Printer Friendly

A day of reckoning.

AN INTERNAL AUDIT PROGRAM IS an excellent way for a company to find out whether departments or facilities are complying with company policy and whether they are using sound business practices and recommended operating procedures.

Before a company implements an audit program, it should decide on the program's expectations and goals. Decisions about what actions to take if a department is not in compliance should be discussed before the program is implemented. And management needs to decide which department will conduct audits--the accounting department, the security department, or both.

For this article, the assumption will be made that the audit responsibility falls under the jurisdiction of the director of security.

An audit should have three components: a formal investigation process, the exit interview, and the report. The format of the audit can vary.

THE SURVEY CAN BE PERFORMED USING A checklist, a fill-in-the-blank form, or a detailed report tailored to each facility. Some companies use a combination of formats.

Tho checklist audit. The checklist audit format is the easiest to perform and review. It is not, however, the most interesting to conduct or read.

This type of audit is comprised of a list of standards the company thinks each facility should comply with and the policies and procedures that should be used to accomplish these required tasks.

As the auditor walks around the facility, he or she fills in the form by checking a "yes" or a "no" to indicate whether a facility is complying with company policies.

Although the checklist audit gives the company some measure of how management at the facility is performing, this type of document is difficult to quantify because it relies totally on the auditor's observation.

It is also hard to measure items against each other. For example, not complying with cash handling procedures is far more damaging to a unit than not breaking down boxes before they are thrown in the trash. Yet, both carry equal value on the form. In reading the final report, management tends to ignore the "yes" answers and concentrate on the "no" answers.

The fill-in-the-blank audit. This type of audit format provides a standard form, as does the checklist, but instead of checking a "yes" or "no," the auditor writes comments.

An example of this type of audit used by one retail company was designed to determine the proficiency with which refund forms were being completed.

The audit form was made up of a line listing for each section, box, or blank on the refund slips plus a listing of the required procedures. In this case, procedures included attaching the original sales slip to the copy retained at the service desk, validating the slip at the register where the slip was redeemed, and accounting for all refund books in the store via a log.

The auditor merely counted the number of completed refund slips and entered the total. Then for each section, the total number of slips on which that section was left blank was listed.

This type of audit is tedious, time-consuming, and usually reveals a number of exceptions. In this instance, most managers thought the audit was a waste of time.

However, the overall objective was to ensure that the paperwork was being completed properly, so the audit proved effective. By concentrating on each blank on the form, the habit of completing paperwork accurately was developed. This, in turn, allowed the security department and auditors to go back later and establish an accurate paper trail to check for fraudulent refunds.

An effective audit relies on the accuracy of the paperwork documenting the business transaction. Both the checklist and fill-in-the-blank audits are easy to use. The auditing document becomes the audit report, and neither requires much, if any, documentation.

The formal audit. A formal audit is one where the auditor performs a check of all operations in a facility and then writes a report detailing the problems. Since many operations are examined at once, the possibility of a large number of exceptions being noted is high.

As a result, this type of audit can be misinterpreted by upper management. Not only can the document embarrass the unit manager by making him or her appear incompetent, it can also call for extreme action and, in the end, throw the facility into a panic.

This kind of reaction can be avoided by concentrating on only the major exceptions in the report and including the manager's corrective or planned corrective action in the document. The problem can also be avoided by developing an audit format that examines only specific areas of responsibility--for example cash handling, warehouse operation, register operation, and paperwork.

By dividing a facility's entire operation into segments, an auditor can give a detailed report on ways to improve that one area of operation. Then on his or her next visit a different operation can be examined.

The advantage of a smaller audit is that, if problems are found, the manager has a list of fewer exceptions to be corrected and does not have the hopeless feeling of being handed an insurmountable number of problems to correct.

The size and extent of any audit is determined by the number of locations an auditor is responsible for and the distance between those locations. However, performing the same type of audit in all locations is not advisable because managers tend to compare notes. The facility next on the list to be audited will be alerted to what the auditor will be reviewing, and that manager will try to cover up problems before the auditor arrives. This results in a false impression of the second facility's operation.

In situations where auditors are responsible for a number of facilities or large geographical areas and will not return to a particular unit for a while, a more extensive audit or combination of smaller audits can be performed. In these cases, an auditor would spend several days at one location, examining every system that requires compliance.

The following are examples of other types of audits that can be performed:

Paperwork audit. This audit involves scrutinizing paperwork generated at a facility to ensure that it was properly completed and its preparation complied with company policy.

Procedural audit. A procedural audit examines operations. It can study efficiency, or it can evaluate compliance with safety standards. A loss prevention audit that measures such procedures as opening, closing, and trash removal falls into this category.

Paper hammer audit. This term refers to an audit that measures one facility's compliance to everything. It often results in a lengthy report with numerous exceptions.

This type of audit is useful when a facility is performing poorly compared to other facilities or where a new manager is assuming responsibility of a problem unit.

Follow-up audit. An audit that has numerous or severe exceptions should have a follow-up audit to ensure that the manager and his or her supervisor have taken corrective action and the problem has been eliminated.

Where possible, all exceptions should be studied within the parameters of a stated sample. For example, in a retail company, if the auditor selected every fifth refund to examine and found 10 exceptions in 20 documents, this should be stated and a projected error rate established.

In this example, the projected error would show that 50 percent of the documents were in error. If only a single error were found in a large sample, yet if the mistake was big, the auditor should not be afraid to expose that one error (for example, one $2,000 error).

The sample should include all people involved in an operation because it can detect one or two individuals in a sample of 20 who are performing below standard. The auditor can then select more examples of these individuals' paperwork to examine further and state the percentage of error at which each is performing.

The auditor should also gather the documentation necessary to answer any questions that may arise later, especially if the auditor thinks the problem might lead to an internal investigation.

AT THE CONCLUSION OF AN AUDIT, THE auditor should schedule an interview with the facility manager. During this meeting the findings and possible resolutions to problems should be discussed.

The exit interview serves several purposes. Most important, the manager will not be surprised when the report is published. If the manager disagrees with the findings, the two can discuss the matter. And if more documentation is needed, it can be obtained and reviewed by the manager before the auditor leaves the unit.

During the exit interview, solutions to the problems should be discussed. Suggestions for corrective action that will bring the unit up to company standards should come not only from the auditor but also from the manager whose facility is being audited.

The auditor has the benefit of knowing what has worked and not worked. The manager, however, has a better handle on the unique qualities of his or her own facility and is more committed to solutions he or she formulates.

THE AUDIT SHOULD BE DOCUMENTED BY a report detailing the survey's findings. Reports should begin with a brief statement identifying the type of audit used, the facility examined, the date performed, and the purpose of the audit.

Reports should be factual and, where possible, refer to areas or functions and not people or positions. The auditor should refrain from editorializing or patronizing the reader. He or she should also not try to explain how important the exception was. After all, the targeted audience is upper management. It is qualified to determine the importance of each finding.

The findings or exceptions section should list all major deviations from company policy in order of importance or severity. Each finding should be brief and clear.

Often the findings are grouped by function or topic of responsibility with a heading for each section. The purpose of the document is to be read, so any aid to make the report easier to understand or more interesting should be used.

The last section of the report should contain recommendations to prevent violations from recurring. The best solutions to problems come from exit interviews and are tailored to the specific needs of the facility and management team.

Distribution of the final report is important. The audit report should be addressed to the facility manager with copies sent to the auditor's supervisor and the manager's supervisor to ensure follow-up. The distribution should escalate one step higher in the management line if a poor follow-up audit indicates no action has been taken by the facility manager or the supervisor.

No matter how large or small a company is, proper auditing procedures can be established that will benefit the facility.

E. Floyd Phelps, CPP, is assistant director of the department of public safety at Southern Methodist University in Dallas. He is a member of the ASIS Standing Committee on Educational Institutions.
COPYRIGHT 1992 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1992 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:internal auditing
Author:Phelps, E. Floyd
Publication:Security Management
Date:Sep 1, 1992
Previous Article:A disaster waiting for a place to happen.
Next Article:High technology: the glue between government and industry.

Related Articles
Internal audit.
Internal audit.
Extracting energy from Sarbanes-Oxley: auditors at Chevron became internal consultants when management took responsibility for performing...

Terms of use | Copyright © 2018 Farlex, Inc. | Feedback | For webmasters