Internal Audit Procedure in Retail Industry - Consulting, Outsourcing

Internal auditors plan their audits with a risk-based approach, paying close attention to the areas and issues that pose the highest risk to the company. Internal auditors evaluate risks independently, taking into account the risks assessed by management and statutory auditors and the auditable units involved in the company's risk management framework and processes.

Internal controls are systems and procedures that aim to manage risks, prevent errors and irregularities, and ensure accurate financial reporting. They are available in either manual or automated form.

The risk of financial exposure is mitigated by financial controls (IFCs), while operational risks are mitigated by operational controls (OCs). IT general controls ensure automation system security and application controls check transactions at an application level, while manual controls require human intervention.

The assessment of an entity's internal controls and control environment by internal auditors leads to the development of an efficient audit approach.

The objective of internal audit procedures is to ensure compliance with laws and regulations and provide assurance to management and the organisation.

The internal auditor will evaluate the design, implementation, and operational effectiveness of the company's formal compliance framework in certain instances.

In the event that the company does not have a formal compliance framework, the internal auditor will design and conduct audit procedures to identify any areas of non-compliance and make recommendations to improve compliance.

Internal Audit (IA) is a vital component of organisational governance, ensuring compliance, minimising risks, and improving efficiency. The Institute of Chartered Accountants of India (ICAI) issued SIA 140 on governance to provide a common terminology, clarify the Internal Auditor's role in providing assurance, and explain the duties of the Board, Management, and Audit Committee.

To conduct an independent IT risk assessment and determine necessary controls to mitigate risks before starting any IT audit activities, internal auditors must meet certain requirements to gain an understanding of the business operations and IT environment.

Two main components of Information Technology Environment includes:

• IT Infrastructure (includes hardware, IT architecture, operating systems, communication network storage systems;) and
• Application software and data (including but not limited to interface, business resource planning, customer relationship management, dealer and channel management system, electronic commerce applications, robotic process automation.)

Performing audit procedures to provide assurance in the areas of:

• Security and reliability of information
• Analysing and reporting information
• Efficiency and effectiveness of information processing
• Continuous access and availability of information
• Compliance with IT-related laws and regulations

To conduct an independent IT risk assessment and determine necessary controls to mitigate risks before starting any IT audit activities, internal auditors must meet certain requirements to gain an understanding of the business operations and IT environment.

It is a major risk in the retail industry. Security in a retail industry can be categorised into two components:

IT Security

Data can be at risk from various sources, including the following:

• Natural Calamity: Equipment and storage devices can suffer damage from fires, floods, earthquakes, and other natural disasters.
• Theft of Data: Employees can often misuse, steal, copy and/or delete part of the information when they leave the company or while they are still in employment.
• System Crash: System crash is a condition where a program stops performing its expected function and stops responding to other parts of the system.
• Computer Fraud: The data can be stolen or misused by hackers, scammers, and other criminals.
• System Bugs: Errors in code can cause unexpected results and data loss.
• Telecommunication Failure: Telecommunication failures can freeze the flow of data to and from computing systems, preventing operations.
• Virus Problem: Viruses are computer programs that can duplicate themselves and infect a computer.
• Hacking: Hacking can involve stealing passwords, encrypted data, or software packages.

Physical Security

The entity is responsible for protecting its customers, staff, and properties. Physical security, such as surveillance systems and access control, is employed to deter crime and safeguard assets.

It could include the security of the following areas:

• In store: POS, cash-handling areas, displays, customers, and employees.
• Back office and warehouse: Equipment, assets, time and attendance, productivity, and safety.
• Parking and outdoor premises: Entry and exit points, suspicious vehicles, and deliveries.

For any entity operating in the retail industry, there are significant operating costs that need to be taken into account:

• Lease Expenses
  The success of the store can be influenced by the rental charges for office buildings, property, or employee housing. The rental costs can be determined by the store's location.
• Advertising and Marketing Expenses
  Branding is one of the key aspects in development of any entity’s reputation and a strong brand name. In an increasingly competitive market, an effective brand strategy can give a significant advantage.

The following are the marketing strategies that the entity may use:

• Loyalty Programs
  Retail loyalty programs reward customers with discounts and other benefits for repeat business, and program managers are responsible for monitoring customer activity and developing strategies to improve engagement.
• Multi Channel Marketing
  Multi-channel marketing uses multiple channels to reach customers and requires a well-coordinated supply chain management system to ensure consistency and effectiveness.
• Penetration Analysis
  Determining stock requirements at a particular location and developing promotion strategies can be improved by managing by analyzing the extent of a commodity's reach.
• Store Maintenance Expenses
  Stores must be maintained to ensure customer satisfaction and prevent goods from perishing prematurely. This requires significant maintenance expenditures, which can be reduced through annual maintenance contracts (AMCs) with professional agencies.
• Finance Charges
  The entity must borrow funds with cost-effectiveness, which may include external commercial borrowings for foreign currency expenses.

Measuring Operational Efficiency

Measurement of operational efficiency can be done by the internal auditor using the following methods:

• Operational research - based method
• Data Envelopment Analysis (DEA)

A retail store is considered efficient when it produces the highest amount of output relative to inputs when compared to other similar stores. Internal auditors are responsible for verifying expense capture procedures and controls, ensuring fair allocation of common expenses, and conducting analytical procedures to identify inconsistencies.

• Total Fixed Cost
  

  The growth in total fixed cost signals expansion activity. In these cases, an internal auditor may verify the sufficiency of controls with respect to the growth entity.

• Operating Cost to Revenue (undertaking wise)
  

  The internal auditor calculates the entity's operating costs based on revenue in various legal environments, even though there are challenges.

• Variable cost per man hour per Undertaking
  

  The total undertaking cost is divided by man hours to calculate the variable cost per man hour. Comparing it across periods can reveal significant changes in expenses and help identify the reasons.

• Interest Cost to Loans
  

  Internal auditors can verify if the interest paid on loans is significantly high by comparing it to existing rates, which is the basis for estimating the average cost of borrowing.

Visual merchandising

Visual merchandisers create displays using colour, lighting, space, product information, and sensory inputs like smell, touch, and sound. They also incorporate technologies like digital displays and interactive installations.

Managing shrinkages

Retail stores can experience shrinkage due to a variety of factors, including:

• Process Lapse:Process lapses like this can cause stores to experience shrinkage:
  • Incomplete or inaccurate receipt verification
  • Manual bills not updated in POS
  • Returns not accounted for promptly
  • Consumer promotions not updated in the system
• System Lapse: Poor quality of scanners or stickers and duplicate SKU Code would force manual intervention at POS. Errors and shrinkage can be caused by manual intervention.
• Vendor Fraud:The warehouse would likely experience shrinkage due to the vendors' short supply compared to the quantity in the Goods Received Note (GRN). Moreover, any such malpractice adopted by DSPs (direct supplies to stores) would also amount to shrinkages.
• Employee Fraud:This is the most common means of fraud causing shrinkages. The followings could be types of malpractices:
  • Improper Invoicing: billing lesser quantity / non-billing of certain products / billing products with lower prices as against actual selling price of products sold.
  • Theft by employees in their own workplace.
  • Fraudulent practice in handling home deliveries.
  • Fraud concerning products exchanged by clients.
• Customer Shoplifting:Retailers face a significant challenge in preventing the theft of small, high-value items by customers, but corrective measures can mitigate the risk.

Handling of Products and Disposal of Damages and Expiries/ Product nearing expiry/ Obsolescence

• Handling product - Handling products would be an important part in activities carried by a retail industry. It involves activities such as pushing, pulling, carrying, lifting and holding.

  The internal auditor may perform assessment of each manual task and the following factor may be considered in framing his internal audit procedures:

  • Nature of the objects being handled.
  • Actions and Movements involved in the task.
  • Duration and Frequency of the task.
  • Analysis of relevant injury and statistics.
  • Training and experience of the employees.
  • Age of the employee doing the tasks.
• Disposal of Damages and Expiries -In case of disposal of damages and expiries/ product nearing expiry/ Obsolescence, the internal auditor would assess the following:
  • Storage systems and manuals of the entity.
  • Periodicity of verification of stock.
  • Controls on disposal of such goods.
  • Methods to prevent damages and its sufficiency.
  • Treatment of identified damages and its disposal.
  • Adequacy of controls to record these losses and disposals.

The internal auditor may verify the sufficiency of controls related to maintenance of accounts by entity. The Internal Auditor also verifies the controls for allocation of costs between different departments in every store and verifies whether it is adequate and trustworthy when it comes to the overall business operations.

A management information system (MIS) that can provide sufficient information for decision making could be the best fit for the entity if the accounting system is comprehensive enough and enable the entity to understand complexities of business, status of implementation of new ideas and status of operations of the entity.

The notification system should be sufficiently comprehensive and capable of providing the following information:

Sales and Collection

• Daily statements of sales through cash, credit card, coupons, debit card across individual stores.
• Department wise sales
• Reconciliation between sales and collection statutes with outstanding debtors.
• Benefits of ads through additional revenue and customer loyalty.
• Trends of sales in a particular location.
• Consumption vs sales analysis.

Inventory management

• Loss of inventory due to stolen, damaged or lost assets.
• Inventory at cash store, warehouse and storage centres.
• Inventory ageing system.

Supplier Analysis

• Status of all pending orders.
• Tracking credit period of each distributor.
• Matrix of orders placed for each product throughout the services.

Others

• Customer feedback review analysis.
• Sensitivity analysis for price and discounts, and non-availability of key products.
• Gross profitability ratio across different products.

Mystery shopping is an evaluation conducted by a mystery shopper posing to be a regular customer to experience and inspect the level of customer service being provided by the entity. Mystery audit has an objective to overview the business with the eyes of customers.

Mystery shopping provides management a detailed assessment of employee’s performance and variables that affect a customer’s experience and satisfaction with the business.

Mystery shopping assessments can be completed with tools such as simple questionnaires to complete audio and video recordings. Mystery shopping can be used in any industry, with the most common venues being retail stores, hotels, movie theatres, restaurants, fast food chains, banks, gas stations, car dealerships, healthcare facilities, etc.

Internal audit in the Retail Industry plays a vital role in helping businesses to achieve their goals. By identifying and addressing risks and inefficiencies, internal auditors can help them to improve their bottom line and protect their reputations. In the retail - industry, internal auditors should focus on key areas such as financial audits, compliance audits, inventory management, point-of-sale systems, and customer loyalty programs.

By focusing on these areas, internal auditors can help retailers to improve their operational efficiency, reduce risk, and protect their bottom line.