Creating and executing a dynamic audit program
Nov 08, 2014

Dynamic vs. Static
Dynamic: Pattern of change or growth of an object, or force or intensity of a phenomenon.
Static: Fixed or stationary condition; showing little or no change.

Dynamism in Internal Auditing
As the evolution of the internal audit function accelerates, the portfolio of skills and attributes that determine professional success transforms. Technical skills remain absolutely necessary, but they are no longer sufficient on their own. The most effective “Internal Auditor of the Future” possesses a broad range of non-technical attributes in addition to deep technical expertise.

Internal Auditor's Attributes
• Diversity
• Integrity
• Relationship Building
• Team Work
• Communication
• Partnering

Types of audit programs
1. Static audit programs: A pre-prepared listing of objectives and tests which may be used in any audit. It provides a consistent approach to all audits. It increases the risk that processes are omitted.
2. Dynamic audit programs: Some audit programs need to be tailored to the specific circumstances of an engagement, as all clients are different. The audit procedures to be followed are designed to match exactly the actual system of the entity. Reference can be made to SOPs and policy and procedure documents.

Audit program
• Work plan: when the work is to be done and how to do it.
• Audit procedures
• Senior staff prepare the audit program for junior staff on the basis of experience.
• Generally accepted points are included in the audit program.
• Junior staff put tick marks against the completed tasks.

Purposes of Audit Programme
• Guiding audit staff in audit work.
• Provide evidence of proper planning and recording of audit work to be done.
• Provide the basis for coordinating and supervising audit work and controlling time spent.
• It standardizes the data collection and evaluation process.
Dynamic Audit Program (process diagram)
Stages: Audit Objective, Preliminary Survey, Planning, Process Mapping, Walkthrough, Transaction Testing, Pre Exit Meeting, Issue Draft Report, Exit Meeting, Final Report. Diagram label: Field work.

Audit Objective
• Identify management goals
• Assessing risks
• Recommendations
• Compliance of policies
• Evaluating controls

Preliminary Survey (Kick-off meeting)
• The area’s mission, major functions, goals, and objectives.
• Auditee’s requests or suggestions for items to be included in the audit.
• Fixing of scope
• Understanding of audit area
• Collect information such as: organizational chart of the area, policies and procedures manuals, applicable laws and regulations, etc.

Planning
• Understand the job descriptions for the operations area
• Identify key functions
• Review prior audit reports
• Prepare audit program
• Preparation of budget
• Identify the need for specialized skills and allocation of staff

Process Mapping
• Select the process
• Scope the process
• Establish the process boundary
• Gather information
• Develop data gathering plan
• Map the process
• Validate the understanding

Walkthrough
• Confirm the understanding of the process flow.
• Evaluate the effectiveness of the design of controls.
• Confirm the understanding of the design of controls.
• Check whether controls have been placed in operation.
• Understand the key areas in the process where a material misstatement could occur.

Risk Assessment Model (diagram, © VK Panicker)
Quadrants: Known Risk, Hidden Risk, Discovered Risk, Unknown Risk.
Axes: Known by company / Unknown by company; Known by internal auditor / Unknown by internal auditor.
Labels: Shared by management, Audit feedback, Shared discovery by CSA, Others’ observation, Self-discovery.

Ascertaining & Recording the System
The main reasons for describing the system are:
• To confirm the auditor’s understanding of the process / system objectives.
• To establish any interfaces between systems.
• To establish how the system fits within the organisation.
• To provide a basis for assessing the extent to which internal controls prevent or detect and correct errors.

Diagram: System Objective, Controls, Risk Identification, Control vs. Risk, Compliance test, Report.

Process Mapping Skill: Conducting Interviews with Process Owner
• In every engagement, someone on the team will conduct an interview. There is always someone who has information that the team needs: an executive, supervisor or process owner.
• You can learn a lot from reading process documents, SOPs and previous audit reports, but to get the nitty-gritty on a process, you have to ask questions of and get answers from the people on the front line.
• When you go into an interview, be prepared. You may have only 30 minutes with a person.
• Objective of interview: access to the information, experience and knowledge.
• Write an interview guide. You must think on the following levels when constructing your guide:
– What are the questions to which you need answers? Write them all down in any order.
– What do you really need from this interview?
– What are you trying to achieve?
– Why are you talking to this person?
• Defining your purpose will help you put your questions in the right order and phrase them correctly.
• It helps to know as much as possible about the interviewee in advance.
• As a rule, an interview should start with general questions and move on to specific ones.
• Don’t dive right into a sensitive area like “What are your responsibilities?”
• Start with impersonal questions about, say, the industry overall. This will help the interviewee warm up and allow you to develop rapport.
• When deciding on which questions to ask, you might want to include some to which you know the answer. This will give you some insight into the interviewee’s honesty or knowledge.
– For complex issues, you may think you know the answer, but there may be more; find out as much as possible.
• Once you’ve written your guide, look at it and ask yourself:
– What are the three things I most want to know by the end of the interview? These are the things you will focus on when you go into the interviewee’s office.
• To conclude the interview, always ask the interviewee if there’s anything else he’d like to tell you or any question you forgot to ask.
• “Always let the interviewee know you are listening”.
• Fill the gaps in the interviewee’s conversation with verbal placeholders such as “yes” or “I see” or “uh-huh”.
• Always remember that the other person has a separate agenda, and needs to be kept on track.
• The main things to remember when trying to get information from others:
– Make them feel that you’re listening.
– You’re interested in what they say.
– Use positive body language.
– Always take notes.
• Final trick: If you want people to say more than they have, if you think they have left out something important but you’re not sure what it is, say nothing. Let the silence hang. Chances are they will start talking, just to fill the gap.
• Points to remember during the interview process:
– Respect the interviewee’s anxiety.
– Remember that you’re there to understand the process and not for interrogation.
– Avoid asking personal questions like “So what is it that you do, exactly?”
– Demonstrate to the interviewees how the audit will benefit them and make their job more efficient.
– No need to flash your authority like a police badge.
– If the auditee is hostile and not cooperating after repeated attempts, it’s time to “pull rank”.
– After the interview, always thank the person for his time, effort and cooperation.

Transaction Testing
• Test of Controls: test transactions for the control testing approach.
• Test of Detail: test transactions for the in-depth approach other than the analytical approach.
• Analytical procedure: scanning directed at a class of transactions.
Pre-Exit Meeting
Before reaching the pre-exit stage, all the observations should be validated with the process owner.
• Validate the observations with the management.
• Understand the perspective of the management.