Riskd – Risk Management Blog

1 – Do you need a centralized facility to model your audit universe?

2 – What are your expectations with respect to work papers automation?

3 – What type of audit planning do you engage in and how do you do it?

4-  How does your audit process integrate with the company wide ECM strategy?

Read more about how these questions can help you with selecting your audit software here.

Under the Framework there are three basic audit objectives:

• to determine whether controls provide reasonable assurance of effective and efficient operations;
• to determine whether controls provide reasonable assurance as to the reliability of financial data and reports; and
• to determine whether controls provide reasonable assurance of compliance with laws and regulations.

Each of these objectives has five components of control:

• A sound Control Environment;
• A sound Risk Assessment Process;
• Sound Operational Control Activities;
• Sound Information and Communications System; and
• Sound Monitoring Practices

1. For the Control Environment Component auditors assess

• whether managers and employees possess integrity, ethical values and competence;
• whether the nature of management’s philosophy and operating style is appropriate;
• whether there is proper assignment of authority and responsibility;
• whether there is proper organization of available resources;
• whether there is proper training and development of people; and
• whether there is proper attention and direction from management.

2. For the Risk Assessment Component auditors assess

• whether management has established a set of objectives that integrate all the organization’s resources so that the organization operates in concert;
• whether there is an awareness of and ability to deal with the risks and obstacles to successful achievement of business objectives; and
• whether management identifies, analyzes and manages the risks and obstacles to successful achievement of business objectives.

3. For the Operational Control Activities Component auditors assess

• whether management has established and executed policies and procedures to help ensure effective implementation of the actions they have identified as being necessary to address risks and obstacles to achievement of business objectives;

4. For the Information and Communications Systems Component auditors assess

• whether the information system produces the financial, operational and compliance reports needed to run the business;
• whether the reports that are produced deal with internal and external activities, conditions and events necessary to informed business decision making and external reporting;
• whether the organizations people are able to capture and exchange the information they need to conduct, manage and control operations;
• whether pertinent information is identified, captured and communicated in a form that enables people to effectively carry out their responsibilities;
• whether communications flows in all directions throughout the organization;
• whether management has made it clear to all employees that control responsibilities are to be taken seriously;
• whether employees understand their own roles in the internal control system, as well as how their individual activities relate to the work of others;
• whether all employees have the means of communicating significant information upstream; and
• whether their is effective communication with external parties.

5. For the Effective Monitoring Component auditors assess

• whether the entire control system is monitored to assess the quality of the system’s performance over time;
• whether there is on-going monitoring in the normal course of doing business, such as regular supervisory and management activities, and actions employees take in performing their normal duties;
• whether internal deficiencies are reported upstream, with serious matters reported directly to top management;
• whether there are separate, independent evaluations of the internal control system.

STEP 1 – Preparation

1. Review relevant control information
2. Review Systems and Material Account Balance for the controls
3. Review Financial Reporting and Disclosure Risks

STEP 2 – Assessment

1. Assess Control Environment
2. Entity level controls
3. Process controls

STEP 3 – Conclusion and Disclosure

1. Assess findings and make appropriate disclosures

It is very important to clearly distinguish the following when you do an assessment (step2).

• The overall control environment including the ‘tone from the big guys’ and the extent and nature of involvement of the audit committee and board of directors. Remember that the ‘tone’ gives the direction on how internal controls are setup.
• Controls over the preparation of financial statements, including controls regarding accounting estimates, closing adjustments and the application of accounting principles in the preparation of financial statements and the information disclosed in the notes to the financial statements.
• Controls in the various accounting systems that capture, summarize and record the routine accounting transactions (e.g., recording of revenue, expenses, etc.) on which the financial statements are based. These are referred to as process controls.