Data Analysis and Interpretation


Page 1: Data Analysis and Interpretation

Data Analysis and Interpretation

Page 2: Data Analysis and Interpretation

Engagement

• A specific internal audit assignment, task, or review activity, such as an internal audit, control self-assessment review, fraud examination, or consultancy
• An engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives (Standards Glossary)

Source: IIA-p.org

Page 3: Data Analysis and Interpretation

Engagement Objectives

Engagement objectives
• Broad statements
• Developed by internal auditors
• That define intended engagement accomplishments
• Developed during the engagement planning
(Standards Glossary)

Scope of engagement objectives – governance process, risk management process, and internal control (Standards 2110, 2120, 2130)

Examples:
• To determine whether controls in procurement are in place and consistently applied throughout the process
• To identify and evaluate controls on product development
• To evaluate whether payments of invoices are accurate and timely

Source: IIA-p.org

Page 4: Data Analysis and Interpretation

Engagement Work Program

A document that lists the procedures to be followed during an engagement, designed to achieve the engagement plan. (Standards Glossary)

Prior to the engagement’s commencement, the internal auditor prepares an engagement program that:
• States the objectives of the engagement
• Identifies technical requirements, objectives, risks, processes, and transactions that are to be examined
• States the nature and extent of testing required
• Documents the internal auditor’s procedures for collecting, analyzing, interpreting, and documenting information during the engagement
• Is modified, as appropriate, during the engagement with the approval of the CAE or his/her designee (PA 2200-1)

Source: IIA-p.org

Page 5: Data Analysis and Interpretation

Engagement Work Program

Contents of the Audit Program
• Should be divided into sections that address one or more objectives and include corresponding testing procedures
• Should contain the details necessary to execute the audit work, such as
  - Sample size
  - Basis for sample selection (i.e., statistical or judgmental)
  - Time period subject to testing
  - Reports from which samples will be obtained
  - Names of documents and reports to be reviewed
  - Specific attributes to be tested

Source: IIA-p.org

Page 6: Data Analysis and Interpretation

Engagement Work Program - Sample

Risk: inability to collect from customers

Controls:
• Aging of receivables, monthly
• Credit limits, given to all customers depending on type
• Customer accreditation, every time

Audit objective:
To check whether collections from credit customers are made regularly.

Source: IIA-p.org

Page 7: Data Analysis and Interpretation

Engagement Work Program - Sample

Audit procedures:
• Obtain the latest aging of receivables from the accounting department.
• Compute the number of days sales in receivables; inquire about the regular credit terms.
• Note customers that have long outstanding receivables (beyond the regular credit terms or the number of days sales in receivables). Inquire if payment is expected anytime soon. If no payment is expected, inquire why the customer/account has been delinquent in its payment.
• From the aging of receivables, note the following:
  - Accounts that went over their approved credit limits. Inquire about the reasons for the overage.
  - Accounts that have long outstanding receivables and are over their approved credit limits
• From the top 10 long outstanding receivables, check if customer accreditation is performed.

Source: IIA-p.org
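Added example (not part of the original slides): the sample audit procedures above, run as a CAAT-style test over an aging report in Python. The record layout, the sample rows, the 30-day credit terms, the credit sales figure, and ranking the "top 10" by overdue balance are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AgingLine:
    customer: str
    invoice_date: date
    balance: float       # amount still outstanding on this invoice
    credit_limit: float  # approved credit limit for the customer
    accredited: bool     # accreditation record found on file


def days_sales_in_receivables(total_receivables, credit_sales, period_days=365):
    """Average number of days of credit sales tied up in receivables."""
    if credit_sales <= 0:
        raise ValueError("credit_sales must be positive")
    return total_receivables * period_days / credit_sales


def review_aging(lines, as_of, credit_terms_days, top_n=10):
    """Apply the work-program tests to an aging report, per customer."""
    balance = defaultdict(float)   # total outstanding per customer
    overdue = defaultdict(float)   # portion older than the credit terms
    oldest = defaultdict(int)      # age in days of the oldest open invoice
    limit, accredited = {}, {}
    for ln in lines:
        age = (as_of - ln.invoice_date).days
        balance[ln.customer] += ln.balance
        oldest[ln.customer] = max(oldest[ln.customer], age)
        if age > credit_terms_days:
            overdue[ln.customer] += ln.balance
        limit[ln.customer] = ln.credit_limit
        accredited[ln.customer] = ln.accredited

    # Long outstanding: any balance beyond terms, largest overdue amount first.
    long_outstanding = sorted(
        (c for c in overdue if overdue[c] > 0),
        key=lambda c: (-overdue[c], c),
    )
    over_limit = sorted(c for c in balance if balance[c] > limit[c])
    top = long_outstanding[:top_n]
    return {
        "long_outstanding": long_outstanding,
        "over_limit": over_limit,
        "long_and_over_limit": [c for c in long_outstanding if c in over_limit],
        "top_without_accreditation": [c for c in top if not accredited[c]],
        "oldest_days": dict(oldest),
    }


# Constructed sample data, not taken from any real ledger.
AS_OF = date(2024, 6, 30)
CREDIT_TERMS_DAYS = 30
SAMPLE = [
    AgingLine("Alpha", date(2024, 6, 10), 1000.0, 5000.0, True),
    AgingLine("Alpha", date(2024, 3, 1), 2000.0, 5000.0, True),
    AgingLine("Beta", date(2024, 6, 20), 8000.0, 6000.0, True),
    AgingLine("Gamma", date(2024, 1, 15), 7000.0, 4000.0, False),
    AgingLine("Delta", date(2024, 6, 25), 500.0, 1000.0, True),
]

if __name__ == "__main__":
    total = sum(ln.balance for ln in SAMPLE)
    print("Days sales in receivables:", days_sales_in_receivables(total, 73000.0))
    for name, value in review_aging(SAMPLE, AS_OF, CREDIT_TERMS_DAYS).items():
        print(f"{name}: {value}")
```

Each list it returns is a set of accounts for the inquiry steps in the procedure; the script identifies exceptions but does not replace the follow-up with the accounting department.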

Page 8: Data Analysis and Interpretation

Audit Evidence

• All the information used by the auditor in arriving at the conclusion/opinion regarding the engagement objective.
• Information obtained from audit procedures performed during the course of the audit engagement
• Evidence is used to determine:
  - Conditions (what exists)
  - Criteria (what should exist)
  - Causes (reason for the difference)
  - Impact/consequence
  - Recommendations

Source: IIA-p.org

Page 9: Data Analysis and Interpretation

Types of Evidence

Physical: People; Property; Event
Documentary: Accounting records; Invoices; Letters; Contracts; Mgt. information
Testimonial: Written statement; Spoken statement
Analytical: Computations; Comparisons; Evaluations
Re-performance: Performing client procedures

Source: SGV&Co, IIA-p.org

Page 10: Data Analysis and Interpretation

Physical Evidence

• Evidence that can actually be seen by auditors
• Supports existence only, not ownership or value
• Obtained by:
  - Observing people and events (especially when no audit trails are left)
  - Examining assets or events
  - Walk-throughs of processes to gain better understanding; re-performance, recalculation
  (A walk-through is the act of tracing a transaction through organizational records and procedures to develop an understanding of transaction flow and design of controls)
• Documented through:
  - Photographs
  - Maps
  - Audio and video records
  - Written narrative of things observed

Source: IIA-p.org

Page 11: Data Analysis and Interpretation

Documentary Evidence

Consists of information that exists in some permanent form such as: letters, contracts, accounting records, invoices, management information on performance, and documents recorded using computers or electronic devices.

Procedures to collect evidence:
• Confirmation – used to substantiate accuracy of internal records by obtaining written or oral responses from independent third parties (e.g., banks, customers, vendors, attorneys for contingent liabilities, inventory agents for consignments)
• Document vouching – examination of a document that supports a recorded transaction or amount; tests existence or occurrence
• Document tracing – tests for unrecorded items and therefore tests the completeness assertion

Source: IIA-p.org

Page 12: Data Analysis and Interpretation

Testimonial Evidence

• Information received from internal and external persons/parties through inquiries, interviews, and questionnaires
• But needs corroboration and may corroborate other forms of evidence
• Oral evidence documented through:
  - Questionnaires or surveys (during engagement planning)
  - Written statement or audio/video of interview or inquiries (with permission from interviewee)

Source: IIA-p.org

Page 13: Data Analysis and Interpretation

Analytical Evidence

Information is in the form of inferences or conclusions based on examining data for consistencies, inconsistencies, cause-effect relationships, trends, gaps, etc.

Obtained from:
• Evaluating
• Calculating
• Comparing relationships between financial and non-financial information
• Analysis techniques using CAATs
  - Reasonableness and completeness
  - Gaps and duplication tests
  - Period-over-period comparisons
  - Regression analysis
  - Statistical analysis
  - Transaction matching
  - Threshold comparison

Source: IIA-p.org

Page 14: Data Analysis and Interpretation

Relevant Standards

2310 – Identifying Information
Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement’s objectives.

Source: IIA-p.org

Page 15: Data Analysis and Interpretation

Quality of Information (Standards of Evidence)

Sufficient: Factual; Adequate; Convincing
Useful: Helps the organization meet its goals
Relevant: Supports engagement observations and recommendations and is consistent with the objectives for the engagement
Reliable: Best attainable information through the use of appropriate audit techniques and methods

Source: IIA-p.org

Page 16: Data Analysis and Interpretation

Sufficient Evidence

• Factual, adequate and convincing enough
• To lead a prudent person to the same conclusion as the auditor
• Achieved from the combination of several audit procedures that, when taken together, will be convincing
• Example: Sufficient evidence that machinery was actually received by the company
  - Original copy of receiving memorandum, signed by authorized receiving personnel
  - Auditor’s physical inspection of the machinery, matching info details with receiving memo

Source: IIA-p.org

Page 17: Data Analysis and Interpretation

Useful Evidence

• Helps the organization meet its objectives
• Example:
  - Organization’s objective: only materials with the right specifications are received
  - Useful evidence: spoilage report, rejection report

Relevant Evidence

• Supports engagement observations and recommendations
• Relation of evidence to what is being tested (ex: control)
• Logical, sensible
• Example:
  - A receiving memorandum signed by receiving personnel (if goods are actually received)

Source: IIA-p.org

Page 18: Data Analysis and Interpretation

Reliable/Competent Evidence

• Best reasonable available information
  - Original copy vs. a copy (photocopy)
  - Corroborated oral statement vs. stand-alone
  - Timely vs. untimely recording of documents
  - Auditor performing the test/procedure
• Through the use of appropriate engagement techniques
• Example: To establish whether machinery was actually received by the company: the auditor’s physical inspection vs. the original copy of the receiving report

Source: IIA-p.org

Page 19: Data Analysis and Interpretation

Persuasiveness of audit evidence

Persuasive:
• Competence – the degree to which evidence can be considered trustworthy
• Sufficiency – amount of evidence is enough to form a reasonable opinion

Source: SGV, IIA-p.org

Page 20: Data Analysis and Interpretation

Which data/information are more reliable?

• Internal
  - originates and remains with the auditee
• Internal - external
  - originates with the auditee but is also processed by an external party
• External - internal
  - created by an independent party but subsequently processed or held by the auditee
• External
  - created by an independent party and transmitted directly to auditors

[Figure: reliability scale labelled "More" and "Less"]

Source: IIA-p.org

Page 21: Data Analysis and Interpretation

Documentation and Preparation of Working Papers

Page 22: Data Analysis and Interpretation

Relevant Standards

2320 – Analysis and Evaluation
Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.

2330 – Documenting Information
Internal auditors must document relevant information to support the conclusions and engagement results.

Source: IIA-p.org

Page 23: Data Analysis and Interpretation

Relevant Standards

Working Papers
• Document the information obtained, the analyses made, and the support for the conclusions and engagement results
• Include reports, supporting documentation, review notes, and correspondence, regardless of storage media

Engagement working papers generally (purpose):
• Aid in the planning, performance, and review of engagements.
• Provide the principal support for engagement results.
• Document whether engagement objectives were achieved.
• Support the accuracy and completeness of the work performed.
• Provide a basis for the internal audit activity’s quality assurance and improvement program.
• Facilitate third-party reviews. (PA 2330-1)

Source: IIA-p.org

Page 24: Data Analysis and Interpretation

Examples of Working Papers

• Work programs
• Engagement time budgets and resource allocation worksheets
• Questionnaires used during preliminary survey
• Process maps or flowcharts
• Charts, graphs, and diagrams such as risk maps
• Agenda for internal audit team meetings and meetings with audit clients/auditees
• Minutes of meetings
• Accounting records
• Audit reports

“Working papers document the auditor’s conclusion and the reasons those conclusions were reached.”

Source: IIA-p.org

Page 25: Data Analysis and Interpretation

Qualities of an audit work paper

• Aid in the planning, performance, and review of audits
• Document whether the audit objectives were achieved
• Supports the audit reports
• Record information
• Document audit findings and accumulated evidence
• Basis for supervisory review
• Support and evidence for issues like fraud and lawsuits
• Facilitate 3rd party review/aid to peer review
• Aid in the professional development of the audit staff

Source: IIA-p.org

Page 26: Data Analysis and Interpretation

Key guidelines in preparing work papers (WP)

• Completeness – self-standing and self-explanatory
• Accuracy – include statements and computations that are accurate and technically correct
• Organization/logical arrangement – logical system of numbering and reader-friendly layout so a technically competent person unfamiliar with the project/engagement could understand the purpose, procedures performed, and results
• Relevance – meets the applicable audit objectives; limited to matters that are important and necessary to support the objectives and scope established for the assignment
• Conciseness – clear and understandable without supplementary oral explanations
• Legibility and neatness – as legible and neat as practical; avoid crowding and writing between lines

Source: IIA-p.org

Page 27: Data Analysis and Interpretation

Engagement Records (WPs)

Control of engagement records
2330.A1 – The chief audit executive must control access to engagement records. The chief audit executive must obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate.

Retention of engagement records
2330.A2 – The chief audit executive must develop retention requirements for engagement records, regardless of the medium in which each record is stored. These retention requirements must be consistent with the organization’s guidelines and any pertinent regulatory or other requirements.

2330.C1 – The chief audit executive must develop policies governing the custody and retention of consulting engagement records, as well as their release to internal and external parties. These policies must be consistent with the organization’s guidelines and any pertinent regulatory or other requirements.

Source: IIA-p.org

Page 28: Data Analysis and Interpretation

Data Reporting

Page 29: Data Analysis and Interpretation

Audit observations and recommendations

Based on the following attributes:

1. Criteria
• The standards, measures, or expectations used in making an evaluation and/or verification (the correct state).
• States the “should be” such as policy, procedure, law, regulation, other reasonable standards for achievement of the organization’s objectives

2. Condition (facts)
• The factual evidence that the internal auditor found in the course of the examination (the current state).
• Describes the controls as they exist and are functioning at the time of the audit or evaluation. This is the center of the audit observation and should be supported by sufficient (relevant and reliable) evidence and information

Source: IIA-p.org

Page 30: Data Analysis and Interpretation

Audit observations and recommendations

Based on the following attributes:

3. Cause
• The reason for the difference between expected and actual conditions.
• Explains what allowed the conditions or facts to exist (happen). It describes the organization’s process that allowed the deviation to happen. The cause is an important component as the audit recommendation is targeted towards making sure the root cause is addressed to ensure the deviation will not recur.

4. Effect
• The risk or exposure the organization and/or others encounter because the condition is not consistent with the criteria (the impact of the difference). In determining the degree of risk or exposure, internal auditors consider the effect their engagement observations and recommendations may have on the organization’s operations and financial statements.
• Describes the consequence (may be past, present, or future) of the occurrence of the condition. This should be expressed in terms of impact and likelihood.

Source: IIA-p.org

Page 31: Data Analysis and Interpretation

Audit Conclusions and Opinions

• Conclusions and opinions are the internal auditor’s evaluations of the effects of the observations and recommendations on the activities reviewed.
• They usually put the observations and recommendations in perspective based upon their overall implications.
• Clearly identify any engagement conclusions in the engagement report.
• Conclusions may encompass the entire scope of an engagement or specific aspects.
• They may cover, but are not limited to, whether operating or program objectives and goals conform to those of the organization, whether the organization’s objectives and goals are being met, and whether the activity under review is functioning as intended.
• An opinion may include an overall assessment of controls or may be limited to specific controls or aspects of the engagement. (PA 2410-1)

Source: IIA-p.org

Page 32: Data Analysis and Interpretation

Recommendations

• The internal auditor may communicate recommendations for improvements, acknowledgments of satisfactory performance, and corrective actions.
• Recommendations are based on the internal auditor’s observations and conclusions.
• They call for action to correct existing conditions or improve operations and may suggest approaches to correcting or enhancing performance as a guide for management in achieving desired results.
• Recommendations can be general or specific.
• For example, under some circumstances, the internal auditor may recommend a general course of action and specific suggestions for implementation.
• In other circumstances, the internal auditor may suggest further investigation or study. (PA 2410-1)

Source: IIA-p.org

Page 33: Data Analysis and Interpretation

Communicating Engagement Results

2410 – Criteria for Communicating
Communications must include the engagement’s objectives and scope as well as applicable conclusions, recommendations, and action plans.

2410.A1 - Final communication of engagement results must, where appropriate, contain the internal auditors’ opinion and/or conclusions. When issued, an opinion or conclusion must take account of the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information.

Source: IIA-p.org

Page 34: Data Analysis and Interpretation

2420 – Quality of Communications

Communications must be accurate, objective, clear, concise, constructive, complete, and timely.

• Accurate communications are free from errors and distortions and are faithful to the underlying facts.
• Objective communications are fair, impartial, and unbiased and are the result of a fair-minded and balanced assessment of all relevant facts and circumstances.
• Clear communications are easily understood and logical, avoiding unnecessary technical language and providing all significant and relevant information.
• Concise communications are to the point and avoid unnecessary elaboration, superfluous detail, redundancy, and wordiness.
• Constructive communications are helpful to the engagement client and the organization and lead to improvements where needed.
• Complete communications lack nothing that is essential to the target audience and include all significant and relevant information and observations to support recommendations and conclusions.
• Timely communications are opportune and expedient, depending on the significance of the issue, allowing management to take appropriate corrective action.

Source: IIA-p.org

Page 35: Data Analysis and Interpretation

Engagement Opinion

Engagement Opinion - the rating, conclusion, and/or other description of results of an individual internal audit engagement, relating to those aspects within the objectives and scope of the engagement.

2450 - Overall Audit Opinion
When an overall opinion is issued, it must take into account the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information.

The communication will identify:
• The scope, including the time period to which the opinion pertains;
• Scope limitations;
• Consideration of all related projects including the reliance on other assurance providers;
• The risk or control framework or other criteria used as a basis for the overall opinion; and
• The overall opinion, judgment, or conclusion reached. The reasons for an unfavorable overall opinion must be stated.

Source: IIA-p.org

Page 36: Data Analysis and Interpretation

Engagement Supervision

2340 – Engagement Supervision
Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.

• The extent of supervision required will depend on the proficiency and experience of internal auditors and the complexity of the engagement.
• The chief audit executive has overall responsibility for supervising the engagement, whether performed by or for the internal audit activity, but may designate appropriately experienced members of the internal audit activity to perform the review.
• Appropriate evidence of supervision is documented and retained.

Supervision is a process that begins with planning and continues throughout the engagement.

Source: IIA-p.org

Page 37: Data Analysis and Interpretation

2340-1 Engagement Supervision

• All engagement working papers are reviewed to ensure they support engagement communications and necessary audit procedures are performed.
• Evidence of supervisory review consists of the reviewer initialing and dating each working paper after it is reviewed.
• Other techniques that provide evidence of supervisory review include completing an engagement working paper review checklist; preparing a memorandum specifying the nature, extent, and results of the review; or evaluating and accepting reviews within the working paper software.

Source: IIA-p.org

Page 38: Data Analysis and Interpretation

Monitoring

2500 – Monitoring Progress
The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.

2500.A1 – The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

2500.C1 – The internal audit activity must monitor the disposition of results of consulting engagements to the extent agreed upon with the client.

Source: IIA-p.org

Page 39: Data Analysis and Interpretation

Monitoring

Follow-up
• A process by which internal auditors evaluate the adequacy, effectiveness, and timeliness of actions taken by management on reported observations and recommendations, including those made by external auditors and others
• Includes determining whether senior management and/or the board have assumed the risk of not taking corrective action on reported observations

Source: IIA-p.org

Page 40: Data Analysis and Interpretation

Risk Management

Page 41: Data Analysis and Interpretation

Risk Management

• Organizational use of risk frameworks
• Risk management methodology
• Various types of risks
• Risk measurement tools
• Managing corporate risks
• Enterprise risk management

Source: IIA-p.org

Page 42: Data Analysis and Interpretation

Risk Management

• A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives. (Standards Glossary)
• Refers to a coordinated set of activities and methods that is used to direct an organization and to control the many risks that can affect its ability to achieve objectives. (ISO 31000)

Risk Management = Risk Assessment + Risk Mitigation + Risk Monitoring

Risk Management Methodology
• Risk Assessment – process of determining the extent of the potential threat and the risk associated with a process or system
• Risk Mitigation – involves prioritizing, evaluating, and implementing appropriate risk-reducing controls recommended from the risk assessment process
• Risk Monitoring – a continual evaluation process since change is constant in most organizations

Source: IIA-p.org

Page 43: Data Analysis and Interpretation

Enterprise Risk Management (ERM)

A rigorous and coordinated approach to assessing and responding to all risks that affect the achievement of an organization’s strategic and financial objectives.

Classification of Risks
• Financial
• Hazard
• Strategic
• Operational

Source: IIA-p.org

Page 44: Data Analysis and Interpretation

Internal Audit Role in ERM

• RM is a key responsibility of senior management and the board
  - Management implements
  - Boards have an oversight role
• IA can assist the organization (in a consulting role) in identifying, evaluating, and implementing risk management methodologies and controls to address those risks

Source: IIA-p.org

Page 45: Data Analysis and Interpretation

Internal Audit Role in ERM

If with formal RM process:
• CAE to obtain an understanding of senior management’s and the board’s expectations of the IAA’s role in the organization’s RM process
• Should be written in the IA Charter
• Coordinated between all groups and individuals within the organization’s RM process

If with formal RM process, IA activity’s role may vary from:
• No role
• Auditing the risk management process as part of the internal audit plan
• Active, continuous support and involvement in risk management process, i.e., oversight committees, monitoring activities, status reporting
• Managing and coordinating the process
(PA 2120-1)

Source: IIA-p.org