In general, the objective of an internal audit is to assess the risk of material misstatement in financial reporting. Material misstatements can arise from inadequacies in internal controls and from inaccurate management assertions. As such, testing the validity of various implicit managerial assertions is a key objective of an internal auditor.
While this applies to all financial cycles, this article is the first in a series focusing on the General Control Activities for Short Term Cash Management. The most important general control areas for Short Term Cash Management include:
- Performance Management
- Cash Forecasting
- Cash Disbursements and Cash Receipts
- Check Receipts
- Bank Statement Reconciliation
- Other Cash Management Activities
In this post, we’ll focus on the General Control Activities for the Organization of Short Term Cash Management.
Personnel Responsibilities and Accountabilities
It is important for the business to properly define and communicate personnel responsibilities and authority limits. Effectively doing so provides clarity on employee roles and responsibilities, reporting lines, and enhances communication. The following should be included in any audit:
- Make sure an organization chart available to all staff and there is a process for periodically updating
- Verify that the authority schedule is available to all staff and there is a process for periodically updating.
- Confirm that there are clear job descriptions and there is a process to regularly update.
- Validate that there is a regular review that compares business structure with the business activities and responsibilities.
Segregation of Duties/System Access Rights
Segregation/separation of duties and segregation of system access rights is a critical internal control for any process, especially when there are inherent conflicts of interest. Critical functions must be adequately segregated, properly supported by logical user access authorizations, and access to critical vendor master data must be restricted to the appropriate personnel. The following should be included in any audit:
- Validate that there is a periodic review of roles and responsibilities of purchasing staff.
- Verify that the organizational chart and authority schedule are available to all staff.
- Confirm that the following critical functions are segregated with the operating system:
- Conflicting tasks in the ERP system (Segregation of Duties (SoD) conflict matrix) is periodically reviewed.
- Compensating control for SoD conflicts have been documented and implemented.
- Access to critical master data properly restricted and tailored within the system.
- Ex-post controls are in place to monitor master data changes (e.g. log files to catch changes of vendors; review of aged creditor reports generated from ERP system).
- Adhere to the multiple eyes principle with respect to changes of critical master data.
- Periodically review user access rights for adequacy (are functions properly reflected in the user access rights matrix).
Key processes must be defined and include detailed procedures explaining how the main purchasing processes are carried out. The following should be included in any audit:
- Validate that there is clear definition of procedure ownership.
- Confirm that procedures and documented and accessible to all relevant parties.
- Verify that there are regular formal reviews and updates of key procedures.
- Assure that procedure compliance audits are regularly completed.
- Make sure there are regular training sessions relevant employees (training plan in place).
- Validate that policies and procedures are stored in SharePoint or equivalent document management system with automatic reminders sent to owners for review.
Adequacy of Staffing
Obviously it is critcal for businesses to be adequately staffed. It is important to be able to predict and assess staffing needs and evaluate the hiring, training, and compensation model. The following should be included in any audit:
- Verify that there is a budget for replacing vacant job positions.
- Make sure there is a defined succession plan in place.
- Assess whether there are defined procedures staff promotions.
- Evaluation the design and effectiveness of a management development program.
- Validate that there is a training program in place and that is monitored.
- Confirm that employee satisfaction surveys are used.
- Verify that personal development process has been implemented.
- Make sure there is an adequate incentive structure established.
Code of Conduct/Competition Compliance Training
A well-written code of conduct clarifies an organization’s mission, values and principles, linking them with standards and expectations for employee conduct. The business goal is to embed the code of conduct (CoC) within working practices. The following should be included in any audit:
- Make sure all employees receive CoC training within 6 months of joining the business.
- Verify that sales staff are required to comply with competition laws and that a mechanism is in place for them to periodically acknowledge/certify their compliance.
- Confirm that there is face-to-face CoC training for all customer facing staff.
- Validate that there CoC training is repeated for each employee every 3 years or as needed to meet compliance requirements.
- Confirm that HR has an effective system for tracking course completion.
- Make sure there are procedures and/or effective monitoring controls to detect violations of competition law.
- Lastly, verify that there are defined and communicated repercussions to adequately deal with violations of competition law.
In conclusion, auditing standards require that auditors test basic underlying management assertions implicit in the financial statements. Key objectives to these assertions are; Existence and Completeness, Rights and Obligations, Valuation or Allocation, and Presentation and Disclosure.