p3 - extra knowledge pack 2 (audit)

Risk Management (P3) Additional Reading – Audit http://virtual.lk/

Upload: keshtammita

Post on 21-Dec-2015


DESCRIPTION

Types of audit and risk management etc. for p3 (new syllabus)

Management Review of Controls

The UK's Turnbull committee says that a review of internal controls should be an integral part of management's role. The board or committees should actively consider reports on control issues. In particular they should consider:

The report goes on to recommend that the board should consider:

The nature and extent of the risks which face the organisation

The threat of those risks occurring

The organisation's ability to reduce the probability and consequences of the risk, and to adapt to any changing risks

The costs and benefits of any controls implemented

An effective internal control system should keep management properly informed about the progress of the organisation (or lack of it) towards the achievement of its objectives. Management and supervisors have a responsibility for monitoring controls in the area of operations for which they are responsible. Internal control might also be monitored by an internal audit function.

What is Internal Audit?

Internal auditing is an independent and objective assurance activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic approach to evaluating and improving the effectiveness of risk management, control, and governance processes. Internal auditing improves an organisation’s effectiveness and efficiency by providing recommendations based on analyses and assessments of data and business processes.

Internal auditing provides value to governing bodies and senior management as an objective source of independent advice.

The scope of internal auditing within an organisation is broad and may involve topics such as the efficacy of operations, the reliability of financial reporting, deterring and investigating fraud, safeguarding assets, and compliance with laws and regulations.

Internal auditing frequently involves measuring compliance with the entity's policies and procedures. However, internal auditors are not responsible for the execution of company activities; they advise management and the Board of Directors (or similar oversight body) regarding how to better execute their responsibilities.

An internal audit function therefore acts as an internal control, to ensure that the internal control system is operating effectively.

Risk Management vs. Internal Audit

Risk Management

A risk management team would be considered to own the entire risk management process

They would be ultimately responsible for all aspects of this process including identification and maintenance of the company’s risk register, assessment, and prioritisation, treatment of risks and establishment of controls to manage these risks.

The team would lead the company in developing a risk response strategy and would act in an advisory capacity supporting all areas of the business.

Provision of training and development by risk staff would facilitate operational managers’ ability to identify risks in their area of work and devise controls by which to manage them

Internal Audit

The role of internal audit is that of monitoring and reviewing the effectiveness of the controls implemented by operational managers

In the context of risk management their key activity is in the testing and evaluation of the risk controls (hence ensuring that those who design controls should not test them).

In a wider context the internal audit department can carry out special investigations as directed by management, and can assist the organisation in review of the efficient use of resources.

Internal audit teams can provide support and assistance to senior management in a range of projects, some of which may fall outside the risk management arena.

They are often able to contribute to the work of operational teams in identifying risks due to their extensive knowledge of the business, but this is not their primary responsibility.

In summary, risk management identifies risks or problems, management devises controls which they think will prevent the risk or problem, and the auditors check that the control works. If it doesn't, then it is still a problem and management will implement further or different controls, which audit will check again. And so the process goes on until the risk or problem is minimised to the satisfaction of management, i.e. it is within the company's attitude to risk.

There are three different parties involved in the process review – risk management, managers and auditors, to ensure independence and the best solution for the company.

2 Scope and standard of internal audit work

Scope of internal audit work

The internal audit department will typically have the following scope and objectives as prescribed by the management of the business:

(Do not treat this as a comprehensive list of all the areas that the internal auditor considers, as management may prescribe different functions to meet the needs of their company).

Standard of internal audit work

The internal audit function would be expected to carry out their work to a high professional standard. To achieve this the audit function should be well managed and have clear and appropriate procedures for carrying out its work.

It would be expected that:

There is a formal plan of all audit work that is reviewed by the head of audit and the board/audit committee

The audit plans should be reviewed at least annually.

Each engagement should be conducted appropriately

- Planning should be performed

- Objectives should be set for the engagement

- The work should be documented, reviewed and supervised

- The results should be communicated to management

- Recommendations for action should be made

The progress of the audit should be monitored by the head of internal audit, and if recommendations that the head feels are appropriate are not acted on, the matters should be brought to the attention of the board.

3 Structure, independence and effectiveness of internal audit

Structure and independence of internal audit

To ensure that the internal audit function provides an objective assessment of control systems and their weaknesses, there should be measures in place to protect the independence of the internal audit department.

The internal auditors should be independent of executive management (but have direct access to the highest level of management if required) and should not have any involvement in the activities or systems that they audit (free from operational responsibility).

The head of internal audit should report directly to a senior director

In addition, however, the head of internal audit should have direct access to the chairman of the board of directors, and to the audit committee, and should be accountable to the audit committee.

The audit committee should approve the appointment and termination of appointment of the head of internal audit.

In large organisations the internal audit function will be a separate department

In a small company it might be the responsibility of individuals to perform specific tasks even though there will not be a full-time position.

Some companies outsource their internal audit function, often to one of the large accountancy firms.

The internal auditor will review the accounting and control systems, perform testing of transactions and balances, review the 3E's, implementation of corporate policies, carry out special investigations, and assist the external auditors where necessary.

They should be technically competent and exercise due professional care by planning, supervising and reviewing any work performed. Documentation should be kept, results communicated to management and recommendations made.

Effectiveness and efficiency of internal audit

The work of an internal audit department should be monitored to assess effectiveness in the broader context of the company’s risk management systems.

The internal audit process must provide benefits in excess of its cost.

The efficiency of internal audit can be assessed by comparing actual costs and output against a target, such as:

• the cost per internal audit day

• the cost per audit report

• the number of audit reports produced

The effectiveness of internal audit needs to be measured in a way that indicates the extent to which it provides assurance to management, the audit committee and the board about the effectiveness of the system of internal control.

This can be done by identifying evidence of improvements in internal control.

An internal audit report can be prepared for many company activities or systems. E.g. payroll.

If an internal audit was to be performed it might consider the following:

1) At the front of the report there would usually be an executive summary. This would cover the main objectives and scope of the audit, the work performed in brief, the results found and recommendations made

2) The scope of the assignment would be elaborated on in the next section. This would detail the methodology used, e.g. observation, questionnaires, etc., and the areas covered, e.g. joiners, leavers, etc.

3) The next section might be observations and recommendations i.e. what the auditor observed during his testing, whether the system was working as it was designed to, and whether any recommendations should be implemented. It should also say who is responsible for any implementations and by when they should be undertaken. The number of recommendations could range from none i.e. the system is working perfectly, to many. This is probably the most practical and most useful part of the report for management.

4) The recommendations may be graded by importance. For example a Level 1 recommendation may need to be implemented immediately since it poses a significant risk to the company, whereas a Level 5 recommendation, say, might be desirable but not necessarily life-threatening so can be implemented later.

5) Finally there will be a statement of responsibility from the internal auditor. This will detail any Auditing Standards (standard tests or rules an auditor should follow) used during the course of the work and any limitations that the audit work was performed under. To a cynic, this is the auditor's 'get out' clause, i.e. some might read it as 'we performed the audit work to the best of our ability, but we can't test everything, so if we missed something, we are sorry but it wasn't our fault'! The auditor will finally sign the report.

The internal audit report is often seen as a 'trigger for risk management' both in the real world and in the CIMA P3 case study exam.

4 Internal and external audit

To a large extent, the work of internal auditors and external auditors is similar, and overlaps. It is therefore important that their efforts should complement each other, rather than duplicate each other.

Comparison of internal to external audit

Role required by:

• External audit: Statute, for limited companies.

• Internal audit: Directors and shareholders, usually in larger organisations.

Appointed by:

• External audit: Shareholders or directors.

• Internal audit: Directors, via the Chief Internal Auditor (CIA).

Reports to:

• External audit: Shareholder (primary duty) and management (professional responsibility).

• Internal audit: Directors, via the CIA.

Reports on:

• External audit: Financial statements.

• Internal audit: Internal controls mainly.

Forms opinions on:

• External audit: True and fair view and proper presentation.

• Internal audit: Adequacy of ICS as a contribution to the economic, efficient and effective use of resources.

Scope of assignment:

• External audit: Unlimited, to fulfil statutory obligation.

• Internal audit: Prescribed by directors.

Relationship of internal audit to external audit

The audit plan of the external auditors should be drawn up taking into consideration the work of internal audit, and the extent to which the external auditors can rely on the findings of the internal auditors in reaching their audit opinion.

Factors that the external auditor should consider include:

the status of internal audit within the organisation

the scope of the internal audit function

whether management act on the recommendations of the internal auditor

the technical competence of the internal auditors

whether the objectives of the internal audit work are aligned with that of the external auditor

Whether the work of the internal audit function appears to have been planned, supervised, reviewed and documented with due professional care.

Note that there is no particular expectation that the external auditor will be able to rely on the work done by internal audit. The duties of both sets of auditors will differ and hence the work of internal audit may be of very little relevance to the external auditor.

However, in some instances, the external auditors do rely on the internal auditors' work if areas of the external auditors' audit program have been covered (and the factors mentioned above can be met). Providing the testing performed meets the scope and quality level that the external auditor requires, then the external auditor will place ‘some’ reliance on the work already performed by internal audit, and consequently reduce the amount of further testing required in order to state an opinion.

However, the external auditors would not place ‘total’ reliance on the internal auditors' work. (They would effectively need to audit the internal auditors' work by testing it in part before they could rely on it.)

For example, internal audit might know that during the annual external audit purchase compliance tests are performed to ensure that, say, all purchases are backed up by an order, the order is authorised, etc. The sample normally taken by the external auditor might be, say, 20 transactions. Internal audit could choose to perform this work during the course of the year and present their findings to the external auditor when they arrive to perform the annual audit. The external auditors would then check the internal auditors' work by re-performing the compliance tests on a few transactions, say, 3 of the 20. Providing no errors were found, the external auditors would then perform their own, new compliance tests on a reduced number of, say, 5 transactions.

More testing will have been performed since both internal and external audit have been involved, giving a higher assurance level (or lower risk).

Also, this ‘sharing’ of work can lead to a reduced external audit fee, because some of the testing has been done internally at a reduced cost.

Management letter

In addition to an internal or external audit report, the auditor will usually produce a 'management letter'. This letter usually includes a list of 'issues' that the auditor came across during the course of his audit work.

The letter usually includes a table of:

• issues concerning the auditor (usually a control that could be improved);

• Recommendations to implement or improve the controls.

The auditor would usually state a time frame by which the new controls should be implemented and then re-visit the department to ensure that the implementation had taken place.

The management are at liberty to reply to the auditor. They may state that the recommended control has been implemented, or why it hasn't been, perhaps because it was too costly, or is on-going.

5 Types of audit work

As there are many risks and many controls within a business, there will be many different types of audit that can be performed. All types will essentially ensure the same thing – that the company’s processes are being adhered to.

https://connect.cimaglobal.com/system/files/resource/Risk-control-and-internal-audit-2005.pdf

Some different types of audit work are discussed below, but the list is not exhaustive.

The latter four types of audit work will now be considered in more detail.

Value for money audit

An area that internal auditors have been getting increasingly involved in is value for money audits. These have been replaced in terminology more recently by 'best value' audits, but many of the principles remain the same.

In a value for money (VFM) audit the auditor assesses three main areas.

Economy

The economy of a business is assessed by looking at the inputs to the business (or process), and deciding whether these are the most economical that are available at an acceptable quality level.

Efficiency

The efficiency of an operation is assessed by considering how well the operation converts inputs to outputs.

Effectiveness

The effectiveness of an organisation is assessed by examining whether the organisation is achieving its objectives. To assess effectiveness there must be clear objectives for the organisation that can be examined.

Social and environmental audit

Environmental audit

An environmental audit is defined as:

'A management tool comprising a systematic, documented, periodic and objective evaluation of how well organisations, management, and equipment are performing, with the aim of contributing to safeguarding the environment by facilitating management control of environmental practices, and assessing compliance with company policies, which would include meeting regulatory requirements and standards applicable.'

It is possible that an 'accounting' trained auditor could be asked to perform one of these audits but it is unlikely that they would be able to perform the task with the proper competence. The auditor is unlikely to have the necessary skills and therefore it would be professionally wrong to accept the assignment.

Social audit

The social audit would look at the company's contribution to society and the community. The contributions made could be through:

Donations

Sponsorship

Employment practices

Education

Health and safety

Ethical investments, etc.

A social audit could either confirm statements made by the directors, or make recommendations for social policies that the company should perform.

Management audit

A management audit is sometimes called an operational audit.

A management audit is defined by CIMA as 'an objective and independent appraisal of the effectiveness of managers and the corporate structure in the achievement of the entities' objectives and policies'.

Its aim is to identify existing and potential management weakness and recommend ways to rectify them.

This type of audit would require the use of very experienced staff who understand the nature of the business.

Systems-based audit

A systems-based audit is an audit of internal controls within an organisation. Although the term refers to any type of system, it is often associated with the audit of accounting systems, such as the sales ledger system, purchase ledger system, receipts and payments, fixed asset records, stock records and so on.

The aim of such an audit is to identify weaknesses in the system (weaknesses in either the controls or in the application of controls, such that there is a risk of material inaccuracy in financial records and statements, or a risk of fraud). More will be seen of systems-based audit in the next chapter.

A systems-based audit would take the following steps:

Identify the objectives of each system

Identify the procedures

Identify why the system might not meet its objectives

Identify ways to manage the above

Identify if current controls are adequate

Report on the above

6 The audit process

Introduction

This chapter looks at a typical audit process as it would be carried out by the internal auditor to audit a company's systems or processes. A key point to consider when going through this process is the problems that might be encountered when attempting to audit these different areas.

The audit process

The audit process can be summarised in the following diagram:

7 Audit planning

Audits should be planned. There should be an audit programme for each financial year, in which the internal auditors set out which activities or operations they will audit, and what the purpose of the audit will be in each case.

Objectives of the audit: For example, to check whether the internal controls within a particular operation are adequate and are applied properly.

Conduct of the audit: The auditors need to decide what information they need and what investigations they need to carry out. Decisions have to be made about:

• How to collect and record evidence?

• How much evidence to collect?

Resources and timing: The auditors should assess how much time and effort will be required to carry out the audit, and schedule the work accordingly.

Risk-based approach

Most audits are now carried out using a risk-based approach, whereby the auditor assesses whereabouts the key risks are in a system, and then concentrates the audit effort at those key risks.

The result of this approach is that the audit should be more efficient and effective at achieving its objectives than if another approach were followed.

Bear in mind from earlier chapters that the internal control system should be built on the back of risk assessments.

One of the key ways an auditor can try to identify risk is by benchmarking.

8 Systems investigation and documentation

The auditors should document the system or operation subject to audit, and document their findings or judgements. They will need to ascertain what the system is and also the controls that operate over the system.

Ascertaining systems

The auditor could use the following sources and methods to ascertain how the systems operate:

Flowcharts: These could be examined or created from discussions with staff who use and operate systems.

Interviews/Questionnaires: The staff who operate the system can describe how they use it. This has the advantage over other existing system documentation as it identifies how the staff use the system even if this is out of line with the proper procedures.

Systems documentation: The auditor can research the documentation of the system when it was produced to identify how the system operates. Documentation tends to be best for computerised systems as they will have gone through a proper systems development approach and also they tend to be least well understood by users.

Observation: The operation of the system can be observed.

Ascertaining controls

To specifically assess the controls in systems an auditor could use standard control questionnaires. These documents are structured so as to identify all key internal controls and also enable the auditor to assess the quality of the controls.

9 Control assessment

Once auditors have ascertained what the controls are they need to make an assessment of the internal controls and whether they will achieve their objectives.

10 Audit testing

Having made an assessment of the existing controls and identified the areas of greatest risk the auditor will move onto the testing.

Auditors need to carry out tests, to ensure that procedures are performed correctly, and that controls to prevent or detect errors are adequate and applied effectively.

Types of testing

Compliance testing (test of controls):

The test of controls should be carried out to ensure that the controls identified at the planning stage operate as they should.

If the controls are not being complied with then there will be a material weakness in the control system and the result could be serious errors or fraud and the business objectives may not be achieved.

The results of the compliance testing should indicate whether:

the controls are effective, or

the controls are ineffective in practice, even though they appeared adequate ‘on paper’

Substantive testing (test of balances or transactions):

Substantive testing, on the other hand, does not look at the controls in the system – it rather concentrates on the output and ensuring that the output is as expected.

Substantive testing is normally associated with financial systems but can also be used for non-financial systems.

The purpose of the substantive tests is either to:

• Confirm that the controls are effective

• Where the controls are ineffective, to establish the apparent consequences

For example, an audit of a quality control system would give the following types of testing:

Substantive test

Monitor the number of quality control failures as a proportion of good output.

Compliance test

Observe the functioning of the quality control staff to ensure they are checking output.

In the exam, students should concentrate on using words like reconcile, analyse, observe, monitor or sample at the beginning of any sentence that recommends an audit test. Try to avoid the word 'check' since that can be construed as vague, unless you explain fully what you are checking for and why.

11 Sampling

With any audit testing it will probably be necessary to undertake some form of sampling.

Sampling is testing a proportion of a population to gain assurance about the population as a whole.

Audit sampling

The application of audit procedures to less than 100% of the items within an account balance or class of transactions to obtain and evaluate evidence about some characteristic of the items selected in order to form a conclusion on the population.

Risks that occur with sampling

As soon as an auditor decides to sample a population, there are risks that are brought into the audit:

Sampling risk: This is the risk that the auditor’s conclusion, based on the results of the sample, may be different from the result that would have been obtained had all items in the population been tested. (This risk can never be removed if sampling is done.)

Non-sampling risk: This is the risk that the auditor may use inappropriate procedures, or misinterpret evidence that the test results give. As a result the auditor would fail to recognise an error. (This risk is avoidable if auditors use the appropriate procedures.)

12 Analytical review

Analytical review is arguably the most important test available to the auditor as it can be used in the audit of most items – both financial and non-financial – and can be used at various points in the audit process.

Definition

Analytical review is the examination of ratios, trends and changes in the business from one period to the next, to obtain a broad understanding of the results of operations, and to identify any items requiring further investigation.

When the results appear abnormal the auditors will investigate more closely to find out the cause(s) by performing further work.

Nature of analytical review

Comparisons of information could be with:

• Prior periods/anticipated results. Example: number of new products launched – 20X1 actual 9, 20X1 budget 11, 20X0 actual 10.

• Predictive estimates. Example: depreciation for year = 15% × y/e cost.

• Similar industry info. Example: staff turnover v industry average.

Uses of analytical review

Analytical review will be used at all stages of the audit.

Planning: They will be used to identify risks, and therefore help in deciding the level of testing, and its nature and timing.

Substantive testing: Analytical review is a very important substantive procedure that can provide sufficient audit evidence in some areas. In practice in the audit of financial information, expenses in the income statement, accruals and prepayments are all audited by substantive analytical procedures.

Overall review: The procedures are used to conclude whether the area being tested is consistent with the auditors’ knowledge of the business entity and the expected results.

13 Audit reporting

Audit report

The final stage of an audit is the audit report. In an internal audit assignment the audit report does not have a strict structure; however, it would be expected to feature a number of different parts:

• The objectives of the audit work.

• A summary of the process undertaken by the auditor.

• The results of tests carried out.

• The audit opinion (if an opinion is required).

• Recommendations for action.

When giving recommendations auditors must always ensure that the recommendations are practical and cost-effective.

The auditor will need to consider whether the residual risk will be reduced by the recommendation. If it will not, the recommendation is not worthwhile.

* The internal auditor should have a process of post-implementation review to ensure that recommendations have been actioned by management.

14 Audit of computer systems

In the case of computer systems, audits are carried out:

To check whether the system is achieving its intended objectives, and

In the case of accounting systems, to check that the information produced by the system is reliable.

Problems of auditing computer systems

Auditing computer systems gives some different problems and some new opportunities to auditors to test systems. There are several problems for the auditor of computer systems that do not occur with ‘manual’ systems, including:

Errors

Additionally, when auditors audit computer systems they need to be aware of the types of errors that occur in the systems. The characteristics of errors are:

• No one-off errors unless deliberate amendment of individual items.

• Systematic errors which repeat across all transactions.

• Higher danger that input errors will not be detected.

Audit approach

The audit approach for computer auditing is often summarised in one of two ways:

Through the computer; or

Round the computer.

Round the computer

Under this approach the auditor does not attempt to understand the operation of the computer system, but rather treats it as a 'black box'. To audit the system, the auditor matches up inputs to predicted outputs to ensure that the outputs are being processed correctly.

The approach is good in that it does not require a high level of expertise of IT in the audit teams, but it is only suitable if the following conditions are met:

Computer processing is relatively simple

Audit trail is clearly visible

A substantial amount of up-to-date documentation exists about how the system works.

Problems with auditing round the computer include:

Computer files and programs are not tested, hence there is no direct evidence that the program is working as documented

If errors are found it may be impossible to determine why they have happened

All discrepancies between predicted and actual results must be fully resolved and documented no matter how small (this is because controls are being tested).

Through the computer

This approach actually interrogates the computer files and computer controls and relies much more on the processes that the computer uses.

The auditor follows the audit trail through the internal computer operations and attempts to verify that the processing controls are functioning correctly. The computer controls are directly tested and the accuracy of computer-based processing of input data is verified.

To audit through the computer requires more expertise and a longer set-up time; however, the results can be of very good quality.

This approach utilises different computer-assisted audit techniques (CAATs) such as test data and audit software, discussed below.

15 Computer-assisted audit techniques (CAATs)

Computer-assisted audit techniques are methods of using a computer to carry out an audit of a computer system. There are two main categories of CAAT:

• Audit software, such as audit interrogation software

• Test data.

Audit interrogation software

Audit software consists of computer programs used by auditors to interrogate the files of a client. Normally the client's data files are input into the audit software program on the auditor's computer, and the auditor can then test those files. Examples of what audit software can do include:

• Extract a sample according to specified criteria:

  o Random

  o Over a certain amount

  o Below a certain amount

  o At certain dates

• Calculate ratios and select those outside the criteria

• Check calculations (for example, additions)

• Prepare reports (budget vs. actual)

• Produce letters to send out to customers and suppliers

• Follow items through a computerised system

• Search for underlying relationships and check for fraud.

Packages are generally designed to:

• read computer files

• select information

• perform calculations

• create data files, and

• print reports in a format specified by the auditor.

Audit software enables large volumes of data to be processed very quickly and accurately. The main drawback of audit software is that it can take a long time to set up the systems with the client data, and it will require expertise.
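The interrogation tests listed above, sketched as an added example that is not part of the original study pack: it reads a ledger extract, selects items by amount, draws a repeatable random sample, checks additions and searches for a relationship that may indicate duplicate invoicing. The ledger contents, field names and function names are all constructed for illustration.

```python
import csv
import io
import random
from collections import defaultdict
from decimal import Decimal

# Constructed sample of a client's sales ledger extract (not real data).
LEDGER_CSV = """invoice,customer,date,net,tax,gross
INV001,C100,2015-01-05,100.00,20.00,120.00
INV002,C101,2015-01-07,2500.00,500.00,3000.00
INV003,C102,2015-01-09,40.00,8.00,84.00
INV004,C101,2015-01-07,2500.00,500.00,3000.00
INV005,C103,2015-02-11,9000.00,1800.00,10800.00
INV006,C104,2015-02-15,15.00,3.00,18.00
"""

def read_ledger(text=LEDGER_CSV):
    """Read the file and convert amounts to Decimal (no float rounding)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        for f in ("net", "tax", "gross"):
            r[f] = Decimal(r[f])
    return rows

def over_amount(rows, limit):
    """Select items over a certain amount."""
    return [r["invoice"] for r in rows if r["gross"] > Decimal(limit)]

def random_sample(rows, n, seed):
    """Random sample; the seed is recorded so the selection can be re-performed."""
    return sorted(r["invoice"] for r in random.Random(seed).sample(rows, n))

def addition_errors(rows):
    """Check calculations: net + tax must equal gross."""
    return [r["invoice"] for r in rows if r["net"] + r["tax"] != r["gross"]]

def possible_duplicates(rows):
    """Relationship search: same customer, date and gross on several invoices."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["customer"], r["date"], r["gross"])].append(r["invoice"])
    return [ids for ids in groups.values() if len(ids) > 1]

if __name__ == "__main__":
    ledger = read_ledger()
    print("Over 1,000:", over_amount(ledger, "1000"))
    print("Addition errors:", addition_errors(ledger))
    print("Possible duplicates:", possible_duplicates(ledger))
```

Recording the sampling seed in the working papers lets a reviewer re-perform exactly the same selection.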

Embedded audit facilities

Embedded audit facilities might be written into a program, particularly in on-line/real-time systems. These facilities can carry out automatic checks or provide information for subsequent audit, such as:

• Extracting and storing information for subsequent audit review, with sufficient details to give the auditor a proper audit trail

• Identifying and recording items that are of some particular audit interest, as specified by the auditor.

Test data

Test data can be used by inputting the data into the system and checking whether it is processed correctly. The expected results can be calculated in advance, and checked against the actual output from the system. The auditors might include some invalid data in the tests, which the system should reject.

It will only be used if the auditor is intending to do a 'test of controls' audit, and it must be considered cost effective.

Live data = test data are processed during a normal production run.

Dead data = test data are processed outside the normal cycle.

The stages involved in using test data are:

1. Gain a thorough understanding of how the system being tested is supposed to work and the controls that are included in it.

2. Devise the test data set. This should be a set of data containing both valid and invalid items. The controls in the system should identify the invalid items.

3. Run the test data. This can be 'live' (within the normal processing at the client), or 'dead' (outside the normal processing). Live runs give more reliable results but are more risky to operate.

4. Evaluate the results. It is important that the auditor fully evaluates the results of the test data and does further work if unexpected results occur.
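The four stages above, carried through as an added example that is not part of the original study pack. The order-entry routine `process_order`, its documented controls, the master file and the test items are all hypothetical; the routine carries a deliberately seeded defect so that the evaluation stage has something to find, and the 'dead' run works on a copy of the master file so the original is not altered.

```python
import copy

# Constructed master file; in a real engagement this is a copy of client data.
MASTER = {"C100": {"credit_limit": 500, "balance": 0}}

def process_order(master, order):
    """Stand-in for the client system under test (hypothetical).
    Documented controls: customer must exist, quantity 1-100, credit limit.
    It contains a seeded defect: the range check lets quantity 0 through."""
    cust = master.get(order["customer"])
    if cust is None:
        return "REJECT"
    if order["qty"] < 0 or order["qty"] > 100:      # defect: should be qty < 1
        return "REJECT"
    value = order["qty"] * order["price"]
    if cust["balance"] + value > cust["credit_limit"]:
        return "REJECT"
    cust["balance"] += value                        # updates the master file
    return "ACCEPT"

# Stage 2: test data with valid and invalid items; results predicted in advance.
TEST_DATA = [
    ("T1 valid order",       {"customer": "C100", "qty": 10,  "price": 5}, "ACCEPT"),
    ("T2 unknown customer",  {"customer": "C999", "qty": 1,   "price": 5}, "REJECT"),
    ("T3 quantity zero",     {"customer": "C100", "qty": 0,   "price": 5}, "REJECT"),
    ("T4 quantity over max", {"customer": "C100", "qty": 101, "price": 1}, "REJECT"),
    ("T5 quantity at max",   {"customer": "C100", "qty": 100, "price": 1}, "ACCEPT"),
    ("T6 over credit limit", {"customer": "C100", "qty": 100, "price": 4}, "REJECT"),
]

def run_dead(master, test_data):
    """Stage 3, 'dead' run: process against a copy so live files are untouched."""
    work = copy.deepcopy(master)
    return [(name, expected, process_order(work, order))
            for name, order, expected in test_data]

def evaluate(results):
    """Stage 4: every difference between predicted and actual needs follow-up."""
    return [name for name, expected, actual in results if expected != actual]

if __name__ == "__main__":
    for name in evaluate(run_dead(MASTER, TEST_DATA)):
        print("Unexpected result, investigate:", name)
```

The test items are order-dependent: T6 only exceeds the credit limit because T1 and T5 were accepted first, which is why expected results have to be worked out for the whole set in sequence.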

Risks with test data

Risk: Damage to the system as the system is tested to its limits.
Control: Ensure auditors understand the system and have software support.

Risk: Corruption of the system's data if test data are not properly removed.
Control: Ensure process for data removal.

Risk: System down time if ‘dead’ data used.
Control: Establish when system can be used with minimum disruption to the business.

Summary - Internal Audit