
Understanding the Audit Cycle: A Comprehensive Guide
Explore the audit cycle with a focus on planning, preliminary survey, fieldwork, reporting, and follow-up stages. Learn about engagement planning, resource allocation, audit objectives, and more, presented in an easy-to-follow manner. Dive into the world of internal audits with insightful details and practical tips.
Presentation Transcript
PEM PAL IA COP, Audit in Practice Working Group. Introduction to the audit cycle. Jean-Pierre Garitte, Budapest, 29 March 2017. 1
Agenda. Part 1: Introduction to audit cycle. Part 2: How does audit cycle connect to our IAM template? Part 3: Types of audit. Part 4: ISPPIA 2210 on audit objectives. 2
Audit cycle is a rather generic process. Steps: 1. Planning; 2. Preliminary Survey; 3. Fieldwork; 4. Reporting; 5. Action Plan (includes quality satisfaction); 6. Follow-Up. Phases: Planning, Execution, Reporting. Rule of thumb: 20% for planning and preliminary survey (1, 2); 60% for fieldwork (3); 20% for reporting (4). 4
1. Planning: Scheduling of the engagement; Announcement of the engagement; Opening meeting. 5
Standard 2200 Engagement Planning: Internal auditors must develop and document a plan for each engagement, including the engagement's objectives, scope, timing, and resource allocations. 6
Planning the engagement
1. When to do the audit?
2. Who will do the audit? Resources: time budget. Resources: auditors. Competency and skills (align to subject to be audited).
3. First draft of audit objectives and scope (this will be revised!)
4. Announce the engagement to the auditee: Announcement letter (may include scope, logistics, contacts); Mutual expectations document.
5. Arrange a first meeting to gain an understanding of the area to be audited and its objectives and key risks; discuss broad/general audit objectives and scope; logistics. 7
2. Preliminary Survey: Desk review; Risk (re-)assessment; Engagement planning memorandum; Preparation of audit program; Kick-off meeting with auditee. 8
Standard 2310 Identifying information: Internal auditors must identify sufficient, reliable, relevant and useful information to achieve the engagement's objectives. 9
Preliminary survey: Familiarisation; Desk review; Interviews of main actors; Risk (re-)assessment; Engagement planning and scoping; Audit objective(s); Key risks; Audit scope; Kick-off meeting. 10
Key principles: audit work plan or programme. What? A detailed list of audit steps (tasks) to be performed by the auditor in order to obtain sufficient evidence to be able to reach conclusions in respect of the audit objectives. Audit steps: Why? What? How? Who? When? Where? Items covered: Location of audit; What are the objectives of this audit; Audit procedures, tests and evidence gathering; Sampling or full population; Auditor(s); Timing (interim or at year-end). 11
3. Fieldwork: Detailed review of internal control system; Test of control design; Test of operating effectiveness; Formalising observations; Validation meeting. 12
Standard 2320 Analysis and Evaluation: Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations. 13
Fieldwork: Detailed review of the internal control system. Reviewing the activities, processes, management's objectives, risks, and internal controls. [Diagram labels: Activities; Processes under review; Management's Objectives; Risks; Risk Response; Mitigating Controls. Questions posed in the diagram: What is the internal control system? Are these being achieved? Are these being managed? Are we responding to risk in the right way? Effective?] 14
Key principles: working papers. Attributes: Five attributes of quality working papers' documentation: Complete; Clear; Concise; Neat; Structured. What is the purpose of a working paper? Automated audit workflow systems, e.g. TeamMate. 15
Key principles: working papers. Content of working papers: Purpose/objectives/tests; Scope; Test results/findings; Conclusions/recommendations; Source/references/evidence; Cross references to: Audit programme, Supporting documents, Working papers. [Diagram labels: Risk control matrix; Test; Evidence.] 16
Fieldwork: Audit documentation = audit working papers. Audit working papers are organised in audit files. Can be in paper form, maintained in computerised files or both. Working papers must always be cross-referenced (paper files as well as electronically). Audit documentation is the principal record of: Auditing procedures applied; Evidence obtained and conclusions reached by the auditor in the engagement. Main objective: To aid the auditor in providing reasonable assurance that an adequate audit was conducted in accordance with auditing standards. 17
4. Reporting: Draft audit report; Contradictory process; Final audit report; Assessment of auditee satisfaction. 18
Standard 2400 Communicating Results: Internal auditors must communicate the results of engagements. Standard 2410 Criteria for communicating: Communication must include the engagement's objectives and scope as well as applicable conclusions, recommendations, and action plans. Standard 2420 Quality of Communications: Communication must be accurate, objective, clear, concise, constructive, complete, and timely. 19
Reporting. Standard 2410.A1 Communicating Results: Final communication of engagement results must, where appropriate, contain the internal auditor's overall opinion and/or conclusions. Types of opinion: No opinion (consulting engagements, desk reviews, risk assessments); Disclaimer of opinion (scope limitation); Satisfactory; Qualified (satisfactory except for ...); Unsatisfactory/negative/adverse. 20
The reasoning behind a recommendation
Criteria: What should exist. The standards, measures, or expectations used in making an evaluation and/or verification.
Condition: What does exist. The factual evidence that the auditor found in the course of the examination.
Cause (Root): Why the difference exists. The (real) reason for the difference between the expected and actual conditions.
Consequence (Effect): The impact of the difference. The risk or exposure the organisation and/or others encounter because the condition is not consistent with the criteria.
Recommendation: What, Who and When? Action linked to responsible, date/timing, priority, and severity.
Management Response: Yes, agree / Yes, but alternative / No, disagree.
Action Plan designed by Management.
Follow-Up by Internal Audit. 21
5. Action plan: Drafting the action plan; Establishing responsibilities and deadlines. 22
6. Follow up: Performing follow-up audits. 23
Standard 2500 Monitoring Progress: The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management. 24
Connection audit cycle to IAM template: Engagement planning; Audit objectives and audit scope; Audit program; Audit field work; Reporting on internal audit engagement. 28
Types of audit assurance engagements
Financial auditing looks at the past to determine if financial information was properly recorded and whether financial statements present a fair, accurate and reliable view. They are based on the analysis of the economic activities of an entity as measured by accounting methods.
Compliance audits look at both financial (audits on financial management) and operating controls and transactions to assess if they conform to laws, regulations, standards and procedures.
Performance auditing is an independent and objective assessment of an entity's activities, processes and internal controls systems, with regard to one or more of the three aspects of economy, efficiency and effectiveness (the "3 E's"), aiming to lead to improvements. 30
Types of audit assurance engagements. Other names sometimes used: IT audit; Security audit; Value-for-money audit; Operational audit; System based audit; Comprehensive audit. 31
ISPPIA 2210. Performance Standards: 2000 Managing the Internal Audit Activity; 2100 Nature of Work; 2200 Engagement Planning; 2300 Performing the Engagement; 2400 Communicating Results; 2500 Monitoring Progress; 2600 Communication and acceptance of risks. 33
ISPPIA 2210. 2200 Engagement Planning: 2201 Planning Considerations; 2210 Engagement Objectives; 2220 Engagement Scope; 2230 Engagement Resource Allocation; 2240 Engagement Work Program. 34
2210 Engagement Objectives: Objectives must be established for each engagement.
2210 Engagement Objectives. 2210.A1: Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment. 2210.A2: The internal auditor must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.
2210 Engagement Objectives. 2210.A3: Adequate criteria are needed to evaluate governance, risk management, and controls. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board. Interpretation: Types of criteria may include: Internal (e.g., policies and procedures of the organization); External (e.g., laws and regulations imposed by statutory bodies); Leading practices (e.g., industry and professional guidance).
2210 Engagement Objectives. 2210.C1: Consulting engagement objectives must address governance, risk management, and control processes to the extent agreed upon with the client. 2210.C2: Consulting engagement objectives must be consistent with the organization's values, strategies, and objectives.