Hello, everyone! I know your secret fantasy is to spend more time with auditors. While we would like to spend more time with you as well, I think we can both agree that it would be more enjoyable to spend that time sharing a good meal, relaxing at a happy hour, or something like that, rather than doing the testing. So, I’ve compiled the top five ways that we typically find clients spending time with us, not because they want to but because they have to.
I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.
That’s a myth in Sarbanes-Oxley (SOX) and in internal audit. In particular, we commonly see evidence or support that’s not readily available because the files we ask for are in your personal email account. Or it takes you time to sort through your emails when we ask, “Did you review such and such reconciliation?” And you’ll say, “Yes, I sent an email, and I asked a bunch of great questions.” Then our follow up question is “Please show me.”
And if you’re like most of us, we get lots of emails and we file them away. I file things in very safe places and never remember where those safe places are, so the risk then is that you’re going to lose the historical information. Imagine that you’re the controller, you get promoted to VP of Finance, you get promoted to CFO, or you’re the sole source of this information.
No one else has it. So, the best practice that we consistently tell our clients is to print and/or save the supporting approval, explanation, exception, reports, transactions, invoice, whatever it is, in a centralized folder. Whether it’s Q1, name it something so that its easy for you to access it. Sometimes, we realize that some spreadsheet contains larger information, and they’re not in soft copy. You can place it in a SOX binder so that you can easily find it in the future.
Really common with narratives or flowcharts is the inaccurate procedures or the controls that you’re performing or the incompleteness of it. It just happens because, let’s say in the first quarter, you implemented something and it worked fine, but then for the second quarter, you found a better process, a better way of doing it, hence, a better way of running the report.
You make some changes to it and, now, the documentation doesn’t agree. Unfortunately, since the auditors weren’t there when it transpired, the new process is not known. So, when the old control language is pulled up and an attempt is made to verify it’s still accurate, the steps will be questioned like, “Oh, it looks like you pull up the AR Aging from this particular system, and this is the report name.” Then you say, “No, I don’t use that report. I don’t use that system anymore.”
It throws everybody off and, now, the procedures don’t match, which makes us have to spend more time with you.
So our suggestion is to review the process narratives or the flowcharts in detail and provide comments where they are needed. So, if you aren’t the owner of that particular narrative and you notice something about the process and the control that needs tweaking, let the control owner know or if you do own it, then update the narratives or the flowcharts.
It will save you time in updating. Take notes as things are happening because it will save time two or three months later when you are retracing why this control doesn’t match up with what you’re doing.
We commonly see supporting documents that don’t fit the story. Imagine that someone goes on a leave of absence. Now, the reviewer has to endorse the documents to another person. When you present the documents for review and approval and the information is not accurate, it will pose a problem for the next reviewer. Hence, this is a pitfall why documents do not match.
Even worse if there are missing screenshots, reports, or anything that supports that explanation. Imagine that you’re telling a story and explaining to the next reviewer why puzzle pieces don’t fit together. So, the best practice recommendation is to look through each of these documents before you pursue your own documentation or conclusion.
A third person may be needed to review your work while understanding the trail of events. Write a note that expounds on the discrepancies. Describe it, tell us why it’s acceptable or not accurate.
So often, we see files, documents, spreadsheets that contain formula errors. Sometimes, those formula errors don’t mean anything. They may be on the side, but what that does is it leads us to believe – maybe your review wasn’t sufficient. Worse yet, the formulas do matter, and it throws everything off.
So, our suggestion is to build in cross checks in that spreadsheet. We know, it’s commission and bonus spreadsheets typically that are linked to multiple places, and it’s so easy for someone to accidentally delete a cell. If that happens, it causes errors throughout the spreadsheet. Though we know that you have diligence, one error found will lead us to do more work. We don’t really want to have to do that either.
Our suggestion is to scan the cells, check the formulas, or where things are hardcoded for accuracy. Then lock or password-protect certain cells, certain spreadsheets, so it prevents anyone from having access to confidential information or accidentally deleting a particular formula that you’ve worked so hard to put together.
Finally, drum roll, please
This is happening to all of our clients. I know it’s not easy because we know that you do your work really well. Yet when we don’t see initials/signatures or dates, it’s seen as the non-existent or vague wording of the procedures that you’ve reviewed.
As an example, let’s say you were looking at a bank reconciliation and there is an outstanding check that’s been here for six months. You probably asked about it the first month, and then just wrote, “Asked about this. This check hasn’t cleared yet. Will clear next month.”
You need something that would help when we see no evidence and there’s a reconciling item or something there that prompts the question. In such cases, we would think: “Did you really review it or did you just sign something to push it out the door?” So sign and date the final version, write brief notes of the procedures that were performed, and identify the items that you’ve reviewed.
Circle it. Box it. Mark it. Use tick marks. Do something to show us that you’ve asked questions or write the following phrases as you see appropriate: “Not material; passed;l asked a question; and here’s the result.”
So, here’s a quick recap on the five ways that you could spend more time with auditors.
Instead of using one of the above five ways to spend more time with us, how about eliminating those reasons and scheduling an lunch or happy hour with us? As I’m sure you’ll agree, we’d enjoy those occasions much more than having to dig through emails or discussing inconsistencies in procedures or documentation.
Have a great day!