It’s amazing that in today’s age, with the amount of technology, security and surveillance in place, someone still thinks they can get away with fraud. It absolutely blows my mind. Nonetheless, it’s situations like this which keep us auditors in a job, and on our toes.
For background, a JetBlue gate attendant was using her position to upgrade flights for family and friends. You can read the full article here, but in short, it cost the airline an estimated US$785,000.
This whole situation amazes me, not because of how long it went on for or how much was lost, but rather because of how it wasn’t caught earlier. Which leads me to the three parts I want to discuss further:
The importance of good quality walkthroughs;
The need for auditors to do more around fraud; and
Why we should be performing more regular “mini” audits.
Before I jump too far in, it’s probably worth noting that each organisation is obviously different. Some organisations have great control frameworks supported by annual control attestation reporting and a robust SOX compliance programme, whereas others are quite lax or “developing” in their organisational controls programmes. Regardless of where your organisation sits on the scale of control maturity, the three parts which I will discuss can be applied at any organisation during any audit. Of course, the depth to which the audit team is willing to take each of these items depends on the risk appetite of the business.
The importance of good quality walkthroughs
I place a huge amount of emphasis on walkthroughs during every process audit. It’s one of the first items which should be completed during fieldwork and it sets you up for the rest of the audit.
It’s important to first obtain any process or policy documents. This is baked into the planning templates which I have developed here. Once we have fully understood the policy and process notes, we should have a solid understanding of what the process is, what controls are in place and what weaknesses may exist. This will help us have a good quality walkthrough with the actual business area.
When performing the walkthrough, it’s important to do it with the right level of team member. A team leader or manager, in my opinion, isn’t the best. For standard process work, they may be too disconnected and not in touch with the day to day operations. They may also know what you want to see, rather than doing the job as they would normally. Given this, sitting with a “normal” team member is always a good start. I find it best to simply sit and watch the person perform their tasks. We will do this a number of times: the first time simply so you can see what they are doing and so they can become comfortable. It can be daunting having someone sit next to you at your desk watching your every click, so by not asking questions every two seconds and interrupting them, the auditee can become more at ease and hopefully more open. By taking the back seat on the first run you can also note any inconsistencies between their actual process and what the process notes or policy state.
For the second round, we can begin to ask more questions and be more probing.
By the third round, we can now “break the system”. This is one major point I believe auditors fall down on. Too often we are reliant on just trusting what the auditee says, and whilst there needs to be a level of trust in the people who work for the business (after all, we wouldn’t have given them the job if we didn’t trust them), we need to see for ourselves that the control actually does what they have said it does. If the auditee says they can’t change the code, attempt to change it. If the auditee says they can’t raise and post a journal, try and do it. If the auditee says they can’t create a fake employee, try and create a fake employee. Never be afraid if it actually happens. That’s the purpose of the audit, and once you know the failure exists, you should have it immediately rectified (and whatever damage you have just caused reversed). Agree these attempts with the process owner beforehand and, where one exists, use a test environment, so that a successful attempt does not itself become an incident.
The second area we fall over during a walkthrough is that we don’t go far enough. Without knowing the full details of what happened at JetBlue, let’s assume that a walkthrough was only performed over the reporting and monitoring process for flight changes and upgrades. There may be great controls over the monitoring and reporting of flight upgrades, with oversight of who has the ability to make these changes, but without actually understanding how a flight upgrade is processed, can we rely solely on the reporting and monitoring process? In this instance, there could have been great value in performing a walkthrough with a gate agent, a call centre operator and other employees with this ability, just to understand what first line controls are in place to prevent fraud or incidents such as the one at JetBlue.
For me, there are two things which I love to do for every walkthrough to evidence my work:
Process Map – Creating a high level flow chart of the process can really help to ensure we have covered everything. On this process map, I like to reference my actual documented walkthrough.
Documented Walkthrough – For each point we have referenced on our process map above, we should have a documented process, complete with screenshots and copies of the items we have followed from start to end. I like to use the following acronym (HORNET) when performing a walkthrough:
H – How is the control performed.
O – Occurrence. How often is it performed (daily, weekly, monthly, etc).
R – Risk. What risks exist in the process and are there any mitigating controls?
N – Nature of the risks. What is the nature of the risks? Inherent Risk, Detection Risk, Control Risk? You can read about these risks here.
E – Experience of those performing the control
T – Technology. What technology and reporting exists in the process.
You can view our walkthrough templates here.
The need for auditors to do more around fraud
It’s been everywhere lately that auditors are potentially not doing enough to address fraud. I have previously written a post regarding fraud and whose responsibility it is to investigate and detect it. Whilst I firmly believe it is not audit’s role to detect fraud, nor should audit be actively looking for it, we should be doing enough to ensure that there are good controls and processes in place to prevent and detect fraud.
Too often, I believe auditors don’t question controls or processes enough in relation to fraud. This is something that can easily be done during the walkthrough phase. It’s important, as always, to document what we have performed and the results we have reached.
During fieldwork, however, when presented with large data sets, we should be able to interrogate the data to identify any inconsistencies or things out of the norm. Be sure to keep the original data set untouched (work on a copy, and record a hash of the original so you can show it was not altered) to ensure there are no integrity issues; the opportunities are often endless when “playing with the data”. Where possible, cross check data across sources.
In the case of JetBlue, a simple count of flight changes and upgrades by employee, location and route would quickly identify any outliers to be investigated, and matching each gate upgrade against the revenue system would show which upgrades were never paid for.
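The two checks above, as an added example that is not part of the original post or any JetBlue system: a per-employee, per-station and per-route count of upgrades with a robust outlier test, plus a cross-check of gate upgrades against a second (revenue) source, with a hash taken before and after to evidence that the extract was not altered. The employee IDs, stations, routes, PNRs and both data sets are constructed for the example; the outlier test is the modified z-score of Iglewicz and Hoaglin (median and MAD, threshold 3.5), chosen because a single fraudster’s volume cannot drag the baseline up the way a mean-and-standard-deviation check would.

```python
import hashlib
import json
import statistics
from collections import Counter


def _rows(emp, station, route, pnrs):
    return [{"emp": emp, "station": station, "route": route, "pnr": p} for p in pnrs]


# Constructed sample: one row per upgrade processed at the gate. Employee IDs,
# stations, routes and PNRs are hypothetical; E106 is seeded with a volume of
# upgrades far above its peers.
GATE_UPGRADES = (
    _rows("E101", "BOS", "BOS-LAX", ["P001", "P002", "P003"])
    + _rows("E102", "BOS", "BOS-SFO", ["P004", "P005", "P006", "P007"])
    + _rows("E103", "JFK", "JFK-LAX", ["P008", "P009", "P010"])
    + _rows("E104", "JFK", "JFK-MCO", ["P011", "P012", "P013", "P014"])
    + _rows("E105", "FLL", "FLL-JFK", ["P015", "P016"])
    + _rows("E106", "FLL", "FLL-JFK", [f"P{n:03d}" for n in range(17, 31)])
)

# Constructed second source: PNRs for which the revenue system holds an upgrade
# fee or an authorisation reference. P020-P028 deliberately have none.
REVENUE_PAID = {f"P{n:03d}" for n in range(1, 20)} | {"P029", "P030"}


def fingerprint(records):
    """SHA-256 over a canonical JSON serialisation of the extract.

    Record it when the extract is received and again after analysis; a
    matching value evidences that the data was not altered along the way.
    """
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def counts_by(records, field):
    """Number of upgrades per distinct value of `field` (emp, station, route)."""
    return dict(Counter(r[field] for r in records))


def robust_outliers(counts, threshold=3.5):
    """Flag keys whose count sits well above their peers.

    Modified z-score: deviation from the median scaled by the median absolute
    deviation (MAD). When MAD is zero, fall back to the mean absolute deviation
    as Iglewicz and Hoaglin recommend.
    """
    values = list(counts.values())
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    flagged = {}
    for key, v in counts.items():
        if mad > 0:
            score = 0.6745 * (v - med) / mad
        else:
            mean_ad = statistics.fmean(abs(x - med) for x in values)
            score = (v - med) / (1.253314 * mean_ad) if mean_ad > 0 else 0.0
        if score > threshold:
            flagged[key] = round(score, 2)
    return flagged


def unpaid_upgrades(gate_rows, paid_pnrs):
    """Cross-source check: gate upgrades with no matching revenue record."""
    return [r for r in gate_rows if r["pnr"] not in paid_pnrs]


def unpaid_by_employee(gate_rows, paid_pnrs):
    """Per employee: (upgrades with no revenue record, total upgrades)."""
    totals = Counter(r["emp"] for r in gate_rows)
    unpaid = Counter(r["emp"] for r in unpaid_upgrades(gate_rows, paid_pnrs))
    return {emp: (unpaid[emp], totals[emp]) for emp in totals}


def run_checks(gate_rows=GATE_UPGRADES, paid_pnrs=REVENUE_PAID):
    """Run the volume and cross-source checks and return the findings."""
    before = fingerprint(gate_rows)
    findings = {
        field: robust_outliers(counts_by(gate_rows, field))
        for field in ("emp", "station", "route")
    }
    findings["unpaid"] = unpaid_by_employee(gate_rows, paid_pnrs)
    findings["extract_unchanged"] = fingerprint(gate_rows) == before
    return findings


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

On this constructed data the station totals flag nothing (FLL is busier, but not by enough), the per-employee and per-route counts both single out E106 on FLL-JFK, and the cross-check shows that nine of that employee’s fourteen upgrades have no revenue record. That is the point of combining the two checks: a volume outlier alone may be a busy but honest agent, whereas an upgrade with nothing behind it in the second system is a direct lead.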
Why we should be performing more regular “mini” audits
My “mini” audits are something which I believe can really help an organisation where controls and risk management are quite poor. Audit teams often have limited time and resources, and therefore it is not possible for us to gain coverage across an entire organisation each year; hence why we have risk based audit plans. However, mini audits allow us to keep on top of high risk areas until our next scheduled deep dive / end to end audit.
Care needs to be taken to ensure we are not crossing from third line to first line of defence; however, if an organisation does not have good controls, or the implementation of controls is slow, having internal audit perform a desktop “mini” audit can help management gain some level of comfort that there are no “hidden bombs”.
A “mini” audit over this topic may not have identified this issue; however, a simple check that management is actively reviewing flight upgrade reports, or alternatively the audit team performing data analytics to identify outliers or strange trends, may have prevented it. The deliverable would be a one page unrated audit report sent to the business area and relevant management with a range of questions for the business area to address. Unlike a standard audit report, where findings are agreed with the business area, this “mini” audit would simply identify potential issues and note that these have not been verified with management and that management has been requested to validate or refute the identified issues. Management would then be tasked with providing a response to each of the items within 2 weeks, and their response noted with action taken accordingly by the audit team (if necessary).
The purpose of these “mini” audits is not to give absolute assurance but, as mentioned earlier, to help reduce the risk of any surprises. They can also be used as an educational tool, particularly in organisations where there are limited or no controls, as they can help the business area think about risk and controls.
I will be providing a post at a later date regarding my “mini” audit concept.
The incident at JetBlue is a timely reminder as to why we, as auditors, need to ensure that we remain diligent and perform all our work thoroughly. It’s also a reminder for us to really question our audit plans and audit universe to ensure we are appropriately considering and responding to all the risks within our businesses.
Of course, these are only some of my opinions on ways in which audit can address or prevent these situations occurring. There are many things which we can (and probably should) be doing during each audit.