
High-Level View of Internal Auditing

Identify Auditable Items: "Audit Universe" (AU)
Most organizations have several AU's of homogenous items.
Combination of:
- Groups of people/departments
- Processes
- Locations
- Financial Statements
- IT Operations
- Policies
- Contracts
- Controls

Selecting Audits

Method 1 (2120)
- Risk Registers or Matrix with Probability and Impact of risks for each item in AU
- Major time investment
- Identify Inherent and Residual Risks for items in AU
- "ERM" with Board & Senior Management input

Method 2
- Use Risk Factors to rank items in AU
- Minor time investment
- Spreadsheet to calculate risk scores for each item in AU, based on Risk Factors such as:
  - Time Since Last Audit
  - Volume/size
  - Visibility
  - Complexity
  - Etc.

Annual Audit Plan AAP (2010)
- Risk-Based Auditing - Macro-Level (2010)
- Approved by Board & Senior Management (2020)

Performing Audits (2200, 2300)
- Plan Audit as per AAP.
- Engagement Plan (2200)
- Audit Programs (2240): Approved prior to use (2240.A1)
- Conduct Field Work as per Audit Programs (2300)
- Test Compliance and Effectiveness of Controls using sampling guidelines and types of audit evidence

Risk-Based Auditing - Micro-Level (2210)
- Like ERM
- Identify inherent and residual risks, Via Risk Registers or Matrix with Probability and Impact of risks for areas in audit

Compliance with Policies & Procedures (P&P) Audits
- Id important P&P that should be followed

Process Flow Audits
- Use CAATS to id process flow controls:
  - Complete
  - Accurate
  - Authorized
  - Timely
  - Safeguarded
- Or COBIT Application Controls

Financial Statement Audits
- F/S Assertions
- Accounting Rules
- Account Balance Verifications

Internal Control Audits
- Evaluate Control Design using COSO or COBIT (2201)
- COSO Framework

Develop Audit Issues (2400)
Elements of an Issue:
- Criteria/Control
- Condition
- Root Cause
- Impact/Importance
- Recommendation

Reporting (2400)
- Audit Report (2440): Approved by CAE before issuance (2440)

Follow-up on Issues (2500)
- Evaluate Status of Controls (2410, 2450)

IA Department: Board & Senior Management Reports

Periodic: Periodic Updates (2060)
- Status of Annual Audit Plan (2060)
- Metrics for Department, such as Balanced Scorecard (1311)
- Important Issues
- Status of Risks/Controls
- Fraud risks, governance issues
- Status of Corrective Actions

On-going: Results of Audits
- Audit Reports, as issued?

At Least Annually
- Audit Charter (1000, 1010)
- Independence (1110)
- Results of quality program (1320)
- Non-conformance with Standards/Ethics (1322)

Notes
- (2xxx) refers to IIA Performance Standards
- P&P must be developed to guide IA activity (2040)

Larry Hubbard & Associates
© 2013 06
