CHAPTER 7 Internal Auditing Process
INTERNAL AUDITING
PROCESS
Learning Objectives
After going through this chapter, you should be able
to:
Describe audit planning methodology
Explain risk-based auditing process
Related Standards
Standard Content
2010 Planning
2020 Communication and Approval
2030 Resource Management
2050 Coordination
2200 Engagement Planning
2210 – Engagement Objectives
2220 – Engagement Scope
2230 – Engagement Resource Allocation
2240 – Engagement Work Program
2300 Performing the Engagement
2310 – Identifying Information
2320 – Analysis and Evaluation
2330 – Documenting Information
2340 – Engagement Supervision
2400 Communicating Results
2410 – Criteria for Communication
2420 – Quality of Communication
2440 – Disseminating Results
2450 – Overall Opinions
2500 Monitoring Progress
Overall Framework of Audit Process
Strategic Audit Planning
Engagement Planning
Evaluation/Conclusion
Communication (reporting)
Follow Up
Importance of Strategic Planning
Incorporation of IA strategies
Steps in Developing Strategic Plan
1. Understand the relevant industry and the organisation’s objectives.
2. Consider the International Professional Practices Framework (IPPF).
3. Understand stakeholder expectations.
4. Update the internal audit vision and mission.
5. Define the critical success factors.
6. Perform a strengths, weaknesses, opportunities, and threats (SWOT) analysis.
7. Identify key initiatives.
Overall view on an Internal Audit
Strategic Plan
Audit Universe and Audit Area
List of auditable areas – list of all areas
in an organization that are possible to
be audited
Audit universe – population; audit area
– sample selected
Three methodologies in selecting audit
area from the audit universe:
Risk assessment
Audit cycle
Feedback from top management
Audit Plan Methodologies
Risk assessment
For a company that has a risk management process, it is practical for the internal audit team/department to use the risk assessment committee as a guide and compare it with the team's own assessment.
If the company has no risk management process, the internal auditor needs to prepare its own risk assessment in selecting the areas to be audited.
Audit cycle
The method of auditing each auditable area within a certain period.
A company that implements a risk-based audit process usually combines risk assessment with the audit cycle.
Feedback from top management
The internal auditor should get feedback from top management on areas of concern or on departments they deem to be crucial.
However, bear in mind that there is always a possibility that top management may not share their actual concerns and may choose to inform the audit team that everything is in order.
Risks and Control Assessment
1) Likelihood Assessment of Risk - Example
A Almost Certain
B Likely
C Probable
D Unlikely
E Rare
More specific guidance might be provided for this, for example:
E: Once in 10 years
D: Once a year
C: Several times a year
B: Every day
A: Several times a
Risks and Control Assessment
2) Consequence Assessment - Example
1 Negligible
2 Minor
3 Moderate
4 Major
5 Catastrophic
Often a table of threshold events is used.
5: The impact would stop the area from reaching its key objectives
4: The impact would threaten the area’s key objectives
3: The impact would not threaten the area’s key objectives, but subject it to significant review or change the area’s function
2: The impact would threaten a minor aspect of the area’s operations but it would not affect the overall performance of the area
1: The impact poses no threat and routine procedures deal with it
Risk Scoring - Example
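| Likelihood \ Consequence | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| A | Significant | Significant | High | High | High |
| B | Moderate | Significant | Significant | High | High |
| C | Moderate | Moderate | Significant | High | High |
| D | Low | Moderate | Moderate | Significant | High |
| E | Low | Low | Moderate | Significant | High |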
Risk-based Planning and Auditing
Form a risk assessment to determine the priorities for
assurance
What is Risk-Based Audit?
Selection of areas to be audited is based on the
risk assessment prepared by:
Those involved in risk management process (e.g.
Risk Management Department), or
Internal auditors (for companies without risk
management process)
Or, combination of both
Audit plan will be formulated based on the level
of risk in each of the auditable area
High risk areas may need to be audited more
frequently compared to low risk areas
Refer to Figures 6.2 & 6.3, pp. 80/81, for an illustration of risk assessment
Risk-based Auditing Process
Involves 4 main steps:
1. Engagement planning
Scope
Objectives
Timing
Resource allocation
Work program
2. Performing engagement
Identifying information
Analysis & evaluation
Recording information
Engagement supervision
3. Communication & results
Criteria
Quality
Disclosure
Disseminating
4. Monitoring
Differences between Traditional and
Risk-based Audit
Traditional approach
focuses on the internal auditor’s risk
is concerned with whether the internal controls are in place and functioning effectively
the audit is designed to detect shortcomings or pitfalls
Risk-based approach
focuses not only on the internal auditor’s risk but also the
auditee’s business risks
auditor has to really understand how the business is operated
and the challenges and exposure the company is facing
Advantages of Risk-based Audit
Risk Assessment
Risk – any event, incident or action which may materially impair a company’s success potential (e.g. reputation, assets, capital, profitability, performance or liquidity (cash)).
Enterprise Risk Management (ERM) – a structured and disciplined approach aligning strategy, processes, people, technology and knowledge with the purpose of evaluating and managing the risks a company faces as it creates value.
ERM should involve:
Identification of business risk (high risk/low risk)
Measurement of the risk (look at probability & impact)
The control, or the way the risk is managed in line with the needs of the company’s policies and procedures (make sure proper internal controls are in place to minimize risk)
Constant monitoring and communicating of risks associated with any activity (to avoid unknown risks of even greater consequence)
Preliminary Work During Engagement
Planning
Preliminary work is important for risk-based audit
IA must ensure that the company has embedded a
structured and systematic risk management
framework to handle risk effectively
All the information from the auditee’s ERM report will
eventually be translated into the auditor’s audit
programme and schedule
Preliminary survey
Entry meeting
Physical site-visit
Review of documents
Document all relevant information
Analytical procedures
Document the controls
Considerations when Preparing
the Engagement Plan
The objectives of the activity being reviewed
and the means by which the activity controls its
performance;
Information Gathering Process
| Activities | Detail examples |
|---|---|
| Interviewing or conducting inquiry | Discuss with payroll manager on payroll calculation. |
| Verifying or vouching | Review the payroll payment instruction letter sent to the bank. |
| Observation | Observe employee clock in attendance. |
| Re-performance/Recalculation | Recalculate amount of tax deduction. |
| Questionnaires | Issue survey on employee satisfaction. |
| Analytical procedures | Calculate ratio on total monthly tax deduction for 12 months. |
| Computer assisted audit tools and techniques (CAATTs) | Using audit software to reconcile payroll file and employee master file. |
| Physical inspection | Test drive the company car used by the chief executive officer to ensure that it is in good condition. |
| Review of published reports or minutes | Review minutes of meeting to identify decision on bonuses for the year. |
| Confirmation | Send letters to employees who took company car loan to confirm the loan balance due. |
Audit Sampling
The process of applying audit procedures to less than an entire population in order to draw conclusions about the total population
Manual or CAATs
Sampling Risk Vs. Non-sampling Risk
Statistical sampling Vs. Non-statistical sampling
Statistical Sampling
Types of statistical sampling techniques
Random sampling: The IA selects the sample without a formula, i.e. randomly from the population, such as from the total number of staff.
Systematic sampling: The IA chooses a few samples for certain periods. For example, if the total population (total number of staff) is 2000, he/she will select the sample based on level, which means that for each level, certain staff are selected.
Steps in sampling
Planning the sample
Selecting the sample
Testing the sample
Evaluating the sample results
Audit Evidence
Types of audit evidence
Observed processes e.g. observations of activities
Documentary evidence e.g. invoices, control logs,
transactions
Representations e.g. interviews, policies, procedures
Analysis e.g. data comparison
Benchmarking with other departments or organizations
Analysing audit evidence
Sufficiency
Reliability
Relevancy
Documentation - Working papers
Purpose
Evaluation and Conclusion Process
Formulating recommendations
Evaluation and Conclusion Process
PS2320 – Analysis and Evaluation – IA should base conclusions and engagement results on appropriate analyses and evaluations
Evaluate Evidence Gathered and Reach
Conclusion
Corroborating evidence
Process of Preparing an Audit
Communication
Preparation of the initial draft of the
report.
Review and edit by members
of the audit team.
Preparation of the revised audit
report.
Review and edit by the
manager of audit assignment
Preparation of the second revision
of the report.
Review and edit by the head of
internal audit department
Preparation of the third revision of
the report.
Combined review and edit by
the audit team leader,
manager, and director.
Preparation of the “discussion draft”
of the report for review by auditee
management.
Review by management and
response provided on audit
findings.
Preparation of the final draft of the
audit report for distribution.
Criteria of Quality Communication
Quality communication is:
Timely
Accurate
Complete
Objective
Constructive
Clear
Concise
Follow Up Activities
Factors to consider in determining the nature, timing and extent of the follow up procedures:
The significance of the reported observation or recommendation.
The degree of effort and cost needed to correct the reported condition.
The time period involved.