Jean-Pierre Garitte Skopje 8 April 2019 PEM PAL IA COP Audit in Practice Working Group Introduction to the field work Jean-Pierre Garitte Skopje 8 April 2019
Agenda Part 1: Review on where we are Part 2: The components of the field work Part 3: Reference to the ISPPIA Part 4: How does field work connect to our planning?
Agenda Part 1: Review on where we are Part 2: The components of the field work Part 3: Reference to the ISPPIA Part 4: How does field work connect to our planning?
1 2 3 4 5 6 Audit cycle is a rather generic process Planning Execution Preliminary Survey Fieldwork Reporting Action Plan (includes quality satisfaction) Follow-Up Planning Execution Reporting Rule of thumb: 20% for planning and preliminary survey (1, 2) 60% for fieldwork (3) 20% for reporting (4)
1 2 3 4 5 6 Planning Scheduling of the engagement Preliminary Survey Fieldwork Reporting Action Plan Follow-up Scheduling of the engagement Announcement of the engagement Opening meeting
1 2 3 4 5 6 Preliminary Survey Desk review Risk (re-)assessment Planning Preliminary Survey Fieldwork Reporting Action Plan Follow-Up Desk review Risk (re-)assessment Engagement planning memorandum Preparation of audit program Kick-off meeting with auditee
Agenda Part 1: Review on where we are Part 2: The components of the field work Part 3: Reference to the ISPPIA Part 4: How does field work connect to our planning?
1 2 3 4 5 6 Fieldwork Detailed review of internal control system Planning Preliminary Survey Fieldwork Reporting Action Plan Follow-Up Detailed review of internal control system Test of control design Test of operating effectiveness Formalising observations Validation meeting
Activities Processes under review Management’s Objectives Fieldwork Detailed review of the internal control system Reviewing the activities, processes, management's objectives, risks, and internal controls Are we responding to risk in the right way? Are these being achieved? Activities Processes under review Management’s Objectives Risks What is the internal control system? Risk Response Are these being managed? Effective? Mitigating Controls
Activities Processes under review Management’s Objectives The Fieldwork – Step A A Detailed review of the Internal Control System Review of the activities, processes, objectives of management, risks and internal controls Activities Processes under review Management’s Objectives Risks Risk Response Internal Controls Take into account the control framework.
Assessment of Internal Controls The Fieldwork – Step B B Test of Design adequacy Are the internal controls adequate to mitigate the risks? Assessment of Internal Controls Finding Strong Control ? No E E E Yes C C Auditors will identify strengths to be tested (in D) C = Analysis of strengths and weaknesses E = Observation form
Confirmed Strong Internal Control The Fieldwork – Step D D Tests of Implementation effectiveness Do the internal controls work effectively as they are designed? C Finding E E Tests of Detail Confirmed Strong Internal Control May be recorded in Audit Report Applied in practice ? No Yes
The Fieldwork – Step F F Validation meeting A formal validation meeting with the auditee (normally at Management level for the process being audited) is organised no later than xxx days/weeks following the end of the fieldwork. The aim is to reach, during the formal validation meeting, an agreement, at the appropriate hierarchical level, on the facts, which will not be reopened or questioned again in the reporting stages of the audit. It is not a conclusion but an opportunity and should allow for the necessary understanding in order to prepare the report and the final conclusions.
The reasoning behind a recommendation Criteria What should exist - The standards, measures, or expectations used in making an evaluation and/or verification Condition What does exist - The factual evidence that the auditor found in the course of the examination Cause (Root) Why the difference exists - The (real) reason for the difference between the expected and actual conditions Consequence (Effect) The impact of the difference - The risk or exposure the organisation and/or others encounter because the condition is not consistent with the criteria Recommendation What, Who and When ? - Action linked to responsible, date/timing, priority, and severity Management Response Yes, agree / Yes, but alternative / No, disagree
Agenda Part 1: Review on where we are Part 2: The components of the field work Part 3: Reference to the ISPPIA Part 4: How does field work connect to our planning?
2300 – Engagement Performance ISPPIA 2300 2300 – Engagement Performance 2201 – Identifying Information 2210 – Analysis and Evaluation 2220 – Recording Information 2230 – Engagement Supervision
Standard 2300 – Performing the engagement “Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement’s objectives.”
Standard 2310 – Identifying information “Internal auditors must identify sufficient, reliable, relevant and useful information to achieve the engagement’s objectives.” Interpretation: Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor. Reliable information is the best attainable information through the use of appropriate engagement techniques. Relevant information supports engagement observations and recommendations and is consistent with the objectives for the engagement. Useful information helps the organization meet its goals.
Standard 2320 – Analysis and Evaluation “Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.”
Standard 2330 – Documenting Information “Internal auditors must document sufficient, reliable, relevant, and useful information to support the engagement results and conclusions.”
Standard 2340 – Engagement supervision “Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.” Interpretation: The extent of supervision required will depend on the proficiency and experience of internal auditors and the complexity of the engagement. The chief audit executive has overall responsibility for supervising the engagement, whether performed by or for the internal audit activity, but may designate appropriately experienced members of the internal audit activity to perform the review. Appropriate evidence of supervision is documented and retained.
Agenda Part 1: Review on where we are Part 2: The components of the field work Part 3: Reference to the ISPPIA Part 4: How does field work connect to our planning?
Risk / control matrix (1)
Risk / control matrix (2) Name of (sub)process Inherent risk(s) to (sub)process Risk rating Expected mitigating controls Tests of control design Conclusion on control adequacy Tests of control implementation Conclusion on control effectiveness Overall conclusion
Field work (1) Develop necessary steps to assess the design of controls Execute the steps to assess the design of controls Discuss the observations on the design of controls with auditees Conclude on the adequacy of controls Submit working papers for review
Field work (2) Develop tests to assess the effective implementation of controls Execute the tests to assess the effectiveness of controls Discuss the observations resulting from the tests of controls with auditees Conclude on the effectiveness of controls Submit working papers for review
Field work (3) Prepare overall conclusions with regard to adequacy and effectiveness of controls Submit working papers for review
Questions & Answers