iia general powerpoint template · tallahassee chapter exercise 2 ... •are reviewed by internal...

11/18/2018

1

TALLAHASSEE CHAPTER

Performing the Engagement

Emphasize the Basics Elevate the Standards

November 27-28, 2018

Sarah Beth Hall

Inspector General

Florida Office of Early Learning

TALLAHASSEE CHAPTER


(IPPF 2300)

• Identifying Information (IPPF 2310)

• Analysis and Evaluation (IPPF 2320)

• Documenting Information (IPPF 2330)

TALLAHASSEE CHAPTER


IPPF Standard 2300: Internal auditors

must identify, analyze, evaluate, and

document sufficient information to achieve

the engagement’s objectives.

11/18/2018

2

TALLAHASSEE CHAPTER


• Review Planning Documentation

– Engagement objectives & scope

– Identified criteria

– Risk and Control Matrix

– Process maps, flowcharts, and/or

narratives

– Results of control design evaluations

– Plan & approach for testing key controls

TALLAHASSEE CHAPTER


• Conduct audit procedures/ tests to gather

evidence.

• Key or primary controls must be tested.

• Secondary controls do not usually have to be

tested.

• If there is a significant design weakness, there is

usually no need to test the control.

– Determine losses

– Quantify or clarify the risk

TALLAHASSEE CHAPTER

Identifying Information


must identify sufficient, reliable, relevant,

and useful information* to achieve the

engagement’s objectives.

*includes audit evidence

11/18/2018

3

TALLAHASSEE CHAPTER


• Sufficient information is factual,

adequate, and convincing so that a

prudent, informed person would reach

the same conclusions as the auditor.

• Reliable information is the best

attainable information through the use

of appropriate engagement techniques.

TALLAHASSEE CHAPTER


• Relevant information supports

engagement observations and

recommendations and is consistent with

the objectives for the engagement.

• Useful information helps the

organization meet its goals.

TALLAHASSEE CHAPTER


• How do you identify the information/evidence?

– Review engagement objectives, the engagement

work program, and the criteria.

– Facilitate open and collaborative communication.

– Establish effective communication channels.

– Utilize a variety of testing methods to find the

evidence that leads to conclusions on

effectiveness.

11/18/2018

4

TALLAHASSEE CHAPTER


• Persuasive Audit Evidence

– Relevant

– Reliable

– Sufficient

• Relying on audit evidence that has little

or no pertinence to a specific audit

objectives greatly increases audit risk.

TALLAHASSEE CHAPTER

Types of Audit Evidence

• Testimonial Evidence – what is said

• Documentary Evidence – what is

contained in documents

• Physical Evidence – what is seen

• Analytical – obtained by comparing,

computing or analyzing data

TALLAHASSEE CHAPTER

Exercise 1 – Persuasive Audit

Evidence

Assume that an internal auditor wants to

determine whether a particular vehicle

included in the company’s fixed asset

ledger exists and is owned by the

company. The internal auditor locates the

vehicle in the company’s parking lot.

11/18/2018

5

TALLAHASSEE CHAPTER

Audit Evidence Guidelines

• Evidence is more reliable when – Obtained from independent third parties vs. from

auditee personnel.

– Produced by a process or system with effective

controls vs one with ineffective controls;

– Obtained directly by the internal auditor vs. indirectly;

– Documented vs. undocumented; and

– Timely vs. untimely.

TALLAHASSEE CHAPTER

Audit Evidence Guidelines

• Evidence is more sufficient when

–Corroborated vs. uncorroborated or

contradictory; and

–Produced from larger samples vs.

smaller samples.

TALLAHASSEE CHAPTER

Documentary Evidence - High

• Documents prepared by the internal auditor

– Inventory test counts

– Process maps

– Risk and control matrices

• Documents sent directly from a third party to

the internal auditor

– Confirmations

– Cutoff bank statements

– Letters from outside attorneys

11/18/2018

6

TALLAHASSEE CHAPTER

Documentary Evidence -

Medium

• Documents created by a third party, sent to the organization,

and requested from the organization by the internal auditor

– Vendor invoices

– Customer purchase orders

– Bank statements

• Documents created by the organization, sent to a third party,

returned to the organization, and requested from the

organization by the internal auditor

– Remittance advices

– Cancelled checks

– Deposit slips

TALLAHASSEE CHAPTER

Documentary Evidence - Low

• Documents created by the organization

and requested from the organization by

the internal auditor

– Written policy statements

– Receiving reports

– Time cards

TALLAHASSEE CHAPTER

Analysis and Evaluation


must base conclusions and engagement

results on appropriate analyses and

evaluations.

11/18/2018

7

TALLAHASSEE CHAPTER

Analysis

• Manual Audit Procedures – Inquiry,

Observation, Inspection, Vouching,

Tracing, Reperformance, Confirmation,

Analytical Procedures

• Computer-Assisted Audit Techniques

(CAATs)

TALLAHASSEE CHAPTER

Manual Audit Procedures

• Inquiry – entails asking questions, produces indirect

evidence, can be in the form of interviews, surveys,

and questionnaires.

• Practical Examples:

– Circulate a questionnaire among senior executives

asking them to identify the “top 10” risks

threatening the organization.

– Interview managers and employees involved in

the cash disbursements process to identify key

process controls.

TALLAHASSEE CHAPTER


• Observation – entails watching people, processes, or

procedures; direct evidence; only provides evidence

at a point in time

• Practical Examples:– Tour the auditee’s facility to gain a general understanding of day-to-

day operations.

– Observe the care with which employees count the year-end

physical inventory.

– Watch employees involved in executing and recording cash

disbursement transactions to determine whether the y are

performing their assigned responsibilities and only their assigned

responsibilities.

11/18/2018

8

TALLAHASSEE CHAPTER


• Inspection – entails studying documents and records

and physically examining tangible resources;

provides direct evidence and direct knowledge

• Practical Examples –

– Review the minutes of board of directors’ meetings looking

for authorization of significant events.

– Inspect selected inventory items to determine their condition

and salability.

– Read the cash disbursements policies and procedures to

obtain an understanding of key elements of the process.

TALLAHASSEE CHAPTER


• Vouching – entails tracking information backward from one

document or record to a previously prepared document, record,

or a tangible resource; tests validity


– Vouch a sample of inventory items from the accounting

records to the warehouse to see that the inventory items

exist.

– Vouch a sample of sales invoices to corresponding shipping

documents to verify that the shipments occurred.

– Vouch a sample of check copies to supporting voucher

packages to test the validity of the checks.

TALLAHASSEE CHAPTER


• Tracing – entails tracking information forward from

one document, record, or tangible resource to a

subsequently prepared document or record; tests for

completeness


– Trace internal auditor test counts of inventory to the

auditee’s inventory compilation records to verify that the

counts are properly included in the compilation.

– Trace checks dated within a period of several days before

and after year-end to the accounting recording to ensure

the checks were recorded in the proper year.

11/18/2018

9

TALLAHASSEE CHAPTER


• Reperformance – entails redoing controls or other

procedures; provides direct evidence regarding operating

effectiveness


– Recalculate accumulated depreciation and depreciation

expense to verify that they were calculated correctly.

– Independently estimate the allowance for doubtful

accounts to test the reasonableness of the account

department’s estimate.

– Reperform auditee-prepared bank reconciliations to test

whether they were completed correctly.

TALLAHASSEE CHAPTER


• Confirmation – entails obtaining direct written

verification of the accuracy of information from

independent third parties; positive or negative

confirmations; considered very reliable evidence


– Confirm a sample of accounts receivable

subsidiary ledger balances with customers.

– Confirm the principal balance of a notes-payable

and interest rate with the lender.

– Confirm cash account bank balances with banks.

TALLAHASSEE CHAPTER


• Analytical Procedures – entail assessing information

obtained during an engagement by comparing the

information with expectations identified or developed by the

internal auditor.

• Common analytical procedures include:

– Ratio, trend, and regression analysis.

– Reasonableness tests.

– Period-to-period comparisons.

– Forecasts.

– Benchmarking information against similar industries or

organizational units.

11/18/2018

10

TALLAHASSEE CHAPTER


• Analytical Procedures Practical Examples:

– Prepare common-size financial statements for the

current year and preceding two years; look

specifically for variances or unexpected trends.

– Compare the organization’s common-size financial

statement with published industry common-size

information looking for unexpected inconsistences.

– Calculate accounts payable turnover for the

current year and preceding two years as evidence

of vendor payment periods.

TALLAHASSEE CHAPTER

Exercise 2 – Testing a Manual

Procurement Process

1. Pick a sample of purchase requisitions

and trace each purchase forward to the

purchase order, receiving document,

invoice, and payment. OR

2. Pick a sample of payments, then vouch

each payment back to the other

documents.

TALLAHASSEE CHAPTER

Computer-Assisted Audit

Techniques (CAATs)

• Generalized Audit Software (GAS) –

multipurpose software that can be used for

audit purposes such as record selection,

matching, recalculation, and reporting.

– ACL

– IDEA

11/18/2018

11

TALLAHASSEE CHAPTER


Techniques (CAATs)

• Utility Software – computer programs

provided by a computer hardware

manufacturer or software vendor and used in

running the system.

• Test Data – simulated transactions that can

be used to test processing logic,

computations and controls actually

programmed in computer applications.

TALLAHASSEE CHAPTER


Techniques (CAATs)

• Application Software Tracing and Mapping –

specialized tools that can be used to analyze the flow

of data through the processing logic of the application

software and document the logic, paths, control

conditions and processing sequences.

• Audit Expert Systems – expert or decision support

system that can be used to assist auditors in the

decision-making process by automating the

knowledge of experts in the field.

TALLAHASSEE CHAPTER


Techniques (CAATs)

• Continuous Auditing – Uses computerized

techniques to perpetually audit the

processing business transactions.

• GTAG 16: Data Analysis Technologies of the

IIA’s Global Technology Audit Guide Series

11/18/2018

12

TALLAHASSEE CHAPTER

Evaluations

• Logic

• Professional Experience

• Professional Skepticism

TALLAHASSEE CHAPTER

Exercise 3 – Test for Duplicate

Payments

• An auditor uses generalized audit software to

directly test whether any duplicate payments

of invoices exist in the entity’s cash

disbursements transaction file. The auditor

uncovers several duplicate payments made

throughout the year.

• What can the auditor correctly conclude

regarding the controls that prevent and/or

detect such payments on a timely basis?

TALLAHASSEE CHAPTER

Evaluations

• Root Cause Analysis

– Ask a series of Why questions

– Include input from internal and external

stakeholders

11/18/2018

13

TALLAHASSEE CHAPTER

Documenting Information


must document sufficient, reliable,

relevant, and useful information to support

the engagement results and conclusions.

TALLAHASSEE CHAPTER

Engagement Workpapers

• Contain an appropriate index or reference number.

• Identify the engagement and describe the purpose or

contents of the working paper.

• Be signed (or initialed) and dated by both the internal

auditor who performed the work and the internal

auditor who reviewed the work.

• Clearly identify the sources of auditee data included

on the working paper.

• Include clear explanations of the specific procedures

performed.

TALLAHASSEE CHAPTER


• Be clearly written and easy to understand by

internal auditors unfamiliar with the work

performed.

• Contain sufficient and relevant information.

• Organized according to the engagement

program and cross-referenced to support.

• Maintained on paper, electronically, or both.

• Are reviewed by internal audit management.

11/18/2018

14

TALLAHASSEE CHAPTER


• Provide a basis for the internal audit

activity’s quality assurance and

improvement program.

• Facilitate third party-reviews.

• The Inspector General/Director of Audit

will establish working paper policies and

criteria or your respective organization

TALLAHASSEE CHAPTER

Example Risk and Control

MatrixProcess-

level Risk

Key Control Testing

Approach

Results of

Testing

Testing

Conclusions

TALLAHASSEE CHAPTER

Example of Delegation of

Authority Test

11/18/2018

15

TALLAHASSEE CHAPTER

Example of Duplicate

Payments Test

TALLAHASSEE CHAPTER


Standard 2330.A1 – The chief audit

executive must control access to

engagement records. The chief audit

executive must obtain the approval of

senior management and/or legal counsel

prior to releasing such records to external

parties, as appropriate.

TALLAHASSEE CHAPTER


Standard 2330.A2 – The chief audit executive

must develop retention requirements for

engagement records, regardless of the medium

in which each record is stored. These retention

requirements must be consistent with the

organization’s guidelines and any pertinent

regulatory or other requirements.

11/18/2018

16

TALLAHASSEE CHAPTER


Standard 2330.C1 – The chief audit executive

must develop policies governing the custody

and retention of consulting engagement

records, as well as their release to internal and

external parties. These policies must be

consistent with the organization’s guidelines

and any pertinent regulatory or other

requirements.

TALLAHASSEE CHAPTER

Presentation Sources

• IIA’s International Standards for the Professional

Practice of Internal Auditing, January 2017

• IIA’s Implementation Guides - International

Professional Practices Framework (IPPF), January

2017

• Internal Auditing: Assurance & Advisory Services,

Third Edition, 2013

• Sawyer’s Guide for Internal Auditors, 6th Edition,

2012

TALLAHASSEE CHAPTER

Thank You

Sarah Beth Hall, CIA, CISA, CIG, CIGA, CISSP

850.717.8686

[email protected]