Developing an Audit Program
By Rodney Kocot
President
Systems Control and Security Incorporated
Copyright © 2005 Rodney Kocot
2 Session Outline
- Introduction
- Standards and Legal Considerations
- Objectives
- Policies Standards
- Audit Department
- Identifying the Audit Universe
- Risk Ranking the Universe
- Developing an Audit Plan
- The Audit Process
- Determining the Scope of Audits
- Continuous Monitoring
- Tracking Issues
- Quality Assurance and Monitoring the Audit Program
- Sources of Information
3 Introduction
Your approach may differ and still be correct for your organization.
4 Standards and Legal Considerations
This slide is just a reminder that there are laws, standards, and requirements that must be considered and dealt with. The requirements may be different for each organization.
- Auditing
  – ??????
- Accounting
  – ??????
- Taxation
  – ??????
- The Business
  – ??????
5 References
- Information Systems Audit and Control Association http://
- American Institute of Certified Public Accountants http://
- The Institute of Internal Auditors http://
- International Federation of Accountants http://
- ….
6 Objectives
- Assurance Services
- Internal vs Public
- Type of Audit
- The Public Interest
- Owner and Shareholder Interests
- Employee Interests
7 Objectives (continued)
According to the COSO Enterprise Risk Management — Integrated Framework Executive Summary: This enterprise risk management framework is geared to achieving an entity’s objectives, set forth in four categories:
  – Strategic – high-level goals, aligned with and supporting its mission
  – Operations – effective and efficient use of its resources
  – Reporting – reliability of reporting
  – Compliance – compliance with applicable laws and regulations.
8 Audit Policies Standards and Procedures
- Formalized policies, standards and procedures
- Criteria for achieving objectives and measuring performance.
- Many organizations maintain policies, standards and procedures in a database
9 Audit Department
- Organization
- Politics
  – Selling services
  – Funding negotiations
- Skills
  – Financial
  – Operational
  – IT
  – Compliance
10 Identifying the Audit Universe
- Starting with a list of all organization units, group units into auditable entities.
- Interview management to identify all auditable entities.
- Identify auditable entities from financial statements.
11 Organizing the Universe
- Using a database
  – Lotus Notes
  – MS Access
  – SQL
  – ??????
12 Risk Ranking the Universe
- Ensure that audit resources are allocated to meet the objectives of the organization.
- Select audits based on risk and resources
- Risk factors:
  – Compliance and regulatory requirements
  – Results of prior audits
  – Staffing issues
  – Complexity
  – Financial impact
  – …
13 Developing an Audit Plan
- Legal Requirements and Regulators
- Required Audits
- Prioritization based on Risk
- Scheduling
- Hours
- Budget
14 Reporting the Audit Universe
- By risk
- By group by risk
- By audit manager by risk
- By hours
- By type of audit
15 The Audit Process
- Planning
  – Risk Assessment
  – Determine scope
  – Identify resources
- Fieldwork
- Issues
- Reporting
  – Rating
  – Distribution
- Follow-up
16 Determining the Scope of Audits
- Risk Assessment
- Developing an Audit Program
- Performing the Audit
- Reporting Audit Results
17 Continuous Monitoring
Monitoring is a management responsibility and audit must be careful not to become a control.
18 Tracking Issues
- When are issues closed?
  – When the auditee says they are closed.
  – When the auditor validates they are closed.
- Implications:
  – Open issues may not be reported to management and the audit committee.
  – Fewer repeat issues when the issues are closed by auditors.
19 Reporting Open Issues
- Distribution List
- Frequency
- Issue reporting based on:
  – Risk
  – Days open
  – Days past due
20 Quality Assurance and Monitoring the Audit Process
- Work paper reviews
- Peer Reviews
- Client Surveys
- Personnel Reviews
21 Sources of Information
- Professional associations listed above
- Internet searches
22 For More Information:
Rodney Kocot
President
Systems Control and Security Incorporated
P.O.Box 0531 Tujunga, CA
Using technology to audit technology