I want to share a couple of techniques I used when building the audit plan and then the audit scope, and for assessing the level of risk presented by a control failure.
The first is like a reverse root cause analysis when there is a control failure. (See this earlier post.) But rather than figuring out what caused the control failure, it’s about determining what the failure means, its potential effect and how significant it is.
As with a root cause analysis, this should be done in collaboration with operating management for best results.
As an example, let’s say we find that the controls over recording inventory receipts are not functioning properly.
- Receipts of raw materials may not be recorded in the company’s records, and quantities and type of materials might be recorded incorrectly.
- As a result, the financial statements are incorrect, and management may be relying on inaccurate materials inventory records.
- If inventory is overstated, there might be an impact on manufacturing. They schedule a manufacturing run to fulfil a customer’s order only to find out that the raw material is insufficient. If inventory is understated, Procurement might place an order for the materials when that order is not necessary. Finally, if there is excess inventory, some of it might deteriorate.
- A delay in manufacturing is likely to affect sales and customer satisfaction. It will also impact manufacturing costs as equipment and people are idled, waiting for materials.
- Customer satisfaction issues might affect future revenue.
- All of the above could lead to a failure to achieve financial targets.
In other words, continue to ask “what does that mean” until you get to the impact (if any) on enterprise objectives.
The other technique involves asking who needs to act, monitor the action, or be notified of the control failure and its impact.
- Is it enough for direct management to handle the situation, or
- Does it require action or monitoring by the next level of management?
- Should the next level above that (call it senior management) need to know or act? Why?
- Does the CEO or other top executive need to be informed and why? What do they need to do about it, or can they rely on lower-level management to handle it? (This is going beyond their “duty” to know about control issues or the results of internal audits. This is about whether they should spend any of their limited time on the topic.)
The more senior the people who need to act or at least know about the situation, the higher the level of “risk” in my eyes.
If only middle management needs to act, why should I include it in the audit report?
I use the same technique in my audit planning and defining the scope of an audit.
I ask this question of a potential audit: if we found that the controls were not adequate, to whom should it matter? Why?
If it is something that could be handled by middle management, I doubt I would include the area in my audit planning as I want to focus on the more significant risks to the objectives of the enterprise.
Let me add a little spice to the recipe. I also consider whether we could add value to top management and/or the board through an audit. If there would be little value to an audit, I hesitate to perform it. But I might perform an audit of a lower risk area if I anticipate delivering significant value, such as identifying the root cause of a problem and suggesting an antidote.
Courtesy : https://normanmarks.wordpress.com/2024/08/26/audit-risk-assessment-tips/