At this year’s InsideNGO conference, Deby MacLeod, Audit and Assurance Principal at Clark Nuber PS, shared her perspective on how a document management system can simplify the audit process for both parties. She discussed four key areas of audit focus along with controls you can put in place that will help you pass with flying colors.
Auditors are looking for inconsistencies, inefficiencies, errors, and incidents of unethical conduct in your company. A minor mistake can cost you hundreds of thousands of dollars. A major one can shut you down.
Here are the four main compliance categories where MacLeod says you need to be perfect:
1. Access and Authentication
Primary Concern:
Proper approval and authorization of contracts, agreements, payment reports, and other similar documents.
What should you do about it?
- Use appropriate logins and passwords to restrict access
- Implement timed lockouts
- Include lockouts for failed login attempts
- Lock documents for editing after approval
- Retain the “envelope” for electronically signed documents
- Don’t put faith in email – email approval is WEAK audit evidence
2. Document Management
Primary Concern:
Availability and access to complete and accurate records.
What should you do about it?
- Make sure documents are searchable and retrievable
- Set up a consistent document retention period, so documents are available upon request during an audit
- Stay up to date on Federal compliance regulations
- Establish a solid form of version control
3. Security and Integrity of Documents
Primary Concern:
Protection of your documents from intentional or accidental modification or deletion, while knowing that you can access them when you need to.
What should you do about it?
- Maintain reliable active directory management that includes mobile devices
- Limit access through use of logins and passwords
- Limit “super user” or admin rights
- Make sure to include version control
- Perform regular and timely backups
- Perform periodic restore or other tests to ensure document integrity
4. Retention and Destruction
Primary Concern:
Compliance with Federal regulations and organizational policies to ensure documents are readily available when necessary and destroyed in a timely manner.
What should you do about it?
- Have a disaster recovery plan in place
- Make sure your record retention policy addresses electronic documents and data
- Establish a process to monitor compliance with your policy
- Destroy records/documents in an orderly and timely manner, and in accordance with your policy
Make Sure You Are in Control of Your Files – Not the Other Way Around
Adequate audit evidence revolves around having consistent control over the conversion and maintenance of original documents, and auditors need this to move forward on the items listed above. The auditors will test these internal controls. Make sure they’re tight.