Audit 101 2 Days Dec 2015 GoldSRD



(C) GoldCal LLC 2015

AUDIT 101: BEGINNER AUDITOR TRAINING

Danny M. Goldberg, Founder

INTRODUCTION

Danny M. Goldberg
• Founder, GOLDSRD (www.goldsrd.com)
• Former Director of Corporate Audit/SOX at Dr Pepper Snapple Group
• Former CAE - Tyler Technologies
• Published Author (Book/Articles)
• Texas A&M University – 97/98
• Chairman of the Leadership Council of the American Lung Association - North Texas – Calendar Year 2012
• Served on the Audit Committee of the Dallas Independent School District (CY 2008)
• Current Dallas and Fort Worth IIA Programs Co-Chair
• Fort Worth IIA Board Member
• IIA North America Learning Committee Member

Certifications:
• CPA – Since 2000
• CIA – Since 2008
• CISA – Since 2008
• CGEIT - Since 2009
• CRISC - Since 2011
• CRMA – Since 2011
• CCSA – Since 2007
• CGMA – Since 2012


Danny M. Goldberg
• Highly-Rated, Internationally Recognized Speaker
– Asked to Speak @ 2015 IIA All-Star Conference (October, 2015)
– One of the Top Rated Sessions, 2015 GAM Conference
– 8th Rated Speaker, 2015 MISTI AuditWorld
– 10th Rated Speaker, 2015 ISACA CACS
– One of the Top Rated Speakers, 2014 IIA All-Star Conference
– 7th Rated Speaker, 2014 ISACA ISRM Conference
– One of the Top Rated Speakers, 2014 IIA Mid-Atlantic Conference
– 3rd Rated Speaker, 2014 ISACA CACS
– One of the Top Rated Speakers, 2014 IIA Gaming Conference
– 6th Highest Rated Speaker (out of 116), 2013 IIA International Conference
– 3rd and 5th Rated Sessions, 2013 IIA Central Regional Conference
– 8th Rated Speaker (out of 120), 2012 IIA International Conference

People-Centric Skills
• Added to IIA and ISACA Bookstores, Summer 2015
• Published August 2014 (Wiley Publications)
• Coauthored with Manny Rosenfeld
– Chief Audit Executive with four global F500 Cos. and a global Financial Services organization.
• First book specific to internal audit communications and personal interactions
• This is not a reference book!
– Story book format
– Character development
– Fictional Internal Audit Department
– Fictional Professional Coach/Trainer
– Situational

GoldSRD Snapshot

Staff Augmentation:

§  Market leader in locating cost-effective, recognized resources in accounting, finance, audit and IT

§  All requests filled within 72 hours

Professional Development:

§  Nationally-Recognized Leader in Audit and People-Centric Skill Training

§  Over 100 Full-Day Courses on Audit, Accounting, Finance and People-Centric Skills

§  Registered with NASBA to offer CPEs for all courses in the course catalog

§  Competitive Pricing

§  Interactive and Educational Courses for all levels

Executive Recruiting:

§  Unique approach to filling positions, including personality assessment for candidate and organization

§  Expansive network of qualified candidates actively looking


PPT Business Card
Danny M. Goldberg, Founder – GoldSRD
P: (214) 514-8883
www.linkedin.com/in/dannymgoldberg
https://twitter.com/DannyMGoldberg

Course Overview
I. Introduction and Background
II. Overview of Internal Audit Guidance
III. Internal Audit Annual Planning
IV. Internal Audit Process
a. Planning
b. Fieldwork
c. Reporting
V. Control Best Practices
VI. Fraud Overview and Fraud Red Flags
VII. Sampling Methodologies and Overview of Application
VIII. Internal Audit Wrap-Up
IX. Flowcharting
X. Crucial Communication/The Role of Internal Audit
XI. Interview Techniques
XII. Future Steps and Hurdles

Let’s Set Up Our Teams
• Introduce Yourselves to Your Team
– Interesting Fact
– Specific Area of Interest in this Course
• Create a Team Name
• Complete Your Name Tent
– Put your High School/College Nickname on the Reverse side


INTRODUCTION, OVERVIEW AND BACKGROUND

Discussion – What is the Goal of Internal Auditing?

Definition of Internal Auditing (Red Book)
• Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.


Auditor Guidance?
• International Professional Practice Framework (“IPPF”)
• Governmental Auditing Standards (“Yellow Book”)
• Generally Accepted Auditing Standards (AICPA/ASB/PCAOB)
• State Requirements (varies)
• Major differences between standards are minimal

The Institute of Internal Auditors
• Formed in 1941
• Headquartered in Altamonte Springs, Florida
• 130,000 members worldwide and growing
• Sets standards for practicing internal audit (IPPF)
• Conferences
• Research
• Guidance is somewhat “loose”

IIA IPPF
• Definition
• Code of Ethics
• Standards (attribute, performance, implementation)
• Position Papers
• Practice Advisories
• Practice Guides


Assurance Services
• Assurance services involve the internal auditor’s objective assessment of evidence to provide an independent opinion or conclusions regarding a process, system, or other subject matter. The nature and scope of the assurance engagement are determined by the internal auditor.

Consulting Services
• Consulting services are advisory in nature, and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client.

Code of Ethics
• Integrity
• Objectivity
• Confidentiality
• Competency


Standards
• Attribute Standards (1000 series) – address the characteristics of organizations and individuals performing IA services
• Performance Standards (2000 series) – describe the nature of internal audit activities and provide quality criteria against which the performance can be measured.
• Implementation Standards – under Attribute and Performance Standards that apply to specific engagements.

Attribute Standards
• 1000 – Purpose, Authority, Responsibility
• 1100 – Independence and Objectivity
• 1200 – Proficiency and Due Professional Care
• 1300 – Quality Assurance and Improvement

Performance Standards
• 2000 – Managing the Internal Audit Activity
• 2100 – Nature of Work
• 2200 – Engagement Planning
• 2300 – Performing the Engagement
• 2400 – Communicating the Results
• 2500 – Monitoring Progress
• 2600 – Resolution of Management’s Acceptance of Risks


Definition Elements

Practice Guides
Detailed guidance for conducting internal audit activities. Includes detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, including examples of deliverables.

Practice Advisories
Address approaches, methodologies and considerations, but NOT detailed processes and procedures. Concise and timely guidance to assist internal auditors in applying the Code of Ethics and Standards and promoting good practices. Includes practices relating to: international, country, or industry specific issues; specific types of engagements; and legal or regulatory issues.

Position Papers
IIA statement to assist a wide range of interested parties, including those not in the internal auditing profession, in understanding governance, risk or control issues and delineating the related roles and responsibilities of internal auditing.

International Standards
Mandatory requirements consisting of:
• Statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of its performance, which are internationally applicable at organizational and individual levels. Principles-focused, and provide a framework for performing and promoting internal auditing. Includes Attribute, Performance and Implementation Standards.
• Interpretations, which clarify terms or concepts within the Statements.
Consider both Statements and Interpretations to understand and apply correctly.

Code of Ethics
Statement of principles and expectations governing behavior of individuals and organizations in the conduct of internal auditing. Description of minimum requirements for conduct. Describes principles rather than specific activities.

Definition
Statement of purpose, nature, and scope of internal auditing.

Definition of Internal Auditing
• Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.
• It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Code of Ethics
• Integrity
– The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
• Objectivity
– Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.
• Confidentiality
– Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
• Competency
– Internal auditors apply the knowledge, skills, and experience needed in the performance of internal auditing services.


PAs related to Attribute Standards

1000-1: Internal Audit Charter

1110-1: Organizational Independence

1111-1: Board Interaction

1120-1: Individual Objectivity

1130-1: Impairments to Independence or Objectivity

1130.A1-1: Assessing Operations for Which Internal Auditors were Previously Responsible

1130.A2-1: Internal Audit’s Responsibility for Other (Non-audit) Functions

1200-1: Proficiency and Due Professional Care

1210-1: Proficiency

1210.A1-1: Obtaining Services to Support or Complement the Internal Audit Activity

1220-1: Due Professional Care

1230-1: Continuing Professional Development

1300-1: Quality Assurance and Improvement Program

1310-1: Requirements of the Quality Assurance and Improvement Program

1311-1: Internal Assessments

1312-1: External Assessments

1312-2: External Assessment - Self Assessment with Independent Validation

1321-1: Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”

PAs related to Performance Standards

2010-1: Linking the Audit Plan to Risk and Exposures

2020-1: Communication and Approval

2030-1: Resource Management

2040-1: Policies and Procedures

2050-1: Coordination

2060-1: Reporting to Senior Management and the Board

2120-1: Assessing the Adequacy of Risk Management Processes

2130-1: Assessing the Adequacy of Control Processes

2130.A1-1: Information Reliability and Integrity

2130.A1-2: Evaluating An Organization's Privacy Framework

2200-1: Engagement Planning

2210-1: Engagement Objectives

2210.A1-1: Risk Assessment in Engagement Planning

2230-1: Engagement Resource Allocation

2240-1: Engagement Work Program

2330-1: Documenting Information

2330.A1-1: Control of Engagement Records

2330.A2-1: Retention of Records

2340-1: Engagement Supervision

2410-1: Communication Criteria

2420-1: Quality of Communications

2440-1: Disseminating Results

2500-1: Monitoring Progress

2500.A1-1: Follow-up Process

GENERAL IT AUDIT GUIDANCE


General IT Guidance
• IIA GTAG Series – IT Auditing for Non-IT Auditors
• ISACA
• CobiT

Practice Guides
• 15 Global Technology Audit Guides (GTAG)
• Guide on the assessment of IT Risk (GAIT)
• Additional Practice Guides will be issued regularly

ANNUAL AUDIT PLANNING


Guidance on Planning and Scheduling of Engagements Contained in IIA Professional Standards and Related Practice Advisories
• CAE has a responsibility to assure the audit committee that the outcomes of planned internal audits will result in maximum value to the organization in relation to their cost

IIA Professional Standard 2010 requires:
• The CAE should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals
• Plan should be:
– Detailed enough to enable the internal audit activity to achieve the objectives of internal auditing that are set forth in its mission statement and charter document
– Based on an assessment of risks throughout the organization

Guidance on Planning and Scheduling of Engagements Contained in IIA Professional Standards and Related Practice Advisories
• Practice Advisory 2010-1, Planning, explains in paragraph 1 the process as establishing: goals, engagement work schedules, staffing plans and financial budgets, and activity reports. The Practice Advisory (2010-1) goes on in paragraph 4 to outline various factors that should be considered in establishing planning and scheduling priorities:
– Dates and results of the last engagement;
– Updated assessments of risks and effectiveness of risk management and control processes;
– Requests by the board and senior management;
– Current issues relating to organizational governance;
– Major changes in the enterprise’s business, operations, systems, and controls;
– Opportunities to achieve operating benefits; and
– Changes to and capabilities of the audit staff.
The work schedules should be sufficiently flexible to cover unanticipated demands on the internal audit activity.

What is an Audit Risk Assessment?
• The Audit Risk assessment is the identification and analysis of relevant risks to the achievement of an organization's objectives, for the purpose of determining how those risks should be managed
• Risk assessment implies an initial determination of operating objectives, then a systematic identification of those things that could prevent each objective from being attained. In other words, it's an analysis of what could go wrong
• Not all risks are equal. Some are more likely than others to occur, and some will have a greater impact than others if they occur. So, once risks are identified, their probability and significance must be assessed
• The risk assessment process is an ongoing one. Internal and external threats constantly develop, presenting new hazards to the organization. Change itself is a risk, and management must continually adapt its policies and procedures to manage its changing risks to a comfortable level


THE INTERNAL AUDIT PROCESS

Internal Audit Process: Planning, Fieldwork, Reporting, with Continuous Communication throughout.

Planning
• Information Gathering
• Documentation
• Gain an Understanding
• Engagement Risk Assessment

Fieldwork
• Audit Testing
• Audit Testing Types
• Workpaper Creation
• Finding Discussions
• Conclusions

Reporting
• Issue Discussion
• Report Finalization
• Report Issuance

Results & Follow-Up
• Update RA
• Finalize Documentation
• Issue Management

PLANNING


PRELIMINARY ENGAGEMENT-LEVEL RISK ASSESSMENT (INHERENT RISK)

Preliminary Risk Analysis (PRA)
• Risk - Function of probability and potential impact
– Each business function or entity has approved tolerance levels for risk exposure
– Risk exposure tolerance must be monitored to determine whether it is increasing, decreasing, or remaining stable
• Key to an effective PRA is understanding the goals and objectives of an audit
– The objective of an audit is not to perform the audit
– Why is this audit being performed?
– How can we narrow the focus of the audit to the greatest risks?
– Why was it identified as a risk?
– Why was it deemed important enough to appear in the audit plan?
• Information collected alters audit scope
• Higher risk = More testing
• Lower risk = Less/possibly no testing
• A good risk analysis refocuses the audit to the most relevant points (this is where real value is added!)

Risk Categories - Standard
• Reputational - Potential that negative publicity regarding the company’s business practices, whether true or not, will cause a decline in the customer base, costly litigation, or revenue reductions
• Regulatory and Compliance - Risk of rating adjustments and reputational impact that stems from regulatory oversight of the Company’s conformance with regulations and guidelines
• Strategic and Emerging - Related to the current and future impact on earnings, capital or potential growth that may arise from adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes. Strategic risks are closely related to identifying and monitoring emerging risks


Risk Categories – Standard (cont)
• Operational/Fraud - Risk of direct or indirect loss resulting from inadequate or failed internal processes, people, strategies or external events; includes fraud risk
• Technology - Risk of loss due to inadequate security, confidentiality, integrity, capability or availability of systems affecting an organization’s operations, assets, customers, shareholders or employees
• Financial Reporting – Risk of unreliable or misleading financial reporting and disclosures, including to the U.S. Treasury, SEC, FDIC, FFIEC and other external reporting

Discussion – What Other Risk Categories Should be Used in Your Organization?

Assess Inherent Risk – What is IR?
Inherent Risk: The risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk or risk before controls)
• Tempting to equate Inherent Risk to Cost, since both terms refer to the importance of a process or asset to a business before controls (“vulnerabilities”) are taken into account
• Alternatively, Inherent Risk could be equated to the Probability that records are incorrect
• Inherent Risk is not always HIGH!


Preliminary Analytical Procedures
• Five general types of procedures for analysis of current year account balances are as follows:
– Compare to balances for one or more comparable periods
– Compare to anticipated results (budget and forecasts)
– Evaluate relationships to other current-year balances for conformity with predictable patterns
– Compare with similar industry information
– Study relationships with relevant non-financial information

CASE STUDY

Case Study - Payroll
• Assess Inherent Risk for the Case Study
• Include All Risk Categories
– Reputational
– Regulatory and Compliance
– Strategic and Emerging
– Operational/Fraud
– Technology
– Financial Reporting
• Rank 1-3 (1=Low, 2=Medium, 3=High)
• Explain rankings for each
• What Ratios could be helpful in assessing risk?


AUDIT PLANNING PROCESS

Elements of Preliminary Work
1. Define Objectives
a. Define Business Objectives for Area Under Review (verified in Interviewing)
b. Define Business Risks to Meeting Those Objectives (verified in Interviewing)
c. Define Preliminary Audit Objectives (Risk-Based)
2. Define Scope (Sufficient)
3. Knowledge Gathering (Readily Available)
4. Authoritative Research
5. Interview Management (Who/What/Why/When) – Covered Later in Course
6. Identify Internal Controls (Key vs. Non-Key) – Covered Later in Course
7. Walkthroughs/Narratives/Documentation
8. Assess Key Control Design
9. Resource Allocation (Appropriate)
10. What Else Can we Provide?

1. Define Preliminary Audit Objectives
• General idea (initial perspective) as to what we should be auditing and why we are auditing it
• Define Preliminary Audit Objectives
– Why are you performing this audit?
– What is the point of this audit?
– What are the expected outcomes?
– What are the expected benefits?

NOTE: Audit Objectives cannot be developed without understanding the (a) business objectives and (b) risks to those objectives!


Audit Engagement – Planning Objectives = SMART
• Specific
• Measurable
• Achievable
• Results-Orientated
• Time-Based

Define Audit Objectives – Common Pitfalls
• Objectives are not SMART!
• Too General to Try to Cover Everything
• Too Specific – Limits Possible Scope
• Do Not Make Sense to Auditee

CASE STUDY


Case Study - Payroll
• Identify business objectives for case study
• Identify key risks that could impede the company from meeting those objectives
• Identify preliminary audit objectives (refined after planning is complete)

2. Define Scope
• What are we auditing?
• What period?
• What depth?
• What area?

3. KNOWLEDGE GATHERING


3. Knowledge Gathering
• Narratives
• Policies & Procedures
• Organizational Chart
• Intranet
• Previous Audit Reports
• Organizational Files, etc.

DISCUSSION

Utilizing Public Information
• Should you Google the names of key auditees during planning?
• What if the key auditee has a bankruptcy?
– Would you want to know?
– Does it matter?


4. Authoritative Research
• Audit Director’s Roundtable
• Knowledgeleader.com
• www.aicpa.org
• www.auditnet.org
• www.theiia.org
• www.isaca.org
• www.acuia.org
• www.sec.org
• Peer Groups

6. Internal Controls
• Controls are relevant for any type of audit and any process
• All controls should be identified (not necessarily by internal audit) and key controls (defined later in section) should be identified
• Throughout the process, review for:
– Controls that make sense
– Controls that are efficient
– Are there better ways to do things?

Control Assertions
• Validity - Ensure that recorded transactions are the ones that should have been recorded.
• Completeness - Ensure that valid transactions are not omitted entirely from the accounting records.
• Authorization - Ensure that transactions are approved before they are recorded.
• Accuracy - Ensure that dollar amounts are figured correctly.
• Classification - Ensure that transactions are recorded in the right accounts.
• Accounting and Posting - Ensure that the accounting process for a transaction is completely performed and in conformity with GAAP.
• Proper period - Ensure that transactions are accounted for in the period in which they occur.


Control Specifics
Each control should describe the actions taken by management to mitigate the related risk, including:
• WHO (or what system) performs the control activity
• WHAT is used to perform the activity (reports/systems)
• WHEN (how often/relational timing) the activity is performed
• WHERE the activity is performed, if relevant to mitigating the risk
• WHY the activity is performed
• HOW (specific action) the activity is performed

Controls are Either:
• Preventive Control - Designed to prevent or deter the risk event from occurring
• Detective/Corrective Control - Designed to discover and/or correct the risk event that has already occurred. Detective controls must occur on a timely basis (before the event has had an unacceptably negative impact) to be considered effective

Control Types
• Control: Activity conducted by management to mitigate risks to an acceptable level and increase the likelihood that objectives will be achieved
• Key Control: Strongest control designed to mitigate a risk; usually addresses three control assertions or more
• Compensating Control: Control designed to supplement key controls that are either ineffective or cannot fully mitigate the risk themselves to an acceptable level.
• Complementary Control: Control that must be combined with one or more other controls to mitigate the risk to an acceptable level
• Monitoring Control: Control that provides management timely and accurate feedback on compliance and effectiveness of other controls; must have a strong level of precision


CASE STUDY

Case Study - Payroll
• Identify three key controls in the case study
• Explain why these controls are key

7. Walkthroughs/Narratives/Documentation
Walkthrough - Procedure used during an audit of a process to gauge its reliability
• Walkthrough tests trace the transaction step-by-step through the process from its inception to the final disposition/recording

Other Benefits:
• Validate Documentation
• Reliability of Information
• Get to know and understand personnel
• Verify control design effectiveness


Walkthrough Questions
• Use Open-Ended questions
• Get them talking about their job and what they do
• It is not the first question, it is usually the next question
– Interfaces
– Reports
– When discussing controls, make sure to ask if the control:
• Is in the system?
• If it is manual, could it be done in the system?
– Include SME with Process Owner in interviews?

8. Assess Key Control Design
• Determine whether each key control is designed adequately to mitigate the associated risk(s)
• Primary focus of testing - Determine whether the key controls are designed adequately to provide reasonable assurance that the risks are adequately mitigated
• When assessing control design, focus on:
– Alignment between controls and the business and audit risks identified
– Whether controls satisfy the information processing objectives (Completeness, Accuracy, Validity, Restricted Access) and relevant financial statement assertions
– Knowledge and experience of the people involved in performing the controls
– Segregation of duties relevant to the process being controlled

10. What Else Can We Provide?
• Always ask the auditee “how else can we help you?” (last question)
– Shows trust
– Builds confidence
– We are not on the other team
– We want to help
– We are consultants, not auditors


UPDATED ENGAGEMENT-LEVEL RISK ASSESSMENT (RESIDUAL RISK)

Updating the Risk Hypothesis
• No steadfast template…but be consistent!
• Numerical Ratings or H/M/L
• Show Starting Point (prior to planning), Planning and End Point (prior to fieldwork) – walk auditee through the logic

Residual Risk
• Residual Risk: The risk that remains after controls are taken into account (the net risk or risk after controls)
• Commonly known as Risk (generalized)


CASE STUDY

Case Study - Payroll
•  Update the Inherent Risk Rating based on the additional information that has been uncovered during planning
   –  People Rating: Based on the experience and know-how of the personnel, will this increase or decrease the current inherent risk rating?
   –  Process/Control Design Rating: Based on the design of the controls (see Planning) and the risks the controls should mitigate, rank the risk

BUILDING AN EFFECTIVE AUDIT WORKPROGRAM


Discussion – What Should be in a Workprogram?

Workprogram Contents
•  Basic criteria for audit programs include:
   –  Carefully stated objectives, agreed to by the client.
   –  Programs should be tailor-made to the audit assignment.
   –  Each step of the program should include the reason for the step.
   –  Step priority should be indicated.
   –  Programs should be flexible and permit use of initiative and judgment.
   –  Audit work requested by the client should be identified.
•  One of the objectives of the audit is to ensure that the client is effectively managing risks. During the audit, the auditor should maintain a record of the accomplishment of this element of the audit.

Writing Workprograms – Leading Practices
•  Tailor the program to fit the specific audit as to the type of organization, personnel involved, systems and procedures in effect, degree of sophistication, etc.
•  Each work program step should clearly set forth the work to be completed and the reason (objective) for performing
   –  Each audit team member must fully understand and comprehend why each audit step is being completed (e.g. succession planning)
   –  Minimizes the inclusion of possible unnecessary work steps.
   –  Efficient and effective review of audit work papers
•  Program should be flexible and permit application of initiative in deviating from prescribed procedures
•  Provide for the development of individual findings:
   –  Performance is analyzed and reported
   –  Evidence to support conclusions
   –  Evaluate performance and evidence in comparison with relevant standards


STEPS TO BUILDING AN EFFECTIVE AUDIT WORKPROGRAM

Steps to Building an Effective Audit Workprogram

1.  Identify Specific Audit Risks
2.  Define Audit Scope
3.  Define Audit Objectives
4.  Define Audit Criteria
5.  Define Overall Steps to Testing Objectives
6.  Define Specific Work Sub-Steps for Each Overall Step
7.  Verify Specific Audit Risks are covered through Work Steps

Define Audit Criteria
•  Make all Audit Objectives Measurable!
•  Efficiency and effectiveness are defined as:
   –  Key Performance Indicators that will be defined by Management and the business and measured against
   –  Leading industry practices
   –  Balance of controls and efficiency
•  Tools and materials are defined as:
   –  Guidance on current role and responsibilities
   –  Access, both physical and logical
   –  Role of hiring manager in process
•  Messaging is defined as:
   –  Documents/Presentations that highlight the strengths of the organization
   –  Documents/Presentations that outline the benefits of working at the organization
   –  Analysis of role and key stakeholders each new employee should meet and be introduced to


CASE STUDY

Case Study - Payroll
•  For the audit objectives previously identified in Exercise #2, identify any audit criteria (if necessary)


Keys to Building an Effective Workprogram
•  Remember – testing should correlate to risk
   –  Higher Risk: need more/reliable evidence
   –  Lesser Risk: do we test at all? Can we just walkthrough?
•  Writing for ANY PRUDENT AUDITOR
•  Need lots of detail but cannot eliminate (nor do you want to) professional judgment.

Do Not Forget!
•  How will testing be performed?
•  How will samples be selected?
•  What is the source(s) of information?
•  What types of information are needed?
•  Must evaluate sufficiency, reliability, relevance?
•  How will the objectives be tested?
•  How reliable does the testing method need to be?
•  Can we integrate other audits?
   –  IT General Controls/Application Controls
   –  Fraud Risk Assessment/Red Flags

Determining Sampling Sizes
•  Identify your population first
•  Base sample size on risk
•  Consider transaction frequency
•  Establish a sampling technique/process/policy
•  Consider the number of exceptions you expect to find (more exceptions = more samples) – set your error rate
•  Ask your external auditor


Evidence Requirements
•  Sufficient – Measure of the quantity of the evidence; enough information should be collected and evaluated that a reasonably informed, unbiased person would agree with the auditor’s conclusions.
•  Reliable – Measure of the reliability and adequacy of the source of the evidence and of the method by which it was obtained; generally, information received from an independent third party is more reliable; evidence is more reliable where it is gained through direct physical examination, observation and inspection, and where it is received in documentary form rather than verbally. The reliability of information increases where it is received from several sources.
•  Adequate – Measure of the adequacy of the evidence. Audit evidence may be physical, testimonial, documentary and analytical.

Types of Audit Tests
•  Design only (no control testing)
•  Interviews only (must corroborate)
•  Procedural review (not representative)
•  IT testing (analyze files, screens, procedures, logs, and audit trails)
•  Tests of controls
•  Substantive tests
•  CAATs

CASE STUDY


Write the Workprogram
•  For the controls identified as key in Exercise 3, write the workprogram steps necessary in order to test each.

Build Workprogram Steps - Example
•  Audit Objective - Employees are not provided applicable tools and materials to begin tenures successfully
•  Audit Criteria - Tools and materials are defined as:
   –  Guidance on current role and responsibilities
   –  Access, both physical and logical
   –  Role of hiring manager in process

Workprogram Steps - Example
Based on the IA Sampling Policy, select a sample of 30 new hires during calendar year 2013:
1.  Verify Human Resources coordinates with the hiring manager and applicable department to obtain the new employee’s role guidance summary and presentation of detail of job description (this is verified through the new employee coordination checklist).
2.  Obtain the new employee building access form and verify it has been completed by the hiring manager and approved by facilities at least three days prior to start date
3.  Obtain the new employee equipment forms and verify they have been completed by the hiring manager and approved by IT and Facilities in regards to office equipment, smart phone and laptop
4.  Obtain the new employee system access forms and verify they have been completed by the hiring manager and approved by IT Security at least five days prior to start date


FRAUD AUDITING

The Definition of Fraud “… any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.”

Fraud Auditing Overview
•  Audits are not designed to detect fraud
   –  Goal: Determine whether the financial statement is free from material misstatements.
•  Auditors test only a small fraction of transactions
•  Auditors must:
   –  Be aware of the potential of fraud
   –  Discuss how fraud could occur
   –  Delve into suspicious observations and report them


Fraud Quiz
1.  What % of its revenue does the typical organization lose to fraud each year?
2.  How many months does a fraud usually last before being reported?
3.  What is the most common type of occupational fraud?
4.  Three industries most commonly victimized by fraud are:
5.  How many prior offenses have occupational fraudsters often committed?
6.  Do the higher fraud losses tend to be committed by fraudsters with low or high tenure with an organization?
7.  What departments do most fraudsters work in?

Fraud Quiz Answers
1.  Answer – 5%
2.  Answer – 18 months
3.  Answer – asset misappropriation
4.  Answer – banking & financial services, government & public administration, and manufacturing
5.  Answer – None! Most are first offenders with clean histories
6.  Answer – the higher fraud losses (median of $229,000) are committed by fraudsters with more than 10 years of tenure. Those in their first year on the job committed a median of $25,000
7.  Answer – accounting, operations, sales, executive/upper mgmt., customer service, and purchasing

The Fraud Triangle
Opportunity
•  Must gain access to assets/records
•  Can be controlled/prevented by organization

Rationalization
•  Follow through and commit the fraud
•  Can be controlled/prevented by organization

Pressure
•  The more incentive, the easier it is to justify
•  Financial or personal problems, financial pressure, mental instability


How is Fraud Discovered?

Detection of Fraud Schemes


Factors Contributing to Fraud

Contributing Factor              Percentage
Poor Controls                    59%
Management Override              36%
High Risk Industry               34%
Third Party Collusion            33%
No Ethics Policy                 7%
No Board of Directors Control    6%
Other                            2%

Truth – White Collar Criminal
•  Older (30+ years)
•  55% male, 45% female
•  An appearance of a stable family situation
•  Above average (postgraduate) education.
•  Less likely to have a criminal record.
•  Good psychological health.
•  Position of trust.
•  Detailed knowledge of accounting systems and their weaknesses.
•  Prior accounting experience.

Categories of Fraud Risk
•  Misappropriation of Assets
   –  involves the theft or misuse of an organization’s assets. (Common examples include skimming revenues, stealing inventory, and payroll fraud.)
•  Corruption
   –  fraudsters wrongfully use their influence in a business transaction in order to procure some benefit for themselves or another person, contrary to their duty to their employer or the rights of another. (Common examples include accepting kickbacks and engaging in conflicts of interest.)
•  Fraudulent Financial Statements
   –  falsification of an organization’s financial statements. (Common examples include overstating revenues and understating liabilities or expenses.)


FRAUD RED FLAGS

Red Flags Are Indicators, Not Proof
•  Living beyond means (36%)
•  Financial difficulties (27%)
•  Close association with vendors/customers (19%)
•  Poor internal controls (18%)
•  Employee morale changes
•  Employee turnover
•  Pressure to meet targets
•  Management infighting
•  Addiction problems

Employee Red Flags
•  Significant change in lifestyle, such as new wealth
•  Financial difficulties may create need
   –  Gambling or drug addiction
   –  Infidelity is an expensive habit
•  Criminal background
•  Chronic legal problems
•  Dishonest behavior in other parts of life
•  Beat the system
   –  Break rules commonly
•  Chronic dissatisfaction with job


Organizational Red Flags

•  Lack of communication of expectations

•  Too much trust in key employees

•  Lack of proper authorization procedures

•  Lack of attention to detail

•  Changes in organizational structure

•  Tendency towards crisis management

Financial Document Red Flags

•  Missing/Altered documents

•  Excessive number of voided documents

•  Documents not numerically controlled

•  Questionable handwriting or authorization

•  Numerous duplicate payments

•  Unusual billing addresses

•  Address of employee same as vendor

•  Duplicate or photocopied invoices

•  Invoices not folded for envelope
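A CAAT-style screen for three of the document red flags listed above (numerous duplicate payments, an employee address matching a vendor address, and documents not numerically controlled), as an added Python example that is not part of the GoldSRD deck; the employee, vendor and payment records are constructed, and every hit is an indicator to follow up, not proof.

```python
import re
from collections import Counter, defaultdict

# Constructed sample data (not real employees, vendors or payments).
EMPLOYEES = [
    {"employee_id": "E100", "address": "42 Elm St., Apt 3"},
    {"employee_id": "E101", "address": "9 Oak Ave"},
]
VENDORS = [
    {"vendor_id": "V2001", "name": "Acme Supplies", "address": "1 Industrial Way"},
    {"vendor_id": "V2002", "name": "Elm Consulting", "address": "42 ELM ST APT 3"},
]
PAYMENTS = [
    {"check_no": 5001, "vendor_id": "V2001", "invoice": "INV-77", "amount": 1250.00},
    {"check_no": 5002, "vendor_id": "V2002", "invoice": "C-14", "amount": 9800.00},
    {"check_no": 5003, "vendor_id": "V2001", "invoice": "INV-77", "amount": 1250.00},
    {"check_no": 5005, "vendor_id": "V2001", "invoice": "INV-78", "amount": 300.00},
    {"check_no": 5005, "vendor_id": "V2002", "invoice": "C-15", "amount": 9800.00},
]


def normalize_address(addr):
    """Fold case, punctuation and spacing so '42 Elm St., Apt 3' and
    '42 ELM ST APT 3' compare equal."""
    return re.sub(r"[^a-z0-9]+", " ", addr.lower()).strip()


def duplicate_payments(payments):
    """Red flag: numerous duplicate payments.  Same vendor, invoice and amount
    paid more than once; returns {(vendor_id, invoice, amount): [check_nos]}."""
    seen = defaultdict(list)
    for p in payments:
        seen[(p["vendor_id"], p["invoice"], p["amount"])].append(p["check_no"])
    return {key: checks for key, checks in seen.items() if len(checks) > 1}


def employee_vendor_address_matches(employees, vendors):
    """Red flag: address of employee same as vendor.  Returns
    [(employee_id, vendor_id)] pairs for the auditor to follow up."""
    by_addr = defaultdict(list)
    for v in vendors:
        by_addr[normalize_address(v["address"])].append(v["vendor_id"])
    return [(e["employee_id"], vid)
            for e in employees
            for vid in by_addr.get(normalize_address(e["address"]), [])]


def sequence_gaps(payments):
    """Red flag: documents not numerically controlled.  Returns the missing
    and the duplicated check numbers within the register's range."""
    nums = sorted(p["check_no"] for p in payments)
    counts = Counter(nums)
    missing = [n for n in range(nums[0], nums[-1] + 1) if n not in counts]
    duplicated = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicated


def screen(payments=PAYMENTS, employees=EMPLOYEES, vendors=VENDORS):
    """Run all three screens; each hit is an indicator to investigate, not proof."""
    missing, duplicated = sequence_gaps(payments)
    return {
        "duplicate_payments": duplicate_payments(payments),
        "employee_vendor_address": employee_vendor_address_matches(employees, vendors),
        "missing_check_numbers": missing,
        "duplicated_check_numbers": duplicated,
    }


if __name__ == "__main__":
    for flag, hits in screen().items():
        print(f"{flag}: {hits}")
```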

Accountability and Control Red Flags

•  Lack of segregation of duties

•  Lack of physical security and/or key control

•  Weak links in chain of controls and accountability

•  Missing independent checks on performance

•  Weak management style

•  Poor system design

•  Inadequate training


How to Minimize Fraud Risk
•  Adhere to policies/procedures (especially documentation and authorization)
•  Identify and understand key controls and fraud areas
•  Ensure physical security over assets
•  Provide proper training to employees
•  Independently review and monitor tasks
•  Review segregation of duties
•  Ensure clear lines of authority

How to Minimize Fraud Risk
•  Rotate duties in positions susceptible to fraud
•  Ensure employees take regular vacations
•  Schedule regular independent audits of areas susceptible to fraud
•  Ensure background checks including criminal and credit for all employees
•  Make sure internal controls are followed
•  Ask for documentation
•  Ensure that one person does not have total responsibility for a process
•  Evaluate performance regularly
•  Report suspicious activity

CONTROLS OVERVIEW


What Do We Do on a Daily Basis that Involves Internal Control?
§  Lock-up valuable belongings
§  Keep copies of your tax returns and related support
§  Balance your checkbook
§  Keeping passwords unique and separate
§  Planning Ahead
§  Home and Car Insurance
§  Seat Belts
§  Physical Control of Credit Cards

What is the Risk of Weak Internal Controls?
Business Interruption
§  system breakdowns or catastrophes, excessive re-work to correct for errors.
Erroneous Management Decisions
§  based on erroneous, inadequate or misleading information.
Fraud, Embezzlement and Theft
§  by management, employees, customers, vendors, or the public-at-large.

What is the Risk of Weak Internal Controls?
Statutory Sanctions
§  penalties arising from failure to comply with regulatory requirements, as well as overt violations.
Excessive Costs/Deficient Revenues
§  expenses which could have been avoided, as well as loss of revenues.
Loss, Misuse or Destruction of Assets
§  unintentional loss of physical assets such as cash, inventory, and equipment.


What is the Benefit of Strong Internal Controls?
§  Providing appropriate checks and balances.
§  Reducing and preventing errors in a cost-effective manner.
§  Ensuring priority issues and risks are identified and addressed.
§  Protecting employees & resources.
§  Having more efficient audits, resulting in shorter timelines, less testing, and fewer demands on staff.

Controls Applicable to All
•  EXERCISE – Based on your view of internal controls, what controls apply to all processes regardless of type?

The foundation of our controls home!

ANSWER
•  Segregation of Duties
•  Physical and IT Access
•  Review and Reconciliation Controls (Management Oversight)
   –  Balance Sheet Reconciliations
   –  JE Reviews
•  Tiered Approvals
•  Pre-numbered documents
•  Policies and Procedures


Other Controls •  Code of Conduct •  Hotline •  Whistle-blower policy •  Conflict of interest policy •  Fiscal Policy

Update Considers Changes in Business and Operating Environments

Environment changes...
•  Expectations for governance oversight
•  Globalization of markets and operations
•  Changes and greater complexity in business
•  Complexities in laws, rules, regulations, and standards
•  Expectations for competencies and accountabilities
•  Use of, and reliance on, evolving technologies
•  Expectations relating to preventing and detecting fraud
…have driven Framework updates
•  COSO Cube (2013 Edition)

Update Articulates 17 Principles of Effective Internal Control

Control Environment (CE)
1.  Demonstrates commitment to integrity and ethical values
2.  Exercises oversight responsibility
3.  Establishes structure, authority and responsibility
4.  Demonstrates commitment to competence
5.  Enforces accountability

Risk Assessment (RA)
6.  Specifies suitable objectives
7.  Identifies and analyzes risk
8.  Assesses fraud risk
9.  Identifies and analyzes significant change

Control Activities (CA)
10.  Selects and develops control activities
11.  Selects and develops general controls over technology
12.  Deploys through policies and procedures

Information & Communication (IC)
13.  Uses relevant information
14.  Communicates internally
15.  Communicates externally

Monitoring Activities (MA)
16.  Conducts ongoing and/or separate evaluations
17.  Evaluates and communicates deficiencies


AUDIT SAMPLING

Reasons for Sampling
•  Efficiency
•  Standards permit sampling to obtain sufficient evidence to support assertions
•  Reasonable Assurance – not Absolute!

Statistics as an Audit Tool
•  Auditors use inferential statistics to draw conclusions about populations based on samples of data.
•  Why do auditors use samples? It is usually too costly and time-consuming to examine the entire “universe”


Three Instances When Not to Use Sampling

•  Total is auditable •  Inquiry/Observation •  Analytical Procedures – Trending – Ratios

STATISTICAL VS NON-STATISTICAL SAMPLING

Types of Sampling
•  Statistical – provides quantitative measure of sampling risk
•  Nonstatistical – does not provide quantitative measure of sampling risk

What does this mean?


Types of Sampling (cont.)
•  When using nonstatistical sampling, errors or issues identified cannot be quantified over the population as there is no strategy to the sampling
   –  Reliability
   –  Replacing issues/errors/omissions
   –  Bias in sampling

Advantages of Statistical Sampling
•  Objective and defendable – Not subject to bias
•  Estimate of degree of risk that sample may not be representative of entire population
•  Results are quantifiable
•  Stat sampling can be more accurate than review of population (volume and tediousness of review can lead to errors of omission or fact)
•  Can save time and money

SELECTION METHODOLOGIES


Selection Methodologies
•  REMEMBER: Valid statistical references can only be made when each sampling unit has an equal probability of being selected -> Truly Random Technique
   –  Simple Random Sampling
   –  Stratified Random Sampling
   –  Systematic Sampling

Simple Random Sampling
•  All units in a population have an equal chance of being selected.
•  Example – Texas Lottery

Stratified Random Sampling
•  Stratification is the process of grouping members of the population into relatively homogeneous subgroups before sampling. The strata should be mutually exclusive: every element in the population must be assigned to only one stratum.
•  Proportionate allocation uses a sampling fraction in each of the strata that is proportional to that of the total population. If the population consists of 60% in the male stratum and 40% in the female stratum, then the relative size of the two samples (three males, two females) should reflect this proportion.
•  Divide population into groups (Select from all disbursements less than $50,000 and test all disbursements > $50,000)


Systematic Sampling
•  Choosing every Xth disbursement in order of disbursement (check number)
•  Systematic sampling is a statistical method involving the selection of elements from an ordered sampling frame.
•  The most common form of systematic sampling is an equal-probability method, in which every kth element in the frame is selected, where k, the sampling interval (sometimes known as the skip), is calculated as:
   –  k = N / n
   –  n is the sample size, and N is the population size.
•  Forces us to ensure a pattern is not hidden
•  Population must also be homogeneous

Nonstat Sampling Methodologies
•  Haphazard Selection – selection without intentional bias
•  Judgmental Selection – attempt to select an unbiased sample by specifically selecting large items and a selection of smaller items
•  Block Selection – selection of adjoining transactions (invoices 1-1000 or all payments in May)
•  Cluster Selection – attributes similar, geographic location

Don’t Forget! Consideration of:
•  Voids – replace – Not a valid selection
•  Missing – control not effective/ value of $0 – Why is it missing?
•  Debit/Credit – test separately? – Debit/Credits skew the ultimate results.
   –  For example, if we are testing accounts receivable balances and we come across a credit and attempted to quantify the error, this could be significant.
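The three truly random selection techniques from the Selection Methodologies slides (simple random, stratified with the $50,000 two-stratum design and proportionate allocation, and systematic with k = N/n), together with the void-replacement rule from the Don’t Forget! slide, as an added Python example that is not part of the GoldSRD deck; the disbursement register, its check numbers, amounts and the seed are constructed, while the threshold and the k = N/n interval come from the slides.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Disbursement:
    check_no: int
    amount: float
    voided: bool = False


def build_register(size=200):
    """Constructed population (not real data): sequential check numbers, most
    amounts well under $50,000, every 40th check large, every 53rd check voided."""
    register = []
    for i in range(size):
        amount = 75_000.0 if i % 40 == 39 else 500.0 * (i % 17 + 1)
        register.append(Disbursement(1001 + i, amount, voided=(i % 53 == 52)))
    return register


def _rng(rng):
    # A fixed seed keeps the selections reproducible for the workpapers;
    # pass random.SystemRandom() if reproducibility is not wanted.
    return rng if rng is not None else random.Random(2015)


def simple_random_sample(population, n, rng=None):
    """Simple random sampling: every unit has the same chance of selection
    (the lottery model on the slide)."""
    return _rng(rng).sample(population, n)


def systematic_sample(population, n, rng=None):
    """Systematic sampling: every kth unit in check-number order, k = N / n
    (the 'skip'), starting at a random offset inside the first interval.
    Valid only if no pattern in the frame repeats every k units."""
    ordered = sorted(population, key=lambda d: d.check_no)
    k = len(ordered) // n
    if k < 1:
        raise ValueError("sample size exceeds population size")
    start = _rng(rng).randrange(k)
    return [ordered[start + i * k] for i in range(n)]


def proportionate_allocation(strata_sizes, n):
    """Proportionate allocation across strata (60/40 -> 3/2 for n = 5), using
    largest remainders so the allocations always add up to n."""
    total = sum(strata_sizes.values())
    raw = {s: n * size / total for s, size in strata_sizes.items()}
    alloc = {s: int(v) for s, v in raw.items()}
    shortfall = n - sum(alloc.values())
    by_remainder = sorted(raw, key=lambda s: raw[s] - alloc[s], reverse=True)
    for s in by_remainder[:shortfall]:
        alloc[s] += 1
    return alloc


def stratified_sample(population, n_small, rng=None, threshold=50_000.0):
    """The slide's two-stratum design: test every disbursement above the
    threshold (a 100% stratum) and random-sample n_small from the rest."""
    large = [d for d in population if d.amount > threshold]
    small = [d for d in population if d.amount <= threshold]
    return large, _rng(rng).sample(small, n_small)


def replace_voids(sample, population, rng=None):
    """'Voids - replace - not a valid selection': swap each voided check for a
    random non-void unit not already selected, keeping the sample size."""
    kept = [d for d in sample if not d.voided]
    already = set(sample)
    pool = [d for d in population if not d.voided and d not in already]
    return kept + _rng(rng).sample(pool, len(sample) - len(kept))


if __name__ == "__main__":
    register = build_register()
    large, small = stratified_sample(register, 25)
    print(f"100% stratum: {len(large)} checks > $50,000; sampled {len(small)} below")
    picks = replace_voids(systematic_sample(register, 20), register)
    print("systematic selection:", [d.check_no for d in picks])
```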


Population Selection Methodology
•  Population is numbered or listed in a register – Random
•  Random number is too burdensome and there is no pattern in the population and items missing can be identified – Intervals/Systematic
•  Significant variation in the population and more reliability would be achieved by breaking the population into similar groups – Stratification
•  Population is geographically dispersed and making random selections from the population would be burdensome - Cluster

FIELDWORK

Fieldwork

What is Audit Documentation?
•  Principal written record
•  Performed in compliance with applicable standards
•  Provide a clear link between significant matters
•  Contain sufficient information and detail
•  Clear understanding of:
   –  The purpose of the work;
   –  The work performed;
   –  The source of the information analyzed and supporting evidential matter obtained, examined, and evaluated; and
   –  The nature, timing, and extent of the auditing procedures planned;
   –  The conclusions reached.


Purpose of Audit Documentation
•  Assisting auditors to plan and perform the audit;
•  Assisting those responsible to direct, supervise, and review the work performed;
•  Providing and demonstrating stand alone documentation on the accountability of those performing the work (i.e., compliance with applicable standards);
•  Assisting quality-control reviewers to understand and assess how the engagement team reached and supported significant conclusions;
•  Enabling internal and external inspection teams and peer reviewers to assess compliance with professional, legal, and regulatory standards and requirements; and
•  Assisting successor auditors.

What Does Audit Documentation Include?
•  Audit documentation and workpapers can be stored in any medium and include a variety of documents, including the following:
   –  Audit programs and other planning documents;
   –  Analyses;
   –  Memoranda;
   –  Confirmations;
   –  Representation letters (if relevant);
   –  Extracts of important documents;
   –  Significant correspondence;
   –  Details of tests performed and documents examined; and
   –  Includes significant emails

WHY is working paper quality so important?
•  Working papers are the basis for our conclusions – they must stand on their own and be understandable by external parties who review them.
•  Execution project management – Quality documentation enables us to effectively supervise and review engagement execution.
•  Documentation provides evidence of compliance with IIA Standards and attention to professional standards.


Opening Remarks – Documentation Concepts
§  What are workpapers?
   –  Evidence of audit performance in all phases
   –  Documents that support:
      §  Audit findings & observations
   –  Exist in each phase of the audit process
§  Why do we have workpapers?
   –  Objective evidence for audit conclusions
      §  Used if issues arise after report published
   –  Required by professional standards
   –  Reference for other audit teams
   –  May be relied upon by external parties (DCAA, D&T)

Opening Remarks – Documentation Concepts
§  Workpaper documentation concepts
   –  Sufficient
      §  Support program steps & audit results
   –  Relevant
      §  Clear relationship to audit objectives & results
   –  Economical
      §  Include only what is essential
   –  Complete
      §  Support conclusions and findings
   –  Sensitivity
      §  Generally considered “attorney-client privilege”

AUDIT DOCUMENTATION GUIDANCE


IAPPF
•  2240 – Engagement Work Program
   –  Internal auditors must develop and document work programs that achieve the engagement objectives
•  2240.A1
   –  Work programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the engagement
   –  The work program must be approved prior to its implementation, and any adjustments approved promptly
•  2240.C1
   –  Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement

IAPPF
•  2310 – Identifying Information
   –  Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement’s objectives
•  2320 – Analysis and Evaluation
   –  Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations

Workpaper Overview
•  At a minimum, audit documentation should be sufficient to:
   –  Enable reviewers to understand the tests that were conducted, the results thereof, and the evidence accumulated.
   –  Indicate which members of the engagement team performed and reviewed the work.
   –  Show that the accounting records agree with or reconcile to the financial statements (or other information being reported upon).
•  In determining the type and extent of audit documentation for a particular audit area, the following factors should be taken into account:
   –  The risk of material misstatement.
   –  The degree of judgment involved in performing the work and in evaluating the results.
   –  The significance of the evidence in relation to the assertions being tested.
   –  The nature and extent of exceptions found.
   –  Documentation should include identification of items examined in substantive tests of details and of items reviewed to determine the operating effectiveness of internal controls.


Workpaper Overview
•  Significant findings or issues should be documented, as should actions taken to address them and the final conclusions reached. Significant findings and issues generally include:
  –  Matters involving the selection, application, and consistency of accounting principles.
  –  Results of procedures performed indicating that the financial statements could be materially misleading or a need to revise a previous assessment of the risk of material misstatement.
  –  Circumstances causing difficulty in applying auditing procedures.
  –  Findings that could result in a modification to the auditor's standard report.

Audit Documentation – Common Errors
•  Constructing workpapers that sufficiently evidence work performed in an efficient and effective fashion requires judgment, skill, and experience. It is a task that many auditors find to be among the most difficult in performing an audit. Reviewers often note that workpapers are simply incomplete, unreadable, unintelligible, or unwisely constructed. Other more subtle deficiencies, such as the following, have also been noted:
  –  Narratives of discussions, meetings, and so forth, have no clear indication as to the relevance to the audit.
  –  The auditor has failed to properly cross-reference copies of evidential matter to narratives, lead sheets, or tables summarizing sample results.
  –  Comparative analyses do not provide complete comparisons or analyses.
  –  Written conclusions are not supported by, or referenced to, evidence.
  –  Copies of memoranda, invoices, purchase orders, and other forms of evidence have no reference or commentary as to why they are present.
  –  Copies of computerized reports (in whole or in part) have no indication as to why they are present.
  –  Copies of flowcharts, procedural narratives, and policy statements do not clearly relate to the audit objective.

DOCUMENTING AN AUDIT TEST


Testing
•  The procedure of testing is a methodology that is a major part of the previously described process of verifying. It is simply the determination of:
  –  Validity
  –  Accuracy
  –  Compliance
  –  Competence of controls

Audit Test Documentation
•  For each test performed, the following detail MUST be included:
  –  Control objective
  –  Clearly documented testing attributes
  –  Sample size, why the sample is appropriate, sampling methodology, population and source
  –  If exceptions are identified, what the impact is and how it is addressed (i.e., extended testing sample, isolated error and why, etc.)
  –  Testing results and conclusion
  –  Support documentation to be retained to allow re-performance by external auditors, where applicable
  –  Photocopy support and make binders available on the first day of fieldwork

Audit Testing
•  Should describe identifying characteristics of the specific items tested (sufficient to enable reperformance of the test for the same items), such as the source or population and the selection criteria. For example:
  –  For an audit sample selected from a population of checks, the specific check numbers of the items included in both the population and the sample; or
  –  For a test of all items over a specific amount from a given population, the scope and the population, such as “all journal entries over $50,000 in the general ledger for the year”; or
  –  For procedures that involve inquiries, the name and job description of persons interviewed, the date and content of the inquiries, and the responses received.
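The reperformance requirement above can be built into the sampling step itself. The following Python is an added example, not material from the training deck: it records a fingerprint of the population, the selection method, the random seed and the exact check numbers selected, so a reviewer or an external auditor can regenerate the same sample from the same register. The check register, the seed and all function names are constructed for the example.

```python
"""Reperformable sample selection for an audit test (added example).

Assumptions (not from the deck): the population is a list of
(check_number, amount) tuples exported from a check register, and the
sampling record is what gets filed in the workpaper.
"""
import hashlib
import json
import random

# Constructed check register: (check number, amount in dollars)
CHECK_POPULATION = [
    ("10001", 1200.00), ("10002", 52000.00), ("10003", 860.50),
    ("10004", 75000.00), ("10005", 310.00), ("10006", 4999.99),
    ("10007", 51000.00), ("10008", 15.25), ("10009", 2300.00),
    ("10010", 99000.00),
]


def population_fingerprint(population):
    """SHA-256 over the sorted population, so the workpaper ties the
    selection to one specific extract of the register."""
    canonical = json.dumps(sorted(population), separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def select_random_sample(population, sample_size, seed):
    """Seeded random selection: same population + same seed -> same check numbers."""
    rng = random.Random(seed)
    chosen = rng.sample(population, sample_size)
    return sorted(num for num, _ in chosen)


def select_all_over(population, threshold):
    """Scope-based selection: every check over a stated amount."""
    return sorted(num for num, amt in population if amt > threshold)


def build_sampling_record(population, method, seed=None, sample_size=None, threshold=None):
    """Assemble the documentation a reviewer needs to re-perform the selection."""
    if method == "random":
        items = select_random_sample(population, sample_size, seed)
        rationale = f"random sample of {sample_size} from {len(population)} checks, seed {seed}"
    elif method == "all_over":
        items = select_all_over(population, threshold)
        rationale = f"all checks over ${threshold:,.2f} ({len(items)} of {len(population)})"
    else:
        raise ValueError(f"unknown sampling method: {method}")
    return {
        "source": "check register extract (constructed example data)",
        "population_size": len(population),
        "population_sha256": population_fingerprint(population),
        "method": method,
        "rationale": rationale,
        "selected_check_numbers": items,
    }


if __name__ == "__main__":
    print(json.dumps(build_sampling_record(CHECK_POPULATION, "random", seed=2015, sample_size=3), indent=2))
    print(json.dumps(build_sampling_record(CHECK_POPULATION, "all_over", threshold=50000), indent=2))
```

The fingerprint matters as much as the seed: if the register is re-extracted later with different rows, the reviewer can see immediately that the population differs rather than wondering why the regenerated sample does not match.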


Other Workpaper Considerations
•  Due to the significant variety of internal audit engagements and related workpapers, assessing the adequacy of audit documentation often can be difficult. The specific audit procedures performed can result in different documentation requirements.
  –  For example, if the engagement involves a review of sensitive payroll information, the auditor likely would not be able to retain example information and instead would have to create a detailed memo explaining the procedures performed.
•  The amount of auditor judgment used to determine any observations also will impact documentation requirements. Any assumptions, inferences, or other uses of judgment will need to be documented clearly and reviewed by appropriate levels of internal audit management.

Other Workpaper Considerations
•  Finally, the quantity and severity of exceptions noted will require varying degrees of audit documentation. If there are no exceptions, one thorough walk-through example of procedures performed likely would suffice. However, if multiple significant exceptions are noted, internal auditors likely would need to obtain all related source documentation and provide detailed explanations for each exception.
  –  Keeping these considerations in mind, internal auditors always should try to adhere to any standard in-house workpaper styles and templates. They also should exercise caution when relying on prior-year workpapers, as the documentation may not meet current quality standards. Careful consideration of key audit workpaper characteristics and essential elements will improve the quality of audit documentation and reflect on the audit project itself.

Pet Peeves
•  Do not just N/A a workprogram step; detail exactly why it is N/A.
•  Do not just “DONE” a review note; explain how this note was cleared.
•  Self-review all work, regardless of the time it takes. This includes every review step the supervisor would do.
•  PFW (Pass Further Review) – use sparingly or never; are you complete or is this more of a short cut?
•  Know what your supervisor is looking for – understand the expectations up front.


Four Essential Workpaper Characteristics
•  COMPLETENESS
  –  Each workpaper should be completely self-standing and self-explanatory.
  –  If a workpaper is separated from the engagement file, readers should be able to ascertain the purpose, work performed, and results based solely on information included on that single workpaper. Because internal and external parties reviewing audit documentation may only select a sample of files, all individual documents must provide adequate evidence of the work performed.
  –  One key to achieving complete workpapers is to prepare audit documentation timely.
•  ACCURACY
  –  High-quality workpapers include statements and computations that are accurate and technically correct.
  –  Errors included in final workpapers certainly will shed doubt on the procedures performed and results noted from an internal or external review perspective.
  –  Use defined tick marks and cross-reference computation data to source documentation. Auditors should also clearly differentiate statements based on facts from those based on inquiry or matters of judgment.

Four Essential Workpaper Characteristics
•  ORGANIZATION
  –  Workpapers should have a logical system of numbering and a reader-friendly layout so a technically competent person unfamiliar with the project could understand the purpose, procedures performed, and results.
  –  Workpapers should be arranged logically and cross-referenced from source documentation to test grids and audit work steps.
  –  The cross-referencing should extend to an issue summary that links to the audit report, thus clearly communicating the derivation of audit observations.
•  RELEVANCE & CONCISENESS
  –  Audit workpapers and items included on each workpaper should be relevant to meeting the applicable audit objective.
  –  Writing concise notes and removing unnecessary pages of bulky policies will also help improve the efficiency of review and ultimately the quality of the documentation.

Audit Testing
•  What do we test against?
•  What type of tests for what type of reliability?
•  What are our criteria?
•  What are we attempting to accomplish?


Evidence Must Be:
•  Sufficient – Information is factual, adequate and convincing so that a prudent, informed person would reach the same conclusion as the auditor
•  Reliable – The best attainable information through the use of appropriate audit techniques
•  Relevant – Information supports audit findings and recommendations and is consistent with the objectives of the audit
•  Useful – Information helps the organization meet its goals

AUDIT EVIDENCE

TEST OF CONTROL

Audit Testing
•  For each test performed, the following detail MUST be included:
  –  Control activity
  –  Clearly documented testing procedures
  –  Sample size, why the sample is appropriate, sampling methodology, population and source
  –  If exceptions are identified, what the impact is and how it is addressed (i.e., extended testing sample, isolated error and why, etc.)
  –  Testing results and conclusion
  –  Support documentation to be retained to allow re-performance by external auditors, where applicable


Audit Testing
•  Should describe identifying attributes of the specific items tested (sufficient to enable reperformance of the test for the same items), such as the source or population and the selection criteria. For example:
  –  For an audit sample selected from a population of checks, the specific check numbers of the items included in both the population and the sample; or
  –  For a test of all items over a specific amount from a given population, the scope and the population, such as “all journal entries over $50,000 in the general ledger for the year”; or
  –  For procedures that involve inquiries, the name and job description of persons interviewed, the date and content of the inquiries, and the responses received

AUDIT WRAP-UP

Reporting Findings
•  Issues should be discussed with the auditee prior to inclusion in the report
•  Stick to the facts
•  Verify – no opinions
•  Level of finding – direct correlation to level of interest
•  Staff can write findings and Senior can develop and verify the recommendation, or Staff does it all.


Contents of a “Typical” Audit Report
•  Executive Summary
•  Observations
•  Appendices

Contents of a “Typical” Audit Report
•  Observations
  –  Criteria
  –  Condition
  –  Cause
  –  Effect
  –  Recommendations
  –  Action Plans

Watch Out Words
•  Think through some words that should not be used and make a list (at least five)


Watch Out Words
•  Emotional Triggers
  –  Adequate/Inadequate
  –  Fail
  –  Wrong
  –  Finding
  –  Opinion
  –  Fraud
•  Mysterious Terms
  –  Discovered
  –  Appeared
  –  Revealed
  –  Captured
•  Definitive Terms
  –  Absolutely
  –  Never
  –  Always
  –  Must
•  Ambiguous Terms
  –  Reasonable
  –  Should
•  First/Third Person
  –  Personally
  –  We/I/You

Audit Follow-Up
•  Responsibility to follow up and track issues
•  Time, method and depth are determined by the level of importance of the audit and finding
  –  Inquiry
  –  Re-audit
  –  Follow-up during next year

Effective Exit Conference
1.  Arrange a mutually convenient time, well in advance of fieldwork completion
2.  Provide advance information to permit study and formulation of response
3.  Provide a draft of the final report, if feasible (make sure to stamp this document “DRAFT”)
4.  Any significant issues identified should be discussed with the auditee real-time; the draft report should not contain any surprises
5.  Derive conclusions for each matter. The following categories indicate the variety of possible alternatives:
  –  Eliminate the finding.
  –  Perform further specific research or checking.
  –  Alter the language used in particular sections.
  –  Attempt to identify compensating controls that would mitigate the exposure and reduce the severity of the finding.
  –  OK as is
6.  Conduct the meeting as though it were for evidence-gathering purposes
7.  Thank everyone and avoid arguments, disagreements, or unpleasantness
8.  Listen and carefully observe reactions and responses
9.  Continually reassess findings and recommendations in light of the discussion


IT AUDITING BASICS

GENERAL COMPUTER CONTROLS

Information Security — Designing, implementing, and maintaining information security, including both physical and logical security over all access paths to programs and data. Assessing and prioritizing relevant security risks. Defining data owners, classifying data as to necessary security, and selecting and implementing security tools and techniques.

Control Objectives
•  Critical Areas
  –  Tools and techniques restrict access to programs, data, and other information resources
  –  Restricts access to programs and information
  –  Physical access restrictions are implemented and administered to restrict access to information
  –  All information resources are subject to appropriate physical and logical security
•  Value Add Areas
  –  Virus protection
  –  Software is used in accordance with licensing agreements and management’s authorization
  –  Information is protected against environmental hazards and related damage

Covers
•  Security policies
•  Security standards
•  Data ownership
•  Information security architecture
•  Security administration
•  Logical access
•  Security logging & monitoring
•  Physical access
•  Environmental


Access Controls
•  No matter what method is chosen to scope the review of application controls, the module’s or application’s logical access controls need to be reviewed periodically. The strategies employed to determine which logical access rights will be assigned to users vary from a need-to-know basis to a need-to-withhold basis. Regardless, the access rights should be granted based on the user’s job function and responsibilities.
•  When a review of an application’s logical access controls is performed, it is important to ensure that the general application security controls are reviewed as well, including:
  –  The length of the user name or user identification
  –  The password’s length
  –  Password character combinations
  –  Password aging (e.g., users must change their password every 90 days)
  –  Password rotation (e.g., users cannot use any of their last eight passwords)
  –  User account lockout after six unsuccessful login attempts
  –  Session timeout (e.g., the application automatically logs out a user if the user has not interacted with the application within 15 minutes)
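The review points listed above can be expressed as a baseline and checked mechanically against an exported configuration, which also documents the expected values in the workpaper. The following Python is an added example, not code from the deck or from any product: the 90-day aging, eight-password history, six-attempt lockout and 15-minute timeout come from the slide; the minimum user-ID and password lengths, the setting names and both sample configurations are assumptions constructed for the example.

```python
"""Baseline check of an application's general security settings (added example).

Setting names are assumed; a real review maps them to the product's own
parameters. The weak and compliant configurations are constructed data.
"""

# Review baseline: (setting, comparison, expected value, description)
# Aging, history, lockout and timeout follow the slide; the two length
# minimums are assumptions for the example.
BASELINE = [
    ("min_username_length",   ">=", 6,    "user ID length"),
    ("min_password_length",   ">=", 8,    "password length"),
    ("password_complexity",   "==", True, "character combinations enforced"),
    ("password_max_age_days", "<=", 90,   "password aging"),
    ("password_history",      ">=", 8,    "password rotation"),
    ("lockout_threshold",     "<=", 6,    "lockout after unsuccessful logins"),
    ("session_timeout_min",   "<=", 15,   "idle session timeout"),
]

# Settings where a value of 0 conventionally means "feature disabled",
# which must fail even though 0 <= limit is numerically true.
ZERO_MEANS_DISABLED = {"password_max_age_days", "lockout_threshold", "session_timeout_min"}


def _meets(actual, op, expected):
    if op == ">=":
        return actual >= expected
    if op == "<=":
        return actual <= expected
    if op == "==":
        return actual == expected
    raise ValueError(f"unsupported comparison: {op}")


def review_access_settings(config):
    """Return one exception string per setting outside the baseline.

    A setting that is absent from the export is itself an exception: the
    control cannot be evidenced from the configuration.
    """
    exceptions = []
    for key, op, expected, desc in BASELINE:
        if key not in config:
            exceptions.append(f"{key}: not configured ({desc})")
            continue
        actual = config[key]
        disabled = key in ZERO_MEANS_DISABLED and actual == 0
        if disabled or not _meets(actual, op, expected):
            exceptions.append(f"{key}: {actual!r} fails {op} {expected!r} ({desc})")
    return exceptions


# Constructed sample configurations: one weak, one within the baseline
WEAK_CONFIG = {
    "min_username_length": 3,
    "min_password_length": 6,
    "password_complexity": False,
    "password_max_age_days": 0,      # passwords never expire
    "password_history": 1,
    "lockout_threshold": 0,          # lockout disabled
    # session_timeout_min deliberately absent
}
COMPLIANT_CONFIG = {
    "min_username_length": 8,
    "min_password_length": 12,
    "password_complexity": True,
    "password_max_age_days": 90,
    "password_history": 10,
    "lockout_threshold": 5,
    "session_timeout_min": 15,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("compliant", COMPLIANT_CONFIG)):
        found = review_access_settings(cfg)
        print(f"{name}: {len(found)} exception(s)")
        for line in found:
            print("  ", line)
```

Treating 0 as "disabled" is the kind of edge the reviewer has to decide up front: a lockout threshold of 0 satisfies "at most six attempts" arithmetically while meaning no lockout at all, so the baseline must say which settings carry that convention.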

Information Systems Operations — Supervising and maintaining computer systems operations. Providing scheduled, monitored, and secure computer operations. Satisfying end-user requirements for computer processing support and problem resolution.

Control Objectives
•  Critical Areas
  –  Production runs that process batch and on-line transactions and prepare related reports are executed timely and completely
  –  Only valid production programs are executed
•  Value Add Areas
  –  Data is retained in accordance with laws, regulations, and company policy
  –  Computer processing environment service levels meet or exceed management’s expectations
  –  Users receive appropriate systems training in the use of application systems
  –  Users receive appropriate support to ensure that application systems function as intended

Covers
•  Job scheduling
•  Processing control
•  Output control
•  Problem logging, tracking & reporting
•  Problem escalation & resolution
•  Capacity planning
•  Performance monitoring
•  Facilities management
•  Help desk procedures
•  Backup & Recovery
•  Business Continuity/Disaster Recovery

Application Systems Implementation and Maintenance — Selecting or developing, implementing, and maintaining application systems.

Control Objectives
•  Critical Areas
  –  New application systems are implemented appropriately and function as expected
  –  When new application systems are implemented, existing data is appropriately converted
  –  All necessary modifications to existing application systems are implemented timely
  –  Modifications to existing systems are properly implemented and function as expected
•  Value Add Areas
  –  New application systems are acquired or developed as expected
  –  Application systems are maintainable and supportable

Covers
•  Project planning & management
•  Project prioritization
•  Project budgeting
•  Systems development methodologies
•  Design specifications
•  Programming standards
•  Programmer access
•  Modifications to purchased software
•  Testing
•  Change control
•  Program documentation
•  User documentation


Change Control
•  Types of changes:
  –  Program code changes, software updates, system patches, new software implementations
•  Change controls should include:
  –  Monitoring and logging of all changes
  –  Steps to detect unauthorized changes
  –  Confirmation of testing
  –  Authorization for moving changes to production
  –  Tracking movement of hardware and other infrastructure components
  –  Periodic review of logs
  –  Back-out plans
  –  User training
•  Specific procedures should be defined and followed for emergency changes
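Several of the controls listed above (logging of all changes, detection of unauthorized changes, confirmation of testing, authorization to move to production, and the separate emergency path) can be tested together by reconciling what actually reached production against the approved-change register. The following Python is an added example, not the deck's material or any change-management tool's code: the record layouts, ticket numbers, component names, timestamps and the approval window are all constructed assumptions.

```python
"""Reconcile a production deployment log against approved change tickets
(added example). All records below are constructed sample data.

Assumed shapes: a ticket carries the component and version it authorizes,
approval and test-confirmation flags, an emergency flag, and the approved
deployment window; a deployment record names what was deployed, by whom,
when, and the ticket it claims to implement (None if no ticket was cited).
"""
from datetime import datetime

# Constructed approved-change register
TICKETS = {
    "CHG-1001": {"component": "payroll-app", "version": "2.4.1", "approved": True,
                 "tested": True, "emergency": False,
                 "window_start": datetime(2015, 12, 5, 20, 0),
                 "window_end": datetime(2015, 12, 5, 23, 0)},
    "CHG-1002": {"component": "gl-batch", "version": "7.0.3", "approved": True,
                 "tested": False, "emergency": False,
                 "window_start": datetime(2015, 12, 6, 20, 0),
                 "window_end": datetime(2015, 12, 6, 23, 0)},
    "CHG-1003": {"component": "web-portal", "version": "1.9.0", "approved": True,
                 "tested": True, "emergency": True,
                 "window_start": datetime(2015, 12, 7, 9, 0),
                 "window_end": datetime(2015, 12, 7, 10, 0)},
}

# Constructed production deployment log (what actually reached production)
DEPLOYMENTS = [
    {"component": "payroll-app", "version": "2.4.1", "by": "deploy-svc",
     "at": datetime(2015, 12, 5, 21, 15), "ticket": "CHG-1001"},
    {"component": "gl-batch", "version": "7.0.3", "by": "deploy-svc",
     "at": datetime(2015, 12, 6, 23, 30), "ticket": "CHG-1002"},   # late, untested
    {"component": "web-portal", "version": "1.9.0", "by": "jdoe",
     "at": datetime(2015, 12, 7, 9, 30), "ticket": "CHG-1003"},    # emergency path
    {"component": "reporting", "version": "3.2.0", "by": "jdoe",
     "at": datetime(2015, 12, 8, 14, 5), "ticket": None},          # no ticket at all
    {"component": "payroll-app", "version": "2.4.2", "by": "deploy-svc",
     "at": datetime(2015, 12, 9, 2, 0), "ticket": "CHG-9999"},     # ticket does not exist
]


def reconcile_changes(deployments, tickets):
    """Return (flags, emergency_tickets).

    flags: (deployment index, reason) for every deployment that lacks an
    approved, tested ticket matching its component/version, or that was
    moved outside the approved window. emergency_tickets: tickets that went
    through the emergency procedure, listed so they get their own review.
    """
    flags, emergencies = [], []
    for i, d in enumerate(deployments):
        ticket = tickets.get(d["ticket"]) if d["ticket"] else None
        if ticket is None:
            flags.append((i, "no matching change ticket"))
            continue
        if (ticket["component"], ticket["version"]) != (d["component"], d["version"]):
            flags.append((i, "ticket does not match deployed component/version"))
        if not ticket["approved"]:
            flags.append((i, "ticket not approved"))
        if not ticket["tested"]:
            flags.append((i, "no confirmation of testing"))
        if not (ticket["window_start"] <= d["at"] <= ticket["window_end"]):
            flags.append((i, "deployed outside approved window"))
        if ticket["emergency"]:
            emergencies.append(d["ticket"])
    return flags, emergencies


if __name__ == "__main__":
    flags, emergencies = reconcile_changes(DEPLOYMENTS, TICKETS)
    for idx, reason in flags:
        d = DEPLOYMENTS[idx]
        print(f"EXCEPTION {d['component']} {d['version']} by {d['by']} at {d['at']}: {reason}")
    print("emergency changes for separate review:", emergencies)
```

The reconciliation is only as good as the deployment log's completeness, which is why "monitoring and logging of all changes" sits first in the list above: a change that bypasses the deployment tooling never appears in `DEPLOYMENTS` and has to be caught by comparing the running system to the expected state instead.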

Database Implementation and Support — Managing the data architecture and maintenance in terms of defining and maintaining the structure of master file data, transaction data, and organization data. Maintaining the database management system (or its equivalent).

Control Objectives
•  Critical Areas
  –  The data structure is appropriately implemented and functions consistent with management’s intentions
  –  All necessary modifications to the data structure are implemented timely and with proper approval (SDLC)
  –  Modifications to the data structure are appropriately implemented and the modified data structure functions consistent with management’s intentions

Topics Covered
•  Data architecture
•  Database implementation
•  Database administration & monitoring
•  Database maintenance & modifications

Network Support — Designing, installing and operating networks and communication software and protocols. This includes defining the structure and interrelationships between components of the network, configuring the physical locations of files and equipment, and planning the operating capacity and capabilities to meet current network needs.

Control Objectives
•  Critical Areas
  –  New network and communication software is appropriately implemented in a timely manner and functions properly
  –  Modifications to existing network and communications software are properly implemented and function as expected
•  Value Add Areas
  –  New network and communication software is acquired consistent with management’s intentions
  –  Network and communication software is maintainable and supportable

Topics Covered
•  Network & communication software:
  –  Acquisition & approval
  –  Implementation & testing
  –  Support
  –  Maintenance
•  Performance monitoring
•  Documentation


Systems Software Support — Selecting, implementing, and maintaining necessary systems software, including the parameters that configure and control such software. Implementing and monitoring system software changes, including vendor upgrades.

Control Objectives
•  Critical Areas
  –  New system software is appropriately implemented and functions properly
  –  All necessary modifications to system software are implemented timely
  –  Modifications to system software are properly implemented and function as intended
•  Value Add Areas
  –  New system software is acquired consistent with management’s intentions
  –  System software is maintainable and supportable

Topics Covered
•  Operating system acquisition, installation, configuration and updates/patches

AUDITING APPLICATION SYSTEMS

Defining Application Controls
•  Application controls are those controls that pertain to the scope of individual business processes or application systems, including data edits, separation of business functions, balancing of processing totals, transaction logging, and error reporting.
•  The objective of application controls is to ensure that:
  –  Input data is accurate, complete, authorized, and correct.
  –  Data is processed as intended in an acceptable time period.
  –  Data stored is accurate and complete.
  –  Outputs are accurate and complete.
  –  A record is maintained to track the process of data from input to storage and to the eventual output.


Application Systems Auditing
•  All key business processes are supported by application systems.
  –  Financial Reporting, Sales, Inventory Management, et al.
•  Most companies have not optimized identification of application controls and flipped the switch on application versus manual controls
•  Application systems help achieve:
  –  Efficiency and effectiveness of operations
  –  Reliability of financial reporting
  –  Compliance with applicable laws and regulations
•  What are application controls?

Types of Application Controls
•  Input Controls – These controls are used mainly to check the integrity of data entered into a business application, whether the data is entered directly by staff, remotely by a business partner, or through a Web-enabled application or interface. Data input is checked to ensure that it remains within specified parameters.
•  Processing Controls – These controls provide an automated means to ensure processing is complete, accurate, and authorized.
•  Output Controls – These controls address what is done with the data and should compare output results with the intended result by checking the output against the input.
•  Integrity Controls – These controls monitor data being processed and in storage to ensure it remains consistent and correct.
•  Management Trail – Processing history controls, often referred to as an audit trail, enable management to identify the transactions and events they record by tracking transactions from their source to their output and by tracing backward. These controls also monitor the effectiveness of other controls and identify errors as close as possible to their sources.
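The five control types above are easiest to recognise when they sit side by side in one small processing routine. The following Python is an added example, not code from the deck or from any application: a miniature batch poster that applies input edits, a processing control against the batch's claimed totals, an output-to-input reconciliation, and a management trail that can be traced forward (source to output) and backward (output to source). The transaction layout, the authorized-user list, the per-transaction limit and the sample batch are all constructed assumptions.

```python
"""Application controls in miniature (added example; constructed data).

Assumed: transactions arrive in a batch with a preparer's control count and
control total; only users in AUTHORIZED_ENTERERS may enter data; amounts
must be positive and at most MAX_AMOUNT.
"""
from decimal import Decimal, InvalidOperation

AUTHORIZED_ENTERERS = {"acct01", "acct02"}   # assumed
MAX_AMOUNT = Decimal("50000.00")             # assumed per-transaction limit

# Constructed input batch; the preparer's control figures cover all four rows
INPUT_BATCH = {
    "batch_id": "B-2015-12-001",
    "control_count": 4,
    "control_total": Decimal("12150.00"),
    "rows": [
        {"id": "T1", "account": "1000", "amount": "2500.00", "user": "acct01"},
        {"id": "T2", "account": "1000", "amount": "-100.00", "user": "acct01"},  # fails range edit
        {"id": "T3", "account": "2000", "amount": "9750.00", "user": "acct02"},
        {"id": "T4", "account": "2000", "amount": "abc",     "user": "guest"},   # fails format + authorization
    ],
}


def input_edits(row):
    """Input controls: return the list of edit failures for one row (empty = accepted)."""
    errors = []
    try:
        amt = Decimal(row["amount"])
    except (InvalidOperation, ValueError):
        errors.append("amount not numeric")
        amt = None
    if amt is not None and not (Decimal("0") < amt <= MAX_AMOUNT):
        errors.append("amount outside permitted range")
    if row["user"] not in AUTHORIZED_ENTERERS:
        errors.append("entered by unauthorized user")
    if not row["account"].isdigit():
        errors.append("account not numeric")
    return errors


def process_batch(batch):
    """Processing, output and integrity controls, recording a management trail."""
    balances = {}                 # the stored output
    trail = []                    # management trail: one entry per input row
    accepted_total, accepted_count = Decimal("0"), 0
    for row in batch["rows"]:
        errs = input_edits(row)
        entry = {"source_id": row["id"], "batch": batch["batch_id"],
                 "status": "rejected" if errs else "posted", "errors": errs, "output_ref": None}
        if not errs:
            amt = Decimal(row["amount"])
            balances[row["account"]] = balances.get(row["account"], Decimal("0")) + amt
            accepted_total += amt
            accepted_count += 1
            entry["output_ref"] = f"{row['account']}:{amt}"
        trail.append(entry)
    # Processing control: did everything the preparer submitted get processed?
    batch_complete = (accepted_count == batch["control_count"]
                      and accepted_total == batch["control_total"])
    # Output/integrity control: stored balances must reconcile to accepted input
    output_total = sum(balances.values(), Decimal("0"))
    return {"balances": balances, "trail": trail, "batch_complete": batch_complete,
            "output_reconciles": output_total == accepted_total,
            "accepted_total": accepted_total}


def trace_backward(trail, account):
    """Management trail: from an output balance back to its source transactions."""
    return [e["source_id"] for e in trail
            if e["status"] == "posted" and e["output_ref"].startswith(account + ":")]


def trace_forward(trail, source_id):
    """Management trail: from a source transaction to what it produced or why it was rejected."""
    return next(e for e in trail if e["source_id"] == source_id)


if __name__ == "__main__":
    result = process_batch(INPUT_BATCH)
    print("balances:", result["balances"])
    print("batch complete:", result["batch_complete"], "| output reconciles:", result["output_reconciles"])
    for e in result["trail"]:
        print(e["source_id"], e["status"], e["errors"] or e["output_ref"])
```

Note that the output reconciles while the batch is incomplete: the two rejected rows mean the processing control fails against the preparer's count and total, which is exactly the error report the "identify errors as close as possible to their sources" point calls for, and the trail shows for each rejected row which edit it failed.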

Nature, Timing, & Extent of Testing
•  Nature of testing will depend on whether the control is embedded or configurable
•  Configurable application control:
  –  Inspect configuration of each significant transaction type (can be performed via walkthrough also)
  –  Consider override capability
  –  Other menu and record level functionality
  –  Generally can be viewed within a configuration screen or via a system generated report
•  Embedded application control:
  –  Walkthrough of each significant transaction type
  –  Consider override capability
  –  Positive and negative aspects of control
•  Identify any dependencies on other controls


Nature, Timing, & Extent of Testing
•  By recognizing that application controls operate in a systematic manner, we may be able to perform testing of application controls in conjunction with the walkthrough for each applicable transaction type and processing alternative.
•  We perform tests to obtain evidence that the application controls operated effectively throughout the period of reliance.
•  Testing ITGCs is the most effective way to obtain evidence that the application controls have continued to operate throughout the period.

Electronic Audit Evidence (EAE)
•  Data generated by or processed through an application, spreadsheet and/or end user computing solution, be it in electronic or printed form, used to support audit procedures
  –  Data used for analytical and data analysis procedures
  –  Data supporting the performance of internal controls, including key performance indicators
  –  Data that represents substantive audit evidence to support assertions for significant accounts
    •  Aging list of accounts receivable
    •  Spreadsheet specifying hedging transactions
    •  List of gains and losses from sales of marketable securities

EAE Reliance
•  Establishing a basis for relying on electronic data includes:
  –  Determining the source of the electronic data (which application produces the data)
  –  Determining, through identification and evaluation of internal controls or through substantive procedures, whether the electronic data is complete and accurate


Testing Report Logic
•  Evaluate to what extent the logic of the report or query guarantees that the report is complete and accurate
•  Test procedures are determined based on risk assessment:
  –  What is the origin of the software?
  –  Is the report used frequently by the client?
  –  Can the client influence the content of the report?
  –  Can the client edit the output of the report?
  –  Are we sure the data in the underlying database is complete and accurate?
•  Test procedures are based on controls testing or substantive testing
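When the risk assessment above points to substantive testing (for instance, the client can edit the report output), the direct test is to re-perform the report from the underlying data and compare. The following Python is an added example, not material from the deck: it recomputes an aged accounts receivable listing (one of the EAE examples on the previous slide) from an open-invoice extract and tests the client's report for completeness (every open invoice appears) and accuracy (right bucket, right amount, nothing extra). The invoice extract, the client's report, the report date and the bucket boundaries are constructed assumptions.

```python
"""Testing report logic by independent re-performance (added example).

Constructed data throughout; bucket boundaries are an assumption.
"""
from datetime import date

AS_OF = date(2015, 12, 31)                              # report date (constructed)
BUCKETS = [(0, 30), (31, 60), (61, 90), (91, None)]     # assumed aging buckets (days past due)

# Constructed open-invoice extract taken directly from the underlying database
OPEN_INVOICES = [
    {"inv": "A-100", "customer": "Acme", "due": date(2015, 12, 20), "open": 1000.00},
    {"inv": "A-101", "customer": "Acme", "due": date(2015, 11, 15), "open": 2500.00},
    {"inv": "B-200", "customer": "Bolt", "due": date(2015, 9, 1),   "open": 800.00},
    {"inv": "C-300", "customer": "Cora", "due": date(2016, 1, 10),  "open": 400.00},   # not yet due
    {"inv": "B-201", "customer": "Bolt", "due": date(2015, 10, 28), "open": 150.00},
]

# Constructed client-produced report: B-201 is missing and B-200 is bucketed too young
CLIENT_REPORT = {
    "A-100": ("0-30", 1000.00),
    "A-101": ("31-60", 2500.00),
    "B-200": ("61-90", 800.00),
    "C-300": ("current", 400.00),
}


def bucket_for(days_past_due):
    """Map days past due to a bucket label; zero or negative means not yet due."""
    if days_past_due <= 0:
        return "current"
    for lo, hi in BUCKETS:
        if hi is None or lo <= days_past_due <= hi:
            return f"{lo}-{hi}" if hi is not None else f"{lo}+"
    raise AssertionError("BUCKETS must be contiguous and end with an open bucket")


def recompute_aging(invoices, as_of):
    """Independent re-performance: {invoice: (bucket, amount)} plus totals per bucket."""
    by_invoice, totals = {}, {}
    for inv in invoices:
        bucket = bucket_for((as_of - inv["due"]).days)
        by_invoice[inv["inv"]] = (bucket, round(inv["open"], 2))
        totals[bucket] = round(totals.get(bucket, 0.0) + inv["open"], 2)
    return by_invoice, totals


def evaluate_report(client_report, invoices, as_of):
    """Compare the client's report with the recomputed aging; return exception strings."""
    expected, _ = recompute_aging(invoices, as_of)
    exceptions = []
    for inv_id, (bucket, amount) in expected.items():
        if inv_id not in client_report:
            exceptions.append(f"{inv_id}: missing from report (completeness)")
            continue
        rep_bucket, rep_amount = client_report[inv_id]
        if rep_bucket != bucket:
            exceptions.append(f"{inv_id}: report bucket {rep_bucket}, recomputed {bucket} (accuracy)")
        if round(rep_amount, 2) != amount:
            exceptions.append(f"{inv_id}: report amount {rep_amount}, recomputed {amount} (accuracy)")
    for inv_id in client_report:
        if inv_id not in expected:
            exceptions.append(f"{inv_id}: on report but not in source data (accuracy)")
    return exceptions


if __name__ == "__main__":
    _, totals = recompute_aging(OPEN_INVOICES, AS_OF)
    print("recomputed bucket totals:", totals)
    for line in evaluate_report(CLIENT_REPORT, OPEN_INVOICES, AS_OF):
        print("EXCEPTION", line)
```

The last risk question on the slide still applies to this test: re-performance proves the report's logic against the extract, not the extract against reality, so the auditor separately needs comfort that the underlying open-invoice data is itself complete and accurate.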

COMMUNICATION: PEOPLE-CENTRIC SKILLS FOR AUDITORS

Why Is Communication Important?


SEVEN C’S TO EFFECTIVE COMMUNICATION

Clear/Coherent
•  Focused
•  No question about intention or objective
•  Leave no doubt
•  Eliminate irrelevance
•  Embrace logic
•  Straightforward
•  Comprehensible

Which is more clear?
•  Please take care of the assignment I emailed you a few weeks back regarding the memo on accounting.
•  Brent, a few weeks back (May 12th) I emailed you concerning the accounting for our new acquisition (ABC Company). I wanted to check in and see the status of the memo. Please let me know at your earliest convenience.


Which is more clear?
•  Please take care of the assignment I emailed you a few weeks back regarding the memo on accounting.
•  Brent, a few weeks back (May 12th) I emailed you concerning the accounting for our new acquisition (ABC Company). I wanted to check in and see the status of the memo. Please let me know at your earliest convenience.
•  Brent – I wanted to check on the accounting memo on our new acquisition (ABC). Please let me know the status as soon as possible. Thanks!

Somewhere in the middle

Concise
•  Minimize word usage but…
  –  Do not spare words for the sake of being brief
•  Use useful words, not space killers
•  Do keep your audience engaged and interested

Complete/Correct
•  Be thorough, paint a picture
•  Beginning to end
•  Get your point across
  –  Introduce
  –  Support
  –  Reiterate
•  Truthful
•  Accurate
•  Honest
•  If you do not know, admit it!


Captivating
•  Interesting
•  Know when to dive into an area and know when you are giving too much detail
  –  Subject matter must be flexible
•  Command more attention and better responses
•  Compelling language that encourages action
•  Know your objective and consistently reiterate
•  Well organized messages

Which is more captivating?
•  Thank you for your presentation this morning; it was exciting, endearing and very engaging. I would like to follow up this presentation with a request for the presentation slides as I would like to pass them on to my superiors. Thank you so much.
•  Thanks.

Question – Is the latter too concise?

Conversational
•  Easy to follow and understand
•  Speak with an audience, not to them
•  Personalize the experience, make them connect


Courteous
•  Professional demeanor
•  Friendly
•  Approachable
•  Talk with, not to

Concrete
•  Specifics and certainty
•  No ambiguity
•  Direct and to the point

GENERAL COMMUNICATION ISSUES & CONFLICT MANAGEMENT


Personal vs. Professional
•  Separation of Church vs. State or Personal vs. Professional
•  Know the difference
•  Be emotionally savvy (recurring theme throughout the course)
•  Personal attack vs. getting to the root of the problem
•  Casualness of emails (know your audience)

Miscommunication
•  #1 cause of unnecessary conflict
  –  Happens in many cases due to the mode of communication
•  Emotion/feelings are difficult to interpret via email, Blackberry, IM, etc.
•  People always fear the worst outcome – “Hey, can we talk?”
•  Assumptions take on a world of their own

Optimize Your Conflict Resolution
•  Personally confront the issue
•  Make your initial statement and stop talking
•  Avoid arguing during the confrontation
•  Know the resolution you want prior to the confrontation
•  Focus on the real issue of the confrontation
•  Acknowledge feelings


Fact Conflicts
•  Conflicts over facts are usually the easiest to resolve since facts are subject to independent verification
•  In these cases, the questions will concentrate on gathering the information needed to confirm or refute the facts
•  Once everyone is satisfied that the facts are correct, the conflict will be resolved
•  Walk through the steps to lead to the conclusion – gain agreement on each step

Feelings & Perceptions
•  Well-intentioned recommendations may sometimes be perceived as criticisms or even accusations
•  The natural human response to a perceived threat is “fight or flight”
•  Defensive and making excuses
   –  Make the situation not personal
   –  Look for cost/benefit
   –  Respect the other person – who knows more?
   –  Make sure they understand – you are doing your job

Personalities
•  We are not psychologists
•  Researchers have found that most differences in working styles result from differences in two basic characteristics: 1) ask vs. tell, 2) task-oriented vs. people-oriented behavior
•  Manage the situation and person


Individual Values
•  May be no immediate resolution
•  Generally not subject to negotiation or compromise
•  Asking questions about fundamental values can actually be counter-productive
   –  Avoid deep conflict
   –  Stay at a higher level
   –  Find a mutual ground/understanding

EMAIL EXCELLENCE

Caution – Be Careful What You Send
•  Email can hang around forever
•  Your emails can be subpoenaed
•  You may be called to explain or defend something you emailed years later
•  Regardless of personal or business


Caution – Be Careful What You Send
Try to avoid:
•  Making accusations of fraud or error via email
•  Making personal attacks or derogatory comments about others
•  Sending confidential, classified or personally identifiable information (like SS#’s, etc.) via email
•  Blunt statements (I will respond to you at my earliest convenience)
•  Emotional responses

Best Practices - Practical Tips to Improving Your Email Skills
•  Clarity is key
•  Understand your audience
•  White space is good
•  It’s not just what you say, but how you say it
•  Never send an email angry
•  Don’t forget about verbal communication
•  Consider what you are communicating
•  Ambiguity in tone

Typical Bad Practices
•  Blank or non-descriptive subject lines
•  Reply to all
•  One-liners
•  Address exposure
•  BCC


Misc. Email
•  Keep relevant emails
   –  Create and utilize folders (easy to find)
•  Who do you CC and BCC?
   –  CC relevant parties but watch over-CCing; do they really need to be on the email string?
   –  Use BCC sparingly
•  Utilizing read receipts
   –  Only use if you feel this is very necessary. Remember – the recipient receives notice that read receipts are being utilized; not readily accepted in the workplace
•  Personal emails
   –  Nothing via email is personal – watch usage

INSTANT MESSAGING

Leading Practices
•  Knock, Knock – Anyone There?
•  Concision is Key
•  Be Professional
•  Watch Emotional Responses
•  What are we Trying to Accomplish?
•  Speed is Key!


AUDIT INTERVIEWING BASICS

What is an Audit Interview?
•  Small, personal, controlled conversational meeting in which auditors obtain needed information from people who have it.
•  Conversation with an agenda.

Interview = Evidence?
•  Four kinds of audit evidence:
   –  Physical
   –  Documentary
   –  Analytical
   –  Testimonial
•  QUESTION – Which is the strongest and which is the weakest?
•  QUESTION – What is an interview?


Interview Evidence
•  STRONGEST = Physical
•  WEAKEST = Testimonial
•  Interviewing is……
•  Allegations/Opinions are NOT evidence.

Steps in the Audit Interview Process
①  Planning/Preparation
   a.  Objectives
   b.  Types of Questions
   c.  Background on Interviewee
   d.  Information Requests
   e.  Participants
   f.  Location
   g.  Time
②  Conducting the Interview
   a.  Agenda
   b.  Environment
       i.  Interviewer(s)
       ii.  Participant(s)
   c.  Interview Variations
   d.  Recording the Interview
   e.  Ending the Interview
③  Interview Results
   a.  Professional Skepticism
   b.  Documenting the Interview
④  Follow Up


INTERVIEW PREPARATION

Managing Yourself - Interviewing
Interview: “A meeting at which information is obtained from a person.” – Merriam-Webster

Managing Yourself - Interviewing Preparation – Objective(s)
•  Clearly defined
•  Documented
•  Understood by interviewer(s)
•  Foundation of questions and information requests


Types of Interview Questions

Type             Advantage
Open Ended       Detailed explanations and descriptions; conversation can veer in numerous directions
Closed           Simple information, Yes/No
Qualifying       Establishes witness credibility
Range            Provides general areas
Motives          Reveals why people did/did not do
Opportunity      Reveals whether people could have done
Lead to Others   Sets stage for subsequent questions
More Info        Asks that more information be provided

GROUP EXERCISE – INTERVIEW QUESTIONS #1

Interview Questions
•  You are performing an audit of an area you have not audited before and you have limited information on the auditee and the business area.
•  Please list, in order, the questions you would ask (at least 10 Yes/No questions).


Questionnaires
•  Can be more efficient than the open-ended interview
•  Yes/No Questions will drive Yes/No Answers
•  Questionnaires are not very valuable without open-ended follow-up

Creating a Standard Questionnaire
•  Use a variety of questions such as yes/no, ratings from best to worst, and request explanations.
•  Make the questions as simple as possible so your interviewees can understand and answer them in the same way.
•  Standardize as much as possible but know they limit the answer given (make it easier on the employee)
•  Leave plenty of white space for answers
•  Be sure questions can only be answered one way, with the exception of explanation questions.
•  Make sure range options are very specific.
•  Review and test prior to using the questionnaire.

Managing Yourself - Interviewing Participants
•  Individual or Group
•  Information Dependent
•  Backgrounds
•  Personality Styles (Driver, Expressive, Amiable, or Analytical)


Background on Interviewee
•  Do your homework
•  Review old workpapers and PY audit work
•  Ask other auditors about interviewee
•  Google….

Managing Yourself - Interviewing Time
•  Number of Questions and Information Requests
•  Availability of Participants
•  Number of Participants
•  Interview Venue
•  Use of Pre-reads and/or Questionnaires

Eight Stages of an Interview
1.  Defining its purpose
2.  Identifying information needed from interviews
3.  Identifying people to interview
4.  Preparing for the interview
5.  Conducting and controlling the interview
6.  Recording the interview
7.  Analyzing the results
8.  Documenting the analyzed results in the working papers


LISTENING TECHNIQUES

Listening Skills
•  Depending on the study being quoted, we remember a dismal 25-50% of what we hear.
•  Good communication skills require a high level of self-awareness. By understanding your personal style of communicating, you will go a long way towards creating good and lasting impressions with others.
•  Become an active listener and eliminate bad habits!

Listening Optimized (1 of 2)
•  Ignore phone calls during the conversation and abstain from multitasking
•  Look at the other person and focus on the words and meanings
   –  Content and intent
•  Avoid interruptions
•  Resist jumping to conclusions
•  Concentrate on the flow and back and forth of the conversation, rather than becoming hung up on bits of information or parts of past conversation


Listening Optimized (2 of 2)
•  Take on the responsibility of listening: being bored, not liking the speaker, or disagreeing with what he or she has to say does not excuse you from actively listening
•  Consider body language and respond with both words and actions, taking into account your own body language and concern
•  Restate key points to ensure accuracy and prevent potential misunderstandings

Active Listening
•  When the listener provides feedback (verbal and/or non-verbal) to the speaker, demonstrating that the speaker’s message has been understood and will be retained.
•  Active Listening Involves:
   –  communicating verbally and nonverbally
   –  practicing “uninterrupted” listening
   –  restating the message
   –  observing the sender’s nonverbal signals

Why practice active listening?
•  Helps us understand others better
•  Shows others we respect them
•  Allows us to receive accurate messages
•  Enables us to respond appropriately


Attending posture
Nonverbal skill = SOLER
•  S = squarely face person
•  O = use open posture
•  L = lean toward the person
•  E = use eye contact
•  R = relax, keep it natural

SOURCE: Gerald Egan, author of the supplement “Skilled Helper: A Problem-Management Approach to Helping.”

Verbal Active Listening Techniques (1 of 2)

•  Using encouraging words and reassuring sounds to convey interest (“I see.”)

•  Restating in your own words what the person said

•  Repeating exactly what the person said (“Mirroring”)

•  Reflecting to show you understand how they feel (“You were pretty upset by this…”)

Verbal Active Listening Techniques (2 of 2)

•  Probing the interviewee’s initial response in order to expand and/or clarify the information given (“Please tell me more about that”)

•  Summarizing (“these seem to be the main ideas you stated”)


Nonverbal Listening
•  Facial Expressions – eye/eyebrow movements and smiles, frowns and grimaces
•  Gestures – Hand & arm gestures are numerous. Look for open or closed arms and hands for sincerity or obstruction.
•  Postures – Shows attitude and feelings. Sitting or standing in straight or slouched positions, for example.
•  Environment – open, comfortable office arrangements indicate sociability, while close arrangements indicate control or self-protection.

Barriers to Active Listening (1 of 2)
•  Not keeping an open mind by letting biases interfere
•  Jumping to conclusions
•  Interrupting or debating the interviewee: seek understanding first!
•  Monopolizing the conversation (70/30 rule)
•  Thinking ahead to your next question

Barriers to Active Listening (2 of 2)
•  Reading documents provided by the presenter
•  Not suppressing disruptive habits such as finger drumming or pencil tapping
•  Assuming you know what the presenter meant and not requesting clarification


FUTURE TRENDS AND TECHNIQUES

Surveys & Demographics

Pulse of Internal Audit – 370 Completed Surveys
•  October 2014
•  7th consecutive year
•  63% Public/Private companies
•  84% CAEs and Directors (311 responses)
•  92% internal audit managers or above

311 Responses From CAEs and Directors
•  28% Finance and Insurance
•  14% Manufacturing
•  10% Educational services
•  7% Healthcare and social assistance

CBOK – 12,570 completed the survey
•  Q1 2015
•  Conducted every five years
•  32% CAEs and Directors/Sr. Managers (4,043 responses)
•  28% North American participants
•  878 CAEs and Directors/Sr. Managers from North America

878 Responses From CAEs and Directors/Sr. Managers in North America
•  30% Finance and Insurance
•  10% Healthcare and social assistance
•  10% Manufacturing
•  8% Public Administration

Sources: The Pulse of Internal Audit survey, © 2015 The IIA Audit Executive Center, conducted in collaboration with the 2015 Common Body of Knowledge Study, © 2015 The IIA and The IIA Research Foundation. All rights reserved. No part of this data may be copied, reproduced or otherwise disseminated without explicit permission from The IIA.

Five Priorities for 2015!
•  Assessing emerging and evolving risks
•  Linking risks and audit coverage
•  Navigating an emerging talent shortage
•  Addressing gaps in quality assurance and improvement


Linking Risks and Audit Coverage: The Paradox of “Structural Expectations”
•  Stakeholders often expect base level of coverage:
   o  Financial risks
   o  Regulatory risks
   o  Compliance risks
•  Once base is addressed:
   o  Operating risks
   o  IT risks
•  Only then is there interest in strategic and business risks
•  The paradox:
   o  Base level coverage often provides the lowest perceived value

[Figure: Audit Plan Coverage in 2015 – chart values shown on the slide: 34%, 46%, 20%; Total “Financial” 16%.] Survey respondents were asked to estimate the distribution of their audit plan coverage. This figure reflects a summary of the data.
Source: The CBOK 2015 Global Internal Audit Practitioner survey, © 2015 The IIA Research Foundation

Delivering Internal Audit Value: According to Grant Thornton, CAEs Believe

They Add Value by:
1.  Identifying improvement opportunities
2.  Mitigating risk
3.  Increased efficiency
4.  Stronger corporate governance
5.  Stronger financial controls compliance

Barriers Include:
1.  Budget constraints (60%)
2.  Talent quality or capacity (47%)
3.  Focus on financial controls and compliance (43%)
4.  Perception of internal audit (40%)
5.  Organizational politics (40%)

Source: “Competing Priorities: Are CAE and audit committee priorities in sync?” © 2015 Grant Thornton LLP


Linking Risks & Audit Coverage: Key Imperatives
•  Undertake a comprehensive assessment
•  Develop an audit plan based on the “real risks”
•  Identify resources and expertise gaps
•  Formulate strategies for addressing gaps
•  Have candid conversations with management and the audit committee regarding:
   –  Resource shortfalls
   –  Expertise gaps
   –  Risks that may fall victim to resources
   –  A plan of action
•  Develop a long-term strategy for addressing gaps
•  Don’t let the “tail wag the dog”

“Disclosing the gaps in risk coverage and discussing the resources needed to address the gaps is essential.” – Joe Steakley, CAE of Hospital Corporation of America

Navigating an Escalating Talent Shortage: PwC’s View

Internal audit functions providing significant value have more diversified skill sets:

Skill Sets
Business Continuity   84%
Data Privacy          80%
Specialized IT        77%
Data Analytics        72%
Supply Chain          69%

The talent gap is “fueling a poor perception of internal audit’s relevance and value: 65 percent of stakeholders who do not find value in the internal audit functions cite talent as a top barrier.” - PwC

Source: 2015 State of the Internal Audit Profession Study, © 2015 PwC

AUDITING EMERGING RISKS


Assessing Emerging and Evolving Risks
•  93 percent use risk-based methodologies when planning
•  But, emerging risks present a challenge
•  Risks often materialize with little or no warning
•  Decades of accumulated value can evaporate
•  We must be able to “audit at the speed of risk”

Assessing Emerging/Evolving Risks
•  Industry Trends (what is in the news)
•  ERM – predicting changes over 5+ years
•  Change to ERM -> Change ARM & Audit Plan

Continuously Assessing Emerging and Evolving Risk – Key Imperatives
•  Assess existing risk assessment maturity
•  Develop/refine processes to identify and report on emerging risks
•  Assess existing processes for updating the annual audit plan
•  Obtain stakeholders’ input on the need for frequent updates
•  Develop/refine audit reporting to demonstrate a stronger link between changes to:
   o  The organization’s risk profile
   o  Associated changes to the audit plan


DYNAMIC RISK ASSESSMENT PROCESS

Continuous Risk Assessment is Still Aspirational for Many

How frequently does internal audit conduct a risk assessment?

Frequency                                                      
Annual assessment without formal updates                     38%
Annual assessment with periodic formal updates               41%
Continuous assessment                                        13%
Never (Internal audit does not conduct a risk assessment.)    4%
Other                                                         4%

Source: The Pulse of Internal Audit Survey, conducted in collaboration with the 2015 Common Body of Knowledge Study, © 2015 The IIA and The IIA Research Foundation. All rights reserved. No part of this data may be copied, reproduced or otherwise disseminated without explicit permission from The IIA.
SOURCE: IIA/Richard Chambers Presentation “Pulse of Internal Audit” to the FTW IIA, September 4, 2015

How are We Assessing Risk?
•  How many are performing a formal annual risk assessment?
•  How many are performing a formal engagement-level risk assessment?
•  What is the process?
   –  Numerical/Ratings?
   –  Interviews?
   –  Questionnaires?
   –  Surveys?


Continuous Risk Assessment Methodologies

The degree to which internal audit utilizes these methodologies to continuously assess risk

Methodology                                                                                                       Very/Extensively Utilized
Periodic manual monitoring of KRIs                                                                                27%
Using technology to continuously monitor KRIs                                                                     10%
Periodically interview management to identify changes in the organization's risk profile                          71%
Initiate formal updates of the internal audit risk assessment & audit plan                                        60%
Initiate informal or ad hoc updates of the internal audit risk assessment & audit plan                            61%
Periodically update risk assessment based on changes to risk ratings identified during ongoing audit operations   54%

Source: The Pulse of Internal Audit survey, © 2015 The IIA Audit Executive Center. No part of this data may be copied, reproduced or otherwise disseminated without explicit permission from The IIA.

AUDIT TRANSPARENCY

Audit Transparency
•  Do You Share Your Risk Assessment with Your Auditees?
•  Do You Post Your Audit Plan for the Year?
•  Do You Give Your Auditees Your Workprogram During Planning?


MARKETING INTERNAL AUDIT

3 Pillars of Marketing Internal Audit

Consistent Messaging
•  Define Internal Auditing
•  Focus on Objectives
•  Marketing Plan
•  Marketing Sheet
•  Outreach w/ new managers
•  Periodic outreach w/ manager (take the pulse)
•  Intranet Site

Continuous Education
•  Alleviate the Fear
•  Focus on “Value”
•  Brown Bag Lunches
•  Newsletters
•  Email with Issues/Findings
•  Don’t Use Independence as an Excuse

Transparency
•  Try to Help
•  Try Not to Hide Anything
•  Walk Auditees through ARA
•  Post the Audit Plan
•  Give Auditees Audit Work program (Path to Success)

COMMUNICATION & CRITICAL THINKING


Navigating an Escalating Talent Shortage

Top Skills Being Recruited or Built in Internal Audit Departments

   Skills Recruited or Built        Recruited   Essential
1  Analytical/Critical Thinking     74%         96%
2  Communication Skills             57%         96%
3  Data Mining and Analytics        48%         44%
4  Industry-specific Knowledge      43%         69%
5  IT (general)                     42%         43%
6  Business Acumen                  40%         80%
7  Accounting                       31%         48%
8  Risk Management Assurance        27%         40%

Source: The CBOK 2015 Global Internal Audit Practitioner survey, © 2015 The IIA Research Foundation

Course Summary
•  Understand and Manage Expectations
•  Over-communicate – Transparency is Key!
•  Ask for More and Ask for Feedback!