Department of Internal Audit and Compliance

How to Conduct a Quick Self-Audit

1. Identify the three to five key business objectives of your functional area. In other words, what do you come in to work to do every day? Let's use the accounts payable functional area as an example, since most people understand how bills get paid. The key business objectives in accounts payable might include:

Business Objectives:

·   Cash disbursements are accurately and completely made and recorded on a timely basis

·   Accounts payable records and cash disbursements are safeguarded

·   Costs are reduced as much as possible

·   Management develops strategic business alliances with suppliers

·   Accounts payable and cash disbursements are properly authorized

2. For each of the key business objectives you identified, identify three to five risks to achieving these objectives. In other words, what is the probability that an event or action may adversely affect the organization or activity, and what is the impact to the University? Using the first business objective above as an example, the following are some relevant risks:

Business Objective:  Cash disbursements are accurately and completely made and recorded on a timely basis 

Risks:

·   Payments may be made to the wrong vendors or for the wrong amounts

·   Cash disbursements may be miscoded, resulting in misstated assets and expenses

·   Cash disbursements may not be made within management's required timeframe to take advantage of discounts or terms agreed upon with suppliers

·   Valid cash disbursements may not be recorded in the accounts payable subsidiary ledger or in the general ledger

·   Inputs for preparation of journal entries and cash disbursement records may be inaccurate 

3. For each of the business risks you identified, identify one or more controls in place that reduce the likelihood of the risk occurring. In other words, what actions are taken by the functional area to enhance the likelihood that established objectives and goals will be achieved? Remember that management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. Thus, control is the result of proper planning, organizing, and directing by management.

   Again, using the accounts payable example above, the following are some controls that may be in place to address the first risk above:

Business Objective:  Cash disbursements are accurately and completely made and recorded on a timely basis 

Risk:  Payments may be made to the wrong vendors or for the wrong amounts

Controls:

·   All cash disbursements are required to be made on sequential and pre-numbered checks and promissory notes.

·   Individuals who sign checks are required to be different than those who approve the related invoices

·   Checks, once paid, are compared by amount, date, and payee, either individually or together

·   Daily management reports are generated from computer systems to illustrate anticipated cash disbursements by date 

4. At this point, a judgment needs to be made. Are the controls you identified sufficient to reduce the risk to an acceptable level? If yes, you may choose to test a small sample of transactions to be comfortable that the controls you believe are in place are operating as you intend. If no, you may choose to add additional controls.

5. Based on the results of your judgment, you may choose to implement corrective action plans, should your control testing fail or should you determine that insufficient controls are in place to manage risk to acceptable levels. Your action plans may consist of reminding employees of existing policies and procedures and directing them that they must be followed. In other cases, new controls may need to be implemented.

   Continuing with the accounts payable example above, management may come to the conclusion that controls within the accounts payable computer system are weak. As a result, management may choose to implement an action plan such as:

·   Ensuring the computer system will automatically post the appropriate accounting entry to reflect payments in the accounts payable records. 

6. It is always a prudent business practice to follow up on the status of any corrective actions implemented and test recent transactions to ensure that all controls are operating as intended.

There! That wasn't so bad, was it? Remember that you are ultimately responsible for the quality of controls in your functional area – but don't feel that you have to "go it alone". Please feel free to reach out to the Internal Audit Department to help develop self-audit procedures or to conduct a full, independent audit. That's why we're here.


Last Updated: 1/3/23