What should the relationship of internal and external audit look like?


Not every organisation has both an external audit and internal audit. In some jurisdictions you can get companies that have internal audit but no external audit, while in most countries you get quite a prevalent external audit with far less incidence of internal audits. Russia is a prime example of the latter case.

External audits done under ISAs are supposed to plan and carry out work in order to have a reasonable expectation of detecting fraud and other irregularities, and certainly the expectation of users has traditionally been that external auditors are responsible for finding fraud.

I work both as external auditor and I also carry out internal audits for clients who don’t have their own departments or who do but still need to be beefed up locally by brought-in experts. Therefore I have no particular axe to grind, but I will say this – a lot seems to be expected of external auditors with relation to fraud without giving them the tools necessary to find instances of fraud.

Internal audit departments can, within reason (they cannot supersede data protection law or labour law, etc, or contravene people’s basic human rights when monitoring them) have whatever tools they like if they are within budget. I can just imagine what my clients would think if I as an external would start installing cameras, GPS trackers on company vehicles, doing spot checks for alcohol, lifestyle checks on managers, and all the other things that internals can do. And yet if you take the standards literally I have to do a job not far off that of a policeman as an external auditor.

All we are usually given as external auditors is a couple of generic questionnaires which we try to go through with the client’s management adapting it to the specifics of their business, then we have the duty and hopefully also the ability to map out and analyse the systems of the client, including the controls and to perform walk-through tests and seek to identify key controls. The way an external auditor assesses a key control and the way an internal auditor assesses a key control are also different in a number of ways, and how we define a key control for our respective purposes differs, and then the timing and frequency of checks on that control will differ. Many people who have worked only in external audit won’t know how or why they differ and therefore their ability to get the best from internal if it is even there will be in many cases limited.

Actually most of the fraud questionnaires in use are a good start because they are based in fact on the fraud triangle originally talked about by notable criminologist Donald Cressey back in the 1960s and 70s. This is the triangle of means, motivation and rationalisation or self-justification. It is based on the idea that if a person hasn’t got the opportunity to get around the system, doesn’t really need to and thinks it would be wrong to, then the chances of that person committing fraud are extremely remote. If on the other hand a person thinks that they know how to get away with it, need the money and also think they deserve to do it, then the fraudulent activity by that person is virtually certain. Various permutations of this give varying degrees of likelihood of fraud. The questions in fraud questionnaires would be good at helping to build a “fraud triangle” exercise in a given context, but only as long as the person doing it knows what they are doing both in theory and in practice. Often it is given to quite junior people to carry out and also very often in assessing audits I have seen that the answers don’t necessarily carry through to specific tests relevant to those answers, but instead increase general risk meaning that there is a likelihood that the sample sizes for other detailed substantive tests (by the way the weakest set of tests for detecting fraud) will be higher. And sometimes you are lucky to even get that much of a response.

Externals go on to make their control tests if they do recognise a key control (and on a worldwide scale I would hazard a guess that tests of controls are still done on only a small minority of audits, with most defaulting to the substantive route based really on lack of time or confidence with control work by the external audit team) and also the other big weapon they have in the arsenal is substantive analytical review. But SAR is only as good as the in-depth knowledge of the branch or business, so externals – especially those which are not branch specific as some Big Four externals are – don’t really have the sector knowledge that the internal audit team have and so their chance of noticing something that doesn’t stack up as they go through their analyses of ratios, or building of expectations and confronting to reality is not as good as that of the internal in many cases.

And then auditors finish every section by mopping up whatever needed assurance they could not derive from the earlier procedures by other substantive procedures based if done properly on a statistical sample, which is designed to get them from the assurance they got from less time-consuming procedures through to within their tolerable error (a function of risk and materiality from their perspective, which again differs from the internal auditor’s perspective which may not even be couched in money figures but in non-monetary terms). However the chances of getting at fraud looking through sampled accounting documents is minuscule, and here many external auditors do the bulk of their work.

So naturally if there is an internal audit team, an enlightened external auditor should be very anxious to understand how they decided their work plan, what they did, and how many key controls have been checked thoroughly and how many risks are still open. If they want to give the organisation real value for money they will design tests that supplement, rather than duplicate the work of internal auditors.

Internal auditors will encourage this – they too will want to see that the organisation’s budget for external audit work goes on procedures that help to improve the risk heat map and the overall picture for the organisation. This can only be done when each side understands the other and “speaks their language”. Many internals have worked as external but not many are continually doing both types and therefore able to think through an assurance issue from both perspectives.

The Money Value of Time


The National Audit Office building, built originally as the Imperial Airways Empire Terminal. The statue, “Speed Wings over the World”, is by Eric Broadbent (Photo credit: Wikipedia)

According to page 2 of today’s UK Financial Times, a UK National Audit Office report shows over 6.5m people waited more than 10 minutes to get their calls answered by HMRC, adding £33m to customers’ phone bills and wasting £103m of their time last year.

This snippet of information triggered a few things that I wanted to say to you this morning. The first of these is that, despite the fact that it is obviously pretty dire that people need to wait so long to get their calls answered by the service they are paying taxes to fund in the first place, at least in the UK there is a body which is concerned at the loss of time and places a value, in monetary terms, on that loss of time by the customer.

Anyone who has spent any time either in government offices, or even banks or supermarkets in this part of the world will probably confirm that the idea that the customer’s time is valuable and should be respected is a rather alien concept. Not so long ago it was an utterly alien concept, but even today it is still a concept which they find rather hard to grasp.

Not as bad as China, though, from what I heard and also saw. People being expected to queue all day outside the Chinese consulate for their visa and then at the very moment that the scheduled closing time of the office came the shutters come down like with Kiosk Keith and that was that. The spare time of the employees was utterly sacrosanct, that of the customer not at all. This of course shows an elitist mentality, which can be found in almost all state sector offices to one or another degree anywhere in the world. Expect it and try somehow to deal with it.

Much less acceptable is the wasting of the customer’s time in business. If the customer is paying then they have a right to have their matters expedited and people who keep people waiting ought either to invest in more infrastructure to avoid it or to wonder if they are in the right business.

Is your business in the “ivy league”?


'Hedera' of reference?

I was recently reminded of something my old gardener told me about ivy. I had been surprised at how slow some lovely variegated ivy that had been planted by my fence was coming on, and his words were as follows:

With ivy, the first year it is put in, it does nothing, it just sulks at having been put in a new place. The second year it starts to spread out horizontally along the ground by the bottom of the fence, and in the third year it starts to grow upward, like a curtain.

Wise words, from someone who knew his onions. And his ivy. It seems to me that this is a great analogy for many new businesses. Entrepreneurs obviously look for a rapid return on capital employed. They want their profits and the cash back to invest in the next thing. But nature takes its course with some businesses just like it does with the ivy, and you cannot rush it.

The first year, you have set up costs, people are getting used to each other in a new team with a new product, new identity. This is like the ivy “sulking” – just establishing a new root system and adapting to the chemistry of the soil and the direction of the light.

The second year you start to see sales pick up but the prices are not that good yet and also the volumes don’t allow the contribution to cover fixed costs. You get growth but you don’t get the profit. It is like the ivy growing along the ground by the bottom of the fence. It is obviously going somewhere, but you aren’t getting the effect of it yet.

The third year you reach a certain critical mass, you break even, you start to nudge into profit, your cash flows turn the corner and you start paying back your seed finance. This is like the ivy making its curtain up the fence.

If the ivy survives at all, it will certainly produce the coverage in time. The same with these new businesses. They simply need to be nurtured and for nature to be allowed to take its course. If the soil is right, the light is there, and the water, the plant healthy, then it will do what it is programmed to do in its own time. Micro-managing it will not help. Restructuring the team which is only starting to gel will not help. It will be like transplanting the ivy at the end of the second year for failing to raise – it will only go through its sulking and creeping years all over again in the new position.

It pays to avoid the BBBs (Bargain Basement Bookkeepers)


Is a storm brewing over your books and records?

I am writing to relate a story based on true events which came to light last week when one gentleman came into one of our offices and spoke to me. To keep matters confidential, I won’t say the country – the same can happen in any country – or identify anything about this company the gentleman had – even the sector. It can happen to many sectors.

This gentleman had given his company bookkeeping and tax affairs to an outsourced book-keeper for his business in that particular country. He used outsourcing back home in his own country (I’m not saying where that is either) and he appreciated the benefit of being able to have his bookkeeping professionally handled by experts without needing to employ anyone, worry about holiday cover, etc etc.

Some time ago this gentleman had included our firm in his search, and we gave him a price entirely fair for a company with our niche in the market, that is, internationally trained people, with English, with proper quality assurance, supervision and back-up. In other words, a peer-reviewed, branded service tailored absolutely to the needs of West European businesses in the middle tier coming to start up in East Europe, and also very good for businesses not exactly in the middle tier and from places outside West Europe.

That means that the fee offered was not nearly as high as a Big Four service would cost, but certainly higher than a purely local service.

Now I’m not knocking the purely local services – many of them are very good, but for purely local clients as they don’t tend to be claiming proficiency in foreign languages or have the ability to engage cross-culturally with the client (a source of just as many miscommunications as the language barrier on its own). They are not a great fit with the international client, and often their cheaper price becomes a false economy as frustrations rise on both sides of the desk.

The problem in this case wasn’t lack of English – this gentleman’s chosen bookkeeper spoke English, apparently.

But she was in business just on her own. With no back-up employees, probably very little insurance, probably very few resources to turn to, and very few overheads hence enabling a price no quality firm could ever compete with. That was the price that tempted this gentleman to take her bid over mine.

But since then, it became apparent that this bookkeeper was not entirely what she seemed to be.

Neither this gentleman nor myself are qualified psychiatrists, and we could only speculate on what might have gone wrong, or been wrong all along with this person. The fact is, though, that mental illness happens in the human population. We’ve probably all had employees or acquaintances who have had a mental illness, and in a larger company they quickly get noticed by colleagues, and steps taken to look after them and safeguard the clients’ affairs. When they are on their own, no such controls exist.

Suffice it to say this lady no longer was answering emails or picking up the telephone when he was calling, and when he rang from another number she didn’t know, she put the phone down when she heard his voice – the person entrusted with his company’s books and records and processing a VAT reclaim for more money than she would normally earn in many years. As you can see, the situation is now much harder – and therefore more costly – for us to repair than if he had simply given us the work in the first place.

It simply doesn’t pay to use these Bargain Basement Bookkeepers. You know what you get if you pay peanuts, and if a price looks too good to be true, it probably is.