An internal audit is an independent evaluation of a business’s internal controls and processes including critical areas like corporate governance, compliance, accounting and finance. An effectively implemented audit can ultimately identify workflow or procedural problems, as well as provide a risk management tool against potential fraud, financial abuse and business inefficiencies.
Depending on the structure of an organisation, an auditor will periodically (usually annually) work within a particular division or business unit. Using previous data as a baseline, they’ll work towards building and testing a working understanding of the current internal control process. During this “fieldwork” stage, real workflows will be broken down into individual steps, allowing the internal auditor to:
(a) Evaluate whether workflow controls are still compliant/sufficient when compared to a previous audit
(b) Identify and note issues and risks within the controls (audit points)
(c) On completion of the audit, document results, work with the management team to resolve the audit points raised and arrange a follow-up meeting
Business areas typically audited include Operations, Finance, IT/Infrastructure and HR.
Within each of these areas, a company will have set policies and procedures which form a framework for the benefit and protection of both the company and the individuals working for the company. Part of the audit function is to test the actual process against those policies or procedures.
Internal audit, operations and authorised signers post Covid
What is an operational audit?
In contrast to other types of internal audit, an operational audit is usually much more comprehensive and covers all organisational units, processes and policies. Whilst a regular audit assesses the financial strength of an organisation, an operational audit evaluates the entire business and aims to improve its overall effectiveness and performance.
The 3 primary objectives of the internal operational audit are to:
1) Provide critical assurance – Ensure that the organisation is operating as efficiently as possible
2) Advise management – Identify and test new ways to improve internal controls and processes
3) Anticipate emerging risks – Effective operational audit can identify any potential operational risks like fraud, cyber and health threats
Operational audit during Covid-19
As the world navigates the Covid-19 pandemic and slowly moves back to the old normal, internal auditors continue facing a number of challenges and risks and will need to remain as agile as possible to support the business in the most efficient way.
Deloitte has identified the following key risk areas internal auditors need to consider when carrying out their duties:
- User access controls: Due to remote working, user access controls may be compromised and conflicts of interest may arise. Internal auditors should make sure there’s an effective monitoring process in place with a clear audit trail of any changes made.
- Finance: Auditors should perform working capital assessments against scenario planning assumptions and cash flow forecasts, review access to and the implications of government fiscal support, and facilitate year-end financial reporting.
- Internal controls: Understand the changes, both temporary and permanent, to the organisation’s control environment, with particular focus on management review, accounting judgement, transaction processing, cash payments, insider trading, remote working and key personnel authorisation controls.
- Cyber risk: Are there sufficient controls in place to tackle the increasing threat of cyber security crime?
- Insurance cover: Are health and safety regulations still being complied with whilst working remotely?
- Risk management: Is the organisation meeting all regulatory requirements, and has it adapted its risk assessment and monitoring processes and policies?
- Transactions: Does the company have an efficient procedure and business continuity plan to continue implementing its business and contractual transactions remotely? How are signatory authorisation rights granted, managed and transferred between relevant employees?
What internal auditors need to know about authorised signers?
Before we discuss the role of authorised signers in internal audit, we’ll take a look at what exactly an authorised signer is.
Designated officers/employees within an organisation who are authorised to process and approve official documents and third-party agreements on behalf of the organisation are often referred to as “authorised signers” or “authorised signatories”.
The process of signature authorisation usually forms part of a broader “Delegation of Authority Policy” that establishes an internal procedure for appointing approval and signing authority, and for defining the level and scope of that authority. The policy also includes a list of general responsibilities for authorised signers to follow when reviewing, approving and processing company contracts and official documentation.
Many organisations, for example, restrict signature authorisation to directors or senior employees and set contract value limits applying at different seniority levels. Typical signatory duties include:
- Dealing with resolutions
- Signing and delivering official documents and agreements with third parties and serving as a company’s agent
- Signing/authorising goods/product orders
- Signing/authorising permits, passes or time-sheets
- Giving any notices
- Executing any specific undertakings and approvals
Below we’ve identified the 2 key areas internal auditors should consider when assessing the management and execution of authorisations within an organisation:
1) Who has the authority to sign binding documentation on behalf of the company?
- Is the company authorised signatory list up to date?
- Are individuals aware of their designated authority limits?
- Periodic sub-audit of the signatory lists.
2) Who has access rights to company systems?
- How is access granted, edited or revoked?
- Is the current access level relevant to the current role?
- What is the process for checking that individuals do not retain conflicting legacy rights when moving internally?
A failure in any of the above areas might result in a number of operational risks and threats like fraud, cybercrime, and human or technical error. Generally, an auditor should seek an answer to the following questions:
- Is physical documentation still readily available?
- What evidences that the signatory data is up to date?
- How can the data be shared internally and externally in a secure way?
- How can the processes be reviewed in action?
- Are e-signatures adopted and how? Has the authorised signatory management policy been extended to cover e-signatures too?
The Cygnetise signatory management application is now increasingly used as a complementary solution to e-signature protocols as, when the two applications are combined, a safe, efficient and dynamic process is the result.
Organisations are adopting new technology that, when adopted in a collaborative manner, provides a secure and efficient method to review and test controls for audit purposes.
The core test here is to demonstrate that wherever an authorised signature is required, at whatever level, the signature is valid. The Cygnetise application overcomes the traditional audit issues associated with manually maintained signatory lists, as well as the current issues created by Covid-19 lockdowns and remote working.
With all signatory updates maintained in real-time generating a complete, time-stamped audit trail, organisations adopting Cygnetise are significantly improving their control over the signatory process.