Tuesday, February 1, 2011

Auditing Tips - Writing an Effective Risk-Based Internal Audit Program

If you're like most auditors out there, creating an audit work program from scratch is a daunting task, even under the best of circumstances. Striking the balance between summary and detail while at the same time trying to satisfy the idiosyncratic likes and dislikes of your boss can be truly challenging, to say the least. Rest assured, however: you're not alone. Creating an effective audit work program takes years of practice and experience. Fortunately, there are many auditors out there who have traveled down this path before and can lend you the benefit of their expertise, saving you valuable time and needless frustration. Having said this, there is one thing that most senior auditor-types will agree on: having an effective framework and some sound advice at your fingertips can go a long way towards consistently generating high-quality risk-based internal audit work programs.
Let's start with a general discussion about the purpose and objective of an audit work program in order to clarify the goals that you are hoping to achieve. An internal audit work program is used to guide you or your staff through the audit process and ensure thorough and complete coverage and documentation of the audit itself. In general, it should illustrate the overall work performed, the work paper references for any applicable support papers, the person who performed the work, the person who approved the work, and any applicable summarization notes needed to clarify points and/or results along the way. As a general guide, the individual steps or actions of your audit will be laid out down the left-hand column of your program, and the work paper references, auditor initials/approvals, and any summary notes will be represented by subsequent columns, creating a matrix or table-like effect for your program. For this reason, many work programs are created as tables or spreadsheets in tools like Microsoft Word or Excel.
Next, let's address the general framework and methodology of the generic audit program. Your audit work program should broadly follow the flow and methodology of a typical risk-based internal audit engagement. In terms of methodology, most internal audits generally follow an iterative series of steps that approximate the following:
1. Understand and document the processes and procedures of the function or area being audited.
2. Define the objectives of the area or function being audited.
3. Define the risks or threats to the achievement of those objectives.
4. Understand the controls in place to mitigate the risks to an acceptable level or the control weaknesses that exist in support of the risk.
5. Test the controls for adequate design and operating effectiveness and/or quantify the impact of control weaknesses or gaps.
6. Report your findings and offer recommendations for control and/or operating efficiency improvements.
7. Monitor and report managerial mitigation efforts for control weaknesses identified that were outside of management's risk tolerance level.
These processes or steps generally fall into one of four buckets or stages typically associated with the internal auditing process: Planning, Fieldwork, Reporting, and Follow-Up. Aligning the activities within your audit program with these categories and steps will help to ensure thorough and diligent completion of the entire audit cycle.
Remember, too, that the audit work program is only a guide and is not intended to be a static document. The activities and tests that you perform throughout the audit cycle are bound to deviate from the original plan based on the results of your audit work. Don't be afraid to stray off the path as long as you evaluate your activities in light of your overall objectives, maintain perspective on your resource limitations, and communicate the nature of your activities to your supervisor or manager.
