Technique for Internal Audit
WEBINAR IAI & FEBUI
28 – 29 AUGUST 2021
DAY 02
Agenda
▪ Design Audit Programs
▪ Execute Audit Project Work Plan
▪ Deliver Results and Insight
▪ Q&A?
Design Audit Programs
SOURCE: HTTPS://YOUTU.BE/WBPX6JMGBYA
7 Deadly Internal Audit Sins (Cont’d)
1) Publish an erroneous report (a mistake could be equally devastating);
2) To intentionally submit incomplete or false work papers (unethical);
3) Lose your temper with a client (don’t act out unprofessionally);
4) Auditing with an agenda (auditing with a conflict of interest);
5) Betraying the bond of confidentiality (inappropriate information exchange);
6) Violating company policy (walking the talk); and
7) Issuing an internal auditor's report that is petty or doesn’t add value
(wasting time on unimportant detail).
Phase 4: Design Audit Programs
[Diagram: Internal Audit Methodology cycle: 1 Co-Develop Expectation; 2 Develop Risk Model and Universe; 3 Develop Audit Plan; 4 Design Audit Programs; 5 Execute Audit Project Work Plan; 6 Deliver Results and Insight]
4. Design Audit Programs
▪ A successful internal audit engagement should be supported by a well-designed Internal Audit Program
▪ There are two objectives in Design Internal Audit Programs as follows:
  ▪ Develop Internal Audit Program
  ▪ Approve Internal Audit Program
▪ A well-developed audit program will provide the foundation for the control testing being executed efficiently. Specifically, it:
  ▪ Assists in controlling work and assigning responsibility;
  ▪ Provides a record and confirmation of work completed; and
  ▪ Supports the achievement of the internal audit objectives
[Diagram: Develop Internal Audit Program; Internal Audit Program Draft; Approve Internal Audit Program; Internal Audit Program (Approved)]
What is an Audit Program and its Purpose?
An audit program can be described as follows:
▪ A detailed work plan that stipulates procedural steps required to achieve audit
objectives, including the creation of key working paper deliverables and/or the
final report.
▪ A document that sets forth procedures necessary to complete an efficient and
effective audit; it is suggested that this document be approved by the
engagement/project leader and/or Chief Internal Auditor, as applicable and
dependent on type of audit, prior to start of fieldwork.
▪ A project work plan that can assist in developing and monitoring project budgets.
Why Is an Audit Program Important?
It is important to have a well developed audit program, as it addresses a number of objectives. These objectives
include:
A comprehensive and well-written audit program substantiates the procedures followed, the compliance and
substantive tests performed, the information and evidence obtained, and the audit conclusions reached
Key Internal Audit Program Requirements
Sample size
Underlying Standards
▪ 2310 – Identifying Information
Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement’s
objectives.
▪ 2320 – Analysis and Evaluation
Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.
▪ 2330 – Documenting Information
Internal auditors must document sufficient, reliable, relevant, and useful information to support the engagement
results and conclusions.
▪ 2340 – Engagement Supervision
Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is
developed.
Phase 5: Execute Audit Project Work Plan
[Diagram: Internal Audit Methodology cycle]
5. A shift in emphasis to “What must go right” not simply “What can go wrong.” An efficient approach that not only reveals the impact and extent of real issues but assists in mitigating them.
▪ Initial assessment workshop
▪ Integrated testing
▪ Deductive analytics
▪ Clarity over agreed control strategy
▪ Determine training, CSA and CCM needs.
▪ Accelerate solutions development
Execute Audit Project Work Plan
Activity (in sequence):
▪ Execution Preparation
▪ Walkthrough (Design Effectiveness Review)
▪ Sample Testing (Operating Effectiveness Review)
▪ Closure of Fieldwork
Reference:
▪ Best practices
▪ Prior years’ working papers and reports
▪ Integrated database
▪ Audit Program
▪ Data Analytics
▪ Walkthrough results
▪ Sample testing results
Outcome:
▪ Background Information
▪ Audit Program
▪ Risk Control Matrix
▪ Documents
▪ Test Sheet
▪ Observation
▪ Exit Meeting
Internal Audit Execution Principles
▪ Understand the business & client
▪ Provide value (root cause & recommendation)
▪ Pre-empt (solve it before it happens)
Examples of Principles in Action
▪ Know past experience, know the people
▪ Research past files/internet/client’s information
▪ Assign team most suited in addressing technical profile and people requirements
▪ Scope of review
▪ Timeline of project (fieldwork, reporting etc.)
▪ Team members
▪ Background of scope of review
▪ Focus areas
▪ Challenges, strategy and approach
▪ Summary of past audit findings
▪ Request For Information (RFI)
▪ Process owners
What is a Business Cycle?
A business cycle is a collection of:
▪ Transactions
▪ Processes
▪ Controls
[Diagram labels: Financial Accounting; Revenue; Expenditure; Inventory; Payroll & Personnel; Fixed Assets; Treasury]
Practical Example – Expenditure Cycle
We should obtain an understanding of the flow of transactions, the processes, and controls.
Example of Expenditure Cycle:
[Diagram: Supplier Master File; Purchase Order Sub-System (Purchase Order); Inventory Sub-system (Good Received Note); Account Payable Sub-system (Invoice); General Ledger; outputs: Transaction Reports, Disbursement, Ledger Reports; Control Points 1 to 3]
Audit of Expenditure Cycle
[Diagram: Supplier Master File; Purchase Order Sub-System (Purchase Order); Inventory Sub-system (Good Received Note); Account Payable Sub-system (Invoice); General Ledger; outputs: Transaction Reports, Disbursement, Ledger Reports; Control Points 1 to 4]
▪ List the risks related to a business process.
  Examples: Errors in sales amounts when entering to system, registering false sales, etc.
▪ List the controls that remediate those risks (for manual operations and system functions).
  Examples: Approval by manager, restrictions to prevent entering information of false customers by master data, periodic check for unusual amounts, etc.
Audit Program Component - Scope
Scope of the audit and risk mapping
▪ Fraudulent payments
▪ Unauthorised payments
1. Payments are supported and reviewed prior to payments and recognition
Management Assertion
Transaction Categories
Transaction Structure
Document the Controls
▪ Policies & Procedures: A policy establishing what should be done and serving as a basis for the second element, procedures to effect the policy.
▪ Authorization: Written consent to proceed with a requested activity, without in any way diminishing the applicant’s obligation to meet the standard or specified requirements.
▪ Verification: Comparison of two or more items, or the use of supplementary tests, to ensure the accuracy, correctness, or truth of the information / Alternative term for acknowledgement.
▪ Monitoring: Analysis of actual results versus organizational goals or plans, periodic and regular operational reviews, metrics, and other key performance indicators.
▪ Segregation of Duties: Control policy according to which no person should be given responsibility for more than one related function.
Sample Testing - Tasks
▪ Design test steps based on the controls identified during D&I review
▪ Select samples from the transaction population (e.g. PO listing, payment listing)
▪ Perform testing on samples
▪ Identify operating effectiveness deficiency
Risk:
1. Fraudulent payments
Controls Identified during D&I Review:
1. Purchases are made based on approved Purchase Request (“PR”).
2. 3 quotations are sourced for the purchase
3. Services or goods are received prior to payment
4. Invoice is matched to approved Purchase Order (“PO”), invoices and evidence of receipt
Operating Effectiveness:
A. For a sample of 25 payments selected, verify the following:
   1. Payment is duly supported (i.e. invoice, evidence of receipt, Purchase Order)
   2. Payment is invalidated (stamped paid) upon payment
   3. Payment is approved according to authorization matrix
B. Perform data analytics to identify:
   1. duplicate invoice numbers
   2. duplicate payment voucher numbers
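The sample selection in test A and the duplicate checks in test B, as an added Python example that is not part of the original slides. The payment listing is constructed, and the column names (voucher_no, supplier_id, invoice_no, amount), the seed value and the invoice-number normalisation are assumptions; the normalisation goes slightly beyond exact matching so that re-keyed references such as "INV-0012" and "inv 12" from the same supplier are treated as one invoice.

```python
import csv
import io
import random
import re
from collections import defaultdict

# Constructed payment listing for illustration (not real data).
PAYMENT_LISTING = """voucher_no,supplier_id,invoice_no,amount
PV-1001,S001,INV-0012,1500.00
PV-1002,S002,INV-0012,980.00
PV-1003,S001,inv 12,1500.00
PV-1004,S003,A/778,220.50
PV-1004,S004,B-19,75.00
PV-1005,S003,A/779,220.50
"""

def load_payments(text):
    """Parse the CSV listing into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def normalise_ref(ref):
    """Uppercase, drop punctuation and spaces, strip leading zeros of number runs."""
    ref = re.sub(r"[^A-Z0-9]", "", ref.upper())
    return re.sub(r"(?<!\d)0+(?=\d)", "", ref)

def duplicate_invoices(rows):
    """Test B.1: same supplier and same normalised invoice number paid more than once."""
    groups = defaultdict(list)
    for row in rows:
        key = (row["supplier_id"], normalise_ref(row["invoice_no"]))
        groups[key].append(row["voucher_no"])
    return {key: vouchers for key, vouchers in groups.items() if len(vouchers) > 1}

def duplicate_vouchers(rows):
    """Test B.2: one payment voucher number used on more than one payment line."""
    groups = defaultdict(list)
    for row in rows:
        groups[row["voucher_no"].strip().upper()].append(row["invoice_no"])
    return {v: invoices for v, invoices in groups.items() if len(invoices) > 1}

def select_sample(rows, size=25, seed=2021):
    """Test A: reproducible random sample; record the seed in the working paper."""
    if len(rows) <= size:
        return list(rows)  # population smaller than the sample size: test every item
    return random.Random(seed).sample(rows, size)

if __name__ == "__main__":
    payments = load_payments(PAYMENT_LISTING)
    print("Duplicate invoices:", duplicate_invoices(payments))
    print("Duplicate vouchers:", duplicate_vouchers(payments))
    print("Sample size:", len(select_sample(payments)))
```

Recording the seed alongside the population file lets a reviewer re-perform the selection and arrive at the same 25 items.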
[Table: Type of Control; Frequency; Sample Size]
Source: https://en.wikipedia.org/wiki/Auditor%27s_report
Audit Report Related Standards
2400 – Communicating Results
Internal auditors must communicate the results of engagements.
2410 – Criteria for Communicating
Communications must include the engagement’s objectives, scope, and results.
2410.A1
Final communication of engagement results must include applicable conclusions, as well as applicable recommendations
and/or action plans. Where appropriate, the internal auditors’ opinion should be provided. An opinion must take into
account the expectations of senior management, the board, and other stakeholders and must be supported by sufficient,
reliable, relevant, and useful information.
2410.A2
Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications
2410.A3
When releasing engagement results to parties outside the organization, the communication must include limitations on
distribution and use of the results.
2410.C1
Communication of the progress and results of consulting engagements will vary in form and content depending upon the
nature of the engagement and the needs of the client.
Audit Report Related Standards (Cont’d)
2420 – Quality of Communications
Communications must be accurate, objective, clear, concise, constructive, complete, and timely.
2430 – Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal
Auditing”
Indicating that engagements are “conducted in conformance with the International Standards for the Professional Practice of
Internal Auditing” is appropriate only if supported by the results of the quality assurance and improvement program.
[Diagram: Internal Audit Methodology: 3 Develop Audit Plan; 4 Design Audit Programs; 5 Execute Audit Project Work Plan]
• IA performs detailed test work, reviews audit results and holds a formal exit meeting at the conclusion of each audit performed.
• Based on the risk assessment results and Internal Audit plan, IA identifies timing, locations, project teams and determines appropriate use of technology tools.
Aquaman
Judge
Police Officer
Thor
Pandawa Lima
Things to Consider When Drafting Audit Report
❖ Stakeholders have diverse needs.
❖ Effective audit communication needs to be accurate, objective, clear, concise, constructive, complete and timely to be
relevant.
❖ The audit report must include the objectives, scope, and results of the engagement.
❖ Management’s action plans must be included, as they are often the most referenced segment of the report over time.
❖ It is important to conduct a thorough review of the content to validate factual accuracy, completeness of reporting, and
ensure the engagement results and conclusions are supported by sufficient, reliable, relevant, and useful information.
❖ A concise executive summary may highlight good practices observed during the engagement and any steps taken by
management to improve governance, risk management, and internal controls
❖ The distribution of the report must be validated and approved by the Chief Audit Executive (CAE) to ensure it is directed
to the intended recipients and disseminated to the appropriate parties who can ensure that the results are given due
consideration.
Audit Report Potential Pitfalls
Significant errors and omissions.
▪ Condition: Factual evidence identified during the course of the engagement (what does exist). Condition is the key issue the internal auditor considers, and it can be measurable or observable.
▪ Cause: Underlying reason for the difference between the criteria and condition (why the difference exists). It answers the questions “what allows the condition to exist?” and “why did the condition occur?” It is essential that internal audit work with management to identify the root cause of the gap.
▪ Consequence (Effect): Risk or exposure encountered because the condition is not consistent with the criteria (the consequence of the difference). In determining the degree of risk or exposure, internal auditors consider the effect that the engagement observations may have on the organization’s operations and/or financial reporting process. Effects can be existing or potential.
▪ Corrective Action Plan / Recommendation: Recommendations are internal auditors’ suggestions for correcting conditions and identifying the cause to prevent recurrence (or the creation of new conditions). Recommendations provide an efficient and effective way to address the gaps identified between condition and criteria. Actions that were initiated by management during the internal audit engagement, but before the issuance of the written report, can be acknowledged in the final engagement communication.
Gap, Root Cause Analysis & Recommendation
Observation, Recommendation & Management Action Plan
Examples of Condition, Effect, Cause, Root Cause, & Recommendation
Rating of Finding
Rating and Description
▪ High: An audit finding is assigned a “High” priority when the underlying internal controls or processes contain material or pervasive weaknesses. Remedial action should be taken immediately to address the audit finding. The condition requires improvements with more than usual management involvement and monitoring until the internal controls are improved.
▪ Medium: An audit finding is assigned a “Medium” priority when there are improvements required in the level of internal controls, effectiveness and efficiency of operations, reliability of financial records, compliance with applicable laws and regulations and supervision or compliance with policies. Positive (but not urgent) action is required from management to address the audit finding within 3 months.
▪ Low: An audit finding is assigned a “Low” priority when the internal controls are generally functioning with some minor exceptions, mostly in terms of efficiency and isolated events of non-compliance. Management can address the audit finding within 3 to 6 months.
Audit Report Template – Executive Summary
Audit Report Template – Executive Summary (Cont’d)
Observations, Recommendations and Management Response
Writing an Impactful Audit Report: 6 Tips for being more Persuasive
▪ Keep It Short
▪ Keep It Simple
▪ Remember the 5 C’s
▪ Make Your Best Ideas Stand Out
▪ Consider the Implications
▪ Don’t Neglect the Basics
Q&A?
Key Takeaways
Know the principles, be resourceful and creative in application