Corporate Governance: system of rules, procedures and practices by which a company is directed
Internal auditing is an independent appraisal function established within the organization to examine and
evaluate its activities and controls.
Internal auditors vs external auditors
- Internal auditors report to the board and senior management, who are within the organisation's governance structure. Usually employed within the company; can also be outsourced.
- External auditors report to the shareholders or members, who are outside of the organisation's governance structure. They work for an outside audit firm (e.g. KPMG).
CBOK: Common Body of Knowledge: For any profession defines the minimum level of proficiency
needed for effective performance within that profession
- Minimum knowledge needed to perform effectively
- For internal auditors CBOK covers practice areas, understanding of general management practice,
general application areas
Internal Controls: policies and procedures put in place to ensure the achievement of objectives within
the 3 internal control objective categories (operations, reporting, compliance)
Must consider the 3-dimensional nature of the COSO CUBE: every internal control component is related to the
components up and down and across the other sides of the cube.
All components are related and impact each other
Control Environment: the set of standards, processes, and structures that provide the basis
(FOUNDATION) for carrying out effective internal control activities across an enterprise
If this component is ineffective, most of the other components could be negatively affected.
An ineffective control environment effectively trumps the lower-level controls, so it MUST BE EFFECTIVE AND STRONG
Risk Assessment: the process for determining how risks at all levels of the enterprise will be identified, managed and responded to,
linked across the different levels of the enterprise. Prerequisite to risk assessment: establish risk-related objectives
Risk assessment is an iterative process for identifying and assessing those risks that may limit the
achievement of enterprise objectives: IDENTIFY AND ASSESS RISKS and decide how they will be managed
Risk: possibility of an event that could adversely affect the achievement of company objectives
Management must consider the impact of the internal and external environment
Determine how much risk to accept and strive to maintain the risk within these tolerated limits.
Understand how much tolerance they have for exceeding target risk levels. (risk tolerance)
Identify risk objectives within
1. Operations,
2. Reporting
3. Compliance
Risk identification considers all risks within an enterprise at multiple levels (entity level, subunits,
operational functions IT, marketing, HR, finance) that may impact the success of the company
Don't identify ALL possible risks, only those that could impact operations with some level of probability and
within a reasonable time frame. (Some risks can be significant but very unlikely, e.g. a tsunami in Montreal.)
Look at all types of risks, from larger more significant risks affecting the overall business to less major
risk affecting a project or smaller business unit
Look at How the risk will impact operations, financial reporting and compliance activities
Should consider factors internal to the enterprise, external parties and external issues such as laws,
regulations, environmental issues, natural events
No practical way to reduce all risks, will always have some residual risk event after implementing
necessary controls
Points to consider for the risk assessment component:
A. The enterprise should specify objectives with sufficient clarity to better identify and assess the risks
relating to those objectives.
B. The enterprise should identify risks relating to the achievement of its objectives across the entity all
levels.
Should then analyze risks to determine how those risks should be managed.
C. The enterprise should consider the potential for fraud in assessing risks to the achievement of
objectives. (assess the opportunity, the incentives etc)
D. The enterprise should identify and assess changes that could significantly impact its system of internal
controls.
Identify risks relating to the achievement of objectives ACROSS the entity, then analyze the risks and determine how those risks should
be managed
Assess changes that may impact the system of internal controls: changes in the external environment, in management or in
the business model
1. Risk Avoidance
walk away from risk, selling a business unit that gives you risk, leave a certain area, drop a product line.
Potentially costly, if investments were made to enter an area.
Hard to walk away on the basis of potential future risk, if everything right now is going well
2. Risk Reduction
reduce risk through diversification, product line diversification, can reduce risks at all levels splitting an IT
center into two locations
3. Risk Sharing
Insurance, hedging (buy futures), or having another party accept a portion of the risk. Share risk by purchasing
insurance OR by entering into a joint venture and sharing in profits and losses
4. Risk Acceptance
Strategy of no action: establish a risk tolerance and then decide whether or not to accept the risk. Does it go
hand in hand with your risk appetite? What is the risk's likelihood?
Internal Control Activities: controls are the actions, established through enterprise policies and
procedures, that help to mitigate risks regarding the achievement of objectives and check that the risk responses are carried out
properly and timely.
Segregation of duties:
- Task is performed by different people so that no one person has control over the entire cash handling
process.
- Will minimize the risk of errors,
- decrease the opportunity for fraudulent activity
- and increase the chance of detecting errors.
- NOT ONLY FOR CASH (cheques, deposits, journal entries)
- 1 person handling cash, 1 person recording, 1 person reconciling
- Decreases probability of fraud
- Risk of collusion: solution= rotation of responsibilities
Control activities include actions that ensure that responses to assessed risks, as well as other management
directives, are carried out properly and in a timely manner.
Types of internal control activities
o Verifications: compares with policy or another item then performs a follow up
o Reconciliations: compares two or more data elements, differences identified are reconciled.
o Authorizations and approvals: affirm that a transaction is valid, approval from upper level
o Physical controls: includes equipment inventory, security for manufacturing plants, cash secured
physically in locked areas. Periodically counted and compared with control records
o Controls over standing data: standard organization data elements
o Supervisory controls: are they being performed completely, accurately and according to procedures
through observation
o Audit trails: document all transactions that led to the end results, so the results can be traced back
1. Integrity and Ethical Values
a. Set the tone at the top: management's message to all stakeholders that it is committed to the highest ethical
standards in business. Management must lead by example. No tone at the top = high fraud probability
b. Establish a code of conduct / code of ethics and expectations, and actively communicate this to all
employees. Must be acknowledged and actively followed, a LIVING DOCUMENT
2. Board of Directors Oversight
a. Apply relevant expertise to the BOD: can be industry experience, knowledge about the business, ex.
a venture capitalist. Periodically evaluate the skills needed among members and make necessary
changes
b. Operate independently: should be a mix of internal and external individuals who are not part of
everyday operations and can provide an objective outlook in their evaluation and decision making
c. Provide oversight for the system of internal controls: the audit committee oversees the development and
performance of internal controls
BOD needs relevant expertise, must operate independently and must provide oversight for the system of internal controls
3. Authority and Responsibility
Determine who reports to whom and who is accountable for what; explain why the task is being done
Organizational structure in place to plan, execute, control and assess the activities of the overall
enterprise. Establish reporting lines
This control environment goal = define clear limits, assign responsibility and authority for all members
of the enterprise, from lower levels all the way up in the pursuit of internal controls
Clear flow of information
Proper balance of delegation
There will always be some form of risk in any business; there is no way to reduce all of them
Management must determine how much risk to accept and maintain risk within these limits, and understand
the tolerance it has for exceeding target risk levels
Evaluate risks related to compliance, financial reporting and operations objectives (3 KEY AREAS)
Put into motion controls to address these risks
Set risk-related objectives based on situations that could potentially harm the enterprise in the future
8. Assessing Fraud Risk
The assessment should review operations and controls, policies and procedures, to
determine where gaps exist that could allow a person or group of persons to carry out a fraud against the
enterprise.
2 types of fraud: theft of assets AND fraudulent financial reporting. Management should be able to detect and prevent both types
Internal auditors play a role in fraud detection and prevention.
Assess the incentives for fraud and the opportunities to commit it
9. Identifying and Analyzing Changes Affecting Internal Controls (example: change in leadership)
ASSESS CHANGES (business, model, environment, management) THAT COULD IMPACT ACHIEVEMENT OF
OBJECTIVES
INTERNAL CONTROL ACTIVITIES (10-12)
10. Selecting Control Activities to Mitigate Risks to the achievement of objectives: set the objective, assess the
risk, select a control activity to mitigate that risk
Select control activities that contribute to the mitigation of risk relating to the achievement of objectives
One size does not fit all, every enterprise has its own objectives, own risks, own responses and therefore their
own control activities that help mitigate risks
Can mitigate/reduce risks through segregation of duties, used for handling cash or assets that are easily stolen
No segregation = high theft probability
Segregated duties still carry a risk of collusion (people coming together to commit fraud); the solution is the rotation of individuals'
responsibilities
Controls Activities include: verification, approval, physical controls, authorization, supervisory controls
11. Selecting and developing technology (IT) controls
Accounting relies on IT, all information lives inside a database
Control access to certain functions
Controls for authorized access, data security
Establishes relevant technology infrastructure control activities
12. Deploying Policies and Procedures Deploy control activities through policies and procedures
13. Use Relevant, quality information to support functioning of internal control components
The organization obtains or generates and uses relevant, quality information to support the functioning of internal
control.
Identify and define information requirements in detail; an iterative and ongoing process that occurs
throughout the performance of an effective internal control system
Quality of information needs to be maintained
Capture internal and external data, process this data into relevant information to be used by
management in decisions and to analyze internal controls
Compliance know the rules and regulations -> information is needed to do this
Key consideration: balancing the benefits and the costs to obtain and manage information and the
needed supporting system. COST BENEFIT ANALYSIS to obtain info
Internal communication begins with the delivery and communication of objectives and responsibilities. Communicate with the BOD
Internal information should be endorsed by management
Should convey the importance and benefits of internal controls
The roles and responsibilities of management and personnel
The expectations to communicate up down and across
Consistent and timely communications reinforces the messages conveyed; make the controls known
Internal communications can also help management recognize problems or potential problems, determine
the cause and take corrective action
Management should periodically evaluate effectiveness of enterprise communications through employee
performance evaluations, annual management reviews, feedback
External communication: obtain or receive information from external parties and share that information internally.
Allows management to identify trends, events, or circumstances that may impact the achievement of
internal control objectives AND THAT MAY AFFECT THE FUNCTIONING OF THE INTERNAL CONTROL SYSTEM
Communicate externally, receive external information
Communicate to suppliers/customers code of conduct
Annual reports go to outsiders, external investors know how your company is doing
Communicate company values to external users
ERM focuses exclusively on risk, COSO guides managers on how to make controls, prevent and detect fraud
This is an approach to allow an enterprise and internal audit to consider and assess its risks at all levels that
adversely impact the achievement of objectives and continuously improve its risk management process
Risk: uncertainty that can lead to a loss
- Identify all risks they face – financial, operation, environmental, ethical and manage them
- Internal auditors- need to understand risk management and how it impacts their skills for building and
developing effective internal control processes
- Must always consider relative risks when implementing internal controls
- All activities are exposed to some uncertainty and risk (small or big)
Risk Management Process
An effective risk management process requires 4 steps: at all levels of the enterprise
1. Risk identification (internal or external)
2. Risk assessment Quantitative or qualitative assessment of the documented risks,
3. Risk prioritization and response planning
4. Risk monitoring
Must identify and understand the various risks facing an enterprise,
Portfolio approach: look at the risks in the portfolio from all levels and areas of the company. If our risks are
currently very low we can accept a risky project now, and VICE VERSA: with lots of risky projects already under way,
don't undertake more risky projects. Depends on risk tolerance; keep within it
1. Risk Identification Look at potential risks in each area of operations then Identify those that may have a
major impact on operations, within a reasonable time period
1 year from now vs 1 month from now? A small impact vs a material impact on your net income?
A good approach is to identify people at all levels of the enterprise who would be asked to serve as risk
assessors.
Key people should be identified from each operating unit. Their job would be to identify and assess risks in
their unit
2. Risk Assessment: quantitative or qualitative assessment of the likelihood and impact of each documented risk
Impact represents the effect that a given event will have on an entity. Impact can be described both
qualitatively and quantitatively. Entities often describe events based on severity, consequences, or dollar
amounts
Risk Ranking: Take the established significance and likelihood estimate, calculate risk rankings, and
identify the most significant risks across the entity reviewed.
The risk significance and probabilities of occurrence are often called the risk drivers or the primary risks for
a set of identified risks. More objective
An enterprise should then focus its attention going forward on these primary risks.
Probability of two independent events= product of the two probabilities= P(event 1) x P(Event 2)
Risk interdependencies: one drives the other, one can trigger the other.
Each operating unit is responsible for managing its own risks but may be subject to the consequences of risk
events in other areas of the organization
3. Expected Values and Response Planning
Cost impact / cost-benefit analysis: the financial impact (cost to incur the risk) vs the cost to address the risk. If it's
more costly to address than to incur, it's not worth addressing. More subjective
Cost estimates should be performed by front-line people who have good knowledge of that area and its risks
Costs to incur the risk and recover from it vs cost to address it (install
corrective action facilities)
Expected Cost of the Risk = Risk score (significance P x likelihood P) X estimated cost impact of
incurring the risk
Examples of some cost impacts and costs to recover from risks
a. Loss of 50% market share= sales reduction and loss of profits
b. Temporary loss of manufacturing due to natural disaster= estimate cost to repair and return to
operations, extra labor and production costs incurred
c. Try to look at the worst case
High significance, high likelihood and high expected cost= the type you need to identify,
address and take corrective actions towards
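The ranking and expected-cost formulas above, applied to a small risk register. This is an added worked example, not part of the original notes: the risk names, probabilities and dollar figures are constructed for the illustration, and the 0..1 scales for significance and likelihood are an assumption (the notes do not fix a scale). It also shows the cost-benefit test (address a risk only when its expected cost exceeds the cost of the control) and the independent-events product rule, with the caveat that interdependent risks need a conditional estimate instead.

```python
"""Risk ranking and expected-cost calculation over a small risk register.

Added example, not part of the original notes. The register, the 0..1
scales for significance and likelihood, and all dollar figures are
constructed for the illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    significance: float     # 0..1: how badly the event hurts objectives if it occurs
    likelihood: float       # 0..1: probability of occurring within the planning horizon
    cost_impact: float      # estimated cost to incur the risk and recover from it
    cost_to_address: float  # cost of the corrective action / control that would prevent it

    def __post_init__(self):
        for field in ("significance", "likelihood"):
            value = getattr(self, field)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{field} must be in [0, 1], got {value}")


def risk_score(r: Risk) -> float:
    """Risk score = significance P x likelihood P (the 'risk drivers')."""
    return r.significance * r.likelihood


def expected_cost(r: Risk) -> float:
    """Expected cost of the risk = risk score x estimated cost impact of incurring it."""
    return risk_score(r) * r.cost_impact


def worth_addressing(r: Risk) -> bool:
    """Cost-benefit test: address the risk only when its expected cost
    exceeds what the corrective action costs."""
    return expected_cost(r) > r.cost_to_address


def rank_risks(register):
    """Primary risks first: order the register by expected cost, highest first."""
    return sorted(register, key=expected_cost, reverse=True)


def joint_probability(*likelihoods):
    """Probability that several independent events all occur = product of
    their individual probabilities. Only valid if the events really are
    independent; interdependent risks (one triggers the other) need a
    conditional estimate instead."""
    p = 1.0
    for q in likelihoods:
        p *= q
    return p


# Constructed register (figures are illustrative, not from the notes)
REGISTER = [
    Risk("Loss of 50% market share", significance=0.9, likelihood=0.10,
         cost_impact=5_000_000, cost_to_address=1_200_000),
    Risk("Plant shutdown after flood", 0.8, 0.05, 2_000_000, 50_000),
    Risk("Tsunami at inland HQ", 1.0, 0.0001, 50_000_000, 4_000_000),
    Risk("Late monthly close", 0.2, 0.60, 40_000, 3_000),
]


def risk_report(register=REGISTER):
    """Ranked report: (name, score, expected cost, address?) per risk."""
    return [(r.name, round(risk_score(r), 4), round(expected_cost(r), 2),
             worth_addressing(r)) for r in rank_risks(register)]


if __name__ == "__main__":
    for name, score, cost, act in risk_report():
        print(f"{name:28s} score={score:<8} expected_cost={cost:>12,.2f} address={act}")
```

The tsunami line is the "significant but very unlikely" case from the notes: it has the highest significance and cost impact but lands near the bottom of the ranking, and the cost-benefit test says not to spend 4M on it. The market-share risk ranks first yet is also not worth addressing at the quoted control cost, which is the point of keeping the ranking and the cost-benefit decision separate.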
4. Risk Monitoring: Once risks have been identified they need to be monitored and make on going
adjustments as needed.
This risk monitoring can be performed by the process owner or by an independent reviewer.
Internal audit is often a very credible and good source to monitor the current status of identified risks.
Internal auditors can receive information from face to face, surveys or schedule a visit to better
understand the nature of the risk area
Or let the people who are very close to the risk to monitor, they know it best
COSO ERM COSO Enterprise Risk Management is a framework to help enterprises have a
consistent definition of their risks.
Definition: Enterprise risk management ERM is a process, effected by an entity’s board of
directors, management and other personnel, applied in a strategy setting and across the
enterprise,
Designed to identify potential events that may affect the entity, and
manage risk to be within its risk appetite, to provide reasonable assurance
regarding the achievement of entity objectives
RISK APPETITE: how much risk a company will accept in pursuit of value. Attitude towards
risk: am I willing to take risk or averse to it (risk seeking, risk neutral or risk averse)
2. The ERM process is implemented by people in the enterprise (the ERM process will not be effective if
implemented only through a set of rules sent from headquarters) must be managed by people who
are close to the risk situation and understand the factors and implications
3. ERM is applied through the setting of strategies across the overall enterprise. (starts at the top and
works its way down the organization)
- use a portfolio approach that blends high and low risk activities
Risk appetite definition: the amount of risk that an enterprise is willing to accept in their pursuit of
value. Risky ventures with high returns vs a guaranteed return low risk venture.
5. ERM provides only reasonable, not positive, assurance on objective achievements. No 100%
guaranteed of outcomes. Reasonable assurance does not mean absolute assurance.
- A well controlled enterprise may achieve objectives every period but unexpected catastrophic
events (natural disasters, human error) can happen despite an effective ERM process.
- List of suggested practices, not an actual standard.
- Won't give you 100% assurance; just a guideline, never 100% certainty
6. An ERM is designed to help attain the achievement of objectives and mitigate risks associated
ERM KEY ELEMENTS
Why COSO ERM is a cube: because it is three dimensional, everything is interrelated
- All working together, affecting each other
- Analyze the risks as they relate to strategy, compliance, reporting, operations, they need to be
assessed overall and on every level/unit of the company
All components need to exist for all levels of the company and for every risk management objective
Easily confused with COSO internal controls, the COSO ERM framework outlines a risk management
approach applicable to all industries and encompassing all types of risk.
RISK COMPONENTS of COSO ERM (8) IOERRCIM
1. Internal environment
2. Objective setting
3. Event identification
4. Risk assessment
5. Risk response
6. Control activities
7. Information & communication
8. Monitoring
Risk management objectives (4) COSO had 3
1. Strategic
2. Operations
3. Reporting
4. Compliance with laws and regulations
Entity and unit level components (4); COSO internal control had 3 very similar ones
1. Entity-level
2. Division
3. Business unit
4. Subsidiary
Internal Environment
Tone at the top foundation for all other components in the ERM model
Elements include:
Risk management philosophy: attitudes and beliefs that characterize how the enterprise considers risk
in everything it does. Consistent risk philosophy to how it accepts risky ventures
Risk appetite. Can be measured in quantitative or qualitative terms. Overall risk appetite of the
enterprise needs to known by all levels of management
Board of directors’ attitudes: role of overseeing and guiding an enterprises risk environment.
Integrity and ethical values: strong corporate culture and a written code of conduct
Commitment to competence. (best people identifying risks) best trained people. Assign the proper
people to perform developed strategies
Organizational structure: clear lines of authority and responsibility and appropriate reporting.
Assignments of authority and responsibility, delegation. Everyone must understand how their action
are interrelated and contribute to overall objectives
Human resources standards HR practices send a message about what is favored, tolerated or
forbidden. HR rules communicated to all stakeholders and enforced
Objective Setting
ERM ensures that management has in place a process to set objectives and that the chosen objectives
support and align with the entity's mission statement and are consistent with its risk appetite.
Event Identification similar to risk identification INTERNAL OR EXTERNAL EVENTS
Events internal or external that affect the implementation of an ERM strategy and the achievement of its
objectives. Both long term and short term Management identifies events that, if they occur, will affect the
entity
• Event inventories: list of potential /past risks in a common industry, past risks the
company has encountered
• Facilitated workshops: workshops that bring together cross-functional or multi-level individuals
to discuss potential risk factors regarding an objective and contribute their
knowledge
• Interviews, questionnaires, and surveys: reach out to people in the field (ex.suppliers),
customer satisfaction letters, exit interviews (get a view for past or potential events)
• Leading event indicators are qualitative or quantitative measures that provide insight
into potential events – such as the price of fuel, traffic on an Internet site (must be
available on a timely basis)
• and escalation triggers establish risk tolerance measurement/threshold; eg after 3
intrusions further action is triggered. Risk status reported through RED YELLOW GREEN.
• Loss event data tracking: monitoring relevant data can help an organization identify
past events having a negative impact and quantify the associated losses, in order to
predict future occurrences. Use past losses from events to predict future ones
Risk Assessment
Allows an enterprise to consider the impact that potential risk related events may have on the achievement of
objectives. Risk are Viewed from two
perspectives
Inherent risk: the risk to the entity in the absence of any management action to alter its likelihood or impact
• Stems from the nature of the activity
• These risks may result from an entity's industry, strategy, and environmental factors
Residual risk. This is the risk that remains after other management responses to risk threats and
countermeasures have been applied/implemented. These may include diversification; policies and procedures
providing limits, authorizations, and other protocols; supervisory staff reviewing
Risk Response Elements (depend on likelihood, potential impact and cost-benefit analysis in order to
develop appropriate response strategies)
1. Avoidance and 2. Reduction: as described under the risk response strategies above (walk away from the risk; reduce it through diversification and controls)
3. Sharing: share risk through purchasing insurance, hedging to protect from price fluctuations, joint venture
agreements to share in both profits and losses, expenses, outsourcing
4. Acceptance: no action, frequently driven by the cost-benefit analysis (more money to fix
than the actual risk would cost). Accept only risks that adhere to your risk tolerance
Example: risk is that they could lose an entire manufacturing operation due to an old equipment plant failure
Risk response: acquire backup production equipment to serve as parts, Move production elsewhere
Control Activities
ERM’s control activities are the policies and procedures necessary to ensure the risk responses
are executed in a timely and efficient manner. All levels and all in all functions
Control Activities
a) Segregation of duties: the concept of having more than one person required to complete a task
a. a person who initiates a transaction should not be the one who approves it or who records it
b. duties should be separated so that one individual cannot complete a transaction from start to finish
c. reduces the chances of error and fraudulent activity
b) Audit trails: final results can be easily traced back to the transactions that created those results.
c) Security and integrity: only authorized personnel can review or modify. Example: check issuing
d) All processes documented accurately
e) Top level reviews: top management reviews the status of identified risks
f) Direct functional or activity management. direct response from someone working in that area.
Control activities for each operating unit
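The segregation-of-duties control described here and in the cash-handling list in the internal control activities section above (one person handles cash, one records, one reconciles; the initiator of a transaction should not approve or record it), expressed as a check an auditor or IAM engineer could run over role assignments. This is an added example, not part of the original notes: the role names, duty names, users and conflict rules are constructed for the illustration; a real check would load them from the ERP or identity system. Besides per-user violations it reports duties nobody holds and the collusion exposure that segregation alone cannot close, which the notes answer with rotation of responsibilities.

```python
"""Segregation-of-duties (SoD) check over role assignments.

Added example, not part of the original notes. The roles, duty names,
users and conflict rules below are constructed for the illustration.
"""
from itertools import combinations

# Constructed: which duties each role grants
ROLE_DUTIES = {
    "cashier":    {"handle_cash"},
    "ap_clerk":   {"initiate_payment"},
    "ap_manager": {"approve_payment"},
    "accountant": {"record_transaction", "post_journal_entry"},
    "controller": {"reconcile_account", "approve_payment"},
    "sysadmin":   {"maintain_standing_data"},
}

# Constructed: duty combinations one person must never hold together
CONFLICTS = [
    ({"initiate_payment", "approve_payment"}, "initiates and approves the same payment"),
    ({"initiate_payment", "record_transaction"}, "initiates and records the same transaction"),
    ({"handle_cash", "record_transaction"}, "handles cash and records it"),
    ({"record_transaction", "reconcile_account"}, "records and reconciles the same account"),
    ({"maintain_standing_data", "approve_payment"}, "edits vendor master data and approves payments"),
]


def effective_duties(roles, role_duties=ROLE_DUTIES):
    """Union of the duties granted by all of a user's roles."""
    duties = set()
    for role in roles:
        if role not in role_duties:
            raise KeyError(f"unknown role: {role}")
        duties |= role_duties[role]
    return duties


def sod_violations(user_roles, role_duties=ROLE_DUTIES, conflicts=CONFLICTS):
    """{user: [reason, ...]} for every user whose combined duties match a conflict rule."""
    findings = {}
    for user, roles in user_roles.items():
        duties = effective_duties(roles, role_duties)
        reasons = [why for toxic, why in conflicts if toxic <= duties]
        if reasons:
            findings[user] = reasons
    return findings


def uncovered_duties(user_roles, role_duties=ROLE_DUTIES):
    """Duties nobody holds: the process either cannot complete or is being
    done outside the system, which is itself an audit finding."""
    all_duties = set().union(*role_duties.values())
    held = set()
    for roles in user_roles.values():
        held |= effective_duties(roles, role_duties)
    return all_duties - held


def collusion_pairs(user_roles, role_duties=ROLE_DUTIES, conflicts=CONFLICTS):
    """Pairs of users who are each clean alone but jointly cover a toxic
    combination. Segregation cannot stop two people agreeing to defraud;
    the compensating control is rotation of responsibilities."""
    duties = {u: effective_duties(r, role_duties) for u, r in user_roles.items()}
    pairs = []
    for a, b in combinations(sorted(duties), 2):
        joint = duties[a] | duties[b]
        for toxic, why in conflicts:
            if toxic <= joint and not (toxic <= duties[a] or toxic <= duties[b]):
                pairs.append((a, b, why))
    return pairs


# Constructed user-to-role assignments
USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob":   ["ap_manager"],
    "carol": ["accountant"],
    "dave":  ["cashier", "accountant"],     # handles cash and records it
    "erin":  ["ap_clerk", "ap_manager"],    # initiates and approves payments
    "frank": ["controller"],
}

if __name__ == "__main__":
    for user, reasons in sod_violations(USER_ROLES).items():
        print(f"SoD violation: {user}: {'; '.join(reasons)}")
    print("Duties nobody holds:", sorted(uncovered_duties(USER_ROLES)))
    for a, b, why in collusion_pairs(USER_ROLES):
        print(f"Collusion exposure: {a} + {b}: {why}")
```

Conflicts are evaluated on effective duties rather than on role names, because a user who holds two individually harmless roles (dave, erin above) is exactly the case a role-by-role review misses. The collusion list is long by design: every initiate/approve pair is an exposure, which is why the notes pair segregation with rotation instead of treating it as sufficient.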
Information is needed at all levels of an entity for identifying, assessing, and responding to risk.
Effective communication occurs when it is flowing down, across, and up the organization.
All personnel should receive a clear message from top management that enterprise risk management
responsibilities must be taken seriously. They understand their own role in enterprise risk management
Information from external sources and internal is used for setting strategy and objectives, identifying
events, analyzing risks, determining risk responses
ERM MONITORING
In order to establish an effective ERM framework, monitoring should include ongoing reviews of the overall
ERM process to assess the presence and functioning of its components (THE 8 COMPONENTS)
• Auditors are evaluators , evaluate all components
• Enterprise risk management deficiencies are reported upstream, with serious matters reported to top
management and the board.
Examples of monitoring: management reviews, separate evaluations of a process or control, internal audit
reviews.
Internal auditors: evaluate risk and control activities
OTHER DIMENSIONS: Although many look at COSO ERM from the perspective of the front‐facing side of its
three‐dimensional framework, the two other dimensions—the operational and organizational levels—should
always be considered. Each component of COSO ERM operates in this three‐dimensional space where each
must be considered in terms of the other
SECOND DIMENSION: The top‐facing components of strategic, operations, reporting, and compliance risk
objectives are important for understanding and implementing COSO ERM. RISK MANA OBJECTIVES
THIRD DIMENSION: The third dimension of the COSO ERM framework calls risks to be considered on an
organization or entity level. Four divisions: entity‐level, division, business unit, and subsidiary risks.
• Umbrella = entity level (e.g. Starbucks headquarters); business unit = the Starbucks across the street
• Is the appetite for risk the same across all divisions?
• COSO ERM risks should be identified and managed within each significant organizational unit,
including risks on an entity‐wide basis through individual business units
Chapter 5: Performing Effective Internal Audits
What do internal auditors do? Makes sure controls are in place and operating efficiently
Areas: reporting, operations and compliance with laws and regulations
Controls are policies and procedures used to achieve objectives. Examples: segregation of duties for cash,
verifications, physical counts, supervisory controls, authorization
COSO ERM: focuses on risk management, consistent definition of an enterprises risk
ERM Enterprise risk management: process to identify potential risk, manage them within the risk appetite of
the company, reasonable assurance of achieving objectives
Risk appetite: amount of risk the company is willing to live with in pursuit of value. Impossible to eliminate all
risk if cost outweighs the benefit of addressing the risk, you won’t address the risk
Audit charter: a formal document that defines internal audit's purpose, authority, responsibility and position
Internal Audit Preparatory Activities: internal auditors visit the organization's facility to
understand the processes in place. They then design tests and evaluate the internal controls.
Closely tied to the objective statement, a scope statement narrows down the objectives.
For example, an objective statement can identify a planned review of quality management production
processes in international operations; a scope statement might limit the review to only Australia/New Zealand
Internal Audit Preliminary Surveys: gather background materials on the entity to be audited
1. Review of prior year workpapers: review workpapers and audit programs for past year to gain
familiarity with the approaches used and the results of prior year audits
• SALY: SAME AS LAST YEAR, wont work if there are changes in processes
• Make sure the same problems don’t arise, focus on problems encountered in the prior audit and
the suggested methods of solving them
2. Knowing the amount of time from the prior audit. (eg 200 hours, try to follow budget as close as
possible)
3. Review of prior audit reports. Must look at the past audit findings
- Audit report= final document presented to audit committee, includes the big problem found,
- Goal is to make sure the problems were fixed during the year or managements has a commitment
to take corrective actions
- Significant recommended corrective actions. (make sure corrective actions are working this year)
examine those areas where substantial corrective actions were required)
4. Organization of the entity understand the structure of the entity, responsibilities of the individuals
- Particular attention to areas with potential segregation of duties problem
- who is handling cash, reporting, approving, vendor set up etc .
- obtain the key employees names and contact information
Handling, recording and reviewing always needs to have segregation of duties (Know who is doing each, who is
overseeing)
5. Other related audit materials. (supporting data from related audits)
Internal audit field survey: the first step taken at the audit site. Helps determine the
direction, scope and extent of audit effort.
Field survey allows auditors to
1. Familiarize themselves with local processes in place key systems and processes UNDERSTAND THEM
2. Evaluate the control structure and level of control risk in the processes and systems
The audit staff gathers information about the auditee's operations, gains an understanding of the
unit's functions, and identifies both strengths and weaknesses
This is the time to clarify any questions that may have been raised through the engagement letter
Elements that should be assembled include
1. Organization charts, names of key personnel. Become familiar with the functional responsibilities and
the key people involved in the operation
2. Manuals and directives: policy and procedure manuals, applicable laws and regulations
3. Reports such as minute meeting, budgeting, operations, personnel matters, fire inspector review
4. Personnel observations: a tour or walk through of the activity allows internal audits to become familiar
with basic operations, space utilization
5. Discussion with key personnel can help determine known problems, planned changes
ALL INFORMATION GATHERED THROUGH THE FIELD SURVEY SHOULD BE DOCUMENTED IN AUDIT
WORKPAPERS
Conclusions from Field Survey CONFIRM ASSUMPTIONS AND MAKE NECESSARY ADJUSTMENTS
1. The purpose of an internal audit field survey is to confirm the assumptions gained from the
preliminary audit planning and to develop an understanding of key systems and processes.
2. make the necessary adjustments to the audit objectives and scope or planned procedures
An audit program is a tool for planning, directing, and controlling audit work and a blueprint for action,
specifying the steps to be performed to meet audit objectives. PLAN OF ACTION
THE PROGRAM IS YOUR BEST FRIEND ALONG WITH PRIOR YEAR WORKING PAPERS
- detailed description on how to approach different tasks/steps
Fieldwork encompasses all the efforts of the internal auditor to accumulate, classify, and
appraise information so as to enable the auditor to form an opinion and to make any needed
recommendations for improvement
Audit Evidence: An internal auditor should examine and evaluate information on all matters related to the
planned audit objective. This information, called audit evidence, covers everything an internal auditor
reviews or observes.
A properly constructed audit program should guide an internal auditor in this evidence‐gathering process.
Audit program guides audit evidence,
everything you do you gather evidence,
find proof
Confirmation: through an external party, example bank reconciliation. Confirms the accuracy of the information. The
receipt of a direct written response from a third party
Origin of the evidence: corroborative materials independent of the entity are stronger than audit evidence that is
generated internally, such as evidence existing within the accounting records, minutes of meetings, or a management
representation. Sometimes the weaker form is the only thing you can get.
Fieldwork technical issue if something is not familiar to the audit team, the in‐charge auditor should seek
assistance as soon as possible.
- An internal audit supervisor or specialist may have to research the audit or technical issue in order
to provide the answer. (internal auditors are not engineers, work with the right people)
Internal audit workpapers: report on the work performed and provide a link between the procedures
documented in the audit program and the results of audit tests.
- Because they will become the basis for findings and recommendations in final audit reports, the
workpapers should appropriately document all audit work.
- Record all work you do, document what you did, why you did and conclusions
- Map/program guides your working paper,
A major area of emphasis in any internal audit is the identification of areas where the unit reviewed is not in
compliance with good internal control procedures and where improvements are needed
Wrapping up Formal Audit Report: The most important internal audit work product is the formal
audit report, with its findings and recommendations, which is delivered to the auditee after completion of
the review as well as to the audit committee
Field survey: go to the site, make sure you understand what is going on. Yes, you have previous year working
papers, but processes may have changed since. (You first did the preliminary survey, but the field survey is to
confirm your assumptions and make corrections as necessary to the planned audit objectives or scope.) Field
survey includes organization charts, manuals, interviewing key personnel, observation during the walk-through and
reports from meeting minutes, budgets, etc.
Audit program: list of steps to be performed, and each step must be documented with a working paper and a
conclusion BLUEPRINT FOR ACTION, plan of action details the steps to obtain audit objectives
Engagement letter: delivered to the department explaining who what where the audit is done, what they will
need to do it. Most audits are not surprise audits. All information, resources and people are available as you
need. Sent out to inform the department that an internal audit is scheduled to be performed
Control: e.g. someone is sweeping the restaurant; the check is that someone verifies this is being done
Point sheets: document your preliminary findings, figure out a reason,
Complete audit documentation: a control is lacking, or is not functioning properly; the focus is on what is NOT
working well. The audit report focuses on the problems found, the controls not in compliance, and recommendations
to management for improvement
USE SAMPLING TO GATHER AUDIT EVIDENCE, check if it aligns with the AUDIT OBJECTIVES, or a step in the
program
Sampling: Audit sampling is the process of examining less than 100% of the items within an account balance
or class of transactions for the purpose of drawing some form of conclusion for the entire population based
on the sample audit results.
• Example 1: payroll for 60,000 employees, test is done through determining IF the time sheet is signed
off by the manager, not possible, use sampling to conclude on the overall population of employees
• Control: time sheet authorization
• Pick a sample of 100 timesheets, to conclude on the entire population. Sampling is a tool, conclusion is
on the population.
• All 100 timesheets are signed off appropriately= the control for the population is functioning
• Example 2: inventory count at the end of each year in 5 warehouses = this can be done at all 5
warehouses, look at 100%
Picking a sample
Must be representative of the population
1. Understand the total population of items of concern and develop a formal
sampling plan regarding the population of items;
2. Draw a sample from the population based on that sample selection plan;
3. Evaluate the sampled items against audit objectives;
4. Develop conclusions for the entire population based on audit sample results
2 FORMS OF SAMPLING (BOTH WORK)
Statistical Sampling: draw conclusions regarding the entire population (math based)
Mathematical based method of selecting representative items that reflect characteristics of the whole
population. Example: statistical sample of inventory, use that sample to draw an opinion on the accuracy of
the entire inventory
Population: time sheet, that’s what you are testing
- 100,000 timesheets, upload into a software, that calculates equation, software has no bias
The following reasons encourage the use of audit sampling and statistical sampling:
a. Conclusions may be drawn regarding an entire population of data without checking 100% of
the population. (significant audit savings and strong audit position)
b. Sample results are objective and defensible. UNBIASED
d. Statistical sampling may even provide for greater accuracy than a 100% test.
- Human error is possible if looking at a large amount of items
- More data items = larger risk for audit or clerical errors
- Smaller sample means each item gets more attention and analysis.
- Small samples taken from each site to complete an overall sampling plan
- One auditor can start, another finishes
f. Sampling procedures can be simple to apply. (plug information into a software)
Judgmental Sampling (Non-statistical): no mathematical theory, not statistically precise. The auditor uses
his or her judgment to design and select the sample. Less than 100% of the population, but sufficient to make
a conclusion. Methods include
1. Fixed percentage selection (Ex. 2% of the population, random selection, no bias) no software used. Close
your eyes and pick
2. Designated attribute selection. (pick all the items with same attribute, pick your sample based on a certain
characteristic or time period)
- Example: look at all timesheets in February (specific time period)
- Example: all accounts ending in the letter B or starting with B
3. Large value selection (based on dollar values of items, pick sample from million dollar items that can have a
large impact if there are deficiencies in controls) items with large balances/
4. Designated area selection (pick from a specific geographic area, or a specific file drawer where the files are)
5. Other selected attribute selection. (for some reason looks suspicious)
• Normal distribution= how items are distributed around the mean. BELL SHAPED DIAGRAM
o +/-1 standard deviation away – 68.2% of the population will be there
o 95.4% will be within 2 standard deviations from the mean.
Developing a Statistical Sampling Plan, with each item having an equal chance of being selected
Develop an audit sampling plan that will allow each item in a population to have an equal
probability of selection.
Should attempt to remove any bias
Inventory records, accounts receivable, physical data and other audit evidence each present challenges;
the plan must address them so that the audit sample is representative of the entire population
Understand the nature of the data to be reviewed such as the following:
1. The population (or universe or field) to be sampled must be clearly defined. (know where the control is
being executed and know what you are sampling)
Example
- Testing controls around cash
- Cash balance 1 million, 10,000 transactions, every month a bank rec is done
- Control: every bank reconciliation signed off the by CEO (what is being tested)
- Population: all bank recs
2. The population should be divided or stratified into groups IF major variations exist between
population items. Strata = GROUP.
Used when a population covers a few large items and many small items; statistical conclusions will not be
valuable because it is not a normal distribution
Look at purchases, and making sure each purchase is properly approved. Population 100 Sample Size =3
- Stratify: look at the size of the purchases, put them into 2 groups (STRATA) based on dollar value,
- Pick 2 for one group (with purchases over 100,000), 1 from the other (<100,000).
- Increase the chances of choosing the larger items
Can be done for any characteristic. Example timesheets.
- 1 sample from a group of timesheets signed by X manager
- and 2 from timesheets signed by Y manager
3. Every item in a population must have an equal chance of being selected in the sample
- Eliminate bias
- Always disclose if some items needed to be ignored for logistical or other valid reasons
4. There should be no bias in making the sample selection from the population.
- Must include items both in local areas and remote areas to draw a conclusion on the entire
population
Interval Selection: also called systematic sampling, useful for monetary unit sampling
Requires the selection of individual items based on uniform intervals from the items in the total population.
SELECT EVERY NTH ITEM, appropriate for time periods
- Example: you need a sample of 3 (number of items in the population/sample size)
- 10/3=3 pick every 3rd item as your sample OR 5000/200 needed sample, choose every 25th
Downside: if the interval is every 30 days, you won’t see a problem that may occur at the end of each month
Stratified Sampling
A population is divided into two or more subgroups or strata, with each subgroup handled independently as
a separate population. Each stratum has similar characteristics (homogeneous)
• The justification for stratification may be that one stratum has significantly different characteristics,
and internal audit may wish to evaluate that subgroup on a more individual and precise basis
• one stratum could be subject to 100% selection (items over 10,000) and one stratum uses random
selection (items under 10,000)
• if stratified sampling is not used, there’s a chance that the larger items might not be selected
• mostly used for populations with few high values that have a large significance
• examples: inventories, accounts receivables or invoices
Cluster Sampling
Samples are made by systematically selecting subgroups or clusters from the total population. Divide into
heterogeneous clusters that each represent the population
• Cluster selection is useful when items are filed in shelves or in drawers, and it is physically more
convenient to select subgroups based on the physical shelf area or individual file drawers.
• The rationale is that the items on particular portions of the shelf areas or in designated drawers are
substantially similar in their nature and that a sample thus selected will be representative.
• Example sample size of 600; Sample 20 clusters with 30 items in each
• Use a larger sample when applying the cluster approach
Attribute Sampling: Attribute sampling is used to measure the extent or level of occurrence of various
conditions or attributes. GOOD TO REVIEW CONTROL PROCEDURES, (verification, authorization, are the
controls being done)
Used to check how many times a certain feature will show up in a population.
EITHER A CONDITION EXISTS OR NOT (cannot be a maybe): CORRECT OR INCORRECT
Auditors need to develop an acceptable error rate. Tolerance rate for errors
• Before performing the sampling, the needed reports must be available and accessible
Attributes Sampling Parameters (decided before the sampling is done)
1. Maximum tolerable error rate (the error rate an auditor will allow while still saying internal controls
are adequate)
2. Degree of confidence level (ex. 90% or 99% confident/certain that the rate of error is less than 1%)
- Usually 95 or 98 never 100
- Large confidence interval =larger sample
3. Estimated population error. Estimate the level of error in the population then takes a statistical
sample to either confirm or refute those assumptions
Sample Size: determined by
1. maximum tolerable error rate,
2. confidence level
3. and population error
Plug these values into the software and it will provide the required sample size for those values
LOOK AT EXAMPLE ON PAGE 258
Advantages of attributes sampling
- With large numbers of items, attributes sampling can provide an accurate assessment of a control
feature or attribute
- States that it is confident within a preestablished confidence value, that the number of errors in a
total population will not exceed a pre-chosen value (max tolerable error)
and Disadvantages
- computations are complex
- selection of attributes can be biased, judgment based
- results can be subject to misinterpretation
- non-normal distributions can complicate the process
Variables Sampling
Treats each individual item in the population as a sampling unit. ... As an auditor, you apply this statistical
concept to evaluate characteristics of your total population
• Two important variables sampling approaches are stratified sampling and monetary unit sampling
- Every dollar amount $ is treated as part of the population and each has a chance of being
selected
- Good for determining overstated account balances
- I am 95-98% confident that there are no material errors within the account balances. Never 100%
Example test/review if accounts receivable balance is fairly recorded
There are 1300 account balances in the account, total amount of $54,902. Sample size of 60
54902/60 (sample size) = 915, so every 915th dollar is selected and the item containing that dollar will be SAMPLED
Monetary unit sampling, the internal auditor would develop a sample by selecting every n th item in the
population
Steps in monetary unit sampling
1. Sum of all 10 items = $139 / 3 (sample size) = $46 IS THE INTERVAL, choose every 46th dollar
2. Choose every 46th dollar in the list; the item that contains that 46th dollar is the one sampled
3. Determine the starting point: a random number between $1 and $46, this is the dollar you start
with
Monetary unit: increases chances to pick the larger items (which have larger impacts)
Testing the correctness of a balance, if a larger balance is wrong this has a larger significance/ impact for the
company and its operations.
The larger the item, the more likely to be picked when using the monetary unit sampling method
Whereas a purely random sample could potentially bypass a large dollar value based on random
selection, and so potentially ignore a large discrepancy when using purely random sampling
Less risk of failing to detect a material error, since all large dollar units are subject to selection
Disadvantage: cannot detect if an item is missing and ZERO items will never be chosen
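The three monetary unit sampling steps above, carried out in code, as an added example that is not part of the original notes. The ten balances summing to $139 are constructed to match the notes' numbers; the function names are my own. It also shows the two caveats just mentioned: a large balance is hit more often (but reported once) and a zero balance can never be selected.

```python
import random
from typing import List, Optional, Sequence, Tuple


def mus_interval(total_value: float, sample_size: int) -> int:
    """Step 1: sampling interval in whole dollars = total recorded value / sample size,
    rounded down (139 / 3 -> 46, 54902 / 60 -> 915)."""
    if sample_size <= 0:
        raise ValueError("sample size must be positive")
    return int(total_value // sample_size)


def monetary_unit_sample(amounts: Sequence[float], sample_size: int,
                         start: Optional[int] = None,
                         seed: Optional[int] = None) -> Tuple[int, int, List[int]]:
    """Steps 2 and 3: pick the items that contain every interval-th dollar,
    beginning at a random starting dollar between 1 and the interval.

    Returns (interval, start, indexes of the selected items). An item whose
    balance spans several target dollars is reported once, so the list can be
    shorter than sample_size; a zero-balance item owns no dollars and can never
    be hit, which is the weakness the notes describe."""
    total = sum(amounts)
    interval = mus_interval(total, sample_size)
    if start is None:
        start = random.Random(seed).randint(1, interval)   # random starting point
    if not 1 <= start <= interval:
        raise ValueError("start must lie between 1 and the interval")
    # Target dollars: start, start + interval, start + 2*interval, ...
    targets = [start + k * interval for k in range(sample_size)]
    selected: List[int] = []
    cumulative = 0.0      # running total of dollars walked so far
    t = 0                 # index of the next target dollar to locate
    for idx, amount in enumerate(amounts):
        low, cumulative = cumulative, cumulative + amount
        # Item idx owns the dollars in (low, cumulative]; every target dollar
        # falling in that range is satisfied by this one item.
        while t < len(targets) and low < targets[t] <= cumulative:
            if not selected or selected[-1] != idx:
                selected.append(idx)
            t += 1
    return interval, start, selected


# Constructed example: ten balances totalling $139, sample size 3, as in the notes.
SAMPLE_BALANCES = [5, 12, 40, 3, 25, 8, 20, 10, 6, 10]

if __name__ == "__main__":
    interval, start, picked = monetary_unit_sample(SAMPLE_BALANCES, 3, seed=1)
    print(f"interval ${interval}, start at dollar {start}, items selected: {picked}")
```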
Performing the Monetary Unit Sampling Test (4 elements to determine sample size)
1. Upper precision limit (maximum % the auditor will tolerate for errors and still accept the overall
controls in the system) amount of material errors that will be accepted. Usually around 2%
2. The expected confidence level
3. An expected error rate for sampling errors
4. The total recorded value of the account to be evaluated (sum of the entire account), $54,902
Discovery Sampling
Similar to non-statistical judgmental sampling
IN CLASS CASES
CASE 1: the security breach
Case requirement: identify any internal control issues relating to the 5 COSO components GOOD OR BAD?
Controls are established in response to risks
Control Environment - STRONG