Diffstat (limited to 'content/blog/2023-06-20-audit-review-template.md')
-rw-r--r-- | content/blog/2023-06-20-audit-review-template.md | 55 |
1 files changed, 28 insertions, 27 deletions
diff --git a/content/blog/2023-06-20-audit-review-template.md b/content/blog/2023-06-20-audit-review-template.md index 853bbd1..ede3092 100644 --- a/content/blog/2023-06-20-audit-review-template.md +++ b/content/blog/2023-06-20-audit-review-template.md @@ -7,7 +7,7 @@ draft = false # Overview -This post is a *very* brief overview on the basic process to review audit test +This post is a _very_ brief overview on the basic process to review audit test results, focusing on work done as part of a financial statement audit (FSA) or service organization controls (SOC) report. 
@@ -25,52 +25,53 @@ variety of engagements, while still ensuring that all key areas are covered. 1. [ ] Check all documents for spelling and grammar. 2. [ ] Ensure all acronyms are fully explained upon first use. 3. [ ] For all people referenced, use their full names and job titles upon first - use. + use. 4. [ ] All supporting documents must cross-reference to the lead sheet and - vice-versa. + vice-versa. 5. [ ] Verify that the control has been adequately tested: - [ ] **Test of Design**: Did the tester obtain information regarding how - the control should perform normally and abnormally (e.g., emergency - scenarios)? + the control should perform normally and abnormally (e.g., emergency + scenarios)? - [ ] **Test of Operating Effectiveness**: Did the tester inquire, observe, - inspect, or re-perform sufficient evidence to support their conclusion - over the control? Inquiry alone is not adequate! + inspect, or re-perform sufficient evidence to support their conclusion + over the control? Inquiry alone is not adequate! 6. [ ] For any information used in the control, whether by the control operator - or by the tester, did the tester appropriately document the source (system or - person), extraction method, parameters, and completeness and accuracy (C&A)? + or by the tester, did the tester appropriately document the source + (system or person), extraction method, parameters, and completeness and + accuracy (C&A)? - [ ] For any reports, queries, etc. used in the extraction, did the tester - include a copy and notate C&A considerations? + include a copy and notate C&A considerations? 7. [ ] Did the tester document the specific criteria that the control is being - tested against? + tested against? 8. [ ] Did the tester notate in the supporting documents where each criterion - was satisfied? + was satisfied? 9. [ ] If testing specific policies or procedures, are the documents adequate? 
- [ ] e.g., a test to validate that a review of policy XYZ occurs - periodically should also evaluate the sufficiency of the policy itself, if - meant to cover the risk that such a policy does not exist and is not - reviewed. + periodically should also evaluate the sufficiency of the policy + itself, if meant to cover the risk that such a policy does not exist + and is not reviewed. 10. [ ] Does the test cover the appropriate period under review? - [ ] If the test is meant to cover only a portion of the audit period, do - other controls exist to mitigate the risks that exist for the remainder of - the period? + other controls exist to mitigate the risks that exist for the + remainder of the period? 11. [ ] For any computer-aided audit tools (CAATs) or other automation - techniques used in the test, is the use of such tools explained and - appropriately documented? + techniques used in the test, is the use of such tools explained and + appropriately documented? 12. [ ] If prior-period documentation exists, are there any missing pieces of - evidence that would further enhance the quality of the test? + evidence that would further enhance the quality of the test? 13. [ ] Was any information discovered during the walkthrough or inquiry phase - that was not incorporated into the test? + that was not incorporated into the test? 14. [ ] Are there new rules or expectations from your company's internal - guidance or your regulatory bodies that would affect the audit approach for - this control? + guidance or your regulatory bodies that would affect the audit approach + for this control? 15. [ ] Was an exception, finding, or deficiency identified as a result of this - test? + test? - [ ] Was the control deficient in design, operation, or both? - [ ] What was the root cause of the finding? - [ ] Does the finding indicate other findings or potential fraud? - [ ] What's the severity and scope of the finding? 
- [ ] Do other controls exist as a form of compensation against the - finding's severity, and do they mitigate the risk within the control - objective? + finding's severity, and do they mitigate the risk within the control + objective? - [ ] Does the finding exist at the end of the period, or was it resolved - within the audit period? + within the audit period? |
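Review bot: In the second hunk (@@ -25,52 +25,53 @@), the continuation lines under items 10 to 15 sit behind a four-character marker ("10. ") rather than the three-character one used for items 1 to 9, so confirm in the rendered page that their wrapped text and nested "- [ ]" sub-items still attach to the parent item after the reindent. Every removed/added pair in this hunk carries the same words, with only the wrap points moving at items 6, 9, 10 and 14, so the commit message should say that this is a formatting-only change with no wording edits; the diffstat (28 insertions, 27 deletions) makes that hard to confirm by eye.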