Operational Auditing--Fall Establishing an I/A Function n Reporting structure n Mission statement/ role of dept. n Objectives n Department tone--teamwork n IIA standards n Commitment to continuing education
Operational Auditing--Fall Human Relations Issues n General people techniques n Due professional care n Hostile management approaches n Dealing with external auditors n Participative approach w/auditees
Operational Auditing--Fall General People Techniques n Promote the “wanna” n Foster feedback n Adopt a consultative approach n Use the “Will Rogers’ Approach”
Operational Auditing--Fall …Due Professional Care n Be fair but don’t whitewash n Avoid surprises n Go for the win-win n Have the guts to go to the top
Operational Auditing--Fall Hostile Management Approaches n Select the right time for discussion n Remain flexible in your conclusions n Avoid emotion; sometimes even logic won’t work n Don’t corner yourself or the other party n Listen to the other party n Help the other guy “to be right”
Operational Auditing--Fall Dealing with the External Auditors n Different objectives n Different accountability n Different qualifications n Different activities
Operational Auditing--Fall Cooperation n Economy n Efficiency n Effectiveness n Advantages for the external auditor n Increases external auditor client insight n Improves client relations n Rotates emphasis n Advantages for the internal auditor n Improves training n Source of additional work n Increases professional knowledge n Independent appraisal source n Compliance with SAS 65 and SAS 99
Operational Auditing--Fall SAS 65 n Defines roles n Defines function n Discusses competency & objectivity n Considers nature of the work n Discusses coordination n Guidelines for evaluation n Role of direct assistance
Operational Auditing--Fall SAS 99 n Auditor’s responsibility to detect fraud
Operational Auditing--Fall Typical Int. Audit Assistance n Design of control systems n Reduction of risk assessment n Reduction of substantive testing
Operational Auditing--Fall Create a Cooperative Bridge n Coordination n Risk assessment alert n Control system disclosure n Common sampling tools n Pooled IT knowledge n Different perspective n Constant general communication
Operational Auditing--Fall Participative Approach n Joint goals n Consultation n Joint authority n Open discussion re: findings n Open review of reports
Operational Auditing--Fall COSO n Committee of Sponsoring Organizations n FEI, ACIPA, IMA, IIA and AAA n Sponsored the Treadway Commission in 1987 n Issued guidelines for Internal Control in 1992: COSO Cube n Issued guidelines for Enterprise Risk Management in 2004: COSO 2
Operational Auditing--Fall COSO Control Objectives n Economy & efficiency of operations n Reliable financial and operational data and reports n Compliance with laws and regulations
Operational Auditing--Fall Control Objectives n Reliability and integrity of info n Compliance n Safeguarding of assets n Economical & efficient use of assets n Organizational attainment of goals & objs.
Operational Auditing--Fall Types of Control n Preventive n Detective n Corrective n Directive n Compensating
Operational Auditing--Fall Methods of Control n Organizational n Operational n Personnel n Review n Facilities
Operational Auditing--Fall Threats to Control n Management override n Open access to assets n Form over substance approach n Conflict of interest
Operational Auditing--Fall COSO Approach to Achievement n Sound control environment n Sound risk assessment process n Sound operational control activities n Are the processes working n Sound info & communications system n Effective monitoring
Operational Auditing--Fall Control Environment n Culture of integrity, ethics and competence n Overall mgt. philosophy n Proper authority & responsibility n Proper organization of resources n Proper training and development n Senior mgt. attention & direction
Operational Auditing--Fall Internal Audit Process n Auditee selection n Audit planning n Preliminary survey n Internal control review n Expanded testing n Develop findings & recommendations n Reporting n Follow-up n Post audit evaluation
Operational Auditing--Fall Control Self Assessment (CSA) n Methodology n Review and Identification n Key business objectives n Related risks n Mitigating controls
Operational Auditing--Fall CSA-History n Introduced by Gulf Canada in 1987 n Gulf used facilitated meetings
Operational Auditing--Fall Facilitated Meetings n Management and staff participate through interviews and polling n Objectives n Risks n Processes n Soft and/or informal controls
Operational Auditing--Fall General Methodology n Shared process n Assessment of internal controls n Evaluation of risks n Development of action plans n Assess the likelihood of achieving objectives n SJSU simulation
Operational Auditing--Fall General Approaches n Facilitated meetings--group workshops n Questionnaires--yes/no answers n Management analysis--self studies
Operational Auditing--Fall Uses n Self analysis for risk* n Selection of audit areas* n Internal control review* n Special projects n Soft control analysis * alternatives to the traditional approach to the I/A process
Operational Auditing--Fall Benefits n Increases I/A scope n Target review of high risk areas n Increases the effectiveness of corrective action n Builds team-oriented relationships
Operational Auditing--Fall What Is Storyboard Flowcharting? n New method for documenting a process. n Clean and simple flowcharting method. n Allows for clients and auditors to clearly understand process under review. n Simple technique that requires a good graphics package and a little imagination. n Can use Microsoft PowerPoint, Harvard Graphics, Corel Draw, etc. n Does not replace IS flowcharting.
Operational Auditing--Fall The Basics of Storyboard n Meet with client and document process. n Use your imagination to choose/draw picture. n Under picture write narrative for each step represented. n Be creative - good control narrative in green; poor controls in red. n Completed storyboard must be reviewed with client. n Make any changes necessary. n Final copy should be in color for most effective presentation. n Different process may require different approach.
Operational Auditing--Fall How to Storyboard Meet with client and document process. From client interview create storyboard. A A Print out story board - black and white draft and color for final. Review storyboard with client and obtain sign off.
Operational Auditing--Fall Start Customer Service Rep Receives Order Scan Form Into System Shipping Files Yellow Customer Service Rep Researches And Corrects Information Shipping Pulls And Packs Orders End By Phone? By Mail or Fax? On Standard Order Form? Shipping Sends Order and Green Copy (Invoice) Customer Service Rep. Key Enters Data on-Line Approved By Manager? Send to Special Order Department Print Three-Part Shipper Yellow and Green To Shipping Department Pink to Accounts Receivable Department YES NO YES Company XYZ Order-fulfillment process NO
Operational Auditing--Fall A A Customer Representative Receives orders by fax or mail. Receives orders by phone. Standard orders are scanned into system. Customer Representative enters order data on-line. A three-part packing slip is printed per order. Pink copy sent to accounts receivable department. Company XYZ Order-fulfillment process Packing slip approved by Manager. If not approved, returned to Customer Representative for correction Packing slip Yellow and green copy go to shipping department. Shipping pulls and packs orders. Yellow copy filed in shipping department. Green copy sent with order.
Operational Auditing--Fall Flowcharting Begin or End File Decide Document Activity
Operational Auditing--Fall Work Paper Purposes n Documentation of evidence n Audit execution and planning tool n Follow-up reference n Review facilitator
Operational Auditing--Fall Other W/P Factors n Ownership: the company n Preparation guidelines n Completeness & accuracy n Clarity & understandability n Legibility & neatness n Relevance n Attention to detail
Operational Auditing--Fall Sample Work Paper Heading Ref. Review T/M Legend: Source Purpose: Conclusions