Even if the auditor does a great job of planning, conduct, analysis, and follow-up, the real value of the audit will be absent if the recommendations miss the mark. Audit planning should be focused on two main objectives: identify the risk and design an audit program that will assess the risk. Risk affects the achievement of organizational goals and objectives. Capitalizing on positive risks will increase the achievement of these…
When I am asked, “What does an internal auditor do?” my response is usually, “How much time do you have for me to answer that question?” As a long time internal auditor (35 years), I have often been disappointed by the perception of management (and others) regarding the purpose and value of internal audit. Ask management about internal audit and their response if usually that audit reviews financial statement and…
After years and years of mistakes, missteps, or invalid analysis, I have developed a series of steps that can reduce the likelihood or errors and increase the success of analytics for audit purpose. The first step is to ensure that you understand the goals and objectives of the audit. Then the following steps should be performed: Based upon the audit objectives and risks, and mitigating controls identify analytics that will…
Here are my top eight best practices for creating better internal audit reports that hit the mark: Audit Objective: ensure that the audit objective addresses the risks to the goals and objectives of the organization. It should drive the risk identification and assessment; and be a foundation for the audit workplan and the conduct of the audit. And ultimately, is it the statement upon which the audit concludes. Audit Workplan:…
This is the seventh in a series of articles on data analytics and internal audit. This article looks at the audit finding statement: recommendation. The focus will be on the use of data analytics to assist you in determining the recommendation. In simple terms, the recommendation is the action that management should take – putting in a control, changing a business process, etc. If the other components of the finding…
This is the fourth in a series of articles on data analytics and internal audit. This article looks at the audit finding statement: Condition. The focus will be on the use of data analytics and how the condition supports the development of the recommendation. In simple terms, the condition is “what is.” Typically, the analytics are testing for the existence of something, and the results are the condition. For example,…
This is the third in a series of articles on data analytics and internal audit. This article looks at the audit finding statement: Criteria. The focus will be on the use of data analytics and how the criteria play an important role in the development of analytics to support and inform the audit. IIA Standard 2210.A3 states that “adequate criteria are needed to evaluate controls.” Simply put, the audit criteria…
Setting the proper objective is critical to delivering on a quality, value-add audit. It must be strongly linked to the goals and objectives of the entity being audited; drive the risk identification and assessment; and be a foundation for the audit workplan and conduct of the audit. And ultimately, is it the statement upon which the audit concludes. Yet too many audits have poor objectives. I have performed analysis in…
Study after study has shown that data analytics is effective and efficient at detecting risk and identifying control weaknesses, non-compliance, and inefficient business processes. Chief Financial Officers (CFOs) and Chief Audit Executives (CAEs) have repeatedly stated that data analysis expertise is a much-needed skill, and surveys by the ACFE and CPA firms over the past 10 to 15 years have rated data extraction, data analysis, and analytical software as critical…
The Risk-Base Audit Plan (RBAP) is an important output of Internal Audit. Not only is it a requirement of the IIA standards, but it also focuses audit on the most significant risks affecting the organization. In addition, it gives the Chief Audit Executives (CAEs) everything they needed to determine which audits will be performed and when; and to identify the required audit resources. However, developing a robust RBAP is not…