| Written by Stan E. Wilmer,
|
In our world of ever-diminishing audit resources and ever-increasing demands for accountability in government, we find ourselves as internal auditors faced with the daily challenge of doing more with less. More, not only in the quantitative aspects of audit production but also in the qualitative measures we use as professionals. These increasing demands are the result of changes in economics, demographics and the social and political values of our communities; and to assume that the changes or the rates thereof will diminish in the foreseeable future is probably naive. If we can accept the fact that these changes are inevitable, then our only hope for survival is to improve the efficiency of what we do to satisfy the demands of our profession.
Common definitions of efficiency include “the quality or property of being efficient” and efficient is defined as “acting or producing effectively with a minimum of waste, expense, or unnecessary effort.” With this in mind, I believe that efficiency in the audit process is producing the audit with a minimum of
waste, expense, or unnecessary effort. In my thirty-two years of audit experience, I have seen many successful and also unsuccessful audit engagements. As a matter of policy I have tried to forget the failures and concentrate on the successes. But without question, even the successful engagements were made more memorable if they were efficient in their operation.
As I look at the efficient audits completed in my resume of experience, I see common threads among them: similarities that cause me to believe that if we approach our work in the proper manner, we can usually assure ourselves of a successful result. As I consider the approach necessary for audit success,
my experience reminds me that the basic and fundamental key to audit success is in the planning. Consequently, I’m going to share with you those elements that I consider most important to planning the successful audit. In addition I will try to point out the pitfalls which commonly result in audit failure.
I believe the first step on the road to planning for audit success is to clearly establish the audit scope and objective. Keep in mind that the audit objective must be subject to independent analysis and measurement. I like to prepare a separate document in the planning section that defines the scope and
objective, and I make it a practice to revisit that document as the audit progresses. By continually reminding myself of the audit objective, I find that I am not so likely to fall victim to what I call “scope creep.” Scope creep is the condition that often occurs in an audit where we perform procedures that do
not necessarily contribute to the achievement of our audit objective simply because they are easy and comfortable to us. As each process within the audit is concluded, we must evaluate the results of the procedures performed and determine what additional procedures are necessary to most efficiently
achieve our objective. In effect, we find ourselves “drilling down” towards our audit objective by continually refining and re-defining the audit plan.
Once I have clearly established the scope & objective of my audit, I can begin the actual planning process. The audit scope and objective will serve as the basis for my audit plan, and it’s important to remember that all elements of the audit plan should contribute directly to the achievement of the audit objective. Elements I consider most significant to the audit plan include, but are not necessarily limited to the following:
• Engagement risk assessment
• Review and follow-up on prior audit findings
• Assessments of internal accounting and administrative controls
• Consideration of the potential for fraud or abuse
• Determination of the reliability of computer generated data
• Results of analytical procedures applied
• Need for reliance upon the work of other auditors of experts
• Requirements arising from contracts or local, state and federal laws
Experience and professional judgment should be exercised in the planning process to see that the elements considered are necessary for the achievement of the audit objective. Most importantly, if my assessments reveal that one or more of my initial planning consideration does not apply, I want to formally exclude it from the plan and document the reasons for exclusion.
Assessing Audit Risk – Here at the City & County of Denver, we perform a risk-based audit plan on an annual basis. The plan covers a two-year period and considers an audit universe of almost four hundred potential audits. The attributes evaluated in assessing audit risk included the size of the entity in terms of assets and or revenues and expenditures; liquidity or negotiability; compliance with contracts or regulations; public exposure; complexity of the transactions or environment; management accountability; quality of internal controls; age of the program or operation; the time expired since the
last audit; and management experience. These considerations are measured and then given weights based upon the combined judgments of the audit supervisors. The results are then quantified in a risk score for each potential audit in the universe. During the planning process, the risk score should be carefully evaluated to determine potential problems within the audit. In any event, concerns resulting in an elevated risk-assessment score should be considered in the audit planning process.
Review and Evaluation of Prior Audit – Prior audit files and the assessment of the results of the followup process provide valuable information for the audit plan. This is especially true when there have been minimal changes in the audit subject. However, auditors should be careful not to repeat the mistakes of
prior engagements and should be proactive in finding more efficient ways to achieve audit objectives. I find that interviews with key personnel early in the audit planning stage can quickly establish the status of prior audit findings; and, if the follow-up process was appropriate, only limited documentation
procedures should be necessary.
Assessing and Evaluating Controls – Perhaps now more than ever, we are concerned with the assessment and evaluation of internal accounting and administrative controls. This assessment and evaluation is required by professional standards as part of the process of gaining an understanding of the control environment. By documenting the processes used and controls in place we can determine the significance of control weaknesses. I like to begin with an organization chart followed by the analysis of job descriptions and duty assignments. Further, since I can see better with illustrations, I’ll either create
or update the flowcharts for the entity. It is essential that the flowcharts clearly identify the control points within the organization. Once we’ve identified the control points, we can determine their significance and design appropriate tests. However, all tests should bring us closer to our audit objective.
Considering Fraud, Waste, and Abuse – Recent events have proven that even the largest and most powerful governments or businesses can fall victim to fraud, waste, and abuse. The integrity of management must be continually evaluated and the potential for fraud, waste, and abuse must be considered in all phases of the audit. I like to begin with an open discussion of the potential for fraud or
abuse in the planning memo followed by that same discussion in the entrance conference. While my audit objective may not be the discovery of fraud, waste, or abuse, I want management to clearly understand my responsibilities for the detection of such under professional standards. As the audit progresses, status meeting agendas should include periodic reassessments of concerns in this area.
Assessing the Reliability of Data – The reliability of computer-generated data must be determined if the audit process is to be considered credible. This requires that we as auditors gain a basic understanding of how data is controlled and how our computers process that data. In addition, we must satisfy ourselves that the information is complete, accurate, and authentic. I don’t think you have to be an IT auditor to assess the reliability of this data, but I do believe you must understand what to do, how to do it, and why it must be done. In my case, it took several classes, a little “show and tell,” and then some “hands-on” instruction. I have learned that if there is ever a question as to what is required by standards,
most peer professionals will gladly lend a hand.
Analytical Procedures – More times than not, the value of analytical procedures is grossly understated. Careful thought applied to the relationships between data and the changes therein can often reveal serious problems that might otherwise go undetected. Perhaps just as, if not more, important than collecting, comparing, and analyzing the data is the process of understanding the data. Once collected, I like to allow management personnel the opportunity to explain to me what the data means to them. Many times I gain far greater insight into the skills and abilities of staff by letting them roam free over the analytical data during a routine interview. Further, by allowing personnel to talk about the data, their responsibilities to the data, and the difficulties they encounter in providing the data, they will often reveal design or implementation flaws in control systems.
Reliance Upon Other Auditors or Experts – It is rare that we begin an audit or examination of an entity, process, or allegation that has not been somehow or some way affected by an external expert. The traditional wisdom in using the product of other auditors or external experts is to reduce the scope or
depth of our examination by accepting their work and relying upon their conclusions. While this is certainly a worthy goal, with a little more effort we can use their results to enhance our work; not by supplanting our audit procedures but by supplementing them, and refining and re-directing our efforts in more efficient and effective ways. As auditors we should make every effort to determine what other auditors or experts have done and to include the results of their work in planning our examination.
Legal and Contractual Requirements – Virtually every engagement we encounter in the governmental arena will include compliance requirements with local, state, or federal laws and or contracts. I think it goes without saying that determining substantial compliance with such requirements is absolutely
essential to the audit process. However, note the word “substantial.” Professional standards repeatedly refer to terms such as “reasonable assurance” and “significance” when considering compliance audit procedures. Accordingly, I try to identify the “significant” requirements and design “reasonable” audit
procedures to determine compliance. Admittedly, significant and reasonable are subjective terms and require professional judgment in their practical definition. I evaluate requirements based upon the risks associated with non-compliance and determine significance in terms of their impact on the operation of the audited entity or contract. As a result, I make judgments as to what is and is not significant and what constitutes reasonableness in the circumstances. I believe this is necessary because total and complete
assurance is neither cost effective nor practical.
The eight elements listed above are by no means all inclusive to the audit plan or to the preparation of the planning memo. Traditionally, my planning memo starts with a brief summary of the scope and objective followed by a discussion of the background of the audited entity. I include a brief discussion of planning materiality and or audit significance as well as the anticipated timing of the engagement.
The final and most important section of the planning memo is where we document the “significant audit areas and areas of risk.” This section includes the evaluated results of the eight elements above in terms of audit significance and identifies what we must examine to accomplish our audit objective.
Once the audit planning memo is complete, we can move on to the “audit approach.” I use a tabular format for this document listing the significant audit areas on the left followed to the right by summary analytical data, information on population, sample size and method. This information is included to
document and justify the planned audit approach. Finally, I provide a brief discussion of the planned audit approach which outlines how I will examine significant audit areas in order to achieve the desired audit result. The planned audit approach is the basis for my audit program, and I will reference my
approach to specific areas of the program in order to document the consistency between the plan and the procedures being performed.
In theory, if the engagement has been accurately defined in the scope and objective, and if it has been properly planned, all that remains necessary is the execution of the audit plan through the audit program. However, this is rarely the case as the very best of plans can and will change in real life. At this point,
the key to a successful engagement lies within the ability of the audit manager to effectively deal with audit results. My experience tells me that there are three critical factors in play in the effective management of audit results; communication, negotiation, and imagination
In the operation of any engagement, we continually make inquiries of management and perform audit procedures necessary to achieve our audit objective. Understanding and ultimately reporting on the results of our efforts is a matter of communication. Whether it’s how we make our inquiries and what
we document as the response to them, or what we record in our audit documents from the interview, deficiencies in our communication skills can devastate the audit process. The effective audit manager will maintain a level of communication with staff so as to know when they are experiencing difficulties
and possibly jeopardizing the overall efficiency of the engagement.
I believe that contemporaneous review of those procedures completed as well as those not completed, coupled with open discussions with staff on the results of their efforts is the most effective way to resolve difficulties in the audit process. A timely, proactive approach by management usually results in
satisfactory resolution of the difficulties. And remember, it’s important to be a part of the process and not a critic of the process. Criticism, whether or not unfair, is the quickest way I know to destroy communications in a relationship. So keep the lines of communication open with the audit entity and staff during the entire engagement in order to minimize the impact of the unexpected on the engagement.
However, ultimately we will reach an impasse in an engagement where all the polite communications we can muster will not resolve an issue. Some issues will never be resolved to the satisfaction of all parties and sooner or later we will have to give something up to get what we want. It’s here where we refer to the age old art of negotiation in order to achieve our audit objective. The extent to which we must negotiate is strongly influenced by our ability as auditors to sell behavior modification. In any event, professional judgment will determine what we can or cannot do and it’s important to note that the negotiation process should never jeopardize the integrity of the engagement.
Effective management of the negotiation process rests with knowing before hand what you can and cannot accept without impairing your professional integrity. In simple terms, always be prepared when you find yourself in a position requiring compromise and avoid lost time and effort by having a back-up plan for every scenario.
Developing an effective back-up plan is where imagination, coupled with professional judgment can save the day. I like to think through the possible alternatives that can arise during a discussion and plan my responses in advance. I find that imagination and creativity bundled with a little light humor can
usually keep the discussion on track and the tempers at bay.
In summary, achieving efficiency in the audit process starts and ends with proper planning. It is naive to think that an audit engagement can be efficiently completed without a plan, but perhaps even more unrealistic to believe that the plan will survive the engagement without substantial modification.
Effective execution of the proper audit plan can usually render an efficient result. Finally, remember that sending a team to do an audit without a plan is like sending a ship with no rudder to sea. Much like the ship, our team will eventually arrive in port; not the port of design but a port of chance without purpose or significance.
Stan Wilmer is an Audit Supervisor with Internal Audit for the City and County of Denver.
|
Quarterly Articles