Internal Oversight Division Audit Approach for Continuous Auditing July 24, 2014 Annex 1.8

Continuous Auditing Guidelines version 1

TABLE OF CONTENTS

1. INTRODUCTION

2. OBJECTIVES

3. AUDIT APPROACH

4. IOD IDENTIFICATION OF KEY CONTROLS AND RISKS

5. REPORTING

1. INTRODUCTION

1. The audit approach is set out for continuous auditing purposes and is aimed at enabling IOD to conduct real-time or near real-time tests of internal controls in WIPO in order to provide assurance that financial transactions and underlying information are recorded timely and fairly and in accordance with WIPO regulations. A key component of the continuous audit approach is the use of data analytics technology to enable analysis of all transactions rather than a sample of transactions.

2. OBJECTIVES

2. The objective of this continuous audit approach is to review financial and non-financial information available in selected business areas, with a view to ensuring that they are adequately and effectively controlled for purposes as intended and to flag any control weaknesses which may lead to unintentional errors or omissions or intentional wrongdoing. Each sample item will be tested to ensure:

- Accuracy of the transactions, their supporting documentation and related payments if relevant;

- Proper authorization;

- Compliance with applicable FRR, SRR, OI, etc.;

- Proper recording and processing without error;

- Business systems/processes have proper and effective controls and this is monitored;

- Availability, integrity and reliability of business systems;

- Adequacy and effectiveness of internal control framework;

- Integrity of financial reporting; and

- Efficiency and effectiveness of business operations.

3. Areas for particular attention may include, but are not limited to:

Finance

- Duplicate payments;

- Dubious beneficiaries;

- Payments without proper approvals;

- Bogus vendors (suppliers, third party consultants, etc.).

Human Resources

- Bogus employees;

- Flexitime abuse;

- Excessive and unjustified overtime;

- Allowances such as staff language courses, educational grant, home leave;

- Review of selected contractual arrangements (ICS).

Procurement

- Duplicate vendor accounts;

- Splitting purchase orders;

- Ex-post facto purchase requisitions.

Other Areas

- Excessive, unjustified travel/official missions; linkage with home/annual leave;

- Telephone expenses borne by WIPO;

- Segregation of Duties.

4. Any departures from established policies and procedures lead to financial loss and, hence, need to be further investigated or corrected for efficiency and effectiveness purposes.

3. AUDIT APPROACH

5. Transactions from selected operational areas will be examined each quarter depending on materiality, the risk priority, availability of audit data, auditor’s time and other factors. Focused samples will also be taken for areas of identified risks. After having gained a good level of experience with continuous auditing, IOD will further refine the frequency of its reviews over time.

6. Given the size and limited resources of IOD and the first stage of the continuous auditing experience, IOD will sample from the years 2013 and 2014 to date.

7. Subject to the adequacy of audit staff as well as experience gained in applying information technology tools for continuous auditing, IOD will have direct access (read-only) to key business systems and use available automated audit tools to perform tests on a more regular continuous basis.

4. IOD IDENTIFICATION OF KEY CONTROLS AND RISKS

8. A walkthrough of all the main business processes including financial and authorizing processes will be performed with a view to identifying the key process controls and gathering high level system documentation. Any deficiencies identified in systems, processes and the key controls will be reported to the responsible manager.

9. Selection of the key controls to be tested will be conducted before each sampling. Business areas, processes and systems may be prioritized in terms of their risk assessment in the scope of the continuous auditing samples.

10. Some of the criteria based on which priority areas for continuous auditing will be selected are as follows:

- Criticality of the business process;

- Availability of data for continuous auditing;

- Cost/benefit of implementing a continuous auditing approach for a particular risk area;

- Organization-wide implications of implementing continuous auditing in a particular area;

- Selection of areas where rapid demonstration of results may be of great value to the organization.

11. In addition to the criteria above, the following parameters will be considered in selecting the area for review:

- Management concerns;

- Historical background;

- Previous fraud cases;

- Inherent risk/vulnerability to misuse, etc.

5. REPORTING

12. Conclusions of continuous audit work will be reported to the concerned program manager highlighting the exception cases identified and requesting that management take appropriate action to remediate the internal control weaknesses.
