Audit Process
A. Four Phases
The Audit Process is divided into four phases, namely: audit engagement
planning, audit execution, audit reporting, and audit follow-up.
This audit process is applicable for both management and operations audit. For
each phase, there are specific criteria to ensure a successful audit engagement.
Purposes:
a. Understanding the control environment and the organization;
b. Outlining the scope and objectives of the audit;
c. Establishing the basis for budgeting (time, cost, personnel);
d. Identifying the evidence required to develop the audit findings;
e. Assisting in choosing/determining the audit procedures (nature, extent
and timing); and
f. Establishing the basis for coordinating the staff.
Document understanding → Audit objective, scope, criteria & evidence → Determine KPIs → Audit plan & program → Secure approval
Element: Introduction
Information: A brief description of the management controls or the plan of organization and all the methods and measures adopted within an agency to ensure:
o That resources are used consistent with laws, regulations and managerial policies;
o That resources are safeguarded against loss, wastage and misuse;
o That financial and non-financial information are reliable, accurate and timely; and
o That operations are economical, efficient, ethical and effective

Element: Audit objective & scope
Information: Overall objective and scope of the work to be accomplished

Element: Assessment of controls
Information: Critical processes identified by the ICS during the planning phase which led to the selection of the audit area approved by the GM and the
Element: Introduction
Information: A brief description or background information of the program or project, including:
o the main activities and significant events;
o information on the structure of the program or project, systems and processes:
1) which lead to the attainment of the output or the aggregate of the outputs to achieve the outcome,
2) which process is underperforming causing delays in completion

Element: Audit objective & scope
Information: Overall objective and scope of the work to be accomplished

Element: Assessment of controls
Information: Critical points identified by the ICS during the understanding phase which led to the selection of the audit area approved by the GM and the formulation of the audit objective

Element: Audit approach
Information: Audit of program or project results

Element: Resources / inputs
Information: Statutory policies, mandates, managerial policies, citizens’ needs and expectations, manpower, materials, equipment and timelines

Element: Audit criteria
Information: Set of reasonable and attainable standards of performance, statutory or managerial policies, laws and regulations, etc.
Step 1:
The audit plan, audit work program and KPIs are
submitted by the ICS team leader to the Head of
ICS for review and approval prior to the
commencement of the audit execution.
Step 2:
The Head of ICS will evaluate the documents to
assess the relevance, significance, auditability and
other factors affecting the conduct of the audit.
Step 3:
After the documents have been approved,
management should be informed about the
approved audit plan, audit work program and the
KPIs. The audit plan and the KPIs should be
discussed with management but the audit work
program should not be shared.
Entry conference → Conduct compliance audit → Conduct system / process audit → Exit conference
a. Entry conference
- Sets the tone for the audit
- Done to discuss the focus, requirements and timelines of the audit,
as well as to obtain the audited entity’s views and expectations for
the overall framework for the conduct of the audit
- Matters arising from the entry conference must be recorded (as
entry conference notes) and should be considered during the
conduct of the engagement planning
Acts or omissions which could have caused the non-compliance
Establish also the why, what and how of the non-compliance
The ICS should record relevant information to support the audit results
- Steps:
A structured investigation that aims to identify the true cause of a problem & actions
necessary to eliminate it
3. Audit Reporting
Represents the culmination of the audit execution and the associated
analysis and considerations made during the audit
The audit report sets out the findings in appropriate format: provides the
pieces of evidence gathered to arrive at the audit findings and the
recommendations
Steps:
Audit findings → Audit recommendations → Draft audit report → Update the GM → Final audit report
Criteria
Condition
Conclusion
Cause
d. Update the GM
- The GM should be updated on the results of the audit engagement
Increase the effectiveness of audits
• To increase the probability that recommendations will be implemented
• Source of information and evidence
• Nature of the control deficiency
• Materiality
• Results of other audit procedures
• Prior audit experience
Sufficiency Appropriateness
3. Characteristics of evidence
Relevant
Direct
• That which proves the fact in dispute without the aid of any inference
or presumption
Circumstantial
Corroborative
Admissible
Testimonial Evidence
Description Examples Sources
Documentary Evidence
Hierarchy of reliability:
Independent external
evidence
Internally provided
evidence
Analytical Evidence
Description Examples Sources
Electronic Evidence
Description Examples
5. Use of evidence
Overreliance on any one form of evidence may affect the validity of the
findings. One should gather a wide variety of evidence so that multiple
diverse and corroborating types of evidence can be triangulated to check
the validity and reliability of the findings. Thus, more cross-checks on
the accuracy of the decision should be undertaken.
Methods
Types
•Preparatory interviews
•Interviews to collect or validate material information
•Interviews to generate and assess facts and pieces of evidence
Results
b. Sampling
Description
• Systematic
• Statistical
• Non-statistical
• Random
• Simple random
• Stratified
Procedures
Description
Types
Procedures
• Type 1:
• Detailed examination of program coding
• Involves a fair degree of programming skill & a thorough
knowledge of program specification
2. Basic Steps
3. Techniques
Selected techniques that can be used are as follows:
Problem
Low customer satisfaction rating
Why? 1
Long customer queues during payment due dates
Why? 2
There are only 2 payment centers
Why? 3
Plans to add payment centers have not yet materialized
Why? 4
TWD cannot afford the high collection cost charged by 3rd party
collecting agents
Why? 4
Poor cash management / low collections
Why? 5
No strategic plan to increase collections
Example:
For “Why? 3”, it is not enough to say “high collection
costs” because that is beyond the control of the
organization. However, if it is said that “the organization
cannot afford the high collection costs”, then it can be an
acceptable cause.
v. For each arrow going from left to right, read it using the word
“because”
Example:
The problem is we have a low customer satisfaction rating…
Example:
We have no strategic plan to increase collections…
vii. “The 5 Whys technique is a simple technique that can help you
quickly get to the root of a problem. But that is all it is, and the
more complex things get, the more likely it is to lead you down a
false trail. If it doesn't quickly give you an answer that's
obviously right, then you may need to use a more sophisticated
problem solving technique such as Root Cause Analysis or
Cause and Effect Analysis.” (Mind Tools Ltd., 2013)
- Identifies:
i. All potential failure modes of the various parts of a system (a
failure mode is what is observed to fail or to perform incorrectly,
i.e., the deficiency in control design and control operation);
ii. The effects these failures may have on the system;
iii. The mechanisms of failure; and
iv. How to avoid the failures and/or mitigate the effects of the
failures on the system.
- Procedures
i. Get an overview of the system:
o Determine the function of all components.
o Create functional and reliability block diagrams.
o Document all environments and missions of sys.
ii. ID all potential failure modes of each component.
iii. Establish failure effect on the next level of the sys.
o Determine failure detection methods.
o Determine if common mode failures exist.
iv. Determine criticality of the failure, ranking & CIL.
o Develop CIL
o Corrective actions/retention rationale.
v. Provide suitable follow-up or corrective actions.
(NASA Lewis Research Center, 2006)
- Procedure Flowchart
- Example
(Avaluation.com, 2009)
- Process overview:
i. If the technique is being applied in a formal, scheduled session,
take the necessary steps to prepare for conducting the FTA.
o If technological methods will be used, acquire concept
mapping software, a computer, a projection device (for
example, a video projector), and a projection surface or
screen.
o If non-technological methods will be used, ensure that you
have access to a large surface area (that is, a whiteboard or
chalkboard) on which you can create the concept map, as
well as thick markers in various colors, tape, and so on.
o If you are doing the concept mapping session with a large
number of participants, consider identifying a colleague or
assistant who is able to create the actual concept map while
the facilitator mediates the session.
o Identify and invite participants who are experts on the
system that will be the focus of the FTA.
o Schedule the FTA activity session.
iii. Identify the “what should be” for the system either by identifying
the system’s mission, purpose, or goals, or by defining the
criteria for what the “ideal situation” would look like.
vi. Look at each of the key factors you have identified in the
previous step. What sub-factors could be causing the key
factors? Identify the sub-factors, and place them underneath the
appropriate factor on the tree. Do not move on to the next level
of analysis until there is consensus that all factors at the current
level have been identified.
viii. After the fault tree has been completed, work with experts to
carefully and systematically analyze it for accuracy. Compare
the fault tree’s factors and structure against the actual system
being analyzed.
ix. Analyze the fault tree. This analysis can be done either
statistically or through informal nonstatistical methods (such as
brainstorming). To analyze quantitatively, use statistical analysis
to determine the probability of all the contributing factors you
have listed in the tree. This analysis can be complex, and we
recommend doing additional readings before completing the
analysis.
xi. Focus particularly on the factors that appear lowest in the tree,
because remedying or preventing these root causes is the most
effective and efficient way to obstruct or eliminate the critical
paths leading to the top undesired event.
(Ryan Watkins, 2008)
ii. Remember that the expert insight that is used to construct the
fault tree is generally of a very subjective nature. Take steps to
consult as many experts as possible and to externally validate
the fault tree and its outcomes. Both of these steps will reduce
the subjectivity to some extent.
(Ryan Watkins, 2008)
- Example
- Procedures
i. The Problem Statement. Write the problem statement at the
center right of the document / flipchart / whiteboard / screen.
Draw a box around it then draw a horizontal line / arrow from the
box to the left side of the sheet. The box would be the head and
the line the vertebra / backbone of the fish.
ii. The Categories. Draw five (5) diagonal lines stemming from the
main horizontal line: three (3) on top and two (2) below (or
reverse). The lines should be thinner than the horizontal line.
Label each diagonal line as follows:
o Surroundings
o Suppliers
o Systems
o Skills
o Safety
v. Root causes. Encircle the sub-causes which do not have further sub-causes. These are the root
causes.
(American Society for Quality, 2013) & (The Business Tools Store, 2012)
ii. Identify the root cause of each problem using other techniques
(5 Whys, Fishbone, Fault Tree, etc.).
Experts are those who have acquired special knowledge, skill, experience
or training in a particular field other than auditing. The auditor may use the
work of an expert as evidence but the auditor retains full responsibility for
the contents of the audit report.
The Supreme Court in Balbastro vs. COA, G.R. No. 171481, 30 June
2008, found the petitioner guilty on the basis of the audit report which
constitutes substantial evidence. The pertinent ruling reads:
American Society for Quality. (2013). Fishbone (Ishikawa) Diagram. Retrieved June 13, 2013, from ASQ:
http://asq.org/learn-about-quality/cause-analysis-tools/overview/fishbone.html
FMEA-FMECA.com. (2006). What is a FMEA? Retrieved June 11, 2013, from FMEA-FMECA.com:
http://fmea-fmeca.com/what-is-fmea-fmeca.html
Haughey, D. (2013). Pareto Analysis Step by Step. Retrieved June 13, 2013, from ProjectSmart.co.uk:
http://www.projectsmart.co.uk/pareto-analysis-step-by-step.html
Mind Tools Ltd. (2013). Pareto Analysis: Using the 80:20 Rule to Prioritize. Retrieved June 13, 2013, from
Mind Tools: http://www.mindtools.com/pages/article/newTED_01.htm
Mind Tools Ltd. (2013). 5 Whys: Quickly Getting to the Root of a Problem. Retrieved June 11, 2013, from
MindTools: http://www.mindtools.com/pages/article/newTMC_5W.htm
NASA Lewis Research Center. (2006). Tools of Reliability Analysis -- Introduction and FMEAs. Retrieved
June 11, 2013, from FMEA-FMECA.com: http://fmea-fmeca.com/fmea-examples.html
Ryan Watkins, M. W. (2008). Fault Tree Analysis. Retrieved June 11, 2013, from RyanRWatkins.com:
http://ryanrwatkins.com/na/guidebook/Fault%20tree%20analysis.pdf
The Business Tools Store. (2012). Cause and Effect Ishikawa Fishbone Diagram - Excel Template User
Guide. Retrieved June 13, 2013, from The Business Tools Store:
http://www.businesstoolsstore.com/content/User%20Guides/Cause%20and%20Effect%20Ishikawa%20Fishbone%20Diagrams%20Excel%20Template%20User%20Guide.pdf