
Sniffing out errors: increasing internal audit effectiveness through error discovery rather than compliance based auditing

Authors:
  • Kelly Partners LLP

Abstract

Traditional approaches to audit testing, reinforced by the Combined Code on Corporate Governance and the provisions of the Sarbanes-Oxley Act, focus on the existence and effectiveness of internal controls and the reporting of errors if found. This short paper outlines a change of emphasis whereby the audit methodology is deliberately orientated towards finding errors as a more meaningful illumination of the effectiveness of internal control. Published in Internal Auditing & Business Risk, Journal of the Institute of Internal Auditors UK.
Internal Auditing & Business Risk | December 2007
FEATURE
Traditional approaches to audit testing, reinforced by the Combined Code on Corporate Governance and the provisions of the Sarbanes-Oxley Act, focus on the existence and effectiveness of internal controls and the reporting of errors if we find them.

So auditors typically do walk-throughs, test samples of transactions, interview management and staff, analytically review reasonableness and so forth. This testing tends to focus on finding evidence that controls operated throughout the period under review. As a result of this mindset, confirmation bias can set in, reducing the effectiveness of the audit.

Where enquiries lead internal audit to have doubts about the existence or effectiveness of controls, it usually argues the point with management at the close-out meeting. Some internal audit wins and some it loses. This ends up in a table of recommendations, implications and management responses that sometimes fall short of what internal audit would have liked. As to the timely completion of the actions management signed up to, those actions tend to linger on unfinished, or may get implemented in a way different to what was intended at the time of the audit or, in the worst cases, not at all.

When consideration is taken of the personalities of those who choose a career in internal audit and those who claw their way up the managerial ladder, the odds are on management winning most of the debates. This may help to explain why so many organisations – Enron, Barings, Parmalat and so forth – have suffered significant control breakdowns despite being audited internally and externally.

Not only so, but if the auditor’s arguments at the close-out meeting are based on the possibility of control breaches, management may debunk these as hypothetical arguments on the grounds that they have never occurred and are unlikely to do so. There is also a risk that any control breakdowns the auditor does find are dismissed as immaterial or explained away. So in the worst cases the auditor leaves the close-out meeting perhaps belittled, with a report and a set of management actions that may never be meaningfully implemented, and the sub-optimal state of internal controls largely intact.

Most internal auditors check controls and report on errors. Chris Kelly prefers to go out looking for trouble, as he explains.

Boards of directors, and society generally, expect more from internal auditors than the negative assurance that no material errors were found in the course of their work. As utopian as it may seem, society wants positive assurance that nothing has gone wrong nor can go wrong. When things do go wrong, society is not averse to suing an audit firm and, as in the case of Parmalat, sending an internal auditor to prison.

Errors

One way to address the shortcomings of controls-based testing is error-based testing. That is, to seek the very errors the controls were intended to prevent. If an error is shown to have occurred, then any claims that controls are adequate are clearly disproved. Only one error need be found to prove that a control, or often a series of controls, did not function as intended.

Any debate with management is now reversed, with management having to explain why the errors occurred and what actions they are going to implement to prevent recurrence. I have seen management so keen to improve their controls that they have done so even before the report was issued and then invited the auditors to come back in the near future in the hope of being able to produce a clean audit report.

Counterintuitively, the relationship with management is improved when evidence of errors can be produced. Putting to one side the delightful role change, testing for errors can make for punchier reports and is an effective way to meaningfully improve internal controls.

Testing for errors is as rigorous as testing controls. Specific error conditions need to be defined and tested. This involves a change of mindset requiring the auditor to hypothesize about the error types that could occur if controls were not operating as intended. Note that the controls may exist, but they may not be complete, or performed consistently, or on a timely basis. Even simple, obvious errors can dramatically increase the power of audit reports. The problem is, unless internal auditors are looking for them, they can mysteriously evade detection.

There are an infinite number of error conditions, so part of the skill is in identifying those that present the highest risk in terms of likelihood or impact. Examples of error conditions could include authorised limit excesses, mis-postings, erroneous duplications, over-estimations, fraudulent transactions, inappropriate access privileges or abilities, critical operational databases with contradictory or missing or outdated data, overdue or unperformed control actions such as back-ups or reconciliations. It is preferable that any significant errors are found through work carried out or sponsored by internal audit rather than coming to light through other means.

Methods for substantiating error hypotheses include cross-matching data that is not normally cross-matched in the ordinary course of events, error isolation in voluminous data using IDEA, and finding the personnel who may be willing to divulge information about circumstances when controls are bypassed. Internal audit has a key advantage here in that it tends to have the necessary skills and tools at its fingertips; and, whereas many employees are limited to the perspective of their own department, internal audit gets a fuller view of end-to-end processes during the course of its enquiries.

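The sketch below is an added example, not part of the original article: it expresses three of the error conditions listed above (erroneous duplications, authorised limit excesses, inappropriate access privileges) as explicit tests and cross-matches an HR leaver list against an account list. All records, field names, user names and limits are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data; every name, field and value below is hypothetical.
PAYMENTS = [
    {"id": "P1", "supplier": "ACME", "invoice": "INV-0042", "amount": 1200.00, "approver": "jsmith"},
    {"id": "P2", "supplier": "ACME", "invoice": "inv 0042", "amount": 1200.00, "approver": "jsmith"},
    {"id": "P3", "supplier": "BOLT", "invoice": "B-17", "amount": 9800.00, "approver": "mlee"},
    {"id": "P4", "supplier": "BOLT", "invoice": "B-18", "amount": 300.00, "approver": "mlee"},
]
APPROVAL_LIMITS = {"jsmith": 5000.00, "mlee": 5000.00}
HR_LEAVERS = {"mlee": date(2007, 9, 30)}  # user -> last working day
ACTIVE_ACCOUNTS = {"jsmith": date(2007, 11, 2), "mlee": date(2007, 11, 20)}  # user -> last login


def norm(ref):
    """Strip case, spaces and punctuation so re-keyed invoice numbers still match."""
    return "".join(ch for ch in ref.upper() if ch.isalnum())


def duplicate_payments(payments):
    """Error condition: same supplier, invoice and amount paid more than once."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p["supplier"], norm(p["invoice"]), p["amount"])].append(p["id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def limit_excesses(payments, limits):
    """Error condition: payment approved above the approver's authorised limit."""
    return [p["id"] for p in payments if p["amount"] > limits.get(p["approver"], 0.0)]


def leavers_with_access(leavers, accounts):
    """Cross-match HR leavers against enabled accounts.

    Returns user -> True if the account was also used after the leaving date.
    """
    return {u: accounts[u] > left for u, left in leavers.items() if u in accounts}


if __name__ == "__main__":
    print("duplicate payments:", duplicate_payments(PAYMENTS))
    print("limit excesses:", limit_excesses(PAYMENTS, APPROVAL_LIMITS))
    print("leavers with access:", leavers_with_access(HR_LEAVERS, ACTIVE_ACCOUNTS))
```

Each function returns the offending records themselves, so a single non-empty result is the concrete evidence of a failed control that the article argues for.
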
Value

Once an error is known to have occurred, finding out why can illuminate the realities of how the process works. Some of these error conditions could involve incorrect payments to suppliers, subcontractors, employees, or other parties over a long period of time; so zoning in on those errors may lead to tangible financial recoveries. Using these techniques over the past 15 years across a number of companies, I have overseen, for example, £4m in uncollected debtors which had escaped credit control’s attention, £1m in duplicate payments to suppliers, £1m in unbilled customers and unauthorised discounts, and £8.5m in erroneous payments to sub-contractors consisting of around 50 separate error findings. There were also countless other errors that did not have direct financial consequences. In most cases significant financial recoveries were possible, in other cases future losses were stopped.

Common to all error findings were immediate and meaningful responses by management to lock down internal controls. For internal audit it was pay rises, rewards and credibility in the eyes of management and the board. For the directors and audit committees it was tangible financial savings, risk reduction and significant improvements to internal control allowing them to sleep better at night.

Supplementing controls testing with error testing can throw light on how processes really work. Often the controls management claim to be in place are not as watertight as they seem. Such findings can be equally surprising to management. Controls break down when staff take short cuts, or over-ride controls, or go on leave, or misunderstand the full scope of their responsibilities, or do not comprehend processes end-to-end and so forth. Even if the auditor tests for errors and finds none, that in itself is a strong form of assurance that controls have been effective.

Chris Kelly is an internal auditor. chriskellyca@gmail.com