Professional Documents
Culture Documents
Class 8 Managing The Internal Audit Function: CAE's Responsibilities
Class 8 Managing The Internal Audit Function: CAE's Responsibilities
CAE’s responsibilities
2000 – managing the IA acty
The CAE must effectively manage the IA acty to ensure it adds value to
the org
Interpretation:
IA acty is effectively managed when:
- It achieves the purpose and responsibility included in the IA charter
- It conforms with the standards
- Its individual members conform with the codes of ethics and the standards
- It considers Trends and emerging issues that could impact the organization
The internal auditor activity adds value to the organization and its stakeholders when it considers
their strategies, objectives, and risks; strives to offer ways to enhance governance, risk
management, and control processes; in objectively provides relevant assurance
xCLASS 9 AUDIT EVIDENCE AND WORKING PAPERxx
- Audit evidence
- Audit procedures
- Audit working paper
AUDIT EVIDENCE
Professional skepticism and reasonable assurance
- Professional skepticism = IA take nothing for granted; they continuously question what they
hear and see and critically assess audit evidence
- IA strives to obtain sufficient evidence to provide a reasonable basis for formulating their
conclusions and advice. This concept is referred to as reasonable assurance ≠ absolute
assurance (100%) ⇒ we can only assure to reasonable level (not 100%)
Definition
- Represent the fact the IA collected from their audit operations
- Used to prove or confirm with the criteria to summarize audit results and provide advice in
the IA report
- May come from internal or external sources
Characteristics
1. Sufficiency
a. Data or evidence that confirms or support the same conclusions
b. Evidence is considered sufficient if the evidence can exhibit facts and persuade a
prudent, informed person to believe and rely on the fact
c. Sufficiency depends on judgement
→ so it’s difficult to conclude (sometimes use stat record)
→ give to s/o who has enough knowledge to evaluate it
Criteria
● Importance of the audit matter: diff value → diff materiality
● Risks and probability of error: If comp made a lot of error → larger audit sample
● Costs to obtain the evidence: we may have many types of audit procedure
บางทีเลือก 2nd best ก็พอเพราะถ ้าเราเลือกอันทีด
่ ท
ี ส
ี่ ด
ุ อาจจะแพงเกิน benefit ไป
● larger/smaller sample sizes
● corroborated / contradictory: if 2 tests give diff result → may have another test
2. Reliability
“WHERE does evidence come from/ HOW you get it”
a. Data or evidence that is obtained from reliable source and through appropriate audit
procedures
Criteria
● Source of evidence
○ internal/ external ⇒ internal more likely to manipulate
○ general/ expert ⇒ ex. Operational staff vs land appraiser
3. Relevance
a. Data or evidence that can confirm or support the audit conclusion, findings or
recommendation and conform with the audit objective ( relevance, accuracy,...)
b. Some evidence may be relevant to only one audit objectives
ex. Observation of assets count vs existence
c. Some evidence may be relevant to >1 audit objectives
Ex. confirmation of AR vs accuracy and existence
4. Usefulness (อันนีเ้ ป็ น comp goal ทีเ่ หลือเป็ น audit goal)
a. Data or evidence that helps provide assurance that the org will meet its goal
⇒ strat, operations, reporting, compliance, safeguarding assets**
Factor to consider
● Materiality ⇒ use mat to measure usefulness
Exercise on characteristics
Assume IA wants to determine whether a particular vehicle included in the comp’s FA ledger EXISTS
and is OWNED (audit obj) by the comp. Therefore, IA locates the vehicle in the comp’s parking lots
1. Relevant?
○ Existence VS locate vehicle ⇒ yes
○ Ownership VS locate vehicle ⇒ NO ต ้องไปดูทdี่ ocs (registration info/ car owner)
โฉนดทีด
่ น
ิ ก็เหมือนกัน
มี ownership transfer
2. Reliable?
○ Source of info: aud go to see by themselves = reliable
○ if docs photocopied ⇒ not so reliable
3. Sufficient?
○ Existence VS locate vehicle ⇒ yes
○ Ownership VS locate vehicle ⇒ NO ต ้องไปดู regis no./ engine no. ด ้วย
4. Useful?
○ Useful for reporting
○ ถ ้าดูวธิ เี ก็บรถด ้วยก็ also safeguarding assets
Evidence
1. Risk and control matrices
○ B – risk-based plan → need documented risk assessment process at least annually
So IA have to prepare this
○ C – comp มี risk mgt department (แต่ต ้องออดิทอีกที IA เลยไปขอ matrices มาจากบอ)
2. Deposits slips ใบนำฝากธนาคาร
○ D – if have 1: bring check to tellers → they do everything for you
○ A – if have many: บอออก plain(?) slip → bank stamp → send back to comp
3. Bank statements
○ D – monthly statement
○ E – aud request from bank
4. Receiving reports = you order materials
○ A – receiving dept prepare this ตอนได ้รับของ
○ C – ask คนส่งให ้เซ็นด ้วย
5. Confirmations
○ E – mostly E
○ D
AUDIT PROCEDURES
Definition and objectives
= tasks performed to obtain evidence
● Aud procedures = specific tasks performed by the IA to gather evidence required to achieve
the prescribed audit objectives
● objectives:
○ Obtain a thorough understanding of the auditee, including the auditee’s obj, risks, and
controls ⇒ observe what they do, interview personnel, see docs
○ Test the design adequacy and operating effectiveness of the targeted area’s system of
IC ⇒ when we want to evaluate control, there are 2 aspects:
■ Adequacy: whether the control is enough to bring risk to acceptable level
■ Effectiveness: those controls really work + is performed
(perform test of control)
○ Analyze plausible relationships among different elements of data
⇒ compare data whether they are reasonable or not – มี fraud, error มัย
้
○ Directly test recorded fin and non-fin info for errors and fraud
⇒ similar to substantive test of external auditor
● สรุป ส่วนใหญ่เป็ น test of controls แล ้วก็ม ี substantive test บ ้าง
Standards
○ Analytical procedures:
Common-size – use number in FS as a base ex. I/Sเทียบกับ net sales ออกมาเป็ น %
Ratio-analysis
Trend analysis – compare many years → see trend whether it conforms with
economic condition
Analysis of future-oriented information – check budget in the future
External benchmarking – compare with competitors
Internal benchmarking – compare among branch
○ Confirmation:
Positive – recipients have to answer in every case
Negative – answer only when not correct
Describe the procedures you might use to gain an understanding of how the computers were
acquired, used, and accounted for. อจพูดไม่คอ
่ ยรู ้เรือ
่ งเลยอันนี้
2 Responsibilities regarding the - If big comp, check คนใน job description or interview
computers are properly personnel
segregated.
8 The estimated useful lives and - Salvage: Ask expert or check market value of com
salvage values of the computers ว่าถ ้าเวลาผ่านไป 5 ปี ราคาเหลือเท่าไหร่
are reasonable. - Useful lives: Check records of the comp ว่าปกติใช ้
คอมกันนานแค่ไหน
9 Depreciation expense was - Inspect formulas
calculated correctly. - recalculate
Case
Summary: จดว่ามีการซือ้ รถ 501 คันแต่จริงๆ only 8 exists เงินออกตลอดแต่ไม่เคยเห็นรถ เงินเข ้ากระเป๋ า chairman
หมด โดนจับได ้เพราะ SEC สังเกตว่าถ ้ามีรถเยอะขนาดนีก
้ ต
็ ้องมีตก
ึ หรือเช่าทีไ่ ว ้เก็บรถ → ask for special audit
⇒ Check ration เทียบ inventory กับ rent expense
Summary: try to advertise that he has a way to invest and promise really high return พอคนให ้เงินเค ้า เค ้า
ก็pay return ให ้ investor กลุม
่ แรก ด ้วยเงินของ investor กลุม ่ สองไปเรือ่ ยๆ: He make up all investment stm
มี fund manager try to win this ว่าreturn สูงขนาดนีม ้ น
ั เป็ นไปไม่ได ้ แต่มน ่ เพราะเค ้าเป็ นคนมีตำแหน่งใหญ่
ั ไม่มใี ครเชือ
่ ถือ (director of NASDAQ)
โตน่าเชือ
⇒ สรุปโดนจับได ้เพราะ proudกับแผนมากเลยเล่าให ้ลูกฟั ง ลูกแจ ้งตำรวจ
Contents
- Depends on nature of engagement
Preparation guideline
Appropriate working paper standardization may include:
● A uniform cross-referencing system for all engagements
INTRO
What and why
● Audit sampling is the application of an audit procedure to less than 100 percent of the items
in a population for the purpose of drawing an inference about the entire population.
● Economic and time constraints generally preclude internal auditors from testing 100% of
everything they would like to test.
● Sampling is used most commonly by internal auditors to test the operating effectiveness of
controls. (really work? is performed?) ไม่ใช่ test adequacy นะ !!
Vocab
Concept
1. How much is the sample
2. Apply audit procedure to the sample chosen (vouching, tracing,..)
3. Find stat
4. Estimate population parameter
AUDIT RISK IN CONTEXT OF SAMPLING
Audit risk = risk of reaching invalid conclusions and/or providing faulty advice based on the audit
work conducted.
2. Nonstatistical sampling
○ Use sample size based on our convenience: we gonna audit this much, don’t care stat
○ Save costs and time
○ Appropriate for experienced auditors so they can target on more risky part
⇒ เลือกว่าจะใช ้อันไหนจาก cost-benefit decision ex. ถ ้าเกินล ้านใช ้stat ส่วนทีเ่ หลือใช ้ non-stat
REVIEWING STATS
What is the difference between a test of control and a test of monetary value?
Population distribution
⇒ for audit purpose, each item in a pop is associated w/ a variable of interest to the auditor
● Discrete variables การสุม่ ตัวอย่างเชิงคุณลักษณะ, such as the YES/NO decision whether to authorize
pmt of invoices, are tested using attribute sampling **focus**
○ Ex. authorize or not? Comply or not?
● Continuous variables, such as the monetary amounts of accounts receivable, are tested using
variable sampling
Exercise
For which of the following would an IA most likely use attribute sampling?
a. Determining whether the year-end inventory balance is overstated
b. Selecting FA additions to inspect
c. Choosing inventory items to test count
d. Inspecting employee timecards for proper approval ⇒ just approve or not
For all these deviations, there should be sth that help us say that this wrong ⇒ criteria
Internal ––––––––– Example of criteria ––––––––– External
4. Determine the appropriate values of the parameters affecting sample size (table 1 or Formula)
○ The acceptable risk of assessing control risk too low
⇒ risk that IA will incorrectly conclude that a specified control is more effective than it
really is (risk of marking wrong conclusion)
■ Ex. 100% - confidence level 95%
= 5% → เปอเซนทีอ่ อดิทจะ conclude ผิด
Acceptable risk of assessing control risk too low (beta risk) Inverse
= accept error more in making audit decision, lower confidence = smaller sample
7. Audit the sample items selected and count the number of deviations from the prescribed
control
Discovery Sampling
⇒ Use to specify the sample that is big enough to find at least 1 deviation if it exists
พยยหาให ้ได ้อย่างน ้อย 1 devถ ้ามี – เอาไว ้หาfraud, non-compliance
● Discovery sampling is the easiest of all statistical sampling variations to understand.
● It deals with the probability of discovering at least one error in a given sample size if the
population error rate is a certain percentage.
2 ways [Table 3]
1. Not much time → เลือก sample มา สมมติวา่ 300
○ เจอ 1 fraud = 100% fraud exists
○ ไม่เจอ fraud ก็ดต
ู าราง ว่าเราอยากให ้ confident เท่าไหร่ในการเกิด fraud เท่าไหร่ base from 300
■ 95 % confident that the true population fraud rate did not exceed 1 percent.
■ 78 % confident that no more than 0.5 percent of the checks were fraudulent
2. Lots of time → ทำย ้อนกลับ
○ ถ ้าเราอยาก 95% confident that no more than 0.2% were fraud → ก็ต ้องcheck 1500 sample
○ For serious non-compliance
Nonstatistical Audit Sampling in Tests of Controls
**convenient + use judgement**
Selecting and evaluating a non-stat sample
● specific/ purpose sampling may include
○ Items with potential errors ex. High risk, past errors, or related party transactions
○ Items with high values or importance ex. Amount over threshold or special
procurement method
⇒ this method is highly effective, however, the results cannot be extrapolated to the whole
population. Therefore, internal auditors need to consider the need to obtain evidence for the
rest of the population. บอกไม่ได ้ว่า confidentกีเ่ ปอเซน
● Haphazard sampling ตามวิจารณญาณ
= is a nonrandom selection technique that is used by internal auditors to select a sample that
is expected to be representative of the population. **judmental**
○ The internal auditor’s conclusion about the population from which the sample is drawn
is strictly judgmental instead of being based on probability theory.
○ It is important for the internal auditors to determine whether they can reach valid
conclusions using nonstatistical sampling
● Stop-or-go sampling
An initial, relatively small, sample is drawn and analyzed. The internal auditor then decides,
based on the results of this initial sample, whether the sample size should be increased.
⇒ if find not much error: stop and conclude
But if find many error: extend test
Some firm may come up with sth like this. But if you want to use in practice → be careful
Documenting sample selection
จะเห็นว่ามี 4 items from 10000 and 8 items from 20000 ก็จะ proportionate กันกับ value
พอดี