First AS5 audit – auditor’s and company’s views

As large public companies are approaching the first reporting cycle under AS5, how are auditors and companies planning for their first AS5 audit?

After digesting several articles at Compliance Week, I have listed some important findings from both the auditor’s and the company’s point of view, along with the opportunity for GRC software.

Auditors’ perspective:  

For auditors, the most noticeable impact lies in two areas: 1) how auditors can reduce the number of site visits for control testing; 2) how much the auditor can rely on the work of the company’s internal auditor and other consultants to reduce the number of walkthroughs.

Under the previous AS2, there was a coverage threshold to meet for testing at company locations. Now, although this is not expected to change dramatically, auditors have more flexibility to determine which locations should be included and which should be excluded, based on the risk assessment. Over time, a more systematic way of deciding on locations will be formed.

While AS2 required auditors to perform their own walkthroughs for key controls, AS5 gives auditors more flexibility to leverage the company’s internal controls or other consultants’ work under the auditors’ supervision. For companies, this means they can decide to allocate more of their own staff to free up external auditors. Auditors may also rely more on third-party external resources. Either way, the goal is to have more effective walkthroughs.

Company’s perspective:

Companies will focus on risk assessment to identify the critical risks and decide how much risk assessment to do. Under AS5, risk assessment will drive decisions about what and when to test, who should test, and how it should be done. A better job done by the company will enable auditors to leverage that work and maximize the outcome, although the balance needs to be maintained.

Opportunities for GRC vendors:

The more auditors can rely on a company’s internal control work, the more companies need to provide automated controls and more documentation. This strengthens the value proposition of GRC software in improving compliance efficiency and reducing overall costs.
