Internal auditing has long since taken the step from a purely controlling body to a management instrument for top management. The tasks and topics that internal auditing handles today are more varied and multi-faceted than ever before. In part this is because internal auditing can inspect and improve almost all operational processes and control systems, including information technology (IT), the risk management system (RMS) and the compliance management system (CMS) of the organisation. It also plays a decisive role in avoiding liability and in the exculpation of the board and the supervisory bodies.
We support you in this either within a co-sourcing / partnering or by outsourcing the entire auditing function at your company. Our specialists offer comprehensive business, technical and IT expertise. The interdisciplinary cooperation of auditors, engineers, Certified Internal Auditors (CIA) and Certified Information System Auditors (CISA) as well as tax consultants allows the intensive and neutral assessment of your organisation and the audited sub-sections and ensures an efficient auditing process.
The close interconnection of all business areas with IT, and the rapid development in the sector of Industrie 4.0 through the interlinking of customers and suppliers, leave your company highly vulnerable to external attacks and to system outages. Typical consequences of undiscovered IT risks are the loss of intangible assets, increased liability (for example in the event of violations of the data protection regulations), financial penalties and substantial loss of reputation with customers because of the infringement of contractual agreements. Weak points in your IT security architecture allow internal and external actors to attack your company and to steal or damage data. Missing internal regulations and processes can lead to errors, fraudulent acts and embezzlement.
Mastering the permanently increasing IT and cyber risks places the highest demands on your organisation. Transparency about the risks in IT systems and projects is the prerequisite for effective IT risk management. Use our audits to get an overview of the performance, security and compliance situation in your company's IT. Comprehensive IT auditing can make a valuable contribution to this.
Many recent company crises underline the importance of effective risk management. The 'tone at the top' is decisive. The board and the supervisory board are the protagonists and are responsible for ensuring that management and the responsible offices stand for a positive attitude towards risk management and for transparent company processes and their monitoring. The core question is whether the existing risk management satisfies your increased requirements and is also robust enough to withstand the many challenges of globalised markets and the regulatory environment. Are you familiar with all the important strategic and operational risks, including the risk of overlooking business opportunities? Does your company reporting deliver detailed and reliable information for the assessment of your risks?
We support you in the development of your systems in accordance with recognised standards and to supplement them in such a way that your company can have the correct risk control method for all important business risks and can effectively tackle increasing liability risks for boards and supervisory boards.
The courts, public authorities, legal and economic scholarship and all relevant stakeholders see compliance management as one of the fundamental tasks of company management. This is another reason why larger medium-sized organisations are increasingly aware of the necessity of systematic compliance management. Somewhat exaggerated, the question poses itself: "How much compliance can I afford, or how much non-compliance can I afford?"
Plannable costs and the use of experienced specialists favour targeted external support in the introduction and auditing of your compliance management system (CMS). The advantages of a CMS are obvious, because you control and monitor your compliance-related risks in a documented and professional manner. We make a significant contribution to making your company more secure, protecting your material and intangible assets and avoiding liability risks. Our services range from the initial identification of fraud and compliance risks through the design and implementation of overall compliance management systems to the auditing of any system that might already be established.
The consultancy and audit approach of Mauer Unternehmensberatung GmbH Wirtschaftsprüfungsgesellschaft Steuerberatungsgesellschaft is oriented towards the requirements of larger medium-sized, internationalised companies and groups. In this work we advise boards, managing directors and their managers, particularly in the areas of legal, IT and accounting, supervisory boards, administrative boards and advisory boards as well as compliance officers and risk managers.
A larger medium-sized group with approximately 140 million Euros turnover and approximately 1,000 employees appointed us, first to take a full inventory of the existing compliance risks and regulations in the group and to evaluate them. On the basis of this work a package of findings and measures was then to be defined, allowing the introduction of a systematic compliance management system in accordance with ISO 19600. The objective was to integrate the CMS, once implemented, into the already existing risk management of the group.
The first step was to create the prerequisites for the introduction of a systematic compliance management system. This necessitated interviews and workshops with all relevant departments and functions within the group. The stock-taking of risks and of the necessary internal regulations and laws resulted in a risk matrix for each of the company departments/functions, on the basis of which the identified compliance risks could be valued and measures defined to control them.
Subsequently a comprehensive package was defined in order to introduce the monitoring and control functions needed to improve risk control for the compliance risks. We also developed and coached an independent internal audit function for the group for this purpose. Comprehensive software-supported training sessions were carried out for the employees. A survey and the formulation of a compliance culture, based on the tone at the top set by the board and the supervisory board, were also included.
- This resulted in a comprehensive risk matrix with documented net risks that could be integrated into the existing risk management system.
- Comprehensive organisational regulations on de-central and central control of the compliance risks at home and abroad were defined and responsibilities allocated.
- Reporting cycles were defined: Risk-oriented auditing emphasis was agreed for monitoring and to improve the CMS together with the newly installed audit.
- The preliminary work also resulted in corresponding improvements and the development of an internal control system. Particular attention was paid to improvement of the IT-based controls.
- Formulation of comprehensive guidelines and internal regulations, primarily the Code of Ethics, Code of Conduct, anti-corruption guidelines, acquisition guidelines, definition of comprehensive representation and management regulations and responsibilities.
A larger medium-sized group with approximately 250 million Euros turnover and almost 1600 employees, highly globalised with production and distribution branches in China, India, Brazil, the USA and some eastern European countries as well as a complex structure of holdings including Switzerland commissioned us, together with a new legal function within the group, to carry out a thorough survey and investigation according to DIW PS 960 of the newly developed and formalised compliance management system.
We produced and documented a comprehensive evaluation of the processes and structures in the group with regard to the systematic collection and monitoring of all risks and regulations, instruments to monitor and control compliance risks, training and reporting measures and the presence of a compliance culture.
- The result of our analysis, based on workshops and interviews and on a comprehensive evaluation of all the documents provided to us and generally accessible information, was that we were able to report in detail on blank areas of the ‘map’ so that these can now be processed in a structured manner.
- The most important result was the commitment of the board to look into the topic of compliance in a structured and thorough manner through the comprehensive evaluation and recording of relationships with suppliers and clients, including the use of IT-based processes, with anomalies being investigated. This includes all the important clients and suppliers, at home and abroad. This foundation should then provide a higher level of security for further relationships with these stakeholders, particularly by ensuring comprehensive observation of the anti-corruption guidelines of the group. In conjunction with this, (direct) liability risks at home and abroad should also be minimised.
- Increased attention towards anti-corruption regulations and observation of the national regulations in the most important countries where the group is active (e.g. Brazil, China and the UK).
- Another result of our commission was the rapid creation and development of IT compliance and tax compliance within the group.
Internal auditing (outsourcing) at a large maximum-care hospital (9,000 employees and a turnover of approx. 500 million) in the sectors MDK (medical services of the health funds), international business, purchasing and acquisition, as part of an audit plan over several years.
As part of an audit plan over several years we carried out a critical analysis of the above sectors, concentrating on certain main points, and investigated potential improvements. The background to this audit plan was a risk-oriented observation of important operational functions in the hospital. The extremely high ‘bow wave’ of the MDK cases that were still open was the reason to investigate this sector intensely and critically and to generate a corresponding package of measures that could be implemented right away. These measures made it possible to realise seven-digit sums with ‘quick wins’ in order to rapidly improve the liquidity of the hospital. At the same time stable processes were established at the hospital to ensure professional relations with the MDK and the different health funds in the future.
In the procurement sector substantial deficits were discovered in risk-oriented issues with regard to procurement and investment processes for medical technology, all against the backdrop of unclear responsibilities and weak documentation. There were also no anti-corruption regulations, which made it possible for manufacturers to initiate investment processes in a relatively aggressive manner and to bypass the basic principles of an internal control system (dual control principle, separation of functions).
In the area of foreign business, weak processes were also discovered in accounting and in the monitoring of the management processes for external service providers.
- Significant reduction of MDK cases.
- Rapid improvement of liquidity through structured and professional negotiations with the MDK and the health funds.
- Formulation of comprehensive procurement and anti-corruption guidelines.
- Transparent procurement and investment processes that were developed in cooperation with the management and the corresponding specialist departments.
- Comprehensive reorganisation of the administration of foreign business at the hospital, formulation of comprehensive procedural rules with clear responsibilities (representation regulations and regulations for internal management) with the aim of also applying the existing, stable accounting and financial accounting processes at the hospital in the foreign business department.
- Rapid invoicing of the closed patient files and establishment of a comprehensive, professional dunning process.
Internal auditing (outsourcing) for a large supply operation producing mainly components for the automobile industry (approx. 200 million turnover, approx. 1,000 employees).
The objective of the commission was to discover irregularities (criminal behaviour/fraud).
The management commissioned us, together with a renowned law firm, to investigate irregularities in the accounting conduct of a supplier (second tier). It became obvious that for years non-conforming raw materials that did not meet the contractual specifications had been procured outside the existing IT systems, exploiting the poor control environment and internal control system. These non-contractual procurement processes with sub-quality material were invoiced at excessive prices. They also led to deliveries to a first tier client of defectively equipped and produced components, which may have caused a comprehensive recall from several OEMs in relation to the first tier supplier.
A comprehensive examination of the accounting processes brought full transparency into a complex, fraudulent accounting system in which both the management of the client company and management at the relevant supplier were involved. It was shown that the existing authorisation concepts could be circumvented with only little IT knowledge in order to carry out the corresponding manipulations in the merchandise management system.
- Our audit brought comprehensive transparency into the fraudulent settlement processes with the result that the internal persons who were responsible for this and the managers at the supplier companies could be removed. This created the opportunity to comprehensively redevelop the relevant areas.
- The cases of fraud that are now known, and the possible quantification of the corresponding damage, were communicated to the first tier client in a professional and transparent negotiation and offset. The existing business relationship could then be continued and redeveloped in different ways, so that it was possible to re-establish a functioning and trusting relationship.
- The procurement sector was completely restructured and the old systems were replaced with the result that a new ERP system was introduced.
- The personnel changes that were made enabled the establishment of a corresponding control structure and culture with the right employees. Further advantages for the client were that it was possible to comprehensively reorganise the internal quality control, with a substantial learning effect in production in relation to industrial production behaviour.
- Formulation of comprehensive anti-corruption and procurement guidelines.
- Expansion of the internal audit function that was created as a result of our findings (outsourced, and extended to other operational processes with the objective of identifying further improvement potential and establishing a professional monitoring system for all group activities at home and abroad).
The examination of the authorisation concepts in the productive SAP ERP systems was planned in the holding of a medium-sized group with approx. 100 million Euros turnover as part of the audit plan agreed with the management.
The audit order included the evaluation of the ERP systems with regard to general system security, the processes for the creation, modification and removal of user authorisations, and the user authorisations themselves with regard to separation of functions. For this it was necessary to investigate systems and processes with regard to orderliness, security and efficiency and to develop measures for system alignment and risk minimisation.
- Our audit work covered all security-relevant system and client settings and role concepts in the individual programme modules, and all critical authorisation objects, user profiles and their combinations.
- Regular operation, maintenance and emergency scenarios were taken into account.
- In addition to the evaluation of processes and authorisation concepts in the departments and IT areas a security evaluation was carried out on the ERP systems based on the regulatory framework conditions.
- Besides the specific corporate guidelines, which were also audited, the COSO, COBIT and ISO 27001 standards were also applied.
Our analyses led to the discovery of a series of security-relevant weak points, some of them significant in terms of risk, and to the determination of their causes:
- Missing restrictions were found in the extent of authorisations in the departments. Excessive authorisation scopes were identified in several cases in the IT area and in the external project staff that was used.
- Defects were also determined in the security configuration with regard to external project staff.
- Overall there was missing documentation in the authorisation concept.
It was possible to use the results of our IT audit directly as a guideline for the management and it will continue to be used as a basis for the success and progress monitoring of the improvement measures.
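The core of the authorisation audit described above is the evaluation of which business functions each user can effectively execute, whether any single user combines functions that the separation-of-functions principle keeps apart, and whether the role concept is documented. The following is an added example, not code from the original page or from Mauer Unternehmensberatung: it runs such a check over a constructed user/role extract. The Z_* role names, the function labels, the conflict matrix and all user assignments are hypothetical; SAP_ALL and SAP_NEW are real SAP composite profiles, but their assignment to a user here is invented. It also covers the three finding types the audit reports (missing restrictions, excessive scope for external project staff, missing documentation).

```python
"""Segregation-of-duties (SoD) and authorisation-scope checks over a user/role
assignment. Added example with constructed data; the Z_* roles, the function
labels and the user assignments are hypothetical. SAP_ALL and SAP_NEW are real
SAP composite profiles; their assignment here is invented for illustration.
"""
from collections import defaultdict

# Hypothetical single roles and the business functions each one grants.
ROLE_FUNCTIONS = {
    "Z_PUR_CREATE_PO":    {"create_purchase_order"},
    "Z_PUR_RELEASE_PO":   {"release_purchase_order"},
    "Z_VENDOR_MASTER":    {"maintain_vendor_master"},
    "Z_AP_INVOICE":       {"post_vendor_invoice"},
    "Z_AP_PAYMENT":       {"run_payment_run"},
    "Z_BASIS_USER_ADMIN": {"maintain_users"},
    # An over-broad "project" role of the kind handed to external staff.
    "Z_PROJECT_ALL": {"create_purchase_order", "release_purchase_order",
                      "maintain_vendor_master", "post_vendor_invoice"},
}

# Roles that have a documented owner and purpose in the authorisation concept.
DOCUMENTED_ROLES = {"Z_PUR_CREATE_PO", "Z_PUR_RELEASE_PO", "Z_VENDOR_MASTER",
                    "Z_AP_INVOICE", "Z_AP_PAYMENT", "Z_BASIS_USER_ADMIN"}

# Conflict matrix: incompatible function pairs and the risk each one opens.
SOD_CONFLICTS = {
    frozenset({"create_purchase_order", "release_purchase_order"}):
        "order and self-approve (dual control defeated)",
    frozenset({"maintain_vendor_master", "post_vendor_invoice"}):
        "create a fictitious vendor and invoice it",
    frozenset({"post_vendor_invoice", "run_payment_run"}):
        "post and pay an invoice without a second pair of eyes",
    frozenset({"maintain_users", "post_vendor_invoice"}):
        "grant posting rights and use them",
}

# Constructed user/role/profile assignment, as an audit extract would list it.
USER_ROLES = {
    "jdoe":        ["Z_PUR_CREATE_PO"],
    "asmith":      ["Z_PUR_CREATE_PO", "Z_PUR_RELEASE_PO"],
    "mmueller":    ["Z_VENDOR_MASTER", "Z_AP_INVOICE"],
    "basis_admin": ["Z_BASIS_USER_ADMIN"],
    "ext_consult": ["Z_PROJECT_ALL", "Z_BASIS_USER_ADMIN"],
}
USER_PROFILES = {"ext_consult": ["SAP_ALL"], "basis_admin": []}


def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Map each function a user can execute to the roles that grant it."""
    granted = defaultdict(set)
    for role in roles:
        for fn in role_functions.get(role, set()):
            granted[fn].add(role)
    return granted


def find_sod_conflicts(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS,
                       conflicts=SOD_CONFLICTS):
    """Return {user: [finding, ...]} for every user holding an incompatible pair."""
    findings = {}
    for user, roles in user_roles.items():
        granted = effective_functions(roles, role_functions)
        hits = []
        for pair, risk in conflicts.items():
            if pair.issubset(granted):
                via = sorted(set().union(*(granted[fn] for fn in pair)))
                hits.append({"functions": tuple(sorted(pair)),
                             "risk": risk, "via_roles": via})
        if hits:
            findings[user] = hits
    return findings


def find_excessive_scope(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS,
                         max_functions=3):
    """Users whose effective function count exceeds what one job should need."""
    scoped = {u: sorted(effective_functions(r, role_functions))
              for u, r in user_roles.items()}
    return {u: fns for u, fns in scoped.items() if len(fns) > max_functions}


def find_critical_profiles(user_profiles=USER_PROFILES,
                           critical=("SAP_ALL", "SAP_NEW")):
    """Users holding a composite profile that grants essentially everything."""
    return {u: [p for p in profs if p in critical]
            for u, profs in user_profiles.items()
            if any(p in critical for p in profs)}


def find_undocumented_roles(user_roles=USER_ROLES, documented=DOCUMENTED_ROLES):
    """Roles assigned in production that the authorisation concept does not describe."""
    in_use = {role for roles in user_roles.values() for role in roles}
    return sorted(in_use - documented)


def audit_report():
    """One line per finding, grouped by finding type."""
    lines = []
    for user, hits in sorted(find_sod_conflicts().items()):
        for h in hits:
            lines.append(f"SOD     {user}: {' + '.join(h['functions'])} "
                         f"via {', '.join(h['via_roles'])} -> {h['risk']}")
    for user, fns in sorted(find_excessive_scope().items()):
        lines.append(f"SCOPE   {user}: {len(fns)} functions ({', '.join(fns)})")
    for user, profs in sorted(find_critical_profiles().items()):
        lines.append(f"PROFILE {user}: critical profile(s) {', '.join(profs)}")
    for role in find_undocumented_roles():
        lines.append(f"DOC     role {role} is assigned but not documented")
    return lines


if __name__ == "__main__":
    print("\n".join(audit_report()))
```

The conflict matrix is the audit's own judgement of which functions must not sit with one person; in practice it is agreed with the specialist departments before the extract is evaluated, and a finding is then either remediated by removing a role or accepted with a documented compensating control (for example a periodic review of postings by a second person).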
Internal auditing (outsourcing) in the holding of a medium-sized group with approximately 150 million Euros turnover - exposure of irregularities / criminal behaviour (fraud).
By chance, the central accounting department of a group of companies discovered that a supplier had sent a fraudulent invoice when a donation receipt was requested. In the course of several discussions with the supplier it was found that staff in the central purchasing department of the group had regularly undertaken fraudulent business with this supplier. We were commissioned to examine all of central purchasing for further irregularities. This also included the formulation of improvement proposals for the organisation, the processes and the systems of central purchasing for the group, which comprises 15 individual companies.
- Our audit showed that five further suppliers had sent incorrect invoices with criminal intent in the last eight years. Managers in central purchasing and also suppliers enriched themselves in the process. In the course of our investigations we were also able to determine that some dubious or unexecuted services had been charged multiple times in fictitious transactions and at astronomical prices.
- We created conclusive documentation of the procedures for the management that could also be used in court. This was sent to the company lawyers, in part in cooperation with suppliers that had themselves been defrauded by their own top managers.
- With regard to communication with the compliance department of a large OEM we were also commissioned to communicate the events in good time and comprehensively so that further damage could be deflected from the medium-sized group. The active and comprehensive communication of the events was evaluated positively by the OEM.
- We then redefined and realised the structural and process organisation, the control structures and the contract management of the group. We also determined the structured control design that included both the dual control principle and consistent separation of functions. In this context we were also able to optimise the application-related controls prescribed in the SAP system.
- We formulated an informative and workable procurement handbook in cooperation with the client that describes a clear allocation of responsibilities and process descriptions (verbal descriptions and flow diagrams) of all procurement processes and is stored on the Internet. Clear signature regulations and consistent limitations with regard to the ordering behaviour are also included and shown in the system.
The interdisciplinary cooperation of auditors, engineers, certified internal auditors and certified information systems auditors and tax consultants allows a comprehensive and neutral evaluation of your organisation and your compliance risks. In this way you profit from our benchmarks and synergy effects. We cooperate with specialised and renowned firms of lawyers and IT consultants as needed and where required. For example with the company it.sec, who advise companies and state and non-state institutions in more than 30 countries on questions regarding information security, data protection and compliance. More: www.it-sec.de