Simplifying the application of the risk-based audit methodology.

It is very common today that audit professionals have doubts about the application of the risk-based audit methodology. 

Another day in the CONBRAI 2018, I heard a prominent speaker put in doubt the real need to have a plan and / or audit planning.

That is why I was motivated to write this article where I present my vision about the methodology that should be applied in an audit work, in line with the IIA audit definition.

The definition given by the IIA for Internal Audit indicates that:

"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."

This systematic and disciplined approach we call the audit methodology. In order to facilitate understanding, I will divide this methodology into two phases: the first as the preparation of the Annual Audit Plan and the second is the Execution of the audit. Both should always be applied in a risk-based view.

It is important to mention that risk-based auditing is nothing a new approach, it has always existed. I remember when I was an audit trainee in a big 10 audit company, in 1980, in Brazil, that this approach was already used, so, it is not new or neither a different audit approach.

Anyway, the first phase is when we build an audit plan for a predetermined period, which normally, but not necessarily, for 12 months, based on a corporate risk view, considering business cycles, operational processes, programs, projects or transactions which will be assessed for compliance or performance. The concept here is simple, since the audit has limited its activity by the available hours and budget, in order to demonstrate effectiveness by managing audit resources, those resources should be applied in objects which bring higher risk to the company; risk of not achieving its strategic objectives.

Once the plan is defined, we move to a second phase. This phase may be divided into three distinct stages: 

  • Work planning, 
  • Execution and collection of evidence,
  • communication of results. 
Those steps will be applied for all kind of audit job: compliance, accounting or performance, also known as operational.

The planning the audit could be subdivided into three moments:

  1. Moment 1 - Elaboration of the planning memorandum, where we define the objectives and scope of the audit, determine the team and, if it is the case, the need for specialists, budget the costs of the work, prepare an audit time schedule. In this moment we search and collect all the information about the audit object that is available in the corporate environment, like policies and procedures, risk matrix, organization chart, IT system applications, and etc.
  2. Moment 2 - It is to get more detailed understanding of the object under evaluation. It may be done through interviews with who executes the transactions. The idea is to have a complete picture of the process under review, transaction by transaction. The formalization of the understanding may be by narrative or by the graphical form using flowchart. In this step, the risk matrix (inherent, IT, fraud) and the control matrix (identifying all existing controls) are prepared.
  3. Moment 3 - It is the preparation of the audit program, where, based on risk and control matrix, are defined the audit procedures and techniques which will be applied to get evidence of the effectiveness of the control or conformity of the audited process.
At this level of the work, we will have the following working papers: audit memorandum, flow chart or narrative of the evaluated object, risk matrix, control matrix and audit program.

The next stage is the audit execution, also known as fieldwork job. In this stage where we apply the audit procedures and techniques defined in the audit program to collect and formalize the necessary evidence which will be base to achieve the pre-defined audit objectives. At this point, all audit findings should be listed in the findings matrix. This matrix is the support for the preparation of audit recommendations.

Once the execution is completed, we proceed to the stage of reporting the results. This is the moment where the audit report will be prepared. The suggestion is to divide the report into three documents: Audit opinion, executive summary and audit recommendations (with action plan aligned with the manager).

After submission of the final report, the implementation of the action plan should be monitored to verify that it has been implemented as agreed with the audit.

All audit documentation in those various stages are considered as a workpaper, all of them must be appropriately reviewed by an experienced auditor and referenced and organized in folders, even in electronic or physical format.

Of course, the planning stage of the audit work is the most important, since the better the work is planned, the more efficient the execution will be, and better will be the quality of the auditor's opinion and consequently the results of the audit, thus fulfilling its mission of adding value to the company.

Finally, I recall that an audit work will only be finalized when all actions regarding the recommendations are properly implemented.

Be happy!

Share this:


0 comentários:

Postar um comentário