The Why Factor
Too often auditors are satisfied with only finding symptoms of process weaknesses but not actual causes for found symptoms. The result being their recommendations fall short of assisting management to improve controls and reduce future risk.
If we take accounts payable as an example these types of audits often look like this:
Objective: Verify that we are not paying the same invoice twice
Criterion: invoices should not be paid twice
Condition: Invoices are being paid twice
Impact: based on the sample of 100 invoices, we estimate that there are $20K in duplicate payments.
Recommendation: Recover duplicate payments
This audit may recover the expense and cash, but it will not provide lasting value to the manager of accounts payable. The audit should look beyond the mere existence of duplicate payments - to ‘why’ they are occurring. And the process should also be looking
at more than a sample of invoices.
First, I would like to point out the importance of having a proper audit objective. The audit objective sets the “raison d’être” (why are you doing the audit). I hope that you are not doing an accounts payable audit to simply find duplicate invoices and recover funds. The objective should consider the business objective: to pay approved invoices accurately, timely and to the correct vendors. Thus, a better objective would be to assess the controls for the accounts payable process to ensure approved invoices are paid accurately, in a timely manner, and to the correct vendor.
Secondly, given the audit objective, the auditor should develop appropriate criteria and design a program that has the necessary steps to allow the auditor to deliver on the object. It should have steps to look at whether invoices were approved, paid in a timely manner (not early and not late), accurately (right amount and not twice), and to the correct vendors (not in correct or fictitious vendors). The steps should also maximize the use of data analytics to review 100% of the transactions.
Third, given the objective, the auditor conducts the necessary steps to allow them to deliver on the audit objective. Strong analytics will find duplicates, calculate late or early payments, verify amounts to purchase orders or contracts, and look for fictitious vendors. They will also provide a critical aspect for driving process change in the enterprise: financial impacts. The audit must be able to demonstrate the negative financial impact of current conditions to support the implementation of the recommendations. With the use of analytics, we are better able to quantify the financial impact of the symptom; not just estimate it.
Fourth, develop impactful recommendations to address the cause of the symptoms. This is where we apply the “why factor”. Given that we have found duplicates, the auditor should ask “why are there duplicates”? Not just once, but repeatedly until they get to the root cause:
Why do we have duplicates?
The ERP test for duplicates is failing to identify the duplicate transactions.
Why is the ERP preventative/detective test failing?
The duplicates are being paid to the same vendor, but under different vendor numbers.
Why do the same vendors have multiple vendor numbers?
All A/P clerks can create vendors, and many are not doing a proper check to ensure that the vendor does not already exist.
After three ‘why’ questions, we have arrived at one of root cause of duplicates: poor controls over the creation of vendors in the vendor master table. Now the recommendation could be ‘recover duplicate payments and restrict create/modify/delete access to the vendor master table to a single, properly trained user’. Not only will the process recover the duplicate payments, but it will reduce the risk of invoices being paid twice in the future. By the way, the “why factor” not just for for audit purposes - those who are responsible for internal controls should also be utilizing the technique to correct for any process weaknesses in their controls.
Take time at the beginning of the audit to consider the audit objective. Ensure that the audit objective includes finding the root causes of the risks in the various business processes. Ensure that you have the proper criteria and audit steps to allow you to deliver on the audit objective.
Ensure that your analysis allows you to identify the financial impact of the symptoms found so that you will be able to gain support for the recommended process changes. Maximize the use of analytics to improve the efficiency, effectiveness and scope of the audit and provide a quantified, defensible financial impact statement. And repeat the ‘why’ question to get to the root cause of the symptoms to eliminate future risks.
I’ve learned the effectiveness of this “why factor” step in my audit process. At CTRLmatters, we’ve automated this entire process, including the “why” factor, to significantly reduce costs and risks for all types and sizes of enterprises. I encourage you to leverage this process for your own audits and to check out what we’re doing at CTRLmatters to see how we can help you and your organization.