What are Effective Methods for Walkthrough’s?

After assessing the risks to the audit entity, such as in a risk control matrix (RCM) during planning stage of the audit, an assessment of the existence of the controls within the organisation needs to be made to assess whether the risk is adequately controlled. In audit, this is commonly referred to as an assessment of the design effectiveness.

 

A meeting with the risk or control owner enables the auditor to assess what controls there are to limit the risk. During this meeting, the auditor builds a map of the process flow and assesses where there should be control points as there are heightened risks. A demonstration of the process is made using a transaction, often a past transaction, and results are reviewed. This is referred to as a walkthrough.

From the risk identified within the RCM, the internal auditor should build a map of how the related process should flow and at what points are there elevated risks. During the meeting with the risk owner, the auditor should understand what controls are in existence from the risk points that were previously assessed. The way the control works should be demonstrated using an example, such as a past transaction. The control owner should be able to explain the purpose of this control and what risk it is limiting or stopping and where it fits in the wider process flow. 

Prior to a walkthrough meeting, if you have built a map of what the process flow should be and at what points you perceive risks, this gives a tremendous advantage when discussing with the risk or control owner.

Going into a meeting without having done the above, means you would have to ask the owner to describe the whole process during the meeting. Whilst that is being described, the auditor would have to at the same time evaluate the risks and assess whether the control described and demonstrated is adequate to control the risk. Sometimes details can be missed here, which often results in going back to the owner to clarify or ask additional questions. This is not always the most efficient way. 

Having done the pre-work before the meeting, can result in better conversations where the auditor not only gets an idea of the process flow but is able to ask questions of how this certain risk, that was thought of in the pre-work, is covered within the process. The auditor should have more “time” to follow up on explanations as they should already have a mental picture of what an ideal control looks like (typically through past experiences or coached by a senior team member) and is better able to understand what the owner is describing.

Auditors that understand the risks within the process and understand the controls or lack of controls in existence, should be able to “walk through” with the risk owner by asking what risks do they perceive in this part of the process flow and how should the risk identified be controlled. Afterwards, you can compare whether this is done within the process that you are reviewing. 

Engaging the risk owner and deriving answers through this process during a walkthrough, I have found most effective in them realising that there is a control gap. There is less contention as well. The key here is going back to that principle of doing the pre-work. In addition, having that “time” during the explanations by asking the owner of what risks they perceive and “directing” them to the risks that you identified. Then, getting them to dig deep and explain how it should be controlled so there is limited or no risk (based on the company’s appetite), is highly effective in the risk owner accepting control gaps.

After going through the controls in existence and using a past transaction to see it being demonstrated, the key questions now are:

• The risks that the auditor assessed, how is the risk being controlled to limit it to the company’s appetite?
• Is the design of the control able to limit the risk?
• Are there any weaknesses within the control, where risk can be penetrated? What is the probability of this happening?
• Could the control be made more efficient, where it uses less resources and time?
• Do the control/ risk owners understand where these controls fit in the overall process and what it’s intending to do?

These questions are a baseline for opining whether there are controls and that they are adequately designed to limit the risks that the auditor sees to a level that is acceptable.

In internal audit, walkthroughs are more than just looking at whether a transaction does what it says it does on a process or controls manual. If it is thought like this, I believe audit is not providing adequate assurance.

An internal auditor using their skills to identify the risks in the process and being comfortable that the company is protected by adequate controls, should be the objective that starts to provide adequate assurance.