Internal Audit Guidebook
Providing a framework for understanding and delivering Grant Thornton’s Internal Audit Services in a consistent, high-quality way
2012
Internal audit guidebook
1

Contents (page numbers in parentheses)
Introduction (2)
Common service delivery methodology (6)
Determine client needs (8)
Scope and arrange work (10)
Plan (13)
Analyze and assess (20)
Report and recommend (28)
Implement (32)
Evaluate (33)
Determine business and technology context (36)
Manage engagement performance, quality and risk (38)
Communicate and enable change (40)
Appendix (42)
Internal audit engagement checklist (43)

© Grant Thornton LLP. All rights reserved.
Updated August 1, 2012
Introduction

What is internal audit?
The Institute of Internal Auditors (IIA) defines internal auditing as: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. (1010)
• An internal audit objectively assesses the management of risks that a company faces. (2100 series) The aim is to understand the current state, assess the current state using appropriate standards and criteria, and develop findings and recommendations for management and/or the audit committee.
• An internal audit helps identify voids, shortcomings and inherent risk potential in policies, processes and information technology in times of business stability and change.
• An internal audit recommends improvements.
Objectivity is vital to performing a high-quality internal audit. Objectivity means a focus on the best interests of the company, rather than on individuals’ interests. Objectivity offers a way to take a fresh look at how things can be accomplished, rather than accepting conventional wisdoms and old habits.
An internal audit is a powerful tool that helps manage the threats to an organization’s success. Due professional care must be exercised by all staff at all times (1220). Similarly, staff should only conduct reviews that they are competent to perform. (1210)

Fraud
The responsibility for safeguarding assets and for prevention and detection of fraud, error and non-compliance with law or regulations rests with management.

Non-compliance with IIA standards
At any point during an engagement, non-compliance with IIA standards should be addressed by the engagement partner and the resolution appropriately documented. (1322, 2431)

Added value
The engagement should be managed to ensure that it adds value to the organization and contributes to the improvement of the client’s management of risk, using a systematic approach and the methods in this manual. In delivering internal audit services, we should assist the organization by evaluating control effectiveness and efficiency, by promoting continuous improvement in the internal control environment, thereby increasing the organization’s risk management maturity. (2100)

Risk management (2120)
An internal audit’s goal is the management of business risk (i.e., to prevent negative things from happening to a company and to enable positive things). This goal does not mean a company will eliminate all risk. Complete risk elimination is neither practical nor economically feasible. Rather, the goal is to reduce risks to levels that are sensible and acceptable to a company’s management. For example, risks to the integrity of financial reporting may be seen as managed to an acceptable level when internal controls effectively prevent and detect significant errors in the financial statements. Information Technology (IT) performance may be regarded as managed to an acceptable level if IT operating procedures, controls and infrastructure are effectively designed to meet agreed-upon levels of service to users. Risks vary with regard to 1) likelihood of occurrence and 2) severity. For example, the likelihood that a company’s headquarters might be destroyed is remote; however, the impact would be severe. In contrast, the likelihood of incorrectly applying a cash receipt is much higher, but the severity of such an error is much lower. So, it is important to keep in mind that likelihood and severity influence risk management.

Internal controls (2130)
Internal controls manage risk. An internal audit itself is a form of internal control because it evaluates the design and effectiveness of internal controls and develops recommendations for improvement. Much of the focus of internal audit work is risk assessment: determining inherent risks, identifying mitigating controls, evaluating control design effectiveness, testing control operating effectiveness and evaluating the nature and severity of residual risks, if any. Internal auditors must be highly skilled in 1) the assessment of risk and 2) the internal control techniques and tools that mitigate risk. Internal auditors must also be highly skilled in the standards, policy and functional areas they are evaluating (e.g., Generally Accepted Auditing Standards, IT network management, privacy laws, manufacturing processes, industry issues). They need to be able to assess risk in these areas and to identify appropriate controls. (1210)
An important internal control principle is that the cost of controls should not exceed their benefits. Productivity should be a major consideration when evaluating specific control techniques and tools. When properly designed and, where possible, integrated into routine operating procedures, controls will enhance productivity through the prevention and detection of errors, omissions and irregularities. The continuing operation of controls will be more reliable. Costs will be reduced through improvement in 1) exception handling, 2) appropriate and timely decision-making based on reliable and relevant information, and 3) confidence in the results of processing, reporting and management actions.
One undervalued attribute of a strong internal control system is accountability. By ensuring that properly segregated duties are appropriately aligned with access to information assets (e.g., IT application systems, data, etc.), management protects employees from the temptation of engaging in improper actions. This aspect of internal control is fundamental to preventing fraud.
Types of internal audit service delivery
Grant Thornton delivers internal audit services in three fundamental ways:
• Outsourcing – Grant Thornton performs the entire internal audit function.
• Co-sourcing – Grant Thornton augments an existing internal audit group through additional people and skills (e.g., IT auditing, privacy, fraud, industry, etc.).
• One-off Projects – This is a variation on co-sourcing where Grant Thornton provides internal audit resources for specific projects.
Types of service offerings
Our internal audit services help in the creation and implementation of internal controls that safeguard our clients’ business assets, as well as increase the efficiency, effectiveness and overall performance of the internal audit function. (1010) These services include the following:
• Internal audit transformation
• Information technology auditing
• Process mapping and assessment
• Operational audits
• Quality assurance reviews
• Internal controls documentation and testing
• Specialized audits
• Start-up and development advice
• Internal audit training
• Annual audit planning
• Risk assessments
• Fraud risk assessments
Training requirements (1200 series)
Prior to being a team member for an internal audit engagement, firm staff and managers should complete Grant Thornton University courses to ensure basic internal audit knowledge. More advanced courses may be taken to enhance staff and management knowledge of the internal audit process as well as other technology, process and industry subjects, but they are not prerequisites to serving as a team member on internal audit engagements.

IIA Standards (1)
Conformance with The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) is essential in meeting the responsibilities of internal auditors and the internal audit activity. The purposes of the Standards are to
1. Delineate basic principles that represent the practice of internal auditing;
2. Provide a framework for performing and promoting a broad range of value-added internal auditing;
3. Establish the basis for the evaluation of internal audit performance; and
4. Foster improved organizational processes and operations.
The Standards are principles-focused, mandatory requirements consisting of
• Statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of performance, which are internationally applicable at organizational and individual levels.
• Interpretations, which clarify terms or concepts within the statements.
The structure of the Standards is divided between Attribute and Performance Standards. Attribute Standards address the attributes of organizations and individuals performing internal auditing. The Performance Standards describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured. The Attribute and Performance Standards apply to all internal audit services.
(1) IIA Standards are parenthetically referenced throughout the Guidebook where appropriate.
Implementation Standards are also provided to expand upon the Attribute and Performance standards, by providing the requirements applicable to assurance (A) and consulting (C) activities. Note: When performing consulting services, the internal auditor should maintain objectivity and not assume management responsibility. (1120)

IIA Code of Ethics
The purpose of The Institute of Internal Auditor’s Code of Ethics is to promote an ethical culture in the profession of internal auditing. A code of ethics is necessary and appropriate for the profession of internal auditing, based on the trust placed in its objective assurance about governance, risk management and control.
This Code of Ethics applies both to entities, such as Grant Thornton and our clients, and individuals that perform internal audit services. The fact that a particular conduct may not be mentioned in the Rules of Conduct does not prevent it from being unacceptable or discreditable, and therefore, the IIA member, IIA certification holder, or Grant Thornton employee can be liable to disciplinary action. Adherence to the IIA’s Code of Ethics is mandatory for all Grant Thornton BAS internal audit practitioners. The practice leaders in conjunction with the respective regional solution group leader are responsible for ensuring that all BAS internal audit practitioners have acknowledged their review and agreement to adhere to the Code of Conduct upon hiring.

Additional IIA Guidance
In addition to the Standards the IIA has published “strongly recommended guidance” which provides internal auditors with detailed assistance in the implementation of the IIA Definition of Internal Audit, Code of Ethics and Standards. This “strongly recommended guidance” is available to all IIA members on the IIA website and includes:
• Position Papers – to assist internal audit practitioners and others in understanding significant issues in governance, risk and controls and the related roles and responsibilities of the internal audit function. Current position papers include:
  − Role of Internal Auditing in Enterprisewide Risk Management
  − Role of Internal Auditing in Resourcing the Internal Audit Activity
• Practice Advisories – to provide detailed approaches, methodologies and considerations related to specific international, country or industry-specific issues as well as engagement-specific and legal/regulatory issues.
• Practice Guides – to provide detailed guidance on processes and procedures, tools and techniques, programs, and step-by-step approaches for conducting internal audit activities. Practice Guides are organized into three sections:
  − General Practice Guides (PG)
  − Global Technology Audit Guides (GTAG)
  − Guide to the Assessment of IT Risk (GAIT)
Common service delivery methodology
Overview (2040)
Grant Thornton’s Business Advisory Services has adopted a common service delivery methodology for all BAS service offerings, including internal audit.
This methodology:
• is based on best practice standards, compliant with the Institute of Internal Audit and other professional standards;
• has been developed to address risk management and control assurance requirements;
• uses a standard, risk-based approach to audit, supported by detailed guidance;
• facilitates a fully planned audit program, developed in advance of fieldwork using partners and managers in the process to utilize their experience to ensure audit effort is correctly targeted;
• includes stringent quality control procedures to ensure that our report findings and conclusions are supported by the detailed work; and
• uses highly qualified, trained and properly supervised staff. (1210, 1230)
The graphic depicts the BAS common service delivery methodology, and accommodates both audit services, such as internal audit, as well as solution services, which may involve the design and implementation of deliverables (e.g., information security architecture, IT asset management, data mining systems, etc.). This common service delivery methodology presents the internal audit as an end-to-end engagement process. It is divided into two “stages” (Pre-fieldwork and Fieldwork) with a life cycle of interrelated “phases” starting with Determine Client Needs through to Evaluate. The three bottom arrows represent ongoing activities that happen through several phases. Note the Implement phase is grayed out. For independence reasons, the Implement phase is typically not directly relevant to delivering internal audit services. But it appears in the methodology framework in order to reinforce the fact that internal audit findings and recommendations (articulated in the Report and Recommend phase) should be expressed in a way that promotes successful implementation by clients. As the diagram shows, the ongoing activities span multiple phases. For example, Determining Business and Technology Context is important to understanding the environment in which a client operates, which, in turn, influences the nature and severity of potential risks, the nature of mitigating controls and the potential success of improvement recommendations. Carrying out these activities starts during initial contact with the client (Determine Client Needs) and continues through the Scope and Arrange Work, Plan, and Analyze and Assess phases. Each phase and the ongoing activities of the internal audit service delivery methodology are explained in the remainder of this Guide.
Determine client needs
Objectives and key tasks
This phase occurs during the Pre-fieldwork stage. We can learn that an existing or prospective client has a need for internal audit services through a variety of channels:
• Grant Thornton contact with members of management or the audit committee
• Direct solicitations by Grant Thornton in connection with marketing campaigns
• The receipt of requests for information (RFI), requests for proposal (RFP), or less formal inquiries
Communications with clients or prospects during this phase are typically the responsibility of Grant Thornton partners and managers having internal audit delivery experience and, often, experience in the client’s industry. Other Grant Thornton personnel with skills and experience relevant to the client’s needs (e.g., industry matters, regulatory matters, functional expertise, IT, etc.) may also be involved.
Here are the objectives and key tasks occurring during the Determine Client Needs phase:
1. Thoroughly prepare for the initial and follow-on meetings with prospective clients (leveraging Grant Thornton contacts, available company information and third-party business intelligence resources) to provide a foundation understanding of the organization, its industry and other circumstances, events and trends that not only provide a relevant context for understanding the client’s needs and our services, but also demonstrate our professionalism and care.
2. Listen to and understand the client’s articulation of the issues, opportunities and risks that are prompting the need for internal audit services.
3. Translate the client’s needs into general internal audit engagement issues and deliverables to ensure a) Grant Thornton services are relevant, b) we are capable of performing desired services and in the time frame needed, and c) our services are well-tailored to address the client’s specific needs. (1200)
4. Preliminarily determine whether any issues exist that would preclude or argue against Grant Thornton providing internal audit services to the client (e.g., independence, ethics considerations, service capacity, skills, experience, profitability, client reputation).
5. Based on the above, determine the desirability to pursue the service opportunity.
6. Obtain preliminary approval to pursue a client / engagement relationship through discussion with the BAS regional partner (and subject matter experts, where appropriate).
7. Establish and strengthen professional relationships with the client or prospect to promote confidence in Grant Thornton’s ability to understand the client’s needs and effectively meet or exceed those needs.
8. Gather additional information, as needed, through interviews and review of documentation (e.g., RFP, annual report, company website) consistent with activities in Determine Business and Technology Context, and to facilitate performance of the Scope and Arrange Work phase.

Relationship with other phases and activities
The Determine Client Needs phase provides direct input to the following related methodology phases and activities:
Scope and Arrange Work Phase
Assuming Grant Thornton can serve the client, information gathered in the Determine Client Needs phase facilitates development of a tailored proposal/letter of engagement that must meet the client’s expectations, be profitable for Grant Thornton and protect the Firm’s interests.
Determine Business and Technology Context Activities
Information gathered during initial discussions with the client helps build a context that is important to developing a tailored set of services and facilitating audit execution (see pages 36-37).
Manage Engagement Performance, Quality and Risk Activities (1100 series)
Determining the client’s needs helps in the assessment of independence, ethical considerations, service capacity, skills, experience, profitability, client reputation and other matters that we must consider before making a decision to deliver services to the client (see pages 38-39).
Scope and arrange work
We must first determine the scope of the project, as communicated by the prospective client. The appropriate level of partner, manager and competency expertise must be included during the scoping effort.
The sequence of key tasks in this phase is to
• complete conflicts, independence and background checks begun in the Determine Client Needs phase, as needed;
• prepare a draft proposal responsive to the prospective client’s needs, incorporating the BAS standard legend covering confidentiality, restrictions on use and nonbinding commitment;
• deliver and discuss finalized proposal with the client;
• upon acceptance of our proposal by the client, initiate the client / engagement acceptance process using the Advisory Services Engagement Acceptance (ACEA) tool, including the following documents in the ACEA file –
  − Form 1 profitability tool
  − documentation of successful independence, conflicts and background checks
  − draft engagement letter (or statement of work [SOW] under an existing Master Services Agreement [MSA])
• obtain approval(s) through ACEA before finalizing the Engagement Letter and before beginning fieldwork.
Prepare proposal and engagement letter
In the proposal we describe our understanding of the client’s needs for internal audit work. The proposal is the precursor to the engagement letter. If the client accepts our proposal, we translate it into an engagement letter with any modifications agreed to by the client and us. Any proposed modifications to our standard terms and conditions must be reviewed and approved by our Risk, Regulatory and Legal Affairs (RRLA) group. The engagement letter includes all the contractual terms that we typically do not put into a proposal. The engagement letter then becomes our roadmap for what we do. Once we are in the field, we go back to the engagement letter as the foundation for what we do. The aim is to do precisely what we have agreed to do. (2201 & 2020)
Engagement acceptance procedures (1210)
Before a proposal can be sent to a prospective client, it must be approved and signed by a partner or managing director, preferably the individual who will lead the engagement should we win the work. The engagement letter should also be signed and approved by the engagement partner or managing director who is responsible for signing off on the quality and service delivery aspects of the engagement.
In the engagement acceptance process, there are certain points at which we decide to go forward or not with the whole process of entering into a contractual relationship with the client. This is “client acceptance” rather than engagement acceptance, and requires a different time and materials investment. There are cases where we have completed client acceptance, but then obtain a significantly different project from what the acceptance was based on. In such cases, we must go through engagement acceptance again. There are two different forms of engagement or client acceptance. One is assurance or audit engagement acceptance and the other is BAS client or engagement acceptance. As a BAS practice, we deliver attestation services (other than financial statement audits), such as Service Organization Control (SOC) examinations, performance of agreed-upon procedures and audits of compliance with agreements and standards. These attestation services must go through audit client engagement acceptance using the client acceptance function in the VIS Tracking tool. Internal audit services go through the Advisory Services Engagement Acceptance (ACEA) tool. After engagement acceptance procedures are complete and an engagement letter has been signed, a client/assignment is set up in CMS to capture fees and expenses.

The internal audit charter (1000)
If an internal audit charter exists, we examine it during the Scope and Arrange Work phase. If it does not exist, then we work with management to develop a charter as part of the Planning phase. Elements of the internal audit charter include
• Purpose, approval and role of internal audit
• Responsibilities of management
• Responsibilities of internal audit
• Relationship with external auditors
• Status, scope and authority of internal audit work
• Planning and reporting
If the client engagement is an outsourced or co-sourced internal audit function, consideration should be given to creating an internal audit charter. The internal audit charter sets out internal audit’s purpose, authority and responsibility. It should be consistent with aspects of the terms of reference of the audit committee in respect to the internal audit. The internal audit charter is not a replacement for the engagement letter. The engagement letter sets out our terms of business to which the client commits and is a legal document or contract. The charter should be prepared by the engagement manager, reviewed as appropriate, signed off on the engagement checkpoints and reviewed by the audit committee. In practice, the internal audit charter may be drafted at any stage during the Planning phase. (1010) Additionally, the engagement partner / managing director or acting chief audit executive (CAE) for the client should discuss the definition of internal auditing, the Code of Ethics, and the IIA Standards with senior management and the board. (1111) The client may already have an internal audit charter, which we may have obtained and reviewed as part of the pre-appointment research, from interaction with the client, or during the Determine Client Needs phase. In this instance, we should review it for content and ensure our relationship is covered.
On an annual basis, the engagement partner should consider the applicability of the content of the charter to ensure it reflects the services being delivered, and continues to enable internal audit to accomplish its objectives. (1110)

Non-conformance with the Standards (1322 & 2431)
In a co-sourced engagement Grant Thornton must determine whether the client’s internal audit function conforms to the IIA Standards. In situations where the client’s internal audit function does not conform to the Standards the engagement team should consult with the engagement partner and client contact to determine and disclose the following:
• Principle or rule of conduct of the Code of Ethics or Standard(s) with which full conformance was not achieved
• Reason(s) for nonconformance
• Impact of nonconformance on the engagement and the communicated engagement results.
Plan
Determine the audit universe
In developing the audit plan, we determine what will be audited. In an out-sourced internal audit engagement we take the information that we learn about the company through early discussions with management and outline the areas that should be audited to support overall enterprise risk management. The audit universe might include
• Processes
• Departments
• Functions
• Product lines
• Legal entities
• Supplier/vendors
• Major contracts
• Laws and regulations
• Information systems
• Stock transactions
• Senior management/board policies and procedures
In a co-sourced internal audit engagement the client may determine the particular areas to cover or may ask for our assistance with this process. For example, the scope of work might involve information technology and manufacturing processes. We start with a high-level view of the audit targets.
Within the actual audit, we might develop work programs in several areas. Each program will have specific objectives, a scope and procedures to be performed. (2200) The way management has defined the role of internal audit plays a part in determining how detailed the audit will be. Is management looking for an overview with only highlights? Or do they want an in-depth analysis of a specific area where they have questions and concerns? The approach will depend on how much responsibility is assigned to the process owner within the company to develop process-based remediation vs. how much management wants the internal audit to identify the root cause of a problem and develop specific remediation for that root cause. The type of engagement (out-sourced vs. co-sourced) and the amount of detail required by management will determine what Grant Thornton does.
To assess timing, we need to think through management’s availability and the availability of personnel who will be involved. We also need to take into account our own internal resources. (2230) We must establish what skill sets will be required. We must consider the tools and technology that we want to use, particularly any tools that may intrude on the client’s technology environment. We may need analytical tools like Access or ACL to analyze transactional data. (2030)
Planning includes selecting an appropriate framework to evaluate what we plan to audit or determining the framework used by the client (in a co-sourced engagement). If we will be auditing controls over financial reporting, then the framework might be COSO. If we plan to do a detailed audit of IT, it might be a combination of COSO and COBIT. If we are going to audit infrastructure management and IT operations, it might be ITIL. If we are going to audit the client’s ability to develop software, it might be CMM. Grant Thornton must follow an evaluation framework in order to produce a gap analysis that will provide useful feedback to the client. (2200)
Applying the Quadrant Model

The Quadrant Model is a visual way to represent large amounts of information from risk assessments that we conduct. We assign relative weight to the risks that we have identified based on Likelihood and Significance. The audit plan should consist primarily of those things that show up in the top right quadrant, which means that there is a high likelihood they will occur with significant adverse effect on objectives. (2210)

The model provides a sustainable, replicable assessment tool, as well as an inventory of enterprise risks for ongoing and continuous monitoring, evaluation and prioritization. As the assessment and analysis matures, the tool will also evolve and mature. This approach will arm you with a flexible, but sound foundation upon which to build.

Results clients see in the quadrant analysis often surprise them. Pictures often communicate better and more quickly than words. Using the model, we can say, “Look at the top right quadrant. The dots that are in that quadrant are the ones about which you need to be concerned.” The model can be used either for risks that are preliminarily determined or for residual risk that we see as part of the audit process. It is primarily used early in the risk assessment.

The model helps clients take ownership. Internal audit is sensitive and we like to keep the lines very clear between management’s and Grant Thornton’s responsibilities. We do this by gaining management’s solid agreement on our assessment of the risks in the organization.
For public clients, we typically see Sarbanes-Oxley compliance items in the upper right quadrant. If it is a non-public entity, but falls within some other regulatory body (for example, HIPAA), compliance with the applicable regulatory standards appears in the upper right quadrant. If it were a financial services company, for example, it would be Gramm-Leach-Bliley compliance items. Audits of any financial applications would also be in the upper-right quadrant.

Assessing risk in different categories

There are several categories of risk:

• Financial risk (price, liquidity, credit)
• Operations risk (capacity, cycle time, sourcing)
• Information processing/technology risk
• Integrity risk (fraud, unauthorized use, reputation)
• Compliance and legal risk

By thinking through each of these categories while conducting the Risk Assessment Exercise, we identify a variety of risks that are pertinent to the organization. It is important to keep in mind that the end goal is to make certain the client’s management understands the level of importance each risk presents to the organization. Clients frequently have difficulty quantifying their risks. For instance, every company worries about its reputation. They do not want to see their name on the front page of the newspaper for the wrong reasons. But management only has control over what they know, so we help them to ask, “What do we not know?” In this way, internal audit becomes very valuable.

Entity-level risk assessment

The internal audit plan should be designed based on an assessment of risk and exposures that may affect the client’s organization. On engagements where Grant Thornton is responsible for determining and documenting the audit universe to be covered, we accomplish this task by performing an entity-level risk assessment. Components of the entity-level risk assessment can often be identified from the organization’s strategic business plans. We identify reporting units in order to evaluate internal controls. We segregate the identified reporting units into those for which we will perform controls documentation and evaluation work now, and those which will be deferred or excluded. We next identify key processes and where they are performed in the organization. We obtain the client’s materiality threshold.

While not specifically associated with any reporting units or key processes, we must also consider the risks within the organization related to the tone of ethics and values and the underlying information technology that supports the organization’s strategies and objectives. The assessment of these areas should be considered in the creation of the audit plan and results communicated within the organization and with external auditors similar to other audit committee communications. (2110 & 2050) We obtain management or audit committee approval and, if appropriate, we meet with the external auditor to review the entity-level risk assessment and materiality.

Facilitated sessions with key members of management
During facilitated sessions, we gain in-depth understanding of the processes being audited and identify the internal controls in place within the processes. Facilitated sessions are also a means of fully pinpointing activities that are in place to mitigate the risks that we initially identified. They serve as a way to build a relationship with management by showing that the internal audit is not an exercise done in isolation, but something that requires management’s involvement. Facilitated sessions can also provide more detailed information when data do not correlate or when more information is needed to fully understand answers to questions that we asked earlier. Facilitated sessions provide opportunities to ask follow-up questions.

Risk Ranking Exercise

The Risk Ranking Exercise revolves around the Quadrant Model. It takes all the information that we have gathered and puts it into perspective. As an exercise, we work with management to define the criteria that will be used to evaluate audit areas. For example, the criteria could involve the size of the business unit (either from a revenue or inventory standpoint) or the volume of transactions that have been processed through the business unit since the previous audit. An overall ranking may be assigned to the criteria. When we execute the audit plan, we do the risk assessment followed by the risk ranking, define the criteria used to evaluate what has been ranked, and determine the numbers and plot them on a graph.

Factors we use when ranking include:

• Audit history
• History of losses
• Human capital
• Management oversight
• Monitoring activities
• Organizational structure
• Quality of internal control system

Frequency is also an important aspect of risk ranking. Processes with higher risk ratings will be reviewed more frequently. This phase is complete after we validate our findings with management.

Internal audit work plan (2240)

We next prepare an internal audit work plan, which includes:

• Items listed in the proposal
• Milestone checkpoints
• Identification of skill sets needed to execute the audit
• Audit responsibility assignments – mobilize team
• Project status time tracker (the manager must be provided with regular status reports, including a summary of hours incurred, estimate of future hours, and budget vs. current status)

We need to determine the processes within each business cycle or department selected for auditing that will be included within the scope of our testing. Significance and likelihood come into play here. (2201) Audit cycles are determined by how we divide the audit universe into operational segments. The situation determines the process. We ask what things will influence what we should do first.
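An added example, not from the guidebook, that scores a constructed audit universe with the ranking factors listed above, places each area in the Quadrant Model by Likelihood and Significance, and derives review frequency from the rating. The factor weights, the 1-to-5 scales, the 3.0 quadrant boundary and the frequency table are assumptions made for the example, not values the guidebook gives.

```python
"""Quadrant Model / Risk Ranking worked example (added; not the Firm's tool).

Assumed scheme: each ranking factor is scored 1 (low risk) to 5 (high risk) with
management's agreement, the weighted factor score becomes Likelihood, and
Significance is scored 1 to 5 from business-unit size and transaction volume.
"""
from dataclasses import dataclass, field

# Ranking factors named in the guidebook; the weights are an assumption.
FACTOR_WEIGHTS = {
    "audit_history": 0.15,
    "history_of_losses": 0.20,
    "human_capital": 0.10,
    "management_oversight": 0.15,
    "monitoring_activities": 0.15,
    "organizational_structure": 0.10,
    "quality_of_internal_control": 0.15,
}
QUADRANT_THRESHOLD = 3.0  # assumed midpoint of the 1-to-5 scale
QUADRANT_ORDER = {"top-right": 0, "top-left": 1, "bottom-right": 2, "bottom-left": 3}


@dataclass
class AuditArea:
    name: str
    significance: float                          # 1 (low) .. 5 (high)
    factors: dict = field(default_factory=dict)  # factor name -> 1..5 score


def scores(*vals):
    """Build a factor dict in FACTOR_WEIGHTS order (convenience for sample data)."""
    return dict(zip(FACTOR_WEIGHTS, vals))


def likelihood(area):
    """Weighted average of the ranking factors; higher means more likely to go wrong."""
    missing = set(FACTOR_WEIGHTS) - set(area.factors)
    if missing:  # an unscored factor would silently lower the rating
        raise ValueError(f"{area.name}: unscored factors {sorted(missing)}")
    return round(sum(FACTOR_WEIGHTS[f] * area.factors[f] for f in FACTOR_WEIGHTS), 2)


def rating(area):
    """Risk rating used for ordering: likelihood x significance."""
    return likelihood(area) * area.significance


def quadrant(area):
    """Place the area on the Likelihood (x) / Significance (y) grid."""
    high_l = likelihood(area) >= QUADRANT_THRESHOLD
    high_s = area.significance >= QUADRANT_THRESHOLD
    if high_l and high_s:
        return "top-right"      # audit plan priority
    if high_s:
        return "top-left"
    if high_l:
        return "bottom-right"
    return "bottom-left"


def review_frequency(area):
    """Assumed mapping from quadrant/rating to audit cycle."""
    if quadrant(area) == "top-right":
        return "annual"
    if rating(area) >= 6:
        return "every 2 years"
    return "every 3 years"


def rank_audit_plan(areas):
    """Top-right quadrant first, then the other quadrants, highest rating first."""
    return sorted(areas, key=lambda a: (QUADRANT_ORDER[quadrant(a)], -rating(a)))


# Constructed sample audit universe (not client data).
SAMPLE_UNIVERSE = [
    AuditArea("Accounts payable", 5, scores(4, 4, 3, 2, 3, 3, 4)),
    AuditArea("Payroll", 4, scores(1, 1, 2, 2, 1, 2, 1)),
    AuditArea("Travel expenses", 2, scores(4, 3, 3, 3, 4, 3, 3)),
    AuditArea("Fixed asset register", 2, scores(2, 2, 2, 2, 2, 2, 2)),
]

if __name__ == "__main__":
    for area in rank_audit_plan(SAMPLE_UNIVERSE):
        print(f"{area.name:22} L={likelihood(area):.2f} S={area.significance} "
              f"{quadrant(area):12} review {review_frequency(area)}")
```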
Writing the plan (2240)

Writing the plan means writing the work program. A good plan summarizes what the team will do. We take the information that we have learned and put it into action steps. Is our goal to execute a formal walkthrough? Is it to obtain reports and perform an analytical review? Is the goal to identify trends through analysis? The plan specifies the steps that we will take; for example:

• Obtain the information we need.
• Analyze the information.
• Document our analysis.
• Follow up with the process owners and make recommendations for improvement. (2300, 2310 & 2320)

What we report, with whom we talk and how detailed we make the walkthrough will change with each audit. The testing scope (or walkthrough scope) depends on how detailed the audit will be. For instance, when the client asks for an internal audit that is “a mile wide and an inch deep,” the walkthrough will be very important and the testing will be a simple validation. On the other hand, a more in-depth “deep dive” audit plan will be fluid and focus on specific audit areas.

A well-written work plan has certain standard parts: (2220)

• A brief overview of what is to be audited so that the person executing the audit has a good framework to follow
• A well-tailored set of audit objectives
• Work program steps that are consistent with the audit objectives

When the work plan is complete, the budget is revised as needed.

Managing the audit quality and risk

The plan should go through an approval process within the engagement team, led by the manager or the partner. The purpose is to confirm that the work to be performed will be consistent with the engagement team’s expectations.

Final internal planning meeting

Prior to the start of fieldwork, the complete internal audit team meets to discuss the internal audit work plan, their assignments and expectations. All team members should become familiar with the engagement letter and gain a thorough understanding of the client. Following the meeting, the internal audit annual work plan and schedule are finalized and submitted to senior management and/or the board for review and approval.

Kick-off meeting with client

The kick-off meeting will:

• introduce the Grant Thornton internal audit team, as well as describe the various types of audits to be conducted,
• explain the internal audit process to management,
• confirm the nature and scope of the audit plan,
• identify the timetable to management and gain their agreement,
• explain how we will document our work,
• discuss best ways to meet with members of the management team for interviews,
• discuss logistics for accessing records,
• describe how we will make recommendations, and
• submit the PBC (Prepared By Client) document request list.
Determining staffing, time and field requirements (2230)

We need to ask the following:

• Who will do the work?
• How much time will it take?
• Are field requirements in line with our arrangement letter with the client?

Refine requirements with the client if necessary. An important aspect of determining staffing, time and field requirements is whether the internal audit is an outsourced or co-sourced arrangement. The nature of the arrangement will determine the resources that will be needed from the client’s perspective. The nature of the arrangement will also determine the client’s and our responsibilities. In a co-sourced arrangement, the client’s responsibility is greater; in a fully outsourced arrangement, the majority of the responsibility falls to Grant Thornton.

In the selection of staff, the following must be considered:

• Independence and objectivity toward the engagement
• Relevant knowledge and skills (e.g., auditing techniques, IT, business processes)
• Experience with client and industry (1120, 1130, 1200, 1210)

Independence and objectivity are considered to be impaired if prospective staff members have previously been responsible for specific client operations; for example, staff that have been in a loan staff arrangement with the client in the past. (1100) The engagement partner or managing director should assemble a team with the level of experience and competence appropriate for the engagement’s nature, size and complexity. In some cases, a request for personnel from another region or from another Firm solution or competency area may be necessary. For example, when reviewing IT applications, it may be necessary to involve a person with appropriate IT skills.

The intersection of pre-fieldwork and fieldwork

Pre-fieldwork is carried out by Grant Thornton personnel. We assign and tailor the roles and responsibilities that each person will have on the engagement. We discuss the areas to be audited, the goals and objectives. We also discuss with the client any issues that may have surfaced that may have an impact on our audit, including resource limitations. This discussion is particularly important when we are the co-source and outsource partner. When we are a co-source partner and there is an existing internal audit department with its own leadership, our role is more limited and functions in the background.
Analyze and assess

What are the unique aspects of executing internal audits?

In an internal audit, as opposed to a traditional financial statement audit, we are not substantiating or validating numbers in the financial statements. Depending upon the objectives of an internal audit, our goal instead may be to identify control weaknesses and process improvement opportunities in the control environment. We want to identify the reasons for the control weaknesses and provide recommendations on how to mitigate them. As part of our process, we go through facilitated sessions with management to understand the processes and to identify the controls that are in place. We may draw on available intelligence to develop survey questionnaires. We document our understanding and use it to develop our audit and test plans. We may make recommendations that come in the form of process improvements or cost containments.

Internal audit does not focus on what the number is, but instead how the number got there. We develop most of our information as we move through the initial documentation, walkthrough narratives and process flows. Because we are auditing a process, not merely checking numbers, the execution of an internal audit is always in flux. Our staff and the clients must work in a fluid fashion throughout the process because it may change as the audit progresses.

Most people on the client side are reluctant to undergo an internal audit. They resist someone telling them they are doing something wrong or they could have done something better in the past. Personal pride comes into play. We have to manage egos. We have to manage perceptions. We always walk a tightrope because we need to be candid when giving management the information that they need to run their business better, but we do not want unnecessarily to damage the client relationship. We do not want to be seen as only offering criticism or censure in our analysis. Our aim is to improve the client’s business.

In internal audit, we are objective advocates for an internal constituency, whether management or the audit committee. We are applying our audit abilities, common sense and industry skills.

Financial audits represent one type of audit, but there are many other types. In contrast to financial audits, internal audits vary widely as to nature and objectives.

Types of audits

When conducting an internal audit, it is important to recognize that there are three types of audits: financial, operational and compliance.

Financial Audits

Financial audits deal with determining the appropriateness of accounting treatment and the fairness of financial reporting (management assertions) based on conformity with Generally Accepted Accounting Principles (GAAP). The most prevalent type of financial audit is the one performed by an independent accounting firm of an organization’s financial statements, which results in the accounting firm issuing an opinion on the financial statements, typically included in the company’s annual report to shareholders. If the audit is of an SEC registrant that must comply with the Sarbanes-Oxley Act of 2002, the independent audit also opines on the adequacy of internal controls over financial reporting. These are commonly known as integrated audits because they combine opinions on both financial statements and internal accounting controls.

In performing the financial audits, the auditor may perform two types of tests: Account Balance (substantive) tests and Control tests. The first kind of testing deals with verifying the accuracy of an account balance. The latter is concerned with the existence and functioning of controls in order to reduce the amount of substantive testing. The objective of the test is merely to determine whether the control is functioning effectively and not whether the control is the best one possible (e.g., the most efficient control).

Operational Audits

Operational audits seek to determine whether an organization’s operations are being run efficiently and effectively. It is challenging to write explicitly stated management assertions concerning operational audits. The focus is usually on understanding whether management is efficiently and effectively conducting business, or components of it, based on its policies, goals and objectives. Likewise, it is difficult to identify established criteria for operational audits. Usually, the overarching criterion used is good business common sense. Operational audits are much less structured and more customized for each individual audit than financial audits.

The typical operational audit engagement may include a comprehensive review of the entire organization or be limited to determining whether the business processes and related controls in place are the most efficient and effective possible. The value of operational audits lies in the potentially significant savings a company can generate in terms of reduced costs and/or better-directed operations. For this reason, most progressive organizations have an active operational auditing function.

Compliance Audits

The first type of compliance audit determines whether an organization is in conformity with governing laws and regulations, contracts, or its own policies and procedures. An organization faces challenges in knowing whether it is complying with the wide array of laws and regulations that affect its business. Internal auditors can help by reviewing the organization’s compliance with laws and regulations to enable the organization to deal with any instances of noncompliance before they become major problems. Because we are not attorneys, we do not opine or conclude on compliance with governing laws and regulations, such as HIPAA.

A second type of compliance audit entails verifying an organization’s compliance with contracts. Contract audits are becoming more important for companies that outsource significant portions of their operations. Contract audits are valuable to organizations because they can result in the identification of potentially significant cash recoveries from contractors. Where the contracts relate to products and services provided to customers, compliance audits may identify contractual compliance gaps the correction of which may avert potential liabilities, litigation and risks to customer retention.
A third type of compliance audit involves determining whether company policies and procedures are being followed. These audits can be essential to specific activities in specific industries. For example, compliance with safety operating procedures is critical in manufacturing companies.

Process-level risks and existing controls (2200 series)

We begin our assessment by learning more about the processes under review from existing documentation, such as:

• Organization charts
• Policies and procedures documented by the client
• Documentation produced by the independent auditor and regulatory authorities

We then conduct individual interviews or small group meetings to understand process-level functions, determine inherent risks and identify existing controls in more detail: (2210)

• Perform walkthroughs to understand or validate key process functions (including the IT applications enabling those processes), reports and deliverables (documentation of walkthroughs may include narratives and flow charts).
• Analyze the potential (inherent) risks associated with the nature of the processing functions and how they are performed.
• Identify controls (both process and automated, entity-level and activity-level) that mitigate inherent risks.
• Document process performance issues and problems.
• Analyze financial data relevant to the process.
• Analyze company policies related to the process and assess compliance with policies.
• Identify specific controls in place to address fraud.

At this point, process maps are developed, if needed, to map controls within the IT and manual processes to associated risks. The maps address the frequency of controls and the risk of fraud. With the information now available, we identify and evaluate process-level risks that may have significant exposure, and rank the risks based on significance and likelihood.

While completing each individual audit or consulting engagement on the audit plan, engagement teams must remember to review each risk identified in consideration of improving (typically optimizing rather than maximizing) the overall risk management process of the organization. The compilation of individual engagement risk evaluations supports an overall assessment of management’s risk management and should be documented and communicated as appropriate. (2201)

Control ratings

We next complete the control ratings, including:

• Control classification
• Control frequency
• Control automation
• Importance
• Cost rating
• Design effectiveness
• Operational effectiveness
• Related assertions
• COSO model elements
Design Effectiveness Evaluation

We now need to determine whether the risk responses (i.e., controls) are adequate to manage the relevant risks. A key part of our internal audit work is to evaluate whether the identified controls are likely to be sufficient and effective to manage the identified risks if they are operating as intended. This element of our internal audit assignment work is critical and must be carried out rigorously. We should make the following assessment of control design:

• Adequate - covers the risk to an acceptable level
• Effective - manages the risk if operating as described

As part of our review of the design effectiveness, we should (through the interviews and documentation reviewed to identify risks and controls) aim to understand how the hierarchy works together (i.e., foundation, specific and monitoring). We will also need to keep in mind who is responsible for implementing the control, their capability of performing allocated tasks and any impact of skills deficiencies. The team member should apply his or her judgment and experience to objectively conclude on the appropriateness of the design of controls.

Throughout this process we should retain any client documentation obtained and the documentation developed by the Firm in the engagement file to complete the process maps and design effectiveness assessment. Additionally, file notes on any changes in scope and approach should be retained. (2330) The conclusion on design effectiveness should be clearly stated and a detailed description of how we arrived at our conclusion should be included in the documentation retained. The engagement manager should review and approve this documentation and conclusion prior to any testing being completed. (2340)
Testing strategy/approach

We begin by targeting process measures and controls to be validated and work with the client to identify control characteristics they will use to differentiate primary controls from supporting controls. The next steps are to:

• Identify test locations
• Define approach (e.g., inquiry and observation, sampling, computer-assisted auditing techniques [CAATs], reperformance)
• Define testing issues and criteria
• Clarify with client who is to create test procedures (obtain engagement partner’s approval)
• Review and obtain sign-offs of the test approach and key controls. (As appropriate, obtain sign-offs from senior management, external auditor, engagement partner, QA partner.)
• Create test procedures/cases/scenarios
• Schedule and conduct tests
• Document test results

CAATs should be considered when developing approaches to testing. CAATs can assist in selection and automation of testing to obtain efficiencies (where relevant) and expanded coverage. The use of CAATs requires consideration at the assignment planning stage to allow for the appropriate data to be identified and obtained. Engagement team members should consult with a partner or manager when CAATs are being considered to ensure that the approach is valid and meets the test objectives. Particular attention should be given to the relevance, completeness and integrity of the company data acquired for automated analysis and testing. The logic and integrity of the CAAT routines applied to the data should similarly be subjected to rigorous review and testing. Due professional care enhances the reliability of test results and related findings and recommendations.

CAATs can provide significant efficiencies to the audit as well as providing greater assurances in circumstances where 100% of the population can be tested. Where a control is automated and we are confident of the IT general controls throughout the period under review, a sample size of one may be appropriate. Consultation with your engagement manager on IT sample sizes should be undertaken. Testing methodology is based on frequency of controls (see Figure 2).
Test plans

When determining controls to test, the higher the level of control reliance, the more important it is for the risk responses to be operating effectively. This is a key context for developing the test plan and for interpreting the outcome of test results. We only test the controls assessed as being designed effectively. This is because if the design of the control does not mitigate the risk, then the test results have no meaning. Responsibility for developing the test plan normally rests with the assignment lead. In designing the tests to be performed, the assignment lead must consider the following:

• Audit test objectives
• The testing methodology to be applied
• The sample size to be used and method of selection
• The period of operation that should be tested
• The impact of the control hierarchy

Once test procedures have been developed, they should be reviewed by the engagement manager before the testing begins. Once approved, tests are performed to determine whether the risk responses/controls documented are operating effectively. The control objectives and instructions for testing, as documented in the individual test work papers (see below), should be reviewed and understood fully prior to performing the tests. In documenting our testing, the following elements should be captured in the test work paper for each test/evaluation: (2330)

• Client name
• Testing period
• Relevant risk from risk register/audit and risk assessment
• Control/test objective (the subject of the conclusion)
• Purpose of risk response, relating it back to the risk
• Test procedure covering all the control attributes
• Sample size and selection method (including work performed to validate completeness of the population from which the sample is taken)
• Results of the testing - including columns for document reference for the items chosen and tests performed to confirm the effective operation of the control’s different attributes
• Conclusion as to whether the control objective is achieved as evidenced by the results of the test

The “testing time period” is the period of time the testing should cover. Control occurrences subject to testing typically should be selected from the entire audit period (automated controls may be tested once during the audit period in strong IT general control environments). This will largely depend on the frequency of the control but should not be longer than one year and should be agreed upon with the client.

Where controls have not been in operation for the whole period under review, the following should be considered and appropriate action taken:

• Should testing also be performed prior to the change?
• Is the control embedded in the operation?
In documenting thetests, sufficient information should be documented / retained to enable a fully independent re-performance and corroboration of test results. Copies of client documentation should only beretained in the engagement file to support the details of any exceptions or to demonstrate the control documentation in practice (one example). Any exceptions should be documented in the individual work paper, discussed with the client, investigated and resolved, or designated as an observation, with an action plan. This should be cross-referenced to the audit findings summary and written report. Draft formal written issues and action plans (2400 series)
Thiswritten material describes what the process is, what it should be, and why a difference exists. It documents the business impact of the difference, and presents a recommended courseof action to correct the deficiency. The recommendations for improvement are documented. We discuss findings with management and consider action plansfor remediation. Each finding and recommendation for a course of action is validated with the process owner and other appropriate management.
26
Supervision of Work (2340)
Throughout the internal audit phases, the acting chief audit executive or engagement partner must ensure that less-experienced and less-knowledgeable staff are properly supervised, including daily interaction to answer questions and a detailed review at each of the following checkpoints:
• Scoping and Planning
• Risk Assessment
• Design Effectiveness
• Operating Effectiveness
• Reporting
All engagement work papers should be reviewed at each checkpoint to ensure they support engagement communications and that all necessary engagement procedures are performed prior to any deliverable being released. Review should be conducted by the assignment manager or assignment partner. There may also be review points where the assignment lead reviews work performed by others. Evidence of supervisory review consists of the reviewer initialing and dating each critical work paper after it is reviewed. Other options to provide evidence of supervisory review include completing an engagement review checklist; preparing a memorandum specifying the nature, extent and results of the review; or documenting the review electronically through the use of workflow software, such as ExpeditionGRC. All review points should be cleared at each checkpoint before progressing to the next stage of the review, and their resolution, where appropriate, should be incorporated into the work papers. No unresolved review points should be retained in the work papers.
Analyze and assess root causes of process operating and control deficiencies
If needed, we complete additional analysis on specific issues to develop steps to improve processes and controls.
Activities and deliverables (2300 series)
Figure 3 shows some typical Analyze and Assess activities and deliverables.
Report and recommend
Reporting
Communications must be accurate, objective, clear, concise, constructive, complete, and timely. (2420)
Final reports (2400)
We draft final reports for supervisory review and approval, ensuring all reports are delivered to the client on a timely basis. The draft report should include
• Executive summary
• Objectives and scope statement
• Background (in general and for each process)
• Summary of procedures performed
• Detailed findings and recommendations
• Management response
• Action plan/owners
• Follow-up procedures
• Appendix: process maps
• Guidelines for use and distribution
Reports for co-sourced and outsourced engagements should also conform to the other elements of communication described in section 7.C.2 of the BAS Manual. Specifically regarding internal audit reports, the engagement team should use the statement “Conforms with the International Standards for the Professional Practice of Internal Auditing” with caution. This statement may only be used if the results of the internal and external quality assurance programs support this statement. (For full details on the quality assurance programs, see Section 7.E in the BAS Manual.) (2430 & 1321)
If the engagement being reported on did not conform to the Definition of Internal Auditing, the Code of Ethics or the Standards, the communication of the engagement’s results must disclose the following: (2431 & 1322)
• Principle or rule of conduct of the Code of Ethics or Standard(s) with which full conformance was not achieved
• Reason(s) for nonconformance
• Impact of nonconformance on the engagement and the communicated engagement results
Where Grant Thornton serves as the internal audit function of an organization (outsourcing or co-sourcing engagements), our reports and supporting working papers are not branded. In the event we are requested to brand our reports, we should make sure to adhere to the limitation of distribution requirements in our engagement letters. We should always first try to issue only “plain paper” reports to management, and they can issue them however they wish internal to the company. (2410)
In both outsourcing and co-sourcing engagements (including one-off projects), our reports and other deliverables are limited to the internal use of management and the board of directors. Any distribution of or reference to our branded reports and deliverables to third parties (including the client’s independent auditors, regulators and outside legal counsel) must be approved in advance by Grant Thornton. Similarly, the client may not associate Grant Thornton with any unbranded reports and deliverables to third parties without pre-approval by the Firm. (2440)
Conclusions/Ratings/Opinions (2450)
Unless specifically discussed and criteria agreed upon with the client (e.g., a co-sourcing engagement where the client uses a standardized rating system for internal audits), we should avoid assigning an overall grade or rating. In no case, other than for an attestation engagement that adheres to the Firm’s attestation standards, should we issue an opinion.
A meeting should be held among members of the Grant Thornton internal audit team to discuss the report. The purposes of the meeting are to
• achieve a common understanding of the audit issues presented in the report;
• see that the results of the work performed, and related documentation, provide sufficient support for client deliverables;
• make certain the actual work performed agrees with the arrangements made with the client;
• review the report for factual or grammatical errors (2420); and
• discuss next steps.
We clear the draft report with the client sponsor and other client personnel (e.g., department auditees), as appropriate, and make revisions if needed. Following approval from the client sponsor(s), we issue the final report to appropriate levels of management. Although the company’s management has the responsibility for internal control communications with its independent auditor, we can discuss internal control concerns with external auditors at the client’s discretion. (For full details on reports, see Section 7.C in the BAS Manual.)
We should make sure that we have timely communications that are to the point and action oriented, which will allow management to take appropriate corrective action. Reporting cycle times will vary by engagement, project and client; however, it should be pointed out that the reporting cycle time should be discussed in advance with the client and managed to ensure relevant information is provided in a timely manner. (2420)
The executive summary
The executive summary is a brief outline of the scope and objectives of the audit and a high-level summary of findings. The goal should be to answer the question, “So what?” It is important to include a call to action in the executive summary.
Management response
The audit findings are the detailed results of the tests and other analyses that have been performed. Management has the opportunity to respond to these findings. There may be mitigating factors of which we may have been unaware or about which we could not have possibly made an assumption. Therefore, management may say, “Yes, those exceptions were there, but we believe they are mitigated by . . .” or, “Yes, we see the exceptions, and this is our plan to make sure these exceptions don’t happen again.” We should never have disagreements with auditees regarding matters of fact, though there may be diverging opinions regarding the implications of audit findings, the severity of risk and recommendations for improvement.
Ancillary recommendations
There may be overall process improvement opportunities that are not necessarily part of our findings, but point to actions management might take. For example, we might see people using paper forms rather than electronic forms for purchase orders. If they were to implement an electronic format, it might be more efficient because they could route for signatures and track electronically. This kind of process improvement recommendation is ancillary to the controls-oriented work.
Higher-level findings
In some cases, we can look at the full results of our tests and produce a “meta-finding.” If we apply our tests to different parts of an overall end-to-end process, we might see a higher-level finding that says, “Collectively, given all the detailed tests, we find that the overall process is not effective. There are some meta-risks for another area that impinge on the effectiveness of the process we are testing.” As part of Grant Thornton’s report and recommendations, we take a broader perspective, looking at the compilation of what we found and addressing higher-level or extrapolated issues.
Errors and omissions (2421)
We have a review and quality assurance process, but if any of the final communications are later found to have contained a significant error or omission, the internal audit assignment leader (partner or manager) should communicate this to all parties who received the original communication.
Management’s acceptance of risks (2600)
Throughout the reporting and management response process, senior management may determine that they are willing to accept certain residual risks. When the acceptance of these risks, from the viewpoint of the acting CAE or engagement partner, is at an unacceptable level to the client’s organization, the CAE or engagement partner should engage in additional discussion with senior management. If after additional discussion the decision regarding the residual risk is not resolved, the matter should be reported to the board for resolution.
Issue tracking (2500)
The audit does not end with the report. Issue tracking means following up to make certain process owners are taking action so issues can be closed and the executive team and audit committee know what has been achieved.
Long-term issue tracking can be difficult. For example, we might recommend that the client needs a disaster recovery plan, although the possibility of something happening is remote. Management might say, “We will accept that risk. We do not want to spend the funds. We do not think it is necessary to institute a disaster recovery plan.” We must keep a list of issues that management has consciously decided to accept as a risk. We do not want someone on the audit committee saying, “Had I known this, I would have forced a change. The company is going out of business and is being sued, and I am looking for somebody to blame.”
Ongoing reporting
When the Firm is providing a co-sourced or outsourced internal audit function, the acting CAE or engagement partner is required to report at predetermined intervals to senior management and the board. Communication should include the following:
• Internal audit function’s purpose, authority and responsibility
• Management’s responsibility for maintaining an effective internal audit activity
• Performance as it relates to the approved audit plan
• Any significant risk exposures and/or control issues, including fraud risks, governance issues and other matters deemed by the acting CAE or engagement partner to be of significant importance
• Other matters as requested by senior management or the board
The frequency of these communications should be agreed upon among the acting CAE, senior management and the board. Additionally, communication methods for issues that require more urgent attention should be determined and agreed upon by the parties. (2060)
Implement
Note the Implement phase is grayed out. For independence reasons, the Implement phase is typically not directly relevant to delivering Internal Audit Services. But it appears in the methodology framework in order to reinforce the fact that internal audit findings and recommendations (articulated in the Report and Recommend phase) should be expressed in a way that promotes implementation by clients.
Evaluate
Client reaction
If management does not agree with the initial recommendation, an alternative solution is discussed and identified. Alternative solutions are typically based on directives from executive management or the board of directors.
Once the client agrees with the recommendation, Grant Thornton may monitor the recommendation status until it is implemented (2500). Recommendations are not considered implemented until verified by Grant Thornton. We might use status codes such as those below to structure the verification process:
• I – recommendation has been implemented and verified
• P – partially implemented (i.e., client agrees to implement the recommendation but has not yet done so)
• N – not implemented and an alternative solution must be developed or a directive from the board or executive management will be required
• W – circumstances cause the recommendation to no longer be valid and the recommendation is withdrawn
Wrap-up
• Finalize working paper documentation related to all work performed.
• Complete the BAS Internal Audit Engagement Checklist.
• Make sure work paper documentation is completed to support the findings that we have communicated, the interview processes that have been carried out, the identification of various controls and activities, our recommendations, and mitigation.
• Organize and index all relevant work papers. All work papers must be initialed by the creator and by a reviewer. These work papers are filed as part of the wrap-up process.
Wrap-up documentation might include organizational charts, information technology diagrams, and lists of various personnel within the organization and their activities, roles and responsibilities.
Steps include the following:
• Prepare and submit completion memo using the BAS template available on the intranet.
• Archive file using appropriate naming conventions.
• Finalize Form 1 and staff performance evaluation forms.
• Distribute a customer satisfaction form (SQM).
One file (electronic, hard copy or combination) should be maintained for the storage of engagement documentation described in section 2.D.1, Required Documentation, in the BAS Manual. The required engagement documentation is to be retained for a period of six years. If any other retention period is to be used, consultation is required with a BAS regional partner, who should consult with the national managing partner – BAS. (2330)
Engagement documentation
It is important to the Firm that we retain all right, title and interest (i.e., “ownership”) with respect to the deliverable(s) developed, including work papers and reports, as outlined in the engagement letter. The standard engagement letter states that the deliverables are solely for the internal use of the client’s management, employees and board of directors. If the client wishes to refer to Grant Thornton or disclose or disseminate in any manner any portion of a deliverable to a third party, the client must have our prior written consent. (Please refer to Section 2.D, Engagement Documentation, in the BAS Manual.)
Confirm client satisfaction (2340)
We should obtain feedback from the client in order to assess our performance and the client’s satisfaction with our work. At the start of the project, we should have determined how to obtain feedback from the client. (If we anticipate a long project, it may be appropriate to obtain feedback at the end of key milestones. This enables the team to address any client satisfaction issues proactively.)
The project team should document survey results or feedback discussions in a memo. If the client is not satisfied, we should determine the specific reasons for dissatisfaction and assess the problem. If the problem is minor and easily addressed, then we should discuss with the client possible remedies and identify action steps that will prevent a reoccurrence. If the problem is major, consultation may be necessary with the BAS regional partner, office managing partner and Legal Group, where appropriate, to determine a strategy and remedy before making any commitments to the client.
“Sunset” meeting and continuous improvement
The project team should conduct an internal “sunset” meeting to debrief, evaluate its performance and review lessons learned. Focus on lessons regarding:
• Dealings with client personnel
• Client billing process
• Streamlining project procedures in the future
Determine business and technology context
Objectives and key tasks
Determining a client’s business and technology context is fundamental to our role as professionals. It is critical to understanding the factors and circumstances that influence the nature and potential severity of risks. It starts during initial discussions with the client in the Pre-fieldwork stage. It extends through the Scope and Arrange Work, Plan, and Analyze and Assess phases. Because business and technology context is so important to the delivery of our services, gathering information as soon as possible in the engagement cycle is required, but it is never really complete until we have completed the Analyze and Assess phase. Therefore, priorities must be established to gather information relevant to the effective performance of each phase of the internal audit. Quality and relevancy are more important than quantity. Pointless information gathering should be resisted to avoid wasting time and diluting focus.
A wide range of business and technology matters may be worth considering during the Pre-fieldwork stage. The client’s needs and the BAS services to be delivered provide the primary filter for identifying relevant context information. At a minimum, the engagement team should consider the following questions. The answers have implications for the nature, objectives, timing, deliverables and focus of our services. Some of these items are required by the engagement acceptance process and may be included in RFPs.
Here are the key tasks related to determining the client’s business and technology context. (2310, 2320)
1. Based on the needs expressed by the client, identify the types of information required to support the Scope and Arrange Work and Plan phases.
2. Identify potential sources for the desired information (e.g., SEC Form 10-K/annual report, client web site, RFP, discussions with the client, inventories of IT applications, system software or hardware, PBC document request, input from Grant Thornton personnel with prior client experience or intelligence, prior audit reports, etc.).
3. Perform an information gap analysis to identify additional information requirements to be gathered during the Analyze and Assess phase.
4. Document the information that will facilitate analysis and decision-making to plan our work and execute work programs that will achieve the engagement’s objectives (e.g., narratives, technology context diagrams, compilations of known issues, etc.).
5. Perform preliminary analysis of information to determine its relevancy to the engagement, its accuracy and its completeness.
Relationship with other phases and activities
The Determine Business and Technology Context activities interrelate with other phases and other ongoing activities.
Determine Client Needs
Information gathered through discussions with the client, RFPs and background information sources, such as SEC Forms 10-K and company web site. (2310)
Scope and Arrange Work
Information that will help to define the scope of services, deliverables and the effort required to accomplish the objectives of the engagement. (2310)
Plan
Similar to information used in the Scope and Arrange Work phase, but more detailed to facilitate the development of work programs. (2310)
Analyze and Assess
Additional information gathering and analysis is performed in this phase to fill in gaps in required information to support the objectives of the engagement. (2320)
Manage engagement performance, quality and risk
Objectives and key tasks (1300 series)
These activities are carried out throughout the engagement, starting with the conclusion of the Determine Client Needs phase. They comprise a wide variety of engagement administration tasks:
1. Maintain project discipline to make certain that the engagement proceeds in line with the engagement letter’s timing, deadlines, fees and deliverables.
2. Adhere to and document appropriate independence and client/engagement acceptance policies and procedures. (1100 & 1110)
3. Staff the engagement with personnel who have appropriate levels of skill and experience, and in numbers sufficient to achieve the engagement’s objectives in the agreed-to timeframe. Additionally, staff is to perform each engagement with due professional care. (1200 & 1210)
4. Determine that each phase’s tasks and work products have been properly completed according to programmed procedures responsive to the engagement’s objectives. (1310)
5. Properly supervise staff and review work performed, assessing timeliness and the quality of work products. (1310)
6. Maintain control and confidentiality of BAS working papers, electronic files and client documentation entrusted to the engagement team.
7. Facilitate engagement partner and manager involvement through the scheduling of oversight and review checkpoints and the preparation of engagement progress reports, issue summaries and draft deliverables. (1310)
8. Identify and resolve obstacles and conflicts that might prevent the timely completion of arranged work.
9. Consult with Grant Thornton practice directors and QA personnel to resolve auditing, consulting and reporting or deliverable issues, and document the conclusions or decisions reached. (1310)
10. Properly document the work and support findings, recommendations and other deliverables.
11. Arrange QA review of the engagement, as appropriate, and respond to recommendations for improvement. (1310)
12. Bill the client, manage scope creep, and process change orders for additional work performed.
13. Evaluate staff performance and provide counseling, as necessary, to promote staff development and morale. All staff are required to comply with the Firm’s Continuing Professional Education requirements. (See Section 2.A.2f in the BAS Manual.)
14. Complete engagement wrap-up procedures, including the archiving required for engagement documentation, reports and other deliverables.
15. Complete BAS Engagement Questionnaire.
Independent quality control (1320 & 1311)
Periodically, an experienced partner/experienced manager team that is independent of the engagements under review will review a selection of advisory service engagements, including individual internal audit engagements, to obtain ongoing assurance on the technical quality of our work and that our audit standards and procedures are being followed, based upon an agreed review program. For example, these reviews will seek to confirm the following:
• The engagement has been properly planned and an appropriate program developed.
• The contract management and client liaison protocols have been complied with.
• An engagement briefing was issued ahead of the commencement of the audit.
• A meeting was held with management to explain the scope and objectives of the engagement and to confirm the engagement timetable.
• Completion of the engagement and working papers are of a satisfactory standard.
• A report has been prepared, if applicable, and its conclusions and findings are supported by the detailed working papers.
• Engagement quality assurance procedures have been followed: working papers and the report, if applicable, have been reviewed by the audit manager and by the partner.
Additionally, every five years the Firm will have an external assessment of selected advisory service engagements, which will achieve the same objectives stated for the internal quality control. These assessments will be conducted by qualified, independent reviewers or a review team. (1310 & 1312)
For co-sourced and outsourced internal audit engagements, the acting chief audit executive (CAE) must communicate to the board, at least annually, the results of our quality assurance and improvement program. (2070)
Relationship with other phases and tracks
Manage Engagement Performance, Quality and Risk activities interact continually with each phase and other ongoing activities in line with the engagement’s objectives and professional standards.
Communicate and enable change
Objectives and key tasks (2000 series)
Communicate and Enable Change activities begin at the conclusion of initial discussions with the client in the Pre-fieldwork stage and continue through the remaining phases of the engagement. This track focuses on client communication issues. Sometimes communication is with third parties (e.g., outside directors, third-party service providers, contractors, customers, vendors, regulators, specialists assisting Grant Thornton, etc.). Communicate any internal audit or organizational impairment of independence or objectivity, in fact or appearance, to the appropriate parties within the client’s organization. The nature of the communication will depend on the impairment situation.
Effective client communication goes beyond initial discussions with the client, the proposal, engagement letter, periodic billings and delivery of a report. It involves the establishment of a trusted business advisory relationship in which two-way communication occurs freely and at appropriate intervals. Candor, even “brutal honesty” at times, coupled with professional judgment based on facts, is necessary to carry out a successful communication strategy. Communications enable the client to implement BAS recommendations in a way that promotes achievement of their objectives. Where appropriate, communications also serve to promote the ongoing involvement of BAS in follow-on services.
Here are the objectives and key tasks that fall within the Communicate and Enable Change track:
1. Develop a communication strategy that identifies for each engagement phase opportunities for communicating with the client about the achievement of objectives and engagement team responsibilities. (2010, 2020) These communication opportunities may include the following:
a. Engagement kickoff meeting
b. Discussion of interim and final findings and recommendations
c. Periodic status meetings
d. Changes in engagement scope, objectives, deliverables, allocation of responsibilities, timing, fees, etc.
e. Clearing periodic statements of professional fees
f. Sharing observations regarding matters that come to our attention outside of the engagement’s objectives and scope
g. Discussion of opportunities for follow-on work
h. Establishing guidelines for communications with interested parties (e.g., shareholders, directors, client personnel, contractors and other third-party service providers, customers, etc.)
i. Client meetings with Grant Thornton Quality Assurance/Client Satisfaction professionals, subject matter specialists (e.g., industry, technology, business process, regulation, etc.), and leadership partners, etc.
j. Social occasions with client personnel (consistent with standards of independence and professional ethics)
For outsourced internal audit function engagements, this communication and interaction regarding the points of consideration above must be between the acting chief audit executive and the client’s board.
2. Articulate findings and recommendations in a manner that promotes their implementation practically and effectively.
3. Identify BAS knowledge-sharing opportunities to leverage engagement experiences.
Relationship with other phases and activities
The Communicate and Enable Change activities take place continually during the other engagement phases to make certain communication and change management are treated as priorities in the internal audit methodology.
Appendix
Internal audit engagement checklist (2000)
Internal audit objectives q q q
q
q
Understand the current state. Assess the current state using appropriate standards. Develop findings and recommendations for management and/or the audit committee.
Listen to and understand the client’s articulation of the issues, opportunities and risks that are prompting the need for internal audit services. Translate the client’s needs into general internal audit engagement issues and deliverables to − −
make certain Grant Thornton services are relevant, make certain we are capable of performing the work, and
clarify the client’s needs in comparison with our services. Determine whether any obvious issues exist that would preclude or argue against Grant Thornton providing internal audit services to the client (e.g., independence, ethics considerations, service capacity, skills, experience, profitability, client reputation). −
q
© Grant Thornton LLP. All rights reserved.
q q q
Based on the above, decide whether to scope and arrange internal audit services. Establish and strengthen professional relationships with the client or prospective client. Gather other information, as needed, through interviews and review of documentation to facilitate the performance of the Scope and Arrange Work phase and help Determine Business and Technology Context.
Updated August 1, 2012
Internal audit guidebook
q q q
q q q
q
q q q q
q
q
44
Determine scope of project as communicated by the prospective client. Include the appropriate level of partner, manager and competency expertise during scoping exercise. Prepare draft proposal, incorporating the BAS standard language covering confidentiality, restrictions on use and nonbinding commitment. Prepare Form 1 and profitability tool, available on the intranet. Enter required information in the BAS Engagement Acceptance database. Prepare proposal. In the proposal, we describe our understanding of the client’s needs for internal audit work. A partner must approve and sign proposal, preferably the engagement partner who will support the engagement should we win. Submit proposal to client. Complete appropriate client acceptance procedures as part of the Engagement Acceptance Process. Proceed with client background investigation, using the BAS engagement acceptance software. If the client requests an engagement letter, prepare and submit the engagement letter using the standard BAS template located on the intranet. Set up client/assignment in CMS after Engagement Acceptance Procedures are complete and an Engagement Letter has been signed. If an internal audit charter exists, examine it during the Scope and Arrange Work phase. If it does not exist, work with client management to develop one during the Planning phase, once the engagement is accepted.
© Grant Thornton LLP. All rights reserved.
Updated August 1, 2012
Internal audit guidebook
Plan

• Determine the audit universe. The audit universe might include
− Processes
− Departments
− Functions
− Product lines
− Legal entities
− Supplier/vendors
− Major contracts
− Laws and regulations
− Information systems
− Stock transactions
− Senior management/board policies and procedures
• Assess timing, thinking through management’s availability and the availability of personnel who will be involved.
• Consider the tools and technology you want to use to conduct the internal audit.
• Select an appropriate framework to evaluate what you plan to audit, e.g., COSO, COBIT, ITIL, CMM.
• When conducting the risk assessment exercise, assess risk in different categories:
− Financial risk (price, liquidity, credit)
− Operations risk (capacity, cycle time, sourcing)
− Information processing/technology risk
− Integrity risk (fraud, unauthorized use, reputation)
− Compliance and legal risk
• Perform the entry-level risk assessment, segregating the identified reporting units into those for which the Company will perform controls documentation/evaluation work now, and those which will be delivered or excluded.
• Facilitate sessions with key members of management to gain an in-depth understanding of the processes to be audited and to identify internal controls in place within the processes.
• Conduct a Risk Ranking Exercise, using the Quadrant Model to assign relative weight to risks based on Likelihood and Significance. Factors we use when ranking include
− Audit history
− History of losses
− Human capital
− Management oversight
− Monitoring activities
− Organizational structure
− Quality of internal control system
• Prepare an internal audit work plan, which includes
− Items we have listed in the proposal
− Milestone checkpoints
− Identification of skill sets needed to execute the audit
− Audit responsibility assignments – mobilize team
− Project status/time tracker
• Determine the processes within each business cycle or department selected for auditing that will be included within the scope of testing.
• Determine audit cycles based on how you divided the audit universe into operational segments.
• Write the plan, summarizing what the team will do. Take the information you have learned and put it into action steps.
• The plan should go through an approval process within the engagement team, led by the manager or partner. The purpose is to confirm that the work to be performed coincides with the engagement team’s expectations.
• Hold final internal planning meeting prior to the start of fieldwork. Involve the complete internal audit team. Discuss internal audit work plan, assignments and expectations.
• All team members should perform a background preparation review of the client.
• Hold a kick-off meeting with the client.
− Introduce the Grant Thornton internal audit team.
− Describe the various types of audits to be conducted.
− Explain the internal audit process to management.
− Confirm the nature and scope of the audit plan.
− Identify the timetable to management and gain their agreement.
− Explain how we will document our work.
− Discuss best ways to meet with members of the management team for interviews.
− Discuss logistics for accessing records.
− Describe how we will make recommendations.
• Submit PBC list.
• Determine staffing, time and field requirements. Ask the following:
− Who will do the work?
− How much time will it take?
− Are field requirements in line with our engagement letter with the client? Refine requirements with the client if need be.
• Keep in mind there are three types of audits:
− Financial audits
− Operational audits
− Compliance audits

Analyze and assess

• Begin the Analyze and Assess phase by learning more about processes under review from existing documentation, such as:
− Organization charts
− Policies and procedures documented by the client
− Documentation produced by external auditor
• Conduct individual interviews or small group meetings to understand process-level risks and identify existing controls in more detail.
• Focus on key internal controls within processes determined to be in scope. Determine frequency of controls.
• Perform walkthroughs to validate processes and controls. Examples of documentation include narratives and flow charts. Identify existing supporting documentation.
• Document process performance issues and problems.
• Analyze financial data relevant to the process.
• Determine whether there is adequate separation of duties.
• Analyze company policies related to the process and assess compliance with policies.
• Address frequency of controls.
• Address fraud risk.
• Identify and evaluate process-level risks that may have significant exposure.
• Map controls within the processes to associated risks.
• Work with client to identify control characteristics that they will use to differentiate primary controls from supporting controls.
• Identify specific controls in place to address fraud.
• Develop process maps, if needed.
• Target process measures and controls to be validated.
• Develop a testing strategy/approach.
• Rank risks based on significance and likelihood.
• Complete the Control Ratings, including:
− Control classification
− Control frequency
− Control automation
− Importance
− Cost rating
− Design effectiveness
− Operational effectiveness
− Related assertions
− COSO Model elements
• Define approach (e.g., inquiry and observation, sampling, CAATs, re-performance).
• Define testing procedures. Clarify with client who is to create test procedures. Ensure engagement partner approves.
• Review and obtain sign-offs of the test approach and key controls. (As appropriate, obtain sign-offs from senior management, external auditor, partner, QA partner.)
− Create test procedures/cases/scenarios.
− Identify test locations.
− Schedule and conduct tests.
• Document test results.
• Draft formal written issues and action plans. Include the following:
− What the process is
− What it should be
− Why a difference exists
− A recommended course of action to correct the deficiency
• Discuss findings with management and consider remediation action plans.
• Validate each finding and recommendation for a course of action with the process owner and other appropriate management.
• Analyze and assess root causes of process operating and control deficiencies.
• Complete additional analysis on specific issues to develop specific steps to improve processes and controls.
• Document appropriately.
Report and recommend

• Prepare draft final report for manager to review and approve. The report should include the following:
− Executive summary (a high-level summary of findings)
− Objectives and scope statement
− Background (in general and for each process)
− Summary of procedures performed
− Detailed findings and recommendations
− Management response
− Action plan/owners
− Follow-up procedures
− Guidelines for use and distribution
− Appendix: Process maps
• For outsourcing engagements, follow Grant Thornton branding guidelines.
• Meet with Grant Thornton management to discuss the report.
− Achieve a common understanding of audit issues presented in the report.
− See that the results of the work performed and related documentation provide sufficient support for client deliverables.
− Make sure the actual work performed agrees with the arrangements made with the client.
− Review report for factual or grammatical errors.
− Discuss next steps.
• Draft final reports for manager to review and approve, ensuring all reports are delivered to the client on a timely basis.
• Clear draft report with key sponsors. If needed, make additional revisions.
• Issue the final report to appropriate levels of management. Note: Although the company’s management has the responsibility for internal control communications with its external auditor, we can discuss internal control concerns with external auditors at the client’s discretion. This can minimize the disruption to the client’s staff.
• Client management responds, explaining what they will do. This serves as an opportunity for management to explain mitigating factors that we were unaware of or could not have made an assumption about.
• Make ancillary process improvement recommendations that are not necessarily part of the findings, but point to actions that management might take. These might include “meta-findings,” i.e., a compilation of high-level or extrapolated issues based on what you found.
Implement

Note: The Implement phase is grayed out. For independence reasons, the Implement phase is typically not directly relevant to delivering internal audit services.
Evaluate

• If management does not agree with the initial recommendation, an alternative solution is discussed and identified. Alternative solutions are typically based on directives from executive management or the board of directors.
• Once the client agrees with the recommendation, Grant Thornton may monitor the recommendation status until it is implemented. Recommendations are not considered implemented until verified by Grant Thornton. Use status codes.
• Complete BAS Internal Audit Engagement Checklist.
• Make sure you have all the paper documentation to support the following:
− The findings that we have communicated
− The interview processes that have been carried out
− The identification of various controls and activities
− Our recommendations for mitigation
• Organize, index and reference work papers.
• File work papers.
• Prepare and submit completion memo using the BAS template available on the intranet.
• Archive file using appropriate naming conventions.
• Finalize Form 1 and staff performance evaluation forms.
• As part of the engagement wrap-up, distribute customer satisfaction survey form (SQM). Document the survey results in a memo.
• Conduct an internal “shut down” meeting to debrief, evaluate performance and review lessons learned.
Comparison of Outsourced vs. Co-sourced Internal Audit Engagements

CSDM Phase: Determine Client Needs
Outsourced Internal Audits: No significant differences within this phase.
Co-sourced Internal Audits: No significant differences within this phase.

CSDM Phase: Scope & Arrange Work
Outsourced Internal Audits: No significant differences within this phase.
Co-sourced Internal Audits: No significant differences within this phase.

CSDM Phase: Plan
Outsourced Internal Audits:
− Internal Audit Universe: Grant Thornton will need to determine the internal audit universe appropriate to the client’s business and environment.
− Internal Audit Risk Assessment: Grant Thornton will perform appropriate entity-level risk assessment procedures to determine the internal audit universe and assist the client with understanding the risk ratings.
− Evaluation Framework: Grant Thornton will need to determine the appropriate framework (COSO, COBIT, etc.) to evaluate internal controls and perform the gap analysis.
− Work Plan: Grant Thornton will need to document all administrative aspects of the work plan (e.g., items in the proposal, milestone checkpoints, skill sets, internal audit responsibility, status tracker) as well as the detailed testing work program (e.g., internal audit objectives, work program steps, etc.).
Co-sourced Internal Audits:
− Internal Audit Universe: The client may provide the internal audit universe or may request Grant Thornton’s assistance in determining the internal audit universe.
− Internal Audit Risk Assessment: Grant Thornton should review the risk assessment performed by the client and/or facilitate the client’s risk assessment procedures relevant to the internal audit areas in scope.
− Evaluation Framework: Grant Thornton will need to determine the framework used by the client (COSO, COBIT, etc.) to evaluate internal controls and perform the gap analysis.
− Work Plan: Grant Thornton will need to document the work plan related to internal administrative functions (e.g., items in the proposal, milestone checkpoints, etc.); however, the client may provide the detailed testing work program (e.g., internal audit objectives, work program steps, etc.).

CSDM Phase: Analyze & Assess
Outsourced Internal Audits:
− Testing Strategy/Approach: Grant Thornton will determine the appropriate testing approach and procedures to be performed.
− Sampling Methodology: Grant Thornton must use the sampling methodology described in the IA Guidebook.
− Test Plans: Grant Thornton must develop detailed test plans including test objectives, test procedures and the impact of the control hierarchy.
Co-sourced Internal Audits:
− Testing Strategy/Approach: The client may specify the strategy, approach or procedures to be performed.
− Sampling Methodology: The client may specify a desired sampling methodology to be used during the internal audit.
− Test Plans: The client may provide the test plans for use during the internal audit or may have specific requirements that must be met.

CSDM Phase: Report & Recommend
Outsourced Internal Audits:
− Documentation: Grant Thornton must follow the internal audit documentation standards outlined in the IA Guidebook for work-papers and test sample evidence.
− Report Format: Grant Thornton must follow the report format outlined in the IA Guidebook as to content, branding and use of ratings.
− Standards Conformance: Grant Thornton must conform to IIA Standards throughout the engagement and must indicate conformance within the internal audit report. NOTE: Any instances of non-conformance must be discussed with the engagement manager and partner to determine the appropriate response and will generally be documented in the internal audit report as to the area of non-conformance, the reason for non-conformance and the impact to the engagement and results.
Co-sourced Internal Audits:
− Documentation: The client may specify documentation requirements including requirements for work-paper format and test sample evidence (e.g., evidence retained for all samples).
− Report Format: The client may specify a report format and may request additional content or use of standardized ratings.
− Standards Conformance: The client’s internal audit function or procedures may not conform to the IIA Standards or may comply with alternate standards (e.g., AICPA standards only). Any instances of non-conformance must be discussed with the engagement manager and partner to determine the appropriate response and will generally be documented in the internal audit report as to the area of non-conformance, the reason for non-conformance and the impact to the engagement and results.

CSDM Phase: Implement
Outsourced Internal Audits: No significant differences within this phase.
Co-sourced Internal Audits: No significant differences within this phase.

CSDM Phase: Evaluate
Outsourced Internal Audits: No significant differences within this phase.
Co-sourced Internal Audits: No significant differences within this phase.