Just like a wholesome meal keeps us going to meet the core objective of being alive, a wholesome audit ensures that the overarching goal of complete reassurance to the stakeholders is met.

Undeniably, just as a fabulous meal requires the perfect blend of spices and careful preparation, cooking, boiling, and grilling at just the right temperature, a successful audit depends on thoroughly covering the right areas and conducting the necessary checks with precision.

Variation and experimentation bring additional flavour and novel taste to standard dishes and a culinary kick to our palate. Looking at things differently in an audit keeps our grey cells tingling, and we experience a eureka or wow moment that adds value for our stakeholders.

Let’s examine how, in addition to examining processes, related risks, and consequent control expectations (existence or adequacy or effectiveness), the additional focus brings a different perspective.

Long ago, we used to make PowerPoint presentations with a file extension of “.ppt,” which metamorphosed into “People, Process, and Technology.” Now, the file extension is “.pptx,” so an additional ‘X’ Factor is involved.

People: While carrying out any audit, it is vital that throughout the audit tenure, but more so during the initial stages, we focus on the following:

• Organisation Structure: Understand the whole organisation structure to determine whether the reporting structure does not inadvertently lead to Segregation of Duties conflict, e.g. Inventory Verification or Reconciliation at Sub-Contractor Location being done by a team closely integrated with the Manufacturing Team. Similarly, one should comment upon the tenure of employees in a particular role (especially when it is vendor or B2B customer-facing) and the related risks.
• Key Performance Indicator (KPI)/Key Results Area (KRA):This is a crucial yet mostly ignored area. It is very critical to understand individuals’ and departmental KRA and KPI to evaluate whether they are aligned with each other. It also helps in understanding the risks impacting the objectives of the function. For example, in a logistics audit, we always look at load optimisation to see if the cost per delivery is optimised. However, if there is a business (say customer eyecare products) where delivery to the customer is a greater priority, in such cases, ensuring that the customer’s committed delivery timelines are met and related risks should be much more important than Cost per Delivery.
• Agency Roll Employees:How many critical activities are being performed by Agency Roll Employees, and what risks do they entail since they do not go through the rigorous background check, etc. The risk of shared or generic user IDs often compounds this risk. One could also see if these employees have their IDs to perform the activity. If not, there could be User ID sharing activity, compromising accountability and system integrity.

 

 

Process: This area is usually well covered in the audit, and the following nuances can be further considered:

• Accounting Linkages:Linking all operational and accounting records is critical. I have witnessed countless instances where the auditor has done a brilliant job of reviewing the Price Discovery Process during the Procurement audit, doing a detailed 3-way matching analysis, but overlooked to consider separate manual credit notes [can be traced only in the ledger] given to the Vendor, which unwarrantedly inflated the cost. Similarly, a detailed Billed vs. Shipped review in sales is not integrated with a review of Customer, Sales, and Inventory Ledgers to see if any other area impacts the overall accounting and related financial aspects.
• Trial Balance Scrutiny:This is a critical area that needs to link all the accounting ledgers impacted by operational activities and examine the Trial Balances (including movements and Debit and credit Entries) to identify pockets of process gaps or leakages.
• Controllership Role and Other 2^nd Line Activities:This is usually covered by chance instead of being incorporated as a focus check point. All activities performed by the Controllers Team as well as looking at IFC controls and Statutory Compliances should become an area to check at the time of performing audit procedures.

Technology:

The most glamorous yet grey area in our field of work. Here, we are talking about technology used by businesses in operations and not the use of technology in internal audits. Some aspects that should be included are:

• System Behaviour (beyond output): Looking at the output (like reports) without testing the functional specifications and configuration is passé. As an auditor, it is critical to perform multiple iterations in Quality Server during each audit, and then aberrations noted need to be tested under the Production Environment.
• Batch Uploads: All activities that happen as batch uploads or data flows from A system to B system need to be checked from all angles, and conventional checks like Hash Total, etc., should be applied diligently.
• Report Accuracy: The reports and logic behind them may be incorrect in several places, primarily where such reports are used as a monitoring control. For example, the average rate used could be erroneous during product conversions, impacting margin reports. Similarly, BOM vs. actual consumption may be miscalculated.

 

X-Factor: These take care of emerging risks and trends, such as:

• Social Media: Use Technology to crawl the web and understand where there are user/customer complaints, ratings, etc., and identify issues raised that may impact or be impacted by the audit area. For example, customer complaints about delayed deliveries can be a good insight while doing a logistics audit. Similarly, Pricing concerns may indicate potential issues in Schemes and Discounts or Quality processes.
• Audit Trail Requirements: Instead of doing a separate review, ascertain all areas where system logs are not available for all the activities carried out and whether this has impacted the Audit Trail log. For example, if the Sales Price Master changes log is not available, will it impact the audit trail requirement? This is a question that many Internal Auditors deliberate with Finance.
• BRSR Requirements: This area is generating a lot of waves, and instead of waiting for one specialist audit to cover this area fully, one should ascertain whether the area under audit is impacting/or impacted by the BRSR aspect. For e.g. if you are doing an audit of Retail Operations, which generates a lot of marketing material scrap – whether there are enough ways and means to capture the same for the BRSR reporting.

In the end I would like to conclude that by

• Adapting to an evolving ecosystem
• Understanding the emerging risks
• Demonstrating a comprehensive approach
• Integrating all the nuances
• Transitioning to newer technologies

We end up doing a wholesome Audit.

I would also like to submit that these are my humble thoughts. Most of you would already be doing a large part of the above and perhaps even more, and I shall be grateful to be enriched with your experience and practices.

The views articulated above are the author’s personal views only and should not be construed as the author’s current or past organisation’s views.

---

About the author:

Sivaram Subramoniam

Chief Internal Auditor, Titan Company Limited

ssivaram@titan.co.in

Sivaram Subramoniam, Head of Internal Audit at Titan Company Limited, brings 30 years of leadership in consulting and industry. Renowned for driving corporate governance, he excels in audits, compliance, and risk management, collaborating with diverse stakeholders. Sivaram’s expertise spans Indian and international organisations, and he leads large, multidisciplinary teams to deliver strategic results.