The Operational Auditing Handbook
Auditing Business and IT Processes
Second Edition
The Operational Auditing Handbook Second Edition clarifies the underlying issues, risks and objectives for a wide range of operations and activities and is a professional companion for those who design self-assessment and audit programmes of business processes in all sectors.
To accompany this updated edition of The Operational Auditing Handbook please visit www.wiley.com/go/chambers for a complete selection of Standard Audit Programme Guides.
Pages: 1200
Year of publication: 2011
Contents
Cover
Half Title page
Title page
Copyright page
Preface
Acknowledgements
Part I: Understanding Operational Auditing
Chapter 1: Approaches to Operational Auditing
Definitions of “Operational Auditing”
Scope
Audit Approach to Operational Audits
Auditing for the Three and Six Es
Resourcing the Internal Audit of Technical Activities
Productivity and Performance Measurement Systems
Value for Money (VFM) Auditing
Benchmarking
Notes
Chapter 2: Business Processes
Introduction
An Audit Universe of Business Processes
Self Assessment of Business Processes
A Hybrid Audit Universe
Reasons for Process Weaknesses
Identifying the Processes of an Organisation
Why Adopt A “Cycle” or “Process” Approach To Internal Control Design And Review?
Business Processes in the Standard Audit Programme Guides
The Hallmarks of A Good Business Process
Academic Cycles in A University
Notes
Chapter 3: Developing Operational Review Programmes for Managerial and Audit Use
Scope
Practical Use of SAPGs
Format of SAPGs
Risk in Operational Auditing
Notes
Chapter 4: Governance Processes
Introduction
Internal Control Processes Being Part of Risk Management Processes
Risk Management Processes Being Part of Governance Processes
Objectives of Governance, Risk Management and Control Processes
The COSO View of Objectives
Should There be A Single Set of Objectives?
The Internal Governance Processes
The Board and External Aspects of Corporate Governance
The Board’s Assurance Vacuum
Control Objectives for Internal Governance Processes
Risk and Control Issues for Internal Governance Processes
Risk and Control Issues for the Board
Risk and Control Issues for External Governance Processes
Notes
Chapter 5: Risk Management Processes
Introduction
Objectives of Risk Management
Essential Components of Effective Risk Management
The Scope of Internal Audit’s Role in Risk Management
Tools for Risk Management
The Risk Matrix
Risk Registers
Risk Management Challenges
Control Issues for Risk Management Processes
Notes
Chapter 6: Internal Control Processes
Introduction
Paradigm 1: COSO on Internal Control
Paradigm 2: Turnbull on Internal Control
Paradigm 3: COCO on Internal Control
Paradigm 4: A Systems/Cybernetics Model of Internal Control
Paradigm 5: Control by Division With Supervision
Paradigm 6: Control by Category
The Objectives of Internal Control
Determining Whether Internal Control is Effective
Control Cost-Effectiveness Considerations
Issues for Internal Control Processes
Notes
Chapter 7: Review of the Control Environment
Introduction
Control Objectives For A Review of the Control Environment
Risk and Control Issues for A Review of the Control Environment
Fraud
Chapter 8: Reviewing Internal Control over Financial Reporting—The Sarbanes-Oxley Approach
Introduction
Costs and Benefits
2007 SOX-Lite
Revised Definitions of “Significant Deficiency” and “Material Weakness”
Using A Recognised Internal Control Framework for the Assessment
Risk and Control Issues for the Sarbanes-Oxley S. 302 and S. 404 Compliance Process
Notes
Chapter 9: Business/Management Techniques and their Impact on Control and Audit
Introduction
Business Process Re-Engineering
Total Quality Management
Delayering
Empowerment
Outsourcing
Just-In-Time Management (JIT)
Notes
Chapter 10: Control Self Assessment
Introduction
Survey and Workshop Approaches to CSA
Selecting Workshop Participants
Where to Apply CSA
CSA Roles for Management and for Internal Audit
Avoiding Line Management Disillusionment
Encouragement from the Top
Facilitating CSA Workshops, and Training for CSA
Anonymous Voting Systems
Comparing CSA with Internal Audit
Control Self Assessment as Reassurance for Internal Audit
A Hybrid Approach—Integrating Internal Auditing Engagements with CSA Workshops
Workshop Formats
Utilising CoCo in CSA
Readings
Control Self Assessment
Notes
Chapter 11: Evaluating the Internal Audit Activity
Introduction
Ongoing Monitoring
Periodic Internal Reviews
External Reviews
Common Weaknesses Noted by Quality Assurance Reviews
Internal Audit Maturity Models
Effective Measuring of Internal Auditing’s Contribution to the Enterprise’s Profitability
Control Objectives for the Internal Audit Activity
Notes
Part II: Auditing Key Functions
Chapter 12: Auditing the Finance and Accounting Functions
Introduction
System/Function Components of the Financial and Accounting Environment
Control Objectives and Risk and Control Issues
Treasury
Payroll
Accounts Payable
Accounts Receivable
General Ledger/Management Accounts
Fixed Assets (and Capital Charges)
Budgeting and Monitoring
Bank Accounts and Banking Arrangements
Sales Tax (VAT) Accounting
Taxation
Inventories
Product/Project Accounting
Petty Cash and Expenses
Financial Information and Reporting
Investments
Chapter 13: Auditing Subsidiaries, Remote Operating Units and Joint Ventures
Introduction
Fact Finding
High Level Review Programme
Joint Ventures
Notes
Chapter 14: Auditing Contracts and the Purchasing Function
Introduction
Control Objectives and Risk and Control Issues
Contracting
Contract Management Environment
Assessing the Viability and Competence of Contractors
Maintaining an Approved List of Contractors
Tendering Procedures
Contracting and Tendering Documentation
Selection and Letting of Contracts
Performance Monitoring
Valuing Work for Interim Payments
Contractor’s Final Account
Review of Project Outturn and Performance
Note
Chapter 15: Auditing Operations and Resource Management
Introduction
System/Function Components of A Production/Manufacturing Environment
Control Objectives and Risk and Control Issues
Planning and Production Control
Facilities, Plant and Equipment
Personnel
Materials and Energy
Quality Control
Safety
Environmental Issues
Law and Regulatory Compliance
Maintenance
Chapter 16: Auditing Marketing and Sales
Introduction
System/Function Components of the Marketing and Sales Functions
General Comments
Control Objectives and Risk and Control Issues
Product Development
Market Research
Promotion and Advertising
Pricing and Discount Policies
Sales Management
Sales Performance and Monitoring
Distributors
Relationship with The Parent Company
Agents
Order Processing
Warranty Arrangements
Maintenance and Servicing
Spare Parts and Supply
Note
Chapter 17: Auditing Distribution
Introduction
System/Function Components of Distribution
Control Objectives and Risk and Control Issues
Distribution, Transport and Logistics
Distributors
Stock Control
Warehousing and Storage
Chapter 18: Auditing Human Resources
Introduction
System/Function Components of the Personnel Function
Control Objectives and Risk and Control Issues
Human Resources Department
Recruitment
Manpower and Succession Planning
Staff Training and Development
Welfare
Performance-Related Compensation, Pension Schemes (and Other Benefits)
Health Insurance
Staff Appraisal and Disciplinary Matters
Health and Safety
Labour Relations
Company Vehicles
Chapter 19: Auditing Research and Development
Introduction
System/Function Components of Research and Development
Control Objectives and Risk and Control Issues
Product Development
Project Appraisal and Monitoring
Plant and Equipment
Development Project Management
Legal and Regulatory Issues
Chapter 20: Auditing Security
Introduction
Control Objectives and Risk and Control Issues
Security
Health and Safety
Insurance
Chapter 21: Auditing Environmental Responsibility
Introduction
Environmental Auditing
The Emergence of Environmental Concerns
EMAS—the European Eco-Management and Audit Scheme
Linking Environmental Issues to Corporate Strategy and Securing Benefits
Environmental Assessment and Auditing System Considerations
The Role of Internal Audit
Example Programme
Notes
Part III: Auditing Information Technology
Chapter 22: Auditing Information Technology
Introduction
Introduction to Recognised Standards Related to Information Technology and Related Topics
System/Function Components of Information Technology and Management
Control Objectives and Risk and Control Issues
Note
Chapter 23: IT Strategic Planning
Chapter 24: IT Organisation
Chapter 25: IT Policy Framework
Chapter 26: Information Asset Register
Chapter 27: Capacity Management
Chapter 28: Information Management (IM)
Chapter 29: Records Management (RM)
Chapter 30: Knowledge Management (KM)
Chapter 31: IT Sites and Infrastructure (Including Physical Security)
Chapter 32: Processing Operations
Chapter 33: Back-up and Media Management
Chapter 34: Removable Media
Note
Chapter 35: System and Operating Software (Including Patch Management)
Chapter 36: System Access Control (Logical Security)
Chapter 37: Personal Computers (Including Laptops and PDAs)
Note
Chapter 38: Remote Working
Note
Chapter 39: Email
Notes
Chapter 40: Internet Usage
Note
Chapter 41: Software Maintenance (Including Change Management)
Chapter 42: Networks
Note
Chapter 43: Databases
Chapter 44: Data Protection
Chapter 45: Freedom of Information
Note
Chapter 46: Data Transfer and Sharing (Standards and Protocol)
Chapter 47: Legal Responsibilities
Chapter 48: Facilities Management
Chapter 49: System Development
Chapter 50: Software Selection
Chapter 51: Contingency Planning
Note
Chapter 52: Human Resources Information Security
Chapter 53: Monitoring and Logging
Chapter 54: Information Security Incidents
Notes
Chapter 55: Data Retention and Disposal
Note
Chapter 56: Electronic Data Interchange (EDI)
Chapter 57: Viruses
Note
Chapter 58: User Support
Chapter 59: BACS
Chapter 60: Spreadsheet Design and Good Practice
Note
Chapter 61: IT Health Checks
Chapter 62: IT Accounting
Appendix 1: Index to SAPGs on the Companion Website
Appendix 2: Standard Audit Programme Guides
Use in Relation to “Business Processes”
Appendix 3: International Data Protection Legislation
Appendix 4: International Freedom of Information Legislation
Appendix 5: Information Management Definitions
Appendix 6: IT and Information Management Policies
Note
Bibliography
Index
The Operational Auditing Handbook
This edition first published 2010
© 2010 John Wiley & Sons, Ltd
Registered office
John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, United Kingdom
For details of our global editorial offices, for customer services and for information about how to apply for permission to reuse the copyright material in this book please see our website at www.wiley.com.
The right of the author to be identified as the author of this work has been asserted in accordance with the Copyright, Designs and Patents Act 1988.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by the UK Copyright, Designs and Patents Act 1988, without the prior permission of the publisher.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.
Designations used by companies to distinguish their products are often claimed as trademarks. All brand names and product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective owners. The publisher is not associated with any product or vendor mentioned in this book. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold on the understanding that the publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional should be sought.
Library of Congress Cataloging-in-Publication Data
Chambers, Andrew D.
The operational auditing handbook : auditing business and IT processes / Andrew Chambers, Graham Rand.—2nd ed.
p. cm.
Includes bibliographical references and index.
ISBN 978-0-470-74476-5
1. Management audit. I. Rand, G. V. (Graham V.) II. Title.
HD58.95.C48 2010
658.4’013—dc22
2009054377
A catalogue record for this book is available from the British Library.
Preface
The durability of this Handbook is indicated by the fact that the previous edition, first published in 1997, was in print until this second edition appeared. The Handbook was designed to fill a gap by providing an up-to-date guide to operational auditing, taking a business process approach. The format makes the book friendly as a practical Handbook.
New content for this edition includes in-depth consideration of governance processes, risk management processes and internal control processes. We have radically updated and much extended the content on auditing information technology, and our treatment of international data protection legislation and international freedom of information legislation does, we believe, give thorough and innovative coverage of these important contemporary topics. Indeed, users of this Handbook will find it gives them most of the up-to-date toolkit they need to provide an effective audit service in the field of information technology. Because compliance with s. 404 of the Sarbanes-Oxley Act has resulted in a widely applied approach to assessing the effectiveness of internal control over financial reporting, we have given that attention too. Readers will find more detailed coverage of control self assessment, and we have also included a chapter on assessing the internal audit activity. Where appropriate we have aligned this edition to the latest Standards of The Institute of Internal Auditors and to the pronouncements of other bodies.
The Handbook is intended as a companion for those who design self assessment programmes of business processes to be undertaken by management and staff. Likewise it is a mentor for internal auditors and consultants who conduct audits on behalf of others. We have developed the book to cater for private, public and not-for-profit sectors and to be a basis for designing value-for-money audit approaches. We also believe that external auditors dealing with financial and accounting systems and often engaged in management audits will find the book of value and should have it in their libraries.
At the same time we have had in mind the professional qualification requirements in this subject area of The Institute of Internal Auditors, with the intention that this book will be a suitable standard text. Particularly with the student in mind we have where appropriate supported specific points with cross-referenced notes which appear at the end of each chapter, and there is a comprehensive bibliography.
The book’s timeliness comes partly from the mix of business processes included, and the contemporary treatment given to each. In part it comes from the ways we have attempted to weave in the contemporary approaches and issues of, for instance, business process re-engineering, just-in-time management, downsizing, delayering, empowerment, environment, ethics, control self assessment and IT. In part it is a matter of the risk evaluation techniques which we describe as often being appropriate aids for those who must review and evaluate business processes.
The Handbook aims to raise the consciousness of the underlying issues, risks and objectives for a wide range of operations and activities. In other words, it aims to stimulate creative thought about the business context of operational audit reviews. In practice, it would be an extremely difficult task to define a set of universal panacea approaches to the audit of the various operational areas of any organisation, as the driving motivations and the contexts into which they are set would vary between entities. In adopting a business oriented stance supported by practical examples of the key questions to resolve, we hope that audit creativity will be encouraged rather than stifled by over-prescriptive programmes and routines. Readers will need to take account of their own experiences and the relevant aspects of the cultures prevailing within their organisations, and bring these to bear on the contents of this book, so that a suitably tailored approach to auditing operations emerges.
We have attempted to distinguish between on the one hand approaching audit work according to the way a business is structured, and on the other hand seeking to identify and then assess the natural business processes that step across organisational parts. It is often the latter approach to audit work that has the greatest potential to add value.
We are confident that the “real world” pedigree of this book will make it eminently useful for practising auditors, line managers, consultants, and those who intend to become qualified as operational auditors.
We would appreciate readers’ comments and advice for future editions.
Graham Rand
[email protected]
Mobile: +44 (0)7729 374074
Andrew Chambers
Management Audit LLP
The Water Mill
Moat Lane
Old Bolingbroke
Spilsby
Lincolnshire
PE23 4ES
England
Tel. & fax: +44 (0)1790 763350
Internet tel.: +44 (0)207 099 9355
Internet fax: +44 (0)207 099 3954
Email: [email protected]
Web: www.management-audit.com
Acknowledgements
We thank our many clients and friends who have been the stimulus for much of the content and approach of this book. We are grateful to those who have kindly read through the full manuscript with care, making many useful suggestions which we believe have led to a better book. We have quoted from many sources: in every case we have endeavoured to provide full attribution for the material we have used and to obtain the appropriate permissions. If there has been any oversight on our part we apologise and would like to correct it at our first opportunity.
Andrew Chambers
Graham Rand
Part I:
Understanding Operational Auditing
Chapter 1
Approaches to Operational Auditing
DEFINITIONS OF “OPERATIONAL AUDITING”
Business processes often step across the frontiers between sections within a business, requiring high standards of coordination between different organisational parts. Control is often weaker where coordination is required between sections that are organisationally separate. Internal auditors are likely to be more productive if they focus considerable attention on the points of interface between organisational parts, where coordination is required but is more difficult to achieve than within a single section of the business. Furthermore, internal auditors are likely to be more productive if a significant proportion of the audit engagements they perform are of natural business processes that step across the business’s organisational frontiers. We state this up front because it is so important, and we shall explore this innovative audit approach in detail in Chapter 2 once we have established some fundamentals in this chapter.
The term “operational auditing” conjures up different images for internal auditors. It may be used to mean any of the following:
The audit of operating units such as manufacturing plants, depots, subsidiaries, overseas operating units, and so on. While the audit scope may cover only accounting, financial and administrative controls it may be broadened in scope to cover the administrative and operational controls, risk management and governance processes of the operating unit under review. To impose general scope limitations for internal audit activities is inconsistent with the global Standards of The Institute of Internal Auditors (www.theiia.org).
The audit of how the functional areas of a business (such as sales, marketing, production, distribution, HR, etc.) account for their activities and exercise financial control over them. This meaning of operational auditing acknowledges that the internal auditing activity should review all the operational areas of the business, but specialises too narrowly in the audit of accounting and financial controls. It is likely to imply that the internal auditing activity is representing only the finance director or the chief accountant in providing assurance about accounting and financial control across the business.
The audit of any part of the business (operating unit, functional area, section, department or even business process, etc.) where the audit objective is to review the effectiveness, efficiency and economy with which management is achieving its own objectives. Depending upon how broadly one defines internal control, the approach to operational auditing goes further than a review of detailed internal control procedures since management’s objectives are not achieved merely by adhering to satisfactory systems of internal control.
The classic management writers, Koontz, O’Donnell and Weihrich, endorsed this approach to operational auditing:
An effective tool of managerial control is the internal audit, or, as it is now coming to be called, the operational audit … Although often limited to the auditing of accounts, in its most useful aspect operational auditing involves appraisal of operations generally … Thus operational auditors, in addition to assuring themselves that accounts properly reflect the facts, also appraise policies, procedures, use of authority, quality of management, effectiveness of methods, special problems, and other phases of operations.
There is no persuasive reason why the concept of internal auditing should not be broadened in practice. Perhaps the only limiting factors are the ability of an enterprise to afford so broad an audit, the difficulty of obtaining people who can do a broad type of audit, and the very practical consideration that individuals may not like to be reported upon. While persons responsible for accounts and for the safeguarding of company assets have learned to accept audit, those who are responsible for far more valuable things—the execution of the plans, policies and procedures of a company—have not so readily learned to accept the idea.1
SCOPE
A key issue for a business and its internal audit function to decide upon is whether the scope of internal audit work in an operational area of the business should be restricted to a review of the appropriateness of, and extent of compliance with, key internal controls or should be a more comprehensive review of the operation generally.
The Committee of Sponsoring Organizations (COSO) view of internal control rightly sees one of the three objectives of internal control as being to give “reasonable assurance” of “effectiveness and efficiency of operations”:
Internal control is broadly defined as a process, effected by the entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations.
Reliability of financial reporting.
Compliance with applicable laws and regulations.2
So COSO’s broad view of internal control is that internal control (i.e. management control) is everything that management does in order that there is reasonable assurance the business will achieve all of its objectives. A narrower view of internal control is that it is only one of a number of facets of management—among others being planning, organising, staffing and leading. It is true that these facets overlap and an internal audit which intends to focus more narrowly on key internal controls is likely to need to address planning, organising, staffing and/or leadership issues to some extent, since deficiencies in these may weaken control. But there will be many aspects of planning, organising, staffing and leading which are neutral in their effect on the functioning of key controls but which contribute to providing reasonable assurance of the achievement of efficient and effective operations.
The important issue is whether internal audit may legitimately draw management’s attention to deficiencies in planning, organising, staffing and leading which, while not weakening the design and operation of key controls, nevertheless impede the achievement of objectives more generally. In the past internal audit was often defined as the independent appraisal of the effectiveness of internal control. The Institute of Internal Auditors’ current (2009) definition of internal auditing, subscribed to globally, is that:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.3
So, should an enlightened enterprise restrict internal audit to narrow internal control matters, or should internal audit be encouraged to review and report on any matters which may be unsound? Differing positions are adopted in different enterprises. The middle-of-the-road approach is to encourage internal audit to interpret its mission as being the appraisal of internal control (in all its component parts,4 in all operational areas of the business and at all levels of management). If during the course of audit work, other matters are noted which should be of management concern but do not directly have a control dimension, internal audit should be encouraged to report on them.
Beyond the consideration of the point of focus for audit reviews of operational areas, the audit function will have to define those aspects of the organisation which are to be subject to review. In practice, of course, this will vary considerably between organisations, and will be related directly to the nature of the business and the way the organisation is structured. For example, a multinational pharmaceutical company may have its principal manufacturing bases and research and development activities in only those few countries where the economic and commercial environments are most suitable, whereas sales and marketing operations (of varying scale) may exist in every country where there is a proven market for the products.
Although the focus of operational auditing is likely to be on those activities which are most strongly associated with the main commercial markets of the organisation (for example, production, sales, after sales support, service provision, etc.), it is likely that the supporting or infrastructure operations will also need to be reviewed on the basis that they too contribute to the well-being of the organisation as a whole. At the top level, one possible categorisation of all these areas could be as follows (although this classification will not fit every business or service-provision scenario):
management and administration
financial and accounting
personnel and human relations
procurement
stock and materials handling
production/manufacturing
marketing and sales
after sales support
research and development
information technology
contracting.
This particular top level classification would be appropriate for a large organisation involved in product development, manufacturing and sales activities. A modified model would emerge for an organisation (public or private) associated with providing a service (for example, a public health authority or a roadside vehicle repair service).
Below this level of categorisation, there would be specific or discrete activities or systems, each of which may be the subject of a separate operational audit review. The subsequent chapters of this book will predominantly examine operational areas from this systems/activities orientation. For each of the above classifications there will be a number of discrete functions, systems or activities which may be defined within a particular organisation and be subject to examination by the internal auditors. This breakdown of the organisation into a set of separate audit reviews could be said to form the audit universe of potential audit projects. For example, the top level classifications noted above could be broken into the constituent systems or activities listed below, each of which could be the subject of an audit review. In some cases the noted subjects may readily align with a department within the organisation (i.e. payroll, human resources, purchasing, etc.). Alternatively, the activities may require coordination between a number of departments or functions (for example, the development of a new product may involve, inter alia, the marketing, accounting and research functions). Each organisation will be different and the internal audit function will need to adopt the most suitable definition of their universe of potential review assignments in order to match the prevailing structure and style.
A breakdown of the above top level classification into constituent systems or activities is given below:
Management and administration:
the control environment
organisation (i.e. structure)
management information
planning
risk management
legal department
quality management
estates management and facilities
environmental issues
insurance
security
capital projects
industry regulations and compliance
media, public and external relations
company secretarial department.
Financial and accounting:
treasury
payroll
accounts payable
accounts receivable
general ledger/management accounts
fixed assets (and capital charges)
budgeting and monitoring
bank accounts and banking arrangements
sales tax (i.e. VAT) accounting
taxation
inventories
product/project accounting
petty cash and expenses
financial information and reporting
investments.
Personnel/Human relations:
human resources department (including policies)
recruitment
manpower and succession planning
staff training and development
welfare
pension scheme (and other benefits)
health insurance
staff appraisal and disciplinary matters
health and safety
labour relations
company vehicles.
Procurement (see also Contracting (below)):
purchasing
contracting (NB: this subject may be further broken down into a number of discrete subsystems, such as tendering, controlling interim and final payments, etc.; see below).
Stock and materials handling:
stock control
warehousing and storage
distribution, transport and logistics.
Production/manufacturing:
planning and production control
facilities, plant and equipment
personnel
materials and energy
quality control
safety
environmental issues
law and regulatory compliance
maintenance.
Marketing and sales:
product development
market research
promotion and advertising
pricing and discount policies
sales management
sales performance and monitoring
distribution
relationship with parent company (for overseas or subsidiary operations)
agents
order processing.
After sales support:
warranty arrangements
maintenance and servicing
spare parts and supply.
Research and development:
product development
project appraisal and monitoring
plant and equipment
development project management
legal and regulatory issues.
Information Technology (IT):
Auditing Information Technology
IT Strategic Planning
IT Organisation
IT Policy Framework
Information Asset Register
Capacity Management
Information Management (IM)
Records Management (RM)
Knowledge Management (KM)
IT Sites and Infrastructure (Including Physical Security)
Processing Operations
Back-up and Media Management
Removable Media
System and Operating Software (Including Patch Management)
System Access Control (Logical Security)
Personal Computers (Including Laptops and PDAs)
Remote Working
Email
Internet Usage
Software Maintenance (Including Change Management)
Networks
Databases
Data Protection
Freedom of Information
Data Transfer and Sharing (Standards and Protocol)
Legal Responsibilities
Facilities Management
System Development
Software Selection
Contingency Planning
Human Resources Information Security
Monitoring and Logging
Information Security Incidents
Data Retention and Disposal
Electronic Data Interchange (EDI)
Viruses
User Support
BACS
Spreadsheet Design and Good Practice
IT Health Checks
IT Accounting
Contracting:
the contract management environment
project management framework
project assessment and approval
engaging, monitoring and paying consultants
design
assessing the viability/competence of contractors
maintaining an approved list of contractors
tendering procedures
contract and tendering documentation
insurance and bonding
selection and letting of contracts
management information and reporting
performance monitoring
arrangements for subcontractors and suppliers
materials, plant and project assets
valuing work for interim payments
controlling price fluctuations
monitoring and controlling variations
extensions of time
controlling contractual claims
liquidations and bankruptcies
contractor’s final account
recovery of damages
review of project outturn and performance
maintenance obligations.
Governance, risk management, internal control:
internal governance processes
the board
external governance processes
risk management processes
issues for internal control.
For each of the above constituent activities there is available on the password protected companion website a detailed standard audit programme guide (SAPG) in Word format, which readers can adapt to be more closely applicable to their business activities.5 See Appendix 1 for details. The above list of constituent activities is by no means exhaustive, so we also provide a blank SAPG in Word format for readers to use to develop further business activities.
We also provide in Word format a set of 24 SAPGs relating to some of the activities within financial institutions and a set of 27 applicable to the health sector. The activities covered in these sector-specific sets are:
Sector: Financial institutions
branch security
branch operations
management
treasury dealing
investments—new accounts
investments—account maintenance
investments—account statements
secured personal loans
unsecured loans
commercial lending—new business
commercial lending—account maintenance
cheque accounts
ATM services
credit and debit cards
new mortgage business
mortgage account maintenance
mortgage arrears
mortgage possessions and sales
mortgage mandates
mortgage annual statements
treasury environment
staff accounts
securities.
Sector: Health
purchaser contracting
provider contracting
general practitioner fund holding
charitable funds
use of health centres
private patients
welfare foods
residential accommodation
joint finance
residents’ monies
cashiers
family health service authority
road traffic accidents
nursing homes
trading agencies
insurance products
pharmacy stores
risk management
cash collection—car parks
cash collection—telephones
cash collection—prescriptions
cash collection—shops/restaurants
cash collection—staff meals
cash collection—vending machines
income generation
staff expenses
losses and compensations.
It is unwise to restrict one’s thinking of these systems or activities as either existing or operating in isolation. This is rarely true. Any organisation will be formed from a number of interacting activities with points of interface. For example, in the case of ordering and receiving goods from external suppliers, there needs to be a coordinated flow of accurate information between the purchasing department, the stock warehouse and the accounts payable section. Whereas the control processes operating within a function or department may be well defined and applied, there is the potential for control weaknesses at the point of interface with other related functions. There are alternative ways of dividing up the audit universe of activities within an organisation and Chapter 2 examines such approaches in some detail.
It is important to stress that the listing of possible systems and activities given above is but one example of the way in which an organisation can be defined for audit or review purposes. Not all the items will be appropriate in every organisation. Additionally, although a listed activity may be relevant to a particular scenario, the scale and significance of it will vary between organisations. This matter of degree should be taken into account when the audit function is determining its priorities for planning purposes.
When approaching the review of operational areas of the organisation, it is important that the auditor has an accurate appreciation of the related key issues. If necessary, prior research should be conducted in order to provide the auditor with an acceptable level of understanding. Beyond the auditor’s self-interest in being able to tackle confidently the review project, there is also the matter of the auditor’s credibility in the eyes of operational management. It is interesting to note that The Institute of Internal Auditors’ Standards place even more stress on planning an audit engagement than on performing it, expending twice as many words on the former. Unless the auditor can readily demonstrate a pragmatic awareness of the critical issues and set these against the objectives of senior management for the area under review, any subsequent work and findings may be in danger of not being treated seriously by management due to inaccuracies, misinterpretations and an inappropriate focus. The auditing approach to be adopted during operational reviews needs to be both professional and practical, and these elements will need to be set into the context of the formal auditing procedures. The practical and behavioural aspects of auditing are beyond the scope of this book. However, unless management can be suitably assured that the reviews conducted by internal audit are objective, professional and based upon an accurate understanding of the issues, they may question the worth of such activities to the organisation.
AUDIT APPROACH TO OPERATIONAL AUDITS
Auditors of operations should keep firmly in their mind the objectives of management for the operations being audited. At an early stage in planning the audit engagement, the audit team need to establish what management’s objectives are. If management are unclear as to their objectives, then these objectives must be worked out with management before the audit engagement can proceed. During the planning phase of the audit engagement the audit objectives need to be established. “Audit objectives” are not synonymous with “management’s objectives”, as the audit objectives specify the particular focus that the auditors will have during the audit engagement. Even so, each audit objective must be chosen because it will potentially add value in assisting management to achieve one or more of their objectives. No time should be expended during the audit engagement on issues which are immaterial to the achievement of management’s objectives. Nothing should appear in the audit report of the engagement which is immaterial to the achievement of business objectives by management.
An audit approach which places management’s objectives at its centre6
The group internal audit department of a domestic products multinational company headquartered in London is undertaking an audit engagement of the multinational’s operating unit in Tokyo. At an early point in the planning process of this engagement, the audit team establishes who has oversight responsibility for the Tokyo operating unit. Let us say that this is the production director located in London, to whom the head of the Tokyo operating unit reports.
In a real sense the audit engagement is being conducted for the production director. The production director has a number of direct reports spread across the world, with oversight responsibility for each. The production director needs to know that all is in order within each of these operating units. He or she can go and find out for himself or herself. But the production director will rarely find the time to do so, and would hardly know how to set about doing so effectively. Internal auditing has been defined as doing what management would do if management had the time and knew how to do it. Internal auditors are experts at auditing—which management usually is not. An internal audit function does, of course, have the time to audit. Internal audit looks round corners that management are unable easily to look round for themselves.
At a later stage, the emerging audit findings will be discussed with the head of the Tokyo operating unit, whose responses will be built into the final audit report; the audit report will be addressed to the production director in London who may be regarded as the main client of this particular audit engagement. The report will be copied to the head of the Tokyo operating unit. In this way, the audit findings will be addressed to the level of management that needs to know and that is capable of ensuring appropriate action on audit findings is taken. Should the production director fail to ensure this, the chief audit executive will then need to consider whether the audit results, together with reference to the CAE’s view that insufficient action has been taken upon them, should be communicated to an even higher level.7 However, the CAE may consider that the degree of importance of the audit findings, when matched to the seniority of the production director, means that escalation above the level of the production director is not warranted as it may be legitimate for the production director to decide whether to live with a level of risk identified during the audit engagement.
Meanwhile, early during the planning of the audit engagement, having established that the production director has oversight responsibility for the Tokyo operating unit, the audit team arrange to meet with the production director. Initially the auditors ask the production director to explain:
“What are your objectives for the Tokyo operation?”
As with all information offered to the audit team during the course of the audit engagement, the auditors will consider how they can independently verify the validity of the statement of management’s objectives that the team has been given. If the production director points out to the audit team that he or she has not thought much about the Tokyo operation for a while and cannot immediately recall whether there are any established objectives for Tokyo, then audit findings are already starting to emerge as clearly this is unsatisfactory. Nevertheless, the audit engagement cannot proceed further until the audit team has hammered out with the production director an agreed upon set of objectives for the Tokyo operation.
Next, in effect the audit team asks the production director the following question:
“OK, we are agreed on your objectives for the Tokyo operating unit. What information do you need to be receiving so that you know whether these objectives are being achieved?”
Again, if the production director is uncertain, then further provisional audit findings are starting to emerge—even though this discussion is taking place only during the planning phase of the audit engagement, before the audit team have left London for Tokyo. But planning the engagement cannot proceed further until the audit team has hammered out with the production director an agreement on the nature of the information he or she needs to be in receipt of in order to monitor whether management’s objectives for the Tokyo operation are being achieved.
The next step is for the audit team to ask to see the information the production director is receiving:
“OK, we are agreed on the information you need to get from Tokyo to monitor that management’s objectives for Tokyo are being achieved. Can you show us the information you are receiving about the Tokyo operation, please?”
When the audit team reviews this information they may discover that it is incomplete, unclear, inconsistent or untimely. So, further important provisional audit findings are starting to emerge. Nevertheless, the audit team endeavours to interpret the information so as to determine the most valuable focus for the audit fieldwork in Tokyo—that is, their audit objectives. They will discuss their proposed audit objectives with the production director with the intention of getting his “buy-in” to them. But being an assurance engagement, not the provision of a consulting service, it should be the decision of the chief audit executive what the audit objectives are to be: internal auditors do not subordinate their judgement on professional matters to that of others.8
Having determined the audit objectives for the engagement, the audit team are then able to draw up their audit programme which sets out how they plan to spend their fieldwork time in Tokyo. The approach they will take in Tokyo will include:
confirming the reliability of the management information of importance submitted to the oversight function in London;
undertaking audit fieldwork so as to develop audit recommendations on issues they are already aware of with respect to incompleteness, lack of clarity, inconsistency and untimeliness;
determining whether other significant events are occurring in Tokyo which should be reported to the oversight function.
While this case study describes a slightly novel approach to operational auditing, it does illustrate the importance of being clear about management’s objectives for the operation being audited, and how management’s objectives are woven through the engagement from beginning to end. The case study interprets a classic article which defined internal auditing as:
“Internal auditing is the process of appraising the information flow to the monitoring function of a system for its quality and completeness. It is carried out by checking that the information is both self consistent and mutually consistent and by the irregular generation of test information flows.”
AUDITING FOR THE THREE AND SIX ES
Operational auditors are auditing for the “three Es”—effectiveness, efficiency and economy. They are looking for opportunities for business processes to be done differently so as to improve their effectiveness, efficiency and economy. At the very least they are intending to provide assurance to management and to the board that business processes are effective, efficient and economic. Too often auditors fail to appreciate the distinctiveness between each of these “three Es” with the risk that auditors fail to address all three separately. The COSO definition of internal control, given earlier in this Chapter, fails to highlight ‘Economy’ separately, choosing instead to subsume it within ‘Efficiency’.
Figure 1.1 helpfully shows the distinctions, as well as the relationships, between the three. How economic we are is best considered in terms of the ratio between what we planned to spend on each unit of resource of given quality, and what we actually spent. Every organisation (whether a manufacturing or service entity), and every function or process within an organisation, has conversion processes that turn the actual inputs available into actual outputs. If staff are poorly trained, incompetent, poorly motivated or poorly supervised it will be likely that the ratio of usable outputs to the actual resources input into the conversion process will be unsatisfactory: in other words we do not have an adequately efficient (or smooth) conversion process. It is not just the quality of staff that contributes to efficiency: the design of processes, the quality of technology and so on are other factors. We are effective if our actual outputs correspond to the outputs we planned.
Figure 1.1 presumes that our economy, efficiency and effectiveness are each measured against economy, efficiency and effectiveness targets we set ourselves. If we are insufficiently demanding we may achieve 100% outcomes against the modest targets we set ourselves. Clearly we need ways of avoiding falling into this trap by:
Figure 1.1 The three Es
These three Es can be related to each other as shown in the model in Figure 1.1.
Internal auditors have now added a further “three Es” to their portfolio of matters of audit interest, particularly as a consequence of their role in the audit of governance processes as set out in Standards 2110 to 2110.C1 of The Institute of Internal Auditors:9
Equity—avoidance of discrimination and unfairness; acceptance and promotion of diversity.
Environment—acting in an environmentally responsible way.
Ethics—legal and moral conduct by management and staff.
RESOURCING THE INTERNAL AUDIT OF TECHNICAL ACTIVITIES
Standard 1210 of The Institute of Internal Auditors on “Proficiency” reads:
“Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.”
and Standards 1210.A1 and 1210.C110 respectively read:
“1210.A1—The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement….
“1210.C1—The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.”
Business objectives are achieved through successful processes within the operational areas of the business. The internal audit scope should not be merely to explore how operations are accounted for and administered. Business operations often include elements which are highly technical and which are essential if operational objectives are to be achieved. To audit such operations successfully, the audit team must collectively possess an understanding of those technical activities. While this understanding generally need not be to the level of an expert, it must be sufficient for the audit team to be able to determine whether the governance processes, risk management and internal control give reasonable assurance of the achievement of objectives and, if not, what measures might be introduced to rectify the situation. Beyond that, it is not necessary for the internal auditor to be expert in the technicalities of the operation being audited. Indeed it can be counterproductive and unconvincing for the auditor to try to project an expert image in the technicalities of the operation under review. Operational management are the operational experts. Internal auditors are expert at conducting audits and have general expertise in the principles of governance processes, risk management and internal control.
Where there is an inadequate balance between the technical complexity of the operation to be audited and the available, relevant technical competence of the in-house internal auditors, a number of options are available to the chief audit executive.
One option is to decline to include the operation within the future audit plan, or to approach the engagement with a limited scope so as to skirt round the challenging technical aspects of the operation … Standard 1130 on “Impairment to Independence or Objectivity” requires that …
“If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties …”
and the Interpretation to this Standard makes “scope limitations” one of these impairments. Standard 2020 on “Communication and Approval” requires that the chief audit executive communicate to senior management and to the board the impact of resource limitations.
Another option is to adjust the competencies of the internal audit function so that all the principal technical disciplines which are core to the operations of the business are represented within the audit team. This often requires foresight—long-range planning to adjust the complement of internal auditors to the future needs of the business. Modern internal auditing activities should be multidisciplinary. The bias towards accountancy expertise is largely a consequence of the accountancy profession being one of the few sources of recruits of staff who have been trained in auditing. It is likely that the chief audit executive will favour recruiting internal auditors who are familiar with more than one of the requisite technical areas.
A further option is to buy in, temporarily, the technical expertise to work alongside in-house internal auditors so as to build their competence to perform audits in particular technical areas. Such bought-in expertise may be sourced from outside the organisation or from technical areas within the entity but divorced from the particular operation to be audited. A similar but not identical approach was followed within British Petroleum for the internal audit of plant safety—of refineries, depots, terminals, pipelines and so on.
BP’s approach after the Texas refinery explosion
Non-audit staff, selected by BP’s process safety advisor for the refining business from technical staff who were external to the subject site but were almost always BP employees, were used to undertake these so-called gHSEr audits.11 The role of BP’s Group Internal Audit was to conduct internal reviews of this gHSEr process but generally not to undertake the audit engagements themselves. Following the explosion at BP’s Texas refinery early in 2005, and pipeline spillage at Prudhoe Bay, Alaska at about the same time, BP’s board asked James Baker, previously Secretary of State in George Bush Snr’s Administration and previously an oil industry specialist, to enquire and report to the board. The Baker Panel’s report12 suggested that BP’s approach to resourcing their gHSEr audits had led to an internalised view of how things were done in BP and that third-party reviews by a qualified outside party would offer a different level of assurance. BP’s board accepted the Baker Panel’s suggestion that the Panel be mandated by the board to appoint an external expert to undertake this audit work for at least a five-year period, reporting directly to the board of BP.13, 14
Indeed, sometimes the approach is followed to outsource completely the audit of highly technical areas. IT auditing is often so outsourced. While it is a moot point whether the work done by an outside expert and his or her team (as with the BP example) is to be regarded as internal audit work, The Institute of Internal Auditors’ Standards make it clear that overall responsibility remains with the chief audit executive even when entire parts of internal audit work have been outsourced:
The chief audit executive is responsible for all internal audit engagements, whether performed by or for the internal audit activity, and all significant professional judgements made throughout the engagement. The CAE also adopts suitable means to ensure this responsibility is met. Suitable means include policies and procedures designed to:
minimize the risk that internal auditors or others performing work for the internal audit activity make professional judgements or take other actions that are inconsistent with the CAE’s professional judgement such that the engagement is impacted adversely.
Resolve differences in professional judgement between the CAE and internal audit staff over significant issues relating to the engagement. Such means may include discussion of pertinent facts, further inquiry or research, and documentation and disposition of the differing viewpoints in engagement working papers. In instances of a difference in professional judgement over an ethical issue, suitable means may include referral of the issue to those individuals in the organization having responsibility over ethical matters.
Another approach to obtaining assurance about highly technical activities is to rely, to a greater or lesser extent, on a programme of control self assessment (CSA) by technical management and staff, most probably in the form of CSA workshops facilitated by internal audit. This is different from traditional internal auditing—in particular as it is a less independent, less objective self assessment by management and staff. It has the advantage that it taps into the technical expertise of management and staff active in running the technical operation. Furthermore, these staff are probably already aware of the deficiencies of the operation and will have their own ideas as to how to make rectification going forward. We address control self assessment in Chapter 10.
PRODUCTIVITY AND PERFORMANCE MEASUREMENT SYSTEMS
Overview
Organisations are likely to have in place a number of key performance measures, so as to, among other things, assess the achievement of their objectives and goals, assess their progress, and compare relative performance (for example, over time). The nature and form of such measures will, of course, vary between types of organisation and indeed specific specialised forms of measurement may apply in certain industries or sectors. However, there are a number of general measures of effectiveness, efficiency and economy which usually apply universally and we shall look at some examples later in this chapter.
Measurement methods can be applied in order to identify whether there is any initial potential for improvement, and then subsequently used to monitor that the required levels of performance are maintained. The need to apply effective and realistic performance measurement methods is often generated as a by-product of fundamental change processes where, for example, an organisation is refocusing its strategy and position.
The Audit Implications for Measurement
During the course of a review of an operational area, the auditor is often faced with the need either to set the review findings into an appropriate context, or to indicate the performance of the area under review against the criteria previously established by management.
In most cases, it is preferable to utilise the measurement standards and criteria put in place by management as this results in the auditor using a common and compatible language when communicating results and points of concern. Conversely, if the auditor chooses to use a new, alternative or perhaps radical form of performance measure, this may influence or jeopardise management’s view of the auditor’s findings. This is not to say that auditors should only adopt the prevailing measurement criteria established by management, as there may be a compelling reason for introducing another objective form of performance assessment in some cases. Whatever the form of measurement applied, its use must be founded on both accurate and reliable data and a proven method, otherwise the credibility of internal audit will suffer.
Although it is important to establish a reliable and meaningful vocabulary for the measurement of performance in key operations, auditors must not lose sight of the fact that such measures can only point to potential areas of improvement and do not of themselves offer solutions. Assuming that the conclusions drawn from the review of such criteria are accurate and relative, they can then be used to frame and support audit recommendations and the appropriate corrective action(s).
In their use of performance measurement, auditors should be careful not to supplant management’s use and interpretation of the same criteria. On the one hand, it may be legitimate for an auditor to investigate further the lack of management response to an adverse measurement indicator, but this does not necessarily mean that management has abdicated their basic responsibility for monitoring and control. This underlines a basic truism, in that measurement data is provided for interpretation and unless there is a formal measurement protocol in place, there may be the potential for differing conclusions to be drawn from the same data. This stresses the importance of formally establishing, for the organisation, a performance measurement policy and framework so that all concerned are clear about the nature of the data and how to use it in practice. Additionally, the creation and communication of corporate targets and goals can remove (or at least contain) some of the ambiguity associated with the required level of performance and expected level of associated achievement.
Each operational audit review project will present the auditor with a challenge to identify the most appropriate and meaningful performance measures to utilise, whether or not such criteria are already applied within the organisation.
Example Performance Measures
When establishing performance measures, it is logical to structure them on a hierarchical basis, with the macro level indicators being broken down into more detailed (micro level) measures relating to specific areas or subdivisions of either the operations or the organisation. This should be borne in mind when considering the following example performance measures.15
Workload/Demand Performance Measures
Indicate the volume of output, whether services, products or other, and when linked to measures of input of resources, give useful information on quality or quantity matters.
Examples:
Number of users
Number of units produced
Number of books in a library
Percentage of first class degrees in a university.
Economy Performance Measures
These may highlight waste in the provision of resources indicating that the same resources may be provided more cheaply or that more enterprise may be conducted at the same cost. Examples:
Cost of actual input in comparison with planned input
Cleaning costs per hour worked
Maintenance costs per unit area
Cost of the finance function per 100 staff
Cost of the chief executive’s department per 1000 clients.
Efficiency Performance Measures
These may highlight potential opportunities to convert given resources to end product with less waste. Many performance measures will point to either uneconomic or inefficient practices, or both. It is often not possible to distinguish between one and the other. Examples:
Ratio of actual input to actual output
Breakdown per production day
Accidents at work per 1000 personnel
Degree success in comparison to school examination grades.
Effectiveness Performance Measures
These performance measures focus on how objectives are being achieved—regardless of economy, efficiency or equity (except where the objectives relate specifically to economy, efficiency and equity). Examples:
Actual output in comparison to planned output
Degree success (in a college or university)
Research output per 100 research staff
Ratio of customer complaints to sales.
Equity Performance Measures
These performance measures draw attention to unfairness or potential social irresponsibility in terms of corporate policy and practice.
Examples:
Departmental grant per member of staff
Number of library books per category of user
Proportion of female employees
Proportion of disabled employees.
VALUE FOR MONEY (VFM) AUDITING
Earlier in this chapter we gave the generally accepted definition of internal auditing to which internal auditing Standards require internal auditors to conform. The definition states that internal auditing is designed “to add value and improve an organization’s operations”. So, internal auditors should add value in all of their work. The Institute of Internal Auditors defines “add value” as:
Value is provided by improving opportunities to achieve organizational objectives, identifying operational improvement, and/or reducing risk exposure through both assurance and consulting services.16
A better definition of ‘add value’ would be:
The internal audit activity adds value when the organisation and its stakeholders benefit from the results of internal audit work. Benefit arises when the internal audit activity provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management and control processes.
Value for money auditing is sometimes used in a different context to refer to a style of operational auditing which makes extensive use of key performance indicators to explore the cost of achieving standards of efficiency and effectiveness and whether these costs represent good value.
Value for money auditing takes account of the three Es. It frequently makes extensive use of performance indicators in the form of ratios and other statistics to give an indication of value for money—especially when trends are explored in these performance indicators over time, or variations in performance are identified and explained between different operating units.
The term value for money is often applied to public sector spending in the UK, where there is an implied obligation placed on public bodies to ensure that they obtain and provide services on the most economic grounds. This process invariably involves elements of competition where cost comparisons are made between parties being invited to supply goods and services. For example, many services within UK local government have been put out to tender in order to obtain the “best deal”, and very often this tendering process has also included the internal department or function that had previously been supplying the service.
This striving for procurement on a least cost basis appears to be very logical and to represent common sense, especially where the expenditure of public funds is involved. However, it is equally important to consider whether the potential service provider (or supplier or contractor) can meet the required quality and performance standards as well. Therefore, any consideration of value for money must also take in quality and performance achievement factors, as there may be serious commercial or operational implications if the relevant services/goods are not up to a given standard.
Value for money auditing will involve the assessment of an appropriate range of performance measurement criteria. It could be asked: unless management have clearly established their own basis for measuring and assessing the supply of goods and the provision of services, why did they embark on the process in the first place? In other words, what was their driving motivation in either fulfilling the requirements or seeking alternatives?
In both the management and audit assessment of matters of value for money, the usual approach is to make comparisons with a range of options or possible solutions to the principal problem. These comparisons should be conducted as scientifically and objectively as possible and utilise appropriate measurement means. This part of the process begins with realistically identifying all the practical options and alternatives (perhaps including doing nothing at all).
In a more formal environment (for example, where acquiring new computing facilities) it may be necessary and desirable to go through a detailed feasibility study as part of an overall project appraisal process. This can then incorporate the appropriate cost and performance comparisons which underpin the determination of value for money. In such scenarios, it is important that the auditor is content with the chosen assessment mechanism and measurement criteria so that, taken together, the appropriate reassurance can be derived that the process is sound and accurate. In some instances it may be necessary for the auditors to recommend improvements in these areas to add value to the process, whilst avoiding usurping management’s ultimate responsibility for their system.
Whether or not a formal procedure is in place to determine generally the achievement of value for money, the internal audit function may be required (or indeed obliged) independently to assess such matters on behalf of management. Auditors should always avoid taking on activities which should, in the first place, be the responsibility of management. However, where internal audit has a legitimate role to play, auditors should endeavour to identify all the probable options and the most suitable basis on which they should be measured and assessed in value terms.
In order to avoid any potential problems at the conclusion of their assessment, auditors should consider discussing their proposed assessment and measurement criteria with management at the outset and, furthermore, obtaining the agreement of management on the applied methodology. In certain sectors and industries, recognised criteria may already exist, and so it may not be necessary for auditors to develop their own process.
BENCHMARKING
