Who opens the mail?

Author: Hibbard, Kimberly

The internal audit profession often falls into the trap of using canned control checklists and segregation of duties charts that, while sufficient in some cases, do not address seemingly minor control issues. In the age of risk-based auditing, some might argue that lack of materiality might outweigh the time involved in auditing low-level risk areas. But when left unchecked, "minor" issues can sometimes lead to major fraud. Several hypothetical examples help illustrate the consequences of overlooking such issues and show that, in some instances, auditors miss them by failing to ask the right questions.


Take, for instance, an employee tasked with opening the organization's incoming mail--a low-level responsibility that in some instances might carry negligible risk. If the same employee were also responsible for coding and approving invoices, however, that risk is compounded significantly. This combination of responsibilities would allow the employee to process personal expenses using existing vendors.

Risks associated with another relatively menial task, delivering deposits to the bank, might also be underestimated during audits. In particular, inexperienced auditors may neglect to pose the right questions during reviews that encompass this task. If the auditors merely ask, "Who handles deposits?" for example, they could miss key details pertaining to the deposit process. They could potentially overlook how long the deposit money remains in the office, whether it's stored in a secured place, and other factors that would indicate vulnerability to theft or fraud.

Finally, some audits fail to consider the full scope of client staff members' responsibilities, particularly if those responsibilities seem mundane or trivial. If someone's job consists of...

