Number of slides: 157
Risk-based audit methodology

Feedback from IIA training
- Compliance auditing ... and some more compliance auditing
- Consistent findings: same as last year, or the same as last time, with the same result

Client indicators
- Policeman image: newspaper exposure = forensic auditing
- Cost versus benefit questions
- Lack of funding and resources for IA, limiting effectiveness; ensuring compliance at a minimum cost

Government indicators
- +/- 48% of local authorities are being mismanaged
- Section 100 take-overs
- Disciplining and terminating performance contracts of senior management for not delivering services
- Government statements relating to values and ethics
- Funds will be shifted from poorly managed to effective institutions

Audit committees
- Chairperson independent
- Majority outside the department
- Report annually on:
  - Effectiveness of internal control
  - Quality of management and financial reports
  - Evaluation of financial statements

Internal audit (IIA definition)
- Independent, objective assurance and consulting activity
- Adds value and improves operations
- Evaluates and improves the effectiveness of risk management, control and governance processes
(3/15/2018)

PFMA/MFMA
- Internal audit must be conducted in accordance with the standards set by the IIA
- IA must assist in achieving the objectives by evaluating and improving the process through which:
  - Objectives and values are established and communicated
  - Accomplishment of objectives is monitored
  - Accountability is ensured
  - Corporate values are preserved
Objective setting (COSO objective categories)
- Strategic: high-level goals, aligned with and supporting the entity's mission/vision
- Operational: effectiveness/efficiency of operations, performance and service delivery goals
- Reporting: effectiveness of internal/external reporting, financial or non-financial
- Compliance: compliance with applicable laws and regulations
- Safeguarding of assets
- Control environment: prevention / timely detection

COSO: all five components must be present and functioning before a control system can be effective. Each component (control environment, risk assessment, information and communication, control activities, monitoring) is assessed against the same objectives:
- Safeguard assets (control activities = prevention; monitoring activities = detection)
- Compliance with laws, regulations, contracts
- Reliability and integrity of information
- Economy, effectiveness and efficiency

IIA versus COSO
- Governance <-> Control environment; Information/communication
- Risk management <-> Risk assessment
- Control <-> Control activities; Monitoring

Governance process (diagram: objective, risk, process)
- Legal mandate: laws and regulations
- Strategic/operational plans (SMART/CQQT)
- Forms part of the COSO control environment

Control environment = foundation for all other components of internal control
- Integrity, ethical values and competence of management and employees
- Management's philosophy and operating style
- Departmental structure, CQQT, staff and employee development programs, and its process for delegating authority and responsibility

Executive authority: control environment
- Legal mandate = entity-wide objectives = strategic plans = business plans = job descriptions and performance agreements
- Effective communication to all employees
Integrity and ethical values
- No dealings with others not demonstrating an appropriate level of commitment to integrity
- Ethical tone at the top, properly communicated downwards
- Formal code of conduct: ethical standards, acceptable operational practices, conflict of interest
SMART
- Specific
- Measurable
- Achievable
- Relevant
- Timely

Commitment to competence
- Job descriptions and performance agreements define tasks
- Adequate analysis of knowledge and skills needed
- Adequate training program

Accomplishment of goals monitored
- Key performance objectives
- Key performance indicators
- Management information
- Exception reports
- Responsibility assigned

Accountability
- Appropriate structure
- Responsibility assigned
- Delegation of authority consistent with assignment of responsibility
- Who is driving accountability?
- Disciplinary processes consistent

Human resource policies
- Hire qualified staff
- Ethical appointments with background checks

Oversight groups
- Mechanism to monitor and review operations and programs
- Independent oversight

Values preserved
- Appropriate disciplinary action
- Management action to address intervention/overriding of controls
- Management action to remove unethical behavior

CQQT
- Cost: standard costing, net present value, breakeven analysis
- Quantity: economic order quantities
- Quality: right quality at the right price
- Timelines

Other benefits
- Responsibility
- Quantify losses
- Recovery of revenue from private-sector patients
- Recovery of revenue from the Road Accident Fund

Economic order quantities

Economic order quantities
- Useful to establish the optimal frequency and quantity which should be ordered for each stock item
- Formulas are built into LOGIS
- Based on: cost per unit, delivery times, cost of ordering

EOQ: practical use
- Reorder levels
- Safety levels

Quantities and price
- Maximum stock levels
- Minimum stock levels
- Reorder levels
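As an added example (not LOGIS code, which the slides say has the formulas built in), the standard Wilson EOQ formula together with the reorder, minimum and maximum stock levels the slides list; the demand, costs, lead time and working days are constructed assumptions.

```python
import math

# Added example (not LOGIS code): the standard Wilson EOQ formula and the
# stock levels the slides list. All figures below are constructed.

WORKING_DAYS = 250  # assumed working days per year


def annual_holding_cost_per_unit(unit_cost, holding_rate):
    """Carrying cost per unit per year = cost per unit x holding rate."""
    return unit_cost * holding_rate


def eoq(annual_demand, order_cost, unit_cost, holding_rate):
    """Economic order quantity: sqrt(2 * D * S / H), S = cost of ordering."""
    h = annual_holding_cost_per_unit(unit_cost, holding_rate)
    return math.sqrt(2 * annual_demand * order_cost / h)


def annual_cost(order_qty, annual_demand, order_cost, unit_cost, holding_rate):
    """Ordering cost (D/Q * S) plus holding cost (Q/2 * H) for an order size Q."""
    h = annual_holding_cost_per_unit(unit_cost, holding_rate)
    return annual_demand / order_qty * order_cost + order_qty / 2 * h


def stock_levels(annual_demand, order_qty, lead_time_days, safety_days,
                 working_days=WORKING_DAYS):
    """Reorder, minimum (safety) and maximum stock levels for one stock item."""
    daily_usage = annual_demand / working_days
    safety = math.ceil(daily_usage * safety_days)              # buffer for late delivery
    reorder = math.ceil(daily_usage * lead_time_days) + safety  # order when stock falls here
    return {
        "daily_usage": daily_usage,
        "minimum": safety,
        "reorder": reorder,
        "maximum": safety + math.ceil(order_qty),
    }


if __name__ == "__main__":
    # constructed: units per year, R per order, R per unit, annual holding rate
    D, S, C, R = 10_000, 200.0, 20.0, 0.20
    q = eoq(D, S, C, R)
    print(f"EOQ = {q:.0f} units, annual cost R {annual_cost(q, D, S, C, R):.0f}")
    for trial in (500, 1000, 2000):
        print(f"Q={trial}: annual cost R {annual_cost(trial, D, S, C, R):.0f}")
    print(stock_levels(D, q, lead_time_days=10, safety_days=5))
```

At the EOQ the ordering and holding costs are equal, which is the check an auditor can apply to the quantity a system such as LOGIS produces.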
Governance process (diagram: objective, risk, process)
- Laws/regulations
- Strategic/operational plans (SMART/CQQT)
- Capability: finance and human
- Key measurable objectives and indicators
- Responsibility/accountability

Executive authority: control environment
- Integrity and ethical values: hire qualified staff; ethical appointments with background checks
- Commitment to competence: job descriptions and performance agreements define tasks; adequate analysis of knowledge and skills needed; adequate training program
- Authority and responsibility: appropriate structure; responsibility assigned; delegation of authority consistent with assignment of responsibility; disciplinary processes consistent

Budget and HR
- Budget: operational budget; capital budget; R 640 bn unspent
- Human resources: warm bodies (829 000 vacant posts in government); skills (1 million people left the country since 1994)

Become a KMI specialist
- Management do not know where things go wrong:
  - Medicine theft
  - Student bursaries
  - School books not delivered
  - Inefficient use of ambulances, police vehicles
  - Invalid qualifications

KMO and KMI
- KMO: to ensure efficient asset management
- KMI: up-to-date asset registers

Governance process (diagram: objective, risk, process)
- Laws/regulations
- Strategic/operational plans (SMART/CQQT)
- Capability: finance and human
- Key measurable objectives and indicators
- Performance measurement
- Responsibility/accountability
- Performance agreements/job descriptions

Executive authority: control environment
- Integrity and ethical values
- Commitment to competence
- Authority and responsibility
- Monitoring of objectives: key performance indicators; management information; exception reports; responsibility assigned

Governance process (diagram: objective, risk, process)
- Laws/regulations
- Strategic/operational plans (SMART/CQQT)
- Key measurable objectives and indicators
- Management information and exception reports
- Performance measurement
- Capability: finance and human
- Responsibility/accountability
- Performance agreements/job descriptions

COSO versus IIA
- GP (governance) <-> CE (control environment), IC (information/communication)
- RA (risk management) <-> RA (risk assessment)
- CP (control) <-> CA (control activities, preventative), M (monitoring, detective)
Performance Measures

Power of measuring results (FMPPI – p 1)
- If you do not measure results, you cannot tell success from failure
- If you cannot see success, you cannot reward it
- If you cannot reward success, you are probably rewarding failure
- If you cannot see success, you cannot learn from it
- If you cannot recognise failure, you cannot correct it
- If you can demonstrate results, you can win public support

Planning, budgeting and reporting (FMPPI – p 4): the institution's cycle, under oversight
- Policy development: identify desired impacts
- Strategic planning: specify performance indicators
- Operational planning and in-year reporting: set targets and allocate resources; monitor and take corrective action
- End-year reporting: assess and adjust

Key performance concepts (FMPPI – p 6)
- Inputs: what we use to do the work
- Activities: what we do
- Outputs: what we produce or deliver
- Outcomes: what we wish to achieve
- Impacts: results of achieving specific outcomes

Key performance information concepts (FMPPI – p 6) (figure)

Performance indicators (FMPPI – p 7): key performance information indicators are
- Reliable
- Well defined
- Verifiable
- Cost effective
- Appropriate
- Relevant

Indicators of economy, efficiency, effectiveness and equity (FMPPI – p 7) (figure)

Types of indicators (FMPPI – p 8)
- Cost or price indicators
- Distribution indicators
- Quantity indicators
- Quality indicators
- Dates and time frame indicators
- Adequacy indicators
- Accessibility indicators

Specific focus (FMPPI – pp 8 & 9)
- Economy indicators: cost/benefit
- Efficiency indicators: minimum input, maximum output
- Effectiveness indicators: achieving the goals and objectives
- Equity indicators: services provided impartially, fairly and equitably

Performance targets (FMPPI – pp 9 & 10)
- Baselines
- Performance targets
- Performance standards
- Criteria: specific, measurable, achievable, relevant, time-bound

Developing performance indicators (FMPPI – pp 11 & 12)
- Step 1: Agree on what you are aiming to achieve
- Step 2: Specify the outputs, activities and inputs
- Step 3: Select the most important indicators
- Step 4: Select realistic performance targets
- Step 5: Determine the process and format of reporting performance
- Step 6: Establish processes and mechanisms to facilitate corrective action

Managing performance information (FMPPI – p 13): responsibilities of
- Executive authorities
- Accounting officers
- Line managers and other officials

Integrated performance information structures (FMPPI – p 13)
- Well designed documentation
- Appropriate capacity to manage performance information
- Appropriate systems to collect, verify and store information
- Consultation process to include all needs
- Process to ensure information is used for planning, budgeting and management
- Processes to ensure responsibility is assigned
- Identified set of performance indicators for oversight

Reporting (FMPPI – pp 15 & 16)
- Accountability reports
- Information to facilitate oversight
- Public access to information

Values are preserved
- Appropriate disciplinary action
- Management action to address intervention/overriding of controls
- Management action to remove unethical behavior
PFMA
- The AO must facilitate risk assessment to identify material risks and to evaluate the strategy for managing these risks
- IA must assist in maintaining effective controls, evaluating effectiveness and efficiency, and developing recommendations for improvement

Understand risk management
- Underlying premise: every entity exists to provide value for its stakeholders
- All entities face uncertainty; the challenge for management is to determine how much uncertainty is acceptable as it strives to grow stakeholder value
- Uncertainty presents both risk and opportunity, with the potential to erode or enhance value
(Figure: impact versus likelihood)

2 week audit
- Risk assessment (impact versus likelihood), with reasons 1, 2, 3, leads to the audit report
- Audit report structure: criteria; condition (reasons 1, 2, 3 = cause); effect; recommendation; management comment
- Management comment: "I agree with the finding and will implement the recommendation: Yes/No"; "I accept the risk: Yes"

Sample sizes
- Express an opinion on adequacy and effectiveness
- Sample size: 30 transactions
- Select 1; the first one is wrong. Do I have to do the other 29?

Sample sizes: automated
- One is enough
- The system must perform consistently!!

Sample size: old lady
- People make mistakes! One is not enough
- Determine after how many mistakes your audit opinion will be changed from "adequate and effective" to "adequate, but ineffective". That number is enough!!
- If the same root cause is causing repetitive instances of non-compliance, one is enough!!

International standard
- Select 30 transactions: USA and Eskom
- Some departments select 25: banks, municipalities
Risk assessment
Management should identify and analyze the risks of achieving its objectives and determine how to manage risks that may result from internal and external sources, such as changes in economic, industry, regulatory, and operating conditions.

Risks
- Inherent risks
- Control risks

Inherent risk: the risk of not achieving objectives (diagram: strategic risk, objective, process)
- Inherent risk = before the assessment of any controls

Dept of Education
- 68% pass rate versus national average of 80%
- Transport
- Teachers: qualifications and absenteeism
- LSM
- Infrastructure

Management agenda
- Items on inherent risk assessment should be on management agendas
- Also on internal audit plans

Risk & recommendations (impact versus likelihood matrix)
- Effect: reasons for a high impact. Focus: audit objectives; fieldwork; recommendations
- Root cause: reasons for a high likelihood. Focus: audit objectives; fieldwork; recommendations

Risk management in stock control: ABC inventory management

ABC inventory management
- Line items graded based on quantities kept
- A-items: high monetary value, not high quantities; tightly controlled and monitored; never stock-outs on A-items
- B-items: require less control and monitoring; lower monetary value and quantities; stock is kept on hand
- C-items: only ordered when requested by clients

ABC inventory management
- Determine the average investment in each item
- Express as a percentage of the total value of inventory
- Classify in groups

ABC example

Item code   Average investment   % of total   ABC class
1           1 700                21.3%        A
2             270                 3.4%        C
3           1 440                18.1%        A
4             720                 9.0%        B
5           3 300                41.4%        A
6             540                 6.8%        C
Totals      7 970               100%
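The ABC grading over the six items of the example slide, as an added example that is not from the slides or from LOGIS; the percentage thresholds that separate A, B and C are an assumption, since the slide gives none, and are chosen so that they reproduce the slide's classes.

```python
# Added example (not from the slides): classify stock items by their share of
# total average investment, as the ABC slides describe. Thresholds are assumed.

A_MIN_PERCENT = 15.0   # assumption: >= 15% of total investment -> A
B_MIN_PERCENT = 8.0    # assumption: >= 8% -> B; below that -> C

# Taken from the ABC example slide: item code -> average investment
AVERAGE_INVESTMENT = {1: 1700, 2: 270, 3: 1440, 4: 720, 5: 3300, 6: 540}


def percent_of_total(investments):
    """Each item's average investment as a percentage of the total, 1 decimal."""
    total = sum(investments.values())
    return {code: round(100.0 * value / total, 1) for code, value in investments.items()}


def abc_class(percent):
    """Grade one item from its share of total investment."""
    if percent >= A_MIN_PERCENT:
        return "A"
    if percent >= B_MIN_PERCENT:
        return "B"
    return "C"


def classify(investments):
    """Return {item: (investment, percent, class)}, highest investment first."""
    pct = percent_of_total(investments)
    rows = {code: (investments[code], pct[code], abc_class(pct[code]))
            for code in investments}
    return dict(sorted(rows.items(), key=lambda kv: kv[1][0], reverse=True))


def control_regime(cls):
    """The control and monitoring intensity the slides prescribe per class."""
    return {
        "A": "tight control and monitoring; never a stock-out",
        "B": "less control and monitoring; stock kept on hand",
        "C": "order only when requested by clients",
    }[cls]


def class_share(investments):
    """Share of total investment carried by each class (the Pareto view)."""
    share = {"A": 0.0, "B": 0.0, "C": 0.0}
    for _, pct, cls in classify(investments).values():
        share[cls] += pct
    return {cls: round(value, 1) for cls, value in share.items()}


if __name__ == "__main__":
    for code, (inv, pct, cls) in classify(AVERAGE_INVESTMENT).items():
        print(f"item {code}: {inv:>5}  {pct:5.1f}%  {cls}  -> {control_regime(cls)}")
    print(class_share(AVERAGE_INVESTMENT))
```

Three A-items carry about four fifths of the investment, which is why the slides concentrate the tight controls there.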
Risk index: risk index = severity x likelihood

likelihood 5 |  5  10  15  20  25
likelihood 4 |  4   8  12  16  20
likelihood 3 |  3   6   9  12  15
likelihood 2 |  2   4   6   8  10
likelihood 1 |  1   2   3   4   5
             +--------------------
  severity   |  1   2   3   4   5

Risk management strategy: the same matrix divided into two regions
- Unacceptable risks: the high-index cells towards the top right (high severity and high likelihood)
- Acceptable risks: the remaining low-index cells towards the bottom left

Control to minimize risks (diagram: objective, risk, process, control)
- Inherent risk: before the assessment of any controls
- Residual risk: after the assessment of any controls
Control activities
Management develops policies and procedures to ensure that directives are followed and that necessary actions are taken to address risks that would impede achieving its objectives. Control activities include authorization, verification, reconciliation, review of operating performance, security of assets, and segregation of duties.

Control activities
- Safeguarding of assets
- Compliance with laws, regulations, contracts
- Accomplishment of objectives
- Economy, efficiency and effectiveness
- Reliability and integrity of information

Internal control as per traditional IIA definition

Definition of internal control
- Document your definition of internal control.
- What does it include?

Internal control: SCARE
- Safeguarding of assets
- Compliance with laws, regulations and contracts
- Accomplishment of objectives
- Reliability and integrity of information
- Economy, efficiency and effectiveness

Safeguarding of assets
- Physical safeguards
- Access control
- Segregation of duties

Compliance
- Laws and regulations
- Policies and procedures
- Contractual obligations

Accomplishment of objectives
- Strategic plans
- Operational plans
- Key measurable objectives
- Key measurable indicators
- Management information
- Exception reporting

Reliability and integrity of information
- Validity
- Accuracy
- Completeness
- Timeliness

3 x E's
- Economy
- Effectiveness
- Efficiency

Monitoring
Management monitors the internal control structure through ongoing monitoring activities and through separate evaluations. The scope and sequence of separate evaluations depend on the assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies are reported upstream, and serious matters are reported to management / Cabinet.

Detection controls
- We are drowning in information, but starved of knowledge.
- We receive unfiltered information.
- Detection is not a priority.

Control risk assessment: remember SCARE???
- Safeguarding of assets
- Compliance with laws ...
- Accomplishment of objectives
- Reliability and integrity of information
- Economy, effectiveness and efficiency

Control risk: S
- Inadequate/ineffective physical safeguarding
- Inadequate/ineffective access control
- Inadequate/ineffective segregation of duties

Control risk: C
- Non-compliance with laws and regulations
- Non-compliance with policies and procedures
- Non-compliance with contractual obligations

Control risk: A
- Inadequate strategic plan
- Inadequate operational plans
- Inadequate/ineffective key measurable objectives
- Inadequate/ineffective key measurable indicators
- Inadequate/ineffective management information
- Inadequate/ineffective exception reporting

Control risk: R
Inadequate/ineffective processes to prevent:
- Invalid processing
- Inaccurate processing
- Incomplete processing
- Untimely processing

Control risk: E
- Ineffective processes
- Inefficient processes
- Uneconomic processes

Risk and control matrix template (columns: Objective | Risk | I | L | A | Control | Type: preventative/detective | Nature: manual/IT | CAA | CEA)
- S: inadequate physical safeguards; inadequate access control; inadequate segregation of duties
- C: inadequate process to ensure compliance with laws/regulations; inadequate process to ensure compliance with contracts
- R: inaccurate ...; incomplete ...; invalid/unauthorised ...; untimely ...
- E: ineffective ...; inefficient ...; uneconomic ...
COSO (recap): all five components must be present and functioning before a control system can be effective

Audit objectives
To evaluate the adequacy and effectiveness of the internal control systems that ensure
- S
- C
- R
- E

Audit objectives
To evaluate the adequacy and effectiveness of the internal control systems (choose prevention, detection or correction) that ensure
- S
- C
- R
- E

Audit objectives
To evaluate the adequacy and effectiveness of the prevention controls that ensure
- R: reliability and integrity of information

Audit objectives
To evaluate the adequacy and effectiveness of the controls that ensure
- R: reliability and integrity of the purchase order

Risks
- Inaccurate purchase order
- Incomplete purchase order
- Unauthorized purchase order
- Untimely purchase order

Inaccurate purchase orders: preventative control / detection control

Unauthorized purchase orders: preventative control / detection control

Untimely purchase orders: preventative control / detection control

Inaccurate purchase orders: preventative control / detection control

COSO (recap): all five components must be present and functioning before a control system can be effective

Risk response (likelihood versus severity matrix, both rated 1 to 5)
- Before: the risk sits at high likelihood
- Risk reduction: controls move it down the likelihood axis
- After: the risk sits at likelihood 1

Control assessment (diagram: objective, risk, process, control)
- R > C: inadequate
- C > R: inefficient
- C = R: adequate/effective
- Co.C > Co.R: uneconomic
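The risk index matrix, the acceptable/unacceptable split, the before/after risk response and the control assessment rules above, as one added example that is not from the slides; the acceptability threshold (index 10 and above is unacceptable) and the way R versus C and Co.C versus Co.R are mapped onto the index are assumptions.

```python
# Added example, not from the slides: the 5x5 risk index matrix, the
# acceptable/unacceptable split and the control assessment rules (R vs C,
# Co.C vs Co.R). The acceptability threshold is an assumption.

SCALE = range(1, 6)
ACCEPTABLE_MAX = 9   # assumption: index <= 9 acceptable, >= 10 unacceptable


def risk_index(severity, likelihood):
    """risk index = severity x likelihood, both rated 1..5."""
    if severity not in SCALE or likelihood not in SCALE:
        raise ValueError("severity and likelihood must be rated 1 to 5")
    return severity * likelihood


def risk_matrix():
    """Rows are likelihood 5 down to 1, columns severity 1..5, as on the slide."""
    return [[risk_index(s, l) for s in SCALE] for l in reversed(SCALE)]


def is_acceptable(index):
    return index <= ACCEPTABLE_MAX


def unacceptable_cells():
    """(severity, likelihood) pairs in the unacceptable region of the matrix."""
    return [(s, l) for l in SCALE for s in SCALE
            if not is_acceptable(risk_index(s, l))]


def assess_control(severity, likelihood_before, likelihood_after, control_cost, risk_cost):
    """Classify a control per the control assessment slide.

    Inherent risk uses likelihood_before, residual risk likelihood_after (the
    risk response slide: controls move the risk down the likelihood axis).
    control_cost and risk_cost (expected loss) are in the same currency.
    The mapping of the slide's rules onto the index is an assumption:
      R > C  (inadequate):       residual risk is still unacceptable
      C > R  (inefficient):      one step less control would still be acceptable
      Co.C > Co.R (uneconomic):  the control costs more than the risk it treats
      C = R  (adequate/effective): none of the above
    """
    inherent = risk_index(severity, likelihood_before)
    residual = risk_index(severity, likelihood_after)
    findings = []
    if not is_acceptable(residual):
        findings.append("inadequate (R > C)")
    elif (likelihood_after < likelihood_before
          and is_acceptable(risk_index(severity, likelihood_after + 1))):
        findings.append("inefficient (C > R)")
    if control_cost > risk_cost:
        findings.append("uneconomic (Co.C > Co.R)")
    if not findings:
        findings.append("adequate/effective (C = R)")
    return {"inherent": inherent, "residual": residual, "findings": findings}


if __name__ == "__main__":
    for row in risk_matrix():
        print(" ".join(f"{v:2d}" for v in row))
    print("unacceptable cells:", unacceptable_cells())
    # constructed: severity 5, likelihood reduced from 3 to 1 by a R 2 000 control
    print(assess_control(5, 3, 1, control_cost=2_000, risk_cost=50_000))
```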
Example

Practical exercise
- Process overview flowchart
- SCRE
- Audit objective
- Risk areas
- Preventative and detection controls
- Audit opinion

Supplier master file changes (flowchart)
- Input: phone call with password to cell phone; enter data; bank EDI
- Processing: application program; suppliers master file
- Output: exception reports (number of changes; frequency); email the change details to the supplier

Purchase-to-payment process (flowchart)
- Documentation: purchase order; goods received note, supplier delivery note, invoice; cheque payment / EFT requisition
- Input: enter data
- Processing: application program; purchase transaction file; cash disbursement transaction file; general ledger transaction file; suppliers master file; accounts payable master file; general ledger master file
- Output: cheque; remittance advice; purchase journal; disbursements journal; general ledger summary; exception reports and KPIs

SCRE overlay on the flowchart: S C R E applied to each of the purchase order / goods received note, supplier delivery note, invoice (enter data), the application program, the purchase transaction file and the suppliers master file

Audit objective: to evaluate the adequacy and effectiveness of the controls relating to reliability and integrity of:
- Asset count forms
- Asset removal forms
- Capturing
- Processing
- Updating the fixed asset register

SCRE overlay on the flowchart (worked): enter data from purchase order / goods received note, supplier delivery note, invoice: E, S, SR; application program: R; purchase transaction file: R; suppliers master file: R

Lesotho objective
- To verify the correctness of the requested amount of M 15 m
- To check the adequacy of internal controls in place
- To make recommendations based on the findings

Audit objective
To evaluate the adequacy and effectiveness of controls relating to:
- Safeguarding of assets in the goods received area
- Reliability and integrity of information in the: capturing phase; processing phase; updating the PTF; updating the SMF
- Economic, effective and efficient use of resources in the ordering phase

Audit opinion
The controls relating to:
- Safeguarding of assets in the goods received area
- Reliability and integrity of information in the: capturing phase; processing phase; updating the PTF; updating the SMF
- Economic, effective and efficient use of resources in the ordering phase
are adequate and effective.

Audit objective
To evaluate the adequacy and effectiveness of controls relating to:
- Safeguarding of assets (access control): allocation of unique supplier profile passwords in the capturing phase
- Reliability and integrity of information in the: capturing phase; processing phase; updating the SMF; exception reports (quantity and frequency); email confirmations

Audit opinion
The controls relating to:
- Safeguarding of assets (access control): allocation of unique supplier profile passwords in the capturing phase; the availability of the suppliers file
- Reliability and integrity of information in the: capturing phase; processing phase; updating the SMF; exception reports (quantity and frequency); email confirmations
are adequate and effective.

Risks: 22 in total
- Inadequate physical safeguarding of assets / access control / segregation of duties [3]
- Inaccurate capturing/processing/updating of PTF and SMF [4]
- Incomplete capturing/processing/updating of PTF and SMF [4]
- Invalid capturing/processing/updating of PTF and SMF [4]
- Untimely capturing/processing/updating of PTF and SMF [4]
- Uneconomic, ineffective, inefficient use of resources in the purchase order phase [3]
Two ways of auditing IT
- Around the computer: IT auditing for non-IT auditors
- Through the computer: IT specialist

Data capture controls
- Data capture = manual procedure covering initiation, approval, authorisation, review and preparation of documents for source transactions
- User department function
- Both batch and on-line entry systems
- Designed to ensure reliability and integrity of data before data enter the computer application system

Data capture controls: risks
- Accounting system:
  - Valid and completed source transactions may be omitted from data capture
  - Inaccurate source data
  - Inaccurate capturing/cut-off of source transactions
  - Inaccurate valuation/classification of source data
  - Invalid source transaction
- Control procedures:
  - Valid and completed source transaction may be captured more than once
  - Errors may not be properly detected, corrected and resubmitted
  - Source transactions may be unauthorized
  - Source transaction may be lost

Types of controls
- Prevention
- Detection
- Correction

Prevention objectives
- To ensure reliability and integrity of information (R)
- To ensure proper safeguarding of assets (S)
- To ensure reliable, accurate and complete, authorized, approved and secure source data
Application controls:
- User procedure manuals
- Source document design
- Pre-numbering
- Sound personnel practices
- Identification of preparer
- Evidence of approval
- Forms security: unused forms and document management
- Segregation of duties

User procedure manual
- Written procedures encourage consistent performance of data capture responsibilities
- Include:
  - Guidelines for document preparation
  - Flow of documents within the department and to data processing
  - Schedules for data capturing and cut-off dates
  - Requirements for control over data prior to transmittal to data processing
  - Scope of management review and approval of work performed
  - Names of individuals authorized to review and approve documents
  - Identification of proper evidence of approval

Source document design
- Use of special formats and preprinted data to ensure conformity of work performed to written procedures
- Special formats = use of specific boxes for authorisation signatures, control totals, footing and cross-footing balances and retention dates
- Preprinted data = include repetitive items such as form number and title, department responsibility, transaction code and product number
- Conformity = completeness, accuracy and proper authorisation

Pre-numbering
- Unique identification of transactions
- Reduces the likelihood that a transaction will be lost or omitted

Sound personnel practices
- Ensure hiring of competent personnel
- Continuing evaluation of individual performance
- Periodic rotation of assignments
- Required vacations
- Bonding of key personnel

Identification of preparer
- Identification provided by: signature; initials; employee number; terminal entry; sign-on codes; logs of physical access to terminals
- Increases the likelihood that segregation of duties is followed

Evidence of approval
- Authorized signatory
- If there is no source document, review and approval may be a subsequent review of the transaction source listing, or approval during data entry
- Authorized signature on the source listing = evidence of subsequent approval
- Terminal entry = approval code in the transaction record

Forms security
- Physical controls over forms
- Signatures for the release of forms for source document preparation
- Reduces the likelihood of unauthorized or invalid transactions

Segregation of duties
- Four types of separation:
  - Custody of assets from the data capture function
  - Authorisation of transactions from custody of the related assets
  - Functions of transaction authorisation and source document preparation
  - Error correction from initiation and source document preparation
- Reduces the likelihood of unintentional errors

Detection objectives
- To ensure that unreliable, improper, unauthorized, invalid or lost source data are detected
Application controls:
- Batch controls
- User review

Batch controls
- Batch number: keeps track of receipt or transmittal of batches
- Limiting the number of transactions in a batch: facilitates reconciliation when a batch is out of balance
- Control totals for the number of transactions, amounts and quantities in the batch: permit subsequent discovery of loss of items or changes in data, through reconciliation of the source data control totals with the output upon completion of processing
- Control totals are usually recorded manually by the user in a control log
- The log records the time and place of batch transmittal and receipt, with an attached transmittal ticket, and controls the flow of data from one user to another

User review
- Manual review performed by the user prior to transmittal of data
- Purpose = to check source documents, transmittal tickets and control logs for completeness, accuracy and conformity with department policy

Correction objectives
- To ensure that unreliable, improper, unauthorized or invalid source data are, if appropriate, corrected and resubmitted for data capture
- Error correction procedures
- Audit trail

Error correction procedures
- Written error correction procedures should include:
  - Description of common errors
  - Correction procedures
  - Directions for resubmitting transactions
- Resubmitted source documents are reviewed for errors in the same way as documents after initial preparation
- Entry in an error log for each erroneous source document, including:
  - Batch number
  - Transaction number
  - Cause of error
  - Date of occurrence
  - Date of correction and resubmission
  - Initials of user personnel
- Review of the log will show that errors have been corrected and resubmitted on a timely basis

Audit trail for data capture
- Consists of a copy of the source documents or a listing of source transactions
- Source documents can be manually prepared during data capture or printed by the terminal as a by-product of transaction processing
- The auditor will trace original source documents filed by batch (normally sequentially filed)
- Where no source documents are used, a source list is produced as the audit trail; the auditor will use the computer to reference source lists on disk or tape
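The batch controls and pre-numbering check from the detection slides, together with the error log entry from the error correction slide, as an added example that is not part of the course material; the batch size limit, the transmittal ticket and the captured transactions are constructed.

```python
from dataclasses import dataclass

# Added example (not from the slides): batch number, batch size limit and
# control totals (detection), the pre-numbering check (prevention slide) and
# the error log entry (correction slide). All data below is constructed.

MAX_BATCH_SIZE = 50   # assumed limit on transactions per batch


@dataclass(frozen=True)
class SourceTransaction:
    doc_number: int     # pre-numbered source document
    amount: float
    quantity: int


@dataclass(frozen=True)
class TransmittalTicket:
    batch_number: str
    count: int          # control totals recorded by the user before transmittal
    total_amount: float
    total_quantity: int


@dataclass(frozen=True)
class ErrorLogEntry:
    batch_number: str
    transaction_number: str
    cause: str
    date_of_occurrence: str
    date_of_correction: str = ""   # filled in when corrected and resubmitted
    initials: str = ""


def control_totals(transactions):
    """Count, amount and quantity totals for a batch, as the user records them."""
    return (len(transactions),
            round(sum(t.amount for t in transactions), 2),
            sum(t.quantity for t in transactions))


def numbering_check(transactions):
    """Duplicates = captured more than once; gaps = possibly lost or omitted."""
    seen, duplicates = set(), []
    for t in transactions:
        if t.doc_number in seen:
            duplicates.append(t.doc_number)
        seen.add(t.doc_number)
    gaps = [n for n in range(min(seen), max(seen) + 1) if n not in seen] if seen else []
    return duplicates, gaps


def reconcile_batch(ticket, captured, today):
    """Reconcile captured output with the ticket's control totals; return error log entries."""
    errors = []

    def log(txn, cause):
        errors.append(ErrorLogEntry(ticket.batch_number, txn, cause, today))

    if len(captured) > MAX_BATCH_SIZE:
        log("batch", f"batch size {len(captured)} exceeds limit of {MAX_BATCH_SIZE}")
    count, amount, quantity = control_totals(captured)
    if count != ticket.count:
        log("batch", f"record count {count} differs from ticket count {ticket.count}")
    if amount != round(ticket.total_amount, 2):
        log("batch", f"amount total {amount:.2f} differs from ticket total {ticket.total_amount:.2f}")
    if quantity != ticket.total_quantity:
        log("batch", f"quantity total {quantity} differs from ticket total {ticket.total_quantity}")
    duplicates, gaps = numbering_check(captured)
    for n in duplicates:
        log(str(n), "duplicate capture of a pre-numbered source document")
    for n in gaps:
        log(str(n), "pre-numbered source document missing from batch (possibly lost)")
    return errors


# Constructed: the user prepared documents 1001-1005 and recorded the totals.
TICKET = TransmittalTicket("B-0417", count=5, total_amount=1400.00, total_quantity=45)
# Constructed: what data processing captured; 1002 keyed twice, 1003 never captured.
CAPTURED = [SourceTransaction(1001, 300.00, 10), SourceTransaction(1002, 200.00, 8),
            SourceTransaction(1002, 200.00, 8), SourceTransaction(1004, 350.00, 12),
            SourceTransaction(1005, 400.00, 10)]

if __name__ == "__main__":
    for entry in reconcile_batch(TICKET, CAPTURED, "2018-03-15"):
        print(entry)
```

The record count alone still balances in this batch; only the amount and quantity totals and the pre-numbering check surface the duplicate and the lost document, which is why the slides call for more than one control total.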
Control environment Objective setting Event identification Risk assessment Risk response Control activities Information/communication Pertinent information – from internal and external sources – must be identified, captured and communicated in a form and timeframe that enable personnel to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity.
Risk and control matrix SCO Safeguard goods received Risk Inadequate physical security over goods received Control activity Maintain physical security over goods received Segregate custodial and record keeping functions CAA Best practice
Control analysis Added value opportunity Control activity Maintain physical security over goods received Segregate custodial and record keeping functions Prevention Detection IT Manual Computerise to increase efficiency, economy, effectiveness IT management information allows for effective detection controls Detection control allows development of prevention controls
Added value Inadequate controls x I M P A C T Recommendation I M P A C T x Likelihood = Added value
Audit report - finding Finding l Clear l Concise l Factual l l Inadequate Inefficient Ineffective Uneconomic
Determine the causes
- Determine what circumstances, if any, caused the identified weaknesses.
- Consider the materiality of the effect before spending much time determining causes.
- Determine if participants understand both the purpose of the process and their role in it.
- Determine if the relationship between the accounts payable process and other department processes is clear.
- If the process occurs at multiple locations, determine the nature and scope of communication and coordination among the components.
Determine the causes (continued)
- Determine if the accounts payable process has adequate human, rand, time and asset resources. If inadequate, determine if resources have been allocated according to the materiality of the accounts payable process relative to other processes.
- Negative trends in reports used to monitor outcome(s): determine if the reports are communicated to and used by the appropriate parties to modify the process.
- Determine what internal or external constraints or barriers, if any, must be removed in order to overcome the identified weaknesses.
- Review applicable laws or regulations to determine if any of them prevent necessary changes from being made in the accounts payable process.
Determine the effect
- Compare the actual process to a recommended alternative process(es) and determine if each weakness in the department process is material. Materiality can be measured by comparing the rand cost, impact on economy, risks, etc. of the actual process to the recommended alternative process(es).
- Measurements can be quantitative, qualitative, or both.
- Identify benchmarks (industry standards, historical internal data, other comparable departments, etc.) for the process in question and compare them to actual performance.
- Measure the difference, if possible.
- Include the cost of additional controls or changes in the process.
Determine the effect (continued)
- Estimate the cost of the actual process and the alternative process(es) and compare.
- Estimate the quantity and/or quality of services provided by the actual process and by the alternative process(es) and compare.
- Identify the risks associated with the actual process and with the alternative process(es). Measure and compare the risks.
Develop recommendations
- Develop specific recommendations to correct weaknesses identified as material.
- In developing recommendations, consider tailored criteria, the kind of process and control weaknesses identified, causes and barriers, effects, and additional resources.
- Solicit solutions and recommendations from the client.
- Identify alternative solutions used by other business units.
- Identify solutions for removing barriers.
- Provide general guidelines as to the objectives each solution should meet; the department can then tailor the solution to its specific situation.
- Provide specific information, if available, on how each recommendation can be implemented.
Cause directs the recommendation
Root cause of the finding (impact x likelihood chart):
- What was the inherent risk?
- Did management agree?
- Root cause?
Typical root causes:
- Lack of budget/staff/skills?
- Inadequate detection
- Inadequate management information systems
- Lack of responsibility and accountability
- Infrastructure
Effect (impact x likelihood chart)
- What is the effect?
- How will it be changed?
- How will it be monitored?
- Does it reduce accountability?
Recommendation = responsibility
Recommendation - teamwork:
- real time/online
- detection focused
- reduce risk
- change likelihood/root cause
- reduce effect/impact
- enhance effectiveness, efficiency and economic use of resources
- assign responsibility
Management comment
- Accept the recommendation, or
- Accept the risk
Audit report - recommendation
Inadequate:
- Recommend a new control that changes the effect (residual risk)
- Measure the change
- Cost and benefit
Inefficient:
- Difference between the basic control and best practice
- Measure the change
Ineffective:
- Non-compliance
- Cause
- Disciplinary action
Audit report
- Criteria
- Condition
- Cause and effect
- Recommendation: How to fix it
- Management comment: Accept? What? When? Who?
Audit report - process
1. Finding worksheet
2. Review by AD (effectiveness) - IA
3. Benchmark and review by DD (adequacy) - AD
4. Final draft audit report
5. Auditee comments
6. Quality control
7. Final audit report
8. Audit report
Audit opinion
The prevention controls that ensure R (reliability and integrity of information) are adequate and effective.
Audit opinion: adequacy and efficiency
Controls are:      | Efficient | Inefficient
Adequate           | 1         | 2
Partially adequate | 3         | 4
Inadequate         | N/A       | 5/6
Audit report
- Title of the finding
- Finding: Criteria, Condition, Cause, Effect (root cause analysis)
- Recommendation
- Responsibility: include in job descriptions!
- Management comment
- Accountability: accept the recommendation or accept the risk!
Follow up (process flow)
- Audit scope and objectives
- Document system (POF)
- Likelihood assessment
- Identify weaknesses
- Inadequate opinion
- Recommendations
- Follow-up audit (no compliance work)
- Likelihood assessment
- Adequate controls
- Effectiveness audit
- ADD VALUE
Follow up
1. Identify the scope for the follow-up audit
2. Select the sample size and items to be tested
3. Execute the audit work
4. Develop informal queries and discuss with the client
5. Report to management