P3 Micro Audit Planning 5

preparing for audit

?
  • Created by: mumuna
  • Created on: 23-05-13 19:45

micro audit - purpose

definition - process of preparing an individual audit purpose - each assignment require effecive planing to focus on area and best use resource the assignment plan is develope from the strategic and annual audit plan.  It covers: scope - extent of the audit and its limitations also boundaries help to pinpoint conrol area and risk to be examined and tested objective  location audit team  start and finish date considerations reporting procedure for collating, analysing, testing Audit approach - risk based linked to key risk in org meeting it objectives?  

1 of 21

IPPF performance std

2200 Engagement Planning Internal auditors must develop and document a plan for each engagement, including the engagement's objectives, scope, timing and resource allocations. 2201 Planning Considerations In planning the engagement, internal auditors must consider: The objectives of the activity being reviewed and the means by which the activity controls its performance; The significant risks to the activity, its objectives, resources and operations and the means by which the potential impact of risk is kept to an acceptable level; The adequacy and effectiveness of the activity's governance, risk management and control processes compared to a relevant framework or model; and The opportunities for making significant improvements to the activity's governance, risk management and control processes.  

2 of 21

IPPF performance std Pt 2

2210 Engagement Objectives   Objectives must be established for each engagement.    2210.A1 Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.    2210.A2 Internal auditors must consider the probability of significant errors, fraud, non-compliance and other exposures when developing the engagement objectives. 

3 of 21

IPPF performance std pt 3

2220 Engagement Scope The established scope must be sufficient to achieve the objectives of the engagement.  2230 Engagement Resource Allocation Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints and available resources. 2240 Engagement Work Programme   Internal auditors must develop and document work programmes that achieve the engagement objectives. 

4 of 21

how and with who audit brief/assignment is agreed

Typically audit manager develops audit plan, collate doing complex and high profile audit and senior team meember do medium or smaller audit Final work plan is agreed by HIA or sub-delegated to AM the engagement work plan details risk area, controls,reason for work cross ref to working papers Testing papers detail work performed Summary of audit engagement  is in term of reference which tell client what audit is about. With participative client focussed approach - TOR is agreed with client. to give clarificiation and gain a shared understandig to add more value, clarify expectation and share commonalities

5 of 21

Source of material

Risks id from: Risk registers - see effectiveness of risk mitigation/response, contact for owner and timeliness of managing documented risk in light of risk policy written report, minutes, policies, manual - previous audit report indicate high and low previous considered, confirms previous improvements, supporing information, cover matters outside scope result of survey and focus groups analytical review interview meeting why -  understand purpose and link to response/risk  IA approach and context area being reviewed wider org context risk maturity critical to approach - to determin reliance on org's rm process or IA own assessment background research for discussino with SM actual risk maturity is expected lower report HIA can update AC on periodic plan

6 of 21

statistical data and analytical review

Analytical: Trend analysis  Ratio analysis Is variance acceptable Trends consiten  use of interogation software Provide range of figure, local for examination - to measue deviation, trends Output reassurance of reduced risk, benchmarking to march diff org to similar activities Gives specific information Trend consistend reduces margins - since year 2 incidence of accidenced reduced x - give illustrations - graphs

7 of 21

How risk arise can be assessed

Preparation provided outlien of plan of intended work Thus where risk ranked in terms of likelihood and ipact if occur (its 2 key measure) on axis. then assess: if scoring technique is applied - high medium, low or number sacel on axis frm 1-9, 1 negligble risk and 9 disastorous TO NOTE : common methods should follow RM framework as make possible to puick up significant risk to achieve obj to review validate agreement with mgmt

8 of 21

how risk assessment set boundaries or scope of au

Definition scope - extent of audit and its limitation Purpose - scope determine aread audit will cover or note 2220 Engagement Scope The established scope must be sufficient to achieve the objectives of the engagement.  Key  focus on area where greatest loss occure limit work to provide most gain e.g. revised framework not implemented thus audit will focus on governance arranged in place to agree decision in interim various influence on boundaries - area my have several procedural system e.g. purchasing has selection,order, receipt, invoice and payment consider: consider system end to end - what are significant risks each element can form audit on it own - exclude some from scope otherwise if too wide then time consuming and resource intensie - once auditor review obj AGREE CHANGES WITH HIA  

9 of 21

Assurance engagement process - 7 steps

Preliminary research Ascertaining Documenting Confirming  Evaluating Testing  Assessing Reporting  Follow up

10 of 21

Scope - agreement process + addressing concerns Q1

Agreement process Meet mgmt team communicate audit authority (charter), IA audit objectives - gov, rm and control assurance promote engagement as part of assurance framework with added value for all set obj based on scope + recognise limitations consider know governance, risk and conrol issues review other assuranace activities   Addressing concerns promotin of Ia as professing thru comm of Charter and staff resources review IA planng porcess to meet IPPF requirements for strategic, annual and engagement Need for formal service agreement  with T&Cs of IA in Charter, time, cost, quality comply IPPF est audit universe linked to RR ensure governance, risk and control understood and address in mgmt team agreed resources, frequency and time of visits Comm results and follow up process file recodig and storing supporting dpa/ introduce client feedback forms end of engagement

11 of 21

Audit obj and mitigation to manage risk

Obj are goal, justification and purpose - confirms what is to be achieve 2220 Engagement Scope - The established scope must be sufficient to achieve the objectives of the engagement.  2220.A1 - The scope of the engagement must include consideration of relevant systems, records, personnel and physical properties, including those under the control of third parties.  2220.A2 - If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards.  OBJECTIVE SHOULD BE SMART:The SMART acronym is a useful way of getting objectives right: Specific - state a desired outcome what needs to be achieved? Measurable - how will the manager and employee know when an objective has been achieved? Achievable - is the employee capable of achieving the target, but at the same time is it challenging? Relevant - to the team/department/business? Timebound - when does the objective need to be achieved?  

12 of 21

outcome of SMART obj

Requires evidence + reassurance control + risk noted exist function as inteded  fit for job - is control maintained achievable within time frame

13 of 21

Risk mitigation - strategies

Defined - MANAGEMENT OF RISK BY APPLYING RISK REDUCTION (TREATMENT) STRATEGIES TERMINATE - avoide - end costly project TOLERATE - acceptance - low level theft as reduciton cost are too excessive TRANSFER - Insurance - 3rd parter take/share risk TREATMENT - reduce with a control - action taken within risk appetite of org

14 of 21

Example of risk and responses

Potential risks and responses 1. A lack of appreciation among staff of how performance appraisals will help the organisation achieve its objectives and help them personally in the work they do and their development. Potential impact - Strategic plans and priorities may not be achieved having a significant impact upon the organisation's reputation and financial performance. Possible response - Corporate and departmental objectives are clearly communicated throughout the organisation. Design a framework with written guidelines that requires standard documentation to be completed to ensure the relevant areas are covered. Training is provided to be both staff and managers on the performance appraisal process - objective setting, monitoring, etc.  

15 of 21

Example of risk and responses Pt 2

2. Sections, departments or subsidiaries may fail to complete staff appraisals or miss deadlines. Potential impact Denying some people access to the training and development they need having an adverse impact upon performance in specific departments, sections and teams. Potential response Timetable to be implemented and responsibility allocated for monitoring to ensure that performance appraisals are completed on time. HR Department enforces strict schedules/guidelines and checks upon progress.

16 of 21

Link scope, obj, mitigation, test strategy in plan

2310 Identifying Information Internal auditors must identify sufficient, reliable, relevant and useful information to achieve the engagement's objectives. Evaluation shoudl justify IAs focus on thorough and effective testing .  This considers and exams what mgmt planc to do to mitigate their risks TESTING IS TIME CONSUMING - if assurance from reliable 3rd party found no further testing is gained Decisions regarding testing related to the level of risk and materiality/criticality of area reviewed

17 of 21

How audit resource are determined as result of pla

2230 Engagement Resource Allocation Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints and available resources.  

18 of 21

How audit resource are determined as result of pla

2230 Engagement Resource Allocation Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives. Based on an evaluation of the nature and complexity of each engagement, time constraints and available resources. Key are people  periodic plan has est start and finish date HIA must factor availability of poepl, naure, complexity and time to decide who to allocate to in required time.     DETERMINING SPECIALIST AREAS WITHIN PLANNED AUDIT WORK SKILLS AND STAFF LEVELS REQ - LEAVE/DELAYS/HOURS AVAILABLE IN PLAN

19 of 21

*6 stages of planning AND LINK WITH STRATEGIC OBJ

Prepare - put in context link to risk, IA approach Objective - to help refine Scope - to further refine Information gathering - to support review, finding and enable final assessment of opinion Resources - time allocated by client and auditee also costs Programme of work Clear link between engagement objecive, the risk, responses and org obj STRATEGIC OBJ > STRATEGIC RISKS> RISK RESPONSES >ENGAGEMENT OBJS  

20 of 21

Terms of Reference - weblink incl

BACKGROUND > OBJECTIVES> SCOPE> RISK BEING REVIEWED>LOGISTICS http://www.docstoc.com/docs/41565147/TERMS-OF-REFERENCE-FOR-EXTERNAL-AUDITOR

21 of 21

Comments

No comments have yet been made

Similar Other resources:

See all Other resources »