Why and how?
The "why" is pretty simple. Audit work is perishable. The longer it takes to deliver a report, the less valuable that report becomes. In an environment experiencing a high degree of change, even 10 days can be too long. Staff or management may turnover, serious control break-downs may occur, and leadership will lose interest if reports take a long time.
The question of "how" is probably more interesting. Some of the key points are:
- Reports have to be short. We set a standard of no more than 10 pages.
- Reports have to be easy to write. If the report is a creative writing exercise, it will take too long to write and too long to quality control (QC).
- Audit work should be front-loaded as much as possible. For example, we'd get insurance claim files sent to us in advance. That way when we hit the ground on-site, we spent our time talking to people and tracking errors back to their source.
- Workpapers should back up the findings and no more.
- Brief the management as soon as you have your findings, if they challenge your findings you'd rather have that happen before you write the report.
Prescott Coleman, CIA, CISA
Posts
No comments:
Post a Comment