RIAM:Conduct of the Very Large Audit

From RiskWiki


This article covers the approach to delivery of Internal Audit assignments in very large organisations. Many of the sections and discussions are shared with the other papers on internal audit throughout the RiskWiki, but in this topic tree we enhance that coverage with issues specific to larger, more complex organisational structures.

The term "very large" does not so much apply to organisation size as organisation complexity.

RIAM distinguishes very large organisations from other organisations because the former frequently have:

  1. Separate units covering:
    • Risk,
    • Compliance, and
    • Internal Audit;
  2. Multiple locations/campuses across a variety of geographic locations;
  3. Multiple (sometimes competing) jurisdictional responsibilities;
  4. Multiple autonomous or semi-autonomous divisions/corporate entities;
  5. Mixed legal and organisation types within the group (eg trusts, companies, joint-ventures, partnerships, partially owned subsidiaries, legislation enabled agencies, etc);
  6. Mixed management organisation structures (divisional, matrix, project, etc);
  7. Separated (geographically and managerially) internal audit units with differing, possibly competing, reporting lines; and
  8. Internal audit teams with an internal critical mass for self-sustainability (i.e. they are big enough to train their own staff and provide a career path), but requiring dedicated internal administration, HR and management teams (as opposed to a one to five-man consulting team).

While the method of analysis at the individual review level may be essentially the same, regardless of client organisation size, internal audit service delivery in the very large organisation will require some unique strategies for management and planning of the internal audit project across a large and diverse organisation (often involving multiple auditors on the one project) and across an extended (or even multiple) time period(s).

Not responsible for a very large organisation audit? No matter - you may be surprised how much of this applies to you anyway.

This volume is, therefore, about doing the internal audit project once it has been identified during the strategic planning phase. It is NOT about conducting strategic planning in large organisations as that is the topic of a separate paper.

This Volume of the Manual does not attempt to prescribe in detail how each type of audit or aspect of an audit should be conducted; rather, it presents the issues involved in undertaking audits, together with a common approach and set of skills. For specific types of reviews, appendices are provided detailing the steps to be applied. Internal Auditors are expected to make reference to the Internal Audit Technical Library and elsewhere for technical details. This manual, together with specific work programs/field audit plans, should form the core reference for the conduct of the audit. Theoretical discussion and specialist techniques should be the subject of further research.

For example, under the section on sampling and testing, testing methods are discussed and reference made to the application of testing; however, the manual does not go on to describe the theoretic probability basis for assessing sample results or provide the reference tables necessary to apply a testing approach. We do provide the formulae with worked examples demonstrating the calculation of sample sizes.

Other Sources of Information

The following documents will be of use:

  • Procedural Directions
    • Institute of Internal Auditors Standards, Statements & Pronouncements
    • RIAM Strategic Planning For Internal Audit
    • RIAM Internal Audit Charter & Terms of Reference
    • RIAM Audit Manual
    • RIAM Audit Guidelines
    • External Auditor (if corporate)/ Auditor General (if government) Audit Guidelines and sundry publications
    • National (insert country) Accounting Standards
    • International or National (insert country) Statements of Auditing Practice

  • Technical References
    • (Gleim, 1989) - CIA Examination Review - 2 Vols, 3rd Ed. IIA 1988
    • (Sawyer, 1988) - Sawyer's Internal Auditing, Sawyer and Sumners, IIA 1988
    • (Brink, 1982) - Modern Internal Auditing, 4th Ed, Brink and Witt, Wiley & Sons 1982
    • (Wilson, 1989) - Systems: Concepts, Methodologies and Applications, 2nd Ed, Wilson, Wiley & Sons 1991
    • (Valbahaneni, 1988) - Information Systems Concepts and Foundations, EDPAA
    • (Stettler) - Stettler's Systems Based Audits
    • Theory and Practice of Australian Auditing

  • Legal Compliance
    • Audit Act (as appropriate to your jurisdictions)
    • Finance Regulations and Directions (as appropriate to your jurisdictions)

While the Internal Auditor should adhere to his/her professional responsibilities, the auditor must also comply with organisation specific directives. These are generally contained in the Audit Charter and this Manual.

  • The Audit Charter / Audit Policy Manual

One of the critical documents, the Charter forms "the constitution" governing the audit committee and the audit function. It details the functions, obligations and responsibilities of the various members of the audit process. [The Charter is reproduced at the front of this manual.]

Audit Strategy & Systems Based Audits

The structure of this Volume will broadly follow the major parts of a Systems Based Audit (SBA) in order of conduct. The applicability of each part to the other types of audits to be conducted by DRT will be briefly discussed in each function. The major parts are:

  • Planning
  • Interviewing & Documenting the System
  • Evaluating the System of Internal Controls
  • Review and Quality Assurance
  • Reporting
  • Follow-up

In addition to the actual conduct of the audit, it is necessary to accurately present the results of the audit review. Following the descriptions of the audit phases is a section on documentation and the preparation of working papers.

The Very Large Audit in Four Phases