It is very common today that audit professionals have doubts about the application of the risk-based audit methodology.
The other day at CONBRAI 2018, I heard a prominent speaker cast doubt on the real need to have a plan and/or audit planning.
That is why I was motivated to write this article, where I present my view of the methodology that should be applied in audit work, in line with the IIA audit definition.
The definition given by the IIA for Internal Audit indicates that:
"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."
This systematic and disciplined approach is what we call the audit methodology. To facilitate understanding, I will divide this methodology into two phases: the first is the preparation of the Annual Audit Plan and the second is the execution of the audit. Both should always be applied with a risk-based view.
It is important to mention that risk-based auditing is not a new approach; it has always existed. I remember that when I was an audit trainee at a big 10 audit company, in 1980, in Brazil, this approach was already used, so it is neither new nor a different audit approach.
Anyway, the first phase is when we build an audit plan for a predetermined period, normally, but not necessarily, 12 months, based on a corporate risk view, considering the business cycles, operational processes, programs, projects or transactions that will be assessed for compliance or performance. The concept here is simple: since audit activity is limited by the available hours and budget, to demonstrate effectiveness in managing audit resources, those resources should be applied to the objects that bring higher risk to the company, that is, the risk of not achieving its strategic objectives.
Once the plan is defined, we move to the second phase. This phase may be divided into three distinct stages:
- Work planning,
- Execution and collection of evidence,
- Communication of results.
These stages apply to all kinds of audit jobs: compliance, accounting or performance, also known as operational.
The planning of the audit can be subdivided into three moments:
- Moment 1 - Elaboration of the planning memorandum, where we define the objectives and scope of the audit, determine the team and, if applicable, the need for specialists, budget the costs of the work, and prepare an audit time schedule. At this moment we search for and collect all the information about the audit object that is available in the corporate environment, such as policies and procedures, the risk matrix, the organization chart, IT system applications, etc.
- Moment 2 - Gaining a more detailed understanding of the object under evaluation. This may be done through interviews with those who execute the transactions. The idea is to have a complete picture of the process under review, transaction by transaction. The understanding may be formalized as a narrative or graphically, using a flowchart. In this step, the risk matrix (inherent, IT, fraud) and the control matrix (identifying all existing controls) are prepared.
- Moment 3 - Preparation of the audit program, where, based on the risk and control matrices, we define the audit procedures and techniques that will be applied to obtain evidence of the effectiveness of the controls or the conformity of the audited process.
At this point in the work, we will have the following working papers: audit memorandum, flowchart or narrative of the evaluated object, risk matrix, control matrix and audit program.
The next stage is the audit execution, also known as fieldwork. In this stage we apply the audit procedures and techniques defined in the audit program to collect and formalize the necessary evidence, which will be the basis for achieving the pre-defined audit objectives. At this point, all audit findings should be listed in the findings matrix. This matrix is the support for the preparation of audit recommendations.
Once the execution is completed, we proceed to the stage of reporting the results. This is the moment when the audit report is prepared. The suggestion is to divide the report into three documents: audit opinion, executive summary and audit recommendations (with an action plan aligned with the manager).
After submission of the final report, the implementation of the action plan should be monitored to verify that it has been implemented as agreed with the audit.
All audit documentation produced in those various stages is considered workpapers; all of it must be appropriately reviewed by an experienced auditor, referenced, and organized in folders, whether in electronic or physical format.
Of course, the planning stage of the audit work is the most important, since the better the work is planned, the more efficient the execution will be, and the better the quality of the auditor's opinion and, consequently, the results of the audit, thus fulfilling its mission of adding value to the company.
Finally, I would remind you that an audit work will only be finalized when all actions regarding the recommendations are properly implemented.
Be happy!