Training
2nd & 3rd June
With You Today
Jonathan Ho, Director, Risk Consulting, KPMG Services Pte Ltd
Victor Chan, Assistant Manager, Risk Consulting, KPMG Services Pte Ltd
Training Objectives
By the end of this training, the Control and Compliance team will:
Training Agenda – Day 1
Training Agenda – Day 2
Internal Audit Charter and IA Manual
C&C’s Organisation Structure
Head of C&C (Arthur Felix Kalesaran)
Senior Manager (Deddy Taufik Hidayat)
Supervisor (Seprian Anggasari)
Supervisor (Greggy Alvin Leander)
IA Charter and IA Manual
Contents of IA Charter
1. Introduction
2. Mission
3. Scope of Internal Audit Work
4. Accountability
5. Independence and Reporting
6. Code of Ethics
7. Responsibility
8. Authority
9. Communication with the Auditees
10. Relationship with External Auditors
11. Operating Budget / Expenses
12. Quality Assurance
Knowing your IA Manual
2. Skill, Professional Development and Conduct
• Skill sets and professional development
• Professional conduct
What is Risk?
What is Internal Control?
What is a Process?
What is Risk?
COSO Cube
Types of Internal Controls
Types of Internal Controls (Cont’d)
• Automated Controls are generally more effective
• Preventive Controls are typically more efficient
[Figure: quadrant chart with Effectiveness (LOW to HIGH) on the vertical axis and Efficiency (LOW to HIGH) on the horizontal axis. Top row: Automated Detective, Automated Preventive. Bottom row: Manual Detective, Manual Preventive.]
Examples of Control Activities
Type: Authorization
Description: Approval of transactions executed and access to assets and records
Examples:
• Limits and delegation of financial authority for purchase orders, waiver of competitive quotes requirement, write-off of bad debts, fixed assets, cancellation/reversal of course fees collection.
• Bank signatories for payments.
Examples of Control Activities (Cont’d)
Type: IT Controls: Access Rights
Description: The permissions that are granted to a user to read, write and erase files in the system.
Examples:
• Access rights are assigned based on roles and responsibilities – only cashiers are granted access to cash receipts module.
Examples of Control Activities (Cont’d)
Type: Key Performance Indicators
Description: Financial and non-financial quantitative measurements that are collected by the entity and used to evaluate progress towards meeting objectives.
Examples:
• Accounts Receivables turnover ratio.
• Leasing rates above budget
• Vacant units
Examples of Control Activities (Cont’d)
Type: Document Control
Description: Pertinent documents are properly filed for easy reference and tracking, and safeguarded for retention.
Examples:
• Receipt vouchers are filed in sequential order.
• Billings are sequentially numbered
Type: Physical Security
Description: Pertinent assets such as cash are adequately safeguarded, where access is restricted.
Examples:
• Cash and blank cheque books are placed under lock and key with dual control.
• Physical access to offices is restricted to personnel of the department, especially Leasing, Finance, Payroll and IT department.
Type: Review and Monitoring
Description: A person different from the preparer analyzing and performing oversight of activities performed.
Examples:
• Manager’s review of reconciliations.
• Co-workers verifying each other’s work.
Difference between a Control Activity and Process Activity
Pointers to Document Controls: 5Ws + H and 12 Questions
5Ws + H
12 Questions
Quiz 1
Developing Risk Based Internal Audit Plan
Steps to develop an Internal Audit Plan (IA Manual Chapter 3)
• Internal Audit Plan
• Risk Assessment
• Business Understanding
Business Understanding (IA Manual Chapter 3.1)
• Review and Analyse Industry Information
• Identify Auditable Business Processes
Risk Assessment (IA Manual Chapter 3.2)
Risk Assessment - Concepts and Terminologies
Concepts and definitions:
• Likelihood: Probability that a particular risk will occur, evaluated against a set time period.
• Impact: In the event that a risk occurs, the potential impact to an organization.
[Figure: risk matrix with Likelihood of Occurrence (Unlikely, Possible/Moderate, Likely) on one axis and Magnitude of Impact on the other.]
Defining your thresholds of impact… (monetary loss)
Magnitude of Impact, potential monetary loss (Net Profit):
• Scale 1 (Low): < 5% of net cash flow
• Scale 2 (Moderate): 5% to 10% of net cash flow
• Scale 3 (Major): >10% of net cash flow
Defining your thresholds of impact… (non-monetary loss)
Magnitude of Impact, damage to reputation:
• Scale 1 (Low): Low (involving several small incidents in a single location) loss of confidence in service capabilities
• Scale 2 (Moderate): Moderate (involving major incident/s in a single location) loss of confidence in service capabilities
• Scale 3 (Major): Major (involving major incidents in several locations) loss of confidence in service capabilities
Magnitude of Impact, operational disruption:
• Scale 1 (Low): 3 days of total work days in a year unscheduled disruption to operations
• Scale 2 (Moderate): 3 to 5 days of total work days in a year unscheduled disruption to operations
• Scale 3 (Major): Greater than 5 days of total work days in a year unscheduled disruption to operations
…and likelihood
Likelihood of occurrence:
1. Probability
• Scale 1: < 25% chance of occurring.
• Scale 2: 25% - 50% chance of occurring.
• Scale 3: > 50% chance of occurring.
2. ‘Time-to-failure’
• Scale 1: Risk event will occur beyond the next 2 years.
• Scale 2: Risk event will occur between the next 12 – 24 months
• Scale 3: Risk event will occur within the next 12 months
Dashboard report on LMIRT’s Top 10 Risks Profile (2013)
[Figure: heat map plotting risks by Likelihood of Occurrence against Magnitude of Impact; the labels R1, R2, R5, R6, R8, R9 and R10 are legible.]
R8 Regulatory risk (changes in SGX Rules/MAS L&R)
R9 New acquisition risk
Mapping of Key Risks to Processes – Tier 1 Processes (2013)
Processes that were covered in FY2011/ 2012 IA Plan
Develop Internal Audit Plan (IA Manual Chapter 3.3)
• Determine Business Process to be included in the Plan
• Determine Timing and Resources
• Develop IA Plan
• Present to Board for approval
Internal Audit Plan – Sample for Illustration
Internal Audit Plan – Timing and Resources of Audit
Timing of audit
• Internal audit reviews of malls can be allocated over a number of years due to budgetary, resources or other restrictions, resulting in the need for a multi-year plan.
• Malls may be prioritised based on factors illustrated in the next slide
Prioritising Malls
• Sun – Fire incident in tenant’s premises due to mishandling of flammable substance
• Pluit – Travelator incident which resulted in negative publicity in social media
Sun Plaza X X* 2
Pluit Village X X X X* 4
Quiz 2
Audit Planning
Pre-Fieldwork Planning (IA Manual Chapter 4.1)
During Fieldwork (IA Manual Chapter 4.1)
Process Narratives - Sample for Illustration

• An appointment for the interview should be made at a mutually agreeable time.
• Prepare agenda and interview questions (ask 5W1H questions)

• Interviewer is to introduce himself / herself and give the objective of the audit and the purpose for the interview.
• Reserve judgement and keep an open mind during the interview. Leading questions should not be asked.
• Be punctual, polite and tactful.

• Matters discussed should be summarised with the interviewee to allow for affirmation of given input.
• The interviewer should provide orientation about the next step after the interview.
• The interviewee should then be thanked for his time and the information given.

• The results should be documented as soon as possible after the interview has ended.
• The interview records (i.e. walkthroughs) are to be used as supporting evidence in the working papers.
Audit Fieldwork and Working Papers
Purpose of Working Papers (IA Manual Chapter 4.5)
Audit evidence
Plan Review
Working Paper
Walkthrough Testing
Test of Design
Test of Operational Effectiveness
Test of Design - considerations (IA Manual Chapter 4.2)
Design effectiveness refers to whether a control is suitably designed to prevent or detect the mentioned risk. Consider the following:
Procedures:
• Trace a transaction from origination, through to the company’s accounting and information systems and financial report preparation.
• Use the following methods to verify the documentation: inquiry and observation of person performing the control, documentation review, and inspection by comparing the supporting documents to the accounting records (e.g. lease agreements, billings, etc.).
Test of Operational Effectiveness (IA Manual Chapter 4.2)
Test of Operational Effectiveness techniques (IA Manual Chapter 4.2)
Techniques of Testing and Examples:
• Inquiry: “Do you reconcile your activity or do you review a certain report each month?”
• Observation: Observing a reconciliation occur
• Inspection: Invoices are examined to assure that receiving documents and proof of delivery are attached when they are presented for payment
• Re-performance: Re-calculating the amortisation of lease revenue
• Knowledge Assessment: Interview the person performing the 3 way match, assess if the person has sufficient understanding to carry out the control activities.
• Corroborative Inquiry: Interview a second person to confirm the control activity.
Sample Criteria (IA Manual Chapter 4.2)
Sampling Focus
Higher risk situations
Key Part of Process
Sampling Size (IA Manual Chapter 4.2)
Quiz 3
Break Out 2
Internal Audit Report
Documenting Audit Findings (IA Manual Chapter 4.4.3)
• Deficiency from testing result
• Ascertain the Root Cause
• Validate Finding Accuracy
• Make a practical recommendation
Draft Report (IA Manual Chapter 4.7)
How to rate findings (IA Manual Chapter 4.4.3)
Medium
• Issue is either recurring in nature or could result in financial or operational losses within this area over the next 12 months if left unresolved.
Audit Report - Sample for Illustration
The Audit Report would clearly state the Finding (i.e. the Issue), the Possible Impact, as well as Recommendations to address the issue.
What is the nature of an effective Audit Report? (IA Manual Chapter 4.9.2)
Content of Audit Report (IA Manual Chapter 4.9.3)
Impact
Action Plan
Audit Conclusions (IA Manual Chapter 4.9.5)
Break Out 3
Follow Up
Response to audit reports (IA Manual Chapter 4.11)
Follow Up (IA Manual Chapter 4.12)
• Monitor Action Plan
• Report Progress
• Determine the Status of Corrective Action
• Escalate Unresolved Issues
• Clear Findings
Break Out 4
Questions?
Richard Tan
Contact Jonathan Ho