If you have been involved with reporting or have some exposure around financial or business reports, you will note that there are always areas where a report will reflect an individual’s interpretation or understanding of the requirements. This can be a challenge for new auditors in determining what to consider and not to consider in the report. In order to address this common issue in Internal as well as IS audits, I have put together a sample question that encapsulates this.
Ransom’s Question on 15/09/2017 – Data Governance and reporting.
You have been assigned to perform an IS and Internal audit of the production and manufacturing department. You realise that the Overall Equipment Effectiveness (OEE) reported by the Manufacturing department is different from the OEE calculated and reported in the management report. You also noted that the definition of OEE used by the two departments was different. What should you recommend first?
Select an answer:
A – Review the User Acceptance Testing (UAT) of the equipment.
B – A company data definition policy should be implemented.
C – A SCADA software should be used to compute OEE.
D – Management should review and sign-off the management reports as well as the manufacturing reports.
Let us apply the K-E-C approach in answering this question.
Please note that the K-E-C approach is as follows:
K = Keyword, phrase or stem of the question
E = Eliminate two incorrect options
C = Choose the best answer for the remaining two options, linking the answer to the Key or K.
So let us approach this question.
K = Key – The key phrase here is “recommend first”. This question is about being able to determine the root cause of the problem and recommend a solution that will resolve the root cause of the problem. The problem is that the same data is used to determine the OEE for the plant but the results are different.
E = Eliminate two options – If we go through the options above, we can easily eliminate answers A and D.
Option A refers to a review of the UAT of the equipment. This really does not address the issue of different calculations and results for OEE. This is thus not a good answer.
Option D refers to the review and sign-off of the management and production reports. It may be a good control, but it is not the appropriate control to address the differences in the OEE results as the assumptions used to determine OEE would still be different. This is thus not a good answer.
C = Choose the correct answer that lines up with the KEY – We are thus left with options B and C to choose from.
Option C refers to an automated control. It recommends that the computation of the OEE be automated; however, this may not solve the problem, as the formulas and assumptions used in the scripts may still differ, which may give us different OEE results. This option is also not the best answer.
Option B refers to a data definition policy. This should be your first port of call. Before thinking of automating or reviewing reports, management should clearly define how OEE should be computed, what data should be used, and what assumptions must be considered. This is the framework that must be laid out for a consistent and accurate computation of OEE.
The correct answer is thus D – “data definition policy”. It agrees with the Key “should be recommended first”.