PALATAN, Randell Jan M.

BSA35 Operations Auditing Quiz #9

BSA-III-A31A Mr. Clyde dela Fuente November 7, 2020

ANSWERS:
1. Periodic manual and sample-based audits has been a norm for companies until the recent
years when as businesses evolved, so did the risks. Limitations of periodic manual
include a staggered assessment of risks that should've been eliminated immediately. By
only checking periodically and not continuously, there are problems which incur
cumulative costs that by the next period of the audit, the problem is too big for the
company and for the auditor. Meanwhile, limitations of sample-based audits are the
limited samples the internal auditor can look at and assess. If unfortunately, the sample is
wrong one, it is opening the risk prolonged existence of issues not assessed because of
samples not audited. If processes and all samples aren't continuously checked, it may
diverge or go back to past bad practices of noncompliance and more. Everything must be
checked all the time for there are risks that may come from anywhere and needs
immediate action.

2. As the role of audit has grown through the years so does its enemy, risks therefore
auditing every transaction may be a requirement in today's risk environment. Over the
years, more and more corruption, fraud, pyramiding scheme, and embezzlement happen.
This may be due to the lack of continual audit of every transaction that occurs in the
business in all its area. Companies and internal auditors must be able to adapt with these
changes through a change in approaches and technology used. Periodic and sample-based
is no longer effective against new threats and smarter corporate criminals. Clients can't
afford to wait for the next period to come before problems and risks are assessed, they are
very prone to damages. Hence, a need for continuous audit of all transactions is a
requirement to identify what is not working and to identify at-risk transactions for early
intervention and resolution.

3. Through continuous and constant audit of all transactions, the utilization of risk-based
and a better and wider sample-based auditing may give the internal audit department the
control it needs to allow for a non-problematic business. By having the proper knowledge
and skills on risk assessment of the correct sample that rightfully represents the
population, there will be a higher level of control within the organization in terms of
processes and operations. For example, in continually assessing purchase orders and
delivery receipts followed by continuous physical count and checking, internal auditors
will assess early on if there are risks of ghost purchases or overpayments therefore giving
more control on the flow of purchases within the business and if any cuts or add-ons
should be made. Although time, money, and effort consuming, continuous assessment of
risks in a wider sampling can ensure that at-risk transactions are immediately assessed
therefore allowing immediate resolution as well.
PALATAN, Randell Jan M. BSA35 Operations Auditing Quiz #9
BSA-III-A31A Mr. Clyde dela Fuente November 7, 2020

4. There are many continuous analysis procedures and routines, one of which is the
assessment of unauthorized requisitions and approvals. This is done to ensure only
authorized individuals within the organization create and approve requisitions. Another is
the segregation of duties to make sure that there is no one person with two different
duties to prevent risks of an individual approving his or her own requests. The third one
is ensuring authorized payroll as to ensure the proper individuals to pay at the right
amount at the right time as required. Next is to make sure there no invalid purchase and
travel cards as to make sure only authorized personnel have access to these special cards.
Lastly, preventing duplicate claims to make sure that there is only a single claim on
transactions. By being able to assess these areas and use the preceding knowledge,
internal auditors will be able to better evaluate risks and samples and provide better audit
report with continuous audits.

5. The usage of metrics concepts such as the Key Performance Indicators (KPIs) and Key
Results Indicators inform how your business is doing and what to do and measure the
results thereof and compare it with corporate goals. KPIs help assess the precise actions
taken to obtain specific results while KRIs measure goals by reporting on the results of
many activities, so are backward looking and inform what has happened. They work hand
in hand in management review and helps operational auditors track current state and
goals through KRIs and knowing what activities caused the achievement or non-
achievement of goals through KPIs.

6. For a client with payment processing operations where money, security, and speed is of
great importance, I would definitely recommend checking for any duplicate payments to
make sure liabilities are only paid once; Authorized payroll to make sure there are no
over or underpayments; upholding Contract terms to make sure key contract
demographics and other complex and critical data are valid and authorized; assess Sales
as to identify discrepancies especially in prices and costs; and lastly Expense posting to
make sure that expenses are posted accurately and correspondingly. Data would mainly
come from contracts, list of payroll, and other receipts that contain relevant monetary
data for payment processing. It would be checked and reconciled with other evidences,
bank statements, and physical cash count as to determine whether there are lapses. As
payment processing operations are growingly needed in today’s e-commerce, reporting
should be done weekly as to prevent cumulative lapses and sources can be immediately
traced.

7. For a client engaging in a customer call center facility business where there are purchases
of the best available technology such as computers and routers to better deliver excellent
and speedy service to its clientele, I would recommend assessing checking for any
Overdue requisitions, purchase orders, and expenses as to make sure transactions are
processed promptly; continuous review thereof and making necessary adjustments to
PALATAN, Randell Jan M. BSA35 Operations Auditing Quiz #9
BSA-III-A31A Mr. Clyde dela Fuente November 7, 2020

make sure transactions are authorized and in compliance; prevention of Unauthorized

requisitions and approvals perhaps by having the same person with both duties to make
sure only separate and different authorized individuals create and approve requisitions;
application of Retroactive transactions to make sure purchase orders are not created after
invoice date; and lastly following the Invoice sequence so as to identify any suspicious
number sequencing not followed. As can be seen, data will come from purchase orders
and requisitions which will be reconciled with a physical count and checking of
conditions of purchased technologies. It will prevent risks of ghost purchases and
acquisition of faulty and damaged technology early on. There must be periodic
assessment and reporting of the conditions of technology to determine whether there is
need for repairs or replacements.

8. For a client focused on providing IT Services which is connected with the previous
question, there are also risks of ghost inventories of technology and provision of services
to far off areas that may require a need for travel cards and other cards for expenses of
service providers. I would definitely recommend checking for Excessive inventory to
identify whether there are over purchased technologies that gets damaged in storage;
checking for Invalid purchases every activity for legitimate business purposes and from
authorized merchants; Excessive cards as to make sure purchases do not exceed
authorized limits; assessment for Unusual activity to identify suspicious purchases; and
finally checking for Duplicate claims so as to save costs from rendering services twice.
Like the previous question, data will come from purchase orders and the likes which will
be double-checked through physical count of inventory and assessment of their condition.
Reporting must be done periodically to avoid future risks of fault technology and if there
is a need for replacement and if customers are satisfied with the IT services provided.

9. For a client acting as an Environmental Health and Safety Manager where data is of
complexity to ensure safety, there are legitimate suppliers that comply with
environmental, safety, and health protocols, and processes flow smoothly, I would
recommend the following routines. First is the assessment of Critical data through
formula and tables to make sure expected values and formats exist and are followed;
Segregation of duties to make sure no same person have two different duties that is
supposed to be for two people; checking for any Split transactions that exists to
undermine authority and relevant data for reporting; an existence of legitimate vendors,
customers, and personnel where any inventory used comes from; lastly, to assist the
previous routine, there must be an Employee and vendor match to identify suspicious
demographics and transactions. For health, safety, and environmental concerns, data must
come from various sources of samples. Reporting must be made immediately especially
when risks arise to determine changes needed in the process.