Before the Financial Audit, Check IT First

At accounting firm Mazars, some audit engagements start well before the financial auditor cracks open a single ledger. It sends specialists like Christopher Hock to first examine the client’s information technology systems.

“My work begins and ends prior to any of the year-end audit procedures commencing,” says Hock, who has been relocated to China from Munich. “It’s called an IT Audit for good reason, as it’s a detailed assessment of controls within the IT infrastructure as well as within the software systems clients use to execute their business processes.”
Hock spoke with CFO Innovation’s Angie Mak about the intricacies of IT audits, the benefits it can yield for companies, how much an engagement can cost and other issues.
How do you go about performing an IT check-up?         
Before we conduct an IT audit or IT review, we have a discussion with the financial auditor, who knows the client best. The auditor knows the requirements of the CFO, what is important for the CFO. We do this to determine the scope of the IT audit, because it’s never possible to review all parts of an IT system. 
The second step would be to obtain an understanding of the company’s business processes. That means the accounting, sales, and warehouse management process, for example. It is important to see what part of the business process is performed inside the IT system, and what part is performed manually. 
If a process is performed by the IT system, you need to test it only one time, and you can say, “OK, if it works in one test transaction, it also works in a million test transactions.”
For manual controls, you have to do sampling. That means you have to select a sample of, let’s say, 30 transactions and check all of them. That’s a lot of work for the client, if the auditor asks for documents on 30 transactions. It benefits the CFO and the company [to have the IT system perform the process], because if we can do a sample size of one in the IT system, it’s much more efficient for the client.
There’s quite a huge difference between how it’s done in Europe and how it’s done in China. In Europe, especially in Germany, there is a high degree of automated processing. In China, companies are still on their way to do more automation. More and more companies are implementing IT systems to achieve a higher degree of automation in their business processes. But there are still some clients which still have a very high degree of manual work.
So you might find, after the IT audit, that one of the things that companies need to do is automation?         
Not only is it better for efficiency, it is also better in terms of security. Let me give you an example: the approval of expense reports from employees. I have often seen that employees have printed a hard copy of the expense report, and then have to go to four different people to get their signatures. This is very inefficient.
If there is an automated workflow system with set approval limits – for [small amounts], for example, the assistant manager can approve and, above 100 yuan to 10,000 yuan, the manager can approve, and above that, the department head has to approve – [those four people] are just required to press a button and give a [digital] signatures. Manual signatures on hard copies can easily be falsified and copied. In an IT system it is not so easy. It makes it more efficient and more secure.      
What are some of the problems you unearthed in your IT audits?         
There seems to be a lack of risk or security consciousness among people, especially in China. We often see employees sharing passwords in the accounting department. I have often seen companies whose employees are not aware of the need to back up [files] or create a security copy. If they do it, they do so only do it monthly or yearly. They are not aware that they need to do it daily.   
If you use a back-up system, this is an automated process, this works in the background. There is some additional time and cost in implementation, but the actual work [after that] is very minimal. Normally, the backup systems run overnight on a tape or on a second disk; somebody just has to take out the disk or the tape and bring it to another location.
The third top finding in China and actually also in Europe would be user authorisations in the IT system. Users are allowed to do too many transactions or have too many rights that are not related to their positions. For example, warehouse employees should not be allowed to make postings in the accounting department. Employees should be allowed to do only the transactions related to their work.
The CFO is always interested [in ensuring] that there is a proper segregation of duties. But user authorisation in IT systems is a very complex topic. You need a specialist to keep your user authorisations running, and this requires quite a lot of technical knowledge, which not many CFOs have. Therefore an IT audit provides a perfect method to help the CFO with this part.
Do you see increased efficiency after an IT audit?           
Yes. I can say for all clients, they are always very thankful if we give them recommendations to increase security and [enhance] the reliability and efficiency of systems. All apply most of our recommendations.
How much faster could the financial process become after the IT audit is performed?         
I think by 20%, 30%, because all the manual testing of controls could be reduced – that means sampling of 30 transactions in manual control testing can be reduced to only one, an acceleration for the auditors’ process. Later, after the audit, if the financial auditor can rely on an effective control environment, he can do less work.
If the CFO has a limited budget, can a few areas be implemented first and the rest of the recommendations later? 
Yes, this is a common practice. We always [grade our] recommendations [as] high-, medium-, and low-risk. The high- and medium-risk ones are implemented very fast. Sometimes this doesn’t involve too many costs. It may be a recommendation noting that an employee has a lot of authorisations in the system, and the recommendation is to check if this is really required. That can be done in ten minutes. But some things can be expensive to implement. For example, a back-up procedure takes some time.
How long does it take to complete an implementation?
When new systems have to be selected, tested, set up according to the client’s special requirements, this takes at least one year. It also depends on the complexity.
Automating some business processes, for instance the expense approval process as mentioned above – this would be when the company already has an IT system in place – also takes some time, because the whole process has to be redesigned. It also has to be set up in the system and has to be tested, and maybe an additional system has to be purchased.
Let me give you another example for implementation work: We have seen a company that uses different IT systems for logistics (including sales and purchasing) and accounting. . The logistics system generates client invoices and delivery documents, which have to be inputted into the accounting system. This has to be done manually, and manual work is always inefficient and error-prone. Our recommendation in this case would be to implement an interface – an automatic data transfer between these two systems. Something like this could take up to one year, and it also costs money, but there is a long term benefit, namely that the data is automatically transferred into the accounting system. 


During the implementation process, would you work quite closely with your clients through the process?   

I would say yes. However, we are not allowed to actually do the implementation. There is always the independence issue. We are available to give advice, and if our clients have questions they can always contact us. We can [go onsite] to do a review as a separate check. But what we are not allowed to do is actually doing the set-up of the system. We are the reviewer; we only assess the process. As auditors we have to be independent. If we helped them we would be auditing our own work and implementation.
How much would a typical implementation cost?
It’s very difficult to say. It depends on the size of the company: what systems they target in implementation. For example, for ERP systems, implementation costs could start from RMB 200,000 [HK$29,480], and there is no upper limit – RMB5 million, RMB10 million [US$736,960, US$1.5 million]. It depends on the system and the complexity, and the license cost and the consultancy cost – usually the big part is the consultancy cost for the consultants who implement the system.
For updating the system or for changing settings, there could be a moderate financial impact. If the company has the expertise in-house for setting up the system, or for changing the parameters, it can be very fast. But it strongly depends on the nature. On the other hand, the company should always have a look at the benefits – the improvement of processes, efficiency and also effectiveness, security and reliability of processes.          
How about the IT audit itself, how much would that cost?
It is also very difficult to say. From RMB 20,000 [US$29,480] upwards, but it depends on the scope and demands of the client, and the systems involved. This assumes a small- to medium-sized entity with a not-too-complex IT environment.  
Is an IT audit more common in certain companies and industries than in others?
It is most necessary for financial institutions – for banks, insurance companies. The second most common industry is manufacturing. Sometimes important customers would demand an IT audit or an internal control review in general, because they are interested that their suppliers have proper and reliable processes, as well as the confidentiality of data.   
This is very common in Germany, especially when companies process the data of their business partners. For instance, a customer could tell its supplier: “We would like to see a certificate of an effective control environment, because you process our confidential data.” So we [the IT auditor] would issue a control certificate.
In a big project in Germany, a company was doing document management for some banks, and this company got all the paper documents, scanned it, and converted them to electronic documents – filed them on an electronic database. There were bank contracts [between banks] and contracts with the banks’ customers. Therefore, the banks were very interested that the service company process these data confidentially and reliably, and demanded this kind of internal control certificate. We have written a report – with a conclusion, after reviewing the internal control systems and the IT environment, that it is reliable.   
The most common kind of certification for such service companies is called SAS (Statement on Auditing Standards) 70.

What advice can you give to CFOs regarding IT audits?

The challenge for the IT auditor is to write an IT audit report with findings and recommendations that are clear and understandable to the CFOs and the financial auditor. On the other hand, it must be concrete enough for the IT manager of the company to actually implement. This is something where a CFO can distinguish a good IT auditor from a bad IT auditor.The IT auditor must be able to formulate the findings and recommendations in a non-technical way that the CFO understands.         
Have a preliminary discussion with [the IT auditor] and ask some questions to see whether he or she has a strong understanding of financial audit of the finance and accounting side, of the business side, and also of the IT side. The other point is during the onsite work, especially at the end of it, we usually have a discussion with the client’s CFO or IT manager where we discuss our findings. This is another opportunity for the client to see the quality of the work.  

Suggested Articles

Some of you might have already been aware of the news that Questex—with the aim to focus on event business—will shut down permanently all media brands in Asia…

Some advice for transitioning into an advisory role

Global risks are intensifying but the collective will to tackle them appears to be lacking. Check out this report for areas of concern