Internal Audit of Information Technology (IT) Organisation 

Background :

The top management of an Information Technology (IT) organisation, whose turnover is Rs.350 crores, plans to set up an internal audit function for the organisation. It has recently been listed on the stock exchange after a successful public issue. The organisation already has three semi-qualified accountants on its payroll, who are conducting transaction audit. The Managing Director in his earlier organisation had dealt with a professional firm specialising in internal audit and invites the partner-in-charge of internal audit for a preliminary discussion. During discussions it is agreed that the partner-in-charge will become the outsourced Chief Audit Executive (CAE) and two chartered accountants will be deputed on a continuous basis for conducting internal audit. Further, the partner-in-charge shall also monitor and manage the three semi-qualified accountants who are presently looking after the internal audit function.

The Managing Director is satisfied with the arrangement since the function is a combination of both — in-house and outsourced and ensures professional guidance and supervision.

The focus of internal audit will be :

• To review processes to make them efficient and effective (including cost reduction exercises).

• Help in laying down systems and procedures for all processes and also identifying risks and controls for key processes.

• Compliance with applicable policies laid down by the organisation and compliance with laws and regulations.

Methodology :

Based on the above background, the partner-in-charge of the firm had a meeting with his audit team to chalk out a plan to achieve the above objectives. Initially, there was some apprehension from the internal audit staff on company payroll about their future role, since they would be reporting to an outsourced departmental head (Chief Internal Auditor — partner-in-charge of Chartered Accountant firm). This was cleared with one-to-one meetings with all in-house staff and it was decided that for the first year, the performance appraisal would be jointly carried out by the Chief Internal Auditor and the Chief Financial Officer.

The methodology adopted was the following :

Continuous internal audit would be carried out with the five-member team being present on site throughout the year. Risk criteria for risk-based internal auditing was developed but it was kept on hold, since this was the first year and the team would take time to integrate with the organisation. It was decided to utilise this criteria from the second year.

Interviews were conducted with all functional heads in the company to take in inputs in terms of critical areas for internal auditing. On analysing the balance sheet, it was clear that billings and collections formed 95% of all income and the treasury operations contributing the balance 5%. Similarly, on the expense side, payroll was number one expenditure followed by travel and communications. Capital expenditure was another key cash outflow.

It was decided to review processes for contract review, billing and collection, treasury operations, payroll, capital expenditure projects and purchases, communication facilities and travel. Business continuity plans were also included in the annual internal audit plan. Similarly, it was decided to test the IT infrastructure using COBIT (Control Objectives of Information and related Technology) framework by ISACA (Information Systems Audit & Control Association).

In addition to above, the partner in charge also visited two/three internal audit departments of IT companies in India.

Gist of observations of few areas undertaken for internal audit :

Contract review :

• All contracts were not in place and available for review. Billing was being carried out on the basis of e-mails from project managers who were working on site in absence of contracts by the Accounts Department.

• Contracts were signed by Marketing personnel on site without being vetted by Legal and/or Finance Departments. It was a high risk to the company as the technical personnel may also sign contracts with unlimited liability or terms which were unacceptable. This could happen as there would always be pressure on marketing not to lose a contract to competition.

• Certain contracts were in foreign languages and their being on record was of no help as accounts staff could not be able to understand them for e.g.. Contracts in German language. English translations were not on record.

(It was recommended that a proper contract review system be put in place with all contracts being available in a single location. Also the contracts could be finalised only after vetting by Legal and Finance Departments to avoid any unlimited liability.)

Billing and Collections :

• Billing was delayed for certain projects as project managers did not send information on time. This led to delayed billings and delayed collections.

• Certain projects were not billed as the marketing carried out pilot projects to get the contracts. It was decided with customers that the pilot projects would be carried out for one month, but actually they were carried out for over six months without billings and without informing the CFO or MD.

• Based on billings, incentives were offered to marketing staff. These were offered in spite of billings not getting converted to collections and even in the event of bad debts.

• Collections were overdue from many customers and follow-up procedures were weak.

• There was no proper correlation between resources employed on jobs and billing. This process was weak.

(Recommendation — Appraisal system for project managers to also include data on timely execution, billing and collection. All pilot projects to be approved by MD only and in case of extension of any pilot project, was also to be approved by MD. In case any pilot project exceeds predetermined cost, it is to be also approved by MD. Incentives to marketing staff are to be linked to collections rather than billings. Proper follow-up procedures to be put in place for collections. Proper correlation to be made to ensure that billing was carried out for all resources used on the job.)

Payroll :

• Payroll was handled by in-house staff in Human Resources Department rather than Finance Department and there were excess payments to the tune of few lacs. This was due to improper control over personnel travelling and stationed on site who were earlier working in India.

• Cases observed where staff loans were not recovered.

• Cases observed where staff had left and full and final settlement did not take care of statutory and outstanding loans deductions.

(Recommendation — Payroll to be shifted to Finance Department and also proper tracking of on-site and offshore resources (staff) to ensure that payments were proper and no excess payment was made. Staff loans to be monitored properly for deductions to be made on timely basis. Full and final settlement to be strengthened to ensure that all deductions to be made before the full and final settlement was made out.)

Travel :

• Travel was outsourced to external travel agency which maintained a desk within the company, as there was considerable domestic and overseas travel due to large movement of resources (staff) to different countries and back. It was observed that the payments being made to the travel agency were not reconciled in terms of credit being received for cancellations.

• No discounts were negotiated for domestic travel from airlines like Jet Airways or Indian Airlines.

• There were no quotations received for overseas travel and only one quote received from the travel desk was accepted. This resulted in no competition and the travel vendor charged higher rates and did not pass any discounts which the agency would be entitled to.

(Recommendation — Reconciliation process to be set up to ensure that all payments to travel agency were against valid bookings made and also that credits were received for all cancellations. Discounts to be negotiated with domestic airlines for certain volume of travel to be undertaken in one year. One other vendor to be introduced and quotes to be received from two travel vendors for overseas travel to ensure that competitive rates were quoted by both and company to benefit from lower rates.)

Business Continuity Plans :

Review of Business Continuity Plans showed that it was more a statement of desire than a working plan. This could be highly risky for the company in IT business.

(Recommendation and Action Plan — A proper BCP to be made which should also be workable and institutionalised.

The internal audit team benchmarked and visited few organisations like other IT companies and travel companies to understand the BCP they had in place and how they had made the same.

Based on this, the internal audit department and Netadmin (IT) department of the IT company worked together to put together another document and also institutionalised the same. This was a workable BCP.

This was also appreciated by overseas customers who looked at this document and practices followed.)

Conclusion :

The departmental heads who were earlier sceptical of the role of internal audit were appreciative of the internal audit reviews carried out and also started making number of requests for internal auditing of all new processes including new computer applications. They also requested internal auditors for continuous assurance work including reviews of all processes from time to time. This led the Chief Internal Auditor to prioritise internal audit work based on availability of resources and also on the criticality of process.

The Managing Director appreciated the efforts of the internal audit team, because it led the internal auditing function to be integrated with the company operations of the entity and lead to business solutions.

Article by Deepjee Singhal, & Manish Pipalia, both are renowed Chartered Accountants