Auditing Operating Effectiveness of Internal Controls: A case of closing the stable door after the horse has bolted (and practical uses of technology to improve it).
I have a problem with auditing operational effectiveness of controls. Not the activity itself (very important and needs to be done), but the timing. Operational effectiveness auditing generally means reviewing what has already happened.
Auditing controls is an important and necessary evil. It ensures that they have been well designed and are functioning properly, and that they are being performed in a consistent and timely manner.
However, the history of business is littered with examples of catastrophic operational failures, often stemming from a failure of controls. Pick an industry and I am sure you will be able to think of at least one memorable event.
And controls are vital. Controls ensure that assets are safeguarded and used for their correct purpose. Controls ensure that employees comply with laws and regulations. Controls ensure that important business information is accurate.
However, there are two key challenges that come with many control environments:
Firstly, a control environment involves people. A control environment is the attitude of management and employees to the importance of internal controls, and involves the philosophy, the organisation structure and the personnel policies of the organisation.
Secondly, people are inherently unreliable. They get tired, sick, lazy, greedy, afraid, jealous, angry, irrational. Employees may be your greatest asset; at other times they can be your biggest liability.
Getting this right is a balancing act, especially where there is a key dependence on people-based controls.
So, we need to check that the controls are being completed.
But this brings me back to my original point: checks tend to be in the past, after the point the control has already failed, after the horse has bolted. Then it is a matter of how quickly we caught it, how much damage has already been done. We need something that is going to predict that there is going to be a control failure and catch it before it is too late.
But before you go mad introducing sophisticated artificial intelligence and start chasing your accounts junior around the country because they were thinking about skipping the bank rec today (visions of Tom Cruise in Minority Report spring to mind), there are four very practical steps you can take first.
- Use Automated reminders
Most controls are performed on a regular basis: daily, weekly, monthly, quarterly. So set up automated reminders to tell someone to complete their activity. And the great thing about automated reminders is they won’t forget like you and I will. They will remind you every day, even on weekends, or bank holidays. They won’t get distracted, or need to get the 5:38 train, or put it on tomorrow’s to-do list. Nor can they be reasoned with, bargained with, argued with, bullied, or berated. They will just keep reminding you until you do your job. And if you don’t do your job, they will start telling your boss, and your boss’s boss. They don’t mind if you get upset and angry, and they won’t get into trouble.
- Use digital timestamps
The great thing about electronic timestamps is that (generally) they don’t lie. Paper records on the other hand are easier to manipulate. If you are supposed to complete an important time-sensitive check on a Monday and you don’t do it until the Tuesday afternoon, then it might be very easy to just write in yesterday’s date. But when something requires an electronic submission then it becomes very difficult to hide the fact that you are a day late. And what’s more, an electronic record is much easier to monitor and to flag up as an exception that will call you out, so it is much harder to hide.
What’s more, this can be used as a key tool when auditing operational effectiveness. Rather than pulling a sample of control performances and checking they were completed on time, the system pushes 100% of control performances to you and tells you which ones were late or not completed on time.
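The full-population check described above, sketched as an added example (not code from the original post or from any product). The control names, owners and log rows are constructed, and it assumes the receipt time is recorded by the system itself rather than typed in by the performer.

```python
from datetime import datetime, timezone

UTC = timezone.utc
DUE = datetime(2022, 10, 3, 17, 0, tzinfo=UTC)  # Monday 17:00 deadline

# Constructed schedule: (control id, owner, due time).
SCHEDULE = [
    ("bank-rec", "alice", DUE),
    ("access-review", "bob", DUE),
    ("backup-check", "carol", DUE),
]
# Constructed submission log: (control id, system-recorded receipt time,
# date the performer entered on the form).
SUBMISSIONS = [
    ("bank-rec", datetime(2022, 10, 3, 16, 20, tzinfo=UTC), "2022-10-03"),
    # Performed Tuesday afternoon but dated Monday by the performer.
    ("access-review", datetime(2022, 10, 4, 14, 5, tzinfo=UTC), "2022-10-03"),
]

def classify(schedule, submissions, now):
    """Classify every scheduled control performance, not a sample."""
    received = {}
    for cid, ts, claimed in submissions:
        # Keep the earliest receipt per control if there are duplicates.
        if cid not in received or ts < received[cid][0]:
            received[cid] = (ts, claimed)
    report = {}
    for cid, owner, due in schedule:
        if cid not in received:
            status = "overdue" if now > due else "pending"
            report[cid] = {"owner": owner, "status": status, "backdated": False}
            continue
        ts, claimed = received[cid]
        report[cid] = {
            "owner": owner,
            "status": "on_time" if ts <= due else "late",
            # The entered date disagrees with the system's receipt date.
            "backdated": claimed != ts.date().isoformat(),
        }
    return report

def exceptions(report):
    """Control ids an auditor should look at first."""
    return sorted(cid for cid, r in report.items()
                  if r["status"] in ("late", "overdue") or r["backdated"])

if __name__ == "__main__":
    now = datetime(2022, 10, 5, 9, 0, tzinfo=UTC)
    print(exceptions(classify(SCHEDULE, SUBMISSIONS, now)))
```
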
- Store control evidence digitally
Checking timestamps is one small part of the audit work – you need to check the evidence too. So start storing the evidence digitally against every single control performance. This is an activity which would take the control performer a matter of minutes to complete but would save plenty of time later in the process.
Firstly, the initial audit fieldwork can be completed remotely: reviewing records online saves time travelling to different sites or locations. Secondly, it can be completed independently of the control performer, so there is no need to arrange mutually convenient meetings and no time is wasted collating evidence to pass over to the auditor. The groundwork was already done when the control was performed.
- Provide a feedback loop
Often audit work uncovers issues that arose at the time an activity was performed. The trouble is, this generally happens sometime after the event. And by then, several days, weeks or months have passed, by which time the little issue may have grown into a big one, or it may already be too late.
If the control performer had an opportunity to feed back issues or comments at the time, the matter might have been caught early and fixed. And it is always easier to stay out of trouble than to get out of trouble. So build a feedback loop that allows control performers to capture basic information regarding unexpected challenges that they face, and capture these digitally into a centralised log that internal audit or other central control teams can review and decide on action to take (and let’s not forget to build in automated reminders to ensure they review new items).
These are just a few simple yet practical ways to use technology to improve the speed and effectiveness of your auditing of operating effectiveness. But it does require some groundwork:
- Document and assign clear ownership and accountability to your controls.
- Instil a “self assessment” approach within your control performers where they capture and log evidence of their control performances centrally – this will require a change in approach, but it will encourage best practice behaviours and save significant time in the long run.
Please leave us some comments, the good and the bad. And don’t hesitate to get in touch with us.
If you are attending the IIA 2022 London Conference 18-19 October then come across and say hello to us in person on the ICE stand.
About ICE
ICE is a nimble and practical internal control and compliance solution that focuses on engaging and enabling all THREE LINES. For more information visit https://www.ice-control.co.uk