The Osterio Group

SUPPORT CENTER
Q&A 4th Qtr 1999

DATE:    12/14/99

QUESTION:  We have a small audit group and our manager wants us to focus on Governance issues. Can we drop to the Management or Performance levels in order to test any hypothesis we form about Governance issues?

ANSWER:  I don’t think you have a choice. To obtain the evidence to the standard of proof necessary to test your Governance level hypotheses, you will probably need to perform all kinds of tests at all levels.


DATE:    12/14/99

QUESTION:  Can I do an audit of our business processes without an IT auditor on the team?

ANSWER:  This depends on how much technology is used in the specific process. If the process is very manual in nature, you can. However, processes consist of things which people, computers and machines do to accomplish specific business objectives. If the process is very computerized, you will need access to an IT subject matter expert who understands the technology issues involved in the specific process. This does not mean, however, that you need an "IT auditor". You just need access to the specific IT subject matter expertise, maybe only on a temporary basis.


DATE:    12/14/99

QUESTION:  Does an interview note suffice as competent and sufficient evidential matter?

ANSWER:  I can’t answer this question without more detail. It would depend on your Team Success Objectives, the political environment in which you are working and the nature of your audit.

If, for example, a team member interviews a manager concerning the status of a particular issue, that manager’s response, properly documented in interview note format, would probably not, by itself, be competent and sufficient evidential matter. The team would need to perform additional testing to confirm that the situation portrayed by the manager was indeed correct.

However, if a specific questionnaire is asked of ten key people and they all respond exactly the same, then the properly documented interview notes would probably constitute competent and sufficient evidential matter but may not provide the evidence which you need for your customer to accept your recommendations.


DATE:    12/14/99

QUESTION:  Can I have a TSO which simply states that a "customer will accept our recommendations"? How much more detail is required?

ANSWER:  No. What recommendations? To go to lunch? The combination of the Value TSO, the Timing TSO and the Cost TSO must define the scope of the audit. The above statement does not commit the team to deliver anything of any value and fails to define the scope of information.

Whenever we see this statement, the audit team always flounders since they do not know what they are trying to accomplish. They will also focus on the issues which they feel comfortable with and avoid the tough issues which are critical to the success of their audit customer. Our experience is that value TSOs written as above almost always end up with the team inappropriately treating middle management as the audit customer.


DATE:    10/12/99

QUESTION: We have realized, in the midst of an RBIA audit, that we don’t have the skills to audit what we started out to audit. Should we stop and get the skills? Would the new skills then be held accountable for the TSOs? What if this change causes us to fail our TSOs?

ANSWER: Yes. You cannot audit what you don’t understand. Credibility is very important. If the skills you need are in your audit department, it is reasonable to hold them to the same TSOs as the other team members. If you are contracting in outside subject matter expertise, you need to make it very clear to the SME that the TSOs represent internal audit’s performance contract with the company and that they are required to do whatever they can to help the team meet those deadlines of value, time and cost.

If bringing a new SME onto the team causes the team to fail the TSOs, I strongly suggest that you focus on the lessons learned. Why did you fail? What happened that caused you to miss the need for the additional SME up front? What should you do to make sure that it doesn’t happen again?


DATE:    10/12/99

QUESTION: I attended an RBIA seminar recently and I am coming across a whole range of implementation problems that you did not address in the seminar. How can I get some help with these implementation issues?

ANSWER: The RBIA training session is not designed to help you implement RBIA. It is designed to show participants how to apply RBIA in their teams to audits. The RBIA implementation process in a company involves a lot of work. I suggest that you refer to our "Implementing RBIA" guide. It will give you a lot of ideas to help you implement RBIA.


DATE:    10/11/99

QUESTION: Can you implement RBIA in a department without the support of the audit department director?

ANSWER: Sorry, no. RBIA changes the way you do internal auditing and eliminates many traditional audit practices that do not add value. If you do not have the support of the top person in the audit department, you will fail.

Having said that, there are many value-increasing components of RBIA that you may be able to adopt in your audit work. However, you will not get the full value and productivity results without the support of the head of the audit department.


DATE:    10/11/99

QUESTION: How many risks should we address in each audit?

ANSWER: The following guidelines may help:

Make sure that you do not end up with an audit that is bigger than 200 - 300 hours. Group like risks together and treat each grouping of risks as a separate audit. This will make it easier to schedule the subject matter expertise needed to address the particular risks.

 

 

 

RBIA™ and PGRM™ Osterio, Inc. All rights reserved worldwide.

Updated: February 2, 2007