Ah, internal auditors. The “guardians of trust,” as Institute of Internal Auditors President and CEO Richard Chambers likes to call you. So how much money do “guardians of trust” make these days? Let’s take a look at the latest salary data from Randstad, Robert Half, and Accounting Principals. Randstad Randstad organizes non-executive accounting and finance […]
Even this guy is like, “What are you guys doing?” Read anything online and you’re likely to be told some variation of “The rapid pace of technology is disrupting X.” And since those words appear on the internet, adjacent to stock images of word clouds, or an illuminated light bulb, or a smug nerd with […]
A typical job that an eager-to-leave Big 4 auditor might come across is that of an internal auditor. These jobs are plentiful within public companies large and small, but there tends to be a stigma that internal auditors are merely corporate hall monitors with limited upward mobility. After speaking to Megan Scheiderich, director of internal […]
I don't know if anyone else has noticed this, but reading about audit procedures is incredibly dull. It's nearly as dull as actually performing some of these procedures which probably explains why the PCAOB was forced to release Part II for the 2008 and 2009 inspection reports. Luckily, reading about the failure of the most […]
The ex-CFO of Enron, oh humbly, asks: "If the internal and external auditors and lawyers sign off on it, does that make it okay?" History has shown us that, "that all depends." However, maybe things have changed? [via HBR]
Many finance departments would grind to a halt if forced to do without spreadsheets. They’re quick, easy and inexpensive tools for manipulating and analyzing data that just about anyone can master.
However, these attributes also mean that spreadsheets create a tremendous risk, particularly if their results are incorporated into the company’s financial reports or used to support a business’ operations.
With this in mind, the Institute of Internal Auditors (IIA) in June issued GTAG (global technology audit guide) 14, a guide for auditing what it calls “user-developed applications,” or UDAs. While spreadsheets are the most visible type of UDA, the term also can include applications like user-developed databases and reports. UDAs are “…created and used by end users to extract, sort, calculate, and compile organizational data to analyze trends, make business decisions or summarize operational and financial data,” the IIA states.
By their nature, UDAs present three types of risk. One is data integrity – the old “garbage in, garbage out.” User developed applications don’t follow a structured application development cycle, and lack any sort of change management or version controls – that is, any number of individuals may be able to update a spreadsheet. All this increases the risk of inaccurate data making its way into the application.
Next is the risk that confidential data is compromised. Many UDAs can easily be attached to an email and sent to someone who shouldn’t have access to the data.
Finally, there’s what the IIA calls “availability risk.” Because many UDAs reside on flash drives and individual PCs, they’re easy to overlook when the company is backing up data. Or, the information can easily be lost altogether.
Internal auditors can take several steps in their audits to reduce the risks any UDAs in use pose to their firms. A starting point is identifying key UDAs. These typically are those that are part of the financial or management reporting processes, or use to comply with regulations. One-off spreadsheets used on an ad-hoc basis probably aren’t key.
The auditors also need to assess the risks posed by the key UDAs. To understand this, they’ll need to know who uses the applications, and how. From this, they can estimate the financial, operational and regulatory risks the UDAs present. The more complex the applications are, the more embedded they are in organizational processes, and the greater their complexity, the more risk they present.
Next up is examining the controls in place around the UDAs to determine if they reduce the risks to an acceptable level for the organization.
Spreadsheets and other user-developed applications play a valuable role in many organizations. At the same time, they can expose companies to a great deal of risk. Appropriate management and control is critical to mitigating the risks they present.
Galleon’s Rajaratnam Said He Was Duped in Illegal Tax Shelter [Bloomberg Businessweek]
Raj Rajaratnam, who is awaiting trial in an insider trading case set to take place this fall, claimed that he was “tricked into investing in an illegal tax shelter,” that was developed by KPMG and “tax shelter promoter” Diversified Group, according to a lawsuit from 2005.
Rajaratnam and Galleon co-founder Gary Rosenbach won a $5.8 million in an arbitrator’s judgment against Diversified Group and its president in 2009. KPMG was not mentioned in the judgment and neither Rajaratnam’s attorney nor KPMG would comment on the current r if the firm had made a payment to Raj.
Rajaratnam and Rosenbach said they were induced to invest in a shelter called “OPS,” or Option Partnership Strategy, which was developed by KPMG and Diversified as a way to generate fees for the firms.
“The OPS shelter was essentially an illegal basis-shifting scheme which — unbeknownst to plaintiffs — relied upon a disingenuous reading of the federal tax code,” his lawyers wrote in the complaint.
Prosecutors will be interested to know what Rajaratnam said under oath in his suit against KPMG to determine if any of his statements will be useful in their insider trading case.
United, Continental Agree to Combine [WSJ]
United Airlines and Continental Airlines have agreed to combine, in a stock swap valued at $3 billion.
The “merger of equals” would create the world’s largest airline that would control 21% of the total domestic capacity and be 8% larger than Delta Air Lines in terms of miles flown, serving 370 destinations. Assuming the deal does not raise any antitrust concerns and contracts for employees are approved in a timely fashion, the companies plan to complete the transaction in the 4th quarter of this year.
iPad for business – the taste test [ZDNet]
Dennis Howlett tested out an iPad and since some of you have, at the very least, wondered about it for your own professional use, here’s his take on Numbers, a spreadsheet application that he says is “gorgeous to look at” but has several drawbacks:
I found it was possible to create a confusing error formula. Ahem. That will require fixing. While Numbers has masses of functions (see illustration), there is no ability to create Pivot Tables. Those are the accountant’s stand by for reporting and the like. It’s boring but essential stuff. Without Pivot Tables, the iPad won’t get a sniff in the hands of this powerful and influential group. There is an alternative for the future. Some smart developers out there will build reporting applications that can run over the Internet. It is one of the gaping holes in the SaaS/cloud story requiring urgent attention.
Any other thoughts on iPad for accountants? Weigh in.
IIA Proposes New Standards for Internal Auditors [Compliance Week]
The Institute of Internal Auditors is requested comment on proposals for new standards that would include a requirement for internal auditors to provide audit opinions and to additional explanation of the responsibility of internal auditors for the work of contractors.
Grant Thornton closing Triad office, moving operations to Charlotte [Triad Business Journal (subscription required for full article)]
Grant Thornton finally got around to announcing the closure of its Greensboro/Triad office. We reported on the closure back in February. The firm announced that the “vast majority” of its approximately 30 employees would be moving to the firm’s offices in either Charlotte or Raleigh. The TBJ reports National Director of Communications, John Vita’s comments: “We remain committed to the Triad marketplace, however, we believe it can be best served over the long term by attracting the highest quality professionals who wish to work out of our larger offices in Charlotte and Raleigh.”
Editor’s Note: Robert Stewart is a former Big 4 auditor and ex-Marine who has since served in several executive management roles in both Internal Audit and Corporate Finance. He is also the founder and chief contributor to the online accounting and audit community, The Accounting Nation. Outside of work, he is a husband, father, brother, writer, uate aspiring triathlete.
You can always count on CFO.com for logic flaws and surface reporting. It’s like drinking that concentrated orange juice in a can when you add three parts too much water and then put ice cubes in it because it’s warm, which makes it even more watery which… Where was I going with this?
Oh yeah. In one of their latest articles, entitled “As Internal Audit Staffs Shrink, Will Fraud Rise?“, the author portends — based on a Deloitte survey and subsequent interview — that the decrease in internal audit personnel somehow increases the risk of organizational exposure to fraud. What? Ever hear the phrase “Correlation is not Causation”? Symptom or cause.
Here’s my $0.02: such staffing reductions may increase the risk that fraud will go undetected (though only nominally given that IA only uncovers about 12% percent of frauds according to the ACFE’s Report to the Nation), but the risk to the organization more than likely remains constant, right? Am I missing something here?
After all, Internal Audit is a downstream event unless you make the argument that the organizational perception of being “watched” has diminished with the reductions in internal audit/compliance staffing, thus emboldening would-be fraudsters (i.e. strengthening the “opportunity” leg of Cressey’s Fraud Triangle). But this article doesn’t make that argument.
The article further states that:
Despite the reduction in compliance personnel, 50% of respondents to the Deloitte survey, who included CFOs, CEOs, board members, and middle managers in finance and risk management, said their compliance and ethics programs are strong. Another 36% said they are adequate. Many public companies and some private companies invested significantly in their compliance programs after the passage of Sarbox in 2002, notes Francis, and they may now feel confident that those programs are effective even with a reduced staff. But that confidence may not always be justified.
Confidence? I would hardly call the above percentages “confidence” on the part of the respondents. If I told you that 50% of the airline pilots felt that their pre-flight checklist procedures were strong, how would you feel about flying? No F*#$ing way I’m getting on that plane.
The words wrapped around the survey results and subsequent interview quotes don’t at all support the conclusion that this article is trying to draw. Perhaps it’s because the survey was designed and administered by a firm (Deloitte) that has a vested interest in drumming up some business through fear tactics? After all, you’re never going to hear a burglar alarm company extolling the improvements in public safety.
And you’re never going to hear a company that sells risk-related services conducting and publicly releasing results that don’t support their strategic objectives. Or perhaps it’s just bad writing at CFO.com in order to satisfy a quota? The World may never know (I think the World will be fine with this). Either way, I’ve wasted double the amount of time that I should have on this topic (i.e. read it and wrote about it). And so with that…I bid you adieu.
• Breaking Media, LLC Announces Jonah Bloom, Editor of Advertising Age, Will Join Company as Chief Executive Officer and Editor in Chief – Welcome to Jonah and our new Executive Editor, Matt Creamer! [Breaking Media Press Release]
• Haddrill: We don’t need a Big Five – One man’s opinion. [Accountancy Age]
• S Corporation Basis: Is It Time for an S Corporation Holding Company? – Consider this if you have multiple S-Corps tossing money back in forth. Joe Kristan explains. [Tax Update Blog]
• As Internal Audit Staffs Shrink, Will Fraud Rise? – More with less is a trend everywhere. [CFO]
• Chart of the day, hedonic treadmill edition – For those of you doing the debits and credits at hedge funds, apparently you’re paid the least but happiest with your comp. Who knew it was possible? [Felix Salmon]
• Sarbanes-Oxley for Everyone: To Be or Not To Be? – Check out Francine’s latest contribution to HuffPo. [Huffington Post]
Editor’s Note: Robert Stewart is a former Big 4 auditor and ex-Marine who has since served in several executive management roles in both Internal Audit and Corporate Finance. He is also the founder and chief contributor to the online accounting and audit community, The Accounting Nation. Outside of work, he is a husband, father, brother, writ dequate aspiring triathlete.
Alright, CFO.com, with your latest contribution you’ve satisfied your requirement to pander to your internal audit constituents. If you put a little more effort into the headline, they might read it too. With an article paraphrase like:
A biotherapy firm’s continuous controls monitoring program, which is essentially run by its internal audit team, is credited with creating numerous (though unquantifiable) benefits
you’ve assured that nobody will read further. Talk about hard hitting journalism. Grabs ya’ right by the goods and begs you to read more…doesn’t it? Well, I did read more. Because I am an idiot. Because I need to get out more. Because I’m an internal audit junkie. And mostly because I just love the apathy directed at internal audit by “real” business people.
This article touts the benefits of implementing a Continuous Controls Monitoring system through the “success” story of Talecris Biotherapeutics, a $1.4 billion provider of injectionable medical treatments.
Here’s what I have to say about some points in the article:
• The quote that exemplifies why there is such apathy toward Internal Audit: “‘We can’t help [management] design controls or tell them that a control is the right one to have in place, but we can help them monitor it,’ states Mary Anne Tourney, IAD at Telecris.” This, of course, is bullshit. YOUR JOB IS TO HELP MANAGEMENT.
Don’t twist the IIA Standards to relinquish one of the tenets of your responsibilities (i.e. to offer “advisory” services to management). Hiding behind the independence argument is cowardice. Maybe if you acted like a member of management, they’d treat you like a member of management (and CFO.com might capitalize your title in its article).
• As for the program’s ownership, Tourney states that management designs the controls, ‘But we control the program in internal audit so the parameters of the tests don’t get changed without our knowledge.’ WTF? Where is your independence argument now? Listen, you can’t just apply the standards when they suit you and bend them when they’re inconvenient.
• Miklos Vasarhelyi, a Rutgers professor, states that quantification of the CCM program’s effectiveness is difficult and it’s “flaky” to do too much quantification. At another point in the article, Talecris declined to comment on how much it has spent on the CCM system.
This illustrates another point that internal audit practitioners need to understand better: it’s not just about having an en vogue system that you can brag to your fellow IA geeks about at the local IIA chapter meeting. It’s about spending the company’s money where you get the greatest return on investment. Calling the act of quantifying the ROI of the system “a bit flaky” illustrates why this guy is a professor instead of a CFO. Shareholders don’t care if you have the Cadillac of internal control systems unless it translates into increased shareholder value. This may not always drive the best behavior but let’s face it, that’s how the game works.
Look, the jury on CCM is still out in my book. Although I believe the foundation is sound, I’m not sure about the relative importance in the web of controls chosen by an organization to mitigate its risk. It is, after all, still a back-end monitoring tool that detects anomalies after they have occurred and I’m inclined to spend more of my money on the preventative controls rather than detective controls.
And to all you Internal Auditors out there, stop being afraid to consult management on their internal controls and make control recommendations. THAT’S. YOUR. JOB. You can’t implement or own the controls, but for god’s sake, share your knowledge to improve the organization. It’s the only way for internal audit to start getting some respect (it’s a good start anyway).