Evaluate management policies
Evaluate controls effectiveness
Evaluate organisational efficiency
The critical first step is to validate that the policies, procedures, and other controls defined by management are relevant and adequate for the company. There is no point in assessing a control system that is not relevant to your environment and operating model. Unfortunately, we have seen a lot of companies that do not have ‘adequate’ policies or procedures to govern their operations. The main risk, however, is not the absence of those policies and procedures but the likelihood that they are not kept up to date to account for changes in the business structure. We have seen many instances where policies were issued more than 10 years ago without any periodic reviews. A periodic assessment should be performed to ensure that each policy continuously fits the operating landscape, covering strategic transactions (mergers and separations), re-organization of structures (business segments, shared service centers, outsourcing), management transformations (approvers, segregation of duties), technology landscape (ERP, applications, etc.), and the level of risk appetite (periodicity of controls, limits and levels, etc.).
Once the policies and procedures have been assessed as relevant, the next step is to ensure that the workforce is performing their tasks in compliance with the control expectations. Effectiveness is the degree to which a task is done in accordance with the expectation. This is the most traditional contribution of an auditor: validating and testing transactions against a set of rules. Sample testing is the most commonly used method, but the emergence of data analytics technology offers the possibility to widen the scope of reviews and the strength of the assurance services. Instead of testing a sample, auditors can now test the full population of data and implement continuous auditing controls. Possible issues to be found are transactions that are carried out without the proper authorization, the lack of controls and oversight on the way work is being done, or the improper use of company assets and funds.
When assured that policies are relevant and respected by the workforce, auditors start looking for efficiency gains. From their transversal perspective, auditors have a unique opportunity and mandate to look at where and how work is done throughout the organization. Audit techniques such as interviews, data analytics, work shadowing, and walkthroughs offer unique opportunities to identify improvement measures such as standardization and simplification of work processes, the clarification of roles and organizational structures, the automation of repetitive tasks, or the parametrization of business information systems.