Risk based audit methodology


1 Risk based audit methodology

2 Feedback from IIA training
Compliance auditing …. and some more compliance auditing
Consistent findings … same as last year
Or the same as last time
With the same result

3 Client indicators
Policemen image – newspaper exposure = forensic auditing
Cost versus benefit questions
Lack of funding and resources for IA limiting effectiveness, ensuring compliance at a minimum cost

4 Government indicators
+/- 48% of local authorities are being mismanaged
Section 100 take-overs
Disciplining and terminating performance contracts of senior management for not delivering services
Government statements relating to values and ethics
Funds will be shifted from poorly managed to effective institutions

5 Audit Committees
Report annually on:
Effectiveness of internal control
Quality of management and financial reports
Evaluation of financial statements
Chairperson independent
Majority outside department

6 Internal audit (IIA)
Independent, objective assurance and consulting activity
Add value, improve operations
Evaluate and improve the effectiveness of risk management, control and governance processes.
22/11/2018

7 PFMA/MFMA
Internal Audit must be conducted in accordance with the standards set by the IIA
IA must assist in achieving the objectives by evaluating and improving the process through which:
Objectives and values are established and communicated
Accomplishment of objectives is monitored
Accountability is ensured
Corporate values are preserved.

8 Objective setting
Control environment
Strategic – high-level goals, aligned with and supporting the entity’s mission/vision
Operational – effectiveness/efficiency of operations, performance and service delivery goals
Reporting – effectiveness of internal/external reporting, financial or non-financial
Compliance – compliance with applicable laws and regulations
Safeguarding of assets – prevention/timely detection

Within the context of the established mission or vision, management establishes strategic objectives, selects strategy and establishes related objectives, cascading through the enterprise and aligned with and linked to the strategy. Objectives must exist before management can identify events potentially affecting their achievement. Enterprise risk management ensures that management has a process in place to both set objectives and align the objectives with the entity’s mission/vision, and that they are consistent with the entity’s risk appetite.

Entity objectives can be viewed in the context of four categories:
Strategic – relating to high-level goals, aligned with and supporting the entity’s mission/vision.
Operations – relating to effectiveness and efficiency of the entity's operations, including performance and profitability goals. They vary based on management's choices about structure and performance.
Reporting – relating to the effectiveness of the entity’s reporting. They include internal and external reporting and may involve financial or non-financial information.
Compliance – relating to the entity's compliance with applicable laws and regulations.

This categorization of entity objectives allows management and the board to focus on separate aspects of enterprise risk management. These distinct but overlapping categories – a particular objective can fall under more than one category – address different entity needs and may be the direct responsibility of different executives. This categorization also allows distinguishing between what can be expected from each category of objectives.

Some entities use another category of objectives, “safeguarding of resources,” sometimes referred to as “safeguarding of assets.” Viewed broadly, these deal with prevention of loss of an entity’s assets or resources, whether through theft, waste, inefficiency or what turns out to be simply bad business decisions – such as selling product at too low a price, failing to retain key employees or prevent patent infringement, or incurring unforeseen liabilities. This broad-based safeguarding of assets category may be narrowed for certain reporting purposes, where the safeguarding concept applies only to the prevention or timely detection of unauthorized acquisition, use, or disposition of the entity’s assets.

9 COSO – all five components must be present and functioning before a control system can be effective
Control environment
Safeguard assets
Compliance with laws, regulations, contracts
Reliability and integrity of information
Economy, effectiveness and efficiency
Risk assessment
Information and communication
Control activity - prevention
Monitoring activities - detection

10 IIA versus COSO
IIA: Governance, Risk, Control
COSO: Control environment, Information/Communication, Risk management, Control activities, Monitoring

11 Governance process
Risk – Objective – Process
Legal mandate: laws and regulations (part of control environment, COSO)
Strategic/operational plans (SMART/CQQT)

12 Control environment
Control environment = foundation for all other components of internal control
Integrity, ethical values, competence of management & employees
Management's philosophy & operating style
Departmental structure, CQQT, staff and employee development programs, its process for delegating authority & responsibility

13 Integrity and ethical values
Executive authority
Legal mandate = entity wide objectives = strategic plans = business plans = job descriptions and performance agreements
Effective communication to all employees
Control environment – integrity and ethical values:
No dealings with others not demonstrating appropriate level of commitment to integrity
Ethical tone at the top, properly communicated downwards
Formal code of conduct: ethical standards, acceptable operational practices, conflict of interest

14 SMART Specific Measurable Achievable Relevant Timely

15 Commitment to competence
Job descriptions & performance agreements define tasks
Adequate analysis of knowledge and skills needed
Adequate training program

16 Accomplishment of goals monitored
Key performance objectives
Key performance indicators
Management information
Exception reports
Responsibility assigned

17 Accountability
Appropriate structure
Responsibility assigned
Delegation of authority consistent with assignment of responsibility
Who is driving accountability?
Disciplinary processes consistent

18 Human resource policies
Hire qualified staff
Ethical appointments with background checks

19 Oversight groups
Mechanism to monitor and review operations and programs
Independent oversight

20 Values preserved
Appropriate disciplinary action
Management action to address intervention/overriding of control
Management action to remove unethical behavior

21 CQQT
Cost: standard costing, net present value, breakeven analysis
Quantity: economic order quantities
Quality: right quality at the right price
Timelines

22 Other benefits
Responsibility
Quantify losses: recovery of revenue from private sector patients, recovery of revenue from road accident fund

23 Economic order quantities

24 Economic order quantities
Useful to establish the optimal frequency and quantity which should be ordered for each stock item
Formulas are built into LOGIS
Based on: cost per unit, delivery times, cost of ordering

25 EOQ – practical use
Reorder levels
Safety levels

26 Quantities and price
Maximum stock levels
Minimum stock levels
Reorder levels

27 Governance process
Risk – Objective – Process
Laws/regs
Strategic/operational plans (SMART/CQQT)
Key measurable objectives and indicators
Capability – finance & human
Responsibility/accountability

28 Control environment
Executive authority
Integrity and ethical values
Commitment to competence: job descriptions & performance agreements define tasks; adequate analysis of knowledge and skills needed; adequate training program
Hire qualified staff; ethical appointments with background checks
Authority and responsibility: appropriate structure; responsibility assigned; delegation of authority consistent with assignment of responsibility; disciplinary processes consistent

Commitment to Competence. Competence reflects the knowledge and skills needed to perform assigned tasks. Management decides how well these tasks need to be accomplished, weighing the entity's strategy and objectives against plans for strategy implementation and achievement of the objectives. A trade-off often exists between competence and cost – it is not necessary, for instance, to hire an electrical engineer to change a light bulb. Management specifies the competency levels for particular jobs and translates those levels into requisite knowledge and skills. The necessary knowledge and skills in turn may depend on individuals' intelligence, training and experience. Factors considered in developing knowledge and skill levels include the nature and degree of judgment to be applied to a specific job. Often a trade-off can be made between the extent of supervision and the requisite competence level of the individual.

29 Budget and HR
Budget: operational budget, capital budget – R640bn unspent
Human resources: warm bodies – vacant posts in government; skills – 1 million people left the country since 1994

30 Become a KMI specialist
Management do not know where things go wrong:
Medicine theft
Student bursaries
School books not delivered
Inefficient use of ambulances, police vehicles
Invalid qualifications

31 KMO and KMI
KMO: to ensure efficient asset management
KMI: up to date asset registers

32 Governance process
Risk – Objective – Process
Laws/regs
Strategic/operational plans (SMART/CQQT)
Key measurable objectives and indicators
Performance measurement
Performance agreements/job descriptions
Capability – finance & human
Responsibility/accountability

33 Control environment
Executive authority
Integrity and ethical values
Commitment to competence
Authority and responsibility
Monitoring of objectives: key performance objectives, key performance indicators, management information, exception reports, responsibility assigned

Management's Philosophy and Operating Style. Management's philosophy and operating style affect the way the enterprise is managed, including the kinds of risks accepted. A company that has been successful accepting significant risks may have a different outlook on enterprise risk management than one that has faced harsh economic or regulatory consequences as a result of venturing into dangerous territory. An informally managed company may control operations largely by face-to-face contact with key managers. A more formally managed one may rely more on written policies, standards of behavior, performance indicators and exception reports. Other elements of management's philosophy and operating style include preference for conservative or aggressive accounting principles, conscientiousness and conservatism with which accounting estimates are developed, and attitudes toward financial reporting, information technology, business processes and personnel. The attitude and daily operating style of top management affect the extent to which actions are aligned with risk philosophy and appetite. For example, an undisciplined operating style often is associated with – and might encourage – an appetite for high risk. An effective environment does not require that risks be avoided; rather it reinforces the need to be knowledgeable about the risks associated with strategic choices and the entity’s operating environment, both internal and external. An effective environment encourages people to pursue business opportunities that align with the entity’s risk appetite.

Organizational Structure. An entity’s organizational structure provides the framework to plan, execute, control and monitor its activities. A relevant organizational structure includes defining key areas of authority and responsibility and establishing appropriate lines of reporting. For example, an internal audit function should be structured in a manner that achieves organizational objectivity and permits full and unrestricted access to top management and the audit committee of the board, and the chief audit executive should report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. An entity develops an organizational structure suited to its needs. Some are centralized, others decentralized. Some have direct reporting relationships, others are more of a matrix organization. Some entities are organized by industry or product line, by geographical location or by a particular distribution or marketing network. Other entities, including many state and local governmental units and not-for-profit institutions, are organized by function. The appropriateness of an entity's organizational structure depends, in part, on its size and the nature of its activities. A highly structured organization with formal reporting lines and responsibilities may be appropriate for a large entity that has numerous operating divisions, including foreign operations. However, such a structure could impede the necessary flow of information in a small entity. Whatever the structure, an entity should be organized to enable effective enterprise risk management, and to carry out its activities so as to achieve its objectives.

34 Governance process
Risk – Objective – Process
Laws/regs
Strategic/operational plans (SMART/CQQT)
Key measurable objectives and indicators
Performance measurement
Performance agreements/job descriptions
Management info
Exception reports
Capability – finance & human
Responsibility/accountability

35 COSO versus IIA
IIA: GP (governance process), RA (risk assessment), CP (control process)
COSO: CE (control environment), RA (risk assessment), IC (information and communication), CA (control activities – preventative), M (monitoring – detective)

36 Performance Measures

37 Power of measuring results (FMPPI – p1)
If you do not measure results, you cannot tell success from failure
If you cannot see success, you cannot reward it
If you cannot reward success, you are probably rewarding failure
If you cannot see success, you cannot learn from it
If you cannot recognise failure, you cannot correct it
If you can demonstrate results, you can win public support

38 Planning, budgeting and reporting (FMPPI - p4)
Oversight
Policy development – identify desired impacts
Strategic planning – specify performance indicators
Operational planning and in-year reporting – set targets and allocate resources; monitor and take corrective action
End-year reporting – assess and adjust

39 Key Performance Concepts (FMPPI – p6)
Inputs – what we use to do the work
Activities – what we do
Outputs – what we produce or deliver
Outcomes – what we wish to achieve
Impacts – results of achieving specific outcomes

40 Key Performance Information Concepts (FMPPI – p6)

41 Performance indicators (FMPPI – p7)
Key Performance Information Indicators:
Reliable
Well defined
Verifiable
Cost effective
Appropriate
Relevant

42 Indicators of Economy, Efficiency, Effectiveness and Equity (FMPPI – p7)

43 Types of indicators (FMPPI – p8)
Cost or price indicators
Distribution indicators
Quantity indicators
Quality indicators
Dates and time frame indicators
Adequacy indicators
Accessibility indicators

44 Specific focus (FMPPI – p8 & 9)
Economy indicators – cost/benefit
Efficiency indicators – minimum input, maximum output
Effectiveness indicators – achieving the goals and objectives
Equity indicators – services provided impartially, fairly and equitably

45 Performance targets (FMPPI – pp9 & 10)
Baselines
Performance targets
Performance standards
Criteria: Specific, Measurable, Achievable, Relevant, Time-bound

46 Developing Performance Indicators (FMPPI – p11 & 12)
Step 1: Agree on what you are aiming to achieve
Step 2: Specify the outputs, activities and inputs
Step 3: Select the most important indicators
Step 4: Select realistic performance targets
Step 5: Determine the process and format of reporting performance
Step 6: Establish processes and mechanisms to facilitate corrective action

47 Managing Performance Information (FMPPI – p13)
Responsibilities:
- Executive authorities
- Accounting officers
- Line managers and other officials

48 Integrated Performance Information Structures (FMPPI – p13)
Well designed documentation
Appropriate capacity to manage performance information
Appropriate systems to collect, verify and store information
Consultation process to include all needs
Process to ensure information is used for planning, budgeting and management
Processes to ensure responsibility is assigned
Identified set of performance indicators for oversight

49 Reporting (FMPPI – p15 & 16)
Accountability reports
Information to facilitate oversight
Public access to information

50 Values are preserved
Appropriate disciplinary action
Management action to address intervention/overriding of control
Management action to remove unethical behavior

51 PFMA
AO must facilitate risk assessment to identify material risks and to evaluate the strategy for managing these risks
IA must assist in maintaining effective controls, evaluating effectiveness and efficiency and developing recommendations for improvement.

52 Understand risk management
Underlying premise – every entity exists to provide value for its stakeholders.
All entities face uncertainty. Challenge for management – determine how much uncertainty is acceptable as it strives to grow stakeholder value.
Uncertainty presents both risk and opportunity, with the potential to erode or enhance value.
(Risk map: impact versus likelihood)

53 Risk assessment – audit report
Risk assessment: impact x likelihood
2 week audit
Audit report: Criteria, Condition, Cause, Effect, Recommendation
Management comment: I agree with finding, will implement recommendation – Yes/No; I accept the risk – Yes, Reasons: 1. 2. 3.

54 Sample sizes
Express opinion on adequacy and effectiveness
Sample size 30 transactions
Select 1, first one is wrong, do I have to do the other 29??

55 Sample sizes - automated
One is enough
System must perform consistently!!

56 Sample size – Old lady
People make mistakes! One is not enough
Determine after how many mistakes your audit opinion will be changed from adequate and effective to adequate, but ineffective. That number is enough!!
If the same root cause is causing repetitive instances of non-compliance, one is enough!!

57 International standard
Select 30 transactions – USA and Eskom
Some departments select 25 – banks, muni’s

58 Risk assessment Management should identify and analyze the risks of achieving its objectives and determine how to manage risks that may result from internal and external sources, such as changes in economic, industry, regulatory, and operating conditions.

59 Risks
Inherent risks
Control risks

60 Inherent Risk – risk of not achieving objectives
Strategic risk
Risk – Objective – Process
Inherent risk – before the assessment of any controls

61 Dept of Education
68% pass rate versus national average of 80%
Transport
Teachers – qualifications and absenteeism
LSM
Infrastructure

62 Management agenda
Items on inherent risk assessment should be on management agendas
Also on Internal audit plans

63 Risk & recommendations
Risk = impact x likelihood
Effect – reasons for a high impact – focus: audit objectives, fieldwork, recommendations
Root cause – reasons for high likelihood – focus: audit objectives, fieldwork, recommendations

64 Risk management in stock control – ABC inventory management

65 ABC inventory management
Line items graded based on quantities kept
A-items – high monetary value, not high quantities; tightly controlled and monitored – never stock-outs on A items
B-items – lower monetary value and quantities; require less control and monitoring; stock is kept on hand
C-items – only ordered when requested by clients

66 ABC inventory management
Determine the average investment in each item
Express as a percentage of the total value of inventory
Classify in groups

67 ABC - example
Item code   Average investment   % average units   ABC system
1           1 700                21.3%             A
2           270                  3.4%              C
3           1 440                18.1%
4           720                  9.0%              B
5           3 300                41.4%
6           540                  6.8%
Totals      7 970                100%
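The grading steps on the two slides above, as an added Python example (not from the original slides): it takes the six items of the example table, expresses each item's average investment as a share of the total and grades the items by cumulative share, ranked from the highest value down. The cumulative cut-offs (an item is an A-item while less than 80% of value has been accounted for by higher-ranked items, a B-item while less than 95%) are an assumption the slides do not state; with them the code reproduces the A, C and B gradings shown for items 1, 2 and 4.

```python
"""ABC inventory classification by cumulative share of average investment.

Added example, not part of the original slides. Item codes and average
investment figures are the six items of the slide's example table; the
cumulative cut-offs are an assumption.
"""
from typing import Dict, List, Tuple

# Item code -> average investment (figures from the slide example)
ITEMS: Dict[int, float] = {1: 1700, 2: 270, 3: 1440, 4: 720, 5: 3300, 6: 540}

# Assumed cut-offs on the share of value already accounted for by
# higher-ranked items: A while below 80%, B while below 95%, otherwise C.
A_CUTOFF = 0.80
B_CUTOFF = 0.95


def investment_share(items: Dict[int, float]) -> Dict[int, float]:
    """Slide 66, step 2: each item's average investment as a percentage of
    the total value of inventory, rounded to one decimal as on the slide."""
    total = sum(items.values())
    if total <= 0:
        raise ValueError("total inventory value must be positive")
    return {code: round(100.0 * value / total, 1) for code, value in items.items()}


def classify_abc(items: Dict[int, float]) -> Dict[int, str]:
    """Slide 66, step 3: rank items by value (largest first) and grade each
    one by the cumulative share of value reached before it is added.

    A-items (few, high value) get tight control and must never stock out;
    C-items (many, low value) are only ordered on request (slide 65)."""
    total = sum(items.values())
    ranked = sorted(items.items(), key=lambda kv: kv[1], reverse=True)
    grades: Dict[int, str] = {}
    cumulative = 0.0
    for code, value in ranked:
        if cumulative < A_CUTOFF:
            grades[code] = "A"
        elif cumulative < B_CUTOFF:
            grades[code] = "B"
        else:
            grades[code] = "C"
        cumulative += value / total
    return grades


def abc_table(items: Dict[int, float]) -> List[Tuple[int, float, float, str]]:
    """Rows of (item code, average investment, % of total, grade) in item
    code order, i.e. the slide's table with the ABC column filled in."""
    shares = investment_share(items)
    grades = classify_abc(items)
    return [(code, items[code], shares[code], grades[code]) for code in sorted(items)]


if __name__ == "__main__":
    for code, value, share, grade in abc_table(ITEMS):
        print(f"{code:>4} {value:>8.0f} {share:>6.1f}% {grade}")
```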

68 risk index = severity X likelihood
Severity \ Likelihood    1    2    3    4    5
5                        5   10   15   20   25
4                        4    8   12   16   20
3                        3    6    9   12   15
2                        2    4    6    8   10
1                        1    2    3    4    5

69 Risk management strategy
The risk index grid (severity x likelihood, values 1 to 25) is divided into two zones: unacceptable risks (high index) and acceptable risks (low index).

70 Control to minimize risks
Objective – Process – Control
Inherent risk → residual risk
Residual risk – after the assessment of any controls

71 Control activities Management develops policies & procedures to ensure that directives are followed & that necessary actions are taken to address risks that would impede achieving its objectives. Control activities include authorization, verification, reconciliation, review of operating performance, security of assets, & segregation of duties.

72 Control activities
Safeguarding of assets
Compliance with laws, regulations, contracts
Accomplishment of objectives
Economy, efficiency and effectiveness
Reliability and integrity of information

73 Internal control as per traditional IIA definition

74 Definition of internal control
Document your definition of internal control. What does it include?

75 Internal control - SCARE
Safeguarding of assets
Compliance with laws, regulations and contracts
Accomplishment of objectives
Reliability and integrity of information
Economy, efficiency and effectiveness

76 Safeguarding of assets
Physical safeguards
Access control
Segregation of duties

77 Compliance
Laws and regulations
Policies and procedures
Contractual obligations

78 Accomplishment of objectives
Strategic plans
Operational plans
Key measurable objectives
Key measurable indicators
Management information
Exception reporting

79 Reliability and integrity of information
Validity
Accuracy
Completeness
Timeliness

80 3 x E’s Economy Effectiveness Efficiency

81 Monitoring
Management monitors the internal control structure through ongoing monitoring activities and through separate evaluations.
Scope/sequence of separate evaluations depend on the assessment of risks and the effectiveness of ongoing monitoring procedures.
Internal control deficiencies are reported upstream; serious matters are reported to management / Cabinet.

82 Detection controls
We are drowning in information, but starved of knowledge.
We receive unfiltered information.
Detection not a priority

83 Control risk assessment
Remember SCARE???
Safeguarding of assets
Compliance with laws …..
Accomplishment of objectives
Reliability and integrity of information
Economy, effectiveness and efficiency

84 Control risk - S
Inadequate/ineffective physical safeguarding
Inadequate/ineffective access control
Inadequate/ineffective segregation of duties

85 Control risk - C
Non-compliance with laws and regulations
Non-compliance with policies and procedures
Non-compliance with contractual obligations

86 Control risk - A
Inadequate strategic plan
Inadequate operational plans
Inadequate/ineffective key measurable objectives
Inadequate/ineffective key measurable indicators
Inadequate/ineffective management information
Inadequate/ineffective exception reporting

87 Control risk - R
Inadequate/ineffective processes to prevent:
Invalid processing
Inaccurate processing
Incomplete processing
Untimely processing

88 Control risk - E
Ineffective processes
Inefficient processes
Uneconomic processes

89 Control risk assessment worksheet
Objective | Risk | I | L | A | Control | Type: Preventative/Detective | Nature: Manual/IT | CAA | CEA
S | Inadequate physical safeguards
S | Inadequate access control
S | Inadequate segregation of duties
C | Inadequate process to ensure compliance with laws/regs
C | Inadequate process to ensure compliance with contracts
R | Inaccurate …
R | Incomplete ….
R | Invalid/unauthorised ….
R | Untimely …..
E | Ineffective …..
E | Inefficient ….
E | Uneconomic ….

90 COSO – all five components must be present and functioning before a control system can be effective
Control environment
Safeguard assets
Compliance with laws, regulations, contracts
Reliability and integrity of information
Economy, effectiveness and efficiency
Risk assessment
Information and communication
Control activity - prevention
Monitoring activities - detection

91 Audit objectives
To evaluate the adequacy and effectiveness of the internal control systems that ensure S C R E

92 Audit objectives
To evaluate the adequacy and effectiveness of the internal control systems (choose prevention, detection or correction) that ensure S C R E

93 Audit objectives
To evaluate the adequacy and effectiveness of the prevention controls that ensure R – reliability and integrity of information

94 Audit objectives
To evaluate the adequacy and effectiveness of the controls that ensure R – reliability and integrity of the purchase order

95 Risks
Inaccurate purchase order
Incomplete purchase order
Unauthorized purchase order
Untimely purchase order

96 Inaccurate purchase orders
Preventative control Detection control

97 Unauthorized purchase orders
Preventative control Detection control

98 Untimely purchase orders
Preventative control Detection control

99 Inaccurate purchase orders
Preventative control Detection control

100 COSO – all five components must be present and functioning before a control system can be effective
Control environment
Safeguard assets
Compliance with laws, regulations, contracts
Reliability and integrity of information
Economy, effectiveness and efficiency
Risk assessment
Information and communication
Control activity - prevention
Monitoring activities - detection

101 Risk response
(Chart: likelihood 1–5 against severity; risk reduction moves a risk from its position before the control to its position after the control)

102 Control assessment
Objective – Process – Control
R > C: inadequate (risk exceeds control)
C > R: inefficient
C = R: adequate/effective
CoC > CoR: uneconomic (cost of control exceeds cost of risk)
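Slides 68 to 70 and 101 to 102 above, as an added Python example that is not from the original slides: the risk index as severity x likelihood on the 1 to 5 scales, the residual score after a control is applied, the acceptable/unacceptable zones, and the control assessment grading (R > C, C > R, C = R, CoC > CoR). The zone boundary (index above 9 is unacceptable), the way a control's strength is rated on the same 1 to 25 scale and the sample risk are assumptions.

```python
"""Risk index, residual risk and control assessment.

Added example, not part of the original slides. Scales and the R/C
comparison are taken from the slides; the acceptability boundary, the
control-strength rating and the sample risk are assumptions.
"""
from dataclasses import dataclass
from typing import List

SCALE = range(1, 6)        # severity and likelihood are both scored 1..5
UNACCEPTABLE_ABOVE = 9     # assumed boundary between the two zones of slide 69


def risk_index(severity: int, likelihood: int) -> int:
    """Slide 68: risk index = severity x likelihood."""
    if severity not in SCALE or likelihood not in SCALE:
        raise ValueError("severity and likelihood must be scored 1 to 5")
    return severity * likelihood


def risk_matrix() -> List[List[int]]:
    """The 5x5 grid of indices; rows are severity 5 down to 1, columns
    likelihood 1 to 5 (the layout of the slide's table)."""
    return [[risk_index(s, lk) for lk in SCALE] for s in reversed(SCALE)]


def is_acceptable(index: int) -> bool:
    """Slide 69: the grid is split into acceptable and unacceptable risks."""
    return index <= UNACCEPTABLE_ABOVE


@dataclass
class Risk:
    name: str
    severity: int              # impact if the event occurs, before any control
    likelihood: int
    # Effect of the control that addresses the risk, in scale points.
    # A preventative control mainly lowers likelihood; a detective or
    # corrective control mainly lowers severity by containing the effect.
    likelihood_reduction: int = 0
    severity_reduction: int = 0

    def inherent(self) -> int:
        """Slide 60: inherent risk, before the assessment of any controls."""
        return risk_index(self.severity, self.likelihood)

    def residual(self) -> int:
        """Slide 70: residual risk, after the controls are applied.
        Neither scale can drop below 1: a risk is reduced, not removed."""
        s = max(1, self.severity - self.severity_reduction)
        lk = max(1, self.likelihood - self.likelihood_reduction)
        return risk_index(s, lk)


def assess_control(risk_score: int, control_score: int,
                   cost_of_control: float, cost_of_risk: float) -> str:
    """Slide 102: compare the risk (R) with the control (C) addressing it.
    Both are rated on the 1..25 index scale (rating the control this way is
    an assumption). A control that costs more than the risk it covers is
    uneconomic whatever the match."""
    if cost_of_control > cost_of_risk:
        return "uneconomic"
    if risk_score > control_score:
        return "inadequate"
    if control_score > risk_score:
        return "inefficient"
    return "adequate/effective"


if __name__ == "__main__":
    # Constructed sample: an unauthorised change to the suppliers master file,
    # addressed by a preventative control (password to cell phone, slide 105).
    r = Risk("unauthorised supplier master file change", severity=4,
             likelihood=4, likelihood_reduction=2)
    print(r.name, "inherent", r.inherent(), "residual", r.residual(),
          "acceptable" if is_acceptable(r.residual()) else "unacceptable")
```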

103 Example

104 Practical exercise
Process overview flowchart
SCRE
Audit objective
Risk areas
Preventative and detection controls
Audit opinion

105 Suppliers master file changes
INPUT: phone call with password to cell phone; enter data; bank EDI
PROCESSING: application program
OUTPUT: suppliers master file; exception reports – number of changes, the change details to supplier; exception reports frequency

106 Purchases and payments
DOCUMENTATION: purchase order; goods received note, supplier delivery note, invoice; cheque payment / EFT requisition
INPUT: enter data
PROCESSING: application program; purchase transaction file; cash disbursement transaction file; general ledger transaction file; suppliers master file; accounts payable master file; general ledger master file
OUTPUT: cheque; general ledger summary; exception reports and KPI’s; purchase journal; remittance advice; disbursements journal

107 SCRE at each step
Purchase order – S C R E
Goods received note, supplier delivery note, invoice – S C R E
Enter data – S C R E
Application program – S C R E
Purchase transaction file – S C R E
Suppliers master file – S C R E

108 To evaluate the adequacy and effectiveness of the controls relating to reliability and integrity of:
Asset count forms
Asset removal forms
Capturing
Processing
Updating the fixed asset register

109 Focus per step
Purchase order – E
Goods received note, supplier delivery note, invoice – S
Enter data – S, R
Application program – R
Purchase transaction file – R
Suppliers master file – R

110 Lesotho objective
To verify the correctness of the requested amount of M15m
To check the adequacy of internal controls in place
To make recommendations based on the findings

111 Audit objective
To evaluate the adequacy and effectiveness of controls relating to:
Safeguarding of assets in the goods received area
Reliability and integrity of information in the: capturing phase; processing phase; updating the PTF; updating the SMF
Economic, effective and efficient use of resources in the ordering phase

112 Audit opinion
The controls relating to:
Safeguarding of assets in the goods received area
Reliability and integrity of information in the: capturing phase; processing phase; updating the PTF; updating the SMF
Economic, effective and efficient use of resources in the ordering phase
are adequate and effective

113 Audit objective
To evaluate the adequacy and effectiveness of controls relating to:
Safeguarding of assets (access control) – allocation of unique supplier profile passwords in the capturing phase
Reliability and integrity of information in the: capturing phase; processing phase; updating the SMF; exception reports (quantity and frequency); confirmations

114 Audit opinion
The controls relating to:
Safeguarding of assets (access control) – allocation of unique supplier profile passwords in the capturing phase; the availability of the suppliers file
Reliability and integrity of information in the: capturing phase; processing phase; updating the SMF; exception reports (quantity and frequency); confirmations
are adequate and effective

115 Risks – 22 in total
Inadequate physical safeguarding of assets / access control / segregation of duties [3]
Inaccurate capturing/processing, updating of PTF and SMF [4]
Incomplete capturing/processing, updating of PTF and SMF [4]
Invalid capturing/processing, updating of PTF and SMF [4]
Untimely capturing/processing, updating of PTF and SMF [4]
Uneconomic, ineffective, inefficient use of resources in the purchase order phase [3]

116 Two ways of auditing IT
Around the computer – IT auditing for non-IT auditors
Through the computer – IT specialist

117 Data capture controls
Data capture = manual procedure – covers initiation, approval, authorisation, review and preparation of documents for source transactions
User department function
Both batch and on-line entry systems
Designed to ensure reliability and integrity of data before data enter the computer application system

118 Data capture controls - risks
Accounting system:
Valid and completed source transactions may be omitted from data capture
Inaccurate source data
Inaccurate capturing/cut-off of source transactions
Inaccurate valuation/classification of source data
Invalid source transaction
Control procedures:
Valid and completed source transaction may be captured more than once
Errors may not be properly detected, corrected and resubmitted
Source transactions may be unauthorized
Source transaction may be lost

119 Types of controls Prevention Detection Correction

120 Prevention objectives
To ensure reliability and integrity of information (R)
To ensure proper safeguarding of assets (S)
To ensure reliable, accurate and complete, authorized, approved and secure source data
Application controls: user procedure manuals, source document design, pre-numbering, sound personnel practices, identification of preparer, evidence of approval, forms security – unused and document management, segregation of duties

121 User procedure manual
Written procedures – encourage consistent performance of data capture responsibilities
Include:
Guidelines for documentation preparation
Flow of documents within dept and to data processing
Schedules for data capturing and cut-off dates
Requirements for control over data prior to transmittal to data processing
Scope of management review and approval of work performed
Names of individuals authorized to review and approve documents
Identification of proper evidence of approval

122 Source document design
Use of special formats and preprinted data to ensure conformity of work performed to written procedures
Special formats = use of specific boxes for authorisation signatures, control totals, footing and cross-footing balances and retention dates
Preprinted data = include repetitive items such as form number and title, department responsibility, transaction code and product number
Conformity = completeness, accuracy and proper authorisation

123 Pre-numbering
Unique identification of transactions
Reduce likelihood that a transaction will be lost or omitted

124 Sound personnel practices
Ensure hiring of competent personnel
Continuing evaluation of individual performance
Periodic rotation of assignments
Required vacations
Bonding of key personnel

125 Identification of preparer
Identification provided by:
- Signature
- Initials
- Employee number
- Terminal entry: sign-on codes, logs of physical access to terminals
Increases the likelihood that segregation of duties is followed

126 Evidence of approval
- Authorized signatory
- If there is no source document, review and approval may be a subsequent review of the transaction source listing, or approval during data entry
- Authorized signature on the source listing = evidence of subsequent approval
- Terminal entry = approval code in the transaction record

127 Forms security
- Physical controls over forms
- Signatures for the release of forms for source document preparation
- Reduces the likelihood of unauthorized or invalid transactions

128 Segregation of duties
Four types of separation:
- Custody of assets from the data capture function
- Authorisation of transactions from custody of the related assets
- Functions of transaction authorisation and source document preparation
- Error correction from initiation and source document preparation
Reduces the likelihood of unintentional errors
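As an added illustration that is not part of the presentation, the four separations above can be written down as pairs of duties that must not sit with the same person and then checked mechanically against an access listing. The duty labels, role names and users below are constructed assumptions chosen to match the slide's wording; the check itself is what an access review would run over a real role-to-user export.

```python
"""Segregation-of-duties check over constructed user/role assignments.

Added illustration (not from the presentation): the four separations
the slide lists are encoded as duty pairs that must not be held by one
person, and every user's combined duties are checked against them.
All names below are constructed sample data.
"""
from itertools import combinations

# Duties in a source-data-capture process (labels are assumptions).
CUSTODY = "custody_of_assets"
CAPTURE = "data_capture"
AUTHORISE = "transaction_authorisation"
PREPARE = "source_document_preparation"
INITIATE = "transaction_initiation"
CORRECT = "error_correction"

# The four separations from the slide, expressed as conflicting pairs.
CONFLICTS = {
    frozenset({CUSTODY, CAPTURE}): "custody of assets vs data capture",
    frozenset({AUTHORISE, CUSTODY}): "authorisation vs custody of related assets",
    frozenset({AUTHORISE, PREPARE}): "authorisation vs source document preparation",
    frozenset({CORRECT, INITIATE}): "error correction vs initiation",
    frozenset({CORRECT, PREPARE}): "error correction vs source document preparation",
}

# Constructed sample: roles grant duties, users hold roles.
ROLE_DUTIES = {
    "stores_clerk": {CUSTODY},
    "capture_clerk": {CAPTURE, PREPARE},
    "supervisor": {AUTHORISE},
    "corrections": {CORRECT},
    "originator": {INITIATE, PREPARE},
}
USER_ROLES = {
    "alice": ["stores_clerk"],
    "bob": ["capture_clerk", "corrections"],   # prepares documents and corrects errors
    "carol": ["supervisor", "stores_clerk"],   # authorises and holds custody
    "dave": ["originator"],
}


def duties_for(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Union of the duties granted by every role the user holds."""
    duties = set()
    for role in user_roles.get(user, []):
        duties |= role_duties.get(role, set())
    return duties


def sod_violations(user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Return {user: [conflict description, ...]} for every user whose
    combined duties breach one of the four separations."""
    findings = {}
    for user in user_roles:
        duties = duties_for(user, user_roles, role_duties)
        hits = []
        for a, b in combinations(sorted(duties), 2):
            desc = CONFLICTS.get(frozenset({a, b}))
            if desc:
                hits.append(desc)
        if hits:
            findings[user] = sorted(hits)
    return findings


if __name__ == "__main__":
    for user, hits in sod_violations().items():
        print(f"{user}: " + "; ".join(hits))
```

Running it flags bob (prepares source documents and also corrects errors) and carol (authorises transactions and holds custody of the assets); alice and dave hold compatible duties. The same conflict table can be reused as a preventive check at the moment a role is about to be granted, which is where the slide's prevention objective sits.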

129 Detection objectives
To ensure that unreliable, improper, unauthorized, invalid or lost source data are detected
Application controls: batch controls, user review

130 Batch controls
- Batch number – keeps track of receipt or transmittal of batches
- Limiting the number of transactions in a batch – facilitates reconciliation when a batch is out of balance
- Control totals for the number of transactions, amounts and quantities in the batch – permit subsequent discovery of lost items or changed data, by reconciling the source data control totals with the output upon completion of processing
- Control totals are usually recorded manually by the user in a control log
- The log records time and place of batch transmittal and receipt – with an attached transmittal ticket – and controls the flow of data from one user to another

131 User review
Manual review performed by the user prior to transmittal of data.
Purpose = to check source documents, transmittal tickets and control logs for completeness, accuracy and conformity with department policy

132 Correction objectives
To ensure that unreliable, improper, unauthorized or invalid source data are, if appropriate, corrected and resubmitted for data capture
Application controls: error correction procedures, audit trail

133 Error correction procedures
Written error correction procedures should include:
- Description of common errors
- Correction procedures
- Directions for resubmitting transactions
Resubmitted source documents are reviewed for errors in the same way as documents after initial preparation.
An entry in the error log for each erroneous source document should include:
- Batch number
- Transaction number
- Cause of error
- Date of occurrence
- Date of correction and resubmission
- Initials of user personnel
Review of the log will show that errors have been corrected and resubmitted on a timely basis.
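The batch controls of slide 130, the pre-numbering of slide 123 and the error log on this slide can be shown working together. The following is an added example, not taken from the presentation: a constructed batch of pre-numbered source documents, the control totals a user would write on the transmittal ticket, and a reconciliation of the processed output against those totals and against the expected pre-numbered sequence. Every discrepancy becomes an error-log entry carrying the fields listed above. The batch number, document numbers, amounts and initials are constructed; the hash total of document numbers is an assumption added alongside the count and amount totals.

```python
"""Batch control reconciliation and error log for a constructed batch.

Added illustration (not from the presentation). The transmittal ticket
carries the control totals; the processed output is reconciled against
the ticket and against the pre-numbered sequence. All data constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Txn:
    doc_no: int   # pre-numbered source document number
    amount: int   # amount in cents, so totals are exact integers


def control_totals(txns):
    """Totals a user would record on the transmittal ticket / control log."""
    return {
        "count": len(txns),
        "amount": sum(t.amount for t in txns),
        "hash": sum(t.doc_no for t in txns),   # hash total of document numbers
    }


def reconcile(batch_no, ticket, processed, first_doc, last_doc,
              user_initials="JS", today=None):
    """Compare processed output with the ticket totals and the expected
    document-number range. Returns (balanced, error_log_entries)."""
    today = today or date.today()
    log = []

    def entry(doc_no, cause):
        # One error-log record per discrepancy, with the slide's fields.
        return {
            "batch": batch_no,
            "transaction": doc_no,
            "cause": cause,
            "occurred": today.isoformat(),
            "corrected": None,          # filled in on resubmission
            "initials": user_initials,
        }

    seen = Counter(t.doc_no for t in processed)
    # Captured more than once: the same pre-number appears twice in output.
    for doc_no, n in sorted(seen.items()):
        if n > 1:
            log.append(entry(doc_no, f"captured {n} times"))
    # Lost or omitted: a gap in the pre-numbered sequence.
    for doc_no in range(first_doc, last_doc + 1):
        if doc_no not in seen:
            log.append(entry(doc_no, "missing from output - lost or omitted"))
    # Changed data: totals differ even when the count still balances.
    actual = control_totals(processed)
    for key in ("count", "amount", "hash"):
        if actual[key] != ticket[key]:
            log.append(entry(None, f"{key} total {actual[key]} != ticket {ticket[key]}"))
    return (not log), log


# Constructed sample: documents 1001-1005 were sent; the output duplicated
# 1002, dropped 1004 and altered the amount on 1005.
SENT = [Txn(1001, 12500), Txn(1002, 800), Txn(1003, 4300), Txn(1004, 99), Txn(1005, 2000)]
TICKET = control_totals(SENT)
PROCESSED = [Txn(1001, 12500), Txn(1002, 800), Txn(1002, 800), Txn(1003, 4300), Txn(1005, 2900)]

if __name__ == "__main__":
    ok, errors = reconcile("B-0042", TICKET, PROCESSED, 1001, 1005)
    print("balanced" if ok else f"{len(errors)} discrepancies")
    for e in errors:
        print(e)
```

In the sample the transaction count still balances: the duplicated 1002 masks the missing 1004, so a count check on its own would pass the batch. The amount total, the hash total and the sequence check catch what the count misses, which is why the slide lists several control totals rather than one; the error log then gives the reviewer the batch and transaction numbers needed to trace each item back to its source document.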

134 Audit trail for data capture
- Consists of a copy of the source documents or a listing of source transactions
- A source document can be manually prepared during data capture or printed by the terminal as a by-product of transaction processing
- The auditor will trace original source documents filed by batch (normally sequentially filed)
- Where no source documents are used, a source list is produced as the audit trail; the auditor will use the computer to reference source lists on disk or tape

135 Information/communication
ERM components: Objective setting; Event identification; Risk assessment; Risk response; Control environment; Control activities; Information/communication
There is also effective communication and exchange of relevant information with external parties, such as customers, suppliers, regulators and shareholders.
Information is needed at all levels of an organization to identify, assess and respond to risks, and to otherwise run the entity and achieve its objectives. An array of information is used, relevant to one or more objectives categories. Information comes from many sources – internal and external, and in quantitative and qualitative forms – and allows enterprise risk management responses to changing conditions in real time.
The challenge for management is to process and refine large volumes of data into actionable information. This challenge is met by establishing an information systems infrastructure to source, capture, process, analyze and report relevant information. These information systems – usually computerized but also involving manual inputs or interfaces – often are viewed in the context of processing internally generated data relating to transactions. Information systems have long been designed and used to support business strategy. This role becomes critical as business needs change and technology creates new opportunities for strategic advantage.
To support effective enterprise risk management, an entity captures and uses historical and current data. Historical data allow the entity to track actual performance against targets, plans and expectations. It provides insights into how the entity performed under varying conditions, allowing management to identify correlations and trends and to forecast future performance. Historical data also can provide early warning of potential events that warrant management attention. Present or current state data allow an entity to assess its risks at a specific point in time and remain within established risk tolerances.
Current state data allow management to take a real-time view of existing risks inherent in a process, function or unit and to identify variations from expectations. This provides a view of the entity’s risk profile, enabling management to alter activities as necessary to calibrate to its risk appetite. Information is a basis for communication, which must meet the expectations of groups and individuals, enabling them to effectively carry out their responsibilities. Among the most critical communications channels is that between top management and the board of directors. Management must keep the board up-to-date on performance, developments, risks and the functioning of enterprise risk management, and other relevant events and issues. The better the communication, the more effective the board will be in carrying out its oversight responsibilities, in acting as a sounding board on critical issues and in providing advice, counsel and direction. By the same token, the board should communicate to management what information it needs and provide feedback and direction. Management provides specific and directed communication addressing behavioral expectations and the responsibilities of personnel. This includes a clear statement of the entity’s enterprise risk management philosophy and approach and delegation of authority. Communication about processes and procedures should align with, and underpin, the desired risk culture. In addition, communication should be appropriately “framed” – the presentation of information can significantly affect how it is interpreted and how the associated risks or opportunities are viewed. Communication should raise awareness about the importance and relevance of effective enterprise risk management, communicate the entity’s risk appetite and risk tolerances, implement and support a common risk language, and advise personnel of their roles and responsibilities in effecting and supporting the components of enterprise risk management. 
Communications channels also should ensure personnel can communicate risk-based information across business units, processes or functional silos. In most cases, normal reporting lines in an organization are the appropriate channels of communication. In some circumstances, however, separate lines of communication are needed to serve as a fail-safe mechanism in case normal channels are inoperative. In all cases, it is important that personnel understand that there will be no reprisals for reporting relevant information. External communications channels can provide highly significant input on the design or quality of products or services. Management considers how its risk appetite and risk tolerances align with those of its customers, suppliers and partners, ensuring that it does not inadvertently take on too much risk through its business interactions. Communication from external parties often provides important information on the functioning of enterprise risk management. Pertinent information – from internal and external sources – must be identified, captured and communicated in a form and timeframe that enable personnel to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity.

136 Risk and control matrix
Columns: Best practice | Control activity | SCO | Risk | CAA
- Best practice: Safeguard goods received
- Risk: Inadequate physical security over goods received
- Control activity: Maintain physical security over goods received; Segregate custodial and record keeping functions

137 Added value opportunity
Control analysis (columns: Control activity | Prevention | Detection | IT | Manual):
- Maintain physical security over goods received
- Segregate custodial and record keeping functions
Added value opportunity:
- Computerise to increase efficiency, economy, effectiveness
- IT management information allows for effective detection controls
- Detection control allows development of prevention controls

138 Added value
(Impact x Likelihood matrix) Impact x Likelihood = Added value
Inadequate controls -> Recommendation

139 Audit report - finding
A finding is: Clear, Concise, Factual
Finding type: Inadequate, Inefficient, Ineffective, Uneconomic

140 Determine the causes
- Determine what circumstances, if any, caused the identified weaknesses. Consider the materiality of the effect before spending much time determining causes.
- Determine if participants understand both the purpose of the process and their role in it.
- Determine if the relationship between the accounts payable process and other department processes is clear.
- If the process occurs at multiple locations, determine the nature and scope of communication and coordination among components.

141 Determine the causes
- Determine if the accounts payable process has adequate human, rand, time and asset resources. If inadequate, determine if resources have been allocated according to the materiality of the accounts payable process relative to other processes.
- Negative trends in reports used to monitor outcome(s): determine if reports are communicated to and used by appropriate parties to modify the process.
- Determine what internal or external constraints or barriers, if any, must be removed in order to overcome these identified weaknesses.
- Review applicable laws or regulations to determine if any of them prevent necessary changes from being made in the accounts payable process.

142 Determine the effect
- Compare the actual process to a recommended alternative process(es) and determine if each weakness in the department process is material. Materiality can be measured by comparing the rand cost, impact on economy, risks, etc. of the actual process to the recommended alternative process(es). Measurements can be quantitative, qualitative, or both.
- Identify benchmarks (industry standards, historical internal data, other comparable departments, etc.) for the process in question and compare to actual performance. Measure the difference, if possible. Include the cost of additional controls or changes in the process.

143 Determine the effect
- Estimate the cost of the actual process and alternative process(es) and compare.
- Estimate the quantity and/or quality of services provided by the actual process and by alternative process(es) and compare.
- Identify risks associated with the actual process and with alternative process(es). Measure and compare the risks.

144 Develop recommendations
- Develop specific recommendations to correct weaknesses identified as material. In developing recommendations, consider tailored criteria, the kind of process and control weaknesses identified, causes and barriers, effects, and additional resources.
- Solicit solutions and recommendations from the client.
- Identify alternative solutions used by other business units.
- Identify solutions for removing barriers.
- Provide general guidelines as to the objectives each solution should meet; the department can then tailor the solution to its specific situation.
- Provide specific information, if available, on how each recommendation can be implemented.

145 Cause – directs recommendation
(Impact x Likelihood diagram)
Root cause of the finding: What was the inherent risk? Did management agree? Root cause? Lack of budget/staff/skills?
- Inadequate detection
- Inadequate management information systems
- Lack of responsibility and accountability
- Infrastructure

146 Effect
(Impact x Likelihood diagram)
Effect: What is the effect? How will it be changed? How will it be monitored? Does it reduce accountability?

147 Recommendation
Recommendation = responsibility
Recommendation - teamwork:
- real-time, online, detection focused
- reduce risk: change likelihood/root cause, reduce effect/impact
- enhance effectiveness, efficiency and economic use of resources
- assign responsibility

148 Accept recommendation
Management comment: accept the recommendation, or accept the risk.
An Australian study indicated that on average, 10% of people will never steal, whilst 10% of people will always steal. The majority of us are influenced by the stronger of the two 10%s. This issue forms the backbone of the principles of values and conformance, which I will return to later. One challenge to internal auditors today is the fact that crime pays! And the penalty for those crimes seems to be manageable, like any other risk in normal business activities.

149 Audit report - recommendation
- Inadequate: recommend a new control that changes the effect (residual risk); measure the change
- Inefficient: difference between basic control and best practice; measure the change
- Ineffective: non-compliance – cause; disciplinary action; cost and benefit

150 Audit report
- Criteria
- Condition
- Cause and effect
- Recommendation: how to fix it – What? When? Who?
- Management comment: Accept? What? When? Who?

151 Audit report - process
- Finding worksheet (adequacy – AD; effectiveness – IA)
- Review by AD
- Benchmark and review by DD
- Final draft audit report
- Auditee comments
- Quality control
- Final audit report

152 Audit opinion
The prevention controls that ensure R – reliability and integrity of information – are adequate and effective

153 COSO – all five components must be present and functioning before a control system can be effective
Components:
- Control environment
- Risk assessment
- Information and communication
- Control activity – prevention
- Monitoring activities – detection
Control objectives:
- Safeguard assets
- Compliance with laws, regulations, contracts
- Reliability and integrity of information
- Economy, effectiveness and efficiency

154 Audit opinion - adequacy & efficiency
Controls are          Efficient   Inefficient
Adequate              1           2
Partially adequate    3           4
Inadequate            N/A         5/6

155 Accept the recommendation or accept the risk!
Audit report:
- Title of the finding
- Finding – root cause analysis: Criteria, Condition, Cause, Effect
- Recommendation – Responsibility, Accountability (include in job descriptions!)
- Management comment – accept the recommendation or accept the risk!

156 Follow up
Diagram labels: Audit scope and objectives; Document system (POF); Identify weaknesses; No compliance work; Recommendations; Adequate controls; Inadequate opinion; Likelihood assessment; Effectiveness audit; Follow up audit; ADD VALUE

157 Follow up
- Identify the scope for the follow-up audit
- Select the sample size and items to be tested
- Execute the audit work
- Develop informal queries and discuss with the client
- Report to management

