- Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
- How is independence maintained when working for the company as an internal auditor?
- When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
Kevin Berg says
1. Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
I have been a part of an ISO 9001 audit, so I am not sure if that is the same thing. However, I will share that the auditor reviewed our skills matrix process by having me walk him through the tables, the security and the stored procedures that controlled the process. I demonstrated to him that if a spec document gets updated on SharePoint, then the stored procedure that runs every fifteen minutes would find the update and invalidate the employees trained on that document. That way they cannot assemble a product that an engineer has made a change to until the engineer trains the group leader, who then retrains the assemblers.
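The document-change control Kevin describes, modelled as an added example (my code, not Kevin's or his company's; his control lives in a SharePoint-polling stored procedure, and the table names, columns and the "valid only for the exact revision trained on" rule below are my assumptions). It uses an in-memory sqlite3 database so it runs stand-alone: `publish_revision` plays the engineer's spec update, `invalidate_stale_training` plays the scheduled job, and `can_assemble` is the gate an assembler would hit.

```python
"""Added example (not Kevin's code): a document-change control that invalidates
training records when the controlling spec changes, modelled with sqlite3.

Assumptions (mine, not from the post): the table and column names, and the
rule that a training record is valid only for the revision it was taken on.
"""
import sqlite3

SCHEMA = """
CREATE TABLE spec_document (
    doc_id   TEXT PRIMARY KEY,
    revision INTEGER NOT NULL
);
CREATE TABLE product_document (      -- which specs an assembler needs per product
    product_id TEXT NOT NULL,
    doc_id     TEXT NOT NULL REFERENCES spec_document(doc_id),
    PRIMARY KEY (product_id, doc_id)
);
CREATE TABLE training (              -- the skills matrix
    employee_id      TEXT NOT NULL,
    doc_id           TEXT NOT NULL REFERENCES spec_document(doc_id),
    trained_revision INTEGER NOT NULL,
    is_valid         INTEGER NOT NULL DEFAULT 1,
    PRIMARY KEY (employee_id, doc_id)
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def publish_revision(conn, doc_id, revision):
    """Engineer releases a new revision of a spec (the SharePoint update)."""
    conn.execute(
        "INSERT INTO spec_document(doc_id, revision) VALUES (?, ?) "
        "ON CONFLICT(doc_id) DO UPDATE SET revision = excluded.revision",
        (doc_id, revision),
    )
    conn.commit()


def record_training(conn, employee_id, doc_id):
    """Group leader signs off that the employee was trained on the current revision."""
    (rev,) = conn.execute(
        "SELECT revision FROM spec_document WHERE doc_id = ?", (doc_id,)
    ).fetchone()
    conn.execute(
        "INSERT INTO training(employee_id, doc_id, trained_revision, is_valid) "
        "VALUES (?, ?, ?, 1) "
        "ON CONFLICT(employee_id, doc_id) DO UPDATE SET "
        "trained_revision = excluded.trained_revision, is_valid = 1",
        (employee_id, doc_id, rev),
    )
    conn.commit()


def invalidate_stale_training(conn) -> int:
    """The scheduled job: training taken against an older revision is invalidated.
    Returns how many records were invalidated, so each run can be logged."""
    cur = conn.execute(
        "UPDATE training SET is_valid = 0 "
        "WHERE is_valid = 1 AND trained_revision < "
        "(SELECT revision FROM spec_document d WHERE d.doc_id = training.doc_id)"
    )
    conn.commit()
    return cur.rowcount


def can_assemble(conn, employee_id, product_id) -> bool:
    """True only if the employee holds a valid record for every spec the product needs."""
    missing = conn.execute(
        "SELECT pd.doc_id FROM product_document pd "
        "LEFT JOIN training t ON t.doc_id = pd.doc_id "
        "  AND t.employee_id = ? AND t.is_valid = 1 "
        "WHERE pd.product_id = ? AND t.employee_id IS NULL",
        (employee_id, product_id),
    ).fetchall()
    return not missing


def demo():
    """Walk through the scenario from the post with constructed data."""
    conn = open_db()
    publish_revision(conn, "SPEC-100", 1)
    conn.execute("INSERT INTO product_document VALUES ('WIDGET', 'SPEC-100')")
    record_training(conn, "asm-1", "SPEC-100")
    before = can_assemble(conn, "asm-1", "WIDGET")    # trained on rev 1: allowed
    publish_revision(conn, "SPEC-100", 2)             # engineer changes the spec
    invalidated = invalidate_stale_training(conn)     # next scheduled run: 1 record
    during = can_assemble(conn, "asm-1", "WIDGET")    # blocked until retrained
    record_training(conn, "asm-1", "SPEC-100")        # retrained on rev 2
    after = can_assemble(conn, "asm-1", "WIDGET")     # allowed again
    return before, invalidated, during, after


if __name__ == "__main__":
    print(demo())
```

The job returns the number of records it invalidated, which is the figure an auditor would want to reconcile against the document change log; the gate checks every spec a product depends on, so one stale record blocks the whole product rather than just the changed step.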
Michelangelo C. Collura says
So this appears like the auditor was checking the process in your department and actually providing some feedback? Perhaps I misunderstood, but this shows that the auditor in your firm is apparently capable of strong autonomy, being allowed to speak to whoever at any time to investigate within the scope of the audit. I would wonder if a firm’s auditors tend to make their scope parameters known to those they interview, so as to avoid overstepping their authority.
Kevin Berg says
2. How is independence maintained when working for the company as an internal auditor?
I see the internal auditors come in but do not interact with them. By my observation, they get their own conference room and set up their base. Every once in a while the accountant will provide requested documents for purchase orders, customer orders, inventory records and payroll. We also have a third-party consultant that comes in and reviews the financial statements once a month, which gives even more transparency into our accounting.
Parneet Toor says
Great observation, Kevin. Ultimately, everything an auditor does is to assist the business in reducing risk, identified or not. They should maintain independence as well as report on findings and recommendations to implement better controls in their respective areas.
Jing Jiang says
Good internal audit examples. You refer to many examples related to the collection of evidence, which is an important part of the auditing process in providing reasonable opinions on a company's operations and financial situation. A third-party consultant, as you mentioned, reviewing the financial statements and providing transparency is also a good way to maintain the independence of the internal audit work. A third party will provide a more objective opinion, with less opportunity to be influenced by the operations of the company.
Andres Galarza says
In addition to what you said, my organization enshrines the separation in board-level policies. We use the “Three Lines of Defense” concept to put walls up between the Lines of Business, Internal Audit and External Audit from a compliance perspective.
Kevin Berg says
3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
As mentioned in my previous post, we have a third-party consultant come in once a month. The reason for this is that the owners put the finances in the power of two people: the Controller (main accountant) and human resources. They spend about $2,000 a month on a third-party consultant plus a yearly audit. Judging the costs here, it would seem that they could hire a third person to reduce collusion, but they feel that these measures are adequate to deter fraud and collusion without having to hire somebody who will require salary + benefits.
Michelangelo C. Collura says
Very good point about costs for hiring. A third party allows the firm to have auditing as a service without all those costs, like healthcare, as you mention. Those are huge costs to a firm, particularly if someone has a family, so it does indeed make sense to stick to a fixed rate with a third party – a rate lower than the alternative.
Lezlie Jiles says
1. Have you ever been involved in an internal audit or audit of your process/project? Briefly describe.
Yes, I was the auditee. We typically go through an internal audit every two years or so. Depending on the areas involved, we will request an introductory/opening meeting. The opening meeting identifies the areas under review, as well as providing an opportunity to request that other areas be included. Once all the areas are identified, we receive a request for documentation or to schedule a meeting to begin the review. After the review, and depending on what was identified during the review, a closing meeting may be requested. The closing meeting is usually driven only by what was revealed in the audit report. After the closing meeting has concluded, a final audit report is generated and sent to our Board members and C-level management.
Binju Gaire says
Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
I have not been involved with an internal audit or audit process. However, I have been involved in an audit process as an external auditor. I worked as a staff auditor for the Missouri State Government and audited local governments and state agencies. A typical audit process for us would start with an entrance conference, followed by a survey, audit plan, time summary, internal controls, test work, communicating findings with the auditee at the exit conference, and report writing. The external process would take up to two to three months to complete, depending on the size of the local government or state agency.
Binju Gaire says
2. How is independence maintained when working for the company as an internal auditor?
I am not certain how independence is maintained when working for the company as an internal auditor, since I have not been involved in the internal audit process. However, when I was involved in the audit process as an external auditor, we maintained independence by agreeing to and signing a statement that indicated none of the employees at the local governments and state agencies (our clients) were related to us. Also, we would be given a room to set up our work, and we used to have our own lockers in which to put the documents.
Parneet Toor says
Agree with you, Binju. An internal or external auditor's independence is maintained by their ability to maintain objectivity. They should have no personal or professional involvement with the area being audited, which is why a statement is signed by auditors. Overall, auditors should have access to records and personnel as necessary, and be allowed to employ appropriate techniques without impediments.
Michelangelo C. Collura says
The controls they put in place for your team seem pretty straightforward, providing some risk mitigation without causing hardship or unnecessary complexity. As an external team, you aren’t capable of being involved in the operations of the audited organization (though you may have worked there before). I imagine the forms you signed cover this possibility, but you didn’t specify that, so perhaps this is a potential weakness in the forms the organization used to ensure independence and objectivity. All in all, I would personally like to try my hand at the external auditor role simply because of that objectivity – it seems a lot easier to handle that type of relationship to the audited entity.
Parneet Toor says
2. How is independence maintained when working for the company as an internal auditor?
Maintaining independence is crucial for an internal auditor of the company because they should not be involved with the procedures, since they will be the ones conducting audits on them. They must be independent of what they could be auditing so that they remain unbiased when making decisions. In this way their audit decisions are not influenced by management. The company should consider auditors as advisors, advocates, and partners in the business of control monitoring and strengthening governance.
Khawlah Abdulaziz Alswailem says
I agree with you, Parneet
In order to maintain the necessary independence, auditors should consider the following:
• Maintaining the appropriate distance while crafting relationships with other business units is important for internal auditors.
• Proper reporting relationships and following industry standards and CPA ethical guidelines.
• Outsourcing audit work may be necessary to avoid the appearance of impropriety or a conflict of interest.
Binju Gaire says
Great points, Parneet. It is important that auditors maintain independence to make unbiased decisions. In order for an organization to be successful, the internal auditors should be independent of any other tasks that are performed within the organization. The internal auditors themselves should strictly comply with the SOD control.
Lezlie Jiles says
How is independence maintained when working for the company as an internal auditor?
Independence during the internal audit activities is maintained by the audit commission by utilizing a dual reporting relationship to management and the organization's senior executives. The internal auditors should have access to accounts, records, and employees if required. They should also have the ability to implement appropriate probing techniques without any obstructions. Also, an auditor cannot be involved in creating policies and procedures.
Michelangelo C. Collura says
The obstructions point is very good, particularly since auditors might audit the very management they’re reporting to. This means everyone involved needs to have some level of civility and professionalism to avoid conflict of interest and to ensure that proper oversight and application of recommendations occurs.
M. Sarush Faruqi says
Lezlie,
Great points. In my eyes, audits are designed to find gaps in the processes. For that to happen, having the proper data and people is needed to conduct tests. As an internal auditor, one might be more experienced with the internal processes of the company compared to an external auditor who is looking in from the outside. Internal auditors should be given the proper necessities to find gaps before the external auditors do. From my experience, I've seen internal auditors being given the opportunity to create audit-specific login credentials for certain applications to conduct their tests. They could perform the needed tests with these credentials, and all of their activities would be logged under the audit login credentials.
Andres Galarza says
Your comment made me think of something that came up at my company’s last conference/outing. My CISO reports to the CIO, which I don’t like conceptually. The CIO has a potential conflict of interest with the CISO, and his or her ability to trump the CISO because of the organizational structure doesn’t sit well with me.
Lezlie Jiles says
3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
The cost of implementing a compliance control is higher than the benefit obtained when the cost of the loss linked to the compliance risk is less than the cost of actualizing the control. To ensure efficiency and profitability a risk assessment should be performed to calculate the possible loss which will assist the organization in making a decision about what controls to implement.
Khawlah Abdulaziz Alswailem says
I agree with you, Lezlie
The first step towards implementing a compliance control is to decide whether to accept, mitigate, avoid or transfer the risk. A cost-benefit analysis must be performed to assess whether the compliance control cost is higher than the benefit obtained.
In the situation in which the compliance control cost is higher than the benefit obtained (the potential risk far exceeds the potential benefits), the risk should be avoided and no compliance control should be put in place for such a risk, as it is simply adding cost for the organization.
Parneet Toor says
3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
The cost of implementing a compliance control is higher than the benefit obtained when, for an organization, the cost of the loss associated with the compliance risk is less than the cost of implementing the control. A risk-based approach in such a situation will enable organizations to manage risks in a balanced and efficient way that reflects the value that is being protected. If the threat is low impact and the likelihood is low, the threat does not have the capability to cause significant harm.
M. Sarush Faruqi says
Parneet,
Great post. I absolutely agree on taking a risk-based approach when deciding to implement specific controls. This is where a risk matrix will help in the evaluation process. A risk matrix can be used during the risk assessment process to decide the level of risk for certain activities based on the likelihood and consequences if the risk were to actually occur. The one thing to note is that not all risks can be eliminated. If a compliance control is too expensive to implement considering the loss, one should consider implementing less expensive compensating controls to alleviate the impact of the risk or to get some level of mitigation for it.
Michelangelo C. Collura says
Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
I have not audited a process, but I have been on the receiving end of some quality control in a warehouse operation. Performance metrics were used to ensure staff were moving a minimum number of items every hour; these were logged using individual scanner guns as you’d see in grocery stores. When a new item is taken, a scan logged its location and who took it. These metrics then went to the QC staff who followed up as needed. If a given department was falling behind, they might get audited to locate the weakest staff with the lowest numbers, either replacing those staff or doing some sort of intervention to get their numbers up.
Binju Gaire says
Michelangelo, that seems like a thorough procedure for ensuring quality control in a warehouse operation. Scanner guns are a helpful tool in the procedure and avoid any errors in logging items. I agree with following up with employees who fall behind in the procedure because it avoids fraud, theft and misuse of items.
Andres Galarza says
This is a good illustration of how audit and quality control/assurance interact.
Michelangelo C. Collura says
How is independence maintained when working for the company as an internal auditor?
In an audit charter, clear reporting responsibilities should show that the auditors must report to both management and the most senior oversight group, such as the board. This charter should also clearly explain the auditor's purpose, authority and responsibility, so that everyone in the firm has a clear understanding of their capabilities. The auditors should maintain objectivity in their work, and this means they can't audit processes or activities that they've been personally involved with. My understanding is that a year or more must act as a buffer. Finally, an auditor should adhere to the firm's code of ethics and any regulatory requirements that exist for their industry.
https://global.theiia.org/about/about-internal-auditing/_layouts/mobile/dispform.aspx?List=2775e335-7dae-41e3-ac49-be4dbe45c804&View=cc3a7887-16e8-45f6-891b-8730c4dc771c&ID=2
Parneet Toor says
I agree with you Michelangelo, I think Independence and objectivity are two critical components of an effective internal audit activity. Therefore, the internal audit activity should have a mandate through a written audit charter that establishes its purpose, authority, and responsibility to support its independence and objectivity within an organization.
M. Sarush Faruqi says
Michelangelo,
Great points. You seem to make some salient points. If the roles and responsibilities are put into a document such as an audit charter, everyone from the auditor to management will be on the same page as to what the audit entails and the activities which are going to be conducted during the audit. It is important that the auditor act as a consultant and provide feedback rather than be involved in the implementation of certain controls. This will eliminate the issue of being involved in certain activities before auditing them. An auditor should be given the power to obtain documentation and conduct tests if needed, which I feel should be outlined in the audit charter.
Michelangelo C. Collura says
When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
This really depends on the firm and the specific situation. The cost is likely measured in dollars lost, so we would need to look at the cost in lost revenue from adopting that control vs. the risks tied to non-compliance. For example, designing, implementing and controlling a SOX control might cost $1 million a year, but the cost to the firm from non-compliance would be millions in fines and litigation costs and possible prison time for the CEO or CFO (however unlikely). The probability of the risk might be deemed low enough to take the hit and save the million. Another example would be a shipping company disregarding safety compliance controls to get more drivers out on the road. At the end of the day, a firm's culture determines what level of risk tolerance it has to either accept risk or mitigate it. In my experience, this almost always leans toward profitability and away from compliance.
Jing Jiang says
Good comparison between the compliance and non-compliance costs, and also a good example of the shipping company. In my words, the cost of implementing the compliance control is higher than the benefit obtained when the company's controls are working in an effective and affordable way. Standardizing the process and using an improved process template would be helpful to achieve a cost-efficient result.
Jing Jiang says
Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
I have not been involved with an internal audit, but I have had many class projects related to internal audit. Conducting an internal audit of a project usually begins with an audit plan. The plan usually includes the audit scope, objectives, audit timeline, and other information or important documents needed, such as policies and procedures, existing controls, etc. Then comes the risk assessment, which usually includes risk identification, analysis of the impact, and testing the effectiveness of the controls. With the risk assessment, we know the risk priority, so that we can provide control advice starting from the highest risk. Audit documentation is required to be maintained, which records the planning, procedures performed, gathered evidence and main findings. In the real world, after providing mitigations, continued monitoring is important.
Xiaomin Dong says
Great point, Jing. I have never been involved with an internal audit or audit of my process/project either, and like you said, I did some internal audit projects in class as well. You explained literally everything I did during the project, so I think I don't have anything to add.
Binju Gaire says
Jing, your explanation of the audit process is right. As someone who has been a part of the audit process, I agree with the steps you have outlined for the thorough conduct of an audit. The process involves a plan, testing the controls and communicating the results of the tests, with recommendations, to the auditee. The recommendations can be verbal as well as in writing.
Jing Jiang says
How is independence maintained when working for the company as an internal auditor?
Internal auditors are independent when they conduct their work without bias and with no personal involvement with the area being audited. I don't know how independence is maintained in the real world, since I have little working experience related to internal auditing. But I think a policy with a Code of Ethics that requires the internal auditor to be independent should be established. The policy would be a good way to restrict and standardize employees' behavior. Before the auditor starts his work, having a document that records the purpose, authority, and responsibility of the internal auditor, signed by the auditor, would also be an effective way to enforce independence. In addition, an internal auditor should communicate the findings directly to the board, such as the audit committee, and the auditing work should be properly segregated from operating duties to reduce potential fraud and errors.
M. Sarush Faruqi says
Jing,
Great points. A Code of Ethics agreement is definitely a good way to ensure that auditors perform their work independent of the specific department or process they are auditing. In addition, it may also be beneficial for auditors to go through audit specific ethics trainings to create awareness on how important it is to have a sense of independence during the auditing process. It is important that the auditing department as a whole should not report to a specific business unit within the organization. The department should be independent and should report to the Audit Committee on the Board of Directors. As you mentioned, a segregation of the auditing work will reduce the risk of fraud if there is no personal connections between the auditors and auditees.
Mengting Li says
I agree with you, Jing. The audit charter should establish independence of the internal audit activity by the dual reporting relationship to management and the organization’s most senior oversight group. Specifically, the CAE should report to executive management for assistance in establishing direction, support, and administrative interface; and typically to the audit committee for strategic direction, reinforcement, and accountability. The internal auditors should have access to records and personnel as necessary, and be allowed to employ appropriate probing techniques without impediment.
Jing Jiang says
When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
The cost of implementing a compliance control is higher than the benefit obtained when the expensive compliance costs cannot result in corresponding effectiveness and benefits from the compliance.
To ensure efficiency and profitability, an organization should understand the costs and try to reduce them. The compliance costs include all costs associated with investments (direct and indirect costs), such as capital investment, labor costs, leasing costs, etc. To reduce the costs, a company should conduct a proper risk assessment and optimize the effectiveness of the business process. The risk assessment includes risk identification, analysis, evaluation, and control. A risk assessment can result in good awareness of potential risks, the priority of the risks, existing controls and new controls required, and meet proper compliance. The effectiveness of the business process can be achieved by standardizing the business process with formalized conceptual models and representation languages. The standardized process will make the work process easier, which increases work efficiency and also saves money compared with dealing with disharmonious processes. For example, when expanding or adding new functions to a system, an organization can rapidly deploy the compliance architecture based on the existing templates and language. A proper risk assessment and a standardized process and language will help an organization build strong business continuity and focus on future development by saving money and time. In this way, an organization can ensure efficiency and profitability when implementing compliance.
M. Sarush Faruqi says
How is independence maintained when working for the company as an internal auditor?
From my observation, independence is maintained starting from the organizational structure of the organization. The audit department is generally led by the Chief Audit Executive (CAE) who ultimately reports to the Audit Committee of the Board of Directors. The auditing department does not report to a specific business unit where particular business processes are carried out on a daily basis. When an audit is set to begin, auditors are typically given a designated area to work in. There are specific people who they can reach out to for requested documentation. Although these documents may be stored in a central location, a designated employee usually a senior or manager provides the documents to prevent auditors from having access to documents they should not be able to view and see. If an application audit is taking place, I’ve experienced auditors being given the right to create their own ‘audit specific’ login credentials and get into the application to go through the items in the scope of the audit. Any activity they do within the application is logged under the specific audit login credentials. For this to occur, special requests are given with the auditor’s name and information. Since multiple audits take place throughout the year, many auditors are not assigned to audits where they know someone personally within the department. This is to eliminate conflict of interest and maintain independence.
Xiaomin Dong says
2. How is independence maintained when working for the company as an internal auditor?
Internal auditors must maintain independence in order to provide objective assessments of a company’s processes. These auditors should report directly to an audit committee or board, rather than any company executives. This will ensure that internal auditors are not pressured from the top in a way that may influence their work. In addition, internal auditors should have a professional, but not overly close, relationship with business units they may have to audit.
Khawlah Abdulaziz Alswailem says
I agree with you, Xiaomin.
Adding to your points, Independence is further enhanced if the CAE reports to the board through its audit committee on the planning, execution, and results of audit activities. The audit committee is also responsible for the appointment, removal, and fixation of compensation of the CAE. The committee should safeguard the independence by approving the internal audit charter and mandate periodically.
https://na.theiia.org/about-us/about-ia/Pages/frequently-asked-questions.aspx
Binju Gaire says
Xiaomin, I agree with your explanation. Internal auditors should indeed have professional relationship with the employees from the departments/units they audit within an organization. I believe this will help them to make an unbiased decision and does not influence their work in any form.
Qiyu Chen says
Rightly said, Xiaomin. Auditors should report directly to an Audit Committee rather than a company executive whose position and interests could end up affecting the auditor's assessment. Since you have been an auditor / on an audit team, could you tell us if the organization had a culture whereby auditors were encouraged to act and assess independently?
Xiaomin Dong says
3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
Oftentimes, the cost of implementing a compliance control remains a sore point for corporate executives, but consultants say the whirlwind of regulations surrounding businesses means skimping on compliance could end up costing a lot if regulators catch you out. Then the company will face not only dollar costs but the cost in time as well, because the time you spend responding to and monitoring these regulations is increasing. Compared with skimping on implementing a compliance control, reducing the costs is a good way to ensure efficiency and profitability within an organization. The best practices to reduce compliance costs are: streamline gap analysis, kick spreadsheets to the curb, mesh compliance and security practices, prepare for consultants and auditors, and provide executives with business-friendly information.
Mengting Li says
Great point, Xiaomin. I agree with the best practices to reduce compliance costs:
1. Streamline Gap Analysis: Streamline gap analysis to quickly find requirement changes in updated regulations and additional requirements in new regulations that are currently unmet by existing IT security practices.
2. Kick Spreadsheets to the Curb: Eliminate spreadsheets and automate the information-gathering process necessary to prove compliance with specific regulatory requirements.
3. Mesh Compliance and Security Practices: Overlay security practices on top of compliance efforts to avoid “checkbox compliance” mentality and maximize real security effectiveness through required compliance spending.
Khawlah Abdulaziz Alswailem says
Q2. How is independence maintained when working for the company as an internal auditor?
In order to maintain independence, the internal auditor should have objectivity as their mental attitude. To maintain objectivity, internal auditors should have no personal/professional involvement with or allegiance to the area being audited, and should maintain an unbiased and impartial mindset in regard to all engagements. In addition, the internal auditor should report to executive management for assistance in establishing direction, support, and administrative interface, and typically to the audit committee for strategic direction, reinforcement, and accountability. They also should have access to records and personnel as necessary, and be allowed to employ appropriate probing techniques without impediment.
https://www2.fin.ucar.edu/faqs/ia/how-does-internal-auditor-maintain-independence-and-objectivity
Khawlah Abdulaziz Alswailem says
Q3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
In my opinion, the cost of implementing a compliance control is higher than the benefit obtained when, for an organization, the cost of the loss associated with the compliance risk is less than the cost of implementing the control. Risk assessments, including impact and likelihood analysis of each risk, must first be performed, which can help to measure the expected loss from each risk. Once an understanding of the cost associated with the risk itself is achieved, an organization can make more informed decisions regarding what controls will be beneficial to implement.
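The "expected loss versus control cost" rule that Lezlie, Sarush and Khawlah describe, worked through as an added example (my code, not from any post in this thread) in the usual annualized-loss form: ALE = SLE × ARO, and a control pays for itself only when the ALE it removes exceeds its annual cost. The risks, controls and dollar figures are constructed for illustration. It also covers Sarush's point about falling back to a cheaper compensating control, by ranking candidates by net benefit and recommending acceptance when none is positive.

```python
"""Added example (not from the discussion): quantitative control cost-benefit
check. ALE = SLE * ARO (single loss expectancy times annual rate of
occurrence). A control is justified when the ALE it removes exceeds its
annual cost; otherwise the risk is accepted or a cheaper control is chosen.
All names and figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float        # single loss expectancy, dollars per incident (impact)
    aro: float        # expected incidents per year (likelihood)

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: the expected loss the control must beat."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float = 0.0   # fraction of incidents prevented (0..1)
    sle_reduction: float = 0.0   # fraction of per-incident loss removed (0..1)

    def residual_ale(self, risk: Risk) -> float:
        """Expected loss that remains once this control is in place."""
        return (risk.sle * (1 - self.sle_reduction)
                * risk.aro * (1 - self.aro_reduction))

    def net_benefit(self, risk: Risk) -> float:
        """Loss avoided minus what the control costs; positive means it pays."""
        return (risk.ale - self.residual_ale(risk)) - self.annual_cost


def recommend(risk: Risk, candidates: list[Control]) -> tuple[str, float]:
    """Pick the control with the highest positive net benefit. If none is
    positive, the control costs more than the loss it prevents, which is the
    situation the question asks about, and the risk is accepted."""
    best = max(candidates, key=lambda c: c.net_benefit(risk))
    if best.net_benefit(risk) <= 0:
        return ("accept", 0.0)
    return (best.name, best.net_benefit(risk))


# Constructed figures, not taken from any post. ALE for PHISHING is 80,000.
PHISHING = Risk("credential phishing", sle=40_000, aro=2.0)
CANDIDATES = [
    # residual 8,000  -> avoids 72,000 -> net +47,000
    Control("hardware-key MFA", annual_cost=25_000, aro_reduction=0.9),
    # residual 56,000 -> avoids 24,000 -> net +18,000 (cheaper compensating option)
    Control("awareness training", annual_cost=6_000, aro_reduction=0.3),
    # residual 4,000  -> avoids 76,000 -> net -74,000 (costs more than it saves)
    Control("outsourced SOC", annual_cost=150_000, aro_reduction=0.95),
]

# A low-impact, low-likelihood risk: ALE 250, so a 3,000/yr control is not worth it.
LOW_RISK = Risk("defaced internal wiki", sle=500, aro=0.5)
LOW_CANDIDATES = [Control("WAF subscription", annual_cost=3_000, aro_reduction=0.8)]


if __name__ == "__main__":
    print(recommend(PHISHING, CANDIDATES))
    print(recommend(LOW_RISK, LOW_CANDIDATES))
```

The ranking makes the trade-off explicit: the most effective control is not chosen when its cost exceeds the loss it prevents, and a cheaper partial control is still reported as a positive option, which is the compensating-control case. In practice the SLE and ARO inputs come from the risk assessment the posts above describe, and the sensitivity of the result to those estimates is what a reviewer should challenge.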
Mengting Li says
Have you ever been involved with an internal audit or audit of your process/project? Briefly describe.
For me, I also don’t have any experience related to internal audit or audit process. Based on my research, the audit process begins with planning the audit. During this phase, the audit team will perform the following: Distribute Audit Notification, Conduct Pre-Audit Meeting, Interview Department Personnel, Review Policies and Procedures, Understand and Document the Business Processes, Perform Risk Assessment, Prepare a Detailed Audit Program, Prepare audit budget (in hours), and Select items to be Audited (samples, not 100%).
The second phase of the audit is called fieldwork. During this phase, the audit team will physically be on site at the audit client’s location performing the audit. The following are some of the procedures generally performed during fieldwork: Review Supporting Documentation, Interview department personnel, Perform analyses, Identify Exceptions, Identify Recommendations for Improvement, Prepare Written Audit Comments (i.e., findings), Department Provides Written Response and Corrective Action Plan for findings.
The third phase of the audit is reporting. During this phase, the auditor in charge will prepare the written audit report which summarizes and communicates the audit results: Issue a draft report, Discuss draft report with unit management, Issue final report, Report is factual, clear, concise, and in an appropriate tone, Report distribution.
Matthew J. Dampf says
“The following are some of the procedures generally performed during fieldwork…. Interview department personnel”
Good answer overall, but I wanted to comment on this part. While it’s definitely true that this needs to be performed, it’s important not to disturb the daily operations of the department you’re auditing. The auditor is there to do a job, but so are the employees.
Mengting Li says
How is independence maintained when working for the company as an internal auditor?
As far as I know, the internal auditor should report to executive management for assistance in establishing direction, support, and administrative interface; and typically to the audit committee for strategic direction, reinforcement, and accountability. The internal auditor should have access to records and personnel as necessary, and be allowed to employ appropriate probing techniques without impediment. Objectivity is a mental attitude that internal auditors should maintain while performing engagements. To maintain objectivity, internal auditors should have no personal or professional involvement with or allegiance to the area being audited; and should maintain an unbiased and impartial mindset in regard to all engagements.
https://www2.fin.ucar.edu/faqs/ia/how-does-internal-auditor-maintain-independence-and-objectivity
Mengting Li says
When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
The reason why an organization puts a control in the system is that risks may incur financial loss. In order to decrease the risk, the best way is to have a control in the system. The control might cost a certain amount of money, as long as the cost is lower than the financial loss that might occur from the risk. However, it is possible to reduce its cost by applying some standards and techniques that improve the efficiency and effectiveness of compliance processes.
Matthew J. Dampf says
1. Have you ever been involved with an internal audit or audit of your process / project?
As an IT worker, the one type that we’re prepared for is a software licensing audit. We’ve never actually been audited, but we’re ready for it if it happens. We prepare for this by having documentation for each piece of software we have installed – whether it’s paid software or if it’s free.
We have a few controls that help keep us in compliance with licensing policies. The first is that we require the licensing to be provided for any software that users need installed. It’s easy to manage this for paid software because we’re ordering it right from the vendor, but more difficult for free software, as some software is free for home usage, but not in a business environment. IT will verify the terms of the license in cases like these. The second control is that users cannot install software on their own machines. This ensures that users can’t circumvent the first control on their own.
Binju Gaire says
This is a great explanation, Matthew. I was not aware of the software licensing audit. From your explanations it seems that preparing for a software licensing audit is similar to preparing for other audit types in one way, which is retaining documentation. Auditors always look for documentation that serves as a supporting file for the context they are auditing. Also, with the help of the documentation they can determine if the controls are in their proper place or not.
Matthew J. Dampf says
2. How is independence maintained when working for the company as an internal auditor?
I’ve never personally been involved in this, nor have I interacted with internal audit, but I imagine it’s important to be physically separated from the departments you’re going to be involved in auditing. Personal relationships can cloud judgement, and minimizing these relationships between auditors and auditees can help maintain objectivity.
Reporting lines are also important. Audit and the departments being audited shouldn’t be reporting to the same people. Audit should report to a committee that reports to the CEO while departments report to their normal chains. This keeps audit truly independent, as no senior manager is responsible for essentially auditing himself.
Matthew J. Dampf says
3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
The likelihood of a risk coming to fruition multiplied by the actual cost if it does should be lower than the cost of implementing a control. If not, then the cost of control implementation is too high. A risk assessment calculating the costs of risks and control implementation should be performed and used as a guide to maintain profitability and efficiency.
Andres Galarza says
Excellent point. At the end of the day, it’s a math problem and a question of value.
Qiyu Chen says
1. Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
When I am involved with the internal audit, the process is like the following steps:
Planning, Preliminary Survey & Risk Assessment: Client engagement and acceptance. Define audit scope and objective. Identify areas of fraud risks and potential responses. Understand business process and IT involvement environment. Understand current controls. Develop preliminary audit plan.
Testing and Fieldwork: Review and evaluate controls already in place to make sure they work properly. Develop processes and procedures for data gathering. Identify areas of deficiencies or non-compliance.
Reporting: Communicate areas noted for improvement during testing phase. Develop along with business units’ actionable corrective action plan for deficiencies identified. Develop along with business unit’s timeline to address deficiencies identified. Develop final report. Disseminate report to appropriate business entities.
Follow-up: Send request to business entities asking for update and selected random evidence to show progress on implementing action plan. Evaluate if re-testing may be necessary. If all checks out, close the audit plan.
Qiyu Chen says
2. How is independence maintained when working for the company as an internal auditor?
Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board. This can be achieved through a dual-reporting relationship. Threats to independence must be managed at the individual auditor, engagement, functional, and organizational levels.
https://na.theiia.org/standards-guidance/topics/Pages/Independence-and-Objectivity.aspx
Qiyu Chen says
3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
In my opinion, for some industries where companies are highly regulated, such as pharmaceutical companies, depending on the case their cost of implementing a compliance control would be much higher than the benefit that they would obtain. However, for a long-term goal, if the compliance control would benefit the whole company, then I think they should proceed to implement it. For example, suppose a pharmaceutical company is planning to create a medicine that will help cure many patients who are suffering from a very specific brain cancer, but the government puts a strict regulation on the company in researching those kinds of medications. The pharmaceutical company should place a compliance control that would most completely prevent them from violating the government’s regulation, which might cost them a great deal of money. It might not seem beneficial for them to implement those high-cost controls; however, after they succeed in creating the medication for that specific brain cancer, they will have a lucrative market in which to make revenue. In short, sometimes a company should invest much to meet all the requirements that the authorities set in order to go for higher benefits.
Andres Galarza says
Q1: Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
I’ve had to facilitate an audit on our documentation writing. My organization is in the midst of updating a lot of policies. During the course of that process, I was responsible for submitting the policies to our internal audit team. They, in turn, were responsible for ensuring that the policies would pass an external audit/regulatory challenge. In addition, they inspected the documents for issues such as discrepancies with previously published versions, changes that would impact the organization, etc.