Internal Audit Walkthroughs.
Why you should perform walkthroughs during planning and develop process maps at the same time
Internal Audit planning is one of the most critical stages in an audit. As the quote goes, “proper planning prevents poor performance”, and this couldn’t be more true of internal audit. If our planning is poor, our audit fieldwork and subsequent reporting are likely to be chaotic and lack any substantial value to the business.
During the planning stage of the audit, it is ideal to include walkthroughs and process mapping as part of your risk assessment process. Performing walkthroughs for the end to end process allows us to effectively identify any controls, risks, or improvement opportunities. It also allows us to perform a detailed risk assessment which will ultimately help inform our audit scope and objectives.
In this post today, we are going to talk about:
- What is an audit walkthrough
- How we document evidence of our walkthrough
- What we should assess through our walkthrough
- How our walkthroughs and process maps feed into our audit scope, objectives and test plan.
What is an audit walkthrough?
An audit walkthrough is where we take one transaction for the process under review and follow it from start to end. For instance, if reviewing a new employee process, you will select one employee and follow them from the moment they were handed a Letter of Offer, through to the moment they were created in the payroll system and subsequently paid.
Using our example of the new starter, we will sit next to the relevant team member responsible for each step in the process. For example, we would sit next to the recruitment team and either watch them perform or re-perform the process for creating and issuing the Letter of Offer for the individual we have selected for our walkthrough. Once they have completed their part of the process, you will move to the next person. Keeping the exact same example / employee, you will then ask the next person how they create the employee in the HR system.
Throughout this entire end to end walkthrough, it is important we obtain relevant screenshots, copies of supporting information and any policy or procedure documents which govern that particular part of the process.
It is also important that we only use one example for the end to end process and not a number of transactions / examples to make up the process.
How we document evidence of our walkthrough
There are a number of ways which we can document our walkthroughs. Often, a combination of these is considered best.
Option 1 – Record the meeting
When working virtually, as most of us currently are, many video conferencing tools allow you to record the meeting. Recording the meeting not only provides the audit team with a reference point if they want to go back and double check something in the process, but can also be used as great evidence for your walkthrough.
Option 2 – Meeting Minutes
Meeting minutes should not be used in isolation, but rather alongside a documented process flow, or an annotated copy of the evidence to support the walkthrough. Meeting minutes offer another great reference point for the team, but are also a good development tool for junior auditors. Being able to take good quality notes yet still be actively engaged during an audit is an important skill which junior auditors need to learn and develop. By taking meeting minutes from the walkthrough, audit team managers can review the minutes and give feedback to team members on areas which they missed, the quality of their note taking, or help identify gaps in our understanding for further follow up / questioning. Whilst taking meeting minutes is not fun, there are a lot of additional benefits which can be achieved from this task.
Option 3 – Annotate Supporting Evidence
As you go through the process, you will obtain key documents, screenshots and relevant policies and procedures. These documents can be combined into one larger document which can then be annotated to explain the various steps and activities which have occurred through the process. For instance, on a screenshot, you will comment and highlight which sections have information manually populated (i.e. employee name). You will then cross reference this to the contract and letter of offer form which you would have also received as evidence during your walkthrough.
This option is best combined with the meeting minutes.
Option 4 – Process Flows / Process Map
Process flows are a great way to document a process in a simple and easy to understand method. Process flows also allow you to map risks, controls and any control gaps along the process. Additionally, you can add an additional layer to show data flows through the process, which is becoming increasingly important as more and more processes become automated or electronic.
Alongside the process flow, you can refer to the annotated supporting evidence as detailed in Option 3.
What should we assess through our walkthrough
Firstly, it is important to understand why we are doing a walkthrough. We are doing this walkthrough so we can:
- Understand the process;
- Identify controls;
- Ensure controls have been designed and implemented appropriately;
- Identify risks; and
- Aid in performing our risk assessment.
So as we perform our walkthrough, we should be assessing the following:
- Are the controls designed appropriately to either prevent or detect any errors, omissions or fraud?
- Have the controls been sufficiently implemented?
- Is there appropriate segregation of duties?
- Do the people performing the task have the appropriate skills and experience?
- Are the controls manual or automated?
- Are there any gaps in current controls?
- Is the process aligned to the documented procedure or policy?
- Is the control commensurate with the level of risk?
- Is there an opportunity to streamline the process and maintain the current level of risk?
These considerations can be documented in either your meeting minutes or your process flows. However, it is important that these questions and the answers be documented, as this all forms part of your risk assessment and will help feed into your audit scope and objectives. Remember, in accordance with the Standards, we perform a risk-based audit.
How our walkthroughs and process maps feed into our audit scope, objectives and test plan
At the end of the walkthrough activity, we should have a solid idea of where our risks lie. To bring together all your walkthroughs, a high level macro process can be built. This is simply a line across the page showing the key steps in the process (i.e. Hire employee, create employee, pay employee). Against each of these steps in the process, we can assign a control assessment and a risk assessment. For instance, for the hire employee process:
- Is the design of the controls satisfactory? Yes / No?
- Have the controls been implemented appropriately? Yes / No?
- What are the risks we should consider?
- Overall risk assessment?
This high level macro process flow and corresponding risk assessment can then be used during the team planning meetings. Junior team members can present the process flow to audit managers who can then challenge the team on their risk assessment. Additionally, teams can then discuss the planned audit approach and possible testing methods. This will help junior team members when they go to build their testing work program.
Whilst this process may require a significant amount of investment and time at the beginning of the audit, it will also ensure that adequate planning has been performed, all team members thoroughly understand the process, and junior team members are learning critical note taking, risk assessment and presentation skills.