2010 internal auditor exam guidance on internal audit (6)
The definition of internal audit covers two kinds of service: assurance services and consulting services.

Assurance services are engagements in which internal auditors objectively evaluate evidence and give an independent opinion or conclusion on a process, system or other subject matter. The nature and scope of an assurance engagement are determined by the internal auditor. Assurance services mainly include fraud investigation, risk and control self-assessment, third-party audit and contract audit, quality audit, due diligence audit, security audit, privacy audit, performance audit, operational audit, financial audit, information technology (IT) audit and compliance audit.

Consulting services cover several activities. Internal control training, business process review, benchmarking, information technology and system development work, and the design of performance measurement systems all belong to consulting services.

Risk and control self-assessment is examined in subjects one, two and three, and also appears in part five ("audit engagement tools") of subject two, so candidates should pay close attention to it. Control self-assessment is a self-evaluation of internal control by the organization itself. It differs from traditional audit work because it requires the involvement of front-line employees, executives and management, so everyone in the organization can take part in the evaluation. To some extent, control self-assessment transfers part of the internal auditor's responsibilities to others. Risk and control self-assessment can often identify risks, adverse factors and the impact of potential crises, because it evaluates the control procedures that reduce or manage those risks; it produces an action plan for bringing risk down to an acceptable level; and involving employees in the self-assessment strengthens their identification with their own work, raises their sense of satisfaction, and motivates them to do their jobs better.

A very important part of implementing control self-assessment is training. Through training, weak links in a department's internal control become easier to find; at the same time, internal auditors gain more information about the control process, so they can focus on the business units with significant control weaknesses or high residual risk, design additional procedures, perform more tests and gather more evidence on those weaknesses, which improves the overall effect of the audit.

Note that the outcome of control self-assessment depends on the method used, the degree to which the organization's culture empowers staff, and the way strategy and policy are set. The success of a control self-assessment programme in one organization therefore does not mean the same programme will succeed in another.

There are three commonly used methods of risk and control self-assessment: facilitated team workshops, surveys, and management-produced analysis.

The facilitated workshop method collects information from a group representing different levels of a business unit or functional department. The workshop focuses on objectives, risks, controls and processes. To keep information flowing freely during the discussion, everyone must be able to express their views openly; anonymous voting can be used to resolve differences between viewpoints and interest groups. After the assessment, a report is prepared recording the consensus reached by the group, and group members are entitled to review the final report before it is issued.

Workshops take four forms, depending on their purpose. (1) Objective-based workshops focus on how operational objectives can be achieved: they start by identifying the existing controls that support the objectives, then determine the residual risk. (2) Risk-based workshops focus on listing the risks that threaten achievement of the objectives; they emphasize listing every such risk first, then examine the control process to determine whether it is sufficient to manage the key risks. (3) Control-based workshops mainly evaluate the methods used to control risk and promote achievement of objectives, with the aim of analysing the gap between how the controls actually operate and what management expects of them. (4) Process-based workshops focus on selected activities that make up one process chain from beginning to end.

The survey method collects information about risks and controls from process participants through carefully prepared questionnaires. Questions should be kept as simple as possible, ideally yes/no questions. Internal auditors can also use questionnaires within the facilitated workshop method to identify risks and controls.

Management-produced analysis covers a range of other methods that management teams use to obtain information about business processes, risk management activities and control procedures.

Risk and control self-assessment can be used to examine the risks in business activities and financial conditions, to evaluate control activities, ethical values and control effectiveness, and to examine and understand how control activities and policies are actually carried out. It can be performed on its own or alongside other engagements. However, some engagements, such as fraud investigations and engagements with complex or unclear objectives, are not suited to this method.

A third-party audit is an audit of an independent third party that provides services or products to the organization and has a business relationship with it. Third-party audits are particularly necessary when important controls affecting the organization's transactions exist outside the organization. Auditing a provider of outsourced services, or a trading partner in an electronic data interchange (EDI) system, are typical third-party audits.

Third-party audits are mainly of two kinds: the first is the contract audit. The second is an audit that evaluates the organization's own compliance with an industry-recognized standard. Such audits are carried out by registered auditors whose main task is to confirm that the organization meets the relevant standard, such as ISO 9000 or ISO 14000.

Contract audits usually target important construction and commercial contracts (for example, contracts for the manufacture of special machinery and equipment, or for software development), with the purpose of monitoring and evaluating the contract.

A quality audit focuses mainly on the quality of management: the auditor measures the organization's current business activities against a set of standards or controls. Where necessary, the auditor also evaluates the quality of the organization's controls, tracks whether they are updated as organizational activities, industry rules and technology change, and presses for continual improvement and strengthening. An effective quality system consists of inspection, testing, and corresponding corrective measures and methods.

Quality audit involves the concept of total quality management (TQM). TQM is a comprehensive approach to improving overall quality across an organization, from suppliers to customers, and is a continuous monitoring process. The concept stresses that commitment from top management is the key factor in the success of TQM. In an organization that implements TQM, internal auditors should evaluate the entire quality management process, especially in assessing risks and promoting continual improvement of the control system. The TQM concept also applies to the internal audit activity itself as a way of improving the quality of its own work.

A due diligence audit is a limited, specialized audit of a third party in which the organization has an interest, used mainly to support financial transaction decisions involving joint ventures, mergers and alliances. Besides financial transactions, bank account openings and securities trading, due diligence audits are often carried out for real estate and engineering construction projects. Due diligence generally requires a team, usually composed of internal auditors, lawyers and external auditors, each of whom takes responsibility for the review work in their own professional field.

The due diligence audit report should concentrate on matters of fact, maintain an objective and impartial position, and include a conclusive summary of the key issues. The report should be structured according to the stages of the business process concerned, and all documents and working papers supporting the opinions and conclusions in the report should be numbered simply for ease of reference.

Security audit. The purpose of a security audit is to evaluate the effectiveness of current security controls and to check for abuse and misuse of system programs. Security controls fall into three groups: physical access and environmental controls, logical access controls, and backup controls. Physical access and environmental controls ensure that organizational resources and information cannot be reached without authorization; examples are electronic door locks, metal-key locks, biometric locks, alarm systems, video surveillance, security guards, ID badges, fire alarm systems (manual alarms, smoke detectors), fire suppression systems (extinguishers, water supply), fire-resistant office materials, water leak detectors, and regular inspection routines. Logical access controls protect information system resources, application software and data against unauthorized change, typically through passwords and related mechanisms: login passwords and user IDs, retina scans, fingerprint recognition, recording of online activity, and assignment of data viewing rights. Backup controls mean backing up data files regularly and keeping the backup in a location separate from the original files; computer data backups, for example, should be labelled and stored separately from the originals.
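The logical access controls listed above, in particular recorded online activity and assigned data viewing rights, are what an auditor actually tests when checking for abuse and misuse. The script below is an added example and is not part of the training text: it reconciles a constructed activity log against a constructed authorization matrix and reports every recorded action that the matrix does not grant. The log format, the user names, the dataset names and the authorization matrix are all assumptions made for the example.

```python
"""Logical-access audit test: reconcile recorded activity against granted rights.

Added illustration (not from the training text). The authorization matrix,
the log format and the log lines are constructed for this example.
"""
import re
from collections import namedtuple

# Constructed authorization matrix: user -> {dataset: set of allowed actions}
AUTHZ = {
    "alice": {"payroll": {"read"}, "ledger": {"read", "write"}},
    "bob": {"ledger": {"read"}},
    "audit": {"payroll": {"read"}, "ledger": {"read"}},
}

# Constructed activity log, one event per line: timestamp user action dataset
SAMPLE_LOG = """\
2024-03-01T08:01:10Z alice read payroll
2024-03-01T08:02:45Z bob read ledger
2024-03-01T08:05:02Z bob write ledger
2024-03-01T08:07:30Z carol read payroll
2024-03-01T08:09:11Z alice read payroll
2024-03-01T08:10:00Z audit read ledger
2024-03-01T08:11:00Z alice write payroll
"""

# Assumed log layout; a real system's log would need its own pattern.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>read|write|delete) (?P<dataset>\S+)$"
)

Finding = namedtuple("Finding", "ts user action dataset reason")


def parse_log(text):
    """Parse log lines into dicts; an unparseable line is itself an audit issue."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"line {lineno}: unparseable log entry: {line!r}")
        events.append(m.groupdict())
    return events


def audit_access(events, authz):
    """Return one Finding for every event the authorization matrix does not grant."""
    findings = []
    for e in events:
        rights = authz.get(e["user"])
        if rights is None:
            reason = "user has no entry in the authorization matrix"
        elif e["dataset"] not in rights:
            reason = "dataset not granted to user"
        elif e["action"] not in rights[e["dataset"]]:
            reason = f"action '{e['action']}' not granted on dataset"
        else:
            continue  # activity matches granted rights
        findings.append(Finding(e["ts"], e["user"], e["action"], e["dataset"], reason))
    return findings


def summarize(findings):
    """Count exceptions per user, the figure an audit working paper would carry."""
    by_user = {}
    for f in findings:
        by_user[f.user] = by_user.get(f.user, 0) + 1
    return by_user


if __name__ == "__main__":
    exceptions = audit_access(parse_log(SAMPLE_LOG), AUTHZ)
    for f in exceptions:
        print(f"{f.ts} {f.user} {f.action} {f.dataset}: {f.reason}")
    print("exceptions per user:", summarize(exceptions))
```

Run against the constructed log, the script flags three events: bob writing to the ledger when he only holds read rights, carol reading payroll without any entry in the matrix, and alice writing to payroll where she only holds read rights. The design point for the auditor is that the log and the authorization matrix must come from independent sources (the system's own activity record and management's approved access list), otherwise the reconciliation only proves the system agrees with itself.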

Management is primarily responsible for designing and implementing these security controls. The internal auditor's role is to understand the measures, evaluate how effective they are, continuously monitor their implementation, and put forward recommendations for improving individual controls or the security system as a whole.

Privacy audit. The main purpose of a privacy audit is to evaluate the privacy and confidentiality arrangements the organization has put in place and to identify the significant risks. To strike a balance between protecting personal privacy and making reasonable use of information, the organization must not only prevent unauthorized use of information but also guard against the serious consequences of authorized users abusing it, while keeping the cost-effectiveness of confidentiality measures in view. In addition, internal auditors must hold themselves to the same standard: they must not use information obtained in the course of their duties for personal gain, and they should promptly inform the chief audit executive whenever confidentiality measures are expected to affect their independence.

A performance audit is a set of audit activities that internal auditors carry out around the economy, efficiency and effectiveness of business processes. The main questions are: does the organization follow the principle of cost-effectiveness in acquiring and using resources, and if there is inefficiency, what are the causes? Does it comply with the laws and regulations on economy and efficiency in the course of its operations? In auditing the organization's outputs, the evaluation mainly covers: (1) the degree to which planned objectives have been achieved; (2) whether the activities the organization undertakes to reach its output targets are effective; and (3) whether the audited department complies with the laws and regulations relating to its functions. This is usually done using key performance indicators (KPIs); the internal auditor's task is to evaluate whether the indicators are appropriate and whether they are used properly.

An operational audit mainly examines whether business processes are economical and efficient, whether the processes by which the organization's functional departments pursue their objectives are effective, whether they help the organization achieve its overall objectives, and whether departmental objectives are consistent with organizational objectives.

A financial audit is an audit of an organization's financial position. Abroad, financial audits are usually performed by external auditors, but they also fall within the scope of internal audit. The external auditor's financial audit examines whether the information in the financial statements conforms to accounting standards and fairly presents the organization's true financial position and operating results. Internal auditors focus on the supervision of procedures: they check for defects and loopholes in finance-related procedures and systems, control the key points, and continually recommend improvements so that the procedures supporting preparation of the financial statements remain effective.

Compliance audit. In a compliance audit, the auditor checks whether the organization has complied with laws and regulations, contractual agreements, and the relevant provisions of the policies and procedures established by its management.

The organization should establish compliance standards and a compliance system. These should include written provisions that clearly state which activities are prohibited, together with checklists, questions and answers, participation instructions and similar material, and should provide a diagram of the organizational process that clarifies each person's responsibility in operating the compliance system.

A compliance audit covers: whether the written rules are in force, whether employees know their content, whether violations that are discovered are properly dealt with, whether penalties are fair, whether whistleblowers have suffered retaliation, and whether the legal department has fulfilled its duties. Finally, the auditor should identify what needs to be improved after the audit and work to win employees' support for it.

The organization should set up a "hotline" that connects callers with board representatives outside the legal department and lets them obtain policy support without fear of retaliation. A hotline run this way can play its role fully and effectively, so that suspicious matters come to light as early as possible. A code of conduct questionnaire can also be used for the same purpose.

Environmental audit. Management should put environmental issues on the agenda, promote auditing of the environmental management system and ensure it operates effectively; carry out pollution prevention audits to minimize the pollution and waste generated by operations; pay attention to the disposal, storage and treatment of hazardous assets; quantify and report liabilities that have increased because of environmental problems; and evaluate whether the production process meets safety regulations.

The chief audit executive should establish contact with the environmental auditors and regularly plan and carry out environmental, health and safety audits. He should also ensure that important information about environmental risks reaches the audit committee or other board members without obstruction. To that end, he should evaluate whether environmental auditors from outside the organization have complied with auditing standards or a recognized code of ethics, and assess the status and independence of the environmental audit function within the organization.