E.11 Preliminary Survey

  1. The purpose of the preliminary survey is to obtain the information needed to prepare the program for the audit work.

  2. The survey work can be broken down into four distinct phases:

    1. Familiarization
    2. Identification of Potential Areas of Improvement
    3. Confirmation
    4. Planning the Detailed Audit

  3. One of the challenges in performing effective surveys is to complete all phases of the survey prior to preparing the formal audit program and beginning the fieldwork.

A. Familiarization

  1. This phase consists of obtaining significant background information and a practical working knowledge of the following:

    1. department or program objectives
    2. applicable laws, regulations, and departmental policies and procedures
    3. management, operating, and financial controls
    4. operating procedures
    5. size and scope of the activities under review
    6. organization and staffing

  2. Some of the specific data needed to obtain a practical working knowledge are:
    1. statement of mission
    2. current goals and areas of emphasis
    3. specific objectives
    4. significant programs and activities
    5. principal delegations of authority
    6. a concise picture of the organizational arrangement, particularly how the program, function, entity, or activity to be audited fits into the overall operation
    7. unusual challenges being faced, changes contemplated

  3. Some sources of information are:

    1. audit programs
    2. prior audit working papers
    3. public laws, legal opinions, and special rulings
    4. operating procedures
    5. organizational charts
    6. functional statements and position descriptions
    7. processing flow charts and system narratives
    8. management, budget, financial, and operating reports
    9. Office of the Auditor General of Canada (Office) personnel

B. Identification of Potential Areas for Improvement

  1. An objective of the survey is the identification of areas for potential improvement. One of the first steps is to identify those programs, activities, and functions that are significant. These can be identified as those programs or activities

    1. that are indicated by existing risk management processes;
    2. that are susceptible to fraud, abuse, or mismanagement;
    3. in which there is a large dollar volume of transactions or large investments in assets that are subject to loss if not carefully controlled;
    4. about which management, the Audit Committee, or the Auditor General have expressed concerns; and
    5. in which prior audits have disclosed major weaknesses or deficiencies.

  2. This phase of the survey should also identify those areas that lack significance and do not appear to require detailed audit coverage. Once the significant programs and activities have been identified, the next step is to survey management controls.

  3. The internal auditor is responsible for determining how much reliance can be placed on the Office's management controls to reduce risks, protect assets, assure accurate information, assure compliance with applicable laws and regulations, promote efficiency and economy, and produce effective attainment of objectives.

  4. A complete review of all management controls is not always necessary because some controls may be irrelevant to the subject of the audit effort. Therefore, the internal auditor must identify those risk areas that are the most important and critical to the operation and concentrate on them. Some management controls that can normally be identified as critical are those that are designed to protect against:

    1. substantial financial losses
    2. program violations
    3. mismanagement
    4. legal violations
    5. adverse publicity
    6. lack of program or mission accomplishment

  5. The internal auditor's evaluation should include identification of areas in which essential risk-based controls appear to be weak, non‑functioning, or missing.

  6. In evaluating the controls, the internal auditor should identify:

    1. controls that are adequately designed for later testing during fieldwork to ensure effective operation;
    2. controls that are inadequately designed or are missing—to make recommendations for improvement—and/or to assess during fieldwork, if there has been any loss as a result, or what the potential impact might be; and
    3. controls that are unnecessary in relation to risk to recommend elimination of the control in order to streamline the process or save costs.

  7. When surveying to identify problem areas, we are searching for "red flags" or indicators. Some of the more typical red flags are:

    1. an absence or insufficiency of planning;
    2. a plan of organization that does not provide for segregation of duties appropriate for safeguarding of assets, or permits duplication of effort by employees or between organizational units, or performance of work that serves little or no useful purpose;
    3. a system of authorization and procedures that is inadequate to provide effective control over assets, liabilities, disbursements, receipts, and expenses;
    4. procedures (formal or informal) that are ineffective or more costly than justified; or written procedures that are unclear and confusing;
    5. absence of an established system of practices to be followed in the performance of duties and functions of each organizational unit; or overstaffing and understaffing in relation to the work to be done;
    6. a lack of coordination where the work of the audited entity is closely related to that of other units, departments, or outside entities;
    7. large dollar expenditures or receipts;
    8. abnormally high or low program participation or accomplishment;
    9. unusual program participation or transactions;
    10. programs, functions, entities, or activities never audited before;
    11. conflict of interest of personnel in a position to influence the Office’s policies and actions;
    12. transactions at or near control limits;
    13. complex programs; and
    14. a lack of information feedback (management records, operating statistics, financial reports, inspections, etc.) necessary to keep managers adequately informed about their operations.

  8. Some important sources of information for the identification phase of the survey are:

    1. audit leads
    2. prior audit reports, related correspondence, and working papers
    3. reports from outside consults
    4. the status of corrective action on prior audits
    5. investigative reports on personnel or activities of the internal audit customer

  9. Discussions with senior management, such as the Chief Audit Executive (CAE), assistant auditor general (AAG), or Auditor General, are often a good source of information about problems, sensitive issues, and other matters where audit attention may be needed. Such discussions may be held prior to the audit, at the entrance conference, during the survey, or during the detailed audit phase.

  10. Vast amounts of data are stored on servers to furnish management with periodic reports. These reports may not be tailored specifically to meet the needs of the internal auditor or may not provide all the information needed. However, through specialized computer-assisted audit techniques (CAATs), the internal auditor can usually obtain information in a format to suit the audit objective. This allows the internal auditor to search large amounts of data with relative ease. An information technology (IT) audit specialist should be consulted when necessary.

C. Confirmation

  1. This phase consists of limited testing to confirm the critical improvement areas and the need for detailed audit work. A limited examination of documents, records, and reports is generally necessary to add supporting evidence to the preliminary findings observed during the first two phases of the preliminary survey. Tests to determine the extent and significance of such matters, however, are to be performed during the detailed audit. Indicated problem areas should be discussed with the management of the area under audit at this point to help ensure that the internal auditor has an accurate understanding of the situations in question and has obtained all available information needed to arrive at decisions on the extent of audit work needed.

D. Planning the Detailed Audit

  1. The elements of materiality and relative risk must be considered in performing the audit. The due professional care standards do not imply unlimited responsibility for disclosure of irregularities and other deficiencies. The internal auditor's principal effort should be in those areas where significant potential for improvement may exist, rather than in areas that are relatively unimportant. Time should not be spent examining or developing evidence beyond what is necessary to afford a sound basis for a professional opinion.

  2. The results of the survey should be analyzed to determine the need for a detailed audit and the specific areas to be covered. To assist in identifying those vital activities and to help evaluate their relative importance, the following steps can be applied:

    1. Briefly record each improvement area indicated during the survey.
    2. Record your evaluation of the significance of the issue.
    3. Record the potential effect if improvement is not undertaken.
    4. Record what is needed and the estimated time required to confirm the extent and significance of the problem.
    5. Rank the issues in order of importance.

  3. After these steps have been completed, the detailed audit program should be prepared, allocating the project budget time for fieldwork to the specific areas to be covered in the audit.

Last modified:
2018-03-06