Continuous risk assessment, especially in IT environments.

photo credit: https://quotesgram.com/road-construction-funny-quotes/

It’s the same situation every summer. Potholes get filled, and road construction causes more traffic than usual. We often must listen to the local news to know which roads are blocked; you almost cannot drive without a very good app that helps you take the shortest route in real time so you can avoid the construction zones. The delays caused by this yearly road construction often seem very annoying and can be very costly, especially if you want to catch a flight and somehow forgot about a road closure. How do you deal with these construction delays? My wife and I often use the commute time to listen to audiobooks or nice music, or to catch up on some jests and good laughter.

It is, however, very comforting to know that this construction often extends the useful life of our vehicles, or at least saves our tires, and saves many drivers from dangerous driving conditions. Can you imagine if nobody did anything to the roads after all the stress of salting and snow plowing they experience during the winter? I believe you would notice that, in a matter of time, no one would be able to drive on those roads anymore. It makes sense that cities spend money and time watching for road damage and potholes and addressing road construction needs (within the city’s budget). I have even seen cities ask residents to report potholes around their neighborhoods to help plan the projects. Good roads come at a price, and the price is continuous, sometimes annoying, road construction. This is the same reason companies spend time on risk assessment. The price of staying successful in business is knowing the actual (not expected or assumed) state of your business processes and, permit me to say, your IT environment (and any other function that drives the success of your business).

Why continuous risk assessment? 

In light of recent events, it should be expected that most companies’ reports on compliance with the U.S. Sarbanes-Oxley Act of 2002 would reflect a few, if not many, changes to the key controls identified in past SOX audits. The frequency of risk assessments, however, varies from one organization to another and depends on many factors that are beyond the intended scope of this post.

While an annual risk assessment might have been sufficient for managing risk exposures in many organizations in the past, the impact of recent unprecedented changes requires a change in the risk assessment approach. Among the developments that demand a shift in risk assessment methods are:

  • the shift in technology use (more migration to cloud computing and therefore more third-party involvement);
  • more remote work arrangements than usual due to the COVID-19 pandemic;
  • the increase in cybersecurity and privacy-related issues, especially those affecting third-party service providers;
  • disaster recovery and other pandemic-driven concerns; and
  • the pressure to safely return employees (including IT staff and employees in other key business functions) to the office, or the decision to stay remote, while still keeping the business profitable.

To keep track of the changes above and the impact they could have on an organization, an informal risk assessment performed on an ongoing basis can help the organization stay on track toward its objectives. The focus is to integrate this risk assessment into day-to-day business processes. Most IT auditors already perform risk assessments either annually or per project; the continuous approach is not meant to replace an annual or more comprehensive risk assessment. Its main objectives are:

  • to identify threats or vulnerabilities in an IT environment (or any other area of interest) so that the possible risk can be treated immediately;
  • to collect relevant information that can feed back into issue-based risk assessments; and
  • to gather information that can feed back into the baseline risk assessment.

In other words, this activity is meant to be a quick fix for issues that require immediate attention and also to complement a more elaborate risk assessment.

Some ways to achieve this include:

  • A questionnaire sent to employees in management positions as well as employees with first-hand knowledge and experience of the systems, processes, and activities in the IT environment or any other area of interest. The questionnaire should address vulnerabilities and threat awareness.
  • An inspection checklist. A brief list of issues or weaknesses found in prior audit engagements is a good starting point for such a checklist.
  • A brainstorming session between employees in management positions and employees with first-hand knowledge and experience of the systems, processes, and activities in the IT environment. The topics should include the controls addressed in the control procedures the IT audit team uses to audit the IT environment of interest.

The documentation of the results of this risk assessment should cover hazard identification, vulnerabilities, and threat awareness, as well as a brief impact analysis. It is very important that the documentation be brief so as not to defeat the purpose of the assessment; it should not read as though you were performing a comprehensive risk assessment. The guiding rule is that major potential issues are transferred to a priority list, from which a more thorough or comprehensive assessment is made. One important requirement for a continuous risk assessment is that it must be easy to conduct, or it will not achieve its objectives.

Brevity and conciseness are key to making this approach succeed; we like road construction, but we would prefer that it not last forever.

Does a bike really need brakes?

Photo credit: https://www.bikeaccidentattorneys.com/bicycle-race-crash/

The importance of controls in an enterprise, especially in the IT environment.

It was Labor Day, just a few days after I arrived in the US for my PhD program. I had to do some things at the laboratory but did not have a driver’s license, nor did I know how to drive a car. Since the school bus was not running, I decided to use my brother’s bike. What could go wrong? It had only been a few years since I last rode a bicycle, so I thought I could just put my legs on the floor to stop the bike if I sensed any danger, but it was not that simple. I rode the bike down a hill in West Virginia; there are lots of hills around. I went down the hill screaming my head off; I had lost control of the bicycle. It was a mere miracle that I ran the bike into a parked car and not a moving one. That day I realized the value of knowing where the brakes are on a bike before attempting to ride one. I believe anything that moves faster than 10 miles an hour requires a brake; just my conservative opinion, though.

Controls are measures designed to manage and mitigate the risks around processes in a business or IT environment, just like the brakes on a bike.

IT controls are very important in any enterprise for many reasons, a few of which are:

Financial objectives: Well-designed controls that operate effectively help an organization maintain the completeness, accuracy, validity, and authorization of transactions and thereby prevent financial losses. Controls are just as important in financial reporting, since the fundamental characteristics of financial reporting (relevance and faithful representation) can only be attained on the foundation of IT general controls and application controls that are well designed and operating effectively.

Operational and IT objectives: The objectives of the IT group must be aligned with the organization’s objectives for its operational and strategic goals to be achieved. Well-designed controls around the IT environment help maintain the confidentiality of information, the privacy and integrity of data, and the availability of data and systems. With the right controls in place, the organization can meet its requirements for effective and efficient operations and comply with applicable laws and regulations.

To be more precise, it is very difficult, if not impossible, for an enterprise to achieve its objectives without IT general controls and application controls that are well designed and operating effectively.

Fraud prevention: The three elements of the fraud triangle (opportunity, pressure, and rationalization) have limited avenues for expression in an organization with good controls in place. As noted earlier, well-designed controls that operate effectively are required for accuracy and fair presentation in financial reporting, which also enhances fraud prevention.

Reducing the likelihood of cyberattacks: While some attacks on information assets use simple techniques like phishing or social engineering, others adopt more advanced tactics, such as the Golden SAML attack (in which an attacker who has obtained a federation service’s token-signing key forges authentication assertions for any user). Whatever the tactics used, and whether the target is on-premises or in the cloud, even sophisticated cyberattacks can be countered with the appropriate controls. I am not saying attacks would be impossible, but their likelihood and impact can be minimized with controls that are designed appropriately and operate effectively.

Loss of reputation: One consequence of a cyberattack is the loss of reputation, or the bad public image, that attaches to the victim (the attacked company). Companies involved in major fraud often lose their public image over time.

Impairment of goodwill: Goodwill is an intangible asset that accounts for the excess purchase price paid for another company on the basis of its proprietary or intellectual property, brand recognition, patents, or some vital technology. Goodwill impairment occurs when the assets acquired no longer generate the financial results expected of them at the time of purchase. Weak controls can be implicated in the inability to generate the expected financial results, and when goodwill impairment occurs, investors and creditors often do not look favorably on such companies.

To sum it all up, appropriate controls can help build a competitive advantage, because a business can take on more risk when the right mitigating controls are in place. Competitors without such controls have to avoid the same risk and forgo the reward associated with the investment. Some organizations with the appropriate controls can successfully expand their operations into countries and regions with a high corruption index while their competitors avoid such expansion. Controls therefore shape how much risk a company can afford to take on.

Top companies focus on continuous risk assessment to identify the changing risks affecting their business, but even more so to adopt the appropriate response to the risks identified, which often involves improving the controls in the business and IT environment.

My bicycle crash experience taught me that it’s not enough to know that your bicycle has a brake; it’s more important to know where the brakes are and how to use them. Just as bicycle brakes protect the rider from unpleasant events (like crashes), the right controls can protect your organization from events that could adversely affect your ability to achieve your business objectives or execute your strategies.

Where can I catch a fish? Fishing for Audit Talents.

Photo credit https://www.crushpixel.com/

A Great Model for Building Your Audit Team

I wish I owned the lake behind my house. If I did, then I could fish all day without having to travel miles from my house to a bigger lake. My family is just blessed with the view of the lake and nothing more. I think the house cost us more just because of the lake view, but we haven’t gotten much benefit from the lake yet. Right at the bank of the lake is a big sign that reads: “No fishing, no swimming and no throwing of rocks”. “What exactly is anyone allowed to do on this lake?”, I wondered, and I asked around, since I really like fishing. It happens that the lake is an artificial one and the homeowners’ association would like to keep the population of fish in the water growing, and the sign was meant to achieve that objective. You can imagine the temptation of seeing lots of fish like carp and trout but not being able to touch them. Sometimes the best talents are just like that. Recruiters see their profiles on LinkedIn, and you may hear such talents speak at your professional events, but it can be a little difficult convincing them to join your team. Some enticing compensation and benefit packages could do the trick, but do you really need the best and the brightest? The answer depends on what you really want to accomplish with your audit team.

I am sure you know where to find the right talent to fill each need in your organization. I mean, who doesn’t? Just look on Monster.com or Indeed. If not those common places, you can pay a recruiter to do the talent sourcing for you; at least you can’t go wrong using an expert, right? While all these are great ways to recruit talent, it is very important to note that they are all just tools to help get the right candidate through your door. Should you recruit from the top, highly rated schools, or should you settle for applicants from less expensive colleges who are more likely to stay with your company longer? Do you want to hire from the Big Four or from regional firms?

The types of projects or audits you perform determine the kind of auditors you need and where you should be looking for the right candidates.

I like the recruiting model used by one of the firms I had the opportunity to work with. The company hires several associate-level auditors and experienced associates to do the day-to-day audit work, supervised by senior associates and managers, forming the core audit team. The senior associates are mostly from regional accounting and consulting firms. Aside from the core audit team, the firm has a team of subject matter experts who are consulted whenever the auditors have challenging issues to resolve. These experts are mostly from Ivy League colleges and top consulting firms, or have enough experience in a particular sphere to be considered subject matter experts. The model, although simple, appears to be very effective.

I see two main advantages: 

  • The cost of recruiting is reduced, as most of the talent is sourced directly out of colleges, through referrals, or from direct applicants on job boards like Indeed or Monster.com. The recruiters ensure that all candidates have degrees in accounting, finance, or information systems and also have a plan to obtain a certification such as the CPA, CIA, CISA, or CISSP (depending on the role). This recruiting criterion (a degree from a less expensive but accredited college plus relevant certifications) is cheaper than recruiting the same kind of candidates from Ivy League colleges. The recruiters have built working relationships with some colleges, and with professors at those colleges who can recommend candidates. Everybody wins: the college can boast of the number of graduates hired by an elite company, while the company gets a pool of talent each year with much more confidence than it would have interviewing thousands of online applicants.
  • The expert team focuses on continuous improvement and strategic planning for the core audit team. It keeps up with changes in the regulations and developments affecting the industry as well as the company. The expert team also builds programs for knowledge sharing, making the best resources available to anyone in the company who needs their services.

I really like this model and wanted to share it in case it might help in building your audit team. Although it might work better for a big company, a small company can also benefit from it. There are obvious costs to building a team like this, but if you want to fish for the right talent, this might be a good model to adopt.

The Bermuda Triangle: Sorry! I meant the Fraud Triangle.

Photo credits: https://oceanservice.noaa.gov

Just like you, I would really love to know as much as possible about the Bermuda Triangle, the roughly 500,000-square-mile body of water bordered by Puerto Rico, Florida, and Bermuda. Many scientists are still baffled by the strange occurrences reported around this triangle; it is still a mystery. Like these scientists, I do not yet have an explanation for why ships and aircraft tend to disappear in this region. I guess I just like the sound of the name Bermuda. Yeah, just kidding!

There is good news for us, though. While we might not have an explanation for, or any useful application of, the theories behind the phenomena surrounding the Bermuda Triangle, some decades ago Donald R. Cressey, a well-known criminologist, developed a very useful triangle called the Fraud Triangle. While this triangle is not as mystical as the Bermuda Triangle, it holds a lot of answers for preventing fraud in an organization.

Cressey studied the circumstances that led embezzlers to temptation and he came up with this hypothesis: “Trusted persons become trust violators when they conceive of themselves as having a financial problem which is non-sharable, are aware this problem can be secretly resolved by violation of the position of financial trust, and are able to apply to their own conduct in that situation verbalizations which enable them to adjust their conceptions of themselves as trusted persons with their conceptions of themselves as users of the entrusted funds or property.” Cressey then came up with the elements of the fraud triangle which are: Opportunity, Pressure (incentive or motivation) and Rationalization (sometimes called justification or attitude).

While the fraud triangle is easily applied to processes involving direct access to or custody of financial assets, I wish to consider the value of the triangle in the information technology environment, focusing on IT general controls (ITGCs), especially for the employees at the center of applying controls in the IT environment. I would like to highlight two of the IT general controls and the importance of evaluating the opportunity, pressure, and rationalization that could encourage fraud in an IT environment, directly or indirectly (as when IT personnel collude with other employees who have direct access to financial resources).

Access controls:

These controls prevent unauthorized access to an IT environment. In terms of business objectives, however, they also directly or indirectly prevent fraud: it is harder to modify or delete data in a system you cannot access. On the other hand, a trusted person (someone with authorized access) can become a trust violator if the other elements of the fraud triangle are present along with the opportunity to commit fraud. For instance, pressure from financial difficulties or some form of rationalization could lead a system administrator to grant more access than necessary to a fraud perpetrator. An administrator colluding with someone in the purchasing department who can then make unauthorized purchases or create a fictitious employee account is a good example. This is most likely in an IT environment with limited audit trails and with unsupervised, wide-ranging freedom for employees who perform incompatible duties within the access control environment.

Possible solutions:

  • Segregation of incompatible duties is really important in the access control environment. If this is too costly to achieve, then review of activity logs by someone such as the supervisor of the employees performing incompatible duties can help reduce the opportunity element of the fraud triangle.
  • It is key to include in the risk assessment matrix the elements of the fraud triangle that could be relevant to the people applying the access controls in an IT environment. This would be part of the control environment component of the COSO framework.
  • It is paramount to monitor hiring and compensation practices that could create undue pressure or serve as incentives for fraud.
  • Although it is not a good idea to poke into the personal affairs of employees, it is beneficial to provide support programs for employees with financial difficulties, or other forms of support such as counselling to help manage mental or emotional issues, which could otherwise lead to the rationalizations common among fraud perpetrators.

Change Management Controls:

These controls are meant to ensure that changes are authorized, tested before implementation, and approved before being migrated to the production environment. Change management controls also help keep the opportunity element of the fraud triangle out of the IT environment, although this seems like a secondary purpose.

Most of the possible solutions mentioned for access controls also apply to change management controls.
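As an added worked example (not code from the original post), here are the two controls above written as audit tests an IT auditor could run over exported evidence: a segregation-of-duties check over an access-provisioning log (including self-granted access by an administrator) and an approval-and-testing check over change tickets. The log format, entitlement names, ticket fields and every sample record are hypothetical and constructed for illustration.

```python
"""Two lightweight IT general control (ITGC) tests as code: a segregation-of-
duties (SoD) check over an access-provisioning log and an approval/testing
check over a change-ticket export.  Added example, not code from the original
post; the log format, entitlement names and ticket fields are hypothetical and
every record below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

# Entitlement combinations one account should never hold at the same time
# (hypothetical names for an ERP-style system).
INCOMPATIBLE_PAIRS = {
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"employee.create", "payroll.run"}),
    frozenset({"user.admin", "purchase.approve"}),
}

@dataclass(frozen=True)
class AccessEvent:
    grantor: str      # administrator who granted the entitlement
    grantee: str      # account that received it
    entitlement: str

def parse_access_log(lines: Iterable[str]) -> list[AccessEvent]:
    """Parse 'grantor,grantee,entitlement' records; blank and '#' lines are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        grantor, grantee, entitlement = (f.strip() for f in line.split(","))
        events.append(AccessEvent(grantor, grantee, entitlement))
    return events

def sod_conflicts(events: Iterable[AccessEvent]) -> dict[str, list[frozenset]]:
    """Map each account to the incompatible pairs its accumulated entitlements contain."""
    # Evaluate what an account ends up holding, so two separately harmless
    # grants (possibly made by different administrators) still surface.
    held = defaultdict(set)
    for e in events:
        held[e.grantee].add(e.entitlement)
    conflicts = {}
    for account, ents in held.items():
        hits = [pair for pair in INCOMPATIBLE_PAIRS if pair <= ents]
        if hits:
            conflicts[account] = hits
    return conflicts

def self_grants(events: Iterable[AccessEvent]) -> list[AccessEvent]:
    """Grants an administrator made to their own account: a classic SoD gap."""
    return [e for e in events if e.grantor == e.grantee]

@dataclass(frozen=True)
class ChangeTicket:
    ticket: str
    requester: str
    approver: str     # empty string when the ticket was never approved
    tested: bool      # test evidence attached before migration
    deployed: bool    # migrated to production

def change_exceptions(tickets: Iterable[ChangeTicket]) -> list[tuple[str, str]]:
    """Return (ticket, reason) for every deployed change that breaks the control."""
    findings = []
    for t in tickets:
        if not t.deployed:   # an undeployed ticket cannot yet break the control
            continue
        if not t.approver:
            findings.append((t.ticket, "deployed without approval"))
        elif t.approver == t.requester:
            findings.append((t.ticket, "requester approved own change"))
        if not t.tested:
            findings.append((t.ticket, "deployed without test evidence"))
    return findings

# Constructed sample evidence: jdoe accumulates an incompatible pair across two
# grants, admin02 provisions his own account, CHG-1002 is self-approved and
# CHG-1003 reached production unapproved and untested.
SAMPLE_ACCESS_LOG = """
# grantor,grantee,entitlement
admin01,jdoe,vendor.create
admin01,jdoe,payment.approve
admin02,asmith,employee.create
admin02,admin02,purchase.approve
admin02,admin02,user.admin
admin01,bwong,payroll.run
"""
SAMPLE_TICKETS = [
    ChangeTicket("CHG-1001", "dev1", "mgr1", tested=True, deployed=True),
    ChangeTicket("CHG-1002", "dev2", "dev2", tested=True, deployed=True),
    ChangeTicket("CHG-1003", "dev1", "", tested=False, deployed=True),
    ChangeTicket("CHG-1004", "dev3", "mgr1", tested=False, deployed=False),
]

def run_sample():
    """Run both tests over the constructed evidence and return the findings."""
    events = parse_access_log(SAMPLE_ACCESS_LOG.splitlines())
    return sod_conflicts(events), self_grants(events), change_exceptions(SAMPLE_TICKETS)

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The SoD check deliberately looks at the entitlements an account accumulates rather than at each grant in isolation, because the collusion scenario described above (an administrator adding one more entitlement to an account that already holds the complementary one) is exactly the case a per-grant review misses. In a real engagement the constructed records would be replaced by an export from the identity and change management systems, and the findings would feed the priority list described in the continuous risk assessment post above.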

In conclusion, if you are looking for a way to add more value to your audit process, preventing fraud by assessing whether the three elements of the fraud triangle exist within an IT environment is a good move.

While the Bermuda Triangle seems mystical and scary, there is a useful triangle, not as mystical, that could help your organization in its journey of preventing or mitigating the risks around fraud: the fraud triangle.

Internal Auditors: Are we truly Independent?

On my first audit engagement, during an annual HIPAA compliance audit for a client, I asked my manager, “Who does the director of the internal audit department of our client report to?” His answer was, “The CFO.” “That means the internal audit team is not independent,” I responded. That answer was an indication that if there were conflicts relating to any finding or audit issue, there was no direct communication with the audit committee.

Photo credits pickthebrain.com

As we discussed the issue further, my manager pointed out that there are compensating controls in place at the client’s company to address conflicts of material impact.

To inspire public confidence, an auditor must be not only independent in fact (intellectually honest) but also recognized as independent (free of any obligation to, or interest in, the client, management, or owners). This requirement stems from the AICPA’s professional ethics standards and applies strictly to AICPA members in public practice when performing professional services. In other words, it applies most strictly to external auditors, whose independence is closely monitored and scrutinized by the PCAOB.

The principle of independence increases the confidence conveyed by an auditor’s work (external or internal). Being independent reduces influences that might compromise professional judgement and so enhances the auditor’s ability to act with integrity and exercise professional skepticism. The idea is that the auditor should not be influenced or controlled by others in matters of opinion or conduct, but should be able to think and act for him- or herself.

I was under the assumption that if an internal audit team reports, at least partially, to the audit committee, it is free from the influence or control of others. I discovered two main reasons why internal auditors might not be independent:

  • Budget and compensation: The budget of the audit department, as well as the compensation of the audit team, is controlled by management and not by the audit committee, so management can still pull some strings on audit matters (such as the audit scope and areas to audit, and which audit issues and findings to address). Most people would prefer not to have conflict with someone who decides such issues.
  • Hiring decisions: If a member of the audit team decides to take a role in another department (such as one being audited), the memory of past conflicts over audit issues might work against such an internal applicant.

So, if internal auditors are not independent, how can they avoid being influenced or controlled by others in matters of opinion or conduct?  Can we really think and act for ourselves in our capacity as internal auditors?

There are indeed compensating controls that help internal audit teams be objective even though they might not be independent. They can report unresolved conflicts to the audit committee with the expectation of the committee’s protection. Also, with regard to hiring decisions for internal candidates, while past conflict with the audit team could have some impact on such decisions, the applicant’s direct manager as well as colleagues should be consulted in making the decision.

In conclusion, even though internal auditors may not be independent, they can still be objective in their role. The focus is on how they contribute value to the organization while being unbiased in their opinion and conduct.