA defined :
The Institute of Internal Auditors (IIA) defines Control Self
Assessment as :
“Control self assessment (CSA) is a technique that allows
managers and work teams directly involved in business units, functions or
processes to participate in assessing the organisation’s risk management and
control processes. In its various forms, CSA can cover objectives, risks,
controls and processes.”
Internal auditors can utilise CSA programmes for gathering
relevant information about risks and controls; for focussing audit work on high
risk, unusual areas; and to forge greater collaboration with operating managers
and work teams. Business Managers can utilise CSA programmes to clarify business
objectives and to identify and deal with the risks in achieving those
objectives.
Internal auditors, in a consulting role, often act as facilitators to help managers in the assessment of risks and controls. Involvement of people working in evaluation of risks and controls utilises the expertise of the organisation, increases buy-in to any action items and focusses efforts on important business activities.
However, CSA is not a complete process by itself. It does not substitute the auditing effort. The audit function has to validate the CSA results, develop the remedial action plan and ensure a timely follow-up on issues identified during the CSA process. This combined effort is the most cost effective and result-oriented method of monitoring all stores on a regular basis.
Benefits of CSA in retail:
- Better buy-in of results because of the participative and collaborative approach.
- Does not require a battalion of internal auditors.
- Ensures complete coverage of all stores.
- Optimum utilisation of all resources for an audit.
- Better appreciation of issues since the store managers have a more intimate eye on store operations.
- Focus is on key risks & controls which is monitored by the corporate audit team.
- Store managers can give more appropriate remedial measures requiring corporate audit only to review and follow-up on the remedial plans.
- Helps store managers to understand and assume responsibility and accountability for effective control and risk.
Pre-requisites of an effective CSA in retail:
- Mature state of operations.
- Corporate culture should support and value communication, openness and trust.
- Organisation should have clear objectives.
- Internal Audit should study existing processes deeply.
- Clearly defined parameters for CSA.
- System to collect, corroborate and analyse information collected through CSA.
Lastly, ‘above par’ facilitation skills of the Internal Auditor. In most successful implementation of CSA, the top-most reason for successes has been the facilitation skills of the Internal Auditor.
Undoubtedly, CSA is an integrated part of the audit process for mitigating risks and adding value to the organisations, especially in retail.
|
|
Sr.
|
Review
area
|
Compliance status
|
|
|
|
No.
|
|
|
|
|
|
|
|
(Yes/No/NA)
|
|
|
|
|
|
|
|
|
|
|
Cashiering
|
|
|
|
|
|
|
|
|
|
|
1
|
Entire cash sales for the day is deposited
|
Yes / No / NA
|
|
|
|
|
|
|
|
|
|
2
|
All
credit card sales for the day are supported by credit card slips
|
Yes / No / NA
|
|
|
|
|
|
|
|
|
|
3
|
Sales
through other mode of payments (MOP) such as gift coupons, etc. are
|
|
|
|
|
|
backed by the MOP
|
Yes / No / NA
|
|
|
|
|
|
|
|
|
|
4
|
Petty
cash, float cash & sales cash are kept separately
|
Yes / No / NA
|
|
|
|
|
|
|
|
|
|
5
|
Petty
cash expenditure is authorised by store manager
|
Yes / No / NA
|
|
|
|
|
|
|
|
|
|
6
|
Petty
cash expenditure is recorded on a daily basis
|
Yes / No / NA
|
|
|
|
|
|
|
|
|
|
|
Inventory
|
|
|
|
|
|
|
|
|
|
|
7
|
Goods
receipt notes are prepared for all goods received in the store
|
Yes / No / NA
|
|
|
|
|
|
|
|
|
|
8
|
Damaged
goods are segregated and kept separately in the backroom
|
Yes / No / NA
|
|
|
|
|
|
|
|
|
|
9
|
Expired
goods are identified and kept separately in the backroom
|
Yes / No / NA
|
|
|
|
|
|
|
|
|
|
10
|
All
damaged and expired goods received during the month are sent back to the
|
|
|
|
|
|
distribution centre/vendor in the last week of the month
|
Yes / No / NA
|
|
|
|
|
|
|
|
|
|
11
|
Physical
inventory verification is carried out as per plan
|
Yes / No / NA
|
|
|
|
|
|
|
|
|
|
|
Front Office Management
|
|
|
|
|
|
|
|
|
|
|
12
|
Goods
are arranged on the shelves as per the planogram of the store
|
Yes / No / NA
|
|
|
|
|
|
|
|
|
|
13
|
Correct
labels are displayed on the shelves
|
Yes / No / NA
|
|
|
|
|
|
|
|
|
|
14
|
High-shrink
items are kept near the cashier
|
Yes / No / NA
|
|
|
|
|
|
|
|
|
|
15
|
Near-expiry
items are identified and marked down as per policy
|
Yes / No / NA
|
|
|
|
|
|
|
|
|
|
17
|
Promotion
schemes launched in the store are properly updated in the billing
|
|
|
|
|
|
software
|
Yes / No / NA
|
|
|
|
|
|
|
|
|
|
|
Legal & Compliance
|
|
|
|
|
|
|
|
|
|
|
18
|
All
certificates requiring mandatory display are displayed
|
Yes / No / NA
|
|
|
|
|
|
|
|
|
|
19
|
All
certificates expiring during the month are sent for renewal
|
Yes / No / NA
|
|
|
|
|
|
|
|
|
|
20
|
Notice,
if any, received from any government department is immediately
|
|
|
|
|
|
communicated to the central legal department of the company
|
Yes / No / NA
|
|
|
|
|
|
|
|
|
|
|
|
|
|
