11/18/2018
1
TALLAHASSEE CHAPTER
Performing the Engagement
Emphasize the Basics, Elevate the Standards
November 27-28, 2018
Sarah Beth Hall
Inspector General
Florida Office of Early Learning
Performing the Engagement
(IPPF 2300)
• Identifying Information (IPPF 2310)
• Analysis and Evaluation (IPPF 2320)
• Documenting Information (IPPF 2330)
Performing the Engagement
IPPF Standard 2300: Internal auditors
must identify, analyze, evaluate, and
document sufficient information to achieve
the engagement’s objectives.
Performing the Engagement
• Review Planning Documentation
– Engagement objectives & scope
– Identified criteria
– Risk and Control Matrix
– Process maps, flowcharts, and/or
narratives
– Results of control design evaluations
– Plan & approach for testing key controls
Performing the Engagement
• Conduct audit procedures/tests to gather
evidence.
• Key or primary controls must be tested.
• Secondary controls do not usually have to be
tested.
• If there is a significant design weakness, there is
usually no need to test the control.
– Determine losses
– Quantify or clarify the risk
Identifying Information
IPPF Standard 2310: Internal auditors
must identify sufficient, reliable, relevant,
and useful information* to achieve the
engagement’s objectives.
*includes audit evidence
Identifying Information
• Sufficient information is factual,
adequate, and convincing so that a
prudent, informed person would reach
the same conclusions as the auditor.
• Reliable information is the best
attainable information through the use
of appropriate engagement techniques.
Identifying Information
• Relevant information supports
engagement observations and
recommendations and is consistent with
the objectives for the engagement.
• Useful information helps the
organization meet its goals.
Identifying Information
• How do you identify the information/evidence?
– Review engagement objectives, the engagement
work program, and the criteria.
– Facilitate open and collaborative communication.
– Establish effective communication channels.
– Utilize a variety of testing methods to find the
evidence that leads to conclusions on
effectiveness.
Identifying Information
• Persuasive Audit Evidence
– Relevant
– Reliable
– Sufficient
• Relying on audit evidence that has little
or no pertinence to a specific audit
objective greatly increases audit risk.
Types of Audit Evidence
• Testimonial Evidence – what is said
• Documentary Evidence – what is
contained in documents
• Physical Evidence – what is seen
• Analytical – obtained by comparing,
computing or analyzing data
Exercise 1 – Persuasive Audit
Evidence
Assume that an internal auditor wants to
determine whether a particular vehicle
included in the company’s fixed asset
ledger exists and is owned by the
company. The internal auditor locates the
vehicle in the company’s parking lot.
Audit Evidence Guidelines
• Evidence is more reliable when
– Obtained from independent third parties vs. from
auditee personnel;
– Produced by a process or system with effective
controls vs. one with ineffective controls;
– Obtained directly by the internal auditor vs. indirectly;
– Documented vs. undocumented; and
– Timely vs. untimely.
Audit Evidence Guidelines
• Evidence is more sufficient when
– Corroborated vs. uncorroborated or
contradictory; and
– Produced from larger samples vs.
smaller samples.
Documentary Evidence - High
• Documents prepared by the internal auditor
– Inventory test counts
– Process maps
– Risk and control matrices
• Documents sent directly from a third party to
the internal auditor
– Confirmations
– Cutoff bank statements
– Letters from outside attorneys
Documentary Evidence -
Medium
• Documents created by a third party, sent to the organization,
and requested from the organization by the internal auditor
– Vendor invoices
– Customer purchase orders
– Bank statements
• Documents created by the organization, sent to a third party,
returned to the organization, and requested from the
organization by the internal auditor
– Remittance advices
– Cancelled checks
– Deposit slips
Documentary Evidence - Low
• Documents created by the organization
and requested from the organization by
the internal auditor
– Written policy statements
– Receiving reports
– Time cards
Analysis and Evaluation
IPPF Standard 2320: Internal auditors
must base conclusions and engagement
results on appropriate analyses and
evaluations.
Analysis
• Manual Audit Procedures – Inquiry,
Observation, Inspection, Vouching,
Tracing, Reperformance, Confirmation,
Analytical Procedures
• Computer-Assisted Audit Techniques
(CAATs)
Manual Audit Procedures
• Inquiry – entails asking questions, produces indirect
evidence, can be in the form of interviews, surveys,
and questionnaires.
• Practical Examples:
– Circulate a questionnaire among senior executives
asking them to identify the “top 10” risks
threatening the organization.
– Interview managers and employees involved in
the cash disbursements process to identify key
process controls.
Manual Audit Procedures
• Observation – entails watching people, processes, or
procedures; direct evidence; only provides evidence
at a point in time
• Practical Examples:
– Tour the auditee’s facility to gain a general understanding of
day-to-day operations.
– Observe the care with which employees count the year-end
physical inventory.
– Watch employees involved in executing and recording cash
disbursement transactions to determine whether they are
performing their assigned responsibilities and only their assigned
responsibilities.
Manual Audit Procedures
• Inspection – entails studying documents and records
and physically examining tangible resources;
provides direct evidence and direct knowledge
• Practical Examples:
– Review the minutes of board of directors’ meetings looking
for authorization of significant events.
– Inspect selected inventory items to determine their condition
and salability.
– Read the cash disbursements policies and procedures to
obtain an understanding of key elements of the process.
Manual Audit Procedures
• Vouching – entails tracking information backward from one
document or record to a previously prepared document, record,
or a tangible resource; tests validity
• Practical Examples:
– Vouch a sample of inventory items from the accounting
records to the warehouse to see that the inventory items
exist.
– Vouch a sample of sales invoices to corresponding shipping
documents to verify that the shipments occurred.
– Vouch a sample of check copies to supporting voucher
packages to test the validity of the checks.
Manual Audit Procedures
• Tracing – entails tracking information forward from
one document, record, or tangible resource to a
subsequently prepared document or record; tests for
completeness
• Practical Examples:
– Trace internal auditor test counts of inventory to the
auditee’s inventory compilation records to verify that the
counts are properly included in the compilation.
– Trace checks dated within a period of several days before
and after year-end to the accounting records to ensure
the checks were recorded in the proper year.
Manual Audit Procedures
• Reperformance – entails redoing controls or other
procedures; provides direct evidence regarding operating
effectiveness
• Practical Examples:
– Recalculate accumulated depreciation and depreciation
expense to verify that they were calculated correctly.
– Independently estimate the allowance for doubtful
accounts to test the reasonableness of the accounting
department’s estimate.
– Reperform auditee-prepared bank reconciliations to test
whether they were completed correctly.
Manual Audit Procedures
• Confirmation – entails obtaining direct written
verification of the accuracy of information from
independent third parties; positive or negative
confirmations; considered very reliable evidence
• Practical Examples:
– Confirm a sample of accounts receivable
subsidiary ledger balances with customers.
– Confirm the principal balance and interest rate
of a note payable with the lender.
– Confirm cash account bank balances with banks.
Manual Audit Procedures
• Analytical Procedures – entail assessing information
obtained during an engagement by comparing the
information with expectations identified or developed by the
internal auditor.
• Common analytical procedures include:
– Ratio, trend, and regression analysis.
– Reasonableness tests.
– Period-to-period comparisons.
– Forecasts.
– Benchmarking information against similar industries or
organizational units.
Manual Audit Procedures
• Analytical Procedures Practical Examples:
– Prepare common-size financial statements for the
current year and preceding two years; look
specifically for variances or unexpected trends.
– Compare the organization’s common-size financial
statement with published industry common-size
information looking for unexpected inconsistencies.
– Calculate accounts payable turnover for the
current year and preceding two years as evidence
of vendor payment periods.
Exercise 2 – Testing a Manual
Procurement Process
1. Pick a sample of purchase requisitions
and trace each purchase forward to the
purchase order, receiving document,
invoice, and payment. OR
2. Pick a sample of payments, then vouch
each payment back to the other
documents.
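The two options above test different things, shown here as an added example that is not part of the original presentation: tracing forward from requisitions tests completeness, while vouching back from payments tests validity. All document IDs, link tables and function names are constructed for illustration.

```python
# Constructed sample data: each downstream document references its predecessor.
REQUISITIONS = ["REQ-1", "REQ-2", "REQ-3"]
PURCHASE_ORDERS = {"PO-1": "REQ-1", "PO-2": "REQ-2", "PO-3": "REQ-3"}  # PO -> requisition
RECEIVING = {"RCV-1": "PO-1", "RCV-2": "PO-2"}                  # receiving doc -> PO
INVOICES = {"INV-1": "RCV-1", "INV-2": "RCV-2", "INV-9": None}  # invoice -> receiving doc
PAYMENTS = {"PAY-1": "INV-1", "PAY-9": "INV-9"}                 # payment -> invoice

# Forward chain: (document type expected next, table linking it to its predecessor).
FORWARD = [("purchase order", PURCHASE_ORDERS), ("receiving document", RECEIVING),
           ("invoice", INVOICES), ("payment", PAYMENTS)]
# Backward chain: (support expected behind the current document, table to look it up in).
BACKWARD = [("invoice", PAYMENTS), ("receiving document", INVOICES),
            ("purchase order", RECEIVING), ("purchase requisition", PURCHASE_ORDERS)]

def trace(requisition):
    """Follow one requisition forward; return the first missing document type, or None."""
    current = requisition
    for doc_type, links in FORWARD:
        successors = [doc for doc, parent in links.items() if parent == current]
        if not successors:
            return doc_type
        current = successors[0]
    return None

def vouch(payment):
    """Follow one payment backward; return the first missing support type, or None."""
    current = payment
    for doc_type, links in BACKWARD:
        current = links.get(current)
        if current is None:
            return doc_type
    return None if current in REQUISITIONS else "purchase requisition"

def trace_exceptions():
    """Option 1: sample requisitions and report where each chain stops."""
    return {r: gap for r in REQUISITIONS if (gap := trace(r))}

def vouch_exceptions():
    """Option 2: sample payments and report which support is missing."""
    return {p: gap for p in PAYMENTS if (gap := vouch(p))}

if __name__ == "__main__":
    print("Tracing exceptions:", trace_exceptions())
    print("Vouching exceptions:", vouch_exceptions())
```

On this data, tracing flags the requisitions that were never received or paid, and only vouching surfaces the payment that has no receiving document behind it.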
Computer-Assisted Audit
Techniques (CAATs)
• Generalized Audit Software (GAS) –
multipurpose software that can be used for
audit purposes such as record selection,
matching, recalculation, and reporting.
– ACL
– IDEA
Computer-Assisted Audit
Techniques (CAATs)
• Utility Software – computer programs
provided by a computer hardware
manufacturer or software vendor and used in
running the system.
• Test Data – simulated transactions that can
be used to test processing logic,
computations and controls actually
programmed in computer applications.
Computer-Assisted Audit
Techniques (CAATs)
• Application Software Tracing and Mapping –
specialized tools that can be used to analyze the flow
of data through the processing logic of the application
software and document the logic, paths, control
conditions and processing sequences.
• Audit Expert Systems – expert or decision support
system that can be used to assist auditors in the
decision-making process by automating the
knowledge of experts in the field.
Computer-Assisted Audit
Techniques (CAATs)
• Continuous Auditing – uses computerized
techniques to perpetually audit the
processing of business transactions.
• GTAG 16: Data Analysis Technologies of the
IIA’s Global Technology Audit Guide Series
Evaluations
• Logic
• Professional Experience
• Professional Skepticism
Exercise 3 – Test for Duplicate
Payments
• An auditor uses generalized audit software to
directly test whether any duplicate payments
of invoices exist in the entity’s cash
disbursements transaction file. The auditor
uncovers several duplicate payments made
throughout the year.
• What can the auditor correctly conclude
regarding the controls that prevent and/or
detect such payments on a timely basis?
Evaluations
• Root Cause Analysis
– Ask a series of Why questions
– Include input from internal and external
stakeholders
Documenting Information
IPPF Standard 2330: Internal auditors
must document sufficient, reliable,
relevant, and useful information to support
the engagement results and conclusions.
Engagement Workpapers
• Contain an appropriate index or reference number.
• Identify the engagement and describe the purpose or
contents of the working paper.
• Be signed (or initialed) and dated by both the internal
auditor who performed the work and the internal
auditor who reviewed the work.
• Clearly identify the sources of auditee data included
on the working paper.
• Include clear explanations of the specific procedures
performed.
Engagement Workpapers
• Be clearly written and easy to understand by
internal auditors unfamiliar with the work
performed.
• Contain sufficient and relevant information.
• Organized according to the engagement
program and cross-referenced to support.
• Maintained on paper, electronically, or both.
• Are reviewed by internal audit management.
Engagement Workpapers
• Provide a basis for the internal audit
activity’s quality assurance and
improvement program.
• Facilitate third-party reviews.
• The Inspector General/Director of Audit
will establish working paper policies and
criteria for your respective organization.
Example Risk and Control Matrix
Process-level Risk | Key Control | Testing Approach | Results of Testing | Testing Conclusions
Example of Delegation of
Authority Test
Example of Duplicate
Payments Test
Documenting Information
Standard 2330.A1 – The chief audit
executive must control access to
engagement records. The chief audit
executive must obtain the approval of
senior management and/or legal counsel
prior to releasing such records to external
parties, as appropriate.
Documenting Information
Standard 2330.A2 – The chief audit executive
must develop retention requirements for
engagement records, regardless of the medium
in which each record is stored. These retention
requirements must be consistent with the
organization’s guidelines and any pertinent
regulatory or other requirements.
Documenting Information
Standard 2330.C1 – The chief audit executive
must develop policies governing the custody
and retention of consulting engagement
records, as well as their release to internal and
external parties. These policies must be
consistent with the organization’s guidelines
and any pertinent regulatory or other
requirements.
Presentation Sources
• IIA’s International Standards for the Professional
Practice of Internal Auditing, January 2017
• IIA’s Implementation Guides - International
Professional Practices Framework (IPPF), January
2017
• Internal Auditing: Assurance & Advisory Services,
Third Edition, 2013
• Sawyer’s Guide for Internal Auditors, 6th Edition,
2012
Thank You
Sarah Beth Hall, CIA, CISA, CIG, CIGA, CISSP
850.717.8686