
Testing and verification

In document Audit-Risk Based (Page 79-87)

4 Guidance for internal audit staff


Much more detail on the methodology to be used is available from the internal audit manual on www.internalaudit.biz.

4.3.2 Maturity of the risk management processes

Draw up a draft scope, basing it on the audit plan and the risks in the risk and audit universe.

Examine the risk management processes:

Use the audit questions in appendix A to determine the risk maturity of the area being audited.

If considered necessary, scrutinise the risks identified by management to ensure they are complete. This can be done by an auditor competent in the area concerned, by an independent member of staff seconded to the audit, or by an external expert. If risks are missing, they should be found during the audit.

Conclude on the risk maturity of the processes being audited. Do risk management processes exist to:

• Identify all significant risks?

• Correctly assess all risks, that is score and prioritise them?

• Implement appropriate responses to risks (tolerate, transfer, treat, terminate)?

• Report significant risks to the board?

• Establish a robust system of monitoring internal controls?

Decide on the audit approach based on the above conclusions. The options available and action to be taken will be discussed with the HIA and are included in section 3.4.3. The work to be carried out will depend on the risk maturity of the area.

Where an individual audit is to be carried out the options are:

• Risk management processes are acceptable: evaluate the processes and determine how management gain assurance that the risk management activities are being carried out as intended.

• Risk management processes are unacceptable: facilitate risk identification and assessment to determine inherent risks, response and residual risks.

4.3.3 Testing and verification

Interview staff: obtain documentation and carry out risk workshops, as necessary, to determine the detailed objectives and risks. The audit plan will have provided high-level risks; this task is to obtain more detail about the objectives and targets of the processes involved and the risks that threaten them. An example process map, for expense purchases, is shown in appendix G.

Agree the scope of the audit with the managers involved. The scope will include:

• Reasons for the audit.

• The objectives of the processes being audited.

• The principal risks being audited (from the risks and audit universe) and other significant risks that have been mentioned during the discussion of the draft scope, or obtained from documentation.

• The processes involved, and those specifically excluded.

• The main stages of the audit.

• The staff involved, with their responsibilities, and time to be spent.

• The primary client contact (sometimes known as the ‘client sponsor’).

• The timetable for the audit, stating the expected dates of circulation for the draft and final reports, and who will receive them.

Obtain relevant documentation on processes in sufficient detail to ensure:

• All the risks have been identified and assessed (scored) correctly by management against agreed standards. Use walkthrough tests as appropriate to confirm the processes. It is probable that these tests will identify new risks not previously identified by managers. In this event, agree the existence of the risks with management and facilitate their scoring.

• Controls that should be operating to manage the risks have been identified.

• Processes which management use to monitor the proper operation of controls have been identified.

• Tests to check the effectiveness of the controls and monitoring can be defined.

Set up an audit database to record processes, the risks that threaten them, controls, tests and conclusions. An example is shown in appendix H for an audit of expense purchases in a risk defined organisation. Depending on the audit software being used, these details may be added to a single database containing all risks. Small audit teams could use a spreadsheet.

Carry out the tests to check whether the controls and management monitoring are effective. Where reliance is being placed on management’s assessment of risk, the emphasis will be on ensuring the monitoring is taking place. In all circumstances, view evidence that controls are operating as expected and pay particular attention to controls with a high control score.

Assess management’s scoring of the residual risks, taking into account the controls actually in operation.

4.3.4 Reporting

Draw preliminary conclusions on the effectiveness of the management of each of the risks. Figure 2 shows the relationship between the residual scores and the conclusion on the management of the risks. For each of the risks covered, the audit should give reasonable assurance that:

• The risk is being managed to within the risk appetite of the organisation (acceptable) or,

• The risk is not being managed within the risk appetite (unacceptable, issue, supplementary issue) and

• Action has been agreed to bring the risk within the risk appetite or,

• The risk will have to be tolerated or,

• The risk is being terminated or transferred, or

• The risk is not being managed to within the risk appetite, and no suitable action is being taken.

List ‘issues’ for discussion with management where residual risks are above the

Discuss the results with the appropriate people during the audit and in a meeting at the end of the fieldwork, noting action they will take to bring any risks within the risk appetite, or risks they will terminate, transfer, or tolerate. These last three risks should be included in the report and referred to senior management, or the audit committee, to ensure that they are satisfied the response is appropriate. Where risks are to be tolerated, check the existence, and testing, of any contingency plans.

Write and issue the draft report, in order to obtain agreement on any recommendations, and the conclusions. The format of the report, and method of communication, will be defined by the organisation.

Based on the conclusions against each risk, it will be possible to provide assurance that:

• Management have identified, assessed and responded to risks above the risk appetite.

• The responses, especially the system of internal controls treating the risks, are effective in reducing the inherent risks to below the risk appetite.

• Where residual risks are above the risk appetite, action is being taken to reduce them to within the risk appetite, or the board has been informed that they will be tolerated, transferred or terminated.

• Risk management processes are being monitored by management to ensure they continue to operate effectively.

Or indicate why assurance cannot be given. Guidance on how to decide on the conclusion against each of the above points is provided in appendix J.

Write and issue the final report having amended the draft report as necessary. Issue the final report to the parties defined by the Internal Audit Department’s Charter.

Update the risk and audit universe, after obtaining management agreement.

4.3.5 Documentation

The audit should be documented in such a way that:

Evidence for the audit conclusions is complete and easily found.

Issues can be easily traced back to the reasons, and evidence, for raising them and to the action being taken to address them.

Risks, their controls, the audit tests and conclusions are linked in such a way that the conclusion on any risk can easily be found. The audit database is the key document to enable this.

Important decisions from meetings are noted.
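As an added example, not taken from this guidance or from the internalaudit.biz manual, the Python sketch below models the audit database that sections 4.3.3 to 4.3.5 describe: each risk is linked to its controls, tests and evidence, the auditor's residual score is compared with the risk appetite, and the conclusion categories of 4.3.4 fall out per risk. The appetite threshold, the residual-scoring rule and the expense-purchases records are assumptions made for the example; the real relationship lives in Figure 2 and appendix H.

```python
from dataclasses import dataclass, field
# Assumed threshold: residual scores above it are outside risk appetite (the
# guidance's Figure 2 holds the real relationship; this value is made up).
RISK_APPETITE = 6
PAST = {"tolerate": "tolerated", "transfer": "transferred", "terminate": "terminated"}

@dataclass
class Test:
    ref: str
    evidence: str       # working-paper reference, for 4.3.5 traceability
    effective: bool     # was the control found to be operating as expected?
@dataclass
class Risk:
    ref: str
    description: str
    inherent: int
    residual_mgmt: int                  # management's residual score
    response: str                       # tolerate / treat / transfer / terminate
    controls: dict = field(default_factory=dict)   # control name -> control score
    tests: list = field(default_factory=list)
    action_agreed: bool = False
    contingency_tested: bool = False

def audit_residual(risk):
    # 4.3.3: accept management's residual score only when every test found the
    # controls effective; otherwise treat the risk as untreated (assumed rule).
    if risk.tests and all(t.effective for t in risk.tests):
        return risk.residual_mgmt
    return risk.inherent

def conclude(risk):
    # Conclusion categories of 4.3.4 for one risk.
    if audit_residual(risk) <= RISK_APPETITE:
        return "acceptable"
    if risk.action_agreed:
        return "issue: action agreed"
    if risk.response in PAST:
        return "issue: " + PAST[risk.response] + ", refer to senior management"
    return "issue: no suitable action"

def report_lists(db):
    # Issues for discussion, and tolerated risks lacking a tested contingency plan.
    issues = [(r.ref, conclude(r)) for r in db if conclude(r) != "acceptable"]
    no_plan = [r.ref for r in db if r.response == "tolerate"
               and conclude(r) != "acceptable" and not r.contingency_tested]
    return issues, no_plan

def trace(db, ref):
    # 4.3.5: from any risk reach its high-score controls, evidence and conclusion.
    r = next(x for x in db if x.ref == ref)
    return (conclude(r), [c for c, s in r.controls.items() if s >= 3],
            [(t.ref, t.evidence, t.effective) for t in r.tests])

# Constructed sample records for an expense-purchases audit (not appendix H).
DB = [
    Risk("R1", "Claims paid without approval", 9, 3, "treat", {"Manager approval": 4},
         [Test("T1", "WP-12: sample of 25 approved claims", True)]),
    Risk("R2", "Duplicate claims paid", 8, 4, "treat", {"Duplicate check": 3},
         [Test("T2", "WP-14: CAAT over Q3 claims", False)], action_agreed=True),
    Risk("R3", "Card processor outage", 7, 7, "tolerate"),
]
```

Running `report_lists(DB)` lists R2 and R3 as issues and flags R3 as tolerated without a tested contingency plan; `trace(DB, "R2")` returns the conclusion together with the failed test and its working-paper reference.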

4.4 What’s in it for me – the pluses and minuses?

Since RBIA provides assurance on all risks, risk based audits can involve areas not usually examined. This is particularly true when previous audit work involved completing audit programmes on financial controls, or carrying out compliance audits.

The new areas to be audited will be unused to auditors, and there will be much more involvement with managers throughout the audit, not only at the end when presenting findings. Auditors will have to understand more about the practicalities of business and facilitate the implementation of controls accordingly.

4.5 I’ve got some questions

What skills do I need?

If you are moving away from old-style or traditional audit programmes, then you are likely to develop the following skills:

Marketing yourself, your ideas and your expertise, since you will be working with people who have never had contact with internal auditors. This includes presentation skills.

Interviewing and listening skills, since you will have to understand the business you are auditing.

Running meetings and workshops, since these will provide you with your basic building blocks of objectives, risks and controls.

A wider knowledge of your organisation: since you will be auditing high level risks, you will need to understand the high level objectives. This includes understanding the external risks threatening your organisation.

What techniques should I use?

RBIA doesn’t necessarily change the auditing techniques to be used, but where they will be used. Physical verification is still vital to ensure what people are telling you should happen is actually happening. Thus you will still continue to use walkthrough tests, sampling of transactions, examination of authorising signatures and verifying balances.

The reason for carrying out these tests is to ensure that the controls that treat risks, and the monitoring controls that ensure these controls are operating, are effective. The tests are not designed specifically to detect incorrect, or fraudulent, transactions. That is management’s job.

What about computer assisted audit techniques (CAAT)?

Their use is justified if they are intended to prove controls are effective. If their intention is to detect errors, or fraud, then management should take responsibility for operating them.
