Audit teams often struggle to determine why projects get delayed, and they fail to understand the resulting client concerns. Most of the time, this happens due to poor project planning or inexperience, which leads audit teams to overlook critical steps in preparing for the audit. In practitioners’ experience, two of the most frequent examples of poor project planning are failing to monitor a project throughout the life cycle of the audit and not giving enough thought to the team members’ skill sets and expertise when assembling teams for specific audits. These oversights often result in delayed audit completion and add to the confusion and frustration of the client, who must then dedicate time to additional audit discussions and provide documents to auditors on top of their demanding schedules and daily duties.
To address these challenges, there are five essential steps that audit teams can follow to execute audits efficiently and add value for stakeholders.
Step 1: Understand the Expectation
Understanding what is expected of the audit is crucial for the senior level of audit management. Audit management assigns the yearly audit plan to audit teams. There should be clear communication between audit management and the audit team at this stage to ensure that the audit team has a clear direction and can then be efficient and effective. When setting expectations, audit management should clarify the following:
- Type of audit—It should be determined whether the audit is a consulting or assurance engagement. It should also be clear whether it is a security audit (i.e., IT general controls vs. US Gramm-Leach-Bliley Act [GLBA]), governance audit (i.e., IT governance vs. corporate governance), operational audit (i.e., IT vs. business) or regulatory audit (i.e., compliance with organization standards vs. relevant regulatory standards such as those established by the US National Institute of Standards and Technology [NIST] or the US Federal Financial Institutions Examination Council [FFIEC], or the International Organization for Standardization [ISO]/International Electrotechnical Commission [IEC] standard ISO/IEC 27000 Information Security Management).
- Deliverables to audit management—Deliverables can include sending weekly audit status reports to highlight the progress of the audit’s tasks and timelines and notify audit management of any roadblocks that may inhibit timely completion of the audit.
- Deliverables to the client—Deliverables can include sending periodic updates such as a weekly audit status, which can be used as an opportunity to highlight the progress of the audit and note any outstanding artifacts due from the client and preliminary audit findings; a draft audit report, which can facilitate the verbiage for the final report such as the background of the client, in-scope process areas, audit findings, the root cause of the findings and the report distribution list; and final audit reports.
- Audit team members—An audit team should be assigned based on experience, skill set and expertise. For new auditors, guidance and training should be provided prior to and also throughout the audit.
- Stakeholders—The stakeholders can include client contacts, senior enterprise management, the audit committee and board members.
- Budget—The audit plan should note the hours approved for the project and should ensure that each task has allocated time.
Step 2: Know the Audit Area
The audit team should familiarize itself with the area to be audited (this will help the team meet client expectations). Audits typically fall into one of two main categories: recurring audit (documents from previous years are available for this type of audit) or new audit (as the name suggests, there are no documents from prior years). If the audit team is conducting a recurring audit, it can use several techniques to become more knowledgeable of the audit area:
- Review the previous year’s audit report.
- Review the previous year’s process walkthrough documentations and audit program, including test procedures.
- Determine if risk self-assessment is available for the audit area.
- Determine if any external or regulatory information is available for the audit area.
- Determine if there were any changes since the previous year that may change the audit procedures. These changes can include organizational change, process or technology change, any new regulatory standard impacting the audit area or any other emerging risk that might impact the audit area. For example, if there is an organizational change in the audit area and the entire management has changed, this may change how the controls operate. For a manual control that was in place for years, such as for checking file totals, there might now be an automated control of hashing in place.
If the audit team is conducting a new audit, it can use several techniques to become more knowledgeable of the audit area:
- Examine the organization’s intranet to find relevant information about the audit area.
- If it is a new topic or emerging risk area, research to gain broader understanding of the topic.
- If the audit is of a new product or service, research the vendors’ websites.
- Gather any additional information, such as audit programs, relevant articles, webinars and whitepapers from relevant organizations such as ISACA® or The Institute of Internal Auditors (IIA).
- Review relevant frameworks to determine industry-wide best practices such as COBIT®, Committee of Sponsoring Organizations of the Treadway Commission (COSO), NIST, ISO/IEC 27000 or FFIEC.
Audits are no longer completed in siloed functions because there is so much interdependency between systems. Therefore, there are other key considerations to keep in mind such as fraud risk, whether the audit is an integrated audit and the possibility of using data analytics.
- Fraud risk—Discuss fraud risk when assessing the design of controls and determine any audit steps specifically required to test the operating effectiveness of controls of areas where there might be an opportunity for fraud.
- Integrated audit—Determine whether the risk for the audit requires communication across other teams such as IT risk, operational risk and regulatory risk. If so, engage with relevant teams to obtain knowledge for the appropriate risk control testing.
- Data analytics—Determine controls that might require data analytics to assess the risk impact. For example, if the organization is in the insurance business, the claims filed (i.e., amount, frequency, providers) are good candidates for using data analytics. With the use of data analytics tools (e.g., the Microsoft Excel VLOOKUP function, the Audit Command Language [ACL] tool), the entire population of claims filed can be sampled to determine any anomalies. Ensure that the specific steps for data analytics are embedded within the relevant controls test procedure.
Step 3: Connect With the Auditee
Being prepared is key to connecting with the client and can ensure that the audit runs smoothly. Several actions can be taken to connect with the auditee:
- Schedule a kick-off meeting with the client and include audit team members. Weekly touchpoint meetings can also be scheduled with the client, if needed.
- Keep the meeting agenda clear and concise. The purpose of the kick-off meeting is to:
  - Introduce the audit team and the point of contact for the audit.
  - Share the audit process.
  - Discuss the timelines and client availability.
  - Outline the next steps.
- If clients are either new to audit or perceive it as a challenge, then the auditor must convey that this project is one of the many projects of the audit team. The client may feel at ease knowing that they are not the only ones being audited and that the audit process is similar to any other business function. It may also be helpful to convey that audit is approved by the board.
Step 4: Planning the Audit
Auditors must conduct a preliminary assessment of the risk relevant to the activity under review. Engagement objectives must reflect the results of this assessment. The IIA assurance standard 2210.A1 can be used to determine how a client’s management has assessed risk and whether the background information of the area in review is in line with the management’s risk assessment.1 These risk factors should be part of the engagement objectives. In addition, several factors should be considered when planning for the audit, such as:
- Risk—Determine the risk and severity of the risk associated with the audit area, such as financial, operational, security, strategic or reputational.
- Walkthrough—Conduct walkthrough meetings to gain an understanding of the audit process. During the walkthrough, controls in place for the area of the audit can be determined and additional risk areas can be discovered.
- Test procedures—For risk areas in scope, develop thorough test procedures to test the controls in place. For example, regarding the risk that confidential data can be compromised, ensure that the controls such as access (i.e., only required personnel have access) and security (i.e., confidential data are encrypted at rest and in transit) are tested. If there are no controls in place for the risk areas in scope, determine any compensating controls. If no controls are noted, this is a possible exception, and it should be confirmed with the client.
- Objective and scope—Prepare and distribute the objective and scope document for the audit; this document may also be referred to as the final planning memo. This objective and scope document will act as the focus of the audit.
Step 5: Conduct the Audit and Monitor Progress
Once planning is completed, the fieldwork phase of the audit can begin. For efficiently carrying out the testing for the audit, it is essential that the client provides appropriate documents. Therefore, it is helpful to make clear requests for evidence to avoid any client confusion. The audit team should send a comprehensive list of documents required to test the audit procedures to the client. Once most of the evidence is received, additional evidence can be requested as needed during the testing phase.
If any exceptions are noted during testing, there should be open dialogue with the client and discussions should continue throughout the testing process. This ensures transparency of issues and leaves no room for any surprises for the client at the end of the audit.
Once testing is complete, the audit report should be prepared using the information from the testing and any findings should be vetted and communicated with the client. It is important to have a draft audit report reviewed by audit management and client management prior to publishing the final audit report. The audit report is the final deliverable for most audits; therefore, it is essential to ensure that the verbiage of the report is factual and accurate.
Setting key milestones in the audit project helps monitor the progress. Monitoring the audit and scheduling periodic touchpoints with the audit team ensures that key milestones within the project are tracked for completion in a timely manner. If the project is not monitored, especially for larger and more complex engagements, the milestones might get missed, impacting the final deliverables and resulting in delayed audit completion.
Conclusion
It is essential for auditors to understand their roles and responsibilities and convey to the client that the objectives of an audit are to assess the process area and mitigate any risk associated with a process or activity. The stakeholders of an audit report can range from shareholders to the board of directors, vendors, customers and financial institutions. Any inaccuracies in the audit report can have negative consequences on the reputation of the auditors and the audit client. These tips and techniques can be used in any audit (IT or non-IT audits) to increase audit efficiency and result in valuable recommendations to clients.
Endnotes
1 The Institute of Internal Auditors (IIA), Engagement Planning: Establishing Objectives and Scope, International Professional Practices Framework Supplemental Guidance Practice Guide, 2017, http://www.iia.nl/SiteFiles/PG-Engagement-Planning-Establishing-Objectives-and-Scope.pdf
SUSHMA UNIYAL | CISA, CA
Is a senior practice manager at 360 Advanced. She is an audit professional with external and internal audit experience in IT, operational and financial audits. She has led large audit engagements focusing on helping clients add value to their business by assessing controls design and operating effectiveness through risk-based integrated systems reviews. In addition, she has led initiatives to standardize audit process workflows to accomplish efficiencies in audit deliverables. Uniyal has worked in Canada, India and the United States for various industries across multicultural environments.