This week, I was asked for advice on auditing an area that was new to the auditor and had a number of complex operations. While it happened to be of the Investments function, my answer should work for pretty much any business function. It is based on the premise that the objective of the audit is to provide assurance related to the more significant business risks; in other words, this was not an audit of operational efficiency, etc.
This is what I advised:
I would start with a traditional top-down risk and controls matrix.
What are the business objectives and strategies?
What are the more significant risks to achieving them?
Of those, which shall I audit? I will make that decision by looking at both the inherent and residual risk levels. Together they tell me whether the risks are currently being managed effectively (the residual risk level, assuming the controls are designed and operating as intended) and what the impact could be if the controls failed (the inherent risk, also known as the potential exposure).
What are the key controls to managing those risks within organizational tolerances? Consider all forms of control at all levels, including entity-level and IT general controls.
What is my plan for auditing those controls? Do I address them in a single audit, perhaps with a team of IT and operational auditors, or do I rely on multiple audits (e.g., separate audits of hiring processes, ethics policies, investment department activities, finance activities — such as account reconciliations — and IT) and pull the results together?
I then advised the auditor to have a look at the IIA’s GAIT-R methodology. While it is in the Technology section of the IIA’s guidance, it is really about taking an integrated approach to defining the controls to be included in an audit of a business risk.
Do you agree with this advice for an assurance engagement?