Professional Documents
Culture Documents
Pre Plan Audit
Pre Plan Audit
com/pre-audit-planning-what-to-do-now/
As the New Year approaches, your organization is likely preparing for new opportunities,
resolutions and goals. This season is the perfect time to lay the groundwork for a 2016
full of success.
And of course, auditing time is just around the corner. Wait, where’d you go?
Seriously though, just the mere mention of auditing is enough to ignite a sense of panic in
most offices. While not exactly professional, the reaction is perfectly reasonable as it is a
stressful time of year for accountants and executives alike.
However, the right pre-audit planning can set you and your team on the course to smooth
sailing. If you’re looking for calmer seas, follow these expert tips for successful
navigation.
Notice that nowhere in that definition did they reference a “gotcha!” situation. But for
many accountants, it can sure feel that way. The fear of making a career-ending mistake
can paralyze many professionals in the pre-auditing planning process.
But the truth is the real purpose of auditing is simply to make sure your financial
information, internal operations and business practices are all in order.
While people may joke about underwear selections, most auditors only come to review
your year-end bank statements, charitable contributions, and other professional records
that may give an insight into your organization’s health.
Make sure you have copies of your grant awards, related contracts, payroll taxes, W-2
and 1099s. Next, appoint someone to organize the visit.
1
You’ll want to take a look at the schedule during this time and make sure you have a
quiet, comfortable place for auditors to review. Any important meetings or events should
be scheduled off-site or postponed.
When you’re pre-audit planning, you’ll likely come across many ways to improve your
organization’s accounting system. Take time to note areas you’d like to streamline and
workflows you’d like to put in place.
A nonprofit-friendly financial management solution can take the fear out of pre-audit
planning for your team. Imagine having the files and documents you need at the tip of
your fingertips instead of stored across multiple systems (or, shudder, filing cabinets).
Abila MIP Fund Accounting is used by many nonprofit organizations to make reporting,
budgeting and managing more successful.
You’ll avoid auditing nightmares like inconsistent financial statements, lack of internal
control and multiple allocations. It’s truly a comprehensive solution for improving
existing process and optimizing new procedures. Best of all, Abila offers customization
for a more flexible approach that grows with your organization.
What Is a Pre-Audit?
by Forest Time
Related Articles
2
The term audit describes the process in which the financial records of a business or
individual are examined for accuracy. This is often a high-stakes process; for example, an
audit by the Internal Revenue System that finds a business not paying enough taxes can
have serious financial and legal repercussions. A pre-audit is the first part of the auditing
process.
Basic Definition
A pre-audit is the first step in the process of an audit. During a pre-audit, a company or
individual's financial documents are examined to ensure that all information is correct
before the company or individual undergoes an official audit. The pre-audit process may
be undertaken by employees of the company being pre-audited, or the company may hire
an independent organization to examine its finances. Pre-auditing may be used to
describe both a single instance of review directly preceding an official audit as well as the
continuous process of monitoring finances throughout the year.
Segregation of Duties
According to the Nebraska Department of Administrative Services, one of the most
important aspects of a general pre-auditing process is the segregation of duties when it
comes to finances. For instance, payroll checks should be issued by a different employee
than the one who approves time cards and cash should not be deposited by the same
employee who balances bank statements. In small organizations where this is not
possible, finances should be routinely checked by the management. Proper oversight or
segregation of duties will lessen the likelihood of intentional or unintentional abuse or
misconduct.
Types of Transactions
The types of transactions that should be examined in a pre-audit vary according the type
of business conducting the review and the state and federal statutes to which a business is
subject. For example, the pre-audit manual of the University of Wisconsin system
suggests that pre-auditors review such transactions as travel expenses, meeting expenses,
payments for personal services, invoices, checks and taxes paid. The Nebraska
Department of Administrative Services stipulates that all transactions marked "sensitive"
or valued at greater than $1,500 must be reviewed as part of a pre-audit.
Why Pre-Audit?
Most importantly, pre-auditing gives companies a chance to catch and correct accounting
errors on their own before they are caught by an independent auditing agency, such as the
IRS. This may lessen the likelihood that an auditing agency will assume that accounting
errors are intentional and illegal instead of honest mistakes. In addition, engaging in pre-
3
auditing practices throughout the year helps companies to have a clear picture of their
financial situation at any given time.
Audit Checklist
Audit Sample
Audit Program
Internal Audit Process
Financial Audit
https://searchsecurity.techtarget.com/tip/Pre-audit-planning-Four-keys-to-a-successful-
IT-security-audit
Steven Weil
Point B
For many information security professionals, a visit from an auditor is perceived as something to
be feared or...
4
endured. However, an experienced auditor can offer many benefits, such as a neutral and honest
review of an organization's security posture, validation and support of the company's efforts, and
useful advice on how to mitigate gaps and meet requirements.
That being said, based on my many years of experience as a senior auditor and after assessing a
wide variety of organizations, I want to share some real-world, useful tips on how infosec pros
can collaborate with auditors to make an IT audit -- such as with the Health Insurance Portability
and Accountability Act or the Payment Card Industry Data Security Standard (PCI DSS) -- as
useful, painless and efficient as possible for both the auditor and the organization being audited.
Below are four tips organizations can use to ensure successful organization-auditor collaboration.
Advance preparation
Before they come on-site, most auditors will request a variety of information -- e.g., network
diagrams, system inventories, control descriptions – and infosec pros should provide as much of
this as possible. The more an auditor understands about an organization's environment before he
starts, the more efficient and timely the audit will be. If an auditor does not receive adequate
information in advance, he must learn about the organization from scratch upon arrival, which
not only makes for a longer audit, but may also lead to auditor misunderstandings or confusion.
In advance of an auditor's visit, an organization should also ask the auditor which experts (e.g.,
developers, system administrators, network administrators) he will need to meet with. The
organization must ensure its experts come to the formally scheduled meetings with equipment
(such as laptops) and passwords that enable them to access the systems the auditor needs to see.
It is important to note that auditors have a schedule and budget, and therefore appreciate not
standing around or finding out last minute that a key employee is not available.
An information security team should also learn the basics of the standard the organization will be
audited against, and be cognizant of the unique attributes of the environment that is to be
assessed. For example, if an organization is being audited against the PCI DSS, it is important to
know what the organization's cardholder data environment (CDE) is, because not only does the
CDE determine what will be assessed during a PCI audit, but it can also vary significantly from
one organization to the next. This knowledge will help infosec pros understand what systems and
processes are likely to be assessed when the auditor arrives.
Scoping
Once on-site, one of the first and most important tasks for an auditor is to determine what
systems and processes are in scope for the audit. Infosec pros can help the auditor accurately and
efficiently do this by clearly identifying and documenting how sensitive information (such as
5
credit card information or medical data) flows through the organization -- auditors love data flow
diagrams!
After the first day on-site, an organization should ask the auditor to clearly explain what he
considers to be in scope for the audit. If they disagree with the scoping or don't fully understand
it, the organization should calmly discuss the scoping with the auditor until they reach an
agreement.
Certain actions by an organization will make an auditor nervous, which will likely result in
increased scrutiny and time on-site. More specifically, it is critical to never lie or make up
information during an audit; this is a major red flag. If an auditor thinks he is being lied to or
misled, he will perceive this as a significant risk to himself and his employer, and therefore dig
deeper in order to reduce the risk. Never assume auditors aren't technical and won’t understand
your systems. Many auditors have significant "hands on" technical experience and have assessed
many different environments and technologies. It's OK to tell an auditor, "I don't have an answer
for you right now, but I will get you one as soon as possible."
Another red flag for an auditor is if an organization is not confident in knowing where sensitive
information is stored and/or how it moves throughout the organization. From an auditor's
perspective, the implementation of security controls is highly dependent on an enterprise's
understanding of where its sensitive data is. If an auditor believes a company is not fully aware
of its sensitive data, he will likely assume the measures used to protect the data are not correctly
or fully implemented, and will therefore further scrutinize the controls. Security pros can prevent
this by clearly identifying and documenting how the sensitive information subject to the audit
flows through the organization.
A final red flag to be aware of is if controls are mentioned in policies and standards but are not
consistently implemented. For example, if an organization's policy states systems must have
strong passwords and the auditor's hands-on assessment reveals many systems have weak
passwords, he may doubt the organization's capabilities, causing him to inspect the controls more
thoroughly than usual. Security pros can prevent this from happening by verifying that all
requirements in their organization's policies and standards have been implemented; if a
requirement can't be implemented, it shouldn't be in a policy or standard.
Gaps
At the beginning of an audit, I highly encourage those being audited to request that the auditor
report any significant gaps as soon as they are determined. This will minimize surprises for the
organization and allow for prompt remediation -- something all auditors like to see. And,
depending on the circumstances, an auditor may allow certain gaps to be fixed on the spot (e.g.
removing an unnecessary software program from a server or enhancing the password policy on a
server).
6
If a security manager doesn't understand why an auditor thinks there is a gap, he should ask for
an explanation; perhaps the auditor misunderstood something. A good auditor will always clearly
explain why there is a gap and the intent of a specific requirement. If there's a strong technical or
business reason why a gap can't be mitigated, the organization should ask if a compensating
control is possible.
Conclusion
The ultimate goal of an auditor is to collaborate with and improve the security of the
organizations he assesses. It's much better for an organization to have an auditor find a gap and
help fix it than to have a malicious person find it and exploit it.
By following the advice in this piece, information security professionals can significantly help
their organizations have a useful, painless and efficient information technology-focused audit --
and learn a few things in the process.
Editor's note: The views and opinions expressed in this article are those of the author and do not
necessarily reflect the opinions or practices of the author's employer.
https://cpahalltalk.com/audit-planning-analytics/
1. Inquiry
2. Observation
3. Inspection
7
4. Analytical procedures
I previously provided you with information about the first three risk assessment procedures.
Today, I provide you with the fourth, analytical procedures.
While analytical procedures should occur at the beginning and the end of an audit, this post
focuses on planning analytics.
Below I provide the quickest and best way to develop audit planning analytics.
A detective investigates a crime scene using various tools: fingerprints, forensic tests, interviews,
timelines. Auditors have their own tools: inquiry, observation, inspection, analytical procedures.
Sherlock Holmes looks for the culprit. The auditor (and I know this isn't as sexy) looks for
material misstatements.
The detective and the auditor are both looking for the same thing: evidence. And the deft use of
tools can lead to success. A key instrument (procedure) available to auditors is planning
analytics.
8
When to Create Planning Analytics
Create your preliminary analytics after gaining an understanding of the entity. Why? Context
determines reasonableness of numbers. And without context (your understanding of the
entity), changes in numbers from one year to the next may not look like a red flag--though
maybe they should.
Therefore, learn about the entity first. Are there competitive pressures? What are the company's
objectives? Are there cash flow issues? What is the normal profit margin percentage? Does the
organization have debt? Context creates meaning.
Additionally, create your comparisons of numbers prior to creating your risk assessments.
After all, the purpose of the analytical comparisons is to identify risk.
But before creating your planning analytics, you first need to know what to expect.
Developing Expectations
Knowing what to expect provides a basis for understanding the changes in numbers from
year to year.
Increases in numbers
Decrease in numbers
Stable numbers (no significant change)
In other words, you can have reasons to believe payroll (for example) will increase or decrease.
Or you might anticipate that salaries will remain similar to last year.
Do you expect sales to decrease 5% based on decreases in the last two years? If yes, then an
increase of 15% is a flashing light.
Or maybe you expect sales to remain about the same as last year? Then a 19% increase might be
an indication of financial statement fraud.
Sources of Expectations
9
Discussions with management about current year operations
Reading the company minutes
Staffing reductions
Non-financial statistics (e.g., decrease the number of widgets sold)
A major construction project
While you'll seldom know about all potential changes (and that's not the goal), information--such
as that above--will help you intuit whether change (or a lack of change) in an account balance is
a risk indicator.
First, create your planning analytics at the financial statement reporting level. Why? Well,
that's what the financial statement reader sees. So, why not use this level (if you can)? (There is
one exception in regard to revenues. See Analytics for Fraudulent Revenue Recognition below.)
The purpose of planning analytics is to ferret out unexpected change. Using more granular
information (e.g., trial balance) muddies the water. Why? There's too much information. You
might have three hundred accounts in the trial balance and only fifty at the financial statement
level. Chasing down trial-balance-level changes can be a waste of time. At least, that's the way I
look at it.
10
Second, add any key industry ratios tracked by management and those charged with
governance. Often, you include these numbers in your exit conference with the board (maybe in
a slide presentation). If those ratios are important at the end of an audit, then they're probably
important in the beginning.
Inventory turnover
Return on equity
Days cash on hand
Gross profit
Debt/Equity
Okay, so we know what analytics to create, but how should we document them?
The auditing standards suggest a more detailed form of analytics for revenues. AU-C 240.A25
offers the following:
a comparison of sales volume, as determined from recorded revenue amounts, with production
capacity. An excess of sales volume over production capacity may be indicative of recording
fictitious sales.
a trend analysis of revenues by month and sales returns by month, during and shortly after the
reporting period. This may indicate the existence of undisclosed side agreements with
customers involving the return of goods, which, if known, would preclude revenue recognition.
a trend analysis of sales by month compared with units shipped. This may identify a material
misstatement of recorded revenues.
In light of these suggested procedures, it may be prudent to create revenue analytics at a more
granular level than that shown in the financial statements.
11
4. Summarize your conclusions. Are there indicators of increased risks of material misstatement? Is
yes, say so. If no, say so.
Once you create your conclusions, place any identified risks on your summary risk assessment
work paper (where you assess risk at the transaction level--e.g., inventory).
Some auditors use filtered trial balance reports for their analytics. For instance, all accounts with
changes of greater than $30,000. There is a danger in using such thresholds.
What if you expect a change in sales of 20% (approximately $200,000) but your filters include:
If sales remain constant, then this risk of material misstatement (you expected change of 20%,
but it did not happen) fails to appear in the filtered report. The filters remove the sales account
because the change was minimal. Now, the risk may go undetected.
Developing Conclusions
I am a believer in documenting conclusions on key work papers. So, how do I develop those
conclusions? And what does a conclusion look like on a planning analytics work paper?
First, develop your conclusions. How? Scan the comparisons of prior year/current year
numbers and ratios. We use our expectations to make judgments concerning the
appropriateness of changes and of numbers that remain stable. Remember this is a judgment, so,
there's no formula for this.
No Risk Identified
Now, you'll document your conclusions. But what if there are no unexpected changes? You
expected the numbers to move in the manner they did. Then no identified risk is present. Your
conclusion will read, (for example):
Conclusion: I reviewed the changes in the accounts and noted no unexpected changes. Based on
the planning analytics, no risks of material misstatement were noted.
Risk Identified
Alternatively, you might see unexpected changes. You thought certain numbers would remain
constant, but they moved significantly. Or you expected material changes to occur, but they did
not. Again, document your conclusion. For example:
12
Conclusion: I expected payroll to remain constant since the company's workforce stayed at
approximately 425 people. Payroll expenses increased, however, by 15% (almost $3.8 million). I
am placing this risk of material misstatement on the summary risk assessment work paper at
0360 and will create audit steps to address the risk.
Now, it's time to place the identified risks (if there are any) on your summary risk assessment
form.
The final step in the audit risk assessment process is to link your identified risks to your audit
program.
Now, I tailor my audit program to address the risks. Tailoring the audit program to
respond to identified risks is known as linkage.
1. Planning analytics are created for the purpose of identifying risks of material misstatement
2. Develop your expectations before creating your planning analytics (learn about the entity's
operations and objectives; review past changes in numbers for context--assuming you've
performed the audit in prior years)
3. Create analytics at the financial statement level, if possible
4. Use key industry ratios
5. Conclude about whether risks of material misstatement are present
6. Link your identified risks of material misstatement to your audit program
13
If you have thoughts or questions about this post, please let me know below in the comments
box. Thanks for reading.
First Option
One option is to compute expected numbersng non-financial information. Then compare the
calculated numbers to the general ledger to
So, yes, it is possible to create useful risk assessment analytics–even for a first-year company.
Get my free weekly accounting and auditing digest with the latest content.
https://internalaudit.ku.edu/project-process
Selection Phase
Internal Audit conducts a University-wide risk assessment near the end of each calendar
year. We develop the audit plan for the subsequent year based on the results of this
assessment and the department’s available resources. The Chancellor and the Fiscal
Affairs and Audit Committee of the Kansas Board of Regents review the audit plan
before it is executed.
Planning Phase
During the planning phase of each project, the Internal Audit staff gather relevant
background information and initiate contact with the client. Auditors meet with
14
University leadership and clients to identify risks and determine the objectives and scope
of the audit as well as the timing of fieldwork and the report distribution.
Execution Phase
Once the audit is planned, fieldwork is executed by the Internal Audit staff. Clients are
kept informed of the audit process through regular status meetings. We discuss audit
observations, potential findings, and recommendations with the client as they are
identified.
Reporting Phase
Follow-Up
Internal Audit follows up on all audit findings within one year of when the report was
issued.
https://smallbusiness.chron.com/sixstep-audit-process-17816.html
Related Articles
15
external audit may be conducted by a regulatory agency or governmental agency. There are
six specific steps in the audit process that should be followed to ensure a successful audit.
Drafting a Report
The auditor prepares a report detailing the findings of the audit. Included in the report are
mathematical errors, posting problems, payments authorized but not paid and other
discrepancies; other audit concerns are also listed. The auditor then writes up a commentary
describing the findings of the audit and recommended solutions to any problems.
16
problem and a projected completion date. At the closing meeting, all parties involved discuss
the report and management responses. If there are any remaining issues, they're resolved at
this point.
References (3)
Sharon Penn is a writer based in South Florida. A professional writer since 1981, she has
created numerous materials for a Princeton advertising agency. Her articles have appeared in
"Golf Journal" and on industry blogs. Penn has traveled extensively, is an avid golfer and is
eager to share her interests with her readers. She holds a Master of Science in Education.
https://bizfluent.com/how-does-5296119-steps-audit-process.html
Notification
Audits begin with the issuance of some kind of notification to the company or
organization being audited. The notification letter generally will specify the purpose of
the audit, when it will be conducted and the date and time of an initial meeting the
auditors would like to schedule with the company’s leaders.
17
The notification will also list what documents the auditor wants to examine. For a
corporation, this can include articles of incorporation, the recorded minutes of any board
meetings, an organizational chart, correspondence, sales records and more.
Planning Process
After the notification is sent, the auditor will take some time to plan the audit. This is
done before meeting with the organizational leadership in order to craft the appropriate
strategy for that meeting and the fieldwork that follows. Auditors also need to identify the
key areas of inquiry and concern and the specific information they wish to examine in
order to analyze those areas. This also gives the company time to gather the requested
documents.
Initial Meeting
The planning stage usually leads to an initial meeting between the senior management of
the company and the auditors. Administrative staff may also be present. The purpose of
the meeting is to give the auditors an opportunity to explain the process, as well as to give
the organization a chance to express any practical, strategic or scheduling concerns they
may have.
Fieldwork
Fieldwork is the first active auditing stage. A more detailed schedule is usually drawn up
so that the auditor’s presence isn’t too disruptive to business. Interviews with key
employees may take place to investigate business procedures and practices. Auditors may
also perform sample document checks, to make sure the company’s document creation
and retention practices are sound.
The fieldwork may be conducted by a few auditors or a larger team, depending on the
size and scope of the audit.
Communication
While the fieldwork is carried out by the auditing team on-site at the company’s
premises, the team should be in regular contact with the corporate auditor in order to
clarify procedures and ensure proper access to needed documents.
18
Draft Audit
When the auditing team completes the fieldwork and document review, the auditors
prepare a draft audit report. This document details the purpose of the audit, the
procedures the auditors used, the documents reviewed and the audit’s findings. It will
also likely include a preliminary list of unresolved issues. The draft report is circulated
among the team for review and suggested revisions.
Management Response
After the auditing team makes the last revisions to the audit report, the final document is
given to management for its review and response. The audit document usually asks
management to respond to each of the audit’s findings and conclusions by stating
whether it agrees or disagrees with the problems cited, the plan to correct any observed
problems or deficiencies and the expected date by which all issues will have been
addressed.
Exit Meeting
Following the management response, which may be formally attached to the final audit
report, a formal exit meeting may be scheduled with the company being audited to close
any existing loose ends or answer questions, discuss the management response and
address the scope of the audit.
The finalized audit report is distributed to all necessary stakeholders, including inside and
outside the area audited, if applicable.
Feedback
Finally, the audited company implements the changes recommended in the audit report,
then the auditors review and test how well those changes solve the identified problems or
issues. The feedback between the company and the auditors continues until all issues are
resolved and the next audit cycle begins.
References
19
About the Author
Annie Sisk is a freelance writer who lives in upstate New York. She holds a B.A. in
Speech from Catawba College and a J.D. from USC. She has written extensively for
publications and websites in the business, management and legal fields.
https://www.bm-sms.co.jp/eng/ir/corporate-governance/audit/
Auditing Structure
The Internal Audit Department (four persons), which is under the direct supervision of
the CEO, implements internal audits of the operations of all departments based on the
rules and regulations of internal audits and the Internal Audit Plan determined each term.
The results of these audits are reported to directors and Audit & Supervisory Committee
members. The CEO issues instructions for improvement to each relevant department
based on audit results, and the efficacy of internal audits is secured by requiring written
reports on the status of improvements.
The Audit & Supervisory Committee comprises three outside directors. The Company
appoints Audit & Supervisory Committee members who have a deep understanding and
knowledge of the business environment and who are experts in various fields, including
legal and accounting/tax experts. These members also do not present any conflict of
interest with general shareholders. Based on the Audit Policy and Audit Plan determined
by the Audit & Supervisory Committee, Audit & Supervisory Committee members
conduct audits of the business execution of directors by investigating matters such as the
status of operations and financial assets. Also, Audit & Supervisory Committee members
attend other important meetings, including meetings of the Executive Committee, sharing
opinions and inspecting important documents circulated for approval and other related
materials. In these ways, Audit & Supervisory Committee members carry out their audits.
As a general rule, the Audit & Supervisory Committee Meeting is held once a month.
Through mutual contact and cooperation performed in an appropriate manner, the Audit
& Supervisory Committee conducts audits on the various risks that are difficult to
visualize within organizational management in a manner that is independent from
business execution.
20
Accounting Audits
As for accounting audits, the Company has concluded an audit contract with Ernst &
Young ShinNihon LLC. Ten certified public accountants assist with accounting audit
work, in addition to twenty-nine other members.
Mutual Cooperation between the Audits by Audit & Supervisory Committee, Internal
Audit Department, and Accounting Auditors as well as the Relationship of Audits with
the Internal Control Department
The Audit & Supervisory Committee cooperates with the Internal Audit Department to
conduct audits. The Audit & Supervisory Committee also receives quarterly reports from
the accounting auditors on the results of accounting audits. Moreover, the Committee
holds meetings with the accounting auditors on a timely basis to exchange opinions and
information, thereby working to realize mutual cooperation. In addition to assisting in the
duties of the Audit & Supervisory Committee, the Internal Audit Department holds
monthly meetings with the Audit & Supervisory Committee, where reports are made on
the results and progress of audits, including the Audit Plan, and opinions and information
are exchanged. The Internal Audit Department also reports on the operational status of
the Company’s internal reporting system. In these ways, the department aims to achieve
mutual cooperation with the Audit & Supervisory Committee. Moreover, the department
exchanges opinions and information related to internal controls and governance based on
the Financial Instruments and Exchange Act with accounting auditors. In doing so, the
department facilitates close cooperation in order to improve the efficacy and efficiency of
audits. Also, the Internal Control Department evaluates issues raised by these various
types of audits and makes efforts to implement the necessary response.
21