Target Area Selection
universe based on risk, audit frequency, and applicability of use (meets the continuous auditing program testing requirements)
Document the Testing Objectives
specifically state the purpose of the continuous auditing testing
in the testing and all aspects of the business process that are not being tested as part of the continuous auditing program
Frequency Determination
on the frequency at which the business unit transactions produce a result
population as well as the dollar values (where applicable)
completed as planned
Documentation Requirements
target area identified, thus maintaining consistency and efficiency
represent the reason the work was performed and the associated
Mainardi & Associates Copyright 2010
documentation to support the testing conclusion. Ensure that there is sufficient documented evidence to support the continuous auditing testing conclusions.
Test Approach Communication
partnership with your business management client, it should be properly documented and communicated directly to the client
the work and the business unit client understand the expectations, requirements, and deliverables of the continuous auditing methodology.
Reporting Requirements
report that is issued, at a minimum, to the process owner plus one level. This ensures accountability
all continuous auditing programs executed
auditing program, will be at the discretion of the chief audit executive
At a minimum, the results should be fully distributed on a quarterly basis.
Performing the Tests
The recommended continuous auditing testing schedule (for business units that process multiple transactions on a daily basis) will be tested using the “6-9-12” audit frequency.
This frequency requires monthly testing be performed every month for the first six months of testing and then at quarter-end at month 9 and 12. The quarter-end test sample size is the same as the monthly testing previously completed; it should incorporate all three months of the quarter being tested. This frequency allows internal audit to identify potential trends and possibly use the results of the testing as a predictive tool to proactively address opportunities for improvement.
III Continuous Audit Testing Approach
All testing planning and execution will be documented in the same fashion and detail as any other full-scope audits by the responsible auditor. The documentation will contain the detailed planning steps and testing approaches as well as a conclusion based on the validated testing results. The documentation will be completed, reviewed, and approved according to the same guidelines as described in the current risk-based audit methodology.
To announce the beginning of the continuous auditing program to business unit management, internal audit will create and issue a notification memorandum notifying applicable personnel of the kickoff of the continuous auditing program. The correspondence will include, but not be limited to, the continuous auditing process requirements, document requests, time frames, and corresponding expectations.
The pilot program initially selected should have a specific, clear objective. Most successful continuous auditing pilot programs select a compliance-based control because of the specifically detailed acceptable performance parameters. Proper selection of the pilot program is critically important to the success of the continuous auditing program because of the testing frequency and interpretation of the corresponding data. Select a pilot program that has very specific parameters as to acceptable performance. This will limit the potential debate of exceptions noted.
Because of the recurring testing time frames of a continuous auditing program, it is important that business unit management recognize the importance of timely delivery of the requested business unit documentation for testing. The success of the continuous auditing program depends on the commitment of both business unit management and the responsible auditor to deliver and perform the work as requested and designed. If the requested documentation is not received in a timely manner from the business unit, it will be very difficult to complete the continuous auditing testing. The supporting continuous auditing work paper documentation will be in the same format and include the same critical fields that a full-scope test document would require. Those fields include, but are not limited to, date, source, scope, sampling technique, testing criteria, exceptions, conclusion, responsible auditor, and date.
IV Tracking and Reporting Results
Continuous auditing results and corresponding exceptions noted will be tracked in the same process as any exceptions noted in a full-scope risk-based audit. The responsible auditor who executed the continuous auditing program will be responsible for populating and updating the issue-tracking database with any exceptions noted during the continuous auditing testing. All issues noted during the continuous auditing testing must have an action plan, and the action plans will be recorded, tracked, and followed up on until their implementation. Upon plan implementation, the responsible auditor must validate that the appropriate action was implemented properly as documented in the formal report. Once an independent internal audit validation has been performed, the open action item may be closed out of the tracking database.
Quality of Audit
audit?
• Reduced review comments
• Cluster editing of report (staff and manager edit the report at one time, together)
• Participation in scope and testing plan decisions
• Available for questions when needed
Cost of Audit
reduce costs?
Culture Change
the audit?
Team Members
CONTINUOUS AUDITING PROGRAM EXAMPLE: ACCOUNT RECONCILIATIONS
Account Reconciliation Process: Foundation Phase
• To determine that reconciliations are performed accurately, completely, and in a timely manner
• Monthly—for account reconciliations executed monthly
• Quarterly—for account reconciliations executed only at quarter-end
• Combination of manual and automated
  • Manual to independently validate the accuracy and completeness of the selected reconciliations
  • Automated to validate that the completed reconciliations were submitted to the tracking database properly
• Inquiry and inspection
  • Inquiry into the tracking database and inspection to perform the completeness and accuracy review
Account Reconciliation Process: Approach Phase
• Receive and review policies with process owner
  • Validate and verify the current account reconciliation procedures to ensure that the continuous auditing testing program accurately reflects the most recent operational procedures
• Judgmental sample of financial operations
  • Judgmentally select a sample of monthly and quarterly account reconciliations that have been completed
  • Identify the account reconciliations that have the largest risk regarding number of journal entries and dollar amounts being processed through the selected accounts
• Request applicable reconciliations
  • Submit a request for the selected account reconciliations to be tested, and actively follow up on the receipt of the sample selected to ensure sufficient time is available to complete the required testing
• Validate compliance with policy and procedure
  • Execute the specific test steps as documented in the continuous auditing program
  • Validate the account reconciliations were processed in accordance with existing policy standards
Account Reconciliation Process: Execution Phase
• Discuss and validate the approach with the process owner
  • Prior to starting any testing, ensure the criteria being tested match current operational standards
• Request selected documentation
  • Determine the most effective method to select, and request the corresponding account reconciliations to be sampled
  • Identify who will be responsible for physically selecting and delivering the sample to the responsible auditor. Some business units prefer to pull the documentation themselves while others will allow auditors to gather the samples
• Perform testing and record results
  • Execute the continuous auditing program requirements, and document the current level of compliance with policies and procedures
• Note noncompliance with procedures
  • Document potential exceptions that represent a difference from the processing standard criteria validated with the process owner prior to the start of testing
Account Reconciliation Process: Execution Phase
• Validate findings with process owner
  • Review the test result specifics with the process owner to verify whether testing discrepancies represent true exceptions to the processing standard
• Obtain action items and draft report
  • Once the exceptions have been validated, perform a root cause analysis with the business process owner and request action items to address the root cause
  • Validate that the action plan submitted will truly address the root cause and not a symptom
  • Draft the formal report and incorporate the action plans into the draft
• Determine distribution
  • Once the report has been drafted and reviewed by the business process owner, discuss the final distribution list for the report issuance
• Follow up and report on action items
  • Perform ongoing follow-up on outstanding action items until full implementation
About the Author
financial services industry, Robert L. Mainardi started his own company, which develops and facilitates custom internal audit training, and evaluates, creates, and implements formal audit methodologies as well as consults on critical projects. Prior to starting his company, Mr. Mainardi was the Vice President of Internal Audit for the Penn Mutual Life Insurance Company and was responsible for the direction and oversight of the Internal Audit Department. He was responsible for Penn Mutual’s internal audit activities as well as those of its subsidiaries. Prior to joining Penn Mutual, he was a senior audit manager for The Vanguard Group, where he was responsible for the Investment Programs & Services and Methods & Infrastructure teams.
As a professional speaker, Mr. Mainardi leads programs to help clients:
Mr. Mainardi is an active member of the Institute of Internal Auditors (IIA) and has been a Distinguished Faculty Member for almost 20 years. He is a member of the Vision University Staff and is a featured speaker at IIA and other professional association conferences and events each year as well as MIS Super Strategies and Audit World; the IIA annual International, General Audit Management, Governance, Risk, and Compliance, All Star, Regional, and District Conferences. He received a BS degree from The Pennsylvania State University, where he majored in Accounting and Business Law. He also earned a master’s degree in Finance from Temple University. Plus, he has merited the Six Sigma Green Belt certification from the American Society for Quality, which recognizes the recipient for unique expertise in problem-solving and statistical analysis. He also has earned the Qualification in Control Self-Assessment and is certified to perform internal audit Quality Assessment reviews.