Published by Andy Wynne

Published by: Andy Wynne on May 20, 2012
Copyright:Attribution Non-commercial







Andy Wynne -
Systems auditing should be the main approach that is adopted by internal auditors. This series of four articles aims to outline the key aspects of this approach to internal audit and to provide some insights into undertaking internal audit more effectively.

The higher profile of risk management in recent years has led some internal auditors to consider developing a risk-based approach to internal audit. However, risks do not exist in isolation. They are the results of the objectives of the organisation or system not being achieved. Risks should be considered as an integral part of the systems approach to internal audit. This should allow the adequacy and reliability of the existing controls to be considered within the context of the overall system that is being audited.

Systems auditing was originally developed as a more efficient approach to external audit. However, this systems-based approach had to be further developed and refined before it could form an effective internal audit methodology. The objective of external audit is to form an opinion on the organisation's financial statements. Internal audit has the, very different, objective of working with managers to improve and optimise their internal control, risk management and corporate governance processes. These differing objectives mean that internal auditors cannot just adopt the approach used by external audit. Internal auditors have therefore developed their own approach to systems auditing that differs in many respects to the one that may be adopted by external auditors.
Internal Audit - A Step By Step or an Iterative Approach
Systems auditing is often described in a step by step fashion. However, this description should not be taken literally, each step should not be considered as a discrete stage to be fully completed before the next stage of the audit is commenced. Systems auditing should, in contrast, be considered as an integrated whole. The knowledge base of the auditor will gradually expand through an iterative approach to the audit. At each stage in the audit the auditor should reconsider their approach, review their understanding of the system and if necessary report significant findings to relevant managers.

Systems auditing is frequently broken down into the following aspects:
assignment planning
identify the system and its controls
documenting existing controls
control evaluation
testing key controls
develop conclusions and recommendations
reporting

At the assignment planning stage any previous internal audit work and knowledge of the system should be considered and used to ensure that all key areas are included within the scope of the audit. Although an audit brief may be agreed with the system managers, auditors should not be embarrassed to go back and amend this in the light of new knowledge and understanding gained later during the assignment.
Previous system notes should be an important source of knowledge if the system has been reviewed recently. Nothing is more annoying than for managers to have to explain their system from scratch to a new auditor each time it is reviewed. However, gaining a full and clear view and understanding of the system will only occur gradually, it will not be complete until after the audit is completed. Auditors should consider their knowledge and understanding to be like a jigsaw, they should try and finish the edge pieces and the easy parts immediately, they can always come back and complete the more difficult central parts later on.

The extent that auditors can document the system will obviously reflect the knowledge and understanding they have developed. Auditors should record basic details as soon as they have discovered them, but should not try to produce perfect system notes at this stage. Audit testing will provide further details and report writing and discussions with staff will usually enhance the auditor's understanding of the system. It is often a good idea to delay writing the system notes until the end of the assignment. At the very least they should be critically reviewed, and amended as necessary, after the final report has been issued.

Control evaluation is an important stage of each audit and this should be completed before testing is started. This is to ensure that only controls that actually exist, and are likely to reduce significant risks, are tested. However, this evaluation is only a guide to testing, the testing programme may need to be revised as a greater understanding of the detail of the system is gleaned during the testing itself. Tests should be stopped immediately if auditors realise the control is not working. If other key controls are identified then further testing should be performed to confirm the reliability of these controls.

For internal auditors, testing should be designed to determine whether a particular control should provide reasonable assurance that the objectives of the system are achieved. Or, putting it the other way round, whether the control will reduce potential risks to acceptable levels. Controls are not necessarily a good thing in themselves and should only be tested as long as they are considered to be working effectively and likely to have a significant impact on the success of the system. Thus the testing undertaken should reflect the overall nature of the system, the auditor's understanding of it and the interdependencies of the different controls.

Developing conclusions and recommendations is usually one of the last aspects of internal auditing to be described, but it may be one of the first to be undertaken. Prior knowledge of the system, and certainly initial meetings with the system's managers, will lead most experienced auditors to begin to develop their opinions of the control environment and possible improvements. These ideas should be developed and refined at each stage of the audit.

Audit reporting, writing the formal report and holding discussions with managers, provides an important stage in the auditor's understanding of the system, its weaknesses and the practicality or otherwise of potential improvements. Audit reporting should also allow the true importance of each aspect of the control system to be viewed more dispassionately and in the context of the whole system. Writing the report should enable auditors to stand back and see the wood for the trees.

Care should be taken to ensure that this greater understanding of the whole system and the inter-relationship of all its controls is used to refine the conclusions and consider the practicality of possible additional controls. If necessary, queries should be answered and further testing may need to be undertaken at this stage.

Inexperienced auditors may need to approach systems auditing one step at a time. As their experience grows, a more sophisticated approach should develop that recognises the iterative nature of auditing. Greater knowledge and understanding develops gradually throughout each audit assignment. This knowledge should be used to adapt the auditing techniques used, the extent and nature of testing undertaken and the timing of audit reporting.
Assignment Planning
Internal auditors expect their organisations to be efficient and achieve value for money. To ensure that they cannot be accused of being hypocritical they have to make sure that they adequately plan all their audit assignments and so ensure that they can be completed efficiently. Internal auditors need to be careful that they review all significant aspects of the system and that all risks are being adequately managed with suitable controls.

For these reasons, internal auditors should undertake their audits in co-operation with the relevant managers. Thus it is usually considered appropriate for these managers to be sent an outline of the proposed audit work a couple of weeks or so before the audit assignment is due to start. This should give the managers adequate time to reflect on the proposed scope and objectives of the audit and will give them advance notice and allow them to plan their work around the audit.

At the beginning of each internal audit assignment there should be a meeting between the auditors (usually including an audit manager and the auditor who is to actually undertake the review) and the manager(s) who is responsible for the particular system. The objectives of this meeting are for the internal auditors to:
discuss the system's objectives and appreciate the significant risks involved in their achievement;
obtain an overview of the roles, responsibilities and reporting lines of staff and managers within the system;
consider any concerns or particular areas managers would like internal audit to address during the review;
agree in broad terms the scope and objectives of the audit.

Internal auditors should be as flexible as possible about the actual timing of each systems audit assignment. It should rarely be necessary to undertake surprise audits. Most managers are busy people; internal auditors should recognise this and, whenever possible, should try and fit their reviews around the managers' timetables. Therefore, internal audit visits should be planned so that the normal work of the system is disrupted as little as possible.

Clear budgets should be agreed for each audit assignment as part of the, usually annual, planning process. These should be treated as flexible budgets. It should be possible to exceed the allotted time for an audit, but only if this is necessary to ensure comprehensive coverage of all significant aspects of the system. Additional testing may be required or even requested by the system's manager. In addition, extra time may be needed to develop guidance and write up the numerous recommendations that may be necessary when a poorly controlled system is audited.

However, the staff budget for internal audit needs to be adequately controlled. If internal auditors need extra time on one assignment then this time should be recovered on later assignments. Some audits will inevitably take longer than expected, others should be completed quicker than planned. Internal auditors should be flexible about the amount of time they spend on individual audits. However, internal auditors expect managers to deliver their services within budget. Auditors cannot have lower standards for their own service. The audits planned to be delivered each year should be completed in year and within the total number of budgeted days. If this cannot be achieved internal audit should be accountable to the audit committee and provide suitable explanations of the problems encountered and other reasons for the non-achievement of the audit plans.
Audit managers need to ensure that all audit assignments are undertaken by auditors who are appropriately experienced or have the necessary specialist knowledge. Auditors need not (and indeed cannot) be experts in each of the systems that they review. However, they need to have the basic background experience that will allow them to appreciate the significance of the control environment they are reviewing and any short-comings that may exist within it. For some audits, especially those of computer systems and capital contracts, specialist knowledge may be essential. Without it, the auditors will not be able to identify weaknesses within the control system and may be