Effective

Technique for
Internal Audit
WEBINAR IAI & FEBUI
28 – 29 AUGUST 2021
DAY 02
 ▪ Design Audit Programs
▪ Execute Audit Project Work Plan
Agenda ▪ Deliver Results and Insight
▪ Q&A?
Design Audit Programs
SOURCE: HTTPS://YOUTU.BE/WBPX6JMGBYA
7 Deadly Internal Audit Sins (Cont’d)
1) Publish an erroneous report (a mistake could be equally devastating);
2) To intentionally submit incomplete or false work papers (unethical);
3) Lose your temper with a client (don’t act out unprofessionally);
4) Auditing with an agenda (auditing with a conflict of interest);
5) Betraying the bond of confidentiality (inappropriate information exchange);
6) Violating company policy (walking the talk); and
7) Issuing an internal auditor's report that is petty or doesn’t add value
(wasting time on unimportant detail).
Phase 4: Design Audit Programs
1 Co-Develop Expectation
4. Design Audit Programs
▪ A successful internal audit engagement should be
supported by a well-designed Internal Audit Program
Develop Risk
▪ There are two objectives in Design Internal Audit
Deliver Results and 2
6
Insight Model and Universe Programs as follows:
▪ Develop Internal Audit Program
▪ Approve Internal Audit Program
▪ A well-developed audit program will provide the
Internal Audit foundation for the control testing being executed
Methodology
efficiently. Specifically, it:
5
Execute Audit Project
33
Develop
Develop ▪ Assists in controlling work and assigning
Work Plan Audit
Audit Plan
Plan
responsibility;
▪ Provides a record and confirmation of work
completed; and
4 Design Audit Programs
▪ Supports the achievement of the internal audit
objectives
Develop Internal Audit Program

Approve Internal
Develop Internal Audit Program
Audit Program

Internal Audit
Internal Audit Program
Program Draft (Approved)
What is an Audit Program and its Purpose?
An audit program can be described as follows:

▪ A detailed work plan that stipulates procedural steps required to achieve audit
objectives, including the creation of key working paper deliverables and/or the
final report.
▪ A document that sets forth procedures necessary to complete an efficient and
effective audit; it is suggested that this document be approved by the
engagement/project leader and/or Chief Internal Auditor, as applicable and
dependent on type of audit, prior to start of fieldwork.
▪ A project work plan that can assist in developing and monitoring project budgets.
Why Audit Program is Important?
It is important to have a well developed audit program, as it addresses a number of objectives. These objectives
include:

▪ Provide an outline of the work to be performed

▪ Encourage a thorough understanding of the audited function or department by listing program steps
aimed at gaining an understanding
▪ Assist project management in controlling work and assigning responsibility
▪ Provide a record of the scope of the audit and work steps completed
▪ Aid in reviewing the audit
▪ Furnish evidence that the work is adequately planned
▪ Provide evidence that the scope of a particular function or department has received separate and
adequate consideration and that important aspects or steps of the audit have been considered and not
omitted
▪ Serve as a directive and guide against which actual performance is ultimately compared
▪ Give order and coherence to the audit undertaking

A comprehensive and well-written audit program substantiates the procedures followed, the compliance and
substantive tests performed, the information and evidence obtained, and the audit conclusions reached
Key Internal Audit Program Requirements
Sample size

Basis for selection

Time period subject to testing

Reports from which samples will be obtained

Names of reports and documents to be reviewed or used for testing

Specific attributes to be tested

Key Steps in Designing an Internal Audit Program
Understand the Business
Obtain understanding of the
selected business process as
indicated in the Internal Audit
Planning Memorandum. This
can be achieved through the
following:
• Review of Standard
Operating Procedures for
the related business
process
• Review of Financial
Statements /
Management Reports
Link and Map the
Finalise the
Risks Identified to Design Audit Work
Internal Audit
the Business to be Performed
Program
Process
• Map the risks Based on the Audit Determine the following based on
identified to the Objectives, design our understanding of the business
process and the specific audit work
business process specific audit work to
designed for the engagement:
• Determine the be performed, to • Sample Size;
audit objectives. At address the risks • Basis of Selection;
minimum, the audit identified • Time period subject to testing;
objectives should • Reports from which samples
will be obtained;
address the risks • Names of reports and
identified documents to be reviewed or
used for testing; and
• Specific attributes to be tested
Key Steps in Designing an Internal Audit Program
– Sample
Audit Area Risks Identified Audit Objectives Proposed Audit Work
Expenditure ✓ Fraudulent Payments are ✓ Ascertain that Payment Vouchers (“PV”) are
Payment supported and sequentially numbered
✓ Unauthorised reviewed prior to ✓ Ascertain that there is segregation of duties in the
Payment payment process of payments process
✓ Ascertain that the goods/services have been
received by reviewing the Suppliers Delivery Order
or the Company’s Goods Received Note. Determine
whether these documents are acknowledged by the
Receiver. Match the Purchase Order / Contract
before payment is processed
✓ Ascertain that a Payment Voucher is raised and
supported with the relevant supporting documents
prior payment
✓ Ascertain that the Payment Voucher is approved in
accordance with the Authorised Approval Matrix
Key Steps in Designing an Internal Audit Program
– Sample (Cont’d)
Key Stakeholders
Key Process Owner
▪ To determine if the Audit Team has a correct understanding of business processes; and
▪ To verify feasibility of test programs

Chief Audit Executive (CAE) /Coordinator of the Audit

▪ To ensure that all key risk areas and concerns have been addressed by the Internal Audit Program; and
▪ To manage the expectation of the Chief Audit Executive (CAE)/Coordinator of the Audit in relation to work being
performed. This will facilitate the process of asking for a fee increase should any significant client delays occur.

Internal Audit Engagement Assistant Managers and Managers

▪ To review the Internal Audit Program and determine if it adequately addresses the internal audit scope and does
not require for excessive testing; and
▪ To ensure that appropriate control objectives, control activities and risks have been identified. Subsequently, the
documented understanding of the process should adequately relate to risks identified.
Execute Audit
Project Work
Plan
Performance Standard 2300: Performing the
Engagement
Overarching Standards
▪ 2300 – Performing the Engagement
Internal Auditors must identify, analyze, evaluate, and document sufficient information to achieve the
engagement’s objectives.

Underlying Standards
▪ 2310 – Identifying Information
Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement’s
objectives.
▪ 2320 – Analysis and Evaluation
Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.
▪ 2330 – Documenting Information
Internal auditors must document sufficient, reliable, relevant, and useful information to support the engagement
results and conclusions.
▪ 2340 – Engagement Supervision
Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is
developed.
Phase 5: Execute Audit Project Work Plan
1
Co-Develop
Expectation
5. A shift in emphasis to “What must go right” not
simply “What can go wrong.” An efficient approach
Develop Risk
that not only reveals the impact and extent of real
Deliver Results and 2
6
Insight Model and Universe issues but assists in mitigating them.
 Initial assessment workshop

Internal Audit
 Integrated testing
Methodology
 Deductive analytics
Execute Audit Project Develop
Develop
5
Work Plan
33
Audit
Audit Plan
Plan  Clarity over agreed control strategy
 Determine training, CSA and CCM needs.
4
Design Audit
Programs
 Accelerate solutions development
Execute Audit Project Work Plan
Execution
Reference • Best practices • Walkthrough
• Walkthrough
• Prior years’ working results
• Audit Program results
papers and reports
• Data Analytics • Sample testing
• Integrated database results

Activity
Walkthrough Sample Testing
Execution (Design (Operating Closure of
Preparation Effectiveness Effectiveness Fieldwork
Review) Review)

Outcome
• Background • Observation
• Audit Program • Risk Control
Information • Exit Meeting
• Risk Control Matrix
• Risk Control Documents
Matrix • Test Sheet
Matrix
Internal Audit Execution Principles
Understand the
business & client

Risk management Know the people

Provide value
Pre-empt (solve it
(root cause &
before it happens)
recommendation)
Examples of Principles in Action
Assign team most suited
Research past
Know past experience, in addressing technical
files/internet/client’s
know the people profile and people
information
requirements

Look at any findings

Communicate with objectively, if we can’t
clients, give them articulate the risks or can’t
identify the benefit of
Follow-up and escalate
heads-up on possible
issues solving it, then possibly not
an issue

Focus on thinking more

Know our scope, know Formalised and keep
(and adding value) and
what is the basic we documentary for client
complete the routine
need to do communication
work fast
Audit Planning Memorandum (APM)
Objective is to provide the necessary planning and background information, to be
used by the team and circulated to client (with certain sections removed)
APM should include the following:

▪ Scope of review
▪ Timeline of project (fieldwork, reporting etc.)
▪ Team members
▪ Background of scope of review
▪ Focus areas
▪ Challenges, strategy and approach
▪ Summary of past audit findings
▪ Request For Information (RFI)
▪ Process owners
What is a Business Cycle?
A business cycle is a collection of: Financial Accounting
▪ Transactions Revenue
▪ Processes
Expenditure
▪ Controls
Inventory
Payroll & Personnel
Fixed Assets
Treasury
Practical Example – Expenditure Cycle
We should obtain an understanding of the flow of transactions, the processes, and controls.
Example of Expenditure Cycle:

Transaction Reports
Disbursement
Ledger Reports
Supplier Master
1 File

2 3
Purchase Order Inventory Account Payable
Sub-System Sub-system Sub-system

Purchase Order Data

General
Purchase Order Good Received Note Invoice Ledger

Control Points
Audit of Expenditure Cycle
Transaction Reports
Disbursement
Ledger Reports
Supplier Master
1
File

2 3 4
Purchase Order Inventory Account Payable
Sub-System Sub-system Sub-system

Purchase Order Data

General Ledger
Purchase Order Good Received Note Invoice

Control Points

Supplier Master File – Example of controls:

1. The ability to create, change, or delete vendor pricing information should be restricted;
2. The ability to create, change, or delete vendor master records should be restricted;
3. The ability to input, change, cancel, or release vendor invoices for payment should be restricted; and
4. Reports of changes to vendor master records are compared to authorized source documents and/or a manual
log of requested changes to ensure that all valid changes were input accurately and timely.
Audit of Expenditure Cycle (Cont’d)
Transaction Reports
Disbursement
Ledger Reports
Supplier Master
1 File

2 3 4
Purchase Order Inventory Account Payable
Sub-System Sub-system Sub-system

Purchase Order Data

General Ledger
Purchase Order Good Received Note Invoice

Control Points

Purchase Order Module – Example of controls:

1. The ability to create, change, or cancel purchase requisitions should be restricted; and
2. The ability to create, change, or cancel purchase orders should be restricted;
3. The application validates purchase orders on-line (automated controls).
Audit of Expenditure Cycle (Cont’d)
Transaction Reports
Disbursement
Ledger Reports
Supplier Master
1 File

2 3 4
Purchase Order Inventory Account Payable
Sub-System Sub-system Sub-system

Purchase Order Data

General Ledger
Purchase Order Good Received Note Invoice

Control Points

Inventory Module – Example of controls:

1. The ability to input, change, or cancel goods received transactions should be restricted; and
2. The ability to input vendor invoices that do not have a purchase order and/or goods receipt as support should be restricted.
Audit of Expenditure Cycle (Cont’d)
Transaction Reports
Disbursement
Ledger Reports
Supplier Master File
1

2 3 4
Purchase Order Inventory Account Payable
Sub-System Sub-system Sub-system

Purchase Order Data

General Ledger
Purchase Order Good Received Note Invoice

Control Points

Account Payable Module – Example of controls:

1. The ability to modify the payment run parameter specification or to initiate a payment run should be restricted;
2. The ability to release invoices that have been blocked for payment, either for an individual invoice or for a specified vendor;
3. The system automatically matches vendor invoice transactions to receipts of goods and purchase orders. It then posts the invoices to the
appropriate vendor account in Accounts Payable and to the Accounts Payable control account in the general ledger (automated controls).
Risk Control Matrix (RCM)
Risk Control Matrix (RCM) is a table to compare risks with corresponding controls in business
process. Effectiveness of controls shall be assessed based on this RCM.

List up risks related to a business process
Examples:
Errors in sales amounts when entering to
system, registering false sales, etc.
List up controls to remediate the risks indicated to the left (for manual
operations and system functions)
Examples:
Approval by manager, restrictions to prevent entering information of false
customers by master data, periodic check for unusual amounts, etc.
Audit Program Component - Scope
Scope of the audit and risk mapping

No Audit Objectives (as defined in APM) Risk

Fraudulent payments
Payments are supported and reviewed prior to payments
1
and recognition
Unauthorised payments
Management Assertion

Validity Corresponding transaction actually exist and authorized.

Completeness All transactions are recorded as they should be.

Accuracy Transactions are recorded accurately.

Allocation Transactions are recorded in appropriate term.

Management Assertion (Cont’d)
Existence or Occurrence
Existence is an assertion about whether the existence of an asset or a liability exists at a certain time. Occurrence
is an assertion about whether a recorded transaction has occurred during a certain period.
Completeness
Completeness is an assertion of whether all transactions and accounts that should be presented in the Financial
Statements are available and recorded.
Valuation or Allocation
Valuation or Allocation is an assertion to ensure that each asset and liability is recorded at an appropriate value.
Rights and Obligations
Rights is an assertion about whether the Company has rights to an asset at a certain time. Obligation is an
assertion about whether the Company has an obligation that is the responsibility of the Company at a certain
time.
Presentation and Disclosure
Presentation is an assertion about whether certain components in the Financial Statements have been
appropriately classified and described. Disclosure is an assertion that describes whether all material information
has been disclosed in the Financial Statements.
Walkthrough - Tasks
▪ Understand the existing business process from process owners
▪ Identify and review existing controls based on risk identified
▪ Identify design effectiveness deficiencies

Risk Design Effectiveness

1. Fraudulent payments 1. Review that 3-way match, where applicable, is performed before processing
invoice
2. Review control (e.g. system control) is in place to prevent invoice/credit note from
recorded twice
3. Whether management review aged accounts payable analysis regularly and
unusual items timely investigated and resolved
2. Unathorised payments 1. Review the authorization matrix on whether it is up to date
2. Understand the urgent payment procedures

Design effectiveness deficiency:

a) a necessary control is missing
b) an existing control doesn’t remediate the risk.
Understand the Process
Transaction Volume

Transaction Categories

Key Statistic Summarised by Category

Transaction Structure
Document the Controls

Check your control documentation:

1. What is the risk being controlled?
2. Who (or what system) performs the control activity?
3. How frequent is the activity performed?
4. What mechanism is used to perform the activity (source documents)?
Conducting Interviews: Tip
▪ Have them explain their process role from beginning to end
▪ Keep initial questions open-ended
Who What
▪ Don’t use a checklist approach
▪ Take detailed notes
When Where
▪ Be inquisitive, ask probing questions
▪ Ask them to show you (observe)
How Why ▪ Ask them if there are any gaps or opportunities for
enhancement
What Why ▪ Include discussion on key systems and applications
if
not ▪ Ask to receive documentation not already obtained
▪ Be well prepared and make efficient use of their time
Control Category

A policy establishing what should be done and, and serving as a basis for the second element, procedures
Policies & Procedures
to affect the policy.

Written consent to proceed with a requested activity, without in any way diminishing the applicant’s
Authorization
obligation to meet the standard or specified requirements.

Comparison of two or more items, or the use of supplementary tests, to ensure the accuracy, correctness,
Verification
or truth of the information / Alternative term for acknowledgement

Regulation Compliance Compliance with relevant laws and regulations.

Analysis of actual results versus organizational goals or plans, periodic and regular operational reviews,
Monitoring
metrics, and other key performance indicators.

Control policy according to which no person should be given responsibility for more than one related
Segregation of Duties
function.
Sample Testing - Tasks
▪ Design test steps based on the controls identified during D&I review
▪ Select samples from the transaction population (e.g. PO listing, payment listing)
▪ Perform testing on samples
▪ Identify operating effectiveness deficiency
Risk Controls Identified during D&I Operating Effectiveness
Review
1. Fraudulent 1. Purchases are made based on A. For 25 sample of payments selected verify the following:
payments approved Purchase Request 1. Payment is duly supported (i.e. invoice, evidence of receipt,
(“PR”). Purchase Order)
2. 3 quotations are sourced for the 2. Payment is invalidated (stamped paid) upon payment
purchase 3. Payment is approved according to authorization matrix
3. Services or goods are received B. Perform data analytics to identify:
prior to payment 1. duplicate invoice numbers
4. Invoice is match to approved 2. duplicate payment voucher numbers
Purchase Order (“PO”), Invoices
and evidences of receipt

Operating effectiveness deficiency:

a) a control does not operate as designed
b) the person performing the control does not possess the necessary authority or qualifications.
Sample Test Sheet

Type of
Control Frequency Sample Size
Control

Manual Many Times per Day 25

Daily 15
Weekly 5
Monthly 2
Quarterly / Annually 1
ITAC 1
This is just a guideline. Sample size can be based on your professional
judgment.
Key Questions Prior Closure Meeting

How Do You Know When What are the Key

You’re Ready for the Elements of a “Successful”
Closure Meeting? Closure Meeting?

Who to Invite to the

Closure Meeting?
Closure Meeting Preparation
❑ Workpapers have been completed and reviewed.

❑ Communication of potential issues, findings and/or areas of concerns has

been made with the Audit Client prior closure meeting (root clause
availability is a plus).

❑ Any gap was supported with sufficient evidence.

Inviting the Attendee
❑ The decision of who to invite should be based on
input from the Chief Audit Executive (CAE), Audit
Manager, Audit Staff and the Audit Client.
❑ Invitation should include:
➢ Audit Client’s Head of Division (if available)
➢ Audit Client
➢ Audit Client’s Staff (Staff Worked with During the
Engagement)
➢ Audit Team
A Successful Closure Meeting Tips & Tricks
Aces the Attitude
Deliver Results and
Insight
Auditor's Report Definition
The auditor's report is a formal opinion, or disclaimer thereof, issued by
either an internal auditor or an independent external auditor as a result
of an internal or external audit, as an assurance service in order for the
user to make decisions based on the results of the audit.

Source: https://en.wikipedia.org/wiki/Auditor%27s_report
Audit Report Related Standards
2400 – Communicating Results
Internal auditors must communicate the results of engagements.
2410 – Criteria for Communicating
Communications must include the engagement’s objectives, scope, and results.
2410.A1
Final communication of engagement results must include applicable conclusions, as well as applicable recommendations
and/or action plans. Where appropriate, the internal auditors’ opinion should be provided. An opinion must take into
account the expectations of senior management, the board, and other stakeholders and must be supported by sufficient,
reliable, relevant, and useful information.
2410.A2
Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications
2410.A3
When releasing engagement results to parties outside the organization, the communication must include limitations on
distribution and use of the results.
2410.C1
Communication of the progress and results of consulting engagements will vary in form and content depending upon the
nature of the engagement and the needs of the client.
Audit Report Related Standards (Cont’d)
2420 – Quality of Communications
Communications must be accurate, objective, clear, concise, constructive, complete, and timely.

2430 – Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal
Auditing”
Indicating that engagements are “conducted in conformance with the International Standards for the Professional Practice of
Internal Auditing” is appropriate only if supported by the results of the quality assurance and improvement program.

2440 – Disseminating Results

The chief audit executive must communicate results to the appropriate parties.

2450 – Overall Opinions

When an overall opinion is issued, it must take into account the strategies, objectives, and risks of the organization; and the
expectations of senior management, the board, and other stakeholders. The overall opinion must be supported by sufficient,
reliable, relevant, and useful information.
Phase 6: Deliver Results and Insight
People Process Technology

• IA understands the business objectives of company and Develop the expectations

regarding IA’s alignment with those business objectives and criteria for assessing the
related risks.
Co-Develop
1
Expectation
• IA reports audit results to • IA identifies
management. business process
• Periodic reporting of IA Deliver Results 2 Develop Risk & develop risk
6
activities to senior and Insight Model and Universe assessment
management & the Audit
Committee.

• IA performs detailed test
work, reviews audit results
and holds a formal exit
meeting at the conclusion
of each audit performed.
Internal Audit
Methodology Based on the risk
assessment results and
Execute Audit Project
5 Develop Internal Audit plan, IA
Work Plan 3 identifies timing,
Audit Plan
locations, project teams
and determine
appropriate use of
Design Audit
4 technology tools.
Programs

IA develops audit programs of detailed tests.

Audit Report is an Evidence of Quality Audit

Risk-Based Internal Audit Audit Report

Audit Report Means to Internal Auditor

Aquaman
Judge
Police Officer

Thor
Pandawa Lima
Things to Consider When Drafting Audit Report
❖ Stakeholders have diverse needs.
❖ Effective audit communication needs to be accurate, objective, clear, concise, constructive, complete and timely to be
relevant.
❖ The audit report must include the objectives, scope, and results of the engagement.
❖ Management’s action plans must be included, as they are often the most referenced segment of the report over time.
❖ It is important to conduct a thorough review of the content to validate factual accuracy, completeness of reporting, and
ensure the engagement results and conclusions are supported by sufficient, reliable, relevant, and useful information.
❖ A concise executive summary may highlight good practices observed during the engagement and any steps taken by
management to improve governance, risk management, and internal controls
❖ The distribution of the report must be validated and approved by the Chief Audit Executive (CAE) to ensure it is directed
to the intended recipients and disseminated to the appropriate parties who can ensure that the results are given due
consideration.
Audit Report Potential Pitfalls
Significant errors and omissions.

Language that is too technical or filled with too much jargon.

Observations and recommendations that are not well-formulated.

Failing to acknowledge satisfactory performance.

Omitting or not explaining the scope limitations.

Issuing late reports or issuing them to inappropriate parties.

Audit Report Elements
Five C’s Standards, measures, or expectations used in making an evaluation and/or verification of an observation (what
should exist). Criteria are used to compare and evaluate the existing condition(s) and can be written policies,
Criteria procedures, laws, regulations, and/or guidelines. Criteria can also be established organizational practices,
expectations based on the design of the control, and even common-sense procedures that may not be formally
documented and may require internal auditors’ professional judgment for their evaluation.

Factual evidence identified during the course of the engagement (what does exist). Condition is
Condition the key issue the internal auditor considers, and it can be measurable or observable.

Underlying reason for the difference between the criteria and condition (why the difference exists).
Cause It answers the questions “what allows the condition to exist?” and “why did the condition occur?” It
is essential that internal audit work with management to identify the root cause of the gap.

Risk or exposure encountered because the condition is not consistent with the criteria (the
Consequence consequence of the difference). In determining the degree of risk or exposure, internal auditors
consider the effect that the engagement observations may have on the organization’s operations
(Effect) and/or financial reporting process. Effects can be existing or potential.
Recommendations are internal auditors’ suggestions for correcting conditions and identifying the cause to prevent
Corrective Action recurrence (or the creation of new conditions). Recommendations provide an efficient and effective way to address
Plan / the gaps identified between condition and criteria. Actions that were initiated by management during the internal
Recommendation audit engagement, but before the issuance of the written report, can be acknowledged in the final engagement
communication.
Gap, Root Cause Analysis & Recommendation
Observation, Recommendation & Management
Action Plan
Examples of Condition, Effect, Cause, Root Cause,
& Recommendation
Rating of Finding

Rating Description
An audit finding is assigned a “High” priority when the underlying internal controls or processes contain material or pervasive
weaknesses. Remedial action should be taken immediately to address the audit finding. The condition requires improvements with
High
more than usual management involvement and monitoring until the internal controls are improved.

An audit finding is assigned a “Medium” priority when there are improvements required in the level of internal controls, effectiveness
and efficiency of operations, reliability of financial records, compliance with applicable laws and regulations and supervision or
Medium compliance with policies. Positive (but not urgent) action is required from management to address the audit finding within 3 months.

An audit finding is assigned a “Low” priority when the internal controls are generally functioning with some minor exceptions, mostly in
Low terms of efficiency and isolated events of non-compliance. Management can have within 3 to 6 months to address the audit finding.
Audit Report Template – Executive Summary
Audit Report Template – Executive Summary
(Cont’d)
Observations, Recommendations and
Management Response
Writing an Impactful Audit Report: 6 Tips for
being more Persuasive
Keep It Short

Remember Keep It
the 5 C’s Simple

Make Your
Consider the
Best Ideas
Implications
Stand Out

Don’t
Neglect the
Basics
Q&A?
Key Takeaways
Know the principles, be resourceful and creative in application

Work hard but work smarter, 1(effort) + 1(smart) = 3

Thank you
“Risk comes from not knowing what you’re doing.”
– Warren Buffet –
CEO of Berkshire Hathaway