PART II - II INTERNAL AUDIT APPROACHES AND PRACTICES
AUDIT APPROACHES Audit Approaches or methodology is the framework or outline of a process which provides guidance and control to help ensure the audit objectives are achieved.
STEPS • Determine the universe of the auditable entities • This involves establishing a model of the business process subject to audit and identifying the various functions or activities within the model that would be audited. 2. Perform a risk assessment for the audit universe.
Using risk assessment results, rank the auditable entities according to risk. • Estimate the auditable time required for each auditable entity • Apply the resources available to the time required and develop an audit schedule for the audit year or audit cycle. • Conduct in-depth, detailed audits of the function using a defined audit methodology.
AUDIT APPROACHES • TRADITIONAL AUDIT APPROACH • RISK – BASED AUDIT APPROACH • CONTROL SELF ASSESSMENT (CSA)
TRADITIONAL AUDIT APPROACH • Derived from the Report of the Special • Advisory Committee on Internal Accounting Control (Minahan Committee) • System Documentation and Evaluation • Program Development • Testing • Report Development
SYSTEM DOCUMENTATION AND EVALUATION Control Technique Evaluation has the following steps: • Determine general objectives • Example: • All accounts payable transactions are processed in an accurate, prompt and complete manner. • Determine the specific objectives • Example: • Purchase orders invoices processed for payment by A/P are processed in an accurate, prompt and complete manner.
Identify Control Techniques • Example: • a. Segregation of duties • b. Approval on documents • c. Complete, clear policies • d. Pre-numbered documents • e. Documented deviations from policies
Evaluate the adequacy of the control techniques • Before actually testing the control techniques, the auditor should evaluate the adequacy of the identified control techniques, assuming they are functioning properly.
Test selected control techniques • Report opinion and recommendations regarding the adequacy of the system of internal control to achieve the control objectives
PROGRAM DEVELOPMENT Audit programs provide a guide for the actual audit steps performed and documentation for decisions made by the auditor about the nature, timing, and extent of audit procedures applied. The program also serves as a check against possibility of omissions, a record of the work done and a method of facilitating control and review.
Analytical Review Inquiry and Observation 100% Examination of Key items Discovery Computational Test Non-Statistical Sampling Random Number Systematic Block Samplings Haphazard Sampling Statistical Sampling TESTING
REPORT DEVELOPMENT SECTIONS OF THE AUDIT REPORT Purpose Scope Opinion Background Findings and Recommendations Management Response
ADVANTAGES ADVANTAGES AND DISADVANTAGES OF TRADITIONAL APPROACH DISADVANTAGES • Obtaining detailed coverage of potentially risky areas every three to five years • Comprehensive coverage of financial and accounting functions • Because of the extensive nature of these audits, coverage is often completed on a three or five year cycle, not annually • Audit coverage is very detailed and very expensive.
ADVANTAGES DISADVANTAGES • Professionally qualified audit staff • Independence from operating managers • Assurance that controls are in place at a given point in time for a given entity. • Coverage often only addresses accounting controls, not the higher risk and higher value-added operating controls • Audit staff skills are narrowly focused on acctg and finance issues • Audit staff is not only independent but isolated from the operating functions.
RISK-BASED AUDITING Internal Control System can help management manage or control the degree of business risk inherent in any business operation. Internal control is a risk management process. “Internal Control Systems” – “Risk Management Systems”
Fundamental to COSO Model and to risk management • Objectives are established and communicated • risk is dependent upon people, organization, climate, characteristics , situational pressures, and conditions of opportunity
Primary Causes of Fraud (Study of KPMG Peat Marwick) • Poor internal control • Collusion between employees and a third party • Management override of internal controls • High-risk industry where there was a risk of decline or loss The system of internal control must address the “red flags” that might herald management or employee override of the internal controls.
NEW PARADIGM SHIFT • New definition of control: Control is broadly defined and includes both formal and informal controls • Total Quality: TQM demands participative,team approaches to problem identification and solution development • Management/Employee Expectations: • Managers and employees expect tools that add value to their own arsenal of resources.
RISK-BASED AUDIT METHODOLOGY • Determine the key risks or objectives which internal auditors should address • Identify limits of risk used by management or deemed appropriate to controlling the processes designed to achieve the objectives (reduce the risk of failure)
Conduct initial survey and form hypothesis regarding how well the risk appears to be controlled or how well controls appear to ensure achieving the objectives • Verify through the most cost-effective means the validity of the hypothesis • Report results
ADVANTAGESDISADVANTAGES RISK BASED AUDIT METHODOLOGY • Extremely cost effective • Focuses on areas of highest risk, thus adds greatest value to the organization • Helps managers with problems of importance to them. • Requires significant auditor experience and judgment • Requires auditors to change their paradigm • Requires significant interface with management and employees
ADVANTAGES DISADVANTAGES • Uses ideas and concepts understood by managers rather than by auditors only. • Provides opportunity to train management and employees on how controls work to achieve business objectives of importance to them • May not provide an overall assessment of the organization’s system of internal control
CONTROL SELF-ASSESSMENT (CSA) CSA is a relatively new method for examining and evaluating the organization’s system of internal control. It is an amalgam of traditional internal auditing concepts, risk analysis, and self assessment approaches. CSA has the following elements: • Front-end planning and preliminary audit work.
The gathering of a group of people into a same time/same place meeting, - study of relationships among elements of information (for example fluctuation in recorded interest expense compared to changes in related debt balances) typically involving a facilitation seating arrangement (U-shape table) and a meeting facilitator. The participants are “process owners” – management and staff who are involved with the particular issues under examination, who know them best, and who are critical to the implementation of appropriate process control.
Structured agenda which the facilitator uses to lead the group through an examination of the process’s risks and controls. Frequently, the agenda will be based on a well-defined framework or model so that participants can be sure to address all necessary issues framework for that project. • Optionally, the presence of a scribe to take an on-line transcription of the session and of electric voting technology to enable participants to anonymously voice their perceptions of the issues. • Reporting and the development of action plans
CSA’s BASIC PHILOSOPHY Is that the control is the responsibility of all employees in the organization. The people who work within the process, including employees as well as the managers of the process, are asked for their assessments of risks and controls in their process.
Control Self-Assessment auditing has the following advantages and disadvantages: • Very cost effective. • Provides overall, annual assessment of the organization’s system of internal control • Helps managers with problems of importance to them. • Requires significant facilitation skills and team leading ability. • Requires auditors to change their paradigm • Requires significant interface with management and employees. ADVANTAGES DISADVANTAGES
ADVANTAGES DISADVANTAGES CONTROL SELF-ASSESSMENT • Uses ideas and concepts understood by managers rather than by auditors only. • Provides opportunity to train management and employees on how controls work to achieve business objectives of importance to them. • Requires significant planning and coordination • Provides only a high-level review of the organization’s internal controls.
ADVANTAGES DISADVANTAGES CONTROL SELF-ASSESSMENT • Fosters buy-in to recommendations and action plan since employees participated in their development
INTERNAL AUDIT PRACTICE • INTERNAL AUDITING ACTIVITIES • Internal Control Audits • Compliance Audits • Fraud Audits • Operational/Management Audits • Other Internal Control Audits The objective of internal control audits is to apprise management of how adequately a particular system of internal control provides reasonable assurance that objectives are achieved.
Compliance Audits Compliance audits are largely focused on apprising management of the degree of compliance with established policies, laws, procedures, regulations, contractual provisions, etc. Fraud Audits Where fraudulent activity is present or suspected, specialized audit activities maybe performed to assist management in detecting or confirming the presence and extent of fraud and in providing necessary evidence for legal purpose. Also called forensic auditing or investigative auditing.
Operational/Management Audits • Stating the obvious, operational audits are audits of operations. They focus on the ability of an organization to achieve its business objectives in the areas of efficiency and effectiveness. Efficiency – is a measure of the ability of a process to function at a low cost in relation to similar or alternative processes Effectiveness - is a measure of the ability of a process to accomplish its functional objective.
OTHER AUDIT ACTIVITIES Internal Auditors may be asked to participate in many other activities for their organization. These may include duties routinely expected of all employees such as participating in quality improvement teams or they may be unique activities such as performing studies for management for which the the auditor’s skills are considered helpful.
INTERNAL AUDIT PROCESS ENGAGEMENT PLANNING (PLANNING THE AUDIT) EXAMINATION AND EVALUATION OF INFORMATION COMMUNICATING RESULTS MONITORING PROGRESS (FOLLOW-UP PROCESS)
ENGAGEMENT PLANNING (PLANNING THE AUDIT) • Establishing audit objectives and scope of work • Obtaining background information about the activities to be audited • Determining the resources necessary to perform the audit • Communicating with all who need to know about the audit • Performing, as appropriate, a survey to become familiar with activities, risks and controls; to identify areas for audit emphasis; and to invite auditee comments and suggestions
Engagement Planning . . . (Cont’n) • Writing the audit program • Determining how, when and to whom audit results will be communicated • Obtaining approval of the audit work plan
SETTING OF AUDIT OBJECTIVES AND SCOPE OF WORK Audit objectives are broad statements developed by internal auditors and define intended audit accomplishments Audit procedures are the means to attain audit objectives Audit objectives and audit procedures, taken together, define the scope of the internal auditors’ work. Audit objectives and audit procedures should address the risks associated with the activity under audit
THE PRELIMINARY SURVEY The preliminary or on-site survey allows for the gathering of information, without, detailed verification about the activities to be audited. The internal auditor learns about the auditee’s objectives, organization, operations, information systems, personnel and internal controls.
MAIN PURPOSES OF THE SURVEY • Understand the activity under review • Identify significant areas warranting special emphasis • Obtain information for use in performing the audit • Determine whether further auditing is necessary.
EXAMINATION AND EVALUATION OF INFORMATION Internal Auditors should collect, analyze interpret and document information to support audit results. Process of Examining and Evaluating Information • Extent of information collection -- -audit objectives and scope of work. • Information – SUFFICIENT, COMPETENT, RELEVANT, USEFUL to provide sound basis for audit findings and recommendations
SELECTION IN ADVANCE of audit procedures, testing and sampling techniques • Supervision of the process of examination and evaluation of information to provide reasonable assurance • auditors objectives • audit goals are met • Workpapers should be prepared and reviewed by IAD management
ANALYTICAL AUDITING PROCEDURES Nature of Analytical Auditing Procedures • Analytical auditing procedures are performed by studying and comparing relationships among both financial and nonfinancial information.
Nature of Analytical Auditing Procedures 2. The application of analytical auditing procedures is based on the premise that, in the absence of known conditions to the contrary, relationships among information may reasonably be expected to exist and continue. Examples of contrary conditions include unusual or nonrecurring transactions or events; accounting, organizational, operational, environmental, and technological changes; inefficiencies; ineffectiveness; errors; irregularities, or illegal acts.
Nature of Analytical Auditing Procedures • Analytical auditing procedures provide the internal Auditor with an efficient and effective means of making an assessment of information collected in an audit. The assessment results from comparing such information with expectations identified or developed by the internal auditor.
Nature of Analytical Auditing Procedures 4. Analytical auditing procedures are useful in identifying, among other things: • differences that are not expected • the absence of differences when they are expected • potential errors • potential irregularities or illegal acts • other unusual or nonrecurring transactions or events.
Analytical auditing procedures assist the internal auditor in identifying conditions which may require subsequent auditing procedures. Internal Auditors should use analytical auditing procedures in planning the audit. Use of Analytical Auditing Procedures
Analytical auditing procedures should also be used during the audit to examine and evaluate information to support audit results. The internal auditor should consider the following factors in determining the extent to which analytical auditing procedures should be used:
The significance of the area being examined. • The adequacy of the system of internal control.
The availability and reliability of financial and nonfinancial information. • The precision with which the results of analytical auditing procedures can be predicted.