Undergoing an internal audit for Sarbanes Oxley, or any other audit for that matter, can be stressful. Everyone wants to do a good job and wants to feel like their area is well run and under control. It can be easy to get caught up in the sloganeering of “no exceptions” or “no more than five exceptions”, etc.
As comforting as it may be to have zero exceptions (often an audit red flag itself), what actually matters to executives is something different. It is the character and severity of control exceptions that make the difference and that garner the attention of the executive suite.
After performing internal audits for decades, our staff has come up with what we believe truly matters as far as control exceptions. Please note that these are not simply our own views, but those of countless executives who have validated these points time and again. With that, let’s jump right into the control exceptions that matter:
Authorization levels ignored/don’t exist
Having a delegation of authority (DOA) is about as basic as it gets. If your organization does not decide who can do what…then it means that anyone can do anything. A basic delegation of authority lists the approval levels required to bind the company for each type of major transaction, e.g. purchases, real estate leases, customer contracts, etc. Not having a DOA is a major control flaw as the organization is not effectively managing the process of entering into transactions.
Of course, after developing a DOA, the organization must adhere to it. If an organization does not follow their DOA then you can’t really say that they have full control of their business.
The bottom line is to get a DOA in place, distribute it, train and get your transactions locked down.
A failure of automated controls
Automated controls are definitely something to work towards and they are great…when they work. The issue is when an automated control fails, this casts doubt upon the voluminous number of transactions that were processed by the failed control. The old “garbage in; garbage out” saying here applies. If your IT systems are doing something wrong, then they are simply producing garbage faster.
On the surface this may not seem like a particularly serious exception. If the transaction was approved and executed properly, then why is it a big deal that we are missing some paperwork? These types of exceptions are serious because without the underlying paperwork that supports the reality of the transaction, we cannot be sure that the transaction is genuine and/or accounted for correctly.
When there are audits there will be exceptions. The key is to evaluate the types of exceptions that have occurred and then prioritize to your team which exceptions need the most attention. It is also important to communicate to upper management which control exceptions you are focused on and which require less attention. As a control owner, you want to make sure that you make this distinction clearly and prioritize your work accordingly. As an auditor you want to make sure you are prioritizing your communications to stress the fact that all exceptions are not created equal!Contact us today to learn more about making control exceptions work for your business.