RIAM:VLA:FAMILIARISATION, SCOPE & PLANNING

From RiskWiki
Jump to: navigation, search

Contents

(PHASE 1:) AUDIT FAMILIARISATION, SCOPE & PLANNING

INTRODUCTION

There are two principal components of a given SBA's planning data

  1. The Broad Audit Guideline (BAG); and
  2. The Field Audit Plan (FAP).


The BAG is the "permanent" component of the plan. It contains "task specification" type data which will be substantially the same for a particular review from one year to another. The FAP is specific to a particular task and a particular year. It is prepared at the commencement of the audit drawing on the BAG for background "information and specification".


TYPES OF AUDITS

Broadly, DRT internal audits are classified as either National or Local. A National audit involves multiple states with both national and state coordinationation and quality control requirements, while a local audit is specific to a state. This division is primarilly administrative in nature. Together with the administrative class of audit, the BAG will identify the type of audit to be conducted as one or more of:


1. Organisational

Organisational audits focus on the activities of an organisational unit and the controls present over the range of activities of that unit. They tend to be longer in nature than functional audits as the look at multiple functions.


Examples include:

  • Personnel Section Review
  • Contracts Section Review
  • Receiving Section
  • Purchasing Section


These reviews generally require a high level of skill as they consider not only the transaction processing operations, but the all of 8 Sawyer's Means of Achieving Control. This means that the auditor might need to understand issues of management theory, organisation design, transaction systems design, accounting, cost accounting, industrial relations, etc.


2. Functional

These reviews follow a process from beginning to end, possibly crossing organisational lines. This audit focuses on a particular activity, operation, or document. Examples include:

  • Occupational Health & Safety Practices
  • Asset Control
  • Contracting
  • Fraud Evaluation
  • Waste Disposal Practices


3. Cycle

A cycle audit looks at an entire transaction cycle. These are broader than functional audits. The flow chart presented in Session 1 was for one such review. Examples of such cycles include:

  • Sales & Cash Cycle
  • Acquisitions and Payments Cycle
  • Inventory & Warehousing Cycle
  • Financial Capital & Payment Cycle
  • Personnel & Payroll Cycle


4. Management Study

These are specific in-depth studies focussing on management needs for additional data. Examples might include:


  • Queuing Analysis for mail and telephone handling systems in an office
  • Design of change control methodologies for software
  • Business continuity planning and exposure analysis
  • Optimisation of stores organisation to minimise costs


These studies are generally at the request of management and reflect the data collection and analysis role of audit admirably.


5. Performance/Program Results

This review collects information about the costs, outputs, benefits and effectiveness of the program under review. It generally involves both an analysis of existing performance indicators, but an identification and calculation of additional appropriate indicators. The examines the degree to which the program is achieving its critical success factors and hence its contribution to the key result areas of the department. This kind of review is generally undertaken by high level management staff, as it necessarily involves senior management and policy formation issues.


6. Other

In the unlikely event that the audit is not classifiable as one of the above, it will be classed as "other".



THE SCOPE OF WORK

The Scope of Work (Institute of Internal Auditors Audit Standard 300).

The scope of the work includes the examination and evaluation of the adequacy and effectiveness of internal controls and the quality of the performance of assigned tasks and responsibilities. Management provide a general direction as to the scope of work and activities to be audited.


The scope of work has five specific objectives (or classes of assertions) giving the acronym SCARE forming an opinion concerning:

  1. Compliance with the relevant policies, plans, legislation and directions etc;
  2. Accomplishment of established goals and objectives for plans and procedures;
  3. Reliability and integrity of data; and
  4. Economical and efficient use of resources.
  5. Safeguarding assets;


In the larger organisation, IA establishs "Broad Audit Guidelines" (BAG) to manage the audit project on a large scale and allow for successful delegation of the work and component reports to potentially many auditors while preserving the overall direction, coordination and consistency of focus and approach across the organisation.

The BAG outlines the scope of work in terms of the Statement of Audit Objectives and the Statement of Assertions.

In a smaller organisation, where direct management of all audit staff may be asserted by the direcor on internal audit, the BAG is not so critical, and the same purpose may be accomplished by a more constrained scope and planning statement.

In either case, the five specific objectives of the scope of work remain essentially the same, although not all assertion areas must be covered in every audit. In a systems based audit, however, all areas should be covered for the designated function/audit focus. It is generally preferred to restrict the boundary of the function under examination, rather than absent part of the scope of work.

These assertion areas (or objectives) are explained in turn:


1. Safeguarding assets

This refers, firstly, to the protection of assets from theft, fire, improper, unauthorised or illegal activities and exposure from nature (eg. sunshine, rain and wind etc); and secondly to the application of assets. It is commonly formulated as an assertion:

"Assets are appropriately protected and applied."

Remembering that both cash, and intellectual property are an assets, in addition to the more obvious plant, equipment, land, fittings, and stock classes; the true breadth of this assertion class becomes apparent.


2. Compliance with policies, plans and relevant legislation etc

Management is responsible for creating systems which ensure compliance with professional corporate, departmental and Government policies, plans and relevant legislation while the Internal Auditor evaluates whether the systems (procedures) thus created comply with management's objectives and the law, and determines whether operations comply with the systems model.


In smaller entities, where compliance management is not a separate function, Internal Audit directly assesses the compliance of the systems and processes with the characterictics in the previous paragraph.


In a larger entity the role of compliance management may be assigned to a dedicated group, separate from internal audit. In these organisations the internal auditor views the functions of the compliance team as one more control system (like any other process or system) and therefore should review the operations of the compliance unit to:

  1. Determine the reliability, completeness, compliance with legal and other guidleine, and efficiency of the compliance measurements, etc from the perspective of its design (just as you would an accounts payable finance system); and
  2. Determine the reliability and effectiveness of the operation of the system. I.e. The extent to which the compliance reports can be relied upon by management (and internal & external audit). To this end, Internal Audit should treat compliance management systems operated by the compliance management team in the same way they would treat a financial control system operated by the finance team - by testing assertions about the compliance management system of:
    • Accuracy of reporting
    • Completeness of recording and disclosure
    • Authorisation of the compliance component reports
    • etc. (See separate discussions on assertions)

The existance of a compliance function in no way reduces internal audit's responsibilities - it simply distributes one layer of IA's work and changes the sampling model and focus.


3. Accomplishment of established objectives and goals for the operations and programs.

Management is responsible for establishing operating and program objectives and goals while the Internal Auditors should verify whether the department or section is achieving them.


Internal Auditors can assist management in developing and evaluating these objectives and goals by evaluating whether their underlying assumptions are appropriate, accurate, and consistent with the stated objectives, and whether current and relevant information is available and being used.


4. Reliability and integrity of information.

Information systems whether manual or computerised provide data for decision making, control and compliance with external requirements. It is therefore essential that the financial and operating records contain accurate, reliable, timely, complete and useful information. In addition the controls over the record keeping and reporting must be adequate and effective.


5. Economical and efficient use of resources.

Management is also responsible for setting operating standards to measure economical and efficient use of resources. Internal auditors are responsible for determining that:


  • these standards have been established;
  • these standards are understood and are being met;
  • departures from these standards are being identified, investigated and corrected; and
  • the action has taken place to ensure the departures are not repeated.


Audits should identify:

  • under-utilised resources;
  • non-productive work or work practices;
  • uneconomical procedures;
  • inappropriate staffing; and
  • ineffective organisation design.


BROAD AUDIT GUIDELINES (BAG)

Introduction

For large audits, and generic systems audits a BAG will be prepared. For smaller audits, such as local reviews a BAG may be an unnecessary overhead. In these latter cases the Field Audit Plan and the Permanent Audit File fullfills the same purpose.


Where required Broad Audit Guidelines will be prepared and approved for the various reviews and audits as follows:

  • Program Reviews(Whole of Organisation/Group)
    • Produced by: Assigned audit manager.
    • Approved by: Director Internal Audit.
  • National Audit (Whole of National Organisation)
    • Produced by: National Functional Audit Manager (Note: For multi-org groups with separate IA teams, each national organisation may need to prepare an appropriate BAG).
    • Approved by: National Audit Manager for National Audits, Director Internal Audit for Central Office Locality Audits.
  • Locality Audit
    • Produced by: Team leader.
    • Approved by: State Audit Manager for State Audits, Director Internal Audit for Central Office Locality Audits.
  • Outlet Audit
    • Planning with Audit package modified by State/Area Audit Manager.


The proper structure and coordination of BAGs is essential in the very large organisation for coordination of IA reporting to global or national boards/governerance committees. If you get the BAG design and control method right, the global audit will run much more smoothely and report consolidation will be largely straightforward. Getting this right can save you months in report finalisation.


BAG for particular areas will normally comprise the below elements:

1. Assignment Cover Sheet
2. Statement of Management Objectives(Prioritisation of opinion basees)
3. Statement of System Objectives(Boundary of opinion formation)
4. Statement of Audit Objectives(Focus of opinion formation)
5. Statement of Audit Assertions(Logical Basis for opinion formation)
6. Desirable Control Model(Condition for opinion formation)
7. Standard Audit Budget(Cost of opinion formation)
8. Skills Matrix(Technical requirements)

1. Assignment Cover Sheet

The cover sheet provides an indication as to the continuing relevance of the BAG; when it was prepared could determine how relevant it is. A proforma Assignment cover sheet is presented on the next page. It contains the following fields:

  • Title
  • Table of contents
  • Date of preparation
  • Name and location of preparer/reviewer
  • Name and signature of officer approving the BAG
  • Type of Audit
  • Audit Budget



2. Statement of Management Objectives

(Prioritisation of opinion basees)


Ideally there should be a set of management-designated objectives for each system subject to audit from which internal audit may develop evaluation criteria for the system.


Example: In an accounts payable system management objectives might include minimising creditor complaints and credit related interruptions to supply.


3. Statement of System Objectives

(Boundary of opinion formation)


System objectives form the basis for the control model. They may be broken down to include objectives for the major sub-systems. These objectives will need to be cleared by the auditee.


Example: In an accounts payable system, system objectives may include payment of the supplier once for a given debt at the limit of the credit discount period.


4. Statement of Audit Objectives

(Focus of opinion formation)


Audit objectives are to cover what is to be achieved by the audit and should directly relate to the objectives of the area under review. These will usually be laid out in the BAG given to the field auditor at the commencement of the audit.

Example: In an accounts payable system review, the audit objectives might include formation of an opinion as to the effeciency, effectiveness, economy and integrity of the payments control system, or that payments are made only once and to the correct supplier.


5. Statement of Audit Assertions

(Logical Basis for opinion formation)


The audit objectives and assertions are closely related. The assertions describe the components of an "acceptance" opinion, and the criteria for qualifying that opinion. Assertions express a truth we wish to sustain during the audit in order to express an "acceptable" (or positive) opinion.


Example: In an accounts payable system, the audit assertions may include the statement that "payments are made for bona fide debts". This assertion addresses both the objectives of single payment and correctness of the recipient.



6. Desirable Control Model

(Condition for opinion formation)

The Desirable Control Model is a model of the systems under examination and includes system control objectives, control features and exposures; mapped to the Statement of Audit Assertions and Statement of Audit Objectives.


7. Standard Audit Budget

(Cost of opinion formation)

The budgeted audit time for the conduct of the audit addressing the complete BAG should be specified, ideally with a breakup over any discrete or severable parts of the audit. The skills required in the various parts of the audit assignment should be defined.


8. Skills Matrix

(Technical requirements for opinion formation)


The skills requirements for the conduct of the audit addressing the complete BAG should be specified, ideally with a breakup over any discrete or severable parts of the audit.



THE FIELD AUDIT PLAN (FAP)

Introduction

What is the Purpose and Functions of the Audit Program/Field Audit Plan?


The audit programs, which are prepared based upon the results of the preliminary survey are listings of the audit procedures to be carried out during the field work. Audit programs should be designed to:

  • outline what is to be done;
  • outline why it is being done;
  • outline when and where it is to be done;
  • specify how it is to be done and who is to do it;
  • provide a record as to what has been done; and
  • facilitate supervision and control over the audit.


The audit program will depend on the scope of the audit to be performed. The audit can cover the entire operations of a section or department or it may be targeted at a particular aspect of the operations of the section or department.


Preparation and Deliverable

Contents: A Field Audit Plan should be prepared by the Team Leader once an approved BAG has been received. Planning is the crucial stage in the performance of an audit. The Field Audit Plan sets out in a logical sequence the audit approach to be adopted and will normally comprise the following elements:

1. Determining the scope, boundary and assertions of the audit 2. Determining the budget 3. Obtaining background information 4. Determining the resources necessary to perform the audit 5. Determining the overall timing of the activities 6. Communicating the overall timing of the activities 7. Communicating with all personnel/sections who need to know about the audit 8. Performing a preliminary on sight survey 9. Writing the audit program 10. Determining when and to whom the draft and final reports will be issued 11. Obtaining approval of the audit work plan


  • Time Budget:

The allotted time span for the total review and any local or functionally divisible elements is indicated in the BAG. The FAP uses these time budgets to set the total budget for the specific field audit being planned in the FAP.


  • Responsibility:

For nationally conducted audits the lead State will prepare the field plan and have it approved by the Director Internal Audit.


  • Deliverable:

The deliverable from the field audit planning phase is a document/file addressing or witnessing the performance of the above


Steps in Preparing the Field Audit Plan

Step 1: Determining the scope and boundary of the audit

This stage of the planning is the most critical as it impacts on each of the other components. It is essential that the scope and boundary of the audit be determined and agreed by both the auditor and auditee prior to the commencement of the audit. This will ensure both the auditor and auditee have a consistent understanding of what is to be performed and will help ensure the objective of the audit is met.


The scope is what will be included in the audit while the boundary is the point at which the audit ceases to cover a process (in the case of cycle audits) or a section's interaction with another section (in the case of organisational audits). There, of course, could be a number of boundaries for a particular audit.


Having established the scope; discussions with management, and the BAG's Statement of Assertions will allow a proposed list of assertions defining an agreed standard of "acceptance" of the system being reviewed. Management and Audit should have a clear mutual understanding of the truths to be tested during the review.


Step 2: Determining the budget

The overall budget will be determined at the time of preparing the strategic audit plan and will be present in the BAG. At the planning stage of the field audit it is necessary to distribute the budget allocation over the following areas:

Phase of Internal AuditStandard % of time
Set up/Familiarisation/Planning
including Entrance Interview
20
Information gathering - Interviews and documentation25
Preparation of the testing program and testing20
Preparation of the report and file completion
including review of the file and the report
25
Exit Interviews and Follow-up10


The components of each phase of the audit will vary from audit to audit as will the percentage of time allocated to each phase.


It should be noted that these elements are arbitrary divisions of a review. In practice the distinction between the elements may be obscured as the reviewer uses his/her experience to efficiently gather information whilst conducting the review.

Step 3: Obtaining Background Information

Background information should be obtained and read about the area to be reviewed prior to and after the Entrance Interview, to gain as thorough an understanding of the area as possible.


Sources of background information are include documents (such as standard forms, manuals, correspondence, etc), the BAG, previous reviews, entry interviews or preliminary surveys.


  • Background information should be collected in the following classes:
    • Organisation Objectives
    • Organisation Operating Policies
    • Organisation Financial Policies
    • Performance Measures
    • Industry/Other Performance Criteria
    • Legislative Requirements
    • Record of Entrance Interviews
    • Matters held over from last audit
    • Matters specifically requested by Audit Committee
    • Matters specifically requested by the Client
    • Engagement Brief
    • Organisation structure of target sections
    • Contacts (with contact record)
    • Important Contracts and Agreements
    • Other background data

Step 4: Determining the resources necessary to perform the audit

This is tied into the preparation of the budget. The resources include the audit team personnel and skills to be utilised on the audit, plus, if required, any consultants, hire of equipment (such as computers), or other such resources.


It is also necessary at this stage to allocate to each audit staff engaged in the audit the hours to be performed during each phase.


Step 5: Determining the overall timing of the activities

A timetable including all of the phases of the Internal Audit review should be determined and agreement obtained with the auditee. Each phase should have commencement and completion dates to assist in the control of the audit as well as judging performance.


Step 6: Communicating with all personnel/sections who need to know about the audit

This is essential to ensure the smooth running of the audit. Communicating with all personnel/sections during the planning phase of the audit enables them to fully prepare themselves ensuring:

  • they have sufficient time to think about any concerns or problems they may have which they want addressed during the course of the audit;
  • the required personnel are available during the course of the review and not away on leave or at training or simply too busy. This also allows them to properly plan their work; and
  • there is sufficient workspace available.


Step 7: Performing a introductory on sight survey (entrance interviews)

This survey assists in gaining an understanding of the auditee operations and allows the auditor(s) to meet the auditee personnel in a relaxed setting. This phase is essential in obtaining an overall familiarity with the auditee and the auditee's operations, identifying areas for audit emphasis and to invite the auditee's comments and suggestions. Entrance interviews are considered in more detail in Section 5.2. --REF REQUIRED--


Step 8: Determining when and to whom the draft and final reports will be issued

This phase should be performed in conjunction with determining the overall timing of the audit activities. The reporting deadline dates should be realistically determined in view of the resources available to perform the audit and any auditee deadlines (eg. financial statements reporting deadlines).


Step 9: Obtaining approval of the audit plan

This is the final stage of the planning phase. The review and approval of the audit plan is essential to ensure particularly the objectives of the audit will be met and that all matters to be covered have been adequately considered.


Step 10: Writing the audit test program

Although this may not be performed at the commencement of the audit, it is essential that the audit (testing) program be prepared and approved prior to the commencement of the testing phase. In most cases the testing program can not be prepared until after the systems analysis has been conducted. This analysis is performed after the planning phase is completed.


In RIAM both the analysis and testing phases are treated as part of the greater Evaluation Of a System of Internal Control. In some national audits the testing strategy might be worked out centrally, while in other audits, the most appropriate testing strategy will be established at the local systems level. In either case the system being tested must be understood before the test strategy can be defined. Consequently, designing of the test program occurs during System Evaluation, after documentation and analysis, but immediately prior to the testing phase itself.


The field plan should include a reserved section for the detailed testing plan to be inserted at the appropriate time. Test plans should be approved by the preparers supervising officer, except where noted differently elsewhere in this manual.

Backlinks