
Irreconcilable differences: an insurance rep receives undeserved credit, and auditors find clerical workers asleep at the wheel - Roundtable

Internal Auditor, August, 2002 by J. Mike Jacka

ACCOUNT REPRESENTATIVES AT a corporate health-insurance company were responsible for reconciling monthly premium invoices against actual payments received from client firms. One representative found herself with a three-month backlog, and management began pressuring her to update the lagging account. After repeated prompting, she reported that the account was current. Her manager confirmed the account's status by noting that outstanding payments no longer appeared on his aging report. He awarded a bonus to the representative for her excellent work.

The account eventually changed hands, and the new representative immediately reported some disturbing news. She discovered that the account was not current, that it had not been reconciled for several months, and that several million dollars in premiums was missing.

When confronted, the previous representative admitted that the outstanding payments had been applied to an invoice for a different account - one that had been cancelled four years earlier. Internal auditing was called in to determine how this occurred.

During their review, the auditors learned that the company held premium payments in suspense before applying them to a specific account. Management monitored suspense payments to ensure they were applied to the correct account within 48 hours. Separate members of management investigated any unidentified suspense payments and outstanding balances more than 30 days old. Although these controls appeared to be effective, the auditors decided to dig deeper in light of the problems found with the account in question.

After further investigation, the auditors discovered that the aging report listed only current accounts and those cancelled within the previous year. The outstanding payments made by the former representative, therefore, escaped detection because they resided on a closed account and were applied toward an invoice that had been reconciled several years earlier.

After the auditors reported their findings, management terminated the account representative. Other representatives later reconciled her accounts independently, and the aging reports were reprogrammed to include all accounts with payment applied but not reconciled.
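The scoping gap described above, as an added illustration that is not part of the original article: the same constructed payment records are run through the aging report's original scope (current accounts and those cancelled within the previous year) and through the reprogrammed scope (every payment applied but not reconciled). Account IDs, dates, amounts and function names are assumptions made up for the sketch.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Account:
    account_id: str
    cancelled_on: Optional[date]  # None means the account is current


@dataclass
class Payment:
    payment_id: str
    account_id: str   # account the payment was applied to
    amount: int
    reconciled: bool  # has the applied payment been reconciled?


def original_aging_report(accounts: List[Account], payments: List[Payment],
                          today: date) -> List[str]:
    """Original scope: current accounts plus those cancelled in the past year."""
    cutoff = today - timedelta(days=365)
    in_scope = {a.account_id for a in accounts
                if a.cancelled_on is None or a.cancelled_on >= cutoff}
    return [p.payment_id for p in payments
            if not p.reconciled and p.account_id in in_scope]


def reprogrammed_aging_report(payments: List[Payment]) -> List[str]:
    """Reprogrammed scope: any payment applied but not reconciled, on any account."""
    return [p.payment_id for p in payments if not p.reconciled]


def scope_gap(accounts: List[Account], payments: List[Payment],
              today: date) -> List[str]:
    """Unreconciled payments the original report could never surface."""
    seen = set(original_aging_report(accounts, payments, today))
    return [pid for pid in reprogrammed_aging_report(payments) if pid not in seen]


# Constructed sample data (not from the article).
TODAY = date(2002, 8, 1)
ACCOUNTS = [Account("ACTIVE-001", None),
            Account("CANC-RECENT", date(2002, 2, 15)),
            Account("CANC-OLD", date(1998, 6, 30))]   # cancelled four years ago
PAYMENTS = [Payment("P1", "ACTIVE-001", 120_000, False),
            Payment("P2", "ACTIVE-001", 95_000, True),
            Payment("P3", "CANC-RECENT", 40_000, False),
            Payment("P4", "CANC-OLD", 2_500_000, False)]  # misapplied payment
```

Here `scope_gap(ACCOUNTS, PAYMENTS, TODAY)` returns only the payment parked on the long-cancelled account, the one item the manager's report could not show him.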

Fortunately, the employee's only financial gain was her undeserved bonus. Management learned a valuable lesson from this experience - the pressure of falling behind can cause some employees to seek out cracks in the company's control structure.

PHOENIX CHAPTER

SYSTEM CONTROLS REVISITED

While evaluating several Web-based utilities under his control, an e-business manager - who had previously been an internal auditor - discovered that one of the company's vendors could not support the password requirements of the current control structure. As a result, most users shared passwords.

After carefully examining the exposure that resulted from this control limitation, the manager concluded that the level of risk was acceptable. He learned that the vendor could not support any other password structure and decided that the functionality of the system was more important than the associated risk. Upper management concurred, and the password system continued to work without incident.

One year later, internal auditors performed a review of the system. They noted the password issue and discussed it with the manager, who explained his findings from the previous year. The auditors accepted this explanation, but decided to review the situation in greater depth.

Since the manager's review, the company had undergone a number of changes, many of which severely impacted the manager's original recommendations. Exposures had increased over the past year, and the auditors determined that the level of risk was no longer acceptable. In addition, the vendor had improved its capabilities and was now able to provide the individual passwords necessary for best controls.

The auditors shared their findings with the manager. As a former auditor, he understood how control structures helped to mitigate risk. However, he had become so immersed in the details of his day-to-day job that he neglected to monitor the system controls. He appreciated internal auditing's assistance and was reminded of the value of an objective, independent review.

SAN FERNANDO CHAPTER

PAYROLL CRISIS AVERTED

Internal auditors were assigned to test the validity of social security numbers in their organization's payroll file. The testing program included a routine to determine whether or not the numbers were issued after each employee's date of birth. Although the results showed that only about 1 percent of payroll records contained errors, the potential security implications and financial impact exceeded expectations.

The test revealed that a resident alien on the organization's payroll had social-security-number and birth-date errors stemming from inaccurate immigration documentation maintained by the hiring department. Another employee, test results showed, was a minor who had a falsified social-security number issued decades before his birth. A number of birth-date errors and omissions raised questions about several of the organization's policies and procedures, as well as internal controls in the payroll system.


Content provided in partnership with Thompson Gale