You have asked a very good question. What one needs to do is to audit on the
following points. These are from the Business Excellence Model of EFQM. For example,
from the first point one can determine if the organization has a process to
gather and understand the market information etc.
The following points will be good guidelines for any strategy audit. Based on
these points, one can determine whether the leadership in the organization is
developing vision, mission and values, and how the vision, mission and values are
communicated to all people in the organisation as well as other stakeholders.
Although it is a long mail, I hope you will find it useful. You may get more details on
this model at http://www.efqm.org/. In case you need more information, please let
me know.
Regards
nishikant
a. Policy and strategy (directions) are based on the present and future
needs and expectations of stakeholders
The scope of internal auditing within an organization is broad and may involve topics
such as the efficacy of operations, the reliability of financial reporting, deterring and
investigating fraud, safeguarding assets, and compliance with laws and regulations.
Internal auditing frequently involves measuring compliance with the entity's policies
and procedures. However, internal auditors are not responsible for the execution of
company activities; they advise management and the Board of Directors (or similar
oversight body) regarding how to better execute their responsibilities. As a result of
their broad scope of involvement, internal auditors may have a variety of higher
educational and professional backgrounds.
• 1) The reporting line or status of the CAE The Chief Audit Executive must
report to a level within the organization that allows the internal audit activity
to fulfill its responsibilities. The chief audit executive must confirm to the
board, at least annually, the organizational independence of the internal audit
activity.
• 2) Attitude of auditors, procedures of the internal audit department. The
internal audit activity must be free from interference in determining the scope
of internal auditing, performing work, and communicating results.
• 3) Communication right. The chief audit executive must communicate and
interact directly with the Board of Directors.
In the United States, internal auditors may assist management with compliance with
the Sarbanes-Oxley Act (SOX).
Under the COSO enterprise risk management (ERM) Framework, risks fall under
strategic, operational, financial reporting, and legal/regulatory categories.
Management performs risk assessment activities as part of the ordinary course of
business in each of these categories. Examples include: strategic planning, marketing
planning, capital planning, budgeting, hedging, incentive payout structure, and
credit/lending practices. Sarbanes-Oxley regulations also require extensive risk
assessment of financial reporting processes. Corporate legal counsel often prepares
comprehensive assessments of the current and potential litigation a company faces.
Internal auditors may evaluate each of these activities, or focus on the processes used
by management to report and monitor the risks identified. For example, internal
auditors can advise management regarding the reporting of forward-looking operating
measures to the Board, to help identify emerging risks.
In larger organizations, major strategic initiatives are implemented to achieve
objectives and drive changes. As a member of senior management, the Chief Audit
Executive (CAE) may participate in status updates on these major initiatives. This
places the CAE in the position to report on many of the major risks the organization
faces to the Audit Committee, or ensure management's reporting is effective for that
purpose.
Internal auditors may help companies establish and maintain Enterprise Risk
Management processes.[3][4] Internal auditors also play an important role in helping
companies execute a SOX 404 top-down risk assessment. In these latter two areas,
internal auditors typically are part of the project team in an advisory role.
1. Establish and communicate the scope and objectives for the audit to
appropriate management.
2. Develop an understanding of the business area under review. This includes
objectives, measurements, and key transaction types. This involves review of
documents and interviews. Flowcharts and narratives may be created if
necessary.
3. Describe the key risks facing the business activities within the scope of the
audit.
4. Identify control procedures used to ensure each key risk and transaction type is
properly controlled and monitored.
5. Develop and execute a risk-based sampling and testing approach to determine
whether the most important controls are operating as intended.
6. Report problems identified and negotiate action plans with management to
address the problems.
7. Follow up on reported findings at appropriate intervals. Internal audit
departments maintain a follow-up database for this purpose.
Project length varies based on the complexity of the activity being audited and
Internal Audit resources available. Many of the above steps are iterative and may not
all occur in the sequence indicated.
The recommendations in an internal audit report are designed to help the organization
achieve its goals, which may relate to operations, financial reporting or
legal/regulatory compliance. They may relate to effectiveness (i.e., whether goals
were met or compliance with standards was achieved) or efficiency (i.e., whether the
outputs were generated with minimum inputs).
This effort helps ensure the audit activity is aligned with the organization’s objectives,
by answering two key questions: First, what goals is the organization trying to
accomplish in the upcoming period? Second, how can the Internal Audit Department
assist the organization in achieving these goals?
Quantitative measures can also be used to measure the function’s level of execution
and qualifications of its personnel. Key measures include:
Plan completion: This is a measure of the degree to which the annual plan of
engagements is completed, measured at a point in time. This may be measured using
the number of projects completed, weighted by the planned size of each project, with
estimates for projects in-progress. Measured throughout the year, it is compared
against the percentage of the year elapsed.
Report issuance: This is a measure of the time elapsed from completion of testing to
issuance of the final audit report, including management’s action plans. This can be
measured in average days or percentage of reports issued within a certain standard,
such as 30 days. Establishing expectations for the timing of management’s response
to report recommendations is critical. In addition, the scope and degree of change
involved in the report’s action plans are key variables. For example, a report for a
single retail store requiring only the store manager’s action might take 3–5 days to
issue. However, a report consolidating findings from 20 retail stores, with action plans
with national implications determined by top management, may take 30–60 days in
complex organizations.
Issue closure: Reported audit findings are often called “issues” or “deficiencies.”
Professional standards require audit functions to track reported findings to resolution,
which effectively requires the maintenance of an issues follow-up database. The
number of days that reported issues remain open, or open after their agreed-upon
closure date, are key measures. In addition, reporting database statistics such as the
number of issues open (unresolved), closed (resolved), and issues opened/closed
during a given period are useful statistics.
Staff qualifications: This can be measured through the percentage of staff with
professional certifications, graduate degrees, and overall years of experience.
Staff utilization rate: This is measured as the percentage of time spent on projects, as
opposed to administrative time such as training or vacation. Many internal audit
departments track time by audit project. This is typically captured in a database or
spreadsheet.
Staffing level: The number of positions filled relative to the authorized staffing level.
Due to the challenge of finding qualified staff, departments may have rotational
programs to bring in management to complete tours in the function or be "guest"
auditors. Audit departments also "co-source," meaning they obtain contract auditors
from service providers.
The Chief Audit Executive (CAE) typically reports the most critical issues to the
Audit Committee quarterly, along with management's progress towards resolving
them. Critical issues typically have a reasonable likelihood of causing substantial
financial or reputational damage to the company. For particularly complex issues, the
responsible manager may participate in the discussion. Such reporting is critical to
ensure the function is respected, that the proper "tone at the top" exists in the
organization, and to expedite resolution of such issues. It is a matter of considerable
judgment to select appropriate issues for the Audit Committee's attention and to
describe them in the proper context.