How to Scope an Audit of Thingamajigs

This week, I was asked for advice on auditing an area that was new to the auditor and had a number of complex operations. While it happened to be of the Investments function, my answer should work for pretty much any business function. It is based on the premise that the objective of the audit is to provide assurance related to the more significant business risks; in other words, this was not an audit of operational efficiency, etc.

This is what I advised:

I would start with a traditional top-down risk and controls matrix.

  • What are the business objectives and strategies?

  • What are the more significant risks to achieving them?

  • Of those, which shall I audit? I will make that decision based on looking at both the inherent and residual risk levels. This will tell me whether risks are currently being managed effectively (the residual risk level, assuming the controls are designed and operating ok), and what the impact could be if the controls failed (the inherent risk, also known as potential exposure).

  • What are the key controls to managing those risks within organizational tolerances? Consider all forms of control at all levels, including entity-level and IT general controls.

  • What is my plan for auditing those controls? Do I address them in a single audit, perhaps with a team of IT and operational auditors, or do I rely on multiple audits (e.g., separate audits of hiring processes, ethics policies, investment department activities, finance activities – such as account reconciliations – and IT) and pull the results together?

  • Execute.

I then advised the auditor to have a look at the IIA’s GAIT-R methodology. While it is in the Technology section of the IIA’s guidance, it is really about taking an integrated approach to defining the controls to be included in an audit of a business risk.

Do you agree with this advice for an assurance engagement?

Posted on May 1, 2011 by Norman Marks


  1. If it's an area new to the auditor, I'd suggest first gaining an understanding of the function and significant activities and processes. Or, bring in someone who has area expertise.

    Determine the business objectives and value drivers. Obtain and review related company policies, job descriptions, and work with the process owners to flowchart the processes and controls. Objective-risk-control matrices (ORCM) can then be developed more knowledgeably and with greater confidence in their completeness and accuracy.

  2. While I agree with the above process, domain knowledge does help to understand the risks and controls better. It also helps to understand the responses given by the auditee, especially if the guy is not willing to cooperate and thinks that the auditor is good enough only to understand the expiry date of the fire extinguisher.

    The above solution also assumes that a lot of documentation is in place, which may not be the case most of the time. With all the documentation it surely will be a better performance, but does it really replace the domain knowledge?

  3. Norman, this was very useful, thank you.
