About Me

So, I'm trapped in audit. At least for the time being. Whilst I'm here I may as well make constructive use of my time, so I'll share some of my thoughts and experiences.

Sunday, June 19, 2011

Auditing an organisation's policies and policy framework

In my experience, I have seen an organisation's policies in two forms: standalone documents (in Word, PDF or [rarely] Excel format); or on the intranet as inter-linked documents. There are advantages to both: the former is more portable and archivable; the latter allows an understanding of the interrelationships between policies. On balance, I would prefer the latter, particularly where there is a robust mechanism to create a portable offline copy using website downloading tools (if these are permitted by your organisation's IT team!).

Some criteria for assessing policies and the policy framework:

  • Is it complete? Does it cover every eventuality?
  • Is it up-to-date? All policy documents should note a last review date.
  • Is there ownership in place? All policy documents should note an owner (which should be up-to-date).
  • Are archived copies kept when (major) changes are made?
  • Does the policy comply with the relevant legislation?
  • Is the policy strong enough to address the risk?
  • Is the policy understandable? Is there only one possible interpretation?
  • Are all hyperlinks current?

Saturday, June 11, 2011

Interrelationships between preventive, corrective, directive and detective controls

Both detective and corrective controls are preventive in the sense that they can enable the prevention of further events or of the continuation of the detected event. For example, a control that detects fraud by an employee will prevent further frauds by that employee and will reduce the likelihood of fraud by other employees through deterrence.

Directive controls (i.e. policy and procedures) support controls at all stages.

It may be helpful to visualise the action of different controls on a timeline:



[Definition of corrective controls: act to reduce the impact of a detected event]

Not one, but two definitions of risk

I think two definitions of risk are necessary to successfully explain risk management:

a risk - countable abstract noun - an event, occurrence, circumstance, situation or outcome that may occur and would impact on the achievement of objectives (either positively or negatively)

risk - uncountable abstract noun - the likelihood and impact of an event, occurrence, circumstance, situation or outcome. In some cases the word may be used to refer to just the likelihood, e.g. "what is the risk of dying in a plane crash?" (the impact is defined, therefore the risk reflects the likelihood), or just the impact, e.g. "what is the risk associated with touching this wire?" (the probability is ignored and therefore the risk reflects just the impact).

Monday, June 6, 2011

Adding risk management to job descriptions

In addition to cooperating with audit, risk management should be included in the job descriptions of all people of manager grade and above (and possibly for all employees for some organisations). The responsibilities should include risk identification and reporting upwards, and developing/maintaining control response (where this has been assigned to the person).

Strategy audit

I've not seen much in the way of strategy audit, but it seems an interesting area (particularly for the auditor). Perhaps the reason that it is not subject to frequent audit is that it tends to be the domain of senior management, who don't want audit sniffing around.

Some questions I'd want to ask:

  • Is the strategy formation (and update) process documented?
  • Is there an up-to-date organisational strategy?
  • Has the strategy been communicated to the right people?
  • Are all the necessary inputs to strategy formation in place (market information, competitor information, technology information, internal information)? (This would use PESTLE, Porter's 5 Forces, 9Ms, etc.)
  • Are the right people involved in strategy formation? (sales, marketing, finance, risk management, technology, research & development)
  • Do the strategy formers have the right qualifications, experience and skill?
  • Are there any training requirements? Are these being met?
  • Does the strategy flow through from the single-line mission statement to more detailed objectives, and right down to individual performance objectives?
  • Is there a feedback loop on performance that allows validation of the strategy?
  • Is there a process to accommodate significant events into the strategy?

Saturday, May 14, 2011

Single line journal report

Journal auditing can be hard work. Say you have a general ledger dump and you want to identify all journals to cash accounts. That's easy enough: just apply a filter to the account code. But then you've only got one side of the journal. To get both, you need to extract that filtered set of journals, then join it back to the original dataset, matching on the journal identifier.

What would be really useful is a report from the accounting system that gives both sides of the journal entry in one line of the report. One column would show the account code debited, and another the account code credited. Applying filters to each of these columns makes it very easy to see where journals are going.

To get this to work, the system would need to force all journals to be two-entry only, equal and opposite (rather than allowing those that, say, debit two accounts and credit one). But having such a rule would not be a bad thing, as it would give a finer granularity of data in the ledger.
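As an added illustration (not from the original post), the two-step extraction described above and the proposed single-line report, run over a small constructed general-ledger dump in SQLite; the journal ids, account codes and amounts are made up, and a three-line journal is included to show why the two-entry rule matters.

```python
import sqlite3

# Constructed sample general-ledger dump (not real data): one row per posting
# line, with positive amounts for debits and negative amounts for credits.
GL_LINES = [
    ("J1", "1000-CASH", 500.0), ("J1", "6100-TRAVEL", -500.0),
    ("J2", "4000-SALES", -900.0), ("J2", "1000-CASH", 900.0),
    ("J3", "6200-RENT", 300.0), ("J3", "6300-UTILITIES", 200.0),  # three-line journal:
    ("J3", "1000-CASH", -500.0),                                 # two debits, one credit
    ("J4", "2000-PAYABLES", -150.0), ("J4", "6400-OFFICE", 150.0),
]

def load_gl(rows=GL_LINES):
    """Load the dump into an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gl (journal_id TEXT, account TEXT, amount REAL)")
    conn.executemany("INSERT INTO gl VALUES (?, ?, ?)", rows)
    return conn

def journals_touching(conn, account_prefix):
    """Both sides of every journal that has a line on a matching account:
    filter on the account code, then join the hits back to the full dump
    on journal_id (the two-step approach described in the post)."""
    sql = """
        SELECT g.journal_id, g.account, g.amount
        FROM gl AS g
        JOIN (SELECT DISTINCT journal_id FROM gl WHERE account LIKE ?) AS hit
          ON hit.journal_id = g.journal_id
        ORDER BY g.journal_id, g.account"""
    return conn.execute(sql, (account_prefix + "%",)).fetchall()

def single_line_report(conn):
    """One row per journal: (journal_id, debit_account, credit_account, amount).
    A journal that is not one equal-and-opposite pair cannot be shown this way;
    it is kept with None for both accounts so the auditor sees it, not loses it."""
    sql = """
        SELECT journal_id, COUNT(*),
               MAX(CASE WHEN amount > 0 THEN account END),
               MAX(CASE WHEN amount < 0 THEN account END),
               SUM(CASE WHEN amount > 0 THEN amount ELSE 0 END),
               SUM(amount)
        FROM gl GROUP BY journal_id ORDER BY journal_id"""
    report = []
    for jid, n_lines, debit, credit, amount, imbalance in conn.execute(sql):
        if n_lines != 2 or abs(imbalance) > 0.005:
            report.append((jid, None, None, amount))  # flagged: multi-line or unbalanced
        else:
            report.append((jid, debit, credit, amount))
    return report
```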

Net transaction view

Often, trying to understand what comprises the balance on a GL account can be challenging, particularly where there are lots of journal entries (e.g. reclassifications and reversing journals).

Reclassification and reversing journals should be linked on the system. The user should be able to pick up a line entry (in the case of a reclassification) or a double entry (for reversing journals) and then execute an action (e.g. change the account code or cost centre, or reverse, etc.). Such an action should still go through the journal segregation of duty/authorisation process, and supporting documentation should be retained.

The advantage of a system that links entries on the GL is that it allows a "net transaction view", i.e. only showing where transactions ended up (not how they got there). The full audit trail is there on the system if needed, but the "net transaction view" allows the contents of the ledger to be more easily understood.
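An added example, not part of the post: a linked-journal structure of the kind proposed above, collapsed to a net transaction view while keeping the full trail retrievable. The `links_to` field, journal ids, account codes and amounts are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample ledger (not real data). Each journal optionally records
# the journal it corrects via `links_to`, as the post proposes. Amounts are
# positive for debits and negative for credits.
JOURNALS = {
    "J10": {"links_to": None,  "lines": [("6100-TRAVEL", 250.0), ("1000-CASH", -250.0)]},
    "J11": {"links_to": "J10", "lines": [("6100-TRAVEL", -250.0), ("6150-ENTERTAIN", 250.0)]},  # reclassification
    "J12": {"links_to": None,  "lines": [("6200-RENT", 1200.0), ("2000-PAYABLES", -1200.0)]},
    "J13": {"links_to": "J12", "lines": [("6200-RENT", -1200.0), ("2000-PAYABLES", 1200.0)]},  # reversal
    "J14": {"links_to": None,  "lines": [("6300-UTILITIES", 80.0), ("1000-CASH", -80.0)]},
}

def root_of(journal_id, journals):
    """Follow links_to back to the original journal, refusing cyclic links."""
    seen = set()
    while journals[journal_id]["links_to"] is not None:
        if journal_id in seen:
            raise ValueError("cycle in journal links at " + journal_id)
        seen.add(journal_id)
        journal_id = journals[journal_id]["links_to"]
    return journal_id

def net_transaction_view(journals):
    """Collapse each chain of linked journals to where the money ended up.
    Returns {root_journal: {account: net_amount}} with zero nets dropped, so a
    reclassified entry shows only its final account and a fully reversed
    transaction disappears from the view entirely."""
    nets = defaultdict(lambda: defaultdict(float))
    for jid, journal in journals.items():
        root = root_of(jid, journals)
        for account, amount in journal["lines"]:
            nets[root][account] += amount
    view = {}
    for root, accounts in nets.items():
        remaining = {a: amt for a, amt in accounts.items() if abs(amt) > 0.005}
        if remaining:
            view[root] = remaining
    return view

def audit_trail(root, journals):
    """The full chain behind one net line, for when the auditor needs to see
    how the balance got there rather than only where it ended up."""
    return sorted(jid for jid in journals if root_of(jid, journals) == root)
```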