1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
|
+++
date = 2023-06-20
title = "Audit Testing Review Template"
description = "A handy reference template for audit reviews."
+++
## Overview
This post is a *very* brief overview on the basic process to review
audit test results, focusing on work done as part of a financial
statement audit (FSA) or service organization controls (SOC) report.
While there are numerous different things to review and look for - all
varying wildly depending on the report, client, and tester - this list
serves as a solid base foundation for a reviewer.
I have used this throughout my career as a starting point to my reviews,
and it has worked wonders for creating a consistent and objective
template to my reviews. The goal is to keep this base high-level enough
to be used on a wide variety of engagements, while still ensuring that
all key areas are covered.
## Review Template
1. [ ] Check all documents for spelling and grammar.
2. [ ] Ensure all acronyms are fully explained upon first use.
3. [ ] For all people referenced, use their full names and job titles
upon first use.
4. [ ] All supporting documents must cross-reference to the lead sheet
and vice-versa.
5. [ ] Verify that the control has been adequately tested:
- [ ] **Test of Design**: Did the tester obtain information
regarding how the control should perform normally and abnormally
(e.g., emergency scenarios)?
- [ ] **Test of Operating Effectiveness**: Did the tester inquire,
observe, inspect, or re-perform sufficient evidence to support
their conclusion over the control? Inquiry alone is not
adequate!
6. [ ] For any information used in the control, whether by the control
operator or by the tester, did the tester appropriately document the
source (system or person), extraction method, parameters, and
completeness and accuracy (C&A)?
- [ ] For any reports, queries, etc. used in the extraction, did
the tester include a copy and notate C&A considerations?
7. [ ] Did the tester document the specific criteria that the control
is being tested against?
8. [ ] Did the tester notate in the supporting documents where each
criterion was satisfied?
9. [ ] If testing specific policies or procedures, are the documents
adequate?
- [ ] e.g., a test to validate that a review of policy XYZ occurs
periodically should also evaluate the sufficiency of the policy
itself, if meant to cover the risk that such a policy does not
exist and is not reviewed.
10. [ ] Does the test cover the appropriate period under review?
- [ ] If the test is meant to cover only a portion of the audit
period, do other controls exist to mitigate the risks that exist
for the remainder of the period?
11. [ ] For any computer-aided audit tools (CAATs) or other automation
techniques used in the test, is the use of such tools explained and
appropriately documented?
12. [ ] If prior-period documentation exists, are there any missing
pieces of evidence that would further enhance the quality of the
test?
13. [ ] Was any information discovered during the walkthrough or inquiry
phase that was not incorporated into the test?
14. [ ] Are there new rules or expectations from your company's
internal guidance or your regulatory bodies that would affect the
audit approach for this control?
15. [ ] Was an exception, finding, or deficiency identified as a result
of this test?
- [ ] Was the control deficient in design, operation, or both?
- [ ] What was the root cause of the finding?
- [ ] Does the finding indicate other findings or potential fraud?
- [ ] What's the severity and scope of the finding?
- [ ] Do other controls exist as a form of compensation against
the finding's severity, and do they mitigate the risk within
the control objective?
- [ ] Does the finding exist at the end of the period, or was it
resolved within the audit period?
|
