| | | |
Why Classification?
Classification is making audit findings commensurate with each other,
which is a prerequisite for a useful analysis.
Classified findings, after being analysed properly, can help to identify
clusters, trends, common features, etc.
Effective ways to analyse classified data are among others statistics and pivot tables.
|
|
Importance of a Finding
In audits it is common to classify findings in terms of their seriousness.
This is an excellent way to put the findings in proper perspective.
An auditor can use e.g. the following scale.
|
| 1 |
Very important, i.e. important and urgent. The finding describes something
the likehood and consquenses of which cannot be accpeted. Corrective action is needed without delay
(e.g. within 14 days).
|
| 2 |
Important: The finding describes something the likelihood or
the consequences of which cannot be accepted.
Corrective action should take place within a reasonable time frame,
(e.g. 90 days).
|
| 3 |
Worth noticing: it is at the accountable person's discretion,
whether to take corrective action.
This can be the case when there is a possibility to improvement,
but existing state of affairs can be tolerated (e.g. within 360 days).
|
|
The ECAR Model Objectives and Elements
Any audit finding can be associated with one or more of the general objectives of internal control:
|
| 1 |
Objectives and opportunities: doing right things (effectiveness)
and doing them efficiently.
|
| 2 |
Compliance: doing things respecting laws, regulations and other rules of the society
and the rules of the organization [1].
|
| 3 |
Right information: collecting, organizing and saving information that decision makers
need about the organization and its performance, including factors affecting the latter.
|
|
|
There is one or more reasons for any negative state of affairs reported as an audit finding.
The reasons can be associated [by their nature] with the [ECAR] internal control elements:
|
| E |
Control environment: behavioural circumstances within an organization.
|
| C |
Controls: procedures or conditions designed to keep performance or a state of affairs
within what is expected, allowed or accepted.
|
| A |
Accounting systems: systems that provide information about "what is"
or " "what happened" compared to what "what should be" or "what should have happened".
|
| R |
Determination of risks: identification, analysis, and evaluation of risks
in Control Environment, Controls, and Accounting Systems.
|
|
Other Classification Variables
In addition, findings can be classified using many other variables,
including but not limited to the following:
|
| - |
where the finding was made (e.g. department, cycle [2])
|
| - |
in what audit was it made (audit identification code)
|
| - |
by whom it was made (Internal auditor or External auditor, including Initials of an auditor)
|
| - |
when was it made (month and year of audit report)
|
| - |
what is state of progress in corrective action
(no corrective measures ... corrective action completed)
|
| - |
what is the risk exposure associated with the finding
according to the auditor or audit committee (not acceptable ... accptable).
|
|
[1] Economy, not spending more than necessary can be regarded either
as a violation against objectives or as a violation against rules, or as both, depending on circumstances.
[2] Examples of cycles: Sales and cash collection; Acquisitions and payments; Inventory and warehousing;
Personnel and payroll.
|