Reduce Cost of Monitoring
Increased focus on financial reporting has changed the way Internal Audit is done nowadays. Hence, risk consulting firms like PwC and Protiviti consulting have suggested adopting a balanced approach to Internal Audit, i.e. balancing the Internal Audit between a Risk & Control Assessment focus and a Business Performance Assessment focus, so that Internal Audit resources are allocated appropriately between the value protection and value enhancement objectives of the Internal Audit. However, a question arises: are these two focuses or objectives means to the same end? If so, would allocating resources between them amount to duplication? Instead of a balancing act, I am in favour of a hybrid approach, just as a strategy to corroborate and substantiate various internal control/risk assertions. Mind well, your cost of monitoring and cost of SOX or SARBOX compliance efforts are mainly driven by the kind of Risk Assessment you do and thus the Control Activities you define within your business processes.
Many Internal Auditors who adopt risk-based audit use the following logic to reduce their monitoring cost. When they place higher reliance on the Effectiveness of controls, whether based on their subjective judgment or on the basis of some kind of risk scoring, they reduce the extent of testing the Existence of controls. The lower the net risk score, the lower it will be in the priority list. If we apply this logic in a situation where the Internal Auditor has designed the controls, he will rely on the Effectiveness of controls more, and thus the extent of testing Existence will be less. When the Management designs controls, IA tests the controls to provide assurance to the Management of their Existence and Effectiveness.
Now many would see a contradiction here and may like to question how the Existence of a control is connected to its Effectiveness. Mind well, whether a control is Effective or not, if it exists on the list (List of Primary Controls), it has to be tested for its Existence to reduce the Audit Risk. In other words, there is no connection.
Now let's turn again to the main topic: how we can reduce the cost of monitoring and achieve the various objectives of IA within the available time and budget.
The more we under-rely on controls, the more procedures our strategy will deploy and the more cost it will entail. If we over-rely on controls to reduce our costs, we are responsible for not exercising appropriate diligence. Controls and Risks are affected by the type of industry, location, volume of business, type and value of assets, segregation of duties, past performance and efficiency of risk or process owners, etc. These controls and risks are owned by the Business Managers, and they can influence the Effectiveness and Existence of controls.
A Management Accounting concept used in designing a Performance Measurement System suggests that one should not be made responsible for the inefficiencies of others. Clearly, Internal Audit is made responsible for the higher costs of audit when controls are ineffective or not complied with due to delinquent Business Managers.
The second problem within the Industry is that testing Existence entails more cost than testing the Effectiveness assertion of Internal Control. Although the introduction of technology has solved this problem to some extent, bigger leaps are still to be taken.
So how would we reduce the cost of monitoring while achieving an appropriate level of deterrence for ensuring compliance, and how can we free up IA resources for extending the IA program to other unattended priorities? How can the inefficiency of Business Managers, which increases IA cost, be reduced or taken care of?
Many have adopted the balanced scorecard, incorporating control objectives within its framework, but in reality this management method is just diversifying the risk of the business managers, who may have personal objectives that are not in sync with the business objectives. Another management method, Control Self Assessment, is proving to be an exercise that just enhances the controlling skills of business managers instead of helping them achieve the business objectives in an optimum way.
We suggest below an innovative method that is proposed to reduce the cost of monitoring while keeping the deterrence level among the auditees and the assurance provided to the management at the same level. This will make the business managers more business oriented; they will then serve the business as a separate business unit, and their performance and efficiency will be measured as if they were an outside professional service provider.
Monitoring cost mainly depends on the number of transactions (sources of risk) to be tested and the frequency of testing needed to provide the required level of comfort or assurance to the management.
IA determines a control liability score on the basis of the number of non-compliant sources found. Say IA finds 1 unauthorized credit note: it will give a score of (-)1. Thus when 10 credit notes are found unauthorized, it will give a control liability score of (-)10 to the process owner concerned.
These scores may be connected to the KPI of the process owner, with his due knowledge, which may create the required level of deterrence. The unit score may differ based on the type of risk or transaction to produce the desired deterrence or incentive to comply with the controls. The entire score system may be designed by the top management or audit committee.
How the new method will work:
We will take a retail industry example. Say there are 5 SKUs in a period which should be correctly coded and approved by the Warehouse Manager. Assume that IA imposes a control liability score of (-)10 upon the Warehouse Manager for each incorrect coding or non-approval.
Let's say 2 of the 5 SKUs are not coded correctly and checked. The IA could choose to iteratively test all the SKU sheets to inspect each for the appropriate authorization and coding; given that 2 are incorrectly coded, it would assess a total control liability score of (-)20 if IA were to do 100% testing.
Instead, under our proposed method, the IA could randomly select fewer samples to determine control liability score and apply that outcome to determine control liability score for all 5 SKUs.
If the IA randomly selected 1 SKU as a sample and found it to be incorrectly coded, the auditee would bear a total control liability score of (-)50. If the selected SKU is correctly coded, the auditee would bear a control liability score of 0 (zero). Notably, using this approach, the process owner would be subjected to the same aggregate expected control liability score of (-)20: a 40% probability of a total control liability score of (-)50 and a 60% probability of 0. Thus even by testing 1 SKU, IA can generate the same level of deterrence for the process owner. Similarly, whether you test two, three, four or all five, the control liability would remain the same when you apply the average result of the sample so tested to the entire population.
Sample Size One
Probability of sample selected with risk present: 2/5 = 0.4
Probability of sample selected without risk present: 3/5 = 0.6
Control Liability Score: 2/5*(-50)+3/5*(0)= -20
Sample Size Two
Probability of both samples selected with risk present: 2/5*1/4 = 0.1
Probability of one sample with risk present: 2/5*3/4 + 3/5*2/4 = 0.6
Probability of samples without risk present: 3/5*2/4 = 0.3
Control Liability Score: 0.1*(-50)+0.6*(-25)+0.3*(0)= -20
Sample Size Three
Probability of two samples selected with risk present: 2/5*1/4*1 + 2/5*3/4*1/3 + 3/5*2/4*1/3 = 0.3
Probability of one sample with risk present: 2/5*3/4*2/3 + 3/5*2/4*2/3+ 3/5*2/4*2/3 = 0.6
Probability of samples without risk present: 3/5*2/4*1/3 = 0.1
Control Liability Score: 0.3*(-33.33)+0.6*(-16.67)+0.1*(0) = -20
Thus whatever the sample size may be, 1 or 1000, the final control liability score will remain the same.
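The calculation above generalizes to any population, number of non-compliant items and sample size. The following is an added example, not part of the original post: the function names are assumptions, and it goes one step beyond the text by also reporting the standard deviation of the extrapolated score, which shows how much a single audit outcome can differ from the expected value at each sample size.

```python
from fractions import Fraction
from math import comb


def liability_distribution(population, noncompliant, sample_size, unit_score):
    """Map each possible extrapolated score to its probability.

    The sample is drawn at random without replacement, and the failure
    rate seen in the sample is applied to the whole population.
    """
    total = comb(population, sample_size)
    dist = {}
    for found in range(min(noncompliant, sample_size) + 1):
        # Ways to pick `found` bad items and the rest from the good items.
        ways = comb(noncompliant, found) * comb(
            population - noncompliant, sample_size - found
        )
        if ways == 0:
            continue  # outcome impossible for this sample size
        score = Fraction(found, sample_size) * population * unit_score
        dist[score] = Fraction(ways, total)
    return dist


def expected_score(dist):
    """Probability-weighted average of the extrapolated scores."""
    return sum(score * prob for score, prob in dist.items())


def std_dev(dist):
    """Spread of the extrapolated score around its expected value."""
    mean = expected_score(dist)
    variance = sum(prob * (score - mean) ** 2 for score, prob in dist.items())
    return float(variance) ** 0.5


if __name__ == "__main__":
    # The post's retail example: 5 SKUs, 2 miscoded, (-)10 per exception.
    for n in range(1, 6):
        d = liability_distribution(5, 2, n, -10)
        print(n, float(expected_score(d)), round(std_dev(d), 2))
```
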
The size of the sample may be determined based on a plan approved by the management or the audit committee to ensure adequate assurance within the available time and budget. The size of the sample can be negotiated between the parties concerned before the audit period.
The method will also reduce the frequency of audit or monitoring. However, the method should only be applied to past transactions and not to prospective transactions. This method will reduce the cost of testing the Existence of Controls so that IA can deploy the resources freed up to other compelling IA priorities.
Remember, in a real-life scenario, the auditor may not know the exact number of non-complied risk sources within a risk population, but the size of the risk source population, the sample size and the degree of control liability score for the type of control risk would determine the action, discipline and efficiency of the concerned process owner even before the start of the audit. The method provides adequate incentive to the process owners to remain compliant while optimizing the business results to be achieved. They should be trained in various risk reduction techniques to reduce their control liability score and optimize the business results. Thus IA can become proactive in coaching the process owners in controlling skills as well as helping them improve the business performance.
The control liability scores should reflect the kind of assurance required and facilitate achievement of business objectives. The scores have to evolve for each industry or type of business or transaction so that they can be benchmarked across the industry or the business segments appropriately.
This new concept is at the idea incubation stage and thus any suggestion or critical comments are welcome from the IA community and members of management around the globe interested in reducing the cost of monitoring or SOX / J-SOX / Clause 49 Compliance while achieving increased value addition.
If you have any confusion with the new method suggested, let me know how you are positioned looking at the SERMON cartoon below.

Labels: Internal Audit, Performance Measurement


