“A stitch in time saves nine”

GardaWorld, a service agency entrusted with the work of distributing the monies (mostly coins) on behalf of various banks. In the process, GardaWorld maintains the stock in its warehouses, accounts for what is being maintained, and carries out the distribution with its resources which include armored trucks and people. All went well till it was reported that some of the money went missing. Who stole the money, without being noticed?

The very first thought would be a robbery or someone stealing it. Robberies cannot go unnoticed and stealing truckloads of money from a secure & guarded location also equally ruled out. Employees taking money every day, filling their pockets while changing duties? It has to be a daily activity, as obviously one cannot carry bags full of money from a guarded vault. So many people and so many days of theft – sounds crazy! May not be the cause.

If no one steals anything – physically – where is the money gone? Before getting into the fundamental question, let us see how money(coins) are measured, monitored, and secured – in general – across various financial entities, while storing or distributing. While currency is generally counted before changing hands, coins are “weighed” when dealt in large quantities. However, weighing is not practical when container loads of coins are handled, as packing material would alter the calculations. So, the first issue here is – coins are generally counted as boxes/ containers/ drums when stored or transferred in large quantities. So the possibility of accurate accounting is less.

Secondly, the warehouse stores money from different banks – just like a regular warehouse storing different products like electronic items or meat products. The difference here is all the items are the same from different owners – at least the content within the packages. So, practically no need to segregate the boxes based on the owner bank. The second issue is lack of seriousness on segmentation and at any point in time, the accountability would be on “total” and not on detail.

Next, comes, where do you get this money from? Always receive from the mints/bank vaults or sometimes from your customers too? Is it always an issue to customer/branch or sometimes the receipt as well? It is more complex to handle issues and receipts both, why? The reason being whatever received from the banks are always in standard sizes/volumes/ quantities and simple measurement of packs will give a full measurement of value. The same cannot be true in the case of customer/branch receipts. So, the third issue is difficulty in quick measurements. This can be easily translated into a time-consuming handover/takeover process for each shift. So what? Practically ignored by its employees! A weak control obviously paves way for fraud. When no one knows how much money lying in all those hundreds of boxes, some crooks will make use of the opportunity.

Now, the chances of fraud. The money belongs to multiple owners (banks) and obviously, some inspection or audit takes place periodically by individual banks, as a global best practice adopted by all banks, almost. When you have a warehouse with similar items stocked everywhere – everything is the same in terms of value- what inspection do you do count a few items, which you think belongs to you? How easy it is to show the inspecting officer and tell him – “see, all those 25 boxes are yours”. Practically, every auditor can be given a similar reply and possibly they leave happily forever.

This kind of fraud happened at numerous places across the Globe where the custodian keeps huge sums of money on behalf of many banks or different branches on the same bank. Typically, they are given tasks like refiling ATM machines or maintain local vaults. At any given point in time, the fraudster (who manages the money) can show any visiting auditor, his money. Even when there is a shortfall, he can always make good from the huge balances he is maintaining. Unless and until all banks plan a single audit, this kind of fraud is hardly detected by auditors.

While fraud cannot be ruled out, another culprit could be weak systems and processes for accounting, transitioning, and reporting. As already discussed, the systems issues will multiply when money from different banks is pooled and stored together; money consists of receipts and payments as well; all packages will not be containing equal amounts of money and finally when the employees are overburdened with work.

Weak systems and faulty accounting practices could be a major culprit. It is likely that the money could be lying somewhere in some of the vaults, perhaps unnoticed/unreconciled, and not bothered about its existence. Also, it could be an issue of undercounting of packages like a box that may contain higher denomination but labeled as a lower denomination. The second probability, less likely, could be a major fraud where the money is siphoned out temporarily with an intention to replace it at a later date.

By and large, the episode talks about the need for a carefully designed and monitored system and associated processes. “A stitch in time saves nine”. Truetech’s Consultants helped many of its global clientele in designing and strenghtne their systems and process.

How New Information Technology Will Transform Auditing

An interesting insight on automated governance & control techniques and how they influence internal auditors.

Reblogged from ventanaresearch :

A recent news release by Robert Half, a staffing company that specializes in accounting and finance personnel, covered what it sees as the most important attributes required for auditors in the 21st century. “7 Attributes of Highly Effective Internal Auditors” covers the people dimension of the profession and focuses on the non-technical requirements of the role, including relationship-building, teamwork, and diversity.

Read more… 965 more words

Top IT Challenges & Audit: Protiviti Survey 2012

Information Security (including data privacy, storage and management) ranked #1 among the top technology challenges faced by organisations, according to 2012 IT Audit Benchmarking Survey conducted by Protiviti, a global consulting firm operating in over 20 countries. Protiviti conducted the survey at the end of September 2012 with 1,000 people from companies with 100+ employees.

Cloud computing, social media, risk management & governance and regulatory compliance followed the list of top technology challenges.

IT Audit

The survey hints that a large of number of organizations may be understaffed in terms of IT Audit capabilities in their internal audit functions. Organizations are meeting this gap with guest auditors, co-source providers and outsource IT audit function. 


While the survey indicates a significant gap in the IT audit capabilities of many organizations, 48% of small companies are  not using any outside resources, clearly indicating  that these organizations lack necessary skills and resources to manage IT risk. 

 

In-house internal audit department lacking the specific skill sets seems to be the major reason for organizations using external resources to meet the IT audit requirements. 67% of the participants expressed this opinion, which stood at 62%  in 2011. This clearly indicates, the organizations are increasingly looking forward to avail the services of experienced and qualified IT auditors, while keeping the costs low.

 

Considering the fact that a significant number of companies have limited or no resources devoted to IT Audit,   the survey concludes that a number of  organizations are not in compliance with Standard 1210.A3 stipulated by the IIA. 

IIA Standard 1210.A3 – Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.

 IT Audit Risk Assessment

Considering the pace of technology proliferation in organizations IT implementation and business models as well as the changing threat scope in general, IT audit risk assessment needs to be carried out on an ongoing process and at least in a quarter. Interestingly, only 13% of the organizations are conducting the risk assessment at this frequency and as many as 65% of the organizations conduct at annual intervals !! This clearly indicates,  majority of organizations are NOT keeping pace with the rate of technology change, emerging new threats and innovations in the organizations.

Frameworks

On a positive note, 86% of the organizations adopted a framework to based their IT Audit Risk Assessments with COBIT (63%) and COSO (43%) leading the list.

IT Governance

The survey tested the organizations’ IT Governance processes as against the IIA standard to ensure the internal audit function assesses whether the IT Governance sustains and supports organization’s business strategy and objectives.

IIA Standard 2110.A2 – The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives.

Unfortunately, responses from about three fourths of the organizations indicate that IT Governance process is NOT a priority.

The survey also covered other aspects like training, gaps in audit plan and can be accessed  from http://www.protiviti.com/en-US/Documents/Surveys/2012-IT-Audit-Benchmarking-Survey-Protiviti.pdf