
Chapter 3

Developing Operational Review Programmes for Managerial and Audit Use

Standard Audit Programme Guides (SAPGs) - a practical method of documenting all
the elements of an operational audit review in a form which resembles the traditional
internal control questionnaire (ICQ).

PRACTICAL USE OF SAPGs


SAPGs are intended for use during management and audit reviews of activities within
an organisation.
SAPG documents offer an ideal basis for control self-assessment.
They raise the right questions and encourage management and staff to consider
whether controls are satisfactory to address the issues raised. They provide a self-
documenting record of the progress of the control self-assessment which is available for
subsequent audit or senior management review.
The classification of SAPGs into a wide variety of business activities means that a
suitable SAPG is likely to be available for most functional areas.

SAPGs can be classified functionally, based on the organisational structure, or
operationally, based on the prime activities of the organisation.

12 main areas

1. Management and Administration


• The control environment
• Organisation (i.e. structure)
• Management information
• Planning
• Risk management
• Legal department
• Quality management
• Estates management and facilities
• Environmental issues
• Insurance
• Security
• Capital projects
• Industry regulation and compliance
• Media, public and external relations
• Company secretarial department

2. Financial and Accounting


• Treasury
• Payroll
• Accounts payable
• Accounts receivable
• General ledger/management accounts
• Fixed assets (and capital charges)
• Budgeting and monitoring
• Bank accounts and banking arrangements
• Sales tax (i.e. VAT) accounting
• Taxation
• Inventories
• Product/project accounting
• Petty cash and expenses
• Financial information and reporting
• Investments.

3. Personnel
• Human resources department (including policies)
• Recruitment
• Manpower and succession planning
• Staff training and development
• Welfare
• Pension scheme (and other benefits)
• Health insurance
• Staff appraisal and disciplinary matters
• Health and safety
• Labour relations
• Company vehicles.

4. Procurement
• Purchasing.

5. Stock and Materials Handling
• Stock control
• Warehousing and storage
• Distribution, transport and logistics.

6. Production/Manufacturing
• Planning and production control
• Facilities, plant and equipment
• Personnel
• Materials and energy
• Quality control
• Safety
• Environmental issues
• Law and regulatory compliance
• Maintenance.

7. Marketing and Sales


• Product development
• Market research
• Promotion and advertising
• Pricing and discount policies
• Sales management
• Sales performance and monitoring
• Distribution
• Relationship with parent company (for overseas or subsidiary operations)
• Agents
• Order processing.

8. After Sales Support


• Warranty arrangements
• Maintenance and servicing
• Spare parts and supply.

9. Research and Development


• Product development
• Project appraisal and monitoring
• Plant and equipment
• Development project management
• Legal and regulatory issues.

10. Information Technology
• IT strategic planning
• IT organisation
• IT sites
• Processing operations
• Back-up and media
• Systems/operating software
• System access control
• Personal computers
• Software maintenance
• Local area networks (LANs)
• Databases
• Data Protection
• Facilities management
• System development
• Software selection
• Contingency planning
• Electronic data interchange (EDI)
• Viruses
• Electronic office
• User support
• Spreadsheet design
• Expert systems
• IT accounting.

11. Contracting
• Contract management environment
• Project management framework
• Project assessment and approval
• Engaging, monitoring and paying consultants
• Design
• Assessing viability/competence of contractors
• Maintaining an approved list of contractors
• Tendering procedures
• Contract and tender documentation
• Insurance and bonding
• Selection and letting of contracts
• Management information and reporting
• Performance monitoring
• Sub-contractors and suppliers
• Materials, plant and project assets
• Valuing work for interim payments
• Controlling price fluctuations
• Monitoring and controlling variations
• Extensions of time
• Controlling contractual claims
• Liquidations and bankruptcies
• Contractor’s final account
• Recovery of damages
• Review of project outturn and performance
• Maintenance obligations.

12. Governance, Risk Management, Internal Control


(Note that this group is numbered as Set 14 in Appendix 1 and in the web-based SAPG
resource.)
• Internal governance processes
• The board
• External governance processes
• Risk management processes
• Issues for internal control.

12 Main Areas

1. Management and Administration
2. Financial and Accounting
3. Personnel
4. Procurement
5. Stock and Materials Handling
6. Production/Manufacturing
7. Marketing and Sales
8. After Sales Support
9. Research and Development
10. Information Technology
11. Contracting
12. Governance, Risk Management, Internal Control

FORMAT OF SAPGs
In our proposed SAPG format, the critical contents of each SAPG are a number of risk
or control issues relevant to the specific system. These are expressed in the form of
questions which raise the issues in the context of what is being done either to achieve
a desired outcome or to avoid an unwanted one.

The risk and control issues are further divided into two groups, namely key issues and
detailed issues.

KEY ISSUES. The former are the more significant and crucial points about the system
under review and the aim should be always to take them into account during the audit.

DETAILED ISSUES. The latter category of issues takes the user into more of the
underlying system considerations, and would be utilised only if there was a potential
weakness revealed as a consequence of considering the key issues.

The purpose of the SAPG is to guide the auditor through an examination of the issues
specific to the system or activity with the intention of recording the nature of measures
and controls in place to ensure either that business objectives are achieved, or that
risks and exposures are successfully avoided.

The suggested form of the SAPG is divided into three distinct sections:
• title page
• the risk/control issues
• system interfaces.

1. SAPG Title Page


The title page has three separate areas:
• an area which records the details of the subject matter covered by the SAPG and a
reference number
• an area used to record details about the specific audit project
• a section which describes the control objectives for the relevant system

SAPG TITLE PAGE CONTROL OBJECTIVES


(a) To ensure that the organisational structure is appropriate to the business and the
achievement of strategic objectives;
(b) To ensure that the organisational structure is determined by the business and
operational needs and avoids needless subdivisions and excessive levels;
(c) To ensure that the structure enables the flow of key information upwards and
outwards within the organisation and across all the business activities;
(d) To ensure that relevant responsibilities, authorities and functional terms of reference
are defined and in place;
(e) To ensure that responsibilities and authorities are adequately segregated in order to
avoid conflicts of interest and the potential for fraudulent practices;
(f) To ensure that the structure is periodically reviewed and any changes are agreed and
authorised at a senior level;
(g) To ensure that each manager’s span of control is optimised and avoids either over-
or under-utilisation;
(h) To ensure that adequate staff resources are determined, authorised and provided in
order to achieve the functional and business objectives;
(i) To ensure that the prevailing organisational structure is suitably documented and
communicated to all relevant staff; and
(j) To ensure that the organisational structure and the related functional divisions of
responsibility are accurately and adequately reflected in the accounting and
management information systems.

2. The Risk/Control Issues


This is the main part of the SAPG and consists of a table based on the headings

The Seq. column contains a sequential number used to identify each risk/control issue.

The Key Issues reflect the top level and critical aspects of the system/activity
under review and should always be considered by the auditor. There are normally
between six and ten key issues noted on each system/activity SAPG.

The detailed issues examine the relevant subject in greater elemental detail and
should be addressed by the auditor only if the responses obtained in relation to the key
issues suggest that there could be further inherent weaknesses in control. There can be
any number of detailed issues recorded within an SAPG dependent on the complexity
and relevance of the system/activity.

The Current Control/Measure column is used by the auditor to record a brief
description of any controls or measures that are in place to address the issues raised in
the Risk/Control Issue column.

The WP Ref. column can be used to note any working paper cross-reference, such as a
system flowchart or procedure manual.

The Effective Yes/No column is used to note whether the recorded current control or
measure is likely to be effective in either supporting the required objective or
counteracting any underlying risk posed by the issue. The responses recorded in this
column can be used to determine those areas which should be subject to audit testing.

The Compliance Testing column can be used to record the test applied and a
summary outcome.

Summary details of such substantive testing can be noted in the Substantive Testing
column.

The last column (Weakness to Report) can be used to note any points of audit concern
arising from the audit review and testing which should either be discussed further with
management or formally reported to them as a recommendation for action. The
contents of this column can be interfaced with the reporting processes used by the audit
function.

3. System Interfaces

This page of the SAPG is intended to alert auditors to the likely interfaces between the
system or activity being addressed in the SAPG and any others. Where weakness and
control problems have been revealed during the system review, there may be
consequences or implications for other systems either “downstream” or “upstream” of
the system under review. The System Interfaces Table is intended to draw auditors’
attention to systems with input or output connections.

Different levels of audit planning and activity

At a tactical level the auditor may choose to apply risk assessment techniques to the
potential universe of possible audit projects as a means of setting relative priorities, and
thus determine those higher risk audit projects for inclusion into the annual audit plan.
This approach normally involves the development of an audit risk formula.

At the operational level (i.e. during the course of a specific audit project), risk
assessment linked to an evaluation of control effectiveness can focus the auditor’s
attention on aspects of the subject under review which are more deserving of his or her
attention.

The Nature of Risk

Risk can be defined as a function of what is at risk and how likely it is to be at risk. In
other words, the extent (or size) of the risk and the probability of that risk actually
occurring.
An alternative term for the size dimension would be inherent risk.
An alternative term for the probability dimension would be the control risk or the
system risk.

The term “exposure” in relation to risk could be defined as “an unwanted event or
outcome that management would wish to avoid”.

Measuring Control Effectiveness


Overall control effectiveness can be said to be the product of two dimensions, namely:

1. the potential effectiveness of a control activity assuming that it is applied correctly all
the time by staff and management

combined with

2. the actual extent it is complied with.

The control matrix technique is ideally suited to the spreadsheet environment. The
control matrix can be used by auditors during any audit project or review. The aim of the
control matrix method is to bring together, in a mathematically sound way, the
dimensions of risk and control as a means of calculating a risk score for each of the
component risk exposures.
