How to Survive an Audit
Steve Shofner, CISA, CGEIT Moss Adams LLP
Professional Techniques – T22
Objectives
• Understand why we audit
• Understanding the Audit Process & Goals
• Preparing for an Audit
• Understanding Audit Teams
• Supporting the audit
• Addressing any findings
UNDERSTANDING WHY WE AUDIT
Management Cycle (cycle diagram)
Evaluate Process → Identify Risks / Weaknesses → Brainstorm & Evaluate Solutions → Implement Solution
(Diagram label: “Where Audits Can Help”)
Types of Audits
• External Audit Examples:
  – Financial Statement and/or SOX
  – Regulatory / Special Examinations
• Internal Audit Examples:
  – Operational Efficiency
  – Compliance (SOX, PCI, HIPAA, etc.)
UNDERSTAND THE AUDIT PROCESS AND GOALS
The Goal Of Audits
• To confirm the good policies, procedures, controls, and related practices in place
• Audits generally look for three things:
  1. Policies and procedures are formally documented and address related risks
  2. The organization is complying with the documented policies and procedures
  3. Management is monitoring to ensure the organization is complying with the documented policies and procedures
Audit Process
• Understand the process
• Design testing
• Perform testing
• Communicate results
• Follow-up test remediations (optional)
Understanding the Process
• Review documentation
  – Policies
  – Procedures
  – Standards
  – Other
• Interview key staff
• Perform “Walkthroughs”
• Assess the design of controls
Design & Perform Testing
• Request a population
• Select a sample
  – Automated Controls = 1
  – Partially-Automated / Manual Controls = ‘More Than 1’
  – Note: Statistical vs. discovery sampling
• Check attributes
Communicate Results
• Document and communicate results
  – Observation: Just the facts
  – Implication / Business Risk: Why management cares
  – Recommendation: Not a requirement…a recommendation
• You have input
PREPARING FOR THE AUDIT
Designing Controls
• Consider the four types of evidence (listed from stronger to weaker evidence):
  – Reperformance (stronger evidence)
  – Examination
  – Observation
  – Inquiry (weaker evidence)
Designing Controls
• Inquiry alone is not enough
• Documentation is important
  – Consistency is key
• Make attributes obvious in documentation
• Group key attributes together if possible
• Consider how easy or difficult it will be to pull documentation
UNDERSTANDING AUDIT TEAMS
A ‘Typical’ Audit Team
• Independent Review Partner
• Client Relationship Partner
• Engagement Partner
• Sr. Manager
• Manager
• Senior
• Staff / Associate
(Slide annotation spanning several of these roles: “Often the same person”)
SUPPORTING THE AUDIT
Audit Phases (Project Mgmt)
• Planning
  – Scope / Timing / Logistics
• Gathering initial documentation
  – Policies, procedures, standards, etc.
  – Populations for testing
• Fieldwork
• Exit meeting (initial findings)
• Reporting
Planning
• Scope and objectives
  – Agree key controls are appropriate for risk
• Agree on timing and key individuals
  – Major projects
  – PTO / Vacation / Holidays
  – Work cycles (period close, major project deadlines)
• Prepare team
Fieldwork (Testing)
• Providing Information
  – You can question whether the requested info supports the key controls tested
    • If it does, you must provide
    • If it doesn’t and the auditors persist, move up the auditor’s hierarchy
  – Applies to documentation and interviews
Fieldwork (Testing)
• Offer enough info…but not too much
Exit Meeting
• Should cover:
  – Preliminary findings
  – Open items
    • Responsibilities
    • Timing
  – Set timeline to conclude and receive report
ADDRESSING ANY FINDINGS
Report
• Four Sections
  – Observation: Agree on the facts. No interpretation…yet
  – Implication / Business Risk: Now the interpretation. Can be adjusted, as agreed
  – Recommendation: Can be adjusted, as agreed. Must address the related risk
  – Management’s Response: Should focus on owner, action plan, and timing
TIPS
Tips For Success
• Design Layers of Controls: Prevent, detect, and correct
• Audit Yourself: Don’t wait for the audit
  – Ongoing throughout year
• Conduct a Pre-Audit: …or have one performed
Summary
• Be Prepared: Document controls consistently over time, and evaluate your own controls first
• Be Relaxed: Auditors are not looking for issues
• Be Helpful: Provide information needed, but not too much
• Be Engaged: Help the audit help your organization with your involvement
Questions?
Steve Shofner, CISA, CGEIT
Manager, Moss Adams LLP
[email protected]
415-677-8263
www.mossadams.com