August 24th, 2010

In the Key Success Factors for Capital Projects blog, I have mentioned the importance and value added of Construction Project Audits.

If you or your audit team would like to learn about auditing of Construction Projects, there is an “Introduction to Construction Auditing” course presented by well-known Construction Project Audit Experts and offered through AUSPICIUM.

If you are interested, please follow the link below.

http://www.auspiciumco.com/training.html

August 21st, 2010
Auditing of capital projects, due to their nature, requires specialized skills and extensive planning. Historically, internal audit departments do not have significant experience in capital project audits. Without the burden of completeness, I have identified three key success factors (audit timing, scope definition and multidisciplinary audit team) as they relate to capital project audits.

Key Success Factor # 1

Timing of the Capital Project Audit

  • At what stage of the project completion should the audit take place?

If the capital project has already started, the audit should take place at about 30% completion. At that stage, IA can verify whether the necessary controls are in place and are working effectively. In addition, it allows enough time for the audit recommendations to have a meaningful positive impact on the project completion. The later the capital project audit takes place, the less value it adds, since certain processes might have gotten too far out of control (time and budget overruns etc.) by that time.

Key Success Factor # 2

Definition of the Audit Scope

It is critical to define whether the capital project audit strictly focuses on the project management aspect (whether the project is on time, project risk management etc.) or goes beyond and also verifies the controls around project accounting, safety on site etc.

Key Success Factor # 3

Composition of the Audit Team

It is key for the capital project audit team to have members from multiple disciplines such as Engineers, Project Management Professionals (PMPs), Internal Auditors and, on an as-required basis, Legal and Tax Experts.
August 3rd, 2010
Reputational risk is usually associated with unfair labor practices or certain unethical or anticompetitive behaviour, which could have a negative impact on the company’s image. Organizations tend to overlook reputational risk caused by association, for example, when a company pays sales commission to an independent agent whose taxation practices are highly questionable.
Even though many reputational risks seem to have a remote likelihood of occurrence, if any one of them materializes, it can have a major negative impact on the company’s share price. Without the burden of completeness, let me list some of the key reputational risks:
  • Price fixing arrangements that can result in breach of antitrust regulations
  • Unfair labor practices such as the use of child labor
  • Sub-standard working conditions
  • Hiring of illegal immigrants
  • Transfer pricing arrangements that can be challenged by Tax Authorities
  • Payment to sales agents whose bank account is in a tax haven
Organizations should carry out a systematic review of their reputational risk areas. This review could identify exposures that have not been covered by any means of risk transfer, such as specific insurance, so that targeted audit mandates can be carried out to cover those areas.
July 18th, 2010
Companies in every industry face the challenge of how to monitor the activity of Domain and System Administrators.
One school of thought is that having separate user profiles (a regular and an admin user profile) for Domain and System Administrators would make their activity logs shorter and easier to review to detect any unauthorized activity. However, the length of these admin user logs and their review frequency make this detective control quite ineffective.
What is the ultimate risk in Domain and System Administrators having unrestricted access?
  • I think the ultimate risk is that Domain and System Administrators can pass on their Admin profile, even if on a temporary basis, to other users who can grant excessive user access privileges to themselves or others. Basically, the risk is that regular users can become Domain or System Admins for a period of time.
In order to mitigate this risk, I suggest the following:
An on-time preventive control should be put in place to notify senior management (maybe in an automatic e-mail) whenever a System Administrator grants an Admin profile to any other user.
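
One way to implement the notification described above, as an added example that is not part of the original post. It assumes a Windows domain, where additions to security groups are logged as Security events 4728, 4732 and 4756; the one-JSON-object-per-line record layout, the list of privileged groups, the account names and the log records are constructed for illustration.

```python
import json

# Windows Security event IDs for "member added to a security-enabled group": 4728 global, 4732 local, 4756 universal.
MEMBER_ADDED_EVENT_IDS = {4728, 4732, 4756}
# Assumption: the groups that confer the "Admin profile" in this environment.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators"}

# Constructed sample records, one JSON object per line (not real log data).
SAMPLE_LOG = """
{"time": "2010-07-18T09:14:02Z", "event_id": 4728, "actor": "sysadmin1", "member": "jdoe", "group": "Domain Admins"}
{"time": "2010-07-18T09:20:41Z", "event_id": 4728, "actor": "sysadmin1", "member": "asmith", "group": "Helpdesk"}
{"time": "2010-07-18T10:02:17Z", "event_id": 4624, "actor": "jdoe", "member": null, "group": null}
{"time": "2010-07-18T11:45:30Z", "event_id": 4732, "actor": "jdoe", "member": "jdoe", "group": "Administrators"}
{"time": "2010-07-18T12:00:00Z", "event_id": 4756, "actor": "sysad
"""


def find_admin_grants(log_text):
    """Return an alert for every record that adds a member to a privileged group."""
    alerts = []
    for line_no, line in enumerate(log_text.strip().splitlines(), 1):
        try:
            event = json.loads(line)
            event_id, group = event.get("event_id"), str(event.get("group")).lower()
        except (ValueError, AttributeError):
            # Surface unreadable records instead of dropping them, so a grant
            # cannot hide behind a truncated or corrupted line.
            alerts.append({"kind": "unparsed", "line": line_no})
            continue
        if event_id not in MEMBER_ADDED_EVENT_IDS or group not in PRIVILEGED_GROUPS:
            continue
        alerts.append({"kind": "admin_grant", "line": line_no, "time": event.get("time"),
                       "actor": event.get("actor"), "member": event.get("member"),
                       "group": event.get("group"),
                       "self_grant": event.get("actor") == event.get("member")})
    return alerts


def format_notification(alert):
    """Render the text of the e-mail that would go to senior management."""
    if alert["kind"] == "unparsed":
        return f"Log record {alert['line']} could not be read; review it manually."
    note = " (self-grant)" if alert["self_grant"] else ""
    return f"{alert['time']}: {alert['actor']} added {alert['member']} to {alert['group']}{note}"


if __name__ == "__main__":
    for alert in find_admin_grants(SAMPLE_LOG):
        print(format_notification(alert))
```

The self-grant flag marks the case the post is most concerned with: a user who has temporarily received an Admin profile using it to extend their own access.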
June 20th, 2010

How many times have we heard that it is really challenging to hire and retain competent Internal Audit staff?

Internal Audit departments are struggling to build a professional audit team with a low level of staff turnover. The root causes, as all of us know, are the following:

1, Many organizations consider IA as solely a training ground for newly hired high-potential finance and accounting graduates. As a result, after a couple of years in the IA Dept., many of these recruits leave for other positions within the organization.

This arrangement is favorable for the organization as a whole but quite disruptive to the effective operation of the Internal Audit function.

2, IA departments of companies with diverse geographical locations face the challenge of having a quite extensive travel schedule. Travel in the 50 to 75% range tends to increase audit staff turnover as time passes.

How could IA tackle these two negative forces influencing its effectiveness and efficiency?

In my opinion, IA departments should systematically target establishment of a core career auditor base within their team. These career auditors should have a lower percentage of travel than the group as a whole to ensure their better work-life balance. Since career auditors realistically could make up only about 20 to 30% of the IA team, junior team members should be complemented with Internal Audit Consultants (Subject Matter Experts) in order to enhance their efficiency and effectiveness.

Do you agree that Internal Audit Consultants can add significant value to the audit function of any organization?

May 30th, 2010
I firmly believe that IT General Controls testing can add significant value beyond its SOX 404 compliance purpose.
  • Have you ever wondered how IA could apply IT General Controls testing to effectively mitigate not only financial but also operational risks?
Through effective use of IT General Controls testing, IA could analyse operational risks of the R&D area.
  • Why did I choose R&D as the number one function to audit for its IT General Controls?
The answer is simple: every company’s survival depends on the protection of its proprietary R&D information. The risk of losing research data affects every single sector and industry.
Let me outline a couple of practical IT General Control audit steps that can help to evaluate the security of your R&D information:
1, Verify that the organization has detailed R&D information protection policies and procedures in place
2, Ensure that the security background checks of all R&D staff are in good order
3, Validate that both physical and computerized access to R&D information is restricted to authorized personnel only
4, Verify that e-mails sent by R&D employees, especially the ones which include attachments, are monitored
5, Corroborate that changes made to R&D information are electronically logged, so individual accountability can be established
6, IA should ensure that R&D staff cannot make copies of R&D data to portable devices such as USB keys or the hard drives of laptop computers
May 24th, 2010
Time has come for companies to take a closer look at their Expatriation process. Expatriation at multinational companies should be viewed from two different angles.
Expatriation of Employees from Developed Countries to Less Developed Countries:
  • The notion of moving our best employees to less developed countries makes a lot of sense if the local talent pool is limited and/or does not have the required language skills.
Expatriation of Employees from Developed Countries to other Developed Countries:
  • Expatriation to developed countries raises a number of questions that could and should be audited:
1, Is the developed country’s local talent pool really so limited that we cannot find qualified candidates?
2, Has the company genuinely analyzed and justified the cost differential between hiring an expatriate employee and promoting or hiring someone locally?
3, Bringing in an expatriate boss, especially if this occurs in the company’s Head Office, could send the wrong message to local employees about their chances of promotion. Local talent can get really de-motivated by this notion. As a result, significant employee turnover and efficiency loss could occur.
4, The significant sunk costs incurred per expatriate employee could also make it harder for organizations to objectively evaluate their expatriate employees’ performance. Annual performance evaluation of expatriates is naturally distorted by the fact that they usually take only a fixed-term (3 to 5 year) assignment. Should not Internal Audit, with the help of a CAAT tool, analyze the distribution of expatriate employees’ annual performance scores against the company’s population and identify anomalies, if any?
Based on the four points above, Internal Audit could identify marked cost saving opportunities within the expatriation process, especially by focusing on transfers to developed countries.
May 12th, 2010

Cost Savings by Targeted Internal Audits
There has never been a better time for companies to deploy their best Internal Audit resources to tackle the bottom line.  I suggest that the frequently overlooked Corporate Human Resources Department should be the place to start.

  • Have you ever wondered, how come Corporate HR does not make it to the Internal Audit plans of many companies?

Based on my experience in diverse manufacturing sectors, if risk exposure does not validate a Corporate HR audit, potential cost savings certainly do.
Let me give you, without the burden of completeness, specific Corporate HR audit scope ideas that can bring significant recurring cost savings:

  • Review the costs and value added of outsourced employee background checks and estimate the savings by moving this process in-house
  • Audit the expatriation process to evaluate its necessity (value added), analyze fairness of benefits among expatriate employees and hidden costs of employee repatriation
  • Verify excessive employee turnover by analyzing both its direct costs in the form of recruiter fees and hidden costs of efficiency loss

Regarding the last scoping point, I have developed an HR model, which calculates employee turnover probabilities, identifies high likelihood candidates for departure and quantifies the total costs of departures to the company.
If you have comments related to Corporate HR audits and the potential cost savings, please read my Blog on my website www.professionalriskauditors.com and post your thoughts.