Inappropriate P-card Practices
Courtenay Thompson. The Internal Auditor. Altamonte Springs: Jun 2004. Vol. 61, Iss. 3; pg. 97, 3 pgs

Abstract (Summary)
At a major research university, the internal auditors were tasked with performing routine documentation reviews for the university's procurement card (p-card) program. The lessons to be learned about p-cards from a fictional case study include: 1. Routine audits, although not glamorous, may provide opportunities for internal auditors to identify material control weaknesses in routine processing systems that can have wide ranging impact. 2. The p-card process should have an outlet, by hotline or anonymous e-mail, to allow individuals involved in transaction processing and oversight to report suspected abuse without fear of retribution. 3. Budget pressures may so impact established internal controls that the control is eliminated, resulting in significantly increased risk of fraud.

An understaffed university accounting department gets some much-needed help from campus internal auditors and uncovers fraudulent use of procurement cards.

At a major research university, the internal auditors were tasked with performing routine documentation reviews for the university's procurement card (p-card) program. Although the audit director was not generally in favor of his department performing routine monitoring, he had agreed to the reviews as a service to the accounting director, whose department recently had been a target of budget cuts.

The accounting department had only one person assigned to review p-card transactions processed through the accounting office. With 1,200 p-cards in staff and faculty hands, the review clerk was responsible for manually reviewing nearly 71,000 transactions totaling more than $11 million from the previous year. The p-card program relied solely on internal control processes in user departments and the monitoring practices of one accounting clerk to ensure the cards were used only for appropriate university expenses.

Previous documentation reviews in other departments had revealed random missing documents, a few instances of card use by someone other than the person to whom the card was assigned, and occasional pyramiding of transactions. (Pyramiding is the use of multiple, or split, transactions - for example, multiple card swipes - in an attempt to break transactions into smaller pieces to circumvent card limits.) These transactions are usually easy to identify with data sorts by vendor and date, or by date, vendor, and accounting transaction number. They are also usually fairly easy to spot by their even-dollar amount and by data extraction that highlights purchase amounts reasonably close to the transaction limit. Despite these occurrences, no evidence of fraud had been identified.

As the current round of documentation reviews was drawing to a close, the internal audit director decided to review one of the university's remote locations that had several p-cards assigned to staff and faculty. His reasoning was that the location had not been visited in recent years by internal auditing, had a history of "creative" accounting related to other transactions, and perhaps was in need of a control-awareness wake-up call.

Using the automated financial system query capabilities, the p-card transactions for the previous year were downloaded, and approximately 100 transactions were selected for document verification. Among those transactions were several suspected instances of pyramiding and unusual descriptions of items purchased.

The audit director scheduled a visit to the remote unit for Tuesday morning. The unit was notified in advance and asked to schedule approximately four hours for documentation verification. Upon arrival, the audit director presented the accounting clerk with a list of transactions to be reviewed and asked the clerk to pull the appropriate documentation. The first receipt document pulled was from a well-known discount store and listed, along with the items that would be used by the university, several children's DVDs and video games. The audit director also noticed several items that were crossed out, with a different description handwritten on the receipt. When queried about the appropriateness of the purchases, the accounting clerk responded that the purchaser had told her the chain's receipt didn't always actually describe the item purchased, and what appeared to be unauthorized purchases were actually different items that were authorized.

The audit director, recognizing that the discount chain's financial success "lived and died" by the accuracy of its inventory control, suspected something was wrong. The director continued reviewing the remaining receipts, identifying an additional 12 questionable purchases, which totaled more than $1,200. He contacted the local chain store manager and verified that "if the receipt says video game, it is a video game," and that the manager could specifically identify each game. After visiting with the manager and identifying all the questionable items, the internal auditor contacted the university police department, as was standard practice, to coordinate a criminal investigation of what was now a suspected p-card fraud.

The auditor identified and downloaded all p-card purchases made by the individual since he had received his card three years earlier and identified multiple suspected unauthorized purchases. The following week, the internal auditor, along with an experienced investigator from the university police department, returned to the unit to review documentation of these transactions and to interview individuals involved. While the auditor reviewed and documented scores of unauthorized purchases, the investigator interviewed staff, and through the senior administrator responsible for the unit, scheduled an interview with the suspect for the following day.

When the accounting clerk was asked whether she had wondered about the appropriateness of the purchases, she became very emotional, commenting that she knew they were wrong, but, "it's a small town and I need my job." After questioning several of the earliest transactions, she had quit doing so. Apparently, management pressured her to ignore the discrepancies because the suspect reported to the dean, and "we don't question what the dean was believed to know about."

The audit director, investigator, and senior administrator arrived for the interview with the suspect the following day armed with the internal auditor's documented evidence of suspected unauthorized transactions dating back three years, just one week after the p-card was issued to the suspected individual. Early in the interview, the suspect admitted purchasing unauthorized items for personal use, but also indicated that many of the purchases were for the university but were being "stored" by him at no cost because the school had limited storage space.

Using a search warrant obtained by the university police department, the audit director and university police removed nearly four van-loads of suspected unauthorized purchases from the suspect's home and personal vehicle. He was terminated immediately.

The total estimated loss from the fraud was more than $60,000, but only $32,000 was considered provable. Many other purchases, though apparently excessive and clearly unnecessary, were not traceable because they could not be individually identified. The suspect was arrested, and the university is currently pursuing the case through the courts.

LESSONS LEARNED

* Routine audits, although not glamorous, may provide opportunities for internal auditors to identify material control weaknesses in routine processing systems that can have wide ranging impact. The p-card process was designed as a pilot program of 30 cards and 15 users and was never truly updated to reflect the growth in the process. As a result, controls that worked for a small program were inadequate for a full-scale program.

* The p-card process should have an outlet, by hotline or anonymous e-mail, to allow individuals involved in transaction processing and oversight to report suspected abuse without fear of retribution. Economic realities often shape actions, and even the most honest people will overlook or ignore fraud if they suspect their job or livelihood will be in jeopardy if they report the suspected abuse. When the tone from the top does not encourage and support ethical actions, fraud can grow rapidly.

* Budget pressures may so impact established internal controls that the control is eliminated, resulting in significantly increased risk of fraud. In the search for efficiency, the first activity to be cut is often the control activity, because practicing good internal controls takes time and doesn't normally contribute to processing efficiency in a budget-conscious environment. This can be a costly decision when control processes become overwhelmed by transaction activity.

* Financial system capabilities must be used to allow detective internal controls to effectively identify and evaluate high-risk transactions. Having one clerk assigned to review all p-card transactions - if the clerk does nothing other than review transactions eight hours a day, five days a week - results in just over one minute per transaction for review. Analysis of buying trends and usage patterns through data extraction and analysis, or periodic system queries, should be implemented to identify potentially fraudulent transactions.

* Individuals responsible for p-card use and monitoring must be continually trained and made aware of fraud risk in card use. Annual refresher courses, including fraud awareness, for all individuals involved in p-card processes should be required. No infraction of p-card rules should be considered minor, and management must be made aware of even seemingly accidental infractions.

* Real consequences for misuse of p-cards need to be formalized and enforced. The tone at the top must clearly convey that fraudulent use of p-cards will be prosecuted. A p-card program without "teeth" to address misuse is a "fraud waiting to happen." Even the best run and most well-controlled p-card program will experience fraud.

* P-card fraud may be indicative of fraud in other areas of purchasing.

P-cards are just one purchasing method. A purchasing card fraud investigation should include review of other purchasing methods available to suspected fraudsters. In this fraud, the suspect was also making unauthorized purchases, totaling many thousands of dollars, through direct-billed purchases and standing (framework) orders, as well as using other individuals' p-cards to which he had access.
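As an added illustration of the pyramiding screens described earlier (sorting by card, vendor and date; watching for near-limit and even-dollar amounts) and of the data-extraction recommendation in the lessons learned, a Python script that runs those screens over p-card rows. This is not code from the article; the $2,500 single-transaction limit, the 90 percent near-limit band, the $100 floor for the even-dollar screen and the sample rows are all constructed assumptions.

```python
"""Added example: the pyramiding and near-limit screens the case study describes.

Not code from the article. The $2,500 single-transaction limit, the 90 percent
near-limit band, the $100 floor for the even-dollar screen and the sample rows
are all constructed assumptions.
"""
from collections import defaultdict
from decimal import Decimal

SINGLE_TXN_LIMIT = Decimal("2500.00")   # assumed card limit per transaction
NEAR_LIMIT_FRACTION = Decimal("0.90")   # "reasonably close" to the limit (assumed)
EVEN_DOLLAR_FLOOR = Decimal("100.00")   # ignore small whole-dollar amounts (assumed)

# Constructed sample rows: (card_id, vendor, date, accounting txn no, amount)
SAMPLE_TXNS = [
    ("C-0101", "Discount Store #14", "2004-03-02", 1001, "2400.00"),
    ("C-0101", "Discount Store #14", "2004-03-02", 1002, "2450.00"),
    ("C-0101", "Discount Store #14", "2004-03-02", 1003, "700.00"),
    ("C-0202", "Lab Supply Co",      "2004-03-02", 1004, "312.47"),
    ("C-0202", "Lab Supply Co",      "2004-03-09", 1005, "2500.00"),
    ("C-0303", "Office Mart",        "2004-03-11", 1006, "48.19"),
    ("C-0303", "Office Mart",        "2004-03-11", 1007, "61.02"),
]


def load_rows(raw):
    """Turn the raw tuples into dict rows with exact Decimal amounts."""
    return [{"card": c, "vendor": v, "date": d, "txn_no": n, "amount": Decimal(a)}
            for c, v, d, n, a in raw]


def find_pyramiding(rows):
    """Group by card, vendor and date; report same-day groups whose combined
    spend exceeds the single-transaction limit (a likely split purchase)."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["card"], r["vendor"], r["date"])].append(r)
    findings = []
    for (card, vendor, day), txns in sorted(groups.items()):
        total = sum(t["amount"] for t in txns)
        if len(txns) > 1 and total > SINGLE_TXN_LIMIT:
            findings.append({"card": card, "vendor": vendor, "date": day,
                             "txn_nos": sorted(t["txn_no"] for t in txns),
                             "total": total})
    return findings


def find_near_limit(rows):
    """Single swipes sitting just under the limit, a second pyramiding indicator."""
    floor = SINGLE_TXN_LIMIT * NEAR_LIMIT_FRACTION
    return [r for r in rows if floor <= r["amount"] <= SINGLE_TXN_LIMIT]


def find_even_dollar(rows):
    """Whole-dollar amounts at or above the assumed floor."""
    return [r for r in rows
            if r["amount"] >= EVEN_DOLLAR_FLOOR
            and r["amount"] == r["amount"].to_integral_value()]


def review(raw=SAMPLE_TXNS):
    """Run all three screens; returns what each one flagged."""
    rows = load_rows(raw)
    return {
        "pyramiding": find_pyramiding(rows),
        "near_limit": sorted(r["txn_no"] for r in find_near_limit(rows)),
        "even_dollar": sorted(r["txn_no"] for r in find_even_dollar(rows)),
    }


if __name__ == "__main__":
    for screen, hits in review().items():
        print(f"{screen}: {hits}")
```

Flagged rows are candidates for document verification, not findings in themselves; the receipt review in the case study is what turned a pattern into evidence.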


The Importance of Data Audits

Risky Business: The Importance of Data Audits for Content Security
Sue Marquette Poremba. EContent. Wilton: Oct 2008. Vol. 31, Iss. 8; pg. 32, 5 pgs

Abstract (Summary)
Database security is a serious issue that affects every business or organization, and most IT security personnel state one of the most effective means of database security is good database auditing. There are four key categories to database auditing: server security, database connections, table access control, and restricting database access. The federal government and some industries have begun to realize the severity of database breaches and have begun to institute data privacy regulations. Companies are expected to follow these regulations and are regularly audited to make sure they are properly securing their databases. Despite the regulations and governance councils, companies are slow to respond to the need for better database auditing. Not every data breach is caused by criminal intent, but for every accidental breach, there is a disgruntled employee who is looking for revenge or a crime ring eager to make a few thousand dollars selling the information on the black market.

In early July, a Texas man was arrested for allegedly filing more than 160 false tax returns using the Social Security numbers of University of California-Irvine graduate students. The Social Security numbers were reportedly stolen while the man worked for the Student Resources Department of United HealthCare Services, Inc.

In June, a California man was sentenced to nearly 5 years in prison after he was found guilty of hacking into the protected computer system of his former employer, Council of Community Clinics, multiple times, disabling the backup system and deleting files. (He was angry after receiving a negative performance review.) His actions destroyed personal medical records of patients, putting their lives at risk.

This spring, online mortgage loan marketplace Lending Tree, LLC sent a letter to its customers to inform them of a possible data breach caused by former employees providing passwords and access to personal information to other mortgage lenders.

Even members of the Supreme Court aren't safe from identity theft: Justice Stephen Breyer's personal information was made public when someone in an investment firm used peer-to-peer networking and inadvertently provided a gateway to a database. The breach wasn't discovered for 6 months.

Troubling as they are, these stories are just a few of what seems like a never-ending list of companies experiencing data breaches, which can lead to the theft of information ranging from a customer's Social Security number to a corporation's secret designs for a new product.

A 2007 study of 494 IT security personnel conducted by the Computer Security Institute found that, while the numbers are slowly decreasing, 46% of the respondents said their company experienced a security incident in the past year. Fraud caused, in part, by the loss of customer and proprietary data is the number one reason for financial loss within companies (overtaking computer viruses for the first time).

Database security is a serious issue that affects every business or organization, and most IT security personnel state one of the most effective means of database security is good database auditing. Too often, however, data is left vulnerable, partly because companies are more concerned with protecting the network from the outside and invest in technologies such as firewalls to prevent attacks. What gets overlooked is that information from a database is more likely to be hacked by a current or former employee than from a virus injection.

"Essentially, we are guarding the front door, while the bad guys are walking in the back door," says Rick Kam of ID Experts.

THE DATA TRAIL

In order to ascertain risk, companies must track data usage, which is commonly referred to as database auditing. There are four key categories to database auditing: server security, database connections, table access control, and restricting database access.

Server security limits user access to the database server. Database connection involves knowing who has access to a database and how and when it is accessed, while table access control dictates what the user can do within the database itself. Restricting database access refers to protecting the database from outside sources, such as malware that can manipulate code on an internet-housed database.

Perhaps the biggest breakdown in database auditing is the lack of governance over user accounts. Too often, when an employee leaves a company or even transfers from one department to another, the person's account isn't closed or changed.

In fact, user access is the number one IT security concern among healthcare workers, according to a study taken at the Healthcare Information and Management Systems Society (HIMSS) 2008 Annual Conference and Exhibition by Courion Corp. Of the 136 people questioned, 64% cited access as their main security issue, while 60% were concerned about passwords being shared between personnel and 52% admitted that orphaned accounts were not properly disabled.

While providing doctors, nurses, and other caretakers easy access to the data they need improves patient care, Kurt Johnson, vice president of corporate development at Courion, adds, "It also opens a whole new concern in the organization to exactly who has access to this information."

There are three phases to a database audit, according to Robert Grapes, chief technologist with Cloakware's data center. "There's the upfront work, the tactical things to be done day-by-day, and the post-forensic or the real audit of what happened on the system," he explains.

The upfront phase involves password issues and who has access to accounts. "While a lot has been done to address password management from an engineering standpoint, we're finding that very little has been done to correct password issues for human administrators who need access to the database," Grapes continues.

So upfront, the idea is to look at who exactly has access to a database and to regularly do audits to account for everyone who has access to the database.

Automated software functions control the tactical daily audits. This can include closing a person's access to the network or changing the fields an employee should have access to, depending on the job duties. The software also dictates when passwords should be changed.

After applications have been run and the database logs have been recorded for the day, the audit occurs. Software, such as Grapes' Cloakware, can be used to record every time the data has been manipulated or a password changed. This information should then be verified on a regular basis to make sure the people working with the database had the authorization to do so.
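As an added example (not code from the article or from Cloakware), a Python check that reconciles one day's database audit log against the account roster and a role-to-table authorization map, surfacing the orphaned accounts and out-of-role operations the article warns about and listing password changes for reviewer confirmation. The roster, the authorization map and the log lines are constructed.

```python
"""Added example: the end-of-day verification of a database audit log.

Not code from the article. The roster, the role-to-table authorization map,
the log format (timestamp|user|operation|object) and the log lines are all
constructed for illustration.
"""

# Constructed account roster: role held, and whether HR still lists the person.
ACCOUNTS = {
    "jdoe":  {"role": "billing_clerk", "active": True,  "left_on": None},
    "mroe":  {"role": "dba",           "active": True,  "left_on": None},
    "tkim":  {"role": "nurse",         "active": True,  "left_on": None},
    "ppark": {"role": "billing_clerk", "active": False, "left_on": "2008-05-30"},  # orphaned
}

# Constructed authorization map: role -> {table: permitted operations}.
# "*" stands for every object; used here only for the dba role.
AUTHZ = {
    "billing_clerk": {"invoices": {"SELECT", "INSERT", "UPDATE"}, "patients": {"SELECT"}},
    "nurse":         {"patients": {"SELECT", "UPDATE"}, "med_records": {"SELECT", "UPDATE"}},
    "dba":           {"*": {"SELECT", "INSERT", "UPDATE", "DELETE", "ALTER", "PASSWORD_CHANGE"}},
}

# Constructed audit log for one day.
AUDIT_LOG = """\
2008-07-14T08:02:11|jdoe|SELECT|invoices
2008-07-14T08:05:40|jdoe|UPDATE|patients
2008-07-14T09:17:03|ppark|SELECT|patients
2008-07-14T10:44:52|tkim|DELETE|med_records
2008-07-14T11:01:09|mroe|PASSWORD_CHANGE|jdoe
2008-07-14T13:30:27|tkim|UPDATE|med_records
"""


def parse_log(text):
    """Split the pipe-delimited log into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, op, obj = line.split("|")
        events.append({"ts": ts, "user": user, "op": op, "object": obj})
    return events


def is_authorized(account, op, obj):
    """True if the account's role permits this operation on this object."""
    allowed = AUTHZ.get(account["role"], {})
    ops = allowed.get(obj, set()) | allowed.get("*", set())
    return op in ops


def review_log(events, accounts=ACCOUNTS):
    """Return (event, reason) pairs a reviewer must follow up: activity by
    unknown or departed accounts, operations outside the role, and every
    password change (authorized or not) so it can be matched to a ticket."""
    findings = []
    for e in events:
        acct = accounts.get(e["user"])
        if acct is None:
            findings.append((e, "unknown account"))
        elif not acct["active"]:
            findings.append((e, f"account left {acct['left_on']} but still active in database"))
        elif not is_authorized(acct, e["op"], e["object"]):
            findings.append((e, f"{e['op']} on {e['object']} not permitted for role {acct['role']}"))
        elif e["op"] == "PASSWORD_CHANGE":
            findings.append((e, "password change: confirm against change record"))
    return findings


if __name__ == "__main__":
    for event, reason in review_log(parse_log(AUDIT_LOG)):
        print(f"{event['ts']} {event['user']:6} {event['op']:16} {event['object']:12} -> {reason}")
```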

Unfortunately, financial issues often drive database auditing best practices. It costs money to manage thousands of passwords, Grapes says, yet password management is the best way to protect data.

"Automating the process can improve the security profile," he says. Software, for example, can produce new passwords but not release the new code until the user is ready to log in.

However, if the funds don't exist for automated auditing software, there is a relatively low-tech way to protect database information: Make sure that multiple people have access to the database. Too often, companies will assign control to one person, and there are no checks and balances in place.

"In San Francisco recently, a guy was able to lock out an entire system," Grapes says, "and that scenario is not uncommon. One person has all the privileges, like the fox protecting the hen house, and in this case, the fox is able to set up new accounts. Financial institutions are worried about this."

PRIVACY PLEASE

The federal government and some industries have begun to realize the severity of database breaches and have begun to institute data privacy regulations. They include best practice requirements and industry guidelines regarding usage and access to customer data. Financial institutions are currently regulated by the Gramm-Leach-Bliley Act (GLBA), which requires the protection of nonpublic personal data while in storage and implements a variety of access and security controls. The Payment Card Industry Data Security Standard (PCI DSS) requires that merchants who accept credit cards follow certain standards of security protection for consumers. The Sarbanes-Oxley Act of 2002 is a congressional response to the Enron and similar accounting scandals and establishes new and enhanced standards for publicly held companies. Perhaps the best-known privacy effort is the Health Insurance Portability and Accountability Act (HIPAA), which is meant to further protect patient information as more medical records are shared via electronic means.

In addition, the IBM Data Governance Council was formed to create best practices around risk assessment and data governance. The IBM Data Governance Council is an industry group comprising about 50 members representing financial companies such as American Express, Deutsche Bank, Citibank, MasterCard, and others.

Companies are expected to follow these regulations and are regularly audited to make sure they are properly securing their databases.

"IT security is a strategic part of the company, but business people haven't recognized that yet," explains Steve Adler, chairman of the IBM Data Governance Council. "We think that the current methods used for calculating risk need to be automated and a normal part of business."

He says that every individual in an organization needs to be aware of the security risks, which is not usually the case. "There are many people who work in the IT department who are unaware of the security strategy," he says. "There needs to be more operational awareness." Despite the regulations and governance councils, companies are slow to respond to the need for better database auditing. For example, the PCI DSS had a June 30th deadline requiring that web application security testing be upgraded from a best practice to mandatory compliance, yet IT security firms helping with this transition say that only a handful of firms were prepared to meet the requirement, despite being notified of this requirement in 2006.

Rick Kam blames the inefficient database auditing on the natural disconnect between what the executive teams think they are doing for security and what's really happening in the IT and privacy offices.

"There's a tendency to compartmentalize functions," Kam says, "and this has provided easy opportunities to steal information."

THINK LIKE A THIEF

One thing Kam recommends is for organizations to think like a bad guy when protecting data. "We think very differently from crooks," he says. "We think, 'how would a rational person break into the system,' and we invest heavily to protect where we think the vulnerabilities lie. The problem is, the crooks don't view it the same way and will find other ways to access the information they want."

What the company can do instead, Kam says, is bring in a person who can look at database security from a different perspective, such as an auditor hired to investigate fraud risks.

Good training is another vital step toward database auditing. Too often, Kam explains, a person may detect potential fraud early on, such as improper access to certain information, but then not know what steps to take to stop the breach.

Kam has three tips for putting a database-auditing plan into action:

1. Do an information security assessment.

2. Have an up-to-date incident response plan. "Most companies have information security plans and disaster recovery plans, but when they have to respond to lost or stolen information, they scramble like crazy," Kam says.

3. Have an insurance policy to cover the risk. "You have insurance policies to cover employee accidents or other financial loss," he adds. And with nearly half of all companies experiencing a database violation or theft of information, it makes sense to be prepared to cover the costs involved.

Of course, contrary to popular belief, data theft has been around as long as there has been data to steal, and criminals still use low-tech methods, such as stealing mail with personal checks inside or recording credit card information during a restaurant transaction. Computers and the internet have simply provided the bad guys with access to more information stored in one place.

SEPARATE, NOT EQUAL

For that reason, Yuval Ben-Itzhak, CTO of Finjan, Inc., says it is important to segment the data. Multiple users may have access to a single database, but for each application, each person uses a specific credential that gives access only to the information that is needed.

"The majority of data breaches happen because most applications provide access to all the information in the database," he says. "But once you segment the data, even if it is compromised, the hacker will have limited access to the information."

Encryption is another important and often overlooked tool, he says. Good encryption tools will make information from a violated database useless to a cyber criminal.

Ben-Itzhak suggests companies be creative when it comes to the way they create their databases too. "There's no reason to have all customer data or medical records in one place that's easy to access," he says. Providing different avenues to access the data will better protect it.

He also disagrees with those who say that the costs of better database auditing prohibit companies from making changes. Instead, he says, these practices should be included as the database is being built, that companies need to plan for better security from the get-go. "You don't need to buy other products," he says. "It's a design issue. The developers aren't educated in how to provide security; their job is to provide functionality. And in ignoring security in the design, it becomes a playground for hackers."

He also recommends frequently checking the information that is in the database. If a customer's information hasn't changed within a specified period of time, it should be considered outdated and removed. "You can't focus on just one element of database auditing," he adds, "or you will end up with a weak link in your security efforts."

COMMUNICATING THE RISK

Customers understand the risks involved when it comes to database breaches, and reports of a breach affect their relationship with the company. According to a study by the Ponemon Institute issued by ID Experts, nearly one-third of consumers notified of a security breach terminate their relationship with the company.

"We found that most people do care about security breach notifications and are concerned," says Larry Ponemon, founder of the Ponemon Institute. "And their concerns are identity theft, financial losses, and the inconveniences that the breaches cause."

Not every data breach is caused by criminal intent, but for every accidental breach, there is a disgruntled employee who is looking for revenge or a crime ring eager to make a few thousand dollars selling the information on the black market. Smart companies realize their reputations and their financial growth depend on ongoing database security.


Compliance Automation
Suzanne Dickson. The Internal Auditor. Altamonte Springs: Feb 2007. Vol. 64, Iss. 1; pg. 27, 2 pgs

Abstract (Summary)
For many organizations, regulatory compliance has become the principal focus of information technology (IT) spending. An effective compliance framework must combine people, business processes, and IT in a way that is integral to the organization's ongoing business strategy -- rather than being a special project. A key challenge organizations face in today's compliance environment is how to tie together all the tools and information to provide a universal view of compliance. Finding and documenting security gaps and exposures is one of the most cost- and labor-intensive aspects of compliance. Just as business performance improvement is an ongoing objective that requires continual attention and effort, regulatory compliance is an unending business process. By using automated tools, internal auditors can help their organization meet complex regulatory requirements more efficiently, improve accuracy, reduce costs, and measure performance improvements from compliance efforts.

Software tools can give auditors more insight into the controls and policies their organization needs to meet regulatory mandates.

For many organizations, regulatory compliance has become the principal focus of information technology (IT) spending. More money is being spent on meeting compliance requirements than on protecting against security threats and filling business-related needs, according to SecurityCompliance.com, a security research Web site.

An effective compliance framework must combine people, business processes, and IT in a way that is integral to the organization's ongoing business strategy - rather than being a special project. A major component of an effective compliance framework is having a set of IT applications that tracks regulatory compliance automatically. Moreover, IT tools can help groups from all parts of the company leverage compliance-related measurements and controls as a means of identifying and improving inefficient internal business and technology controls on a continuous basis.

A key challenge organizations face in today's compliance environment is how to tie together all the tools and information - across all relevant regulations and a common set of actionable IT controls - to provide a universal view of compliance. Internal auditors can meet this challenge because they have a broader view of the overall stability of the organization's compliance efforts.

AN AUTOMATED APPROACH

Finding and documenting security gaps and exposures is one of the most cost- and labor-intensive aspects of compliance. Some businesses try to leverage homegrown, manual methods such as spreadsheets, hoping to cut costs and implement compliance controls within the required time frame. Although the low cost of implementing this approach is initially appealing, organizations may struggle over time with scalability and reliability. Such manual processes are error prone and often overlook policy deficiencies.

Implementing an automated, consistent, and repeatable process for testing, measuring, updating, and reporting on IT security controls can result in continual performance improvement. Automation can help auditors identify and eliminate deficiencies in such critical areas as customer service, sales, invoicing, and inventory controls; information access, storage, and archive policies; and other processes and supporting technologies. In addition, automated processes can enable auditors to bring together compliance initiatives managed by different groups in separate departments, eliminating duplicate efforts to test and measure the same IT control function across the organization.

Automation can also improve end-user awareness and policy enforcement. Internal auditors should educate information systems users about compliance requirements and policies.

IT TOOLS

With so many different regulations to consider across an entire enterprise, it is nearly impossible to correlate business requirements with regulations and policies without an automated tool set. Internal auditors can use these products to automatically perform tasks such as auditing and examining the IT control environment in real time; developing and publishing reports to measure the effectiveness of IT security controls in meeting standards and regulations; demonstrating due care of compliance; mapping control information to specific policies to recommend improvements to the control environment; and collecting, integrating, and retaining trend analyses and evidentiary information from disparate control mechanisms for audits and documentation requests.

POLICY MANAGEMENT

Automated applications enable organizations to define, create, and disseminate policies and track end-user acceptance. Because many organizations are impacted by more than one mandate, a growing number of products map policies to multiple frameworks, standards, and regulations. When integrated with infrastructure assessment software, these tools can supply auditors proof of the organization's policy compliance.

VULNERABILITY DETECTION

Identifying IT security risks is made easier through technology that evaluates critical applications and operating systems and intelligently assesses and reports deviations in areas such as password strength, default accounts, user rights and permissions, and vulnerability and patch status. These products automatically identify and prioritize security threats that affect applications, enabling auditors to assess the effectiveness of security policies and recommend ways to strengthen them.

ASSESSMENT

Technology tools can help organizations establish, test, measure, and remedy control deficiencies and give auditors a view of IT compliance progress. Assessing and managing IT technical controls is eased by tools that establish baseline configurations for all major operating systems and identify exceptions to configuration standards. Many tools also leverage global networks of Internet activity sensors and security professionals to respond to fast-moving threats.

GOVERNANCE

Automated software can streamline governance of a compliance and performance improvement environment. Some tools have compliance assessment and reporting capabilities that integrate data from a variety of sources through a single interface that auditors could use to assess and demonstrate IT policy compliance and identify deficiencies. Some products report gaps in coverage of key regulations and frameworks automatically, while other tools capture and report on user acceptance and waivers to policies.


A UNIVERSAL VIEW

Just as business performance improvement is an ongoing objective that requires continual attention and effort, regulatory compliance is an unending business process. By using automated tools, internal auditors can help their organization meet complex regulatory requirements more efficiently, improve accuracy, reduce costs, and measure performance improvements from compliance efforts.

A Continuous View of Accounts
David Coderre. The Internal Auditor. Altamonte Springs: Apr 2006. Vol. 63, Iss. 2; pg. 25, 4 pgs

Abstract (Summary)
In fiscal year 2004-2005, The Royal Canadian Mounted Police (RCMP) performed an audit to assess the appropriateness and effectiveness of the control framework in place to support accounts payable (AP) activities. The overall goal of the audit was to provide reasonable assurance that AP policies and procedures comply with central agency policies and regulations, the control framework effectively supports AP activities, and financial transactions are processed in a way that complies with applicable policies, procedures, and regulations. Continuous auditing supported several of the RCMP auditors' objectives, including identifying and assessing risks and control deficiencies in the AP process, examining trends related to performance and efficiency, and searching for anomalies and fraud. In this audit, continuous auditing contributed to improvements in the AP operation; reduced financial errors and potential for fraud, waste, and abuse; and provided a sustainable and cost-effective means to support compliance with policies and procedures and perform risk and control assessments.

Royal Canadian Mounted Police auditors ride to the rescue of a complex accounts payable function.

In fiscal year 2004-2005, the Royal Canadian Mounted Police (RCMP) performed an audit to assess the appropriateness and effectiveness of the control framework in place to support accounts payable (AP) activities. As a result of regionalization, the law enforcement agency's AP function is performed primarily by seven AP groups and a network of satellite offices located in five regions across Canada. The function processes almost 500,000 payments for goods and services totaling approximately C $1.5 billion (US $1.31 billion) each year.

The overall goal of the audit was to provide reasonable assurance that AP policies and procedures comply with central agency policies and regulations, the control framework effectively supports AP activities, and financial transactions are processed in a way that complies with applicable policies, procedures, and regulations. Given the electronic nature of the data, the wide variety of transactions, and the large number of AP offices, the audit team planned to maximize its use of information technology to identify and assess risks, test key controls, and check for potential areas of fraud, waste, and abuse. These factors made the project a good candidate for using continuous auditing techniques.

Continuous auditing is a unifying structure that brings together risk and control assessment, audit planning, digital analysis, and other audit technologies and techniques. It supports macro-audit issues, such as using risk to prepare the annual audit plan, and micro-audit issues, such as developing the objectives and criteria for an individual audit. Continuous auditing not only measures transactions against a defined threshold, such as a maximum value, as they are being processed, it also compares those transactions to all transactions over time. Auditors also can use it to compare one set of transactions with another set, such as comparing transactions at one office with another office. These abilities allow auditors to test the consistency of a process by measuring the variability of each dimension.

IN SUPPORT OF AUDIT OBJECTIVES

Continuous auditing contributes to individual audits by supporting the identification and assessment of risk and the development of scope and objectives (see "Key Steps to Continuous Auditing" on page 26). Further, it can be used to determine which locations auditors will visit and to identify specific audit criteria.

During the planning phase of the RCMP's AP audit, auditors used data extracted from the financial and human resources systems to review the operations of regional AP offices before traveling to perform the on-site work. AP personnel in the RCMP's regional offices are responsible for processing a wide variety of transactions, including invoices, purchase card (p-card) expenses, interdepartmental settlements, journal vouchers, emergency salary advances, travel expenses, and relocation claims. In addition, they respond to inquiries from vendors and others within the RCMP, resolve payment issues and disputes, categorize expenses to the appropriate general ledger accounts, and keep the master file of suppliers up-to-date.

The quality of the AP process' design and how well the regional offices execute the process impacts two important areas: supplier relationships and cash management. Control design quality is also directly related to the cost of the AP function; appropriately designed controls will ensure that risks are mitigated at an acceptable and cost-effective level.

Continuous auditing supported several of the RCMP auditors' objectives, including identifying and assessing risks and control deficiencies in the AP process, examining trends related to performance and efficiency, and searching for anomalies and fraud.

RISK IDENTIFICATION

The RCMP's auditors included a variety of risk factors - culled from policy reviews, interviews, reviews of previous audit results, and Internet searches - in the initial risk assessment. The audit compared the performance attributes - cost, quality, and time-based performance measures - of each AP office. Labor cost for accounts payable was the primary cost-based measure. Quality-based measures, which assessed how well the organization's products or services met customer needs, included the average number of errors per invoice. Time-based measures, focusing on the efficiency of the AP process, included the average number of days to pay an invoice and late payment charges. Auditors extracted data from the RCMP's ERP system and imported it into audit software to calculate the elapsed days between the receipt and payment of the invoice and the total of late payment charges.

Using continuous auditing for each AP office, the auditors also determined dollar amounts for each type of transaction. The transaction-type analysis gave the audit team a better understanding of the operations of each office, including how many different types of transactions were being processed. This analysis supported the risk assessment, because operations tend to have greater complexity when more transaction types are processed. The audit also compared the number of correcting journal entries and manually produced checks per office, which indicated additional workload that contributed to the overall level of risk. Using the extracted ERP data, a cross tabulation showing the number and dollar value of each type of transaction for each regional AP office was produced.

Finally, the audit used data extracted from the human resources (HR) database to compare the organizational structure of each office, including reporting relationships, number and classification of staff, length of time in job, retention rates, and training received. The combination of the HR data with the transaction types and volumes helped to identify areas of risk, such as understaffing and lack of staff trained to handle complex transaction types.

Auditors considered the risks associated with the transaction types, volumes, and dollar amounts to determine which types of transactions would be included in the audit. They also used the overall risk assessment to select the locations for on-site audit work.

CONTROL ASSESSMENT

The flip side of risk is control. Control deficiencies can increase risk levels, and unmitigated risks are usually the result of control deficiencies. The audit team reviewed the financial software system to identify key control points in the AP module. Next, auditors used the Internet to research the control rules for that module and used audit software to develop analytical tests to ascertain whether or not the controls were working as designed. For example, audit software was used in one test to compare transaction types processed by each AP clerk to verify that separation of duties existed. Additional analyses verified that all invoices over C $5,000 referenced a purchase order, validated that only authorized users were creating or modifying vendor records, and determined whether the goods receipt amount equaled the invoice and contract amounts. Auditors created scripts that enabled tests to be run at any time.

PERFORMANCE TRENDS

Trending data identified performance and efficiency concerns. For example, the audit team used continuous auditing to compare the AP offices, looking at the number and job classification of employees involved in the process and the efficiency of operations. Audit software was used to calculate efficiency measures, including the number of invoices processed per user, number of days and average dollar cost to process a payment, percentage of invoices paid late, percentage paid early, percentage of recurring and electronic funds transfer (EFT) payments, percentage of manual checks, and percentage of invoices for less than C $500. Analyzing trends across years also helped to identify both problems and areas where improvements had been made.
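The per-office cross tabulation from the risk identification step and the time- and efficiency-based measures described in this section, written out as an added Python example. This is not the RCMP's audit script or output; the field names (office, type, amount, received, paid, terms, method) are hypothetical stand-ins for the ERP extract's own columns, and the six records are constructed.

```python
"""Per-office AP performance and risk measures over a constructed invoice extract."""
from collections import defaultdict
from datetime import date

# Constructed sample extract; amounts in C$, "terms" is the payment window in days.
INVOICES = [
    {"office": "Pacific", "type": "invoice", "amount": 420.0,
     "received": date(2005, 1, 3), "paid": date(2005, 1, 20), "terms": 30, "method": "EFT"},
    {"office": "Pacific", "type": "invoice", "amount": 8200.0,
     "received": date(2005, 1, 5), "paid": date(2005, 2, 20), "terms": 30, "method": "EFT"},
    {"office": "Pacific", "type": "pcard", "amount": 95.0,
     "received": date(2005, 1, 10), "paid": date(2005, 1, 10), "terms": 30, "method": "EFT"},
    {"office": "Central", "type": "invoice", "amount": 300.0,
     "received": date(2005, 1, 4), "paid": date(2005, 3, 1), "terms": 30, "method": "cheque"},
    {"office": "Central", "type": "invoice", "amount": 15000.0,
     "received": date(2005, 1, 6), "paid": date(2005, 1, 15), "terms": 30, "method": "cheque"},
    {"office": "Central", "type": "journal", "amount": 2500.0,
     "received": date(2005, 1, 7), "paid": date(2005, 1, 7), "terms": 30, "method": "EFT"},
]


def days_to_pay(rec):
    """Elapsed days between receipt and payment of one record."""
    return (rec["paid"] - rec["received"]).days


def cross_tab(records):
    """Number and dollar value of each transaction type per office.

    More transaction types at an office means more complex operations and,
    as the article notes, a higher weighting in the risk assessment.
    """
    tab = defaultdict(lambda: {"count": 0, "value": 0.0})
    for rec in records:
        cell = tab[(rec["office"], rec["type"])]
        cell["count"] += 1
        cell["value"] += rec["amount"]
    return dict(tab)


def office_measures(records, low_dollar=500.0):
    """Time- and efficiency-based measures for each office."""
    by_office = defaultdict(list)
    for rec in records:
        by_office[rec["office"]].append(rec)
    out = {}
    for office, rows in by_office.items():
        n = len(rows)
        elapsed = [days_to_pay(r) for r in rows]
        late = sum(1 for d, r in zip(elapsed, rows) if d > r["terms"])
        out[office] = {
            "transactions": n,
            "types_processed": len({r["type"] for r in rows}),
            "avg_days_to_pay": sum(elapsed) / n,
            "pct_late": 100.0 * late / n,
            "pct_under_500": 100.0 * sum(1 for r in rows if r["amount"] < low_dollar) / n,
            "pct_manual_cheque": 100.0 * sum(1 for r in rows if r["method"] == "cheque") / n,
        }
    return out


def rank_by(measures, key):
    """Offices ordered from highest to lowest on one measure, for office-to-office comparison."""
    return sorted(measures, key=lambda office: measures[office][key], reverse=True)


if __name__ == "__main__":
    for office, m in office_measures(INVOICES).items():
        print(office, m)
    print("most manual cheques:", rank_by(office_measures(INVOICES), "pct_manual_cheque"))
```

Running the same functions against successive yearly extracts gives the across-years trend the article describes; the measures are deliberately plain ratios so that an unexpected value can be traced back to the individual records that produced it.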

ANOMALIES AND FRAUD

To assist the continuous auditing process, the audit team used brainstorming techniques to identify anomalies and areas of potential fraud. For example, the team theorized that an inadequate separation of duties would permit an AP clerk to create a vendor record, enter a purchase order, and process an invoice to make a payment to that vendor, which could pay a kickback to the clerk. Another concern was that satellite AP offices could process duplicate invoices.

For items identified in the brainstorming session, auditors developed specific automated tests to search for possible fraud, waste, and abuse. Auditors tested for duplicate payments and compared current-year payments to previous years to see if operations were improving. They looked for invoices processed against backdated purchase orders and split purchase orders intended to avoid financial limits. The audit also examined the number and dollar value of invoices going to suspense accounts, where funds are stored temporarily until a decision about their allocation is made.

Finally, auditors ran tests to determine if there were cases where:

* Vendors were created and only used by a single AP clerk.

* The entry user was the same as the user who approved payment.

* The payee was the entry or approving user.

* There were duplicates in the vendor table or vendors with names such as C.A.S.H., Mr., and Mrs.

* Vendors had no contact information, such as phone numbers or addresses.

Although auditors did not discover any instances of fraud, they did identify control weaknesses and instances of noncompliance with policies. In particular, weaknesses in the vendor table and poor controls over the entry of invoices resulted in more than C $100,000 in duplicate payments that were recovered by the auditors.
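The control tests from the control assessment section (separation of duties, the C $5,000 purchase-order rule, authorized vendor maintenance) and the anomaly tests listed above (duplicate payments, single-clerk vendors, entry user equal to approver, payee equal to a user, placeholder vendor names, vendors with no contact details), combined into one added Python example. It is not the RCMP's script; the column names (created_by, entered_by, approved_by, payee, po), the vendor_admin role and every vendor and payment record are constructed for illustration.

```python
"""Automated AP control and anomaly tests over a constructed vendor master and payment extract."""
from collections import Counter, defaultdict

# Constructed vendor master. V1 and V3 are the same supplier keyed twice; V2 is a placeholder name.
VENDORS = [
    {"id": "V1", "name": "Acme Supplies Ltd", "created_by": "vendor_admin",
     "phone": "613-555-0101", "address": "1 Main St"},
    {"id": "V2", "name": "C.A.S.H.", "created_by": "clerk_b", "phone": "", "address": ""},
    {"id": "V3", "name": "Acme Supplies Ltd.", "created_by": "clerk_c",
     "phone": "613-555-0101", "address": "1 Main St"},
    {"id": "V4", "name": "Northern Office Co", "created_by": "vendor_admin",
     "phone": "613-555-0199", "address": "9 Bay Rd"},
]

# Constructed payment extract; amounts in C$.
PAYMENTS = [
    {"inv": "A100", "vendor": "V1", "amount": 1200.0, "entered_by": "clerk_a",
     "approved_by": "mgr_x", "po": "PO1", "payee": "Acme Supplies Ltd"},
    {"inv": "A100", "vendor": "V1", "amount": 1200.0, "entered_by": "clerk_c",
     "approved_by": "mgr_x", "po": "PO1", "payee": "Acme Supplies Ltd"},   # paid twice
    {"inv": "B200", "vendor": "V2", "amount": 7500.0, "entered_by": "clerk_b",
     "approved_by": "clerk_b", "po": "", "payee": "C.A.S.H."},
    {"inv": "B201", "vendor": "V2", "amount": 300.0, "entered_by": "clerk_b",
     "approved_by": "mgr_y", "po": "", "payee": "clerk_b"},
    {"inv": "C300", "vendor": "V4", "amount": 9800.0, "entered_by": "clerk_c",
     "approved_by": "mgr_y", "po": "PO7", "payee": "Northern Office Co"},
]

PO_THRESHOLD = 5000.0            # C$ limit above which an invoice must reference a purchase order
SUSPICIOUS_NAMES = {"cash", "mr", "mrs"}
VENDOR_ADMINS = {"vendor_admin"}  # hypothetical: the only users authorized to create vendor records


def normalize_name(name):
    """Lower-case, drop dots and collapse spaces so 'C.A.S.H.' and 'Ltd.' compare cleanly."""
    return " ".join(name.lower().replace(".", "").split())


def duplicate_payments(payments):
    """Same vendor, invoice number and amount paid more than once."""
    seen = Counter((p["vendor"], p["inv"], p["amount"]) for p in payments)
    return sorted(key for key, n in seen.items() if n > 1)


def missing_po_over_threshold(payments, threshold=PO_THRESHOLD):
    """Invoices above the limit that reference no purchase order."""
    return [p["inv"] for p in payments if p["amount"] > threshold and not p["po"]]


def self_approved(payments):
    """Entry user is also the approving user: a separation-of-duties failure."""
    return [p["inv"] for p in payments if p["entered_by"] == p["approved_by"]]


def payee_is_user(payments):
    """Payment made out to the person who entered or approved it."""
    return [p["inv"] for p in payments if p["payee"] in (p["entered_by"], p["approved_by"])]


def single_clerk_vendors(vendors, payments):
    """Vendors created by one clerk and used only by that clerk (the kickback scenario)."""
    users = defaultdict(set)
    for p in payments:
        users[p["vendor"]].add(p["entered_by"])
    return [v["id"] for v in vendors if users.get(v["id"]) == {v["created_by"]}]


def unauthorized_vendor_creation(vendors, admins=VENDOR_ADMINS):
    """Vendor records created by someone outside the authorized group."""
    return [v["id"] for v in vendors if v["created_by"] not in admins]


def vendor_table_issues(vendors):
    """Duplicate names, placeholder names and vendors with no contact details."""
    by_name = defaultdict(list)
    for v in vendors:
        by_name[normalize_name(v["name"])].append(v["id"])
    return {
        "duplicates": [ids for ids in by_name.values() if len(ids) > 1],
        "suspicious": [v["id"] for v in vendors if normalize_name(v["name"]) in SUSPICIOUS_NAMES],
        "no_contact": [v["id"] for v in vendors if not (v["phone"] or v["address"])],
    }


def run_all(vendors=VENDORS, payments=PAYMENTS):
    """Run every test; scripted so it can be re-run on a fresh extract at any time."""
    return {
        "duplicate_payments": duplicate_payments(payments),
        "missing_po": missing_po_over_threshold(payments),
        "self_approved": self_approved(payments),
        "payee_is_user": payee_is_user(payments),
        "single_clerk_vendors": single_clerk_vendors(vendors, payments),
        "unauthorized_vendor_creation": unauthorized_vendor_creation(vendors),
        "vendor_table": vendor_table_issues(vendors),
    }


if __name__ == "__main__":
    for test, hits in run_all().items():
        print(f"{test}: {hits}")
```

Each test returns the invoice or vendor identifiers it flagged rather than a count, so that a hit can be followed straight back to the supporting document; on the constructed data the duplicate of invoice A100 is the kind of finding behind the C $100,000 in recovered duplicate payments the article reports.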

AUDIT RECOMMENDATIONS

The final use of continuous auditing was to follow up on audit recommendations to determine whether or not management had implemented them and whether they were having the desired effect. During the review, auditors identified data-driven indicators for each recommendation. For example, auditors found that most regional offices processed a large number of invoices of less than C $500. Many studies have shown that the use of p-cards can significantly reduce the costs of processing such payments. The auditors recommended promoting p-card usage for low-dollar purchases and training cardholders to use them appropriately. Six months after issuing their report, the auditors measured usage for transactions under $500 and found that the percentage of p-card payments for low-dollar transactions had increased, indicating that this recommendation was implemented effectively.

Additional tests revealed a reduction in the number of duplicates in the supplier master table, a decrease in the number and dollar value of duplicate invoices, and an increase in the number of invoices referencing purchase orders.

A CHANGE OF THINKING

In this audit, continuous auditing contributed to improvements in the AP operation; reduced financial errors and potential for fraud, waste, and abuse; and provided a sustainable and cost-effective means to support compliance with policies and procedures and perform risk and control assessments. Continuous auditing helped the team to better understand the regional offices. The overview analysis determined that AP was decentralized with no standard processes and that different regional offices processed different transaction types. Auditors also identified concerns in efficiency and effectiveness of transaction processing at certain offices.

As the RCMP discovered, implementing continuous auditing places certain demands on internal auditors. In particular, the audit organization must develop and maintain the technical competencies necessary to access and manipulate data in multiple information systems. If the auditors are not already using data analysis techniques to support audit projects, the audit department will need to purchase analysis tools and develop and maintain analysis techniques. To realize its full benefits, all audit staff members need to adopt the continuous auditing concept. The benefits are substantial and can reduce the time needed to perform audit planning, increase risk and control assessment capability, and allow auditors to widen the scope of their audit activities and use existing corporate data cost effectively and efficiently.

Survey Benchmarks Internal Audit Direction
J Whitley. The Internal Auditor. Altamonte Springs: Feb 2006. Vol. 63, Iss. 1; pg. 15, 2 pgs

Abstract (Summary)
Standards and regulatory mandates are among a host of factors impacting internal auditors in Australia and New Zealand, according to the second annual benchmarking survey, Trends in Australia and New Zealand Internal Auditing. Risk-based audit planning has become widespread in the two countries. According to the survey, many organizations are seeking auditors with a variety of experiences and backgrounds, including engineers and strategy consultants. The use of automated audit tools by internal audit departments jumped from 46% in 2004 to 73% in 2005. Survey findings suggest that public companies in Australia and New Zealand are seeking greater assurance of their internal audit activity.

Standards and regulatory mandates are among a host of factors impacting internal auditors in Australia and New Zealand, according to the second annual benchmarking survey, Trends in Australian and New Zealand Internal Auditing. The new report from IIA-Australia, IIA-New Zealand, and Ernst & Young (E&Y) compiles information about the audit activities of more than 170 organizations to provide a better understanding of how internal audit functions in both the public and private sectors are progressing to meet demands and expectations. The report compares the survey's findings and observations with results of the 2004 survey.

The report's authors say the internal audit profession is at a crossroads in Australia and New Zealand. "Internal auditors have the opportunity to capitalize on the new visibility and sponsorship they enjoy," the report states. "However an inability to live up to these new expectations may see an erosion of their resource base and a loss of credibility and diminishing support from stakeholders."

Risk-based audit planning has become widespread in the two countries. Eighty-four percent of organizations base their annual audit plan on the management principles of AS/NZS 4360:2004 Risk Management, the Australia and New Zealand standard that provides a generic guide for managing risk. In 57 percent of organizations, internal auditing works with other assurance functions to provide a summary of key risks and assurance coverage to management and board committees.

More than three-fourths of internal audit functions report to either the audit committee or the chief executive officer (CEO). Although primary reporting lines are often split, there are generally mechanisms to ensure that internal audit objectivity and independence are preserved. Among private-sector respondents in New Zealand, for example, 76 percent have audit committees that satisfy the requirements specified by the New Zealand Stock Exchange's Corporate Governance Best Practice Code, issued in 2003. The code requires audit committee members to have an accounting or financial background.

According to the survey, many organizations are seeking auditors with a variety of experiences and backgrounds, including engineers and strategy consultants. Respondents report that 54 percent of audit staff have a financial background, down from 66 percent in 2004. On the other hand, the use of automated audit tools by internal audit departments jumped from 46 percent in 2004 to 73 percent in 2005. Seventy-seven percent of respondents say their organization outsources parts of their internal audit activity, largely to obtain needed specialty skills.

Survey findings suggest that public companies in Australia and New Zealand are seeking greater assurance of their internal audit activity. Thirty-two percent of organizations have had an independent review of their internal audit function within the past two years, up from 25 percent last year.

On-line control assessment
Peter Perriam. The Internal Auditor. Altamonte Springs: Oct 1998. Vol. 55, Iss. 5; pg. 21, 3 pgs

Abstract (Summary)
Internal audit departments worldwide face the double-edged challenge of servicing a growing audit universe with limited staff resources. Curtin University of Technology in Perth, Australia, is now using a Windows-based control assessment tool (CAT) which is ideal for its control assessment needs. By adapting the online CAT to its specific needs, Curtin University's internal audit shop has greatly enhanced its control reviews. Not only did the new tool include features that would improve the timeliness of reviews, but it also enabled some degree of self-assessment.

By adapting an on-line assessment tool to their specific needs, Curtin University's internal audit shop has greatly enhanced its control reviews.

Internal audit departments worldwide face the double-edged challenge of servicing a growing audit universe with limited staff resources. Our internal audit staff at Curtin University of Technology in Perth, Australia was no exception. While we relied on a combination of systems, operational, EDP, and compliance-based audits to cover our broad territory, reviews of Curtin's 150 faculty and administrative areas, 50 university functions, and 70 EDP-related issues remained infrequent and inadequate. We desperately needed a tool that would enhance our control assessment process.

We were obviously elated when we learned that halfway around the world the University of Illinois, with funding from the Association of College and University Auditors (ACUA), had developed a Windows-based control assessment tool (CAT) using Microsoft Access. With a little tweaking that included customizing it to the Curtin environment and moving to on-line administration via our Web site, CAT proved ideal for our control assessment needs. Not only did it include features that would improve the timeliness of our reviews; it also enabled some degree of self-assessment, which we hoped would help process owners recognize and accept responsibility for internal controls and inculcate risk management into the overall business culture at Curtin.

TOOL ADAPTATION

When we originally received the CAT, it was divided into 11 separate sections or modules representing each process within a departmental area. The sections included organization and management; budgeting, accounting, and reporting; purchasing, contracting, and leasing; expenditures other than payroll; personnel and payroll; inventory; moveable equipment; revenue and transfer of expenses; cash receipts; administration of gifts and grants; and petty cash. Several of these modules contained procedures, questions, and policies that were applicable only to the University of Illinois and, therefore, had to be removed.

After we had manually identified and extracted the unusable aspects of the software, we further adapted the CAT to reflect Curtin's own policies, practices, and procedures. To do so, we referenced relevant process manuals and confirmed correct operating procedures with staff in various functional areas. We benchmarked with other Australian university internal control models and perused relevant internal audit textbooks and journals to determine whether additional modules should be added to our base. We further "Curtinized" the tool by changing the CAT's "Americanisms" to "Australianisms." Our resulting Curtin-specific modules included organization and management; budgeting; purchasing; non-payroll expenditures; recruitment; personnel/payroll; accounts receivable; cash receipts; petty cash; fixed assets; inventory; and electronic data processing.

GOING ON-LINE

Customizing the modules was only the first step in adapting the software for our use. After a few pilot cases, we quickly realized how difficult implementing the CAT in its disk-based form would be. In order for users to complete the assessment, it was necessary to physically install the five-disk CAT onto a host computer at each audit site. This time-consuming activity was slowed even further as a result of the variety of computer platforms used across the University. In addition, the policies, procedures, guidelines, and organizational structure throughout the University changed often, making it necessary to update the CAT frequently.

Our need for a flexible communications medium that would enable quick dissemination and frequent updates was answered by the Internet. The disk-based version of the CAT was converted to HTML format and placed on the Curtin University Internal Audit Web site at www.curtin.edu.au/curtin/audit/iad7.htm# Curtin Control Assessment.

THE ON-LINE PROCESS

After modifying the software to fit our needs, we began administering the tool to the various departments. Depending on the module being completed, any staff member possessing the requisite knowledge could complete the assessment. However, we requested that the department heads review the answers whenever possible, since University policy gives them ultimate financial responsibility for their areas.

As the user worked through the program, each module posed a series of questions pertaining to a particular policy or procedure. The questions required "yes," "no," or "NA" answers. "Yes" indicated a positive situation, and "no" suggested that the area might be experiencing control problems. Sample questions included:

NON-PAYROLL EXPENDITURES Are vendor invoices checked for accuracy and agreed to purchase orders, contract terms, receiving reports, or other documents to ensure proper payment?

CASH RECEIPTS Are pre-numbered or cash register receipts promptly issued to individuals for in-person payments?

FIXED ASSETS Is the asset register reviewed to ensure that all additions, disposals, losses, or thefts are properly recorded?

EDP Is access to computer terminals and equipment restricted to authorized personnel?

To ensure an accurate picture of the effectiveness of the department's internal control system, users were required to answer all the questions in a module. However, participants completed only those modules that were applicable to their particular department. For example, if an area had no inventory, there would be no need to complete the corresponding module.

ADDED BENEFITS

Moving to Web distribution allowed several process enhancements. For example, to help users answer questions, hyperlinks were added referring users to relevant procedures or guidance. These links may be to on-line policies and guidelines from the users' own departments or from other areas of the University, including legal and administration, human resources, financial services, and the academic registrar's office.

In addition, a limited "comments field" next to each question enabled users to further explain answers to the modules' questions. For example, if a respondent answers "no" to a question, he can support his response by referring to documentary evidence that he found confusing, misleading, or contradictory to an established policy. We believed this additional field would help the heads of the schools and departments and their staffs, as well as the internal audit function, in reviewing why a question was answered negatively.

NEW CHALLENGES

While placing the CAT on the Internet provided many benefits, it also created a new set of challenges. For example, since logging off the Internet browser deleted all the answers in a module, users had to complete the entire survey in one sitting. This process proved inefficient because users needed the flexibility to work on the assessment as time allowed. In addition, they had to print a hard copy of their screen once the assessment was completed both for their records and to be reviewed by the department head and internal audit function.

Another complication involved confidentiality. We wanted to keep an individual area's assessment answers confidential, but at the same time be able to share our accomplishment with our ACUA and Australian and New Zealand University Internal Audit Group (ANZUIAG) peers.

Both issues were addressed through additional programming changes. We provided for module answers to be maintained indefinitely by creating a separate database for each school and department. These databases were developed by a consultant using Perl, a programming language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on the information (see http://language.perl.com/info/synopsis.html).

To address the confidentiality issue, we divided the CAT into two areas: one where guests like ACUA and ANZUIAG members could obtain access for information purposes only, and a restricted area for schools and departments that required a password for access. Each area's password granted them access only to their specific database and answers.

ASSESSING CONTROLS

Once we had determined an efficient and effective method for users to complete the assessment, we turned our attention toward using the responses to identify control weaknesses and provide timely advice to our customers. First of all, we needed to be able to easily determine when areas had completed the modules. While we could use the passwords to access the databases and monitor progress, doing so for more than 150 areas was inefficient. Instead, an e-mail notification facility was added at the end of each module to alert us when a particular school or department had completed the questionnaires.

Next, we developed two reporting formats for the CAT. The first report indicates how a particular school or department responded to each module's questions and highlights potential problem areas. Instead of reprinting all the questions in a model, the report flags those to which the respondent's answers indicate a less-than-satisfactory control situation. The second report provides a control snapshot of a particular practice or procedure by merging responses to a specific module from all the schools and departments at Curtin University.

By enabling us to distinguish between isolated or University-wide problems, the reports have helped us more effectively dispense suggestions for an improved control environment. For example, by using the second report we have been able to identify common problems, common misunderstandings of a particular control, or existing policies or procedures that might need amending. This information could subsequently be communicated throughout the University.
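The questionnaire rules (every question in an attempted module answered "yes," "no," or "NA"; "no" flags a possible control problem) and the two reports described above, as an added Python example. This is not Curtin's Perl code; the module names, the questions (two of them taken from the sample questions in the article), the three departments and their answers are all constructed.

```python
"""Control assessment questionnaire validation and the two CAT reports, over constructed responses."""

# Constructed modules: a short list of yes/no/NA questions each. "no" indicates a potential control problem.
MODULES = {
    "cash_receipts": [
        "Are pre-numbered or cash register receipts promptly issued for in-person payments?",
        "Are receipts reconciled to bank deposits?",
    ],
    "edp": [
        "Is access to computer terminals and equipment restricted to authorized personnel?",
        "Are user passwords changed periodically?",
    ],
}

# Constructed responses: department -> module -> list of (answer, comment), one entry per question.
RESPONSES = {
    "Chemistry": {"cash_receipts": [("yes", ""), ("no", "Reconciliation done quarterly only")],
                  "edp": [("yes", ""), ("no", "")]},
    "Library": {"cash_receipts": [("no", "Cash register has no receipt printer"), ("yes", "")],
                "edp": [("yes", ""), ("no", "")]},
    "Physics": {"edp": [("NA", "No terminals in shared areas"), ("no", "")]},
}

VALID_ANSWERS = {"yes", "no", "NA"}


def validate(responses, modules):
    """A module a department attempts must be answered in full, with valid answers only."""
    problems = []
    for dept, mods in responses.items():
        for mod, answers in mods.items():
            if len(answers) != len(modules[mod]):
                problems.append((dept, mod, "incomplete"))
            for ans, _comment in answers:
                if ans not in VALID_ANSWERS:
                    problems.append((dept, mod, f"invalid answer {ans!r}"))
    return problems


def department_report(dept, responses, modules):
    """Report 1: the questions one department answered 'no', with the explanatory comment."""
    flagged = []
    for mod, answers in responses[dept].items():
        for question, (ans, comment) in zip(modules[mod], answers):
            if ans == "no":
                flagged.append((mod, question, comment))
    return flagged


def module_snapshot(mod, responses, modules):
    """Report 2: for one module, how many departments answered 'no' to each question.

    NA answers are excluded from the denominator so an inapplicable question does not
    dilute a genuine University-wide problem.
    """
    snapshot = []
    for i, question in enumerate(modules[mod]):
        nos = [d for d, mods in responses.items() if mod in mods and mods[mod][i][0] == "no"]
        answered = [d for d, mods in responses.items() if mod in mods and mods[mod][i][0] != "NA"]
        snapshot.append({"question": question, "no_count": len(nos),
                         "answered": len(answered), "departments": nos})
    return snapshot


def common_problems(responses, modules, share=0.5):
    """Questions where more than `share` of answering departments said 'no':
    candidates for a University-wide fix rather than department-by-department advice."""
    hits = []
    for mod in modules:
        for row in module_snapshot(mod, responses, modules):
            if row["answered"] > 1 and row["no_count"] / row["answered"] > share:
                hits.append((mod, row["question"]))
    return hits


if __name__ == "__main__":
    print("validation:", validate(RESPONSES, MODULES))
    print("Chemistry:", department_report("Chemistry", RESPONSES, MODULES))
    print("EDP snapshot:", module_snapshot("edp", RESPONSES, MODULES))
    print("common problems:", common_problems(RESPONSES, MODULES))
```

On the constructed answers the password question is answered "no" by every department that answered it, which is the situation the second report exists to surface: a common misunderstanding or a policy gap to be addressed centrally, not three separate departmental findings.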

THE NEXT WAVE

To date, we have been pleased with the results of our on-line assessment efforts. Future adjustments will make the CAT even more relevant to the University's planning and review processes, as well as more vital to the achievement of department objectives. For example, we plan to expand the software to incorporate soft controls based on concepts from COSO and CoCo. Academic administrative controls relative to specific aspects of the University's operations, including admission and enrollment of students, scheduling of classes, and testing and exam procedures, will also be added.

Further enhancements may include clips from an ACUA video relating to specific modules and links to better practice guides, such as those issued by the Australian National Audit Office and New South Wales Treasury. In addition, the internal audit department is considering the adoption of a facilitation role in the area of control self-assessment, where we would use CAT as a base and incorporate other tools, such as computer-based, confidential voting databases, for support.

At least one other ACUA-member university has adopted a similar approach to control assessment (see the University of Florida's Web site at www.nerdc.ufl.edu/~ufoig/services/cat.html); and we have received a number of inquiries about the CAT from other universities, state government organizations, and mining businesses. If our success and the growing interest in the CAT are any indication, using the Internet for an efficient, on-line self-assessment of an organization's individual departments may just be the next wave of the future.
