If audit reporting is so important, why isn’t it higher on every CIO’s agenda?
You can learn a lot from talking to customers.
It’s the best part of my day, when I get to discuss real problems with real people. But I find it best to listen, which some salespeople would be well advised to do more of!
Once we get over the initial chat about being stuck at home, and what’s happening with the virus, we can get down to business. Over the last couple of weeks there has been a recurring theme: “Audit reporting – is it a good thing? Why is it so difficult? These auditors come in once a year asking stupid questions, but we’ve got a clean bill of health. Why do I have to do it?”
I was struggling to fit this together yesterday, but as usual, in my early morning shower today some clarity set in. Let me explain.
Let’s start with the role of Internal Auditors
In my mind, Internal Audit is often the most difficult department for people to understand.
These folks are there for pretty good reasons. The Institute of Internal Auditors website defines Internal Auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
Or in other words, they sit outside of the organization’s operational departments, and are responsible for independently evaluating how well the company is managing risk, reporting directly to senior management or the audit committee.
As well as assessing the quality of risk management processes, they can act as internal consultants to help management improve them – so they play an important part in making sure the numbers add up, reducing the risk of fraud, and ensuring efficient use of resources and good governance and compliance.
But because they are independent from operational departments, they seldom have any budget. What real power they have will depend on where they sit in the organization, and the backing they get from the CFO and CIO.
I see risk assessment as a critical part of what they do – i.e. identifying potential risks, assessing the likelihood of them happening, and the impact they would have on the business.
Audit reporting: identifying and understanding risks
Not all companies have an internal audit team, but every company, no matter how small, should be doing some risk assessment, though it isn’t easy to get right. In my small business we do it formally once a year, which isn’t enough – and no, we didn’t have the risk of a global epidemic high on the list! But there again, it seems that neither did most of the governments in the Western World…
Audit reporting is about identifying and understanding some of those risks, so that you can decide what you need to do to mitigate them.
For example, could someone in the business commit the most common fraud on an ERP system? If you don’t know the answer to that question, and you’re responsible for the system, your job is at risk. In my next blog, I’ll tell a story about a very good ERP Director and what happened when someone defrauded his company because of too little control over access to the ERP system.
So why aren’t fraud control and audit reporting a critical issue for all CFOs and CIOs?
Balancing many demands on their resources, some CIOs tend to avoid doing anything about it until either their external auditors force them to or a fraud occurs, and I fail to understand why. In the past, risk analysis and audit reporting were problematic and difficult to get right; nowadays there are solutions for most ERP systems that make it very easy.
So what stops them?
It isn’t sexy? It isn’t perceived to deliver business benefits? It costs money?
I can’t do anything about the first point, but I can argue against the other two.
Putting in place internal controls that reduce risk saves money for any business; there is certainly a Return on Investment in terms of preventing fraud. The average value of an internal fraud is $100k, and every organization has a 50% chance of a fraud occurring in any given year, so you can work out the expected annual exposure for yourself.
But most importantly, how do internal controls help a business in terms of efficiency?
We have a little model we use with our clients. It isn’t complex – in fact it’s a very small spreadsheet.
How long does it take you to onboard users to the system and to approve their Segregation of Duties (SoD)?
How long does it take to do the annual sign-off of access, often referred to as Periodic Access Review, or User Certification?
How much effort is needed to answer your auditors’ questions on access? And how much do your auditors charge?
Obviously, the ROI will depend on company size, but by deploying modern tools for internal controls and audit reporting, you can deliver significant efficiencies.
But finally, I will give you the most important but intangible argument. Putting in place efficient, repeatable controls for risk analysis and audit reporting will help you to sleep at night. No worrying about fraud on your watch. No wondering where to find the resources to pull data out with SQL for the auditors. And a pat on the back from the CFO for introducing efficiencies into the business.
I wish I had thought about pandemics during my last risk analysis session in August last year. But, in reality, what could I have put in the “controls” column, i.e. what would I have done to stop it affecting my business? And what would I have put in the “actions” column?
But you do have an affordable and pragmatic way to analyze your business risks.
Audit reporting is easy.
Find out more about powerful audit reporting solutions for JD Edwards, Oracle E-Business Suite and Oracle ERP Cloud.