Solving Internal Control Weaknesses: Expert Analysis of NZ Audit Data

Internal control weaknesses in New Zealand have reached worrying levels. Non-compliant audit files jumped from 26% to 36% in recent reviews. Organizations must now tackle the root problems in their control environments.

Internal control weaknesses create gaps in systems that should ensure reliable financial reporting and streamline processes. Regular assessments “examine, assess, grade, and report on the environment, systems, and controls”, yet problems remain systemic. The Auditor-General’s findings revealed serious flaws in ICT controls at former District Health Boards. They specifically pointed out the “lack of appropriate monitoring processes for privileged accounts”. These findings show how complete audits can uncover internal control weaknesses. Management override risks stand out among common control weaknesses. They need careful identification of “higher risk journal entries” to assess their appropriateness. A clear understanding of control weakness types helps organizations build stronger preventive measures.

We’ll look at recent New Zealand audit data, highlight the most important weaknesses found, and share expert tips to boost your internal control environment.

Audit Trends in Internal Control Weaknesses (2024 NZ Data)

New Zealand’s recent audit data shows troubling patterns in how organizations handle their internal controls. The Financial Markets Authority’s (FMA) latest audit quality reviews reveal major changes in compliance trends throughout 2024.

Increase in Non-Compliant Audit Files (36% in 2024)

The number of non-compliant audit files rose from 26% last year to 36% in 2024. This troubling increase happened even though auditors found the same number of non-compliant files (five) in both years. A smaller review sample caused this difference – just 14 files compared to 19 in the previous cycle. Four out of these five problematic files had mostly satisfactory procedures with just one deficient area.

Common Weaknesses in Financial Reporting Controls

New Zealand organizations face several ongoing weaknesses in their financial reporting controls:

• Related party transactions: Organizations lack resilient infrastructure to identify, review, and properly disclose related party transactions. These transactions create a higher risk of material misstatements.
• Unreliable underlying data: Auditors don’t get enough evidence for key data inputs when they perform analytical procedures or rely on expert reports like valuations.
• Management override risks: Performance-based variable components in management pay systems need better safeguards.

These problems affect simple audit areas that aren’t complex, which shows these issues are systemic.

Audit Focus Areas: Bank Audits and PES 3 Implementation

The FMA prioritizes two main areas in their recent reviews. Large bank audit files need more resources due to their size and complexity. Auditors must also apply Professional and Ethical Standard 3 (PES 3), which sets requirements for firms’ quality management systems.

All reviewed firms successfully switched to suitable quality management frameworks. However, the FMA noted that “further enhancements are necessary to ensure their operational effectiveness”. Better auditor reporting remains crucial, especially about audit reports that truly reflect identified risks and completed work.

Types of Internal Control Weaknesses Identified in NZ Audits

New Zealand audit files show four major internal control problems that auditors keep flagging. These gaps hurt the quality of financial reporting and open doors to mistakes or fraud.

Inadequate Risk Assessment Procedures

Auditors often point out flaws in how organizations spot and evaluate risks. Professional standards say risk assessment procedures should include asking management questions, doing analytical work, and watching/inspecting operations. All the same, many companies don’t properly document these steps, which makes it impossible to check if they dealt with risks properly. Companies also don’t deal very well with figuring out which risks need special audit attention.

Weaknesses in Related Party Transaction Disclosures

Companies must set up internal controls to identify all related parties and their dealings. But audit reviews reveal that companies often lack:

• Ways to spot and track related party relationships
• Proper approval steps for related party transactions
• Regular conflict of interest statements from staff

The Financial Markets Authority made it clear that “auditors did not always get enough evidence to verify the accuracy and completeness of related party disclosures in financial statements”.

Unreliable Underlying Data in Analytical Procedures

Data quality issues create another big problem when teams run analytical procedures. Auditors sometimes trust automated reports from client systems too much. They don’t test general IT controls or check how these reports came together. This becomes a real issue when analytical procedures are the only test for important account balances without extra controls testing or detailed checks.

Lack of Documentation for Management Override Controls

The most worrying issue might be weak controls against management override – a problem that shows up in many audit files. Managers can change accounting records because they know how to bypass otherwise good controls. This risk gets bigger with bonus-based pay structures that might push people toward fraud. The FMA stressed that “auditors should improve their documentation on how they assess and respond to these risks”.

A reliable financial reporting system starts with spotting these internal control weaknesses.

Evaluating Systems of Quality Management in Audit Firms

The Financial Markets Authority now looks beyond individual audits to get into audit firms’ Systems of Quality Management (SQM). All registered audit firms have undergone quality management framework reviews since Professional and Ethical Standard 3 (PES 3) took effect on December 15, 2022.

Governance and Leadership Gaps in SQM

Audit firms have assigned ultimate SQM responsibility to specific persons or governance bodies. Yet problems are systemic. FMA reviews revealed that some firms lack proper ways to evaluate how well their leaders manage quality during annual performance reviews. This creates a critical gap because leadership’s approach shapes the organization’s quality management environment.

Monitoring and Remediation Process Deficiencies

The firms’ monitoring processes revealed major problems. One audit firm failed to implement a strong monitoring and remediation process across its entire SQM. This undermined the conclusion made by the person with ultimate responsibility. The monitoring teams could not access vital information like partner risk ratings to evaluate control effectiveness. Reports that highlighted control variances needing attention showed no evidence of follow-up actions.

Reliance on Network Controls Without Local Validation

Many registered audit firms are part of international networks and use network resources in their SQM. Notwithstanding that, this approach has risks. Two firms could not prove their networks’ control operations and monitoring worked effectively. These firms talked regularly with their networks about monitoring activities but lacked enough evidence from global or regional networks to confirm controls addressed local risks.

Expert Recommendations for Strengthening Internal Controls

Treasury guidance states that organizations need evidence-based approaches to fix internal control weaknesses. Professional assessments reveal four areas that need improvement.

Documenting Control Operations with Evidence

Internal controls need proper documentation with supporting evidence. Treasury expresses that “review and follow-up activities were actually performed”. Auditors don’t recognize controls without proper documentation. A standardized format for documentation and complete records of control activities are the foundations for reliable audit trails.

Improving Fraud Risk Assessment Linked to Variable Remuneration

The “three lines of defense” model is a great way to get insights into fraud risk management. Organizations should make their risk identification stronger, improve their oversight functions, and add independent reviews. Variable remuneration can create fraud incentives, so strong countermeasures need to target these risks.

Enhancing Oversight of Shared Services and Oracle Systems

Shared service centers bring unique control challenges that need special governance. Oracle systems suggest creating clear “relationships between business units” while ensuring “appropriate intercompany accounting“. The benefits include fewer control points, united processes, and reduced error risks.

Director Engagement in Reviewing Control Effectiveness

Board members should take an active role in control oversight. Their core responsibilities include providing “insight, foresight and oversight on mission-critical issues“. Therefore, a documented engagement model creates a “clear North Star” for governance.

Conclusion

New Zealand organizations show troubling patterns in their internal controls that need immediate action. Our analysis shows non-compliant audit files have jumped to 36% in 2024. While this affects the same number of files as before, the percentage tells us something’s wrong. These numbers clearly point to the need for better control systems in these organizations.

The audit findings reveal four key problems that keep coming up. Risk assessment procedures fall short. Companies don’t properly disclose related party transactions. The data behind analytical procedures isn’t reliable. There’s not enough documentation for management override controls. These problems show up in simple audit areas rather than complex ones. Basic control problems continue to persist despite regular checks.

Quality management systems in audit firms have gaps that worry us. We see issues with governance, leadership, how they monitor things, and their network control checks. This isn’t about one-off problems – the FMA points out that the whole system needs work to function better.

We need to make these improvements right away. Companies must document everything properly with solid evidence. They should get better at assessing fraud risks, especially when dealing with variable pay. Better oversight of shared services and Oracle systems would cut down many control risks. Company directors need to step up their involvement in checking how well controls work.

Strong internal controls mean more than just following rules – they protect an organization’s financial health and reputation. New Zealand organizations must act now. They should put these expert suggestions to work and keep checking their control systems regularly. Making these fixes should be a top priority for any organization that wants reliable financial reporting and operations.

FAQs

Q1. What are the main internal control weaknesses identified in New Zealand audits?

The main weaknesses include inadequate risk assessment procedures, poor related party transaction disclosures, unreliable data in analytical procedures, and insufficient documentation for management override controls.

Q2. How has the compliance rate for audit files changed in New Zealand recently?

The percentage of non-compliant audit files increased from 26% to 36% in 2024, despite reviewing fewer files overall. This indicates a concerning trend in audit quality.

Q3. What are some expert recommendations for strengthening internal controls?

Experts recommend thoroughly documenting control operations with evidence, improving fraud risk assessment (especially for variable remuneration), enhancing oversight of shared services and systems, and increasing director engagement in reviewing control effectiveness.