Audit findings evaluation is an important step in each and every audit report irrespective of the related industry or organization. Both Audit Committee, management and other stakeholders wish to receive accurate, timely, constructive and relevant information regarding audit findings. However, relevant research (Koutoupis, 2009) demonstrates that there are many complaints by both management and audit committee members as to the volume and the size of audit reports delivered to them by internal audit departments. Currently, the vast majority of the Internal Audit departments evaluate audit findings using a simple scale of High, Medium, Low Risk (importance) scale based on the prior experience of Internal Auditors. Even, big Audit forms (e.g. PwC) has adopted this approach in order to keep the things simple (PwC Internal Audit Services Manual, 2007).
In this article we will try to develop a comprehensive methodology for evaluating audit findings as a mean to improve the quality of information sent to Audit committee members, management and other stakeholders (i.e. regulators). The relevant methodology is based on the practical experience of the authors as they were responsible for applying it in one of the largest Greek banks.
Based on the Internal Audit methodology (Standards, 2004), audit reports are considered as the main output (deliverable) of the audit work. Audit reports consist of several audit findings that are mainly derived either from the absence or inadequacy of controls or from no application or inadequate application of procedures and relevant controls. The relevant methodology takes into account several quantitative and qualitative parameters which will be analyzed in detail: Quantitative evaluation is used when immediate estimation of the financial impact is feasible. Moreover, qualitative evaluation can be used if we take into account several parameters such as the priority of the audit steps that consists a working program (audit program). On the other hand, Frequency of Occurrence of a specific control weakness when examining a certain sample size, or the likelihood of the related impact to the exception (when it is not possible to determine the frequency of occurrence) can be used.
Likelihood is normally used for exceptions that are raised during the review of the adequacy of controls thus when we perform walkthrough tests rather than extensive sample (i.e. when there is an absence / inadequacy of a procedure or a control).
For determining either the impact and / or the frequency of occurrence or likelihood of an exception, specific tables are used containing relevant numerical categories for ensuring the effective application of the evaluation methodology of audit findings.
After concluding with the separate evaluation of the impact and / or the frequency of occurrence or likelihood of an audit finding, we may proceed with the overall audit finding evaluation, which is based on the combination of the above two (2) parameters.
Finally, we refer to a relevant table, where “Impact” evaluation lays vertically while “Frequency of Occurrence or Likelihood” lays horizontally.
The methodology introduces a six (6) grade scale for the findings evaluation (a range from 1 to 6), with number six (6) being of major importance and number one (1) being of minimum importance.