Audit scope: Difference between revisions

From CEOpedia | Management online
(The LinkTitles extension automatically added links to existing pages (<a target="_blank" rel="noreferrer noopener" class="external free" href="https://github.com/bovender/LinkTitles">https://github.com/bovender/LinkTitles</a>).)
m (Text cleaning)
 
(5 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{infobox4
|list1=
<ul>
<li>[[Business risk management]]</li>
<li>[[Operational control]]</li>
<li>[[Risk management process]]</li>
<li>[[ISO 9004]]</li>
<li>[[Workplace safety]]</li>
<li>[[Process analysis]]</li>
<li>[[Operational impact]]</li>
<li>[[Control plan]]</li>
<li>[[Information security management system]]</li>
</ul>
}}
'''[[Audit]] scope''' defines the coverage and the extend of testing activities of an assurance review. The scope of an audit should be sufficient to satisfy the objectives of the engagement (audit). The Institute of Internal Auditors (IIA) established a framework of key Internal Audit Scope Standards to provide guidance for setting appropriate audit scope objectives. The five key objectives include the following items:
'''[[Audit]] scope''' defines the coverage and the extend of testing activities of an assurance review. The scope of an audit should be sufficient to satisfy the objectives of the engagement (audit). The Institute of Internal Auditors (IIA) established a framework of key Internal Audit Scope Standards to provide guidance for setting appropriate audit scope objectives. The five key objectives include the following items:
# “Review the [[reliability]] and integrity of operating and financial [[information]] and how it is identified, measured, classified, and reported.
# "Review the [[reliability]] and integrity of operating and financial [[information]] and how it is identified, measured, classified, and reported.


2. Determine whether the systems designed to comply with operating and reporting policies, plans, procedures, laws, and regulations are actually being followed.
2. Determine whether the systems designed to comply with operating and reporting policies, plans, procedures, laws, and regulations are actually being followed.
Line 25: Line 8:
4. Examine [[company]] resources to determine how effectively and efficiently they are utilized.
4. Examine [[company]] resources to determine how effectively and efficiently they are utilized.


5. Review company operations and programs to determine whether they are being carried out as planned and whether they are meeting their objectives”<ref>Romney, M. B., Steinbart, P. J. (2003)</ref>.
5. Review company operations and programs to determine whether they are being carried out as planned and whether they are meeting their objectives"<ref>Romney, M. B., Steinbart, P. J. (2003)</ref>.


The IIA Chicago Chapter argues that audit scopes should also include [[strategic issues]]. Research shows that much of financial reporting problems stem from strategic issues<ref> Bariff, M. (2003)</ref>.
The IIA Chicago Chapter argues that audit scopes should also include [[strategic issues]]. Research shows that much of financial reporting problems stem from strategic issues<ref> Bariff, M. (2003)</ref>.


==Audit planning phase==
==Audit planning phase==
Determination of audit scope is part of the [[planning]] phase in the audit [[process]]. There are four audit process stages: audit planning, collection of [[audit evidence]], [[evaluation]] of audit evidence, and [[communication]] of audit results. The purpose of the planning phase is to establish the scope and objectives, organize audit team, develop the [[knowledge]] of business operations, review prior audit results, identify [[risk]] factors, and prepare audit program<ref>Romney, M. B., Steinbart, P. J. (2003)</ref>.
Determination of audit scope is part of the [[planning]] phase in the audit [[process]]. There are four audit process stages: audit planning, collection of [[audit evidence]], [[evaluation]] of audit evidence, and [[communication]] of audit results. The purpose of the planning phase is to establish the scope and objectives, organize audit team, develop the [[knowledge]] of business operations, review prior audit results, identify [[risk]] factors, and prepare audit program<ref>Romney, M. B., Steinbart, P. J. (2003)</ref>.


==Risk-based approach to audit scopes==
==Risk-based approach to audit scopes==
Audit scopes are typically based on a risk assessment that focuses on key risk areas or uncertainties related to the activity that is reviewed. Risk is measured in terms of the likelihood of occurrence of adverse outcomes arising from the subject activity ([[inherent risk]]). Risk is mitigated by the existence of internal controls (mitigating factors). The level of [[residual risk]] (the difference between inherent risk and mitigating factors) drives audit requirements. Higher risk areas receive more frequent or more comprehensive reviews (higher extend of testing). A risk-based audit approach steers the audit process in a way that maximizes the benefit of assurance [[work]] by ensuring resources are allocated to the highest risks confronting the [[organization]]. This approach is aimed to improve the effectiveness and [[efficiency]] of audits, as it ensures that key risks are addressed with an optimal usage of audit resources<ref>Spencer Pickett, K. H. (2006)</ref>.
Audit scopes are typically based on a risk assessment that focuses on key risk areas or uncertainties related to the activity that is reviewed. Risk is measured in terms of the likelihood of occurrence of adverse outcomes arising from the subject activity ([[inherent risk]]). Risk is mitigated by the existence of internal controls (mitigating factors). The level of [[residual risk]] (the difference between inherent risk and mitigating factors) drives audit requirements. Higher risk areas receive more frequent or more comprehensive reviews (higher extend of testing). A risk-based audit approach steers the audit process in a way that maximizes the benefit of assurance [[work]] by ensuring resources are allocated to the highest risks confronting the [[organization]]. This approach is aimed to improve the effectiveness and [[efficiency]] of audits, as it ensures that key risks are addressed with an optimal usage of audit resources<ref>Spencer Pickett, K. H. (2006)</ref>.


==The impact of the COSO framework==
==The impact of the COSO framework==
The scopes of internal audits are heavily influenced by the framework for evaluation of internal controls established by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). This unified approach for the assessment of internal control systems has five control components: (1) control [[environment]], (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. The Sarbanes Oxley Act of 2002 (SOX) has shifted the purpose of the [[internal audit]] function to focus on testing for compliance with SOX, which requires evaluation of effectiveness of internal controls, which are "the subset of internal controls addressed in the COSO Report that pertains to financial reporting objectives"<ref>Martin, K., Sanders, E., Scalan, G. (2014)</ref>.


The scopes of internal audits are heavily influenced by the framework for evaluation of internal controls established by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). This unified approach for the assessment of internal control systems has five control components: (1) control [[environment]], (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. The Sarbanes Oxley Act of 2002 (SOX) has shifted the purpose of the [[internal audit]] function to focus on testing for compliance with SOX, which requires evaluation of effectiveness of internal controls, which are “the subset of internal controls addressed in the COSO Report that pertains to financial reporting objectives”<ref>Martin, K., Sanders, E., Scalan, G. (2014)</ref>.
==Examples of Audit scope==
# ''' Assessing Risk''': Establishing the scope of the audit to ensure that the audit covers all areas of significant risk.
# ''' [[Controlling]]''': Reviewing the management’s internal control processes to identify any weaknesses or gaps in the [[system]].
# ''' Compliance''': Ensuring that the organization is in compliance with all applicable laws, regulations, and standards.
# ''' Performance''': Evaluating the [[efficiency and effectiveness]] of operations, and the [[quality]] of services provided.
# ''' Governance''': Reviewing organizational governance to ensure that the organization is operating in an ethical and transparent manner.


==References==
==Advantages of Audit scope==
Audit scope is a necessary and important tool to ensure that all areas of an organization are thoroughly and accurately audited. It provides a clear framework for the internal audit team to follow with regards to the scope of their work. The following are some of the advantages of audit scope:
* It helps to ensure that all areas of the organization are properly examined and evaluated.
* It helps to ensure that all relevant documents and records are reviewed.
* It clearly specifies the objectives, activities and criteria for the audit.
* It provides guidance for auditors so that they can conduct their audit in an effective and efficient manner.
* It helps to identify any potential risks that may exist in the organization.
* It provides a comprehensive view of the organization’s processes and operations.
* It helps to identify any areas that require improvement or corrective [[action]].
* It helps to ensure that the audit activities are properly documented and reported.
 
==Limitations of Audit scope==
The limitations of audit scope include:
* '''Selection of the audit area''': The scope of the audit should be selected carefully and should consider any external and internal factors that could influence the selection of the audit area.
* '''Timing of the audit''': The timing of the audit should be evaluated and determined to ensure that any changes in the environment or activities being audited are identified and addressed.
* '''Resources available''': The resources available should be evaluated and considered to ensure that the audit can be conducted effectively and efficiently.
* '''Quality of the audit evidence''': The quality of the audit evidence should be evaluated and considered to ensure that it is sufficient and reliable to support the audit objectives.
* '''Audit objectives''': The audit objectives should be clearly defined and communicated to ensure that the scope of the audit is appropriate.
 
==Other approaches related to Audit scope==
* Risk-based Auditing - This approach focuses on the [[identification]] and assessment of risk levels across the organization to prioritize audit activities. It requires auditors to develop an understanding of the organization's internal control environment and to identify areas of significant risks.
* Process Auditing - This approach focuses on the evaluation of processes and their performance in order to identify opportunities for improvement. It involves assessing the design, implementation and effectiveness of processes within the organization.
* Data Analytics - This approach involves the use of [[technology]] to analyze data and uncover trends, patterns, anomalies and/or relationships. It is a powerful tool to detect fraud or error, identify potential areas of improvement or identify potential risks.
* Quality Assurance Auditing - This approach focuses on the evaluation of [[quality assurance]] systems, processes and procedures to ensure that they are effective and efficient. It involves assessing the design, implementation, and effectiveness of quality assurance systems and processes within the organization.


* Bariff, M. (2003). [https://na.theiia.org/iiarf/Public%20Documents/Internal%20Audit%20Independence%20and%20Corporate%20Governance%20-%20Chicago.pdf Internal Audit Independence and Corporate Governance], Institute of Internal Auditors-Research Foundation. Research Study Agenda, s.6-7.
In summary, the audit scope can be determined using a variety of approaches, including risk-based auditing, process auditing, data analytics, and quality assurance auditing. Each approach has its own advantages and disadvantages, and each should be considered when determining the scope of an audit.
* Martin, K., Sanders, E., Scalan, G. (2014). [https://www.sciencedirect.com/science/article/pii/S1052045714000137 The potential impact of COSO internal control integrated framework revision on internal audit structured SOX work programs], Research in Accounting Regulation, nr 26, s.110-117.
* Romney, M. B., Steinbart, P. J. (2003). [http://wps.prenhall.com/wps/media/objects/152/155841/AIS10.PPT Accounting Information Systems], [[Internal auditing|Internal Auditing]] Standards, s.13-14, 18-19.
* Spencer Pickett, K. H. (2006). [https://books.google.pl/books?hl=en&lr=&id=T8ZwvCquHyEC&oi=fnd&pg=PR9&dq=risk+based+approach+to+audit+scope&ots=o4b7kKvzPB&sig=09V8dhFbB6UfCLmlF2wz7Vn48Bw&redir_esc=y#v=onepage&q&f=false Audit Planning. A Risk-Based Approach], Engagement Planning, s.166-167.


{{infobox5|list1={{i5link|a=[[Risk management process]]}} &mdash; {{i5link|a=[[Validation master plan]]}} &mdash; {{i5link|a=[[External quality assurance]]}} &mdash; {{i5link|a=[[Internal audit]]}} &mdash; {{i5link|a=[[ISO 9004]]}} &mdash; {{i5link|a=[[Strategic risk management]]}} &mdash; {{i5link|a=[[Quality plan]]}} &mdash; {{i5link|a=[[Management system]]}} &mdash; {{i5link|a=[[Information security management system]]}} }}


==References==
* Bariff, M. (2003). [https://na.theiia.org/iiarf/Public%20Documents/Internal%20Audit%20Independence%20and%20Corporate%20Governance%20-%20Chicago.pdf Internal Audit Independence and Corporate Governance], Institute of Internal Auditors-Research Foundation. Research Study Agenda, p. 6-7.
* Martin, K., Sanders, E., Scalan, G. (2014). [https://www.sciencedirect.com/science/article/pii/S1052045714000137 The potential impact of COSO internal control integrated framework revision on internal audit structured SOX work programs], Research in Accounting Regulation, nr 26, p. 110-117.
* Romney, M. B., Steinbart, P. J. (2003). [http://wps.prenhall.com/wps/media/objects/152/155841/AIS10.PPT Accounting Information Systems], [[Internal auditing|Internal Auditing]] Standards, p. 13-14, 18-19.
* Spencer Pickett, K. H. (2006). [https://books.google.pl/books?hl=en&lr=&id=T8ZwvCquHyEC&oi=fnd&pg=PR9&dq=risk+based+approach+to+audit+scope&ots=o4b7kKvzPB&sig=09V8dhFbB6UfCLmlF2wz7Vn48Bw&redir_esc=y#v=onepage&q&f=false Audit Planning. A Risk-Based Approach], Engagement Planning, p. 166-167.


==Footnotes==
==Footnotes==

Latest revision as of 16:56, 17 November 2023

Audit scope defines the coverage and the extend of testing activities of an assurance review. The scope of an audit should be sufficient to satisfy the objectives of the engagement (audit). The Institute of Internal Auditors (IIA) established a framework of key Internal Audit Scope Standards to provide guidance for setting appropriate audit scope objectives. The five key objectives include the following items:

  1. "Review the reliability and integrity of operating and financial information and how it is identified, measured, classified, and reported.

2. Determine whether the systems designed to comply with operating and reporting policies, plans, procedures, laws, and regulations are actually being followed.

3. Review how assets are safeguarded, and verify the existence of assets as appropriate.

4. Examine company resources to determine how effectively and efficiently they are utilized.

5. Review company operations and programs to determine whether they are being carried out as planned and whether they are meeting their objectives"[1].

The IIA Chicago Chapter argues that audit scopes should also include strategic issues. Research shows that much of financial reporting problems stem from strategic issues[2].

Audit planning phase

Determination of audit scope is part of the planning phase in the audit process. There are four audit process stages: audit planning, collection of audit evidence, evaluation of audit evidence, and communication of audit results. The purpose of the planning phase is to establish the scope and objectives, organize audit team, develop the knowledge of business operations, review prior audit results, identify risk factors, and prepare audit program[3].

Risk-based approach to audit scopes

Audit scopes are typically based on a risk assessment that focuses on key risk areas or uncertainties related to the activity that is reviewed. Risk is measured in terms of the likelihood of occurrence of adverse outcomes arising from the subject activity (inherent risk). Risk is mitigated by the existence of internal controls (mitigating factors). The level of residual risk (the difference between inherent risk and mitigating factors) drives audit requirements. Higher risk areas receive more frequent or more comprehensive reviews (higher extend of testing). A risk-based audit approach steers the audit process in a way that maximizes the benefit of assurance work by ensuring resources are allocated to the highest risks confronting the organization. This approach is aimed to improve the effectiveness and efficiency of audits, as it ensures that key risks are addressed with an optimal usage of audit resources[4].

The impact of the COSO framework

The scopes of internal audits are heavily influenced by the framework for evaluation of internal controls established by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). This unified approach for the assessment of internal control systems has five control components: (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. The Sarbanes Oxley Act of 2002 (SOX) has shifted the purpose of the internal audit function to focus on testing for compliance with SOX, which requires evaluation of effectiveness of internal controls, which are "the subset of internal controls addressed in the COSO Report that pertains to financial reporting objectives"[5].

Examples of Audit scope

  1. Assessing Risk: Establishing the scope of the audit to ensure that the audit covers all areas of significant risk.
  2. Controlling: Reviewing the management’s internal control processes to identify any weaknesses or gaps in the system.
  3. Compliance: Ensuring that the organization is in compliance with all applicable laws, regulations, and standards.
  4. Performance: Evaluating the efficiency and effectiveness of operations, and the quality of services provided.
  5. Governance: Reviewing organizational governance to ensure that the organization is operating in an ethical and transparent manner.

Advantages of Audit scope

Audit scope is a necessary and important tool to ensure that all areas of an organization are thoroughly and accurately audited. It provides a clear framework for the internal audit team to follow with regards to the scope of their work. The following are some of the advantages of audit scope:

  • It helps to ensure that all areas of the organization are properly examined and evaluated.
  • It helps to ensure that all relevant documents and records are reviewed.
  • It clearly specifies the objectives, activities and criteria for the audit.
  • It provides guidance for auditors so that they can conduct their audit in an effective and efficient manner.
  • It helps to identify any potential risks that may exist in the organization.
  • It provides a comprehensive view of the organization’s processes and operations.
  • It helps to identify any areas that require improvement or corrective action.
  • It helps to ensure that the audit activities are properly documented and reported.

Limitations of Audit scope

The limitations of audit scope include:

  • Selection of the audit area: The scope of the audit should be selected carefully and should consider any external and internal factors that could influence the selection of the audit area.
  • Timing of the audit: The timing of the audit should be evaluated and determined to ensure that any changes in the environment or activities being audited are identified and addressed.
  • Resources available: The resources available should be evaluated and considered to ensure that the audit can be conducted effectively and efficiently.
  • Quality of the audit evidence: The quality of the audit evidence should be evaluated and considered to ensure that it is sufficient and reliable to support the audit objectives.
  • Audit objectives: The audit objectives should be clearly defined and communicated to ensure that the scope of the audit is appropriate.

Other approaches related to Audit scope

  • Risk-based Auditing - This approach focuses on the identification and assessment of risk levels across the organization to prioritize audit activities. It requires auditors to develop an understanding of the organization's internal control environment and to identify areas of significant risks.
  • Process Auditing - This approach focuses on the evaluation of processes and their performance in order to identify opportunities for improvement. It involves assessing the design, implementation and effectiveness of processes within the organization.
  • Data Analytics - This approach involves the use of technology to analyze data and uncover trends, patterns, anomalies and/or relationships. It is a powerful tool to detect fraud or error, identify potential areas of improvement or identify potential risks.
  • Quality Assurance Auditing - This approach focuses on the evaluation of quality assurance systems, processes and procedures to ensure that they are effective and efficient. It involves assessing the design, implementation, and effectiveness of quality assurance systems and processes within the organization.

In summary, the audit scope can be determined using a variety of approaches, including risk-based auditing, process auditing, data analytics, and quality assurance auditing. Each approach has its own advantages and disadvantages, and each should be considered when determining the scope of an audit.


Audit scoperecommended articles
Risk management processValidation master planExternal quality assuranceInternal auditISO 9004Strategic risk managementQuality planManagement systemInformation security management system

References

Footnotes

  1. Romney, M. B., Steinbart, P. J. (2003)
  2. Bariff, M. (2003)
  3. Romney, M. B., Steinbart, P. J. (2003)
  4. Spencer Pickett, K. H. (2006)
  5. Martin, K., Sanders, E., Scalan, G. (2014)

Author: Daniel Gaura