P A R T N E R
Don Sparks
VP Industry Relations
(888) 641-2800 x [email protected]
Shorten the Auditing Life Cycle
Nothing moves auditors into the board room faster than finding previously undetected anomalies in
corporate data!
“..it Happens”
• On March 11, 2015, a chief audit & compliance officer received an anonymous, hand-written letter stating that a vendor account needed to be investigated.
Findings:
• Back in March 2001, an employee created a shell vendor mail box and bank account. For the next 14 years this same employee submitted and approved over 200 invoices totaling almost $10 million.
What is the response?
• Financial Auditors – Are the transactions properly recorded and presented in the financial statements? Did we look at any of these transactions? [historical view]
• Operational Auditors – Was the VMF in the audit universe? Do we have this area in our current or future audit plans? [future view]
• Board & Senior Mgmt – Were controls side-stepped or missing? When do you tell them? [Want answers now!]
• What do your customers think?
Study & Understand the IPPF
• 1000.A1 – assurance services defined in audit committee charter
• 1000.C1 – consulting services defined in audit committee charter
• 1300 – Quality Assurance and Improvement Program – CAE must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity
• 2010 – CAE must establish a risk based plan and determine the priority of activity using management’s framework and risk appetite levels. If none exists, the CAE uses his/her own.
• 2010.A1 – The CAE must use a documented framework, undertaken at least annually
• 2050 – Coordination between internal and external audit to ensure coverage and minimize duplication of efforts
• 2210 – Engagement Objectives - Objectives must be established for each engagement.
• 2210.A1 – IA must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.
Study & Understand the IPPF pg2
2120.A1 – The IA activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding the following:
• Achievement of the organization’s strategic objectives;
• Reliability and integrity of financial and operational information;
• Effectiveness and efficiency of operations and programs;
• Safeguarding of assets; and
• Compliance with laws, regulations, policies, procedures, and contracts.
2120.A2 – The IA activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
Study & Understand the IPPF pg3
Practice Advisory 2010-1: Linking the Audit Plan to Risk and Exposures, suggests the following risk factors, among others, should be considered:
• Impact, Likelihood, Dollar materiality
• Asset liquidity
• Quality of internal controls
• Degree of change or stability
• Complexity
• Management competence
• Results of last audit
• Government relations
Internal Auditing Governance Questions:
1. When does your staff first “LOOK” at data files used by the audit client?
2. Have you standardized on a performance metric? Do you need one?
3. Do you have a deadline for presenting your “next plan”? If yes, to whom? Do you include external audit and/or regulators in the plan process?
4. Quick Demo of Data Analysis with IDEA
IPPF – Practice Guide: Measuring IA Effectiveness and Efficiency
The simple answer is “Yes”. Once key effectiveness and efficiency measurements and targets have been identified, a monitoring process and method of reporting to stakeholders should be established (format, timing and metrics).
Note: the standards do not address IA maintaining a timekeeping process, and functions have drastically simplified or completely eliminated them.
Performance Metrics to Consider
• Contribution level of improving risk management GRC processes
• Achievement of key goals and objectives
• Evaluation of progress against audit activity plan
• Improvement in staff productivity
• Increase in efficiency of the audit process
• Increase in number of action plans for process improvements
• Adequacy of engagement planning and supervision
• Effectiveness in meeting stakeholders’ needs
• Results of QA assessments and IA activity’s quality improvement program
• Effectiveness in conducting the audit
• Clarity of communications with the audit client and the board
Annual Auditing Function Planning
Planning
Testing
Report Writing
Open Issue Follow-up
QA before Opening Conference
QA before Closing Conference
Validate test plans with audit client
Client/Auditor meeting on Data Analysis E&E
1. Performance Metric
Annual Auditing Function Planning
• Hot Line Analysis
• Audit Client Satisfaction Survey Analysis
• Officer T&E Expenses
• Code of Conduct Return Analysis
• Officer Payroll
• Officer Bonus Plan review
• Stock Program (Phantom) Allocation
• Prior Year Results (include repeat issues)
• Update Anti-Fraud Review from prior years
Annual Auditing Function Planning – pg2
• Training
• Staffing – including 3rd party resources
• Tools/Technologies
• IA Charter update
• Consider graphical or table representations in final audit reports – picture can save time
• Update Audit Universe – always take a complete quick list to every board meeting
• Effective use of Management Letters instead of lengthy, time-consuming reports
Develop a Risk Based Audit Plan
1. Determine & Update the Audit Universe
2. Identify events that raise risks and opportunities
3. Score events of probability and impact (after mgmt actions to mitigate risk)*
4. Use priority factors to rank audit plan
5. Present & defend strategic directives and audit work plan for management review
* Must be accomplished even if management does not maintain a risk register
Risk Assess Top Down vs. Bottom Up?
• Level 0: Data
• Level 1: Process
• Level 2: Project/Department
• Level 3: Vertical/Functional
• Level 4: Business Unit
• Level 5: Organization
Internal Auditing
Management
“Better” Risk Profile; Risk Rank Vendor

| Characteristics | Red | Yellow | Green |
|---|---|---|---|
| Spend Amount | >1m | >500k | >100k |
| Type of Spend | Labor, allocations | Material, equip | Services |
| Contract Complexity | High | Med | Low |
| Contract Type | Cost Plus | Hybrid | Fixed Fee |
| Relationship Origin | Sole sourced | Hybrid | Competitive bid |
| Historical Relationship | Poor | Neutral | Trusted Advisor |
| Business Results/Issues | Open civil/criminal, bankruptcy | Multiple undisclosed related entities | No undisclosed related entities |
| Analytical Results/Issues | Many exceptions | Some exceptions | No exceptions |
| Audit Rights | None | Standard | Strong |
| Vendors Structure | Decentralized | Some issues | Centralized billing and accounting |
“Best” Solution – Transactional Tests
• It is important to analyze the data from several different perspectives. For example, duplicate testing on different combinations of fields (name, address, bank account number, tax ID number), as well as sophisticated matching methods (e.g. full name match, part name match, sounds like match) between employee and vendor files.
• Auditing vendor files is generally the best way to quickly risk assess where the issues may lie, as auditing transactional data can be overwhelming. Therefore, once you’ve cleaned house within the vendor master file, you’ll be ready to move on to analyzing transactional data, now armed with a list of vendors that are most likely to cause failure.
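The vendor-file tests described above, sketched in Python as an added example (it is not part of the original presentation and is not IDEA functionality). The records are constructed, and the field names `bank` and `tax_id` are assumptions.

```python
import re

# Constructed sample records (not from the deck); field names are assumptions.
VENDORS = [
    {"id": "V001", "name": "Acme Supply Inc.", "address": "100 Industrial Way", "bank": "111000025-44871", "tax_id": "12-3456789"},
    {"id": "V002", "name": "ACME SUPPLY, INC", "address": "100 Industrial Way", "bank": "222000111-5550", "tax_id": "12-3456789"},
    {"id": "V003", "name": "J. Smyth Consulting", "address": "42 Elm St.", "bank": "222000111-5550", "tax_id": "98-7654321"},
]
EMPLOYEES = [{"id": "E10", "name": "John Smith"}, {"id": "E11", "name": "Maria Lopez"}]
CODES = {c: str(d) for d, g in enumerate(["BFPV", "CGJKQSXZ", "DT", "L", "MN", "R"], 1) for c in g}

def norm(s):
    """Uppercase, drop punctuation and collapse spaces so cosmetic differences still match."""
    return " ".join(re.sub(r"[^A-Z0-9 ]", "", s.upper()).split())

def soundex(word):
    """American Soundex code, used as the 'sounds like' key (SMITH and SMYTH both give S530)."""
    word = re.sub(r"[^A-Z]", "", word.upper())
    out, prev = word[:1], CODES.get(word[:1], "")
    for ch in word[1:]:
        code = CODES.get(ch, "")
        if code and code != prev:
            out += code
        if ch not in "HW":          # H and W do not separate repeated codes
            prev = code
    return (out + "000")[:4] if out else ""

def duplicate_groups(vendors, fields):
    """Vendor IDs that share the same normalized values for one combination of fields."""
    groups = {}
    for v in vendors:
        key = tuple(norm(v[f]) for f in fields)
        if all(key):                # skip records where a compared field is blank
            groups.setdefault(key, []).append(v["id"])
    return sorted(ids for ids in groups.values() if len(ids) > 1)

def name_match(a, b):
    """Strongest match between two names: 'full', 'part', 'sounds like', or None."""
    aw, bw = set(norm(a).split()), set(norm(b).split())
    if norm(a) == norm(b):
        return "full"
    if aw & bw:
        return "part"
    sounds = ({soundex(w) for w in aw} & {soundex(w) for w in bw}) - {""}
    return "sounds like" if sounds else None

def employee_vendor_hits(employees, vendors):
    """Employee/vendor pairs whose names match, with the kind of match."""
    pairs = ((e, v, name_match(e["name"], v["name"])) for e in employees for v in vendors)
    return [(e["id"], v["id"], kind) for e, v, kind in pairs if kind]
```

Running `duplicate_groups` once per field combination shows why several perspectives matter: V001 and V002 pair up on name plus address and on tax ID, while the shared bank account links V002 to V003.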
VMF Tech-Enabled Tests
1. Scope analysis of top ## vendors during a three year period looking for vendors in the top replaced without good reason
2. Risk assessing your current vendor master file
3. Vendor Setup walk through
4. Process for revalidating approved Vendor list [False (shell) Vendors]
5. After the fact purchase orders
6. Test round sum of payments
7. Payments almost immediately after setup
Tech-Enabled Tests (cont.)
8. Payments from inactive vendors
9. Stratification or pivot table payables approval levels
10. Benford's law
11. Holding credit balances on inactive accounts
12. Inconsistent invoice number length test
13. Nepotism - adding “relatives” living in same house
14. Payments to PO boxes
15. Round number tests
16. Payments on weekends or late at night
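Four of the tests listed above (round sums, payments right after vendor setup, weekend payments and Benford's law), sketched in Python as an added example that is not part of the original presentation or of IDEA. All data is constructed; the field names, the 1,000 rounding unit, the 7-day window and the 5,000 approval limit are assumptions.

```python
import math
from collections import Counter
from datetime import date

# Constructed sample data (not from the deck); field names and thresholds are assumptions.
VENDOR_SETUP = {"V001": date(2014, 1, 6), "V003": date(2015, 3, 2)}
PAYMENTS = [
    {"vendor": "V001", "amount": 1843.27, "paid": date(2015, 3, 4)},   # Wednesday
    {"vendor": "V003", "amount": 5000.00, "paid": date(2015, 3, 5)},   # 3 days after setup
    {"vendor": "V003", "amount": 9000.00, "paid": date(2015, 3, 7)},   # Saturday
]

def flag_payment(p, setup, round_to=1000, setup_days=7):
    """Return the tests a payment trips: round sum, paid soon after vendor setup, weekend."""
    flags = []
    if round(p["amount"] * 100) % (round_to * 100) == 0:   # compare in cents, not floats
        flags.append("round sum")
    if (p["paid"] - setup[p["vendor"]]).days <= setup_days:
        flags.append("soon after setup")
    if p["paid"].weekday() >= 5:                            # 5 = Saturday, 6 = Sunday
        flags.append("weekend")
    return flags

def benford_excess(amounts):
    """Observed minus expected share of each leading digit 1-9 under Benford's law."""
    digits = Counter(int(f"{abs(a):e}"[0]) for a in amounts if a)
    n = sum(digits.values())
    return {d: digits[d] / n - math.log10(1 + 1 / d) for d in range(1, 10)}

def most_overrepresented_digit(amounts):
    """Leading digit whose observed share exceeds the Benford expectation the most."""
    excess = benford_excess(amounts)
    return max(excess, key=excess.get)

# Constructed populations: a geometric series follows Benford closely; the second adds
# 60 payments just under a hypothetical 5,000 approval limit.
CLEAN = [round(1.07 ** k, 2) for k in range(1, 200)]
SPLIT = CLEAN + [4900 + k for k in range(60)]
```

The spike at leading digit 4 in `SPLIT` is the pattern that a stratification of payables by approval level would then confirm.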
Key Accounts Audit Solutions “Ready to Run” Tests (total 183)
• Accounts Payable (15 total tests)
• Expense Controls (17 total tests)
• Fixed Assets (18 total tests)
• General Ledger Controls (20 total tests)
• Inventory Controls (21 total tests)
• Journal Entries (14 total tests)
• Payroll Controls (33 total tests)
• Procurement Controls (23 total tests)
• Travel Expense Controls (22 total tests)
Introduction to AuditNet.Org
A Digital Online Resource for Auditors
• Join over 200,000 global users
• More than 2,000 audit templates
• 15,000+ audit procedures and work papers
• More articles and Surveys posted monthly
Demonstration VMF Tests
• Create Managed Project – VMF
• Store Client provided VMF & import
• Set screen, check data fields & reconcile
• Top 5 vendors test
  – Add auditor tickmark block
  – Add auditor comment block
• Find all payments sent to a PO Box
• Make the tests repeatable for follow-up
Questions?
If it takes you more than 20 minutes to
utilize any IDEA function or feature,
contact us for assistance.
IDEA Help Desk
888.641.2800 Option [email protected]
Don Sparks
VP Industry Relations
(888) 641-2800 x 1877