Risk based audit methodology

Feedback from IIA training: compliance auditing ... and some more compliance auditing. Consistent findings: same as last year, or the same as last time, with the same result.

Client indicators: "policemen" image (newspaper exposure = forensic auditing); cost versus benefit questions; lack of funding and resources for IA, limiting effectiveness; ensuring compliance at a minimum cost.

Government indicators: +/- 48% of local authorities are being mismanaged; Section 100 take-overs; disciplining and terminating the performance contracts of senior management for not delivering services; government statements relating to values and ethics; funds will be shifted from poorly managed to effective institutions.

Audit committees: chairperson independent; majority from outside the department. Report annually on: effectiveness of internal control; quality of management and financial reports; evaluation of financial statements.

Internal audit (IIA definition): an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations; it evaluates and improves the effectiveness of risk management, control and governance processes.

PFMA/MFMA: internal audit must be conducted in accordance with the standards set by the IIA. IA must assist in achieving the objectives by evaluating and improving the processes through which: objectives and values are established and communicated; accomplishment of objectives is monitored; accountability is ensured; corporate values are preserved.

Objective setting
Objectives are set within the control environment, in four categories:
Strategic: high-level goals, aligned with and supporting the entity's mission/vision.
Operational: effectiveness/efficiency of operations, performance and service delivery goals.
Reporting: effectiveness of internal/external reporting, financial or non-financial.
Compliance: compliance with applicable laws and regulations.

Within the context of the established mission or vision, management establishes strategic objectives, selects strategy and establishes related objectives, cascading through the enterprise and aligned with and linked to the strategy. Objectives must exist before management can identify events potentially affecting their achievement. Enterprise risk management ensures that management has a process in place to both set objectives and align the objectives with the entity's mission/vision, consistent with the entity's risk appetite.

Entity objectives can be viewed in the context of four categories:
Strategic – relating to high-level goals, aligned with and supporting the entity's mission/vision.
Operations – relating to effectiveness and efficiency of the entity's operations, including performance and profitability goals. They vary based on management's choices about structure and performance.
Reporting – relating to the effectiveness of the entity's reporting. They include internal and external reporting and may involve financial or non-financial information.
Compliance – relating to the entity's compliance with applicable laws and regulations.

This categorization of entity objectives allows management and the board to focus on separate aspects of enterprise risk management. These distinct but overlapping categories (a particular objective can fall under more than one category) address different entity needs and may be the direct responsibility of different executives. This categorization also allows distinguishing between what can be expected from each category of objectives.

Some entities use another category of objectives, "safeguarding of resources," sometimes referred to as "safeguarding of assets." Viewed broadly, these deal with prevention of loss of an entity's assets or resources, whether through theft, waste, inefficiency or what turns out to be simply bad business decisions, such as selling product at too low a price, failing to retain key employees or prevent patent infringement, or incurring unforeseen liabilities. This broad-based safeguarding of assets category may be narrowed for certain reporting purposes, where the safeguarding concept applies only to the prevention or timely detection of unauthorized acquisition, use, or disposition of the entity's assets.

Safeguarding of assets (the narrower reporting/compliance view): prevention or timely detection of unauthorized acquisition, use or disposition of assets.

COSO: all five components must be present and functioning before a control system can be effective.
Components: control environment; risk assessment; control activities (prevention); information and communication; monitoring activities (detection).
Objectives served: safeguard assets; compliance with laws, regulations, contracts; reliability and integrity of information; economy, effectiveness and efficiency.

IIA versus COSO. IIA: governance, risk, control. COSO: control environment, information/communication, risk management, control activities, monitoring.

Governance process (diagram): objective → process → risk. Legal mandate: laws and regulations (part of the COSO control environment). Strategic/operational plans (SMART/CQQT).

Control environment = the foundation for all other components of internal control: integrity, ethical values, competence of management and employees; management's philosophy and operating style; departmental structure, CQQT, staff and employee development programs, and its process for delegating authority and responsibility.

Control environment: integrity and ethical values.
Executive authority: legal mandate = entity-wide objectives = strategic plans = business plans = job descriptions and performance agreements; effective communication to all employees.
Integrity and ethical values: no dealings with others not demonstrating an appropriate level of commitment to integrity; ethical tone at the top, properly communicated downwards; formal code of conduct; ethical standards; acceptable operational practices; conflict of interest.

SMART Specific Measurable Achievable Relevant Timely

Commitment to competence Job descriptions & performance agreements define tasks Adequate analysis of knowledge and skills needed Adequate training program

Accomplishment of goals monitored Key performance objectives Key performance indicators Management information Exception reports Responsibility assigned

Accountability Appropriate structure Responsibility assigned Delegation of authority consistent with assignment of responsibility Who is driving accountability? Disciplinary processes consistent

Human resource policies Hire qualified staff Ethical appointments with background checks

Oversight groups Mechanism to monitor and review operations and programs Independent oversight

Values preserved Appropriate disciplinary action Management action to address intervention/overriding control Management action to remove unethical behavior

CQQT: Cost (standard costing, net present value, breakeven analysis); Quantity (economic order quantities); Quality (the right quality at the right price); Timelines.

Other benefits: responsibility; quantify losses; recovery of revenue from private sector patients; recovery of revenue from the Road Accident Fund.

Economic order quantities

Economic order quantities: useful to establish the optimal quantity and ordering frequency for each stock item. The formulas are built into LOGIS and are based on: cost per unit; delivery times; cost of ordering.

EOQ – practical use Reorder levels Safety levels

Quantities and price Maximum stock levels Minimum stock levels Reorder levels

Governance process (diagram, expanded): objective → process → risk. Laws/regs; strategic/operational plans (SMART/CQQT); key measurable objectives and indicators; capability – finance and human; responsibility/accountability.

Control environment (continued)
Executive authority: hire qualified staff; ethical appointments with background checks.
Integrity and ethical values.
Commitment to competence: job descriptions and performance agreements define tasks; adequate analysis of knowledge and skills needed; adequate training program.
Authority and responsibility: appropriate structure; responsibility assigned; delegation of authority consistent with assignment of responsibility; disciplinary processes consistent.

Commitment to competence: competence reflects the knowledge and skills needed to perform assigned tasks. Management decides how well these tasks need to be accomplished, weighing the entity's strategy and objectives against plans for strategy implementation and achievement of the objectives. A trade-off often exists between competence and cost; it is not necessary, for instance, to hire an electrical engineer to change a light bulb. Management specifies the competency levels for particular jobs and translates those levels into requisite knowledge and skills. The necessary knowledge and skills in turn may depend on individuals' intelligence, training and experience. Factors considered in developing knowledge and skill levels include the nature and degree of judgment to be applied to a specific job. Often a trade-off can be made between the extent of supervision and the requisite competence level of the individual.

Budget and HR. Budget: operational budget; capital budget; R640bn unspent. Human resources: warm bodies (829 000 vacant posts in government); skills (1 million people left the country since 1994).

Become a KMI specialist. Management do not know where things go wrong: medicine theft; student bursaries; school books not delivered; inefficient use of ambulances and police vehicles; invalid qualifications.

KMO and KMI. KMO (key measurable objective): to ensure efficient asset management. KMI (key measurable indicator): up-to-date asset registers.

Governance process (diagram, expanded): objective → process → risk. Laws/regs; strategic/operational plans (SMART/CQQT); key measurable objectives and indicators; performance agreements/job descriptions; performance measurement; capability – finance and human; responsibility/accountability.

Control environment (continued): executive authority; integrity and ethical values; commitment to competence; authority and responsibility.
Monitoring of objectives: key performance objectives; key performance indicators; management information; exception reports; responsibility assigned.

Management's philosophy and operating style: management's philosophy and operating style affect the way the enterprise is managed, including the kinds of risks accepted. A company that has been successful accepting significant risks may have a different outlook on enterprise risk management than one that has faced harsh economic or regulatory consequences as a result of venturing into dangerous territory. An informally managed company may control operations largely by face-to-face contact with key managers. A more formally managed one may rely more on written policies, standards of behavior, performance indicators and exception reports. Other elements of management's philosophy and operating style include preference for conservative or aggressive accounting principles, conscientiousness and conservatism with which accounting estimates are developed, and attitudes toward financial reporting, information technology, business processes and personnel. The attitude and daily operating style of top management affect the extent to which actions are aligned with risk philosophy and appetite. For example, an undisciplined operating style often is associated with, and might encourage, an appetite for high risk. An effective environment does not require that risks be avoided; rather it reinforces the need to be knowledgeable about the risks associated with strategic choices and the entity's operating environment, both internal and external. An effective environment encourages people to pursue business opportunities that align with the entity's risk appetite.

Organizational structure: an entity's organizational structure provides the framework to plan, execute, control and monitor its activities. A relevant organizational structure includes defining key areas of authority and responsibility and establishing appropriate lines of reporting. For example, an internal audit function should be structured in a manner that achieves organizational objectivity and permits full and unrestricted access to top management and the audit committee of the board, and the chief audit executive should report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. An entity develops an organizational structure suited to its needs. Some are centralized, others decentralized. Some have direct reporting relationships, others are more of a matrix organization. Some entities are organized by industry or product line, by geographical location or by a particular distribution or marketing network. Other entities, including many state and local governmental units and not-for-profit institutions, are organized by function. The appropriateness of an entity's organizational structure depends, in part, on its size and the nature of its activities. A highly structured organization with formal reporting lines and responsibilities may be appropriate for a large entity that has numerous operating divisions, including foreign operations. However, such a structure could impede the necessary flow of information in a small entity. Whatever the structure, an entity should be organized to enable effective enterprise risk management, and to carry out its activities so as to achieve its objectives.

Governance process (diagram, complete): objective → process → risk. Laws/regs; strategic/operational plans (SMART/CQQT); key measurable objectives and indicators; performance agreements/job descriptions; performance measurement; management info; exception reports; capability – finance and human; responsibility/accountability.

COSO versus IIA. IIA: GP (governance process), RA (risk assessment), CP (control process). COSO: CE (control environment), RA (risk assessment), IC (information and communication), CA (control activities, preventative), M (monitoring, detective).

Performance Measures

Power of measuring results (FMPPI – p1)
If you do not measure results, you cannot tell success from failure.
If you cannot see success, you cannot reward it.
If you cannot reward success, you are probably rewarding failure.
If you cannot see success, you cannot learn from it.
If you cannot recognise failure, you cannot correct it.
If you can demonstrate results, you can win public support.

Planning, budgeting and reporting cycle (FMPPI – p4), under oversight: policy development (identify desired impacts) → strategic planning (specify performance indicators) → operational planning (set targets and allocate resources) → in-year reporting (monitor and take corrective action) → end-year reporting (assess and adjust).

Key Performance Concepts (FMPPI – p6) Inputs – what we use to do the work Activities – what we do Outputs – what we produce or deliver Outcomes – what we wish to achieve Impacts – results of achieving specific outcomes

Key Performance Information Concepts (FMPPI – p6)

Performance indicators (FMPPI – p7) Key Performance Information Indicators: Reliable Well defined Verifiable Cost effective Appropriate Relevant

Indicators of Economy, Efficiency, Effectiveness and Equity (FMPPI – p7)

Types of indicators (FMPPI – p8) Cost or price indicators Distribution indicators Quantity indicators Quality indicators Dates and time frame indicators Adequacy indicators Accessibility indicators

Specific focus (FMPPI – p8 & 9) Economy indicators – cost/benefit Efficiency indicators – minimum input, maximum output Effectiveness indicators – achieving the goals and objectives Equity indicators – services provided impartially, fairly and equitably

Performance targets (FMPPI – pp9 & 10): baselines; performance targets; performance standards. Criteria: Specific, Measurable, Achievable, Relevant, Time-bound.

Developing Performance Indicators (FMPPI – p11 & 12) Step 1: Agree on what you are aiming to achieve Step 2: Specify the outputs, activities and inputs Step 3: Select the most important indicators Step 4: Select realistic performance targets Step 5: Determine the process and format of reporting performance Step 6: Establish processes and mechanisms to facilitate corrective action

Managing Performance Information (FMPPI – p13) Responsibilities: - Executive authorities - Accounting officers - Line managers and other officials

Integrated Performance Information Structures (FMPPI – p13) Well designed documentation Appropriate capacity to manage performance information Appropriate systems to collect, verify and store information Consultation process to include all needs Process to ensure information is used for planning, budgeting and management Processes to ensure responsibility is assigned Identified set of performance indicators for oversight

Reporting (FMPPI – p15 & 16) Accountability reports Information to facilitate oversight Public access to information

Values are preserved Appropriate disciplinary action Management action to address intervention/overriding control Management action to remove unethical behavior

PFMA AO must facilitate risk assessment to identify material risks and to evaluate the strategy for managing these risks IA must assist in maintaining effective controls, evaluating effectiveness and efficiency and develop recommendations for improvement.

Understand risk management. Underlying premise: every entity exists to provide value for its stakeholders. All entities face uncertainty; the challenge for management is to determine how much uncertainty is acceptable as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. (Risk is plotted as impact against likelihood.)

Risk assessment (impact x likelihood) → 2-week audit → audit report.
Audit report elements: criteria; condition; cause; effect; recommendation; management comment.
Management comment options: "I agree with the finding, will implement the recommendation: Yes/No" or "I accept the risk: Yes. Reasons: 1. 2. 3."

Sample sizes: express an opinion on adequacy and effectiveness. Sample size: 30 transactions. Select 1; the first one is wrong. Do I have to do the other 29?

Sample sizes – automated controls: one is enough. The system must perform consistently!

Sample size – "old lady" (manual controls): people make mistakes, so one is not enough. Determine after how many mistakes your audit opinion changes from "adequate and effective" to "adequate, but ineffective". That number is enough! If the same root cause is causing repetitive instances of non-compliance, one is enough!

International standard: select 30 transactions (USA and Eskom). Some departments select 25 (banks, municipalities).
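The stopping rule on the slides above (decide in advance how many deviations the opinion can absorb, then stop testing once that number is exceeded) can be made precise with attribute sampling. The following is an added example, not part of the presentation: it computes the upper bound on the population deviation rate for k deviations seen in n items at a chosen confidence level, derives the largest number of deviations that still supports an "adequate and effective" opinion for an assumed tolerable deviation rate, and walks a constructed 30-item sample whose first item is wrong. The 95% confidence level, the 10% and 15% tolerable rates and the sample results are assumptions; n = 30 mirrors the deck.

```python
"""Attribute-sampling stopping rule for a compliance test (added example).

Not from the presentation: it formalises the slide's question "after how
many mistakes does the opinion change?" with a binomial upper bound on
the population deviation rate. The confidence level, tolerable deviation
rate and sample results below are assumptions; n = 30 mirrors the deck.
"""
from math import comb
from typing import Iterable


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_bound(n: int, k: int, confidence: float = 0.95) -> float:
    """Smallest population deviation rate p at which seeing at most k
    deviations in n items has probability <= 1 - confidence.
    Bisection works because binom_cdf is decreasing in p."""
    lo, hi = 0.0, 1.0
    for _ in range(60):  # far more precision than an audit opinion needs
        mid = (lo + hi) / 2
        if binom_cdf(k, n, mid) > 1 - confidence:
            lo = mid
        else:
            hi = mid
    return hi


def max_allowed_deviations(n: int, tolerable_rate: float,
                           confidence: float = 0.95) -> int:
    """Largest k whose upper bound still lies within the tolerable rate.
    -1 means even a clean sample of n items cannot support the opinion
    (the sample is too small for that tolerable rate)."""
    k = -1
    while k + 1 <= n and upper_deviation_bound(n, k + 1, confidence) <= tolerable_rate:
        k += 1
    return k


def evaluate_sample(results: Iterable[bool], n: int, tolerable_rate: float,
                    confidence: float = 0.95) -> dict:
    """Test items in order (True = deviation) and stop as soon as the
    opinion can no longer be "adequate and effective"; the remaining
    items need not be examined."""
    limit = max_allowed_deviations(n, tolerable_rate, confidence)
    tested = deviations = 0
    for is_deviation in results:
        tested += 1
        deviations += int(is_deviation)
        if deviations > limit:
            return {"tested": tested, "deviations": deviations, "limit": limit,
                    "opinion": "adequate but ineffective"}
    opinion = ("adequate and effective" if tested >= n
               else "inconclusive: sample not completed")
    return {"tested": tested, "deviations": deviations, "limit": limit,
            "opinion": opinion}


# Constructed sample: 30 items, the first one is a deviation (as on the slide).
SAMPLE_FIRST_WRONG = [True] + [False] * 29

if __name__ == "__main__":
    print("upper bound, 0 deviations in 30:", round(upper_deviation_bound(30, 0), 4))
    for rate in (0.10, 0.15):
        print("tolerable", rate, evaluate_sample(SAMPLE_FIRST_WRONG, 30, rate))
```

With 0 deviations in 30 items the 95% upper bound is about 9.5%, so at a 10% tolerable rate the first wrong item already settles the opinion and the other 29 need not be tested; at 15% the opinion survives one deviation and the whole sample must be completed. This is the manual-control case on the slides; for an automated control the slides' "one is enough" rests on the system behaving consistently, which is a different argument and is not modelled here.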

Risk assessment Management should identify and analyze the risks of achieving its objectives and determine how to manage risks that may result from internal and external sources, such as changes in economic, industry, regulatory, and operating conditions.

Risks Inherent risks Control risks

Inherent risk: the risk of not achieving objectives (strategic risk), assessed before the assessment of any controls. Diagram: objective → process → risk.

Dept of Education example: 68% pass rate versus a national average of 80%. Inherent risks: transport; teachers (qualifications and absenteeism); LSM; infrastructure.

Management agenda Items on inherent risk assessment should be on management agendas Also on Internal audit plans

Risk and recommendations (risk = impact x likelihood). Effect (reasons for a high impact) drives the focus of: audit objectives; fieldwork; recommendations. Root cause (reasons for a high likelihood) drives the focus of: audit objectives; fieldwork; recommendations.

Risk management in stock control – ABC inventory management

ABC inventory management: line items are graded based on the value of the stock kept. A-items (high monetary value, not high quantities) are tightly controlled and monitored; never stock-outs on A-items. B-items require less control and monitoring (lower monetary value and quantities); stock is kept on hand. C-items are only ordered when requested by clients.

ABC inventory management Determine the average investment in each item Express as a percentage of the total value of inventory Classify in groups

ABC – example
Item code | Average investment | % of total investment | ABC class
1 | 1 700 | 21.3% | A
2 | 270 | 3.4% | C
3 | 1 440 | 18.1% |
4 | 720 | 9.0% | B
5 | 3 300 | 41.4% |
6 | 540 | 6.8% |
Totals | 7 970 | 100% |
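As an added example (not from the presentation or from LOGIS) covering both the ABC classification above and the economic order quantity slides earlier: the first function ranks the deck's six items by average investment and assigns classes from the cumulative share of value, reproducing the A, C and B the slide gives for items 1, 2 and 4; the rest computes the EOQ, shows that ordering and holding costs are equal at that quantity, and derives safety stock and reorder levels from usage and lead times. The 80%/95% cut-offs, the holding-cost rate and all demand, cost and lead-time figures are assumptions.

```python
"""ABC classification and economic order quantity (added example).

Not from the presentation or LOGIS. ITEMS holds the deck's ABC figures
(average investment per line item); the cut-offs and every EOQ input are
assumptions chosen for illustration.
"""
from math import sqrt

ITEMS = {1: 1700, 2: 270, 3: 1440, 4: 720, 5: 3300, 6: 540}


def abc_classify(investment: dict, a_cutoff: float = 0.80,
                 b_cutoff: float = 0.95) -> dict:
    """Rank items by value. An item is A while the cumulative share of
    the items ranked above it is below a_cutoff, B while below b_cutoff,
    otherwise C (assumed 80/95 split)."""
    total = sum(investment.values())
    running = 0
    classes = {}
    for item, value in sorted(investment.items(), key=lambda kv: kv[1], reverse=True):
        share_above = running / total
        if share_above < a_cutoff:
            classes[item] = "A"
        elif share_above < b_cutoff:
            classes[item] = "B"
        else:
            classes[item] = "C"
        running += value
    return classes


def eoq(annual_demand: float, order_cost: float, unit_cost: float,
        holding_rate: float) -> float:
    """Economic order quantity sqrt(2DS/H), with H = unit cost x annual
    holding rate (the holding rate is an assumption; the slide only lists
    cost per unit, delivery times and cost of ordering as inputs)."""
    holding = unit_cost * holding_rate
    return sqrt(2 * annual_demand * order_cost / holding)


def annual_costs(q: float, annual_demand: float, order_cost: float,
                 unit_cost: float, holding_rate: float) -> tuple:
    """(ordering cost, holding cost) per year for order quantity q.
    The two are equal at the EOQ, which is what makes it optimal."""
    ordering = annual_demand / q * order_cost
    holding = q / 2 * unit_cost * holding_rate
    return ordering, holding


def stock_levels(avg_daily: float, avg_lead: float, max_daily: float,
                 max_lead: float, min_daily: float, min_lead: float,
                 order_qty: float) -> dict:
    """Reorder, safety, minimum and maximum levels from usage (units/day)
    and delivery lead time (days). Safety stock covers worst-case usage
    over the worst-case lead time; the minimum level is reached when an
    order arrives after average usage over an average lead time; the
    maximum level is reached when an order arrives after minimum usage
    over the shortest lead time."""
    expected_lead_demand = avg_daily * avg_lead
    safety_stock = max_daily * max_lead - expected_lead_demand
    reorder_level = expected_lead_demand + safety_stock  # = max usage x max lead time
    return {
        "safety_stock": safety_stock,
        "reorder_level": reorder_level,
        "minimum_level": reorder_level - expected_lead_demand,
        "maximum_level": reorder_level + order_qty - min_daily * min_lead,
    }


if __name__ == "__main__":
    print(abc_classify(ITEMS))
    q = eoq(1000, 20, 20, 0.2)   # assumed: 1000 units/yr, R20/order, R20/unit, 20% holding
    print("EOQ", q, annual_costs(q, 1000, 20, 20, 0.2))
    print(stock_levels(4, 5, 6, 7, 2, 3, q))  # assumed usage/lead-time figures
```

Items 3, 5 and 6, left blank on the slide, come out as A, A and B under the assumed cut-offs; changing the cut-offs is the management decision the slide's "classify in groups" step refers to.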

Risk index = severity x likelihood (5 x 5 matrix)
likelihood \ severity |  1 |  2 |  3 |  4 |  5
5                     |  5 | 10 | 15 | 20 | 25
4                     |  4 |  8 | 12 | 16 | 20
3                     |  3 |  6 |  9 | 12 | 15
2                     |  2 |  4 |  6 |  8 | 10
1                     |  1 |  2 |  3 |  4 |  5

Risk management strategy: the same 5 x 5 matrix is divided into unacceptable risks (high index) and acceptable risks (low index).

Control to minimize risks: objective → process → control. Inherent risk becomes residual risk; residual risk = the risk remaining after the assessment of any controls.

Control activities Management develops policies & procedures to ensure that directives are followed & that necessary actions are taken to address risks that would impede achieving its objectives. Control activities include authorization, verification, reconciliation, review of operating performance, security of assets, & segregation of duties.

Control activities Safeguarding of assets Compliance with laws, regulations, contracts Accomplishment of objectives Economy, efficiency and effectiveness Reliability and integrity of information

Internal control as per traditional IIA definition

Definition of internal control Document your definition of internal control. What does it include?

Internal control - SCARE Safeguarding of assets Compliance with laws, regulations and contracts Accomplishment of objectives Reliability and integrity of information Economy, efficiency and effectiveness

Safeguarding of assets Physical safeguards Access control Segregation of duties

Compliance Laws and regulations Policies and procedures Contractual obligations

Accomplishment of objectives Strategic plans Operational plans Key measurable objectives Key measurable indicators Management information Exception reporting

Reliability and integrity of information Validity Accuracy Completeness Timely

3 x E’s Economy Effectiveness Efficiency

Monitoring Management monitor internal control structure through ongoing monitoring activities and through separate evaluations. Scope/ sequence of separate evaluations depend on assessment of risks & effectiveness of ongoing monitoring procedures. Internal control deficiencies reported upstream & serious matters reported to management / Cabinet

Detection controls We are drowning in information, but starved of knowledge. We receive unfiltered information. Detection not a priority

Control risk assessment Remember SCARE??? Safeguarding of assets Compliance with laws ….. Accomplishment of objectives Reliability and integrity of information Economy effectiveness and efficiency

Control risk - S Inadequate/ineffective physical safeguarding Inadequate/ineffective access control Inadequate/ineffective segregation of duties

Control risk - C Non-compliance with laws and regulations Non-compliance with policies and procedures Non-compliance with contractual obligations

Control risk - A Inadequate strategic plan Inadequate operational plans Inadequate/ineffective key measurable objectives Inadequate/ineffective key measurable indicators Inadequate/ineffective management information Inadequate/ineffective exception reporting

Control risk - R Inadequate/ineffective processes to prevent: Invalid processing Inaccurate processing Incomplete processing Untimely processing

Control risk - E Ineffective processes Inefficient process Uneconomic processes

Control risk assessment worksheet (columns): Objective | Risk | I (impact) | L (likelihood) | A | Control | Type (preventative/detective) | Nature (manual/IT) | CAA | CEA
S: inadequate physical safeguards; inadequate access control; inadequate segregation of duties
C: inadequate process to ensure compliance with laws/regs; inadequate process to ensure compliance with contracts
R: inaccurate ...; incomplete ...; invalid/unauthorised ...; untimely ...
E: ineffective ...; inefficient ...; uneconomic ...


Audit objectives To evaluate the adequacy and effectiveness of the internal control systems that ensures S C R E

Audit objectives To evaluate the adequacy and effectiveness of the internal control systems (choose prevention, detection or correction) that ensures S C R E

Audit objectives To evaluate the adequacy and effectiveness of the prevention controls that ensures R – reliability and integrity of information

Audit objectives To evaluate the adequacy and effectiveness of the controls that ensures R – reliability and integrity of the purchase order

Risks Inaccurate purchase order Incomplete purchase order Unauthorized purchase order Untimely purchase order

Inaccurate purchase orders Preventative control Detection control

Unauthorized purchase orders Preventative control Detection control

Untimely purchase orders Preventative control Detection control

Inaccurate purchase orders Preventative control Detection control


Risk response (matrix, likelihood 1-5 against severity 1-5): risk reduction moves a risk from its position before controls to its position after controls.

Control assessment (objective → process → control; compare risk R with control C): R > C: inadequate. C > R: inefficient. C = R: adequate/effective. Cost of control (CoC) > cost of risk (CoR): uneconomic.

Example

Practical exercise Process overview flowchart SCRE Audit objective Risk areas Preventative and detection controls Audit opinion

Suppliers master file maintenance (flowchart)
Input: phone call with password to cell phone; enter data; bank EDI.
Processing: application program; suppliers master file.
Output: exception reports (number of changes; frequency); e-mail the change details to the supplier.

Purchasing and payments cycle (flowchart)
Documentation: purchase order; goods received note, supplier delivery note, invoice; cheque payment/EFT requisition.
Input: enter data.
Processing: application program; purchase transaction file; cash disbursement transaction file; general ledger transaction file; suppliers master file; accounts payable master file; general ledger master file.
Output: cheque; remittance advice; purchase journal; disbursements journal; general ledger summary; exception reports and KPIs.

Exercise: mark S, C, R and/or E against each step of the flowchart: purchase order; goods received note, supplier delivery note, invoice; enter data; application program; purchase transaction file; suppliers master file.

To evaluate the adequacy and effectiveness of the controls relating to reliability and integrity of:
- Asset count forms
- Asset removal forms
- Capturing
- Processing
- Updating the fixed asset register

Objectives assigned to each step of the flowchart:
- Purchase order – E
- Goods received note, supplier delivery note, invoice – S
- Enter data – S, R
- Application program – R
- Purchase transaction file – R
- Suppliers master file – R

Lesotho objective
- To verify the correctness of the requested amount of M15m
- To check the adequacy of internal controls in place
- To make recommendations based on the findings

Audit objective
To evaluate the adequacy and effectiveness of controls relating to:
- Safeguarding of assets in the goods received area
- Reliability and integrity of information in the:
  - Capturing phase
  - Processing phase
  - Updating the PTF
  - Updating the SMF
- Economic, effective and efficient use of resources in the ordering phase

Audit opinion
The controls relating to:
- Safeguarding of assets in the goods received area
- Reliability and integrity of information in the:
  - Capturing phase
  - Processing phase
  - Updating the PTF
  - Updating the SMF
- Economic, effective and efficient use of resources in the ordering phase
are adequate and effective.

Audit objective
To evaluate the adequacy and effectiveness of controls relating to:
- Safeguarding of assets (access control)
  - Allocation of unique supplier profile passwords in the capturing phase
- Reliability and integrity of information in the:
  - Capturing phase
  - Processing phase
  - Updating the SMF
  - Exception reports (quantity and frequency)
  - Email confirmations

Audit opinion
The controls relating to:
- Safeguarding of assets (access control)
  - Allocation of unique supplier profile passwords in the capturing phase
  - The availability of the suppliers file
- Reliability and integrity of information in the:
  - Capturing phase
  - Processing phase
  - Updating the SMF
  - Exception reports (quantity and frequency)
  - Email confirmations
are adequate and effective.

Risks – 22 in total
- Inadequate physical safeguarding of assets/access control/segregation of duties [3]
- Inaccurate capturing/processing/updating of PTF and SMF [4]
- Incomplete capturing/processing/updating of PTF and SMF [4]
- Invalid capturing/processing/updating of PTF and SMF [4]
- Untimely capturing/processing/updating of PTF and SMF [4]
- Uneconomic, ineffective, inefficient use of resources in the purchase order phase [3]

Two ways of auditing IT
- Around the computer – IT auditing for non-IT auditors
- Through the computer – IT specialist

Data capture controls
- Data capture = manual procedure – covers initiation, approval, authorisation, review and preparation of documents for source transactions
- User department function
- Both batch and on-line entry systems
- Designed to ensure reliability and integrity of data before data enter the computer application system

Data capture controls - risks

Accounting system:
- Valid and completed source transactions may be omitted from data capture
- Inaccurate source data
- Inaccurate capturing/cut-off of source transactions
- Inaccurate valuation/classification of source data
- Invalid source transaction

Control procedures:
- Valid and completed source transaction may be captured more than once
- Errors may not be properly detected, corrected and resubmitted
- Source transactions may be unauthorized
- Source transaction may be lost

Types of controls
- Prevention
- Detection
- Correction

Prevention objectives
- To ensure reliability and integrity of information (R)
- To ensure proper safeguarding of assets (S)
- To ensure reliable, accurate and complete, authorized, approved and secure source data

Application controls: user procedure manuals, source document design, pre-numbering, sound personnel practices, identification of preparer, evidence of approval, forms security – unused and document management, segregation of duties

User procedure manual
Written procedures – encourage consistent performance of data capture responsibilities. Include:
- Guidelines for documentation preparation
- Flow of documents within dept and to data processing
- Schedules for data capturing and cut-off dates
- Requirements for control over data prior to transmittal to data processing
- Scope of management review and approval of work performed
- Names of individuals authorized to review and approve documents
- Identification of proper evidence of approval

Source document design
- Use of special formats and preprinted data to ensure conformity of work performed to written procedures
- Special formats = use of specific boxes for authorisation signatures, control totals, footing and cross-footing balances and retention dates
- Preprinted data = include repetitive items such as form number and title, department responsibility, transaction code and product number
- Conformity = completeness, accuracy and proper authorisation

Pre-numbering
- Unique identification of transactions
- Reduces the likelihood that a transaction will be lost or omitted

Sound personnel practices
- Ensure hiring of competent personnel
- Continuing evaluation of individual performance
- Periodic rotation of assignments
- Required vacations
- Bonding of key personnel

Identification of preparer
Identification provided by:
- Signature
- Initials
- Employee number
- Terminal entry: sign-on codes, logs of physical access to terminals
Increases the likelihood that segregation of duties is followed.

Evidence of approval
- Authorized signatory
- If no source document = review and approval may be subsequent review of transaction source listing or approval during data entry
- Authorized signature on source listing = evidence of subsequent approval
- Terminal entry = approval code in transaction record

Forms security
- Physical controls over forms
- Signatures for the release of forms for source document preparation
- Reduces likelihood of unauthorized or invalid transactions

Segregation of duties
Four types of separation:
- Custody of assets from data capture function
- Authorisation of transactions from custody of related assets
- Functions of transaction authorisation and source document preparation
- Error correction from initiation and source document preparation
Reduces the likelihood of unintentional errors.

Detection objectives
- To ensure that unreliable, improper, unauthorized, invalid or lost source data are detected

Application controls: batch controls, user review

Batch controls
- Batch number – keep track of receipt or transmittal of batches
- Limiting number of transactions in batch – facilitates reconciliation when batch is out of balance
- Control totals for number of transactions, amounts, quantities in batch – permits subsequent discovery of loss of items/changes in data; accommodated by reconciliation of source data control totals with output upon completion of processing
- Control totals usually recorded manually by user in control log
- Log records time and place of batch transmittal and receipt – attached transmittal ticket controls flow of data from one user to another
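The reconciliation of control totals described above, combined with the pre-numbering check from the prevention slides, as an added worked example (not from the original slides): the user computes count, amount and hash totals for the control log before transmittal, and the same totals are recomputed from what the application actually processed. All transactions, document numbers and batch numbers are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    doc_no: int          # pre-numbered source document number
    amount_cents: int    # integer cents so totals reconcile exactly


@dataclass(frozen=True)
class BatchLogEntry:
    """Control totals the user records in the control log before transmittal."""
    batch_no: str
    count: int           # number of transactions in the batch
    amount_cents: int    # amount total of the batch
    hash_total: int      # sum of the document numbers (meaningless, but detects changes)
    first_doc: int       # first and last pre-numbered documents in the batch
    last_doc: int


def make_log_entry(batch_no: str, source: list[Transaction]) -> BatchLogEntry:
    """Compute the control-log totals from the source documents prior to transmittal."""
    docs = [t.doc_no for t in source]
    return BatchLogEntry(batch_no, len(source), sum(t.amount_cents for t in source),
                         sum(docs), min(docs), max(docs))


def reconcile_batch(log: BatchLogEntry, processed: list[Transaction]) -> dict:
    """Reconcile what the application processed against the logged control totals.

    An empty 'exceptions' list means the batch balances and every pre-numbered
    document in the logged range appears exactly once."""
    docs = [t.doc_no for t in processed]
    seen = Counter(docs)
    expected = set(range(log.first_doc, log.last_doc + 1))
    result = {
        "batch_no": log.batch_no,
        "count_ok": len(processed) == log.count,
        "amount_ok": sum(t.amount_cents for t in processed) == log.amount_cents,
        "hash_ok": sum(docs) == log.hash_total,
        "missing": sorted(expected - set(docs)),                    # lost or omitted
        "duplicates": sorted(d for d, n in seen.items() if n > 1),  # captured twice
        "unexpected": sorted(set(docs) - expected),                 # outside logged range
    }
    exceptions = [k for k in ("count_ok", "amount_ok", "hash_ok") if not result[k]]
    exceptions += [k for k in ("missing", "duplicates", "unexpected") if result[k]]
    result["exceptions"] = exceptions
    return result


# Constructed sample data: three purchase transactions as captured by the user.
SOURCE_BATCH = [Transaction(1001, 10_000), Transaction(1002, 12_000),
                Transaction(1003, 8_000)]
# Processing lost the last document.
DROPPED_BATCH = SOURCE_BATCH[:2]
# Document 1003 was keyed with the number of 1002: count and amount still balance,
# so only the hash total and the pre-numbering check reveal the error.
MISKEYED_BATCH = [Transaction(1001, 10_000), Transaction(1002, 12_000),
                  Transaction(1002, 8_000)]

if __name__ == "__main__":
    log = make_log_entry("B001", SOURCE_BATCH)
    for name, batch in [("as captured", SOURCE_BATCH), ("dropped", DROPPED_BATCH),
                        ("miskeyed", MISKEYED_BATCH)]:
        r = reconcile_batch(log, batch)
        print(f"{log.batch_no} {name}: exceptions={r['exceptions']}")
```

The miskeyed batch shows why a hash total is kept alongside count and amount: a substitution that leaves count and amount in balance is still caught, and the pre-numbering check names the missing and duplicated documents for the error log.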

User review
- Manual review performed by the user prior to transmittal of data
- Purpose = to check source documents, transmittal tickets, control logs for completeness, accuracy, conformity with department policy

Correction objectives
- To ensure that unreliable, improper, unauthorized or invalid source data are, if appropriate, corrected and resubmitted for data capture

Application controls: error correction procedures, audit trail

Error correction procedures
Written error correction procedures should include:
- Description of common errors
- Correction procedures
- Directions for resubmitting transactions
Resubmitted source documents – reviewed for errors in the same way as documents after initial preparation.
Entry in error log for each erroneous source document. Should include:
- Batch number
- Transaction number
- Cause of error
- Date of occurrence
- Date of correction and resubmission
- Initials of user personnel
Review of log will show that errors have been corrected and resubmitted on a timely basis.

Audit trail for data capture
- Consists of copy of source documents or a listing of source transactions
- Source document can be manually prepared during data capture or printed by the terminal as a byproduct of transaction processing
- Auditor will trace original source documents filed by batch (normally sequentially filed)
- Where no source documents are used – source list produced as audit trail
- Auditor will use computer to reference source lists on disk or tape

Information/communication
ERM components: objective setting; event identification; risk assessment; risk response; control environment; control activities; information/communication.

There is also effective communication and exchange of relevant information with external parties, such as customers, suppliers, regulators and shareholders.

Information is needed at all levels of an organization to identify, assess and respond to risks, and to otherwise run the entity and achieve its objectives. An array of information is used, relevant to one or more objectives categories. Information comes from many sources – internal and external, and in quantitative and qualitative forms – and allows enterprise risk management responses to changing conditions in real time. The challenge for management is to process and refine large volumes of data into actionable information. This challenge is met by establishing an information systems infrastructure to source, capture, process, analyze and report relevant information. These information systems – usually computerized but also involving manual inputs or interfaces – often are viewed in the context of processing internally generated data relating to transactions.

Information systems have long been designed and used to support business strategy. This role becomes critical as business needs change and technology creates new opportunities for strategic advantage.

To support effective enterprise risk management, an entity captures and uses historical and current data. Historical data allow the entity to track actual performance against targets, plans and expectations. It provides insights into how the entity performed under varying conditions, allowing management to identify correlations and trends and to forecast future performance. Historical data also can provide early warning of potential events that warrant management attention.
Present or current state data allow an entity to assess its risks at a specific point in time and remain within established risk tolerances. Current state data allow management to take a real-time view of existing risks inherent in a process, function or unit and to identify variations from expectations. This provides a view of the entity’s risk profile, enabling management to alter activities as necessary to calibrate to its risk appetite. Information is a basis for communication, which must meet the expectations of groups and individuals, enabling them to effectively carry out their responsibilities. Among the most critical communications channels is that between top management and the board of directors. Management must keep the board up-to-date on performance, developments, risks and the functioning of enterprise risk management, and other relevant events and issues. The better the communication, the more effective the board will be in carrying out its oversight responsibilities, in acting as a sounding board on critical issues and in providing advice, counsel and direction. By the same token, the board should communicate to management what information it needs and provide feedback and direction. Management provides specific and directed communication addressing behavioral expectations and the responsibilities of personnel. This includes a clear statement of the entity’s enterprise risk management philosophy and approach and delegation of authority. Communication about processes and procedures should align with, and underpin, the desired risk culture. In addition, communication should be appropriately “framed” – the presentation of information can significantly affect how it is interpreted and how the associated risks or opportunities are viewed. 
Communication should raise awareness about the importance and relevance of effective enterprise risk management, communicate the entity’s risk appetite and risk tolerances, implement and support a common risk language, and advise personnel of their roles and responsibilities in effecting and supporting the components of enterprise risk management. Communications channels also should ensure personnel can communicate risk-based information across business units, processes or functional silos. In most cases, normal reporting lines in an organization are the appropriate channels of communication. In some circumstances, however, separate lines of communication are needed to serve as a fail-safe mechanism in case normal channels are inoperative. In all cases, it is important that personnel understand that there will be no reprisals for reporting relevant information. External communications channels can provide highly significant input on the design or quality of products or services. Management considers how its risk appetite and risk tolerances align with those of its customers, suppliers and partners, ensuring that it does not inadvertently take on too much risk through its business interactions. Communication from external parties often provides important information on the functioning of enterprise risk management. Pertinent information – from internal and external sources – must be identified, captured and communicated in a form and timeframe that enable personnel to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity.

Risk and control matrix (columns: best practice, control activity, SCO, risk, CAA)
- Safeguard goods received | Inadequate physical security over goods received | Maintain physical security over goods received; Segregate custodial and record keeping functions

Control analysis – added value opportunity (columns: control activity, prevention, detection, IT, manual)
- Maintain physical security over goods received
- Segregate custodial and record keeping functions

Added value opportunity:
- Computerise to increase efficiency, economy, effectiveness
- IT management information allows for effective detection controls
- Detection control allows development of prevention controls

Added value: Impact x Likelihood = Added value (inadequate controls – recommendation)

Audit report - finding
Finding: clear, concise, factual.
Classified as: inadequate, inefficient, ineffective, uneconomic.

Determine the causes
- Determine what circumstances, if any, caused identified weaknesses. Consider materiality of effect before spending much time determining causes.
- Determine if participants understand both the purpose of the process and their role in it.
- Determine if the relationship between the accounts payable process and other department processes is clear.
- If the process occurs at multiple locations, determine the nature and scope of communication and coordination among components.

Determine the causes
- Determine if the accounts payable process has adequate human, rand, time, and asset resources. If inadequate, determine if resources have been allocated according to materiality of the accounts payable process relative to other processes.
- Negative trends in reports used to monitor outcome(s) – determine if reports are communicated to and used by appropriate parties to modify the process.
- Determine what internal or external constraints or barriers, if any, must be removed in order to overcome these identified weaknesses.
- Review applicable laws or regulations to determine if any of them prevent necessary changes from being made in the accounts payable process.

Determine the effect
- Compare actual process to a recommended alternative process(es) and determine if each weakness in the department process is material. Materiality can be measured by comparing the rand cost, impact on economy, risks, etc. of the actual process to the recommended alternative process(es). Measurements can be quantitative, qualitative, or both.
- Identify benchmarks (industry standards, historical internal data, other comparable departments, etc.) for the process in question and compare to actual performance. Measure the difference, if possible. Include cost of additional controls or changes in process.

Determine the effect
- Estimate cost of the actual process and alternative process(es) and compare.
- Estimate quantity and/or quality of services provided by the actual process and by alternative process(es) and compare.
- Identify risks associated with the actual process and with alternative process(es). Measure and compare the risks.

Develop recommendations
- Develop specific recommendations to correct weaknesses identified as material. In developing recommendations, consider tailored criteria, kind of process and control weaknesses identified, causes and barriers, effects, and additional resources.
- Solicit solutions and recommendations from the client.
- Identify alternative solutions used by other business units.
- Identify solutions for removing barriers.
- Provide general guidelines as to objectives each solution should meet; then the department can tailor the solution to its specific situation.
- Provide specific information, if available, on how each recommendation can be implemented.

Cause – directs recommendation (impact x likelihood)
Root cause of the finding:
- What was the inherent risk?
- Did management agree?
- Root cause? Lack of budget/staff/skills?
- Inadequate detection
- Inadequate management information systems
- Lack of responsibility and accountability
- Infrastructure

Effect (impact x likelihood)
- What is the effect?
- How will it be changed?
- How will it be monitored?
- Does it reduce accountability?

Recommendation
Recommendation = responsibility
Recommendation – teamwork:
- Real time/online detection focused
- Reduce risk
- Change likelihood/root cause
- Reduce effect/impact
- Enhance effectiveness, efficiency and economic use of resources
- Assign responsibility

Management comment
- Accept recommendation
- Accept the risk

Speaker notes: An Australian study indicated that on average, 10% of people will never steal, whilst 10% of people will always steal. The majority of us are influenced by the stronger of the two 10%'s. The issue forms the backbone of the principles of values and conformance, which I will return to later. One challenge to internal auditors today is the fact that crime pays! And the penalty for those crimes seems to be manageable, as any other risk in normal business activities.

Audit report - recommendation
- Inadequate: recommend new control that changes the effect/residual risk; measure change
- Inefficient: difference between basic control and best practice; measure change
- Ineffective: non-compliance; cause; disciplinary action; cost and benefit

Audit report
- Criteria
- Condition
- Cause and effect
- Recommendation – how to fix it: what? when? who?
- Management comment – accept? what? when? who?

Audit report - process
- Finding worksheet (effectiveness – IA; adequacy – AD)
- Review by AD
- Benchmark and review by DD
- Final draft audit report
- Auditee comments
- Final audit report
- Quality control

Audit opinion
The prevention controls that ensure R – reliability and integrity of information – are adequate and effective.


Audit opinion - adequacy & efficiency

Controls are:        Efficient   Inefficient
Adequate             1           2
Partially adequate   3           4
Inadequate           N/A         5/6

Audit report
- Title of the finding
- Root cause analysis: criteria, condition, cause, effect
- Recommendation (include in job descriptions! responsibility, accountability)
- Management comment – accept the recommendation or accept the risk!

Follow up audit
- Audit scope and objectives
- Document system (POF)
- Identify weaknesses
- No compliance work
- Recommendations
- Adequate controls / inadequate opinion
- Likelihood assessment
- Effectiveness audit – ADD VALUE

Follow up
1. Identify the scope for the follow-up audit
2. Select the sample size and items to be tested
3. Execute the audit work
4. Develop informal queries and discuss with the client
5. Report to management