In this video Mike digs into planning your audit to arrive at independent results to aid management's decisions.
- [Instructor] Alright, well lets talk about keeping your audit organized. You know, audits are long, drawn out, complex things, and so, keeping them organized is an important thing. Practicing with good project management, processes, and tools is one way to keep this all in check, one way to keep it all organized. So, some of you may see a lot of unprepared auditees say something like this. It's very, very common, and oftentimes auditors are the guys coming around on purpose trying to find something that you did wrong, or something that is insufficient, or something that you did naughty, or something you might even have done that's considered a fraud.
And so, the auditors tend to be unpopular folks, and it can create this environment, or this attitude of panic, and oh My god, the auditor's coming again. So, this is why it's important to have some kind of organization in the audit, so that people aren't surprised by things, and so that the audit goes along, and is conducted fairly smoothly. Alright, so the auditor is the person that comes around to periodically ensure that you're behaving, or that you're performing your job as the policies of the organization dictate, whether your complying with some regulatory standard or regulation.
They're really there to ensure that the correct controls are in place, and that they're sufficient. That's really what auditing is all about; is there a control for something, and is that control sufficient, and is it being circumvented some way? Now, when it comes to audits, we have two types, we have the internal audits, which are people that work for the organization, they're in the organization, they know the policies, they know all the applicable laws, and they're there to make sure that you're compliant with them. They know who's who in the zoo, they know the roles and responsibilities, they know the management involved, they know the people who are in the trenches doing the work.
The external audits are where you bring someone else in. They may be someone brought in from some kind of accounting or auditing firm, or they may be from a regulating body itself. So, whether it's internal or external, doesn't really matter. At the end of the day, we're still going to be testing controls to make sure that they're one: in place, and two: sufficient, and meeting the mark. So, some key documents involved in auditing: an audit charter is the sort of mother document that is the document that imbues the authority to the auditors.
It defines some kind of scope for what the audit function is, not necessarily for a single audit, but in general, what are we going to be auditing at this organization? What functions? What business functions? What business processes? What assets are going to be involved? Like it defines the responsibility of the audit team, and the responsibilities of the people being audited, mid-level management, people in the trenches, et cetera, et cetera. An engagement letter is focused on a more specific engagement, as it's name implies.
With engagement letters, we're not defining an overall responsibility for an audit team within the organization, we're defining for this audit. These are the rules, these are the specific details, the scope. Here's some special consideration that needs to be provided, and typically, that's done for external auditors coming in. You can have an engagement letter if you're doing a sort of project-based style of auditing within your organization, but it's more come to see in a third party audit where you're having an external auditor come in.
So, the audit charter; audit charter is there to define the roles, who's who in the zoo, what the roles of the audit team are, what the roles of management are, what the roles of the people being audit, the auditees are. It's there to define the functions of the audit team, and the functions within the business that are going to be audited. It's a sort of double meaning thing there. It's going to define management's responsibility, which is almost always some kind of oversight for the audit process. Remember, an audit team is brought in to speak directly to management to give management some oversight as to what's really going on in the trenches of the organization.
We're going to look at controls, figure out whether they're sufficient, et cetera, et cetera, and pipe that all up to management, so management has visibility. How will things be approved? What is the approval process? What's the escalation process? An audit charter will spell all of this out so that it's clear, black and white, everybody knows how this will be piped up to management. And then finally, perhaps most importantly, it's going to define some level of independence for the audit team. Auditors have to have some ability to go into an organization, find out all the things that aren't right, or aren't sufficient, and then report it directly to management, circumventing all those mid-level managers and everyone else.
That's why auditors tend to be the black sheep, the guys who or... Gals who are less liked within the organization because they always come around and find you doing something naughty, or that you haven't complied with this, and oftentimes, it's something as simple as pass or fail. But they've got to be able to be independent, such that they can report directly to management, and provide that transparency so that management has some level of oversight. And that's a little bit about keeping an audit organized, and some of things that are involved in making that so.
Note: This series was created by Human Element, Michael Lester, Jordan Genung, and Steve Bennett.
- Managing an IS audit
- Regulatory drivers
- IS controls
- Performing an IS audit
- Communicating audit results
- Evolving the audit process
- Continuous auditing