Compilation of Handouts
Internal control is a process, effected by an entity's board of directors, management and other
personnel, designed to provide reasonable assurance regarding the achievement of objectives
relating to:
Operations
Reporting
Compliance
One writer has highlighted the dynamic of controls by saying that the purpose of any control
system is to attain or maintain a desired state or condition.
Figure 4.1: the control model (objectives, inherent risk, strategy, control, achievements)
Management's Responsibilities
Turnbull has made clear where control responsibility lies in an organization:
The board of directors is responsible for the company's system of internal control.
While the board sets overall direction, it is management who must implement good controls by
considering the following:
The IIA's Implementation Standard 2120.A1 provides four key aspects of the scope of controls:
Based on the results of the risk assessment, the internal audit activity should evaluate the
adequacy and effectiveness of controls encompassing the organisation's governance, operations,
and information systems. This should include:
Reliability and integrity of financial and operational information.
Effectiveness and efficiency of operations.
Safeguarding of assets.
Compliance with laws, regulations, and contracts.
Control Framework: COSO
What is COSO?
COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission. COSO:
was established in 1985
was the sponsor of the National Commission on Fraudulent Financial Reporting
was created through sponsorship of the AICPA, American Accounting Association, FEI, IIA
and Institute of Management Accountants
issued the 1992 Internal Control-Integrated Framework
in 2010, began a project to update the 1992 framework
formed an advisory council of representatives from industry, academia, government and
non-profits to provide input
Board Members
David L. Landsittel - COSO Chair
Mark S. Beasley and Douglas F. Prawitt - American Accounting Association
Richard F. Chambers - The Institute of Internal Auditors
Charles E. Landes - American Institute of Certified Public Accountants
Marie N. Hollein - Financial Executives International
Sandra Richtermeyer and Jeffrey C. Thomson - Institute of Management Accountants
Internal control helps entities achieve important objectives and sustain and improve performance.
COSO's Internal Control-Integrated Framework (the Framework) enables organizations to
effectively and efficiently develop systems of internal control that adapt to changing business
and operating environments, mitigate risks to acceptable levels, and support sound decision
making and governance of the organization.
PRINCIPLES CODIFICATION
Control Environment
Demonstrates commitment to integrity and ethical values
Exercises oversight responsibility
Establishes structure, authority, and responsibility
Demonstrates commitment to competence
Enforces accountability
Risk Assessment
Specifies suitable objectives
Identifies and analyzes risk
Assesses fraud risk
Identifies and analyzes significant change
Control Activities
Selects and develops control activities
Selects and develops general controls over technology
Deploys through policies and procedures
Information and Communication
Uses relevant information
Communicates internally
Communicates externally
Monitoring Activities
Conducts ongoing and/or separate evaluations
Evaluates and communicates deficiencies
Control Environment
The control environment sets the tone of an organization, influencing the control consciousness
of its people.
Risk Assessment
Every entity faces a variety of risks from external and internal sources that must be assessed.
Control Activities
Control activities are the policies and procedures that help ensure management directives are
carried out.
Information and Communication
Pertinent information must be identified, captured and communicated in a form and time frame
that enable people to carry out their responsibilities.
Monitoring
Internal control systems need to be monitored, a process that assesses the quality of the
system's performance over time. This is accomplished through ongoing monitoring activities,
separate evaluations or a combination of the two.
Control Framework: CoCo
The principles may be organized according to the four groupings of the CICA Criteria of Control
(CoCo) framework.
Purpose
The model starts with the need for a clear direction and sense of purpose.
Commitment
The people within the organization must understand and align themselves with the organization's
identity and values.
Capability
People must be equipped with the resources and competence to understand and discharge the
requirements of the control model.
Action
This stage entails performing the activity that is being controlled. Before employees act, they
will have a clear purpose, a commitment to meet their targets and the ability to deal with
problems and opportunities.
Control Framework: CobiT
This control standard, known as CobiT, 3rd edition, covers security and control for information
technology (IT) systems in support of business processes and is designed for management, users
and auditors. Several definitions are applied to this standard, including:
Control
IT control objective
IT governance
CobiT has four main components (domains), and within these domains there are a further 34
high-level control processes:
planning and organization;
acquisition and implementation;
delivery and support;
monitoring.
Control Mechanisms
Control mechanisms are all those arrangements and procedures in place to ensure the business
objectives may be met. They consist of individual mechanisms used by people and processes
throughout the organization, and they should exhibit certain defined attributes:
Types of Controls
Principal controls may be categorized in a number of different ways. One way is to view them as
being classified as follows:
1. Directive - to ensure that there is a clear direction and drive towards achieving the stated
objectives.
Examples:
Organization structure
Policies
Procedures
Management directives
Guidance statements
Job/position descriptions
4. Corrective - to ensure that where problems are identified they are properly dealt with.
Examples:
Submit corrective journal entries after discovering an error
Complete changes to IT access lists if an individual's role changes
5. Recovery
Examples:
Prepare data backups from current systems
Storing documents and IT backups in a protected environment to ensure availability
Restore data from backup following a failure
6. Automated (IT)
Examples:
IT access permissions
System password requirements
Preset spending limits
Importance of Procedures
Integrating Controls
1. Performance: The process of assessing risk must fit and be integrated with the performance
management system.
2. Communications: The control model is improved by the addition of good communications in
the organization.
3. Policy, competence and training
Audit of inherent risk: Superimposed on the control model is the role of internal audit and
external audit.
Audit of residual risk: Internal audit will also be concerned that the risks that remain after
controls have been applied are fully understood and acceptable.
Statement of internal control: One important constituent of the control model is the feed into
the published statement on internal control.
The figure shows the distinction between the two audit approaches.
- The scope of the audit and any specific areas that are to be given emphasis
because they are high risk or are of critical importance to the system;
- Target dates for completion of each stage of the audit work;
- Which auditors are to be employed on the audit
It should involve:
- Review of the permanent audit file and previous audit reports,
- Review of the strategic and operational plans of the area to be audited;
- Current organization charts;
- Review of budget and management information;
- Initial discussions with management of the organizational units to establish
their objectives in the area to be audited;
b. Kick-off meeting
Prior to the Kick-off meeting the internal auditors are required to have a Letter of
Authorization, signed by the Head of the Internal Audit unit. This serves as the
auditors' pass for carrying out any audit within the audit plan.
The formal start of the audit is the Kick-off meeting which should be held
between the Head of the department to be audited and the Chief Internal Auditor
accompanied by the Team Leader/Auditor carrying out the work.
This meeting is intended to:
- Introduce the audit team
- Outline the objective of the audit and give a brief overview of the method to be
used
- Ask management to suggest particular areas which they think should be examined
- Discuss areas which internal auditors consider to be the focus of the audit
- Explain that internal audit will keep them informed of the progress of the audit
- Request additional information about the business process under audit
c. Audit Plan
After the preliminary survey and the kick-off meeting, an Audit Plan should be
prepared.
2. Ascertaining and recording the system
Purpose for describing the system
- To confirm the auditor's understanding of the system by formulating clear process /
system objectives;
- To establish any interfaces between systems;
- To establish how the system fits within the Organization;
- To provide a basis for assessing the extent to which internal controls prevent or
detect and correct errors.
When recording the system, it is important to:
- Record the system as it actually operates;
- Identify and record all types of procedures and transactions covered by the system
under audit (including exceptions such as national holidays, staff holiday periods,
unusual overtime working hours etc);
- Look carefully for identifying controls - they may not always be clearly indicated;
- Record only the elements of the system essential to the audit;
- Copy only essential documents. Unnecessary copying of documentation can be
wasteful and tends to make it difficult to review audit files;
- Remember that the description of the system found in such documentation may be out of
date and incomplete.
Documenting of System:
- Narrative
- Flowchart
Narrative
- A narrative description helps to give a complete picture of the system. It provides a
detailed record of the system under audit and is read together with other forms of system
records.
It should cover:
System objectives and targets;
- Links and interfaces with other systems;
- The environment in which the system operates;
- The allocation of authority and responsibility;
- All key controls and systems processes;
- Exceptional situations or cases that may need to be dealt with by the system;
- Ad hoc controls such as management reviews.
Flowchart
Flowcharting is a diagrammatic method of recording and describing a system,
which shows the flow of documents or information and the related internal controls
within a system.
Flowcharts can help:
- To obtain a perspective on the whole system;
- Gain an understanding of the auditee's objectives;
- Identify segregation of duties;
- Help the person supervising the audit to identify areas which are not being covered by
the audit.
awareness; level of knowledge to assess controls vs. risks and process objectives; ability to
determine the extent of substantive and compliance tests, as well as to create and carry out tests.
The last column with Conclusions and Recommendation contains information about the results
of the audit as a whole or specific step of the audit or procedure.
logical way when writing the audit report. It is designed to help the auditor to establish
the causes of the issues or weaknesses which have been identified from the evaluation of
the system of control, and to develop suitable recommendations.
It should be completed as testing is being done and the nature and significance of
control weaknesses are established. Wherever possible, try to group related weaknesses
together on the Audit Findings Summary Form. This will make it easier to plan your audit
report.
This is the stage of a system based audit where the auditor considers the results of
previous work before reporting to audit management and to the management of the area
audited. It is important that you think about your findings and conclusions throughout
the evaluation and testing processes.
7. Audit report and action plan
8. Audit Files
The working papers and any other documentation related to each audit assignment
should be held on dedicated audit files. Those files should be structured in a clear and
logical way in order to make it easy for anyone to find what they need and to understand
what has been done, and why. The files can be held in electronic or paper form.
Program development
Program modifications
Processing
Source
Role of the IS Auditor
The role of audit in computerized information systems is vital to the continuing welfare
of the organization. The high cost of investing in information technology in terms of set-up costs
and its impact on achieving objectives results in an abundance of control implications.
Options for securing IS/IT skills for internal auditing
o Use a consortium to provide the necessary skills
o Use a small number of IS auditors (perhaps one company expert) to assist the other
auditors as they tackle computerized systems
o Train general auditors in IS audit techniques
o Rotate auditors between groups, with one group specialized in computerized systems
o Use consultants either to perform certain computer audit projects or to assist the general
auditors
o View computer audit as the audit of MIS and give a wider base to computer audit projects,
covering managerial controls as well as computerized ones
The IS auditor will ideally have some expertise in areas such as:
o Systems development and projects
o Overall IS strategy
o Specialist technical areas such as network management and database management systems
6. Remedial services
ASSURANCE: adequacy of entity internal control, adequacy of process or sub-entity
internal control, adequacy of ERM, adequacy of governance process, compliance with laws
and regulations.
CONSULTING: improvement in efficiency or effectiveness, assistance in the design of corrective
actions, controls needed for new systems design, benchmarking.
Assurance services:
Effectiveness of controls
Reliability of information
Consulting services
[3] Establish suppositions
Effects of the problem on performance, quality and value for money.
Materiality of the problem.
Hierarchy of suppositions, the most significant ones first.
Indications of how the suppositions may be tested to establish whether they are correct or not.
Likely causes of problems
Overall extent of the problem.
Incremental improvements or the more risky big bang approach.
Overall impact on the problem.
Whether it complies with the fundamental rules of successful change management.
[10] Report
Report needs to be formally cleared for final publication.
It should ideally be an extension of the oral presentation.
Make sure report is factually correct.
Report structure should be good and well written.
INTRODUCTION
The party commissioning the work, the fact that it is consultancy, and the difference between VFM
and systems audits
BACKGROUND TO THE OPERATION
This will normally include: the main activities, brief history, previous reviews, and main
suppositions
MAIN FINDINGS
For each of the suppositions
RECOMMENDATIONS
Options should be defined, stating, where appropriate, any quantified savings and the effect on
official budgets
APPENDICES
May consist of performance indicators
COMPLIANCE
Compliance is an issue for the internal auditor and during the audit an assessment will be made
of the extent to which the business is adhering to laws, regulations and control standards.
A procedure for carrying out probity audits is:
1. The work will be agreed with senior management and this may involve a one-off visit or a
series of programmed visits.
2. The appropriate line manager should be contacted and a date set for the visit. It is possible to
distribute an audit information brochure in advance of this visit.
3. It is possible to apply standardized documentation to this programmed audit work. Probity
visits should not be allowed to consume excessive audit resources and the approach will be to
apply junior staff wherever possible and work to tight budgets of up to, say, a week. This will
depend on the type of audit.
4. Visits to remote establishments/operations should include:
A cash-up.
Vouching a sample of transactions from the banking arrangements.
Inventory checks covering all valuable and moveable items.
A check on a sample of local purchases and tests for compliance, integrity and effect on the cost
centre.
A programme of tests applied to all areas that may be vulnerable to fraud or irregularity.
Verification of a sample of returns made to head office.
Other checks as required or agreed with management.
5. The work undertaken will have to meet the standards set out in the audit manual and any
appropriate documentation, and report format should be agreed with the audit manager.
6. The standards of review should comply with the audit manual, and supervisory review and
performance appraisal documents should be used by audit management.
This is a broad-based audit approach with a focus on efficiency, economy of operations and effective
achievement of objectives.
Right Structure
Once a clear audit strategy of risk-based assurance and consulting work is in place, audit
management must then turn its attention to the way resources are organized. This will have a
crucial effect on the delivery of audit services. Furthermore, there are many options underpinning
the type of structure that should be in place, which have to be considered and decided on. Some
of these options are:
Decentralized.
Centralized.
Service-based.
Client-based
Mixed structures.
A project-based approach.
Consultancy-based.
Hierarchical structures.
Setting an Audit Strategy
The audit strategy is based on the following considerations:
The characteristics of the engagement
Reporting objectives
Timing of the audit
Nature of communications
Significant factors in directing engagement team efforts
The results of preliminary engagement activities
The knowledge gained on other engagements
The nature, timing, and extent of resources available for the engagement
Establishing an audit strategy
Risk based Internal Audit (RBIA) is an internal methodology which is primarily focused on
the inherent risk involved in the activities or system and provides assurance that risk is being
managed by the management within the defined risk appetite level.
A risk survey necessitates discussion with middle management and involves:
a definition of the audit unit;
an assessment of the relative risks inherent in each unit;
research into the type of problems units attract;
Risk ranking related to resources subsequently assigned via an audit plan.
The IIA Performance Standard 2030 makes it clear that: The chief audit executive must ensure
that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the
approved plan.
This is required by IIA Practice Advisory 2030-1 which makes it clear that:
The chief audit executive (CAE) is primarily responsible for the sufficiency and
management of internal audit resources in a manner that ensures the fulfillment of
internal audit's responsibilities, as detailed in the internal audit charter. This includes
effective communication of resource needs and reporting of status to senior management
and the board. Internal audit resources may include employees, external service
providers, financial support, and technology-based audit techniques. Ensuring the
adequacy of internal audit resources is ultimately a responsibility of the organization's
senior management and board; the CAE should assist them in discharging this
responsibility.
Resource management and human resource management (HRM) are major components of the
strategic management process. It is a key part of the strategic human resource management
process, which is fundamentally about matching human resources to the strategic and operational
needs of the organization and ensuring the full utilization of those resources.
Managing Performance
Staff appraisal is a management control that audit would tend to recommend when undertaking
an audit where staffing is included in the terms of reference for the work.
For example, a target for a senior auditor may be:
To prepare and implement a new and revised audit manual that complies with best
practice and adopted audit standards by date X (using 100 audit hours).
Performance Measures:
Time budget
Time frame
Qualitative
Acceptable
Implemented
Examples of some specific and team and overall unit performance targets may be listed:
extent to which the annual and quarterly plan has been achieved;
the percentage of recoverable hours charged;
time taken to respond to management requests for assistance;
staff turnover;
absenteeism rate;
number of improvements to the audit manual;
time taken by auditors to get access to audit management;
level of managerial agreement to audit risk criteria;
level of involvement of auditee in the audit terms of reference;
number of recommendations agreed upon;
level of complaints;
level of staff grievances against management;
time taken to issue audit reports after completion of the audit;
level of suggestions from staff to audit management;
level of compliance with the audit manual;
regularity of group and departmental meetings;
the percentage of staff with poor timekeeping;
number of aborted audits;
level of problems found during work reviews;
extent to which audit objectives have been met;
number of audits completed on time;
level of audits within time budget
Dealing with Typical Problems
Excess Hours Charged
Inadequate Working Papers
No Sense of Direction
No Follow-up Procedure
No Sense of Direction
The CAE should:
prepare and implement an audit strategy that pushes internal audit from one period to
another;
publicize this strategy and seek support from staff by involving them in its formation and
use;
market internal audit and recognize achievement so that staff can relate to success
criteria;
implement suitable HRM policies and programmes;
remove blockages to performance, particularly with awkward clients who may impair
audit's right of unrestricted access to documents, records and information;
keep internal audit fresh and vibrant by regular section meetings, days out, seminars,
social events and an invigorating audit manual;
No Follow-up Procedure
The internal auditor needs to:
target high risk systems;
review the adequacy and effectiveness of the systems of control that protect this system;
alert management to any problems with these controls where necessary;
advise management of ways that systems of control may be improved to handle risk;
ensure management responds to audit findings and indicates what it intends to do;
monitor the action taken by management;
Revisit the audit after a suitable period to highlight further action management needs to
take in respect of its controls.
Audit Manual
A device that involves the accumulation and dissemination of all those documents, guidance,
direction and instructions issued by audit management that affect the way the audit service is
delivered
1. The Internal Audit Profession and Related Material: The IIA's International
Professional Practices Framework, COBIT, ISACA standards, and regulatory requirements.
4. Audit Procedures and Techniques: Audit process, audit software, engagement
planning, audit fieldwork, audit reporting, audit effectiveness questionnaire, follow-up
information, operational auditing, IT auditing, and fraud auditing and investigation.
5. Audit Staff Resources: Staff levels, job descriptions, training and development,
tuition assistance, transfers, rotational staff, and use of outside resources.
6. Audit Administration: Staff meetings, intranet, acquiring routine and capital items,
department's budget and monthly performance reports, corporate credit cards, audit
committee reports, annual reporting, staffing and management surveys, and benchmarking
and key performance indicators.
DELEGATION PROCESS
Delegation allows auditors to perform day-to-day work unimpeded, around audit plans where
each internal auditor has defined responsibilities.
Audit brochures
Client presentations
Special projects
Internal reviews of audit files
Delegation creates the drive for the audit manager to define and communicate exactly what is to
be achieved.
Manager/subordinate requirements
Manager                 Subordinate
Wants good results      Enjoys the challenge
Wants to look good      May make mistakes
Wants to save time      Needs support
Wants no problem        Wants to work it out
Audit standards
Fraud work
Business planning
Budgets
Tells the organization what it will get from its in-house audit team.
A person or firm, independent of the organization, who has special knowledge, skill, and
experience in a particular discipline.
PROACTIVE
INNOVATIVE
FOCUSED
MOTIVATED
INTEGRATED
Assess risk priorities. The relative risks of each audit must be identified, with reference to
the corporate risk database.
Resource prioritized areas. Suitable resources for these areas must be provided.
Audit strategic plan. A plan to reconcile workload with existing resources should be developed.
This should take on board the various constraints and opportunities that are influential now and
in the future. The strategic plan takes us from where we are to where we wish to be over a
defined time frame, having due regard for the audit budget.
Annual audit plan. A formal audit plan for the year ahead is expected by most audit
committees.
Quarterly audit plan. A quarterly plan can be derived from the annual plan. Most organizations
experience constant change making the quarter a suitable time-slot for supportive work
programmes.
Assignment plan. We can now draft an assignment plan with formal terms of reference,
including budgets, due dates and an audit programme.
The audit. Progress should be monitored with all matters in the terms of reference considered.
The reporting process. Planning feeds naturally into reporting so long as we have made proper
reference to our plans throughout the course of the audit.
The risk management processes which management has put in place within the
organisation are operating as intended.
These risk management processes are of sound design.
The responses which management has made to risks which they wish to treat are both
adequate and effective in reducing those risks to a level which is acceptable to the board.
And a sound framework of controls is in place to sufficiently mitigate those risks which
management wishes to treat.
ASSIGNMENT PLAN
Corporate objectives.
Identification of risks to achieving objectives.
What is the risk appetite of the business?
Is the risk management process an adequate and effective process for identifying,
assessing, managing and reporting on risk?
For sound processes the organisation's view on risk can be used, and where this is not the
case, audit will wish to facilitate the identification of risk with management and help
refine the overall risk management process.
Determine risk universe.
Determine scope and priority of assignments.
Based on risks select areas for review.
For each area, review adequacy of risk management process.
Where risk management is largely okay, determine how management gain assurances,
and provide audit assurances. Where this is not the case, facilitate improvements.
November: start the new planning process and build in extra capacity for consulting
requests from management (via formal assessment criteria).
December: draft risk assessment forms and review the corporate risk database. One audit
team uses the following outline allocation of productive audit time:
50% annual audit plan, 20% emerging risk issues, 7% special investigations, 20% special
projects, 3% follow-up.
January/February: analyse information and talk to senior management and the board,
and include all agreed consulting projects in the audit plan.
March: finalize the annual audit plan after having discussed the draft plan with the audit
committee.
End March: publish the plan and allow update facilities.
April: plan now live.
4. Useful
Ensuring that the information gained helps the organization meet its goals.
WHAT NOT TO DO WHEN GATHERING INFORMATION
1. Assume or presume that documentation exists.
2. Accept what you are told without checking the supporting facts.
3. Fail to document information gathered, analyzed and evaluated.
4. Collect too much information.
5. Collect irrelevant information.
6. Fail to protect the information gathered.
FIELDWORK
a. Transaction Testing
b. Advice & Informal Communications
c. Audit Summary
d. Working Papers
a. Transaction Testing
-the audit team selects a sample of transactions and then gathers and inspects sample
documentation for evidence of compliance with stated procedures and practices.
b. Advice & Informal Communications
-As the fieldwork progresses, the auditor discusses any significant findings with the
client.
c. Audit Summary
-the auditor summarizes the audit findings, conclusions, and recommendations necessary for the
audit report discussion draft.
d. Working Papers
- vital tool of the audit profession
- they are the support of the audit opinion
AUDIT REPORT
principal product in which we express our opinions, present the audit findings, and
discuss recommendations for improvements.
Includes the ff:
a. Discussion Draft
b. Exit Meeting
c. Formal Draft
d. Final Report
e. Client Response
f. Client Comments
a. Discussion Draft
-prepared for the unit's operating management and is submitted for the client's review
before the exit meeting.
b. Exit Meeting
-At this meeting, we strive to reach an agreement on our observations and the approach to
be taken by management to implement recommendations.
c. Formal Draft
- The auditor then prepares a formal draft, taking into account any revisions resulting
from the exit conference and other discussions
d. Final Report
-The final report is prepared based on the results of the exit conference and the discussion
draft report review.
-Confidential copies of the final report are distributed to the Dean/Director of the audited
area, the appropriate Vice-President(s), and the President's Office.
e. Client Response
- The client has the opportunity to respond to the audit findings prior to issuance of the
final report which can be included or attached to our final report.
f. Client Comments
-feedback has proven to be very beneficial to us, and we have made changes in our
procedures as a result of clients' suggestions.
AUDIT FOLLOW-UP
Within approximately one year of the final report, Internal Audit will perform a follow-up review
to verify the resolution of the report findings.
Includes the ff:
a. Follow-up Review
b. Follow-up Report
c. Audit annual report to the board
a. Follow-up Review
The client response letter is reviewed and the actions taken to resolve the audit report
findings may be tested to ensure that the desired results were achieved.
b. Follow-up Report
The review will conclude with a follow-up report which lists the actions taken by the client to
resolve the original report findings.
Internal Audit Annual Report to the Board
-the contents of the audit report, client response, and follow-up report may also be
communicated to the Audit Committee of the Board as part of the Internal Audit Annual Report.
Are all audits planned, or does the Internal Audit Department conduct surprise audits?
How does the Internal Audit Department select areas to be audited or reviewed?