micro audit - purpose
Definition - the process of preparing an individual audit. Purpose - each assignment requires effective planning to focus on the right areas and make best use of resources. The assignment plan is developed from the strategic and annual audit plan. It covers: scope - extent of the audit and its limitations (boundaries also help to pinpoint the control areas and risks to be examined and tested); objective; location; audit team; start and finish date; considerations; reporting; procedure for collating, analysing, testing. Audit approach - risk based, linked to key risks in the org meeting its objectives?
IPPF performance std
2200 Engagement Planning - Internal auditors must develop and document a plan for each engagement, including the engagement's objectives, scope, timing and resource allocations. 2201 Planning Considerations - In planning the engagement, internal auditors must consider: the objectives of the activity being reviewed and the means by which the activity controls its performance; the significant risks to the activity, its objectives, resources and operations and the means by which the potential impact of risk is kept to an acceptable level; the adequacy and effectiveness of the activity's governance, risk management and control processes compared to a relevant framework or model; and the opportunities for making significant improvements to the activity's governance, risk management and control processes.
IPPF performance std Pt 2
2210 Engagement Objectives - Objectives must be established for each engagement. 2210.A1 - Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment. 2210.A2 - Internal auditors must consider the probability of significant errors, fraud, non-compliance and other exposures when developing the engagement objectives.
IPPF performance std pt 3
2220 Engagement Scope - The established scope must be sufficient to achieve the objectives of the engagement. 2230 Engagement Resource Allocation - Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints and available resources. 2240 Engagement Work Programme - Internal auditors must develop and document work programmes that achieve the engagement objectives.
how and with whom the audit brief/assignment is agreed
Typically the audit manager develops the audit plan, collates, and does the complex and high-profile audits; senior team members do the medium or smaller audits. The final work plan is agreed by the HIA or sub-delegated to the AM. The engagement work plan details risk areas, controls, reason for work, and cross-references to working papers. Testing papers detail the work performed. A summary of the audit engagement is in the terms of reference, which tell the client what the audit is about. With a participative, client-focused approach the TOR is agreed with the client, to give clarification and gain a shared understanding, to add more value, clarify expectations and share commonalities.
Source of material
Risks identified from: risk registers - see effectiveness of risk mitigation/response, contact for owner and timeliness of managing documented risk in light of risk policy; written reports, minutes, policies, manuals - previous audit reports indicate high and low previously considered, confirm previous improvements, give supporting information, cover matters outside scope; results of surveys and focus groups; analytical review; interviews; meetings. Why - understand purpose and link to response/risk; IA approach and context; area being reviewed; wider org context. Risk maturity is critical to approach - to determine reliance on the org's RM process or IA's own assessment; background research for discussion with SM; where actual risk maturity is lower than expected, report; HIA can update AC on periodic plan.
statistical data and analytical review
Analytical: trend analysis; ratio analysis; is variance acceptable?; trends consistent?; use of interrogation software. Provides a range of figures, local for examination - to measure deviation, trends. Output: reassurance of reduced risk; benchmarking to match different orgs to similar activities. Gives specific information. Trend consistent, reduces margins - since year 2 incidence of accidents reduced x - give illustrations - graphs.
How risks arising can be assessed
Preparation provided an outline of the plan of intended work. Thus risk is ranked in terms of likelihood and impact if it occurs (its 2 key measures) on axes. Then assess: if a scoring technique is applied - high, medium, low, or a number scale on the axis from 1-9, 1 negligible risk and 9 disastrous. TO NOTE: common methods should follow the RM framework, as this makes it possible to pick up significant risks to achieving obj, to review, and to validate agreement with mgmt.
how risk assessment set boundaries or scope of au
Definition: scope - extent of audit and its limitations. Purpose - scope determines the areas the audit will cover or not. 2220 Engagement Scope - The established scope must be sufficient to achieve the objectives of the engagement. Key focus on areas where greatest loss occurs; limit work to provide most gain, e.g. revised framework not implemented, thus audit will focus on governance arrangements in place to agree decisions in the interim. Various influences on boundaries - an area may have several procedural systems, e.g. purchasing has selection, order, receipt, invoice and payment. Consider: the system end to end - what are the significant risks?; each element can form an audit on its own - exclude some from scope, otherwise if too wide then time consuming and resource intensive - once auditor reviews obj, AGREE CHANGES WITH HIA.
Assurance engagement process - 7 steps
Preliminary research; Ascertaining; Documenting; Confirming; Evaluating; Testing; Assessing; Reporting; Follow up
Scope - agreement process + addressing concerns Q1
Agreement process: meet mgmt team; communicate audit authority (Charter), IA audit objectives - gov, RM and control assurance; promote engagement as part of assurance framework with added value for all; set obj based on scope + recognise limitations; consider known governance, risk and control issues; review other assurance activities. Addressing concerns: promotion of IA as a profession through comm of Charter and staff resources; review IA planning process to meet IPPF requirements for strategic, annual and engagement; need for formal service agreement with T&Cs of IA in Charter, time, cost, quality; comply with IPPF; est audit universe linked to RR; ensure governance, risk and control understood and addressed in mgmt team; agreed resources, frequency and time of visits; comm results and follow-up process; file recording and storing supporting DPA; introduce client feedback forms at end of engagement.
Audit obj and mitigation to manage risk
Obj are the goal, justification and purpose - confirm what is to be achieved. 2220 Engagement Scope - The established scope must be sufficient to achieve the objectives of the engagement. 2220.A1 - The scope of the engagement must include consideration of relevant systems, records, personnel and physical properties, including those under the control of third parties. 2220.A2 - If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards. OBJECTIVES SHOULD BE SMART: The SMART acronym is a useful way of getting objectives right: Specific - state a desired outcome; what needs to be achieved? Measurable - how will the manager and employee know when an objective has been achieved? Achievable - is the employee capable of achieving the target, but at the same time is it challenging? Relevant - to the team/department/business? Timebound - when does the objective need to be achieved?
outcome of SMART obj
Requires evidence + reassurance; control + risk noted exist; function as intended; fit for job - is control maintained; achievable within time frame
Risk mitigation - strategies
Defined - MANAGEMENT OF RISK BY APPLYING RISK REDUCTION (TREATMENT) STRATEGIES. TERMINATE - avoid - end costly project. TOLERATE - acceptance - low-level theft, as reduction costs are too excessive. TRANSFER - insurance - 3rd party takes/shares risk. TREATMENT - reduce with a control - action taken within risk appetite of org.
Example of risk and responses
Potential risks and responses: 1. A lack of appreciation among staff of how performance appraisals will help the organisation achieve its objectives and help them personally in the work they do and their development. Potential impact - Strategic plans and priorities may not be achieved, having a significant impact upon the organisation's reputation and financial performance. Possible response - Corporate and departmental objectives are clearly communicated throughout the organisation. Design a framework with written guidelines that requires standard documentation to be completed to ensure the relevant areas are covered. Training is provided to both staff and managers on the performance appraisal process - objective setting, monitoring, etc.
Example of risk and responses Pt 2
2. Sections, departments or subsidiaries may fail to complete staff appraisals or miss deadlines. Potential impact - Denying some people access to the training and development they need, having an adverse impact upon performance in specific departments, sections and teams. Potential response - Timetable to be implemented and responsibility allocated for monitoring to ensure that performance appraisals are completed on time. HR Department enforces strict schedules/guidelines and checks upon progress.
Link scope, obj, mitigation, test strategy in plan
2310 Identifying Information - Internal auditors must identify sufficient, reliable, relevant and useful information to achieve the engagement's objectives. Evaluation should justify IA's focus on thorough and effective testing. This considers and examines what mgmt plans to do to mitigate their risks. TESTING IS TIME CONSUMING - if assurance from a reliable 3rd party is found, nothing further is gained by testing. Decisions regarding testing relate to the level of risk and materiality/criticality of the area reviewed.
How audit resource are determined as result of pla
2230 Engagement Resource Allocation - Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints and available resources.
How audit resource are determined as result of pla
2230 Engagement Resource Allocation - Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives, based on an evaluation of the nature and complexity of each engagement, time constraints and available resources. Key are people; the periodic plan has est start and finish dates; HIA must factor in availability of people, nature, complexity and time to decide who to allocate in the required time. DETERMINING SPECIALIST AREAS WITHIN PLANNED AUDIT WORK; SKILLS AND STAFF LEVELS REQ - LEAVE/DELAYS/HOURS AVAILABLE IN PLAN
*6 stages of planning AND LINK WITH STRATEGIC OBJ
Prepare - put in context, link to risk, IA approach. Objective - to help refine. Scope - to further refine. Information gathering - to support review and findings and enable final assessment of opinion. Resources - time allocated by client and auditee, also costs. Programme of work. Clear link between the engagement objective, the risk, responses and org obj: STRATEGIC OBJ > STRATEGIC RISKS > RISK RESPONSES > ENGAGEMENT OBJS
Terms of Reference - weblink incl
BACKGROUND > OBJECTIVES > SCOPE > RISK BEING REVIEWED > LOGISTICS http://www.docstoc.com/docs/41565147/TERMS-OF-REFERENCE-FOR-EXTERNAL-AUDITOR