You can download Auditing A New Process? in your computer by clicking resolution image in Download by size:. Don't forget to rate and comment if you interest with this wallpaper.
TECHNIQUES TO HELP YOU DECIDE WHERE CONTROLS SHOULD BE
“If you can audit, you can audit anything.” Sound familiar? I’ve heard this said and have even said this to participants in my training sessions. And, while this is essentially a true statement, it is most certainly more easily said than done. Based on my own experience and conversations I have had with auditors, perhaps the most challenging situation is to audit a business, entity or process that you know nothing about.
In these situations, you know that you have to complete the audit within a reasonable (if not predetermined) amount of time. You know that the internal clients are subject matter experts and will speak to you in a language filled with acronyms you have never heard before. No pun intended but these are the riskiest types of audits to conduct. Within a relatively short amount of time, you need to form an opinion on the effectiveness of the internal control system. All in all, these conditions create a pretty stressful situation.
FOUR TECHNIQUES TO DECIDE WHERE CONTROLS SHOULD BE
If you have to audit an unfamiliar area, the following are sometime-tested techniques to use to gain a better understanding of how the risks are managed.
- Follow the Money:Understand the business objective and how the process works beforetrying to assess the risks. At a minimum, make sure you understand how the business or process can generate or lose money. I have found that by following the money trail, it is easier to remember to ask about the competitive environment and the overall business plan (assuming that a documented business plan exists). To test your understanding, see if you can draw the high-level level diagram to depict how the process works. This approach makes it easier to detect holes in the process. These holes may be real, or they may indicate that your data collection was not as complete as it should be. If there are major gaps in the flow, schedule more interviews or a walkthrough to obtain more information about how the process works.
- Focus on High Risks:Where are the most significant risks? To identify the high-level risks, invert the business objective. Example: If the business objective is “to process, record and settle trades timely”, reversing the business objective would identify the following high-level risks:
Trades are not processed completely, accurately, and timely.
Trades are not recorded completely, accurately, and timely.
Trades are not settled completely, accurately, and timely.
During your discussions with management, focus on howthese risks can occur and then discuss the types of controls that are in place.
- Match Control Objectives to the Risk Issues:When talking about control activities and monitors, make sure that they address the risk issue (completeness, timeliness, accuracy, legitimacy, asset protection, and/or people management) and that they produce evidence to indicate they are working as intended. Keep in mind that there are several types of controls:
Control environmental elements, which provide no direct assurance that what should be happening is actually occurring. Examples of control environmental elements are policies, procedural manuals, training programs, incentive compensation programs, job descriptions, and other things that create a sound environment but do nothing to directly ensurethat the process operates as intended. Generally, control environmental elements are not tested.
Control activitiesbuilt into the workflow taking effect before the transaction is completed. These may be preventive, detective or corrective.
Monitorswhich occur after the transaction is completed and affect a sample of the transactions.
- Locate the evidence:If management cannot produce evidence that the control activity or monitor is working, i.e., any substantiating documentation, consider whether the control exists. If management considers this unsubstantiated control activity or monitor to be a “key control”, consider how you will test to ensure that the control is functioning as intended.
SEVEN SHORTCUTS TO DECIDING WHERE CONTROLS SHOULD BE
The following shortcuts are helpful once you have an understanding of the business or process objective:
Input Processing: Does the area need to substantiate the amount and nature of incoming work or inputs to the department? If so, there should be some input controls that function to answer the question, “How does management know that they received all input?”
Output Processing: Does the area need to substantiate the amount and nature of outgoing work or outputs? How does the area know that its outputs meet pre-defined standards, e.g., regulating requirements, contractual agreements?
Decision Points: What types of decisions are made in the area? How critical are these decisions relative to achieving the business objectives? How bad would it be if these decisions were wrong? What impact do these decisions have on financial reporting? How does management know that the right decisions were made?
Work in Progress: Does the area need to locate a transaction at any point during the time it is in the area? How does the area know that all transactions are complete? How does management know how many items are in process at any given time?
Exception Processing: If non-standard or unique transactions are processed in the area, how does management know that they are processed correctly? Who decides when a transaction should be processed in a manner that does not conform to the standard? How does management know that the number of exceptions is not excessive? How does management know that exception items are profitable?
Accuracy and Timeliness of Information, Data and Communications: How does the area know that the right people (including the area’s management) have and use accurate and timely data, particularly if the work is performed in geographically dispersed areas? What impact does information generated by the area have on the financial statement?
Mandatory Regulatory Requirements: What requirements exist? What controls are in place to assure management that these requirements are met?
While these techniques are not exhaustive, they do make it easier to focus in on the areas that warrant controls, and should make it easier for you to audit new or unfamiliar areas. Let me know how you fare as you experiment with using these techniques or if you have a “short cut” that works well for you.