When a company’s systems development staff creates a new business system, either the accounting staff or the external auditors find control problems after the fact that require either significant programming changes or major modifications to other systems that must now be relied upon as secondary controls that offset the problems found. Some of these problems are so severe that entire systems must be scrapped or entirely reworked. The worst case is when a control weakness is spotted by someone who exploits it to fraudulently part a company from its assets.
Many of these control problems can be eliminated by making an internal audit person an integral part of a systems design team. By regularly reviewing the conceptual and detailed designs of new systems, internal auditors can spot potential control problems before any significant programming time has been spent on them. This not only achieves a higher level of control in new systems, but also avoids the time that would otherwise be spent on correctional changes to systems at a later date. Proper use of this best practice requires the involvement of auditors with significant systems design and controls knowledge.