PLANNING THE INTERNAL AUDIT (8 - 10%) MODULE 4 PLANNING THE INTERNAL AUDIT (8 - 10%) Lecturer: Dale Neuls, BA, CGA DN 14/15

INTERNAL AUDITING PROCESS 4 main phases Planning long term short term engagement Examination fieldwork (audit program) Reporting draft and final reports Monitoring action taken by management on audit recommendations

IA PLANNING PROCESS Knowledge of Organization Preparing Long Term Plan (3 to 5 yrs) Defining the Audit Universe Performing the Overall Risk Assessment Determining Frequency of Audits (risk assessment matrix) Approval of the Plan Long Term Planning Short Term Planning Preparing Short Term Plan (Annual) Preparing Engagement Plan Obtaining Knowledge of Client Defining Audit Objectives/Scope Defining an Audit Methodology (function, organization, program) Developing Audit Criteria Preparing Staffing Plans and Time Budgets Communications with Management (audit planning memo) Preparing Audit Program Engagement Planning

KNOWLEDGE OF ORGANIZATION organization charts (job descriptions) role and mission statements corporate and operational plans policies and procedures manuals systems descriptions (I,P,O)

financial statements, annual report reports EA, consultant IA, management minutes - board of directors, audit committee, executive and management laws, regulations financial statements, annual report

Preparing Long Term Plan (3 to 5 yrs) Defining the Audit Universe Performing the Overall Risk Assessment Determining Frequency of Audits (risk assessment matrix) Approval of the Plan

AUDIT UNIVERSE defined as aggregate of all areas to be audited within organization organization divided into auditable activities (functional, organizational, project/program approaches) policies, procedures, laws cost/profit/investment centres GL account balances information systems (manual, computer) major contracts, projects, programs organization units such as product or service lines functions e.g. IT, purchasing, marketing, production, finance transaction systems e.g. RRR, PPP, inventory, payroll, HR geographical locations such as sales offices or manufacturing plants

RISK ASSESSMENT audits must cover areas of high significance and risk which are most critical to success of organization for senior management and board IA assists with risk management by evaluating controls for appropriateness and adequacy and by focusing on most significant risks key decisions what areas to audit frequency

RISK ASSESSMENT FACTORS CONTROLLABILITY some organizational activities are more controllable than others e.g. control of personnel and payroll but lesser control of fraud, sales, warranty claims LIKELIHOOD WEAKNESS WILL OCCUR (risks) Business risk (internal/external) common to all company functions organizational complexity management practices and culture (boss vs leader) competitive pressures economic and financial situation (credit, interest rate, currency, market price)

Control risk - all controls deteriorate over time (dampbqs) specific which varies from operation to operation e.g. finance, production competence and training of staff volume/complexity of transactions extent of management information systems Control risk - all controls deteriorate over time (dampbqs) complacency short cut knowledge technology changes Audit risk - the chance that audit will fail to detect an error sampling recognition/evaluation training/competence

IMPACT OF WEAKNESS business risks financial - erroneous record keeping, unacceptable accounting, profit loss because of increased costs information - data altered, destroyed or misused regulatory - penalties for non compliance with laws resource - human and physical resources managed contrary to policies, procedures, efficiency and effectiveness competition - unable to meet demands of marketplace or respond to competitive challenge

RISK ASSESSMENT MATRIX risk assessment matrix prepared to document overall risk for audit areas rating of H, M, L assigned to each audit area for 3 risk factors - controllability, likelihood that weakness will occur and impact of weakness

frequency of audit focus on areas with highest overall risk high - audit each year e.g. inventory, production moderate - audit every 2 to 3 years e.g. HR, purchasing low - audit every 5 years e.g. travel/expense accounts IA coordinate work with EA to determine frequency of audit and reliance of EA on IA work

plans prepared by IA (independence) AUDIT PLANNING (IIA) plans prepared by IA (independence) Standard 2000 Managing IA Activity (2010 to 2070) 2010 Planning (risk based audit plan based on risk assessment with senior management and board) 2020 Communication/Approval (audit plan reviewed and approved by senior management and board) 2030 Resource Management (resources appropriate, sufficient, effectively deployed)

2040 Policies and Procedures (guide activities) 2050 Coordination (external auditors, consultants) 2060 Reporting to Senior Management and Board (periodic report on audit plan vs performance) 2070 External Service Provider and Organizational Responsibility for Internal Auditing (provider must make organization aware that organization has responsibility for maintaining an effective IA activity)

short term plan (annual) for current year prepared from long term plan audit area e.g. purchasing effectiveness using 12 attributes rationale for selection audit resources and hours for project plan subject to change after approval by Audit Committee and senior management e.g. fraud, new computer systems, organizational changes, governance issues

Preparing Engagement Plan Obtaining Knowledge of Client (knowledge of organization) Defining Audit Objectives/Scope Defining an Audit Methodology (function, organization, program) Developing Audit Criteria Preparing Staffing Plans and Time Budgets Communications with Management (audit planning memo) Preparing Audit Program

AUDIT OBJECTIVES AND SCOPE audit objectives define what is to be achieved by audit “to determine whether cash receipts are deposited daily and intact in accordance with corporate policies and procedures” audit scope defines extent of review “to review cash receipts and deposit practices in Vancouver office for period January to June 20XX”

AUDIT CRITERIA “standards” that client is expected to follow and against which client performance will be assessed e.g. internal controls, policies/procedures, budgets developed in discussions with client and IA

sources of criteria Authoritative literature e.g. manufacturing manual Common sense and experience Organization policies/procedures manuals Laws and regulations e.g. CRA, environmental Professional associations e.g. CICA Interviews with management e.g. staff performance should be consistent with company goals Earlier management audits