A Guide to Enhanced Systems Based Auditing: The Exeter Approach

To combat fraud and loss, it is essential that organisations (whether they are in the public, private or not-for-profit sector) have effective systems of internal control in place. But it is not just financial risks that organisations may be exposed to. Events such as the summer floods in 2007 show the need for robust and effective risk and business continuity management systems to be established, tested and maintained.

To assess the effectiveness of systems of internal controls and risk and business continuity management and whether they are embedded, an Enhanced Systems Based Auditing (ESBA) approach has been devised. ESBA is ‘risk-based’ SBA that uses the internationally recognised COSO Enterprise Risk Management - Integrated Framework (2004) approach.

In accordance with the COSO ERM approach, ESBA tests whether the organisation’s objectives, policies and procedures have been embedded by assessing the extent that they are in operation throughout the organisation from the corporate level right down to individual. The incorporation of such testing into systems work may identify individual cases or indeed general lack of awareness of policies and procedures thus highlighting possible communication problems, for example.

A Guide to Enhanced Systems Based Auditing explains this new approach, which was used as the basis for CIPFA’s Systems Based Auditing Control Matrices Series 7. The guide also gives an example of a risk-based audit planning process and shows how audit findings can be recorded and reported to achieve maximum impact.

The guide is therefore essential reading for audit managers and staff and will also be of interest to members of the senior/strategic management team, and scrutiny and audit committees who wish to ensure that the organisation and its audit service are effective and achieving their goals and objectives.