From fdd80eadcc2f147d0198d94b7b908764778184a2 Mon Sep 17 00:00:00 2001 From: Christian Cleberg Date: Mon, 29 Apr 2024 14:18:55 -0500 Subject: format line wrapping and fix escaped characters --- content/blog/2023-06-20-audit-review-template.md | 119 +++++++++++------------ 1 file changed, 57 insertions(+), 62 deletions(-) (limited to 'content/blog/2023-06-20-audit-review-template.md') diff --git a/content/blog/2023-06-20-audit-review-template.md b/content/blog/2023-06-20-audit-review-template.md index 6fc69c8..853bbd1 100644 --- a/content/blog/2023-06-20-audit-review-template.md +++ b/content/blog/2023-06-20-audit-review-template.md 
@@ -7,75 +7,70 @@ draft = false # Overview -This post is a *very* brief overview on the basic process to review -audit test results, focusing on work done as part of a financial -statement audit (FSA) or service organization controls (SOC) report. +This post is a *very* brief overview on the basic process to review audit test +results, focusing on work done as part of a financial statement audit (FSA) or +service organization controls (SOC) report. -While there are numerous different things to review and look for - all -varying wildly depending on the report, client, and tester - this list -serves as a solid base foundation for a reviewer. +While there are numerous different things to review and look for - all varying +wildly depending on the report, client, and tester - this list serves as a solid +base foundation for a reviewer. -I have used this throughout my career as a starting point to my reviews, -and it has worked wonders for creating a consistent and objective -template to my reviews. The goal is to keep this base high-level enough -to be used on a wide variety of engagements, while still ensuring that -all key areas are covered. +I have used this throughout my career as a starting point to my reviews, and it +has worked wonders for creating a consistent and objective template to my +reviews. The goal is to keep this base high-level enough to be used on a wide +variety of engagements, while still ensuring that all key areas are covered. # Review Template -1. [ ] Check all documents for spelling and grammar. -2. [ ] Ensure all acronyms are fully explained upon first use. -3. [ ] For all people referenced, use their full names and job titles - upon first use. -4. [ ] All supporting documents must cross-reference to the lead sheet - and vice-versa. -5. 
[ ] Verify that the control has been adequately tested: - - [ ] **Test of Design**: Did the tester obtain information - regarding how the control should perform normally and abnormally - (e.g., emergency scenarios)? - - [ ] **Test of Operating Effectiveness**: Did the tester inquire, - observe, inspect, or re-perform sufficient evidence to support - their conclusion over the control? Inquiry alone is not - adequate! -6. [ ] For any information used in the control, whether by the control - operator or by the tester, did the tester appropriately document the - source (system or person), extraction method, parameters, and - completeness and accuracy (C&A)? - - [ ] For any reports, queries, etc. used in the extraction, did - the tester include a copy and notate C&A considerations? -7. [ ] Did the tester document the specific criteria that the control - is being tested against? -8. [ ] Did the tester notate in the supporting documents where each - criterion was satisfied? -9. [ ] If testing specific policies or procedures, are the documents - adequate? - - [ ] e.g., a test to validate that a review of policy XYZ occurs - periodically should also evaluate the sufficiency of the policy - itself, if meant to cover the risk that such a policy does not - exist and is not reviewed. +1. [ ] Check all documents for spelling and grammar. +2. [ ] Ensure all acronyms are fully explained upon first use. +3. [ ] For all people referenced, use their full names and job titles upon first + use. +4. [ ] All supporting documents must cross-reference to the lead sheet and + vice-versa. +5. [ ] Verify that the control has been adequately tested: + - [ ] **Test of Design**: Did the tester obtain information regarding how + the control should perform normally and abnormally (e.g., emergency + scenarios)? + - [ ] **Test of Operating Effectiveness**: Did the tester inquire, observe, + inspect, or re-perform sufficient evidence to support their conclusion + over the control? 
Inquiry alone is not adequate! +6. [ ] For any information used in the control, whether by the control operator + or by the tester, did the tester appropriately document the source (system or + person), extraction method, parameters, and completeness and accuracy (C&A)? + - [ ] For any reports, queries, etc. used in the extraction, did the tester + include a copy and notate C&A considerations? +7. [ ] Did the tester document the specific criteria that the control is being + tested against? +8. [ ] Did the tester notate in the supporting documents where each criterion + was satisfied? +9. [ ] If testing specific policies or procedures, are the documents adequate? + - [ ] e.g., a test to validate that a review of policy XYZ occurs + periodically should also evaluate the sufficiency of the policy itself, if + meant to cover the risk that such a policy does not exist and is not + reviewed. 10. [ ] Does the test cover the appropriate period under review? - - [ ] If the test is meant to cover only a portion of the audit - period, do other controls exist to mitigate the risks that exist - for the remainder of the period? + - [ ] If the test is meant to cover only a portion of the audit period, do + other controls exist to mitigate the risks that exist for the remainder of + the period? 11. [ ] For any computer-aided audit tools (CAATs) or other automation techniques used in the test, is the use of such tools explained and appropriately documented? -12. [ ] If prior-period documentation exists, are there any missing - pieces of evidence that would further enhance the quality of the +12. [ ] If prior-period documentation exists, are there any missing pieces of + evidence that would further enhance the quality of the test? +13. [ ] Was any information discovered during the walkthrough or inquiry phase + that was not incorporated into the test? +14. 
[ ] Are there new rules or expectations from your company's internal + guidance or your regulatory bodies that would affect the audit approach for + this control? +15. [ ] Was an exception, finding, or deficiency identified as a result of this test? -13. [ ] Was any information discovered during the walkthrough or inquiry - phase that was not incorporated into the test? -14. [ ] Are there new rules or expectations from your company\'s - internal guidance or your regulatory bodies that would affect the - audit approach for this control? -15. [ ] Was an exception, finding, or deficiency identified as a result - of this test? - - [ ] Was the control deficient in design, operation, or both? - - [ ] What was the root cause of the finding? - - [ ] Does the finding indicate other findings or potential fraud? - - [ ] What\'s the severity and scope of the finding? - - [ ] Do other controls exist as a form of compensation against - the finding\'s severity, and do they mitigate the risk within - the control objective? - - [ ] Does the finding exist at the end of the period, or was it - resolved within the audit period? + - [ ] Was the control deficient in design, operation, or both? + - [ ] What was the root cause of the finding? + - [ ] Does the finding indicate other findings or potential fraud? + - [ ] What's the severity and scope of the finding? + - [ ] Do other controls exist as a form of compensation against the + finding's severity, and do they mitigate the risk within the control + objective? + - [ ] Does the finding exist at the end of the period, or was it resolved + within the audit period? -- cgit v1.2.3-70-g09d2
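Review bot: The escaped-character fix in items 14 and 15 (`company\'s` to `company's`, `What\'s` to `What's`, `finding\'s` to `finding's`) is mixed into a rewrap of the whole file, so the only changes that alter rendered text are hard to pick out from the whitespace-only ones. Splitting this into two commits, one for the rewrap and one for the unescaping, would let each be verified on its own. Separately, items 1 and 2 of the Review Template are removed and re-added with the same visible text, which suggests a list-marker or trailing-whitespace change that the subject line does not mention. If that is intentional, name it in the commit message.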