The systems approach to internal audit - part one

Systems auditing should be the main approach that is adopted by internal auditors. This series of four articles aims to outline the key aspects of this approach to internal audit and to provide an insight into undertaking internal audit more effectively. It also seeks to demonstrate how the objectives and methodology of internal audit differ fundamentally from those of external audit.

The higher profile of risk management in recent years has led some internal auditors to consider developing a risk-based approach to internal audit. However, risks do not exist in isolation. They are the results of the objectives of the organisation or system not being achieved. Risks should be considered as an integral part of the systems approach to internal audit. This should allow the adequacy and reliability of the existing controls to be considered within the context of the overall system that is being audited.

Systems auditing was originally developed as a more efficient approach to external audit. However, this systems-based approach had to be further developed and refined before it could form an effective internal audit methodology. The objective of external audit is to form an opinion on the organisation’s financial statements. Internal audit has the very different objective of working with managers to improve and optimise their internal control, risk management and corporate governance processes. These differing objectives mean that internal auditors cannot just adopt the approach used by external audit. Internal auditors have therefore developed their own approach to systems auditing that differs in many respects to the one that may be adopted by external auditors.

Internal Audit – A Step By Step or an Iterative Approach
Systems auditing is often described in a step by step fashion. However, this description should not be taken literally, each step should not be considered as a discrete stage to be fully completed before the next stage of the audit is commenced. Systems auditing should, in contrast, be considered as an integrated whole. The knowledge base of the auditor will gradually expand through an iterative approach to the audit. At each stage in the audit the auditor should reconsider their approach, review their understanding of the system and if necessary report significant findings to relevant managers.
Systems auditing is frequently broken down into the following aspects:

• assignment planning;
• identifying the system and its controls;
• documenting existing controls;
• control evaluation;
• testing key controls;
• developing conclusions and recommendations;
• reporting.

At the assignment planning stage any previous internal audit work and knowledge of the system should be considered and used to ensure that all key areas are included within the scope of the audit. Although an audit brief may be agreed with the system managers, auditors should not be embarrassed to go back and amend this in the light of new knowledge and understanding gained later during the assignment.

Previous system notes should be an important source of knowledge if the system has been reviewed recently. Nothing is more annoying than for managers to have to explain their system from scratch to a new auditor each time it is reviewed. However, gaining a full and clear view and understanding of the system will only occur gradually, it will not be complete until after the audit is completed. Auditors should consider their knowledge and understanding to be like a jigsaw, they should try and finish the edge pieces and the easy parts immediately. They can always come back and complete the more difficult central parts later on.

The extent that auditors can document the system will obviously reflect the knowledge and understanding they have developed. Auditors should record basic details as soon as they have discovered them, but should not try to produce perfect system notes at this stage. Audit testing will provide further details, and report writing and discussions with staff will usually enhance the auditor’s understanding of the system. It is often a good idea to delay writing the system notes until the end of the assignment. At the very least they should be critically reviewed, and amended as necessary, after the final report has been issued.

Control evaluation is an important stage of each audit and this should be completed before testing is started. This is to ensure that only controls that actually exist, and are likely to reduce significant risks, are tested. However, this evaluation is only a guide to testing, the testing programme may need to be revised as a greater understanding of the detail of the system is gleaned during the testing itself. Tests should be stopped immediately if auditors realise the control is not working. If other key controls are identified then further testing should be performed to confirm the reliability of these controls.

For internal auditors, testing should be designed to determine whether a particular control should provide reasonable assurance that the objectives of the system are achieved. Or, putting it the other way round, whether the control will reduce potential risks to acceptable levels. Controls are not necessarily a good thing in themselves and should only be tested as long as they are considered to be working effectively and likely to have a significant impact on the success of the system. Thus the testing undertaken should reflect the overall nature of the system, the auditor’s understanding of it and the interdependencies of the different controls.

Developing conclusions and recommendations is usually one of the last aspects of internal auditing to be described, but it may be one of the first to be undertaken. Prior knowledge of the system, and certainly initial meetings with the system's managers, will lead most experienced auditors to begin to develop their opinions of the control environment and possible improvements. These ideas should be developed and refined at each stage of the audit.

Audit reporting, writing the formal report and holding discussions with managers, provides an important stage in the auditor’s understanding of the system, its weaknesses and the practicality or otherwise of potential improvements. Audit reporting should also allow the true importance of each aspect of the control system to be viewed more dispassionately and in the context of the whole system. Writing the report should enable auditors to stand back and see ‘the wood for the trees’.

Care should be taken to ensure that this greater understanding of the whole system and the inter-relationship of all its controls is used to refine the conclusions and consider the practicality of possible additional controls. If necessary, queries should be answered and further testing may need to be undertaken at this stage.

Inexperienced auditors may need to approach systems auditing one step at a time. As their experience grows, a more sophisticated approach should develop that recognises the iterative nature of auditing. Greater knowledge and understanding develops gradually throughout each audit assignment. This knowledge should be used to adapt the auditing techniques used, the extent and nature of testing undertaken and the timing of audit reporting.

Assignment Planning
Internal auditors expect their organisations to be efficient and achieve value for money. To ensure that they cannot be accused of being hypocritical they have to make sure that they adequately plan all their audit assignments and so ensure that they can be completed efficiently. Internal auditors need to be careful that they review all significant aspects of the system and that all risks are being adequately managed with suitable controls.

For these reasons, internal auditors should undertake their audits in co-operation with the relevant managers. Thus, it is usually considered appropriate for these managers to be sent an outline of the proposed audit work a couple of weeks or so before the audit assignment is due to start. This should give the managers adequate time to reflect on the proposed scope and objectives of the audit and will give them advanced notice and allows them to plan their work around the audit.

At the beginning of each internal audit assignment there should be a meeting between the auditors (usually including an audit manager and the auditor who is to undertake the review) and the manager(s) who is responsible for the particular system. The objectives of this meeting are for the internal auditors to:

• discuss the systems objectives and appreciate the significant risks involved in their achievement;
• obtain an overview of the roles, responsibilities and reporting lines of staff and managers within the system;
• consider any concerns or particular areas managers would like internal audit to address during the review;
• agree in broad terms the scope and objectives of the audit.

Internal auditors should be as flexible as possible about the actual timing of each systems audit assignment. It should rarely be necessary to undertake ‘surprise’ audits. Most managers are busy people, internal auditors should recognise this and, whenever possible, should try and fit their reviews around the managers’ timetables. Therefore, internal audit visits should be planned so that the normal work of the system is disrupted as little as possible.

Clear budgets should be agreed for each audit assignment as part of the, usually annual, planning process. These should be treated as flexible budgets. It should be possible to exceed the allotted time for an audit, but only if this is necessary to ensure comprehensive coverage of all significant aspects of the system. Additional testing may be required or even requested by the system’s manager. In addition, extra time may be needed to develop guidance and write up the numerous recommendations that may be necessary when a poorly controlled system is audited.

However, the staff budget for internal audit needs to be adequately controlled. If internal auditors need extra time on one assignment then this time should be recovered on later assignments. Some audits will inevitably take longer than expected, others should be completed quicker than planned. Internal auditors should be flexible about the amount of time they spend on individual audits. However, internal auditors expect managers to deliver their services within budget. Auditors cannot have lower standards for their own service. The audits planned to be delivered each year should be completed in the year, and within the total number of budgeted days. If this cannot be achieved, internal audit should be accountable to the audit committee and provide suitable explanations of the problems encountered and other reasons for not achieving the audit plans.

Audit managers need to ensure that all audit assignments are undertaken by auditors who are appropriately experienced or have the necessary specialist knowledge. Auditors need not (and indeed cannot) be experts in each of the systems that they review. However, they need to have the basic background experience that will allow them to appreciate the significance of the control environment they are reviewing and any short-comings that may exist within it. For some audits, especially those of computer systems and capital contracts, specialist knowledge may be essential. Without it, the auditors will not be able to identify weaknesses within the control system and may be unaware of technical controls that are appropriate to effectively manage the risks identified during the audit.

The level of guidance or supervision that will be necessary during each audit will depend on the level of experience of the auditor, the complexity of the system and its technical or specialist nature. Before each assignment is started the audit manager should ensure that all auditors have a clear understanding of the work they are to undertake; the approach to be adopted; and the level of enquiry or size of sampling which is required. In addition, all auditors should be encouraged to discuss their findings and any problems or uncertainties they encounter during their audit. Discussion is an effective problem-solving tool for internal auditors and has the bonus of spreading experience across the audit team.

Audit planning is necessary for internal audit work to be completed successfully, within budget and with maximum co-operation from the staff
whose system is subject to review. Planning should be viewed positively in this light and not just seen as a bureaucratic chore that stops internal auditors finishing their real work. As the saying goes ‘‘prior planning prevents possible pitfalls’’.

Andy Wynne is Head of Public Sector Technical Issues at ACCA. He is editor of the ACCA e-mail Bulletin for internal auditors.

You can register to receive the Bulletin by sending an e-mail to: info@accaglobal.com putting the word 'REGBULL' in the subject line. Please include your full name, clearly state the type of organisation that you work for and whether you are an ACCA student or member.

Back issues of the Bulletin can be downloaded from www.accaglobal.com/publications

Andy can be contacted by e-mail at andy.wynne@accaglobal.com