The following figure explains the Audit and Compliance process starting with the establishment of the program office and ending with certified financial statements:
While there are many processes that support and feed into the audit processes process, it is important to realize who the players are at the end of top level process. The process has to make evident to investors and regulators that risks are managed. Once an Audit and Compliance process is established, it goes through a risk assessment, audit planning, documentation phase, a testing phase, and a reporting phase, before the results are combined with the financial disclosures and signed by the management.
In the Risk Assessment phase, you will be cataloging the risks to the objectives of the business and asking questions such as "What can go wrong?". There are many methodologies, tools, and focuses for this. One methodology is to review the financial statements by subsidiary and highlight the lines that are material and then start to investigate the risks to which that line is exposed. For example, if a subsidiary constitutes less than five percent of the revenue of the enterprise, its revenue line may not be material. For one of the subsidiaries, the revenue line may be subject to risks of mistatement. For example, if revenue is claimed when customers have vouchers outstanding. Other methodologies include facilitated workshop methods and survey methods.
In the Audit Planning phase, you will create a set of audit engagements, each with a defined scope and projected timeframe. Scope may be defined in terms of process, business units, and subsidiaries. The scope sets a boundary around the set of risks and controls that will be tested. An engagement itself is a project that has an engagement manager and a set of auditors assigned. The audit and its scope is generally authorized through an engagement letter addressed to the management and authorized from the Chief Audit Executive or audit committee. It may well include a records request for access to records that are within the scope of the audit.
As you kick off the program, you will probably establish a program office. The controls will need to be cataloged, but they are generally organized by processes, and the processes and procedures themselves may be controls in and of themselves. The testing phase will be performed within the legal entities and business units of the enterprise, so the enterprise structure needs to be documented.
The testing phase will include a risk assessment to prompt the management to think about the risks to the mission of the enterprise. When the risks have been cataloged, the scope of the audit and the audit plan can be set. The scope may be set in terms of the processes, business units, or individual controls. The audit plan is broken down into individual engagement projects that have their own scope, where controls are tested and the results reported back to the Chief Audit Executive. Management may also be testing controls themselves and providing self assessments of the effectiveness of those controls.
The reporting phase brings together management testing and the results of audit operations to be able to arm management and the directors with the information they need to certify the financial statements.
The Chief Audit Executive will need to keep the audit committee apprised of the findings in the audit engagements.
We should always remember that the end goal is that we can prove to the investors that management and directors have worked with due diligence to govern the company, assess risks to the enterprise and its mission, and comply with applicable laws and regulations.
We should look at an example of a process, a risk, a control, and a test:
In this example, a subsidiary of Infission runs the U.S. Operations. Part of the results for the subsidiary is the revenue line. The receivables management process has a material impact on what is reported as revenue. There is an inherent risk that we may apply improper revenue recognition policies. For example, we may recognize revenue, even though we have written into the contract that the customer has right of return if the product does not perform as specified, within 90 days. The control may be that every contract with revenue over 100,000 dollars is reviewed by the Revenue Recognition Team. That control may be tested by generating a report of all contracts over 100,000 and testing for revenue recognition approval.