Audit Walkthrough Procedure for Design Efficiency
Definition
An audit walkthrough for design efficiency is a procedure used by auditors to determine whether a control, process, system, policy, or framework is properly designed to achieve its intended objective before testing whether it actually operates effectively.
The focus is on answering:
"If this control were performed exactly as designed, would it reasonably prevent, detect, or correct the identified risk?"
Objectives of the Walkthrough
The auditor seeks to:
- Understand the end-to-end process.
- Identify key risks.
- Identify key controls.
- Evaluate whether controls adequately address risks.
- Verify roles and responsibilities.
- Confirm documentation and evidence requirements.
- Detect design gaps before operational testing.
Step-by-Step Audit Walkthrough Procedure
1. Define Audit Scope and Objectives
Identify:
- Process to be reviewed
- Business objective
- Risks to be mitigated
- Applicable policies and regulations
| Item | Description |
|---|---|
| Process | Procurement |
| Objective | Authorized purchases only |
| Risk | Unauthorized spending |
| Key Control | Purchase approval workflow |
2. Obtain Process Documentation
Gather:
- SOPs
- Policies
- Flowcharts
- Process maps
- Work instructions
- System configurations
- Organizational charts
Review whether documentation exists and is current.
3. Select a Representative Transaction
Choose one transaction and follow it from beginning to end.
Examples:
- One purchase order
- One employee hiring
- One customer onboarding
- One inventory movement
The selected transaction becomes the basis for the walkthrough.
4. Conduct Interviews with Process Owners
Meet personnel involved in the process.
Typical questions:
- What do you do?
- Why do you do it?
- What documents are created?
- What approvals are required?
- What systems are used?
- What exceptions occur?
Compare actual practices against documented procedures.
5. Observe Process Execution
Observe the process being performed.
Examples:
- Approval process
- Data entry
- Reconciliation
- Physical inventory count
Observation helps validate whether the documented design is realistic and practical.
6. Trace the Transaction End-to-End
Follow the selected transaction through every stage.
Request → Approval → Purchase Order → Goods Receipt → Payment
Verify:
- Inputs
- Outputs
- Approval points
- Segregation of duties
- Supporting evidence
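The step 6 checks applied to one traced transaction, as an added example that is not part of the original article. The stage names come from the flow above; the incompatible-duty pairs, the `Step` record, the `trace_findings` function and both sample traces are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Stage order from the page's flow: Request -> ... -> Payment.
STAGES = ["Request", "Approval", "Purchase Order", "Goods Receipt", "Payment"]

# Assumed incompatible duty pairs (not from the page): no single person
# should initiate, approve and execute the same transaction.
INCOMPATIBLE = [("Request", "Approval"), ("Request", "Payment"),
                ("Approval", "Payment"), ("Purchase Order", "Goods Receipt")]


@dataclass
class Step:
    stage: str     # one of STAGES
    actor: str     # who performed the step
    evidence: str  # reference to the retained document, "" if none


def trace_findings(steps):
    """Return design findings for one transaction traced end-to-end."""
    findings = []
    seen = [s.stage for s in steps if s.stage in STAGES]
    # Approval points: every designed stage must appear in the trace.
    findings += [f"missing stage: {st}" for st in STAGES if st not in seen]
    # Inputs/outputs: stages must occur in the designed order.
    if seen != sorted(seen, key=STAGES.index):
        findings.append("stages out of order")
    # Supporting evidence: each step must leave a retained record.
    findings += [f"no evidence retained: {s.stage}" for s in steps
                 if not s.evidence.strip()]
    # Segregation of duties: same actor on an incompatible pair of stages.
    actors = defaultdict(set)
    for s in steps:
        actors[s.stage].add(s.actor)
    for a, b in INCOMPATIBLE:
        for person in sorted(actors[a] & actors[b]):
            findings.append(f"SoD conflict: {person} performed {a} and {b}")
    return findings


# Constructed sample traces (not real data).
ROUTINE = [Step("Request", "alice", "REQ-1001"), Step("Approval", "bob", "APR-1001"),
           Step("Purchase Order", "carol", "PO-1001"),
           Step("Goods Receipt", "dave", "GRN-1001"), Step("Payment", "erin", "PAY-1001")]
EMERGENCY = [Step("Request", "alice", "REQ-1002"), Step("Purchase Order", "alice", "PO-1002"),
             Step("Payment", "alice", ""), Step("Goods Receipt", "dave", "GRN-1002")]

if __name__ == "__main__":
    for name, trace in (("routine", ROUTINE), ("emergency", EMERGENCY)):
        print(name, trace_findings(trace) or "no design findings")
```

The constructed emergency trace skips approval, pays before goods receipt, retains no payment record and lets one person both request and pay, so it yields four findings while the routine trace yields none.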
7. Identify Key Risks
For each process step, ask:
What could go wrong?
| Process Step | Risk |
|---|---|
| Request | Unauthorized request |
| Approval | Improper approval |
| Receiving | Missing goods |
| Payment | Duplicate payment |
8. Identify Existing Controls
| Risk | Control |
|---|---|
| Unauthorized request | Manager approval |
| Duplicate payment | System duplicate check |
| Fraudulent vendor | Vendor master review |
9. Evaluate Design Efficiency
Determine whether controls are:
- Appropriate – Does the control address the risk?
- Preventive – Can the control stop the issue before occurrence?
- Detective – Can the control identify issues quickly?
- Corrective – Can the control resolve identified issues?
- Cost-Effective – Is the control proportional to the risk?
Design Efficiency Evaluation Questions
- Is the control linked to a specific risk?
- Is responsibility clearly assigned?
- Is evidence generated?
- Is segregation of duties adequate?
- Are approval limits defined?
- Are exceptions handled?
- Is automation used where appropriate?
- Are monitoring activities included?
- Could the control be bypassed?
- Would the control reasonably achieve the objective?
Common Design Deficiencies
- Missing Control – Risk exists but no control addresses it.
- Weak Approval Structure – Approvals are undefined or unclear.
- Lack of Segregation of Duties – One person can initiate, approve, and execute transactions.
- Insufficient Documentation – No evidence is retained.
- Manual Control Without Review – Manual activities occur without supervision.
- Undefined Exception Handling – Process does not specify what happens when issues arise.
Example Walkthrough Documentation
| Process Step | Risk | Control | Design Assessment |
|---|---|---|---|
| Purchase Request | Unauthorized purchase | Manager approval | Effective |
| Vendor Creation | Fake vendor | Vendor review | Effective |
| Invoice Payment | Duplicate payment | System duplicate check | Effective |
| Emergency Purchase | Unauthorized bypass | No control | Deficiency |
Sample Audit Conclusion
Based on the walkthrough performed, the procurement process design is generally adequate to mitigate identified risks. Key controls related to authorization, vendor management, and payment processing are appropriately designed.
However, a design deficiency exists in the emergency procurement process, where no compensating control has been established to prevent unauthorized purchases. Management should implement an approval and post-review mechanism to address this gap.
Simplified Formula
Risk Identified
↓
Control Exists
↓
Control Addresses Risk
↓
Control Cannot Be Easily Circumvented
↓
Evidence Is Generated
↓
Control Is Considered Design Efficient
Key Principle:
If any step in the chain fails, the control may have a design deficiency and should be improved before operational effectiveness testing begins.