On-Time Audits – How Internal Audit add value in designing preventative controls

on time aduits

The reviews conducted by internal auditors on processes or activities are retrospective in nature, in that a review is conducted on activities that have already occurred, with a view that recommendations or solutions will assist the organisation going forward. This indicates the retrospective view with prospective solutions.  The other perspective that assists in being proactive is the risk nature of the reviews, that allows for the mitigation of risks before they penetrate the organisation. Resulting in development of preventative controls and not just a focus on detective controls. The phrase used in our practise to emphasise the above scenario is On-Time-Audits.

Ensuring audits remain on-time and relevant

In this article a case scenario will be used to demonstrate how we ensure that audits remain on-time and relevant, leaning towards development of preventative control framework rather than just a detective control framework. This case scenario is from a real organisation, where internal audit services have been provided and solutions have been offered:

Case Scenario: System Migration Scenario

A manufacturing client was moving from one system to the other, as the system that was used was ineffective and outdated. Further, the system administrator could not provide support to assist the client with the experienced deficiencies.  This impacted the financial statements produced by the organisation on an annual basis, as the inventory figures could not be relied on. With this background in mind the organisation took a decision to change from one manufacturing system to the other.   This was a planned move and allowed for the system to be phase-out over a period. The internal audit function made recommendations on change management controls to have in place to ensure that there is no loss of data as the organisation migrates from one system to the other. This included an establishment of a steering committee, with a defined mandate of identifying risks, and establishing mitigating controls.

Furthermore, the role of this steering committee, would ensure that at the future date known as the system-go-live date, all controls are in place to ensure that the users of the system have received training on how the system will operate to avoid any downtime. Furthermore, that the data from the old system would be retrieved and accurately integrated to allow for a smooth transition into the new system. Also that the infrastructure needed for the system to operate efficiently will also be in place, and processes documented to ensure that manual exists for future reference.

The move from one system to the other takes a while, in some cases the planning associated with the process could take up to a year. This is a significant amount of time to proactively advice on issues relating to data security and integrity as the transition takes place. It would be redundant for Internal Audit to come at a later stage and detect issues that could have been prevented. This is just one example of how internal audit can add value.

This is one of the ways where tangible value add can be offered, however, for internal auditors to be at a level of providing this wholistic advice an enabling environment must be in place.  The auditors must be at a level where they are able to provide these proactive solutions.  Some of the ways is in ensuring that they have access to key decision makers and to key strategy documents, as this allows for the internal auditors to be aware of the key changes, and the direction the organisation is taking.

Leave a Reply