Planning, planning, planning! Never forget how important planning is in making sure that an audit runs smoothly. This includes what is being audited; notifying the auditee (person being audited); collecting and analysing the data being audited; identifying key risks and scoping the audit. There are audits that must be performed so, when planning for the year, these audits are factored in. Then every year, when planning assignments, input is received from management, as to the risk areas in the business, and audits based on high-risk areas are planned for that year. The scope of the audit normally covers the previous six to twelve months and must include current transactions indicate what is happening now. Audits by their nature are past orientated but must also be present and future focused.
It is vital to inform management or the auditee of the upcoming audit and to request reports and samples before commencing the audit. Also, to ensure that the relevant personnel are available to be interviewed. Data analytics and CAATS (Computer Aided Audit Techniques) should be performed prior to fieldwork to highlight exceptions and errors in transactions. It is not the primary purpose of Internal Audit to root out fraud but this must always be on the radar. If a risk is identified during the audit (particular a fraud risk) then the scope can be amended to concentrate on this area. There has to be some flexibility in planning and conducting the audit to allow for “drill down” into these areas.
When planning – a task plan needs to be set with all tests to be performed, the person responsible, budgeted hours and the target completion for each task. Tasks and tests can be allocated points to monitor the productivity of the auditors on a daily and weekly basis. It is important to set targets to give something to work towards. Every auditor from intern, clerk and junior upwards is an “executive” and has to act in this capacity and think in a strategic way. It is important that the entire team is involved in planning. This “grows” juniors and gives them the big picture. All juniors and clerks are executive material and should be treated this way. They should take responsibility for their work and be able to THINK. It is vital that an auditor is able to think and not just “tick and bash”. You have to know the “why” of the controls tested, “what” the risks being mitigated are, “how” the processes work and “who” is responsible.
When going into the area to be audited it is important to understand the business landscape. Sometimes there are past audit files but, no matter, it is vital to flow-chart the current processes and activities in the area. This we call a process narrative whereby all process and activities, as well as the controls surrounding them are documented. In conjunction with the process narrative, a risk assessment is performed. At this stage it is easy to pick up gaps in controls, where a risk has been identified but there is no control associated with this risk. These should be immediately brought to management attention.
Once all risks and the business landscape have been documented, the programme of tests to be performed is prepared. This should be focused on risk areas, as well as covering all compliance issues. Where time is a factor and some areas are not covered (or these were previously covered and are not high risk) then a limitation of scope is communicated to management. Up until this stage we have been planning the audit. The planning should not be confused or meshed in with the fieldwork itself. The failure to differentiate between planning and fieldwork is one of the key reasons why audits fail, over-runs occur and confusions result. Planning is a distinct cycle of action, separate from fieldwork. The audit must be structured is such a way that the entire audit team and the auditee is aware of this distinction.
Now fieldwork can start. The audit team is delegated specific tests to perform and the fieldwork commences. The work should be performed in sequence as per the audit programme. This prevents stops and blockages in performing the audit. Unfortunately, in reality there is often kick-back from the employees being audited. These must be cleared up without delay. This is why planning is so important to ensure that all documents, reports, information and employees are available during the audit. If the auditee still does not cooperate then the auditor must immediately go to their superior to resolve this. Most delays come from waiting for the client or auditee and these delays must be nipped in the bud (immediately stopped from growing longer). If these delays are not stopped the auditor will start several cycles or tests without completing them. This creates a mass of incomplete cycles and makes the work go much slower.
The supervisor and manager need to monitor and review work on a daily basis and auditors must be given targets and deadlines in which to complete tests. The target includes deadline dates and hours taken on each task.
PLAN, TARGET, DELEGATE, DO, MONITOR AND REVIEW.
So, we come to the end of the first instalment on the anatomy of an audit. We will continue with wrapping up the audit, handling queries, reporting and finalisation in the next article.