audit approaches Speed of Change Model

why have a model? Easy way to describe a set of audit processes Guides the choice of audit process - based on velocity of change Velocity of change is an aspect of risk

basics Transactional “Assume output expectations are entirely correct”. Risk assessment done at audit selection Substantive Operational “Assume output expectations are mostly correct”. Risk assessment needed to identify which output expectations to test. Substantive Operational “Assume objectives are mostly correct”. Risk assessment done to validate objectives. Functional Strategic “Assume nothing is correct at the start”. Risk assessment done to validate objectives. Functional COMPLIANCE OUTPUT PROCESS DEVELOPMENT

process steps Define specific tolerances Test broad sample Tell Mgt. those things outside of tolerance Define expectations Test small sample -or- Observe in action Use issues which don’t meet expectation to suggest changes and inquire further Recommend fixes Define process objectives Sketch out process & identify control points Test enough to see if control points are effective Recommend process changes Recommend dashboard indicators Define process & development objectives Evaluate planned processes & development for control points Suggest processes COMPLIANCE OUTPUT PROCESS DEVELOPMENT

preparation & fact gathering amount of time devoted to understanding the environment COMPLIANCE OUTPUT PROCESS DEVELOPMENT

what do we learn? Specific degree of compliance with tolerances. Limited information suggesting cause. Whether most of process is operating as it should. Weaknesses in existing processes. Future audits Some information regarding cause Whether process will have weaknesses built in. Whether development will occur efficiently Whether Mgt. has tools to self-analyze processes. Cause tends to be indefinable Whether processes are designed to generate acceptable results. Whether process is the most efficient Whether Mgt would know if results stopped being acceptable Cause is clear COMPLIANCE OUTPUT PROCESS DEVELOPMENT

importance of cause Low Medium High COMPLIANCE OUTPUT PROCESS DEVELOPMENT

what does it take to work? Detailed Audit Programs & checklists Less experienced auditors Detailed tolerance levels Good Audit Programs with key risk areas well defined Analytical auditors with some business acumen Defined expectations A methodology for defining critical process steps and control points Auditors with high business acumen who can assist management Defined control objectives A methodology for outlining objectives and reviewing processes. Very experienced professionals Control Objectives and Achievement indicators COMPLIANCE OUTPUT PROCESS DEVELOPMENT

outputs? Identification of occurrences out of tolerance Transactional issue listings Report is an Advisory or “issues report” Indicators of larger process issues Some process improvement suggestions Detailed Mgt. comments Report is an “issues report” Comfort that process should produce in control Comfort that Mgt. would know if it stopped. Broader Mgt. comments. Report is “issues report” or in SWOT form. Opportunity to prevent weaknesses Better educated business group Report is in SWOT or Controls Memo format. COMPLIANCE OUTPUT PROCESS DEVELOPMENT

audit program? Detailed prescribed tests 1st- Agree expectations with Mgt. 2nd- Obtain evidence of output 3rd- Test output against expectations 4th- Inquire into areas which have inconsistent output 1st- Agree control objectives with Mgt. 2nd- Find out how process works 3rd- Sketch control points 4th- Determine whether points are most effective means of achieving objectives 5th- Test to verify control points 1st- Agree control objectives with Mgt. for both the process & development 2nd- Find out how process will work 3rd- Sketch control points 4th- Determine whether points are most effective means of achieving objectives Include counseling, facilitating, & teaching COMPLIANCE OUTPUT PROCESS DEVELOPMENT

qualities of audit program level of detail testing depth of risk analysis during the audit COMPLIANCE OUTPUT PROCESS DEVELOPMENT

so what now... Decide the type Stay focused based on it Reassess frequently based on the risks you are encountering Different audits require a different approach - need to get comfortable with all of them Speed of Change Model