Audit scope
Audit scope defines the coverage and the extend of testing activities of an assurance review. The scope of an audit should be sufficient to satisfy the objectives of the engagement (audit). The Institute of Internal Auditors (IIA) established a framework of key Internal Audit Scope Standards to provide guidance for setting appropriate audit scope objectives. The five key objectives include the following items:
- "Review the reliability and integrity of operating and financial information and how it is identified, measured, classified, and reported.
2. Determine whether the systems designed to comply with operating and reporting policies, plans, procedures, laws, and regulations are actually being followed.
3. Review how assets are safeguarded, and verify the existence of assets as appropriate.
4. Examine company resources to determine how effectively and efficiently they are utilized.
5. Review company operations and programs to determine whether they are being carried out as planned and whether they are meeting their objectives"[1].
The IIA Chicago Chapter argues that audit scopes should also include strategic issues. Research shows that much of financial reporting problems stem from strategic issues[2].
Audit planning phase
Determination of audit scope is part of the planning phase in the audit process. There are four audit process stages: audit planning, collection of audit evidence, evaluation of audit evidence, and communication of audit results. The purpose of the planning phase is to establish the scope and objectives, organize audit team, develop the knowledge of business operations, review prior audit results, identify risk factors, and prepare audit program[3].
Risk-based approach to audit scopes
Audit scopes are typically based on a risk assessment that focuses on key risk areas or uncertainties related to the activity that is reviewed. Risk is measured in terms of the likelihood of occurrence of adverse outcomes arising from the subject activity (inherent risk). Risk is mitigated by the existence of internal controls (mitigating factors). The level of residual risk (the difference between inherent risk and mitigating factors) drives audit requirements. Higher risk areas receive more frequent or more comprehensive reviews (higher extend of testing). A risk-based audit approach steers the audit process in a way that maximizes the benefit of assurance work by ensuring resources are allocated to the highest risks confronting the organization. This approach is aimed to improve the effectiveness and efficiency of audits, as it ensures that key risks are addressed with an optimal usage of audit resources[4].
The impact of the COSO framework
The scopes of internal audits are heavily influenced by the framework for evaluation of internal controls established by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). This unified approach for the assessment of internal control systems has five control components: (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. The Sarbanes Oxley Act of 2002 (SOX) has shifted the purpose of the internal audit function to focus on testing for compliance with SOX, which requires evaluation of effectiveness of internal controls, which are "the subset of internal controls addressed in the COSO Report that pertains to financial reporting objectives"[5].
Examples of Audit scope
- Assessing Risk: Establishing the scope of the audit to ensure that the audit covers all areas of significant risk.
- Controlling: Reviewing the management’s internal control processes to identify any weaknesses or gaps in the system.
- Compliance: Ensuring that the organization is in compliance with all applicable laws, regulations, and standards.
- Performance: Evaluating the efficiency and effectiveness of operations, and the quality of services provided.
- Governance: Reviewing organizational governance to ensure that the organization is operating in an ethical and transparent manner.
Advantages of Audit scope
Audit scope is a necessary and important tool to ensure that all areas of an organization are thoroughly and accurately audited. It provides a clear framework for the internal audit team to follow with regards to the scope of their work. The following are some of the advantages of audit scope:
- It helps to ensure that all areas of the organization are properly examined and evaluated.
- It helps to ensure that all relevant documents and records are reviewed.
- It clearly specifies the objectives, activities and criteria for the audit.
- It provides guidance for auditors so that they can conduct their audit in an effective and efficient manner.
- It helps to identify any potential risks that may exist in the organization.
- It provides a comprehensive view of the organization’s processes and operations.
- It helps to identify any areas that require improvement or corrective action.
- It helps to ensure that the audit activities are properly documented and reported.
Limitations of Audit scope
The limitations of audit scope include:
- Selection of the audit area: The scope of the audit should be selected carefully and should consider any external and internal factors that could influence the selection of the audit area.
- Timing of the audit: The timing of the audit should be evaluated and determined to ensure that any changes in the environment or activities being audited are identified and addressed.
- Resources available: The resources available should be evaluated and considered to ensure that the audit can be conducted effectively and efficiently.
- Quality of the audit evidence: The quality of the audit evidence should be evaluated and considered to ensure that it is sufficient and reliable to support the audit objectives.
- Audit objectives: The audit objectives should be clearly defined and communicated to ensure that the scope of the audit is appropriate.
- Risk-based Auditing - This approach focuses on the identification and assessment of risk levels across the organization to prioritize audit activities. It requires auditors to develop an understanding of the organization's internal control environment and to identify areas of significant risks.
- Process Auditing - This approach focuses on the evaluation of processes and their performance in order to identify opportunities for improvement. It involves assessing the design, implementation and effectiveness of processes within the organization.
- Data Analytics - This approach involves the use of technology to analyze data and uncover trends, patterns, anomalies and/or relationships. It is a powerful tool to detect fraud or error, identify potential areas of improvement or identify potential risks.
- Quality Assurance Auditing - This approach focuses on the evaluation of quality assurance systems, processes and procedures to ensure that they are effective and efficient. It involves assessing the design, implementation, and effectiveness of quality assurance systems and processes within the organization.
In summary, the audit scope can be determined using a variety of approaches, including risk-based auditing, process auditing, data analytics, and quality assurance auditing. Each approach has its own advantages and disadvantages, and each should be considered when determining the scope of an audit.
Audit scope — recommended articles |
Risk management process — Validation master plan — External quality assurance — Internal audit — ISO 9004 — Strategic risk management — Quality plan — Management system — Information security management system |
References
- Bariff, M. (2003). Internal Audit Independence and Corporate Governance, Institute of Internal Auditors-Research Foundation. Research Study Agenda, p. 6-7.
- Martin, K., Sanders, E., Scalan, G. (2014). The potential impact of COSO internal control integrated framework revision on internal audit structured SOX work programs, Research in Accounting Regulation, nr 26, p. 110-117.
- Romney, M. B., Steinbart, P. J. (2003). Accounting Information Systems, Internal Auditing Standards, p. 13-14, 18-19.
- Spencer Pickett, K. H. (2006). Audit Planning. A Risk-Based Approach, Engagement Planning, p. 166-167.
Footnotes
Author: Daniel Gaura