Developing Operational Review Programmes for Managerial and

Audit Use

Standard Audit Programme Guides (SAPGs)

 a practical method of documenting all the elements of an operational audit review in a
form which resembles the traditional internal control questionnaire (ICQ).
 SAPGs are intended for use during management and audit reviews of activities within an
organisation.
 SAPG documents offer an ideal basis for control self assessment. They raise the right
questions and encourage management and staff to consider whether controls are
satisfactory to address the issues raised.
 During the course of an audit review there will be a number of common factors to record
and evaluate. For example, the control objectives for the activity being reviewed, the
risks or operational issues, the controls and measures in place to address the risks and
issues, the results of audit testing and the conclusions drawn. The SAPG will cater for all
these factors and we will subsequently describe how the SAPG can be completed and
used to document these key review elements.
 SAPGs can be used in a variety of ways, and each SAPG can be suitably scoped to meet
the method of defining the discrete audit review projects (e.g. based on division or
business process). Example of division of the audit universe of potential review projects:
o 1. Management and Administration
o 2. Financial and Accounting
o 3. Personnel
o 4. Procurement
o 5. Stock and Materials Handling
o 6. Production/Manufacturing
o 7. Marketing and Sales
o 8. After Sales Support
o 9. Research and Development
o 10. Information Technology
o 11. Contracting
o 12. Governance, Risk Management, Internal Control

FORMAT OF SAPGs
1. Title Page

The title page has three separate areas:

 • an area which records the details of the subject matter covered by the SAPG and a
reference number
• an area used to record details about the specific audit project
• a section which describes the control objectives for the relevant system. In practical
usage, the text in this last section of the page can be edited and updated whenever
necessary by the user.

2. The Risk/Control Issues

 This is the main part of the SAPG and consists of a table based on the headings
such as:
o Sequence
 Seq. column contains a sequential number used to identify each
risk/control issue
o Risk and control issues
 These issues are divided into two groups, Key Issues and Detailed
Issues
 The Key Issues reflect the top level and critical aspects of the
system/activity under review and should always be considered by
the auditor.
 The detailed issues examine the relevant subject in greater
elemental detail and should be addressed by the auditor only if the
responses obtained in relation to the key issues suggest that there
could be further inherent weaknesses in control.
o Current Control/Measure
 The Current Control/Measure column is used by the auditor to
record a brief description of any controls or measures that are in
place to address the issues raised in the Risk/Control Issue column.
 This type of information can be obtained in a number of ways, for
example, as a result of discussion with departmental staff, from a
review of documented procedures, or from previous audit working
papers.
o WP Reference
 The WP Ref. column can be used to note any working paper cross-
reference, such as a system flowchart or procedure manual.
o Effective Yes/No
 The Effective Yes/No column is used to note whether the recorded
current control or measure is likely to be effective in either
supporting the required objective or counteracting any underlying
risk posed by the issue. This judgement, which may need to be
applied by the audit manager or supervisor, is an opinion on likely
effectiveness. The responses recorded in this column can be used
to determine those areas which should be subject to audit testing.
The decision whether or not to apply audit testing will, of course,
 be relative to the user’s own auditing standards, but a number of
logical tactics could apply
o Compliance Testing
 The Compliance Testing column can be used to record the test
applied and a summary outcome.
o Substantive Testing
 where either the compliance testing revealed an inadequate
application of the measure or the control/measure was judged
unlikely to be effective, further substantive testing may be justified
to evaluate if a potential weakness has been exploited.
o Weakness to Report
 can be used to note any points of audit concern arising from the
audit review and testing which should either be discussed can be
used to note any points of audit concern arising from the audit
review and testing which should either be discussed.

3. System Interfaces
o This page of the SAPG is intended to alert auditors to the likely interfaces
between the system or activity being addressed in the SAPG and any others.
o Where weakness and control problems have been revealed during the system
review, there may be consequences or implications for other systems either
“downstream” or “upstream” of the system under review.
o The System Interfaces Table is intended to draw auditors’ attention to systems
with input or output connections. These connections may be based solely on data
flow or have additional operational implications.