REMOTE INTERNAL AUDIT: SOME THOUGHTS ON ENHANCING IT
By Roger Clark FCA PIIA [25.4.20]
WHAT IS REMOTE INTERNAL AUDIT?
My definition of Remote Internal Audit is “auditing your organisation (say entity A) from outside your organisation using computing and other devices at your home or elsewhere outside of A”.
By way of illustration, let’s suppose you are Chief Internal Auditor of entity A. You probably always had permission from IT Security of A to read-only access a whole range of internal systems such as general ledger, purchases day book, fixed asset register in order to carry out internal audits of those areas. It’s quite likely that that you also were granted access to many of those systems from your devices at your home. Your access level will have always been read-only: you were not able to change anything. More junior staff tend to have still more restricted access, being granted access only as and when needed to carry out a particular audit. After the audit is concluded, access may well be withdrawn. As CIA, your access probably continues unabated.
Some systems and programs such as payroll and sales invoicing may be outsourced and run by outside entities on two or three year renewable contracts. To facilitate audits of these outsourced programs you need access to those systems: you will need two permissions: (1) the permission of A’s IT Security, and (2) the permission of the outsourced provider’s IT Security. When you have those two permissions (read-only of course), you will be able to carry out all manner of audits on payroll, including statistical sampling. You will able to check that the CEO of your entity is being paid the correct salary.
This is not quite the same as auditing outside the organisation. This where you carry out an audit within a customer or supplier or other entity that is not entity A. One reason for doing that could be that a supplier is on a ‘cost plus’ contract to supply special equipment urgently, for example a Covid-19 vaccine. Months after the supply, it may be necessary to check what the supplier’s costs were, to ensure entity A has not paid the supplier too much. You will almost certainly have to go into the supplier’s offices to do that.
There are two main features of Remote Internal Audit: (1) Conversations and (2) Remote Access.
This feature is old, not new. We have always had conversations with our boss, our colleagues, our auditee managers and their staff in order to conduct an audit professionally, to find out what the risks and internal controls are, to test that the internal controls are adequate and in place, to test, to discuss, to challenge, to report, to follow up implementation. These conversations have been by face to face contact for millennia, by post for 350 years, by telephone for 140 years, by cable / telex / telegram for about as long as that, by fax for about 60 years, by email for about 26 years, and by webcam /Skype / Whatsapp and so on for 5-15 years. So there’s nothing new about Internal Audit ‘conversations’. What’s new is that, because of Covid-19 pandemic face to face is much more difficult, and in some cases impossible. The others continue, and fax may even make a comeback.
Remote Access to Systems
Many internal audits will be hindered and their quality adversely affected if remote access to systems is denied or not available. There is no risk to system data with read-only access: the internal auditor needs read-only access and does not need nor seek to change data; wants access only to view, check, verify, compare, reconcile, then consider whether internal controls address the risk, and finally report back with recommendations for change if any. This is a pragmatic adaptation of internal auditing. Now that we are at home, we must adapt.
IMPACT OF COVID-19 PANDEMIC
We are being implored every day to stay at home. So we oblige and try to work from home. The editor of this journal, Ruth Prickett, told me she has worked from home for 10 years quite successfully. The rest of us have been used to going where we needed to go to audit. Now we cannot so we adapt.
We must use new techniques and behaviours. If we find that face to face is prevented, we must use email, post, telephone, Skype, Whatsapp and fax more.
HOW TO TURN DISADVANTAGE TO ADVANTAGE
Internal audits that lend themselves to remote access include:-
- Fixed assets; bank accounts; debtors and creditors (for later verification); actual versus budget variances; a review seeking ‘the unusual’; plus some of the other verification work that is normally done by external auditors
- Control accounts
- Suspense accounts
Profit and Loss:
- Travel expenses claims, royalty income
- Significant actual versus capital budget variances
- There will be risk, compliance and quality assurance aspects requiring to be looked at. Risk registers can be updated remotely by email Q&A and over the ‘phone by an Internal Auditor who knows risk management
- Writing / updating of procedures manuals such as travel expenses claim rules, staff manual, translation from one language to another
- Consultancy: a Project for Exiting Covid-19 lockdown
As usual, questions will be posed, and answered by ‘phone, email and post. It’s much as before! Pretty easy! Pretty straightforward! ”
Go for it!
Roger is a member of CIIA and a chartered accountant. In his career to date he has been both an employed Internal Auditor and a self employed outsourcer of Internal Audit. Telephone: 0758 287 1143 Email: info@CorporateGovernance.Shop Web: www.ManagementAudit.co.uk