Presentation 5, System based audit approach - what is it about?, Workshop on System-based auditing,...

Post on 06-Jul-2015


© OECD

A joint initiative of the OECD and the European Union, principally financed by the EU

Tirana, 10-12 September 2014

Workshop System Based Auditing

5. System Based Audit approach: What is it about?


5.1 Internal control

• What is the role of internal control in an organisation?

• What is the role of internal control in audit?


5.2 Internal control: ISSAI definition

• ISSAI 4200 paragraph 65:

Understanding internal control is normally an integral part of understanding the entity and the relevant subject matter. The Fundamental Auditing Principles explain that in performing an audit, public sector auditors understand and evaluate the reliability of internal control (ISSAI 300, 3.3.1).

In compliance audit, this includes understanding and evaluating controls that assist management in complying with laws and regulations (ISSAI 300, 3.3.2).


5.3 Internal control: COSO definition

Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives, reporting, and compliance.

http://www.coso.org/documents/990025P_Executive_Summary_final_may20_e.pdf page 3


5.4 Internal control: objectives

• Operations objectives:

Effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.

• Reporting objectives:

Internal and external financial and non-financial reporting, which may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters, or the entity’s policies.

• Compliance objectives:

Adherence to laws and regulations to which the entity is subject.


5.5 Internal control: COSO Framework

• Internal Control Framework (1992)

• COSO ERM framework (2004)

5.6 Internal control: COSO Internal control framework

• Control environment: sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.

• Risk assessment: the entity's process for identifying and analyzing relevant risks to achievement of its objectives, forming a basis for determining how the risks should be managed.

• Control activities: the policies and procedures that help ensure that management directives are carried out.

• Information and communication: these systems support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.

• Monitoring of controls: a process that assesses the quality of internal control performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two.


5.7 Systems Based Audit

System Based Audit is an audit in which the nature and depth of the testing depend on the auditor’s assessment of the internal control system, and these assessments form the main part of the audit.


5.8 System based audit approach = Risk based

Three elements

1. Inherent Risk

2. Control Risk

3. Detection Risk

Audit Risk = Inherent Risk x Control Risk x Detection Risk


5.9 System based audit approach defines:

• Whether the internal control procedure was performed

• Whether the quality of the performed control procedures was satisfactory


5.10 Direct Tests

Tests for details on major classes of transactions and account balances to obtain evidence to detect material misstatements in the financial statements.


5.11 Do we need to use internal control procedures?

When the auditor has no specific requirement to assess the operation of the organisation’s systems of control, or when the internal control procedures are too weak to be relied on, the audit objectives can be achieved without relying on these systems and without undertaking tests of control.

=> DIRECT TESTING


5.12 Direct Testing

The number of substantive tests necessary under Direct Testing will be higher than under the SBA approach!


5.13 Because if Control Risk is:

HIGH => More substantive tests needed

LOW => Not so many substantive tests needed

MODERATE => Number of substantive tests can be reduced


5.14 What are the steps of SBA?

Steps of the audit of the system

• Understanding the business

• Evaluating Internal control system

• Testing Internal control system

Steps of testing transactions and account balances

• Analytical procedures

• Test of transactions

• Test of account details


5.14 Testing of systems

Activities

• What are the risks?

• What are the measures? (design): Gaps?

• Do the measures exist? (practice): Gaps?

• Do the measures function? (practice): Breaches, errors


QUESTIONS?
