Internal Audit Lifecycle | Fundamentals of Internal Auditing | Part 3 of 44 - YouTube
[0]
Welcome. In this episode, we're going to take a look
[3]
at the internal audit lifecycle,
[5]
we're also going to take a look at the different things
[8]
that happen during a typical internal audit.
[18]
Today we're going to take a look at the steps
[21]
in internal audit lifecycle and to help me explain that
[24]
and cover that in more detail,
[25]
I have with me Kathleen Crawford
[27]
who has a lot of experience in internal audit
[29]
and she's going to help us better understand these elements
[32]
that feed into what happens during an internal audit.
[34]
Welcome, Kathleen.
[35]
Thanks, Hernan. Good to be here.
[38]
So we're gonna start off with the lifecycle.
[44]
The graphic that you're looking at here
[46]
covers all five steps of the internal audit lifecycle.
[50]
Everything begins and ends with risk assessment.
[53]
You'll see a little arrow that goes from follow-up,
[57]
back to risk assessment.
[59]
So we start with risk assessment and we end with risk assessment.
[62]
So we're thinking about the process, system
[65]
or functional area that we have been invited to,
[69]
or have decided to audit,
[72]
and we look at what's going on inside the operation,
[78]
what's going on outside the operation
[80]
that may have an effect on how well it works.
[83]
What are some of the documents
[85]
that you usually look for to better understand
[88]
how things are being done within the area
[90]
that's going to be reviewed?
[91]
Sure. Well internally, of course,
[93]
I want to know about policies, procedures,
[96]
I want to know things about staffing,
[99]
I want to know strategy, things of that sort.
[103]
Outside, I'm also interested in the broader environment
[108]
within which they operate.
[111]
So, what industry are they in, what's moving
[114]
and changing and shaking in their industry,
[116]
what about laws, regulations of different kinds of requirements
[120]
that are imposed from the outside of the organization.
[124]
Is this the phase also when you announce the audit
[128]
and how does that get done anyway?
[129]
How do you notify the parties that are going to be involved
[132]
that this is going to happen?
[134]
Different organizations will do it differently
[136]
but I would say a good proportion of them
[140]
will typically give a number of weeks' notice
[143]
that they're going to be doing this project,
[145]
and having that period of time,
[147]
that much notice also gives them the opportunity
[151]
to communicate with the stakeholders
[153]
and see what's maybe new or different
[155]
so that whatever we do, once we move into planning
[159]
and once we move into fieldwork, will be relevant
[162]
to what is actually going on, not what we imagined
[168]
but what is actually going on.
[171]
So you mentioned that there's a risk assessment that is done,
[175]
sounds like there's one at the enterprise level,
[177]
looks like there's one when you decide,
[179]
"Okay, this is what we're going to review,"
[181]
and then thereâs that risk control matrix also
[184]
that is done at the project level
[186]
when you decide what you're going to review,
[188]
where you're going to review,
[189]
you already told everyone about it,
[190]
now you have a risk control matrix.
[192]
Is that related to the risk assessment as well?
[194]
- Kind of on a micro level of sort?
- Sure, absolutely.
[197]
And we'll be able to see all of those different levels
[202]
in an upcoming segment specifically on risk assessment.
[205]
So every one of these stages, as a matter of fact,
[208]
has a lot more detail than we're going to talk about right here.
[212]
So risk assessment is going to have several chapters,
[216]
if you will, several segments for us to explore,
[219]
planning as well.
[221]
So it's a very detailed, very methodical way of deciding
[229]
what to look at any given point in time.
[232]
It looks like a lot of auditors will probably spend
[235]
most of their time doing field work.
[237]
- Can you tell us a little bit more about that?
- Yeah. Well I see you picked up
[240]
on the orange contrasted with the gray, that's absolutely true.
[244]
So beginning internal auditors are probably trying to find
[248]
that they don't get to see as much of the risk assessment
[251]
and maybe not as much of the planning as their colleagues do,
[254]
so that the supervisors and auditors in charge,
[258]
these beginning stages are more of their responsibility.
[263]
So an internal auditor coming in at the ground level
[267]
is definitely going to spend
[268]
most of his or her time in field work.
[271]
They'll be working at the direction of one or more people
[274]
who will essentially explain to them the rationale
[278]
for why they're doing what they're doing,
[280]
they'll give them some direction
[281]
in terms of how they're supposed to carry out
[283]
this responsibility,
[285]
and let's take a quick look at the graphic
[287]
because it gets into a little bit more detail.
[291]
They're going to be doing interviewing
[294]
so there's some interpersonal activity going on,
[298]
they will read through things and prepare narratives,
[301]
maybe even flowcharts.
[303]
So flowcharts are really terrific to see in field work
[307]
in terms of making a distinction between
[309]
what you expected to find and what you actually did find.
[313]
Are walkthroughs like the physical walking around,
[319]
touring, observing the facilities,
[321]
or is that something different?
[324]
Well, that's a particular turn of phrase
[327]
that's specific to internal audit.
[331]
A walkthrough may not involve walking at all.
[333]
It usually involves sitting at a desk
[336]
next to someone who is explaining to you
[340]
how a process or system works
[341]
and while they explain how it works,
[344]
you ask them for screenshots of some of the actions,
[349]
the decisions, the activity of a system or a process.
[353]
So if I were auditing a resort or a cruise operation,
[359]
I will still be able to walk around and observe…
[363]
Oh, you're just angling for a nice vacation.
[366]
Well, I just don't want to think of an auditor
[368]
just sitting in a conference room looking at ledgers all day.
[371]
So they do get to go out sometime, yes?
[374]
Yes, they do. Yes, they do.
[376]
- Okay, good. Okay, okay, thank you,
[377]
- I feel much better now.
- Actually, any activity, any endeavor
[385]
if it is foundational to the success of the organization,
[390]
auditors are going to be involved.
[391]
So let's take your resort example.
[396]
There's certainly…
[399]
the tourism industry is huge and there are auditors in it.
[403]
And they're making sure
[404]
that the customer experience is as presented,
[408]
but they're also making sure
[409]
that what's behind the curtain is operating
[412]
the way it's supposed to as well.
[415]
That's very important, of course.
[416]
Auditors need to make sure that the food is safe
[419]
- and that the credit card information
- It is. Absolutely.
[422]
- is properly taken care of.
- All of that, all of that.
[426]
While they're doing the fieldwork, if they find any issues,
[429]
do they get documented and captured during fieldwork?
[434]
Help us understand what happens if they find anomalies.
[437]
Sure. Absolutely, it should be captured during fieldwork,
[442]
and this is another aspect of internal auditing
[446]
that I really appreciate,
[447]
is the amount of communication.
[452]
So let's say I'm a new auditor and I read the procedure
[457]
and it says that when the food is delivered to the table,
[462]
it should look like this.
[464]
And I observed that, but it doesn't look like that.
[468]
There's something different about it.
[470]
I know I'm making a silly example
[472]
but you can see the rationale
[475]
between what we pay attention to,
[477]
we're auditing against a procedure or against a policy
[482]
then if we notice something is different,
[484]
we need to see, does it matter?
[488]
What does it matter
[488]
if there's a piece of garnish or not a piece of garnish.
[495]
So it means that the auditor needs to communicate
[499]
with the folks that he's been communicating with,
[502]
to better understand is this a problem, is this not a problem.
[506]
So the communication starts during fieldwork,
[509]
as soon as something unusual or unexpected is noticed,
[512]
ask the question why.
[514]
Why is this different than what I expected to see.
[517]
And I would imagine that the procedure begins,
[520]
following along with your example of the food preparation,
[522]
it starts in the kitchen and the storage of the food
[525]
what needs to be kept cold is cold, and warm is warm,
[529]
and frozen is frozen, and so on.
[531]
So all of these things so that it is safe, sanitary,
[534]
and then we look into the presentation.
[537]
We make sure that it's also going to meet those requirements.
[539]
So there's a whole pipeline of elements there.
[541]
Okay, great.
[542]
So as they find issues they will discuss them with individuals
[546]
who are familiar with the process and were responsible for it.
[549]
So what happens in that last stage…
[551]
well, not quite the last stage I guess, is a reporting phase,
[554]
is that an official communication occurs
[558]
about the results of the review?
[560]
Yes. So the communication that I mentioned
[563]
in terms of meetings and interviews
[565]
and all sorts of things happens during field work
[568]
will also have conversations as we bridge
[571]
from field work to come to the reporting phase.
[575]
So anything that has been unresolved
[580]
is going to go in a draft audit report.
[582]
So the draft audit report is going to include
[585]
all of those different observations
[587]
and hopefully some context for why these issues are there.
[592]
Those will be discussed with management of the area,
[595]
process or system, informed with the information
[600]
that we received as we conversed with the people
[602]
who are on the front lines of this area, process or system,
[606]
and then there's some discussion,
[608]
there's some debate, there's some discussion,
[610]
what would we recommend that they change,
[613]
what would we recommend
[615]
that they put in place that isn't in place,
[618]
in terms of some kind of control or some kind of action.
[622]
And that discussion happens and finally,
[627]
the report morphs into the final deliverable,
[630]
the outward facing deliverable of our audit work.
[633]
The inward facing deliverables of our audit work
[636]
will be our working papers
[637]
which will tell the story of what the auditors did,
[640]
what the auditors found, and what the auditors concluded.
[643]
So it will always be possible for us to follow that path
[647]
that the auditors themselves followed
[650]
and determine whether or not their observations were sound.
[654]
And then the follow up phase
[656]
is where now the auditors verify
[658]
that the issues identified were corrected appropriately,
[662]
is that what happens then?
[663]
Absolutely, absolutely.
[664]
And you'll notice that line
[666]
from follow-up back to risk assessment,
[669]
"We confirm or refute whether or not
[672]
the agreed upon corrective action was taken
[674]
and taken in the way that management of the area
[678]
or process or system agreed to."
[680]
That may affect our risk assessment
[683]
because if there were some matters of significance
[687]
in our audit report, then we want to be able
[690]
to level set risk assessment in future to make sure
[695]
that it is now reflecting
[698]
the landscape of risk for this particular area,
[702]
once the corrective action has been taken.
[706]
Okay. So if the issues keep coming back,
[708]
that they're recurring,
[709]
then that's concerning
[711]
because they haven't taken appropriate actions
[713]
and the problem is still going on
[715]
so certainly an indication that perhaps
[717]
we haven't gotten to the source of the problem,
[719]
the root cause of it.
[720]
Or they just haven't been diligent enough
[723]
in attending to those things.
[724]
So there are so many things
[726]
that we just covered in that life cycle.
[729]
Could you break it down into some more discrete steps for us
[731]
so you have a little bit of a list of sort.
[734]
- Just maybe the top 10 steps or so.
- Sure.
[737]
Actually the top 10 steps begin with risk assessment,
[741]
not unlike the graphic that we just spent some time with.
[745]
Risk assessment happens at multiple levels,
[749]
that's a topic that we'll get into in another session.
[753]
But for now let me just say that risk assessment
[756]
is looking at the entire enterprise
[758]
and its balance of risks and concerns
[761]
and deciding what the audit group, the audit department,
[766]
the audit division, and its members have the expertise,
[771]
the time, and the appropriate level of risk to look at.
[776]
So we select auditable areas almost like pulling
[780]
a volume off the shelf of software or of reading material.
[786]
So we select an auditable area and a client,
[790]
we move into review of those policies, procedures.
[794]
This is setting us up for some success
[798]
in terms of what we're going to do in field work.
[801]
Holding an opening meeting.
[803]
This is an opportunity for us to converse with different stakeholders,
[807]
let them know the fundamentals of our approach,
[810]
what are we going to do.
[812]
And then we get into fieldwork and we start studying up
[817]
and sampling on transactions and different activities.
[822]
We could call that performing testing
[824]
and that is performing testing
[826]
but we also want to make sure
[828]
that we document internal controls
[830]
so we have an understanding of risk
[832]
now we want to know how is the risk balanced?
[835]
So we have to look at the system internal controls
[838]
and prepare some kind of documentation around that,
[841]
a risk control matrix is typically the result.
[845]
The audit program flows from that,
[848]
and then we perform our testing.
[850]
As Hernan and I discussed on the previous graphic,
[855]
we prepare any issues, observations that need to be addressed,
[859]
need to be discussed with the client, we wrap things up,
[863]
we have some kind of exit meeting or exit conference,
[868]
and then we're able to draft the audit report,
[871]
issue it, and perform follow up.
[876]
Excellent, thank you very much.
[878]
That was very helpful to come up
[880]
with a succinct [inaudible] like that
[881]
and then just be able to narrow it down a little bit,
[883]
just so we can put our hands around this world.
[886]
But as we're thinking
[887]
about the different things that auditors review,
[889]
we understand now that not every internal auditor
[893]
is an accounting or finance expert.
[895]
You have a lot of compliance elements
[897]
and other kinds of reviews that are performed.
[899]
So if you think in terms of what things are reviewed, right?
[902]
We just talked about food preparation
[904]
and looking at a cruise operator or resort and so on so,
[908]
it looks like there's quite a broad selection of areas to review.
[911]
What are some of the auditable areas
[913]
that auditors are likely to engage in reviewing.
[917]
Well, everything is auditable, everything is auditable.
[922]
But, we don't have all the time in the world
[926]
and if we want to give enough attention to anything,
[931]
we have to be very deliberate, very tactical.
[934]
So some of the ways
[936]
in which we determine what we're going to audit
[939]
is to look at policies and procedures,
[942]
practices around the enterprise.
[945]
Another way that we might look for areas
[950]
that are right for being audited
[952]
is to look at profit centers, cost centers.
[955]
We could also consider the general ledger
[958]
of the institution that we are employed by.
[963]
Information systems.
[965]
In my non-profit work, I spent a lot of time
[970]
looking at major programs and major contracts
[973]
across the two states
[974]
that the non-profit that I worked for operated in,
[979]
and what were those requirements,
[981]
and then making sure through a series of audits
[984]
that those requirements were being met.
[987]
I'm also a huge fan of looking
[990]
at organizational charts and job descriptions
[993]
to get a feel for how different lines of service
[998]
or different products are rolled out.
[1001]
So I might be interested in functional units
[1004]
and how they fit into the larger enterprise.
[1008]
We might also look at transaction systems
[1012]
so how does money flow?
[1017]
Where our purchases flow within an organization?
[1020]
How do our payments flow?
[1022]
So that leads to financial statements in a broader context.
[1027]
I also mentioned earlier that from an external perspective,
[1032]
we want to make sure that the organization
[1034]
is operating in a way that is faithful
[1039]
to the rules of the industry
[1042]
or the rules particular subset of the industry.
[1045]
So we look at laws, we look at laws, we look at regulations.
[1048]
Any and all of these things can help us determine
[1053]
what deserves to be audited at any given point in time.
[1057]
It's also a way to bring in some creativity
[1062]
because we could find ourselves doing the same thing
[1067]
over and over again,
[1069]
maybe not likely because of what I said earlier
[1072]
about risk assessment.
[1073]
Having some creative thinking
[1075]
around all of these different areas I think is really warranted.
[1081]
Great. Thank you, Kathleen.
[1083]
So this is very helpful in helping us understand,
[1085]
and I like your expression that anything can be audited.
[1088]
But then again, we have the risk assessment process
[1090]
that's going to help to decide what needs to be reviewed,
[1094]
how often, and to what extent.
[1096]
Now your last list of items,
[1098]
you have a number of items mentioned there related to compliance,
[1102]
you have some accounting, some finance,
[1104]
some business, some IT,
[1106]
maybe a little legal elements there with the contracts as well.
[1109]
So, it definitely shows that internal auditors
[1112]
do a lot of different things and that their work is quite diverse.
[1116]
So thank you very much for helping us better understand
[1118]
the lifecycle of an internal audit
[1120]
in areas that are usually reviewed by their work.
[1123]
So thank you so much. I appreciate it.
[1125]
My pleasure. If you like this series,
[1127]
subscribe to the ACI Learning YouTube channel
[1130]
to enjoy more audit related content.