Logo en.artbmxmagazine.com

Internal audit, a systemic approach and continuous improvement

Table of contents:

Anonim

Foreword

This monograph is not intended to repeat widely developed concepts, but rather to present a new approach and vision around the new internal audit and internal controls. For this reason, the advantages of outsourcing in internal audit work, the systemic vision of internal controls, the role of internal audit in the processes of continuous improvement and elimination of wastage / waste in the company, the new tools to be used with a vision of total quality management, and lastly, new approaches to be incorporated in light of changes in both technological, productive and commercial matters; which is a product of the incorporation of Just in Time, outsourcing, teleworking,internet and computing (for this last item a more detailed development of the controls to be verified is given).

1. introduction

From the experience that is accumulating day by day it is surprising the serious deficiencies that companies suffer in terms of auditing and internal control, including not only small and medium-sized companies, but also large companies, for this the famous example is enough the case of Barhing Bank, or that of large state-owned companies.

Firstly, we must underline the lack of compliance with the basic and fundamental rules on internal control, but on the other hand, there is the lack of broad concepts regarding the heritage to protect, and the methods and instruments of analysis to be used. by internal auditors.

As in quality control, the lack of planning and prevention is the norm in many companies regarding both internal control and the actions of internal audit. Therefore, it is not surprising to see the auditors trying to analyze what went wrong, why, and what to do to avoid their repetition, when the right thing is to act preventively, and if some detrimental event occurs, do not stay in the most superficial aspects. but to go deeper until reaching the root cause, trying to unravel in such a way the reasons that led the system to generate these shortcomings.

Another important aspect to question in audits is that it is perceived as an entity dedicated only to inspection (and sometimes even with a police perspective), and not to advice with the aim of protecting and improving the operation of the organization.

It is necessary to shape a new vision of the company from a systemic approach, in such a way to locate the audit as a component of said system, in charge of protecting the proper functioning of the internal control system (subsystem at company level), but also, to safeguard the proper functioning of the company for the purposes of its survival and achievement of the proposed goals.

Interestingly, only the leader who recognizes the need to view the company as a set of interrelated and interlocking systems will have discovered the key to understanding how the company really operates.

Many companies have ceased to exist as a result of their shortcomings in internal control, and in the lack of an internal audit that effectively evaluates it. The lack of good internal controls (not merely normative, but applied) have not only led to scams or fraud (be it by executives, employees or clients), but also to serious errors in decisions resulting from serious errors in information matter.

Now, when it comes to custody of assets or assets, traditional internal auditing places all its emphasis on the physical assets, rights and obligations of companies, leaving unprotected assets as valuable as customers and their levels of satisfaction, the personnel and their intellectual capital, and the quality of the goods and services produced by the company.

Another very important aspect is the location of the Internal Audit within the organizational framework regarding its degree of independence. That the Management or Department of Internal Audit remains at a level of negotiation or pressure, prevents reaching the objectives that motivate its reason for being.

In the new vision of internal auditing, it must be integrated into Total Quality Management making full use of the different instruments and management tools in order to achieve higher levels in the provision of its services.

2. Definitions and objectives

2.1. Internal audit

The United States Institute of Internal Auditors defines internal audit as “an independent activity that takes place within the company and that is aimed at reviewing accounting and other operations, in order to provide a service to management ”

It is a management control that aims to measure and evaluate the effectiveness of other controls.

The internal audit arises after the external audit due to the need to maintain permanent and more effective control within the company and to make the function of the external auditor faster and more effective. Generally, the classic internal audit has been mainly dealing with the internal control system, that is, the set of measures, policies and procedures established in companies to protect the asset, minimize the possibilities of fraud, increase operational efficiency and optimize the quality of economic-financial information. It has focused on the administrative, accounting and financial fields.

The need for internal audit becomes evident in a company as it increases in volume, geographic extension and complexity and makes direct control of operations by management impossible. Previously, control was exercised directly by the company's management through permanent contact with its middle managers, and even with the company's employees. In modern large companies this peculiar way of exercising control is no longer possible today, and hence the emergence of the so-called internal audit.

The main objective is to assist management in fulfilling its functions and responsibilities, providing objective analyzes, evaluations, recommendations and all relevant comments on the operations examined. This objective is fulfilled through other more specific ones such as the following:

a) Verify the reliability or degree of reasonableness of the accounting and non-accounting information generated at the different levels of the organization.

b) Monitor the proper functioning of the internal control system (which implies its survey and evaluation), both the accounting and operational internal control system.

2.2. Internal control

Internal control is a function that aims to safeguard and preserve the assets of the company, avoid undue disbursement of funds and offer the assurance that obligations will not be incurred without authorization.

A second definition would define internal control as “the system made up of a set of procedures (regulations and activities) that, interrelated with each other, aim to protect the assets of the organization.

Among the objectives of internal control we have

  1. Protect the assets of the organization avoiding losses due to fraud or negligence. Ensure the accuracy and veracity of accounting and off-the-shelf data, which are used by management for decision-making. Promote the efficiency of the operation. Stimulate the monitoring of management-mandated practices Promote and evaluate safety, quality, and continuous improvement.

Among the elements of a good internal control system are:

  1. An organizational plan that provides an appropriate functional distribution of authority and responsibility A plan of authorizations, accounting records, and adequate procedures to provide good accounting control over assets and liabilities, income, and expenses Effective procedures with those who carry out the projected plan. Staff duly instructed in their rights and obligations, which must be in proportion to their responsibilities.

Internal Audit is part of Internal Control, and has as one of its fundamental objectives the improvement and protection of such internal control.

2.3. Internal control evaluation techniques

The main and most commonly used techniques for evaluating internal control are:

  1. Procedural Memoranda Fluxograms Internal Control Questionnaires Statistical Techniques

To these must be added the management tools, among the main ones we have: Ishikawa diagram (also called “Fishbone”), Pareto diagram, scatter diagram, histogram and fluxograms (the last three are already contained in the aforementioned), stratification, and the Internal Control Matrix among others.

2.4. Advantages of internal audit

  1. It provides primary assistance to management by evaluating the organization and administration systems relatively independently. It facilitates a comprehensive and objective assessment of the company's problems, which are generally interpreted in a partial way by the departments concerned. Management disposition a deep knowledge of the operations of the company, provided by the work of verification of accounting and financial data. It contributes effectively to avoid the routine activities and bureaucratic inertia that generally develop in large companies. It favors the protection of the interests and assets of the company against third parties.

2.5. Internal audit engagement requirements

  1. Reviews should be carried out by persons possessing adequate technical knowledge and training as auditors. The auditor should maintain an independent mental attitude. Both in conducting the examination and in preparing the report due professional rigor should be maintained. Work should be planned Properly exercising due supervision by the most experienced auditor. Sufficient information must be obtained (through inspection, observation, investigation and confirmations) as the basis of the work.

3. Independence

It is essential to consider who the internal auditor should report to. In a company it will depend directly on the owner of the same or on a committee. In a large company, it must report to the Trustee and an Internal Control Committee (whose members do not exercise executive functions). It is essential that the members of the internal audit do not have relations with the Personnel Management (for topics such as search and recruitment of audit personnel, for training plans, ranking, liquidation and payment of salaries, vacations or special permits, etc.), you must not have commercial relations with the entity for which they work. In this way, the total independence of judgment and observation is protected, also avoiding internal "politicking" that tends to distort information and protect personnel of the entity.It is also essential that there are no direct family ties between the members of the audit and the personnel to be audited, if there is any relationship this should be recorded in the respective audit reports.

Failing to preserve the independence and objectivity (although every subject tends to subjectivity) of the auditors, prevents an optimal and effective exercise of the functions entrusted to it.

Imagine what would happen in a banking institution if the auditors requested credits or other services from that institution, it is logical to think of exchange or negotiation of favors.

4. Outsourcing

For all the above and due to lower costs, higher productivity levels and better quality levels, it would be convenient to use outsourced internal audit services. In this way, fixed costs are avoided (salaries, physical space, computers, telephone expenses), if the services are not adequate, it is easier to change the audit, when serving in different companies, the auditors have a higher level of experience, training of auditors is not the responsibility of the company but on the part of the service provider, high technology can be used as a result of which the cost of it can be subdivided among numerous clients, services with a high level of specialization can be achieved (the provider The service may have specialists in: computer auditing, security,in tax matters, in fraud, in quality and consumer satisfaction, and even auditors by type of activities), which results in better quality levels.

5. Scope of the new audit

The new audit no longer includes only traditional controls, but in the search to protect the assets of the organization it audits compliance with regulations (whether internal or external), policies and guidelines, and fundamental principles of modern business management, in everything related to the quality of products and services, levels of customer satisfaction, efficiency of administrative and production processes. In the case of quality, the internal auditor will not proceed to carry out measurements or quality controls, his function in this case is to verify the existence of said controls and they are correctly carried out.In the case of administrative and productive processes, there must be auditors duly trained in these areas and their reports will have a purely advisory focus.

In addition, due account must be taken of the effects on internal control of the following new ways of operating:

  1. Teleworking Outsourcing Internet use Use of computer networks (ATMs, electronic transfers) Globalization of markets Balanced Scorecard (need to confirm the correctness of data and the proper functioning of the computer system) Contribute to the elimination of waste and waste, contributing to their advice to the improvement of processes and activities

6. Teamwork

The best use of capacities and experiences for a more effective evaluation of internal control, as well as the investigation of special cases, make it necessary to implement teamwork, including Quality Circles in the area of ​​internal audit, as a way of improving procedures, thus achieving controls, proposals, analysis and reports of higher quality and lower costs.

7. Use of management tools

Either individually, in teams or in quality circles, use must be made of the management tools applied in terms of quality and productivity. We are referring to the seven classic tools, as well as the new tools and others that audit personnel may devise in the exercise of their tasks.

Thus we have the Ishikawa Matrix, which can be used to analyze shortcomings, detect causes of errors or illicit, search for solutions or improve internal control.

The Pareto Diagram allows, among other important functions, the prioritization of controls based on the preponderance that the different factors have, as well as the use of it to discover the cause of problems, or to solve them.

The Six Why? allows successive questions to get to the root cause of problems while avoiding being in the most superficial features.

Statistical Process Control (CEP) makes it possible to determine the capacity of the process to generate external and internal products and services that satisfy the required levels. Thus, the accounting or inventory differences or the lack of correct completion in the credit portfolios in the case of banking institutions are due to different causes, the CEP allows us to know if the number of failures is within what is natural to the system or if their causes are special, adopting, as appropriate, the respective analysis and correction measures.

The flow chart is a fundamental element not only to evaluate the internal control system, but also to evaluate the efficiency of activities or processes.

The Scatter Diagram allows testing the interrelation between different factors, such as the number of receipts received per box with the differences in the box.

The histogram allows analyzing the distribution of the errors or shortcomings detected.

Stratification improves the levels of completion and detects reasons for irregularities. If, when controlling credit arrears in a Bank, there are higher levels in a credit line, this may be due to the sector to which it is destined or to failures in granting them, and if the levels are concentrated in certain bank branches, this may be due to a lack of training of credit personnel or problems specific to certain economic zones.

Preventive Analysis. Consisting of using brainstorming by internal auditors in order to detect for each process, service, product or activity where or what problems may arise, analyzing how to prevent them from occurring and setting systems for their detection.

The method of the Six Fundamental Questions, made up of: What? As? Who? Where? When? and the Why? for each of the previous answers, it allows improving internal control, detecting irregularities and improving the efficiency of processes and activities. Thus, it may be discovered that currently unnecessary tasks are being carried out, or that the person performing it is too expensive personnel to perform it, or that the place where it is performed is inappropriate for security reasons (Treasury location), or how it is done is costly or unsafe.

8. Knowledge and Skills

As for knowledge, as is obvious from what has been previously expressed, auditors must have knowledge of management tools, statistics, statistical process control (SPC), problem solving, benchmarking, teamwork, quality circles, brainstorming, systemic thinking, survey and evaluation of internal control, planning, administration, finance, apart from legal, accounting and knowledge regulations in information systems.

Benchmarking as a methodology that aims to detect best practices and procedures for the purposes of their analysis and subsequent implementation is very interesting for the purposes of adapting methods or procedures applied by other audits. The performance of benchmarking is facilitated by the existence of Associations of Internal Auditors at a general level and by sector.

Regarding skills, the internal auditor should have:

  1. Interest and aptitude for research Statistical analysis capacity Specific (technical) knowledge in internal audit, internal control and in relation to the sector Organizational behavior and neuro-linguistic programming Analysis capacity Ability to work in a team Proactive attitude High ethical level

9. Planning

Above all, the values ​​and the mission of the Internal Audit must be clearly defined. You need to be completely clear on who your customers are and what they require. For which it is extremely interesting to implement a system to verify the quality of the work and audit reports, as well as measure the satisfaction levels of the users of the information provided. It turns out to be using resources to after a while become aware that the reports were not of importance or significance to the recipients of the reports.

Returning to the central element of planning, it is fundamental in that it provides the vision to be shared by the members of the audit, which will be the central axis that will mobilize the capacities and resources for a more effective and efficient achievement of the objectives.

10. Continuous improvement in auditing

The auditing sector cannot escape the slogans of the moment, which are to achieve better levels every day in terms of quality, cost, productivity and deadlines.

For this reason, carrying out audits with the best use of resources (especially considering that internal audit activities do not have added value for the external client), the highest level of quality and in peremptory terms is essential. For this, the use of resources should be concentrated in the most efficient way possible, continuously improving performance levels. Controls must focus on significant issues or elements with an increasing impact on the organization.

11. Internal control and economic results

In the last line of the Results Table is the truth, which shows how well the company has operated. Many companies with a more than optimal result in productive and commercial matters see their profits decrease and even in some cases they reach the numbers in red as a result of negligence, fraud, theft and theft. Among the negligence we can mention the lack of insurance either for fires or accidents among others, also the lack of adequate controls when qualifying a client for credit granting. No less costly are losses due to miscalculations or lack of formal tax compliance. These are just a few examples of the most common occurrences in organizations. In the same way, it is necessary to avoid fraud, theft and theft,as well as destructive actions that may affect the assets of the company. Only a good internal control, which must be properly reviewed and evaluated by the company's auditors, can prevent the decrease in profits or their conversion into losses.

In a Banking Institution, not having updated the amount of stamp tax for checkbooks, led to a lower perception of said tax, and therefore to pay less to the Collecting Entity, the Financial Institution then having to pay the most difference. the respective interests and penalties.

Not less effect have on the results of the company, both in its calculation, and in the quality of the information handled for decision-making, an internal control that ensures correct, accurate and timely information.

As an example, we could mention the case of a Banking Institution that, by erroneously calculating its Daily Minimum Cash Levels, took interbank funds to cover them with the high cost that this implied, when in reality its real situation allowed it to grant funds to other banking institutions. with the consequent obtaining of juicy benefits.

Another example of serious results is incorrect information regarding Sales Debtors. Claiming someone who has paid can lose the client, and not doing it to someone who is not up to date with their payments also implies loss of liquidity and results.

Having reliable inventory information is very important, especially even in a time of high financial costs and in the face of the need to apply methodologies such as Just in Time.

We can see with this small number of examples the serious consequences that a lack of effective internal control can bring to the company in terms of results.

12. Audit and control of computer processes

Computer processes have significantly changed the internal conditions of organizations, thereby motivating important consequences in terms of internal control.

In order to prevent fraud, it is advisable to separate the functions between those who are in charge of managing the system, the programmers and those who control the inputs, which should be carried out by three different technicians or groups of computer technicians. However, both due to the size of the companies and the new characteristics that take place in the manufacturing and service processes, the controls must adapt to this new situation. The creation of parallel and independent mechanisms to the system for comparative control is where the new methodologies aimed at safeguarding computer processes point.

Putting computer systems safe from the actions of "pirates" as well as "viruses" is essential because of the enormous losses that they can cause to the company.

No less important is not only the control of access to information, but the possibility of accessing files of great strategic value such as those related to customers and their respective business developments. Many have an interest in acquiring such databases for the purpose of sale to the competition.

In the control of electronic data processing (EDP) systems we can differentiate three aspects:

a) Controls on the organization of the data process. We can study in four aspects:

  1. Division of responsibilities Control over computer operators Program library Safety systems against fires or other accidents

In order to maintain the integrity of the system when the authorization and registration functions are included in the program itself, it is necessary to separate the operation and handling functions of the machines and the maintenance function of the program and the memory or library. This separation of functions is important in that it provides effective cross-checking of the accuracy and correction of changes made to the system, prevents operations personnel from making revisions without full authorization and verification, prevents non-operation personnel from having access the team, and finally improves efficiency, since the skills and training required to carry out such diverse activities differ.

The separation between the personnel in charge of the libraries and that of the data acquisition and control section is important.

b) Procedural controls. They refer to four specific points:

  1. Source data and output controls. It is necessary to control the input data to verify that they have been authorized and entered only once. The function of the output controls is to determine that the processed data does not include any alteration unauthorized by the computer operations section and that the data is correct or reasonable. Process controls. The main objectives are to discover the loss of data or the lack of its processing, to determine that the arithmetic functions are executed correctly, to establish that all the transactions settle in the indicated register, to ensure that the errors discovered in the data processing are corrected satisfactorily File or library controls. If these are defective they can distort the accounting.

c) Administrative controls. They refer to the design, programming and operations of the EDP.

Physical security. The basic precautions for this purpose are:

  1. Duplicates of all files, programs and basic documentation must be kept elsewhere. Protection against excess humidity, temperature variations, voltage drops, power cuts, magnetic fields, criminal acts, etc. Protection against fires, floods, disasters natural, etc. Emergency plan that foresees the basic actions and alternative means available before different levels of catastrophic events. Appointment of a person in charge of security and periodic review of the operation of the available means. Insurance that covers the risk of business interruption and the cost of rebuilding files.

13. The Internal Control Matrix

It is a way of thinking, planning, delegating, making decisions and solving problems, and seeing the organization as a whole.

It is a way of thinking, because analyzing the interrelation of the company's various products, services and areas with external and internal regulatory provisions, as well as with the principles of internal control and security, leads both to officials and to internal (or external) auditors and the managers of the various areas to ask themselves how, if at all, the various regulations affect their processes and activities, or inquire about the existence or not of regulations that are related to the same.

It should be asked how many times organizations are liable to financial penalties for non-compliance with formal duties only for the fact of not having made the inquiries or not having planned the controls and the respective actions.

It is a way of planning inasmuch as the organization's officials establish the number of controls to be carried out per period of time, what elements or resources are to be counted, what questionnaires are to be used and who will prepare them. On the one hand, the delegation assigns those who are responsible for carrying out the controls.

As the matrix system makes use of efficacy scores, the aspects or areas of greatest risk, which arise from the lowest scores, are those in which adjustments and corrections must be prioritized, in addition through the analysis of the reasons from the low scores it is possible to know the reasons that originate them and in this way adopt the best actions tending to their resolution.

14. Bibliography

  • Soriano Guzmán, Genaro - The internal audit in the administrative process - CENAPEC Editorial - 1992Suárez Suárez, Andrés - The modern audit - McGraw Hill - 1991Skinner and Anderson - Analytical Audit - Book Publishers - 1969Madariaga, JM - Practical Notions of Auditing - Deusto - 1986Rusenas, Rubén Oscar - Internal Control Manual - Editorial Cangallo - 1978Pongitore, José Luis - Administrative Systems and Internal Control - Study Club - 1994 Poch, Ramón - Internal control manual - Management 2000 - 1997Lefcovich, Mauricio L. - Internal Control Matrix - Gestiopolis.com - November / 2003
Download the original file

Internal audit, a systemic approach and continuous improvement
Administration

Editor's choice

Features of radical innovation

Features of radical innovation

Characteristics of the best companies to work mept

Characteristics of the best companies to work mept

Characteristics of probability and non-probability samples

Characteristics of probability and non-probability samples

Features of one to one or one to one marketing

Features of one to one or one to one marketing

Roots and beacons of the leader's light

Roots and beacons of the leader's light

Characteristics of the microentrepreneur

Characteristics of the microentrepreneur

© Copyright en.artbmxmagazine.com, 2024 October | About site | Contacts | Privacy policy.