1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
|
+++
date = 2023-06-20
title = "Cheatsheet: Review Audit Test Results"
description = "A handy cheatsheet for reviewing audit testing on FSA and SOC report engagements."
+++
## Overview
This post is a *very* brief overview on the basic process to review audit
test results, focusing on work done as part of a financial statement audit
(FSA) or service organization controls (SOC) report.
While there are numerous different things to review and look for - all varying
wildly depending on the report, client, and tester - this list serves as a solid
base foundation for a reviewer.
I have used this throughout my career as a starting point to my reviews, and it
has worked wonders for creating a consistent and objective template to my
reviews. The goal is to keep this base high-level enough to be used on a wide
variety of engagements, while still ensuring that all key areas are covered.
## Cheatsheet
1. [ ] Check all documents for spelling and grammar.
2. [ ] Ensure all acronyms are fully explained upon first use.
3. [ ] For all people referenced, use their full names and job titles upon
first use.
4. [ ] All supporting documents must cross-reference to the lead sheet and
vice-versa.
5. [ ] Verify that the control has been adequately tested:
- [ ] **Test of Design**: Did the tester obtain information regarding how
the control should perform normally and abnormally (e.g., emergency
scenarios)?
- [ ] **Test of Operating Effectiveness**: Did the tester inquire, observe,
inspect, or re-perform sufficient evidence to support their
conclusion over the control? Inquiry alone is not adequate!
6. [ ] For any information used in the control, whether by the control operator
or by the tester, did the tester appropriately document the source (system or
person), extraction method, parameters, and completeness and accuracy (C&A)?
- [ ] For any reports, queries, etc. used in the extraction, did the tester
include a copy and notate C&A considerations?
7. [ ] Did the tester document the specific criteria that the control is being
tested against?
8. [ ] Did the tester notate in the supporting documents where each criterion
was satisfied?
9. [ ] If testing specific policies or procedures, are the documents adequate?
- [ ] e.g., a test to validate that a review of policy XYZ occurs
periodically should also evaluate the sufficiency of the policy itself, if
meant to cover the risk that such a policy does not exist and is not
reviewed.
10. [ ] Does the test cover the appropriate period under review?
- [ ] If the test is meant to cover only a portion of the audit period, do
other controls exist to mitigate the risks that exist for the remainder of
the period?
11. [ ] For any computer-aided audit tools (CAATs) or other automation
techniques used in the test, is the use of such tools explained and
appropriately documented?
12. [ ] If prior-period documentation exists, are there any missing pieces of
evidence that would further enhance the quality of the test?
13. [ ] Was any information discovered during the walkthrough or inquiry phase
that was not incorporated into the test?
14. [ ] Are there new rules or expectations from your company's internal
guidance or your regulatory bodies that would affect the audit approach for this
control?
15. [ ] Was an exception, finding, or deficiency identified as a result of this
test?
- [ ] Was the control deficient in design, operation, or both?
- [ ] What was the root cause of the finding?
- [ ] Does the finding indicate other findings or potential fraud?
- [ ] What's the severity and scope of the finding?
- [ ] Do other controls exist as a form of compensation against the
finding's severity, and do they mitigate the risk within the control
objective?
- [ ] Does the finding exist at the end of the period, or was it resolved
within the audit period?
|
