Internal Auditing & Controls. Examination phase of the internal audit Module 5. Course Name: Internal Auditing & Controls

(1)

Lecture and handouts prepared by Chuck Campbell

Course Name: Internal Auditing & Controls

Module: 5

Module Title: Examination phase of the

internal audit

MU1 2007-08 Module 5 Part 1 Slide 2

Examination phase of the internal audit

Module 5

This module covers the main aspects of the examination phase of the internal audit. In this module, you will learn how the auditor organizes and carries out the work needed to obtain sufficient, appropriate evidence to assess the quality of management systems and practices in areas selected for audit. You will also be introduced to generalized audit software packages such as ACL and will use this software to obtain evidence for internal audits, including fraud investigations.

Internal Auditing & Controls

Module 5

Part 1 Topic 5.1 Overview of the examination phase Topic 5.2 Preparing the audit program Part 2 Topic 5.3 Testing and evidence

Topic 5.4 Developing audit criteria and preparing an audit program – case study

Part 3 Topic 5.5 Computer-assisted audit techniques Topic 5.6 Generalized audit software

(2)

Internal Auditing & Controls

Module 5

Part 4 Topic 5.7 Evaluating audit results

Topic 5.8 Completing and reviewing audit files Part 5 Topic 5.9 Fraud and investigations

Topic 5.10 Conducting a fraud investigation Topic 5.11 Fraud in a technological environment Part 6 Module summary – Learning objectives

Recent examination questions

Internal Auditing & Controls

Module 5

Part 1 Topic 5.1 Overview of the examination phase

Topic 5.2 Preparing the audit program

Steps in the examination phase of

an internal audit

1. Examining and testing operations and transactions by performing the procedures set out in the audit program.

(3)

Steps in the examination phase of

a internal audit

(cont’d)

1. Examining and testing operations and transactions by performing the procedures set out in the audit program. 2. Analyzing audit results by comparing audit evidence with audit criteria and establishing the causes for any significant variances.

Steps in the examination phase of

a internal audit

(cont’d)

1. Examining and testing operations and transactions by performing the procedures set out in the audit program. 2. Analyzing audit results by comparing audit evidence with audit criteria and establishing the causes for any significant variances.

3. Completing and reviewing audit files including summarizing audit findings, in preparation for producing the audit report.

Purposes of audit programs



ensuring that audit standards are met



clearly communicating objectives, audit criteria

and procedures



aiding in understanding the activities being

audited



outlining the work to be done and ensuring that

no important steps are overlooked



providing a basis for scheduling and controlling

audit work and time

(4)

Purposes of audit programs

(cont’d)



providing for an orderly review of the work

performed



providing a checkpoint for approval of planned

audit work and subsequent audit review



ensuring that the most efficient procedures are

followed in the proper order to gather sufficient,

appropriate evidence to support the auditor’s

observations



providing supporting evidence for audit findings

Steps in preparing internal audit

programs

1. Determine the nature of evidence

required by the audit objectives.

Steps in preparing internal audit

programs

(cont’d)

1. Determine the nature of evidence

required by the audit objectives.

2. Determine what evidence is appropriate

to achieve the audit objectives.

(5)

Steps in preparing internal audit

programs

(cont’d)

1. Determine the nature of evidence

required by the audit objectives.

2. Determine what evidence is appropriate

to achieve the audit objectives.

3. Determine how much evidence is needed

to achieve the audit objectives.

Steps in preparing internal audit

programs

(cont’d)

1. Determine the nature of evidence

required by the audit objectives.

2. Determine what evidence is appropriate

to achieve the audit objectives.

3. Determine how much evidence is needed

to achieve the audit objectives.

4. Determine the timeliness of the evidence

needed to meet the audit objectives.

Steps in preparing internal audit

programs

(cont’d)

1.

Determine the nature of evidence required by

the audit objectives.

2.

Determine what evidence is appropriate to

achieve the audit objectives.

3.

Determine how much evidence is needed to

achieve the audit objectives.

4.

Determine the timeliness of the evidence

needed to meet the audit objectives.

5.

Determine how the required evidence will be

obtained.

(6)

Steps in preparing internal audit

programs

(cont’d)

1.

Determine the nature of evidence required by

the audit objectives.

2.

Determine what evidence is appropriate to

achieve the audit objectives.

3.

Determine how much evidence is needed to

achieve the audit objectives.

4.

Determine the timeliness of the evidence

needed to meet the audit objectives.

5.

Determine how the required evidence will be

obtained.

6.

Write the audit program.

Components of the audit program

Audit objectives summarize why the audit is being

performed.

Components of the audit program

Audit objectives summarize why the audit is being

performed.

Audit criteria are the standards used by the auditor

to assess performance.

(7)

Components of the audit program

Audit objectives summarize why the audit is being

performed.

Audit criteria are the standards used by the auditor

to assess performance.

Audit procedures are the general and specific

techniques performed by the auditors to obtain

sufficient, appropriate evidence to determine if

operations are in accordance with the audit

criteria.

Examples of audit procedures

Audit procedures include:

 inspection of documents (vouching and tracing)  analysis

 interviews

Examples of audit procedures

Audit procedures include:

 inspection of documents (vouching and tracing)  analysis  interviews  replication or reperformance  physical observation  computation  confirmation

(8)

Internal Auditing & Controls

Module 5

Part 2

Topic 5.3 Testing and evidence

Topic 5.4 Developing audit criteria and preparing an audit program – case study

Appropriateness of internal audit

evidence

In determining the appropriateness of audit

evidence, the internal auditor considers three

factors:

 its competence or reliability

Appropriateness of internal audit

evidence

In determining the appropriateness of audit

evidence, the internal auditor considers three

factors:

 its relevance for the purpose for which it is to be

(9)

Appropriateness of internal audit

evidence

In determining the appropriateness of audit

evidence, the internal auditor considers three

factors:

 its relevance for the purpose for which it is to be

used

 its usefulness in helping the organization improve

and achieve its goals

Sufficiency of internal audit

evidence

Sufficiency of audit evidence means that the

auditor has examined a large enough

quantity of evidence such that a reasonably

trained person would concur that the

amount of evidence was adequate to

support the audit conclusions reached

Factors in determining sufficiency

of audit evidence

Factors to consider in determining how much evidence is required include:

(10)

Factors in determining sufficiency

of audit evidence

 the risk associated with the activities being audited  the materiality or impact of the potential

weaknesses

Factors in determining sufficiency

of audit evidence

weaknesses

 the nature of the evidence available (the more

persuasive the evidence, the less of it is needed)

Factors in determining sufficiency

of audit evidence

weaknesses

 the sensitivity of the matter being assessed (more

evidence is needed, for example, for suspected frauds)

(11)

Factors in determining sufficiency

of audit evidence

weaknesses

 the sensitivity of the matter being assessed (more

evidence is needed, for example, for suspected frauds)

 the cost of obtaining the evidence

Persuasiveness of audit evidence

Evidence is most persuasive when it is:



relevant;

Persuasiveness of audit evidence

Evidence is most persuasive when it is:



relevant;

(12)

Persuasiveness of audit evidence

Evidence is most persuasive when it is:



relevant;



objective;



documented;

Persuasiveness of audit evidence

Evidence is most persuasive when it is:



relevant;



objective;



documented;



external to the organization;

Persuasiveness of audit evidence

Evidence is most persuasive when it is:



relevant;



objective;



documented;



external to the organization;



derived from a large sample;

(13)

Persuasiveness of audit evidence

Evidence is most persuasive when it is:



relevant;



objective;



documented;



external to the organization;



derived from a large sample;



derived from a random, statistical sample;

Persuasiveness of audit evidence

Evidence is most persuasive when it is:

 relevant;  objective;  documented;

 external to the organization;  derived from a large sample;

 derived from a random, statistical sample;  corroborated by evidence from other sources;

Persuasiveness of audit evidence

Evidence is most persuasive when it is:

 relevant;  objective;  documented;

 derived from a random, statistical sample;  corroborated by evidence from other sources;  timely;

(14)

Persuasiveness of audit evidence

Evidence is most persuasive when it is:  relevant;

 objective;  documented;

 authoritative;

Persuasiveness of audit evidence

 authoritative;  direct;

Persuasiveness of audit evidence

 authoritative;  direct;

(15)

Connon Chemicals Inc. case study –

1. Decide how you would expect the company to mitigate

each of the risks identified in the planning stage of the audit.

2. For each risk, state the criteria that you would use to

evaluate the company’s efforts to address each identified risk.

3. For each criterion stated, set out one or more steps

that would make up the audit program to obtain and assess evidence as to whether the company is in compliance with the criteria you have determined to be appropriate.

Internal Auditing & Controls

Module 5

Part 3

Topic 5.5 Computer-assisted audit techniques Topic 5.6 Generalized audit software

Prerequisites to using

computer-assisted audit techniques



The information must be stored in computer

records.

(16)

Prerequisites to using

computer-assisted audit techniques



The information must be stored in computer

records.



Computer software must be available to

perform

the

computer

assisted

audit

techniques

(or

can

be

developed

economically).

Prerequisites to using

computer-assisted audit techniques

 The information must be stored in computer records.  Computer software must be available to perform the

computer assisted audit techniques (or can be developed economically).

 The auditor must have the technical competence to

perform the audit procedures using the computer assisted audit techniques.

Systems-oriented CAATs

Systems-oriented CAATs are used to:

 enable the auditor to directly test system-based

(17)

Systems-oriented CAATs

Systems-oriented CAATs are used to:

internal controls;

 enable the auditor to check the logic of the

computer systems;

Systems-oriented CAATs

Systems-oriented CAATs are used to:

internal controls;

computer systems;

 enable the auditor to gain a better understanding of

the computer systems;

Systems-oriented CAATs

Systems-oriented CAATs are used to:

internal controls;

computer systems;

 enable the auditor to gain a better understanding of

the computer systems;

 enable the auditor to establish that there have been

(18)

Systems-oriented CAATs

(cont’d)

Examples of system-oriented CAATs include:



test data;



integrated test facilities;



system control audit review files (SCARF);



logic analysis programs;



code comparison programs

.

Data-oriented CAATs

Data-oriented CAATs:

 are used to retrieve, select, summarize and process

data for the purposes of establishing its completeness and accuracy;

Data-oriented CAATs

Data-oriented CAATs:

 are used to perform statistical and other analysis on

(19)

Data-oriented CAATs

Data-oriented CAATs:

audit data;

 are usually used to produce substantive audit evidence

(occasionally to test controls);

Data-oriented CAATs

Data-oriented CAATs:

audit data;

 enable the auditor to gain a better understanding of the

computer systems;

Data-oriented CAATs

Data-oriented CAATs:

audit data;

 enable the auditor to gain a better understanding of the

computer systems;

(20)

Data-oriented CAATs

(cont’d)

Examples of data-oriented CAATs include:



generalized audit software;



system utilities;



custom-written programs;



industry-specific audit programs.

Functionality of generalized audit

software

Most generalized audit software programs (such as ACL) can do the following:

 read data in a variety of formats and file

structures;

 merge records from multiple files;

 extracts records according to auditor’s

specifications;

 sort records according to the auditor’s

specifications;

 select samples using statistical or other criteria;

Functionality of generalized audit

software

(cont’d)

Most generalized audit software programs (such as ACL) can do the following:

 perform numerical calculations on data;  perform statistical analysis on data;  perform summation of data;

 generate reports in prescribed formats (e.g.,

(21)

An example of the use of ACL

ACL was used to:

 select travel and entertainment payments from the

accounts payable master file;

 select employees who had the highest total travel and

entertainment costs;

 select the highest reimbursements to employees

other than those selected in the previous step;

 select transactions from those identified by previous

internal audits as violators of the company’s policies and procedures;

 select a random sample of the remaining

reimbursements;

 merge data with employee file to obtain employee’s

names and locations;

 generate a worksheet containing selected

reimbursements for audit follow-up.

Steps in using generalized audit

software

1. define the specific audit objectives for the application;

Steps in using generalized audit

software

2. determine the specific tests to be performed by the software;

(22)

Steps in using generalized audit

software

3. obtain copies of the data files to be tested;

Steps in using generalized audit

software

4. verify completeness of data files to be used;

Steps in using generalized audit

software

5. enter the commands into the generalized audit software and run the program;

(23)

Steps in using generalized audit

software

5. enter the commands into the generalized audit software and run the program;

6. check the output and draw audit conclusions.

Computer illustrations using ACL

You should work through computer illustrations

5-1 to 5-4 to gain some hands-on experience

working with a generalized audit software

package:

 5-1: Basic table management using ACL  5-2: Analyzing field contents and sorting a table  5-3: Creating new fields and analyzing a field  5-4: Aggregating the values of a field

(These are found under the ACL computer illustrations link on the navigation pane.)

Internal Auditing & Controls

Module 5

Part 4

Topic 5.7 Evaluating audit results

(24)

Evaluating audit results

1.

The auditor compares the observation with the

audit criteria.

Evaluating audit results

1.

The auditor compares the observation with the

audit criteria.

2.

The auditor determines the cause and effects of

the identified weakness.

a)the auditor must define the problem and gather evidence as to the cause of the deficiency;

Evaluating audit results

1.

The auditor compares the observation with the

audit criteria.

2.

The auditor determines the cause and effects of

the identified weakness.

b)the auditor must consider the effect of the deficiency on the company’s operations;

(25)

Evaluating audit results

1.

The auditor compares the observation with the

audit criteria.

2.

The auditor determines the cause and effects of

the identified weakness.

b)the auditor must consider the effect of the deficiency on the company’s operations;

c) the auditor must ensure that sufficient evidence is obtained to support the existence of the weakness and its cause and effects.

Reviewing audit files

Audit working paper files should contain:



a statement of audit objectives;

Reviewing audit files

Audit working paper files should contain:



a statement of audit objectives;



reasons

for

performing

specific

audit

procedures;

(26)

Reviewing audit files

Audit working paper files should contain:



a statement of audit objectives;



reasons

for

performing

specific

audit

procedures;



the basis for sample selection;

Reviewing audit files

Audit working paper files should contain:



a statement of audit objectives;



reasons

for

performing

specific

audit

procedures;



the basis for sample selection;



documentation of matters examined;

Reviewing audit files

Audit working paper files should contain:



a statement of audit objectives;



reasons

for

performing

specific

audit

procedures;



the basis for sample selection;



documentation of matters examined;



key documentary evidence;

(27)

Reviewing audit files

Audit working paper files should contain:

 a statement of audit objectives;

 reasons for performing specific audit procedures;  the basis for sample selection;

 documentation of matters examined;  key documentary evidence;

 audit programs, setting out work done;

Reviewing audit files

Audit working paper files should contain:

 a statement of audit objectives;

 documentation of matters examined;  key documentary evidence;

 audit programs, setting out work done;  drafts of audit reports;

Reviewing audit files

Audit working paper files should contain:  a statement of audit objectives;

 documentation of matters examined;  key documentary evidence;  audit programs, setting out work done;  drafts of audit reports;

(28)

Reviewing audit files

 details of discussions with management;  management’s response to audit findings;

Reviewing audit files

 details of discussions with management;  management’s response to audit findings;  evidence of adequate review of work done.

internal audit working papers

Working papers should be:



complete and accurate;

(29)

internal audit working papers

Working papers should be:



complete and accurate;



clear and concise;

internal audit working papers

Working papers should be:



complete and accurate;



clear and concise;



pertinent (relevant);

internal audit working papers

Working papers should be:



complete and accurate;



clear and concise;



pertinent (relevant);



systematically organized.

(30)

Internal Auditing & Controls

Module 5

Part 5

Topic 5.9 Fraud and investigations Topic 5.10 Conducting a fraud investigation Topic 5.11 Fraud in a technological environment

Responsibility for the deterrence and

detection of fraud



Management

has the primary responsibility

for preventing and detecting fraud.

Responsibility for the deterrence and

detection of fraud



Management

has the primary responsibility

for preventing and detecting fraud.



Internal

auditors

must

have

sufficient

knowledge of fraud to be able to identify

indications that fraud might have occurred.

(31)

Some indicators of potential fraud



control in the hands of few individuals; little

segregation of duties;



unexplained

variances

and

unexpected

performance ratios;



late reporting;



unexplained shortages in physical assets;

Some indicators of potential fraud

(cont’d)



unusually high number of interbank transfers;



staff not taking vacations;



high staff turnover;



extreme pressure to achieve results;



unexplained extravagant lifestyles.

Steps in a fraud investigation

1. Be alert to the indications of the existence of possible fraud.

(32)

Steps in a fraud investigation

2. Inform management of suspicious circumstances.

Steps in a fraud investigation

2. Inform management of suspicious circumstances.

3. Assist in the investigation, as requested:

a) co-ordinate efforts of all parties working in the investigation;

b) determine appropriate audit procedures;

c) obtain and evaluate audit evidence;

d) determine actual or potential loss;

e) identify specific cause or deficiency that permitted fraud to occur;

f) carry out interviews;

g) respect the legal rights of all employees.

Steps in a fraud investigation

(cont’d)

4.

Reappraise internal controls and audit

procedures.

(33)

Steps in a fraud investigation

(cont’d)

4.

Reappraise internal controls and audit

procedures.

5.

The company must determine the action to

be taken against the perpetrator.

Steps in a fraud investigation

(cont’d)

4.

Reappraise internal controls and audit

procedures.

5.

The company must determine the action to

be taken against the perpetrator.

6.

Prepare a written report.

Contents of a fraud report



how the fraud was discovered



nature or type of fraudulent activity



identity of perpetrator



dollar amount involved



method of concealment

(34)

Contents of a fraud report

(cont’d)



time period during which fraud occurred



effect on financial statements



recommendations to prevent recurrence



disciplinary or legal action taken

Types of computer fraud

1.

theft of information

Types of computer fraud

1.

theft of information

2.

theft of assets (with manipulation of

(35)

Types of computer fraud

1.

theft of information

2.

theft of assets

3.

malicious destruction of programs and/or data

Internal Auditing & Controls

Module 5

Part 6

Module summary -- Learning Objectives Recent past examination questions

Module 5 Learning Objectives

1.

Outline the main steps in the examination

(36)

Module 5 Learning Objectives

2.

Describe the purpose of a internal audit

program and explain its components and

format. (Level 1)

Module 5 Learning Objectives

3.

Explain how evidence is gathered, selected,

and assessed, and the importance of the

decisions involved. (Level 1)

Module 5 Learning Objectives

4.

Develop appropriate criteria and prepare an

(37)

Module 5 Learning Objectives

5.

Distinguish between systems-oriented and

data-oriented computer-assisted audit

techniques (CAATs). (Level 1)

Module 5 Learning Objectives

6.

Explain and demonstrate how data are

analyzed using generalized audit software such

as ACL. (Level 1)

Module 5 Learning Objectives

7.

Assess conditions within an audited unit against

audit criteria, and analyze the cause and effects

of any observed deficiencies. (Level 1)

(38)

Module 5 Learning Objectives

8.

Explain the standards for preparing audit

working papers and the importance of the

internal auditor’s role in supervising the

engagement. (Level 2)

Module 5 Learning Objectives

9.

Describe the roles and responsibilities of

management and the internal auditor in the

deterrence and detection of fraud. (Level 1)

Module 5 Learning Objectives

10.

Outline the main steps in a fraud investigation

and the auditor’s responsibility in following up

on the results of such an investigation. (Level 1)

(39)

Module 5 Learning Objectives

11.

Describe computer fraud and outline current

practices for how internal auditors deal with it

(Level 2); examine how ACL can be used to

conduct a payroll fraud investigation. (Level 1)

Recent examination questions

Multiple choice questions:

June 2005, Questions 1(c) and 1(d)

Recent examination questions

Multiple choice questions:

(40)

Recent examination questions

Multiple choice questions:

March 2006, Questions 1(e) and 1(f)

Recent examination questions

Multiple choice questions:

June 2006, Questions 1(e) and 1(f)

Recent examination questions

Multiple choice questions:

(41)

Recent examination questions

GAS output interpretation questions:

March 2006, Question 2

Recent examination questions

GAS output interpretation questions:

June 2006, Question 2

Recent examination questions

Essay questions

(42)

Recent examination questions

Essay questions:

December 2005, Question 3 (part)