Professional Documents
Culture Documents
There are format templates for risk control, audit procedures, questionnaires and
checklists.
There is a blank workpaper and a report summary that can in used by audit
organizations.
AuditNet has prepared a monograph for guidance on preparing and developing audit
work programs, checklists, questionnaires and matrices.
2. You recognize that the product and its content are the sole property of AuditNet®
(the Publisher), and that we have copyrighted the product.
3. You agree that the Publisher is not responsible for any interruption of service or
malfunction that is a consequence of the Internet, a service provider, personal
computer, browser or other software or hardware components. You accept that there
is no guarantee that this product is totally error free. You further understand and
accept that the Publisher intends to provide reliable information but does not
guarantee the accuracy or completeness of any information, and is not responsible for
any results obtained from the use of such information.
4 This license is effective until terminated, when the license or subscription period
ends without renewal, or when you destroy this product and any related
documentation. The Publisher may terminate your license without notice if you fail to
comply with the conditions set forth in this agreement, and may pursue any other legal
recourse.
This document was created by AuditNet® using advanced Internet search
techniques.
The document is from a site which has not identified restrictions on permitted use
and are sharing this information for the benefit of the audit community.
In particular, you should be aware that the document may be incomplete, may
contain errors, or may have become out of date.
While every reasonable precaution has been taken in the preparation of this
document, neither the author nor AuditNet® assumes responsibility for errors or
omissions, or for damages resulting from the use of the information contained
herein. The information contained in this document is believed to be accurate.
2. You recognize that the product and its content are the sole property of
AuditNet® (the Publisher), and that we have copyrighted the product.
3. You agree that the Publisher is not responsible for any interruption of
service or malfunction that is a consequence of the Internet, a service
provider, personal computer, browser or other software or hardware
components. You accept that there is no guarantee that this product is
totally error free. You further understand and accept that the Publisher
intends to provide reliable information but does not guarantee the accuracy
or completeness of any information, and is not responsible for any results
obtained from the use of such information.
Audit Objectives
1. Follow-up on the recommendations made in the prior audit report
(XXX ).
5. Obtain copies of the confirmations of the wire transfer for the sampled
periods received by the Manager of Deferred Compensation from the
agencies, and agree the details of the confirmations to the amount shown
on the 401 (k) withholding file and the amount wired into Treasury.
6. Obtain copies of the Manager of Deferred Compensation’s
instructions to Treasury authorizing the funds to be wired to XXX. Agree
the amount to the amount received from the agency.
7. Ascertain whether monies received by XXX are credited to the
participants’ accounts as of the date the monies are received by XXX.
14. Consider using ACL to review the % and $ contributed to the 457 plan
in 1998 to ensure that the maximum % limit and $ limits were adhered to.
Significant control points identified during process mapping should be tested during an internal control review. Other, less
significant points should be included in the process flow narrative describing the Control cycle. An example narrative is
presented below, in the right-hand column. It is the management’s option to include the narrative below, or to present it as a
separate document (such as internal process overviews or agency-based procedures). For that reason, the example
narrative below is “grayed out.” If this template is utilized but alternative documentation describes the process in the internal
control program work papers, please feel free to remove the column.
The Control objectives below are broken down into the following sub-cycles: General/Control Environment, (list additional
cycles for the area under review).
For the purpose of this generic document, the following terms are used: Define terms for example in the area of fixed asset -
Assets that are capitalized and depreciated over a period longer than one year are referred to as “fixed assets,” or as “capital
assets”- the terms are used interchangeably; and the person responsible for managing fixed assets at the department level
is termed the “Property Control Coordinator,” with the understanding that at one branch, it may be Facilities Management,
while at another it may be an official from the Business Office. Management are encouraged to substitute below the terms
that are in widespread use among their staff.
Notes:
(1) Each broad area is divided into subcycles. A subcycle is a sequence of related processes for which one set of
objectives and risks can be determined. Audit Assertions are the implicit or explicit claims and representations made by the
management responsible for the preparation of financial statements regarding the appropriateness of the various elements
of financial statements and disclosures - See more at: http://accounting-simplified.com/audit/introduction/audit-assertions.
(2) Management must designate which of the control points that it deems to be significant or key, for testing as part of the
internal controls (IC) review. Only the significant control points are required to be tested.
(3) In addition to noting a weakness and means of remediation, the control in place and the test performed should also be
noted in this column. (This will help management enact and/or maintain the proper monitoring to identify control
weaknesses in the future.)
POTENTIAL CONTROL
PROCESS AREA OBJECTIVES/ASSERTIONS (1)
POINT(S)(2)
Cash Receipts
Cash Disbursements
Procurement
Human Resources
Payroll
Accounts Receivable
Investments
Grants
Inventory
Financial Reporting
Fixed Assets
IT
RISK SUGGESTED CONTROL TEST
IC REVIEW CONCLUSION (3)
/IDENTIFIED /WEAKNESSES/ACTION
TAKEN PROCESS NARRATIVE (SAMPLE WORDING)
Project Work Schedule
A. General Information
These are the key elements of your project that must be completed on-time and on-budget for your project to be successful and therefore require monitoring by the project manager and stakeholders. The status of these
items should be reported in your Project Status Report.
The element column below demonstrates the pattern to report milestones, tasks, and activities, i.e., a milestone is achieved by a series of tasks and each task is achieved by a series of activities. A deliverable, or group of
deliverables, should be given for each milestone. Overwrite the example given with the milestones, tasks, and activities for this project.
Enter the CAP ID #, Enter the Enter the year Enter the date Enter the target date Enter the target date Identify Identify the priority level Identify whether the Enter the name of Identify whether the deficiency Describe the issue(s) recognized Present a high-level summary of action Enter the name of Identify the Enter the date Describe the Describe the activities Enter the name of
as identified in the name of the when the (month/ for correcting the for correcting the whether for correcting the deficiency relates to the IT system(s) is a control deficiency ("CD"), in the design or operation of the procedures to resolve the reported the Reporting percentage of (month/year is activities taken to performed to the organization that
Reporting Entity's assessable deficiency was year is deficiency reported on deficiency reported on corrective deficiency. one of the FIAR impacted by the significant deficiency ("SD"), or control or control(s) that does not deficiency. For example: Entity's or Service corrective sufficient) when remediate the validate/verify that performed the
or Service unit affected first reported to sufficient) the prior year's ICOFR the current year's actions are "On Guidance deficiency, if material weakness ("MW"). allow management or Provider's actions corrective actions deficiency. the deficiency had verification activities.
Provider's CAP. by the the OUSD(C) FIAR when the Statement of ICOFR Statement of Track" or have Deficiencies that must dealbreakers. applicable. employees, in the normal course (1) New system implementation; management office completed. were implemented been remediated.
deficiency. Directorate. deficiency was Assurance. Assurance. "Slipped." be corrected to allow for of performing their assigned (2) Process or control changes that will be responsible for to remediate the
originally assertion are Priority 1. functions, to prevent or detect implemented; coordinating deficiency.
identified. Significant deficiencies misstatements related to (3) Testing existing compensating controls closure of the CAP.
are Priority 2. Control financial information on a timely and improving them, or identifying
deficiencies are Priority basis. compensating controls that need to be put
3. in place until new system is deployed; and
(4) Analyze test results to determine if the
weakness has been corrected.
Template Instructions – Documentation Demonstrating Remediation of Deficiencies – Activities 4.1 (Reporting Entity)/4.1 (Service Provider) 2
TEMPLATE INSTRUCTIONS
Template Instructions – Documentation Demonstrating Remediation of Deficiencies – Activities 4.1 (Reporting Entity)/4.1 (Service Provider) 2
T
C
Ç
F
TB
PBC
G/L
AFR
PBIA
^
Rx
<
T
V
A
check mark
X
Black
Red
Green
Blue
√
F
CF
R
N/A
S
W
GL
T
PBC
WI
Rx
E#
JE
O
Audit tick marks are abbreviated notations used on audit work papers to denote auditing actions taken. These tick marks are u
manager's perspective, to see which activities have been completed. They are also useful as evidence, to show which audit ste
to support the audit opinion given to the financial statements of a client. In addition, the use of tick marks compresses the spa
describe audit actions taken, which improves the usability of the audit documentation. Examples of auditing activities for whic
used include:
The numbers in the column were manually added and matched to the total shown (footed)
The totals in the report were manually added and matched to the grand total shown (cross footed)
The computation on the report was independently verified
The amount was traced to the ledger balance
Supporting documents were examined
A cancelled check was examined
An asset was physically confirmed
Audit tick marks are not standardized across the industry. Instead, a common set of tick marks is used within each audit firm, w
across the industry. Tick marks may just as easily be used within an internal audit department as by outside auditors, and may
department.
When used, a tick mark should be sufficiently distinct that it cannot be confused with another type of tick mark. Also, an audit
internally publish a listing of "official" tick marks used and what each one means, so that they are used by the staff in a consist
audits.
Customized tick marks were more heavily used when auditing was done primarily on paper documents. When used in that ma
more likely to be recorded with a colored pencil, such as in red. Since the advent of auditing software, tick marks can be desig
standardized within the software.
Traced face amount, interest rate, issue and maturity dates to note receivable documents
Agreed to confirmation
Calculation checked and agreed
Footed
Agreed to trial balance
Prepared/provided by client
Agreed to the general ledger
Agreed to the Annual Financial Report
Prepared by component internal audit
Footed,
Recalculated by System auditor
Crossfooted
traced to ___ (fill in the blank)
violation of law
agrees with ___ (fill in the blank - example: agrees with audit calculation)
in compliance OR no error
error (you should specify error type)
facts
violation
questions to ask
responses
attribute tested successfully
Foots
cross-foots
recalculated without exception
(attribute) not applicable
identified control strength
identified control weakness
agreed to general ledger
traced successfully to
Prepared by client
waived due to immateriality
reasonable explanation
Exception (with the sub-script“#” replaced with number 1, 2, 3, etc)
A fundamental element of internal control is the segregation of certain key duties. The basic idea
underlying segregation of duties is that no employee or group should be in a position both to
perpetrate and to conceal errors or fraud in the normal course of their duties. In general, the
principal incompatible duties to be segregated include:
- Custody of assets
- Authorization or approval of related transactions affecting those assets
- Recording or reporting of related transactions
- Execution of the transaction or transaction activity
Based on the above criteria, this worksheet has been designed to highlight conflicting duties
performed by one individual or group of individuals (potential lack of proper segregation of duties).
Audit teams are encouraged to use this form to help identify potentially commingled duties within
accounting processes that may constitute a control weakness.
Instructions
1) The Tester should inquire to determine which individuals are responsible for certain duties within
the company/location.
2) The matrix should be used to determine if there is potential for a segregation of duties conflict.
Use the following key to identify the potential financial risk and segregation of duties conflicts:
3) The potential issues should be investigated to ensure a mitigating control prevents the individuals
from performing both tasks.
Instructions
We should always strive for the optimum degree of segregation of duties.
However, due to limited staff sizes at some organizations, optimum
separation of duties cannot be achieved. In those circumstances you
should at least strive for an acceptable(minimal) level of segregation of
duties which when combined with compensating controls will minimize the
impact of control deficiencies and exposure to errors or irregularities. A
minimal level of segregation of duties could possibly be achieved by
verifying that no one employee performs more than two of the "incompatible
duties". For example, an employee might perform the authorization and
verification/reconciliation functions but they should not record the
transaction or maintain custody of assets. A compensating control would be
managerial review.
The risk assessment process identifies audit areas that present the highest risks to the achievement of the organization's strate
and objectives, and continues to be based on Internal Audit’s judgment and knowledge of the entity.
5 Significant alignment to strategies and objectives and/or material financial impact with identified moderate to high potential ris
4 Significant alignment to strategies and objectives and/or financial targets with low to moderate identified potential risk.
3 Average alignment to achieving strategies and objectives and/or financial targets with potential challenges.
2 Relatively minor strategic and/or financial impact.
1 No discernible strategic or financial impact.
Consideration should be given to audits that will be completed in the remainder of the current fiscal year in evaluating this facto
Global Audit Procedure Control Objective Risks Control Control KeyControl? Frequency
Ref No, Activity Description
Number
Owner Exceptions Type Document Mapping to
Reference Standards
Client Name
Internal Control Framework
Date Completed:
Completed By:
Reviewed By:
To the best of my knowledge, the answers and comments noted above are accu
internal controls within this department:
* For a “No” answer, cross-reference to either a compensating control or to audit work which has been performed
Control Questionnaire Template
or is to be performed.
Name and Title of Person Completing Form (please print) Name and Title of Department Dir
4/21/2024
Date Form Completed Date of Department Directo
* For a “No” answer, cross-reference to either a compensating control or to audit work which has been performed
Control Questionnaire Template
or is to be performed.
Employee Responsible for Task
* For a “No” answer, cross-reference to either a compensating control or to audit work which has been performed
Control Questionnaire Template
or is to be performed.
Name and Title of Department Director (please print)
* For a “No” answer, cross-reference to either a compensating control or to audit work which has been performed
Control Questionnaire Template
or is to be performed.
AREA:
Process Objective
Control Risk Control Considerations
Do controls meet
objective?
Assertion Documentation W/P Yes/No Test
E,A,C,V,P Description of control Ref. W/P Ref
Testing
exceptions
noted? Resolution / remediation/ comments
Yes/No W/P Ref
Description of Item Performed By (Initials) Date Completed
Reviewed by
(Initials) Budget Hours Actual Hours Document Reference
Source Reviewed By
Remarks/Comments
Finding Ref # Control Testing Finding
Management Response & Treatment