Audit Engagement Strategy (Driving Audit Value, Vol. III): The Best Practice Strategy Guide for Maximising the Added Value of the Internal Audit Engagements
By Hans Beumer
About this ebook
(Driving Audit Value, Vol. III)
the best practice guide for implementing a value-added internal audit engagement strategy
Follow the strategic principles and become successful in achieving the objectives of the audit engagements. Apply the fundamental success principles described in this book and your audit engagements will generate the desired added value.
drs. Hans Beumer has a Master's degree in Business Economics and was educated and trained as Dutch CPA, CIA, CISA, CRMA and CFE. Hans is a long-time Internal Audit, External Audit and Finance Management professional. During his 28-year career, he was CAE for 16 years at the head offices of globally operating companies, worked 6 years in public accounting and held other positions such as CFO.
During the last 10 years, he published 4 books and 8 articles on the topic of best practice internal auditing.
Book preview
Audit Engagement Strategy
DRIVING AUDIT VALUE (VOL. III)
The best practice strategy guide
for maximising the added value
of the internal audit engagements
HANS BEUMER
ALSO AVAILABLE FROM HANS BEUMER
Driving Audit Value (Vol. II): Audit Risk Management
Driving Audit Value (Vol. I): Audit Function Strategy
Success for Everyone
Happiness for Everyone
Kumano Kodo
Thailand
20’000 km by Train
Visit www.hansbeumer.com
COPYRIGHT
HB Publications
Zug, Switzerland
www.hansbeumer.com
Text Copyright © Hans Beumer 2017
Figures and Tables Copyright © Hans Beumer 2017
Cover Stock Media Copyright © BillionDigital 2017 and Shutterstock 2017
International Professional Practices Framework and International Standards for the Professional Practice of Internal Auditing, available at: https://global.theiia.org/standards-guidance. Lake Mary, FL: Copyright © 2017 by The Institute of Internal Auditors, Inc. All rights reserved.
All rights reserved. No part of this book may be reproduced by any mechanical, photographic, or electronic process, or in the form of a phonographic recording, nor may it be stored in a retrieval system, transmitted, or otherwise be copied for public or private use without the express written permission of the publisher, except for the use of brief quotations in a book review.
First edition published in July 2017
This book is available as:
-Hardcover: ISBN 978-3-906861-18-0
-EBook: ISBN 978-3-906861-19-7
Printed and distributed by Lulu Press, Inc.
This book is not intended to provide personalised business advice. It offers the viewpoints and extensive experience of the Author, but the views expressed should not be taken as instructions or commands. The reader is responsible for his or her decisions and actions for the business of internal audit and related topics. The Author and Publisher expressly disclaim any liability, loss, damage, or risk, business, personal or otherwise, that is incurred as a consequence, directly or indirectly, of the use and application of any of the contents of this book.
CONTENTS
FOREWORD
BOOK STRUCTURE
PART I - AUDIT ENGAGEMENT STRATEGIC MODEL
Where were the Auditors?
Soll and Ist
Process and Project
Beumer Audit Engagement Strategic Models©
Beumer Audit Engagement Strategic Model©
Audit Engagement Value Drivers Model©
Audit Engagement Value Enablers Model©
PART II - AUDIT ENGAGEMENT VALUE DRIVERS
Engagement Value Driver 1: Identifying Significant Risks
IPPF’s requirements for identifying significant risks
Standardisation
Process for identifying significant risks
Step 1: What are the key enablers for identifying significant risks?
Step 2: What is significant?
Step 3: Is it a process or substance issue?
Step 4: How to scope for identifying significant risks?
Step 5: How to develop the work programme for identifying significant risks?
Step 6: How to report the identified significant risks?
Identifying significant risks as value driver
Engagement Value Driver 2: Agreeing on Risk Mitigations
IPPF’s requirements for agreeing on risk mitigations
Standardisation
Process for agreeing on risk mitigations
Step 1: What are the key enablers for agreeing on the risk mitigations?
Step 2: What are the appropriate risk mitigation measures?
Step 3: To what level must the risks be reduced?
Step 4: Who should be responsible for the risk mitigations?
Step 5: How to determine the appropriate due dates of the risk mitigations?
Step 6: How to resolve disagreements?
Agreeing on risk mitigations as value driver
Engagement Value Driver 3: Monitoring Progress of Agreed Risk Mitigations
IPPF’s requirements for monitoring progress of agreed risk mitigations
Standardisation
Process for monitoring progress of agreed risk mitigations
Step 1: What are the key enablers for monitoring progress?
Step 2: What assurance needs to be provided?
Step 3: What is the appropriate type of progress monitoring?
Step 4: How to do the progress monitoring?
Step 5: How to handle cancelled, delayed, changed or incomplete mitigations?
Step 6: How to report the results of progress monitoring?
Monitoring progress of agreed risk mitigations as value driver
PART III - AUDIT ENGAGEMENT VALUE ENABLERS
Engagement Value Enabler 1: Resource Planning
IPPF’s requirements for resource allocation
Standardisation
Process for engagement resource planning
Step 1: What is the management activity to be audited?
Step 2: What type of audit work must be performed?
Step 3: What are the available audit resources?
Step 4: How to handle resource shortfalls?
Step 5: What are the audit resources at the time of the audit engagement?
Step 6: How to do the annual time-scheduling of the engagements?
Step 7: How to do the time-scheduling within the engagements?
Example
Resource planning as value enabler
Engagement Value Enabler 2: Engagement Planning
IPPF’s requirements for engagement planning
Standardisation
Process for engagement planning coordination and logistics
Step 1: What needs to be coordinated with management?
Step 2: What needs to be organised logistically?
Example
Engagement planning coordination and logistics as value enabler
Engagement Value Enabler 3: Audit Objective
IPPF’s requirements for engagement objective
Standardisation
Process for determining audit objective
Step 1: Why to audit?
Step 2: What is the required level of assurance?
Step 3: What is the subject matter of assurance?
Step 4: What are the objectives of assurance?
Example
Engagement objective as value enabler
Engagement Value Enabler 4: Understanding the Subject Matter
IPPF’s requirements for understanding the subject matter
Standardisation
Process for understanding the subject matter
Step 1: What are the process characteristics?
Step 2: What are the sources of information?
Step 3: Why understand two levels?
Example
Understanding the subject matter as value enabler
Engagement Value Enabler 5: Subject Matter Risk Assessment
IPPF’s requirements for risk assessment
Standardisation
Process for subject matter risk assessment
Step 1: What are the subject matter’s inherent risks?
Step 2: What are the subject matter’s control risks?
Subject Matter Risk Indicators Model©
Step 3: What are the risks in the 2nd lines of defence relating to the subject matter?
Step 4: How to use the results from the risk assessment?
Example
Risk assessment as value enabler
Engagement Value Enabler 6: Audit Scoping
IPPF’s requirements for engagement scoping
Standardisation
Process for engagement scoping
Step 1: What to audit?
Step 2: Where to audit?
Step 3: Who to audit?
Step 4: What period to audit?
Example
Engagement scoping as value enabler
Engagement Value Enabler 7: Work Programme
IPPF’s requirements for engagement work programme
Standardisation
Process for developing work programme
Step 1: What are the objectives that need to be tested?
Step 2: What types of audit tests are available?
Step 3: What audit tests are allocated to the objectives?
Step 4: What items from the population need to be tested?
Step 5: What time is allocated to each audit test?
Example
Engagement work programme as value enabler
Engagement Value Enabler 8: Audit Execution
IPPF’s requirements for engagement execution
Standardisation
Process for engagement execution
Step 1: What are the execution objectives?
Step 2: How to achieve the execution objectives?
Step 3: What audit evidence is needed?
Step 4: What are the working paper requirements?
Engagement execution as value enabler
Engagement Value Enabler 9: Audit Report
IPPF’s requirements for engagement reporting
Standardisation
Process for the final audit engagement reporting
Step 1: What is the structure of the report body?
Step 2: What audit results are included in the report body?
Step 3: What is the structure of the executive summary?
Step 4: What audit results are included in the executive summary?
Step 5: How to word the audit opinion?
Step 6: How to resolve disagreements?
Step 7: Who needs to receive the report?
Example
Audit report as value enabler
Engagement Value Enabler 10: Performance Management
IPPF’s requirements for performance management
Standardisation
Process for performance management
Step 1: What are the engagement performance targets?
Step 2: How to achieve the performance targets?
Step 3: What are the engagement detection risks?
Audit Engagement Detection Risk Indicators Model©
Step 4: How to mitigate the engagement detection risks?
Audit Engagement Detection Risk Mitigations Model©
Example
Performance management as value enabler
RECOMMENDED READING LIST
VOL. I OF DRIVING AUDIT VALUE: AUDIT FUNCTION STRATEGY
VOL. II OF DRIVING AUDIT VALUE: AUDIT RISK MANAGEMENT
DRIVING AUDIT VALUE BUNDLE: THE INTERNAL AUDIT HANDBOOK
VOL. IV OF DRIVING AUDIT VALUE: HOW TO AUDIT …
ABOUT THE AUTHOR
FOREWORD
Audit Engagement Strategy serves several purposes. For:
Chief Audit Executives (CAEs): to benchmark the internal audit engagements against the best practices and to increase the added value of the audit work.
Auditor Managers: to enhance their management of the internal audit engagements under their supervision, and to increase the quality of the audit work and the audit results.
Auditors: to execute the internal audit engagements in accordance with the best practices, and to increase the added value of their audit work.
Local management, process owners and auditees: to better understand the activities, focus and priorities of the internal audit engagements.
Advisors, consultants, freelancers: to use as a frame of reference for the best practice internal audit engagement strategy model.
Teachers and students: to teach and study internal audit engagement best practices based on a proven strategic model.
The Institute of Internal Auditors: to enhance the IPPF model with best practice elements.
Audit Engagement Strategy differs from all the other books about internal audit, in the way it combines the theoretical knowledge with the practical experiences of a seasoned CAE:
This is the first and only book that develops a clear strategy for the internal audit engagements. It reflects on the audit engagements from an entirely new perspective by defining their added value and how this added value can be attained through the value drivers and value enablers.
The Beumer Audit Engagement Strategic Models© provide transparency for the main success principles for an internal audit engagement, presenting a unique new frame of reference for understanding, managing and deploying the audit strategy at the audit engagement.
This book includes the practical experiences, examples, tips and, foremost, solutions from an experienced CAE. The content of this book draws upon 28 years of business experience, of which 16 years as leader of audit functions of globally operating corporations.
Audit Engagement Strategy is the best practice guide for implementing a value-added internal audit engagement strategy. Follow the strategic principles and become successful in achieving the objectives of the audit engagements. Apply the fundamental success principles described in this book and your audit engagements will generate the desired added value.
This book is part of a series on internal audit best practices called Driving Audit Value. The first three books in the series are:
1. Audit Function Strategy: This Volume I of Driving Audit Value describes the strategies for creating the maximum audit added value at the level of the internal audit function. The book explains and analyses the two main value drivers and the six main value enablers. Volume I was published in January 2017 (see the book preview and the global endorsements on pages 377 to 380).
2. Audit Risk Management: The Beumer Audit Risk Management Model© provides a ground-breaking new approach to understanding, identifying, measuring and mitigating the audit risks at both the audit function level and the audit engagement level. This book focuses solely on identifying and mitigating 60 potential audit risks. These audit risk management measures are described in Driving Audit Value, Volume II, which was published in March 2017 (see the book preview on pages 381 and 382).
3. Audit Engagement Strategy: The strategic model for driving the audit value at the level of the audit engagements is described in Driving Audit Value, Volume III. At the audit engagement level, the audit added value, value drivers, and value enablers also exist, though with a different content when compared to the level of the audit function.
When you combine the Volumes I, II and III of Driving Audit Value, a comprehensive internal audit handbook is created. The Driving Audit Value Bundle will integrate the best practice strategies for the audit function, audit engagement and the audit risk management into one handbook of more than 750 pages. This Bundle will be available for sale from July 2017 (see the book preview on pages 383 and 384).
Books published under The Successful Business Series describe the professional experiences in various lines of business. The series has the intention of helping you make your business successful.
Read to advance your life,
drs. Hans Beumer
July 2017
BOOK STRUCTURE
This book provides a practical approach and concrete tools to manage the internal audit engagements. The objective of the audit engagements is to achieve the maximum added value for the key customers: the board and executive management, divisional/business unit management as well as the process owner. There is a certain way to organise, plan, direct and execute the individual audit engagements that makes the audit function achieve this added value. The best practice methodologies and strategies for attaining the highest level of added value are presented in three distinct parts:
PART I: Audit Engagement Strategic Model
Part I presents the Beumer Audit Engagement Strategic Model©. This model shows the comprehensive audit engagement framework for maximising the added value of the audit engagements. The model connects 3 value drivers to 10 value enablers. The Audit Engagement Value Drivers Model© shows how the 3 key value drivers can be achieved in 18 defined and focused steps. The Audit Engagement Value Enablers Model© shows how the 10 key value enablers can be achieved in 39 steps. Together these models determine the comprehensive audit engagement strategy model for driving the audit value at the level of the audit engagements.
PART II: Audit Engagement Value Drivers
Part II shows that identifying the significant risks, agreeing on the risk mitigation, and monitoring the progress of this risk mitigation are the three primary value drivers of the audit function. From the perspective of the board and senior management, this is what the audit function is all about. Everything the audit function does must ultimately result in providing assurance that management knows the significant risks to their business, and is appropriately reducing the impact of these risks to a level that is within the risk appetite of the board. The generation of this added value is based on explicit and structured processes. The chapter Identifying Significant Risks explains how this can be achieved in 6 defined steps. A further 6 clear steps result in Agreeing on Risk Mitigations, and Monitoring Progress of Agreed Risk Mitigations is achieved in 6 straightforward steps.
PART III: Audit Engagement Value Enablers
Part III presents the 10 most significant value enablers for the internal audit engagements: resource planning (2 steps); engagement planning (2 steps); engagement objectives (4 steps); understanding the subject matter (3 steps); risk assessment of the subject matter (4 steps); engagement scoping (4 steps); engagement work programme (5 steps); engagement execution (fieldwork) (4 steps); engagement report (7 steps); engagement performance management (4 steps).
In 10 chapters, these topics are analysed, and efficient, effective and practical guidance is provided to maximise the value-enabling capacity of each subject by consistently following these defined steps.
Figure 1 - Book structure
Audit engagement level versus audit function level
Audit Engagement Strategy describes the added value, the value drivers, and the value enablers at the level of the internal audit engagement. Although all of these can be derived from the internal audit function strategy, the latter is not further detailed in this book. At the audit function level the added value, the value drivers and the value enablers also exist, though with a different content. The strategic model for driving the audit value at the level of the internal audit function is described in detail in Volume I of Driving Audit Value: Audit Function Strategy. I refer to the book preview on pages 377 to 380.
Managing the audit engagement risks
At the level of the internal audit engagement, six significant risks may occur: value risks, focus risks, execution risks, performance risks, reporting risks and compliance risks. The strategic model for managing these risks to the audit value at the level of the internal audit engagements is described in detail in Volume II of Driving Audit Value: Audit Risk Management. I refer to the book preview on pages 381 and 382.
Audit engagements versus consulting and support engagements
The title of this book is Audit Engagement Strategy. The emphasis is on audit. The main role of the internal audit function is to provide independent assurance to support management and the board in achieving their objectives. As the 3rd line of defence, it is the audit function’s competencies in risk assessment and its independence that generate the added value. Though internal audit functions also conduct consulting and support assignments, these are neither covered in this book, nor in the series of Driving Audit Value.
How to audit any topic
How to audit strategy-related topics? How to audit a research and development function? How to audit any topic for which the audit engagement team has no advance knowledge and still be able to come up with high added-value audit results? The performance of the audit work depends foremost on the appropriateness and focus of the audit work programme. Do the appropriate risk considerations flow into the audit steps? Do the audit steps cover all the important areas of the subject matter? Is the testing methodology appropriate for reaching the audit objective? These topics are only generically covered in this book, as the focus of this book is on the general engagement strategy. The topics of the specific work programmes for the value chain and support processes will be covered in Volume IV of Driving Audit Value, called How to audit … I refer to the book preview on page 385.
Lifting the audit engagements to the highest level of added value
This book is the best practice guide for maximising the added value of the internal audit engagements. It clearly describes what best practice processes look like and provides detailed guidance to allow each audit function to realise its own maximum added value. However, it does not cover the topic of how to lift the current status of your audit engagements to this best practice strategy model. Such a roadmap can be best developed using a SWOT analysis (Strengths, Weaknesses, Opportunities, Threats) for benchmarking your current internal audit engagement strategies, processes and procedures against the value drivers and the value enablers presented in this book.
PART I - AUDIT ENGAGEMENT STRATEGIC MODEL
Figure 2 – PART I: Audit engagement strategic model
Where were the Auditors?
Major corporate scandals 2010-2016
VOLKSWAGEN EMISSIONS SCANDAL
September 2015 – The US Environmental Protection Agency caught VW cheating on diesel emissions tests to falsely pass the maximum allowed levels. Diesel models had software installed to fraudulently show that the cars were more environmentally friendly than they actually were. More than 11 million cars had to be refitted, regulatory fines amounted to more than $15 billion, civil and criminal suits cost further billions. High profile managers and the CEO were dismissed.
Possible audit engagement issues:
Risk Assessment
Scoping
Work Programme
Audit skills
FIFA CORRUPTION SCANDAL
May 2015 – The FBI indicted the FIFA organisation and officials with racketeering, fraud, corruption, and with paying millions of dollars in bribes to influence FIFA elections, locations for hosting the World Cup, sponsorship contracts, broadcasting rights, and more.
Possible audit engagement issues:
Audit Objective
Scoping
BP OIL SPILL SCANDAL
April 2010 – The Deepwater Horizon rig explosion caused the largest environmental disaster of the 21st Century. Oil and gas producer BP had the worst health, safety and environment practices, which caused damages and costs far exceeding $25 billion, and destroyed shareholder value by more than $100 billion.
Possible audit engagement issues:
Scoping
Risk assessment
YAHOO HACKING SCANDAL OF 1 BILLION USER ACCOUNTS
December 2016 – Yahoo disclosed that a data breach exposed the private information of more than 1 billion user accounts. It related to a theft of names, email addresses, telephone numbers, birthdates, and unrecognisable passwords, as well as encrypted and non-encrypted security questions and answers.
Possible audit engagement issues:
Risk assessment
Scoping
WELLS FARGO SCANDAL OF FAKE ACCOUNTS
September 2016 – Over the period 2011-2016, Retail Banking employees created 1.5 million phoney deposit accounts and issued 0.5 million fake credit cards, without the knowledge or permission of the related customers. Employees resorted to fraud in order to meet challenging growth quotas. The bank paid $185 million in fines and fired 5’300 employees.
Possible audit engagement issues:
Work programme
Execution
Type of test
OLYMPUS ACCOUNTING AND BRIBERY SCANDAL
October 2011 – Olympus hid $1.7 billion in losses over a period of 13 years and admitted to paying kickbacks and foreign bribery. The company paid more than $0.5 billion to settle criminal and civil investigations.
Possible audit engagement issues:
Risk assessment
Scoping
PETROBRAS CORRUPTION SCANDAL
March 2014 – Executives and key management of Brazil’s state-owned Oil & Gas Company were accused of bribery of officials as well as siphoning off money for their own use. In criminal investigations, more than 80 managers and politicians were charged with money laundering and bribery of more than $8 billion.
Possible audit engagement issues:
Scoping
Work programme
Execution
LIBOR RIGGING SCANDAL
June 2012 – Criminal investigations into the manipulation of interest rates spread to 10 countries and involved more than 20 major banks. Total fines reached more than $10 billion.
Possible audit engagement issues:
Risk assessment
Work programme
Where were the internal auditors?
These eight examples represent some of the major scandals, bribery, corruption, fraud, and non-compliance cases in the period 2010-2016. In each of these cases, you can rightfully ask: Where were the internal auditors?
The answers to this question can be manifold:
during the planning of the audit engagement, the auditors insufficiently coordinated with the board and executive management about their business, risk and control concerns: BP, Petrobras, Yahoo.
during the audit engagement scoping, the risk assessment was incomplete: VW, BP, Petrobras, Wells Fargo, Yahoo.
during the audit engagement planning, the work programme was not focusing on the right key controls or risks: Libor, Olympus, Wells Fargo, Yahoo.
during the audit engagement planning, insufficiently skilled auditors were allocated to the audit: Libor, Wells Fargo, Yahoo.
during the audit engagement execution, the auditors did not have access to the staff, systems or information they needed to achieve the audit objective: FIFA, Petrobras, Olympus.
during the audit engagement execution, the auditors did not understand the transactions: Libor, Wells Fargo.
during the audit engagement execution, the auditors relied too much on single audit tests, such as interviews and other tests with very weak evidence: Libor, Wells Fargo, BP, FIFA.
during the audit engagement execution, the auditors did not agree on the appropriate risk mitigation with management: Yahoo, BP.
the auditors performed no follow-up to ascertain that their recommended risk mitigation actions were indeed implemented by management: Yahoo, BP, Libor.
We will never know the real reasons for the inability of these companies’ audit functions to successfully identify these issues and have management mitigate those risks. For the internal audit functions of these companies, it is already too late. Their effectiveness will probably have been seriously questioned, and this might have resulted in the dismissal of the CAE, downsizing or upsizing of the audit function, combined with a refocus of the audit function’s and audit engagement’s strategies and objectives. However, for your company’s audit function a similar scandal can be avoided. The strategic audit engagement model presented in this book comes to the rescue, and provides practical guidance for preventing such audit engagement risks.
Risks, Mitigations, Monitoring
When you analyse the issues of these eight cases, a clear trend can be identified. In all these scandals three engagement related topics stand out:
1. The audit engagements did not have the appropriate focus and as a result were not able to identify the significant risks.
2. If the audit engagements did identify the significant risks, they were ineffective in agreeing with management on the appropriate risk mitigating measures and their urgency of implementation.
3. Ineffective monitoring of the progress of the risk mitigations resulted in the materialisation of the risks before they could have been prevented or reduced.
The boards of these organisations must have expected their internal audit functions to do their jobs: identify the significant risks, agree with management on the appropriate risk mitigations, and monitor management’s implementation of the risk reductions.
These three expectations are the key value drivers for any audit engagement and represent the core of the audit engagement strategic model.
Soll and Ist
Comparing Soll and Ist
In its simplest form an audit (test) is a comparison of two states (conditions) of an item, transaction, or activity: the state which should exist and the state that actually exists. Exceptions, risks, deviations, issues, or however these may be called, represent the (incurred or expected) differences between the target state and the actual state. In the German language, this terminology is captured in two simple words: Soll and Ist. The Soll represents the target state, whereas the Ist represents the actual state. In an equation, this looks as follows:
Figure 3 – Standard definition of an audit (test)
Audit (test) = comparing the actual state (Ist) to the target state (Soll)
Exception = difference between the actual state and the target state
Soll = Ist + Exceptions
Virtually all audit work, all audit testing, and all audit engagements can be simplified to the core of Soll and Ist:
Wording the audit engagement objective results in stating the Soll, the target state that needs to be confirmed by the audit. The audit assurance provides the key customers of the audit function with a confirmation that the Soll can indeed be achieved.
The audit engagement work programme describes the Soll. It states the objectives of the management activity (process or sub-process), and the controls that management has put in place to ensure that the Ist equals the Soll. The audit testing element of the work programme reflects the audit function’s activity to compare the Ist with the Soll of management’s control activities, to ascertain whether the management controls were actually (Ist) executed as they should have been (Soll).
During the audit field work, the auditor collects evidence that the Ist of management’s control activity is achieving or can indeed achieve the Soll of the control.
The audit report, generated at the conclusion of the audit engagement, reflects on the Soll, the Ist and the Exceptions. The Soll will be described in the audit objective, the scope and the subject matter’s objectives. The Ist and Exceptions will be described in the issues, risks and recommendations. The agreed risk mitigation actions will close the gap between the Soll and the Ist.
In case the Ist = Soll, there will be no exceptions, and the audit report has no issues or recommendations of significance.
In case the Ist ≠ Soll, there will be exceptions or opportunities. The exceptions will result in the wording of (significant) audit issues (risks), while at the same time recommending the actions to mitigate the exceptions (to make the Ist equal to the Soll). Opportunities may arise when the audit identified that management is able to improve the performance of the subject matter above the target.
Whenever the engagement team or the auditors have difficulties in establishing the audit engagement objectives, developing the audit engagement work programme, performing the audit field work or writing the audit engagement report, they should keep in mind this simple principle of (comparing) Soll and Ist.
Auditing without a Soll
What to do when there is no Soll? Or to be more precise, when the board or management did not establish a target state for (elements of) the subject matter, the sub-processes, the key objectives or the key controls?
In essence this would reflect the situation described in Standard 2210 – Engagement Objectives: the absence of measurement criteria. The IPPF is, however, somewhat confusing on this topic: it refers to the absence of a measurement system, but assumes that the objectives against which the measurements need to be made are available (the guidance does not provide further explanation). The underlying topic to be addressed is twofold:
absence of objectives;
absence of measurement criteria.
The standard does not address the absence of the objectives. Still, the examples listed in the standard (policies, procedures, laws, regulations, industry practices) may contain objectives as well as measurement criteria. For example, an objective can be to apply the industry best practice process for health & safety, and the regulations explain what this entails and how this can be achieved. So principally, when there are such criteria, there may also be objectives. Still, there could also be criteria without an objective. Management may have implemented health and safety procedures, formally or informally, without setting a clear target.
A policy or regulation in itself may not necessarily contain an objective; it may just describe how the subject matter needs to be organised, but not the goals that need to be achieved with it. ISO standards provide the typical example. A process can be fully compliant with these standards but still lack an objective, be highly ineffective and miss all the substance needed to reach any meaningful objective, output or added value. Compliance with a policy or standard does not necessarily result in success (achievement of an objective that enables the achievement of the organisation’s business strategies).
Is it the same the other way around? Can there be an objective without measurement criteria? Such a situation could arise when management sets an objective of having a high level of health and safety, but does not specify how this needs to be achieved (there is no policy or reference to industry standards). It is then up to the audit function to discuss with management against which standard (Soll) the audit testing of the actual situation (Ist) needs to be done. For example, there could be a choice between OHSAS 18000, ISO 45001, HSE49 or other national standards and regulations. Only this situation is covered by the IPPF’s standard.
What to do when there is no Soll for the objectives and/or the measurement system? The IPPF’s standards have answered the latter part of the question. But what if management and the board are not able to answer that question? In my personal experience, there can be situations where no measurement systems are available. Management may not have a comprehensive policy for research & development project management, for developing the strategic business plans, for developing business concepts, for implementing a new IT platform, for business continuity, for managing its intellectual property, for preparing the weekly production planning, for the reasons for hiring