
Chapter 1: An Internal Audit Common Body of Knowledge

Corporate Governance: system of rules, procedures and practices by which a company is directed
Internal auditing is an independent appraisal function established within the organization to examine and
evaluate its activities and controls.

Improvement is the fundamental purpose of internal auditing (through advising, coaching)


Internal Auditing Activities include
1. Evaluating risk
2. Evaluating controls
3. Analyzing operations
External auditing: an independent examination to express an opinion on whether the financial statements are
prepared, in all material respects, in accordance with the applicable financial reporting framework (public
companies: IFRS; private enterprises: ASPE).

External Audit vs Internal Audit

Reports to
- External: shareholders or members, who are outside of the organisation's governance structure; the
  auditors work for an outside audit firm (e.g., KPMG).
- Internal: the board and senior management, who are within the organisation's governance structure;
  usually employed within the company, but the function can also be outsourced.

Objectives
- External: add credibility and reliability to financial reports; provides an opinion on the reports.
- Internal: evaluate and improve the effectiveness of governance, risk management and control processes.

Coverage
- External: financial reports and financial reporting risks; annual and quarterly.
- Internal: all categories of risk and their management, including reporting on them; analyze
  operations, evaluate controls, evaluate risk.

Responsibility for improvement
- External: none, however there is a duty to report problems.
- Internal: improvement is fundamental to the purpose of internal auditing, done by advising, coaching and
  facilitating so as not to undermine the responsibility of management.

CBOK: Common Body of Knowledge: for any profession, defines the minimum level of proficiency
needed for effective performance within that profession
- Minimum knowledge needed to perform effectively
- For internal auditors CBOK covers practice areas, understanding of general management practice,
general application areas

CHAPTER 2: COSO Internal Control Framework (practices to establish efficient and effective internal controls)
COSO is a framework that outlines professional practices for establishing business systems and processes that
promote efficient and effective internal controls

 COSO does not have the authority to issue standards BUT


 Outlines an approach or recommended best practices
 COSO: provides GUIDANCE on risk management, internal control and fraud detection/prevention.

COSO: Committee Of Sponsoring Organizations


Worldwide best practices for defining and establishing good internal controls
Initiative of 5 private sector professional accounting, auditing and finance organizations

Internal Controls  policies and procedures put in place to ensure the achievement of objectives within
the 3 internal control objective categories

CONTROL is a process designed to provide reasonable assurance regarding the achievement of
objectives in operations, financial reporting and compliance
Internal Control Objective Categories (3)
1. Operations Internal Controls (effectiveness and efficiency)
2. Financial Reporting Internal Controls (reliability)
3. Compliance Internal Controls (with laws and regulations)

Original description of the COSO internal control system (Pyramid)
Includes the 5 COSO internal control components and the 3 objective categories.
5 COSO COMPONENTS
1. Control Environment
2. Risk Assessment
3. Internal Control Activities
4. Information and Communication
5. Monitoring Activities
Pyramid design: MONITORING AT THE TOP, CONTROL ENVIRONMENT AT THE BOTTOM
Control Environment: seen as the base/foundation of the entire structure. TONE AT THE TOP
4 horizontal layers (internal components): control environment, risk assessment, control activities and
monitoring activities
1 vertical layer: information and communication, acting as the interface channel for the four other layers

REVISED COSO FRAMEWORK (CUBE) – 3 DIMENSIONAL PERSPECTIVE

Includes the 3 internal control objective categories
1. Operations internal controls
2. Financial reporting internal controls
3. Compliance internal controls
5 COSO key components of internal control
1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring
AND organizational structure levels (mnemonic: BDB)
1. Business entity level
2. Division and function controls
3. Business unit activities

Must consider the 3-dimensional nature of the cube: every COSO internal control element is related, up and
down and across the other sides of the cube, to the other components.
All components are related and impact each other

The 5 COSO Internal Control Components

Control Environment: the set of standards, processes, and structures that provide the basis
(FOUNDATION) for carrying out effective internal control activities across an enterprise.
If this component is ineffective, most of the other components could be negatively affected: an ineffective
control environment effectively trumps the lower-level controls. It MUST BE EFFECTIVE AND STRONG.

a. Tone at the top
b. The foundation of the entire internal control system (pervasive impact)
c. Actions of the board of directors and senior management (they must set the example)
d. Commitment to integrity and ethical values of the enterprise
e. Enforces accountability
If management is setting the right example, and employees know that management values ethics and
integrity, this attitude will be passed down to the employees
- Creates a strong foundation
- The more ethical and responsible the management is, the more likely employees will follow
Control environment influenced by: entity’s history, values, competitive/regulatory landscape, culture
- Elements of a strong culture such as integrity, ethical values, oversight, accountabilities and
performance evaluations make the control environment strong as well
Some questions relating to the control environment:
 Does management take undue business risks to achieve objectives? Does it encourage risk taking or an
achieve at all costs attitude?
 Does management manipulate performance measures so they appear more favorable? Bend the
truth?
 Does management pressure employees to achieve results regardless of the methods?
 Is management open and honest with employees about performance and results?

Risk Assessment: the process for determining how risks at all levels of the enterprise will be managed and
responded to. Prerequisite to risk assessment: establish risk-related objectives.
Risk assessment is an iterative process for identifying and assessing those risks that may limit the
achievement of enterprise objectives: IDENTIFY AND ASSESS RISKS and decide how they will be managed.

Risk: possibility of an event that could adversely affect the achievement of company objectives

 Management must consider the impact of the internal and external environment
 Determine how much risk to accept and strive to maintain the risk within these tolerated limits.
 Understand how much tolerance they have for exceeding target risk levels. (risk tolerance)
Identify risk-related objectives within
1. Operations,
2. Reporting
3. Compliance

Risk identification considers all risks within an enterprise at multiple levels (entity level, subunits,
operational functions  IT, marketing, HR, finance) that may impact the success of the company

Don't identify ALL possible risks but those that could impact operations with some level of probability and
within a reasonable time frame (some risks can be significant but very unlikely, e.g., a tsunami in Montreal).

 Look at all types of risks, from larger more significant risks affecting the overall business to less major
risk affecting a project or smaller business unit
 Look at How the risk will impact operations, financial reporting and compliance activities
 Should consider factors internal to the enterprise, external parties and external issues such as laws,
regulations, environmental issues, natural events
 No practical way to reduce all risks, will always have some residual risk event after implementing
necessary controls
Points to consider for the risk assessment component:
A. The enterprise should specify objectives with sufficient clarity to better identify and assess the risks
relating to those objectives.

B. The enterprise should identify risks relating to the achievement of its objectives across the entity all
levels.
 Should then analyze risks to determine how those risks should be managed.

C. The enterprise should consider the potential for fraud in assessing risks to the achievement of
objectives. (assess the opportunity, the incentives etc)

D. The enterprise should identify and assess changes that could significantly impact its system of internal
controls.

 MANAGE CHANGES in the external environment, management (leadership) and the business model

Summary of the four points:
Specify objectives with sufficient clarity.
Identify risks relating to the achievement of objectives ACROSS the entity, then analyze the risks and determine how those risks should
be managed.
Consider the potential for fraud.
Assess changes that may impact the system of internal controls: changes in the external environment, management or
the business model.

Types of risks include
1. Strategic risks (industry, economy, competitor, reputation, patent)
2. Operations risks (process risk, compliance, people risks, employee turnover)
3. Finance risks (interest rate risk, credit risks, trading risks)
4. Information risks (accounting/financial reporting, pricing, technology)

Risk Response Strategies (mnemonic: A R S A)

1. Risk Avoidance
Walk away from the risk: sell a business unit that creates the risk, leave a certain area, drop a product line.
Potentially costly if investments were already made to enter the area.
Hard to walk away on the basis of a potential future risk if everything is going well right now.

2. Risk Reduction
Reduce the risk through diversification (e.g., product line diversification); can reduce risk at all levels, e.g.,
splitting an IT center into two locations.

3. Risk Sharing
Insurance, hedging (buying futures): have another party accept a portion of the risk. Share risk by purchasing
insurance OR by entering into a joint venture, sharing in profits and losses.

4. Risk Acceptance
A strategy of no action: establish a risk tolerance and then decide whether or not to accept the risk. Does it go
hand in hand with your risk appetite? What is the risk's likelihood?

Internal Control Activities: controls are the actions—established through enterprise policies and
procedures—that help to mitigate risks regarding the achievement of objectives and ensure that risk responses are
carried out properly and in a timely manner.

- Performed at all levels
- Control activities can be preventive or detective in nature, through a range of manual/automated
activities such as authorizations, approvals, reconciliations, and business performance reviews
A fundamental internal control is segregation of duties: the concept of having more than one person required
to complete a task.

- The task is performed by different people so that no one person has control over the entire cash handling
process.
- Will minimize the risk of errors,
- decrease the opportunity for fraudulent activity
- and increase the chance of detecting errors.
- NOT ONLY FOR CASH (cheques, deposits, journal entries)
- 1 person handling cash, 1 person recording, 1 person reconciling
- Decreases the probability of fraud
- Remaining risk: collusion between the people holding the separated duties; solution = rotation of responsibilities
Control activities include actions that ensure that responses to assessed risks, as well as other management
directives, are carried out properly and in a timely manner.
Types of internal control activities
o Verifications: compares with policy or another item then performs a follow up
o Reconciliations: compares two or more data elements, differences identified are reconciled.
o Authorizations and approvals: affirm that a transaction is valid, approval from upper level
o Physical controls: includes equipment inventory, security for manufacturing plants, cash secured
physically in locked areas. Periodically counted and compared with control records
o Controls over standing data: standard organization data elements
o Supervisory controls: are they being performed completely, accurately and according to procedures
through observation
o Audit trails documents all transactions that came to the end results

Information and Communication


The overall concept supporting COSO information and communication is that an enterprise needs to develop
and deliver many forms and types of relevant information, from and to management
- Management obtains information from internal and external sources and uses relevant, quality
information to support the functioning of the other COSO components
Communication: continual, iterative process of providing, sharing and obtaining necessary information.
Internal communication is the means by which information is disseminated throughout an enterprise, flowing
up, down, and across the entity.
- It enables personnel to receive clear messages from senior management that control responsibilities
must be taken seriously.
- Used primarily to communicate objectives and importance of internal controls
External communication also enables inbound communications of relevant external information and provides
information to external parties in response to requirements and expectations

The information process should
• Record transactions as they occur, breaking them into their component parts (dates, amounts, names,
accounts, authorizations, etc.).
• Process, summarize, and report that information for management purposes and pure accounting
purposes.
• Store captured and processed data in formats that can be summarized, audited, reviewed, and
reported quickly and easily.
• Report that information in a format that can be used for management analysis and internal control
purposes. MAKE BIG DATA INTO RELEVANT DATA

Importance of Relevant Information = define information requirements in detail
The internal auditor should obtain and use RELEVANT, QUALITY information to support the functioning of the
components of internal control under review
Relevant information requires management to identify and define information requirements at a high level of
detail and specificity

Importance of Internal Communication = communication of objectives
Must internally communicate objectives and the responsibilities of good internal controls.
Should be initiated and endorsed by senior management and conveyed across the organization.
Examples of internal communication include
 The importance of effective internal controls
 The roles and responsibilities of management as well as other personnel in performing internal
control processes
 The expectations of the enterprise to communicate up, down or across about significant matters.
 Making sure personnel understand their sub-objectives and how their roles and responsibilities impact the
achievement of the larger enterprise objectives.
 Acceptable and unacceptable behavior
Monitoring Activities: ARE THE COMPONENTS PRESENT AND FUNCTIONING?
Monitoring activities assess whether each of the other four components of COSO internal control (control
environment, risk assessment, control activities, information and communication) is present and functioning.
2 principles of monitoring activities:
1. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain
whether the components of internal control are present and functioning, both across the enterprise and in
the sub units
2. The organization evaluates and communicates internal control deficiencies in a timely manner to those
parties responsible for taking corrective action

TASKS FOR MONITORING ACTIVITIES

Management must determine if the current internal control system continues to be relevant and able to
address new risks the enterprise may face (is the current system still relevant? Can it address new risks?)
Monitoring activities can identify and examine expectation gaps in relation to internal control anomalies and
abnormalities. This helps identify root causes of breakdowns and which internal controls are not functioning.
Helps dig out and identify potential problems that have been ignored.
Should conduct ongoing evaluations to support monitoring activities and communicate any known internal
control deficiencies.

Monitoring can be done in 2 ways (MANAGEMENT VS INTERNAL AUDIT)

1. Management-initiated evaluations
2. An effective internal audit process

A control activity responds to a specific risk, whereas a monitoring activity assesses whether the controls
across the 5 components are operating as intended.
 Must always take into account the 3-dimensional nature of the COSO framework
 Relationships up, down and across
Benefits of appropriate monitoring activities:
1. Identify and correct internal control problems on a timely basis
2. Produce accurate and reliable information
Chapter 3: 17 COSO Principles
The 17 principles represent the fundamental concepts associated with the 5 components of internal control

Control Environment (5)
- Demonstrate commitment to integrity and ethical values
- Ensure oversight from the board
- Establish structure, authority and responsibilities
- Commitment to a competent workforce
- Hold people accountable
Risk Assessment (4)
- Specify appropriate objectives with sufficient clarity
- Identify and analyze risks / determine how they should be managed
- Evaluate fraud risks
- Identify and analyze changes that could significantly affect internal controls
Control Activities (3)
- Select and develop control activities that mitigate risks
- Select and develop TECH controls
- Deploy control activities through policies and procedures
Information and Communication (3)
- Use relevant and quality information to support the functioning of the other components
- Communicate internally
- Communicate externally
Monitoring (2)
- Perform ongoing or separate evaluations of internal controls
- Communicate internal control deficiencies
CONTROL ENVIRONMENT (PRINCIPLES 1-5)
1. Demonstrate Commitment to integrity and ethical values:
Enterprise history and culture play a major role in forming the control environment

a. Set the tone at the top: management's message to all stakeholders that it is committed to the highest ethical
standards in business. Management must lead by example. No tone at the top = high fraud probability

b. Establish a code of conduct / code of ethics and expectations, and actively communicate this to all
employees. It must be acknowledged and actively followed: a LIVING DOCUMENT

o Evaluate adherence to the code of conduct
 Mechanisms in place for reporting code of ethics/conduct violations in a secure and confidential
manner
 Example: a whistleblower facility (the caller remains anonymous; an external company offers the service)
 Actions on violations need to be consistent no matter who it is (lower level employee vs CEO)

2. Oversight of the Board of Directors

Establish oversight responsibilities: oversee how the company is being run, make sure it is running correctly
o Don't send negative signals; for example, if the company is in a bad position, don't give the CEO a bonus
o This can promote fraud and discourage employees

a. Apply relevant expertise to the BOD – can be industry experience or knowledge about the business, e.g. a
venture capitalist; periodically evaluate the skills needed among members and make necessary
changes
b. Operate independently: should be a mix of internal and external individuals who are not part of
everyday operations and can provide an objective outlook in their evaluation and decision making
c. Provide oversight for the system of internal controls: the audit committee oversees the development and
performance of internal controls
The BOD needs relevant expertise, must operate independently and must provide oversight for the system of internal controls
3. Authority and Responsibility
Determine who reports to whom and who is accountable for what; explain why the task is being done
 Organizational structure in place to plan, execute, control and assess the activities of the overall
enterprise. Establish reporting lines
 This control environment goal = define clear limits, assign responsibility and authority for all members
of the enterprise, from lower levels all the way up, in the pursuit of internal controls
 Clear flow of information
 Proper balance of delegation

4. Commitment to a Competent Workforce  attract, develop and retain competent individuals

Employees = lifeline of a company. Find competent individuals to align with internal control objectives
 Determine knowledge, skills, and experience needs
 Consider the nature and degree of judgement and the limits of authority for each job position
 Cost-benefit analyses of different levels of skills and experience
 Trade-offs between the extent of supervision and the competence levels of individual employees
 Evaluate current competence and address shortcomings
5. Hold People Accountable
Hold personnel accountable for their performance of internal control responsibilities across the enterprise and
take appropriate corrective actions as necessary.
 Should establish performance measures, incentives and other rewards
 The BOD should hold the CEO accountable for internal control and for the enterprise's achievement of
objectives
 Hold management responsible for implementing, conducting and periodically evaluating those controls
 The top level must set the tone
 Evaluate performance and reward or discipline individuals

RISK ASSESSMENT (PRINCIPLES 6-9)

6. Specify appropriate Objectives
Specify objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

There will always be some form of risk in any business; there is no way to reduce all of them.
Management must determine how much risk to accept and maintain risk within these limits, and understand
the tolerance it has for exceeding target risk levels
 Evaluate risks related to compliance, financial reporting and operations objectives: 3 KEY AREAS
 Put into motion controls to address these risks
 Risk-related objectives are based on situations that could potentially harm the enterprise in the future

7. Identifying and Analyzing Risks

Risk management strategy: how an enterprise intends to assess identified risks, and plans to respond to and
monitor those risks
Consideration of risks AT ALL LEVELS within an enterprise, including its subunits and operational functions,
such as finance, human resources, marketing, production.
 This process should consider internal and external risks that may DIRECTLY or INDIRECTLY impact an
enterprise's achievement of objectives.
 Consider broader risks vs local risks
 Analyze the risks and then determine how to respond to them
Take into account
 possible losses from the risks,
 the significance of each risk,
 the likelihood,
 the time frame,
 cost impact (cost to address the risk vs cost to incur the risk)
Deciding how risks should be managed: judgement based as well as cost-benefit analysis
 You need an overall risk response plan to be compliant with COSO internal control

Management should consider actions based on the 4 basic risk response strategies (A R S A)
a. Avoidance
b. Reduction
c. Sharing
d. Acceptance

8. Evaluating Fraud Risks

A fraud risk assessment is a process to determine the enterprise's exposure to internal and external fraud.

The assessment should review operations and controls, policies and procedures, to
determine where gaps exist that could allow a person or group of persons to carry out a fraud against the
enterprise.
 2 types of fraud: theft AND fraudulent financial reporting
 Management should be able to detect and prevent both types
 Internal auditors play a role in fraud detection and prevention.
 Assess incentives and opportunities for fraud
9. Identifying and Analyzing Changes Affecting Internal Controls (example: change in leadership)
ASSESS CHANGES (business, model, environment, management) THAT COULD IMPACT ACHIEVEMENT OF
OBJECTIVES
INTERNAL CONTROL ACTIVITIES (PRINCIPLES 10-12)
10. Selecting Control Activities to Mitigate Risks towards the achievement of objectives: objective  assess the
risk  select a control activity to mitigate that risk
Select control activities that contribute to the mitigation of risk relating to the achievement of objectives.
One size does not fit all: every enterprise has its own objectives, own risks, own responses and therefore its
own control activities that help mitigate risks.
 Can mitigate/reduce risks through segregation of duties. Used for handling cash or assets that are easily stolen
 No segregation = high theft probability
 Segregation of duties leaves a risk of collusion (people coming together to commit fraud); the solution is the rotation of individuals'
responsibilities
Control activities include: verification, approval, physical controls, authorization, supervisory controls
11. Selecting and developing technology (IT) controls
 Accounting relies on IT, all information lives inside a database
 Control access to certain functions
 Controls for authorized access, data security
 Establishes relevant technology infrastructure control activities
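The segregation-of-duties rules in the notes above (one person handles cash, one records, one reconciles; collusion as the residual risk) and the Principle 11 access controls (control who may access which function) are exactly the kind of thing an accounting system should enforce in code rather than leave to procedure. The following is an added example written for these notes; it is not from COSO or any real product. The users, the ROLE_MAP role assignments and the transactions are all constructed and assumed. It puts a preventive control (perform refuses an unauthorized user, an out-of-order stage, or a user acting twice on the same transaction, and writes an audit trail) beside a detective control (conflicting_assignments scans standing role assignments for anyone who could complete a transaction alone).

```python
"""Maker/checker segregation-of-duties enforcement for a cash-handling workflow.

Added example for these notes; not from COSO or any real product.  The users,
the ROLE_MAP role assignments and the transactions are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


class ControlViolation(Exception):
    """Raised when an action would breach an access or segregation rule."""


# The three incompatible duties.  Each transaction must pass through each
# stage exactly once, in this order, and each stage by a different person.
STAGES = ("handle", "record", "reconcile")

# Assumed role assignments (Principle 11: control who may access which function).
# "dave" deliberately holds two incompatible duties so the detective check
# below has something to find.
ROLE_MAP: Dict[str, Set[str]] = {
    "alice": {"handle"},
    "bob": {"record"},
    "carol": {"reconcile"},
    "dave": {"handle", "record"},
}


@dataclass
class Transaction:
    tx_id: str
    amount: float
    performed_by: Dict[str, str] = field(default_factory=dict)   # stage -> user
    audit_trail: List[Tuple[str, str]] = field(default_factory=list)


def perform(tx: Transaction, user: str, stage: str) -> Transaction:
    """Preventive control: apply one stage of the workflow to tx, or refuse.

    Refuses if the user lacks the role, if the stage is out of sequence, or
    if the same user already acted on this transaction (segregation of duties).
    All checks run before any mutation, so a refused tx is left unchanged.
    """
    if stage not in STAGES:
        raise ControlViolation(f"unknown stage {stage!r}")
    if stage not in ROLE_MAP.get(user, set()):
        raise ControlViolation(f"{user} is not authorized to {stage}")
    if len(tx.performed_by) == len(STAGES):
        raise ControlViolation(f"{tx.tx_id} is already complete")
    expected = STAGES[len(tx.performed_by)]
    if stage != expected:
        raise ControlViolation(f"{tx.tx_id}: expected stage {expected!r}, got {stage!r}")
    if user in tx.performed_by.values():
        raise ControlViolation(f"{user} already acted on {tx.tx_id}; cannot also {stage}")
    tx.performed_by[stage] = user
    tx.audit_trail.append((stage, user))   # audit trail: who did what, in order
    return tx


def violates(tx: Transaction, user: str, stage: str) -> bool:
    """True if perform() refuses this action; the action is applied otherwise."""
    try:
        perform(tx, user, stage)
    except ControlViolation:
        return True
    return False


def is_complete(tx: Transaction) -> bool:
    """All three stages done, in order, by three different people."""
    stages_done = [stage for stage, _ in tx.audit_trail]
    return stages_done == list(STAGES) and len(set(tx.performed_by.values())) == len(STAGES)


def conflicting_assignments(role_map: Dict[str, Set[str]]) -> List[str]:
    """Detective control: users whose standing role assignment spans more than
    one of the incompatible duties, i.e. who could complete a transaction alone."""
    return sorted(user for user, roles in role_map.items() if len(roles & set(STAGES)) > 1)


if __name__ == "__main__":
    tx = Transaction("TX-1001", 1250.00)
    for user, stage in (("alice", "handle"), ("bob", "record"), ("carol", "reconcile")):
        perform(tx, user, stage)
    print("TX-1001 complete:", is_complete(tx), tx.audit_trail)
    tx2 = Transaction("TX-1002", 90.00)
    perform(tx2, "dave", "handle")
    print("dave recording his own cash handling refused:", violates(tx2, "dave", "record"))
    print("users holding incompatible duties:", conflicting_assignments(ROLE_MAP))
```

The per-transaction check is what stops one person from handling, recording and reconciling the same cash; the role scan is the periodic review that catches a standing assignment which would let someone do so. Neither detects two people colluding, which is why the notes pair segregation with rotation of responsibilities.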

12. Deploying Policies and Procedures: deploy control activities through policies and procedures

Through policies that establish what is expected (POLICIES = WHAT IS EXPECTED)
and procedures that put policies into action (PROCEDURES = TURN POLICIES INTO ACTION)

Action steps FOR implementing policies and procedures
1. Establish policies and procedures to support the deployment of management's directives.
2. Establish responsibility and accountability for executing policies and procedures.
3. Perform using competent personnel.
4. Perform in a timely manner.
5. Take corrective actions when controls are not working.
6. Reassess policies and procedures.

INFORMATION AND COMMUNICATION (PRINCIPLES 13-15)

13. Use relevant, quality information to support the functioning of internal control components
The organization obtains or generates and uses relevant, quality information to support the functioning of internal
control.

Identify and define information requirements in detail; this is an iterative and ongoing process that occurs
throughout the performance of an effective internal control system
 The quality of information needs to be maintained
 Capture internal and external data, and process this data into relevant information to be used by
management in decisions and to analyze internal controls
 Compliance: know the rules and regulations -> information is needed to do this
Key consideration: balancing the benefits and the costs to obtain and manage information and the
needed supporting system. COST-BENEFIT ANALYSIS to obtain information

14. Communicate Internal Control information

Begins with the delivery and communication of objectives and responsibilities. Communicate with BOD
Internal information should be endorsed by management
 Should convey the importance and benefits of internal controls
 The roles and responsibilities of management and personnel
 The expectations to communicate up down and across
 Consistent and timely communications reinforces the messages conveyed; make the controls known
Internal communications can also help management recognize problems or potential problems, determine
the cause and take corrective action
Management should periodically evaluate effectiveness of enterprise communications through employee
performance evaluations, annual management reviews, feedback

15. External communication
Obtain or receive information from external parties and share that information internally.
This allows management to identify trends, events, or circumstances that may impact the achievement of
internal control objectives, AND THAT MAY AFFECT THE FUNCTIONING OF THE INTERNAL CONTROL SYSTEM
 Communicate externally, receive external information
 Communicate the code of conduct to suppliers/customers
 Annual reports go to outsiders; external investors know how your company is doing
 Communicate company values to external users

MONITORING ACTIVITIES (PRINCIPLES 16-17)

16. Evaluations of Internal Controls  identify and correct problems on a timely basis
An enterprise should select, develop, and perform ongoing and/or separate evaluations to monitor or
ascertain whether its internal control components are present and functioning. Done by
 Independent INTERNAL audit
 Evaluations by management
 Periodic evaluation of controls
Auditors = independent; managers are evaluating their own work
Unmonitored controls tend to deteriorate over time. The monitoring process ensures internal controls continue to
operate effectively, and identifies and corrects problems more quickly

17. Communicating Internal Control Deficiencies
 An enterprise should communicate its internal control deficiencies in a timely manner to all parties
responsible for taking corrective actions, including senior management and the board of directors.
 Communicate potential or real shortcomings within the internal control system that can adversely
affect the ability of the enterprise to achieve its objectives
• Assesses results • Communicates deficiencies • Monitors corrective actions

MONITORING = MAIN JOB OF INTERNAL AUDITORS


Chapter 4: Enterprise Risk Management (COSO ERM)
REVIEW: Internal auditors evaluate INTERNAL controls. Control = policies or procedures put in place to achieve
objectives. Main focus: checking those controls.
Control = a process designed to provide reasonable assurance regarding the achievement of objectives in 3 AREAS
Controls are based on risks (created in response to risk ASSESSMENTS)
Risks flow from objectives, i.e. what you are ultimately trying to do. Example: if the objective is customer
satisfaction, a risk is that the floor won't be clean
INTERNAL CONTROL objectives in 3 areas: Compliance, Reporting, Operations

ERM focuses exclusively on risk, whereas the COSO internal control framework guides managers on how to build controls
and prevent and detect fraud.
ERM is an approach that allows an enterprise and internal audit to consider and assess, at all levels, the risks that
adversely impact the achievement of objectives, and to continuously improve its risk management process
Risk: uncertainty that can lead to a loss
- Identify all the risks the enterprise faces – financial, operational, environmental, ethical – and manage them
- Internal auditors need to understand risk management and how it impacts their skills for building and
developing effective internal control processes
- Must always consider relative risks when implementing internal controls
- All activities are exposed to some uncertainty and risk (small or big)
Risk Management Process
An effective risk management process requires 4 steps, at all levels of the enterprise:
1. Risk identification (internal or external)
2. Risk assessment: quantitative or qualitative assessment of the documented risks
3. Risk prioritization and response planning
4. Risk monitoring
Must identify and understand the various risks facing an enterprise,
assess those risks in terms of their cost or impact and probability (significance),
develop responses in the event of risk occurrence, and
develop monitoring procedures as well as corrective actions

Portfolio approach: are our risks currently very low, so that we can accept a risky project now? And VICE VERSA.
 Risks in a portfolio come from all levels and areas of the company. Depends on risk tolerance
 If there are already lots of risky projects, don't undertake more risky projects. Keep within risk tolerance

1. Risk Identification: look at potential risks in each area of operations, then identify those that may have a
major impact on operations within a reasonable time period
 1 year from now vs 1 month from now? A small impact vs a material impact on your net income?
A good approach is to identify people at all levels of the enterprise who would be asked to serve as risk
assessors.
Key people should be identified from each operating unit. Their job would be to identify and assess risks in
their unit

2. Risk Assessment: assess their likelihood and relative significance (the notes plot each risk on a
likelihood vs significance risk map):
• R6: won't happen, but very significant
• R5: very likely, but not significant
• R3, R2: significant and likely; the first risks you will address, the most important ones to look at
• TOP RIGHT = PRIORITY: significant and likely

Likelihood is the possibility that an event may occur.


Likelihood can be described using qualitative terms such as high, medium, and low, or by using quantitative
measures such as a percentage or frequency.

Impact represents the effect that a given event will have on an entity. Impact can be described both
qualitatively and quantitatively. Entities often describe events based on severity, consequences, or dollar
amounts

Risk Ranking: Take the established significance and likelihood estimate, calculate risk rankings, and
identify the most significant risks across the entity reviewed.
• The risk significance and probabilities of occurrence are often called the risk drivers or the primary risks for
a set of identified risks. More objective.
• An enterprise should then focus its attention going forward on these primary risks.

RISK SCORE = Significance probability x Likelihood probability
SIGNIFICANCE x LIKELIHOOD, then rank based on high to low

Probability of two independent events= product of the two probabilities= P(event 1) x P(Event 2)
Risk interdependencies: one drives the other, one can trigger the other.
Each operating unit is responsible for managing its own risks but may be subject to the consequences of risk
events in other areas of the organization
3. Expected Values and Response Planning
Cost impact cost benefit analysis: financial impact/ cost to incur the risk vs cost to address the risk. If it’s
more costly to address then It’s not worth it. More subjective
• Cost estimates should be performed by front line people who have good knowledge of that area/risks

Costs to incur the risk and recover from the risk vs cost to address it (install corrective action facilities)

Expected Cost of the Risk = Risk score (significance P * likelihood P) x estimated cost impact of
incurring the risk
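The scoring and ranking described above, carried through on a small constructed risk register. This is an added example, not code from the textbook or these notes; the register entries, their probabilities and cost figures are all made up for illustration, and the R-numbers only mirror the labels used on the risk map above.

```python
"""Risk scoring and ranking as described in the notes above.

Added example (not from the textbook or the notes). A constructed risk
register is scored with
    risk_score    = significance_probability * likelihood_probability
    expected_cost = risk_score * estimated_cost_impact
and ranked from high to low, so the risks that need a response plan come
out first. The joint probability of two independent risk events is the
product of their individual probabilities.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    significance: float   # 0..1, probability that the impact is material
    likelihood: float     # 0..1, probability the event occurs in the period
    cost_impact: float    # estimated cost to incur and recover, in dollars

    def score(self) -> float:
        """RISK SCORE = significance probability x likelihood probability."""
        return self.significance * self.likelihood

    def expected_cost(self) -> float:
        """Expected cost of the risk = risk score x estimated cost impact."""
        return self.score() * self.cost_impact


def validate(risk: Risk) -> None:
    """Reject probabilities outside [0, 1] or negative cost estimates."""
    for p in (risk.significance, risk.likelihood):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{risk.name}: probability {p} not in [0, 1]")
    if risk.cost_impact < 0:
        raise ValueError(f"{risk.name}: negative cost impact")


def rank_risks(risks: list[Risk]) -> list[Risk]:
    """Rank by risk score, high to low; ties broken by expected cost."""
    for r in risks:
        validate(r)
    return sorted(risks, key=lambda r: (r.score(), r.expected_cost()), reverse=True)


def worth_addressing(risk: Risk, cost_to_address: float) -> bool:
    """Cost-benefit test from the notes: address the risk only if the expected
    cost of incurring it exceeds the cost of the corrective action."""
    return risk.expected_cost() > cost_to_address


def joint_probability(p_event1: float, p_event2: float) -> float:
    """Probability that two independent events both occur."""
    return p_event1 * p_event2


# Constructed sample register (hypothetical values): R6 rare but significant,
# R5 likely but minor, R2/R3 both significant and likely.
SAMPLE_RISKS = [
    Risk("R6 natural disaster halts plant", 0.90, 0.05, 4_000_000),
    Risk("R5 minor shipping delays", 0.10, 0.90, 50_000),
    Risk("R3 key supplier insolvency", 0.70, 0.40, 1_200_000),
    Risk("R2 loss of 50% market share", 0.80, 0.30, 9_000_000),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.name:32s} score={r.score():.3f} "
              f"expected_cost={r.expected_cost():,.0f}")
```

With these constructed figures R3 and R2 rank first, matching the "top right" priority on the risk map, while R5 is not worth a $10,000 fix because its expected cost is only $4,500.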
Examples of some cost impacts and costs to recover from risks
a. Loss of 50% market share= sales reduction and loss of profits
b. Temporary loss of manufacturing due to natural disaster= estimate cost to repair and return to
operations, extra labor and production costs incurred
c. Try to look at the worst case

High significance, high likelihood and high expected cost= the type you need to identify,
address and take corrective actions towards
4. Risk Monitoring: Once risks have been identified they need to be monitored and make on going
adjustments as needed.
This risk monitoring can be performed by the process owner or by an independent reviewer.

• Internal audit is often a very credible and good source to monitor the current status of identified risks.
• Internal auditors can receive information face to face, through surveys, or schedule a visit to better
understand the nature of the risk area
• Or let the people who are very close to the risk monitor it; they know it best
COSO ERM COSO Enterprise Risk Management is a framework to help enterprises have a
consistent definition of their risks.
Definition: Enterprise risk management (ERM) is a process, effected by an entity's board of
directors, management and other personnel, applied in a strategy setting and across the
enterprise, designed to identify potential events that may affect the entity, and manage risk to be
within its risk appetite, to provide reasonable assurance regarding the achievement of entity
objectives.

RISK APPETITE: how much risk a company will accept in pursuit of value . Attitude towards
risk. Am I willing to take risk or scared of risk (risk averse or risk neutral)

Key points and concepts


1. ERM is a process: series of steps to review and evaluate potential risks & take actions

2. The ERM process is implemented by people in the enterprise (the ERM process will not be effective if
implemented only through a set of rules sent from headquarters) must be managed by people who
are close to the risk situation and understand the factors and implications

3. ERM is applied through the setting of strategies across the overall enterprise. (starts at the top and
works its way down the organization)

- use a portfolio approach that blends high and low risk activities

4. An enterprise’s risk appetite must be considered.

Risk appetite definition: the amount of risk that an enterprise is willing to accept in their pursuit of
value. Risky ventures with high returns vs a guaranteed return low risk venture.

5. ERM provides only reasonable, not positive, assurance on objective achievements. No 100%
guaranteed of outcomes. Reasonable assurance does not mean absolute assurance.
- A well controlled enterprise may achieve objectives every period but unexpected catastrophic
events (natural disasters, human error) can happen despite an effective ERM process.
- A list of suggested practices, not an actual standard.
- Won't give you 100% assurance. Just a guideline, never 100% certainty.

6. An ERM is designed to help attain the achievement of objectives and mitigate risks associated
ERM KEY ELEMENTS
Why COSO ERM is a cube: because it is three dimensional, everything is interrelated
- All working together, affecting each other
- Analyze the risks as they relate to strategy, compliance, reporting, operations, they need to be
assessed overall and on every level/unit of the company
All components need to exist for all levels of the company and for every risk management objective

Easily confused with COSO internal controls, the COSO ERM framework outlines a risk management
approach applicable to all industries and encompassing all types of risk.
RISK COMPONENTS of COSO ERM (8) IOERRCIM
1. Internal environment
2. Objective setting
3. Event identification
4. Risk assessment
5. Risk response
6. Control activities
7. Information & communication
8. Monitoring
Risk management objectives (4) → COSO had 3
1. Strategic
2. Operations
3. Reporting
4. Compliance with laws and regulations
Entity and unit level components → COSO had 3 very similar
1. Entity-level edus
2. Division
3. Business unit
4. Subsidiary

Internal Environment
Tone at the top foundation for all other components in the ERM model
Elements include:
• Risk management philosophy: attitudes and beliefs that characterize how the enterprise considers risk
in everything it does. Consistent risk philosophy in how it accepts risky ventures
• Risk appetite: can be measured in quantitative or qualitative terms. Overall risk appetite of the
enterprise needs to be known by all levels of management
• Board of directors' attitudes: role of overseeing and guiding an enterprise's risk environment.
• Integrity and ethical values: strong corporate culture and a written code of conduct
• Commitment to competence (best people identifying risks): best trained people. Assign the proper
people to perform developed strategies
• Organizational structure: clear lines of authority and responsibility and appropriate reporting.
• Assignments of authority and responsibility, delegation. Everyone must understand how their actions
are interrelated and contribute to overall objectives
• Human resources standards: HR practices send a message about what is favored, tolerated or
forbidden. HR rules communicated to all stakeholders and enforced

If within risk appetite, more likely to accept the project.
Company's attitude toward risk: a technology startup needs to take on risk or it will fail, so its risk
tolerance will be higher THAN an established company with 80% market share, which doesn't need to take
on major risks (risk averse).
- CEO too risk averse: no new developments, no growth
- CEO too risky: can affect the interests of the shareholders

Objective Setting (the act of setting objectives): what is our goal, aligned with the mission statement?
Objective setting outlines important conditions to help management create an effective ERM process:
• Must establish a series of strategic objectives aligned with its mission statement that covers operation,
reporting and compliance activities, is within the enterprise's risk appetite and considers its tolerance
• Mission statement = crucial

Objectives must exist before management can identify potential events affecting their achievement.

ERM ensures that management has in place a process to set objectives and that the chosen objectives
support and align with the entity’s mission and are consistent with its risk appetite.

Process of setting objectives, and that those objectives support and align with the mission statement and
are consistent with the risk appetite.
Event Identification similar to risk identification INTERNAL OR EXTERNAL EVENTS
Events internal or external that affect the implementation of an ERM strategy and the achievement of its
objectives. Both long term and short term Management identifies events that, if they occur, will affect the
entity

External/internal risks or threats:

• External economic events.
• Natural environmental events: fire, flood, earthquakes (loss of raw material, damage to facility)
• Political events: laws and regulations, elections
• Social factors: demographic changes or social customs
• Internal infrastructure: strong demand or change in policy, something going wrong in manufacturing
• Internal process related events: changes in a key process
• External/internal technological events (not adjusting for technological factors, ex. paper newspaper)
• A technology may be becoming obsolete

Event identification techniques (look at past and future)

• Event inventories: list of potential/past risks in a common industry, past risks the
company has encountered
• Facilitated workshops: workshops to bring together cross functional or multi level
individuals to discuss potential risk factors regarding an objective and contribute their
knowledge
• Interviews, questionnaires, and surveys: reach out to people in the field (ex. suppliers),
customer satisfaction letters, exit interviews (get a view of past or potential events)
• Leading event indicators are qualitative or quantitative measures that provide insight
into potential events, such as the price of fuel, traffic on an Internet site (must be
available on a timely basis)
• and escalation triggers → establish a risk tolerance measurement/threshold; e.g. after 3
intrusions further action is triggered. Risk status reported through RED/YELLOW/GREEN.
• Loss event data tracking: monitoring relevant data can help an organization identify
past events having a negative impact and quantify the associated losses, in order to
predict future occurrences. Use past losses from events to predict the future.
Risk Assessment
Allows an enterprise to consider the impact that potential risk related events may have on the achievement of
objectives. Risks are viewed from two perspectives:

1. Likelihood of the risk
2. Potential Impact (significance)

• Consider likelihood and impact of each risk and consider their interrelationship from unit to entity level.
• Identify risks and assign rankings to identify which ones should receive the most attention
• Will the risk have a MATERIAL EFFECT?
• Enterprise will face a mix of inherent and residual risk

Inherent risk: Outside the control of management and usually stems from external factors
• These risks may result from an entity’s industry, strategy, and environmental factors.
• Stems from the nature of the activity

Residual risk: this is the risk that remains after other management responses to risk threats and
countermeasures have been applied/implemented. These may include diversification; policies and procedures
providing limits, authorizations, and other protocols; supervisory staff reviewing.

Residual risk is the risk that remains even after responding to the risk by implementing controls.

There will virtually always be some level of residual risk.

Risk Response Elements (depends on likelihood, potential impact and cost benefit analysis in order to
develop appropriate response strategies)

1. Avoidance: walking away from a risk. Must consider risk appetite.
Examples include selling a business unit, exiting a risky geographical area or dropping a product line.
• Can be potentially costly if large investments were made to get into an area in the first place
• Enterprises often do not walk away until the risk has occurred.
• Difficult to walk way from an otherwise successful business based on potential future risk unless the
appetite for risk is very low within the enterprise
• Lesson learned approach learn from past activities with unfavourable consequence = avoid the risk
now
• Deciding not to engage in risk related objectives
2. Reduction: product diversification, cross training employees to reduce the risk of loss productivity if
someone leaves the company unexpectedly. Don’t rely on one product line or only one team of employees.

3. Sharing: share risk through purchasing insurance, hedging to protect from price fluctuations, joint venture
agreements to share in both profit and losses, expenses, outsourcing

4. Acceptance: no action → frequently driven by looking at the cost benefit analysis; more money to fix
than the actual risk would cost. Accept risks that adhere to your risk tolerance

Example: risk is that they could lose an entire manufacturing operation due to an old equipment plant failure
Risk response: acquire backup production equipment to serve as parts, Move production elsewhere

Control Activities
ERM’s control activities are the policies and procedures necessary to ensure the risk responses
are executed in a timely and efficient manner. All levels and all in all functions
Control Activities
a) Segregation of duties: the concept of having more than one person required to complete a task
a. a person who initiates a transaction should not be the one who approves it or who records it
b. should be separated so that one individual cannot complete a transaction from start to finish
c. reduce changes for error, fraudulent activity
b) Audit trails: final results can be easily traced back to the transactions that created those results.
c) Security and integrity: only authorized personnel can review or modify. Example: check issuing
d) All processes documented accurately
e) Top level reviews: top management reviews the status of identified risks
f) Direct functional or activity management → direct response from someone working in that area.
Control activities for each operating unit
g) Information processing: maintain quality
h) Physical controls: physical inventory count, inspections, plant security procedures. Restricted access to
areas, keep cash in a secured safe
i) Performance indicators:
a. Performance indicators → USB access is locked, so there is no access to the whole system
b. Segregation of duties → especially for cash

Information and Communication

This COSO ERM component is a separate set of risk‐related processes linking other COSO ERM components,
showing the information flows across the COSO ERM components. Exhibit 7.9, p. 108 diagram

• Information is needed at all levels of an entity for identifying, assessing, and responding to risk.
• Effective communication occurs when it is flowing down, across, and up the organization.
• All personnel should receive a clear message from top management that enterprise risk management
responsibilities must be taken seriously. They understand their own role in enterprise risk management
• Information from external and internal sources is used for setting strategy and objectives, identifying
events, analyzing risks, determining risk responses

ERM MONITORING
In order to establish an effective ERM framework, monitoring should include ongoing reviews of the overall
ERM process to assess the presence and functioning of its components (THE 8 COMPONENTS)
• Auditors are evaluators , evaluate all components
• Enterprise risk management deficiencies are reported upstream, with serious matters reported to top
management and the board.
Examples of monitoring: management reviews, separate evaluations of a process or control, internal audit
reviews.
Internal auditors: evaluate risk and control activities

OTHER DIMENSIONS: Although many look at COSO ERM from the perspective of the front‐facing side of its
three‐dimensional framework, the two other dimensions—the operational and organizational levels—should
always be considered. Each component of COSO ERM operates in this three‐dimensional space where each
must be considered in terms of the other

SECOND DIMENSION: The top‐facing components of strategic, operations, reporting, and compliance risk
objectives are important for understanding and implementing COSO ERM. RISK MANAGEMENT OBJECTIVES

THIRD DIMENSION: The third dimension of the COSO ERM framework calls for risks to be considered on an
organization or entity level. Four divisions: entity‐level, division, business unit, and subsidiary risks.
• Umbrella = entity level, Starbucks headquarters, Business units= Starbucks across the street
• Do you hate risk over all divisions?
• COSO ERM risks should be identified and managed within each significant organizational unit,
including risks on an entity‐wide basis through individual business units
Chapter 5: Performing Effective Internal Audits
What do internal auditors do? Makes sure controls are in place and operating efficiently
Areas: reporting, operations and compliance with laws and regulations
Controls are policies and procedures used to achieve objectives. Example: segregation of duties for cash,
verifications, physical count, supervisory controls, authorization
COSO ERM: focuses on risk management, consistent definition of an enterprise's risks
ERM Enterprise risk management: process to identify potential risks, manage them within the risk appetite of
the company, reasonable assurance of achieving objectives
Risk appetite: amount of risk the company is willing to live with in pursuit of value. Impossible to eliminate all
risk → if the cost outweighs the benefit of addressing the risk, you won't address the risk

Audit charter: a formal document that defines internal audit's purpose, authority, responsibility and position

Internal Audit Preparatory Activities: Internal auditors visit the organization facility to
understand the processes in place. They then design tests and evaluate the internal controls.

1. Define the objectives, scope and procedures to be used in the audit


A high‐level objective statement should be established for each individual planned audit. (what are we set
out to do) Examples:
a. To assess the adequacy of purchasing system internal accounting controls
b. To perform a planned review of quality of management production processes

Closely tied to the objective statement, a scope statement, narrows down the objectives.

For example, an objective statement can identify a planned review of quality management production
processes in international operations; a scope statement might limit the review to only Australia/New Zealand

AUDIT SCHEDULE AND TIME ESTIMATES depend on the nature of the audit, staff size, complexity, internal
auditor's abilities and time constraints.

An effective way to describe these internal audit plans is through an audit planning memo.

Reasons for initiating and launching an internal audit

• Corporate reorganizations (such as acquisition of a new business, sale of an operating unit)
• Audit committee formal requests: a formal request from the audit committee
• Response to unplanned events such as discovery of fraud, new regulations or unexpected economic
events

Internal Audit Preliminary Surveys: gather background materials on the entity to be audited
1. Review of prior year workpapers: review workpapers and audit programs for past year to gain
familiarity with the approaches used and the results of prior year audits
• SALY: SAME AS LAST YEAR, won't work if there are changes in processes
• Make sure the same problems don’t arise, focus on problems encountered in the prior audit and
the suggested methods of solving them

2. Knowing the amount of time from the prior audit. (eg 200 hours, try to follow budget as close as
possible)
3. Review of prior audit reports. Must look at the past audit findings
- Audit report= final document presented to audit committee, includes the big problem found,
- Goal is to make sure the problems were fixed during the year or managements has a commitment
to take corrective actions
- Significant recommended corrective actions (make sure corrective actions are working this year;
examine those areas where substantial corrective actions were required)

4. Organization of the entity understand the structure of the entity, responsibilities of the individuals
- Particular attention to areas with potential segregation of duties problem
- who is handling cash, reporting, approving, vendor set up etc .
- obtain the key employees names and contact information
Handling, recording and reviewing always needs to have segregation of duties (Know who is doing each, who is
overseeing)
5. Other related audit materials. (supporting data from related audits)

STARTING THE AUDIT

This notice of a planned upcoming internal audit is called an engagement letter.

Inform the group or organization that an internal audit is scheduled:
• Indicates when the audit is scheduled,
• who will perform the review,
• why the audit is planned (regular audit, audit committee request etc).
Most audits are planned, not a surprise; this allows you to have all needed information/access on that day.
Fraud related investigations show up unannounced, AKA surprise audits.
The engagement letter must be addressed to the manager directly and include:
- Addressee (manager of unit being audited)
- Objectives and scope (purpose and areas the audit will cover) scope=coverage
- Expected start date and planned duration
- Identify the in-charge auditor
- Advance preparation needs: eg copies of certain reports, financial reports, statistical information,
office space, network access or access to databases. Key manager is present during that time

Internal audit field SURVEYYYY first step taken at the audit site. Helps determine the
direction, scope and extent of audit effort.
Field survey allows auditors to
1. Familiarize themselves with local processes in place key systems and processes UNDERSTAND THEM
2. Evaluate the control structure and level of control risk in the processes and systems
• The audit staff gathers information about the auditee's operations, gains an understanding of the
unit's functions, and identifies both strengths and weaknesses
• This is the time to clarify any questions that may have been raised through the engagement letter
Elements that should be assembled include
1. Organization charts, names of key personnel. Become familiar with the functional responsibilities and
the key people involved in the operation
2. Manuals and directives: policy and procedure manuals, applicable laws and regulations
3. Reports such as minute meeting, budgeting, operations, personnel matters, fire inspector review
4. Personnel observations: a tour or walk through of the activity allows internal audits to become familiar
with basic operations, space utilization
5. Discussion with key personnel can help determine known problems, planned changes
ALL INFORMATION GATHERED THROUGH THE FIELD SURVEY SHOULD BE DOCUMENTED IN AUDIT
WORKPAPERS
Conclusions from Field Survey CONFIRM ASSUMPTIONS AND MAKE NECESSARY ADJUSTMENTS
1. The purpose of an internal audit field survey is to confirm the assumptions gained from the
preliminary audit planning and to develop an understanding of key systems and processes.
2. make the necessary adjustments to the audit objectives and scope or planned procedures

Developing and Preparing Audit Programs (also called MAPS)

The term program refers to a set of auditor procedures similar to the steps in a computer program:
instructions for the process to run effectively.

An audit program is a tool for planning, directing, and controlling audit work and a blueprint for action,
specifying the steps to be performed to meet audit objectives. PLAN OF ACTION

• Selection of the best method to get the job done
• What you need as an auditor → prior year working papers and the audit program (best friend)
Describes the steps and tests to be performed by the auditor when actually doing fieldwork.
Programs usually follow one of 3 general formats:
1. A set of general audit procedures (execute each of the given steps); document each step in the
working paper and reference # the paper
2. Audit procedures with steps, where each step includes detailed instructions for the auditor
→ exhibit 8.8, much more detailed
3. A checklist for compliance reviews → not as precise, does not examine all evidence, simply gives a YES/NO
answer

THE PROGRAM IS YOUR BEST FRIEND ALONG WITH PRIOR YEAR WORKING PAPERS
- detailed description on how to approach different tasks/steps
Fieldwork encompasses all the efforts of the internal auditor to accumulate, classify, and
appraise information so as to enable the auditor to form an opinion and to make any needed
recommendations for improvement
Audit Evidence: An internal auditor should examine and evaluate information on all matters related to the
planned audit objective. This information, called audit evidence, covers everything an internal auditor
reviews or observes.

A properly constructed audit program should guide an internal auditor in this evidence‐gathering process.
Audit program guides audit evidence; everything you do, you gather evidence, find proof.

• Strongest form of evidence: direct observation or confirmation (you are the source)
• Observing an event is far superior to just hearing about it
Audit evidence through direct observation, confirmation or inspection is the strongest.

Casual inquiry asking the manager=weak

Confirmation: through an external party, example bank reconciliation. Confirms the accuracy of the information. The
receipt of a direct written response from a third party

External document stronger than internally generated document

Origin of the Evidence. Corroborative materials → independent of the entity: audit evidence that is generated internally,
such as evidence existing within the accounting records, minutes of meetings, or a management representation.

Sometimes the weaker form is the only thing you can get.

Performing the Internal Audit

Fieldwork initial procedures: the in‐charge auditor and members of the audit team should begin by
meeting with appropriate members of management to outline preliminary plans for the audit,
• including areas to be tested, special reports or documentation needed, and personnel
to be interviewed
• Engagement letter came first

Fieldwork follows the established audit program

- As each step is completed it should be initialed and dated on the program
- Reference the workpaper
- Any documentation gathered should be organized and forwarded to the in-charge auditor
- In-charge auditor reviews work papers and monitors the audit
- Point sheet: the in-charge auditor signs off on key steps from the program and suggests areas for
additional work

Fieldwork technical issue if something is not familiar to the audit team, the in‐charge auditor should seek
assistance as soon as possible.
- An internal audit supervisor or specialist may have to research the audit or technical issue in order
to provide the answer. (internal auditors are not engineers, work with the right people)
Internal audit workpapers: report on the work performed and provide a link between the procedures
documented in the audit program and the results of audit tests.
- Because they will become the basis for findings and recommendations in final audit reports, the
workpapers should appropriately document all audit work.
- Record all work you do, document what you did, why you did and conclusions
- Map/program guides your working paper,

Preliminary audit findings typically have the following elements:

• Identification of the findings (audit deficiency)
• The conditions of the completed audit.
• References to the documented audit work.
• Auditor's preliminary recommendations.
• Results of discussing the findings with management. Know what to fix; playing on the same team as the
manager, the goal is to improve, recommend and make sure they are being addressed
• Recommended disposition of the matter.

A major area of emphasis in any internal audit is the identification of areas where the unit reviewed is not in
compliance with good internal control procedures and where improvements are needed

Wrapping up Formal Audit Report: The most important internal audit work product is the formal
audit report, with its findings and recommendations, which is delivered to the auditee after completion of
the review as well as to the audit committee

Field survey: go to the site, make sure you understand what is going on. Yes, you have previous year working
papers, but processes may have changed since. (You first did the preliminary survey, but the field survey is to
confirm your assumptions and make corrections as necessary to the planned audit objectives or scope.) Field
survey includes organization charts, manuals, interviewing key personnel, observation during the walk through and
reports from meeting minutes, budgets etc.
Audit program: list of steps to be performed, and each step must be documented with a working paper and a
conclusion. BLUEPRINT FOR ACTION, plan of action that details the steps to obtain audit objectives
Engagement letter: delivered to the department explaining who, what and where the audit is done, what they will
need to do it. Most audits are not surprise audits. All information, resources and people are available as you
need. Sent out to inform the department that an internal audit is scheduled to be performed
Control: someone is sweeping the restaurant; check that someone is doing this
Point sheets: document your preliminary findings, figure out a reason
Complete audit documentation: lack of a control, or a control not properly functioning. Focus is on what's NOTTTT
working well; the audit report focuses on the problems found, the controls not in compliance, and recommendations
to management for improvement

Overall goal is → improvement


Chapter 6: Testing Assessing and Evaluating Audit Evidence
Internal audit process starts with establishing audit objectives and scope
then planning and preparing the internal audit, (preliminary survey and field survey)
performing planned audit procedures (gathering and examining audit evidence) following the program
and finally assessing the audited results to determine if the objectives have been satisfied.
Satisfy audit objectives through audit evidence
Sample must be representative of the population

USE SAMPLING TO GATHER AUDIT EVIDENCE , check if it aligns with AUDIT OBJECTIVES, or a step in the
program
Sampling: Audit sampling is the process of examining less than 100% of the items within an account balance
or class of transactions for the purpose of drawing some form of conclusion for the entire population based
on the sample audit results.
• Example 1: payroll for 60,000 employees, test is done through determining IF the time sheet is signed
off by the manager, not possible, use sampling to conclude on the overall population of employees
• Control: time sheet authorization
• Pick a sample of 100 timesheets, to conclude on the entire population. Sampling is a tool, conclusion is
on the population.
• All 100 timesheets are signed off appropriately= the control for the population is functioning
• Example 2: inventory count at the end of each year in 5 warehouses = this can be done at all 5
warehouses, look at 100%
Picking a sample
Must be representative of the population
1. Understand the total population of items of concern and develop a formal
sampling plan regarding the population of items;
2. Draw a sample from the population based on that sample selection plan;
3. Evaluate the sampled items against audit objectives;
4. Develop conclusions for the entire population based on audit sample results
2 FORMS OF SAMPLING (BOTH WORK)
Statistical Sampling: draw conclusions regarding the entire population (math based)
Mathematically based method of selecting representative items that reflect characteristics of the whole
population. Example: statistical sample of inventory; use that sample to draw an opinion on the accuracy of
the entire inventory
Population: time sheets, that's what you are testing
- 100,000 timesheets: upload into software that does the calculation; the software has no bias
The following reasons encourage the use of audit sampling and statistical sampling:
a. Conclusions may be drawn regarding an entire population of data without checking 100% of
the population. (significant audit savings and strong audit position)
b. Sample results are objective and defensible. UNBIASED
- Software generated, based on random selection, is unbiased.
- When based on auditor judgment it can be subjective: can be biased towards a
certain name, for example. Can be intentional or unintentional.
c. Less sampling may be required through the use of audit sampling.
- A sample of 50 or 100 can be used for a population of 10,000 or for a population of 1 million
- Sample size does not need to increase in proportion to increases in the size of the
population. Depends on other parameters
d. Statistical sampling may even provide for greater accuracy than a 100% test.
- Human error is possible if looking at a large number of items
- More data items = larger risk of audit or clerical errors
- Smaller sample means each item gets more attention and analysis.
e. Audit coverage of multiple locations is often more convenient.
- Small samples taken from each site complete an overall sampling plan
- One auditor can start, another finishes
f. Sampling procedures can be simple to apply. (plug information into software)
Judgmental Sampling (Non-statistical): no mathematical theory, not statistically precise. Auditor uses
his or her judgment to design and select the sample. Less than 100% of the population, but sufficient to make
a conclusion. Methods include
1. Fixed percentage selection (ex. 2% of the population, random selection, no bias); no software used. Close
your eyes and pick
2. Designated attribute selection (pick all the items with the same attribute; pick your sample based on a certain
characteristic or time period)
- Example: look at all timesheets in February (specific time period)
- Example: all accounts ending in the letter B or starting with B
3. Large value selection (based on dollar values of items; pick the sample from million dollar items that can have a
large impact if there are deficiencies in controls)  items with large balances
4. Designated area selection (pick from a specific geographic area, or a specific file drawer where the files are)
5. Other selected attribute selection (for some reason looks suspicious)
- A review of sensitive items or audit concerns
- A person can judge if something doesn't look right or looks off; statistical software cannot do this,
everything has the same value to the software
- This can be a bias, but judgment applied can also help in identifying risky items

Three decisions to make when using judgmental sampling:
1. Develop a method of selection (above), and decide what types of items to examine.
2. Determine the size of the sample. (sample size must be reasonable compared to the entire
population)
3. The third decision is how to interpret and report the audit results from the limited judgmental
sample.
Not easy to apply to the overall population:
- If 1/10 of the sample is bad, you can't say that 10% of the overall population is bad.
- Example: if you chose only dusty inventory, you can't say all inventory is obsolete

Statistical Sampling representative of the population


Population refers to the total number of items that are subject to an audit
• Ex timesheet, item you will be looking at for your audit, background checks=individual employees.
Random sample is the process of selecting a sample where each unit in that population has an equal
probability of selection. The sample then represents the characteristics of the entire population.
- Statistical software: no bias, random sampling
- Purely random sample: expect that it represents the population
Elements/terms
• The mean = average = total amount / # of observed items
• The median = rank by size (low to high), choose the one in the middle
• The mode = the item that shows up most frequently
• The range = difference between the largest and smallest values
• The variance = THE SPREAD OF THE DISTRIBUTION
• Standard deviation = how much variation of values exists around the mean. How far away an item is
from the mean.
• Normal distribution = how items are distributed around the mean. BELL SHAPED DIAGRAM
o +/-1 standard deviation away: 68.2% of the population will be there
o 95.4% will be within 2 standard deviations from the mean.
Larger spread: more risky (could be outliers)
Is there an equal distribution of small and large numbers? Is the population skewed?

Developing a Statistical Sampling Plan with each item having an equal chance of being selected
Develop an audit sampling plan that will allow each item in a population to have an equal
probability of selection.
- Should attempt to remove any bias
- This is challenging for inventory records, accounts receivable, physical data and other audit
evidence, but it is what makes the audit sample representative of the entire population
Understand the nature of the data to be reviewed, such as the following:

1. The population (or universe or field) to be sampled must be clearly defined. (know where the control is
being executed and know what you are sampling)
Example
- Testing controls around cash
- Cash balance 1 million, 10,000 transactions, every month a bank rec is done
- Control: every bank reconciliation is signed off by the CEO (what is being tested)
- Population: all bank recs

2. The population should be divided or stratified into groups ONLY IF major variations exist between
population items. Strata = GROUP.
Used when a population covers a few large items and many small items. Without stratification, statistical conclusions will not be
valuable because the population is not normally distributed
Look at purchases, making sure each purchase is properly approved. Population 100, Sample Size = 3
- Stratify: look at the size of the purchases, put them into 2 groups (STRATA) based on dollar value
- Pick 2 from one group (purchases over 100,000), 1 from the other (<100,000)
- This increases the chances of choosing the larger items
Can be done for any characteristic. Example: timesheets.
- 1 sample from a group of timesheets signed by X manager
- and 2 from timesheets signed by Y manager

3. Every item in a population must have an equal chance of being selected in the sample
- Eliminate bias
- Always disclose if some items had to be ignored for logistical or other valid reasons

4. There should be no bias in making the sample selection from the population.
- Must include items both in local areas and remote areas to draw a conclusion on the entire
population

4 methods to select an audit sample
Random Number Selection
Items here should be selected at random, with each in the population having an equal chance to be selected
as a part of the sample.
- Random number generator software
- Give each item a number, determine sample size and select randomly
- Measure the risk of sample being not representative of the population

Interval Selection: also called systematic sampling  useful for monetary unit sampling
Requires the selection of individual items based on uniform intervals from the items in the total population.
SELECT EVERY NTH ITEM; appropriate for time periods
- Example: you need a sample of 3 (interval = number of items in the population / sample size)
- 10/3 ≈ 3: pick every 3rd item as your sample; OR a population of 5000 with a needed sample of 200: 5000/200 = 25, choose every 25th
Downside: if the interval is every 30 days, you won't see a problem that may occur at the end of each month

Stratified Sampling
A population is divided into two or more subgroups or strata, with each subgroup handled independently as
a separate population. Each stratum has similar characteristics (homogeneous)
• The justification for stratification may be that one stratum has significantly different characteristics,
and internal audit may wish to evaluate that subgroup on a more individual and precise basis
• one stratum could be subject to 100% selection (items over 10,000) and another stratum uses random
selection (items under 10,000)
• if stratified sampling is not used, there's a chance that the larger items might not be selected
• mostly used for populations with a few high values that have a large significance
• examples: inventories, accounts receivable or invoices

Cluster Sampling
Samples are made by systematically selecting subgroups or clusters from the total population. Divide into
heterogeneous clusters that each represent the population
• Cluster selection is useful when items are filed in shelves or in drawers, and it is physically more
convenient to select subgroups based on the physical shelf area or individual file drawers.
• The rationale is that the items on particular portions of the shelf areas or in designated drawers are
substantially similar in their nature and that a sample thus selected will be representative.
• Example sample size of 600; Sample 20 clusters with 30 items in each
• Use a larger sample when applying the cluster approach

Audit Sampling Approaches
1. Attribute sampling
2. Variables sampling (includes monetary unit sampling and stratified)
3. Discovery sampling

Attribute Sampling: Attribute sampling is used to measure the extent or level of occurrence of various
conditions or attributes. GOOD TO REVIEW CONTROL PROCEDURES (verification, authorization, are the
controls being done)
Used to check how many times a certain feature will show up in a population.
EITHER A CONDITION EXISTS OR NOT (cannot be a maybe): CORRECT OR INCORRECT
• If the bank rec is not signed off = compliance error
• If the bank rec is signed off = OK
The results of an attribute sampling test are then compared to the tolerable error rate established for
that test.
- Auditors need to develop an acceptable error rate: the tolerance rate for errors
• Before performing the sampling, the needed reports must be available and accessible
Attributes Sampling Parameters (decided before the sampling is done)
1. Maximum tolerable error rate (the error rate an auditor will allow while still saying internal controls
are adequate)
2. Degree of confidence level (ex. 90% or 99% confident/certain that the rate of error is less than 1%)
- Usually 95% or 98%, never 100%
- Higher confidence = larger sample
3. Estimated population error. Estimate the level of error in the population then takes a statistical
sample to either confirm or refute those assumptions
Sample Size: determined by
1. maximum tolerable error rate,
2. confidence level
3. and population error
Plug these values into the software and it will provide the required sample size for those values
LOOK AT EXAMPLE ON PAGE 258
Advantages of attributes sampling
- With large numbers of items, attributes sampling can provide an accurate assessment of a control
feature or attribute
- States that it is confident within a preestablished confidence value, that the number of errors in a
total population will not exceed a pre-chosen value (max tolerable error)
Disadvantages of attributes sampling
- computations are complex
- selection of attributes can be biased, judgment based
- results can be subject to misinterpretation
- non-normal distributions can complicate the process

Variables Sampling
Treats each individual item in the population as a sampling unit. ... As an auditor, you apply this statistical
concept to evaluate characteristics of your total population

• Two important variables sampling approaches are stratified sampling and monetary unit sampling

Monetary unit sampling
Determines if a financial account is fairly stated, and estimates the amount of any account overstatement

- Every dollar amount $ is treated as part of the population and each has a chance of being
selected
- Good for determining overstated account balances
- I am 95-98% confident that there are no material errors within the account balances. Never 100%
Example: test/review whether the accounts receivable balance is fairly recorded
There are 1300 account balances in the account, with a total amount of $54,902. Sample size of 60
54,902 / 60 (sample size) = 915: the item containing every 915th dollar will be SAMPLED

In monetary unit sampling, the internal auditor develops the sample by selecting every nth dollar in the
population (and the item that contains it)
Steps in monetary unit sampling
1. Sum of all 10 items = $139 / 3 (sample size) = $46 IS THE INTERVAL: choose every 46th dollar
2. Choose every 46th dollar in the list, i.e. the item that has the 46th dollar within it
3. Determine the starting point, between $1 and $46, by random selection; this is the number you start
with

EXAMPLE: 5 is the random number generated to use as the starting point
5+10+8+40 = 63; the 46th dollar is within the 63, therefore item #4 is a sample  63-46 = 17 (new starting point)
The auditor will encounter the 46th dollar in item #4, therefore it will be selected
17+12+7+32 = 68  the 46th dollar is encountered, therefore item #7 is a sample  68-46 = 22 (new starting point)
22+10+7+8 = 47; the 46th dollar is in this, therefore item #10 is a sample

Monetary unit sampling increases the chances of picking the larger items (which have larger impacts)
Testing the correctness of a balance: if a larger balance is wrong, this has a larger significance/impact for the
company and its operations.
- The larger the item, the more likely it is to be picked when using the monetary unit sampling method
- Whereas a purely random sample could potentially bypass a large dollar value based on random
selection. Purely random sampling could potentially ignore a large discrepancy
- Less risk of failing to detect a material error, since all large dollar units are subject to selection
- Disadvantage: cannot detect if an item is missing, and ZERO-value items will never be chosen
Performing the Monetary Unit Sampling Test (4 elements to determine sample size)
1. Upper precision limit (maximum % the auditor will tolerate for errors and still accept the overall
controls in the system): the amount of material error that will be accepted. Usually around 2%
2. The expected confidence level
3. An expected error rate for sampling errors
4. The total recorded value of the account to be evaluated (sum of the entire account): $54,902
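The interval selection and monetary unit sampling walks above, as an added Python example (not from the notes or the textbook): the ten item values are constructed to sum to $139, the walk follows the notes' carry-over rule (running total starts at the random start, select when it reaches the interval, subtract the interval), so with the notes' start of 5 it selects items 4, 7 and 10, and it also shows why large items are picked far more often and why a zero-value item can never be picked.

```python
import random
from typing import Dict, List, Optional

# Constructed population: 10 open items whose recorded values sum to $139, the
# total in the notes' example (the notes do not list item values; these are invented).
ITEMS: Dict[str, int] = {
    "item1": 5, "item2": 10, "item3": 8, "item4": 40, "item5": 12,
    "item6": 7, "item7": 32, "item8": 10, "item9": 7, "item10": 8,
}


def sampling_interval(total_value: int, sample_size: int) -> int:
    """Interval = recorded total / sample size, rounded down as in the notes
    (54,902 / 60 -> 915; 139 / 3 -> 46)."""
    if total_value <= 0 or sample_size <= 0:
        raise ValueError("recorded total and sample size must be positive")
    return total_value // sample_size


def interval_selection(population: List[str], sample_size: int, start: int = 0) -> List[str]:
    """Item-level interval (systematic) selection: every nth item, where
    n = population size / sample size (10 / 3 -> every 3rd item)."""
    n = max(1, len(population) // sample_size)
    return population[start::n][:sample_size]


def random_start(interval: int, seed: Optional[int] = None) -> int:
    """Random starting point between $1 and the interval (the notes use 5)."""
    return random.Random(seed).randint(1, interval)


def monetary_unit_sample(items: Dict[str, int], sample_size: int, start: int) -> List[str]:
    """Carry-over rule from the notes: the running total begins at the start
    point, each item's value is added, and whenever the running total reaches
    the interval the item containing that dollar is selected and the interval
    is subtracted (the remainder is the 'new starting point')."""
    interval = sampling_interval(sum(items.values()), sample_size)
    if not 1 <= start <= interval:
        raise ValueError(f"start must be between 1 and {interval}")
    selected: List[str] = []
    running = start
    for name, value in items.items():
        if value <= 0:
            continue  # a zero-value item can never contain a selected dollar
        running += value
        while running >= interval:
            if name not in selected:  # an item bigger than the interval is listed once
                selected.append(name)
            running -= interval
    # Because the interval is rounded down (46 * 3 = 138 < 139), a start near the
    # top of the range can select one item more than the planned sample size.
    return selected


def selection_frequency(items: Dict[str, int], sample_size: int) -> Dict[str, int]:
    """How often each item is selected over every possible starting point:
    large-value items are selected far more often than small ones."""
    interval = sampling_interval(sum(items.values()), sample_size)
    counts = {name: 0 for name in items}
    for start in range(1, interval + 1):
        for name in monetary_unit_sample(items, sample_size, start):
            counts[name] += 1
    return counts
```

Running `selection_frequency(ITEMS, 3)` shows item4 ($40) chosen for 40 of the 46 possible starts while item6 ($7) is chosen for only 7, which is the dollar-weighting the notes describe.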

Discovery Sampling
Similar to non-statistical judgmental sampling

Efficient and Effective use of audit sampling
Audit sampling= basis for arriving at more valid conclusions  audit evidence
Even the best control system cannot eliminate errors resulting from system breakdowns
A review of only a few transactions may not be sufficient to disclose whether internal controls are operating
effectively

If errors are found
1. Isolating errors.
2. Reporting only on items examined.
Maybe only report the results to operating personnel.
Depends on the nature of the errors.
Auditor should attempt to determine the causes and make specific recommendations for
corrective action.
3. Performing 100% audits. (if significant errors are found)
Potential extended examination of all transactions when significant errors are found.
If a 100% sample cannot be justified by the costs involved, use a sampling plan
4. Projecting results of the sample.

IN CLASS CASES
CASE 1: the security breach
Case requirement: identify any internal control issues relating to the 5 COSO components. GOOD OR BAD?
Controls are established in response to risks
Control Environment - STRONG
- Tone at the top
- Has a detailed code of conduct and code of ethics
- Various committees (as seen on website)
- Corporate governance
- Corporate culture is based on deriving results but also on how those results are achieved
- REACH philosophy
- Culture centers on management acting with integrity, and all people must be treated with respect
Risk Assessment - WEAKLY ASSESSED THE RISKS
- Information risk: the structure of the system presents a risk; all networks are connected worldwide and
with each store (wireless system) WEAK
- Risk of not complying with rules and regulations of the FTC in 2008 (compliance)
- Technological risk: no firewall or encryption system to protect against data breaches
- Lack of in-store security for the kiosks (where the breach occurred and how it did)
- Financial misstatement  a contingent liability could be recorded or not depending on the likelihood
and whether the amount can be determined; SUED BY SHAREHOLDERS
- Financial risk: losses from the breach
Control Activities
(were they present and working efficiently, or were they not in place and not working effectively?)
How the risks should have been controlled or reduced
- Reserve for future breaches: 4.2 million
- Analysis/programs for security measures
- Restrict access to kiosks WEAK
- Firewall/encryption WEAK
- Ongoing program to monitor security status
- Do a more regular analysis and review of the system to determine any gaps
Info/Communication
- TJX external communication: contacted law enforcement, advised not to disclose
- TJX external communication: PRESS RELEASE ON JAN 1 regarding the breach
- External communication set up through a helpline and website for external people to contact TJX
- Contacted computer security company IBM GDC
- Established a form of internal communication (fraud hotline; employees can call in and report
suspicious activity while remaining anonymous)
Monitoring activities
- 18 months before the breach was detected = lack of monitoring activities
- Need to establish ongoing evaluations that all controls are present and functioning
- Ongoing monitoring of the system and supporting security controls

CASE 2: COSO ERM CASE 1
Requirement: what factors contributed
- various responsibilities given to one single person
- no controls in place to verify accounts or monitor inventory more than once a year
- there was no segregation of duties
- Jeff handled cash collection, disbursements, and account reconciliation, making it easy for him to
commit fraud and try to cover it up
- they did no background check on Jeff; they would have known he had a history of fraud if this control was in
place
- no supervision, no oversight; he was given too much authority and responsibility
- decline in the economy: people losing jobs and having less money could be more open-minded to taking what is not
theirs (COMMIT FRAUD)

What internal controls should have been in place
- segregation of duties: have multiple people handling the cash function, rotate responsibilities, don't
have one person doing the transaction or task from start to finish
- increase monitoring frequency, physical checks of inventory, authorization and verification of checks
- controller is a big position; be sure to hire a competent workforce
- give Jeff fewer responsibilities
- the owners should oversee new employees, establish oversight
- restrict access to cheque endorsements
- someone else verifies the vendors
- less probability of fraud if there is segregation of duties
