Compilation of Handouts


INTERNAL CONTROL

Internal control is a process, effected by an entity's board of directors, management and other
personnel, designed to provide reasonable assurance regarding the achievement of objectives
relating to:
Operations
Reporting
Compliance

The Turnbull report (see Chapter 2) suggests that:

A company's system of internal control has a key role in the management of risks that are
significant to the fulfilment of its business objectives.

One writer has highlighted the dynamic of controls by saying that the purpose of any control
system is to attain or maintain a desired state or condition.

Figure 4.1 (diagram): Objectives, Inherent Risk, Control, Strategy and Achievements

Management's Responsibilities
Turnbull has made clear where control responsibility lies in an organization:
The board of directors is responsible for the company's system of internal control.

While the board sets overall direction, it is management who must implement good controls by
considering the following:

Determine the need for controls
Design suitable controls
Implement these controls
Check that they are being applied correctly
Maintain and update the controls
Inclusion of the above noted matters within any appraisal scheme that seeks to judge
managements performance

Internal Audit's Role

The internal auditor has to be concerned about the state of control in the organization.

The auditor's role regarding systems of internal control:
Assessing those areas that are most at risk
Defining and undertaking a programme
Reviewing each of these systems
Advising management
Recommending any necessary improvements
Following up audit work

The IIA's Implementation Standard 2120.A1 provides four key aspects of the scope of controls:
Based on the results of the risk assessment, the internal audit activity should evaluate the
adequacy and effectiveness of controls encompassing the organisation's governance, operations,
and information systems. This should include:

Reliability and integrity of financial and operational information.
Effectiveness and efficiency of operations.
Safeguarding of assets.
Compliance with laws, regulations, and contracts.

Control Framework: COSO
What is COSO?
COSO stands for the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. COSO:
was established in 1985 as sponsor of the National Commission on Fraudulent Financial Reporting;
was created through sponsorship of the AICPA, American Accounting Association, FEI, IIA
and Institute of Management Accountants;
issued the 1992 framework on internal control;
in 2010, began a project to update the 1992 framework;
representatives from industry, academia, government and non-profits formed an advisory
council to provide input.

Board Members
David L. Landsittel - COSO Chair
Mark S. Beasley and Douglas F. Prawitt - American Accounting Association
Richard F. Chambers - The Institute of Internal Auditors
Charles E. Landes - American Institute of Certified Public Accountants
Marie N. Hollein - Financial Executives International
Sandra Richtermeyer and Jeffrey C. Thomson - Institute of Management Accountants

The Committee of Sponsoring Organizations (COSO) of the Treadway Commission has
suggested that (www.coso.org):
Internal controls are put in place to keep the company on course toward profitability goals and
achievement of its mission, and to minimize surprises along the way.

Internal control helps entities achieve important objectives and sustain and improve performance.
COSO's Internal Control - Integrated Framework (the Framework) enables organizations to
effectively and efficiently develop systems of internal control that adapt to changing business
and operating environments, mitigate risks to acceptable levels, and support sound decision
making and governance of the organization.

COSO components and the entire model

Figure 4.4 The COSO model

PRINCIPLES CODIFICATION
Control Environment
Demonstrates commitment to integrity and ethical values

Exercises oversight responsibility
Establishes structure, authority, and responsibility
Demonstrates commitment to competence
Enforces accountability

Risk Assessment
Specifies suitable objectives
Identifies and analyzes risk
Assesses fraud risk
Identifies and analyzes significant change

Control Activities
Selects and develops control activities
Selects and develops general controls over technology
Deploys through policies and procedures

Information & Communication


Uses relevant information
Communicates internally
Communicates externally

Monitoring Activities
Conducts ongoing and/or separate evaluations
Evaluates and communicates deficiencies

Control Environment
The control environment sets the tone of an organization, influencing the control consciousness
of its people.
Risk Assessment
Every entity faces a variety of risks from external and internal sources that must be assessed.

Control Activities
Control activities are the policies and procedures that help ensure management directives are
carried out.

Information and Communication


Pertinent information must be identified, captured and communicated in a form and timeframe
that enable people to carry out their responsibilities.

Monitoring
Internal control systems need to be monitored, a process that assesses the quality of the
system's performance over time. This is accomplished through ongoing monitoring activities,
separate evaluations or a combination of the two.

COSO simply asks five key questions:

1. Do we have the right foundations to control our business? (control environment)
2. Do we understand all those risks that stop us from being in control of the business? (risk
assessment)
3. Have we implemented suitable control activities to address the risks to our business? (control
activities)
4. Are we able to monitor the way the business is being controlled? (monitoring)
5. Is the control message driven down through the organization and associated problems and
ideas communicated upwards and across the business? (communication and information)

Control Framework: CoCo
The principles may be organized according to the four groupings of the CICA Criteria of Control
(CoCo) framework.

Purpose
The model starts with the need for a clear direction and sense of purpose.

Commitment
The people within the organization must understand and align themselves with the organization's
identity and values.

Capability
People must be equipped with the resources and competence to understand and discharge the
requirements of the control model.

Action
This stage entails performing the activity that is being controlled. Before employees act, they
will have a clear purpose, a commitment to meet their targets and the ability to deal with
problems and opportunities.

Monitoring and learning


People must buy into and be part of the organization's evolution. This includes monitoring
internal and external environments, monitoring performance, challenging assumptions,
reassessing information needs and information systems, follow-up procedures, and assessing the
effectiveness of control.

Other Control Models


COSO and CoCo are well-known control frameworks and they provide most of what is needed
for an organization to consider when developing its own framework.

Another control standard, known as CobiT, 3rd edition, covers security and control for information
technology (IT) systems in support of business processes and is designed for management, users
and auditors. Several definitions are applied to this standard including:

Control
IT control objective
IT governance

CobiT has four main components (domains) and for these domains there are a further 34 high
level control processes:
planning and organization;
acquisition and implementation;
delivery and support;
monitoring.

Control Mechanisms
Control mechanisms are all those arrangements and procedures in place to ensure the business
objectives may be met. They consist of individual mechanisms used by people and processes
throughout the organization and they should exhibit certain defined attributes.
Types of Controls
Principal controls may be categorized in a number of different ways. One way is to view them as
being classified as follows:
1. Directive: to ensure that there is a clear direction and drive towards achieving the stated
objectives.
Examples:
Organization structure
Policies
Procedures
Management directives
Guidance statements
Job\position descriptions

2. Preventive: to ensure that systems work in the first place.

Examples:
Segregation of duties
Timely reconciliation of accounts
Restricted areas, money safes, controls over night collections
Plans, goals, budgets, and comparison of the actual with budgets
Procedure manuals
An adequate check on prior employment background for all new employees

3. Detective: to pick up transaction errors that have not been prevented.

Examples:
Cash counts
Bank reconciliation
Review of payroll reports
Comparison of transactions on reports to source documents
Monitoring of actual expenditures against budget
Review of logs for evidence of mischief

4. Corrective: to ensure that where problems are identified they are properly dealt with.

Examples:
Submit corrective journal entries after discovering an error
Complete changes to IT access lists if an individual's role changes

5. Recovery
Examples:
Prepare data backups from current systems
Storing documents and IT backups in a protected environment to ensure availability
Restore data from backup following a failure

6. Automated (IT)
Examples:
IT access permissions
System password requirements
Preset spending limits

They should be SMART: Specific, Measurable, Achievable, Results oriented, Timely.

Some of the more traditional control mechanisms that may be applied in practice include:
1. Authorization: The act of authorizing something brings with it the process of granting
permission on behalf of the organization.
2. Physical access restrictions: Measures should be applied to information through, say,
passwords, access restrictions to desktop computers and an overall policy covering building
security.
3. Supervision: This control tends to have a dual nature whereby staff are observed first hand by
their line managers, while at the same time these supervisors are available to help and assist their
subordinates.
4. Compliance checks: We have already discussed compliance as a fundamental component of
the control systems and the way it is part of the process of doing things properly.
5. Procedures manuals: As a high level control, the organization should set corporate standards
that cover at least the following areas:
Financial regulations covering income, expenditure, cash, banking, general accounting,
contracts and related matters.
Staff handbook covering recruitment, training and development, performance, discipline and so on.
Purchasing code of practice on goods and services acquired by the organization.
Code of personal conduct with guidance on gifts and hospitality.
Computer standards on the use of computer systems and security procedures.
6. Recruitment and staff development practices: We have indicated that most controls are based
around what people do and the people factor cannot be ignored.
7. Segregation of duties: This control brings into play more than one individual during any one
transaction which can lead to an actual gain or benefit.
8. Organization: The way an organization is structured can promote or impair good control.
Clear reporting lines that establish links between accountability, responsibility and authorization
are a good starting place.
9. Sequential numbering of documents and controlled stationery: Valuable documents such
as orders, cheque requisitions and cheques themselves have an in-built control in terms of their
sequential numbers.
10. Cash controls: Cash for purposes of controls discussion includes currency, coins, checks,
money orders, and gift certificates/cards. Types of cash typically on hand include cash receipts,
petty cash accounts, and change funds. The key elements are segregation of duties, security,
reconciliation, management review and documentation.
Segregation of duties: divided into four stages: receiving, depositing, recording, and reconciling.
Security: keep all cash in a safe until it is deposited. If cash boxes are used ensure that they can be
locked, are fire resistant, are not easily movable or concealable, and access is limited to the
person collecting the cash. If large sums of money are being collected and/or cash is collected in
a high traffic area, consider installing a camera and alarm system.
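The detective and automated controls listed above (sequential numbering of documents, segregation of duties, preset spending limits) are easy to describe but the handout does not show what checking them looks like in practice. The following Python script is an added example, not part of the handout, that runs three such checks over a constructed batch of payment records; the record layout, the names, the document numbers and the limit of 10,000 are all constructed for illustration.

```python
"""Detective-control checks over a constructed batch of payment records.

Added example, not part of the original handout. Three detective checks:
  - sequential numbering: report missing and duplicated document numbers;
  - segregation of duties: the same person must not raise and approve one payment;
  - preset spending limit: flag payments above an agreed ceiling.
All records, names and the limit are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    doc_no: int        # sequential number printed on the cheque requisition
    raised_by: str     # person who prepared the payment
    approved_by: str   # person who authorised it
    amount: float


# Constructed batch with deliberate anomalies: number 1004 is missing, 1006 is
# used twice, 1005 is self-approved and one 1006 exceeds the preset limit.
SAMPLE_BATCH = [
    Payment(1001, "alice", "carol", 250.00),
    Payment(1002, "bob", "carol", 1200.00),
    Payment(1003, "alice", "dave", 80.00),
    Payment(1005, "bob", "bob", 640.00),        # raised and approved by the same person
    Payment(1006, "alice", "carol", 15000.00),  # above the preset limit
    Payment(1006, "bob", "dave", 95.00),        # duplicate document number
    Payment(1007, "alice", "carol", 300.00),
]
PRESET_LIMIT = 10000.00   # constructed approval ceiling


def sequence_exceptions(batch):
    """Return (missing_numbers, duplicated_numbers) for the document sequence."""
    numbers = [p.doc_no for p in batch]
    seen, duplicates = set(), set()
    for n in numbers:
        if n in seen:
            duplicates.add(n)
        seen.add(n)
    expected = set(range(min(numbers), max(numbers) + 1))
    return sorted(expected - seen), sorted(duplicates)


def segregation_breaches(batch):
    """Document numbers where one person both raised and approved the payment."""
    return [p.doc_no for p in batch if p.raised_by == p.approved_by]


def over_limit(batch, limit=PRESET_LIMIT):
    """Document numbers of payments above the preset spending limit."""
    return [p.doc_no for p in batch if p.amount > limit]


def run_checks(batch, limit=PRESET_LIMIT):
    """Run all three detective checks and return the findings by type."""
    missing, duplicated = sequence_exceptions(batch)
    return {
        "missing_numbers": missing,
        "duplicate_numbers": duplicated,
        "segregation_breaches": segregation_breaches(batch),
        "over_limit": over_limit(batch, limit),
    }


if __name__ == "__main__":
    for finding, refs in run_checks(SAMPLE_BATCH).items():
        print(f"{finding}: {refs}")
```

Each finding carries the document numbers involved so that it can be vouched back to the source document; a missing number is only an exception until the cancelled or voided document is produced, which is why the output feeds a corrective step rather than concluding anything on its own.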
The Suitability of Controls
In terms of assessing the suitability of systems of internal control, there are some danger signs
that should be looked for that might lower the efficiency of the control environment, as follows:
Ability of senior management to override accepted controls.
Lack of staff and vacant posts.
Poor control culture.
Staff collusion.
Reliance on a single performance indicator.
Reliance on memory.
Retrospective transaction recording.
Uncontrolled delegation of tasks.

Importance of Procedures

Integrating Controls

1. Performance: The process of assessing risk must fit and be integrated with the performance
management system.
2. Communications: The control model is improved by the addition of good communications in
the organization.
3. Policy, competence and training

Internal Control Awareness Training

Audit of inherent risk: Superimposed on the control model is the role of internal audit and
external audit.
Audit of residual risk: Internal audit will also be concerned that the risks that remain after
controls have been applied are fully understood and acceptable.
Statement of internal control: One important constituent of the control model is the feed into
the published statement on internal control.

PRELIMINARY REVIEW, INTERNAL AUDIT PROGRAM AND FIELDWORK


INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICES OF
INTERNAL AUDITING
Standard 2130 - Control - The internal audit activity must assist the organization in maintaining
effective controls by evaluating their effectiveness and efficiency and by promoting continuous
improvement.
Standard 2130.A1 - The internal audit activity must evaluate the adequacy and effectiveness of
controls in responding to risks within the organization's governance, operations, and information
systems regarding the:
- Achievement of the organizations strategic objectives.
- Reliability and integrity of financial and operational information.
- Effectiveness and efficiency of operations and programs.
- Safeguarding of assets.
- Compliance with laws, regulations, policies, procedures, and contracts.
2 Types of AUDIT
1. System/ Risk Based Audit
2. Probity/ Transaction Based Audit

The figure shows the distinction of the two audit approaches

SYSTEM BASED AUDIT APPROACH

A system based audit is an in-depth evaluation of the internal control systems, aiming to assess
whether such systems are functioning properly.
STAGES IN THE SYSTEMS BASED AUDIT:
1. Preparing for & planning the audit assignment
2. Ascertaining and recording the system
3. Identifying system objectives
4. Identifying risks and evaluating controls against risks
5. Testing controls
6. Arriving at conclusions
7. Audit reports and
8. Audit Files

1. Preparing for & planning the audit assignment

Preparing for and planning the audit assignment consists of a preliminary survey,
organizing a kick-off meeting and preparing an audit plan.
a. Preliminary survey
Before the audit is scheduled to take place a preliminary survey should be undertaken in
order to get an overview of the area to be audited.
This preliminary survey should provide the basis for planning the audit, and for
determining:
- The objectives of the audit;

- The scope of the audit and any specific areas that are to be given emphasis
because they are high risk, are of critical importance to the system;
- Target dates for completion of each stage of the audit work;
- Which auditors are to be employed on the audit
It should involve:
- Review of the permanent audit file and previous audit reports,
- Review of the strategic and operational plans of the area to be audited;
- Current organization charts;
- Review of budget and management information;
- Initial discussions with management of the organizational units to establish
their objectives in the area to be audited;

b. Kick-off meeting
Prior to the kick-off meeting the internal auditors are required to have a Letter of
Authorization, signed by the Head of the Internal Audit unit. This will serve as
their pass for doing any audit within the audit plan.
The formal start of the audit is the Kick-off meeting which should be held
between the Head of the department to be audited and the Chief Internal Auditor
accompanied by the Team Leader/Auditor carrying out the work.
This meeting is intended to:
- Introduce the audit team
- Outline the objective of the audit and give a brief overview of the method to be
used
- Ask management to suggest particular areas which they think should be examined
- Discuss areas which internal auditors consider to be the focus of the audit
- Explain that internal audit will keep them informed of the progress of the audit
- Request additional information about the business process under audit
c. Audit Plan
After the preliminary survey and the kick-off meeting, an Audit Plan should be
prepared.
2. Ascertaining and recording the system
Purpose for describing the system
- To confirm the auditor's understanding of the system by formulating clear process /
system objectives;
- To establish any interfaces between systems;
- To establish how the system fits within the Organization;
- To provide a basis for assessing the extent to which internal controls prevent or
detect and correct errors.
When recording the system, it is important to:
- Record the system as it actually operates;

- Identify and record all types of procedures and transactions covered by the system
under audit (including exceptions such as national holidays, staff holiday periods,
unusual overtime working hours etc);
- Look carefully for identifying controls - they may not always be clearly indicated;
- Record only the elements of the system essential to the audit;
- Copy only essential documents. Unnecessary copying of documentation can be
wasteful and tends to make it difficult to review audit files;
- Remember that the description of the system found in such documentation may be out of
date and incomplete.
Documenting of System:
- Narrative
- Flowchart
Narrative
A narrative description helps to give a complete picture of the system. It provides a
detailed record of the system under audit and, taken together with other forms of system
records.
It should cover:
- System objectives and targets;
- Links and interfaces with other systems;
- The environment in which the system operates;
- The allocation of authority and responsibility;
- All key controls and systems processes;
- Exceptional situations or cases that may need to be dealt with by the system;
- Ad hoc controls such as management reviews.
Flowchart
Flowcharting is a diagrammatic method of recording and describing a system,
which shows the flow of documents or information and the related internal controls
within a system.
Flowcharts can help:
- To obtain a perspective on the whole system;
- Gain an understanding of the auditee's objectives;
- Identify segregation of duties;
- Help the person supervising the audit to identify areas which are not being covered by
the audit.

Checking if the system is recorded correctly


Walk-through testing
In conducting walk through tests, the auditor looks primarily for evidence of the
existence of controls. This may involve examining a small number of different transactions at
each stage of the process or following one transaction through from start to finish.
Developing an Audit Program
Once you have identified and confirmed the system/process or activity objectives, the
audit manager should start developing the Audit Program
In developing an audit program, the first step is to record the process objectives in
column 1. The purpose of this chart is to guide the auditor through the audit. It is also an
instrument for management and quality control. Its content shows how well the auditor
understood the operations and process objectives; his capability to identify controls; risk
awareness; level of knowledge to assess controls vs. risks and process objectives; ability to
determine the extent of substantive and compliance tests, as well as to create and carry out tests.
The last column, Conclusions and Recommendation, contains information about the results
of the audit as a whole or of a specific step of the audit or procedure.

3. Identifying system objectives


- Establishing control objectives
The key to an effective system based audit is to identify the system objectives that
determine the control objectives against which controls in the system can be audited. The first
step is to identify the objectives laid down by management for the system. By obtaining an
understanding of what the objectives of the system are, it will help you to identify what the
control objectives should be. The control objectives you set need to be consistent with the
objectives of management in the organization, and should be discussed and agreed with
management before you start any evaluation of controls. Once the auditor has determined the
control objectives they should be recorded in Audit program (column 2). This Audit program will
be filled gradually for each step of the audit.
4. Identifying risks & evaluating controls against risks
- Identification of risks
Risks are classified according to two criteria:
1. the probability for a certain risk to appear in reality;
2. its impact, which can be identified
Identification of key controls
For each risk, using the description of the system you prepared, you should then identify
the control or controls which are intended to manage that risk. Full details of the control should
be recorded in column 4 in Audit program. It is important that you record the actual controls in
existence, and not the ideal controls for the situation, or the controls that management would like
to have in place. Details should also be included of who (grade and position) performs the
control, and where.
Evaluating controls involves two stages:
evaluating the system design to establish the adequacy of control, and
evaluating the operation of the system to establish the effectiveness of control
5. Testing controls
There are two main types of testing:
- test of controls or compliance test and
- substantive testing.
Sampling techniques
In order to reach a judgement on the effectiveness of the internal control system adequate
tests need to be performed on the system. If the review of the system and the walk-through tests
indicate a weakness in the system, then further tests may be conducted to determine whether that
weakness has been exploited and to what extent.
In order to carry out these tests on these controls it is necessary to use sampling
techniques.
6. Arriving at conclusions
It is important that you think about your findings and conclusions throughout the
evaluation and testing processes. The Record of Audit Findings Form provides a useful
structure for handling the information you have obtained and to think things through in a

logical way when writing the audit report. It is designed to help the auditor to establish
the causes of the issues or weaknesses which have been identified from the evaluation of
the system of control, and to develop suitable recommendations.
It should be completed as testing is being done and the nature and significance of
control weaknesses are established. Wherever possible try to group related weaknesses
together on the Audit Findings Summary Form. This will make it easier to plan your audit
report.
This is the stage of a system based audit where the auditor considers the results of
previous work before reporting to audit management and to the management of the area
audited.
7. Audit report and action plan
8. Audit Files
The working papers and any other documentation related to each audit assignment
should be held on dedicated audit files. Those files should be structured in a clear and
logical way in order to make it easy for anyone to find what they need and to understand
what has been done, and why. The files can be held in electronic or paper form.

Information System Auditing


IS audit refers to the audit of systems that provide information, to assure management that the
information generated from these systems is reliable.
Why Information System Auditing Is Important
Growing access to and use of computers
Growing concern for data security due to proliferation of technology
Existence of computer fraud
Complexity of systems and computers
Protectors of information assets and privacy

INFORMATION SYSTEM RISK


When performing an IS audit, auditors should ascertain that the following objectives
are met:
Security
Program development
Program modifications
Processing
Source
Computer data files

Role of the IS Auditor
The role of audit in computerized information systems is vital to the continuing welfare
of the organization. The high cost of investing in information technology in terms of set-up costs
and its impact on achieving objectives results in an abundance of control implications.
Options for securing IS/IT skills for internal auditing:
o Use a consortium to provide the necessary skills
o Use a small number of IS auditors (perhaps one company expert) to assist the other
auditors as they tackle computerized systems
o Train general auditors in IS audit techniques
o Rotate auditors between groups, with one group specialized in computerized systems
o Use consultants either to perform certain computer audit projects or to assist the general
auditors
o View computer audit as the audit of MIS and give computer audit projects a wider base,
covering managerial controls as well as computerized ones
An IS auditor will ideally have some expertise in areas such as:
o Systems development and project
o Computerized applications such as payroll, payment, income, performance reporting and
so on
o Information system security standards
o Computer assisted audit techniques
o System development and project management
o Disaster recovery and contingency planning
o E-business and Internet design and security
o Overall IS strategy
o Data protection and legal requirements
o Specialist technical areas such as network management and database management systems

The Consulting Approach


Consultancy is the process of providing expert knowledge, guidance and resources, to
deliver a specific result or outcome, or to solve a particular problem or challenge. Usually this is
delivered on a contractual basis from one organization to another as a discrete commercial piece
of work.
Six types of consulting work:
1. Formal engagements
2. Informal engagements
3. Emergency
4. Assessment services
5. Facilitation services

6. Remedial services
ASSURANCE: adequacy of entity internal control, adequacy of process or sub-entity
internal control, adequacy of ERM, adequacy of governance process, compliance with laws
and regulations.
CONSULTING: improvement in efficiency or effectiveness, assistance in design of corrective
actions, controls needed for new systems design, benchmarking.
Assurance services:
Quality of information about processes
Effectiveness of controls
Reliability of information
Compliance with company, regulatory, or government procedures
Effectiveness and efficiency of operations

Consulting services:
Advisory or partnering activities that add value and improve operations
Both parties must agree on nature and scope of services
Identifies problems and potential solutions
Advisory; does not include decision making

1. INITIAL TERMS OF REFERENCE FOR THE WORK
2. PRELIMINARY SURVEY
3. ESTABLISH SUPPOSITIONS
4. AUDIT PLANNING AND WORK PROGRAMME
5. DETAILED FIELD WORK
6. DETERMINE UNDERLYING CAUSES OF PROBLEMS
7. DEFINE AND EVALUATE AVAILABLE OPTIONS
8. TEST SELECTED OPTIONS
9. DISCUSS WITH MANAGEMENT
10. REPORT
FIGURE 7.10 PERFORMING A CONSULTING INVESTIGATION

[1] Initial terms of reference for the work


Key manager briefing and discussions on the review.
Outline symptoms and main problem areas.
Management success criteria established.
Brief history of events relevant to the issue in hand documented.
Indication of specific constraints acknowledged by management.
Management policy on unacceptable solutions, e.g. staff cuts or major restructuring.
Indication of future plans that management has set for short and medium terms.

[2] Preliminary survey


Committee/board minutes that impact on the review.
Brief discussions with staff to assess general consistency with key problems.
Performance indicators.
Analyze symptoms and capture what is really wrong.
Internal reports and budgets. Relevant published research that relates to the particular field of
work. Visits to the location.

[3] Establish suppositions
Effects of the problem on performance, quality and value for money.
Materiality of the problem.
Hierarchy of suppositions, the most significant ones first.
Indications of how the suppositions may be tested to establish whether they are correct or not.
Likely causes of problems
Overall extent of the problem.

[4] Audit planning and work programme

Number of auditors required and time budgets.
Levels and types of expertise required.
Supervision of staff assigned to the project.
Guidance on testing.
Review arrangements covering audit work as it is performed.
Reporting arrangements.
Programme of work.
Time available and deadlines.
Administrative arrangements including travel, expenses, accommodation, computers, etc.

[5] Detailed field work


Programmed interviews.
Available research that will have to be secured and taken on board.
Re-performance of specific tasks if required.
Independent expert opinion where appropriate.
Inspection.
Cause-and-effect analysis.
Statistical analysis.
Questionnaires.
Construction of new performance indicators if required.
Other specific testing routines.

[6] Determine underlying causes of problems


Detailed discussions with management.
Review of managerial structures.
Review of existing managerial practices.
Determination of the extent of influence of the external environment.
Level of managerial control and guidance available to staff.
Establishing a clear relationship between problems and causes.
Distinguishing between symptoms and these underlying causes.

[7] Define and evaluate available options


Extensive research in isolating suitable options.
Ideas from managers and staff.
Textbook solutions can form a starting place.
Model building.
The application of creative thinking.
Determination of relevant best practice elsewhere that is transferable.

[8] Test selected options


Defined benefits.
Staff expertise available and required.
Actual financial costs.
Resource implications generally.
Motivational aspects and impact on work flows.
Timetable for implementation.
Political aspects.
Knock-on effects for other systems.

Incremental improvements or the more risky big bang approach.
Overall impact on the problem.
Whether it complies with the fundamental rules of successful change management.

[9] Discuss with management


Constraints that confront management, including practicalities.
Agree factual content of report.
Bear in mind the costs of the audit and the need to provide a defined benefit.
Watch the psychology of negotiations, e.g. seek partial compromise where necessary.
Keep in mind managerial objectives and their real success criteria.
Consider level of work carried out and the extent to which we can be sure of our position.
Consider overall acceptability of the audit work.

[10] Report
Report needs to be formally cleared for final publication.
It should ideally be an extension of the oral presentation.
Make sure report is factually correct.
Report structure should be good and well written.

FIGURE 7.11 Standard report structures.

INTRODUCTION
The party commissioning the work, the fact that it is consultancy, and the difference between VFM
and systems audits
BACKGROUND TO THE OPERATION
This will normally include: the main activities, brief history, previous reviews, and main
suppositions
MAIN FINDINGS
For each of the suppositions
RECOMMENDATIONS
Options should be defined, stating, where appropriate, any quantified savings and the effect on
official budgets
APPENDICES
May consist of performance indicators
COMPLIANCE
Compliance is an issue for the internal auditor and during the audit an assessment will be made
of the extent to which the business is adhering to laws, regulations and control standards.
A procedure for carrying out probity audits is:
1. The work will be agreed with senior management and this may involve a one-off visit or a
series of programmed visits.
2. The appropriate line manager should be contacted and a date set for the visit. It is possible to
distribute an audit information brochure in advance of this visit.
3. It is possible to apply standardized documentation to this programmed audit work. Probity
visits should not be allowed to consume excessive audit resources and the approach will be to
apply junior staff wherever possible and work to tight budgets of up to, say, a week. This will
depend on the type of audit.
4. Visits to remote establishments/operations should include:
A cash-up.
Vouching a sample of transactions from the banking arrangements.
Inventory checks covering all valuable and moveable items.
A check on a sample of local purchases and tests for compliance, integrity and effect on the cost
centre.
A programme of tests applied to all areas that may be vulnerable to fraud or irregularity.
Verification of a sample of returns made to head office.
Other checks as required or agreed with management.

5. The work undertaken will have to meet the standards set out in the audit manual and any
appropriate documentation, and report format should be agreed with the audit manager.
6. The standards of review should comply with the audit manual, and supervisory review and
performance appraisal documents should be used by audit management.

Value for money audit

A broad-based audit approach with a focus on the economy and efficiency of operations and the
effective achievement of objectives.

The three Es aim to achieve different objectives in the organization:


Economy: resources required to perform the operation are acquired the most cost effectively.
Efficiency: resources are employed to maximize the resulting level of output.
Effectiveness: final output represents the product that the operation was set up to produce.

Right Structure
Once a clear audit strategy of risk-based assurance and consulting work is in place, audit
management must then turn its attention to the way resources are organized. This will have a
crucial effect on the delivery of audit services. Furthermore, there are many options underpinning
the type of structure that should be in place, which have to be considered and decided on. Some
of these options are:
Decentralized.
Centralized.
Service-based.
Client-based
Mixed structures.
A project-based approach.
Consultancy-based.
Hierarchical structures.
Setting an Audit Strategy
The audit strategy is based on the following considerations:
The characteristics of the engagement
Reporting objectives
Timing of the audit
Nature of communications
Significant factors in directing engagement team efforts
The results of preliminary engagement activities
The knowledge gained on other engagements
The nature, timing, and extent of resources available for the engagement
Establishing an audit strategy

Risk-based Internal Audit (RBIA) is an internal audit methodology that focuses primarily on the
inherent risk in the activities or systems under review and provides assurance that management is
managing that risk within the defined risk appetite.
A risk survey necessitates discussion with middle management and involves:
a definition of the audit unit;
an assessment of the relative risks inherent in each unit;
research into the type of problems units attract;
risk ranking related to resources subsequently assigned via an audit plan.

The Corporate Risk Strategy


1. Risk Assessment
IIA Performance Standard 2010 makes it clear that: The chief audit executive must
establish risk-based plans to determine the priorities of the internal audit activity,
consistent with the organization's goals.
2. Management Participation
IIA Performance Standard 2010.A1 states that: The internal audit activity's plan
of engagements must be based on a documented risk assessment, undertaken at least
annually. The input of senior management and the board must be considered in this
process.
Management participation includes:
explaining that audit operates to a risk-based strategy;
ensuring that this strategy is based primarily on addressing organizational risk and
control needs;
publicizing the link between risk and resource allocation;
keeping management informed as to changes to the existing strategies;
securing avenues whereby relevant information may be imparted to and from
management;
clarifying the agreed cut-off points between management's and internal audit's roles;
retaining a degree of independence that gives audit the final say in strategy and
planning.

Features of Audit Strategy:


1. Achievable
2. Implemented
3. Long-term plans
4. Preliminary Surveys
5. Contingency Allowances

Resourcing the Strategy

The IIA Performance Standard 2030 makes it clear that: The chief audit executive must ensure
that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the
approved plan.
This is required by IIA Practice Advisory 2030-1 which makes it clear that:
The chief audit executive (CAE) is primarily responsible for the sufficiency and
management of internal audit resources in a manner that ensures the fulfillment of
internal audits responsibilities, as detailed in the internal audit charter. This includes
effective communication of resource needs and reporting of status to senior management
and the board. Internal audit resources may include employees, external service
providers, financial support, and technology-based audit techniques. Ensuring the
adequacy of internal audit resources is ultimately a responsibility of the organization's
senior management and board; the CAE should assist them in discharging this
responsibility.
Resource management and human resource management (HRM) are major components of the
strategic management process. It is a key part of the strategic human resource management
process, which is fundamentally about matching human resources to the strategic and
operational needs of the organization and ensuring the full utilization of those resources.
Managing Performance
Staff appraisal is a management control that audit would tend to recommend when undertaking
an audit where staffing is included in the terms of reference for the work.
For example, a target for a senior auditor may be:
To prepare and implement a new and revised audit manual that complies with best
practice and adopted audit standards by date X (using 100 audit hours).
Performance Measures:
Time budget
Time frame
Qualitative
Acceptable
Implemented

Examples of some specific and team and overall unit performance targets may be listed:
extent to which the annual and quarterly plan has been achieved;
the percentage of recoverable hours charged;
time taken to respond to management requests for assistance;
staff turnover;
absenteeism rate;
number of improvements to the audit manual;
time taken by auditors to get access to audit management;
level of managerial agreement to audit risk criteria;
level of involvement of auditee in the audit terms of reference;
number of recommendations agreed upon;
level of complaints;
level of staff grievances against management;
time taken to issue audit reports after completion of the audit;
level of suggestions from staff to audit management;
level of compliance with the audit manual;
regularity of group and departmental meetings;
the percentage of staff with poor timekeeping;
number of aborted audits;
level of problems found during work reviews;
extent to which audit objectives have been met;
number of audits completed on time;
level of audits within time budget

Dealing with Typical Problems
Excess Hours Charged
Inadequate Working Papers
No Sense of Direction
No Follow-up Procedure

Excess Hours Charged


This occurs where:
the budget was not set properly;
the budget is not seen as a serious issue;
authorization was not secured for extended hours;
the audit entailed resolving unforeseen problems and/or difficulties;
the client asked for additional work;
the auditor decided to do additional work;
the auditor was dumping time into the job, i.e. not all charged hours were worked on the
project.

Inadequate Working Papers


Audit management must as a minimum:
set a documentation standard that covers permanent and current audit files;
train staff in these standards;
review all audits and seek compliance with the standards;
review the filing system: destroy old files or microfilm, archive or retain them on disk;
maintain a clear-desk policy that ensures files and papers are not scattered;
adopt automated papers;
use standardized documentation;
keep the documentation standard under review.

No Sense of Direction
The CAE should:
prepare and implement an audit strategy that pushes internal audit from one period to
another;
publicize this strategy and seek support from staff by involving them in its formation and
use;
market internal audit and recognize achievement so that staff can relate to success
criteria;
implement suitable HRM policies and programmes;
remove blockages to performance, particularly with awkward clients who may impair
audit's right of unrestricted access to documents, records and information;
keep internal audit fresh and vibrant by regular section meetings, days out, seminars,
social events and an invigorating audit manual.

No Follow-up Procedure
The internal auditor needs to:
target high risk systems;
review the adequacy and effectiveness of the systems of control that protect this system;
alert management to any problems with these controls where necessary;
advise management of ways that systems of control may be improved to handle risk;

ensure management responds to audit findings and indicates what it intends to do;
monitor the action taken by management;
revisit the audit after a suitable period to highlight further action management needs to
take in respect of its controls.

Audit Manual
A device that involves the accumulation and dissemination of all those documents, guidance,
direction and instructions issued by audit management that affect the way the audit service is
delivered

Role of Audit Manual


Defining standards and methods of work
Communicating this to auditors
Establishing a base from which to measure the expected standards of performance

The role of the audit manual:


Audits need to be managed, and the best tool for audit management is an audit manual. An
internal audit manual is an in-house guide to the contents of an audit; it is a reference book which
can be consulted when an audit question arises.

The Three Main Elements:


The management of internal audit
The operational aspects of internal audit
Administrative matters concerning the audit function
Importance of Audit Manual
1. Serve as a guide to those responsible for internal audit activities.

2. Represent a key benchmark by which internal audit can be measured.

3. Be a reference for undertaking an audit assignment.

4. Aid in making effective decisions.

5. Assist in undertaking staff appraisals, training, and development.

6. Enhance staff morale and productivity.

An audit manual typically is divided into several sections:

1. The Internal Audit Profession and Related Material: the IIA's International
Professional Practices Framework, COBIT, ISACA standards, and regulatory requirements.

2. Corporate Operating Policies: vision, mission, organizational structure and
business fundamentals, industry risk profile, corporate governance, and control frameworks.

3. Overview of the Internal Audit Function: audit charter, enterprise risk
management charter, audit committee charter, departmental chart, risk universe, audit
universe, and annual audit plan.

4. Audit Procedures and Techniques: audit process, audit software, engagement
planning, audit fieldwork, audit reporting, audit effectiveness questionnaire, follow-up
information, operational auditing, IT auditing, and fraud auditing and investigation.

5. Audit Staff Resources: staff levels, job descriptions, training and development,
tuition assistance, transfers, rotational staff, and use of outside resources.

6. Audit Administration: staff meetings, intranet, acquiring routine and capital items,
department's budget and monthly performance reports, corporate credit cards, audit
committee reports, annual reporting, staffing and management surveys, and benchmarking
and key performance indicators.

7. Reference Material: acronyms; glossary; governance, risk, and control resources;
audit manual maintenance; and audit library.

DELEGATING AUDIT WORK

DELEGATION PROCESS

Determine required results
Assign the audit project
Delegate authority for project
Establish suitable control mechanisms
Review outcome: Does it equal required results?

DELEGATION IN INTERNAL AUDIT

Delegation allows auditors to perform day-to-day work unimpeded, around audit plans where
each internal auditor has dened responsibilities.

TASKS & PROJECTS OF AUDITORS

Audit brochures

Marketing logos and web-based material

The annual report

Client presentations

Special projects
Internal reviews of audit les

Quality assurance programmes

The audit charter

Auditing standards

Staff training and development

Delegation creates the drive for the audit manager to define and communicate exactly what is to
be achieved.

Manager/subordinate requirements

Manager               Subordinate
Wants good results    Enjoys the challenge
Wants to look good    May make mistakes
Wants to save time    Needs support
Wants no problem      Wants to work it out

AUDIT INFORMATION SYSTEMS

TIME MONITORING SYSTEM


AUDIT TIME MONITORING SYSTEM
JOB CODING SYSTEM

ESTABLISHING A NEW INTERNAL AUDIT SHOP

The audit charter

Audit standards

The code of conduct

Recruitment and selection

The business risk assessment

Information systems (IS) audit

Fraud work

Business planning

Assurance and consulting services

Budgets

The launch of the new service

The audit manual

Internal audit strategy

Tells the organization what it will get from its in-house audit team.

External service provider

A person or firm, independent of the organization, who has special knowledge, skill, and
experience in a particular discipline.

An internal auditing department with vision is:

PROACTIVE

INNOVATIVE

FOCUSED

MOTIVATED

INTEGRATED

AUDIT PLANNING PROCESS

Assess risk priorities. The relative risk of each audit area must be identified, with reference to
the corporate risk database.

Resource prioritized areas. Suitable resources for these areas must be provided.

Audit strategic plan. A plan to reconcile workload with existing resources should be developed.
This should take on board the various constraints and opportunities that are influential now and
in the future. The strategic plan takes us from where we are to where we wish to be over a
defined time frame, having due regard for the audit budget.

Annual audit plan. A formal audit plan for the year ahead is expected by most audit
committees.

Quarterly audit plan. A quarterly plan can be derived from the annual plan. Most organizations
experience constant change making the quarter a suitable time-slot for supportive work
programmes.

Outline objectives statement. Audit management can make a one-line statement of
expectations from an audit from work done so far in the planning process.

Preliminary survey. Background research requires thought on key areas to be covered in an
audit. This ranges from a quick look at previous files and a conversation with an operational
manager to formal processes of many days of background work involving a full assessment of
local business risks.

Assignment plan. We can now draft an assignment plan with formal terms of reference,
including budgets, due dates and an audit programme.

The audit. Progress should be monitored with all matters in the terms of reference considered.

The reporting process. Planning feeds naturally into reporting so long as we have made proper
reference to our plans throughout the course of the audit.

ASSESS RISK PRIORITIES


FACTOR                  SCORE WEIGHT
Materiality             1-10
Impact on reputation    1-10
State of control        1-10
Management              1-10
Score for the system    4-40

RESOURCE PRIORITIZED AREAS


Boardroom arrangements and accountabilities.
Remunerations committee.
The role and impact of audit committee.
The impact of NEDs on the board accountability.
Factors that encourage financial misreporting.
Reliability of audit committee and external audit coverage (and independence).
Control framework in use.
Reporting on internal controls.
Risk assessment and risk management arrangements.
Ethical standards and staff awareness.
Anti-fraud policies and whistleblowing arrangements.
Project management
Control activities and performance management.
Information systems
Communications, across and up/down the organization.
Control assurance reporting, and underlying evidence such as CRSA.
Control environment, ethics and tone at the top.
Compliance teams and routines. Fraud policies and security.
Accreditation systems such as ISO 9000, EFQM, IiP.
HR policies such as staff training, competencies, vetting and learning programmes.
Financial systems and validation routines by the financial controller.

AUDIT STRATEGIC PLAN

o Corporate board level risk assessment


o Risk management
o Operational level CRSA programmes
o Discussion
o Risk database
o Discuss the results

ANNUAL AUDIT PLAN

It fits with the way the organization responds to corporate governance.
It is mainly driven by the corporate risk register.
The board/audit committee accepts that this is the best way to apply audit resources.
It underpins and links into the annual opinion that the CAE provides on the system of
internal control.
It is dynamic, flexible and responds to the changing demands of risk management and
accountability.

OUTLINE OBJECTIVES STATEMENT

The risk management processes which management has put in place within the
organisation are operating as intended.
These risk management processes are of sound design.
The responses which management has made to risks which they wish to treat are both
adequate and effective in reducing those risks to a level which is acceptable to the board.
And a sound framework of controls is in place to sufficiently mitigate those risks which
management wishes to treat.

ASSIGNMENT PLAN

Corporate objectives.
Identification of risks to achieving objectives.
What is the risk appetite of the business?
Is the risk management process an adequate and effective process for identifying,
assessing, managing and reporting on risk?
For sound processes the organisation's view on risk can be used, and where this is not the
case, audit will wish to facilitate the identification of risk with management and help
refine the overall risk management process.
Determine risk universe.
Determine scope and priority of assignments.
Based on risks select areas for review.

For each area, review adequacy of risk management process.
Where risk management is largely okay, determine how management gains assurance,
and provide audit assurance. Where this is not the case, facilitate improvements.

THE REPORTING PROCESS

November: start the new planning process and build in extra capacity for consulting
requests from management (via formal assessment criteria).
December: draft risk assessment forms and review of the corporate risk database. One audit
team uses the following outline allocation of productive audit time:
50% annual audit plan, 20% emerging risk issues, 7% special investigations, 20% special
projects, 3% follow-up.
January/February: analyse information and talk to senior management and the board,
and include all agreed consulting projects in the audit plan.
March: finalize the annual audit plan after having discussed the draft plan with the audit
committee.
End March: publish the plan and allow update facilities.
April: plan now live.

AUDIT PROCESS AND FIELDWORK


INTERNAL AUDIT PROCESS
FOUR STAGES OF THE IA PROCESS
1. Planning
2. Fieldwork
3. Audit Report
4. Follow-up Review
PLANNING
a. Announcement Letter
b. Initial Meeting
c. Preliminary Survey
d. Internal Control Review
e. Audit Program
a. Announcement Letter
This letter communicates the scope and objectives of the audit team assigned to
the project.
b. Initial Meeting
During this meeting, the client describes the unit or system to be reviewed, the
organization, available resources (personnel, facilities, equipment, funds), and
other relevant information.
c. Preliminary Survey
In this phase the auditor gathers relevant information about the unit in order to
obtain a general overview of operations.
d. Internal Control Review
The auditor will review the unit's internal control structure.
e. Audit Program
This program outlines the fieldwork necessary to achieve the audit objectives.

CATEGORIES OF AUDIT PROCEDURES


1. Risk-assessment procedures
2. Further audit procedures
a. Test of controls
b. Substantive procedures, including test of details and substantive analytical
procedures
1. Risk-assessment procedures
- performed to obtain an understanding of the entity and its environment, including the entity's
internal control, to identify and assess the risks of material misstatement, whether due to fraud or
error, at the financial statement and assertion levels.
2. Further audit procedures
a. Test of controls
b. Substantive procedures
- performed by an auditor to detect whether there are any material misstatements in
accounting transactions.
SPECIFIC AUDIT PROCEDURES
a. Inspection of records and documents
b. Inspection of tangible assets
c. Observation
d. Inquiry
e. Confirmation
f. Recalculation and re-performance
g. Analytical procedures
QUALITY OF AUDIT EVIDENCE
Sufficient
Relevant
Reliable
Useful
1. Sufficient
-sufficient information is factual, adequate and convincing so that a prudent, informed person
would reach the same conclusions as the auditor
2. Reliable
-reliable information is the best attainable information through the use of appropriate
engagement techniques
3. Relevant
Supports the engagement observations and recommendations and is consistent with the
objectives for the engagement.

4. Useful
Ensuring that the information gained helps the organization meet its goals.
WHAT NOT TO DO WHEN GATHERING INFORMATION
1. Assume or presume that documentation exists.
2. Accept what you are told without checking the supporting facts.
3. Fail to document information gathered, analyzed and evaluated.
4. Collect too much information.
5. Collect irrelevant information.
6. Fail to protect the information gathered.
FIELDWORK
a. Transaction Testing
b. Advice & Informal Communications
c. Audit Summary
d. Working Papers
a. Transaction Testing
-the audit team selects a sample of transactions and then gathers and inspects sample
documentation for evidence of compliance with stated procedures and practices.
b. Advice & Informal Communications
-As the fieldwork progresses, the auditor discusses any significant findings with the
client.
c. Audit Summary
-the auditor summarizes the audit findings, conclusions, and recommendations necessary for the
audit report discussion draft.
d. Working Papers
- vital tool of the audit profession
- they are the support of the audit opinion
AUDIT REPORT
principal product in which we express our opinions, present the audit findings, and
discuss recommendations for improvements.
Includes the following:
a. Discussion Draft
b. Exit Meeting
c. Formal Draft
d. Final Report
e. Client Response
f. Client Comments
a. Discussion Draft
- prepared for the unit's operating management and submitted for the client's review
before the exit meeting.
b. Exit Meeting
- At this meeting, we strive to reach an agreement on our observations and the approach to
be taken by management to implement recommendations.
c. Formal Draft
- The auditor then prepares a formal draft, taking into account any revisions resulting
from the exit conference and other discussions.
d. Final Report
- The final report is prepared based on the results of the exit conference and the discussion
draft report review.
- Confidential copies of the final report are distributed to the Dean/Director of the audited
area, the appropriate Vice-President(s), and the President's Office.
e. Client Response
- The client has the opportunity to respond to the audit findings prior to issuance of the
final report; the response can be included in or attached to our final report.
f. Client Comments
- Feedback has proven to be very beneficial to us, and we have made changes in our
procedures as a result of clients' suggestions.
AUDIT FOLLOW-UP
Within approximately one year of the final report, Internal Audit will perform a follow-up review
to verify the resolution of the report findings.
Includes the following:
a. Follow-up Review
b. Follow-up Report
c. Audit annual report to the board
a. Follow-up Review
The client response letter is reviewed and the actions taken to resolve the audit report
findings may be tested to ensure that the desired results were achieved.

b. Follow-up Report
The review will conclude with a follow-up report which lists the actions taken by the client to
resolve the original report findings.
c. Internal Audit Annual Report to the Board
-the contents of the audit report, client response, and follow-up report may also be
communicated to the Audit Committee of the Board as part of the Internal Audit Annual Report.

Are all audits planned, or does the Internal Audit Department conduct surprise audits?
How does the Internal Audit Department select areas to be audited or reviewed?
