THE SYSTEMS APPROACH TO INTERNAL AUDIT - PART ONE
Andy Wynne -
Systems auditing should be the main approach that is adopted by internal auditors. This series of four articles aims to outline the key aspects of this approach to internal audit and to provide someinsights into undertaking internal audit more effectively.The higher profile of risk management in recent years has led some internal auditors to consider developing a risk-based approach to internal audit. However, risks do not exist in isolation. Theyare the results of the objectives of the organisation or system not being achieved. Risks should beconsidered as an integral part of the systems approach to internal audit. This should allow theadequacy and reliability of the existing controls to be considered within the context of the overallsystem that is being audited.Systems auditing was originally developed as a more efficient approach to external audit.However, this systems-based approach had to be further developed and refined before it couldform an effective internal audit methodology. The objective of external audit is to form an opinionon the organisation's financial statements. Internal audit has the, very different, objective of working with managers to improve and optimise their internal control, risk management andcorporate governance processes. These differing objectives mean that internal auditors cannot just adopt the approach used by external audit. Internal auditors have there fore developed their own approach to systems auditing that differs in many respects to the one that may be adopted byexternal auditors.
Internal Audit - A Step By Step or an Iterative Approach
Systems auditing is often described in a step by step fashion. However, this description should notbe taken literally, each step should not be considered as a discrete stage to be fully completed beforethe next stage of the audit is commenced. Systems auditing should, in contrast, be considered as anintegrated whole. The knowledge base of the auditor will gradually expand through an iterativeapproach to the audit. At each stage in the audit the auditor should reconsider their approach, reviewtheir understanding of the system and if necessary report significant findings to relevant managers.Systems auditing is frequently broken down into the following aspects:
identify the system and its controls
documenting existing controls
testing key controls
develop conclusions and recommendations
reporting At the assignment planning stage any previous internal audit work and knowledge of the systemshould be considered and used to ensure that all key areas are included within the scope of the audit. Although an audit brief may be agreed with the system managers, auditors should not beembarrassed to go back and amend this in the light of new knowledge and understanding gainedlater during the assignment.
Page 1 of