RiBIA

The Audit Cycle


We saw in the previous presentation how, in large organizations, it is not possible for the
Internal Audit function to audit every entity in its portfolio every year. In fact, in theory, it
would be possible to do this if sufficient staff were employed; so the point really is that,
with the staff available, Internal Audit is not able to cover the whole portfolio every
year. This, of course, raises the question of what comes first: a decision about the length of
the Audit Cycle, or a decision about the number of staff available within Internal Audit,
which in turn would partially determine the length of the Audit Cycle.

Let's address this issue from two standpoints, firstly from the position that we are living
in the ideal world. In this situation we would first identify all of the entities in our
portfolio and then rank them in order of riskiness using the factors we
discussed on Day 1: Complexity, Value, Throughput, Stability, Management, Control
Environment and Time Since Last Audit. Now, even in the ideal world we would not ask
the Board to authorize a budget for sufficient manpower to audit every entity; everyone
would understand that certain areas present less risk to the business than others and so
can be left for, say, 18 months before being audited. In our ideal world, then, we would
take our list of risk-ranked entities and identify those that can safely be left for >12
months without audit; the remainder need auditing in the coming year. We then identify,
from experience or past history, how long it will take to audit each one and simply do the
arithmetic to work out how many staff we need.

You will notice that the above paragraph stated that we identify which areas could
be left for, say, 18 months; if this was the figure we were actually using, then our Audit
Cycle would be 18 months. But who decides whether 18 months is the right length of
time? The answer is that the Head of Internal Audit, in conjunction with the Audit Committee,
decides this; they take into account the nature of the business they are in, the risk climate under
which they operate and the appetite that the Main Board has for taking risks. Typically,
Audit Cycles range from 18 months to 36 months; for the international companies whose audit
I had responsibility for, I always worked on a 36-month cycle.

The above is the ideal situation; in reality the Internal Audit function will have budget
constraints like everyone else, and there will certainly already be an established headcount
in place when this new Risk Based planning system is introduced. In this case the
available man-days to some extent determine the length of the Audit Cycle. So, the
process would be to rank the entities by risk as before, then take the riskiest entity and
assign the relevant number of man-days to do the audit, then take the next riskiest and do
the same, and so on until all available man-days are used up. The remaining entities have
to be done in the following year, or later, again depending upon the available man-days.
This is a little simplistic, since if the exercise were to show that some really risky entities
could not be done in the coming year, an appeal could be made, via the Audit
Committee, for additional headcount. In reality this would probably involve getting
temporary, specialist help from a consultancy or the organization's external auditors.

Day 2
HO 4
Take this simple example, which is an extension of the data used on Day 1:

If the Internal Audit function only had 180 man-days available, then only Finance, IT,
Engineering and Marketing could be done in the coming year.

Once the planning exercise is complete, including the establishment of the Audit Cycle, it
has to go to the Audit Committee for approval.

As can be seen from the above, a great deal of emphasis is placed upon risk analysis
when determining what audits to perform in the coming year; the Internal Auditors'
systems need to include a methodology to react to the situation where an entity that was
considered to be of, say, medium risk when the planning was done becomes a high-risk
entity at some time during the year. If this is not recognized and reacted to, then the whole
concept of risk based audit planning is nullified. It follows from this that risk based
audit planning is a continuous process: you must reassess your plans frequently, usually
quarterly. It also follows that risk data about all entities in the portfolio needs
to be constantly updated as well!
