A Step By Step Guide - Ebook Publishing / Self-Publishing ... Step By Step Guide: ... facilatating risk assesment workshops as ... learning from this guide, ...

Download A Step By Step Guide - Ebook Publishing / Self-Publishing ...  Step By Step Guide: ... facilatating risk assesment workshops as ... learning from this guide, ...

Post on 11-Feb-2018

213 views

Category:

Documents

1 download

Embed Size (px)

TRANSCRIPT

  • A Step By Step Guide:How to Perform Risk Based

    Internal Auditing for Internal Audit Beginners

    byRAZLY ZAKARIA

  • Copyright 2014 RAZLY ZAKARIA,All rights reserved.

    Published in eBook format by eBookIt.comhttp://www.eBookIt.com

    ISBN-13: 978-1-4566-2165-0

    No part of this book may be reproduced in any form or by any electronic or mechanical means including information storage and retrieval systems, without permission in writing from the author. The only exception is by a reviewer, who may quote short excerpts in a review.

    http://www.eBookIt.comhttp://www.eBookIt.com

  • TABLE OF CONTENTS

    ABOUT THE AUTHOR

    PREFACE

    STEP 1: BUSINESS & PROCESS UNDERSTANDINGIntroduction How to Understand Auditees Business/ Process?

    STEP 2: RISK ASSESSMENTIntroduction How to Perform Risk Assessment? RISK ASSESSMENT TEMPLATE

    STEP 3: AUDIT PERFORMANCEIntroduction I. Setting up of the Engagement File II. Development of Internal Audit Program III. Preparation of Information Request List IV. Team Briefing V. Kick-off Meeting VI. Business Process Analysis (BPA) VII. Audit Testing VIII. Compliance to Laws & Regulations IX. Internal Audit Analysis And/ Or Benchmarking X. Documenting Working Papers XI. Exit Meeting

    STEP 4: PREPARING INTERNAL AUDIT REPORTIntroduction Content of Internal Audit Report Issuance of Draft Report Finalisation of Internal Audit Report

    STEP 5: FOLLOW-UP AUDITIntroduction How to perform follow-up audit

    SUMMARYPre Fieldwork During Fieldwork Post Fieldwork

  • ABOUT THE AUTHOR

    Razly Zakaria is actively involved in the provision of internal audit outsourcing services. He is also active in conducting risk awareness trainings, facilatating risk assesment workshops as well as handling many projects with regards to the establishment of enterprise risk management framework for public listed companies and government agencies. He has been leading many major assignments in Malaysia, Thailand, Singapore and Bahrain.

    Razlys certifications & professional memberships include the followings: Association of Chartered Certified Accountants, UK (ACCA) Certified Internal Auditor, USA (CIA) Certification in Risk Management Assurance, USA (CRMA) Malaysian Institute of Accountants (MIA) Chartered Member of Institute of Internal Auditors Malaysia (CMIIA) He gained commercial & consulting experience during his employment with few public listed companies and private entities as well as international audit firms namely KPMG, BDO & Grant Thornton, before heading an Internal Audit & Risk Management Department in a utility company.

    He is currently the Managing Director of a training company and a shareholder and Executive Director of a reputable consulting company, providing business advisory services which include Business Valuations, Financial Due Diligence for Mergers & Acquisitions, Enterprise Risk Management, Internal Audit Outsourcing and Governance Review.

    During his employment with commercial organisations, he has been exposed to Corporate Planning, Securities Market Operations, Financial Management, Office Administration as well as Investment Analysis.

    Besides commercial experience, he was exposed to consulting activities while serving the above-mentioned international audit & consulting firms. He has been involved in Corporate Recovery & Insolvencies, Internal Audit, Investigative Audit, Enterprise Risk Management, Development of SOPP, Financial Due Diligence and Business Valuation assignments covering private and public entities in various industries namely construction, property/ hotel management, utilities, manufacturing, plantation, heavy engineering, trading, food & beverages, transportation & logistics, investment holding and government-linked corporations.

  • PREFACE

    I started my journey as an internal auditor in a big 4 international accounting firm. My very first assignment started on my second day at the firm. I was assigned to perform risk-based audit on Procurement, Finance and Strategic Management Departments. I was totally lost and the only reference that I had were working files from the previous audit which actually covering different processes.

    I was flipping through the previous working files when my superior told me, In 15 minutes, we are going to see the Head of Procurement Department, get your Information Request List ready.. I was never involved in auditing before, I was doing accounting, costing, administration and corporate planning in my previous employments. I remembered I scribbled few basic documents that I know and passed it to the Vice President of Procurement Department. Definitely I got tonnes of review points when my Manager review my working papers, because it is far from complete.

    I took my own effort to go through the so called advanced and the best methodology in the firms database. If I look at the methodology now, yes, I would say that the methodology is good and comprehensive. But at that time, as a beginner, of course I would say that it is too complicated. I need to start my assignment immediately, so I need something simple and easy-to-follow as a guide to start my assignment. I dont have a simple step by step guide which can assist me to immediately audit a process or a department. So, I have to struggle to complete my assignment and learnt through the hard ways.

    Based on my past experience, I started drafting a simple step by step guide when I became Head of Internal Audit & Risk Management Services in one of a medium-sized consulting firm. This has been done in view to give a simple and understandable guide to my Internal Audit staff so that they can start to perform their job immediately at an acceptable standard.

    This e-book is developed to serve the same purpose, to provide beginners in internal audit profession with a step by step guide to effectively carried out their risk-based audit without going through the hard ways as I did before.

    I have developed 5 simple and easy-to-understand steps for readers to learn. By reading and learning from this guide, readers would be able not only to understand the internal audit process, but to deliver a better quality works from what would be expected from beginners.

    SO, KEEP READING THE BOOK AND.ALL THE BEST!

    Special thanks to my mother, wife and daughter, for being very supportive in whatever move that I made and for being there with me in all situations and challenges. I may not be what I am today without your support and patience. To my mother, my wife and my daughter.youre my strength, youre my motivation. THANK YOU!

  • STEP 1:BUSINESS & PROCESS

    UNDERSTANDING

  • STEP 1: BUSINESS & PROCESS UNDERSTANDINGIntroduction

    When you are given a task or an assignment, before you start doing anything, you MUST understand the nature of the business as well as processes that you are required to audit.

    I always stressed to my team, please do your RESEARCH & READING! Why I include the word READING?! Because some people are very good in doing research, but they keep the research materials in their working file without reading and understanding the research materials.

    This RESEARCH & READING step is what distinguished internal auditors from other professionals. Internal Auditors are forced to read and understand multiple business processes in multiple industries in a limited time frame. That requires your focus and commitment but it is worth it considering your bright future.

    WHY should I do this? Is it necessary?

    Some internal auditors did not perform this step, but GOOD internal auditors definitely would consider this step as necessary. This process gives you an overall understanding of the business and organisation structure. This process would be helpful as it creates the following advantages:

    Understanding of environmental factors and business process

    Information obtained through this step would assist you to perform a more complete and relevant risk assessment and process analysis (this will be discussed in detail in Step 2: Risk Assessment Process).

    Enhance communication with auditee

    It helps you to communicate well with your auditee. Remember, as an internal auditor, it is a norms to deal with head of departments and senior people within the organisation. Internal Auditors are no longer Compliance Officer who just tick and complete the checklist. We are a consultant. Therefore, basic knowledge on the organisation, the industry and current issues with regards to their business is important to illustrate that we are knowledgeable and fit to advise them. This would enhance the co-operation level of your auditee. FIRST IMPRESSION COUNTS!

    Practical solutions & recommendation

    One of the challenge to come out with an internal audit report which is considered as a good report, is to include a practical and suitable recommendation which not only to resolve the problem, but to effectively resolve the problem using the recommendation that suits your company/ clients business nature, financial ability as well as organisational culture and behaviour.

    SO what to do? Where shall I start?

  • How to Understand Auditees Business/ Process?

    Business Understanding

    At this stage, there is no particular focus area to stress on, unless you are focussing on certain specific issue under any ad-hoc or special assignment. Otherwise, it should be a general understanding process of your company/ clients business and organisation structure. You may consider the following areas of understanding:

    What is their business? What products they are selling or what type of services are they offering? Who are their customers? Their target group or market segmentation?Who are their competitors?Who are their suppliers?How large is their organisation? How many people do they have?Who is managing the organisation? How they structure the organisation? How many departments do they have?Where the company is heading? What does it want to achieve?The industry outlook of the auditee (if available). What would be current or future challenges to the industry?How much was their annual revenue for the previous year? Is it a profitable business? Any current issues/ latest news with regards to the organisation and/or its industry.

    Process Understanding

    Opposite to the business understanding step above where you only have to understand the overview of the business, this step requires you to study in-depth and really understand about the targeted processes. Targeted processes or auditable processes are the processes that you have plan to audit during the visit. The example of processes may be procurement process, manufacturing process, project management process or human resource management.

    It is COMPULSORY for you to understand specific processes that you are going to audit. This is an important step that will affect your overall internal audit job from planning up to reporting. I would like to stress again here the importance of RESEARCH & READING!

    Before you even meet your client and ask for any documents such as Standard Operating Procedures or Operational Manual, you need to be very clear on what you are going to audit. The following questions need to be addressed:

    What are the normal process flow? What are the policies normally established? What are the risks normally involved? Is there any legislation governing particular area that you are going to audit? What are best practices practiced in other organisations? What are current issues with regards to that particular processes?

    SO, where can you get all the above-mentioned information?

  • Documents Gathering Process

    To address the questions mentioned above, you may want to obtain the following documents:

    Relevant Documents HOW to Obtain the Documents

    Understanding of business and environmentsUnderstanding of business and environmentsAnnual Report of the company. This d o c u m e n t p r o v i d e s g o o d b a s i c information on business activities of that particular company

    I. Browsing through the companys website,II. Off icial request from the Companys

    Documents Controller or other similar function of your company/ client (steps to prepare Information Request List is discussed in detail in Step 3: Audit Performance);

    III. Local bourse website, if your company/ client is a public listed company;

    IV. Research through business information database such as Bloomberg, Reuters etc. (if you have access to the databases);

    V. Research through the search engine to identify any issues or recent news with regards to your company/ client; AND/OR

    VI. Magazines or newspapers.

    Business & Marketing Plan of the company. This document enable auditors to clearly understand the vision, mission, objectives and future plan of your company/ client.

    I. Browsing through the companys website,II. Off icial request from the Companys

    Documents Controller or other similar function of your company/ client (steps to prepare Information Request List is discussed in detail in Step 3: Audit Performance);

    III. Local bourse website, if your company/ client is a public listed company;

    IV. Research through business information database such as Bloomberg, Reuters etc. (if you have access to the databases);

    V. Research through the search engine to identify any issues or recent news with regards to your company/ client; AND/OR

    VI. Magazines or newspapers.

    Brochures, company profile, prospectus or any other similar documents.

    I. Browsing through the companys website,II. Off icial request from the Companys

    Documents Controller or other similar function of your company/ client (steps to prepare Information Request List is discussed in detail in Step 3: Audit Performance);

    III. Local bourse website, if your company/ client is a public listed company;

    IV. Research through business information database such as Bloomberg, Reuters etc. (if you have access to the databases);

    V. Research through the search engine to identify any issues or recent news with regards to your company/ client; AND/OR

    VI. Magazines or newspapers.

    Companys organisation chart.

    I. Browsing through the companys website,II. Off icial request from the Companys

    Documents Controller or other similar function of your company/ client (steps to prepare Information Request List is discussed in detail in Step 3: Audit Performance);

    III. Local bourse website, if your company/ client is a public listed company;

    IV. Research through business information database such as Bloomberg, Reuters etc. (if you have access to the databases);

    V. Research through the search engine to identify any issues or recent news with regards to your company/ client; AND/OR

    VI. Magazines or newspapers.Write-up or analysis on the company with regards to its performance and future outlook (if any).

    I. Browsing through the companys website,II. Off icial request from the Companys

    Documents Controller or other similar function of your company/ client (steps to prepare Information Request List is discussed in detail in Step 3: Audit Performance);

    III. Local bourse website, if your company/ client is a public listed company;

    IV. Research through business...