
Steps of an Audit—Steps 4 through 7

June 2007

Well, after the flurry of editions and retractions this month, I am still at it! Here is something to replace my earlier, lame June newsletter.

In May, we discussed the first three steps of conducting an audit. This month, let’s review Steps 4 through 7.

Here are the steps to conducting an audit:

  1. receive vague audit assignment
  2. gather information about audit subject
  3. determine audit criteria
  4. perform a risk assessment
  5. refine audit objective and sub-objectives
  6. choose methodologies
  7. budget each methodology
  8. formalize the audit plan
  9. formalize the audit program
  10. perform audit steps
  11. document results in the working papers
  12. review working papers
  13. write findings
  14. confer on findings with client
  15. conclude
  16. finalize report

Step 4: Perform a risk assessment

There are two steps to conducting a risk assessment:

  • break the universe into bite-sized chunks
  • assess the risk of each chunk

Now what is G.R.E.A.T. about the risk assessment SASs is that they divide the financial statement universe up into bite-sized chunks for you—the chunks are the elements of the financial statements and the related management assertions.

Other standard setting bodies, such as the GAO (Yellow Book) and the Institute of Internal Auditors, don’t give us much help. We are left to our own devices. And believe me, some auditors are more than qualified to create some wacky devices! Every internal audit manager I talk to seems to have created or adopted a unique model for assessing risk. If you’d like to see what others are doing, see the RESOURCES page at www.auditskills.com/resources.html. If you’d like to share yours, BRING IT ON! I’ll put it up on the website.

So on a performance audit or a compliance audit, you must come up with your own way to divide the universe into bite-sized pieces. This can be one of the more challenging phases of the audit. Simple example: on a compliance engagement, the chunks of the audit universe might be the 30 compliance requirements for the grant. (In the next step of the risk assessment, we’ll decide which three of the 30 chunks deserve our attention, because we can’t audit all 30!)

After the Enron debacle, all of the standard setting bodies have been pushing auditors to document their thought process regarding risk assessment. You must justify why you chose to spend time in certain areas. And Step 1 of a risk assessment is to define the areas!

Once you divide the universe up into chunks, you assess risk on each chunk.

If you want to get technical about risk assessment, recall the risk assessment formula

AR = DR x IR x CR

What are all these acronyms?

AR = Audit Risk
DR = Detection Risk
IR = Inherent Risk
CR = Control Risk

Audit risk is the risk that you will miss the boat as an auditor. It is the risk that a material misstatement will go undetected and that the financial statements will be inaccurate and unfairly stated. It is the risk that your opinion on the financial statements is no good!

The formula is a bit of funny algebra. Obviously it is not real algebra because it has no numbers in it. But—just like in algebra—to get one side of the equation lower, something on the opposite side has to be low.

So, in order to get one side lower—to reduce audit risk to a tolerable level—you must either have a low detection risk, low inherent risk, or low control risk.

By using risk assessment techniques, you ask whether the item is inherently risky. And if so, you then ask if this risk is mitigated by controls. Now if inherent or control risk is high, in order to get AR to an acceptably low level, you must reduce DR.

Detection risk is the only element of the formula that you as an auditor can control. The way you reduce detection risk—the risk that you won’t detect an error or misstatement—is to audit the heck out of it!
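To see the trade-off with numbers, here is an added example (not part of the original newsletter) that solves the formula for DR on each chunk and ranks the chunks by how much audit work they need. The 0-to-1 rating scale, the 5% tolerable audit risk, and the chunk names and ratings are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

TARGET_AR = 0.05  # assumed tolerable audit risk (not from the newsletter)

@dataclass
class Chunk:
    name: str
    inherent_risk: float  # IR on an assumed 0-to-1 scale
    control_risk: float   # CR on an assumed 0-to-1 scale

def allowable_detection_risk(chunk, target_ar=TARGET_AR):
    """Solve AR = DR x IR x CR for DR, capped at 1.0.

    A result of 1.0 means IR x CR alone is already within the target,
    so little or no testing is needed to hold AR down for that chunk.
    """
    for value in (chunk.inherent_risk, chunk.control_risk):
        if not 0 < value <= 1:
            raise ValueError(f"{chunk.name}: ratings must be in (0, 1]")
    return min(1.0, target_ar / (chunk.inherent_risk * chunk.control_risk))

def rank_chunks(chunks, top_n=3):
    """Lowest allowable DR first: these chunks need the most audit work."""
    return sorted(chunks, key=allowable_detection_risk)[:top_n]

# Constructed sample universe: five chunks of a compliance engagement.
UNIVERSE = [
    Chunk("Reporting deadlines", 0.2, 0.2),
    Chunk("Payroll charges", 0.5, 0.4),
    Chunk("Cash receipts", 0.9, 0.8),
    Chunk("Equipment inventory", 0.3, 0.3),
    Chunk("Subrecipient monitoring", 0.8, 0.5),
]

if __name__ == "__main__":
    for chunk in rank_chunks(UNIVERSE, top_n=len(UNIVERSE)):
        dr = allowable_detection_risk(chunk)
        print(f"{chunk.name:<25} IR={chunk.inherent_risk:.1f} "
              f"CR={chunk.control_risk:.1f} allowable DR={dr:.3f}")
```

The output doubles as documentation of why time was spent where it was: the ratings are still auditor judgment, but they are written down next to the result they produced.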

In the past, it was much easier to go on gut feel. The new AICPA risk assessment requirements still allow your gut—or in some circles it is called your “auditor judgment”—to play, but you must, in essence, justify your gut and document your gut.

This allows reviewers to see how you got from Step 1 (Receive your vague audit assignment) to Step 8 (Create an audit program).

This whole risk topic deserves more time, and in future e-zines I’ll make sure to dig into it deeper. But right now, on to Step #5…

Step 5: Refine the objective

Now it is time to refine that vague audit assignment so that you can work with it. The audit universe has, up until this point, been too broad, too universal. “Express an opinion on the financial statements?” “Verify compliance with grant requirements?” Those include an awful lot of information and detail that you are not going to be able to verify.

But now that you know where the risks are, you can narrow your focus.

For instance, for our financial statement audit you may decide that cash receipts deserve some attention. You might even state the objective in terms of the management assertions. For instance, “Are cash receipts complete?”

What you will end up with is several sub-objectives under the general header of, “Are the financial statements presented in accordance with GAAP?”

Each of these sub-objectives becomes the subject of an audit program and dictates which methodologies you will use.

For more on what makes a good objective, see the November 2003 newsletter.

Step 6: Choose the methodologies

Now that you know your objectives, what are you going to do to answer the questions that the objectives pose? What techniques are you going to pull out of your audit hat to verify that the cash receipts are complete?

The methodologies must clearly be linked to each risk identified. And they must yield strong evidence. This is another topic that deserves a lot more attention in future e-zines.

Examples of methodologies include:

    • Sampling
    • Confirmations
    • Interviews
    • Fluctuation analysis
    • Observations
    • Walk-throughs

For more on methodologies, see the December 2004 and January 2005 newsletters.

Step 7: Budget each methodology

I highly recommend, before you set yourself or your audit team to work on any given methodology, that you consider how long the methodology is going to take.

Some methodologies sound really cool on paper but end up costing hours and hours of audit time. This is the time (pre-fieldwork) to figure out how much time you are going to invest in this area—not when you are in the middle of an annoying confirmation procedure that has already taken you a week to get going.

In July, more steps.
