
SEATA by TOMMY SEAH


DESCRIPTION

SEATA PPT Presentation for FREE Download by TOMMY SEAH from CFE-In-Practice


Page 1: SEATA by TOMMY SEAH

    

Administrative Details

• 9.30 - 10.15 Introductory Lectures
• 10.15 - 10.30 Coffee Break
• 10.30 - 12.00 Product Lecture
• 12.00 - 2.00 Lunch
• 2.00 - 3.00 Case Study
• 3.00 - 3.15 Tea Break
• 3.15 - 4.00 Exercises and Q & A
• 4.00 - End of Day

CFE-In-Practice

Page 2: SEATA by TOMMY SEAH

AUDIT DOCUMENTATION - TOOLS & TECHNIQUES for THE INTERNAL AUDITOR

Tommy Seah CFE, Vice Chairman of the ACFE Board of Regents (Texas, USA) World Headquarters


Page 3: SEATA by TOMMY SEAH

    

Tools and Techniques for the Internal Auditor

Objective

• Conduct an audit from beginning to end.
• Learn to understand risks and to identify, evaluate, and document internal controls.
• Use the preliminary survey to determine how and what to audit.
• Discover the best techniques for gathering audit evidence and preparing working papers.
• Enhance interpersonal and team-building skills throughout the audit.
• Understand the audit communication process.

Page 4: SEATA by TOMMY SEAH

How do we achieve our objectives?

• The Internal Auditor's Roles and Responsibilities
• Audit responsibilities and general audit objectives
• Types of internal audits and factors impacting audit emphasis
• Attributes of the 21st century internal auditor
• The Audit Model - Performance of Audit Work
• Overview of the audit process
• Plan the audit - the preliminary survey, audit objectives, scope, and audit program
• Examine and evaluate information during fieldwork
• Communicate results
• Perform follow-up procedures

Page 5: SEATA by TOMMY SEAH

How do we achieve our objectives?

Internal Control

• Establish management's responsibility for control
• Identify internal audit's responsibility regarding control
• Introduce the SEATA control model
• Internal control components and factors
• Learn the various types of controls
• Understand the difference between exception and objective controls
• Review tools for documenting and evaluating internal controls

Page 6: SEATA by TOMMY SEAH

SEATA PHILOSOPHY

SEATA is defined as being 'an approach to auditing that is concerned with risks, determines specific audit objectives to meet those risks and utilizes a thorough evaluation of the system of internal control as a basis for determining the audit procedures necessary to accomplish the specific audit objectives.'

Page 7: SEATA by TOMMY SEAH

The SEATA approach is equally applicable in all types of audit - financial, operating or IT related, as well as with manual and automated systems.

Page 8: SEATA by TOMMY SEAH

The consequence of undetected risk is a potential detriment to any organization, ranging from loss of cash or income to dissatisfied customers or operational inefficiency.

Page 9: SEATA by TOMMY SEAH

Classified below are the general consequences of risks:

1. Loss of management control OVER ASSETS.

Page 10: SEATA by TOMMY SEAH

• prescribed controls not being followed AFFECTING CONTROL AND SECURITY

• accuracy of accounts and reports is not ensured RESULTING IN INACCURATE PROFIT AND LOSS

Page 11: SEATA by TOMMY SEAH

• Financial assets are not safeguarded DUE TO POOR FINANCIAL MANAGEMENT

• Transactions are not properly authorized LEADING TO ABUSE OF POWER

Page 12: SEATA by TOMMY SEAH

2. A potential cash loss

Page 13: SEATA by TOMMY SEAH

3. A potential reduction in income DUE TO BAD FUNDING

Page 14: SEATA by TOMMY SEAH

4. Inaccurate accounting data and reports INCURRING THE WRATH OF THE REGULATORY BODIES

Page 15: SEATA by TOMMY SEAH

5. Fines or embarrassment to the organization.

Page 16: SEATA by TOMMY SEAH

6. Poor customer relations

Page 17: SEATA by TOMMY SEAH

7. Operational inefficiency

Page 18: SEATA by TOMMY SEAH

8. Loss of business license

Page 19: SEATA by TOMMY SEAH

Risk

The threat that an event or action will adversely affect the organization's

• Ability to achieve its business objectives

and

• Ability to execute its strategies effectively

Page 20: SEATA by TOMMY SEAH

The Risk Spectrum for business in general.

• CREDIT
• LIQUIDITY
• MARKET
• OPERATIONAL

Page 21: SEATA by TOMMY SEAH

CREDIT RISK

The potential earnings volatility caused by obligors defaulting on their obligations and the adequacy of collateral, if any.

Page 22: SEATA by TOMMY SEAH

LIQUIDITY RISK

The potential earnings volatility arising from being unable to fund portfolio assets at reasonable rates over required maturities.

Page 23: SEATA by TOMMY SEAH

MARKET RISK

The potential value and earnings volatility in the trading and structural books due to market price changes.

Page 24: SEATA by TOMMY SEAH

OPERATIONAL RISK

The potential loss caused by breakdown in information technology, communication and transaction processing.

Operational Risk includes, inter alia, execution risk, information risk, relationship risk, legal/fiduciary risk and employee risk.

Page 25: SEATA by TOMMY SEAH

CFE-In-Practice offers a comprehensive range of business and technology consulting services for banking and capital markets. We offer Consultancy and Implementation for Third Party Independent SOX and/or AML and/or ISO 17799 Compliance Certification of your systems.

Page 26: SEATA by TOMMY SEAH

CFE-In-Practice

Page 27: SEATA by TOMMY SEAH

CFE-In-Practice

Banking Industry
• AML Certification
• Clearance Alternatives
• Execution and Clearing
• Infrastructure Re-alignment
• Workflow Simplification

Technology
• Application Evaluation
• Multi-Currency System
• Skills Assessment
• System Conversion
• Sarbanes-Oxley Compliance

IT Program Management
• Establish "RFT"
• Identify IT Security needs
• Project Management
• Project Staffing
• Project Supervision

Page 28: SEATA by TOMMY SEAH

CFE-In-Practice

Executive Coaching
• Conflict Resolution
• Leadership Skills
• Managerial Skills
• Motivational Strategies
• Productivity Enhancements

Corporate Governance
• Operations Infrastructure
• Board of Directors
• Performance Diagnosis
• Technology Assessment
• SOX Certification

Litigation Support
• Authoritative Opinion
• Expert Testimony
• Industry Best Practices

Page 29: SEATA by TOMMY SEAH

What is SEATA?

The Auditors Tool.

  

Page 30: SEATA by TOMMY SEAH

General Function of Internal Audit

• What is the role of the internal auditor?
• What really is internal audit?
• What should be the expectation of the internal auditors?
• Is there a way to check on the internal auditor?
• How to protect yourselves when being audited?

(Systems Evaluation Approach Towards Auditing)

Page 31: SEATA by TOMMY SEAH

But first, the relationship between:

• Internal Audit
• Compliance
• Risks Management

Page 32: SEATA by TOMMY SEAH

Systems Evaluation Approach Towards Auditing

Control Objectives and Key Controls

The Core of an Internal Audit Assignment

Page 33: SEATA by TOMMY SEAH

Internal auditors are of course in favor of controls.

There is really nothing profound or mysterious about auditing.

Page 34: SEATA by TOMMY SEAH

From the professional Auditor's perspective:

Controls should be there for a purpose.

The purpose is to ensure that the system or process achieves its objectives.

Page 35: SEATA by TOMMY SEAH

• Controls are only needed to reduce the risks to the achievement of these objectives to an acceptable level.

• Thus, there may be circumstances when internal auditors suggest that certain controls should be removed, for example, if they do not contribute to the reduction of significant risks.

Page 36: SEATA by TOMMY SEAH

• The systems audit approach revolves around the objectives of the system – i.e. should existing controls provide sufficient assurance to the senior managers and directors of the organisation that the system will achieve its objectives?

Page 37: SEATA by TOMMY SEAH

• And does the internal control system currently reduce the chance of things going wrong (or not going right) to an acceptable level?

Page 38: SEATA by TOMMY SEAH

• Before internal auditors start each audit assignment they need to be clear about the relevant organizational and management objectives.

• Are the internal auditors clear about this?

Page 39: SEATA by TOMMY SEAH

Control Objectives in SEATA

• Control objectives should form the framework of each systems audit assignment.

• They should detail the various aspects of a system's objectives.

Page 40: SEATA by TOMMY SEAH

Control Objectives in SEATA

• They identify specific objectives against which internal auditors can evaluate existing controls.

• Control objectives should be specific enough to provide the basis for this evaluation.

• Generalizations such as "to ensure that support services are adequate" should be avoided.

Page 41: SEATA by TOMMY SEAH

• Comprehensive control objectives can be developed for any system by considering the following areas of control:

– Has the system been adequately planned?

– Are the operations adequately supervised and controlled?

Page 42: SEATA by TOMMY SEAH

Comprehensive control objectives can be developed for any system by considering the following areas of control:

• Is the system periodically reviewed?

• Is suitable management information produced?

Page 43: SEATA by TOMMY SEAH

Internal auditors need to determine that the manager who is responsible for the system to be audited agrees with objectives assigned to the system and the control objectives which audit have developed.

Page 44: SEATA by TOMMY SEAH

These should be agreed at the initial meeting with the EIC who should also be requested to formally sign up to the agreed scope and objectives for the audit assignment during the pre-audit meeting.

Page 45: SEATA by TOMMY SEAH

Key controls

Once the control objectives have been agreed, internal auditors need to identify the controls that they consider necessary to provide assurance that each of these objectives is being achieved. These are what may be termed the key controls.

Page 46: SEATA by TOMMY SEAH

Key controls

If the internal auditor is "lucky", control schedules will have been developed for the relevant system.

These schedules should document the standard control objectives for such a system and the associated expected key controls.

Page 47: SEATA by TOMMY SEAH

SEATA

The purpose of the schedule of expected key controls is to assist in the evaluation of the actual controls identified during the audit.

It is imperative that the expected controls are reviewed critically to ensure that they are appropriate. HOW?

Page 48: SEATA by TOMMY SEAH

SEATA

The standard key expected controls will not always be relevant and may have to be adapted to the particular system that is reviewed.

Do not jump to conclusions. There can always be compensating controls.

Page 49: SEATA by TOMMY SEAH

SEATA

If internal auditors do not identify the key expected controls, there is a danger that they will concentrate purely on the actual controls in place and fail to identify those that are missing.

Identification of key controls should ensure that audit time is spent efficiently by concentrating on the key control aspects of the system under review.

Page 50: SEATA by TOMMY SEAH

SEATA

There may be many other controls; however, the key controls are the more important controls and are the basic controls that are necessary to ensure that each control objective is achieved and all significant risks are adequately managed.

The audit should concentrate on assessing the adequacy and reliability of these key controls.

Page 51: SEATA by TOMMY SEAH

SEATA

Identification and documentation of existing controls.

Systems auditing should be a critical assessment of the controls currently in place against control objectives agreed for the system.

Thus, identifying existing controls is one of the central tasks of systems audit.

Page 52: SEATA by TOMMY SEAH

SEATA

Internal auditors cannot assess, test or suggest improvements to the internal control environment unless they have a clear and comprehensive view of all of the controls that currently operate.

Documenting the existing controls should help auditors understand these controls and form a basis for the evaluation of the controls and the development of their testing strategy.

Page 53: SEATA by TOMMY SEAH

SEATA

There may be a wide range of sources of information available to internal auditors about how a system operates. These may include:

• interviewing staff and their managers;
• reviewing existing documentation;

Page 54: SEATA by TOMMY SEAH

SEATA

There may be a wide range of sources of information available to internal auditors about how a system operates. These may include:

• observation of working practices;
• reviewing previous audit reports.

Page 55: SEATA by TOMMY SEAH

SEATA

The most important source of information will usually be the staff working with the system.

They know how the system actually operates and should have a reasonable idea of how practical any improvements may be.

Page 56: SEATA by TOMMY SEAH

SEATA

Thus interviewing skills are essential for all internal auditors.

They need to be able to understand what may be a complex system.

They also need to be able to critically assess each stage of the process; i.e. why is it performed? Could it be undertaken more efficiently?

Page 57: SEATA by TOMMY SEAH

SEATA

Staff who operate the system will know what they do, but not necessarily why they do it.

They may also try and explain the system in the most positive light.

The skill of internal audit is to enable all the staff they interview to open up and tell them what they actually do (not just what they think they should do) and to describe any aspects they think could be improved.

Page 58: SEATA by TOMMY SEAH

SEATA

Understanding why each task is undertaken may be more difficult. Staff may just do it "because we've always done it that way" or even worse "because the auditors told us to!"

Page 59: SEATA by TOMMY SEAH

SEATA - Other places to look

Auditors may review documentation such as statutes, circulars, committee reports, job descriptions, organisation charts, policy and procedure manuals and financial regulations.

Page 60: SEATA by TOMMY SEAH

SEATA - Other places to look

These may record how a system is supposed to work, but may not necessarily reflect actual practice.

Internal auditors may consider that the adequacy or otherwise of documentation is an indication of the attitude of management to internal control.

Page 61: SEATA by TOMMY SEAH

SEATA - Other places to look

Observation of the physical environment and working methods should provide internal auditors with further evidence of actual practice.

This is a particularly useful method of fact-finding where no physical evidence of an action may have taken place.

Page 62: SEATA by TOMMY SEAH

SEATA - Other places to look

Internal auditors should however be aware that their presence may influence the behavior and practices of staff under review.

Page 63: SEATA by TOMMY SEAH

SEATA - Other places to look

Reports of previous reviews of the system by other internal auditors, external auditors or other review agencies may also be a useful source of information.

However, these reports should be read with care. The authors may not have understood the system, they may not have covered all aspects or their reports may be unclear.

Page 64: SEATA by TOMMY SEAH

SEATA - Other places to look

This consideration may allow internal auditors to reflect on the quality of their own reports and system documentation.

Page 65: SEATA by TOMMY SEAH

SEATA - Other places to look

Would these allow other auditors to quickly grasp the most important aspects of the system and its internal controls?

Page 66: SEATA by TOMMY SEAH

Internal Controls

Auditors need to understand how the system operates and the role of all the key procedures, but essentially they are only interested in controls.

There are a range of different types of control. The most important may be remembered by the mnemonic SOAP MAPS:

Page 67: SEATA by TOMMY SEAH

Internal Controls

Segregation of duties:

the functions of authorizing transactions; recording the transactions; and custody of the associated assets should be undertaken by separate staff.

Page 68: SEATA by TOMMY SEAH

Internal Controls

Organization:

there should be a clear organisation chart and all staff should have up to date job descriptions that clearly indicate their responsibilities.

Page 69: SEATA by TOMMY SEAH

Internal Controls

Authorization and approval:

all transactions and decisions should be formally authorized by nominated staff.

Page 70: SEATA by TOMMY SEAH

Internal Controls

Physical:

there should be suitable controls over access to offices { i.e. including RECORDS, DATA BASE and whatnots }, assets, controlled stationery and computer systems.

Page 71: SEATA by TOMMY SEAH

Internal Controls

Management:

production of suitable financial and operational management information; use of exception reports; critical review and enquiry by management.

Page 72: SEATA by TOMMY SEAH

Internal Controls

Arithmetical and accounting:

checking / re-performing tasks carried out by others; casting (adding up) orders, invoices, payroll etc; reconciliation between the bank and accounting records; control accounts.

Page 73: SEATA by TOMMY SEAH

Internal Controls

Personnel: appointment of staff should be adequately controlled; all staff should be suitably trained for their post and appraised regularly.

Supervision: all staff and activities should be adequately supervised by someone who understands the process and will detect deviations from accepted practice.

Page 74: SEATA by TOMMY SEAH

Interim Opinion

Recording the controls

All internal audit work should be documented and be sufficient to support the conclusions drawn on the adequacy and reliability of the internal controls.

Page 75: SEATA by TOMMY SEAH

Interim Opinion

Recording the controls

The main procedures and key controls over significant risks should be clearly and concisely recorded.

Page 76: SEATA by TOMMY SEAH

Proper house keeping

Audit working papers should include:

• systems notes, either in text or graphics, whatever;
• notes of interviews and meetings;
• a record of the current key controls and their reliability;
• an assessment of the extent that existing controls will ensure that each agreed control objective is achieved; and
• evidence of audit sampling and testing of controls.

Page 77: SEATA by TOMMY SEAH

There are a number of methods of documenting procedures and controls, for example:

• flow charts,
• key control schedules,
• internal control questionnaires and
• narrative notes.

Page 78: SEATA by TOMMY SEAH

Whatever method is adopted should be used consistently.

This should make it easier for the system notes to be used for future reviews of the same system.

Systems documentation should:

• be clear and easy to understand;
• provide a standardized approach;
• highlight risk points and key controls.

Page 79: SEATA by TOMMY SEAH

The purpose of this documentation is to:

enable the internal auditors to review the information they have received and to organize their thoughts and knowledge so the internal controls can be systematically assessed and tested;

Page 80: SEATA by TOMMY SEAH

The purpose of this documentation is to:

provide details of problems encountered, evidence of work done and conclusions drawn for future reference and to assist the planning of future audits;

Page 81: SEATA by TOMMY SEAH

The purpose of this documentation is to:

demonstrate to interested parties that the audit work has been properly planned, controlled, executed and reported.

Page 82: SEATA by TOMMY SEAH

Once internal auditors have discovered the controls that actually exist and made notes of these they can go on to assess whether these controls should be adequate.

However, auditors do not usually look upon internal auditing as simply a series of stages that can be completed one after the other. (Those who do that are not real internal auditors – it is just an occupation, a job, paper pushers.)

Page 83: SEATA by TOMMY SEAH

The really professional auditors:

When they go on to test the controls that they have identified, they may discover further controls or that some controls are not actually operating as expected.

They will then have to go back and revise their system notes to ensure these reflect the actual controls that are operating in practice.

Page 84: SEATA by TOMMY SEAH

The Fraud Triangle

Motive

Opportunity Rationalization

Page 85: SEATA by TOMMY SEAH

SEATA

Risk Definition

What is Risk ?

Page 86: SEATA by TOMMY SEAH

Understanding Risk in Internal Audit

SML Curve

Return

Risk

Deviation from Return is Risk

Page 87: SEATA by TOMMY SEAH

The Risk Spectrum for any organization in general.

Operational Risk

Credit Risk

Market Risk

Liquidity Risk

Reputational Risk

Page 88: SEATA by TOMMY SEAH

How ACTIVE DATA can be used to achieve your risk management objectives

Page 89: SEATA by TOMMY SEAH

The Risk Spectrum for any organization in general.

Operational Risk

Credit Risk

Market Risk

Liquidity Risk

Reputational Risk

Page 90: SEATA by TOMMY SEAH

Operational Risk and Challenges for Banks

SML Curve

Return

Risk

Deviation from Return is Risk

Page 91: SEATA by TOMMY SEAH

The SEATA AIG-Caat Approach

Risk Definition

Product Risk

General Risk

Business Risk

Critical Product Controls

Business Policy General Controls

System Documentation

Page 92: SEATA by TOMMY SEAH

System Documentation

Internal Control Questionnaire (ICQ)

Narrative Notes (Interviewing Notes)

Flow Charts

Analytical Review Procedures (ARP) and Quantitative Testing i.e. MfV concepts and Economic Capital allocation test.

Depth Tests

Determine the Existence of Controls

Page 93: SEATA by TOMMY SEAH

System Documentation

Internal Control Questionnaire (ICQ)

Narrative Notes (Interviewing Notes)

Flow Charts

Analytical Review Procedures (ARP) and Quantitative Testing i.e. MfV concepts and Economic Capital allocation test.

Evaluate (THEORETICAL) Adequacy

Determine the Existence of Controls

Page 94: SEATA by TOMMY SEAH

Evaluate (THEORETICAL) Adequacy

Determine the Existence of Controls

System Appraisal Memorandum (Sam)

Page 95: SEATA by TOMMY SEAH

System Appraisal Memorandum (Sam)

Part I

SYSTEM APPRAISAL

Columns: SYSTEM CONTROL OBJECTIVES; ADEQUATE (YES / NO / N/A); IF NOT ADEQUATE (W.P.'s REF., REPORT SHEET NO.)

1. Transaction or Event Recognition

Methods must exist to ensure that all transactions will be identified and recorded with control established close to the source of the transaction.

Page 96: SEATA by TOMMY SEAH

System Appraisal Memorandum (Sam)

2. Transaction Authorisation

Methods of transaction approval must be defined with effective procedures to detect and clear errors with the responsibility for approval being at the right level.

3. Transaction Acceptance

There must be an effective control on converting data to the form used for accounting or record keeping which will ensure that errors will be detected and cleared and lost transactions will be identified.

4. Account of File Classification

Methods must exist to ensure consistency in making account allocations.

Page 97: SEATA by TOMMY SEAH

System Appraisal Memorandum (Sam)

5. Integrity of Processing

Methods must exist to ensure there is control on accuracy of data during processing, that only valid files will be used and errors, lost transactions and transactions processed twice will be detected, ensuring that corrected transactions will be properly represented.

Page 98: SEATA by TOMMY SEAH

System Appraisal Memorandum (Sam)

Columns: ADEQUATE (YES / NO / N/A); IF NOT ADEQUATE (W.P.'s REF., REPORT SHEET NO.)

6. Interface Compatibility

Methods must exist to ensure that common data is used wherever possible and in interfacing systems that the information is consistent and compatible and is reconciled while the means to integrate interfacing systems should be thoroughly explored.

7. Accuracy of Reports

Methods must exist to ensure that output is reconciled to input, that reporting is complete, meets the requirements of management and is distributed correctly on a timely basis while ensuring management trails are adequate.

Page 99: SEATA by TOMMY SEAH

System Appraisal Memorandum (Sam)

8. Verification of Reports and Files

Methods must exist to ensure that reports to management are reconciled with underlying data files and that regular comparison with physical items is made where possible.

9. Error Correction

Methods must exist to ensure that all errors occurring at each state of the transaction process will be corrected and reprocessed on a timely basis.

10. Asset Access Restriction

Methods must exist to ensure that access to assets will be restricted and assets safeguarded.

Page 100: SEATA by TOMMY SEAH

System Appraisal Memorandum (Sam)

Columns: ADEQUATE (YES / NO / N/A); IF NOT ADEQUATE (W.P.'s REF., REPORT SHEET NO.)

11. Organization

There must be proper segregation between functions of custody, authorisation and recording.

Page 101: SEATA by TOMMY SEAH

System Appraisal Memorandum (Sam)

PART II IMPACT OF WEAKNESS

Columns: WEAKNESS; IMPACT OF THE WEAKNESS; T.A.P REF.

Page 102: SEATA by TOMMY SEAH

System Appraisal Memorandum (Sam)

OVERALL CONCLUSION FOR Preliminary REPORT

PART III

The system of internal control is appraised to be

• Satisfactory

• Satisfactory however………

• Satisfactory except for…….

• Unsatisfactory

• We are unable to express an opinion because………..

Page 103: SEATA by TOMMY SEAH

Evaluate (THEORETICAL) Adequacy

Determine the Existence of Controls

System Appraisal Memorandum (Sam)

TAILORED AUDIT PROGRAM (TAP)

Page 104: SEATA by TOMMY SEAH

Execution of TAILORED AUDIT PROGRAM (TAP)

Compliance Testing

Substantive Testing

Report Sheet

AIG-Caat

Effectiveness

Accuracy

Page 105: SEATA by TOMMY SEAH

AIG-Caat

Application of Benford Law for Discovery Sampling Techniques in Analytical Review Procedures

Software Assurance Process

Page 106: SEATA by TOMMY SEAH

FORM OPINION

TAKE UP MEETING

ISSUE REPORT

Page 107: SEATA by TOMMY SEAH
Page 108: SEATA by TOMMY SEAH

More Information

• CFE-In-Practice – www.cfe-in-practice.com

• [Contact Person] – [Tommy Seah], ACFE Vice Chairman, Regent – [(65) 9106 9872] – [[email protected]]