It starts with an audit finding:
Assume for this article that you’re a new compliance, AML, or fraud officer who joined the company about three months ago. When you joined, you were informed of an audit finding from a year ago about the need to enhance procedures for issuing internal reports, meaning the monthly and quarterly reports your area sends to various committees or even the Board.
Fair enough, you say. You gain an understanding of the reports your area issues along with who produces them, what system is used, and when they are due. Over the past three months you’ve ensured that the reports are sent to the committee liaisons on time, and you haven’t missed a beat. You’re actually looking forward to the next audit with enthusiasm.
What the auditors really wanted:
Fast forward to mid-audit when the enthusiasm has waned. Although the auditors weren’t clear in the prior audit, they had specific expectations regarding internal reporting, and your written procedures and current practices didn’t hit the mark. Note that the expectations are sometimes unwritten. If you have doubts about the expectations, ask questions.
Below is what the auditors were expecting regarding the issuance of internal reports:
- Address cross-training in the process. Typically, there is one key person who creates the monthly and quarterly reports and has been doing it for years. Who is this person’s backup, and when was the last time this backup person created the reports, start-to-finish, for a particular period?
- Address the completeness and accuracy of information received from other departments or other systems that your department uses (in full or in part) to create your reports.
- Address desk procedures for how each internal report is created. What are the inputs and where do they come from? What parameters are chosen when running systems reports?
- Address the reconciliation of the many reports the department submits. (Nothing is worse than submitting conflicting information on two separate reports.)
- Address trends or anomalies and be proactive with explaining them in reports. Ensure that desk procedures are written for this.
- Address proofreading, QC, and general “is it complete and accurate” issues that go beyond spot-checking the reports.
- Address “Excel risk.” How frequently are formulas, pivot tables, VLOOKUPs, and other Excel features tested in any Excel reports that are issued, and who does the testing? Moreover, do procedures specify that spreadsheets need to be cell-protected, edit-protected, and even access-protected? Where are they stored and who can access them?
- Address the need to come out of the weeds and perform “reasonableness checks” on the reports you issue. You’ll want to be sure the report presents useful information produced through a sensible process.
- Be sure to have an inventory of reports that you issue, the frequency, and who receives the report. You’ll want to make this inventory foolproof, so include as many descriptive columns of information as you can in this inventory and be sure to include a screenshot of the first page if you can. Seeing is believing.
- Address the transfer of information between reports. When you transfer that information manually from one report to your final report, how is that controlled? Address this in a procedure.
The consequences of poor procedures:
Errors in reporting can cost the leadership of your area credibility. Executive management and the Board could lose confidence in the information you are reporting, and auditors and examiners could scrutinize your reports heavily. Most importantly, if auditors or examiners find incorrect reports that feed risk ratings, then the risk ratings will be called into question, too. Finally, the errors could lead to a repeat finding, assuring another cycle of close review of this subject.
Be proactive and get in front of these risks with enhancements to written procedures surrounding the creation of your monthly and quarterly reports. Auditors and examiners are happiest when there are written procedures, but be careful to follow those procedures once they are written.