The audit and review process provides assurance on the organization’s governance, risk management, and control processes to help the organization achieve its strategic, operational, financial, and compliance objectives.

• Insight comes from a catalyst(s), analyses and assessments by the auditor.
  

The audit and review process is a catalyst for improving an organization’s effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business processes.

• Objectivity comes from the application of integrity, accountability and independence

HOW MUCH ASSURANCE?

The answer to this question depends simply on the amount of evidence available and the time cost that can reasonably be spent in seeking and evaluating that evidence.  There are TWO levels of assurance, one of which should be chosen for each project or globally in forming the audit strategy and plan:

“Reasonable Assurance Engagement” means an assurance engagement where the assurance practitioner’s [auditor’s] objective is a reduction in compliance engagement risk to an acceptably low level in the circumstances of the compliance engagement as the basis for a positive form of expression of the assurance practitioner’s conclusion.  Reasonable assurance means a high, but not absolute, level of assurance.  A reasonable assurance engagement is commonly referred to as an audit. [Paragraph 11(k)]

“Limited Assurance Engagement” means an assurance engagement where the assurance practitioner’s [auditor’s] objective is a reduction in compliance engagement risk to a level that is acceptable in the circumstances of the assurance engagement but where that risk is greater than that for a reasonable assurance engagement, as the basis for a negative form of expression of the assurance practitioner’s conclusion.  A limited assurance engagement is commonly referred to as a review. [Paragraph 11(i)]

(See:  Australian Auditing Standard ASAE 3100 Compliance Engagements.)

In addition to assurance, the audit or review may also provide a range of key facts and particulars of processes and performance that the governing board or senior management may not be aware of in any detail.  These types of projects usually also provide assurance of a kind less tangible than referred to above but it is, nevertheless, useful as additional relevant inputs to decision-making.

THE AUDIT OR REVIEW PROCESS

• A risk-based, cyclical audit strategy is developed, usually covering three years;
• An annual audit plan and cost budget is taken from the strategy and updated for any changes in risk assessments, staff mix, costs, etc;
• Audit work is programmed in detail and research, interviews and testing are conducted;
• A draft report is prepared, including the audit objective, methodology, findings, conclusions and recommendations;
• The draft report is discussed with management; management comments, action plans and responsibilities are added for each recommendation;
• The final report is issued for discussion by the governing board or its audit committee; and
• Each recommendation adopted is added to a register for future follow-up by the auditor to determine the extent of implementation.

TOOLS

Audits performed for management by Strategic Assurance Services include relevant choices of tools and techniques from the following list as required:

• Published auditing standards and practice guidance published in Australia and overseas;
• Risk management policy, strategy, identification, assessment and treatment templates;
• Control assessment questionnaires for each key system of controls or operations;
• Audit working paper templates to ensure audit meet professional standards;
• Audit reporting templates – clients can see what to expect in advance;
• Spreadsheet templates for audit testing and data analyses;
• Random sampling formulae to gain representative samples for cost-effective testing;
• Linear regression analysis to identify trends in data and time series;
• Transaction population interrogation to identify outliers;
• Other internet-based resources as required;

FREQUENTLY ASKED QUESTIONS

1.     Why outsource your internal audit service requirements?

Traditionally, internal audit services were only available to larger companies and big government departments and agencies.  Smaller organisations could not usually afford to pay for such a service.  But when internal audits began to be required by law for many government agencies in Australia, accounting and auditing firms of various sizes began to offer an outsourced service to meet most organisations’ audit and review needs.  As it involved a contractual arrangement rather than using full-time employees, cost savings became available and services could also be tailored to meet the needs of all but the smallest organisations.  So, outsourcing brings availability according to need, broadly based experience from many organisations, efficient costs, flexibility (providers can be changed relatively easily) and flexibility in approach to each audit or review.  These features are much harder to obtain and maintain from an internal audit team of employees.

2.     How much does an internal audit cost?

The cost is based on time spent and is estimated before work starts, so giving the client an early warning about the cost.  Usually the cost is based on a fixed fee, subject to variation only in circumstances where the needs and project scopes have changed significantly.  There is a minimum efficient cost but it would generally be affordable to most organisations that are likely to benefit from the outlay.  I cannot give a figure because every organisation’s situation, needs and risks are different.

3.     How do I know the cost will be worth it?

I can’t generalise about the cost but I can say that, with effective audit planning and consultation with your auditor, the costs and benefits will be known to you in advance and, usually, will more than justify the cost, particularly in improved systems, reduced risks, enhanced structures and operations and access to ad hoc advice and assistance on a wide range of business issues.

4.     How do I appoint an auditor for management – an internal auditor?

A first desirable step is to talk to a colleague in a similar organisation or one in a similar sector to yours and obtain some names of firms.  The Chartered Accountants’ website is also a useful source.  Choose between a public tender process and approaching a short-list of firms to provide a detailed submission.  To guide the firms being asked to submit a proposal or tender, you will need to prepare a detailed specification of the services required and any other factors relevant to the appointment.  When the submissions are received and interviews completed, management is then in a position to recommend an appointment to the governing board.  After reference checking and contract negotiation, the appointment can be finalised.  A large organisation would usually complete the process over a few months whereas a smaller organisation might make a thoroughly researched and documented appointment in six to eight weeks.  The appointment does not have be finalised before the start of a period to which it relates because audit examinations are generally conducted in relation to the recent past.

5.     What happens if I need to change my auditor?

Unlike the complex legal requirements to change a statutory auditor, an auditor for management can be given notice of termination of the contract at any time, in accordance with the provisions of that contract.  Then it is a simple matter of following the above process to appoint another firm of your choice, supported by a transition plan negotiated with both the incoming and outgoing firms of auditors.

6.     How do I know which areas need to be audited or reviewed?

This is an important question because there are always more audit opportunities than there is money to pay for them.  So, the decision is based on a comprehensive identification and assessment of risks the organisation faces – documented in detail in a risk register.  Then the audit or review can be focussed on the areas of highest risk first.  This approach provides a good start to controlling the costs of the whole process – and dealing with most serious issues without delay.

There are usually also a small number of areas that require auditing or review simply to meet legal or policy compliance requirements, irrespective of perceived risk; taxation compliance is often such an area.

Firms submitting proposals for the audit or review work should be asked to provide their preliminary view of the areas that they consider should be addressed based on their initial, outsiders’ views of the risks.  Those firms would usually be asked to submit a preliminary draft audit plan with costs to give you a good idea of where the exercise is heading.

7.     When the auditor has reported, can I be sure everything is correct and properly organised, authorised, etc?

Unfortunately it’s not that simple.  That’s why the auditing standards use the term ‘assurance’ rather than ‘certainty’.  Time required, costs and availability of skilled auditors are only three of many reasons why it is not possible for an auditor to attest with ‘certainty’.  In addition, most things, including systems and controls change over time, so the auditor’s report can only relate to the period covered by the audit or review work done.  Even though systems might be very well controlled, no-one can be sure that an individual’s behaviour will not contravene those controls so as to cause errors or irregularities that may cause losses and remain undetected, at least for a time.  But that’s only the negative side.

The good news is that auditors use a range of techniques to maximise the amount of assurance they can provide to your governing board and senior management.  Those techniques include:

• a focus on high and extreme risk areas;
• representative sampling to enable conclusions to be drawn about a group of transactions or balances without examining every one; sometimes only a small sample may be required and so significant audit costs can be saved;
• using an experienced eye to review key reports to identify variances from budgets and targets; and
• examining variances and departures from accepted policies, procedures and other norms, including industry or sector trends.

So it can be seen that a lot can be done but there is no absolute certainty, either at a point in time or over time.  For that reason, the audit and review process for management is one important element of the intelligence available to the governing board and senior management but it must not be considered alone.  Senior personnel must also take account of the structures, systems, controls and processes in place across the whole organisation to provide optimal assurance cost-effectively.

8.     Where can I get expert help with auditing for management or internal auditing?

Simply .  .  .

Call me on:  +61 417 373 589

Email:  peter@strategicassurance.com.au

Visit (by appointment only):  Level 7, 470 Collins Street MELBOURNE VIC 3000 | ABN 62 064 547 275