A Continuous View of Accounts

A Continuous View of Accounts
David Coderre. The Internal Auditor. Altamonte Springs: Apr 2006. Vol. 63, Iss. 2; pg. 25, 4 pgs

Abstract (Summary)
In fiscal year 2004-2005, The Royal Canadian Mounted Police (RCMP) performed an audit to assess the appropriateness and effectiveness of the control framework in place to support accounts payable (AP) activities. The overall goal of the audit was to provide reasonable assurance that AP policies and procedures comply with central agency policies and regulations, the control framework effectively supports AP activities, and financial transactions are processed in a way that complies with applicable policies, procedures, and regulations. Continuous auditing supported several of the RCMP auditors' objectives, including identifying and assessing risks and control deficiencies in the AP process, examining trends related to performance and efficiency, and searching for anomalies and fraud. In this audit, continuous auditing contributed to improvements in the AP operation; reduced financial errors and potential for fraud, waste, and abuse; and provided a sustainable and cost-effective means to support compliance with policies and procedures and perform risk and control assessments.

Royal Canadian Mounted Police auditors ride to the rescue of a complex accounts payable function.

N FISCAL YEAR 2004-2005, THE ROYAL Canadian Mounted Police (RCMP) performed an audit to assess the appropriateness and effectiveness of the control framework in place to support accounts payable (AP) activities. As a result of regionalization, the law enforcement agency's AP function is performed primarily by seven AP groups and a network of satellite offices located in five regions across Canada. The function processes almost 500,000 payments for goods and services totaling approximately C $1.5 billion (US $1.31 billion) each year.

The overall goal of the audit was to provide reasonable assurance that AP policies and procedures comply with central agency policies and regulations, the control framework effectively supports AP activities, and financial transactions are processed in a way that complies with applicable policies, procedures, and regulations. Given the electronic nature of the data, the wide variety of transactions, and the large number of AP offices, the audit team planned to maximize its use of information technology to identify and assess risks, test key controls, and check for potential areas of fraud, waste, and abuse. These factors made the project a good candidate for using continuous auditing techniques.

Continuous auditing is a unifying structure that brings together risk and control assessment, audit planning, digital analysis, and other audit technologies and techniques. It supports macro-audit issues, such as using risk to prepare the annual audit plan, and micro-audit issues, such as developing the objectives and criteria for an individual audit. Continuous auditing not only measures transactions against a defined threshold, such as a maximum value, as they are being processed, it also compares those transactions to all transactions over time. Auditors also can use it to compare one set of transactions with another set, such as comparing transactions at one office with another office. These abilities allow auditors to test the consistency of a process by measuring the variability of each dimension.

IN SUPPORT OF AUDIT OBJECTIVES

Continuous auditing contributes to individual audits by supporting the identification and assessment of risk and the development of scope and objectives (see "Key Steps to Continuous Auditing" on page 26). Further, it can be used to determine which locations auditors will visit and to identify specific audit criteria.

During the planning phase of the RCMP's AP audit, auditors used data extracted from the financial and human resources systems to review the operations of regional AP offices before traveling to perform the on-site work. AP personnel in the RCMP's regional offices are responsible for processing a wide variety of transactions, including invoices, purchase card (p-card) expenses, interdepartmental settlements, journal vouchers, emergency salary advances, travel expenses, and relocation claims. In addition, they respond to inquiries from vendors and others within the RCMP, resolve payment issues and disputes, categorize expenses to the appropriate general ledger accounts, and keep the master file of suppliers up-to-date.

The quality of the AP process' design and how well the regional offices execute the process impacts two important areas: supplier relationships and cash management. Control design quality is also directly related to the cost of the AP function; appropriately designed controls will ensure that risks are mitigated at an acceptable and cost-effective level.

Continuous auditing supported several of the RCMP auditors' objectives, including identifying and assessing risks and control deficiencies in the AP process, examining trends related to performance and efficiency, and searching for anomalies and fraud.

RISK IDENTIFICATION

The RCMP's auditors included a variety of risk factors - culled from policy reviews, interviews, reviews of previous audit results, and Internet searches - in the initial risk assessment. The audit compared the performance attributes - cost, quality, and time-based performance measures - of each AP office. Labor cost for accounts payable was the primary cost-based measure. Quality-based measures, which assessed how well the organization's products or services met customer needs, included the average number of errors per invoice. Time-based measures, focusing on the efficiency of the AP process, included the average number of days to pay an invoice and late payment charges. Auditors extracted data from the RCMP's ERP system and imported it into audit software to calculate the elapsed days between the receipt and payment of the invoice and the total of late payment charges.

Using continuous auditing for each AP office, the auditors also determined dollar amounts for each type of transaction. The transaction-type analysis gave the audit team a better understanding of the operations of each office, including how many different types of transactions were being processed. This analysis supported the risk assessment, because operations tend to have greater complexity when more transaction types are processed. The audit also compared the number of correcting journal entries and manually produced checks per office, which indicated additional workload that contributed to the overall level of risk. Using the extracted ERP data, a cross tabulation showing the number and dollar value of each type of transaction for each regional AP office was produced.

Finally, the audit used data extracted from the human resources (HR) database to compare the organizational structure of each office, including reporting relationships, number and classification of staff, length of time in job, retention rates, and training received. The combination of the HR data with the transaction types and volumes helped to identify areas of risk, such as understaffing and lack of staff trained to handle complex transaction types.

Auditors considered the risks associated with the transaction types, volumes, and dollar amounts to determine which types of transactions would be included in the audit. They also used the overall risk assessment to select the locations for on-site audit work.

CONTROL ASSESSMENT

The flip side of risk is control. Control deficiencies can increase risk levels, and unmitigated risks are usually the result of control deficiencies. The audit team reviewed the financial software system to identify key control points in the AP module. Next, auditors used the Internet to research the control rules for that module and used audit software to develop analytical tests to ascertain whether or not the controls were working as designed. For example, audit software was used in one test to compare transaction types processed by each AP clerk to verify that ,separation of duties existed. Additional analyses verified that all invoices over C $5,000 referenced a purchase order, validated that only authorized users were creating or modifying vendor records, and determined whether the goods receipt amount equaled the invoice and contract amounts. Auditors created scripts that enabled tests to be run at any time.

PERFORMANCE TRENDS

Trending data identified performance and efficiency concerns. For example, the audit team used continuous auditing to compare the AP offices, looking at the number and job classification of employees involved in the process and the efficiency of operations. Audit software was used to calculate efficiency measures, including the number of invoices processed per user, number of days and average dollar cost to process a payment, percentage of invoices paid late, percentage paid early, percentage of recurring and electronic funds transfer (EFT) payments, percentage of manual checks, and percentage of invoices for less than C $500. Analyzing trends across years also helped to identify both problems and areas where improvements had been made.

ANOMALIES AND FRAUD

To assist the continuous auditing process, the audit team used brainstorming techniques to identify anomalies and areas of potential fraud. For example, the team theorized that an inadequate separation of duties would permit an AP clerk to create a vendor record, enter a purchase order, and process an invoice to make a payment to that vendor, which could pay a kickback to the clerk. Another concern was that satellite AP offices could process duplicate invoices.

For items identified in the brainstorming session, auditors developed specific automated tests to search for possible fraud, waste, and abuse. Auditors tested for duplicate payments and compared current-year payments to previous years to see if operations were improving. They looked for invoices processed against backdated purchase orders and split purchase orders intended to avoid financial limits. The audit also examined the number and dollar value of invoices going to suspense accounts, where funds are stored temporarily until a decision about their allocation is made.

Finally, auditors ran tests to determine if there were cases where:

* Vendors were created and only used by a single AP clerk.

* The entry user was the same as the user who approved payment.

* The payee was the entry or approving user.

* There were duplicates in the vendor table or vendors with names such as C.A.S.H., Mr., and Mrs.

* Vendors had no contact information, such as phone numbers or addresses.

Although auditors did not discover any instances of fraud, they did identify control weaknesses and instances of noncompliance with policies. In particular, weaknesses in the vendor table and poor controls over the entry of invoices resulted in more than C $100,000 in duplicate payments that were recovered by the auditors.

AUDIT RECOMMENDATIONS

The final use of continuous auditing was to follow up on audit recommendations to determine whether or not management had implemented them and whether they were having the desired effect. During the review, auditors identified data-driven indicators for each recommendation. For example, auditors found that most regional offices processed a large number of invoices of less then C $500. Many studies have shown that the use of p-cards can significantly reduce the costs of processing such payments. The auditors recommended promoting p-card usage for low-dollar purchases and training cardholders to use them appropriately. Six months after issuing their report, the auditors measured usage for transactions under $500 and found that the percentage of p-card payments for low-dollar transactions had increased, indicating that this recommendation was implemented effectively.

Additional tests revealed a reduction in the number of duplicates in the supplier master table, a decrease in the number and dollar value of duplicate invoices, and an increase in the number of invoices referencing purchase orders.

A CHANGE OF THINKING

In this audit, continuous auditing contributed to improvements in the AP operation; reduced financial errors and potential for fraud, waste, and abuse; and provided a sustainable and cost-effective means to support compliance with policies and procedures and perform risk and control assessments. Continuous auditing helped the team to better understand the regional offices. The overview analysis determined that AP was decentralized with no standard processes and that different regional offices processed different transaction types. Auditors also identified concerns in efficiency and effectiveness of transaction processing at certain offices.

As the RCMP discovered, implementing continuous auditing places certain demands on internal auditors. In particular, the audit organization must develop and maintain the technical competencies necessary to access and manipulate data in multiple information systems. If the auditors are not already using data analysis techniques to support audit projects, the audit department will need to purchase analysis tools and develop and maintain analysis techniques. To realize its full benefits, all audit staff members need to adopt the continuous auditing concept. The benefits are substantial and can reduce the time needed to perform audit planning, increase risk and control assessment capability, and allow auditors to a widen their scope of audit activities and use existing corporate data cost effectively and efficiently.