AUDITOR’S DILEMMA

Giving a level of confidence that IA has captured and assessed ‘all’ material risks that threaten the company.
Risk Based Audit

RBIA Framework, by stage:
  Stage 1: Defining Scope
  Stage 2: Mapping
  Stage 3: Risk Registration/Identification
  Stage 4: Control Identification
  Stage 5: Control Investigation
  Stage 6: Audit Test
  Stage 7: Audit Report

Elements listed under the stages (in slide order):
  - Risk profiling
  - Risk taxonomies
  - Business unit mapping
  - Risk register
  - Risk evaluation
  - Control owner
  - Volume, Value, Complexity, Cost, SOP, SOD, Past losses, IT
  - Risk definition card: Description, Includes, Excludes, Driver, Impact, Processes, Systems, KPIs
  - Function boundaries
  - Transactions
  - All risks
  - Risk type, Risk levels, Risk sizes
  - Statistical tools
  - Material and potential loss from control weakness
  - Criteria to assess whether the control has been operated effectively or compromised by staff
  - What to sample? How much to sample?
My Risk Based Audit

RBIA Framework stage -> My IA step:
  Stage 1: Defining Scope -> Financial Scoping
  Stage 2: Mapping -> Mapping
  Stage 3: Risk Registration/Identification -> Top 3 Risks
  Stage 4: Control Identification -> Control identification
  Stage 5: Control Investigation -> Checkpoints
  Stage 6: Audit Test -> Testing
  Stage 7: Audit Report -> Audit report

Working steps under "My IA" (in slide order):
  - Trial balance
  - Common size statement
  - Identification of major item groups
  - Identification of major items within group
  - Compliance, FA, Bank

Tools (in slide order):
  - Pareto Rule
  - Audit Tracker, Excel (Pivot, Sort, Index, VLOOKUP), Benford Law, Pareto Rule (80:20)
  - Audit Report
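The "My IA" scoping chain (trial balance -> common size statement -> Pareto 80:20 selection of major item groups -> Benford first-digit screen of the transactions behind a group before sampling), worked through as an added Python example that is not part of the slide deck or its author's toolkit. The trial balance, the two transaction samples and the "just under a 10,000 approval limit" scenario are constructed, the function names are the example's own, and the conformity decision uses Pearson's chi-square against the 5% critical value for 8 degrees of freedom (15.507), one common way to read a Benford test.

```python
"""Added example (not from the slide deck): Financial Scoping -> Mapping ->
Testing, using a common-size statement, the Pareto (80:20) rule and a
Benford first-digit screen. All figures below are constructed."""
from collections import Counter
import math

# Constructed trial balance (absolute closing balances, any currency).
TRIAL_BALANCE = {
    "Revenue": 4_800_000,
    "Cost of sales": 3_100_000,
    "Salaries": 900_000,
    "Rent": 240_000,
    "Travel": 110_000,
    "Office supplies": 32_000,
    "Bank charges": 18_000,
}

# Benford first-digit probabilities: P(d) = log10(1 + 1/d).
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
# Chi-square critical value, 8 degrees of freedom, 5% significance.
CHI2_CRIT_8DF_05 = 15.507


def common_size(balances):
    """Common-size statement: each balance as a share of the total."""
    total = sum(abs(v) for v in balances.values())
    return {k: abs(v) / total for k, v in balances.items()}


def pareto_select(shares, cutoff=0.80):
    """Identify major item groups: largest groups first, until their
    cumulative share reaches the cutoff (the 80:20 rule)."""
    selected, cumulative = [], 0.0
    for name, share in sorted(shares.items(), key=lambda kv: kv[1], reverse=True):
        selected.append(name)
        cumulative += share
        if cumulative >= cutoff:
            break
    return selected


def first_digit(amount):
    """Leading non-zero digit of an amount, or None for zero."""
    text = f"{abs(amount):.2f}".lstrip("0.")
    return int(text[0]) if text else None


def benford_screen(amounts):
    """Compare first-digit counts with Benford's law using Pearson's
    chi-square. 'conforms' is False when the statistic exceeds the 5%
    critical value, which marks the population for closer sampling."""
    counts = Counter(d for d in map(first_digit, amounts) if d is not None)
    n = sum(counts.values())
    if n == 0:
        raise ValueError("no non-zero amounts to screen")
    chi2 = sum((counts.get(d, 0) - n * p) ** 2 / (n * p) for d, p in BENFORD.items())
    return {"n": n, "counts": dict(sorted(counts.items())), "chi2": chi2,
            "conforms": chi2 < CHI2_CRIT_8DF_05,
            "most_common_digit": max(counts, key=counts.get)}


def synth(profile):
    """Constructed transaction list with a prescribed first-digit profile:
    d*1000 + 3*j keeps every amount inside the d-thousands band."""
    return [d * 1000 + 3 * j for d, count in profile.items() for j in range(count)]


# Constructed sample close to Benford (expected counts for n=100 are roughly
# 30, 18, 12, 10, 8, 7, 6, 5, 5).
CLEAN_SAMPLE = synth({1: 30, 2: 18, 3: 12, 4: 10, 5: 8, 6: 7, 7: 6, 8: 5, 9: 4})
# Constructed sample where many amounts sit just under a 10,000 approval
# limit, so the digit 9 is heavily over-represented.
SKEWED_SAMPLE = synth({1: 20, 2: 10, 3: 8, 4: 6, 5: 5, 6: 4, 7: 4, 8: 8, 9: 35})

if __name__ == "__main__":
    shares = common_size(TRIAL_BALANCE)
    major = pareto_select(shares)
    print("Major item groups (80:20):", ", ".join(f"{g} {shares[g]:.1%}" for g in major))
    for label, sample in (("clean", CLEAN_SAMPLE), ("skewed", SKEWED_SAMPLE)):
        r = benford_screen(sample)
        verdict = "conforms" if r["conforms"] else "does not conform; extend the sample"
        print(f"{label}: n={r['n']} chi2={r['chi2']:.1f} "
              f"top digit={r['most_common_digit']} -> {verdict}")
```

The Pareto step answers "what to sample" (the groups carrying most of the value), and the Benford screen feeds "how much to sample": a population whose leading digits fit the expected distribution can be sampled at the planned rate, while a skewed one, such as a cluster of amounts just below an approval threshold, is a reason to enlarge the sample or test the whole population.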
Tools: Audit Tracker

1. Contacts (of auditee / audit team)
2. Status Tracker (Scope, Start Date, Completion date, Reason for pending, Responsibility, Population, Sample, Sample methodology, Remarks)
3. Review Notes
4. Requirement Tracker (Requirement, Area, Responsibility, Request date, Received date, Time lag in receipt of data, Days lapsed)
5. Checklist (Scope, Sub scope, Risk, Control, Checkpoints, Population, Sample, Exceptions, Observations, Backup paper)
6. Query Sheet (Query, Financial impact, Risk, Recommendations, Area, Annexure, Resolved, Response, Responsibility, Reportable / Dropped, Backup paper)
7. Audit Completion Checklist

Control failure vs. impact of business control failure
Traffic light vs. specific financial amounts
Tools: Audit Report

1. Cover letter
2. Background and objective of audit
3. Scope and approach
4. Detailed observations (High, Medium, Low)
5. Other points for management attention
6. Positive assurance

Audit Presentation

1. Audit summary (Area, Location, Audit period, Audit team, Function head, Scope, Field audit dates / period)
2. Scope, sampling and limitation to scope
3. Positive assurance
4. Key observations
5. Other observations

Internal Audit Methodology


Editor's Notes

  • #5 What is a compliance audit? A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines. Independent accounting, security or IT consultants evaluate the strength and thoroughness of compliance preparations. Auditors review security policies, user access controls and risk management procedures over the course of a compliance audit.

What, precisely, is examined in a compliance audit will vary depending upon whether an organization is a public or private company, what kind of data it handles and whether it transmits or stores sensitive financial data. For instance, SOX requirements mean that any electronic communication must be backed up and secured with reasonable disaster recovery infrastructure. Healthcare providers that store or transmit e-health records, like personal health information, are subject to HIPAA requirements. Financial services companies that transmit credit card data are subject to PCI DSS requirements. In each case, the organization must be able to demonstrate compliance by producing an audit trail, often generated by data from event log management software.

Compliance auditors will generally ask CIOs, CTOs and IT administrators a series of pointed questions over the course of an audit. These may include what users were added and when, who has left the company, whether user IDs were revoked and which IT administrators have access to critical systems. IT administrators prepare for compliance audits using event log managers and robust change management software to allow tracking and documentation of authentication and controls in IT systems. The growing category of GRC (governance, risk management and compliance) software enables CIOs to quickly show auditors (and CEOs) that the organization is in compliance and will not be subject to costly fines or sanctions.

A quality audit is the process of systematic examination of a quality system carried out by an internal or external quality auditor or an audit team. It is an important part of an organization's quality management system and is a key element in the ISO quality system standard, ISO 9001. Quality audits are typically performed at predefined time intervals and ensure that the institution has clearly defined internal system monitoring procedures linked to effective action. This can help determine whether the organization complies with the defined quality system processes and can involve procedural or results-based assessment criteria. With the upgrade of the ISO 9000 series of standards from the 1994 to the 2008 series, the focus of the audits has shifted from purely procedural adherence towards measurement of the actual effectiveness of the Quality Management System (QMS) and the results that have been achieved through the implementation of a QMS.

Audits are an essential management tool for verifying objective evidence of processes, assessing how successfully processes have been implemented, judging the effectiveness of achieving any defined target levels, and providing evidence concerning the reduction and elimination of problem areas. For the benefit of the organisation, quality auditing should not only report non-conformances and corrective actions but also highlight areas of good practice. In this way other departments may share information and amend their working practices as a result, also contributing to continual improvement. Quality audits can be an integral part of compliance or regulatory requirements. One example is the US Food and Drug Administration, which requires quality auditing to be performed as part of its Quality System Regulation (QSR) for medical devices (Title 21 of the US Code of Federal Regulations part 820 [1]).

Several countries have adopted quality audits in their higher education systems (New Zealand, Australia, Sweden, Finland, Norway and the USA) [2]. Initiated in the UK, the process of quality audit in the education system focused primarily on procedural issues rather than on the results or the efficiency of a quality system implementation. Audits can also be used for safety purposes. Evans & Parker (2008) describe auditing as one of the most powerful safety monitoring techniques and 'an effective way to avoid complacency and highlight slowly deteriorating conditions', especially when the auditing focuses not just on compliance but on effectiveness [3]. The processes and tasks that a quality audit involves can be managed using a wide variety of software and self-assessment tools. Some of these relate specifically to quality in terms of fitness for purpose and conformance to standards, while others relate to quality costs or, more accurately, to the cost of poor quality. In analyzing quality costs, a cost of quality audit can be applied across any organization rather than just to conventional production or assembly processes [4].