Our philosophy for internal audit co-sourcing is quite simple: we seek to serve and protect our clients. To achieve this objective, we assist management to define a risk-based approach. From there, we help design an audit plan that makes sense for your individual and unique environment.
Depending on your needs, we can follow our own standards for internal audit protocol and reporting, or we can adopt your current standard and work papers. Either way, our approach is customized to your needs.
Our comprehensive methodology utilizes a risk-based approach and includes integrated audit deployment and customized solutions. Our focus is to comprehensively address your financial, operational, and compliance audit needs. We integrate these engagements with IT audits of the underlying information technology infrastructures that support key business processes.
Our work utilizes standards and frameworks such as COSO and CobIT, and ranges from performing risk assessments and creating audit programs to performing industry- or process-specific audits, developing internal control documentation, and detailed control testing. Our financial, operational, and compliance audits have recently included fraud reviews, regulatory compliance audits, and SOX/JSOX and MAR work. Recent IT audits include IT general control reviews, application control audits, and security-focused audits such as firewall reviews.
Regardless of whether the audit is focused on financial, operational, compliance, or IT, we develop work programs utilizing the strength of our experience in internal audit and customize these programs based upon your specific needs. Our audit methodology includes the following elements:
- Narratives and Flowcharts are reviewed to identify and define the processes to be audited. If unavailable, our team will produce a high-level narrative as we prepare for audit testing. Flowcharts may also be used to identify controls within the process.
- Examination of the Process is performed to gain knowledge of transaction flows within each process and sub-process. This is generally achieved through interviews with those involved in the operation. Walk-throughs are performed to validate that what is documented in our narratives reflects the process that actually exists. This is achieved by a combination of observation and selecting a sample of transactions to trace through the controls.
- Assessing Internal Controls to form an opinion on the adequacy and effectiveness of the controls. This is accomplished by collecting evidence and testing to a level that is sufficient, appropriate, and material for reasonable assurance.
- Perform Testing which may include inquiry, observation, inspection, and re-performance. Each of these major classifications of tests differs in the extent of the testing performed and the reliance that can be placed upon the test.
- Compliance Testing is designed to obtain reasonable assurance that internal controls are effective. Compliance procedure tests are conducted by looking for exceptions in the control process rather than financial errors.
- Substantive Testing is used to obtain evidence of completeness, accuracy, and validity of data. These tests focus on output and financial errors rather than the procedures. Substantive testing may be diminished if compliance testing provides reasonable assurance the control processes are functioning adequately.
- Developing Recommendations to help improve the system of controls, improve the process, or assist in the reduction of risks. There are three main components for a recommendation:
  - Observation – Identification of a control deficiency or area for improvement.
  - Risk – The impact and likelihood of the control deficiency identified or the area to improve.
  - Recommendation – A realistic, cost-effective, and efficient solution that demonstrates understanding of the organization’s current environment and provides a reasonable means to mitigate the identified issue.
The role computers play in the business environment is constantly evolving. Initially, computers were only performing component parts of a job, such as tallying a ledger or counting checks. Their role was to help the individual perform repetitive functions within their job responsibilities more effectively. However, we now see these roles reversed and people today have become the operators for these computers, assisting them in performing required tasks.
The professionals from Clark Schaefer Consulting can help organizations focus on the technology risks that are inherent in today’s highly complex computing environments. Since most companies operate with significant reliance on information technology systems and processes, threats to that technology and the business processes it supports are increased. Our IT audit methodology is focused on a risk-based approach that is designed to help businesses develop and establish control structures that substantially reduce the risk that they will suffer technology-related incidents.
In a real sense, computers have become a “black box,” as they have been described. Most people assume that their computer is more correct if there is ever a discrepancy between man and computer. How many of us have created an Excel spreadsheet and presented it, only to find that there was a math error? Our rising reliance upon computers and their increasing automation of a company’s core business processes have added risks to an organization. With a shifting of significance from manual to automated controls and cybersecurity concerns, IT auditing has become much more critical for truly assessing the control environment of a company.
IT auditing seeks to ensure that automated controls are designed appropriately to mitigate IT risks and that they are operating effectively. General Computer Controls are the security and safeguards over the environment, operations and maintenance of hardware, systems software, applications, topology and IT governance areas of an organization. The following is a high-level list of these general computer controls:
- IT Management, Governance, and Risk Assessment
- Logical and Administrative Access
- Network Architecture and Administration
- Telecommunications and Remote Access
- System Configuration and Security
- Business Continuity and Disaster Recovery
- Service Provider Oversight
- Systems Acquisition, Development, and Maintenance
- IT Operations and Monitoring
- Physical Security and Environmental Controls
Additionally, IT auditing helps an organization assess its Application Computer Controls, which are safeguards contained within an application’s coding. These controls are designed to ensure information within a system is restricted only to those who require such data to perform their job responsibilities and that such access is appropriate. Generally, application controls are divided into three main categories:
- Input controls are safeguards over the initial entry of data into a system.
- Processing controls reside within application logic and ensure data processing integrity.
- Output controls are concerned with information as it exits the applications.