Designing and Writing Audit Programs and Procedures, Questionnaires, Checklists and Control Matrices
Using Generative Artificial Intelligence
Internal auditors utilize a systematic methodology for analyzing business processes, procedures and activities with the goal of highlighting organizational problems and recommending solutions. Planning is not only an important part of the audit process but is also required by professional standards. Organizations may differ in their planning methodologies, but the bottom line is that they must document the process. I was regularly besieged by questions on my website (AuditNet) from auditors looking for audit work programs, internal control matrices, internal control questionnaires and checklists. My response to these questions was that they first needed to determine the objectives, purpose, and scope of the audit they were about to begin. With these basics, auditors can begin to create or search for an audit program that meets their needs. Over 20 years ago I created an AuditNet guide to creating audit planning documents (audit programs, matrices, questionnaires and checklists) as a resource and tool for auditors. The AuditNet monograph provided a methodology or framework for creating audit documentation as well as sample audit documentation, including objectives for various areas and formats for audit programs, checklists and control matrices.
Organizations of all sizes use the professional standards of the AICPA, the Institute of Internal Auditors (IIA), or the GAO Government Auditing Standards to structure their internal audit programs, supplementing this framework with best practices that are generally followed within their industry. The AICPA, IIA, and Government Auditing Standards have common elements in their field work standards, requiring that auditors adequately plan the work and properly supervise any assistants. They also stipulate that the auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to design the nature, timing, and extent of audit procedures.
Finally, auditors must obtain sufficient appropriate audit evidence by performing audit procedures to afford a reasonable basis for an opinion on the area under audit. Furthermore, auditors should develop and record a plan for each engagement, including the scope, objectives, timing, and resource allocations. There should be a plan for conducting the assigned audit that is reviewed and approved by audit management. This plan documents the auditor’s procedures for collecting, analyzing, interpreting, and documenting information during the engagement; states the objectives of the engagement; sets forth the scope and degree of testing required to achieve the engagement objectives in each phase of the engagement; identifies the technical aspects, activity objectives, risks, processes, and transactions that should be examined; and states the nature and extent of testing required. Modifications may be made during the engagement as long as they are approved by supervisors.
The audit program sets forth in detail the planned audit procedures to obtain audit evidence that is sufficient and appropriate to achieve the related audit objective. The audit program also serves as an outline of the work to be performed by engagement team members and provides a record of the proper planning and execution of the work that can be reviewed and approved prior to the performance of further work.
The audit program includes the details of the nature, timing and extent of planned audit procedures for material classes of transactions, account balances, and disclosures. This involves developing the audit program for the performance of risk assessment procedures sufficient to plan further audit procedures responsive to the assessed risks at the assertion level. The auditor uses the information obtained from performance of the risk assessment procedures to further develop the audit program into a comprehensive description of the planned further audit procedures at the assertion level. This includes whether the auditor intends to test the operating effectiveness of controls and the nature, timing and extent of planned substantive procedures. As the auditor performs audit procedures outlined in the audit program, the audit program is updated and changed to reflect the further audit procedures considered necessary given the circumstances.
After two decades it is now possible for auditors to generate audit programs and procedures for virtually any area using the power of generative artificial intelligence (GenAI). What follows are examples of a work program, internal control questionnaire, control matrix, and risks and mitigations for an audit of ESG, a current hot topic for internal auditors. There are, of course, risks that must be considered when using GenAI tools, and I will address them in a future blog post.
Here is a sample audit work program from a GenAI app for auditing ESG:
An Environmental, Social, and Governance (ESG) audit focuses on assessing a company's performance in environmental, social, and governance areas. These audits are becoming increasingly important as stakeholders are interested in sustainable and responsible business practices. Here are some internal audit procedures for an ESG audit:
1. Governance:
· Review the governance structure and policies in place to ensure they align with ESG goals.
· Assess the effectiveness of board oversight related to ESG issues.
· Evaluate the transparency of governance practices, including disclosure of board diversity and executive compensation.
2. Environmental Practices:
· Audit environmental policies and procedures to ensure compliance with relevant regulations.
· Evaluate the company's environmental impact, including energy consumption, waste management, and emissions.
· Assess the effectiveness of environmental risk management and mitigation strategies.
3. Social Responsibility:
· Review policies related to human rights, labor practices, and community engagement.
· Evaluate employee diversity and inclusion practices.
· Assess the company's social impact on the communities it operates in.
4. Supply Chain Management:
· Examine the sustainability practices of suppliers and assess the supply chain's environmental and social impacts.
· Evaluate the due diligence process for selecting and monitoring suppliers.
· Assess the company's efforts to promote responsible sourcing and fair labor practices in the supply chain.
5. Product Responsibility:
· Review product development and design processes for environmental considerations.
· Assess product life cycle impacts, including disposal and recycling practices.
· Evaluate the accuracy and transparency of product-related information provided to consumers.
6. Stakeholder Engagement:
· Assess the company's communication and engagement strategies with stakeholders on ESG matters.
· Review feedback mechanisms and channels for stakeholder input on ESG issues.
· Evaluate the company's responsiveness to stakeholder concerns and expectations.
7. Data Accuracy and Reporting:
· Audit the accuracy and completeness of ESG data collected and reported by the company.
· Assess the reliability of ESG performance metrics and key performance indicators (KPIs).
· Ensure compliance with relevant reporting standards and frameworks (e.g., GRI, SASB).
8. Risk Management:
· Evaluate the integration of ESG considerations into the company's overall risk management processes.
· Assess the identification and mitigation of ESG-related risks.
· Review the effectiveness of monitoring mechanisms for ESG risks.
9. Employee Training and Awareness:
· Assess the training programs in place to educate employees about ESG goals and practices.
· Review internal communications regarding ESG initiatives to ensure awareness and understanding among employees.
10. Continuous Improvement:
· Evaluate the company's commitment to continuous improvement in ESG performance.
· Assess the mechanisms in place for tracking progress against ESG goals and objectives.
· Review the company's responsiveness to emerging ESG trends and evolving stakeholder expectations.
These procedures can serve as a starting point for conducting an ESG audit. It's important to customize them based on the industry, size, and specific ESG priorities of your organization. Additionally, staying informed about evolving ESG standards and frameworks is crucial for ensuring the audit remains aligned with best practices in sustainability reporting.
Here is a sample internal control questionnaire from a GenAI app for ESG:
Internal Control Questionnaires (ICQs) can help assess the effectiveness of internal controls related to Environmental, Social, and Governance (ESG) practices within an organization. Here are sample questions organized by the three main ESG pillars:
Environmental (E) Control Questions:
1. Environmental Policy and Governance:
· Is there a documented environmental policy in place that aligns with the organization's strategic goals?
· How is the effectiveness of the environmental policy monitored and communicated throughout the organization?
2. Energy Management:
· Are there controls in place to monitor and manage energy consumption within the organization?
· How does the organization ensure the use of renewable energy sources and promote energy efficiency?
3. Waste Management:
· Are there controls to track and reduce waste generation within the organization?
· How is the proper disposal of hazardous materials ensured, and are there controls to prevent environmental contamination?
4. Emissions Control:
· How does the organization monitor and control greenhouse gas emissions?
· Are there controls in place to assess and minimize the environmental impact of transportation and logistics?
Social (S) Control Questions:
5. Labor Practices:
· Are there controls to ensure fair labor practices, including equal opportunities and non-discrimination?
· How does the organization address and prevent instances of child labor or forced labor in its operations and supply chain?
6. Employee Well-being:
· Are there controls in place to monitor and enhance employee health, safety, and well-being?
· How does the organization promote work-life balance and mental health awareness among employees?
7. Diversity and Inclusion:
· Are there controls to track and promote diversity and inclusion within the workforce?
· How is the organization ensuring equal opportunities for career development and advancement for all employees?
8. Community Engagement:
· How does the organization engage with local communities and assess their needs?
· Are there controls in place to measure and report the social impact of the organization on local communities?
Governance (G) Control Questions:
9. Board Oversight:
· How does the board of directors oversee ESG-related matters?
· Are there controls in place to ensure effective communication between the board and management on ESG issues?
10. Risk Management:
· Are there controls to identify, assess, and manage risks associated with ESG factors?
· How does the organization integrate ESG considerations into its overall risk management framework?
11. Ethical Conduct:
· Are there controls to promote ethical behavior and prevent corruption within the organization?
· How is adherence to the organization's code of conduct monitored and enforced?
12. Transparency and Reporting:
· Are there controls in place to ensure accurate and timely reporting of ESG performance?
· How does the organization ensure transparency in its disclosure of ESG-related information to stakeholders?
These ICQs can serve as a foundation for assessing the internal controls related to ESG practices within your organization. Tailor these questions to fit the specific context, industry, and ESG priorities of your organization. Additionally, consider consulting relevant ESG reporting frameworks (such as GRI, SASB, or TCFD) to ensure comprehensive coverage of key ESG indicators and metrics.
Here is a sample control matrix for an audit of ESG using a GenAI app:
Creating a control matrix for an Environmental, Social, and Governance (ESG) audit involves mapping specific controls to the corresponding ESG criteria or objectives. Below is a sample control matrix that covers various aspects of ESG. This matrix provides a structured approach to evaluate the effectiveness of controls in place:
Environmental (E) Controls:

| ESG Criterion | Control Description and Objective | Responsible Party | Control Owner | Control Effectiveness |
|---|---|---|---|---|
| Environmental Policy | Establish and communicate an environmental policy aligned with goals. | ESG Committee | Sustainability Officer | Regularly monitored and updated. |
| Energy Management | Implement controls to monitor and reduce energy consumption. | Facilities Manager | Energy Management Team | Regular energy audits and efficiency initiatives. |
| Waste Management | Controls to track, minimize, and properly dispose of waste. | Environmental Officer | Waste Management Team | Regular waste audits and recycling programs. |
| Emissions Control | Monitor and control greenhouse gas emissions. | ESG Committee | Environmental Compliance Officer | Regular assessments and implementation of emission reduction strategies. |

Social (S) Controls:

| ESG Criterion | Control Description and Objective | Responsible Party | Control Owner | Control Effectiveness |
|---|---|---|---|---|
| Fair Labor Practices | Controls to ensure fair labor practices and equal opportunities. | HR Manager | Human Resources Department | Periodic employee satisfaction surveys and compliance checks. |
| Employee Well-being | Controls to monitor and enhance employee health and safety. | Health and Safety Officer | Employee Wellness Committee | Regular health and safety assessments and wellness programs. |
| Diversity and Inclusion | Controls to track and promote diversity and inclusion. | Diversity and Inclusion Officer | Diversity and Inclusion Committee | Regular diversity audits and inclusion training. |
| Community Engagement | Controls to engage with and support local communities. | Corporate Social Responsibility (CSR) Manager | Community Engagement Team | Regular community impact assessments and engagement programs. |

Governance (G) Controls:

| ESG Criterion | Control Description and Objective | Responsible Party | Control Owner | Control Effectiveness |
|---|---|---|---|---|
| Board Oversight | Mechanisms for board oversight of ESG matters. | Board of Directors | ESG Committee | Regular board reviews and reporting on ESG performance. |
| Risk Management | Controls to identify, assess, and manage ESG-related risks. | Risk Management Officer | Risk Management Team | Integration of ESG risks into overall risk management processes. |
| Ethical Conduct | Controls to promote ethical behavior and prevent corruption. | Ethics Officer | Ethics and Compliance Department | Regular ethics training and whistleblower mechanisms. |
| Transparency and Reporting | Controls for accurate and timely ESG reporting. | ESG Reporting Manager | Communications Department | Adherence to reporting standards and periodic internal audits. |
This control matrix serves as a framework to assess the controls related to ESG criteria. Customize it based on the specific needs, industry, and ESG priorities of your organization. Regularly review and update the control matrix to reflect changes in policies, regulations, and the organization's ESG strategy.
Here are sample risks and mitigations for an audit of ESG using a GenAI tool:
Conducting an Environmental, Social, and Governance (ESG) audit involves identifying and assessing various risks associated with the organization's performance in these areas. Here are key risks to consider when conducting an ESG audit:
Environmental (E) Risks:
- Regulatory Compliance:
  - Risk: Failure to comply with environmental regulations, resulting in fines or legal actions.
  - Mitigation: Regularly monitor and update environmental policies to align with changing regulations.
- Climate Change Impact:
  - Risk: Inadequate measures to address and adapt to the impact of climate change.
  - Mitigation: Implement strategies to reduce greenhouse gas emissions and assess vulnerabilities to climate-related risks.
- Resource Scarcity:
  - Risk: Risks related to resource scarcity, such as water shortages or raw material depletion.
  - Mitigation: Implement sustainable resource management practices and diversify sourcing strategies.
- Environmental Accidents:
  - Risk: Accidents leading to environmental damage, affecting ecosystems and communities.
  - Mitigation: Implement robust safety protocols, emergency response plans, and regular audits of facilities.
Social (S) Risks:
- Labor Practices:
  - Risk: Violations of fair labor practices leading to reputational damage and legal consequences.
  - Mitigation: Regularly audit and update HR policies, provide employee training, and conduct compliance checks.
- Community Relations:
  - Risk: Negative impact on local communities due to inadequate engagement or social initiatives.
  - Mitigation: Establish community engagement programs, conduct impact assessments, and maintain open communication channels.
- Diversity and Inclusion:
  - Risk: Lack of diversity and inclusion leading to employee dissatisfaction and reputational damage.
  - Mitigation: Implement diversity and inclusion policies, conduct regular audits, and provide training programs.
- Human Rights Violations:
  - Risk: Involvement in or association with human rights violations in the supply chain.
  - Mitigation: Implement due diligence processes, audit suppliers, and ensure adherence to human rights standards.
Governance (G) Risks:
- Board Oversight:
  - Risk: Insufficient board oversight of ESG matters, leading to strategic misalignment.
  - Mitigation: Establish an ESG committee, ensure regular reporting to the board, and align ESG goals with overall business strategy.
- Data Accuracy and Reporting:
  - Risk: Inaccurate or incomplete reporting of ESG performance, leading to loss of credibility.
  - Mitigation: Implement robust data collection processes, adhere to reporting standards, and conduct regular internal audits.
- Ethical Conduct:
  - Risk: Ethical misconduct, including corruption or fraud, damaging the organization's reputation.
  - Mitigation: Implement a strong code of conduct, provide ethics training, and maintain whistleblower mechanisms.
- Cybersecurity:
  - Risk: Cybersecurity threats compromising the confidentiality and integrity of ESG-related data.
  - Mitigation: Implement robust cybersecurity measures, including encryption and regular security audits.
Considering and mitigating these risks during an ESG audit is essential for ensuring the organization's sustainable and responsible business practices. Tailor the risk considerations based on your organization's industry, size, and specific ESG priorities. Regular monitoring and adjustments to risk management strategies will contribute to the ongoing success of the organization's ESG initiatives.
The above documents took less than 10 minutes to generate. They obviously would need to be tailored for your organization, but this clearly demonstrates the ease with which a GenAI tool can produce the first step in audit planning. Once an auditor has the audit plan with the areas scheduled for audit, they could easily create initial audit documents that are then updated during the planning of each individual audit.
I welcome your thoughts on this topic. Feel free to email me at jkaplan@auditnet.org or message me on LinkedIn.