
Retail Analytics using Computer-Assisted Audit Tools and Techniques

Internal Audit

Introduction :

Retail Performance Management enables decision-making for
retailers of all sizes and segments, by empowering them with comprehensive
relevant Enterprise Business Intelligence, across technology platforms.

With Computer Assisted Audit Tools (CAATs), users can
jumpstart their analytic journey, and enjoy improved margins, better customer retention, inventory efficiency and promotion
effectiveness with fewer markdowns.

CAATs help accelerate your retail organisation’s analytic
maturity, taking you one step closer to achieving excellence. CAATs create such
business benefits by delivering enhanced usability, speaking and thinking
retail, anticipating the evolving
needs of decision-makers, and ensuring a faster adoption rate.

Through simple screen-guided analytics, CAATs empower every
decision-maker in every role in your retail organisation. And they take the load
off the IT Group, by being easily extendable and maintainable.

By implementing CAATs, you avoid the latency, cost and
project management challenges associated with a traditional BI deployment, and
enjoy unparalleled speed to benefits.

CAATs transform business intelligence from being a ‘Decision
Support System’ to a ‘Decision-Making System’. CAATs make business intelligence
pervasive across the retail business by impacting the top line and bottom line
performance of the business.

CAATs take on a whole new revolutionary role in retail
analytics where the tool is used for continuous monitoring by process owners
rather than the erstwhile traditional continuous auditing by Internal Auditors.
The significance of the CAAT is greatly accentuated by the understanding of the
underlying business process by the process owner.

Retail analytics can deliver immeasurable business benefits :

Merchandising & Assortment :

It’s a well known fact that shoppers prefer to visit places
that offer them the maximum options, deals and not to forget a good shopping
experience.

As a retailer, one does everything to retain their customers
— providing excellent customer service, providing variety, running regular
promotions, ensuring products have been priced appropriately and not to forget
ensuring customers are satisfied. While one aims at providing a range of
products, it is not possible to offer everything.

Here is where merchandise and assortment planning comes in.
CAATs provide merchandisers an analytic framework to plan and analyse business
activities related to merchandise and assortment planning.



  • Compare historical, planned or forecasted data against actual data to define and optimise merchandise plans
  • Analyse merchandise hierarchy across departments, categories, product lines and Stock Keeping Units (SKUs)
  • Increase customer loyalty by providing merchandise that caters to their requirements
  • Provide a range of optimally priced products, including private labels
  • Analyse performance of new products and their impact on similar products in the same category
  • Determine seasonal and store-specific product assortments.



Loss prevention :

In the retail industry, it is well known that losses due to
fraudulent transactions, theft, pilferage, excessive stocking, wastage,
shoplifting, internal theft, refunds, exchanges and excessive discounting are
inevitable. While one can’t do away with these problems, retailers are always on
the look-out for ways to minimise losses while keeping costs minimum.

Loss prevention analytics help you diagnose the root cause of
the problem, identify exceptions and take corrective measures. CAATs substantiate
their analyses with historical, geographic, and demographic trends.



  • Incorrect or fraudulent refunds
  • Spoilage, damage and write-offs
  • Price overrides and improper discounting
  • Supplier or warehouse issues
  • Administrative errors
  • Fraudulent sales to customers with dubious shopping records
  • Erroneous entries for product returns.



Supplier performance :

Being able to forecast optimal levels of inventory, optimise
lead time, manage orders, improve fill rates, negotiate trade promotions, manage
risks and improve supply chain efficiency — these are just a few challenges
faced by retailers when it comes to managing supplier performance.

While supplier performance management is an area that tends
to get neglected, focussing on this area can help you bring down operation costs
drastically.

CAATs provide a decision-making framework that enables you to
identify new areas of synergy and avenues for bringing about operational
excellence.

  • Optimally manage inventory by tracking slow and fast moving goods, measuring loss due to out of stock situations and optimising lead time for a product

  •     Manage vendors more effectively by tracking lead time, fill rate, service levels, customer satisfaction levels and product returns per vendor

  •     Reward performing vendors, improve performance of, or replace non-performing vendors

  •     Negotiate trade promotions to get better deals, longer credit periods and shorter delivery cycles

  •    Identify ways and opportunities to streamline operations, reducing operation costs

  •     Manage supply-related risks and take corrective measures proactively.

Store productivity and benchmarking :

To survive in today’s ever-changing retail world, it is essential for retailers to understand their business, know their customers, recognise their edge over competition, identify potential for growth, and realise their weaknesses. In an endeavor to stay ahead, retailers are proactively gathering data about how they are performing vis-à-vis market trends and analysing ways to improve and optimise store productivity.

CAATs provide retail operation managers a framework to analyse store performance and productivity.

  •     Reclassify stores by local demographics, competitive density, store locations, size and age

  •     Reclassify merchandising categories based on the relationship between the customer, product and store

  •    Analyse group peer and merchandising assortment

  •     Measure contribution and competence of store employees by monitoring their contribution to total sales

  •     Benchmark, compare and rank peer groups based on metrics like yield per square area and average price per item sold.

Customers :

Customer data has long been touted as a key determinant in better merchandising decisions; however it is an asset most retailers have struggled to use to its maximum potential. CAATs provide you with the critical platform you need to leverage customer loyalty data, sales transaction data, and store data to improve merchandise planning and tactics.

CAATs unveil hidden relationships between your customer, product and store data sets. These deep and significant insights help you implement key emerging practices such as consumer-centric merchandising, store-specific assortments and micro-merchandising.

Promotion performance :
Analyses plan v. achievement across key metrics in pre-promotion, during and post-promotion periods.

Campaign effectiveness :
Once a campaign is launched, then its effectiveness can be studied across different media and in terms of costs and benefits.

Loyalty analysis :
Provides insights on retention, churn and acquisition trends across segments.

RFM scoring :

Identifies your company’s best customers based on recency, frequency and monetary value.

Product affinity and market basket :

Product affinity and market basket analysis involves leveraging point-of-sale data to improve business strategies and uncover hidden relationships between products. Point-of-sale data provides insight into the types of products customers typically buy together, the time of year sales for a combination of products go up, destination items that pull customers to the store, and reasons for boost in product sales.

CAATs provide an analytic framework for identifying patterns in customer product purchases and store visits, improving the effectiveness of marketing, sales and merchandising strategies, and understanding links between tactical initiatives like allocation, shelf presentation, promotions, price changes and purchase determinants.

  •     Understand product affinity i.e., identifying products that are likely purchased together

  •     Identify and manage destination items i.e., items that cause a customer to visit your store

  •     Identify seasonal sales trends for items i.e., time of the year when sales for a particular item go up or down

  •     Analyse customer purchase behaviour to understand the role a product plays in a basket i.e., an impulse item or a destination item

  •     Analyse trips by purchase patterns and classifying shopping trips into categories like weekly grocery trips or special occasions

  •     Analyse the impact of promoted products on the overall basket with emphasis on parameters like cross-selling and cannibalisation

  •   Analyse brand affinity, penetration, switching and private label impact

  •     Define baskets that allow you to up-sell and cross-sell

  •     Correlate store performance with overall market performance.

Conclusion :
CAATs create an environment where the process owners can make informed decisions real-time on :

  • Which customer segments are the most profitable ?

  • Which prospects should my campaign target ? When should I communicate with a customer, and how ?

  • Which customers should I spend money on retaining ?

  • To which customers should I cross-sell, and what products ?

We are at the dawn of mature retail analytics for the discerning retail customer.
    

Computer-Assisted Audit Tools (CAATs) — Effective use of CAATs by Audit Firms

Internal Audit

Preface :


Dhruva is a Practice Director — Data Analytics with M/s.
Assurance & Associates. M/s. Assurance & Associates are Practice leaders in the
field of governance, risk management and control analytics for the last 5 years.
In a short span of 5 years this dynamic firm had managed to establish a
footprint in the accounting and finance segment which was the erstwhile arena
for large accounting and audit majors. This fast-paced growth was fuelled by a
small group of ‘razor sharp’ smart professionals who delivered consistent value
propositions to all their clients by riding on the backbone of contemporary
audit technology.

M/s. Assurance & Associates leveraged audit technology like
general audit softwares, audit administration tools and enterprise risk
management applications to deliver above-the-board, high-return results to all
the clients from retail to manufacturing, to logistics and healthcare.

Dhruva was solely responsible for overseeing all data
analytic projects, assignments and academic ventures for the firm.

In a recent meet of mid-rung audit firms, Dhruva was
presenting on the role of ‘The Power of Analytics’ and ‘Analytics made Simple’.
Dhruva spoke firmly, confidently and charismatically about his association with
general audit tools and the outstanding benefits which accrued to him and the
firm over the last 5 years through the power of analytics. There was a twinkle
in his eye as he drew a colorful picture about his journey with general audit
softwares. His oration captivated the audience and laid the foundations for
prolific use of CAATs by all audit firms in the days to come.

Dhruva presented on general audit softwares and their lineage with
manufacturing entities :

Manufacturing companies have many of the standard ledgers;
purchasing and payroll can be key concerns. However, the main business area is
inventories.

Inventories (stocks) and work-in-progress :

There is normally a master or balances file that contains
details of inventory holdings at a particular date. Costs may be held in a
separate file. Transaction history can be particularly useful although file
sizes are often quite large. Selling prices normally have to be picked up from a
separate file.


Tests conducted included, but were not limited to :


Analysis :


  • Age stock by date of receipt
  • Compute the number of months’ stock of each item held, based on either sales or purchases. Produce a summary of this information
  • Stratify balances by value bands
  • Statistically analyse usage and ordering to improve turnover
  • Summarise products by group, location, type, etc.
  • Report of products in order of profitability
  • Reconcile physical counts to computed amounts




Calculations :


  • Total the file, providing sub-totals of the categories of inventory
  • Re-perform any calculations involved in arriving at the final stock quantities and values
  • Re-perform material and labour cost calculations on assembled items




Exception tests :


  • Identify and total stock held in excess of maximum and minimum stock levels
  • Identify and total obsolete or damaged stock
  • Identify any items with excessive or negligible selling or cost prices
  • Identify differences arising from physical stock counts
  • Test for movements with dates or reference numbers not in the correct period (cut-off)
  • Identify balances which include unusual items (e.g., adjustments)
  • Identify work in progress which has been open for an unreasonable period
  • Identify stocks acquired from group companies
  • Isolate products with cost greater than retail price, with zero quantities or with zero prices


Gaps and duplicates:

  • Test for missing stock ticket numbers
  • Test for missing transaction numbers
  • Identify duplicate stock items


Matching and comparing:

  • Compare files at two dates to identify new or deleted stock lines or to identify significant fluctuations in cost or selling price
  • Compare cost and selling price and identify items where cost exceeds net realisable value
  • Compare value of physical counts to general ledger amounts
  • Check work orders for accuracy against original sales orders


Other typical areas of tests include:


Cash disbursements:

  • Reconcile intercompany transfers
  • Summarise cash disbursements by account, bank, group, vendor, etc.
  • Generate vendor cash activity summary for contract negotiations


Purchase orders:

  • Extract pricing and receipt quantity variations by vendor and purchase order
  • Track scheduled receipt dates versus actual receipt dates
  • Identify duplicate purchase orders or receipts without purchase orders
  • Reduce inventory by comparing projected receipts to available stock
  • Analyse late shipments for impact on jobs, projects or sales orders due
  • Reconcile receipts by comparing accrued payable to received items


Work-in-progress:

  • Use net demand analysis against inventory and purchase orders to generate a quick material requirement planning report
  • Check work orders, by size, priority, for release to shop floor
  • Produce shop floor activity report by any item
  • Generate comparison of planned versus actual labour, materials and time
  • Reconcile job tickets or time cards to work order line items


Dhruva glorified general audit software and its power in working analysis with retail entities:

Retailers often have point-of-sale systems which collect large volumes of useful data which audit tools can analyse. The main tests on inventories are similar to manufacturing companies with perhaps more emphasis on movement, margins and shrinkage.

Additional tests include:

  • Gross profit analyses
  • Items past their shelf life
  • Comparisons between stores on holdings and inventory turnover per product line
  • Price adjustment transactions


Other typical areas of tests include:


Cash disbursements:

  • Monitor cash disbursements for stores
  • Track cash disbursements for contractor and vendor services
  • Summarise cash disbursements by account, bank, group, vendor, etc.


Loss prevention:

  • Compare ‘No Sale’ transactions to cash voided transactions by associate
  • Identify stores with significant allowances
  • Isolate duplicate return transactions
  • Identify incomplete exchange transactions
  • Look for check purchases and refunds within 15 days
  • Find credit card purchases and refunds to different credit cards (same day)
  • Identify potential fraudulent or improper transactions through selling price differences between stores


Purchase order management:

  • Reconcile order received to purchase order to identify shipments not ordered
  • Extract pricing and receipt quantity variations by vendor and purchase order
  • Track scheduled receipt dates versus actual receipt dates
  • Compare vendor performance by summarising item delivery and quality
  • Compare accrued payable to received items to reconcile to general ledger


Distribution and Service:

Typical areas of tests include:

Sales analysis:

  • Generate sales/profitability reports by sales representative, product, customer
  • Recap product sales by region, customer, category, etc.
  • Identify high volumes by region, customer, category, etc.
  •  Extract all sales data for audit by customer, product, region, etc.
  • Compare ratios of current sales to open receivable (high-low; low-high)
  • Summarise shipments by warehouse for product distribution analysis


Sales order control:

  • Report on correlation between items shipped and items ordered
  • Analyse open orders and open invoices by customer for credit control
  • Isolate detail and average backlog by customer, item, location, etc.
  • Reconcile booked items to inventory reserved (on hold) items
  • Control profits by calculating line item margins before shipment
  • Analyse product demand by summarising products ordered by due date


Service management:

  • Create real-time service tracking reports in any format to manage fieldwork
  • Co-ordinate multiple service personnel to maximise performance in real time
  • Quickly recap routes and times of service calls by employee, area, etc.
  • Compare arrival and service times for field service representatives
  • Calculate cost of service by call for labour, materials and transportation
  • Compare service report time to time-sheet hours from payroll


Dhruva exemplified general audit software and their relevance to the healthcare segment:

Typical areas of tests include:

Accounts receivable, Patient billing and Managed care:

  • Calculate average days from discharge to bill, bill to payment, by payer or department
  • Determine appropriate level of contractual allowance and doubtful accounts reserves
  • Age receivables on date of service rather than invoice date to recalculate cash flow
  • Analyse rejected payments by financial class, procedure code, cost centre
  • Evaluate managed care payer performance
  • Identify underpaid managed care accounts
  • Determine profit margin by physician, financial class, etc.


Charges:

  • Identify late charges by department, by month, etc.
  • Look for invalid, high dollar or duplicate charges on patient bills
  • Look for lost charges by matching supplies used to supplies billed
  • Check procedure codes and billed charges to identify inappropriately billed charges


Clinical subsystems:

  • Compare patient visit data on clinical sub-systems to patient master
  • Identify interface failures
  • Identify pricing discrepancies between sub-systems and master


Marketing:

  • Develop patient statistics by post codes or other demographic data
  • Look for incomplete or miscoded patient demographic information
  • Identify profitable segments of patient population

Materials management:

  • Analyse usage and ordering to improve inventory reordering
  • Report on stock and high-value balances using any selection criteria
  • Identify obsolete inventory by turnover analysis
  • Compare speed and accuracy of delivery by product and vendor
  • Profile supply usage by month, by department, etc.

Medical claims :

  • Analyse timeliness of claims payments by comparing claim date, date claim received, and date claim paid
  • Look for duplicate billings and claim payments based on patient, provider, date of service and amount


Medical records :

  • Identify duplicate medical records for same patient
  • Track diagnosis coding deficiencies, incomplete records, etc.
  • List incomplete records and incompatible coding
  • Report on procedure codes by physician, department or patient


Specialists:

  • Determine specialist/doctor contract compliance
  • Evaluate specialist/doctor practice history by patient type, payer, etc.
  • Report on incomplete specialist/doctor profiling information


Purchase order management:

  • Report on purchasing performance by location
  • Identify pricing and receipt quantity variations by vendor and purchase order
  • Identify duplicate purchase orders and receipts without purchase orders
  • Reconcile receipts by comparing accrued payables to received items
  • Compare vendor performance by summarising item delivery and quality

Brilliant ending:

Dhruva received a standing ovation from the group. He ended his presentation in all humility by citing that General Audit Tools are time-tested, stable, robust, powerful, internationally acclaimed and user-friendly applications. He added that no Tool is a ready substitute for the auditor’s acumen and judgment, but is a powerful, cost-effective facilitator. He encouraged all the members present to embrace Tools and reap the benefits of an idea whose time has come.

Computer-Assisted Audit Tools (CAATs) — Effective use of CAATs by Bank Auditors in conducting Compliance Audits

Preface :

    George is a Director — Analytics, with Control Analytics Inc. Control Analytics Inc. are market leaders in the field of governance, risk management and control analytics for the last decade and pioneers in the implementation of audit process tools. In a short span of time this bellwether firm has managed to establish a footprint in the accounting and finance segment which was the erstwhile arena for large accounting and audit majors. This fast-paced growth was fuelled by a group of professionals who delivered consistent value propositions to all their clients by riding on the backbone of contemporary assurance technology.

    Control Analytics Inc. leveraged audit technology like general audit softwares, data mining tools, work paper administration tools, reporting applications and enterprise risk management applications to deliver value-added, high-return results to all the clients from retail, to manufacturing, to information technology and healthcare.

    Control Analytics Inc. was solely responsible for overseeing all data analytic projects, and applied research projects for the firm.

    In a recent banking conclave, George was presenting on the role of ‘Compliance Reviews through CAATs’.

Introduction :

    The importance of internal control in banks cannot be over-emphasised. Banks deal primarily with cash and readily encashable documents. It is essential that they take every precaution to guard themselves against errors and frauds committed by their constituents or by their own employees.

    The following are the main principles of internal control in a bank :

  •      Every transaction should be checked and authorised by authorised persons before it actually takes place.

  •      Every transaction should be entered in the books before the next transaction is authorised.

  •      The routine procedure should be such as to prevent and detect errors and frauds in the normal course and before interests of the bank are adversely affected.

  •      There should be regular as well as surprise checks by inspectors and internal auditors who should constantly review the working of all departments.

    The Statement on Standard Auditing Practices (SAP) 1, Basic Principles Governing an Audit, issued by the Institute of Chartered Accountants of India, states (paragraphs 19-20) :

    “The auditor should gain an understanding of the accounting system and related internal controls and should study and evaluate the operation of those internal controls upon which he wishes to rely in determining the nature, timing and extent of other audit procedures. Where the auditor concludes that he can rely on certain internal controls, his substantive procedures would normally be less extensive than would otherwise be required and may also differ as to their nature and timing.”

    Internal control evaluation is a key phase in Compliance Audits. In the case of audit of banks, it assumes even greater importance due to the enormous volume of transactions entered into by banks. Evaluation of the design and operation of internal control system enables the auditor of a bank to perform more effective audits. Therefore, the auditor of a bank should study and evaluate the design and operation of internal controls. This would assist him in determining the nature, timing and extent of substantive procedures in various mainstream bank areas, depending upon whether the internal controls are adequate and observed in practice.

    CAATs facilitate the internal control evaluation through deployment of comprehensive analytical routines to detect control failures and missing controls.

 Presentation on compliance review of controls in Banks through CAATs :

    George wanted to drive home the efficacy of general audit tools to the conclave of banking participants comprising auditors, investigators, risk managers, IT security professionals and more. He decided to help the participants visualise the utility of audit tools (GAS) through a few live banking case studies and discussions. These case studies served as a primer for a general awareness and appreciation amongst the participants.

    Banking case studies presented were :

Introduction of current accounts by an account-holder other than current :

    Account maintenance procedures require a current account-holder to be introduced by another current account-holder from the same bank.

    In this case the ‘Retail Liability Account Master’ file was taken up for scrutiny within the GAS.

    Here George juxtaposed the introducer customer number, corresponding account number/s, and product type/s to the primary current account and product type through file join operations.

    He then performed an ‘extraction-query’ with the condition ‘Introducer product type is not a current account and the introduced account product type is a current account’.

    George was able to cull out a number of current accounts introduced by a savings account holder and also some accounts introduced by staff members from the branch.

Non-resident saving accounts where a resident Indian is a joint-holder :

    Account maintenance procedures mandate through statutory regulation that a non-resident savings account-holder cannot have a resident Indian as a joint account holder.

    Here George took up the ‘Joint Holder Account Master’ file as the base file for monitoring within the GAS.

He performed a ‘summarisation – consolidation’ on the constituent member product types for the non-resident saving account-holders. Based on the summarisation result George filtered out queried product types containing the sub-string character representation ‘Resident’.

This exercise yielded negative non-compliances.

Incorrect interest application on premature closure of term deposits:

Revenue charge procedures stipulate that in case of premature closure of term deposits, the Core Banking System must apply the Rate of Interest (ROI) for the deposit tenor actually run, less the penalty rate as decided by the Bank. The penalty rate is generally metered as 1% or 2%.

In this control assertion the ‘Term Deposit Account Master File’ was imported into the GAS.

The ROI applicable on the deposit for the contracted tenor is readily available in the master file. ROI applicable on premature withdrawal is a variable/system-computed field which varies from case to case depending on the tenor of the deposit run.

This data is normally not available as a ready native field within the database. This field may be computed through Database Query Logic like SQL and provided for further analysis along with the native fields.

Premature deposits are term deposits where the maturity date of the deposit is greater than the system date and account closure date is before the deposit maturity date.

George wrote a ‘Criteria – Query’ within the GAS to identify specific premature instances where the contracted ROI was paid in place of the actual ROI. A few premature withdrawal instances were identified where incorrect interest i.e., contracted ROI was applied and paid. In some of the cases, the term deposit was closed within 15 days of opening and contracted ROI was still paid. Based on George’s representation/findings, the branch accepted the error in interest application which was due to oversight. The excess interest paid was reversed through a manual interest adjustment entry.
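The premature-closure test described above can be sketched as follows. This is an added example, not code from the article or from any GAS product: the rate card, the 1% penalty, the field names and the sample records are all constructed assumptions.

```python
from datetime import date
from decimal import Decimal

# Constructed rate card (assumption): (minimum days run, annual ROI %).
# Deposits run for less than the shortest slab earn no interest.
RATE_SLABS = [
    (0, Decimal("0.00")),
    (15, Decimal("4.00")),
    (46, Decimal("5.50")),
    (180, Decimal("6.50")),
    (365, Decimal("8.00")),
]
PENALTY_RATE = Decimal("1.00")  # the text says the penalty is generally 1% or 2%

# Constructed extract of a 'Term Deposit Account Master File' (field names assumed).
TERM_DEPOSIT_MASTER = [
    {"deposit_no": "TD-101", "opened": date(2008, 4, 1), "maturity": date(2009, 4, 1),
     "closed": date(2008, 10, 15), "contracted_roi": Decimal("8.00"), "roi_paid": Decimal("8.00")},
    {"deposit_no": "TD-102", "opened": date(2008, 6, 1), "maturity": date(2009, 6, 1),
     "closed": date(2008, 6, 10), "contracted_roi": Decimal("8.00"), "roi_paid": Decimal("8.00")},
    {"deposit_no": "TD-103", "opened": date(2008, 5, 1), "maturity": date(2009, 5, 1),
     "closed": date(2008, 8, 1), "contracted_roi": Decimal("8.00"), "roi_paid": Decimal("4.50")},
    {"deposit_no": "TD-104", "opened": date(2008, 1, 1), "maturity": date(2009, 1, 1),
     "closed": date(2009, 1, 1), "contracted_roi": Decimal("8.00"), "roi_paid": Decimal("8.00")},
    {"deposit_no": "TD-105", "opened": date(2008, 9, 1), "maturity": date(2009, 9, 1),
     "closed": None, "contracted_roi": Decimal("8.00"), "roi_paid": Decimal("0.00")},
]


def rate_for_tenor(days_run):
    """Return the card rate for the tenor the deposit actually ran."""
    rate = Decimal("0.00")
    for min_days, slab_rate in RATE_SLABS:
        if days_run >= min_days:
            rate = slab_rate
    return rate


def expected_premature_roi(opened, closed, penalty=PENALTY_RATE):
    """ROI for the tenor actually run, less the penalty, never below zero."""
    days_run = (closed - opened).days
    return max(rate_for_tenor(days_run) - penalty, Decimal("0.00"))


def premature_roi_exceptions(master):
    """List premature closures where the ROI paid exceeds the ROI that was due.

    Returns tuples of (deposit_no, days_run, expected_roi, roi_paid).
    """
    exceptions = []
    for rec in master:
        closed = rec["closed"]
        # Premature closure: closed, and closed before the maturity date.
        if closed is None or closed >= rec["maturity"]:
            continue
        expected = expected_premature_roi(rec["opened"], closed)
        if rec["roi_paid"] > expected:
            days_run = (closed - rec["opened"]).days
            exceptions.append((rec["deposit_no"], days_run, expected, rec["roi_paid"]))
    return exceptions


if __name__ == "__main__":
    for dep, days, expected, paid in premature_roi_exceptions(TERM_DEPOSIT_MASTER):
        print(f"{dep}: ran {days} days, ROI due {expected}%, ROI paid {paid}%")
```
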

Tax Deducted at Source (TDS) not deducted in respect of interest payments/accruals above Rs. 10,000 per annum:

The Income Tax Rules stipulate that interest accruals/payments on term deposits exceeding Rs. 10,000 per annum per customer should attract TDS. The Rules also lay down that TDS should not be deducted where the deposit holder submits either Form 15G or Form 15H for a given previous year.

Here the ‘Term Deposit Ledger’ File was captured within the GAS.

Then the file was summarised by ‘interest debits’, customer number wise through the ‘Summarisation-consolidation’ function.

From the above summarisation result, all customer numbers having sum of interest debits greater than Rs.10,000 for a given financial year were extracted through ‘Data Extraction – Query’.

The file generated above was joined with the ‘Tax Waiver File’ i.e., File for Form 15G/15H submissions using the ‘Join File’ utility within the tool.

Finally, all term deposits where the tax waiver flag was not enabled (non-waiver cases) were matched with the ‘TDS Ledger File’ using the ‘Join File’ utility within the tool. ‘Records with no Secondary Match’ were selected and specific customers were culled out where interest debits were more than Rs. 10,000 per annum for which TDS had not been deducted at all.

The test revealed certain deviations which were primarily on account of non-updation of the submitted Form 15G/Form 15H Certificates within the Core Banking System.
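The four steps of the TDS test (summarise, extract, join to the waiver file, select records with no secondary match in the TDS ledger) are shown below as an added example; it is not the article's or any audit tool's own code, and the file layouts, field names and sample rows are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

TDS_THRESHOLD = Decimal("10000")  # Rs. per annum per customer, as stated in the text

# Constructed sample files; layouts and field names are assumptions.
# Term Deposit Ledger: (customer_no, deposit_no, financial_year, interest_debit)
TERM_DEPOSIT_LEDGER = [
    ("C001", "TD-1", "2008-09", Decimal("6500.00")),
    ("C001", "TD-2", "2008-09", Decimal("5200.00")),   # two deposits, one customer
    ("C002", "TD-3", "2008-09", Decimal("14000.00")),
    ("C003", "TD-4", "2008-09", Decimal("9000.00")),
    ("C004", "TD-5", "2008-09", Decimal("25000.00")),
    ("C005", "TD-6", "2008-09", Decimal("12000.00")),
    ("C005", "TD-6", "2007-08", Decimal("11000.00")),
]
# Tax Waiver File: (customer_no, financial_year) with Form 15G/15H on record.
TAX_WAIVER_FILE = {("C002", "2008-09")}
# TDS Ledger File: (customer_no, financial_year, tds_amount)
TDS_LEDGER_FILE = [("C004", "2008-09", Decimal("2500.00"))]


def summarise_interest(ledger):
    """Step 1, summarisation: total interest debits per customer per year."""
    totals = defaultdict(Decimal)
    for customer, _deposit, fin_year, amount in ledger:
        totals[(customer, fin_year)] += amount
    return dict(totals)


def tds_not_deducted(ledger, waivers, tds_ledger, threshold=TDS_THRESHOLD):
    """Return (customer_no, financial_year, total_interest) where TDS was due
    but the TDS ledger holds no deduction."""
    totals = summarise_interest(ledger)

    # Step 2, extraction: customers whose yearly interest exceeds the threshold.
    above = {key: total for key, total in totals.items() if total > threshold}

    # Step 3, join with the waiver file: keep only non-waiver cases.
    non_waiver = {key: total for key, total in above.items() if key not in waivers}

    # Step 4, join with the TDS ledger and keep records with no secondary match.
    deducted = {(cust, fy) for cust, fy, amount in tds_ledger if amount > 0}
    return sorted(
        (cust, fy, total)
        for (cust, fy), total in non_waiver.items()
        if (cust, fy) not in deducted
    )


if __name__ == "__main__":
    for cust, fy, total in tds_not_deducted(
        TERM_DEPOSIT_LEDGER, TAX_WAIVER_FILE, TDS_LEDGER_FILE
    ):
        print(f"{cust} {fy}: interest Rs. {total}, no TDS entry")
```

Summarising per customer before applying the threshold is what brings C001 into scope: neither of that customer's deposits crosses Rs. 10,000 on its own.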

Loans having collateral security where insurance is not taken by the borrower:

Retail assets are secured through collateral security like stock, plant and machinery, building, etc. These collateral securities need to be insured on an ongoing basis and the details of insurance coverage need to be submitted to the branch for updation within the ‘Collateral Security Insurance Master’ in the Core Banking System.

George imported the ‘Loan Collateral Insurance’ File into the GAS.

He detected missing insurance policy numbers in the ‘Loan Collateral Insurance file’ for specific loans and loan collaterals using the ‘Extraction-Query’ command in the GAS.

This test revealed specific loan and loan collaterals which had not been insured.

This control condition breach presents a clear and present risk for the bank in case of any untoward incident on the secured collateral.

George also concluded that at times the collateral is insured but not in time and not within the grace period for premium payment. He recognised that breaks in insurance coverage could be as perilous as non-insurance coverage.

He set out identifying instances of break in insurance from the ‘Loan Collateral Insurance’ file. George added an additional field to the file upon import. In this field he extracted the date component from the ‘Maturity Date’ for example ’25’ was extracted into a new field from ‘25.06.2009’.

With dates available for the same loan collateral for a period of 5 years, George was able to successfully pull out unique instances of ‘Same Collateral Different Date’. In one such instance a ‘Special Watch Borrower’ having multiple credit facilities had delayed the renewal of insurance on a cache of 5 collaterals. The delay coincided with a natural calamity which fully damaged the collateral. This situation posed a common threat to the Branch leading to material financial exposures.
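The break-in-coverage test described above, as an added Python example (not the GAS procedure George ran and not code from the article). It first reproduces the day-component comparison and then goes further by measuring the uncovered days against a grace period; the field layout, the sample rows and the 30-day grace period are assumptions.

```python
from collections import defaultdict
from datetime import datetime

GRACE_DAYS = 30  # assumption: the article does not state the grace period

# Constructed sample of a 'Loan Collateral Insurance' file (layout assumed):
# (loan_no, collateral_id, policy_no, start_date, maturity_date), dates DD.MM.YYYY
POLICIES = [
    ("LN001", "COL-A", "P-100", "26.06.2007", "25.06.2008"),
    ("LN001", "COL-A", "P-101", "26.06.2008", "25.06.2009"),
    ("LN001", "COL-A", "P-102", "14.09.2009", "13.09.2010"),  # renewed late
    ("LN002", "COL-B", "P-200", "01.04.2008", "31.03.2009"),
    ("LN002", "COL-B", "P-201", "10.04.2009", "09.04.2010"),  # short delay
    ("LN003", "COL-C", "",      "01.01.2009", "31.12.2009"),  # no policy number
]


def parse_date(text):
    return datetime.strptime(text, "%d.%m.%Y").date()


def group_policies(rows):
    """Return (collaterals with a missing policy number, periods per collateral)."""
    uninsured, periods = [], defaultdict(list)
    for loan, collateral, policy, start, maturity in rows:
        if not policy.strip():
            uninsured.append((loan, collateral))
        else:
            periods[(loan, collateral)].append(
                (parse_date(start), parse_date(maturity), policy))
    return uninsured, periods


def day_component_mismatches(rows):
    """The article's test: same collateral, different day in 'Maturity Date'."""
    _, periods = group_policies(rows)
    flagged = {}
    for key, items in periods.items():
        days = sorted({maturity.day for _, maturity, _ in items})
        if len(days) > 1:
            flagged[key] = days
    return flagged


def coverage_breaks(rows, grace_days=GRACE_DAYS):
    """Count uncovered days between consecutive policies on one collateral."""
    _, periods = group_policies(rows)
    breaks = []
    for (loan, collateral), items in periods.items():
        items.sort()  # chronological by start date
        covered_until = items[0][1]
        for start, maturity, policy in items[1:]:
            # Days strictly between the last covered day and the new start day.
            uncovered = (start - covered_until).days - 1
            if uncovered > 0:
                breaks.append({
                    "loan": loan,
                    "collateral": collateral,
                    "policy": policy,
                    "uncovered_days": uncovered,
                    "beyond_grace": uncovered > grace_days,
                })
            covered_until = max(covered_until, maturity)
    return breaks


if __name__ == "__main__":
    print("Missing policy number:", group_policies(POLICIES)[0])
    print("Day-component mismatches:", day_component_mismatches(POLICIES))
    for item in coverage_breaks(POLICIES):
        print(item)
```

The day-component test flags both COL-A and COL-B; the gap calculation separates the 9-day delay from the 80-day break that exceeds the assumed grace period.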

Conclusion:

George culminated his presentation by reiterating that general audit tools are time-tested, stable, robust, powerful, internationally acclaimed and user-friendly applications designed by auditors for auditors. He added that no tool is a ready substitute for the Auditors’ acumen and judgment, but is a powerful, cost-effective facilitator. He encouraged all the bank auditors present to embrace tools and reap the benefits of an idea whose time has come. He closed his presentation with a parting remark: ‘Reserve Bank of India’s Department of Banking Supervision also uses audit tools in their banking supervisory role and we should draw inspiration from the regulator themselves in this matter’.

Control Self Assessment — A Case Study

Internal Audit

Background :


An engineering manufacturing company was facing competition
from small and medium-size operations despite its product having impeccable
quality. The margins were under pressure and it was even perceived that the
operations may have to be scaled down or closed. The internal audit was being
conducted by a firm of chartered accountants. The Managing Director of the
company discussed the situation with the partner in charge, who had been there
for the last several years. As a matter of fact the partner in charge had for
the last two years been reporting on increasing costs and loss of market share.

The internal auditor instead of carrying out a detailed
survey himself suggested to the Managing Director to approach the problem by
adopting ‘Control Self Assessment’ approach with the internal auditor acting as
a facilitator. He suggested the creation of teams for different areas and
involving the teams in finding solutions. He identified the following areas for
creating teams :

1. Accounts Receivables

2. Accounts Payables

3. Inventory Management

and he himself acting as facilitator during discussions.

Methodology :

Before we go into the operations and results of the effort
let us briefly understand what is ‘Control Self Assessment’.

‘Control Self Assessment’ is a workshop facilitation
technique where the internal auditor acts as a facilitator. The internal auditor
selects certain objectives to be achieved and then selects participants, of the
area concerning the objectives, from amongst the employees. The internal auditor
also conducts walkthroughs and does some data analysis prior to holding
workshops (usually two to three workshops) for the selected participants, with
the objective of arriving at action points for the selected objective/s. The
internal auditor basically facilitates the discussion focussing on the
objective/s and the employees themselves arrive at the action points for
achieving the objectives.

In the engineering company, since Accounts Receivables was
considered to be a problem area, the internal auditor studied this area from the
time the material leaves the organisation to the time the payment is
received. The ‘team for receivables’ comprised representatives from sales
department, accounts department, stores — inventory management, specially for
goods returned, and transportation. There were a number of issues which came up
during the four one-day workshops conducted over three weeks, and the action
points for improvements which were arrived at by the employees themselves are given below :

Objectives of the Control Self Assessment — CSA workshop are :



  • To reduce duplication.

  • Increase revenue.

  • Avoid control weaknesses in form of likely weak control — leakage points.



Action points decided in the workshop :

1. Cancelled invoices report to be generated from the
software.

2. Manual checking of total value — cross-checking by
accounts department on daily basis for assessable value, excise duty and sales
tax (from customer for receipt of goods) to be strengthened.

3. All acknowledgements to be received for passing of freight
bills within the country — No control over double billing of freight payable
presently and to be brought in by amending software to ensure that each
transporter bill is tagged to each despatch. Further reconciliation required for
all outwards vs. freight bills vs. acknowledgements vs.
service tax paid input credit taken.

4. Proper freight register to be maintained by shipping
department.

Details of register

Invoice No. | Date | Transporter Bill No. | Date | Amount | Acknowledge with Tpt | Signature/Initial | Freight D. Note No. | Date | Amount | Initial | Date of Submission Document with Bank

5. Debit Note to be raised on timely basis on the party for
any charges as per purchase order of the party — double-check through outwards
register. Major control which is lacking at present if someone misses out on
raising debit notes.

6. Time taken to submit the documents to the customer to be
tracked by accounts and deviation report to be given to head of department’s
office if delayed beyond 2-3 days.

7. Delay in clearance of documents by customer — to be
tracked by accounts.

8. Details of cheque/DO received from customer – register as well as excel sheet – duplication of efforts – to be done only by Shipping. Recording of reasons for short receipts – tagging of ‘on account’ payments received to be done properly to avoid problems in debtors accounts where credit and debit both are lying untagged. The details of cheque/DO may be entered by shipping on receipt rather than again sending it to accounts for entry purposes.

9. Bank charges to be debited to customer for cheque bounced immediately on cheque getting bounced – management policy for amount to be charged to the customer – presently not followed.

10. Timely clearance of outstation cheques.

    a) Whether payment through RTGS possible?

    b) To claim interest from bank for delayed clearance of outstation cheques.

    c) To get at par cheques from customers.

    d) Whether the cheques can be deposited locally by customers in core banking environment.

This will save substantial interest on working capital.

11. Weekly review of debtors – meeting to be held with aging analysis, presently not being held regularly.

12. Weekly reminders to debtors about payments due/overdue – by email.
 
13. Policy for write-offs – authority levels to be decided.

14. Debtors’ confirmation to be obtained on yearly basis – once the records of accounts and shipping department are reconciled.

15. Details of sales tax forms to be fed in ERP – separate excel records/register to be closed/ stopped – to be reconciled and separate records/ excel sheets to be stopped. Presently 3 registers being maintained – one by shipping, one by accounts and one by sales tax in accounts who compute this again manually invoicewise – waste of manpower efforts.

16. To track commission payment to agents to avoid double payment.

The suggestions when implemented resulted in:

1) Reducing receivable from an average of 65 days to 45 days, thus reducing interest costs.

2) Increased customer satisfaction as customers’ complaints were attended to at short notice, as the defect was rectified or equipment replaced.

3) Improvement in transaction costs for receivable area.

4) Improved control over billings by vendors, thereby avoiding duplicate billings and raising of debit notes which were missed out.

Conclusion:

This exercise of facilitating discussion amongst employees from different departments, with the employees themselves arriving at action points for improvements, was a success and resulted in a number of improvements. Since the solutions came from employees with the internal auditor acting as facilitator, the acceptability of and respect for the internal audit function was quite high. The management also commended the excellent work done by the internal auditor and requested the partner of the firm to extend this to other important problem areas.

The effort of the internal auditor in creating a multi-disciplinary team to solve the problem by involving the concerned people and by creating a sense of solution ownership was very much appreciated not only by the managing director but also by the Board of Directors.


CONTROL SELF ASSESSMENT IN RETAIL STORE AUDITS

Internal Audit

Every successful audit is based on sound planning and an
atmosphere of constructive involvement and communication between the auditor and
the auditee. The purpose of writing this article is to provide insights on the
use of a tool for organisations with dispersed geographical locations,
especially the retail sector.

Any corporate body establishes Internal Controls & Procedures
to ensure that employees abide by laws, regulations and human resources policies
when performing tasks. One of the many tools available to gauge internal control
effectiveness for organisations is the Control Self Assessment (CSA) activities.

Definition of Control :

The Institute of Internal Auditors (IIA) defines control and
control processes as :

“A control is any action taken by management, the board, and
other parties to manage risk and increase the likelihood that established
objectives and goals will be achieved. The management plans, organises, and
directs performance of sufficient actions to provide reasonable assurance that
objectives and goals will be achieved.

Control processes are the policies, procedures, and
activities that are part of a control framework, designed to ensure that risks
are contained within the risk tolerances established by the risk management
process. Risk management is a process to identify, assess, manage, and control
potential events or situations to provide reasonable assurance regarding the
achievement of the organisation’s objectives.”

Generally, controls are of two types :

Preventive controls :

Designed to discourage errors or prevent irregularities from
occurring. They are proactive controls that help prevent a loss. Examples :
Separation of duties, proper authorisation, adequate documentation, and physical
control over assets.

Detective controls :

Designed to find errors or irregularities after they have
occurred. Examples : Reviews, analyses, variance analyses, reconciliations,
physical inventories and audits.

Internal controls are policies and instructions within an
organisation that top leadership puts into place to prevent losses resulting
from malfunction, employee carelessness, error, fraud and neglect. The
Sarbanes-Oxley Act of 2002, introduced as a consequence of internal control
failures across the globe, has emphasised the need for internal control
compliance & documentation.

From a retail perspective, there is an increased attention to
governance, compliance and risk management spread across many thousands of
locations. This necessitates retailers to implement an appropriate store
compliance process in order to monitor the identification of issues and remedial
measures. Primary focus of retailers is on reducing costs, increasing margins,
reducing shrinks, balancing inventory levels, managing vendors, tackling
regulators and attracting customers.

An effective store compliance process can be achieved through
traditional store audits or through a self assessment technique.




 Traditional Audits :



  •  In a traditional audit, the internal audit team
    identifies issues and suggests remedial measures. The field work is
    undertaken by the audit team which visits the stores. The major challenge in
    this traditional approach is that all stores may not be visited and/or there
    can be infrequent coverage. The audit team personnel require training,
    travel budgets and their presence ‘interrupts’ store operations. Undoubtedly
    such an approach is costly, untimely and at times ineffective.


  Control self assessment :



  •   Control self assessment is operations oriented. It provides auditors with
    additional hands and eyes, specialised expertise, operational
    knowledge and a commitment to implement internal audit recommendations. To
    implement the CSA methodology, it is imperative that there is a buy-in by
    the top management. Training to all operating managers is another critical
    pre-requisite. CSA is a cost effective and efficient alternative for wider
    store audit coverage. Wider coverage leads to increased availability of
    information for managing and monitoring retail operations. CSA significantly
    increases the accountability of the store managers who, in any case, are the
    control owners and places the responsibility of control in their hands.




Why CSA ?

Who is responsible for internal control? The auditors, right?
Wrong! Everyone plays a part in the internal control system. Ultimately, it is
the management’s responsibility to ensure that controls are in place. That
responsibility is delegated to each area of operation, which must ensure that
internal controls are established, properly documented and maintained. Every
employee has some responsibility towards the functioning of this internal
control system. Therefore, all employees need to be aware of the concept and
purpose of internal controls. Internal audit’s role is to assist management in
their oversight and operating responsibilities through independent audits and
consultations designed to evaluate and promote the systems of internal control.

This is where CSA, as a technique, can play an important
role. Modern Internal Auditors need to understand and practise this technique.

CSA defined :

The Institute of Internal Auditors (IIA) defines Control Self
Assessment as :

“Control self assessment (CSA) is a technique that allows
managers and work teams directly involved in business units, functions or
processes to participate in assessing the organisation’s risk management and
control processes. In its various forms, CSA can cover objectives, risks,
controls and processes.”

Internal auditors can utilise CSA programmes for gathering
relevant information about risks and controls; for focussing audit work on high
risk, unusual areas; and to forge greater collaboration with operating managers
and work teams. Business Managers can utilise CSA programmes to clarify business
objectives and to identify and deal with the risks in achieving those
objectives.

Internal auditors, in a consulting role, often act as facilitators to help managers in the assessment of risks and controls. Involvement of people working in evaluation of risks and controls utilises the expertise of the organisation, increases buy-in to any action items and focusses efforts on important business activities.

However, CSA is not a complete process by itself. It does not substitute the auditing effort. The audit function has to validate the CSA results, develop the remedial action plan and ensure a timely follow-up on issues identified during the CSA process. This combined effort is the most cost effective and result-oriented method of monitoring all stores on a regular basis.

Benefits of CSA in retail:

  •     Better buy-in of results because of the participative and collaborative approach.

  •     Does not require a battalion of internal auditors.

  •     Ensures complete coverage of all stores.

  •     Optimum utilisation of all resources for an audit.

  •     Cost effective.

  •     Better appreciation of issues since the store managers have a more intimate eye on store operations.

  •     Focus is on key risks & controls which are monitored by the corporate audit team.

  •     Store managers can give more appropriate remedial measures requiring corporate audit only to review and follow-up on the remedial plans.

  •     Helps store managers to understand and assume responsibility and accountability for effective control and risk.

Pre-requisites of an effective CSA in retail:

  •     Mature state of operations.

  •     Corporate culture should support and value communication, openness and trust.

  •     Organisation should have clear objectives.
  •     Internal Audit should study existing processes deeply.

  •     Clearly defined parameters for CSA.

  •     System to collect, corroborate and analyse information collected through CSA.

  •     Training of staff.

    Lastly, ‘above par’ facilitation skills of the Internal Auditor. In most successful implementations of CSA, the top-most reason for success has been the facilitation skills of the Internal Auditor.

Undoubtedly, CSA is an integrated part of the audit process for mitigating risks and adding value to the organisations, especially in retail.

 

Sr. No. | Review area | Compliance status (Yes/No/NA)

Cashiering

1 | Entire cash sales for the day is deposited | Yes / No / NA
2 | All credit card sales for the day are supported by credit card slips | Yes / No / NA
3 | Sales through other mode of payments (MOP) such as gift coupons, etc. are backed by the MOP | Yes / No / NA
4 | Petty cash, float cash & sales cash are kept separately | Yes / No / NA
5 | Petty cash expenditure is authorised by store manager | Yes / No / NA
6 | Petty cash expenditure is recorded on a daily basis | Yes / No / NA

Inventory

7 | Goods receipt notes are prepared for all goods received in the store | Yes / No / NA
8 | Damaged goods are segregated and kept separately in the backroom | Yes / No / NA
9 | Expired goods are identified and kept separately in the backroom | Yes / No / NA
10 | All damaged and expired goods received during the month are sent back to the distribution centre/vendor in the last week of the month | Yes / No / NA
11 | Physical inventory verification is carried out as per plan | Yes / No / NA

Front Office Management

12 | Goods are arranged on the shelves as per the planogram of the store | Yes / No / NA
13 | Correct labels are displayed on the shelves | Yes / No / NA
14 | High-shrink items are kept near the cashier | Yes / No / NA
15 | Near-expiry items are identified and marked down as per policy | Yes / No / NA
17 | Promotion schemes launched in the store are properly updated in the billing software | Yes / No / NA

Legal & Compliance

18 | All certificates requiring mandatory display are displayed | Yes / No / NA
19 | All certificates expiring during the month are sent for renewal | Yes / No / NA
20 | Notice, if any, received from any government department is immediately communicated to the central legal department of the company | Yes / No / NA

Using Generalised Audit Software (GAS) for Fraud Detection

Internal Audit

Introduction :


Ray, the Head — Audit, Risk Management and Forensics of a
manufacturing major, ‘D & B’, was making a presentation on ‘Role of Internal
Audit and Management Assurance Services in detecting indicators of frauds — that
is — red flags’ to the Audit Committee, because the Audit Committee had
queried :

“To what extent should internal audit be responsible to
detect indicators of frauds and provide early warning signals ?”


The presentation sought to present the role of the internal
auditor in the context of the new IT-enabled business environment and the focus
of the assurance teams on IT controls, risk management, physical document-based
audits and compliance requirements under various regulations. One important tool
that could be used in this scenario is Generalised Audit Software (GAS). Such
tools aid an assurance team to identify trends and patterns and to query data for
other indicators of fraud while maintaining the cost of review and the timeliness of
conclusions.

The Audit Committee was supportive of the presentation made
by Ray and asked him to implement the GAS and present the red flags detected as
a result of the forensic review in the next quarter meeting.

Methodology :

The Chief Internal Auditor set up a mid-size team within the
department to take the initiative of implementing the GAS in the Company. The
team comprised 2 senior audit officials (who among them had a wide range of
experience in various process activities of the company like procurement, sales,
finance and administration), a Certified Fraud Examiner and an Information
Systems Auditor. The team also retained the services of a retired CBI Officer
who was an expert in economic offence interrogations.

The entire audit manual was reviewed and specific forensic
objectives were mapped for possible audit tests that could be conducted using a
GAS and otherwise. The method of using the GAS was debated and discussed by the
group in a way that data integrity, confidentiality and availability of the
production server was not compromised and the objectives were also met.

Since it was not possible to log onto the production server
due to access restrictions maintained by the Database Administrator, the team
was faced with the challenge of importing data for further analysis.

The team decided to connect to specific data dumps (Print
Report Dumps from various modules of the ERP like materials, sales, etc.)
provided by the DGM-IT. The data dump was provided by running a File Transfer
Protocol (FTP) on the Reporting Server, which is also used for reporting tools
like Discoverer.

Illustrative observations highlighting the red flags detected

(In all these instances, the audit scope was suitably
modified and was followed through to its conclusion)

Accounts payables :

Potential employee-vendor nexus :

The engagement team obtained key master data concerning
vendors and employees. The vendor master data had crucial field data like
telephone number, address, tax code, and bank account number. The employee
master data had vital fields like date of birth, bank account number, PAN, etc.

The team solicited special approvals from the ‘Supply Chain
Management Wing’ and the ‘Human Resources Wing’ to obtain confidential and
privileged master data. Upon getting the data in hand, the team extracted the
data into the GAS and set up the imported data for key comparisons.

The JOIN function was used to link the two databases on the
telephone number and bank account field individually. A quick review of the
result indicated some unexpected linkages, for example, the
address fields for some of the vendors and employees seemed to resemble each
other — similar but not the same. Interrogation followed this crucial data
crunching exercise, where surprise calls were placed to the registered telephone
numbers. On the basis of voice recognition and investigative visits, it was
conclusively stated that key vendor-employee links existed within the company.
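The vendor-to-employee join described above, as an added Python example (not the team's GAS procedure and not code from the article). It normalises the telephone and bank account fields before joining, skips blank keys, and scores address similarity with the standard library's `difflib`; the master data, field names, the last-10-digits phone rule and the 0.85 similarity cut-off are all assumptions.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher

ADDRESS_THRESHOLD = 0.85  # assumed cut-off for "similar but not the same"

# Constructed master data; identifiers and values are illustrative only.
VENDORS = [
    {"vendor_id": "V1001", "phone": "+91 22 5550 1234", "bank_account": "0012-3456-7890",
     "address": "14 Lake View Road, Andheri East, Mumbai 400069"},
    {"vendor_id": "V1002", "phone": "020 5550 7777", "bank_account": "998877665544",
     "address": "Flat 3B, Rose Apartments, MG Road, Pune 411001"},
    {"vendor_id": "V1003", "phone": "", "bank_account": "5555000011",
     "address": "Plot 9, Industrial Estate, Guindy, Chennai 600032"},
]
EMPLOYEES = [
    {"emp_id": "E501", "phone": "022-55501234", "bank_account": "4444333322",
     "address": "7 Hill Crest, Bandra West, Mumbai 400050"},
    {"emp_id": "E502", "phone": "9800000001", "bank_account": "1234567890",
     "address": "22 Station Road, Thane 400601"},
    {"emp_id": "E503", "phone": "9800000002", "bank_account": "7777000011",
     "address": "Flat 3-B Rose Apts., M.G. Road, Pune - 411001"},
    {"emp_id": "E504", "phone": "", "bank_account": "1212121212",
     "address": "Sector 18, Noida 201301"},
]


def norm_phone(value):
    """Digits only, last 10 kept; blank or short numbers never act as a key."""
    digits = re.sub(r"\D", "", value or "")
    return digits[-10:] if len(digits) >= 10 else None


def norm_account(value):
    """Drop separators and leading zeros so formatting cannot hide a match."""
    cleaned = re.sub(r"[^0-9A-Za-z]", "", value or "").lstrip("0").upper()
    return cleaned or None


def norm_address(value):
    return re.sub(r"[^0-9a-z]", "", (value or "").lower())


def naive_phone_join(vendors, employees):
    """Raw equality join, shown for contrast: it pairs blanks and misses formats."""
    return [(v["vendor_id"], e["emp_id"]) for v in vendors for e in employees
            if v["phone"] == e["phone"]]


def exact_links(vendors, employees, field, normalise):
    """Join on one normalised key using an index over the employee master."""
    index = defaultdict(list)
    for emp in employees:
        key = normalise(emp[field])
        if key:
            index[key].append(emp["emp_id"])
    return [(v["vendor_id"], emp_id, field)
            for v in vendors for emp_id in index.get(normalise(v[field]), [])]


def address_links(vendors, employees, threshold=ADDRESS_THRESHOLD):
    """Pairwise similarity; a lead for follow-up enquiry, not proof of a link."""
    links = []
    for v in vendors:
        for e in employees:
            a, b = norm_address(v["address"]), norm_address(e["address"])
            if a and b and SequenceMatcher(None, a, b).ratio() >= threshold:
                links.append((v["vendor_id"], e["emp_id"], "address"))
    return links


def find_links(vendors, employees):
    return (exact_links(vendors, employees, "phone", norm_phone)
            + exact_links(vendors, employees, "bank_account", norm_account)
            + address_links(vendors, employees))


if __name__ == "__main__":
    print("Naive join:", naive_phone_join(VENDORS, EMPLOYEES))
    for link in find_links(VENDORS, EMPLOYEES):
        print(link)
```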

Payroll :

Employees who have not availed of sick leave, casual leave or
travel leave in the last 3 years.

The investigation team consulted with the Human Resources
Wing of the company. Employees who tend to attend work regularly without leave
are normally watched by forensic auditors. These employees could be at the heart
of a long-drawn, deep-rooted system fraud as they normally assume key roles in
the organisation without much segregation of duty for long tracts of time. Their
supervisors never suspect their actions and continued service is considered a
merit.

The data under consideration was ‘leave availed’ data for the
last 3 years and employees on company rolls for the last 3 years.

Upon flat file report import, all the employees who had
consumed leave in the last 3 years were summed up. This summation file was
excluded from the file of all employees on the company rolls for the last 3
years using the JOIN function.

The resultant file brought to the fore existing employees of
long-standing nature, who had never consumed leave. In fact on a closer review
with the HR Wing, many of the cases detected were also on the CLOSE-WATCH
OVERTIME list.

The input was used to modify the audit objectives and tests
for identifying any irregularity.

Accounts Receivables :


Inconsistent scheme discount rates offered by Billing to different customers against the same scheme.

The fields of reference relevant to the red-flag being tested were identified as :

  • Authorised by
  • Scheme number
  • Scheme discount rates
  • Gross sale value.

The process of interrogation followed was as follows:

  • Field manipulation, appending a computed virtual numeric field discount % with the criteria (Scheme discounts*100/Gross sale value), rounded off to the nearest integer.

  • Navigating to analysis in the menu tool bar and selecting duplicate key exclusion – Celebrated De-Dup Test.

  • In duplicate key exclusion, identifying different discount % values for the same scheme number.

  • A list of cases where varying discount % had been applied for the same scheme number was easily identified.

  • Some cases were extremely glaring, with the discount % being as high as 45%, where the scheme warranted a discount of 15% only.

These cases were taken up for one on one interrogation with the Billing clerks, to ascertain their motive.
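The discount % computation and same-scheme comparison described above, as an added Python example (not the GAS duplicate key exclusion itself and not code from the article). The billing rows and field layout are constructed, and treating the most frequent rate as the benchmark is an assumption made because no scheme master is available here.

```python
from collections import Counter, defaultdict
from decimal import Decimal, ROUND_HALF_UP

# Constructed billing extract (layout assumed):
# (invoice_no, authorised_by, scheme_number, scheme_discount, gross_sale_value)
BILLING = [
    ("INV-01", "clerk_a", "SCH-15", "1500.00", "10000.00"),
    ("INV-02", "clerk_a", "SCH-15", "748.00", "5000.00"),
    ("INV-03", "clerk_b", "SCH-15", "4500.00", "10000.00"),
    ("INV-04", "clerk_b", "SCH-15", "1200.00", "8000.00"),
    ("INV-05", "clerk_c", "SCH-10", "250.00", "2500.00"),
    ("INV-06", "clerk_c", "SCH-10", "99.90", "1000.00"),
    ("INV-07", "clerk_a", "SCH-10", "50.00", "0.00"),
    ("INV-08", "clerk_b", "SCH-20", "400.00", "2000.00"),
    ("INV-09", "clerk_c", "SCH-20", "500.00", "2000.00"),
]


def discount_pct(scheme_discount, gross_sale_value):
    """Scheme discount * 100 / gross sale value, rounded to the nearest integer.

    Decimal with ROUND_HALF_UP is used because Python's round() rounds halves
    to the even digit (14.5 becomes 14). Returns None when gross is not positive.
    """
    gross = Decimal(gross_sale_value)
    if gross <= 0:
        return None
    pct = Decimal(scheme_discount) * 100 / gross
    return int(pct.quantize(Decimal("1"), rounding=ROUND_HALF_UP))


def find_inconsistent_schemes(rows):
    """Return (schemes billed at more than one discount %, uncomputable invoices)."""
    by_scheme = defaultdict(list)
    uncomputable = []
    for invoice, authorised_by, scheme, discount, gross in rows:
        pct = discount_pct(discount, gross)
        if pct is None:
            uncomputable.append(invoice)
        else:
            by_scheme[scheme].append((invoice, authorised_by, pct))

    report = {}
    for scheme, items in by_scheme.items():
        counts = Counter(pct for _, _, pct in items).most_common(2)
        if len(counts) < 2:
            continue  # one rate only: consistent
        if counts[0][1] == counts[1][1]:
            # No prevailing rate; every invoice needs review.
            report[scheme] = {"prevailing_pct": None, "exceptions": list(items)}
        else:
            prevailing = counts[0][0]  # assumption: the most frequent rate is the benchmark
            report[scheme] = {
                "prevailing_pct": prevailing,
                "exceptions": [row for row in items if row[2] != prevailing],
            }
    return report, uncomputable


if __name__ == "__main__":
    findings, skipped = find_inconsistent_schemes(BILLING)
    for scheme, detail in findings.items():
        print(scheme, detail)
    print("Gross sale value missing or zero:", skipped)
```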

Information Technology:

Detecting transactions out of office hours in Access Logs

The fields of reference relevant to the objective being tested were:

  • Start time

  • End time

  • User ID

  • User name

  • Particulars

The process of interrogation in the GAS was elaborate and clear.

  • Extraction on the Access Log File.

  • A criterion was designed using the function .NOT. @betweenagetime(StartTime, “10:00:00”, “22:00:00”) .OR. .NOT. @betweenagetime(EndTime, “10:00:00”, “22:00:00”)

  • This criterion helped isolate all transactions out of the normal working hours of 10 AM to 10 PM. Here both Start time and End time were trapped.

  • The Indexed Direct Extraction function of GAS is very popular on large databases, say, upwards of 100 million transactions. The function first sorts the entire database and then runs the equation through the sorted database. Hence, the results are processed faster as compared to running a direct extraction command on an unsorted database.

Cases observed revealed extensive prolonged login sessions by the Database Administrator during late night sessions. A few cases revealed attempted access by an unknown user with super-user rights. It was later discovered that this user was created during the last system migration with unlimited access and change modification rights. Ironically, his user profiles had not been deleted or disabled permanently within the system.
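The out-of-hours criterion described above, applied to a constructed access log as an added Python example (not the GAS extraction and not code from the article). Beyond the article's time-of-day test it also flags sessions that run across a date boundary, which a comparison of Start time and End time alone cannot see; the timestamp layout, user IDs and log rows are assumptions.

```python
from collections import Counter
from datetime import datetime, time

OFFICE_OPEN, OFFICE_CLOSE = time(10, 0, 0), time(22, 0, 0)  # 10 AM to 10 PM, per the article
FMT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout of the access log

# Constructed access log rows: (start, end, user_id, user_name, particulars)
ACCESS_LOG = [
    ("2009-03-02 10:15:00", "2009-03-02 18:40:00", "U101", "A. Clerk", "Invoice entry"),
    ("2009-03-02 21:30:00", "2009-03-03 02:10:00", "DBA01", "DB Administrator", "Table maintenance"),
    ("2009-03-03 23:05:00", "2009-03-03 23:20:00", "MIGR_SU", "Migration user", "Login attempt"),
    ("2009-03-04 21:00:00", "2009-03-05 10:30:00", "DBA01", "DB Administrator", "Batch job"),
    ("2009-03-05 09:59:59", "2009-03-05 17:00:00", "U102", "B. Clerk", "Report run"),
    ("2009-03-05 10:00:00", "2009-03-05 22:00:00", "U103", "C. Clerk", "Billing"),
]


def in_office_hours(moment):
    """Inclusive time-of-day test, matching a 'between' style comparison."""
    return OFFICE_OPEN <= moment.time() <= OFFICE_CLOSE


def article_criterion(start, end):
    """NOT between(Start) OR NOT between(End), as in the article's extraction."""
    return (not in_office_hours(start)) or (not in_office_hours(end))


def review_log(rows):
    """Return one finding per session that needs follow-up, with the reasons."""
    findings = []
    for start_s, end_s, user_id, user_name, particulars in rows:
        start = datetime.strptime(start_s, FMT)
        end = datetime.strptime(end_s, FMT)
        reasons = []
        if not in_office_hours(start):
            reasons.append("start_out_of_hours")
        if not in_office_hours(end):
            reasons.append("end_out_of_hours")
        if end < start:
            reasons.append("end_before_start")  # data-quality problem in the log
        elif end.date() > start.date():
            # Both clock times may sit inside office hours while the session
            # itself stayed open through the night.
            reasons.append("spans_overnight")
        if reasons:
            findings.append({
                "user_id": user_id,
                "user_name": user_name,
                "start": start_s,
                "end": end_s,
                "particulars": particulars,
                "reasons": reasons,
                "caught_by_article_criterion": article_criterion(start, end),
            })
    return findings


def sessions_per_user(findings):
    """How many flagged sessions each user ID accounts for."""
    return Counter(f["user_id"] for f in findings)


if __name__ == "__main__":
    results = review_log(ACCESS_LOG)
    for f in results:
        print(f["user_id"], f["start"], f["end"], f["reasons"])
    print(sessions_per_user(results))
```

The fourth constructed session starts at 21:00 and ends at 10:30 the next day, so both timestamps pass the time-of-day test and only the date comparison flags it.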

Conclusion:

Some of the indicators that were highlighted using the GAS had existed all these years, but the auditor did not have the tool to identify them within a reasonable timeframe and also provide assurance in other areas. The GAS therefore allowed the audit team to move beyond the ‘priority’ set by the Audit Committee. The IT team was also excited about the possibilities which such a tool could have for their forensic security reviews on a regular basis, and initiated a review of the same with special watch on cyber security. Further, Ray made it mandatory for the company’s outsourced internal auditors to use a GAS for their branch audits, using methodologies similar to those of his team.

As a seasoned user of the GAS, Ray laid down the structure for Continuous Control Monitoring of specific forensic objectives through automation of tasks and scheduling within the GAS.

The Audit Committee appreciated the innovative steps taken by Ray, including his efforts at clarifying the role of internal auditor in fraud identification. All audit plans included some dimension of fraud reviews without going in for full investigation.

Banking Revenue Assurance using CAATs

Internal Audit

Introduction :

The Banking Regulation Act, 1949 requires the auditor of a
banking company to state whether the profit and loss account shows a true
balance of profit and loss for the period covered by such account.

The profit and loss account as set out in Form B of the Third
Schedule to the Act has three broad heads : income, expenditure and
appropriations.

Interest/discount on advances/bills and interest on deposits
form a valuable component of income.

The auditor should, on a systematic sample basis, check the
rates of interest, etc., with sanctions and agreements and physical existence of
collateral security.

He should examine with the aid of Computer Assisted Audit
Tools (CAATs) — General Audit Software whether :

  • Interest has been
    charged on all performing accounts up to the date of the balance sheet.
    According to the guidelines for income recognition, asset classification,
    etc., issued by the Reserve Bank of India, a bank cannot take to income
    unrealised interest on any non-performing advance;

  • Discount on bills
    outstanding on the date of the balance sheet has been properly apportioned
    between the current year and the following year;

  • Interest on
    inter-branch balances has been eliminated in the consolidated profit and loss
    account of the bank; and

  • Any interest
    subsidy received (or receivable) from the Reserve Bank of India in respect of
    advances made at concessional rates of interest is correctly computed.

The CAAT auditor may also co-relate the interest on
advances/deposits with the amount of advances/deposits outstanding
using advanced statistical functions like correlation.

Practical case studies on use of CAATs — Illustrations on
banking revenue assurance :

Account maintenance :


Control objective : Non-recovery of service charges on
non-maintenance of minimum balance in saving and current accounts.


Control objective description : Saving and current
account holders need to mandatorily maintain a minimum quarterly balance in
their accounts.

The minimum balance to be maintained depends upon the type of
account (Saving general, current etc.), type of customer (Individual, staff,
pensioner, corporate salary account, etc.), cheque book issue status (issued,
not issued) and type of branch (urban, rural, etc.).

The minimum balance required to be maintained by each account
holder is entered in the core banking system by the branch under the field
‘minimum balance required’, in the CASA Master. Since this activity is performed
at the branch level and not the central IT level, it may be subject to branch
errors of commission.

Non-maintenance of the required minimum balance attracts a
system-levied service charge. Once again this service charge may be waived with
due permission (in case of dormant accounts for instance) or possibly with
certain mal-intentions at the account level by the branch by applying a flag ‘N’
in the field ‘SC MIN BAL FLAG’ in the CASA Master.

The bank auditor must verify the accuracy of both the
‘minimum balance required’ and ‘SC MIN BAL’ to be maintained in the CASA Master.

Procedure within GENERAL AUDIT SOFTWARE?:

    Open the CASA Master file within GENERAL AUDIT SOFTWARE.
    SAVING ACCOUNT WITH CHEQUE BOOK AND INCORRECT MIN BALANCE REQUIRED TO BE MAINTAINED — Perform data — Direct extraction on the CASA Master by applying the command:

[@list(product code, “SB GEN”) .AND. cheque-book issued flag = “Y” .AND. @nomatch(customer type code, “STAFF”, “EX STAFF”, “PENSIONER”) .AND. minimum balance required <> 1000].

This report will provide a list of all saving accounts (other than NRE), who are not STAFF, EX-STAFF, PENSIONER, having a cheque-book facility and where minimum balance required to be maintained in the account as per the system is other than Rs.1000. Rs.1000 is defined by the bank policy.

    SAVING ACCOUNT WITHOUT CHEQUE-BOOK AND INCORRECT MIN BALANCE REQUIRED TO BE MAINTAINED — Perform data — Direct extraction on the CASA Master by applying the command:

[@list(product code, “SB GEN”) .AND. chequebook issued flag = “N” .AND. @nomatch(customer type code, “STAFF”, “EX STAFF”, “PENSIONER”) .AND. minimum balance required <> 500].

This report will provide a list of all saving accounts (other than NRE), who are not STAFF, EX-STAFF, PENSIONER, having no cheque book facility and where minimum balance required to be maintained in the account as per the system is other than Rs.500. Rs.500 is defined by the bank policy.

    CURRENT ACCOUNT WITH CHEQUE BOOK AND INCORRECT MIN BALANCE REQUIRED TO BE MAINTAINED — Perform data — Direct extraction on the CASA Master by applying the command:

[@list(product code, “CURRENT”) .AND. chequebook issued flag = “Y” .AND. minimum balance required <> 5000].

This report will provide a list of all current accounts, having a cheque-book facility and where minimum balance required to be maintained in the account as per the system is other than Rs.5000. Rs.5000 is defined by the bank policy.
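
The three extractions above reduce to one policy-table lookup. The following is an added example, not part of the original article or of any audit tool: it runs that lookup over constructed sample records and also lists accounts carrying ‘SC MIN BAL FLAG’ = ‘N’ for review. The dictionary keys are assumed spellings of the CASA Master fields named above.

```python
# Added example: the three CASA Master extractions as one policy-table check.
# Sample rows are constructed; keys mirror the field names used in the commands.

# (product code, cheque-book issued flag) -> minimum balance in Rs., using the
# bank policy figures quoted in the three extractions.
POLICY = {
    ("SB GEN", "Y"): 1000,
    ("SB GEN", "N"): 500,
    ("CURRENT", "Y"): 5000,
}
# Customer types the two savings extractions exclude with @nomatch.
EXCLUDED_SAVINGS_TYPES = {"STAFF", "EX STAFF", "PENSIONER"}


def _row(acct, product, cheque_flag, cust_type, min_bal, sc_flag):
    return {"account_number": acct, "product_code": product,
            "cheque_book_issued_flag": cheque_flag, "customer_type_code": cust_type,
            "minimum_balance_required": min_bal, "sc_min_bal_flag": sc_flag}


CASA_MASTER = [  # constructed sample data
    _row("A1001", "SB GEN", "Y", "INDIVIDUAL", 1000, "Y"),        # correct
    _row("A1002", "SB GEN", "Y", "INDIVIDUAL", 500, "Y"),         # should be 1000
    _row("A1003", "SB GEN", "N", "INDIVIDUAL", 500, "N"),         # correct, charge waived
    _row("A1004", "SB GEN", "N", "CORPORATE SALARY", 0, "Y"),     # should be 500
    _row("A1005", "SB GEN", "Y", "STAFF", 0, "Y"),                # excluded customer type
    _row("A1006", "CURRENT", "Y", "CORPORATE", 1000, "N"),        # should be 5000, waived
    _row("A1007", "CURRENT", "N", "CORPORATE", 0, "Y"),           # no rule in the article
]


def expected_min_balance(rec):
    """Return the policy minimum for a record, or None when no rule applies."""
    if (rec["product_code"] == "SB GEN"
            and rec["customer_type_code"] in EXCLUDED_SAVINGS_TYPES):
        return None
    return POLICY.get((rec["product_code"], rec["cheque_book_issued_flag"]))


def incorrect_min_balance(master):
    """Accounts whose 'minimum balance required' differs from the policy value."""
    exceptions = []
    for rec in master:
        expected = expected_min_balance(rec)
        if expected is not None and rec["minimum_balance_required"] != expected:
            exceptions.append({**rec, "expected_min_balance": expected})
    return exceptions


def waived_service_charge(master):
    """Accounts with SC MIN BAL FLAG = 'N', to be matched against waiver approvals."""
    return [rec["account_number"] for rec in master if rec["sc_min_bal_flag"] == "N"]


if __name__ == "__main__":
    for exc in incorrect_min_balance(CASA_MASTER):
        print(exc["account_number"], exc["minimum_balance_required"],
              "expected", exc["expected_min_balance"])
    print("waived:", waived_service_charge(CASA_MASTER))
```
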

Transaction maintenance:

Control objective: Non-recovery of folio charges on saving accounts.

Control objective description: Folio charges are to be recovered in case of saving accounts having withdrawals in excess of 50 numbers/lines per half year. The charges per withdrawal in excess of 50 may differ from bank to bank and the type of saving account.

Procedure within GENERAL AUDIT SOFTWARE:

1. Open the CASA Ledger within GENERAL AUDIT SOFTWARE.

2. SAVING ACCOUNT WITH WITHDRAWALS FOR HALF YEAR — Perform data — Direct extraction on the CASA Ledger by applying the command:

[@isini(“SAVING”, product name) .AND. @list(tran code, 1001, 6101, 1006, 1013) .AND. @betweendate(tran date, “20080401”, “20080930”)]

This intermediate report will provide a list of all withdrawals through cash (1001), cheque (6101), debit funds transfer (1006) for all Saving accounts for the half-year transaction period April 2008 to September 2008.

3. SAVING ACCOUNTS WITH CUMULATIVE WITHDRAWALS FOR HALF YEAR — Perform Analysis — Summarisation on the above intermediate report. “Fields to Summarise” to be selected from drop down field list as “account number”. This intermediate report will provide an account wise summary of all withdrawals — cash, cheque, debit funds transfer for all SAVING accounts for the transaction period 8th April to 8th September 08 along with the number of withdrawals (i.e., entries).

4. COMPUTATION OF SERVICE CHARGES — Perform — Data — Field manipulation — Append — Virtual numeric field having name “Service Charges” to the intermediate report generated at Step 3 above. Enter the command no_of_recs * 1 in the parameter. This new field will provide service charges (folio charges) to be recovered from the account holder towards excess withdrawals over 50 entries.

5. IDENTIFYING SAVING ACCOUNTS WITH WITHDRAWALS IN EXCESS OF 50 — Perform data — Direct extraction on the intermediate report generated at step 4 above by applying the command:

(no_of_recs > 50)

This final report will provide all SAVINGS accounts where half-yearly withdrawals are greater than 50 entries along with service charges to be recovered.

These cases can be checked physically with the Statement of Accounts for the relevant saving accounts in the final report for recovery of folio charges and the accuracy of charges recovered.
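
Steps 2 to 5 above, run end to end over a constructed ledger. This is an added example, not part of the original article or of any audit tool. It assumes @isini is a case-insensitive substring match, and the field keys and the deposit code 2001 are invented for the sample.

```python
from collections import Counter
from datetime import date, datetime, timedelta

WITHDRAWAL_TRAN_CODES = {1001, 6101, 1006, 1013}  # codes listed in the step 2 command
FREE_ENTRIES = 50                                 # threshold used in step 5
RATE_PER_ENTRY = 1                                # step 4 expression: no_of_recs * 1


def _txn(account, product, code, day):
    return {"account_number": account, "product_name": product,
            "tran_code": code, "tran_date": day.strftime("%Y%m%d")}


def build_sample_ledger():
    """Constructed CASA Ledger rows; 2001 is an invented deposit code."""
    start = date(2008, 4, 1)
    ledger = []
    # S001: 53 withdrawals inside the half year, 2 outside it, 3 deposits.
    ledger += [_txn("S001", "SAVING GENERAL", 1001, start + timedelta(days=i))
               for i in range(53)]
    ledger += [_txn("S001", "SAVING GENERAL", 6101, date(2008, 3, 31)),
               _txn("S001", "SAVING GENERAL", 6101, date(2008, 10, 1))]
    ledger += [_txn("S001", "SAVING GENERAL", 2001, start + timedelta(days=i))
               for i in range(3)]
    # S002: exactly 50 withdrawals, the boundary case that must not be reported.
    ledger += [_txn("S002", "Saving General", 6101, start + timedelta(days=i))
               for i in range(50)]
    # C001: a current account, outside the scope of the control.
    ledger += [_txn("C001", "CURRENT GENERAL", 1001, start + timedelta(days=i))
               for i in range(60)]
    return ledger


def half_year_withdrawals(ledger, start="20080401", end="20080930"):
    """Step 2: saving-account withdrawals within the half year (inclusive)."""
    lo = datetime.strptime(start, "%Y%m%d").date()
    hi = datetime.strptime(end, "%Y%m%d").date()
    rows = []
    for txn in ledger:
        when = datetime.strptime(txn["tran_date"], "%Y%m%d").date()
        if ("saving" in txn["product_name"].lower()
                and txn["tran_code"] in WITHDRAWAL_TRAN_CODES
                and lo <= when <= hi):
            rows.append(txn)
    return rows


def summarise_by_account(rows):
    """Steps 3 and 4: entry count per account plus the computed charge field."""
    counts = Counter(txn["account_number"] for txn in rows)
    return [{"account_number": acct, "no_of_recs": n,
             "service_charges": n * RATE_PER_ENTRY}
            for acct, n in sorted(counts.items())]


def folio_charge_exceptions(ledger):
    """Step 5: accounts with more than 50 withdrawal entries in the half year."""
    summary = summarise_by_account(half_year_withdrawals(ledger))
    return [row for row in summary if row["no_of_recs"] > FREE_ENTRIES]


if __name__ == "__main__":
    for row in folio_charge_exceptions(build_sample_ledger()):
        print(row)
```
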


Cheque maintenance:

Control objective: Non-recovery of cheque-book issue charges on saving accounts.

Control objective description: Cheque-book issue charges are to be recovered in case of saving accounts having cheque leaves issued in excess of 60 numbers per year. The charges per cheque leaf issued in excess of 60 may differ from bank to bank and type of saving account.

Procedure within General Audit Software:

1. Open the Cheque Report within the General Audit Software.

2. SAVING ACCOUNTS WITH CHEQUES ISSUED DURING ANY YEAR — Perform data — Direct extraction on the Cheque Report by applying the command:

[@isini(“SAVING”, product name) .AND. @betweendate(cheque issue date, “20080101”, “20081231”) .AND. cheque leaves > 60 .AND. .NOT. @isini(“staff”, product name)]

This intermediate report will provide a list of all cheque leaves issued in excess of 60 leaves for SAVING NON STAFF accounts in the transaction period of January 2008 to December 2008.

3. COMPUTATION OF CHEQUE ISSUE CHARGES — Perform — Data — Field Manipulation — Append — Virtual numeric field having name “Cheque Issue Charges Savings” to the intermediate report generated at step 2 above. Enter the command (cheque leaves-60) * 2. This new field will provide cheque issue charges to be recovered from the account holder.

4. CHEQUE-BOOK ISSUE CHARGES RECOVERED DURING ANY YEAR — Perform data — Direct Extraction on the CASA Ledger by applying the command:

[tran descp = “SC For Cheque-Book Issue” .AND. @isini(“SAVING”, product name)]

This intermediate report will provide a list of transactions on SAVING accounts where service charges for cheque-book delivery have been recovered.

5. CHEQUE-BOOK ISSUE CHARGES NOT RECOVERED DURING ANY YEAR — Perform — File — Join — select the intermediate report generated in step 2 above as the Primary File. Select the intermediate report generated in Step 4 above as the Secondary File. Click on Match. Match the two files on matching key — “account number” in Primary file and “account number” in Secondary file. Use the Join condition “Records with no Secondary Match”.

This final report will provide a list of saving accounts where cheque leaves issued in any year are more than 60 (annual free cheque leaves entitlement) and cheque-book issue charges have not been recovered.

Temporary Overdraft Interest Charges:

 Non-recovery of interest on Temporary Overdrafts (TODs) granted to saving accounts.

Introduction:

TODs are granted by the bank to an account holder when the account holder is short of available balance to meet specific payments on his account. The TOD is granted under the assurance by the account holder that the temporary overdraft would be made good through incoming funds in transit. TODs can be System TODs or Adhoc TODs. An account holder should normally not be granted multiple TODs, until earlier TODs are regularised. TODs which are not regularised within the limit end date should be specially taken up for scrutiny. Consistent delay in regularisations on few accounts should be dealt with strictly through punitive action.

Method within General Audit Software:

1. Open CASA TOD Ledger within the General Audit Software.

2. SAVING ACCOUNT TOD INSTANCES GRANTED — Perform data — Direct extraction on the CASA TOD Ledger by applying the command — (product name = “SAVING”)

3. Open CASA ledger within GENERAL AUDIT SOFTWARE.

4. INTEREST CHARGED on SAVING ACCOUNT TOD INSTANCES — Perform data — Direct extraction on the CASA Ledger by applying the command — (tran code = 5002 .AND. product code = 101)

Tran code 5002 stands for INTEREST DEBITS and PRODUCT CODE 101 stands for SAVING GENERAL accounts.

5. ACCOUNT SUMMARY LIST OF SAVING TODs — Perform Analysis — Summarisation on the intermediate report generated at Step 2. Select ‘account number’ as Fields to Summarise.

6. ACCOUNT SUMMARY LIST OF INTEREST CHARGED ON SAVING TODs — Perform Analysis — Summarisation on the intermediate report generated at Step 4. Select ‘account number’ as Fields to Summarise.

7. INTEREST NOT CHARGED ON SAVINGS TODs GRANTED — Perform — File — Join — select the intermediate report generated in Step 5 above as the Primary file. Select the intermediate report generated in step 6 above as the Secondary file. Click on Match. Match the two files on matching key — “account number” in Primary file and “account number” in Secondary file. Use the Join condition “Records With No Secondary Match”.
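
Both the cheque-book procedure and the TOD procedure above end in the same join condition, “Records with no Secondary Match”. The following added example (not part of the original article or of any audit tool) implements that join once and applies it to both procedures over constructed records. The field keys, the tran code 7001 and the account numbers are assumptions made for the sample.

```python
from collections import Counter

FREE_LEAVES = 60            # annual free cheque leaves entitlement quoted above
CHARGE_PER_EXCESS_LEAF = 2  # from the expression (cheque leaves-60) * 2

# --- constructed sample data ---
CHEQUE_REPORT = [
    {"account_number": "S101", "product_name": "SAVING GENERAL",
     "cheque_issue_date": "20080315", "cheque_leaves": 100},   # charge never recovered
    {"account_number": "S102", "product_name": "SAVING GENERAL",
     "cheque_issue_date": "20080620", "cheque_leaves": 75},    # charge recovered
    {"account_number": "S103", "product_name": "SAVING STAFF",
     "cheque_issue_date": "20080701", "cheque_leaves": 90},    # staff, excluded
    {"account_number": "S104", "product_name": "SAVING GENERAL",
     "cheque_issue_date": "20080810", "cheque_leaves": 60},    # not in excess of 60
    {"account_number": "S105", "product_name": "SAVING GENERAL",
     "cheque_issue_date": "20070510", "cheque_leaves": 80},    # outside the year
]
CASA_LEDGER = [
    {"account_number": "S102", "product_name": "SAVING GENERAL", "product_code": 101,
     "tran_code": 7001, "tran_descp": "SC For Cheque-Book Issue"},
    {"account_number": "T201", "product_name": "SAVING GENERAL", "product_code": 101,
     "tran_code": 5002, "tran_descp": "Interest Debit"},
    {"account_number": "S101", "product_name": "SAVING GENERAL", "product_code": 101,
     "tran_code": 1001, "tran_descp": "Cash Withdrawal"},
]
TOD_LEDGER = [
    {"account_number": "T201", "product_name": "SAVING"},
    {"account_number": "T201", "product_name": "SAVING"},
    {"account_number": "T202", "product_name": "SAVING"},    # no interest debit
    {"account_number": "T203", "product_name": "CURRENT"},
]


def no_secondary_match(primary, secondary, key="account_number"):
    """Primary rows whose key value does not occur anywhere in the secondary file."""
    seen = {row[key] for row in secondary}
    return [row for row in primary if row[key] not in seen]


def summarise(rows, key="account_number"):
    """Summarisation on one field: one row per key value with its record count."""
    counts = Counter(row[key] for row in rows)
    return [{key: value, "no_of_recs": n} for value, n in sorted(counts.items())]


def unrecovered_cheque_charges(cheque_report, casa_ledger):
    """Cheque-book steps 2 to 5. Dates are fixed-width YYYYMMDD strings,
    so plain string comparison orders them chronologically."""
    issued = []
    for row in cheque_report:
        name = row["product_name"].lower()
        if ("saving" in name and "staff" not in name
                and "20080101" <= row["cheque_issue_date"] <= "20081231"
                and row["cheque_leaves"] > FREE_LEAVES):
            charge = (row["cheque_leaves"] - FREE_LEAVES) * CHARGE_PER_EXCESS_LEAF
            issued.append({**row, "cheque_issue_charges": charge})
    recovered = [txn for txn in casa_ledger
                 if txn["tran_descp"] == "SC For Cheque-Book Issue"
                 and "saving" in txn["product_name"].lower()]
    return no_secondary_match(issued, recovered)


def tod_interest_not_charged(tod_ledger, casa_ledger):
    """TOD steps 2 to 7: saving accounts granted a TOD with no interest debit."""
    granted = summarise([r for r in tod_ledger if r["product_name"] == "SAVING"])
    charged = summarise([t for t in casa_ledger
                         if t["tran_code"] == 5002 and t["product_code"] == 101])
    return no_secondary_match(granted, charged)


if __name__ == "__main__":
    print(unrecovered_cheque_charges(CHEQUE_REPORT, CASA_LEDGER))
    print(tod_interest_not_charged(TOD_LEDGER, CASA_LEDGER))
```

Because the match is on account number alone, a single recovery or interest entry clears every instance on that account. Comparing the amount recovered with the computed charge is a stricter follow-up test.
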

Conclusion:
General Audit Software Programmes are time-tested, stable, robust, powerful, internationally acclaimed and user-friendly applications designed by auditors for auditors. No tool is a ready substitute for the auditor’s acumen and judgment, but tools are a powerful, cost-effective facilitator of large-scale electronic data analysis running into millions of records.

Revenue assurance in the banking sector can be made convenient and effective through the use of such tools.

Under a more evolved Enterprise Wide Continuous Monitoring Framework, General Audit Software Programmes can be used to automate the process of exception generation, issue escalation, resolution, feedback and learning for the business process handling Revenue Assurance.

Using Computer-Assisted Audit Tools (CAATs) for IT Audits

Internal Audit Planning – A Case Study

Background

An external audit firm has been conducting the internal audit of an engineering company for the last two years. The audit committee chairman had a one-to-one meeting with the partner-in-charge for a review of the present internal audit reports and the internal audit process. During the discussions, the chairman asked the internal auditor to present an annual internal audit plan that takes into account the bigger picture rather than smaller issues and really adds value to the business. Based on recent corporate events and the Board’s responsibilities in the matter of Transparency and Control, the Audit Committee Chairperson enquired with the Chief Audit Executive (CAE) about the status of implementation of the Standards of Internal Audit of ICAI.

The CAE highlighted that a Risk Based Audit Planning process is being currently followed. However, the process has not been benchmarked against the Standards. The CAE affirmed that the entire activity will be aligned with Indian Standards and a report presented in the next Audit Committee.

Methodology

The internal audit function has a five member team. The internal auditor therefore has to select projects (areas) with high risk to the organisation and direct the limited resources towards such projects. Frequency of high risk areas needs to be high – maybe twice a year whereas in cases of low risk or almost zero risk areas, the frequency may be once in three years and so on.

A benchmark against the standard was carried out by the team to identify further areas for improvement.

Opportunities for Improvement

Overall, the Standard sought to address Audit Planning from 2 dimensions –

1. Overall Annual Audit Plan

2. Audit engagement or each specific audit project

For the Overall Annual Audit Plan, the areas identified were –

1. The existing Audit Charter adequately explained the ‘purpose, authority and responsibility’ of the Internal Audit function. The Audit Charter designed earlier had not been reviewed and revised for the last two years. During the last two years, the auditee had implemented an ERP and adopted a Balanced Scorecard strategy for evaluating performance. Efforts of Cost Reduction have rationalised middle level management.

a. The CAE and the team felt that the focus of audit needed to be revised through use of Audit Tools and the possibility of taking on a leading role in implementing Continuous Auditing.

b. One of the overall objectives that the standard expects the Internal Audit to achieve is to “strengthen overall governance, particularly strategic risk management”. The Audit Charter had not mentioned any specific responsibility for this objective. With regard to this objective, however, the audit team recognised that:

i. When strategic risks are taken, there is no audit involvement.

ii. The operating management does not perceive any specific role of the internal auditors in strategic risk management.

iii. The Internal Auditor is expected not to be a part of the decision. In this way, he/she retains their independence. If he is a part of this process, it may be a barrier to his independence at a later date, when the decision might not achieve the desired objectives. The Internal Auditor’s role as an assurance provider may get compromised if the internal auditor is involved in decision making.

One of the internal audit team members pointed out however that if he gets additional information at a later date, should he not then advise review of the decision rather than wait for issuance of the report?

This change was therefore sought to be introduced and highlighted specifically for discussion. The CAE took a stand that while the Internal Auditor could be a part of the Strategic Risk Management process, it should be seen as a ‘facilitator role’ and not as member of the decision making team.

2. While the Audit Plan was provided to the Audit Committee for approval, there was hardly any debate on the same and it was approved. The CAE thought that in the current practice, they were not really benefiting from the experience and knowledge of the Audit Committee Members. He therefore thought it fit to arrange for meetings with each of the Audit Committee Members to gain individual input prior to the next Audit Committee Meeting, where his first report would be presented. These meetings helped the CAE improve the audit plan.

3. The Risk Based Audit Planning process as currently implemented (refer to the BCAJ IAS article in March/April, 2003) was generally found to be robust. The process included the following –

    a. Identifying the Audit Universe (comprehensive list of Audit Areas)

    b. Establishing weights and ranks for the criteria which will form the basis of ranking the audit areas, and the cut off score

    c. Applying the criteria to the various audit areas

    d. Arriving at scores for each area

    e. Applying the cut off criteria and shortlisting the areas of audit for the year. This forms a part of the Annual Audit Plan.

4. The revised Annual Audit Plan was also reviewed along with the first report. In order to ensure continuing relevance of the audit plan, a process of a half yearly review of the audit plan with the Audit Committee was suggested and approved.

    For the Audit Engagement or Each Specific Audit Project –

    A brainstorming session on the issues and difficulties faced by the Audit Team Members in Audit Engagements was undertaken. A few of the difficulties that came up from all members were –

  • the general appreciation of raising the right business issues in the audit reports,

  • the adequacy of time for performance of the audit – at times, key areas of audit were left out given the demands of completing the report.

  • the team members voiced their concern that the response that the CAE gets from officials was not the same as that received by them. They felt that the auditee’s employees did not give the required seriousness, which resulted in avoidable delays.

    The team thought of the options that the Standard provided towards overcoming these difficulties. The following were the guidelines that they felt could overcome the difficulties –

        1. Preliminary Review – A visit by the CAE along with the audit team members of the audit area was planned to be conducted 15 days prior to the actual start date. This audit visit was to understand the business process area and operational realities within which the team performs, the expectations of the auditee and the auditor are discussed and firmed up, the data and time requirements from the auditees are discussed and the JOINT objectives of the audit process are laid down. The auditee’s person-in-charge is made aware of the audit objectives, methodology and the ways that risk and control needs to be looked at within the Risk Management Framework implemented. Apprehensions of the Auditee team are laid to rest in these interactions. This meeting is also sought to be used as a means to improve auditee’s person-in-charge responses.

        2. Audit Engagement Planning – The Preliminary Review meeting was also to be used to study past reports. The larger participation of all team members in identification of potential risk and control focus in each area was scheduled for at least once a fortnight in such a way that no area is taken up without the inputs received from all team members.

    These measures would also ensure that the issues that are relevant to the organisation and the auditee team are addressed. This will also ensure that there is an ongoing value addition out of the audit process.

        3. The CAE decided to improve the following areas –

        a. Resource allocation in line with the scope

    The knowledge and skills required for each audit was sought to be formally identified and matched with the ability of the team members. In case there was a mismatch, the CAE considered the option of training a team member in the area in advance and also involving an outside professional for the specific aspect of audit as part of the on the job training for the team. The option of including a guest auditor from within the organisation also was considered.

        b. Detailed Audit Programme with specific priority for audit checks

    Normally the Audit Programmes were packed with all possible tests to be conducted during an audit for all identified risks and controls. The team decided to identify which controls significantly mitigate the risk (Key Control). Single controls mitigating multiple risks were also sought to be specifically identified in a list of controls. The audit priority was focused on key controls. This focus improved audit effectiveness.

    Conclusions

    These measures were implemented in the quarter and some significant improvements were observed. The gaps identified vis a vis the standard, the measures already taken and their impact were shared with the Audit Committee. The initiatives taken were highly appreciated by the Audit Committee members.

    All the actions of the CAE were based on the internal audit standard issued by the Institute of Chartered Accountants of India.

    EXHIBIT 1 – Standards of Internal Audit – 1 of The Institute of Chartered Accountants of India

    The internal auditor should, in consultation with those charged with governance, including the audit committee, develop and document a plan for each internal audit engagement to help him conduct the engagement in an efficient and timely manner.

    The internal audit plan should be comprehensive enough to ensure that it helps in achieving of the above overall objectives of an internal audit. The internal audit plan should, generally, also be consistent with the goals and objectives of the internal audit function as listed out in the internal audit charter as well as the goals and objectives of the organisation. An internal audit charter is an important document defining the position of the internal audit vis a vis the organisation. The internal audit charter also outlines the scope of internal audit as well as the duties, responsibilities and powers of the internal auditor(s). In case the entire internal audit or the particular internal audit engagement has been out-sourced, the internal auditor should also ensure that the plan is consistent with the terms of engagement.

    A plan once prepared should be continuously reviewed by the internal auditor to identify any modifications required to bring the same in line with the changes, if any, in the audit environment. However, any major modification to the internal audit plan should be done in consultation with those charged with governance. Further, the internal auditor should also document the changes to the internal audit plan.

    Internal audit plan should cover areas such as:

  • Obtaining the knowledge of the legal and regulatory framework within which the entity operates.

  • Obtaining the knowledge of the entity’s accounting and internal control systems and policies.

  • Determining the effectiveness of the internal control procedures adopted by the entity.

  • Determining the nature, timing and extent of procedures to be performed.

  • Identifying the activities warranting special focus based on the materiality and criticality of such activities, and their overall effect on operations of the entity.

  • Identifying and allocating staff to the different activities to be undertaken.

  • Setting the time budget for each of the activities.

  • Identifying the reporting responsibilities.

    The internal audit plan should also identify the benchmarks against which the actual results of the activities, the actual time spent, the cost incurred would be measured.

    The internal auditor should obtain a level of knowledge of the entity sufficient to enable him to identify events, transactions, policies and practices that may have a significant effect on the financial information.

    The audit universe and the related audit plan should also reflect changes in the management’s course of action, corporate objectives, etc. The internal auditor should periodically, say half yearly, review the audit universe to identify any changes therein and make necessary amendments, to make the audit plan responsive to those changes.

    The establishment of such objectives should be based on the auditor’s knowledge of the client’s business, especially a preliminary understanding and review of the risks and controls associated with the activities forming the subject matter of the internal audit engagement.

    The internal auditor should also document the results of his preliminary review so conducted.

    For this purpose, the internal auditor should prepare an audit work schedule, detailing aspects such as:

  • activities/ procedures to be performed;

  • engagement team responsible for performing these activities/ procedures and

  • time allocated to each of these activities/ procedures.

        18. While preparing the work schedule, the internal auditor should have regard to aspects such as:

  • any significant changes to the entity’s missions and objectives, business processes, and management’s strategies to counter these changes, for example, changes in the entity’s controls structure or changes in the risk assessment and management structures

  • any changes or proposed changes to the governance structure of the entity.

    The engagement work schedule should, however, be flexible enough to accommodate any unanticipated changes as well as professional judgment of the engagement team in the components of the audit universe as discussed above. The work schedule should also reflect the internal auditor’s assessment of risks associated with various areas covered by the particular internal audit engagement and the priority attached thereto.

        19. The internal auditor should also prepare a formal internal audit programme listing the procedures essential for meeting the objective of the internal audit plan. Though the form and content of the audit programme and the extent of its details would vary with the circumstances of each case, yet the internal audit programme should be so designed as to achieve the objectives of the engagement and also provide assurance that the internal audit is carried out in accordance with the Standards on Internal Audit.

Using Computer-Assisted Audit Tools (CAATs) for Prevention and Detection of Frauds in Healthcare Industry

Internal Audit

Introduction :


‘Health and Wellness’ is a private general insurance company.
Jacob, head of the ‘Claims Forensics’ department, was presenting on the role of his
department in detecting indicators of frauds and red flags to the Board of
Directors. The question asked to Jacob was “To what extent should evidence be
gathered to provide assurance on the indicators of frauds?” Jacob’s attempt was
to explain the role of the investigator in terms of IT control, review of risks
in assurance services, physical document based investigations,
cross-examinations apart from compliance with various directives and statutes
and requirements of regulatory authorities.

As a means of increasing the extent of evidence gathering —
quantity and quality by his investigation team and reducing cost of operations,
Jacob proposed the implementation of a Generalised Audit Software (GAS) which
could help the inspection team query the system for better results and help in
identifying trends, patterns, and indicators of fraud.

The Board was supportive of the presentation made by Jacob
and asked him to implement the GAS and present the red flags detected as a
result of the forensic review at the next quarter meeting.

Methodology :

Jacob set up a mid-size team within the department to take
the initiative of implementing the GAS. The team comprised of 2 senior audit
officials who had a wide range of experience in various process activities like
claim acceptance, settlement, dealing with surveyors and key business functions
of finance and administration, a Certified Fraud Examiner and an IT auditor (CISA).
The team also retained the services of a retired medical expert from the Red
Cross, who was an expert in complex medical diagnostics.

The entire audit manual was reviewed and specific forensic
objectives were mapped for possible audit tests that could be conducted using
GAS and otherwise. The method of using the GAS was debated and discussed by the
group in a way that data integrity, confidentiality and availability of the
production server was not compromised and the objectives were also met.

While it was not possible to log on to the production server
due to access restrictions maintained by the Database Administrator, the team
was faced with a challenge to import data for further analysis.

The team decided to connect to specific data dumps (Print
Report Dumps from various modules of the Medical Management System like Claims
Acceptance, Claims Settlement, etc.) provided by the DGM-IT. The data dump was
provided by running a File Transfer Protocol (FTP) on the Reporting Server,
which is also used for Reporting Tools like SAS.

Bird’s-eye view of red flags which were detected using the
GAS

Excessive procedure billing for same diagnosis, same
procedures

Objective :

To identify instances of excessive medical procedure billing
for the same diagnosis and medical procedure.

Method :

In this exercise, the Healthcare Claims transaction file was
linked with the master file on the basis of the Diagnosis Code.

A computed numeric field was added to arrive at instances
where excessive procedural charges had been claimed by the insured, in
comparison to the current master charge list.

Cases were extracted where the difference exceeded 15%
(Hypothetical acceptable variance norm across hospitals).

GAS functionality covered :

The exercise used the following GAS functionalities :


• Join files :


The Healthcare Claims transaction file is opened and chosen
as the active database. This file is the primary database. The master file for
procedure rates is chosen as the secondary file.

The two files are linked together based on the similar field
Diagnosis Code. The field is named differently in both the primary and secondary
file as Diagnosis Code and Diagnosis Reference Code, respectively. The link is
still possible as both the fields are the same in nature.

The option ALL RECORDS IN PRIMARY FILE is used as the joining
command.


• Append a computed numeric field :


As the existing field values could not be altered in the
joined database without disturbing the data integrity, a computed field of
numeric nature was added to the existing database. This computed field contained
the values linked to diagnosis code from the master file.


• Use the Equation Editor to write the criteria in the computed numeric
field :


A command is entered through the Equation Editor to arrive at
the difference in medical procedure charges as per the transaction file and
masters captured from the master file.

The command can be checked for syntax and validated for field
nomenclature and construction.


• Data extraction to filter out the exceptions :


Data extraction involves filtration of transactions from the
joined file which meets the filtration command criteria. The values in the
computed numeric field above are filtered for non-zero cases.

Zero values indicate billing of medical procedure charges as
per the master table of charges. Non-zero cases represent deviations from the
master table of medical procedure rates.

Non-zero cases were trapped through the Data extraction —
Equation Editor facility using the command “Audit Charge <> 0”. Here “<>” refers
to NOT EQUAL TO.

Normally billings should proceed as per the master table of rates. However, options are available within the Med-Plus software for overriding the master charges and applying manual charges on a case-to-case basis. These manual overrides were specifically investigated to determine reasons for change.
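
The join, computed field and extraction described above, as an added example that is not part of the original article or of the GAS. It assumes hypothetical amount fields `billed_charge` and `procedure_charge`, uses constructed records, and also surfaces claims left without a master rate by the ALL RECORDS IN PRIMARY FILE join.

```python
VARIANCE_NORM_PCT = 15  # acceptable variance norm quoted in the Method above

# --- constructed sample data; amounts are whole rupees ---
PROCEDURE_MASTER = [
    {"diagnosis_reference_code": "D10", "procedure_charge": 20000},
    {"diagnosis_reference_code": "D20", "procedure_charge": 50000},
]
CLAIMS = [
    {"claim_id": "C1", "diagnosis_code": "D10", "billed_charge": 20000},  # as per master
    {"claim_id": "C2", "diagnosis_code": "D10", "billed_charge": 22000},  # +10%
    {"claim_id": "C3", "diagnosis_code": "D20", "billed_charge": 60000},  # +20%
    {"claim_id": "C4", "diagnosis_code": "D99", "billed_charge": 15000},  # no master rate
    {"claim_id": "C5", "diagnosis_code": "D20", "billed_charge": 45000},  # below master
    {"claim_id": "C6", "diagnosis_code": "D10", "billed_charge": 23000},  # exactly +15%
]


def join_all_primary(claims, master):
    """Join on Diagnosis Code = Diagnosis Reference Code, keeping every claim.

    Appends the computed field 'audit_charge' (billed minus master charge);
    it is None when the diagnosis code has no row in the master file.
    """
    rates = {m["diagnosis_reference_code"]: m["procedure_charge"] for m in master}
    joined = []
    for claim in claims:
        rate = rates.get(claim["diagnosis_code"])
        audit_charge = None if rate is None else claim["billed_charge"] - rate
        joined.append({**claim, "master_charge": rate, "audit_charge": audit_charge})
    return joined


def non_zero_cases(joined):
    """Extraction 'Audit Charge <> 0': every deviation from the master rate."""
    return [r for r in joined if r["audit_charge"] not in (None, 0)]


def excessive_cases(joined, norm_pct=VARIANCE_NORM_PCT):
    """Claims billed more than norm_pct percent above the master charge.

    Integer arithmetic keeps the boundary exact: a claim at exactly the norm
    is not reported.
    """
    return [r for r in joined
            if r["audit_charge"] is not None
            and r["audit_charge"] * 100 > norm_pct * r["master_charge"]]


def unmatched_cases(joined):
    """Claims whose diagnosis code is missing from the master file."""
    return [r for r in joined if r["master_charge"] is None]


if __name__ == "__main__":
    joined = join_all_primary(CLAIMS, PROCEDURE_MASTER)
    print("non-zero :", [r["claim_id"] for r in non_zero_cases(joined)])
    print("excessive:", [r["claim_id"] for r in excessive_cases(joined)])
    print("unmatched:", [r["claim_id"] for r in unmatched_cases(joined)])
```
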

Identify excessive number of procedures per day or place of service per day/per patient:

Objective:

To identify instances of excessive number of medical procedures conducted per day or place per patient.

Method:

In this exercise, the Healthcare Claims transaction file was used as the basis for the red-flag check.

A duplicate check was run on the insured name, policy number, and hospitalisation date to identify possible duplicate claims for excessive medical procedures for the same insured patient. This test was further corroborated by a summarisation/ consolidation of claims based on the insured name and policy number to generate multiple claim instances in excess of one hospitalisation/medical procedure.

Cases were identified where multiple medical procedures had been conducted on the same insured at the same hospital. The cases were referred by the team to the expert medical officer who clearly identified the claims as unrelated and fictitious. For example – a cornea transplant of the eye was followed by a hernia operation which was medically absurd.

GAS functionality covered:

The exercise used the following GAS functionalities :

•  Duplicate detection:

In the duplicate test, exact vertical matches are detected within specific field or fields designated.

The transactions file was used as the basis for the test.

The insured name, policy number, and hospitalisation date were selected as the key fields on the basis of which duplicates were to be detected.

In the GAS, an auto key field indexing was performed on the insured name, policy number, and hospitalisation date to speed up the process of duplicate key detection.

The duplicate test revealed a list of vertical matches which were to be investigated.

•    Summarisation:

The GAS had a popular transaction consolidation function called summarisation. The advantage of this function was that multi-field summarisation was possible with generation of valuable insightful statistics like MIN, MAX, AVG, VAR, DEVIATION and more. This superior functionality was accompanied by generation of multi-chart and multi-graph utilities in user-friendly colour-rich formats which could be ported across office applications.

Summarisation/consolidation of claims was performed based on the insured name and policy number to generate a report of multiple claim instances in excess of one hospitalisation/medical procedure. Here the key statistic used was COUNT rather than SUM.

Just like in the first stage duplicate test, summarisation was also preceded by an auto index facility on the key objective fields to increase the through-put of results.

• Data extraction to filter out the exceptions:

Data extraction involves filtration of transactions from the joined file which meet the filtration command criteria.

Multiple claim instances in excess of one hospitalisation/medical procedure were trapped through the Data extraction – Equation Editor Facility using the command “Count > 1”.

These vital cases and potential red-flag indicators were immediately taken up for scrutiny with the Chief Medical Officer at the concerned hospital. Patient health history reports were also studied to provide allowance for multi-health issues and failures on the same day warranting multi-medical procedures.
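The three GAS steps described above (duplicate test, summarisation on COUNT, extraction with "Count > 1") can be reproduced outside a GAS. The following is an added example, not part of the original article or of any GAS product; the claim records are constructed, the field names are assumptions, and the case and spacing normalisation of key fields goes beyond the exact-match test the article describes.

```python
from collections import defaultdict

# Constructed sample claims (not data from the case study); field names are assumptions.
CLAIMS = [
    {"claim_id": "C001", "insured": "A. Rao",  "policy": "P-1001", "hosp_date": "2009-01-05", "procedure": "cornea transplant", "amount": 180000},
    {"claim_id": "C002", "insured": "a. rao ", "policy": "P-1001", "hosp_date": "2009-01-05", "procedure": "hernia operation",  "amount": 95000},
    {"claim_id": "C003", "insured": "A. Rao",  "policy": "P-1001", "hosp_date": "2009-02-11", "procedure": "knee replacement",  "amount": 60000},
    {"claim_id": "C004", "insured": "B. Shah", "policy": "P-2002", "hosp_date": "2009-01-09", "procedure": "appendectomy",      "amount": 40000},
    {"claim_id": "C005", "insured": "C. Iyer", "policy": "P-3003", "hosp_date": "2009-01-12", "procedure": "cataract surgery",  "amount": 25000},
    {"claim_id": "C006", "insured": "C. Iyer", "policy": "P-3003", "hosp_date": "2009-03-02", "procedure": "cataract surgery",  "amount": 25000},
]

def norm_key(value):
    """Collapse case and spacing so trivially re-keyed names still match (an assumption)."""
    return " ".join(str(value).split()).upper()

def build_index(claims, key_fields):
    """Group claims by the chosen key fields; stands in for the GAS key index."""
    index = defaultdict(list)
    for claim in claims:
        index[tuple(norm_key(claim[f]) for f in key_fields)].append(claim)
    return index

def duplicate_test(claims, key_fields):
    """Return only the key groups that hold more than one claim."""
    return {k: rows for k, rows in build_index(claims, key_fields).items() if len(rows) > 1}

def summarise(claims, key_fields, value_field="amount"):
    """One row per key with COUNT, SUM, MIN, MAX and AVG of the value field."""
    summary = []
    for key, rows in build_index(claims, key_fields).items():
        values = [r[value_field] for r in rows]
        summary.append({
            "key": key, "count": len(values), "sum": sum(values),
            "min": min(values), "max": max(values), "avg": sum(values) / len(values),
            "claim_ids": [r["claim_id"] for r in rows],
        })
    return summary

def extract(rows, criterion):
    """Filter rows with a criterion, such as the article's "Count > 1"."""
    return [r for r in rows if criterion(r)]

def run_tests(claims=CLAIMS):
    """Duplicate test on three keys, then summarise on two keys and extract Count > 1."""
    dups = duplicate_test(claims, ("insured", "policy", "hosp_date"))
    exceptions = extract(summarise(claims, ("insured", "policy")), lambda r: r["count"] > 1)
    return dups, exceptions

if __name__ == "__main__":
    dups, exceptions = run_tests()
    for key, rows in dups.items():
        print("DUPLICATE", key, [(r["claim_id"], r["procedure"]) for r in rows])
    for row in exceptions:
        print("COUNT > 1", row["key"], row["count"], row["sum"], row["claim_ids"])
```

The duplicate group pairs a cornea transplant with a hernia operation on the same date, which is the kind of case the article says was referred to the medical officer; the Count > 1 rows still need the patient history review described above before they are treated as exceptions.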

Identification of diagnosis and treatment that was clearly inconsistent with patient age and / or gender:

Objective:

To identify diagnosis and treatment that was clearly inconsistent with the patient/ insured age and gender.
 
Method:

The team set up value bands from the Claim Transaction file. The value bands were set up for 0-20000, 20001-50000, 50001-100000, 100001-200000, and more. The high-value bands were designated as “A Class High Risk”. The “A Class High Risk” band corresponded to 10,00,000 to 20,00,000. All the claims in this category were culled into a separate dump within the GAS.

All the claims in the A Class category were examined through the search function for the insured details like age, gender, past medical history.

Specific instances were observed with the assistance of the ace team medical expert, wherein open-heart surgeries were conducted for minors even though the medical history suggested otherwise. In one critical high-value instance, the insured (a male) had claimed large amounts for complex medical procedures normally conducted on elderly women.

GAS functionality covered:

The exercise used the following GAS functionalities :

• Stratified Random Sampling:

In Stratified Random Sampling credence is given to distribution of individual transaction values between low, medium and high.

Judgment on the interpretation of low, medium and high rests with the GAS user based on consultation with the medical expert and past industry experience of the team members.

The team set up intervals from the Claim Transaction file. The intervals were set up for 0-20000, 20001-50000, 50001-100000, 100001-200000, and more. The high-value bands were designated as “A Class High Risk”. The “A Class High Risk” band corresponded to 10,00,000 to 20,00,000. All the claims in this category were culled into a separate dump within the GAS using the random number table within the GAS.

The random number table generates a list of random numbers from the “A Class High Risk” interval based on its internal algorithms and generates a separate file of such instances.

• Data search:

Data search is an advanced tool within the GAS which can undertake simple, complex, structured, unstructured, fuzzy, single-word or multi-word searches, quite similar to a web portal search engine.

Here, with the aid of the medical expert, specific key strings and character occurrences were trapped. Suspicious transactions were studied in depth along with the patient’s case paper file.
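The stratification, random sampling and data search steps described above can be sketched as follows. This is an added example, not part of the original article or of any GAS product: the band limits are those given in the text, while the claim records, field names, seed and the two screening rules are constructed stand-ins for what the medical expert would supply.

```python
import random
from bisect import bisect_left
from collections import Counter

# Value bands from the text; the last band is open-ended ("and more").
BAND_UPPER = [20000, 50000, 100000, 200000]
BAND_LABELS = ["0-20000", "20001-50000", "50001-100000", "100001-200000", "200001+"]
A_CLASS = (1000000, 2000000)  # "A Class High Risk": 10,00,000 to 20,00,000

# Hypothetical screening rules of the kind a medical expert would supply:
# (keyword in procedure text, minimum age or None, required gender or None).
RULES = [("open-heart", 18, None), ("hysterectomy", None, "F")]

# Constructed sample claims (not data from the case study).
CLAIMS = [
    {"claim_id": "K01", "amount": 15000,   "age": 34, "gender": "F", "procedure": "Cataract surgery"},
    {"claim_id": "K02", "amount": 20001,   "age": 51, "gender": "M", "procedure": "Hernia repair"},
    {"claim_id": "K03", "amount": 1250000, "age": 9,  "gender": "M", "procedure": "Open-heart surgery"},
    {"claim_id": "K04", "amount": 1800000, "age": 42, "gender": "M", "procedure": "Total hysterectomy"},
    {"claim_id": "K05", "amount": 1100000, "age": 67, "gender": "F", "procedure": "Open-heart surgery"},
    {"claim_id": "K06", "amount": 2000000, "age": 58, "gender": "F", "procedure": "Hip replacement"},
    {"claim_id": "K07", "amount": 450000,  "age": 29, "gender": "M", "procedure": "Spinal fusion"},
]

def band_of(amount):
    """Map a claim amount to its value band; upper bounds are inclusive."""
    return BAND_LABELS[bisect_left(BAND_UPPER, amount)]

def stratify(claims):
    """Count claims per value band."""
    return Counter(band_of(c["amount"]) for c in claims)

def a_class(claims):
    """Cull the claims that fall in the A Class High Risk interval."""
    lo, hi = A_CLASS
    return [c for c in claims if lo <= c["amount"] <= hi]

def random_sample(claims, n, seed):
    """Draw a reproducible random sample; a recorded seed lets a reviewer re-perform it."""
    pool = sorted(claims, key=lambda c: c["claim_id"])
    return random.Random(seed).sample(pool, min(n, len(pool)))

def search_inconsistent(claims, rules=RULES):
    """Keyword search on the procedure text, checked against age and gender."""
    hits = []
    for c in claims:
        text = c["procedure"].lower()
        for keyword, min_age, gender in rules:
            if keyword not in text:
                continue
            if min_age is not None and c["age"] < min_age:
                hits.append((c["claim_id"], f"{keyword}: age {c['age']} below {min_age}"))
            if gender is not None and c["gender"] != gender:
                hits.append((c["claim_id"], f"{keyword}: gender {c['gender']}, expected {gender}"))
    return hits

if __name__ == "__main__":
    print(dict(stratify(CLAIMS)))
    stratum = a_class(CLAIMS)
    print([c["claim_id"] for c in random_sample(stratum, 3, seed=2009)])
    print(search_inconsistent(stratum))
```

A hit is only a pointer for the medical expert's review alongside the patient's file, as in the article; the rules do not decide that a claim is fictitious.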

Conclusion:

While specific audit reports gave regular feedback to the process owners about process flow control gaps, the identification of potential red flags in the process was greatly aided by the GAS, which went beyond the set standard traditional norms. Further, it allowed the audit team to move beyond the ‘priority’ set by the Board and to complete their investigations within time, with specific unusual drill-down capabilities and results through a third-eye watch. The IT team was also excited about the possibilities which such a tool could have for their forensic security reviews on a regular basis and initiated a review of the same with special watch on cyber security, i.e., lodging of e-claims. Further, the Head – Forensics also made it mandatory for the Company’s outsourced medical examiners to use a GAS for their branch audits, using methodologies similar to those of the audit team.

As a seasoned user of the GAS, Jacob laid down the structure for Continuous Control Monitoring of specific forensic objectives through automation of tasks and scheduling within the GAS.

Our perspective

Internal Audit

Introduction :


1.1 Corporate governance, as we all know, has been under a
strong and critical public spotlight currently and in recent years, because of a
succession of blows to capital market confidence, particularly in the United
States but also echoed in India and other countries. The stakeholders’
expectations of boards and senior management, and of those charged with
providing an independent review of a company’s operations and
financial statements, have increased. To meet those expectations,
governments and regulatory authorities around the globe have initiated concerted
efforts to improve standards of corporate behaviour and transparency through :



  •  stress on efficacy of internal controls both in the Sarbanes-Oxley Act in the
    U.S.A. and clause 49 of the listing agreement in India.



  • mandatory compliance with accounting standards to ensure adequacy and
    uniformity in disclosure practices — this will further get strengthened with
    the adoption of IFRS in India.



  •  emphasis on risk assessment and risk mitigating procedures.


1.2 Clause 49 of the Listing Agreement casts an obligation on
the ‘Audit Committee’ to :



  • Ensure adequacy of internal controls.
  • Review internal audit reports.
  • Recommend appointment and remuneration of internal auditors.
  • Ensure independence of internal auditors.


Clause 49 also requires CEO and CFO to certify the
effectiveness of the internal controls in the company.

1.3 With the emphasis on the above issues internal audit has
become an integral tool of corporate governance. An internal auditor today
reviews not only accounting procedures, but also reviews and reports on the
effectiveness of manufacturing and marketing function. Hence, internal audit in
the present context is a multi-disciplinary function.

1.4 This article offers our perspective on the role of
internal audit and its structure.

The role of Internal Audit :

2.1 Paragraph 3.1 of the Preface to the Standards on Internal
Audit, issued by the Council of the Institute of Chartered Accountants of India
in 2004, describes internal audit as follows :

“Internal audit is an independent management function,
which involves a continuous and critical appraisal of the functioning of an
entity with a view to suggest improvements thereto and add value to and
strengthen the overall governance mechanism of the entity, including the
entity’s strategic risk management and internal control system.”


2.2 The definition of internal audit approved by the Board of
Directors of the Institute of Internal Auditors is :

“Internal auditing is an independent, objective assurance
and consulting activity designed to add value and improve an organisation’s
operations. It helps an organisation accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of
risk management, control, and governance processes.”


2.3 The above definitions are highly contextual as a distinction
between internal audit and risk management needs to be drawn. As
we see it, the basic function of internal audit is an independent appraisal of
an organisation’s internal controls, including controls over financial reporting
and business processes having financial ramifications. It does not stop at only
pointing out weakness, but extends to making of recommendations on internal
control and process improvements that could be made to increase efficiency of
operations.

2.4 Risk management, on the other hand, is about
identifying and assessing inherent risks in the products and activities of an
organisation, and ensuring that appropriate risk management limits, control
mechanisms and mitigation strategies are in place to contain risk within the
organisation’s risk appetite and capital adequacy. A monitoring function
(similar to internal audit) is often involved to ensure that the risk control
framework is in place and operating as intended. Internal audit plays a
facilitative role in evaluating whether the controls are practical and
functional and whether they can be circumvented. The distinction is that ‘risk
management’ team has the continuous responsibility of understanding how actual
risks facing the organisation are changing. This requires continuous review by
the management.

2.5 The function of the internal auditor in risk
management is to review and report on the adequacy of the procedures and report
on adherence to the limits prescribed by the Board or senior management. Barings
of U.K. went down because limits prescribed by senior management in London were
not adhered to by a dealer in Singapore. Recently, the century-old France Union
General — a financial institution — failed because of speculative lending where
internal control limits were not adhered to.

2.6 The above view is in line with what is prescribed in Para
15 of the Internal Audit Standard 4 dealing with ‘Reporting’, which amongst other
issues includes as a function of internal audit :

‘evaluating the overall entitywide risk management and
governance framework.’


2.7 This cooperation between the internal auditor and risk management team is also recognised in an alternative definition which is given in an IIA Research Foundation publication of 1999 – Competency : Best Practices and Competent Practitioners.

“Internal auditing is a process by which an organisation gains assurance that the risk exposures it faces are understood and managed appropriately in dynamically changing contexts.”

This is a functional definition and in our view a direct appreciation of the current expectations from internal audit.

Structure and resources, independence and approach:

3.1 The starting point is evaluating whether the internal audit function is in-house or outsourced, and whether this arrangement is appropriate in given circumstances. The following crucial benchmarks need to be in place for internal audit team keeping in mind the standards and professional practice advisories and guidelines of The Institute of Internal Auditors.

i) Structure and resources:

The structure of the internal audit function is established and an assessment made about the key internal audit personnel, their roles and responsibilities, skills and experience, irrespective of whether the internal audit function is ‘in-house’ or ‘outsourced.’

ii) Independence:

Firstly, the company board should ensure that independence of the internal audit function is maintained. The internal auditor should not report to the CFO, but should report to the CEO and the audit committee or the Board of Directors.

It needs to be mentioned that managements in India have been resisting the concept of the internal auditor reporting directly to the CEO or the audit committee. However, we believe it is essential to have direct reporting to ensure independence. We also believe that reporting to the CEO or the audit committee should be after discussion and having obtained the response of the management, because the CEO and/or the audit committee would call for the response of the management on any issue reported by the internal auditor. This mode of reporting also meets the criteria of transparency.

Secondly, the internal auditor should not be directly involved in execution of risk management or operations. The internal audit function may provide valuable input to those responsible for risk management or operations, but should not have direct risk management responsibilities. In practice, some organisations (particularly small ones) may give internal audit initial responsibility for developing a risk management programme. Where this is the case, organisations should see that the responsibility for day-to-day risk management is an independent function. We reiterate that internal auditor should in no manner be involved in operations, though the internal auditor should understand operations.

Thirdly, significant issues raised by the internal auditor even if satisfactorily resolved need to be reported to the CEO and the audit committee.

Fourthly, where the internal audit function is outsourced there should not be any conflicts of interest – for example – the internal auditor should not be involved in rendering other services. The Institute of Chartered Accountants of India has recently barred an internal auditor from being appointed even as a Tax auditor.

iii) Approach:

The approach taken by internal audit should be clear. It could be :

  • risk-based – the focus is on the high-risk areas of the organisation;

or

  • review-based – the focus is on review of various parts of the organisation, usually chosen either at random or in line with a predetermined internal audit plan;

or

  • compliance-based – the focus is on compliance with policies and procedures.

It could however be a combination of all three. Normally, it would be a combination of at least two of the above.

The board and/ or the audit committee should approve the approach. However, there should be sufficient scope to change the emphasis where necessary on an ongoing basis in order to react quickly to issues that get identified and require internal audit involvement – for example – recent losses incurred by companies in foreign exchange derivatives. In short, the internal auditor has to be agile to respond to changing environment. He should always be vigilant.

i) Establishing the authority of internal audit:

The CEO must send out a clear message that internal audit function is necessary and not a compliance gimmick. The seriousness and the attitude of the CEO is the only means of establishing internal auditor’s authority.

Internal audit must be recognised as a core part of governance and not as some form of necessary burden or add-on. On the other hand, the internal auditor by the professionalism and quality of internal audit work should show boards, management, regulators and even those whose work he reviews and comments on that the function does add value. It should be understood that the message that internal audit sends will not carry weight unless it can be demonstrated that the message is founded on both technical and commercial competence – a balancing of technique and real world experience.

In other words, the internal auditor has to establish that his function goes beyond compliance. To achieve this, the team skill mix needs to be broad, embracing accounting, compliance checking, industry specialist, IT skills and, if possible, to include a strategist – CAATs. This at times can be achieved by:

  • where necessary, ‘in-sourcing’ or ‘out-sourcing’ (if not already done) by having specialist skills to supplement full-time audit resources;

  • ensuring that internal audit technology keeps pace with developments in the business – for example – use of Balanced Score Card, Self Assessment, CAATs; and

  • demonstrating professionalism and objectivity by standing strong amidst the management and others, when this is justified in the interests of other stakeholders.

ii) Conflict situation:

Regulators can cite many examples where weak corporate governance exists because of an overbearing CEO who has undermined the financial soundness of an organisation, whether through unfocussed expansion – that is – pursuit of growth for growth’s sake, or the dominant desire to always give ‘good news’ – show growth where there is none or cover up losses. The recent Satyam fiasco is a startling example of an overbearing CEO. The internal auditor should be alert to such and similar signs of weakness and raise these issues with the Audit Committee. This kind of approach, though at times it goes beyond the normal call of duty, will add immense value. Let us not forget that virtually all analysts have come to the conclusion that the current financial crisis which has gripped the world economy is because of the desire of CEOs and the corporate managements to achieve one of the two or both the objectives. Somewhere in fulfilling these objectives both the internal control procedures and risk limits have been violated. We believe that though it may be a tough call, the internal auditor will have to bite the bullet. The newspapers report that in the case of Satyam, SEBI’s investigation is being extended to Satyam’s internal auditors – Business Standard 16 Jan. 2009.

3.2 To retain his independence and effectiveness the internal auditor should also be conscious of the fact that:

  • no controls are absolutely perfect and will always require improvement.

  • managements are always tempted to by-pass controls, sometimes in the interest of business and at times in self-interest.

Hence, he should be aware of what is happening in the entity and should also never lose sight of ‘professional skepticism’.

3.3 Ultimately, it is the board which has to take ownership of problems and institute appropriate remedies. The issue is :

What should the internal auditor do where the organisation is facing major problems and the management continues to ignore them or does not take remedial action?

There is no easy answer, since each situation is unique. Nonetheless, it is surely incumbent on the internal auditor to take the right professional action and not let the situation fester. In the end, the head of internal audit or the internal auditor might have to step down and part ways gracefully if the organisation’s culture does not allow internal audit to function appropriately and serious problems are not being addressed. This is the ultimate test of the professionalism and ethics. This is a hard decision. The fact is that after any failure the internal auditor is inevitably one of the sacrificial lambs on the altar of accountability. In these difficult situations, professional standards, support from the professional body and peers and where appropriate, support of the regulators can help to strengthen the position of the internal auditor. Internationally regulators have required external auditors to whistleblow to the regulator in extreme circumstances, while granting them protection in the form of qualified privilege. We may need to consider similar protection for internal auditor in our environment.

Concluding remarks :

The ever-increasing pressure on organisations to manage their affairs and risks prudently poses considerable challenges for corporate governance structures including internal audit, a key line of defence in these structures. Every challenge, however, is an opportunity. For ‘internal audit’ as a profession, the current business environment is both an opportunity and a challenge to cement our presence in corporate India to demonstrate our skills and resolve to play a contributory role. We have full support of the regulator and the audit committees. We perceive that in addition to an opportunity and challenge the ‘internal audit profession’ has an obligation to assist in making corporate governance transparent and effective. Let us therefore “look at the right things, whilst doing the right thing”.