Read the book: Beyond Audit - Robert L. Mainardi - Page 17
Understanding the Business Process
Remember, during any type of audit, the auditor will be required to perform independent research regarding the business process under review. The key during this research period is to ensure that you are focused on the activities in the area assigned. Do not waste time trying to build an understanding of the processes to match that of the personnel in the business unit. No matter how hard you try and how much time you dedicate to learning any business process, you will never know the detailed workings of the operation like someone who is actually doing the job in the current environment. Your objective during this research period is to ensure that you are reviewing the most up-to-date information available regarding the business operations and are creating a foundation of general knowledge of the process. You will then use your communication skills to fill in the detailed nuances of the process.
The next step in this research part of planning is going to focus on any previous audit activity, external exams or reviews, as well as open and closed action items. The easiest one of these is going to be the previous audit activity. This information is readily available to you along with the supporting evidence and access to the individuals who performed the actual audit. I would suggest reaching out to whoever completed the last review to get their perspective on the area, business personnel, challenges encountered during the audit, and the final report. Discussing these topics with the person directly involved with the project will yield much more valuable information than just reading through the documentation. Plus, it will save you time, and we all know that in every audit, that is a precious commodity.
Another component that must be included during this phase is understanding the rules that the business operation is required to follow. These rules include the established policies and procedures and all federal, state, and local laws. It is important to note that, especially during a remote audit, when looking at the policies and procedures you must be particularly aware of the details surrounding workaround scenarios. These types of scenarios include exception processes, manual overrides, management discretion decisions, and supervisory overrides. While all of these exist in most business processes, it is important to ensure that you understand the situations that allowed these types of transactions to occur.
The other critical detail that must be explained is what level of standard, formal documentation is required when one of these workaround processes is selected. Consider that the business team is performing their job by going outside the normal order of processing. The documentation included must clearly explain why this occurred and exhibit some level of approval. Hopefully, all workaround scenarios are fully explained in the policies and procedures, including the documentation and approval required for each type. The final workaround point to discuss is the validity of this type of transaction. The key distinction in determining the appropriateness of a workaround is pretty straightforward. While workarounds exist and are necessary in business processes because no business process will be the same every day of the year, the validation of workarounds is determined by the control environment. What that means is that a workaround is appropriate if, and only if, it does not bypass a critical control. If a workaround procedure is used to avoid a critical or key control (approval, review, etc.), then it should be flagged and discussed as part of the standard policies and procedures. Keep an eye out for these types of controls and be sure to inquire as to the frequency of their occurrence. This type of information will provide insight into the day-to-day operations.
As you complete your independent research of the business process and prepare to set up a meeting (in our remote audit, this will be a call), you must obtain and verify that you have the appropriate client contact. During the initial stages of a remote audit, you must ensure you have a client contact person who can be reached for any process validation, system access, sample selection, and data and documentation questions. Having an established client contact from audit kickoff will expedite the critical step of information sharing throughout the audit. Be aware and quickly raise the question within your own audit team if you have been assigned a business partner contact who does not have the time, information, or detailed knowledge to effectively and efficiently address specific audit questions. Without an effective business contact, the remote audit will stall on a regular basis. Keep your ears focused on identifying traits of a business contact who is not ready for primetime during your audit.
If your contact is not reachable during normal business hours, is not able to answer process questions without having to validate the information before providing a response, and is consistently missing established deadlines for providing requested data, system access, or samples, you need to discuss the situation with your audit team and determine the root cause. Unfortunately, in these scenarios, it could be the result of a lack of experience or process knowledge, or it could be because the business contact was instructed to review all requests and questions with a third party in the business unit to ensure only certain details and data are provided to the audit team. While it is usually a lack of experience or knowledge causing the delays in responding, there have been numerous instances where data and information were being scrubbed before being given to the audit team. In the end, if your audit planning approach is complete and follows the Objective, Risk, Control process approach to be detailed in Chapter 5, ultimately the data and corresponding testing will validate the control environment and corresponding effectiveness. The only result of delaying the delivery of information to the audit team is expanding the length of the audit. So, when possible, be sure to verify you have a competent, knowledgeable business contact for your remote audit. You can accomplish this by building a rapport with the business contact during your relationship development by asking for their background and tenure in the department. This type of basic business experience knowledge usually provides a good indication of how smoothly information will be exchanged throughout the audit.