Auditing Best Practices
Segregation of Duties
Duties within the department or function should be separated so that one person does not perform processing from the beginning to the end of a process. Duties that should be segregated include:
- Custody of the assets
- Recording transactions
If an adequate segregation of duties does not exist, the following could occur:
- Misappropriation of assets
- Misstated financial statements
- Inaccurate financial documentation (i.e., errors or irregularities)
- Improper use of funds or modification of data could go undetected
Design a system of checks and balances to decrease the likelihood of errors and irregularities.
The person who prepares documentation should not be the same person to authorize and execute the transaction (i.e. one person should not be able to accept cash, record deposits for banking, make the bank deposits, and reconcile the account).
Policies and Procedures TOP
Written policies and procedures codify management’s criteria for executing an organization’s operations. Developing and documenting policies and procedures is the responsibility of management, thus, they should document business processes, personnel responsibilities, departmental operations, and promote uniformity in executing and recording transactions. Thorough policies and procedures serve as effective training tools for employees.
If written policies and procedures do not exist, are inaccurate, incomplete, or simply not current, the
following could result:
- Inaccurate and unreliable financial records due to inappropriate recording of transactions
- Inconsistent practices among employees and/or department
- Processing errors due to a lack of knowledge
- Inability to enforce employee accountability
- Document all significant business practices, processes, and policies.
- Make the policies and procedures available to all personnel
- Ensure they are accurate, complete, and current at all times.
- Revise policies and procedures for changes in business processes and policies. This is particularly important when new systems are developed and implemented or other organizational changes occur.
- Communicate significant changes to all affected personnel immediately to ensure they are aware of any revisions to their daily duties and responsibilities.
- In the event that there are changes in personnel (i.e. new employees are hired, promotions granted, etc.), documented policies and procedures will facilitate training and provide guidelines for the respective positions.
- Policies and procedures are only effective if people are aware and understand them.
Assets are the economic resources a business owns that are expected to be of benefit in the future. Cash, office supplies, merchandise, furniture, equipment, land, buildings, and sensitive or confidential data are some examples. Protective measures must be taken to ensure that assets are maintained in a properly controlled and secured environment. The most important type of protective measure for safeguarding assets is the use of physical precautions. If physical precautions are not in place the following could occur:
- Items may be lost or misplaced
- Fraud may be committed using unauthorized data
- Unauthorized transactions or processing could occur if data is not adequately safeguarded
- The University could incur added expenses and loss of revenue.
The following should be performed to ensure assets are adequately safeguarded:
- Store all assets in a secure, locked area
- Cash should be stored preferably in the fire-proof safe.
- Restrict access to data and other assets to a limited number of individuals within the department or organization
Ensure proper access controls are in place in systems (i.e., user IDs and passwords that are unique and forced to be changed frequently by the system)
Efficiency and Effectiveness TOP
Efficient performance accomplishes goals and objectives in an accurate and timely fashion using minimal resources. Inefficiencies in operations occur when processes are performed that provide no additional benefit or value. Operations are considered effective when they are functioning as intended. If, for example, two individuals are both responsible for executing the same function within a process, a duplication of efforts would exist. This is an inefficient and ineffective use of time and resources.
Inefficiency and ineffectiveness may result in a lack of resource availability and may cause a unit to
be unable to meet its objectives. Frequently, this results in added operational costs to the
organization. Those costs could be measured in additional overtime wages needed to accomplish
goals and objectives, unmet targets, lost productivity, or the inability to accept additional
responsibility. Accordingly, inefficiencies result in the inability to be effective in attaining objectives.
In an effort to promote operational efficiency and effectiveness, departments and/or organizations should consider the following:
- Analyze business processes and identify and eliminate any duplicated efforts
- Streamline processes by reducing any non-valued added procedures
- Identify any processes that have been done merely because “that’s the way we’ve always done it". Determine if those processes are still needed. If they are, identify methods that would allow steps to be completed either more timely or effectively.
- Strive to process documents and/or transactions in a minimum required time to increase the efficiency and effectiveness of the unit.
- Employ a cost-benefit methodology when analyzing and developing new processes. If the costs outweigh the benefits, then consider eliminating the procedures or significantly reducing the number of steps needed to complete the process.
- Think “outside of the box”. Look for more innovative ways to accomplish goals and objectives.
- Automate where possible
Review and Approval
When a process is performed within a department, there should always be another level of review and approval performed by a knowledgeable individual independent of the process. The approval should be documented to verify that a review was done. Review and approval are controls that help management gauge whether operational and personnel goals and objectives are being met.
The lack of or inadequate review and approval could result in the following:
- Errors may be overlooked resulting in misstatements that could affect financial, as well as, operational decisions.
- Inaccurate or incomplete information in accounts and/or reports
- The inability to detect irregularities
- A thorough review of processes, transactions, and reports should be performed for accuracy, completeness, and timeliness
- The reviewer should be someone who is knowledgeable about the items or areas being performed such that they are able to readily identify errors and/or omissions
- The reviewer should preferably be someone who has the authority (e.g., supervisory role) who is able to authorize, provide direction, and make decisions about the items under review
- The reviewer should be someone who does not perform the process
- Evidence of the review and approval should be documented (e.g., signed or initialed and dated by the reviewer/approver)
Reporting is defined as disclosing facts about an entity. These facts could be financial, regulatory, or statistical in nature. Decision makers use these facts to make assumptions about an entity.
Inaccurate or incomplete reporting could result in the following:
- The loss of research funding and state appropriations
- Difficulty obtaining debt financing
- Reduced creditability
Since decision makers rely on the facts provided in reports, it is imperative that the information be:
- Accurate, complete, and current
- Fully disclosed
- Provided on a timely basis
Accounting is a system that measures business activities, processes that information into reports, and communicates these findings to decision makers. Two major controls of an accounting system are accurate posting of transactions and adequate account review and reconciliation.
Inadequate controls over an organization’s accounting system could result in:
- Misstated financial reports
- Inaccurate and unreliable financial records
To help ensure strong accounting controls exist, management should ensure:
- Employees are properly trained on performing accounting functions
- Only authorized personnel can establish or modify accounting ledger attributes (e.g., accounts, object codes, transaction codes)
- Transactions, adjusting journal entries, and reports are reviewed for accuracy, completeness, and timeliness of processing before they are authorized
- Accounts are reconciled monthly
- Individuals performing account reconciliations are independent of the cash receipts or cash disbursements process
- Reconciling items, errors and omissions are identified and corrected on a timely basis
- Account reconciliations are documented
- Reconciliations are reviewed and approved
- Automated accounting systems are properly developed by knowledgeable accounting and computing staff
- Automated accounting systems have the proper level of input and processing controls to ensure the integrity of the financial data being reported.
- A proper segregation of duties exists within the accounting function
In simple terms, timeliness means meeting prescribed deadlines.
When deadlines are not met, the following could occur:
- Inefficiencies could result
- Fines or penalties could be imposed
- Prospective projects or customers could be lost
- Other operational processes could be negatively impacted
Frequently, the timeliness of processing is not a major priority on an individual’s “to do” list. As organizations continue to push to do more with less and create increased operational efficiencies and profits, timeliness has become important to the overall success of the organization as whole. It’s the one area where all employees can analyze their workflows and identify ways to work smarter and save time.
Here are a few tips:
- Obtain an understanding of all the required deadlines particularly those that are “not negotiable” such as regulatory due dates.
- Build in adequate lead times to ensure the work product or report is complete, accurate, and has been reviewed before it is submitted. Meeting the deadline is great, but providing a quality product on time is better. If it has to be returned for corrections or omissions, the deadline has not been met.
- Prioritize activities when critical deadlines are imminent
- Ensure adequate resources are available, trained, and able to complete the tasks in order to meet the deadlines.
- If deadlines cannot be met, notify the appropriate parties in advance. Determine if the deadline is negotiable. Commit to the new date and be willing to do whatever it takes to meet it.
- Create a synergy within the unit or organization that embraces the Kaizen philosophy that continuous process improvement means that a product is quality if it’s great and on time