Risk Assessment

M. Douglas Campbell

 

 

Definitions:

Purpose of audit - to discover, and make recommendations to correct, management practice which constitutes business risk.  The term “risk assessment” is sometimes used to convey a comprehensive view of the audit function.

 

Practice - the formal, written procedures that establish the rules for operation of the business entity/unit.  Practice may include rules and procedures defined by agencies or groups that are external to the organization such as governmental regulations as well as the more diffuse pressure from the local community.

 

Business Entity - usually a given business location: e.g., a manufacturing plant, a warehouse operation, or an import/export operation.  Generally it is defined by the fact that it is a commercial operation under a particular group of management.

 

 

Scenario:

 

An audit group is responsible for periodically auditing a number of business entities.  There are three distinct tasks involved: calendar scheduling of the various audits, performance of each audit, and evaluation.

 

1. Scheduling

The individual audits are generally on a rotating schedule; however, certain abnormal events may trigger the need to prioritize the audit of some entities on the list.  Typical triggers may include: a newly formed or acquired entity, illegal activity, or a sudden business upset.

 

Deficiencies:  scheduling is a tedious, subjective task. True priorities are often overlooked.  Due to unrecognized risks, emergency audits are often scheduled at the last minute.

 

2. Performance of Audit

The audit procedure may be defined as separate inspection activities in several domains of business management. The identification of domains is a function of the audit group, that is, of how it has decided to define the subdivisions of management activity within business entities.  Examples of domains are: logistics, computer systems, cash flow accounting, cost accounting, asset tracking, etc.  A given audit group will always use the same domain definitions for each audit performed.  The audit of a business entity is performed by the audit team doing a detailed evaluation of practice/procedure in each domain.

 

Deficiencies: the great majority of audits result in finding no problems.  In other words, most audits are a waste of time and money.  Also there is a general inability to recognize the specific domains that are most likely to yield useful information about the true status of the organization.  The result is somewhat like doing a full body MRI for a patient who has a headache.

  

3. Audit Evaluation Process

 Each domain is characterized by a set of duties (or objectives) that are performed to run the business.  The audit evaluation is a comparison of actual practice to accepted practice.  Practice consists of work rules, organization, and performance controls.

 

Deficiencies: examining practice is only part of the needed assessment.  It assumes that if the business entity follows the procedural rules, nothing bad will happen. Thus, risk assessment is defined as (simply) the possibility that non-compliance will have undesirable business effects.
