To execute the audit the internal auditors are required to perform the audit procedures including the control testing and identification of findings. Internal auditors obtain an understanding of the design of the engagement client’s internal controls. The auditors then conclude whether internal controls are designed adequately to achieve management’s control objectives.
These preliminary conclusions are used to determine whether the system of internal control is so poorly designed that testing it would serve no purpose, or the auditors should test internal controls to determine whether they are operating as intended. Thereafter, the audit procedures are performed.
Identification of Findings
Risk assessment procedures are performed to obtain an understanding of the entity and its environment including internal control. Further audit procedures include tests of controls and substantive procedures.
Tests of controls measure the operating effectiveness of controls in preventing, or detecting and correcting, instances of noncompliance whether they take the form of a material misstatement in the financial statements, failure to comply with a law, or regulation, or some other undesired outcome.
They are required when either:
The auditor’s risk assessment is based on an expectation of the operating effectiveness of controls or
Substantive procedures alone do not provide sufficient appropriate evidence.
Substantive procedures are used to detect material misstatements at the relevant assertion level. They include tests of details and substantive analytical procedures.
They should be performed for all relevant assertions about each material transaction class, account balance, and disclosure.
A management specialist is an individual or organization having expertise in a field other than accounting or auditing that assists in preparing the financial statements. The client may rely on a management specialist to prepare information used as audit evidence. An example is an estimation of the fair value of securities.
The auditor should evaluate the competence, capabilities, and objectivity of such specialists. They should obtain an understanding of their work relevant to the audit and evaluate its appropriateness.
Types of Audit Procedures
The internal auditor should use the following, singly or in combination, as risk assessment procedures, tests of controls, or substantive procedures:
Vouching tracks a result back to the originating event, ensuring that a recorded amount is properly supported.
Tracing follows a transaction forward from the triggering event to a resulting event, ensuring that the transaction was accounted for properly.
Inspection of records or documents in whatever form they may be in.
Inspection tangible assets. This is the physical examination of assets to test existence. For example, it is combined with observation of inventory counts.
Observe. This is to look at a process or procedure being performed.
Inquire about financial information from knowledgeable persons within the entity or outside the entity.
Get external confirmation. This is to obtain audit evidence as a direct, written response to the auditor from a third party. For example, a confirmation of account balances or the terms of agreements.
Recalculate (check mathematical accuracy)
Reperformance. This is the execution of procedures or controls.
Analytical procedures. For example, scanning is an analytical procedure used to review accounting data to identify significant or unusual items for testing.
As part of analytical procedures, the internal auditor evaluates unexpected results or relationships identified. This evaluation includes determining whether the difference from expectations could be a result of fraud, error, or a change in conditions. The auditor may ask management about the reasons for the difference and should corroborate the explanation. For example, the auditor may modify expectations and recalculate the difference or apply other audit procedures.
Maturity Models
Audit procedures may require the internal auditor to assess the maturity of a business process (that is, where the process currently lies on a predefined maturity scale) and compare results with management’s expectations for that process. The internal auditor may use a maturity model to perform this procedure.
“Maturity models establish a systematic basis of measurement for describing the ‘as-is’ state of a process.” Thus, they provide the criteria for assessing the current state of a business process.
Generally, maturity models have five levels of maturity, which are as follows:
Initial level. Here the process is defined.
Repeatable level. Here the process is established.
Defined level. In this stage, the standards that govern the process are developed.
Managed level. On this level, the performance measures are defined.
Optimizing level. All expectations are met, and continuous improvement is enabled at this level.
The following are the three steps for creating a maturity model:
The first step is to determine the model’s purpose and components.
The considerations in the determination include what management wants to assess, the business processes involved, and how the expected outcome can be stated in terms of a metric or qualitative statement. Components are the categories of attributes related to the process. For example, if a maturity model is used to assess an organization’s ethics program, a component could include the organization’s code of ethics.
The second step to create the maturity model is the determination of the model’s scale (that is the number of levels).
The final step is to develop expectations for each component level.
All the above procedures would result in the accumulation of the audit findings.
Final Thoughts
Effective communication of audit results fosters a positive relationship between management and internal audit, increases the rate of resolution of observations and recommendations, and improves the internal audit department’s efficiency.
Reports serve as a window into daily operations for management, a means to evaluate operating performance, a source of objective information about controls and operations, and a facilitator for gaining upper management support for issues that require attention. Internal auditors use reports to follow up on audits, teach and train audit staff, summarize audit results, and support the auditor’s performance evaluation.