
On-line control assessment

Peter Perriam. The Internal Auditor. Altamonte Springs: Oct 1998. Vol. 55, Iss. 5; pg. 21, 3 pgs

Abstract (Summary)
Internal audit departments worldwide face the double-edged challenge of servicing a growing audit universe with limited staff resources. Curtin University of Technology in Perth, Australia, is now using a Windows-based control assessment tool (CAT) which is ideal for its control assessment needs. By adapting the online CAT to its specific needs, Curtin University's internal audit shop has greatly enhanced its control reviews. Not only did the new tool include features that would improve the timeliness of reviews, but it also enabled some degree of self-assessment.

By adapting an on-line assessment tool to their specific needs, Curtin University's internal audit shop has greatly enhanced its control reviews.

Internal audit departments worldwide face the double-edged challenge of servicing a growing audit universe with limited staff resources. Our internal audit staff at Curtin University of Technology in Perth, Australia was no exception. While we relied on a combination of systems, operational, EDP, and compliance-based audits to cover our broad territory, reviews of Curtin's 150 faculty and administrative areas, 50 university functions, and 70 EDP-related issues remained infrequent and inadequate. We desperately needed a tool that would enhance our control assessment process.

We were obviously elated when we learned that halfway around the world the University of Illinois, with funding from the Association of College and University Auditors (ACUA), had developed a Windows-based control assessment tool (CAT) using Microsoft Access. With a little tweaking that included customizing it to the Curtin environment and moving to on-line administration via our Web site, CAT proved ideal for our control assessment needs. Not only did it include features that would improve the timeliness of our reviews; it also enabled some degree of self-assessment, which we hoped would help process owners recognize and accept responsibility for internal controls and inculcate risk management into the overall business culture at Curtin.


When we originally received the CAT, it was divided into 11 separate sections or modules representing each process within a departmental area. The sections included organization and management; budgeting, accounting, and reporting; purchasing, contracting, and leasing; expenditures other than payroll; personnel and payroll; inventory; moveable equipment; revenue and transfer of expenses; cash receipts; administration of gifts and grants; and petty cash. Several of these modules contained procedures, questions, and policies that were applicable only to the University of Illinois and, therefore, had to be removed.

After we had manually identified and extracted the unusable aspects of the software, we further adapted the CAT to reflect Curtin's own policies, practices, and procedures. To do so, we referenced relevant process manuals and confirmed correct operating procedures with staff in various functional areas. We benchmarked with other Australian university internal control models and perused relevant internal audit textbooks and journals to determine whether additional modules should be added to our base. We further "Curtinized" the tool by changing the CAT's "Americanisms" to "Australianisms." Our resulting Curtin-specific modules included organization and management; budgeting; purchasing; non-payroll expenditures; recruitment; personnel/payroll; accounts receivable; cash receipts; petty cash; fixed assets; inventory; and electronic data processing.


Customizing the modules was only the first step in adapting the software for our use. After a few pilot cases, we quickly realized how difficult implementing the CAT in its disk-based form would be. In order for users to complete the assessment, it was necessary to physically install the five-disk CAT onto a host computer at each audit site. This time-consuming activity was slowed even further as a result of the variety of computer platforms used across the University. In addition, the policies, procedures, guidelines, and organizational structure throughout the University changed often, making it necessary to update the CAT frequently.

Our need for a flexible communications medium that would enable quick dissemination and frequent updates was answered by the Internet. The disk-based version of the CAT was converted to HTML format and placed on the Curtin University Internal Audit Web site at Curtin Control Assessment.


After modifying the software to fit our needs, we began administering the tool to the various departments. Depending on the module being completed, any staff member possessing the requisite knowledge could complete the assessment. However, we requested that the department heads review the answers whenever possible, since University policy gives them ultimate financial responsibility for their areas.

As the user worked through the program, each module posed a series of questions pertaining to a particular policy or procedure. The questions required "yes," "no," or "NA" answers. "Yes" indicated a positive situation, and "no" suggested that the area might be experiencing control problems. Sample questions included:

NON-PAYROLL EXPENDITURES Are vendor invoices checked for accuracy and agreed to purchase orders, contract terms, receiving reports, or other documents to ensure proper payment?

CASH RECEIPTS Are pre-numbered or cash register receipts promptly issued to individuals for in-person payments?

FIXED ASSETS Is the asset register reviewed to ensure that all additions, disposals, losses, or thefts are properly recorded?

EDP Is access to computer terminals and equipment restricted to authorized personnel?

To ensure an accurate picture of the effectiveness of the department's internal control system, users were required to answer all the questions in a module. However, participants completed only those modules that were applicable to their particular department. For example, if an area had no inventory, there would be no need to complete the corresponding module.


Moving to Web distribution allowed several process enhancements. For example, to help users answer questions, hyperlinks were added referring users to relevant procedures or guidance. These links may be to on-line policies and guidelines from the users' own departments or from other areas of the University, including legal and administration, human resources, financial services, and the academic registrar's office.

In addition, a limited "comments field" next to each question enabled users to further explain answers to the modules' questions. For example, if a respondent answers "no" to a question, he can support his response by referring to documentary evidence that he found confusing, misleading, or contradictory to an established policy. We believed this additional field would help the heads of the schools and departments and their staffs, as well as the internal audit function, in reviewing why a question was answered negatively.


While placing the CAT on the Internet provided many benefits, it also created a new set of challenges. For example, since logging off the Internet browser deleted all the answers in a module, users had to complete the entire survey in one sitting. This process proved inefficient because users needed the flexibility to work on the assessment as time allowed. In addition, they had to print a hard copy of their screen once the assessment was completed both for their records and to be reviewed by the department head and internal audit function.

Another complication involved confidentiality. We wanted to keep an individual area's assessment answers confidential, but at the same time be able to share our accomplishment with our ACUA and Australian and New Zealand University Internal Audit Group (ANZUIAG) peers.

Both issues were addressed through additional programming changes. We provided for module answers to be maintained indefinitely by creating a separate database for each school and department. These databases were developed by a consultant using Perl, a programming language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on the information (see

To address the confidentiality issue, we divided the CAT into two areas: one where guests like ACUA and ANZUIAG members could obtain access for information purposes only, and a restricted area for schools and departments that required a password for access. Each area's password granted them access only to their specific database and answers.


Once we had determined an efficient and effective method for users to complete the assessment, we turned our attention toward using the responses to identify control weaknesses and provide timely advice to our customers. First of all, we needed to be able to easily determine when areas had completed the modules. While we could use the passwords to access the databases and monitor progress, doing so for more than 150 areas was inefficient. Instead, an e-mail notification facility was added at the end of each module to alert us when a particular school or department had completed the questionnaires.

Next, we developed two reporting formats for the CAT. The first report indicates how a particular school or department responded to each module's questions and highlights potential problem areas. Instead of reprinting all the questions in a module, the report flags those to which the respondent's answers indicate a less-than-satisfactory control situation. The second report provides a control snapshot of a particular practice or procedure by merging responses to a specific module from all the schools and departments at Curtin University.

By enabling us to distinguish between isolated or University-wide problems, the reports have helped us more effectively dispense suggestions for an improved control environment. For example, by using the second report we have been able to identify common problems, common misunderstandings of a particular control, or existing policies or procedures that might need amending. This information could subsequently be communicated throughout the University.


To date, we have been pleased with the results of our on-line assessment efforts. Future adjustments will make the CAT even more relevant to the University's planning and review processes, as well as more vital to the achievement of department objectives. For example, we plan to expand the software to incorporate soft controls based on concepts from COSO and CoCo. Academic administrative controls relative to specific aspects of the University's operations, including admission and enrollment of students, scheduling of classes, and testing and exam procedures, will also be added.

Further enhancements may include clips from an ACUA video relating to specific modules and links to better practice guides, such as those issued by the Australian National Audit Office and New South Wales Treasury. In addition, the internal audit department is considering the adoption of a facilitation role in the area of control self-assessment, where we would use CAT as a base and incorporate other tools, such as computer-based, confidential voting databases, for support.

At least one other ACUA-member university has adopted a similar approach to control assessment (see the University of Florida's Web site at www.nerdc.; and we have received a number of inquiries about the CAT from other universities, state government organizations, and mining businesses. If our success and the growing interest in the CAT are any indication, using the Internet for an efficient, on-line self-assessment of an organization's individual departments may just be the next wave of the future.
