Updated: Jan 3
Today we mainly study audit reports and control self-assessment (CSA).
Audit reports usually have the following structure and content:
① The summary of the report describes the audit objectives, scope and limitations, the audit period, a general description of the nature and scope of the audit procedures and tests performed during the audit, and a description of IS audit methods and guidance.
② It is best to describe the audit findings in sections, which can be divided according to the importance of the audit findings or the intended recipients.
③ Make overall conclusions and opinions on the adequacy of the controls and procedures tested in the audit, as well as the potential risks caused by the defects found.
④ The IS auditor's qualifications and limitations on the audit, stating whether the controls or procedures tested are sufficient or inadequate. The audit report should support the audit conclusion, and all the evidence collected during the audit should also provide a higher level of support for the audit conclusion.
⑤ Detailed audit findings and recommendations. IS auditors should decide which audit findings to include in the report. This should be based on the significance of the findings and the expected recipients of the audit report.
⑥ Audit findings vary in nature: some are important, some are not. Auditors can submit unimportant audit findings to management in other formats, such as memos.
Audit documents are evidence supporting the audit conclusions, so they should be clear, complete, and easy to retrieve and understand.
Audit documents are usually the property of the auditing entity and can only be accessed by authorized persons. When external organizations need to access these documents, the auditor should obtain approval from the senior management or the client.
IT auditors or audit departments should also formulate policies for keeping, retaining, and publishing audit documents.
The audit documentation should include at least the following records:
1. Planning and preparation of audit objectives and scope
2. Describe the defined audit areas or perform walkthroughs
3. Audit procedures
4. Audit steps performed and audit evidence collected
5. Use of the services of other auditors and experts
6. Audit findings, conclusions, and recommendations
7. The relationship between audit documents and document appraisal and time
It is recommended that the audit documentation also include:
1. A copy of the audit report as the result of the audit work
2. Evidence of audit supervision and inspection
Control Self-Assessment (CSA)
Control Self-assessment (CSA) can be seen as a management technique that assures stakeholders, customers, and other organizations that a company's internal control system is reliable and that employees are aware of the risks facing the business and proactively implement periodic control checks.
CSA is also a method. It is a series of formal and written procedures used to check key business objectives, the risks faced in achieving the objectives, and the internal controls for managing business risks.
In the control self-assessment activities, the management and CSA team will directly participate in the judgment and monitoring of existing controls.
In this activity, the information system auditors act as control experts and facilitators of evaluation activities.
CSA basic tools include management meetings, seminars, worksheets, and CSA project methods.
Goals of control self-assessment (CSA)
The main goal of CSA is to give full play to the internal audit function by decentralizing some control and supervision responsibilities to functional departments. This is not to replace the audit responsibilities, but to strengthen them.
The CSA program also educates managers on how to design and monitor controls, especially in high-risk areas.
The key success factor is to discuss the main goal of the business unit with its representatives (appropriate and relevant employees or managers) in order to determine the reliability of the internal control system.
COBIT is a governance and control framework that can provide guidance for designing control self-assessment methods.
The advantages of control self-assessment (CSA):
① Detect risks early
② Improve internal control more effectively
③ Strengthen team spirit through employee participation
④ Increase employees' understanding of organizational goals, risks, and internal control
⑤ Enhance communication between operations and senior management
⑥ Highly stimulate the initiative of employees
⑦ Improve the audit evaluation process
⑧ Reduce control costs
⑨ Provide assurance to stakeholders and customers
⑩ Provide senior management with the necessary assurance that the internal control requirements of various legal institutions and regulations (such as the Sarbanes-Oxley Act) are met
The disadvantages of control self-assessment (CSA):
① May be mistaken for replacing the audit function
② May be regarded as additional workload (an additional report must be submitted to management)
③ Failure to implement improvement suggestions will damage employee morale
④ Lack of motivation may limit the effectiveness of inspection of control deficiencies
The role of auditors in CSA:
When the audit department establishes a CSA procedure, it should consider strengthening the auditor's responsibilities in the CSA. In the established procedure, the auditor should act as an internal control expert and evaluation promoter.
The value of auditors in CSA is realized when managers take the initiative to supervise and improve the process structure, assume responsibility for internal control within their area of authority, and clarify their identity as owners. To become effective CSA promoters and innovators, auditors must understand business processes, which can be achieved through various traditional audit methods (such as pre-investigation, walkthroughs, etc.). At the same time, auditors should keep in mind that they are only the promoters of CSA, and only managers are the specific implementers of CSA procedures.