You are part of an investigation team visiting an office branch to conduct a
surprise audit of the staff and the processes running there. Office branches
support daily operations in different cities and carry out these activities:
– Onboarding staff: Recruiting new drivers
– Driver Support Unit staff: Handling drivers’ complaints and updating existing
drivers’ data with new information
– Inventory staff: Managing inventory
– Driver Exit Management staff: Collecting penalties and outstanding installments
of terminated drivers
a) What are the key areas that you would investigate during the audit and how
would you do it?
b) What are the basic internal controls that should be in place for each activity
mentioned above?
c) What potential fraud scenarios committed by internal staff there do you
have in mind?
a)
Onboarding staff
1. To ensure that a proper background check of each new driver has been done,
by sample-checking the background checklist completed by the agent and
acknowledged by the supervisor.
2. To ensure that no discriminatory hiring has taken place, by obtaining an
acknowledgement letter from the supervisor stating that the agent has been
informed not to hire in a discriminatory way. Check the new drivers’ basic
information, grouped by agent, to see whether any one agent tends to recruit
based on one religion, race, etc.
3. To ensure complete, accurate, and proper documentation of each new
driver’s record. Check whether the recruiting agent and management have
approved the new driver’s record. Sample-check new driver record forms from
document storage and match them with the database. Ensure that there is no
duplication of drivers’ information. Check that the new driver’s information is
reflected in the next month’s drivers’ list.
4. To ensure that the hiring contract has been received and acknowledged
by both the company and the driver, by checking the physical hiring contract
form signed by the driver and agent and acknowledged by management.
5. To ensure that the new driver’s record and installment amount have
been properly and accurately stored in the database, by sample-checking new
driver records from the database and matching them with document storage.
Ensure that there is no duplication of drivers’ information.
6. To ensure that the confidentiality policies for drivers’ records in the
database have been properly applied, by testing the IT security controls:
periodic password changes for every IT user, by checking the password history
record; the management approval requirement for any new user, by checking
that the new database user approval form has been signed by management;
segregation of duties for IT access, by re-performing database access as
different types of user according to their access privileges; and timely review
of whether each user’s access is appropriate, by checking that the user account
review form has been signed by management.
7. To check the existence of each new driver, by calling or meeting the driver.
Driver Support Unit staff
1. To ensure that the driver’s record has been properly and accurately
updated in the database. Check whether the driver’s update request form has
supporting evidence of the new information (e.g. a copy of the driver’s new ID
or vehicle license) attached and has been approved by the recruiting agent and
management. Sample-check update request forms from document storage and
match them with the database. Sample-check update requests from the database
and match them with the actual request forms. Ensure that there is no
duplication of drivers’ information. Check that the driver’s updated
information is reflected in the next month’s drivers’ list.
2. To ensure the accuracy of the driver’s new information, by calling the
driver on the new phone number or sighting the actual driver information
update form to check whether the supporting evidence is sufficient for the new
information.
3. To ensure that the driver’s installment record has been properly and
accurately updated in the database, by checking the driver’s installment and
settlement record and recalculating it to ensure its accuracy and completeness.
Also check whether the bank credit or deduction from the GO-PAY account is
justified and accurate according to the installment or penalty settlement
record, by cross-checking against the GO-PAY account or bank statement
transfer list, and whether it has been signed by management. Check whether the
updates are reflected in the next month’s driver installment record in the
database.
4. To ensure that the confidentiality policies for drivers’ records in the
database have been properly applied (e.g. using restricted access or segregated
user controls), by testing the IT security controls: periodic password changes
for every IT user, by checking the password history record; the management
approval requirement for any new user, by checking that the new database user
approval form has been signed by management; segregation of duties for IT
access, by re-performing database access as different types of user according
to their access privileges; and timely review of whether each user’s access is
appropriate, by checking that the user account review form has been signed by
management.
5. To ensure that each driver’s complaint has been properly handled and
documented by the agent and reviewed by the operation manager and the relevant
department’s manager (ensuring segregation of duties), by checking the
complaint form filled in by the agent and ensuring that it has been reviewed
and signed by management.
6. To ensure that complaints have been properly followed up by the relevant
department and that such complaints occur less frequently, by checking the
trend in complaint statistics and inquiring with management about the
follow-ups that have been implemented so far.
7. To ensure that complaint handling has been conducted in adherence with
company policies, including keeping complaints confidential, by inquiring with
the agent and re-performing the complaint handling process to check whether
the company has kept the complaint anonymous.
Inventory staff
1. To ensure that proper storage controls against theft have been
implemented, by observing and enquiring about the security system implemented
in the storage. We need to see whether the checks on locks and CCTVs are
carried out periodically, by sighting the review records and re-performing the
checks on locks and CCTVs. We also need to check whether all truck driver
movement lists, delivery orders and goods delivery notes have been signed by
the security guard and inventory manager, by sample-checking the documents and
observing whether they have been signed accordingly.
2. To ensure reliable and accurate inventory and accounting records,
acknowledged by the inventory manager and finance manager, by conducting a
periodic stock count and matching its existence to the database and vice versa.
Other controls such as labeling and inventory placement to avoid human error
must also be in place.
3. To ensure that inventory movements have been accurately and completely
recorded in the inventory and accounting records (ensuring an accurate
transfer-of-ownership cut-off period), by checking the first and last few
batches of inventory in and out and matching them with the delivery orders and
goods receiving notes signed by the inventory manager and relevant department
manager. We need to check whether the latest several batches in and out can be
matched with the actual inventory amount by performing inventory counts. The
timing of sending and receiving inventory must also be checked to ensure that
the cut-off for transfer of ownership of inventory has been appropriately
recorded.
4. To ensure that inventory officers have been conducting inventory
management properly, in adherence to company and government law, by
reviewing the periodic training conducted by the company, ensuring full
attendance and sign-off by the trainer.
5. To ensure that inventory that is damaged or past its useful life has been
written off from the database, by sighting the database and tracing it to the
inventory located in the area assigned for damaged or expired inventory.
6. To ensure that unauthorized personnel are not granted access, by
reviewing the visitors’ list acknowledged by the security guard and inventory
manager and checking the permission slip as supporting evidence that a sampled
visitor was granted access to the storage facility.
7. To ensure that inventory is sent or received in the proper amount and
condition, by checking the delivery order signed by the customer, deliveryman,
and inventory manager, and the goods delivery notes signed by the deliveryman,
inventory manager, and customer.
Driver Exit Management staff
1. To ensure that the penalty detail list and outstanding installment
record have been properly and accurately documented in the database and
periodically reviewed by the driver agent’s supervisor and operation manager
(ensuring segregation of duties), by inspecting whether management is aware of
and has reviewed the records, and inquiring with management about the
follow-ups on the outstanding balance.
2. To ensure that the terminated driver’s record has been completely
removed from the database from the month following the termination period,
and acknowledged by the agent’s supervisor and operation manager (ensuring
segregation of duties), by checking the management-approved termination form
and tracing it back to the database to confirm its removal.
3. To ensure that the payment of the outstanding installment and penalty has
been checked and received by the agent, with its amount acknowledged by the
operation manager and finance manager (ensuring segregation of duties), by
checking whether the bank credit, GO-PAY account deduction, or cash payment
record is justified and accurate according to the settlement record, via
cross-checking against the GO-PAY account, bank statement transfer list, or
cash payment record, and whether it has been signed by management. Check
whether the updates are reflected in the next month’s driver installment
record in the database. Inquire with management on how any outstanding balance
beyond the termination date is followed up or disposed of.
4. To ensure that the terminated driver’s penalty and installment record has
been completely removed from the database once settled, and acknowledged by
the agent’s supervisor and operation manager (ensuring segregation of duties),
by tracing the record in the database.
b)
Onboarding staff
1. The background checklist form must be completed by the recruiting agent
and acknowledged by the recruiting supervisor.
2. Check the new drivers’ basic information, grouped by agent, to see whether
any one agent tends to recruit based on one religion, race, etc.
3. The new driver’s record form must be obtained by the recruiting agent
and acknowledged by the recruiting supervisor.
4. The hiring contract (including the installment contract) must be
received and acknowledged by the driver and the recruiting supervisor.
5. The new drivers’ information list in the database is reviewed periodically,
and its supporting evidence (the new driver registration form) is attached and
reviewed by the recruiting supervisor and operation manager (enhancing
segregation of duties) before it is stored in the database.
6. Periodic audit of the existence of new drivers by calling or meeting the
driver.
7. The drivers’ database has restricted access or segregated user controls
assigned by the IT department. IT security controls include: periodic password
changes for every IT user; a management approval requirement for any new
user, change of user privilege, and terminated user; segregation of duties for
IT access; timely review of whether each user’s access is appropriate; and
investigation of any inappropriate attempt to access the database.
Driver Support Unit staff
1. The driver’s record update request form, with supporting evidence for the
new information, must be obtained by the recruiting agent and acknowledged by
the recruiting supervisor.
2. The list of updated drivers’ information retrieved from the database is
audited periodically, and its supporting evidence (the driver update request
form) is attached and audited by the recruiting supervisor and operation
manager (e.g. calling the driver if there is a new phone number, or sighting
the supporting evidence) before the update is made in the database.
3. The drivers’ installment information list is reviewed periodically and
acknowledged by the finance manager and operation manager (enhancing
segregation of duties). Any update to an outstanding installment or penalty
balance must be cross-checked and matched to the deposit in the bank statement
or the deduction from the GO-PAY account by the finance officer, and
acknowledged by the finance manager and operation manager, before the
installment information is updated in the database.
4. The drivers’ database has restricted access or segregated user controls
assigned by the IT department. IT security controls include: periodic password
changes for every IT user; a management approval requirement for any new
user, change of user privilege, and terminated user; segregation of duties for
IT access; timely review of whether each user’s access is appropriate; and
investigation of any inappropriate attempt to access the database.
5. Each driver’s complaint form must be properly handled and documented by
the agent. The form must be reviewed by the operation manager and the relevant
department’s manager (ensuring segregation of duties).
6. Periodic review of the drivers’ complaint list by the operation manager and
the relevant department’s manager (ensuring segregation of duties) to enforce
follow-ups.
7. Keeping the complaint form anonymous.
Inventory staff
1. Use proper locks and CCTVs and hire security guards to prevent theft by
external parties. Check locks and CCTVs periodically to ensure that everything
is in working condition. For every movement of inventory, the security guard
should check and sign the delivery order form acknowledged by the inventory
manager and relevant department manager before granting permission to access
the storage. The truck driver should also sign the truck driver movement list
for every entry to and departure from the storage facility, acknowledged by the
security guard and inventory manager.
2. A periodic stock count must be done by the inventory officer and supervised
by the inventory manager, finance officer and sales officer. Proper labeling
and location segregation based on inventory category must be in place in order
to avoid human error during inventory counting.
3. A periodic stock movement count must be done by the finance and sales
officers and cross-checked against the inventory database and the relevant
delivery orders and invoices, to ensure that the movement has been reflected in
the database.
4. Periodic training and testing of inventory officers on inventory handling
management to ensure adherence to government and company policy.
5. Any inventory that has passed its useful life must be notified by the
finance officer to the inventory manager, with acknowledgement by the finance
manager, so that the inventory is placed in the location assigned for damaged
or expired items before it is disposed of and the database is updated.
6. Any inventory that is damaged and cannot be sold must be notified by the
inventory officer to the finance officer, with acknowledgement by the inventory
manager, so that the inventory is disposed of accordingly. After
acknowledgement from the finance manager has been obtained, the inventory is
placed in the location assigned for damaged or expired items before it is
disposed of and the database is updated.
7. Any visitor with permission from management should fill in the visitors’
form, acknowledged by the security guard and inventory manager. The security
guard needs to ask for the management approval form shown by the visitor before
giving access.
8. For any inventory sent to a customer, the deliveryman should obtain a
delivery order signed by the customer, inventory manager, and deliveryman to
ensure that the inventory was sent and received by the customer as per the
delivery order. For any inventory sent from a customer, the inventory manager
should obtain a goods delivery note signed by the inventory manager and the
customer’s deliveryman to ensure that the inventory was received by the
inventory officer as per the delivery order.
Driver Exit Management staff
1. The drivers’ installment information and penalty list is reviewed
periodically and acknowledged by at least two relevant departments (enhancing
segregation of duties). Any update to an outstanding installment or penalty
balance must be cross-checked and matched to the deposit in the bank
statement, the deduction from the GO-PAY account or the cash payment record by
the finance officer, and acknowledged by the finance manager and operation
manager, before the installment information is updated in the database.
2. The driver’s termination form must be raised by the agent and approved by
at least two relevant departments (ensuring segregation of duties) before the
driver is removed from the database. A periodic review of the drivers’ list in
the database must be done by at least two relevant departments to check whether
the previous month’s terminations are reflected in the current month’s list.
3. Periodic review of outstanding installments and penalties. If the
outstanding installment and penalty have not been settled by the last day, the
agent officer may raise a transfer approval form and seek acknowledgement from
the agent’s supervisor and operation manager to deduct from the outstanding
revenue earned by the driver in order to settle the outstanding balance. After
the deduction has been successful, the outstanding balance shall be removed
from the database and acknowledged by management.
c)
Onboarding staff
1. Registering fake new drivers to fulfill a KPI (reaching the monthly minimum
number of new drivers)
2. Registering one driver several times to fulfill a KPI (reaching the monthly
minimum number of new drivers)
3. Inappropriate access to the drivers’ database to edit an outstanding or
penalty amount
4. Registering family members using a fake vehicle ID to fulfill a KPI
(reaching the monthly minimum number of new drivers)
5. Registering a blacklisted driver for personal reasons
Driver Support Unit staff
1. Inappropriate access to the drivers’ database to edit an outstanding or
penalty amount or any essential details of the driver
2. Ignoring or deleting complaints from drivers
Inventory staff
1. Theft or damage by internal staff for personal reasons
2. Theft by the deliveryman and/or inventory officer during shipment
from the supplier to the storage, for personal reasons
3. Inappropriate training of inventory officers, causing accidents at work,
increased human error in inventory counting, damage to inventory due to
inappropriate handling, or more cases of officers bypassing the security system
so that their job can be finished faster
Driver Exit Management staff
1. A driver exits without settling the outstanding penalty or installment
due to GO-JEK
2. A driver is still included in the database even though the driver has been
terminated, because internal database staff made a human error or deliberately
did not remove the driver for personal reasons
3. If a penalty is collected in cash, it is easier for internal staff to steal
the money without providing a sufficient record