Tuesday, December 31, 2013

IT is a valuable asset for businesses

Information technology (IT) is one of the most valuable, yet often least understood assets in a business. It takes an insightful enterprise to recognise the benefits of information technology and use it to drive stakeholder value.
Moreover, successfully managing information technology in a business also means understanding and mitigating the risks associated with it, including increased regulatory compliance and the critical dependence of many business processes on information technology.
Catherine Berry, senior underwriter: Financial and Professional Lines at Camargue explains further: “IT Governance falls under the mandate of a business’ executives and its board of directors. The King Code on Corporate Governance states that IT risk should form an integral part of an organisation’s risk management plan.”
The role of information technology in the economic and social prosperity of the country is expounded in the Electronic Communications and Transactions Act No. 25 of 2002.
“The Act strives to ensure that electronic transactions in South Africa conform to the highest international standards; and that a safe, secure and effective environment for the consumer, business and government is developed wherein electronic transactions can be conducted and utilised,” Berry explains.
To achieve this, the Act seeks to ensure compliance with accepted international technical standards in the provision and development of electronic communications and transactions.
In the same spirit, the long-awaited Protection of Personal Information (POPI) Bill aims to bring South Africa in line with international data protection laws.
Berry predicts that the impact of this legislation will be far reaching, with a significant impact on the manner in which companies collect, store, use and disseminate personal information. In addition, King III recommends that formal disaster recovery and contingency planning should form a vital part of good corporate governance practices.
“As the online environment becomes ever more complex, it has become almost impossible for businesses to address all the risks inherent in operating a computer network. Moreover, as technology evolves, so the crimes associated with it become increasingly complex.
“As such, the importance of prioritising risk management procedures specific to a business’ information technology structures cannot be more highly emphasised,” Berry insists, adding that these procedures are an integral part of combating and mitigating the effects of cybercrimes.
Berry argues that despite the fact that society has adapted quickly to sophisticated technology, a startling majority of small to medium sized enterprises do not have formal disaster recovery or business continuity procedures in place.
“Perhaps this avoidance is due to the complexity of information technology systems. It could also be that smaller businesses are reluctant to hire outside professionals to assist with compiling such contingency plans,” she surmises.
Whatever the reasons, it has become clear that it is no longer sufficient to rely on back-up drives alone – particularly if these are stored on the premises. Indeed, the more reliant an organisation is on its computer network and systems, the more complex its risk management programme is likely to be.
To this end, IT service providers are positioned not only to provide expert advice, but also to assist with the compilation of a comprehensive information technology strategy, including costing analysis and budgeting.
“There is a wealth of information that is freely available and easy to obtain that can be used to assist a business to conduct a risk assessment and prepare an information technology risk management framework,” Berry points out.
For example, the Information Systems Audit and Control Association (ISACA) has compiled a Control Objectives for Information and Related Technology (COBIT) framework which specifically addresses information technology management and IT governance.
Furthermore, the PCI Security Standards Council cites a number of methodologies that are available to assist organisations in developing their risk assessment process: those of the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), and the Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) method.
“In this climate, business managers who have not implemented sufficiently detailed disaster recovery and business continuity plans are not only in contravention of good corporate governance, but are also placing the business in a precarious position that responsible management would not risk,” she concludes.
Camargue is an underwriter of niche insurance products and a provider of risk management solutions to a broad spectrum of industries in southern Africa. Camargue’s unique M3 approach focuses on managing, mitigating and migrating critical business risks.

Risk appetite – inputs and outcomes

Part two in a three part series by Dr David Hillson and Ian Huntly, CEO of Rifle-Shot Performance Holdings.
We have seen that risk appetite is an internal tendency within an individual or a group and that it cannot be seen or measured directly. It represents a hunger for risk in a given situation, a desire or drive to take on a certain level of risk exposure. But where does this internal tendency come from? What influences risk appetite?
One obvious input to risk appetite is the situation that is being faced. Risk appetite does not exist in a vacuum or in isolation. It is defined as the “tendency of an individual or group to take risk in a given situation”, so clearly that situation is influential.
In fact it is not just the situation in general that influences risk appetite, but the specific objectives that an individual or organisation wishes to achieve in or from that situation. For a project manager, the situation is the project, and the objectives are the project objectives.
In addition to the situation and its associated objectives, there are two other factors that influence risk appetite. Both of these are to do with people, which is unsurprising since risk appetite is an internal tendency. The first factor relates to individuals and the other arises from the group context:
* On the individual side, the appetite for risk in a particular situation is affected by the general tendency of each individual to take risk in any circumstances. This is called risk propensity, and it in turn is driven by a range of risk-related personality traits, or innate motivations, known as risk preferences.
* Another influence on risk appetite is the culture of the group or organisation in relation to risk, describing the set of shared beliefs, values and knowledge that a group has about risk. This is called risk culture, and it results in a set of norms and behaviours that are naturally adopted by the group when situations are faced that are perceived as risky and important.
One interesting fact to notice about these inputs to risk appetite is that they are all internal: they are not chosen, either by individuals separately or by the group acting together; they simply are what they are. The effect of individual risk propensity and corporate risk culture on risk appetite is subtle and invisible. It is essentially unmanaged, and it cannot be seen or measured externally.
The resulting risk appetite therefore arises unconsciously and without the deliberate choice or intentional intervention of the individual or group concerned. That is why we describe risk appetite as a tendency – because it is internal and unmanaged.
As well as considering the inputs that affect risk appetite, we should also look at its outcomes. Just as we have no units with which to measure or describe physical appetite, the same is true for risk appetite, so we need an external proxy for it: something that can be seen and measured objectively. This role is taken by risk thresholds, which are external expressions of risk appetite.
And just as risk appetite is defined in terms of the objectives associated with a specific situation, risk thresholds are expressed in the same way. There should be a risk threshold set for each objective, reflecting the overall risk appetite in the situation.
Once we have defined risk thresholds for a given situation (how much risk we are willing to take), we can then compare these with the overall risk capacity of the organisation to bear risk, either in this specific situation or in aggregate. This will tell us whether our risk appetite can be fully satisfied or not. We might find that our appetite for risk leads us to set risk thresholds that exceed our capacity to take risk.
This could lead to a problem if left unmanaged, since we might end up taking on too much risk, exceeding our risk capacity. Alternatively our risk appetite may lead us to be too cautious, setting low risk thresholds which are well within our risk capacity, and which do not stretch or challenge the organisation or make best use of its resources.
Risk attitude, by contrast, has its own inputs and outputs. Considering inputs first, the chosen risk attitude is influenced by the perception of the degree of risk exposure associated with a given situation, and risk perception in turn is affected by a complex web of factors, referred to as the “triple strand” of influences (conscious, subconscious and affective factors).
It is common to speak about only a few specific risk attitudes, such as risk-averse, risk-seeking, risk-tolerant or risk-neutral. But in fact risk attitude exists on a continuous spectrum with an infinite number of possible positions. Faced with a given risky situation, a particular individual or group might exhibit a risk attitude anywhere on this spectrum.
Turning to outputs from risk attitude, two things are important in the context of making decisions in risky and important situations. The first is that our attitude to risk affects the degree of risk we are willing to take, as expressed in risk thresholds.
Clearly if we are comfortable with the perceived exposure to risk (i.e. our attitude is risk-seeking) then we will wish to set higher risk thresholds than if we are uncomfortable with the uncertainty (risk-averse).
But the influence of risk attitude is much wider than simply affecting the chosen level for risk thresholds and tolerances – it also affects our risk actions. In fact every action we take in relation to the perceived level of risk exposure is driven by our position on the risk attitude spectrum. Each step in the risk process is affected by the risk attitude we adopt in the situation, including:
* Identifying threats and opportunities;
* Assessing and prioritising identified risks; and
* Selecting and implementing appropriate risk responses.
Our risk actions modify the degree of risk exposure associated with the situation, leading to a revised perception of risk. As a result we may wish to change our risk attitude, to give us the best chance of achieving our objectives in the light of the new risk challenge that we now face. So in fact there should be a cycle between the current level of risk exposure, our chosen risk attitude, and the risk actions we take.
Changing risk attitude is a simple matter of making a different choice. Earlier work (Murray-Webster & Hillson, 2008) has described how applied emotional literacy can be used to modify risk attitude in an intentional way, using a framework called the “Six As” model.
This starts with “awareness” of the existing risk attitude that we have initially chosen in a given situation, together with “appreciation” of the factors that have influenced that choice. Next we “assess” whether the risk attitude is helping us to achieve our goals or not.
If the existing risk attitude is assessed as being “appropriate”, then we “accept” it and continue without change. But if a change in risk attitude is required, then we “assert” the need for change and take “action” to modify our chosen risk attitude.

Why companies need IT to combat fraud

Information technology is an essential tool for combating fraud. Without using the predictive power of analytics, it isn’t possible to prevent fraud before it happens, says Colin Hill, senior solution manager, Financial Crimes and Risk Solutions, SAS South Africa.
The majority of large companies have fraud budgets in place. These budgets are not, as you might expect, for detecting or combating fraud, but rather, simply, for absorbing the costs of fraud when it is committed.
I’ve had risk managers proudly tell me that they are within their fraud budget for the year, which is a disingenuous comment for them to make, considering that a fraud budget that allows for “acceptable” levels of fraud is nothing to be proud of – even if the department comes in under budget.
Of course, anti-fraud measures do exist, but they tend to take the form of careful screening of job applicants and customers, and educational campaigns. None of these uses the vast potential of technology to detect, and more importantly to prevent, fraud, and to protect the reputation of the business.
There are three key areas in which technology can make a difference:
Prevention
Fraud perpetrators are becoming more sophisticated. Fraud syndicates have state-of-the-art technology and highly qualified computer programmers and statisticians. In addition, the latest Kroll report published in the United States indicates that 60% of fraud committed has an internal link in the organisation.
Taking all of this into account, it is absolute madness that organisations are not dedicating the same levels of expertise and technology to preventing and combating internal and external fraud. If a company’s controls and mechanisms are not current, its layered defences, firewalls and authentication included, may not be up to standard.
Attackers could then get into the systems and transact, steal information or even destroy the systems. Antivirus software and detection controls should be in place, and should be tested regularly by external parties that specialise in testing defences against intrusion.
Only reporting the number of attacks, and having a budget in place to absorb the fraud is leaving the company open to repeated attacks, and doing nothing to solve the ongoing problem.
The impact of fraud on a company is more than a financial loss, and it reaches much wider than the ability to detect the fraud and catch the perpetrator. The effect on the company’s strategic objectives, its customers, its data handling capability, its risk management process and its compliance exposure should be assessed as well.
Detection
It seems like a no-brainer to say that an organisation should have mechanisms in place to detect fraud. But many organisations still use the outdated model of understanding the modus operandi of a fraudster who has been caught and questioned, and using this set of rules to pick up similar activities.
The chances of another fraudster using the same mechanisms are very slim. Instead, companies should be using advanced statistical methods to sift through large amounts of data in a short period of time and alert the business to possible acts of fraud. These methods do not rely on previous incidents of fraud, but on detecting behaviour that is out of the ordinary.
The big question here is: can you do this in a big data environment, and at what cost and speed?
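The contrast between the two detection models is easier to see in code. The following is an added example, not code from the SAS article: it runs a rule written from one caught fraudster’s modus operandi (structuring transactions just under a 10,000 reporting threshold) beside a behaviour-based screen that scores each transaction against its own account’s history with a median/MAD modified z-score. The transaction feed, the account names, the rule bounds, the 3.5 z cut-off and the hour-of-day slack are all constructed assumptions.

```python
"""Rule-based vs behaviour-based fraud screening over a constructed transaction feed."""
from statistics import median

# Constructed sample: (txn_id, account, amount, hour_of_day). Not real data.
TRANSACTIONS = [
    # account A: small daytime spend, then one large transaction at 03:00
    ("t01", "A", 42.0, 12), ("t02", "A", 38.5, 13), ("t03", "A", 51.0, 11),
    ("t04", "A", 45.0, 14), ("t05", "A", 40.0, 12), ("t06", "A", 47.5, 10),
    ("t07", "A", 2900.0, 3),
    # account B: repeated amounts just under a 10,000 reporting threshold
    ("t08", "B", 9900.0, 9), ("t09", "B", 9900.0, 9), ("t10", "B", 9900.0, 10),
    ("t11", "B", 9800.0, 9), ("t12", "B", 9950.0, 10), ("t13", "B", 9900.0, 9),
    # account C: routinely large payments, so 9,900 is unremarkable for it
    ("t14", "C", 12000.0, 10), ("t15", "C", 9900.0, 11), ("t16", "C", 15000.0, 9),
    ("t17", "C", 11000.0, 10), ("t18", "C", 13500.0, 11), ("t19", "C", 10500.0, 10),
]


def rule_structuring(txns, low=9000.0, high=9999.99):
    """Known-MO rule: flag any amount sitting just below a 10,000 threshold."""
    return {tid for tid, _acct, amount, _hour in txns if low <= amount <= high}


def robust_z(value, history, floor_fraction=0.02):
    """Modified z-score of `value` against an account's own history (median / MAD).

    MAD collapses to 0 on a near-constant history, so the scale is floored at a
    fraction of the median; otherwise trivial variation would be flagged.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    scale = max(mad, floor_fraction * abs(med))
    if scale == 0:
        return 0.0
    return 0.6745 * (value - med) / scale


def behavioural_outliers(txns, z_cut=3.5, hour_slack=2, min_history=5):
    """Flag transactions that are unusual for *their own account*.

    Each transaction is scored leave-one-out against the account's other
    transactions, on amount and on hour of day. Returns {txn_id: [reasons]}.
    """
    by_account = {}
    for tid, acct, amount, hour in txns:
        by_account.setdefault(acct, []).append((tid, amount, hour))
    flagged = {}
    for rows in by_account.values():
        for tid, amount, hour in rows:
            others = [(a, h) for t, a, h in rows if t != tid]
            if len(others) < min_history:
                continue  # too little baseline to judge; leave to a rule screen
            reasons = []
            z = robust_z(amount, [a for a, _ in others])
            if abs(z) > z_cut:
                reasons.append(f"amount z={z:.1f}")
            hours = [h for _, h in others]
            if not (min(hours) - hour_slack <= hour <= max(hours) + hour_slack):
                reasons.append(f"hour {hour:02d}:00 outside usual {min(hours):02d}-{max(hours):02d}")
            if reasons:
                flagged[tid] = reasons
    return flagged


if __name__ == "__main__":
    print("rule hits:", sorted(rule_structuring(TRANSACTIONS)))
    for tid, why in behavioural_outliers(TRANSACTIONS).items():
        print("behavioural hit:", tid, "; ".join(why))
```

On this feed the rule fires on every account B transaction but also on account C’s 9,900 payment, which is routine for that account, and it misses account A’s 03:00 transaction entirely; the behavioural screen flags only that one, on both amount and time of day. The two are complementary rather than alternatives, and the MAD floor is the caveat a practitioner hits first: an account that always transacts the same amount has zero spread, and without a floor any deviation at all scores as an outlier.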
Risk management
Many organisations do not show fraud as a line item on their balance sheet – it is often hidden in credit losses or some operational loss. But fraud isn’t only a financial loss or a broken control that needs to be evaluated as part of the operational risk management process.
Any individual customer’s loss due to fraud, as well as any massive company-wide breach is a threat to a company’s reputation. Businesses are failing to measure the impact on their customers, their reputations and their entire business models of leaving themselves open to fraud by budgeting for it rather than detecting and preventing it.
Customers need to feel safe, and they need to be confident that their information is protected.
Simply put, not having the proper technology in place to detect and prevent fraud before it happens is leaving companies vulnerable, allowing fraudulent activities to continue and fraudulent employees to keep their jobs, and leaving customers feeling insecure about their assets and personal information.

Risk-based internal auditing best practices

In designing risk-based auditing and monitoring activities, it is important that the internal auditor works closely with the organisation’s senior leadership and the board, or committee of the board, to gain a clear understanding of auditing and monitoring expectations and how these activities can be leveraged together to help minimise and mitigate risks for the organisation. 
These discussions should also include leadership from the legal, compliance and risk management functions, if they are not already a part of the senior leadership team.
This is according to Sheryl Vacca, senior VP and chief compliance and audit officer at the University of California (UC), and Ian Huntly, CEO of Rifle-Shot Performance Holdings, representatives in sub-Saharan Africa of SoftExpert, a market leader in software and services for enterprise-wide business.
This process should include performing periodic audits to determine compliance with respect to applicable regulatory and legal requirements and to provide assurance that management controls are in place for the detection and/or prevention of noncompliant behaviour.
Additionally, risk-based auditing and monitoring should include mechanisms to determine that management has implemented corrective action through an on-going performance management process to address any noncompliance.
Once the common framework for the risk-based auditing and monitoring program has been established, four key tasks must be performed:
* Assessment and prioritisation of risks, conducted enterprise-wide;
* Development of a risk-based auditing and monitoring plan;
* Execution of a corrective action plan developed by management to mitigate risks and/or resolve risks; and
* Periodic assessment of the overall process for effectiveness.
Risk assessment
The Committee of Sponsoring Organisations of the Treadway Commission (COSO) helped to define “risk” as any event that can keep an organisation from achieving its objectives. According to the COSO model, risk is viewed in four major areas:
* Operational (processes and procedures);
* Financial (data rolling up to internal/external statements);
* Regulatory (federal, state, local, organisational policy); and
* Reputation (institutional).
There are several ways in which risk assessments in these areas can be conducted. These include the use of:
* Focus groups to assist in the identification of risks;
* Interviews of key leadership and the board;
* Surveys; and
* Reviews of previous audit findings, external audits conducted in the organisation, and identifying what is occurring within the industry and the local market.
Once risks have been identified, a prioritisation process is needed to establish the likelihood of each risk occurring, the ability of management to mitigate it (that is, whether controls are in place for the risk, regardless of how likely it is to occur), and the impact of the risk on the organisation.
Risk prioritisation is an on-going process and should include periodic reviews during the year to ensure that previous prioritisation methods, when applied in real time, are still applicable for the risk.
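One way to turn those three factors into a ranked audit plan, shown here as an added example rather than the authors’ own method: score a constructed risk register on likelihood and impact, discount by control effectiveness to get residual risk, rank, and re-rank when a periodic review revises a likelihood. The 1 to 5 scales, the register entries, the control-effectiveness values and the plan cut-off are all assumptions.

```python
"""Risk prioritisation for a risk-based audit plan (added worked example)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    area: str                      # COSO area: operational, financial, regulatory, reputation
    likelihood: int                # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                    # 1 (negligible) .. 5 (severe), assumed scale
    control_effectiveness: float   # 0.0 (no controls) .. 1.0 (fully effective), assumed

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> float:
        # Controls reduce exposure whatever the likelihood; this is what makes a
        # low-likelihood, uncontrolled risk outrank a likelier but well-controlled one.
        return round(self.inherent() * (1.0 - self.control_effectiveness), 2)


# Constructed register, not real findings.
REGISTER = [
    Risk("Privileged access not reviewed", "operational", 4, 4, 0.25),
    Risk("Manual journal entries unreviewed", "financial", 3, 5, 0.60),
    Risk("Personal data retained past policy", "regulatory", 3, 4, 0.20),
    Risk("Vendor breach of customer data", "reputation", 2, 5, 0.50),
    Risk("Untested disaster recovery plan", "operational", 2, 4, 0.00),
    Risk("Expense policy exceptions", "financial", 4, 2, 0.75),
]


def prioritise(register, plan_cutoff=6.0):
    """Rank by residual risk (highest first) and pick what goes on the plan.

    Ties break on inherent risk, then name, so the order is deterministic.
    """
    ranked = sorted(register, key=lambda r: (-r.residual(), -r.inherent(), r.name))
    on_plan = [r.name for r in ranked if r.residual() >= plan_cutoff]
    return ranked, on_plan


def reassess(register, likelihood_updates):
    """Periodic review: apply revised likelihoods from the business and re-rank."""
    updated = [replace(r, likelihood=likelihood_updates.get(r.name, r.likelihood)) for r in register]
    return prioritise(updated)


if __name__ == "__main__":
    ranked, on_plan = prioritise(REGISTER)
    for r in ranked:
        print(f"{r.residual():5.1f}  (inherent {r.inherent():2d})  {r.name}")
    print("on plan:", on_plan)
    _, revised = reassess(REGISTER, {"Vendor breach of customer data": 4})
    print("after review:", revised)
```

Note that the untested disaster recovery plan has a lower inherent score than the vendor breach risk but ranks above it, because nothing mitigates it; that is the effect of scoring control effectiveness separately from likelihood. Raising the vendor risk’s likelihood in a mid-year review moves it onto the plan without touching anything else in the register.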
It is important that senior leadership participate in, and agree with, the determination of the high-risk priorities for the audit and monitoring plan. This will ensure management buy-in and focus on risk priorities. Also, with managers involved at the development stage of the plan, they will be educated as to the type of activities being planned and the resources needed to conduct these activities.
Hence, during the plan year, if there are changes, management will understand the need for additional resources or a change in focus in the plan as the business environment and priorities may change.
Developing the plan
Risk assessments and prioritisation are important elements in the development of a risk-based auditing and monitoring plan. Considerations related to the plan should also include:
* Review of other business areas in the organisation which may be conducting an audit or monitoring activity in this area;
* Resources available to implement plan;
* Hours needed to complete the plan;
* Projected timeframes;
* Defined auditing or monitoring activities and determination as to whether they are outcomes or process oriented; and
* Flexibility incorporated into the plan to address changes in risk priorities and possibly unplanned compliance risks/crises which may need an immediate audit or monitoring to occur.
The process of risk assessment continues through the execution of the plan where the engagement objectives would reflect the results of the risk assessment. Risk-based auditing and monitoring is on-going and dynamic with the needs of the organisation.
Execution of the plan
Each activity should have a defined framework which will provide management with an understanding of the overall expectations and approach as users execute the plan. The framework for these activities should include the following actions:
* Set the purpose and goal for the activity (audit or monitoring);
* Conduct initial discussion with the business area for input related to audit attributes, timing and process;
* Finalise the approach and attributes;
* Conduct the activity;
* Identify preliminary findings and observations;
* Provide an opportunity for findings and observations to be validated by the business area;
* Finalise the report;
* Identify processes for the follow-up after management has taken corrective action related to activity findings and observations;
* Collect and track data throughout, since these provide trend analysis and measurement of progress; and
* Determine the key points of activity that may be provided to leadership and/or in reporting to the board.
The overall process of developing the audit and monitoring plan should be documented. This would include a description of how the risk assessment was conducted and the methodology for prioritisation of risks. Working papers to support the audit findings, reports, and corrective action plans should be documented and filed appropriately.
Prior to the audit activity, be sure to define and document what should be considered as part of the working papers.
At the end of each plan year, it is important to conduct an evaluation of the overall effectiveness of the plan. Questions to consider may include:
* Was the plan fully executed?
* Were appropriate resources utilised for the plan’s execution?
* Were the activities conducted in a timely manner?
* Did the plan “make a difference” in regard to the organisation’s strategy and business?
* Did the plan reach the goal of detecting, deterring, and/or preventing compliance research risks from occurring?
Annual evaluations may be conducted through self-reviews or independently of the internal audit function by a third party, for example a peer review conducted with auditors from other organisations, or a Quality Assessment Review conducted according to IIA standards (every five years).
However, while self-reviews are less resource intensive, it is recommended that an independent review be conducted at least every other year to assess the effectiveness of auditing and monitoring efforts.

How to move a company to SOX Compliance?

In this topic, I'll be sharing with you some basic requirements which a company should consider when going for SOX Compliance.

Please share in case you have other tips to add.

Step 1: Embedding compliance firmly in ongoing operations will require:

• an organizational structure with clear accountability,
• an efficient operating structure, and
• an enabling technology structure

Step 2: First-year Section 404 compliance is all about project management, with companies organizing teams to:

• Identify significant business units, financial statement accounts and related processes
• Update or create process-flow documentation
• Assess risks related to financial reporting and identify control activities in place to address those risks
• Validate processes and controls via walkthroughs or other means
• Develop and execute test plans
• Evaluate test results and remediate design and/or operating control deficiencies where necessary

Step 3. A typical company having accomplished this successfully would now have the following areas addressed:

• basic documentation in place,
• key controls identified,
• test plans developed and,
• most importantly, control issues that needed remediation

Step 4: How to establish a mechanism that both confirms the evaluation of DC&P (Disclosure Controls & Procedures) on a quarterly basis to support the Section 302 certification, and provides for the periodic testing of controls over financial reporting for the annual Section 404 assertion. (Under Section 404, management demonstrates through testing that internal controls over financial reporting operate effectively as of year-end. Under Section 302, management certifies that it has evaluated its DC&P as of quarter-end. Section 302 also requires management to report material changes to its internal control over financial reporting.) Given the level of regulatory oversight, this is a decision that should not be taken lightly. Alternatives can be:

• Although testing is not specifically prescribed in order to comply with the requirements of Section 302, executing test plans throughout the year, allowing for timely recognition of control issues, remediation and retesting, if needed, as well as for the updating of the control evaluation at year-end can be an option. Through testing, management attains comfort with regard to quarterly reporting, while at the same time accomplishing the work required for the year-end assertion.
• Perform tests quarterly for higher-risk processes and controls, supplemented by self-assessments for other processes.
• A third possibility is to rely solely on a self-assessment process for quarterly reporting, with no reliance on testing for the evaluation of DC&P.
Complicating consideration of these alternatives are the nature and frequency of the control activities performed, which can dictate the timing and extent of testing. Choosing from among these alternatives is dependent on management’s comfort with the alternatives. Fundamentally, the chosen approach must enable the identification of material changes in internal control over financial reporting and provide reasonable assurance that controls over financial reporting are effective at quarter-end, as well as at the end of each fiscal

Step 5: Several elements must be considered in developing a compliance process that is responsible, cost-efficient and effective. These can be classified into three major categories:

• An accountability structure that ensures the appropriate level of oversight and process ownership and drives the right attitude throughout the business.
• An operating structure that facilitates cost-effective and streamlined processes for execution of Sarbanes-Oxley requirements.
• A technology support structure that supports the efficiency and effectiveness of compliance processes

Step 6: Accountability Structure
The accountability structure needs to:
• Define ownership of the design and operation of controls within the organization
• Create the appropriate tone at the top to reinforce delegation without allowing abdication.
• Define appropriate organizational roles and responsibilities
• Communicate what people are supposed to do and
• Reinforce accountability to ensure that they do it.

Key Traits of a Successful IT Auditor

As you begin your search to build out your audit team, here are some of the key traits of a successful IT auditor:

Ability to dig into technical details without getting lost in those details.

Analytical skills. It is critical for the auditor not only to understand technologies but also to be able to use that knowledge to uncover risk to the business and apply judgment regarding degrees of risk. This often is not a black-and-white job; you need people who can really think through a process or technology and frame up the risk to the company.

Communication skills (both written and oral). This is a huge emphasis for this job. An auditor must be able to help all levels (from the most detailed technical person to the highest level of management) understand exactly why he or she has a concern with something. This means that he or she must be able to lay it out logically in layperson's terms for management but also explain all the technical details of his or her concern to the people who work in the area day to day.

The ability to quickly learn the key concepts of new technologies and identify key risk points within those technologies.

Willingness not to be touching a specific technology daily. It's important for people to understand that while there is a lot of hands-on work when performing audit analyses, they won't be acting as the administrator of a production Unix box, managing routers, etc.

The Internal Audit Process from A to Z: How It Works!

Every successful audit is based on sound planning and an atmosphere of constructive involvement and communication between the client and the auditor. I see quite a few audit organizations that include a Web-based explanation to their clients of how the audit process works. The purpose of providing this page is for those audit organizations that have not explained to their clients how, in general, the audit process works. It also is designed to provide a resource for sharing tools and techniques for each of the distinct phases of the audit process. If you have tools or resources that you would like added to these pages please send them to editor@auditnet.org.

Thanks to Terry Radke, Director Indiana University - Internal Audit for allowing AuditNet® to "borrow" the audit process description they use for their customers. I also added links to other sites to help illustrate or clarify the process.

Audit Process
Although every audit project is unique, the audit process is similar for most engagements and normally consists of four stages: Planning (sometimes called Survey or Preliminary Review), Fieldwork, Audit Report, and Follow-up Review. Client involvement is critical at each stage of the audit process. As in any special project, an audit results in a certain amount of time being diverted from your department's usual routine. One of the key objectives is to minimize this time and avoid disrupting ongoing activities. Following are some sample flowcharts of the process from other organizations that you may find helpful:

Central Queensland University Internal Audit Process
European Space Components Internal Audit Procedure guide includes a flow chart of the audit process.
University of Illinois Audit Process Flowchart


Planning

During the planning portion of the audit, the auditor notifies the client of the audit, discusses the scope and objectives of the examination in a formal meeting with organization management, gathers information on important processes, evaluates existing controls, and plans the remaining audit steps.
Announcement Letter

The client is informed of the audit through an announcement or engagement letter from the Internal Audit Director. This letter communicates the scope and objectives of the audit, the auditors assigned to the project and other relevant information.
Initial Meeting

During this opening conference meeting, the client describes the unit or system to be reviewed, the organization, available resources (personnel, facilities, equipment, funds), and other relevant information. The internal auditor meets with the senior officer directly responsible for the unit under review and any staff members s/he wishes to include. It is important that the client identify issues or areas of special concern that should be addressed.



Preliminary Survey

In this phase the auditor gathers relevant information about the unit in order to obtain a general overview of operations. S/He talks with key personnel and reviews reports, files, and other sources of information.



Internal Control Review

The auditor reviews the unit's internal control structure, a process which is usually time-consuming. In doing this, the auditor uses a variety of tools and techniques to gather and analyze information about the operation. The review of internal controls helps the auditor determine the areas of highest risk and design the tests to be performed in the fieldwork stage.



Audit Program

Preparation of the audit program concludes the preliminary review phase. This program outlines the fieldwork necessary to achieve the audit objectives.






Fieldwork

The fieldwork concentrates on transaction testing and informal communications. It is during this phase that the auditor determines whether the controls identified during the preliminary review are operating properly and in the manner described by the client. The fieldwork stage concludes with a list of significant findings from which the auditor will prepare a draft of the audit report.



Transaction Testing

After completing the preliminary review, the auditor performs the procedures in the audit program. These procedures usually test the major internal controls and the accuracy and propriety of the transactions. Various techniques including sampling are used during the fieldwork phase.



Advice & Informal Communications

As the fieldwork progresses, the auditor discusses any significant findings with the client. Hopefully, the client can offer insights and work with the auditor to determine the best method of resolving the finding. Usually these communications are oral. However, in more complex situations, memos and/or e-mails are written in order to ensure full understanding by the client and the auditor. Our goal: No surprises.



Audit Summary

Upon completion of the fieldwork, the auditor summarizes the audit findings, conclusions, and recommendations necessary for the audit report discussion draft.



Working Papers

Working papers are a vital tool of the audit profession. They are the support of the audit opinion. They connect the client’s accounting records and financials to the auditor’s opinion. They are comprehensive and serve many functions.









Audit Report

Our principal product is the final report, in which we express our opinions, present the audit findings, and discuss recommendations for improvements. To facilitate communication and ensure that the recommendations presented in the final report are practical, Internal Audit discusses the rough draft with the client prior to issuing the final report.



Discussion Draft

At the conclusion of fieldwork, the auditor drafts the report. Audit management thoroughly reviews the audit working papers and the discussion draft before it is presented to the client for comment. This discussion draft is prepared for the unit's operating management and is submitted for the client's review before the exit conference.



Exit Conference

When audit management has approved the discussion draft, Internal Audit meets with the unit's management team to discuss the findings, recommendations, and text of the draft. At this meeting, the client comments on the draft and the group works to reach an agreement on the audit findings.



Formal Draft

The auditor then prepares a formal draft, taking into account any revisions resulting from the exit conference and other discussions. When the changes have been reviewed by audit management and the client, the final report is issued.



Final Report

Internal Audit prints and distributes the final report to the unit's operating management, the unit's reporting supervisor, the Vice President for Administration, the University Chief Accountant, and other appropriate members of senior University management. This report is primarily for internal University management use. The approval of the Internal Audit Director is required for release of the report outside of the University.



Client Response

The client has the opportunity to respond to the audit findings prior to issuance of the final report; this response can be included in or attached to our final report. If the client decides instead to respond after we issue the report, the first page of the final report is a letter requesting the client's written response to the report recommendations.







In the response, the client should explain how the report findings will be resolved and include an implementation timetable. In some cases, managers may choose to respond with a decision not to implement an audit recommendation and to accept the risks associated with an audit finding. If the client decides not to have the response included in or attached to Internal Audit's final report, s/he should copy the response to all recipients of the final report.



Client Comments

Finally, as part of Internal Audit's self-evaluation program, we ask clients to comment on Internal Audit's performance. This feedback has proven to be very beneficial to us, and we have made changes in our procedures as a result of clients' suggestions.






Audit Follow-Up

Within approximately one year of the final report, Internal Audit will perform a follow-up review to verify the resolution of the report findings.



Follow-up Review

The client response letter is reviewed and the actions taken to resolve the audit report findings may be tested to ensure that the desired results were achieved. All unresolved findings will be discussed in the follow-up report.



Follow-up Report

The review will conclude with a follow-up report which lists the actions taken by the client to resolve the original report findings. Unresolved findings will also appear in the follow-up report and will include a brief description of the finding, the original audit recommendation, the client response, the current condition, and the continued exposure to Indiana University. A discussion draft of each report with unresolved findings is circulated to the client before the report is issued. The follow-up review results will be circulated to the original report recipients and other University officials as deemed appropriate.






Internal Audit Annual Report to the Board

In addition to the distribution discussed earlier, the contents of the audit report, client response, and follow-up report may also be communicated to the Audit Committee of the Board as part of the Internal Audit Annual Report.






The Process: A Collaborative Effort

As pointed out, clients have the opportunity to participate during each stage of the audit process: preliminary review, fieldwork, audit report, and follow-up. There is no doubt that the process works best when client management and Internal Audit have a solid working relationship based on clear and continuing communication.



Many clients extend this working relationship beyond the particular audit. Once the audit department has worked with management on a project, we have an understanding of the unique characteristics of your unit's operations. As a result, we can help evaluate the feasibility of making further changes or modifications in your operations.






Read more: http://www.auditnet.org/process.htm#ixzz0vefY1tZG