AUI 4863 Study Guide

Internal Audit Practice
AUI4863
Year Module
Department of Auditing
Open Rubric
© 2019 University of South Africa
All rights reserved
Printed and published by the
University of South Africa
Muckleneuk, Pretoria
AUI4863/1/2019
Shutterstock.com images used
CONTENTS
PREFACE............................................................................................................................ iv
PART 1:
AUDIT ENGAGEMENT CONSIDERATIONS .................................................... 1
TOPIC 1: Planning and conducting audit engagements ................................................ 2
Learning unit 1: Planning the audit engagements ................................................ 4
Learning unit 2: Conducting the audit engagements .......................................... 23
Learning unit 3: Reporting and monitoring progress ...........................................37
PART 2:
Integrated applications in the internal audit process ...................................49
TOPIC 2: Financial systems auditing ............................................................................ 50
Learning unit 4: Financial systems audit planning .............................................. 52
Learning unit 5: Conducting financial systems audits ......................................... 59
Learning unit 6: Reporting on financial systems audits ....................................... 66
TOPIC 3: Compliance auditing ..................................................................................... 68
Learning unit 7: Compliance audit planning .......................................................71
Learning unit 8: Conducting compliance audits ................................................. 82
Learning unit 9: Reporting on compliance audits ............................................... 86
TOPIC 4: Operational auditing ............................................................................. 95
Learning unit 10: Operational audit plan ............................................................ 90
Learning unit 11: Conducting operational audits ................................................108
Learning unit 12: Reporting and follow-up on operational audits ......................... 117
TOPIC 5: Fraud investigations..................................................................................... 124
Learning unit 13: Planning fraud investigations ................................................. 126
Learning unit 14: Performing fraud investigations .............................................. 136
Learning unit 15: Reporting and follow-up on fraud investigations .......................142
Learning unit 16: Case Study ........................................................................... 149
TOPIC 6: Auditing of advanced IT system ........................................................... 160
Learning unit 17: General and application controls ............................................ 162
Learning unit 18: Auditing advanced and newly developed IT systems ................. 174
TOPIC 7: Performing information technology-based audits .....................................198
Learning unit 19: Auditing in an IT environment ................................................ 200
Learning unit 20: Computer-assisted audit tools and techniques (CAATTs) ........... 211
Learning unit 21: Factors to be considered in the choice and use of audit software 220
Learning unit 22: Corporate IT governance ........................................................223
AUI4863/SG
PREFACE
STUDY OVERVIEW
Every human being has certain objectives in life. Being the manager of your life, you would have
set certain objectives for yourself. Being registered for this module indicates that one of your
objectives is to obtain a degree from Unisa. Since this is a third-level module, you should be
aware of the following risks that may keep you from reaching this objective:
● not having adequate time to study
● not being able to pay for your studies
● falling ill and not being able to study for and/or write the examination
Having reached this level of study also indicates that you have implemented adequate controls
to keep these risks from manifesting.
Let’s think of possible controls you may have implemented:
Risk: Not having adequate time to study
Controls:
● Diarise deadlines of assignments and plan your time to complete them.
● Arrange adequate study leave in advance to prepare for examinations.
● Limit social activities to weekends only.
Risk: Not being able to pay for your studies
Controls:
● Make sure you pass, so that your sponsors will be willing to continue paying for your studies.
● Be a diligent and reliable worker so that you will continue to earn money to pay for your own studies.
● Restrict yourself to a budget so that you will have money to pay for your studies.
Risk: Falling ill and not being able to study for and/or write examinations
Controls:
● Eat healthy food.
● Get enough sleep.
● Exercise frequently.
The ultimate proof to yourself that you have implemented adequate controls will be receiving
positive results at the end of the semester. However, if you are wise enough, you will perform
interim engagement procedures on the controls you have implemented to assure yourself that
the controls are working. By testing the controls, you will be able to assess whether the controls
you have implemented are working as intended or not, and whether additional controls or
adjustments to the existing controls may be necessary. How would you test the adequacy of these
controls?
This module is all about applying the fundamental internal auditing principles and techniques
which are normally considered and applied when establishing, managing and administrating the
internal audit activity.
To be able to understand this module better, you need to have passed the third-level module
AUI4863: Advanced Internal Audit Applications.
The module starts with a discussion of internal auditing and other guidance, as well as best
practices regarding establishing, managing and administering the internal audit activity. It then
goes on to discuss how these specific functions and quality assurance reviews of the internal
audit activity should be conducted.
Risks, controls and tests of controls:
Risk: Not having adequate time to study
Controls:
● Diarise deadlines of assignments and plan your time to complete them.
● Arrange adequate study leave in advance to prepare for examinations.
● Limit social activities to weekends only.
Tests of controls:
● Confirm with your employer and friends that you have diarised all commitments and that you still have time to complete the assignments as planned.
● Obtain written approval of your leave arrangements from management.
● Page through your diary and reflect on your time management for the past two weeks and the two coming weeks to ensure that you are not engaging in social activities during the week.
Risk: Not being able to pay for your studies
Controls:
● Make sure you pass, so that your sponsors will be willing to continue paying for your studies.
● Be a diligent and reliable worker so that you will continue to earn money to pay for your own studies.
● Restrict yourself to a budget so that you will have money to pay for your studies.
Tests of controls:
● Check on myUnisa that the university has received your assignments before the cut-off date and that you have admission to the examinations.
● Discuss your performance with your supervisor/manager to find out if he or she is satisfied or whether you should improve and how.
● Check your expenses against your budget and make sure you keep within the limits set for yourself.
Risk: Falling ill and not being able to study for and/or write examinations
Controls:
● Eat healthy food.
● Get enough sleep.
● Exercise frequently.
Tests of controls: From time to time, reflect on the following:
● when last you had a decent meal
● what time you have been going to bed
● when last you exercised
THE ICONS FOR ACTIVITIES USED IN YOUR STUDY MATERIAL
Each learning unit contains various activities that you should perform. The study activities, for
example, refer you to the study material in the study guide and tutorial letters that you are
required to study; the doing and thinking activities require you to perform certain actions and to
answer certain questions.
The icons that will be used in this study guide and tutorial letters are listed below, together with a
description of what each of them means.
Icon
Description
Key concepts. The key concepts icon draws your attention to certain keywords or
concepts that you will come across in the topic or learning unit.
Learning outcomes. The learning outcomes indicate what parts of the topic or
learning units you must master and demonstrate that you have mastered.
Mind map. Mind maps are provided to help you see the relationship between various
parts of the learning material.
Study. The study icon indicates which sections of the prescribed book or the study
guide you need to study and internalise.
Read. The read icon will direct you to read certain sections of the prescribed book
for background information.
Activity. The activity icon refers to activities that you must do to develop a deeper
understanding of the study material.
Reflection. The reflection icon requires you to reflect on the important issues or
problems dealt with in the learning unit.
Online assessment. When you see the online assessment icon, you will be required to
test your knowledge, understanding and application of the material you have just
studied.
Feedback. The feedback icon indicates that you will receive feedback on your
answers to the self-assessment activities.
Multimedia. The multimedia icon indicates that you must refer to any audio
material, screencasts, podcasts, videos or DVD material that may be included in your
study material as additional resources.
Time-out. The time-out icon indicates that you should take a rest because you have
reached the end of a learning unit or topic.
Discussion. Use the Discussion tool for this module on myUnisa to share valuable
information about assignments, topics that are related to this module, etc. Make sure
that you are using the correct Discussion tool.
Additional resources. Here you will find your assignments, additional documents,
resources, PowerPoint presentations and links to articles related to this module.
Internet source. You will receive a link to access web content from an external
website.
Frequently asked questions. Frequently asked questions on the topic will be posted
on myUnisa.
Blog. Join the discussion on the Blog provided on myUnisa.
ABBREVIATIONS USED IN THIS STUDY GUIDE
CAATTS: Computer Assisted Audit Tools and Techniques
CAE: Chief audit executive
CEO: Chief executive officer
CFO: Chief financial officer
CIS: Computerised Information System
CPA: Certified Public Accountant
COBIT: Control Objectives for Information and Related Technology
CoCo: Criteria of Control
COSO: Committee of Sponsoring Organisations
CRSA: Control/Risk Self-Assessment
CSR: Corporate Social Responsibility
CSA: Control Self-Assessment
ERM: Enterprise risk management
GTAG: Global Technology Audit Guide
IAA: Internal audit activity
IASB: Internal Auditing Standards Board
IFRS: International financial reporting standards
IIA: Institute of Internal Auditors
IG: Implementation guides
IOD: Institute of Directors
IPPF: International Professional Practices Framework
ISO: International Organisation for Standardisation
IT: Information technology
JSE: Johannesburg Stock Exchange
King IV: King IV Report on Corporate Governance in South Africa
KPI: Key Performance Indicator
MFMA: Municipal Finance Management Act
PFMA: Public Finance Management Act
PCAOB: Public Company Accounting Oversight Board
PWC: PricewaterhouseCoopers
QAR: Quality assurance reviews
RBIA: Risk-based internal audit
SA: South Africa
SOX: Sarbanes Oxley Act
UNISA: University of South Africa
USA: United States of America
Level 1: Knowledge and comprehension
This calls for a knowledge and understanding of facts, methods, processes, patterns and structures
and an ability to list and explain them. It involves memorising as well as an awareness, immediate
discovery, recall or recognition of relevant information in various forms. A limited degree of
interpretation is required.
You are required to understand the meaning of certain words to enable you to interpret assessment
criteria, to understand what completing the various activities in the study guide require from you,
and to correctly interpret assignments and examination questions.
To indicate the length, scope and format of answers to study activities and questions, limits or
restrictions have been included in the questions through the use of specific action verbs. These
action verbs give you an indication of how to approach the problem and style of writing called for.
An analysis of the action verbs contained in a question will enable you to:
• plan the answer and organise your thoughts systematically
• ensure that you comply with the lecturer's requirements
You will also save yourself time and trouble by eliminating irrelevant material in your answer that is
beyond the scope of the question.
For the purposes of internal auditing the following meanings will be attached to the most
commonly used action verbs:
Action verb: Meaning
Complete: to finish something
Explain: make clear and intelligible, or account for
Interpret: explain the meaning of
Name: the word by which something is known
Underline: emphasise
Define: state the exact meaning of
Extrapolate: infer something from known facts
Present: introduce and compare
Write: set down in words
Describe: give an account of something
Illustrate: explain by the use of examples
List: item-by-item record, written one below another
State: express in words
Draw: sketch with a pen or pencil
Interpolate: insert into a whole
Measure: determine the size, extent
Level 2: Application
This calls for a knowledge and understanding of the background and of the facts, and the ability to
apply rules, principles, techniques and methods to a problem in order to find a solution based on the
information provided. There is normally only one ideal solution to the problem and the solution is
therefore logically determined by the information provided. This process is also sometimes called
the convergent application of knowledge.
For the purposes of internal auditing the following meanings will be attached to the most
commonly used action verbs:
Action verb: Meaning
Allocate: assign to someone or for a specific purpose
Apply: to use theoretical knowledge in a practical situation
Calculate: solve by mathematical procedure or reasoning
Compile: collect and arrange
Construct: build or put together complex ideas or interpretations
Convert: change in form
Demonstrate: show or prove by reasoning or evidence
Determine: find out the facts, settle conclusively
Draw up: prepare and write out
Infer: work out from evidence
Manipulate: control cleverly or deviously
Organise: make arrangements; arrange systematically
Prepare: make or get ready
Qualify: provide or be provided with the abilities necessary for a task; restrict
Record: document/information
Transfer: move or send from one place to another
Use: put into service or action; take advantage of
MULTIMEDIA
Click on the hyperlink below to view the following YouTube videos on “Study tips for
auditing” and “Concept mapping – linking the audit topics together”:
https://youtu.be/YPilGQIQkOw
NOTE: Apply these guidelines to your internal auditing studies.
STUDY SOURCES
The study material for this module comprises the discussions and explanations contained in this
study guide and tutorial letters, as well as those contained in the following prescribed books:
● Coetzee, GP, Du Bruyn, R, Fourie, H & Plant, K. 2017. 6th edition. Internal Auditing: An Introduction. LexisNexis, Johannesburg, South Africa.
● Coetzee, GP, Du Bruyn, R, Fourie, H & Plant, K. 2017. 6th edition. Performing Internal Audit Engagements. LexisNexis, Johannesburg, South Africa.
● Coetzee, GP, Du Bruyn, R, Fourie, H & Plant, K. 2018. 1st edition. Assurance: An Audit Perspective. LexisNexis.
● Legislation, Standards and Guidance – available for download at:
King IV Report, 2016:
http://www.iodsa.co.za/page/DownloadKingIVapp
Companies Act, 2008:
https://www.saica.co.za/Portals/0/Technical/LegalAndGovernance/Companies%20Act%20consolidated.pdf
PFMA:
http://www.treasury.gov.za/legislation/PFMA/act.pdf
MFMA:
http://dkm.gov.za/wp-content/uploads/2015/03/Municipal-FinanceManagement-Act.pdf
IPPF:
https://na.theiia.org/standards-guidance/mandatoryguidance/Pages/Standards.aspx
Other source references:
• Cascarino, R.E. 2012. Auditor’s Guide to IT Auditing. Wiley.
• Puttick, G. & van Esch, S. 2003. The Principles and Practice of Auditing. Juta.
• Reding, K.F. 2007. Internal Auditing: Assurance & Consulting Services. Institute of Internal Auditors Research Foundation.
• Sawyer et al. 2003. Sawyer’s Internal Auditing: The Practice of Modern Internal Auditing.
• Pickett, K.H. Spencer. 2010. The Internal Audit Handbook. Wiley.
• Watne, D.A. & Turney, P.B.B. 1984. Auditing EDP Systems. Prentice-Hall.
PART 1
AUDIT ENGAGEMENT CONSIDERATIONS
Contents
TOPIC 1: Planning and conducting audit engagements 1
TOPIC 1
Planning and conducting audit engagements
Contents
LEARNING UNIT 1: Planning the audit engagement 4
LEARNING UNIT 2: Conducting the audit engagement 23
LEARNING UNIT 3: Reporting and monitoring progress 37
INTRODUCTION TO AND PURPOSE OF THE TOPIC
The aim of this topic is to guide you as a postgraduate student in internal auditing to become
proficient in planning and conducting an audit engagement according to the internal auditing
standards and other applicable guidelines, and to communicate the results effectively to the
relevant parties. Through practical examples and activities, we aim to help you integrate and extend
your knowledge to a professional level of skill in this area.
This topic also aims to provide guidance to you as a postgraduate student in internal auditing on how to
communicate the results of an audit to the relevant parties. The audit report is the only way in
which the engagement client can evaluate the work that the auditors have performed. The
definition of internal auditing states that the aim of internal auditors is to add value to their
engagement clients. The output of all the work done by the auditors is a report. Therefore, the
quality and accuracy of this report is an important means of convincing management that internal
auditing does indeed add value. The way in which the results are communicated will greatly
influence the weight that management attaches to the recommendations made in the report.
In this topic the results of the engagement, and the best way to communicate these results, will be
applied to practical examples. This will include writing audit reports and communicating the results
to the engagement clients.
REFLECTION
As a postgraduate student you will also have to undertake an independent and in-depth
study of the topics covered in the sections that follow. You should, therefore, refer to a
variety of publications, books, and journal and magazine articles that deal with the topics
discussed.
In your undergraduate studies you have studied the concepts of the internal audit
process and you should already be able to plan and conduct an audit engagement. It is
important that you revise the underlying technical knowledge and expertise you
obtained at undergraduate level before you continue with the rest of this learning unit.
You may also want to review your undergraduate study material on “conducting an
internal audit engagement”.
While revising your undergraduate study material, take note of the following steps in the
internal audit process and make sure that you will be able to answer integrated and
practical questions pertaining to these steps:
• Planning: In this step the internal auditor decides what will be covered (scope), how
the engagement should be approached, when the audit engagement should be
executed and who will perform the audit. This stage includes the setting of the
engagement objectives that are to be met.
• Execution: The applicable audit procedures are applied to achieve the engagement
objectives.
• Reporting: A draft audit report is discussed with management to obtain
management comments and to determine an action plan. The final report (also
referred to as the final engagement communication in the standards), which
contains all the findings, comments and the action plan, is then issued.
• Follow-up: After the agreed implementation date, an audit engagement is
scheduled to verify that the action plan has successfully been implemented.
REFLECTION
Refer to Internal Auditing: An Introduction, Chapter 6
In this topic we revisit the first two of the abovementioned steps and discuss the
implementation thereof in more detail. You should be able to apply the relevant audit
steps to each type of audit that will be covered in the postgraduate modules. The steps
will, however, not be discussed in detail again.
The successful planning and conducting of an audit engagement is essential to report
the correct and necessary information to management. Planning and conducting the
audit engagement is discussed in two learning units.
LEARNING OUTCOMES
After you have studied this topic, you should be able to
● plan the audit engagement
● determine applicable audit objectives
● formulate audit procedures to be executed
● compile an internal audit report
● communicate audit engagement results
Learning unit 1
Planning the audit engagements
Contents
1.1 INTRODUCTION 4
1.2 ANNUAL AUDIT PLAN 5
1.3 THE PRELIMINARY SURVEY 10
1.4 ESTABLISHING THE OBJECTIVES, CRITERIA AND SCOPE OF AN AUDIT ENGAGEMENT 13
1.5 EVALUATION OF THE SYSTEM 16
1.6 RESOURCE ALLOCATION AND TIMING 21
1.1 INTRODUCTION
The purpose of an IAA is to add value to the organisation’s operations. This implies that the areas
that have been identified by management as being important must be taken into consideration
when planning the audit engagement.
The mission statement describes the core purpose and focus of internal audit.
To enhance and protect organisational value by
providing risk-based and objective assurance, advice
and insight.
Source: https://global.theiia.org
The mission statement consists of the following key components:
• To enhance and protect organisational value.
• To be objective in the performance of duties.
• Follow a risk-based approach.
• Provide assurance.
• Provide advice and insight (consulting).
It is quite clear from the IA mission that the mandate of the internal audit function is no longer
limited to the traditional assurance function of predominantly performing internal audits in the
financial area of the organisation.
First and foremost, internal auditors need to have expert knowledge of internal controls, risk
management, and corporate governance (especially business ethics).
It is also expected of the internal auditor, especially the CAE, to have a good working knowledge in
areas such as business strategy and effective business operations.
The expanded role of the internal audit function may be illustrated as follows:
The Standards prescribe that a risk-based audit plan should be followed. Risk-based auditing is
driven by the way an organisation identifies and manages its risks. The internal audit plan should
use the strategic risks and plans of the organisation to inform the annual audit plan. As the well-known adage states: "If you fail to plan, you plan to fail”. Therefore, the time spent on planning
and preparing for an audit is never wasted. The IIA’s International Standards for the Professional
Practice of Internal Auditing (Standards) provide comprehensive mandatory guidance on how an
audit engagement should be planned and list the relevant documentation that should be saved
for future reference.
In the sections that follow, the following topics will be discussed:
• The annual audit plan
• Planning the audit engagement – the preliminary survey
• Establishing the engagement objectives and scope of an audit engagement
• Evaluation of the system
• Resource allocation and timing
REFLECTION
Review your third-year studies and make sure you recall and understand the
importance of engagement planning as part of the internal audit process.
1.2 ANNUAL AUDIT PLAN
STUDY
Study the following:
• International Professional Practices Framework (IPPF), Standards 2010, 2050 and
2120 as well as Implementation Guides 2010, 2050 and 2120
• IIA Practice Guide: Engagement Planning – Establishing Objectives and Scope
• Internal Auditing: An Introduction (2017: Chapter 6)
• All the sections in your undergraduate study material that relate to engagement
planning, risks and risk management concepts.
According to Implementation Guide 2050, the board of directors of an organisation is responsible
for gaining assurance that risks are mitigated to an acceptable level. The chief audit executive
(CAE) of the IAA can assist by taking the risk assessment of the organisation into consideration
when drafting the annual audit plan.
Risk is defined by the IIA as the possibility of an event occurring that will have an impact on the
achievement of objectives. In the context of an organisation this can be the strategic objectives of
the organisation or the operational objectives of one of its departments. The risk
management process is the way in which an organisation identifies, assesses, manages and controls
potential events or situations to provide reasonable assurance regarding the achievement of the
organisation’s objectives (strategic and operational). The theory of risk management is covered in
detail in AUI4862.
Various guidelines, including Standard 2010 and King IV (2016:70), require that the annual audit
plan and the audit engagement plan (engagement work plan) be risk-based and consistent with
the organisation’s goals.
King IV (paragraph 58) requires that the governing body, usually the board of directors, ensure
that
• the internal audit function follows an approved risk-based internal audit plan; and
• the internal audit function reviews the organisational risk profile regularly
It is essential that the complete environment of the organisation is evaluated before the annual
audit plan is approved. This evaluation should consider the organisation’s risk management
framework and risk appetite levels.
Risk is becoming more complex, requiring risk oversight to be strengthened. King IV recommends
that the risk committee comprises a majority of non-executive members. This recommendation
goes beyond what was required in King III. King IV introduces the term “risk and opportunity
governance” and provides a different perspective on risk. Risk governance should aim for what is
stated as follows in Principle 11, “The governing body should govern risk in a way that supports the
organisation in setting and achieving its strategic objectives”.
The implementation and ongoing operation of RBIA has three stages:
• Stage 1: Assessing and reporting to the audit committee and board on the adequacy
and effectiveness of risk management within the organisation
• Stage 2: Preparing the risk-based annual internal audit plan
• Stage 3: Performing risk-based internal audit engagements
The following flowchart (as per the IIA) gives an overview of the three stages involved:
Source: Risk based internal auditing - Chartered Institute of Internal Auditors
STUDY
Study “How to identify a risk” under Additional Guidance on myUnisa.
The risk-based internal audit (RBIA) approach provides assurance that the risk management processes to
identify, evaluate, monitor and report on risk are in place and are operating effectively.
Source: Risk based internal auditing - Chartered Institute of Internal Auditors
Figure: The risk management process and the role of internal audit
If the organisation does not have a risk assessment process in place, the CAE should consider
various factors as discussed in Standard 2120 and Implementation Guides 2120. These factors
include:
• achievement of the organisation’s strategic objectives
• reliability and integrity of financial and operational information
• effectiveness and efficiency of operations and programs
• safeguarding of assets
• compliance with laws, regulations, policies, procedures, and contracts
The King Report on Governance for South Africa 2016 (King IV) applies to all
organisations/entities in South Africa and its recommendations are compulsory for organisations
listed on the Johannesburg Stock Exchange (JSE). King IV includes supplements to assist various
types of organisations to implement King IV. These organisations are municipalities, SMEs, SOEs,
NPOs and retirement funds.
One of the most important recommendations in King IV that is applicable to this section is that the
organisation is required to do a risk assessment at least annually (King IV 2016:70). This
assessment should include input from the board of directors and senior management (Standard
2010.A1). The CAE is responsible for using this risk assessment to identify the most important
activities that must be included in the annual audit plan. The final annual audit plan must be
approved by the organisation’s risk governance committee as required in King IV (2016:70). “The
CAE must review and adjust the plan, as necessary, in response to changes in the organization’s
business, risks, operations, programs, systems, and controls.” (Standard 2010)
Best practices, according to Standard 2010, are as follows:
• Identify and consider stakeholder input into the internal audit risk assessment process.
• Don’t let major risks go uncovered; find a way to address them before they get too big.
• Educate key stakeholders on important areas of risk and on actions needed to address issues.
• Develop an ongoing communications process with management to keep current on changing
business and risk issues.
The figure below shows where the internal audit activity should focus its internal audit
resources.
Source: www.theiia.org
Once the annual audit plan has been completed and approved by the audit committee, the
individual audit engagements can be planned. The figure below is an example of an annual audit
schedule.
Figure: Internal audit annual schedule
Individual plans are referred to as the “assignment plan”. As part of the planning process, an
evaluation of the applicable activity must be done. This is known as a preliminary survey. In the
next section the preliminary survey and its contribution to the planning process will be discussed.
1.3 THE PRELIMINARY SURVEY
REFLECTION
Think of some other reasons for performing a preliminary survey and make a note
thereof. Also search for articles or information on the internet that give you more
insight into why a preliminary survey should be conducted.
INTERNET SOURCE
Go to myUnisa, under Additional Resources to download relevant articles or guidance
on this topic.
View the PowerPoint presentation on “Effective Preliminary Surveys” at:
https://www.resourcenter.net/images/AHIA/Files/2012/AnnMtg/Handouts/F8.pdf
or go to myUnisa, under Additional Resources to download it.
READ
Read at least one article from the internet that gives you more insight into why a
preliminary survey should be conducted.
STUDY
Study the following:
• Standards 2200, 2201 and 2210 as well as Implementation Guides 2200, 2201 and
2210
• Internal Auditing: An Introduction (2017: Chapter 6, par 6.6.3)
• Revise all the sections in your undergraduate study material that relate to
preliminary surveys.
The preliminary survey will be used to identify the audit objectives that must be
aligned with the strategic objectives of the organisation. The preliminary survey
provides a basis for the preparation of a risk-based audit programme. The survey will
also assist the CAE to determine how much work must be done (i.e. the scope of the
audit). Based on this assessment, the resources and timing for the audit engagement
can be identified.
REFLECTION
Refer to the Additional Resources on myUnisa on the topic of “How to formulate an
audit objective”.
The main reasons for performing a preliminary survey of an activity to be audited are:
• to collect information on the activity that will serve as a basis to determine the
scope for the audit engagement and identify the audit objectives that must be
aligned with the strategic objectives of the organisation
• to identify the specific risks that are related to this activity, since the activity has
probably already been highlighted as an area that concerns management in the
annual risk assessment
• to get an overview of processes and resources that are in place and to evaluate
which processes and resources might be lacking or which of these processes do
not work effectively
• to identify adequate criteria that will be used when evaluating the activity; if the
criteria are not adequate, management of the activity must be consulted to
determine adequate criteria
• to determine the extent of audit work required and to identify the timing and
resources required for the audit
Standard 2220 stipulates that all relevant systems, records, personnel and physical
property must be taken into consideration during the preliminary survey to establish the
scope of the audit engagement. This will be covered in the next section.
The manner in which a preliminary survey is undertaken depends on how much is already
known about the activity that will be reviewed. In some instances, it will be sufficient to
review previous audit files, while in other instances a number of interviews may be
conducted to get an understanding of the activity that will be reviewed. Do your own
research to make sure that you have a thorough knowledge of the different ways in
which a preliminary survey could be performed.
Good interviewing skills are also essential during this phase, especially when a system
description must be prepared. A system description is a flowchart or narrative of the flow
of activities and documents within a business cycle such as sales. It is done to understand
all the main activities and key controls within the system. By conducting a preliminary
survey, the internal auditor will be able to understand the impact of the risks on the
organisational objectives, the risk assessment and the risk management processes as
well as the control system that facilitates a successful risk management process.
The results of this review may be summarised to reflect the risk assessment, significant
engagement issues, engagement objectives and procedures, methodologies to be used,
sampling techniques and a brief evaluation of controls. It might also, amongst others
(Implementation Guide 2200), include whether third parties will rely on the results of the
engagement, whether the work that will be done will be used in potential or current
litigation, the experience needed of internal auditors to perform the engagement and
level of supervision required. This report will rarely exceed two pages.
Standard 2200 requires the internal auditor to compile a plan, referred to as the
“assignment plan” in Spencer Pickett (2010:789). This plan should include engagement
objectives, scope, timing and resource allocation. Once you know what the engagement
client’s main functions, risks and controls are (in the activities that follow, a
municipality), you can establish the engagement objectives and scope of the audit engagement.
ACTIVITY 1
You are conducting an audit of the accuracy and completeness of property values and
property rates for a municipality. Make a list of the aspects you will consider during your
preliminary survey.
FEEDBACK
The following information could be included in the preliminary survey of the audit of the
accuracy and completeness of property values and property rates at the municipality:
• Identify the mission and strategic objectives of the municipality.
• Identify the person with whom the initial meeting should be held and schedule such a
meeting.
• Obtain relevant reports and newspaper articles regarding the performance of the
municipality in this area of audit.
• Obtain policies and procedures and other relevant legislation that are applicable to the
municipality and identify a specific section that governs the activity under review.
• Obtain an organisational chart for the activity under review.
• Determine the major expenditure and revenues for the activity under review.
• Determine the nature of information systems relating to the activity under review.
• Determine the basis on which property values and property rates are calculated.
• Interview key personnel in the activity and document the processes followed in the
activity under review.
Note that you should be able to apply your knowledge to any given scenario or question
for examination purposes.
1.4 ESTABLISHING THE OBJECTIVES, CRITERIA AND SCOPE OF AN
AUDIT ENGAGEMENT
STUDY
• IPPF, Standards 2210 and 2220 as well as Implementation Guides 2210 and 2220
• Internal Auditing: An Introduction (2017: Chapter 6 – 6.6.5)
• Revise all the sections in your undergraduate study material that relate to
establishing the engagement objectives and scope of an audit engagement.
Should you find it necessary to refresh your theoretical knowledge of this study, you
should refer to your undergraduate study material.
According to the internal auditing standards, engagement objectives are broad
statements developed by the internal auditor that define the intended engagement
accomplishments. These statements will not limit the scope of the investigation and
will ensure that the purpose of the engagement is still accomplished. Based on the
information and evidence obtained during the preliminary survey, the auditors will
determine the objectives of the audit engagement. The objectives must enable the
internal auditors to add value to and improve the operations of the engagement
activity, as well as those of the organisation as a whole.
Audit engagements that have clear, specific objectives require less audit resources and
are completed in less time because work does not need to be repeated or wasted on
activities that do not form part of the scope. Establishing clear objectives provides a
structure and discipline that helps the audit team to focus on the expected results and
avoid confusion. When developing the engagement objectives, internal auditors must
consider the possibility of significant errors, fraud, noncompliance and other exposures
of the activity under review.
The next step is to identify the criteria to determine what should be in place, i.e. a list
of what you see as acceptable.
STUDY
Study Internal Auditing: An Introduction (2017: par - 6.6.5.2)
Before the engagement procedures can be conducted, it must be clear what the audit
must achieve and what must be verified or investigated.
This is referred to as the "scope of the audit". Implementation Guide 2220 states that
scope statements identify the audited activities; they may include supportive
information such as the time period reviewed, and related activities not reviewed to
delineate the boundaries of the engagement. The scope should include considerations
of the relevant systems, records, personnel and physical property according to
Standard 2220. Achieving the engagement objectives is greatly influenced by what is
included and excluded from the scope for the engagement.
The scope will include the nature, timing and extent of the testing that will be
performed.
STUDY
Internal Auditing: An Introduction (2017: par - 6.6.5.3)
ACTIVITY 2
The preliminary survey of a municipality indicated the following:
• The mission of the municipality is to provide efficient, effective and affordable
services.
• The municipality is subjected to the Municipal Finance Management Act.
• A new mayor has been appointed in the past financial year after the previous mayor
was dismissed due to his involvement in illegal activities. It is general knowledge that
the municipality does not always make reputable decisions.
• It was reported by a local newspaper recently that some areas’ taxes are higher than
those for other parts of the city. It is suggested that the calculation of taxes is not
done according to policy.
• In the period under review the system for the collection of property rates for
sectional title properties has changed. The individual owners of units in a complex
are now liable for the payment of their own property rates, and not the sectional title
properties as before.
• Due to major corruption and errors in the evaluation of the property values, an
external contractor has been appointed. However, he has only revalued 40% of the
properties to date. The contractor is not required to give regular feedback on the
progress of the project. Due to the uncertainty of the accuracy of the property rates,
many residents refused to pay their accounts. Writing-off of bad debt is approved by
the municipal manager without supporting documentation.
• For four months during the previous financial period the Finance Manager has not
been available to review financial decisions. No one has been appointed to act on his
behalf.
• The section of the municipality that reviews property values is staffed by one newly
appointed manager who is responsible for communication with the Council and the
supervision of the section. Two supervisors were also appointed. The one is
responsible for the valuation of the properties and the other for calculating property
rates and forwarding these calculations to the finance department. Each supervisor
has two clerks to assist them. Supervisors may stand in for each other when one of
them wants to go on leave.
• The value of properties is entered into a computer programme which was written
especially for use by the municipality. The property rate calculations are based on a
master file that contains the rates based on the classification of the property. The
calculations are verified and submitted electronically to the finance department.
• Submission of calculations to the finance department is usually late.
• Property rates are calculated on the applicable council report in which the bases for
classification and rate per classification are announced.
Based on the preliminary survey performed, determine the scope and engagement
objectives for the audit of the accuracy and completeness of property values and
property rates for a municipality.
FEEDBACK
The scope of the audit might include
• the basis for determining property values
• property values used in calculation of property rates
• submission of calculations to the finance department
• timely collection of debt
Engagement objectives might include the following actions:
• Determine how management is going to ensure that all properties are
independently valued to use as a basis for all calculations.
• Verify that all properties are taxed appropriately.
• Ensure that the process followed to implement changes take good internal control
into consideration.
• Ensure the accuracy of changes implemented in the financial systems.
• Ensure that the calculations of rates are accurate.
• Ensure that properties’ values are determined accurately.
• Ensure that the municipality abides by all relevant laws, policies and procedures.
• Determine that the computer package used is subjected to appropriate general and
application controls.
• Ensure that overdue accounts are appropriately managed.
Use the following depiction to study the requirements of audit objectives:
SMART
Source: www.theiia.org
You should be able to integrate and apply your knowledge to any given scenario or question for
examination purposes.
1.5 EVALUATION OF THE SYSTEM
STUDY
• Internal Auditing: An Introduction (2017: Chapter 7 – 7.3 - 7.9)
• Revise all the sections in your undergraduate study material that relate to system
descriptions and evaluation of the system.
Should you find it necessary to refresh your theoretical knowledge of this study, you
should refer to your undergraduate study material.
The system and processes within the specific activity that will be reviewed must be
evaluated and understood. One way to evaluate the system that will be discussed is the
Internal Control Questionnaire (ICQ). Refer to your prescribed textbook, Internal
Auditing: An Introduction (par 7.5).
In short, an ICQ is a list of questions with a "Yes" or "No" answer. It is designed in such a
way that, by answering "No" to a question, it indicates a control weakness. As a
postgraduate student, you should be able to evaluate such an ICQ and make
recommendations where applicable.
ACTIVITY 3
One of the internal auditors in the team compiled the following ICQ:
Internal Control Questionnaire for the municipality (answer each question Yes, No or N/A)
1. Does the municipality have a good reputation in the community it serves?
2. Do management personnel seem to have a positive attitude towards integrity, ethical
values, and competence? (Clues might include professional credentials such as
involvement and support for industry standards.)
3. Does the municipality appear to have adequate personnel to achieve segregation of
duties?
4. Does the mayoral committee appear interested and involved in the financial affairs of
the municipality?
5. Does the council delegate decision-making to the municipal manager to an excessive
degree?
6. Has management assessed the risk of material misstatement of the property value and
property rates?
7. Has a new computerised accounting system been implemented or were significant
changes made to the previous system (i.e. new software package)?
8. Have there been changes in the accounting procedures, including new types of
transactions, reduced personnel, and changes in segregation of duties?
9. Is there an action plan in place to ensure that all property values are reviewed to take
changes in the property market into consideration?
10. Are invoices filed in a timely manner to enhance collectability of overdue accounts?
Refer to the background information that was obtained during the preliminary survey in the
previous section. Review the ICQ and evaluate whether it is complete and accurate to provide a
comprehensive evaluation of the control environment. If you think changes are necessary, how
would you change it? Based on the information provided, what would your answers to the
questions be, “Yes”, “No” or “N/A”?
FEEDBACK
The following is a typical example of what would be an appropriate or correct internal
control questionnaire. The questionnaire should be directed to the municipal manager
to ensure that the correct information is obtained. You should be able to apply your
knowledge to any given scenario or question.
Internal Control Questionnaire for the municipality (answer each question Yes, No or N/A)
1. Does the mayoral committee appear interested and involved in the financial affairs of
the municipality?
2. Has the mayoral committee assessed the risk of material misstatement of the property
value and property rates?
3. Does the mayoral committee receive reports from the contractor to review and
authorise the newly established property values?
4. Have there been any significant changes in operations since the prior year, e.g.
changes in management, changes in the accounting system or type of transactions or
the composition of the mayoral committee and its subcommittees, etc?
5. Does the mayoral committee receive reports for the calculation of the property rates
based on the property values?
6. Does management seem to have a positive attitude towards integrity, ethical values,
and competence? (Clues might include professional credentials such as involvement
and support for industry standards.)
7. Does the section responsible for property rates appear to have adequate personnel to
achieve segregation of duties?
8. Has the computerised accounting system been consistent for the past financial year?
9. Will the established property values be reviewed to take into consideration changes in
the property market?
10. Are all owners of a complex billed for property rates instead of the sectional title
body?
11. Is the classification of properties reviewed before submission to Finance?
12. Are property rates calculations submitted timely to be included in the invoices?
13. Are accounts receivable listings aged to identify overdue accounts?
14. Are overdue accounts pursued for collection in a timely manner?
15. Are bad debt write-offs reviewed and approved by the mayoral committee?
From the above you have now established how dependable the control environment is.
This can give you an indication of the work that must be done. The next step is to
establish how long it will take to conduct the audit and what resources must be
allocated to this audit, taking the level of proficiency of the internal auditors into
consideration.
Other methods of evaluation are analytical analysis and control self-assessment.
Standard 1220.A2 states that “in exercising due professional care internal auditors
must consider the use of technology-based audit and other data analysis techniques”.
STUDY
• The IPPF, Standards 1220.A2, 2130 and 2310 as well as the related Implementation
Guides.
• Assurance: An Audit Perspective (2018: Chapter 8 & 9 - 9.10)
• myUnisa - Additional Resources: Additional Guidance - Analytical analysis
Data analytics
Data analytics is very important for gathering information and will form an integral part of
any audit where the velocity, volume and variety of data are a challenge. Also note the
difference between data analysis and data analytics.
STUDY
• Assurance: An Audit Perspective (2018: Chapter 7 – 7.7 & Chapter 8 - 8.4)
• GTAG 16 – Data Analysis Technologies
MULTIMEDIA
Click on the hyperlinks below to view the following YouTube videos:
https://youtu.be/aeHqYLgZP84
https://youtu.be/RAw55JEcnEs
https://youtu.be/mm2A5tKVIpg
https://youtu.be/2i8ZqL99Vz0
https://youtu.be/TzxmjbL-i4Y
https://youtu.be/7D1CQ_LOizA
Data analytics used effectively will add value in the audit process and ensure the
efficient use of audit resources.
Source: http://www.byteorigin.com/services/cloud-application-development/big-data-analytics/
Source: https://www.xenonstack.com/blog/big-data-engineering/ingestion-processing-big-dataiot-stream/
1.6 RESOURCE ALLOCATION AND TIMING
STUDY
• Study the IPPF, Standards 2020 and 2030 as well as Implementation Guides 2020
and 2030.
• Internal Auditing: An Introduction (2017: Chapter 6 - 6.6.6)
Should you find it necessary to refresh your theoretical knowledge of this topic, you
should refer to your undergraduate study material.
The CAE must communicate the IAA's plans and resources to senior management and
the board of directors, including any resource limitations. It is the responsibility of the
CAE to ensure that resources are appropriate, sufficient and effectively deployed to
achieve the audit plan according to Standard 2030. Resources allocated to the
engagement should be sufficient to ensure that the engagement objectives are
achieved. Appropriateness and sufficiency of resources is determined by the number,
experience level and knowledge, skills and other competencies of the internal audit staff.
While supervising the engagement, the internal audit manager should ensure that the
staff members assigned to the engagement have the knowledge, skills and other
competencies required to conduct the engagement effectively. (There is a direct link
here with the competency requirement of the Code of Ethics and due professional care
requirements in Standard 1220.)
The internal audit manager who is supervising the audit must provide appropriate
instructions to the internal audit team. It is the responsibility of the internal audit
manager to initiate or request training of the internal audit team members to develop
their knowledge and skills as internal auditors. This will ensure that they perform the
engagement effectively.
He or she must ensure that the approved plan is carried out as was agreed, unless
changes are justified, and that the working papers adequately support the conclusions
and recommendations of the internal audit team.
The time that must be budgeted to complete the audit depends on the skill and
experience of the available auditors. The appropriate timing of the audit should also be
considered, e.g. the financial year-end of the engagement client might not be a suitable
time to schedule an audit.
READ
Go to myUnisa, under Additional Resources to download relevant articles or guidance on
this topic.
REFLECTION
Look for further articles that will give you insight into the engagement planning process,
the role of the CAE and audit team and any new developments or guidance in this
regard.
ACTIVITY 4
You have completed the preliminary survey and determined the engagement objectives
for the audit of the accuracy and completeness of property values and rates at the
municipality. Now determine the resources that you will need to complete this audit.
ONLINE ASSESSMENT QUESTION
Do the online assessment multiple-choice questions on myUnisa.
SUMMARY
This learning unit focused on the planning of an audit engagement, also referred to as
the assignment plan. The main considerations are the preliminary survey, the
engagement objectives and scope as well as the allocation of resources. Once the
planning of the audit is completed, the audit procedures that will satisfy the engagement
objectives can be developed and the testing can begin.
NOTES
Make your own notes here:
Learning unit 2
Conducting the audit engagements
Contents
2.1 INTRODUCTION 23
2.2 ENGAGEMENT WORK PROGRAMME 23
2.3 SAMPLING 30
2.4 PERFORMING THE AUDIT PROCEDURES 31
2.5 EVIDENCE AND WORKING PAPERS 34
2.1 INTRODUCTION
In the previous learning unit, the planning of individual audit engagements was
discussed. This learning unit focuses on the activities involved in the conduct of an audit
engagement. When you conduct an audit, the engagement objectives and scope
established during the planning phase are used to compile the engagement work
programme. The procedures performed will aim to determine
• whether the controls implemented are sufficient to mitigate the risks involved
• whether the controls are adhered to
2.2 ENGAGEMENT WORK PROGRAMME
STUDY
• The IPPF, Standards 2200 and 2240 as well as Implementation Guides 2200 and
2240.
• Internal Auditing: An Introduction (2017: Chapter 6 – 6.6.7; Chapter 7 – 7.2)
• Revise all the sections in your undergraduate study material that relate to compiling
an engagement programme.
The engagement programme will contain all the information that is needed to evaluate
the controls in place.
To be able to test controls, you should know what the different types of controls are
and which control mechanisms can be used to mitigate risks, and you must be able to
evaluate the suitability of controls. The following schematic representation shows where
these different types of controls fit into the risk management process.
Figure: Types of controls
The following illustration shows the timeline of the implementation of controls as well as
examples of these controls.
Figure: Timeline of the types of controls
The following schematic diagram shows where the preventive control fits into the
transaction process:
Figure: Preventive control
In the next diagram the position of the detective control is displayed.
Figure: Detective control
The assertions for balances and transactions should be taken into consideration when
writing the engagement procedures (test of controls). If you are uncertain what the
assertions are, refer to your undergraduate study material.
The assertions embodied in the financial statements, as used by the auditor to consider
the different types of potential misstatements that may occur, may take the following
forms:
• Transactions and events: occurrence; completeness; accuracy; cutoff; classification
• Account balances at the year-end: existence; rights and obligations; completeness;
valuation and allocation
• Presentation and disclosure: occurrence and rights and obligations; completeness;
classification and understandability; accuracy and valuation
The engagement programme should cover the engagement objectives as discussed in
learning unit 1.
At a minimum, the engagement programme should include the following according to
Implementation Guide 2200:
• the objectives of the engagement
• technical requirements, objectives, risks, processes and transactions that are to be
examined
• the nature and extent of testing required
• the internal auditor’s procedures for collecting, analysing, interpreting and
documenting information during the engagement
With the approval of the CAE, the programme may be modified, as appropriate, during
the engagement. You should be able to identify other aspects that should also be
included in the engagement programme for a specific audit engagement or scenario.
The CAE should approve the engagement programme before testing can begin. The
engagement programme should be sufficient to ensure that the engagement objectives
are achieved. This will prevent having to redo work or doing unnecessary work that will
waste resources.
The evaluation of the activity’s controls will determine how much testing must be done
and how extensive the engagement programme should be. Inherent, control and audit
risk should be taken into consideration when compiling the programme to ensure that
unnecessary procedures are not included, but essential procedures are.
IR = Inherent Risks
RR = Residual Risks (Raindrops outside the umbrella)
CR = Control Risk (possibly the umbrella leaks)
Risk Appetite = How big the umbrella is.
ADDITIONAL READING
Go to myUnisa, under Additional Resources to download relevant articles or guidance on
this topic.
In this article the importance of proper planning is discussed as well as the importance of
alignment with the business objectives of the organisation to be audited.
NOTE: It is important to correctly formulate an audit procedure. An audit procedure is
the specific test that an internal auditor performs when gathering the audit evidence
required to evaluate or determine if the audit objectives are met.
REFLECTION
Refer to the additional resources on myUnisa on the topic of “audit procedures”.
To perform the engagement procedures (tests of control), you will need the documentation
or other information necessary to conduct the procedures. The prescribed textbooks for
this module refer to tests of controls as engagement procedures; do not be confused by
this, as tests of controls and engagement procedures are the same thing. It is nearly
impossible to evaluate every transaction of an organisation, so the internal auditor uses
only a sample of the transactions. In the next section we discuss how this is done.
MULTIMEDIA
Click on the hyperlinks below to view the following YouTube videos:
https://youtu.be/9fNz4WJ4uZc
ACTIVITY 5
Compile a complete engagement programme for the municipality that will evaluate all
the applicable assertions based on the engagement planning done in learning unit 1.1
FEEDBACK
The engagement programme is set out in the following columns: Engagement objective;
Risk; Identified control; Engagement procedure/test of control (audit procedures);
Result/Finding; Reference. The last two columns are completed as the procedures are
performed.

Engagement objective 1: Ensure that sufficient segregation of duties is in place.
Risk: The municipality might be exposed to fraud due to functions that are overlapping
because of a lack of staff.
Identified control: A transaction or process may not be initiated, prepared and approved
by the same person.
Engagement procedures (tests of control):
• Determine by enquiring whether the same person can enter and approve property
values. Obtain appropriate evidence.
• Determine by enquiring whether the same person can amend the master file which is
used to calculate property rates and approve the changes. Obtain appropriate evidence.

Engagement objective 2: Obtain satisfaction that all properties are taxed appropriately.
Risk: Residents may be over or under charged for property rates.
Identified controls:
• Classification of properties is verified before rates are calculated.
• The master file that contains the rates used to calculate rates is changed only after the
new rates have been published.
• Only one person has access to make amendments, which must be approved by a
supervisor.
Engagement procedures (tests of control):
• Select a judgmental sample of 5 properties with accounts in arrears from different
areas and perform the following:
a) Compare the rate that the properties are taxed at to the rate stipulated in the
council report and ascertain that it is the same. Investigate anomalies.
b) Compare the classification of properties to the type of property selected and
ascertain that it is the correct classification.
• Ascertain the date on which the changes to the property rates were effected on the
master file and ascertain that it is after the date stipulated in the council report.
Investigate anomalies.
• Investigate and enquire whether independent personnel effected the changes to the
master file.
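The procedures in the programme above can also be expressed as tests that run over the municipality's records, which is how the data-analytics approach of learning unit 1 would carry them out. The following Python block is an added example, not from the study guide or the IIA guidance: the council rates, the report date, the master-file change log, the property accounts and every field name in it are constructed assumptions. It runs the segregation-of-duties enquiry, the master-file timing check and procedures (a) and (b) over the judgmental arrears sample, and returns the exceptions per test.

```python
"""Engagement procedures from the programme, run as tests over constructed
records. Added example, not from the study guide: the field names, rates,
dates and every record below are assumptions."""
from datetime import date

# Council report (constructed): rate in the rand per property classification,
# and the date on which the report announcing the rates was published.
COUNCIL_RATES = {"residential": 0.0085, "business": 0.0170, "agricultural": 0.0021}
COUNCIL_REPORT_DATE = date(2019, 7, 1)

# Property type -> classification prescribed by the council report (constructed).
TYPE_TO_CLASSIFICATION = {"house": "residential", "shop": "business", "farm": "agricultural"}

# Master-file change log (constructed): who captured the change, who approved it
# and the date on which the new rate took effect on the master file.
MASTER_FILE_CHANGES = [
    {"classification": "residential", "changed_by": "clerk_a", "approved_by": "sup_1", "effected_on": date(2019, 7, 2)},
    {"classification": "business", "changed_by": "clerk_b", "approved_by": "clerk_b", "effected_on": date(2019, 7, 2)},
    {"classification": "agricultural", "changed_by": "clerk_a", "approved_by": "sup_2", "effected_on": date(2019, 6, 20)},
]

# Property accounts (constructed): classification on file and the rate actually billed.
PROPERTY_ACCOUNTS = [
    {"account": "A001", "area": "north", "type": "house", "classification": "residential", "rate_applied": 0.0085, "in_arrears": True},
    {"account": "A002", "area": "south", "type": "house", "classification": "residential", "rate_applied": 0.0170, "in_arrears": True},
    {"account": "A003", "area": "east", "type": "shop", "classification": "business", "rate_applied": 0.0170, "in_arrears": False},
    {"account": "A004", "area": "west", "type": "farm", "classification": "agricultural", "rate_applied": 0.0021, "in_arrears": True},
    {"account": "A005", "area": "central", "type": "shop", "classification": "residential", "rate_applied": 0.0085, "in_arrears": True},
]


def segregation_of_duties_exceptions(changes):
    """Objective 1: the person who amends the master file may not also approve the change."""
    return [c for c in changes if c["changed_by"] == c["approved_by"]]


def premature_change_exceptions(changes, report_date):
    """Objective 2: a rate may only take effect on the master file after the council report date."""
    return [c for c in changes if c["effected_on"] <= report_date]


def select_arrears_sample(accounts, size=5):
    """Judgmental selection: accounts in arrears, one per area, up to `size` items.
    Because the selection is judgmental, exceptions found may not be extrapolated."""
    areas_seen, chosen = set(), []
    for acc in accounts:
        if acc["in_arrears"] and acc["area"] not in areas_seen:
            areas_seen.add(acc["area"])
            chosen.append(acc)
        if len(chosen) == size:
            break
    return chosen


def rate_exceptions(sample, council_rates):
    """Procedure (a): the rate billed must equal the council rate for the classification on file."""
    return [a for a in sample if a["rate_applied"] != council_rates[a["classification"]]]


def classification_exceptions(sample, type_map):
    """Procedure (b): the classification on file must match the type of property."""
    return [a for a in sample if a["classification"] != type_map[a["type"]]]


def run_programme():
    """Run every procedure and return the exceptions per test."""
    sample = select_arrears_sample(PROPERTY_ACCOUNTS)
    return {
        "sod": [c["classification"] for c in segregation_of_duties_exceptions(MASTER_FILE_CHANGES)],
        "premature": [c["classification"] for c in premature_change_exceptions(MASTER_FILE_CHANGES, COUNCIL_REPORT_DATE)],
        "rate": [a["account"] for a in rate_exceptions(sample, COUNCIL_RATES)],
        "classification": [a["account"] for a in classification_exceptions(sample, TYPE_TO_CLASSIFICATION)],
    }


if __name__ == "__main__":
    for test, exceptions in run_programme().items():
        print(f"{test}: {exceptions or 'no exceptions'}")
```

Each returned list is the set of exceptions for that procedure; an empty list is a clean test. Note that account A005 passes the rate test (the rate matches the classification on file) but fails the classification test (a shop classified as residential), which is why the programme keeps procedures (a) and (b) separate.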
2.3 SAMPLING
STUDY
• Internal Auditing: An Introduction (2017: Chapter 7 – 7.11)
• myUnisa – Additional Resources: Additional Guidance - Sampling
• Revise all the sections in your undergraduate study material that relate to sampling.
The population can be determined based on the audit procedures that have been approved. A
representative sample of the transactions under review should be selected from the population to
test. The sampling technique that must be used to select the sample depends on characteristics of
the population and the objectives of the testing that must be done. Each of the sampling
techniques satisfies a specific need. This need should be identified to determine which would be
the most appropriate method to use.
Judgmental sampling is used when the auditor has reason to believe that specific transactions may
be misstated. This may be the case, for example, when an employee who is responsible for certain
transactions went on extended leave and the employee standing in did not have the necessary skill
or experience to perform the absent employee’s duties. The auditor may decide to test all the
transactions for the period of the employee’s extended leave. Because the items are chosen by
judgement rather than at random, the results of this method of sampling may not be extrapolated
to the population.
Statistical sampling techniques may be extrapolated to the population and the results may be
communicated as conclusive if the technique has been applied appropriately. The audit procedures
will be applied to the selected transactions to determine whether the controls have been adhered to
or not.
ACTIVITY 6
Karabo Molefe manages the inventory at a branch of a clothing company. The accuracy
of the value of the recorded inventory on hand must be tested. Karabo randomly
selected 100 inventory items from the inventory held at the branch, with the total
population consisting of 2 000 inventory items. The total value of the selected inventory
items was R10 000. The standard deviation of the sample is R10 and the precision is ± R4 000.
a) Describe the statistical sampling technique that Karabo Molefe should use to
accomplish his objective and motivate your choice.
b) Calculate the minimum and maximum acceptable value levels of the population
and explain what Karabo must do if his results fall outside these limits, and what
such results would mean to him as a manager.
FEEDBACK
a) STATISTICAL SAMPLING TECHNIQUE
Karabo’s objective is to test the accuracy of the value of the recorded inventory held at
the branch. In order to estimate a value for the inventory population he must use
estimation sampling for variables, or monetary unit sampling. Both of these techniques
are used to estimate the value of a population.
In the case of monetary unit sampling the sample selection is based on the value of the
items as each rand has an equal chance of being selected. Karabo, however, selected any
100 stock items randomly and thus did not use monetary unit sampling.
b) THE MINIMUM AND MAXIMUM ACCEPTABLE LEVELS OF THE POPULATION
R10 000 ÷ 100 items = R100 average price per unit
R100 average price per unit × 2 000 total units = R200 000 expected average value of the population
Calculate the minimum and maximum levels by adjusting the average value of the population with the precision:
R200 000 – R4 000 = R196 000 (minimum level)
R200 000 + R4 000 = R204 000 (maximum level)
If the actual amount calculated by Karabo for inventory is outside the minimum and
maximum levels calculated, he must extend his sample to achieve a better result.
If the calculated results are outside the minimum and maximum levels, it means either
that the statistical sampling method was incorrectly applied, or that there is a serious
problem with the value of the recorded inventory.
In both cases Karabo should determine the cause and take the required steps to rectify
the problem.
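The calculation above, as an added worked example (not part of the study guide): a mean-per-unit (estimation sampling for variables) estimate built from the activity's figures, followed by the decision rule from the feedback. The function and class names are mine. The helper that derives the precision from the sample standard deviation is a generalisation the guide does not show; with the activity's standard deviation of R10 and a 95% confidence coefficient of 1.96 it gives R3 920, close to the R4 000 precision the activity states, but the guide gives the precision directly, so the main function takes it as an input.

```python
"""Mean-per-unit estimation for Activity 6 (added example, not the guide's code)."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class VariablesEstimate:
    point_estimate: float  # average unit value projected over the whole population
    lower: float           # point estimate minus precision (minimum acceptable level)
    upper: float           # point estimate plus precision (maximum acceptable level)


def estimate_population_value(sample_total: float, sample_size: int,
                              population_size: int, precision: float) -> VariablesEstimate:
    """Project the sample's average unit value over the population.

    precision is the achieved precision (R4 000 in the activity). The guide
    supplies it directly, so it is an input here rather than derived.
    """
    if sample_size <= 0 or population_size < sample_size:
        raise ValueError("sample must be non-empty and no larger than the population")
    if precision < 0:
        raise ValueError("precision must be non-negative")
    average_per_unit = sample_total / sample_size          # R10 000 / 100 = R100
    point = average_per_unit * population_size              # R100 * 2 000 = R200 000
    return VariablesEstimate(point, point - precision, point + precision)


def precision_from_sample_sd(sample_sd: float, sample_size: int, population_size: int,
                             confidence_coefficient: float = 1.96) -> float:
    """Achieved precision of a mean-per-unit estimate: N * z * s / sqrt(n).

    Assumption/generalisation: the guide states the precision outright and
    does not show this formula. z = 1.96 corresponds to 95% confidence.
    """
    return population_size * confidence_coefficient * sample_sd / math.sqrt(sample_size)


def evaluate_recorded_value(recorded: float, est: VariablesEstimate) -> str:
    """Apply the feedback's decision rule to the recorded (book) inventory value.

    Inside the limits the recorded value is supported by the sample. Outside
    them the sample must be extended, and the cause determined: either the
    sampling method was misapplied or the recorded inventory value is wrong.
    """
    if est.lower <= recorded <= est.upper:
        return "within limits: recorded value supported by the sample"
    return "outside limits: extend the sample and determine the cause"


if __name__ == "__main__":
    est = estimate_population_value(10_000, 100, 2_000, 4_000)
    print(est)  # point 200 000, lower 196 000, upper 204 000
    print(round(precision_from_sample_sd(10, 100, 2_000)))  # 3920
    # Constructed recorded values, one inside and one outside the limits
    print(evaluate_recorded_value(198_500, est))
    print(evaluate_recorded_value(215_000, est))
```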
Sampling was covered in detail in the undergraduate internal auditing modules. At this
stage of your studies, we expect you to be proficient in selecting and applying
appropriate sampling methods. We recommend, therefore, that you refresh your
knowledge of sampling by revising the theory of sampling.
After you have used the correct sampling technique and identified your sample, the
engagement procedures can be performed. In the next section we will conduct the
engagement using the selected sample.
REFLECTION
Revise this section in AUI3702 in detail and ensure that you have detailed knowledge of
the sampling techniques used in the performance of an audit.
2.4 PERFORMING THE AUDIT PROCEDURES
ADDITIONAL READING
Search for relevant articles on the internet on the performance of audit procedures and
share your insights on the Discussion Forum.
STUDY
• Study the IPPF, Standard 2300 and Implementation Guide 2300.
• Internal Auditing: An Introduction (2017: Chapter 6 - 6.7.3)
• Revise all the sections in your undergraduate study material that relate to testing.
• Performing internal audit engagements (2017: Chapter 1 – 1.3.2 – 1.4.3)
MULTIMEDIA
Click on the hyperlinks below to view the following YouTube videos on engagement
procedures and substantive procedures:
https://youtu.be/WDCJU9nbol0
https://youtu.be/v6zRAUCntr8
https://youtu.be/uBQYIZukwO8
Figure: The testing process. Source: Misconception in Financial Audit Practices by Yulias Sihombing, 23 February 2015
The figure above depicts the testing process. Once the testing is completed, it should be evident
whether controls have been adhered to or not. It might be necessary to extend the testing to more
transactions or other areas based on what was found. All the tests that have been performed must
be documented completely, as will be discussed below.
ACTIVITY 7
You are provided with the salary scales for an organisation. Determine whether the
salary each employee earns is in accordance with the approved minimum salary scale
for the employee's salary level. Determine whether further testing should be done and
explain your conclusion. The amounts below indicate the minimum salary that should be
earned for a specific level for the period January to December 2010.
SALARY LEVEL   SALARY
1              R 34 107.00
2              R 38 202.00
3              R 43 875.00
4              R 75 891.00
5              R 94 530.00
6              R 111 006.00
Your sample is presented in the table below:
NO   INITIALS   SURNAME      SALARY LEVEL   SALARY EARNED
1    PS         KHESWA       6              R 117 402.00
2    NR         SELEWANE     6              R 111 006.00
3    A          NESER        6              R 111 006.00
4    GAP        MHLONGO      6              R 109 758.00
5    ME         MABELE       5              R 109 758.00
6    MS         KHANYE       5              R 109 758.00
7    F          DON          5              R 94 530.00
8    N          RASHAMUSE    5              R 94 530.00
9    JK         STIRLING     5              R 94 530.00
10   N          HAMMEL       5              R 94 530.00
11   L          LETHETSA     5              R 94 530.00
12   BP         SIBEKO       5              R 94 530.00
13   KL         ROODT        5              R 79 761.00
14   EA         CAPPER       5              R 79 761.00
15   K          VAN RHYN     5              R 79 761.00
16   P          NKQAYI       4              R 79 761.00
17   MP         PEETE        4              R 75 891.00
18   PT         SEFOKA       4              R 75 891.00
19   M          MANAZI       4              R 75 891.00
20   WN         BAUER        4              R 43 875.00
21   GW         RAHLABA      4              R 43 875.00
22   C          RADEBE       4              R 43 875.00
23   DV         GAMA         4              R 43 875.00
24   L          MBENSE       3              R 43 875.00
25   TZ         MASIKE       3              R 43 875.00
26   ND         TSOSANE      3              R 38 202.00
27   HJW        REDMOND      3              R 38 202.00
28   MB         BALOYI       3              R 38 202.00
29   A          KEKANA       2              R 38 202.00
30   ML         RAMAEMA      2              R 38 202.00
31   S          MBOKAZI      1              R 34 107.00
FEEDBACK
If you compared the salary level and the salary earned to the approved salary scale, you
would have found that 11 out of 31 salaries do not match the salary scale relevant to the
employee. Further testing should be done to determine the reasons why so many
employees do not earn the approved minimum amount according to their salary scale.
It is extremely important that the results of the engagement procedures performed are
documented completely and accurately. Evidence to support the results should be
sufficient, reliable, relevant and useful as stipulated in Standard 2310. In the next
section we discuss this important issue.
2.5 EVIDENCE AND WORKING PAPERS
STUDY
• The IPPF, Standards 2310 and 2330 as well as Implementation Guides 2310 and
2330.
• Internal Auditing: An Introduction (2017: Chapter 6 - 6.7)
• Revise all the sections in your undergraduate study material that relate to audit
evidence and audit working papers.
The evidence gathered during the course of the audit and the working papers compiled must
support the conclusions reached. All evidence should comply with Standard 2310, which
stipulates that evidence should be sufficient, reliable, relevant and useful. As the audit manager
or CAE, you may not be closely involved in the gathering of evidence.
However, when you review audit work done by audit staff, your main focus will be to determine whether
the evidence gathered and documented in the audit working paper file adequately supports the
audit findings. You should therefore have an in-depth understanding of these concepts and be
able to determine whether the given evidence is sufficient, relevant, reliable and useful. This will enable
you to defend the conclusions when the engagement client does not agree with the findings and
conclusions reported on. The Standards also require that the evidence complies with certain
criteria and that it be filed for future use.
The purpose of working papers is as follows:
• They aid in the planning, performance, and review of engagements.
• They provide the principal support for engagement results.
• They document whether engagement objectives were achieved.
• They provide a basis for the internal audit activity’s quality assurance and improvement
program.
• They facilitate third-party reviews.
ACTIVITY 8
Further research into the purpose of audit working papers should be done to broaden
your knowledge and assist you in compiling relevant and complete working papers.
ACTIVITY 9
Compile a working paper that will set out all the necessary information for the test done
in the previous activity.
FEEDBACK
Professional Audit Services
Period: January to December 2010
Working Paper Reference: W 201
Prepared: WM   Reviewed: CP   Date: 22/05/2011
Objective
To determine whether employees receive salaries according to the minimum approved salary scale per
level.
Sample Source
List of employees
Procedures
Select a sample of employees and compare the salaries earned to the approved salary scale.
Results
NO   INITIALS   SURNAME      SALARY LEVEL   SALARY         RESULT
1    PS         KHESWA       6              R 117 402.00   r
2    NR         SELEWANE     6              R 111 006.00   r
3    A          NESER        6              R 111 006.00   r
4    GAP        MHLONGO      6              R 109 758.00   v
5    ME         MABELE       5              R 109 758.00   r
6    MS         KHANYE       5              R 109 758.00   r
7    F          DON          5              R 94 530.00    r
8    N          RASHAMUSE    5              R 94 530.00    r
9    JK         STIRLING     5              R 94 530.00    r
10   N          HAMMEL       5              R 94 530.00    r
11   L          LETHETSA     5              R 94 530.00    r
12   BP         SIBEKO       5              R 94 530.00    r
13   KL         ROODT        5              R 79 761.00    v
14   EA         CAPPER       5              R 79 761.00    v
15   K          VAN RHYN     5              R 79 761.00    v
16   P          NKQAYI       4              R 79 761.00    r
17   MP         PEETE        4              R 75 891.00    r
18   PT         SEFOKA       4              R 75 891.00    r
19   M          MANAZI       4              R 75 891.00    r
20   WN         BAUER        4              R 43 875.00    v
21   GW         RAHLABA      4              R 43 875.00    v
22   C          RADEBE       4              R 43 875.00    v
23   DV         GAMA         4              R 43 875.00    v
24   L          MBENSE       3              R 43 875.00    r
25   TZ         MASIKE       3              R 43 875.00    r
26   ND         TSOSANE      3              R 38 202.00    v
27   HJW        REDMOND      3              R 38 202.00    v
28   MB         BALOYI       3              R 38 202.00    v
29   A          KEKANA       2              R 38 202.00    r
30   ML         RAMAEMA      2              R 38 202.00    r
31   S          MBOKAZI      1              R 34 107.00    r
Legend
v   Incorrect minimum salary is earned. Exception noted
r   Correct minimum salary is earned. No exception noted
Conclusion
11 out of 31 employees do not earn the correct salary due to a system error.
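The comparison worked in Activities 7 and 9, as an added example that is not the study guide's own code: the approved scale and the 31-employee sample are the figures given in Activity 7, the engagement procedure is applied to every row, exceptions are marked with the working paper's 'r'/'v' legend from Activity 9, and the rows of the Results section are rendered from the same data. The function and class names are mine. The check that an employee's level actually appears in the approved scale is my addition: a salary with no criterion to test against is a data problem in the sample source, not an exception to report.

```python
"""Salary-scale compliance test for Activities 7 and 9 (added example, not the guide's code)."""
from typing import NamedTuple

# Approved minimum salary per salary level, January to December 2010 (Activity 7).
APPROVED_MINIMUM = {1: 34_107.00, 2: 38_202.00, 3: 43_875.00,
                    4: 75_891.00, 5: 94_530.00, 6: 111_006.00}


class Employee(NamedTuple):
    no: int
    initials: str
    surname: str
    level: int
    earned: float


# The sample from Activity 7: (no, initials, surname, salary level, salary earned).
SAMPLE = [Employee(*row) for row in [
    (1, "PS", "KHESWA", 6, 117_402.00), (2, "NR", "SELEWANE", 6, 111_006.00),
    (3, "A", "NESER", 6, 111_006.00), (4, "GAP", "MHLONGO", 6, 109_758.00),
    (5, "ME", "MABELE", 5, 109_758.00), (6, "MS", "KHANYE", 5, 109_758.00),
    (7, "F", "DON", 5, 94_530.00), (8, "N", "RASHAMUSE", 5, 94_530.00),
    (9, "JK", "STIRLING", 5, 94_530.00), (10, "N", "HAMMEL", 5, 94_530.00),
    (11, "L", "LETHETSA", 5, 94_530.00), (12, "BP", "SIBEKO", 5, 94_530.00),
    (13, "KL", "ROODT", 5, 79_761.00), (14, "EA", "CAPPER", 5, 79_761.00),
    (15, "K", "VAN RHYN", 5, 79_761.00), (16, "P", "NKQAYI", 4, 79_761.00),
    (17, "MP", "PEETE", 4, 75_891.00), (18, "PT", "SEFOKA", 4, 75_891.00),
    (19, "M", "MANAZI", 4, 75_891.00), (20, "WN", "BAUER", 4, 43_875.00),
    (21, "GW", "RAHLABA", 4, 43_875.00), (22, "C", "RADEBE", 4, 43_875.00),
    (23, "DV", "GAMA", 4, 43_875.00), (24, "L", "MBENSE", 3, 43_875.00),
    (25, "TZ", "MASIKE", 3, 43_875.00), (26, "ND", "TSOSANE", 3, 38_202.00),
    (27, "HJW", "REDMOND", 3, 38_202.00), (28, "MB", "BALOYI", 3, 38_202.00),
    (29, "A", "KEKANA", 2, 38_202.00), (30, "ML", "RAMAEMA", 2, 38_202.00),
    (31, "S", "MBOKAZI", 1, 34_107.00),
]]


class Result(NamedTuple):
    no: int
    name: str
    level: int
    earned: float
    minimum: float
    mark: str  # working-paper legend: 'r' = no exception, 'v' = exception


def compare_to_scale(sample, scale=APPROVED_MINIMUM):
    """Apply the engagement procedure: is each salary at least the approved
    minimum for the employee's level? A level missing from the scale is an
    error (no criterion to test against), not an audit exception."""
    results = []
    for e in sample:
        if e.level not in scale:
            raise ValueError(f"employee {e.no}: no approved minimum for level {e.level}")
        minimum = scale[e.level]
        mark = "r" if e.earned >= minimum else "v"
        results.append(Result(e.no, f"{e.initials} {e.surname}", e.level,
                              e.earned, minimum, mark))
    return results


def exceptions(results):
    """Employees earning below the approved minimum for their level."""
    return [r for r in results if r.mark == "v"]


def exception_rate(results):
    """Share of the sample that is an exception (11/31 for Activity 7)."""
    return len(exceptions(results)) / len(results)


def working_paper_rows(results):
    """Render the Results section of the Activity 9 working paper (header + rows)."""
    lines = [f"{'NO':>3} {'NAME':<14} {'LEVEL':>5} {'EARNED':>12} {'MINIMUM':>12}  RESULT"]
    for r in results:
        lines.append(f"{r.no:>3} {r.name:<14} {r.level:>5} {r.earned:>12,.2f} "
                     f"{r.minimum:>12,.2f}  {r.mark}")
    return lines


if __name__ == "__main__":
    res = compare_to_scale(SAMPLE)
    print("\n".join(working_paper_rows(res)))
    exc = exceptions(res)
    print(f"\nConclusion: {len(exc)} out of {len(res)} employees earn below "
          f"the approved minimum for their level.")
```

Running the block prints the Results table and the conclusion (11 of 31 exceptions, employees 4, 13 to 15, 20 to 23 and 26 to 28). The exception list and rate are returned by functions rather than only printed, so the working paper's figures can be re-derived from the same sample whenever the scale or the sample changes.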
ACTIVITY 10
Look for further articles that will give you insight into audit working papers and the
preparation thereof as well as any new developments or guidance in this regard.
ACTIVITY 11
What kind of evidence can be used to substantiate the finding above?
FEEDBACK
• A copy of the approved salary scale. The scale must be approved at a board meeting
or at least by the CEO and one other senior manager.
• Copies of the salary slips of the employees selected in the sample.
ONLINE ASSESSMENT QUESTION
● Do the online assessment multiple-choice questions on myUnisa.
SUMMARY
This learning unit discussed how to conduct the audit engagement. The engagement
procedures should be established based on the engagement objectives as discussed in
learning unit 1.1. Once the engagement programme is finalised and approved, a sample
should be selected to test whether the controls are adhered to. Meticulous records
should be kept of all the fieldwork that is performed and evidence should be gathered to
support the conclusions drawn from the fieldwork. When you have completed all this,
the audit report can be written. This will be discussed in topic 2.
NOTES
Make your own notes here:
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
Learning unit 3
Reporting and monitoring progress
Figure: Report & Monitor
Contents
3.1 INTRODUCTION 37
3.2 THE INTERNAL AUDIT REPORT 37
3.3 WRITING THE INTERNAL AUDIT REPORT 39
3.4 REPORTING RESULTS TO THE ENGAGEMENT CLIENT 42
3.5 FOLLOW-UP REPORTING 46
3.1 INTRODUCTION
The audit reporting process includes the writing of the audit report, reporting the results
to the engagement client and monitoring or following up on management’s progress at
the agreed time to ensure that the recommendations made have been implemented.
After the follow-up audit, a final report has to be issued to inform management of the
outcome.
In this learning unit the format of the audit report will be discussed as well as the internal
audit standards applicable to reporting. A range of reports will be evaluated to assess
whether or not they meet their specific requirements. For the different audit approaches
or applications, the applicable audit report will be described in more detail. The exact
format and content of the report depends on the organisation and the nature of the
engagement performed. Make sure that you are able to apply your knowledge with regard
to audit reporting to the different audit applications.
3.2 THE INTERNAL AUDIT REPORT
STUDY
• The IPPF, Performance Standards 2400, 2410, 2420, 2421, 2430, 2431 and 2440 as
well as the relevant Implementation Guides (2400 - 2440).
• Performing Internal Audit Engagements, Par 9.1–9.4
• Supplemental Guidance – Practice Guide: Audit Reports - Communicating Assurance
Engagement Results
• Revise all the sections in your undergraduate study material that relate to the
reporting of the auditing results.
Standard 2400 requires engagement results to be communicated to the engagement
client. In most instances, a complete internal audit report will be used, but in other
instances a management letter or oral communication might be sufficient. This topic
focuses on the reporting of the results of the engagement, which includes interim
reports and engagement reports, or audit assignment reports.
An interim report is also issued when a matter that needs immediate attention is
discovered by the audit team. It also serves to:
• force the internal auditor to build the report as the audit progresses
• keep the audit manager up to date and allow interim review of work done
• give the client a continuous report
The format of your report does not really matter, as long as it includes all the
requirements of the internal auditing standards. When an IAA has been subjected to an
external quality assessment and was found to comply with all the internal auditing
standards, this fact may be indicated in the executive summary of the internal audit
report. If full conformance was not achieved, the rules of conduct of the Code of Ethics
or the internal auditing standard(s) that were not conformed with should be disclosed.
This disclosure should include all the necessary information as listed in Standard 2431.
The objectives or purpose for writing an audit report should be kept in mind while writing
it. The objectives appear on par 9.2 of the prescribed textbook, Performing Internal Audit
Engagements. Please note that this is not a comprehensive list of all possible objectives
and as a postgraduate student you should be able to draw up a more detailed list.
Structuring the internal audit report in such a way that it is easily understood by
management will make it easier to convince management to implement the
recommendations. Guidelines as to what to include in the report are given in Standard
2410, and are as follows:
• the engagement objectives
• scope
• results
You should be able to apply these guidelines in preparing an engagement report.
STUDY
Study Performing Internal Audit Engagements, page 396 in terms of the logical
presentation or proposed framework for the report.
The basic structure should include an executive summary and detailed findings. The
executive summary will usually include the auditor’s opinion on the internal control
processes.
MULTIMEDIA
Click on the hyperlink below to view the following YouTube video:
https://youtu.be/GK6jZKqrjO8
In the next section we will demonstrate how to report the engagement results, taking all
the requirements from the Standards into consideration.
3.3 WRITING THE INTERNAL AUDIT REPORT
Standard 2420 requires that the report must be accurate, objective, clear, concise,
constructive, complete and timely. The accuracy of the report will depend mainly on the
quality of the fieldwork that was done. Through all the engagements that you will be
involved in, your relationship with the engagement client should stay objective, in order
to report objectively on the results of the audit.
Do not use unfamiliar and difficult words. Rather ensure that the report is concise, clear
and easy to understand. Before the report is presented to the engagement client, the
internal audit manager should ensure that all aspects of the report and all findings that
need to be raised are included. The pace of business cannot allow for delayed audit
reports. The results of the audit should be made available as soon as possible;
otherwise the report may become irrelevant. If errors or omissions are discovered after
the report was distributed, the corrections should be communicated to all parties to
whom the report had been distributed in the first place (Standard 2421).
STUDY
Study the guidelines for formulating effective recommendations in Performing Internal
Audit Engagements, Par 9.8–9.9.
Consider your recommendations carefully. They must be feasible and add more value to
the engagement client than the cost of implementing the proposed recommendations.
STUDY
Study Performing Internal Audit Engagements, Par 9.3 on the reporting process and
specifically the review process and how it should be approached.
The draft report should be reviewed by the audit supervisor or manager. Care should be
taken during the review process to ensure that the report is a true reflection of the audit
work that was performed.
Once the report has been finalised by audit management, the action plan can be
discussed with the engagement client. This action plan must be added to the report
before it can be distributed to all the relevant parties. More about this follows below.
David A. Bates, CIA, based in Marietta, Georgia, gave the following ten tips to internal
auditors when writing an audit report:
• Slow down. Think before you write. Precisely what is it you want to communicate?
• Write for your least-informed reader. Simplify what you are trying to say.
• If something doesn't seem clear to you when you write it, it won't be clear to your
reader.
• Aim your writing to your audience.
• Use a good style manual and refer to it often.
• Set aside some quality time for writing or editing.
• When editing go through each document at least three times.
• As an editor ensure that you trust your judgment.
• When editing someone's writing, explain why you make changes.
• Keep giving your best effort.
ACTIVITY 12
Great Farms is a partnership between various farmers in the Limpopo Province. The
farmers decided to build a cannery for their fresh farm produce and established Great
Farms for this purpose. The farmers requested you to audit the building project of the
cannery to ensure that everything went according to plan and that the actual cost of
the cannery was reflected fairly.
The fieldwork for this engagement was completed during December 2011. After the
review, the following engagement report was sent to the engagement client. The
internal audit activity has never been subjected to an external quality assessment.
Review the internal audit report below and evaluate whether it complies with the
internal auditing standards.
To: The Farmer's Co-operative
From: Internal Auditor
Date: 10 March 2012
AUDIT OF THE CANNERY PROJECT
Introduction
This internal audit was performed in response to a specific request received from the farmers. This audit
focussed on the cannery project.
Purpose and scope
The objectives of this internal audit were limited:
• to ensure that each project goal and its budget were approved by the farmers before the project
begins
• to ensure that the project goals and budget were reasonable
• to ensure that each project goal was achieved on time
• to ensure that the project goals were achieved within the budget and, if the goals were achieved
later, that the agreed penalty has been applied
• to ensure that the cannery would achieve the overall goals established for the project
Because of the critical nature of the project and the relatively small size of transactions, it was possible
to audit all the supporting documentation of the project.
Findings
• The audit procedures found that every project goal and its budget was approved by the farmers
before the project began.
• Discussions with the project coordinator, the building contractor, the project engineer and the
architect confirmed that the timing of the project as well as the initial project budget were
reasonable.
• The audit procedures indicated that only three of the five goals of the project were achieved on
time. The last goal is still outstanding but that is also the only project goal that did not have a
planned completion date. To date no information has been made available as to when the last
project goal would be completed. No penalty fees were paid.
• The engagement procedures revealed that two project goals were not signed off appropriately
when they were achieved. The project coordinator, the building contractor, the project engineer
and the architect must be in agreement that the project goal was satisfactorily achieved. In each
instance the Project Goal Sheet was signed off only by the building contractor and the project
engineer.
• The audit procedures performed highlighted the fact that some individual project goals exceeded
their budgets. This is not perceived to be a problem as the total actual cost of the first five project
goals were R3 966 800. This amount is well within the total project budget of R4 422 000. The
budgeted cost of the last project goal is R500 000 and the total budget still available is R455 200.
• After an inspection of the cannery on 1 December 2009, the consulting engineer concluded that the
cannery was built well within acceptable industry standards and he did not foresee any problems in
the production of canned produce.
The engagement has been performed in conformance with the IPPF.
Signed by Internal Auditor
FEEDBACK
Please join the Discussion Forum and share with fellow students the violations of the
internal auditing standards that you found in the report provided. Feedback will be
provided subsequent to the discussion.
Also note:
All the above are shown in the draft internal audit report. The report is ready to be
discussed with the engagement client in order to obtain action plans and
management comments. In the next section, guidelines for reporting the results of
the audit will be discussed.
3.4 REPORTING RESULTS TO THE ENGAGEMENT CLIENT
STUDY
• Study the IPPF, Performance Standards 2400 and 2440 as well as Implementation
Guides 2400 and 2440.
• Performing Internal Audit Engagements, Par 9.7
• Revise all the sections in your undergraduate study material that relate to reporting
of results.
It is important to understand the process of communicating the engagement results to
the engagement client. Good communication already starts with the preparation for the
audit. Your relationship with the engagement client will either be improved or damaged
by the quality and frequency of the communication.
Figure: Internal audit process flow chart. Source: https://elsmar.com/Forums/internal-auditing/7154-internal-audit-process-flow-chartplease-review-mine-comment.html
Best practice suggests that the audit findings should be discussed with the client as they
are discovered by the audit team. This might take the form of informal verbal
communication or interim written communications. Once again, you can see that
continuous communication should take place between the audit team and the
engagement client. In the closing conference the draft of the audit report is discussed.
The purpose of this meeting is to ensure that the engagement client commits to
implementing and enforcing the recommendations.
The audit manager may choose to do an oral presentation to present the findings.
Remember: it is not the audit team’s responsibility to enforce recommendations; that
responsibility lies with management. Depending on the relationship with the client the
auditor may need negotiation skills to finalise the action plan. All of this is done to
ensure that there are no surprises in the final report for the engagement client and to
assist in building a partnership approach to audit engagements.
Once you have agreed with the engagement client on an action plan, the report can be
finalised. The CAE is responsible for communicating the engagement results to the client
and for ensuring that they are given due consideration.
If the report contains sensitive issues, then the CAE may remove these issues from the
final report and issue a separate report that will be distributed only to the relevant
parties (Standard 2440). A sensitive issue could, for example, be when fraud by
management was identified and this is brought to the attention of the audit committee
or other senior management at a level higher than the level where the fraud was
committed.
Figure: Elements of an audit finding (adapted from Waring & Morgan (2007))
Standard 2440 – Disseminating Results
The chief audit executive must communicate results to the appropriate parties.
Interpretation:
The chief audit executive is responsible for reviewing and approving the final
engagement communication before issuance and for deciding to whom and
how it will be disseminated. When the chief audit executive delegates these
duties, he or she retains overall responsibility.
ACTIVITY 13
Use the internal audit report from the previous activity and rewrite the detailed findings
section to conform to the internal auditing standards. Also add information which is not
given that you find applicable, with appropriate action plans. The following information
was obtained from the engagement client:
Payment in terms of the project will only be approved by the project coordinator if it is
claimed in terms of a completed project goal and falls within the budget constraints of
that specific project goal. The penalty of late completion of any project goal is a 50%
reduction of the fees payable for that goal to all the parties involved.
FEEDBACK
Goals not achieved on time, yet no penalty fee has been deducted.
Criteria
The project goals should be completed before the planned completion date, otherwise
a 50% reduction of fees payable will apply.
Condition
The audit procedures indicated that only three of the five goals of the project were
achieved on time. The last goal is still outstanding but that is also the only project goal
that did not have a planned completion date. To date there is no information available
as to when the last project goal will be completed. No penalty fees have been deducted
from payment made towards the building project.
Cause
Building materials were not received on time to complete the goal and there was no
completion date set. The project manager deemed this as a reasonable excuse and did
not levy penalty fees.
Effect
The rest of the project is delayed because of these two deadlines that have not been
met. The farmers are losing revenue due to the delay. The full extent could not be
established due to too many variables.
Recommendation
The penalty fee should be effected. Management should not pay the full cost of the
project but take the reduction of 50% into consideration with the next payment that is
due. In future all goals should have a clear completion date set against which
performance and deliverables can be measured.
Action plan
Management will deduct the 50% penalty fee from the next payment that is due.
Implementation date
Immediately
Payment was approved for projects that have not been signed off appropriately
Criteria
Payment will be made by Great Farms only when the project coordinator, the building
contractor, the project engineer and the architect are in agreement that the project
goal was satisfactorily achieved. Their agreement is indicated by signing the Project
Goal Sheet.
Condition
The engagement procedures revealed that two project goals were not signed off
appropriately when they were achieved. In each instance the Project Goal Sheet was
signed off only by the building contractor and the project engineer.
Cause
The documentation was not forwarded to the project coordinator and payment was
made when he was on leave.
Effect
Great Farms may pay for an incomplete project, which would require extra time and
money to complete.
Recommendation
Proper segregation of duties and authorisation for payment should be in place.
Procedures should also be in place to ensure that proper authorisation for payment is
obtained even when the relevant person is on leave or otherwise not available. A
system of delegating authority should be established for cases where a signatory is
absent.
Action plan
Great Farms will compile appropriate policies and procedures that take these
requirements into consideration.
Implementation date
31 July 2012
This activity demonstrates what a final internal audit report may include. After the
implementation dates these recommendations should be investigated to determine
whether they mitigate the associated risk appropriately. This process is called follow-up
reporting and is discussed in the next section.
3.5 FOLLOW-UP REPORTING
STUDY
• IPPF, Performance Standard 2500 as well as Implementation Guide 2500
• Performing Internal Audit Engagements, Par 9.10
• Internal Auditing: An Introduction, Par 6.7.5
• Revise all the sections in your undergraduate study material that relate to follow-up
reporting.
Follow-up engagements should be done to ensure that the work that has been done to date adds
value to the organisation. The main purpose of the follow-up audit is to determine whether
management has implemented the recommendations as it committed to in the action plan of
the engagement report.
If management has implemented the recommendations, the audit team will be able to evaluate
whether the new processes or controls mitigate the risks they were intended to address. If the
implemented recommendations fail to mitigate the risk, other recommendations should be
developed in collaboration with management.
ADDITIONAL READING
Read the articles on writing an internal audit report available at:
• https://institutes.theiia.org/sites/ethiopia/resources/Documents/CommunicatingInternal-Audit-Results.pptx
• http://iia.org.au/sf_docs/default-source/technical-resources/iia-australia-whitepaper-good-practice-internal-audit-reports.pdf?sfvrsn=2
ACTIVITY 14
Look for further articles that will give you insight into report writing.
MULTIMEDIA
Click on the hyperlinks below to view the following YouTube video:
https://youtu.be/WbPx6jMgbYA
❖ View the screencast on internal audit report writing that is available on myUnisa.
ACTIVITY 15
Use the internal audit report from the previous two activities and determine what you
would include in the follow-up audit and when the best time for these engagements
would be.
FEEDBACK
The following issues should be included in the follow-up engagement:
• Levying of penalty fees because of missed deadlines. This can be done after the
next payment has been made.
• The programme of delegating authority in which proper segregation of duties is
stated.
• All goals should have agreed upon completion dates in future.
• The policies and procedures document that must be compiled will be included in the
follow-up engagement. This engagement should take place after 31 July 2012.
ONLINE ASSESSMENT QUESTION
Do the online assessment multiple-choice questions on myUnisa.
SUMMARY
This learning unit focused on compiling the internal audit report and reporting to the
engagement client. The best way to communicate the findings of the engagement
report will be discussed in module AUI4861.
In the next part you will be studying the different types of audit performed, i.e. financial,
compliance audit, operational audit, forensic audit and IT audit.
The figure below explains the differences between financial, compliance and operational
audits, which are discussed in the topics that follow.
Source: www.theiia.org
PART 2
Integrated applications in the internal audit process
Contents
TOPIC 2: Financial system auditing 50
TOPIC 3: Compliance auditing 73
TOPIC 4: Operational auditing 95
TOPIC 5: Fraud investigations 133
TOPIC 6: Auditing of advanced IT systems 169
TOPIC 7: Performing information technology-based audits 209
TOPIC 2
Financial systems auditing
Contents
LEARNING UNIT 4: Financial systems audit planning 52
LEARNING UNIT 5: Conducting financial systems audits 59
LEARNING UNIT 6: Reporting on financial systems audits 66
INTRODUCTION TO AND PURPOSE OF THE TOPIC
The drive for operational excellence requires many financial executives to routinely re-evaluate
their company’s financial processes to see whether there are areas where improvement is needed.
The need for financial systems auditing arises from the importance of the financial systems to the
achievement of the organisations’ financial objectives.
The aim of this topic is to provide guidance as to how to perform a financial systems audit.
Financial systems auditing can be described as the analysis of the economic activity of an entity as
measured and reported by accounting methods. Financial systems auditing is the assurance
activity which is most closely related to external auditing.
Stated broadly, the objectives of a financial systems audit pertain to the presentation of reliable
published financial statements, including prevention of fraudulent public financial reporting. The
objectives are driven primarily by external requirements, i.e. international accounting standards.
The different financial cycles to be discussed in this topic are:
• Revenue and receipts cycle
• Purchases and payments cycle
• Inventories, production and warehousing cycle
• Human resources and payroll cycle
• Bank and Cash
In your undergraduate studies you were exposed to the full process of financial systems auditing
and became skilled in applying the theoretical concepts and the appropriate internal auditing
approach when performing such audits.
In this topic the focus is on providing case studies and examples of financial systems auditing and
to provide you with the opportunity to research different approaches and applications of financial
systems auditing on the different financial cycles.
The practical performance of financial systems auditing is discussed in this topic, using three
learning units that deal comprehensively with each individual phase of the internal auditing
process.
MULTIMEDIA
Please access the podcast on myUnisa to assist you in your studies of topic 3.
LEARNING OUTCOMES
After you have studied this topic, you should be able to:
● plan the audit process according to applicable standards
● formulate audit procedures
● compile the audit report
● communicate the audit results
Learning unit 4
Financial systems audit planning
Contents
4.1 INTRODUCTION 52
4.2 AUDIT ENGAGEMENT CONSIDERATIONS 53
4.3 THE PLANNING PHASE 57
4.1 INTRODUCTION
“In preparing for battle I have always found that plans are useless, but planning is
indispensable.” Dwight D. Eisenhower, the 34th American president, truly knew the value of
proper planning.
This learning unit deals with the first and one of the most important steps in the auditing
process. As in the case of any other internal audit approach, the planning stage of a
financial systems audit is imperative to the success of the audit. Of all the elements of
planning, establishing the critical risks and problem areas is the most important.
REFLECTION
It is important that you revise the underlying technical knowledge and expertise you
obtained at undergraduate level before you continue with the rest of this learning unit.
This includes the IPPF.
READ
https://www.iia.org.uk/resources/delivering-internal-audit/how-to-plan-an-auditengagement/?downloadPdf=true
4.2 AUDIT ENGAGEMENT CONSIDERATIONS
In this learning unit all the steps of the engagement process are described for each of the
cycles. This is done according to the risk-based approach.
STUDY
• All the sections in your undergraduate study material that relate to financial audits.
• Study the following in Performing Internal Audit Engagements (2017):

Chapter   Cycle                                          Topic
3         Revenue and receipts cycle                     Accounting system and control activities
4         Purchases and payments cycle                   Accounting system and control activities
5         Inventory, production and warehousing cycle    Accounting system and control activities
6         Human Resources and Payroll cycle              Accounting system and control activities
7         Bank and Cash                                  Accounting system and control activities

For each of these chapters the topic covers the following sections:
• Introduction
• The internal audit approach
• Characteristics of the cycle
• System description
• Documents
• Flow charts
• Information and communication technology
• Internal controls
• Risk and typical control activities
A proper understanding of a financial system and the different accounting cycles involved is
required before audit objectives can be determined and an audit can be performed on the financial
system.
It is very important to understand the following concepts for each of the cycles:
• the major activities in the cycle
• the documents used in the cycle
• a narrative description of the cycle
• the characteristics of a good internal control for the cycle
The following typical cycle flowchart could help you to understand all the above concepts:
[Typical cycle flowchart: not reproduced in this extract]
The functions above will differ depending on the cycle you are to audit. While
determining the objectives of the engagement, the internal auditor must take
cognisance of the main purpose of the relevant cycle as this will impact on the risk
assessment of the audit unit and ultimately on the audit procedures and the success of
the internal audit engagement.
Since this topic deals only with the financial aspects, the internal auditor will focus on
the:
• reliability and integrity of the financial information
• safeguarding of assets
• compliance with laws, regulations and contracts that have a direct impact on specific
cycles
In the audit of financial statements, the external auditor’s aim would be to obtain
sufficient appropriate audit evidence by performing audit procedures to afford a
reasonable basis for an opinion regarding the financial statements under audit. The
external auditor should design and perform further audit procedures whose nature,
timing and extent are responsive to the assessed risks of material misstatement at the
relevant assertion level.
Implementation Guide 2130.A1-1 states: “The responsibility of the internal auditor is to
evaluate the adequacy and effectiveness of controls in responding to risks within the
organisation’s governance, operations and information systems regarding the:
• Achievement of the organization's strategic objectives;
• Reliability and integrity of financial and operational information;
• Effectiveness and efficiency of operations and programmes;
• Safeguarding of assets; and
• Compliance with laws, regulations, policies, procedures and contracts.”
During a financial systems audit, the evidence obtained relates to the reliability and
integrity of financial information. When an internal auditor conducts such audits, the
information is normally intended to be used by management for internal decision-making
purposes. The audit may involve both operating and financial data. Financial audits normally
include a review of the accuracy and completeness of the numbers themselves and an
evaluation of the adequacy and effectiveness of the controls that management has
implemented to safeguard assets.
Auditing of financial statements is directed at assessing the accuracy of financial reports
relating to financial conditions and operating performance.
ACTIVITY 16
Discuss the following quote with reference to internal audit planning: “It pays to plan
ahead. It wasn’t raining when Noah built the ark.”
FEEDBACK
Join the Discussion Forum on myUnisa regarding internal audit planning.
4.3 THE PLANNING PHASE
READ
Read “Risk rating the audit universe” by Bruce McCuaig, Internal Auditing, Jul/Aug 2008,
Vol. 24, Iss. 4, p. 10:
http://svn2.assembla.com/svn/GSIDEI/Bibliografia/RISK_RATING_THE_AUDIT_UNIVERSE.pdf
STUDY
Study the following in Internal Auditing: An Introduction Engagements (2017): Par 6.6
Planning the engagement
Apply this knowledge to each of the cycles identified for purposes of this learning unit:
• Revenue and receipts cycle
• Purchases and payments cycle
• Inventory, production and warehousing cycle
• Human Resources and Payroll cycle
• Bank and Cash
The internal auditor must perform a preliminary survey to obtain the necessary
understanding of the engagement activity. The results of the preliminary survey should
enable the internal auditor to understand the specific financial system and the impact of
the associated risks on the organisational objectives.
ACTIVITY 17
Join the debate on myUnisa (Discussion Forum) on the need for the IAA to perform
financial system audits when external audit already focuses extensively on these cycles.
FEEDBACK
Focus on the definition, value-adding role and purpose of internal auditing as opposed to
those of external auditing.
ONLINE ASSESSMENT QUESTION
Do the online assessment multiple-choice questions on myUnisa.
SUMMARY
This learning unit focused on the aspects that an internal auditor should take into
consideration while planning a financial systems audit.
Learning unit 5
Conducting financial systems audits
Contents
5.1 INTRODUCTION 59
5.2 FORMULATE AND CONDUCT AUDIT PROCEDURES 60
5.1 INTRODUCTION
This learning unit deals with the aspects necessary to formulate and perform the audit procedures
required during the execution of a financial systems audit.
STUDY
Study the following in Performing Internal Audit Engagements (2017):

Chapter   Cycle                                          Topic
3         Revenue and receipts cycle                     Auditing the cycle
4         Purchases and payment cycle                    Auditing the cycle
5         Inventory, production and warehousing cycle    Auditing the cycle
6         Human Resources and Payroll cycle              Auditing the cycle

For each of these chapters the topic covers:
• Control effectiveness testing / Engagement procedures
• Substantive procedures for the audit of debtors
5.2 FORMULATE AND CONDUCT AUDIT PROCEDURES
STUDY
Study “Audit Procedures” and “Analytical procedures” under Additional Resources –
Additional Guidance on myUnisa.
NOTE:
Internal auditors apply engagement procedures to obtain sufficient, competent,
relevant and useful information that will achieve the engagement’s objectives.
REFLECTION
Refer to the Additional Resources on myUnisa on the topic of “Audit procedures –
financial audit”.
Engagement procedure/test of controls
Engagement procedures are performed to conclude as to the operating effectiveness of
controls over the different accounting cycles. The internal auditor’s identified control risk
refers to the adequacy and effectiveness of the system of internal control in respect of
the accounting system under scrutiny.
If the system of internal control is found to be adequate and effective, the internal
auditor knows that reliance can be placed on the system to function as intended.
Engagement procedures are performed only on those controls that the internal auditor
has determined to have been suitably designed to address the audit objective.
Substantive testing
Substantive testing is performed to detect material misstatements at the relevant
assertion level and includes test of details of classes of transactions, account balances
and analytical review procedures.
Substantive testing is important because the internal auditor's assessment of risk is
judgmental and may not be sufficient to identify all risks (audit risk). Furthermore,
internal control has inherent limitations.
MULTIMEDIA
Click on the hyperlink below to view the following YouTube videos:
https://youtu.be/BIjyLY5uopo
https://youtu.be/g55oocoZiVY
https://youtu.be/4aAtPzamSGw
https://youtu.be/ncYYY5xU3Oo
https://youtu.be/6XP8qnVNI5g
https://youtu.be/LAmK67FR-Oc
https://youtu.be/ZEXy6SbeFXU
NOTE:
The YouTube videos relate mostly to an external audit of financial statements. Keep that in
mind when watching these videos.
Substantive procedures include tests of detail and substantive analytical procedures.
Substantive analytical procedures are generally more applicable to large volumes of
transactions that tend to be predictable over time.
The internal auditor should plan substantive procedures to be responsive to the planned
detection risk.
ACTIVITY 18
You are reviewing the credit sales and debtors function at Adco Limited. Adco Limited
supplies chronic medication to people with chronic illnesses, who are members of
participating medical aid funds. In the past you found that sales matched budgeted sales
projections with an accuracy of 80%. You have planned to perform analytical review
procedures to fully substantiate sales recorded during the current financial year.
Deliveries are made on a monthly basis to all chronic patients registered for the chronic
programme through their medical aids and their accounts are settled on a monthly basis
by their respective medical aids. You have used computer-assisted audit techniques to
extract the following statistics from Adco’s database for further analysis:
Product sales            Budget per month   March actual   April actual   May actual
Product A                3 500 units        2 600 units    3 000 units    2 800 units
Product B                4 500 units        5 800 units    4 900 units    5 600 units
Product C                2 300 units        1 100 units    3 200 units    4 100 units
Total monthly debtors    R6 900 300         R5 400 200     R7 300 600     R8 500 400
Total monthly sales      R6 300 200         R8 600 400     R7 400 300     R6 900 600

Patient     Last year's average monthly sales   March actual   April actual   May actual
Patient A   360 units                           250 units      460 units      180 units
Patient B   125 units                           125 units      125 units      125 units
Patient C   95 units                            110 units      220 units      80 units
REQUIRED
1. Indicate the analytical techniques you would use to review the information you have
extracted and describe the meaning of your results and their impact on your
substantive audit procedures.
2. Describe the additional substantive procedures you would use to verify sales.
FEEDBACK
1. Analytical review techniques

Monthly sales as a percentage of budgeted units per product

Product         Budget        March     April     May       Average
A               3 500 units   74.29%    85.71%    80.00%    80.00%
B               4 500 units   128.89%   108.89%   124.44%   120.74%
C               2 300 units   47.83%    139.13%   178.26%   121.74%
Total average                                               107.49%

The actual sales recorded for products B and C do not follow the 80% budget projection.
The average deviation from budget is 107.5%, which is a significant deviation. This
indicates a change in the economic environment, a problem with the method used to
budget or problems with the recording of sales. Since all the accounts are settled on a
monthly basis by the medical aids, there should be a high correlation between the debtors
and the sales of the previous month.

Actual monthly debtors and sales as a percentage of budget

          Budget      March     April     May       Average
Debtors   6 500 300   83.08%    112.31%   130.77%   108.72%
Sales     6 300 200   136.51%   117.46%   109.53%   121.17%

With chronic medicine there should be a more stable sales pattern and debtors should
not be older than a month as the medical aids settle the outstanding amounts within a
month after the sales transaction.

Debtors as a percentage of the previous month’s sales

          April    May
Debtors   84.89%   114.87%

None of the expected patterns were identified by the analytical review. This makes it
necessary to perform more extensive substantive audit procedures on both sales and
debtors.

Compare the monthly sales per patient with last year’s average.

Patient   Last year   March     April     May       Average
A         360         69.44%    127.78%   50.00%    0.82
B         125         100.00%   100.00%   100.00%   1.00
C         95          115.79%   84.21%    84.21%    1.44

The patients should have the same sales on a monthly basis after any price increases are
taken into account. This expected pattern is not supported by the information.
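The analytical review in the feedback above can be reproduced and checked programmatically. The Python script below is an added example and not part of the study guide: it recomputes every ratio from the raw figures in the activity (taking R6 500 300 as the debtors budget, the figure the feedback table uses) and flags rows whose average lands too far from the expected level. The 80% expected level for products comes from the activity's statement that sales have historically matched budget with 80% accuracy; the 100% expected level for patients and the five-percentage-point tolerance are assumed thresholds chosen for the example.

```python
"""Analytical review of the Adco figures from Activity 18.

Added example, not part of the study guide. Every ratio is recomputed from the
raw activity figures so that the printed feedback tables can be checked. The
debtors budget of R6 500 300 is the figure the feedback table uses; the
expected levels and the 5-point tolerance in the flagging rule are assumptions.
"""
from typing import Dict, List, Tuple

MONTHS = ["March", "April", "May"]

# Units per product: (budget per month, [March, April, May] actuals).
PRODUCT_SALES: Dict[str, Tuple[float, List[float]]] = {
    "A": (3_500, [2_600, 3_000, 2_800]),
    "B": (4_500, [5_800, 4_900, 5_600]),
    "C": (2_300, [1_100, 3_200, 4_100]),
}

# Rand totals: (budget, [March, April, May] actuals).
MONTHLY_TOTALS: Dict[str, Tuple[float, List[float]]] = {
    "Debtors": (6_500_300, [5_400_200, 7_300_600, 8_500_400]),
    "Sales": (6_300_200, [8_600_400, 7_400_300, 6_900_600]),
}

# Units per patient: (last year's monthly average, [March, April, May] actuals).
PATIENT_SALES: Dict[str, Tuple[float, List[float]]] = {
    "A": (360, [250, 460, 180]),
    "B": (125, [125, 125, 125]),
    "C": (95, [110, 220, 80]),
}


def pct_of_expected(expected: float, actuals: List[float]) -> List[float]:
    """Each actual as a percentage of the expected figure, rounded to 2 dp."""
    return [round(100.0 * a / expected, 2) for a in actuals]


def mean(values: List[float]) -> float:
    """Arithmetic mean rounded to 2 dp."""
    return round(sum(values) / len(values), 2)


def variance_table(data: Dict[str, Tuple[float, List[float]]]) -> Dict[str, Tuple[List[float], float]]:
    """Per row: (monthly percentages of expected, average of those percentages).

    Averaging the already-rounded monthly percentages mirrors how the feedback
    tables are built."""
    table: Dict[str, Tuple[List[float], float]] = {}
    for key, (expected, actuals) in data.items():
        pcts = pct_of_expected(expected, actuals)
        table[key] = (pcts, mean(pcts))
    return table


def overall_average(table: Dict[str, Tuple[List[float], float]]) -> float:
    """Average of the row averages (the 'Total average' line of the feedback)."""
    return mean([avg for _, avg in table.values()])


def debtors_vs_previous_month_sales(debtors: List[float], sales: List[float]) -> Dict[str, float]:
    """Month-end debtors as a percentage of the previous month's sales.

    Medical aids settle within a month, so the ratio is expected to sit near
    100%. March has no prior month in the extract and is skipped."""
    return {MONTHS[i]: round(100.0 * debtors[i] / sales[i - 1], 2)
            for i in range(1, len(MONTHS))}


def flag_rows(table: Dict[str, Tuple[List[float], float]],
              expected_pct: float, tolerance_pct: float) -> List[str]:
    """Rows whose average lies more than tolerance_pct points from expected_pct.

    These are the items on which substantive procedures must be extended."""
    return sorted(key for key, (_, avg) in table.items()
                  if abs(avg - expected_pct) > tolerance_pct)


if __name__ == "__main__":
    products = variance_table(PRODUCT_SALES)
    for key, (pcts, avg) in products.items():
        print(f"Product {key}: {pcts} average {avg}%")
    print("Total average:", overall_average(products))
    print("Flagged products:", flag_rows(products, expected_pct=80.0, tolerance_pct=5.0))
    print("Debtors vs previous month's sales:",
          debtors_vs_previous_month_sales(MONTHLY_TOTALS["Debtors"][1], MONTHLY_TOTALS["Sales"][1]))
    patients = variance_table(PATIENT_SALES)
    print("Flagged patients:", flag_rows(patients, expected_pct=100.0, tolerance_pct=5.0))
```

Because the script works from the raw figures, any printed ratio that does not match its output should be rechecked against the source data before it drives the extent of substantive testing; the flagged rows (products B and C, patients A and C) are exactly those the feedback singles out for further work.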
2. Substantive audit procedures on sales
Select a statistical sample of debtors who are listed as chronic patients and perform the
following substantive procedures:
Extract the monthly chronic medicine required for each of the selected patients from
their permanent files and compare it to a doctor’s prescription.
Select the sales recorded for that patient for the year and compare the patient’s total
medicine received for the year with the prescription. Follow up on any differences.
For the selected sales:
• Agree the detail of the sale to a delivery note signed by the patient.
• Agree the details of the medicine required by the patient to the medicine received per
the delivery note and sales invoice.
• Compare the monthly sales of the selected patients with their chronic medicine
requirement and investigate any changes in volume on a month-to-month basis, i.e.
changes that deviate from the normal monthly prescription.
Compare the prices charged for the delivered medicines with the authorised prices as per
the approved price lists.
Use Computer-assisted Audit Tools (CAATs) to compare the list of chronic patients with
the sales in order to identify patients for whom no sales were recorded. Follow up all
identified cases.
Use CAATs to compare the monthly sales with the list of chronic patients to identify any
patient who has not received any medicine in any given month. Follow up all identified
cases.
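The CAAT comparisons and the delivery-note, prescription and price checks listed above are all exception tests over two data sets: the chronic patient register and the sales extract. The script below is an added example and not part of the study guide; the patient register, the authorised price list and the sales records are constructed for the example (in practice they would be pulled from the patient master file, the approved price list and the sales ledger), and the patient and product identifiers are hypothetical. It shows each substantive procedure as a function that returns the cases to follow up.

```python
"""CAAT-style exception tests for the Adco chronic-medicine sales.

Added example, not part of the study guide. The register, price list and sales
extract are constructed so that each test surfaces at least one exception. The
functions implement the substantive procedures from the feedback: patients with
no sales, patient-months with no delivery, deliveries that deviate from the
prescription, prices that differ from the authorised list, and deliveries with
no signed delivery note.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Sale:
    patient_id: str
    month: str          # "YYYY-MM"
    product: str
    units: int
    unit_price: float
    signed_note: bool   # delivery note signed by the patient


MONTHS = ["2012-03", "2012-04", "2012-05"]

# Constructed register: chronic patient -> prescribed monthly units per product.
CHRONIC_PATIENTS: Dict[str, Dict[str, int]] = {
    "P001": {"A": 30},
    "P002": {"B": 60},
    "P003": {"A": 30, "C": 10},
    "P004": {"C": 20},          # registered, but no sales recorded at all
}

# Constructed approved price list (rand per unit).
AUTHORISED_PRICES: Dict[str, float] = {"A": 120.00, "B": 85.50, "C": 210.00}

# Constructed sales extract carrying the exceptions the tests should surface.
SALES: List[Sale] = [
    Sale("P001", "2012-03", "A", 30, 120.00, True),
    Sale("P001", "2012-04", "A", 30, 120.00, True),
    Sale("P001", "2012-05", "A", 60, 120.00, False),   # double the script, unsigned note
    Sale("P002", "2012-03", "B", 60, 85.50, True),
    Sale("P002", "2012-05", "B", 60, 99.00, True),     # April missing; price above list
    Sale("P003", "2012-03", "A", 30, 120.00, True),
    Sale("P003", "2012-03", "C", 10, 210.00, True),
    Sale("P003", "2012-04", "A", 30, 120.00, True),
    Sale("P003", "2012-04", "C", 10, 210.00, True),
    Sale("P003", "2012-05", "A", 30, 120.00, True),
    Sale("P003", "2012-05", "C", 10, 210.00, True),
    Sale("P999", "2012-04", "A", 30, 120.00, True),    # not on the chronic register
]


def patients_without_sales(register: Dict[str, Dict[str, int]], sales: List[Sale]) -> List[str]:
    """Registered chronic patients for whom no sale at all was recorded."""
    sold_to = {s.patient_id for s in sales}
    return sorted(p for p in register if p not in sold_to)


def unregistered_patients_with_sales(register: Dict[str, Dict[str, int]], sales: List[Sale]) -> List[str]:
    """Patients on the sales extract who are not on the chronic register."""
    return sorted({s.patient_id for s in sales} - set(register))


def patient_months_without_delivery(register: Dict[str, Dict[str, int]], sales: List[Sale],
                                    months: List[str]) -> List[Tuple[str, str]]:
    """(patient, month) pairs in which a registered patient received nothing."""
    delivered = {(s.patient_id, s.month) for s in sales}
    return sorted((p, m) for p in register for m in months if (p, m) not in delivered)


def prescription_variances(register: Dict[str, Dict[str, int]],
                           sales: List[Sale]) -> List[Tuple[str, str, str, int, int]]:
    """Deliveries whose units differ from the prescribed monthly quantity."""
    out = []
    for s in sales:
        prescribed = register.get(s.patient_id, {}).get(s.product)
        if prescribed is not None and s.units != prescribed:
            out.append((s.patient_id, s.month, s.product, s.units, prescribed))
    return sorted(out)


def price_exceptions(sales: List[Sale],
                     price_list: Dict[str, float]) -> List[Tuple[str, str, str, float, float]]:
    """Sales priced differently from the authorised price list."""
    return sorted((s.patient_id, s.month, s.product, s.unit_price, price_list[s.product])
                  for s in sales if abs(s.unit_price - price_list[s.product]) > 0.005)


def unsigned_deliveries(sales: List[Sale]) -> List[Tuple[str, str, str]]:
    """Deliveries with no signed delivery note to support the sale."""
    return sorted((s.patient_id, s.month, s.product) for s in sales if not s.signed_note)


if __name__ == "__main__":
    print("No sales at all:", patients_without_sales(CHRONIC_PATIENTS, SALES))
    print("Not on register:", unregistered_patients_with_sales(CHRONIC_PATIENTS, SALES))
    print("Missed months:", patient_months_without_delivery(CHRONIC_PATIENTS, SALES, MONTHS))
    print("Prescription variances:", prescription_variances(CHRONIC_PATIENTS, SALES))
    print("Price exceptions:", price_exceptions(SALES, AUTHORISED_PRICES))
    print("Unsigned notes:", unsigned_deliveries(SALES))
```

Each function returns a sorted list so that the exception report is stable between runs and can be filed as working paper evidence; every returned item is a case to follow up, and an empty list is the evidence that the test found nothing.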
SUMMARY
This learning unit focused on the aspects that an internal auditor should take into
consideration when formulating and performing audit procedures for a financial
systems audit.
Learning unit 6
Reporting on financial systems audits
Contents
6.1 INTRODUCTION 66
6.2 THE INTERNAL AUDIT REPORT 67
6.1 INTRODUCTION
In most organisations, reports are a standard management tool used to manage the
organisation effectively by getting timely and relevant information for decision-making.
Writing a good report can be the difference between achieving your objective or failing
to do so. An effective report can contribute to business success and assist greatly in the
process of planning and decision making.
Reporting is the final medium through which the result of the internal audit engagement
is communicated. These reports are communicated in a very well-defined and formal
manner throughout the organisation and to very high levels within the organisation. If
the report is not properly issued in a timely manner, some of the effectiveness of the
engagement can be lost.
The basic guidelines for report writing are the same, irrespective of the type of report
being written. Even internal auditors with good writing skills may sometimes find
themselves unable to write good reports. In this learning unit guidelines will be given to
assist internal auditors to write an internal audit report.
STUDY
Study the following in Performing Internal Audit Engagements (2017):
• Par 3.11 (p 139)
• Par 4.11 (p 197)
• Par 5.10 (p 254)
• Par 6.11 (p 321)
• Par 7.10 (p 357)
6.2 THE INTERNAL AUDIT REPORT
REFLECTION
Refer to topic 2 for a detailed discussion on internal audit reporting.
Refer to Additional Resources on myUnisa on “A simple approach to developing an
audit finding”.
SUMMARY
This learning unit focused on writing an internal audit report for a financial systems
audit.
TOPIC 3
Compliance auditing
Contents
LEARNING UNIT 7: Compliance audit planning 71
LEARNING UNIT 8: Conducting compliance audits 82
LEARNING UNIT 9: Reporting on compliance 86
INTRODUCTION TO AND PURPOSE OF THE TOPIC
The South African business environment is currently experiencing the impact of changes to
numerous regulatory requirements including the Companies Act and the issue of the King IV Report
on Corporate Governance in 2016. King IV strengthens the position in the Companies Act 2008,
namely that the governing body of an organisation is ultimately responsible for the organisation
and needs to be held accountable for its actions.
These amendments were deemed necessary in light of the continuous increase in the number of
organisations and high-profile persons implicated in illegal transactions and activities. The
changes in the regulatory environment increase the risk of non-compliance experienced by
organisations and likewise impact on the internal audit plans compiled by the CAE and audit
committees.
The aim of this topic is to provide guidance to you as a postgraduate student in internal auditing on
how to plan a compliance audit, how to conduct the audit and how to communicate the results in
adherence to the applicable standards and guidance provided in the IPPF. You have already gained
knowledge on this in your undergraduate studies and the aim now is for us to provide you with
practical examples and activities to apply your knowledge and skill, so that you can become
proficient in conducting these types of audit.
Please be advised that compliance does not only refer to legislation but can also refer to company
procedures, codes of conduct and/or policies. We will highlight the different forms of legislation you
might encounter and attempt to provide you with a template on how to conduct a compliance audit
regardless of the legislation involved.
In this topic we focus on the following specific outcome: “conducting compliance audits”. After you
have completed your study of this topic you will have refreshed your theoretical knowledge of
compliance auditing and through participation in the activities provided to you, you will have
developed the practical skills required to become more proficient in compliance auditing.
The IPPF issued by the IIA defines internal auditing as an independent, objective assurance and
consulting activity designed to add value and improve an organisation’s operations. The IAA should
evaluate risk exposures and the adequacy and effectiveness of controls encompassing the
organisation’s governance, operations and information systems. This includes compliance with
laws, regulations and contract terms and conditions.
Compliance can be defined as conformity and adherence to applicable laws and regulations as well
as policies, plans, procedures, contracts or other requirements.
Laws and regulations are imposed externally and must be complied with. Inadequate information
systems may lead to the organisation inadvertently breaching the laws of the country, resulting in
losses in terms of fines and penalties. Compliance audits are carried out in order to determine
whether a business entity has complied with specific policies, plans, procedures, laws, regulations
or contracts that affect the organisation.
COSO described internal control as follows:
“A process effected by an entity’s board of directors, management and other personnel, designed
to provide reasonable assurance regarding the achievement of objectives in the following
categories:
• Effectiveness and efficiency of operations;
• Reliability of financial reporting; and
• Compliance with applicable laws and regulations”
It is clear that compliance with laws and regulations (externally created) and policies and
procedures (internally developed by the organisation) is very important to the IAA.
REFLECTION
Refer to your prescribed textbook, Performing Internal Audit Engagements, page 3.
From an organisational and board of directors’ perspective, the possibility of fines and penalties,
even the imprisonment of directors due to non-compliance with laws and regulations, the shutdown of
operations, as well as the loss of reputation and/or customer goodwill, will ensure that effort is
placed on ensuring compliance.
AUI4863/SG
A compliance audit is a comprehensive review of an organisation’s adherence to regulatory
guidelines, as well as internal policies and procedures developed by management to ensure
objectives are met. What precisely is examined in a compliance audit will vary depending upon the
nature of the organisation and the regulatory requirements applicable to it.
In this topic we discuss compliance auditing based upon different examples of regulatory
frameworks. Some of the South African regulatory frameworks you should take note of are:
• Companies Act of 2008
• King IV Report on Governance (though not legally enforceable)
• Public Finance Management Act (PFMA)
• Municipal Finance Management Act (MFMA)
• Occupational Health and Safety Act of 1993
MULTIMEDIA
Please access the podcast on myUnisa to assist you in your studies of topic 4.
As an internal auditor you should be aware of all these frameworks, but you should have an in-depth
knowledge of the requirements applicable to the organisations you are involved with.
LEARNING OUTCOMES
After you have studied this topic, you should be able to
● plan the compliance audit according to applicable standards
● formulate the audit procedures
● compile the audit report
Learning unit 7
Compliance audit planning
Contents
7.1 INTRODUCTION ........................................................................ 71
7.2 AUDIT ENGAGEMENT CONSIDERATIONS ..................................................... 71
7.3 THE NATURE OF INTERNAL AUDIT ENGAGEMENTS ............................................ 73
7.4 PLANNING THE COMPLIANCE AUDIT ....................................................... 74
7.1 INTRODUCTION
This learning unit deals with the aspects necessary to properly plan a compliance audit
engagement.
The planning of a compliance audit is not in any way different from planning any of the
other types of internal audit engagements. The same planning steps are followed
regardless of whether a compliance, financial or operational audit is conducted. In this
learning unit, the aim will be to introduce examples of different planning scenarios in
respect of different compliance audits.
STUDY
• Assurance: An Audit Perspective, par 2.8.1 & 3.3.1
• Internal Auditing: An Introduction, par 6.6
• Performing Internal Audit Engagements, par 1.3
• All the sections in your undergraduate study material that relate to compliance audits
7.2 AUDIT ENGAGEMENT CONSIDERATIONS
STUDY
Study the IPPF, Attribute Standards 1200 to 1210.C1 as well as the Implementation
Guides 1200 and 1210.
It is important for the internal auditor to identify the nature of an engagement as soon as
possible in order to assess whether or not the internal auditor is able to perform the
engagement with the required level of professional proficiency.
As indicated before, compliance requirements depend on the organisation’s legal
environment. It is not possible for an internal auditor to be versed in all the different
regulatory requirements. It is, however, imperative for the internal auditor to have
knowledge of legislation relevant to the organisation.
For example, where an organisation is a manufacturing concern it will most certainly
require compliance with the Occupational Health and Safety Act, 1993 as well as
environmental waste management regulations.
Public sector companies should comply with the PFMA of 1999 or the MFMA and any
other relevant incorporation act that gives the organisation legal standing.
The inherent nature of a compliance audit is that of an assurance engagement, but in
some circumstances it can be deemed to be a consulting engagement. Auditing an
organisation’s compliance with the regulations governing that organisation will form part of
the annual internal audit plan. Requests made by the audit committee to audit an
organisation’s compliance and/or the impact on operations of changes in legislation
may be deemed to be more of a consulting engagement.
Once the type of compliance engagement has been identified the impact of the type of
engagement on the IAA's resources should be considered. In this you should consider
the role the internal auditor should play, the type of engagement, the availability of
resources and the responsibility of the IAA to add value and improve the operations of
the activity or organisation.
Where the IAA does not have the required knowledge and skills, in situations where the
regulatory requirements are very advanced and/or unique the services of a specialist
should be sourced.
ACTIVITY 19
Perform desktop research and identify all the legislative requirements (Acts) Eskom
Holdings Limited (Eskom) should adhere to. (Exclude those Acts relevant to human
resource issues.)
FEEDBACK
Join the Discussion Forum and place your comments. Feedback will be provided
afterwards.
7.3 THE NATURE OF INTERNAL AUDIT ENGAGEMENTS
STUDY
Study the IPPF, Attribute Standards: 1000.C1, 1130.C1 & C2, 1210.C1, 1220.C1, 2010.C1,
2120.C1 - C3, 2130.C1, 2201.C1, 2210.C1 & C2, 2220.C1 & C2, 2240.C1, 2330.C1, 2410.C1,
2440.C1 & C2, 2500.C1, as well as the glossary.
Study Performing Internal Audit Engagements, par 1.2.
An internal audit engagement can either be of an assurance or consulting nature. The
nature of the internal audit engagement is important as it determines the applicable
Standards to be used in the engagement. These two types of services are defined in the
Glossary to the International Standards for the Professional Practice of Internal Auditing
(Standards) in the IPPF as follows:
Assurance services
An assurance engagement is an engagement involving an objective examination of
evidence for the purpose of providing an independent assessment on governance, risk
management and control processes for the organisation. Examples may include
financial, performance, compliance, system security and due diligence engagements.
Consulting services
Advisory and related service activities, the nature and scope of which are agreed with
the customer, are intended to add value and improve an organisation’s governance,
risk management and control processes without the internal audit activity assuming
management responsibility. Examples include counsel, advice, facilitation and training.
There are different types of assurance engagements and there may be different
reasons for conducting each of them. The type of engagement and reasons for
performing the engagement are significant in how the engagement is performed.
There are a number of reasons for performing assurance engagements:
• The engagement was identified in the annual internal audit plan because of
the risk assessment process.
• The engagement is part of an annual legislative requirement.
• A recent event (natural disaster) has tested the process under unusual
circumstances and management requires a review to determine where the
process was effective and where improvement is required.
• Changes in the business or industry require changes to processes, and
management requires that the organisation’s processes be validated to
ensure that amendments to address these changes are adequate.
Whereas the nature and scope of an assurance engagement are determined by the IAA, the nature
and scope of a consulting engagement are subject to agreement with the engagement customer.
The consulting engagement process includes the same steps as the assurance process. However,
each step may not be necessary for every consulting engagement.
It is important to note that the nature of consulting services must be defined in the internal audit
charter. All standards applicable to consulting services are marked with a “C”.
7.4 PLANNING THE COMPLIANCE AUDIT
STUDY
• Internal Auditing: An Introduction, par 6.6.3
• Performing Internal Audit Engagements, par 8.1 – 8.3
• The IPPF, Attribute Standards 1210 to 2240.A1 as well as related Implementation
Guides.
In order to complete a compliance audit successfully, there must be established criteria
against which the compliance can be measured. Compliance objectives pertain to the
adherence to laws and regulations to which the entity is subject. They are dependent
on external factors such as environmental regulations and tend to be similar across all
entities in some cases and across an industry in others.
Compliance testing seeks to establish the degree to which control mechanisms are being
applied as prescribed and the results should highlight non-compliance in pursuit of the
defined test objective.
Once the engagement objectives are clear, the internal auditor must perform a
preliminary survey to obtain the necessary understanding of the engagement activity. It
is imperative that the results of the preliminary survey enable the internal auditor to
understand the impact of the non-compliance risks on the organisational objectives, the
risk assessment and risk management processes and the control system that enable
successful risk management. It is therefore important for the internal auditor to identify
the sections in the relevant legislation which pose the biggest risk to the organisation
and focus on those areas.
The following is a schematic presentation of the compliance risk universe in an
organisation.
Figure: Compliance risk universe
At this point an internal control questionnaire can be compiled to determine the level of compliance
and whether any controls exist to ensure compliance. It is important to have a good knowledge of
the relevant regulation to allow the internal auditor to focus the questionnaire on the important and
relevant sections of the regulations. The internal control questionnaire should be completed by the
staff members responsible for that particular area of compliance, and documentary evidence
should be provided for every affirmative answer given.
This is an example of such a questionnaire for the Occupational Health and Safety Act, 1993:
Nr    Details                                                                                  Yes  No  Comments
1.    Health & Safety Policy
1.1   Has top management defined and documented a health and safety policy?
1.2   Is the policy relevant to the activities and processes on site?
1.3   Is the policy documented and implemented?
1.4   Is it communicated to all staff members?
2.    Planning
2.1   Is there a procedure for the identification of health and safety hazards and risks?
2.2   Are the hazards evaluated to determine significance?
3.    Legal and other requirements
3.1   Has a procedure been developed for compliance with legal and other requirements?
3.2   Has a legal register for the site been developed and is the applicable legislation accessible?
3.3   Are legal requirements communicated to relevant persons in the organisation?
The above table is only an example of a possible internal control questionnaire. Similar
questionnaires can be compiled for any of the regulatory compliance audits.
ACTIVITY 20
Compile a compliance audit questionnaire for Eskom Holdings Limited (Eskom) in terms
of the Public Finance Management Act (PFMA).
FEEDBACK
An example of an internal control questionnaire for Eskom Holdings Limited (Eskom) in
terms of the PFMA:
Number  Section        Details                                                                                                              Yes  No  Comments
1.      56(1)          Have the powers entrusted or delegated to the accounting authority been delegated to other officials within the public entity?
2.      51(1)(a)(i)    Does the public entity have an effective, efficient and transparent system of financial and risk management and internal control?
3.      51(1)(a)(ii)   Does the public entity have a system of internal audit under the control and direction of an audit committee complying with and operating in accordance with regulations and instructions prescribed in terms of sections 76 and 77?
4.      TR27.1.1       Is the audit committee a sub-committee of the accounting authority?
5.      77(a)          Does the audit committee consist of at least 3 persons?
6.      77(b)          Does the audit committee meet at least twice a year?
7.      TR27.1.6       Does the audit committee operate in terms of written terms of reference?
8.      TR27.1.6       Are the terms of reference reviewed at least annually to ensure their relevance?
9.      27.1.8         Does the audit committee review the following:
                       • The effectiveness of the internal control systems;
                       • The effectiveness of internal audit;
                       • The risk areas of the entity’s operations to be covered in the scope of internal and external audits;
                       • The adequacy, reliability and accuracy of financial information provided to management and other users of such information;
                       • Any accounting and auditing concerns identified as a result of internal and external audits;
                       • The entity’s compliance with legal and regulatory provisions;
                       • The activities of the internal audit function, including its annual work programme, co-ordination with the external auditors, the reports of significant investigations and the responses of management to specific recommendations; and
                       • Where relevant, the independence and objectivity of the external auditors.
10.     TR27.1.10(a)   Does the audit committee report and make recommendations to the accounting authority?
11.     TR27.1.13      Does the audit committee meet annually with the Auditor-General or external auditors to ensure that there are no unresolved issues of concern?
12.     TR27.2.1       Are risk assessments conducted regularly to identify the public entity’s emerging risks?
                       Does the public entity have a risk management strategy (including a fraud prevention plan) to direct internal audit effort and priority and to determine the skills required of managers and staff to improve controls and to manage these risks?
                       If there is a risk management strategy, is it communicated to all employees?
13.     TR27.2.5       Are the purpose, authority and responsibility of the internal audit function defined in an audit charter?
14.     TR27.2.6       Are internal audits conducted in accordance with standards set by the IIA?
15.     TR27.2.7       Has the internal audit function prepared a three-year strategic internal audit plan based on the risks facing the public entity?
                       Does the internal audit function report to the audit committee detailing its performance against the plan?
        TR27.2.10      Does the internal audit function evaluate the following:
                       • The information systems environment;
                       • The reliability and integrity of financial and operational information;
                       • The effectiveness of operations;
                       • Safeguarding of assets; and
                       • Compliance with laws, regulations and controls.
16.     51(e)          Have effective and appropriate disciplinary steps been taken against any employee of the public entity who has:
                       • Contravened or failed to comply with a provision of the PFMA;
                       • Committed an act which undermined the financial management and internal control system of the public entity; and
                       • Made or permitted irregular or fruitless and wasteful expenditure.
17.     86(2)          Has the accounting authority been found guilty of an offence, or is there any investigation pending, relating to the wilful or negligent failure to comply with the provisions of section 50, 51 or 55?
18.     52             Did the accounting authority submit the following to the relevant treasury and to the accounting officer of the department at least one month before the start of the public entity’s financial year:
                       • A projection of revenue, expenditure and borrowings for the financial year in the prescribed format; and
                       • A corporate plan in the prescribed format covering the affairs of the public entity or business enterprise for the following three financial years, and if it has subsidiaries, also the affairs of the subsidiaries.
19.     51(1)          Does the public entity:
                       • Have an appropriate procurement and provisioning administration system, which is fair, equitable, transparent, competitive and cost-effective?
                       • Have a system for properly evaluating all major capital projects prior to final decision on the project?
                       • Collect all revenue due?
                       • Have mechanisms in place to prevent irregular and fruitless and wasteful expenditure?
                       • Manage available working capital efficiently and economically?
20.     55             Did the public entity submit the following to the relevant treasury, executive authority and Auditor-General within 5 months from the end of the financial year:
                       • An annual report on the activities of the public entity during that financial year;
                       • The financial statements for the financial year after the statements have been audited; and
                       • The report of the auditors on those statements.
                       Do the public entity’s annual report and financial statements present the state of affairs of the public entity, its business, its financial results, its performance against predetermined objectives and its financial position as at the end of the financial year concerned?
                       Do the annual report and financial statements include:
                       • Any material losses through criminal conduct and any irregular expenditure and fruitless and wasteful expenditure that occurred during the financial year;
                       • Any criminal or disciplinary steps taken as a consequence of such losses or irregular expenditure or fruitless and wasteful expenditure;
                       • Any losses recovered or written off;
                       • Any financial assistance received from the state and commitments made by the state on its behalf; and
                       • The financial statements of subsidiaries.
21.     65             Did the executive authority table the annual report and financial statements within one month after the accounting authority received the audit report?
                       If no, did the executive authority table an explanation in the legislature setting out the reasons why the annual report and financial statements were not tabled?
Other sections of the Treasury Regulations that can also be included are:
• TR33.1.1
• TR33.1.2
• TR33.2.1
• TR33.3.1
• TR30.1.3
• TR29.1.6
• TR29.3.1
• TR27.1.7
• TR28.1.1
• TR28.1.3
• TR29.1.1
• TR29.2
• TR30.1.1
• TR30.1.2
• TR29.1.3
• TR32.1.1
• TR30.2.1
• TR27.1.10
• TR28.1.2
• TR28.2.1
Please note that the questionnaire given is not an exhaustive list. More sections can be added
depending on the status of the control environment.
ADDITIONAL READING
Search for relevant internal audit compliance checklists on the internet.
SUMMARY
This learning unit focused on the aspects that an internal auditor should take into
consideration while planning a compliance audit engagement. Take note that the
examples relate to legislation only, but that the same approach will be followed to
perform a compliance audit on policies and procedures that were internally generated by
the organisation.
NOTES
Make your own notes here:
Learning unit 8
Conducting compliance audits
Contents
8.1 INTRODUCTION ........................................................................ 82
8.2 FORMULATE AND CONDUCT AUDIT PROCEDURES .............................................. 82
8.3 COMPLIANCE AUDIT TESTING ............................................................ 83
8.1 INTRODUCTION
This learning unit deals with the actions and considerations necessary to formulate and
perform the audit procedures required during the execution of a compliance
engagement.
STUDY
• Performance Standards 2300, 2310 and 2320 as well as Implementation Guides
2300, 2310 and 2320.
• Performing Internal Audit Engagements:
  • Par 3.7 (p 129)
  • Par 4.7 (p 186)
  • Par 5.7 (p 244)
  • Par 6.8 (p 315)
  • Par 7.7 (p 351)
  • Par 8.4 (p 372)
8.2 FORMULATE AND CONDUCT AUDIT PROCEDURES
Internal auditors apply engagement procedures to obtain sufficient, competent, relevant
and useful information that will achieve the engagement’s objectives. An example of
such an audit objective may be to ensure that Eskom Holdings Limited complies with the
PFMA.
REFLECTION
In module AUI2601, the formulation of an audit objective is discussed in detail. Make
sure that you understand how to formulate an audit objective before continuing with the
study of this learning unit.
ACTIVITY 21
Indicate the process and/or procedures the internal auditor should follow to derive this
particular audit objective. Do you believe the audit objective to be relevant for Eskom
Holdings Limited? Discuss your view on myUnisa, under the Discussion Forum.
ADDITIONAL READING
Read the following article: Ethics and compliance programs. Available at:
https://na.theiia.org/aboutus/Public%20Documents/Esther%20R.%20Sawyer%20Research%20Manuscrip%20Douglas%20Secrest.pdf
8.3 COMPLIANCE AUDIT TESTING
When performing compliance tests, one is testing the existence or otherwise of a
particular control. The test is of a yes/no nature: it determines whether an attribute is
present or not.
An example may be a test to determine the number of purchase invoices that have not
been authorised by a designated officer before being paid.
The focus of compliance auditing is on compliance with laws and regulations, statutes
and internal policies. A compliance audit therefore sets out to discover how well a unit or
organisation complies with an established set of “rules”.
The testing process in accordance with Implementation Guide 2310-1 can be illustrated
as follows:
1. Define the test objective
2. Perform the test
3. Interpret results
4. Determine the impact on audit objectives
5. Determine the next step
For compliance auditing, the internal control questionnaire can be adapted to present an audit
programme and used to perform the audit tests. Each requirement then becomes an audit
procedure that must be performed using relevant audit techniques.
For example:

Compliance Audit Checklist/ Working paper
Organisation:                    Department:                    Page:
Subject:                         Auditor:                       Date:
                                                                Audit ref:

Nr   Sec     Details                                                                                                    Yes  No  Comments  Evidence Examined  Findings & Observations  Result
1.   56(1)   Have the powers entrusted or delegated to the accounting authority been delegated to other officials within the public entity?

KEY: COM = Complies; MAJ = Major Non-compliance; MIN = Minor Non-compliance; OBS = Observation
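The following is an added example that is not part of the study guide, the prescribed textbooks or the IPPF. It shows how the yes/no attribute test described in 8.3 (purchase invoices paid without authorisation by a designated officer) can be run over a population of records, and how the exception count can be recorded against the COM/MAJ/MIN/OBS result key of the working paper above. The invoice records, the officer names and the 10% threshold separating a minor from a major non-compliance are constructed assumptions for illustration; the PFMA and the Standards prescribe no such threshold.

```python
"""Attribute (yes/no) compliance test over a constructed sample of paid purchase invoices.

Added example, not part of the study guide. The control under test is
"every purchase invoice is authorised by a designated officer before payment".
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Invoice:
    number: str
    amount: float
    authorised_by: Optional[str]   # officer who signed off, or None if nobody did
    paid: bool


# Constructed sample data (assumption; not real records of any organisation).
DESIGNATED_OFFICERS = {"A. Mokoena", "B. Naidoo"}

SAMPLE_INVOICES = [
    Invoice("INV-001", 1200.00, "A. Mokoena", True),
    Invoice("INV-002", 850.50, None, True),          # paid, never authorised
    Invoice("INV-003", 4300.00, "C. Smith", True),   # authorised by a non-designated person
    Invoice("INV-004", 99.99, "B. Naidoo", True),
    Invoice("INV-005", 700.00, None, False),         # not yet paid, so outside the test population
    Invoice("INV-006", 2500.00, "A. Mokoena", True),
]


def unauthorised_paid_invoices(invoices, designated):
    """Return the paid invoices that lack authorisation by a designated officer.

    Every paid invoice gets a yes/no answer: the attribute (authorisation by a
    designated officer) is either present or it is not.
    """
    return [inv for inv in invoices
            if inv.paid and inv.authorised_by not in designated]


def grade_result(exceptions, population, major_threshold=0.10):
    """Map an exception count to the working-paper result key.

    COM: no exceptions in the population.
    MIN: exception rate below major_threshold.
    MAJ: exception rate at or above major_threshold.
    OBS: nothing in scope, so only an observation can be recorded.
    The threshold is an illustrative assumption, not a prescribed value.
    """
    if population == 0:
        return "OBS"
    if exceptions == 0:
        return "COM"
    rate = exceptions / population
    return "MIN" if rate < major_threshold else "MAJ"


def run_authorisation_test(invoices, designated, major_threshold=0.10):
    """Perform the test, interpret the results and return one working-paper row."""
    in_scope = [inv for inv in invoices if inv.paid]
    exceptions = unauthorised_paid_invoices(invoices, designated)
    return {
        "population": len(in_scope),
        "exceptions": [inv.number for inv in exceptions],
        "exception_rate": (len(exceptions) / len(in_scope)) if in_scope else 0.0,
        "result": grade_result(len(exceptions), len(in_scope), major_threshold),
    }


if __name__ == "__main__":
    row = run_authorisation_test(SAMPLE_INVOICES, DESIGNATED_OFFICERS)
    print(f"Population: {row['population']}  Exceptions: {row['exceptions']}  "
          f"Rate: {row['exception_rate']:.0%}  Result: {row['result']}")
```

On the constructed sample, two of the five paid invoices fail the attribute test (one was never authorised, one was authorised by someone outside the designated list), so the row would be graded MAJ. The exception list is what goes into the "Evidence Examined" and "Findings & Observations" columns; the grade alone is not sufficient evidence.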
ACTIVITY 22
It is important to consider all the different engagement tools and techniques
available to the internal auditor during the performance of the audit procedures.
Make a list of different testing techniques available to the internal auditor
throughout the audit.
FEEDBACK
The testing techniques can consist of any one or any combination of the following:
• re-performance
• observation
• corroboration
• analytical review
• inspection
• reconciliation
• expert opinion
• interviews
• review of published reports/ research
• independent confirmation
• receiving the service as a client
• mathematical models
• questionnaires
• comparison
• user satisfaction surveys
Always remember that audit procedures are performed to enable the auditor to express
an opinion on the level of compliance, i.e. to what extent the audit objective is achieved.
ACTIVITY 23
Join the debate on myUnisa (Discussion Forum) on which position/person, within
Eskom Holdings Limited, you would interview to gather the most information about
the company’s compliance record?
SUMMARY
This learning unit focused on the aspects that an internal auditor should take into
consideration when formulating and performing audit procedures for a compliance
audit.
NOTES
Make your own notes here:
Learning unit 9
Reporting on compliance audits
Contents
9.1 INTRODUCTION ........................................................................ 86
9.2 THE INTERNAL AUDIT REPORT ........................................................... 87
9.1 INTRODUCTION
In most organisations, reports are a standard management tool. The quality of the
audit report can make the difference between achieving your objective or failing to do
so. An effective audit report can contribute to business success and assist greatly in the
process of planning and decision making.
The basic guidelines for report writing are the same, irrespective of the type of report
being written. Even internal auditors with good writing skills may sometimes find
themselves unable to write good reports. In this learning unit guidelines will be given to
assist internal auditors to write a compliance audit report.
STUDY
Performing Internal Audit Engagements:
• Par 8.4 (p 372)
• Par 8.7 (p 378)
Study Performance Standards 2400, 2410, 2410.A1, 2410.A2, 2420, 2421, 2430, 2431,
2440 and 2440.A1 as well as Implementation Guides 2400, 2410, 2420, 2440 and 2450.
9.2 THE INTERNAL AUDIT REPORT
REFLECTION
Refer to topic 2 for a detailed discussion on internal audit reporting.
READ
Go to myUnisa, under Additional Resources, to download relevant articles or guidance
on the topic of report writing.
ACTIVITY 24
Join the debate on myUnisa (Discussion Forum) discussing the truth of the following
statement: “The executive summary is the most important section of the internal audit
report”.
SUMMARY
This learning unit focused on writing an internal audit report for a compliance audit.
NOTES
Make your own notes here:
TOPIC 4
Operational auditing
Contents
LEARNING UNIT 10: Operational audit plan ................................................ 90
LEARNING UNIT 11: Conducting operational audits ......................................... 106
LEARNING UNIT 12: Reporting and follow-up on operational audits ......................... 117
INTRODUCTION TO AND PURPOSE OF THE TOPIC
In this topic the practice of operational auditing to the integrated level of professional skill is
presented. It provides an explanation of the full process of the performance of an operational audit.
MULTIMEDIA
Please access the podcast on myUnisa to assist you in your studies of topic 5.
REFLECTION
In your undergraduate studies of internal auditing you were exposed to the philosophy
and process of operational auditing. Before you continue with the study of this topic, you
should refer back to your undergraduate study material to refresh your knowledge of
operational auditing. After you have revised your undergraduate study material,
consider the following to evaluate the effectiveness of your revision:
● The overall objective of operational auditing is to promote maximum managerial
efficiency. Operational auditing focuses mainly on individual areas such as a
particular system or section in the organisation so that, in this respect, operational
auditing is similar to micro-risk evaluation.
● In practice it is difficult to differentiate between a financial audit and an operational
audit when any business process is exposed to an internal audit evaluation.
Depending on the specific objectives of the engagement, combining the two types
can be extremely effective.
● The Standards that deal with the nature of audit work discourage the differentiation
between the various types of audit engagements. The Standards require internal
auditors to evaluate and contribute to the improvement of risk management,
control and governance systems as part of any engagement.
This includes an evaluation of the
● reliability and integrity of the financial and operational information
● effectiveness and efficiency of operations
● safeguarding of assets
● compliance with laws, regulations and contracts
Operational auditing is essentially more reactive because it is a process of determining
the economy, efficiency and effectiveness of completed actions and their consequences,
but it also includes a proactive component in that recommendations are made for the
improvement of the effectiveness and/or efficiency and the economy of activities
reviewed.
The practical performance of operational auditing is discussed in this topic, using three
learning units that deal with each individual phase of the operational auditing process
comprehensively.
LEARNING OUTCOMES
After you have studied this topic, you should be able to:
• plan the operational audit according to applicable Standards
• explain how to conduct the operational audit
• perform the audit procedures
• compile the audit report and communicate the audit results
AUI4863/SG
Learning unit 10
Operational audit plan
Contents
10.1 INTRODUCTION
10.2 IDENTIFYING THE AUDIT FIELD
10.3 FORMULATING THE ENGAGEMENT OBJECTIVES
10.4 ENSURE THAT THE PLANNING COMPLIES WITH THE INTERNAL AUDITING STANDARDS
10.5 THE ENGAGEMENT PROGRAMME PHASE
10.6 EXAMPLES OF AN OPERATIONAL ENGAGEMENT PROGRAMME FOR THE PURCHASING FUNCTION OF AN ORGANISATION
10.1 INTRODUCTION
This learning unit deals with the first and one of the most important phases in the
operational auditing process. An operational audit is also referred to as a value-for-money
audit or a performance audit. As in the case of any other internal audit type, the
planning phase of an operational audit is of cardinal importance. The quality of the
planning determines the effectiveness of the audit. Of all the elements of planning,
establishing the critical risk and problem areas is the most important.
STUDY
• Assurance: An Audit Perspective, par 3.4
• All the sections in your undergraduate study material that relate to operational audits
REFLECTION
It is important that you revise the underlying technical knowledge and expertise you
obtained at undergraduate level before you continue with the rest of this learning unit.
You should already know what an operational audit is (an investigation into the
economy, efficiency and effectiveness of the activity in the organisation that is being
investigated). You should also know when an operational audit should be performed,
how to perform an operational audit efficiently and effectively, and how to effect the
necessary changes in the system or section concerned.
The planning phase of an operational audit comprises the following steps:
1. obtaining background information on the section/activity to be investigated
2. deciding on the scope of the engagement and the specific areas or aspects on
which to focus
3. formulating the engagement objectives
4. investigating audit criteria (performance standards) that can be applied in the
conduct of the audit
5. drawing up an engagement work programme
6. ensuring that the planning complies with the internal auditing standards
7. discussing the proposed audit engagement with the management of the section or
activity involved
As most of the above steps have been covered in your undergraduate studies, we will
only focus on certain aspects that we want to highlight in the following sections of this
learning unit:
• founding principles of operational auditing
• identifying the audit field
• formulating the engagement objectives
• ensure that the planning complies with the internal auditing standards
• the engagement programme phase
Founding principles of operational auditing
Based on your undergraduate studies, you should be able to formulate and discuss the
definition for operational auditing. Let’s revise the basic principles that form the
cornerstone of operational auditing.
The difference between an operational (performance) audit and internal audit:
Source: www.isaca.org/chapters10/Lusaka/.../Documents/Pefromance-Auditing.pdf
The following are two definitions of operational auditing that you should be familiar
with.
In Operational auditing: an introduction, by Casler and Crockett, a publication of the
Institute of Internal Auditors Inc, operational auditing is defined as follows:
Operational auditing is a systematic process of evaluating an organisation’s
effectiveness, efficiency and economy of operations under management’s control and
reporting to appropriate persons the results of the evaluation along with
recommendations for improvement. Its objectives are to provide a means for
evaluating an organisation’s performance and to enhance performance by making
recommendations for improvements.
Reider, in his book The complete guide to operational auditing, defines operational
auditing as follows:
Operational auditing is an audit of operations performed from a management
viewpoint to evaluate the economy, efficiency and effectiveness of any and all
operations, limited only by management’s desires.
Visit the following website and read the article regarding operational auditing. Take
note of the definition of operational auditing as well as how to use operational auditing.
MULTIMEDIA
Click on the hyperlinks below to view the slides on operational auditing:
http://www.slideshare.net/ahmad1957/operational-auditing-presentation
The following diagram illustrates the interrelationship between economy, efficiency and
effectiveness:
Source: Chambers, A & Rand, G. 1997. The operational auditing handbook.
(1) Economy – the relationship between planned inputs and actual inputs in terms of unit costs
(2) Efficiency – the relationship between actual inputs and actual outputs
(3) Effectiveness – the relationship between actual outputs and planned outputs
The illustration below shows the mission and objectives and the planned outcomes of the
organisation in relation to the organisational processes. It shows where economy, efficiency and
effectiveness fit into these processes.
Examples of Economy, Efficiency and Effectiveness are illustrated below:
Source: Reider, HR. 1995. The complete guide to operational auditing
REFLECTION
From your undergraduate studies you will remember that operational auditing has four
principal components, namely:
• financial
• compliance
• economy and efficiency
• effectiveness
Financial
This component is concerned with proper and adequate accounting and reporting
procedures. It closely resembles traditional financial auditing, the difference being that
in operational auditing it is only one element of an audit assignment and it is made
applicable to all the activities of an organisation.
Compliance
Compliance is usually dealt with in conjunction with the financial component. It
comprises compliance with legislation, regulations, internal policy and procedures. In
an operational audit assignment, the auditors assess compliance not only with financial
legislation, regulations, policy and procedures, but also with all the rules that regulate
the operations of an organisation.
Economy and efficiency
This component involves the achievement of the optimum balance between costs (i.e.
economy) and results (efficiency being the relationship between input and output, or
results achieved). Costs should be cut to the minimum, but not at the expense of
results, and at the same time productivity should be improved, but without incurring
excessive costs. In an investigation into economy and efficiency the auditors analyse
the way in which the organisation is applying its resources, namely human resources,
facilities, equipment, materials and funds.
The following aspects would, for example, be included in an investigation into economy and efficiency:
• the purchasing policy of the organisation
• material prices and service costs
• staffing in relation to the functions that have to be performed
• surplus stock on hand
• use of more expensive equipment than necessary
• prevention of losses and wastage of resources
• division of projects into logically manageable tasks
• efficiency and application of operating systems and procedures
• efficiency of documentation flow
• performance of unnecessary tasks or duplication of tasks
• allocation of responsibilities and authority within an organisation
• speed of production and completion time for projects
Effectiveness
This component is concerned with the achievement of results and the resultant
benefits. In an investigation of effectiveness internal auditors try to establish whether
an activity is achieving its purpose and whether the results of an undertaking or activity
correspond to the targets set, the objectives or any other criterion. An investigation of
effectiveness is concerned with quality rather than quantity.
The following procedures would, for example, form part of an investigation into
effectiveness:
• evaluation of the organisation's approach to the development of realistic targets and
objectives, and of the procedures for attaining those targets and objectives
• evaluation of the adequacy of management's method of measuring effectiveness
• establishment of the extent to which results are being achieved
• identification of the factors that impede satisfactory performance or the
achievement of results
By referring back to your undergraduate studies, make a list of all the advantages and
disadvantages of operational auditing. Ensure that you can answer relevant questions
on the basic components of operational auditing.
You need to understand all these concepts and should be able to apply your theoretical
knowledge of the above components to practical scenarios.
MULTIMEDIA
Click on the hyperlink below to view the following YouTube video:
https://youtu.be/pre9V8XQVdI
❖ View the screencast on the Three E’s in operational auditing on myUnisa.
ACTIVITY 25
You are a senior internal auditor responsible for the operational audits in your
organisation, which happens to be a large manufacturing company. For purposes of
operational audits, summarise factors that could reveal critical conditions and could
also indicate possible risk areas in your organisation. Refer to the previous examples as
a guideline but also extend your discussion by referring to magazine articles and
literature.
This is a theoretical question where you are required to list the factors that could reveal
possible risk areas. Refer to your undergraduate work and the previous activity, and
then complete the answer to this activity. Because of the theoretical nature of this
question, answering it directly from your undergraduate study material is easy. Make
sure that you know the theoretical principles for the examination and that you are able
to apply these to practical situations.
10.2 IDENTIFYING THE AUDIT FIELD
The most critical question the internal auditor has to answer before carrying out an
operational audit is which section, function or activity should be audited.
STUDY
• Revise all the sections in your undergraduate study material that relate to planning
considerations.
• Assurance: An Audit Perspective, par 3.4.3 – (Identifying the focus area)
Internal auditors usually operate on a limited budget as regards the funds and hours available for
operational auditing. Consequently, the available time and money must be used in those areas with
the greatest possibility for improved performance. Because the purpose of the internal audit
activity is to support management of the organisation in discharging their responsibilities, the
internal audit projects should focus on the aspects that are important to management in achieving
both their own goals and those of the organisation. The bigger the impact of a particular activity on
the attainment of the goals of the organisation, the more important the effective functioning of
that activity would be in the eyes of management.
The long-term planning of the IAA, which is approved by management and the audit committee,
should also make provision for operational audit engagements. When the CAE prepares the
long-term planning of the IAA, he or she needs to evaluate the risks faced by the particular
organisation and identify the critical conditions within the organisation.
The following factors could reveal critical conditions for the purpose of operational auditing and
indicate possible risk areas:
• Income, expenses, concentration of fixed assets, sales, production volumes, staff numbers
and staff costs for one activity or department that appear to be high in comparison with the
figures for the other activities or departments within the organisation.
• Poor control, for example an inadequate manufacturing control system, poor management
reporting or poor planning and control system.
• Cases of abuse or carelessness. Examples would be a production and control system in
which transactions went unrecorded or an ineffective personnel evaluation process.
• Conditions that make it difficult to exercise control, such as inadequate storage facilities, or
delays in a shipping process.
• Activities that are not efficiently or economically carried out, such as ineffective procedures,
duplication of tasks, unnecessary work and surplus staff.
• Unexpected trends indicated by analytical reviews, such as major increases or decreases in
sales, cost per item, staff numbers, stock levels, etc.
• Areas in which management has identified specific weaknesses or the need for
improvement, such as personnel functions, manufacturing procedures, data processing
methods and management reporting.
This list is, however, not exhaustive and you should refer to your undergraduate studies for more
possible risk factors.
ACTIVITY 26
Being an internal auditor at a stationery manufacturer, you are currently compiling an
engagement programme for an operational audit of the pencil manufacturing plant.
Your objective is to evaluate the economy, efficiency and effectiveness of the plant.
During the preliminary survey, you acquired, among other things, the following
information regarding the activities of the pencil plant and the purchase and stock
keeping of materials for production purposes:
1. Purchases of production material are done on behalf of the pencil plant by
personnel from the finance section.
2. Stock levels of production material are monitored by means of a computer. All
purchases, requisitions and write-offs are keyed into the computer by the assistant
to the storeroom foreman.
3. Purchases of production material are based on notices printed by the computer and
approved by the head of the plant as soon as the stock reaches certain minimum
levels.
REQUIRED
Based on the information given above, formulate 12 (twelve) audit procedures to
evaluate the economy, efficiency and effectiveness of the pencil plant. Structure your
answer under the following headings:
A Economy
B Efficiency
C Effectiveness
FEEDBACK
Audit procedures to evaluate the economy, efficiency and effectiveness of the pencil
plant
A Economy
1. Interview senior staff members to determine whether the purchasing department
gathers information regarding prices and suppliers on a frequent basis in order to
determine whether materials are purchased at the lowest prices.
2. Evaluate the procedures followed to determine whether purchasing conditions are
agreed upon and followed in such a way that purchases fall within the budget, all
possible discounts are obtained and payments are made on terms that will be most
beneficial to the organisation.
3. Evaluate the policy of the purchasing department to determine whether it provides
for the frequent rotation of purchasing personnel in respect of suppliers and
whether such rotation in fact takes place.
4. Reperform the calculation of minimum inventory levels and most economic
purchase quantities for accuracy.
5. Evaluate whether the preparation of orders is based on information provided by
means of notices via computer that have been authorised by the head of the plant.
6. Interview management and confirm the accuracy, reliability and relevance of
information used to determine minimum inventory levels and economic purchase
quantities.
7. Visit the inventory warehouse and investigate the safeguarding of inventory against
theft and damage, the extent of obsolete inventory and the acceptability of the
inventory turnover rate.
8. Evaluate inventory write-offs recorded on the computer for reasonableness and
determine whether all write-offs are properly authorised.
9. Analyse the gross profit percentage and the factors influencing it.
10. Determine whether incorrect deliveries are returned in good time and whether
credit is received for them.
B Efficiency
1. Determine by way of observation and discussion whether the correct number of
people have been assigned to purchasing materials on behalf of the pencil plant to
avoid causing unacceptable backlogs or idle time.
2. Evaluate whether it is efficient for the finance department to handle purchases on
behalf of the pencil plant.
3. Determine whether a trained person is always available to handle purchases on
behalf of the pencil plant to avoid delays and backlogs which might lead to an
inventory shortage.
4. Obtain evidence that the necessary backup of all information saved on computer is
done, and that the computer system is properly maintained in order to ensure that
the information upon which order requisitions are based is accurate, and that these
notices are processed on a regular basis.
5. Determine whether someone with the necessary seniority, other than the head of
the pencil plant, also has the authority in the absence of the manager of the pencil
plant to authorise orders.
6. Investigate the procedures followed as well as the time from the moment the notice
for an order is printed on computer until the order is placed and ensure that there
are no unnecessary delays.
7. Confirm by observing that the particulars of inventory purchases, issues and
write-offs according to the original source documentation (such as delivery notes and
issuing requisitions) have been entered into the computer accurately and without
delay.
8. Determine whether there have been any interruptions in production owing to
inventory shortages by way of discussion with the head of the pencil plant. If so,
investigate the cause of such shortages.
9. Obtain or prepare a schedule of the purchasing and manufacturing process
concerning pencils, showing details of the machinery, equipment and labour that
are used, the idle time between processes, the duration of the process and the
stages at which quality control is exercised. Analyse the efficiency of the procedures
followed on the basis of this schedule, together with observation and discussions
with the head of the plant and the other personnel. Specifically take note of any
duplication of work and unnecessary steps in the manufacturing process.
C Effectiveness
1. Ensure that meaningful, realistic and measurable objectives have been set for the
pencil plant in respect of, for example, profit margins, output, manufacturing costs
and productivity.
2. Evaluate the planning of the plant to ensure that it is directed at achieving these
objectives.
3. Determine whether the criteria used to measure the achievement of the overall
objectives, for example quality of output, output quantities, spoilage levels,
application of materials, direct costs and throughput manufacturing rate, are
realistic and meaningful.
4. Evaluate the effectiveness of the pencil plant by measuring the performance of the
plant in terms of the formulated objectives and criteria.
5. If sufficient measuring criteria do not exist by means of which to evaluate the
effectiveness of the pencil plant, develop criteria in conjunction with the head of the
pencil plant that can be used in the interim for measuring purposes.
6. Confirm the accuracy of the measurement of capacity utilisation and spoilage for
the pencil plant and also that the information forwarded to management is reliable
and timely.
10.3 FORMULATING THE ENGAGEMENT OBJECTIVES
Once a focus area has been identified, the engagement objectives for the focus area should be
defined. During the planning stage the auditors should specify what they intend to achieve by
performing an operational audit on the identified focus area and determine the boundaries of the
investigation (scope limitations). These audit objectives should be agreed to by the executive
management of the organisation, and the management of the department or division in question.
The engagement objectives for an operational audit of the tendering/quotation process within
the procurement function could, for example, be the following:
(1) Establish what procedures could be followed in obtaining quotations and tenders to optimise
the effectiveness of the purchasing function.
(2) Develop procedures for the procurement of quotations and tenders that would contribute to
the most efficient and economic functioning of the purchasing function.
(3) Identify opportunities for improving the existing procedures for obtaining quotations and
tenders.
(4) Revise and analyse the existing data processing procedures for obtaining quotations and
tenders in the purchasing function with a view to possible improvement.
REFLECTION
Remember, in this learning unit we only highlight a few important aspects regarding
the planning phase. Revisit your undergraduate studies and ensure that you study all
the steps that relate to the planning phase of an audit engagement.
10.4 ENSURE THAT THE PLANNING COMPLIES WITH THE INTERNAL AUDITING STANDARDS
As with any other audit engagement performed by the IAA, the planning of an operational audit
should also comply with the Standards. Internal Auditing Standards 2200 and 2201 lay down
guidelines for the planning of an audit engagement.
STUDY
Study Performance standards 2200, 2201, 2210, 2220, 2230 and 2240 as well as
Implementation Guides 2200, 2201, 2210, 2220, 2230 and 2240.
The engagement programme forms the link between the planning phase and the
fieldwork phase of an audit.
STUDY
• Performing Internal Audit Engagements, par 1.3.1
• Internal Auditing: An Introduction, par 6.5
• Assurance: An Audit Perspective, par 3.4.4
10.5 THE ENGAGEMENT PROGRAMME PHASE
A well-structured operational engagement programme is a prerequisite for the effective and
efficient performance of an operational audit.
REFLECTION
Based on your undergraduate knowledge of operational auditing, you should be able to
compile an engagement programme for an operational audit. Work through the
following section just to refresh your memory.
In compiling operational engagement programmes the following steps should be
followed once focus areas have been identified:
(1) Identify existing controls and risk areas. In the purchasing function there is the risk
that unnecessary items could be ordered or that too much of a certain item could
be ordered.
(2) Determine the objectives that should be satisfied by specific audit steps. An
example of an objective for the auditing of the purchasing function might be to
establish whether only those items or services that are really needed are efficiently
and timeously ordered.
(3) The audit procedures required to satisfy these objectives are then formulated.
The following are examples of audit procedures that could satisfy the above objective:
• Select a number of departments or sections where purchases are initiated and, in
cooperation with the management of the department or section, study the
procedures followed when placing orders.
• Examine the need for selected material, equipment or services purchased for the
department or section.
• Establish the authorisation requirements applicable in respect of purchases,
including the authorisation of orders, budgetary requirements, etc.
• Establish the time lag between the placement of an order and the delivery of the
goods and find out how this influences the functioning of the department or
section.
• Draw up a flow chart of the ordering procedure to determine whether the control
procedures are adequate to ensure accurate and full record-keeping of all orders.
• Analyse specifications in terms of orders and quality control procedures to ensure
that the correct items are ordered at the best prices.
Although each operational audit programme is unique in the sense that it has been
developed for a specific audit area, this does not mean that the auditor cannot use audit
techniques that have already been used in previous operational audits. In deciding what
audit techniques to use, the auditor should identify the specific audit techniques that
best suit the situation he is dealing with. Although the use of tried and trusted audit
techniques is to be recommended because it can save time and money, the initiative and
creativity of operational auditors should not be stifled, as it will often be necessary to
come up with unique audit techniques in order to audit certain activities or processes
effectively.
Some more general audit techniques that can be used in the development of
engagement programmes are the following:
• examination of existing documentation, such as policy and procedure manuals
• compiling of organograms and accompanying job descriptions
• analysis of policy and procedures with regard to personnel
• analysis of policy and procedures surrounding the administrative and operating
systems of the organisation
• interviews with management and operational personnel
• drawing up of flow charts to analyse processes, or possibly the physical layout of a
working area
• analysis of rates, changes and trends
• questionnaires to management or operating personnel and questions in the audit
programme
• telephonic or written inquiries to outside parties, such as suppliers or clients
• reviewing of transactions
• observation of specific activities
• evaluation of the results of the focus area
• compliance investigations, with regard to legislation, regulations, policies,
procedures, objectives, etc.
• application of computer-assisted audit techniques (CAATS)
10.6 EXAMPLES OF AN OPERATIONAL ENGAGEMENT PROGRAMME FOR THE PURCHASING FUNCTION OF AN ORGANISATION
Figure 10.1 is an example of an operational audit programme for the purchasing function of an
organisation. Because all operational audits are different, this audit programme merely serves as an
example and cannot simply be applied unchanged to every situation.
Figure 10.1: Engagement Programme for a purchasing function
I ORGANISATION
A Function and authority of the purchasing department
1 Obtain an organigram of the purchasing department and ascertain to whom the head of
the purchasing department reports.
2 Document the functions of the purchasing department and determine whether it is
appropriate for the purchasing department to handle all those functions.
B The function of and necessity for the various posts in the purchasing department
1 Document the duties and responsibilities of the following posts by obtaining existing job
descriptions and verifying their validity by means of interviews and observation:
• Purchasing supervisor
• Buyers I and II
• Inventory control clerks
• Clerical supervisor
• Typist clerk
2 Evaluate the work done by the people in the above positions by means of physical
observation and consider whether those functions are necessary.
II RESPONSIBILITIES OF THE PURCHASING DEPARTMENT
A Processing general order forms
1 Obtain a copy of the purchasing department's systems and procedures.
2 Interview personnel from the purchasing department and physically observe the way
they perform their functions in order to confirm the accuracy of the systems
descriptions.
3 Compile a flow diagram of the activities within the purchasing department, and of related
activities, such as the initiation and placing of order requisitions, control over open
orders, etc.
4 Calculate the present cost of processing an order, taking the following into account:
• direct cost of running the purchasing department
• indirect costs attached to the purchasing department
• number of orders processed
5 Carry out the following analysis of orders placed by using management reports on
purchasing orders placed:
• orders per department
• orders per supplier
6 Analyse the number and amount of actual purchases in the following categories:
• under R50 000
• R50 000–R100 000
• R100 000–R200 000, etc.
Compare these statistics with those of previous years.
7 Calculate the actual cost of small purchases.
B Decentralised purchases
1 Obtain copies of policy in respect of purchases generated outside the purchasing
department, such as emergency purchases, direct purchases and petty cash purchases.
2 Select a number of decentralised operating units and examine the procedures they
follow in making such purchases; compare the procedures they follow with policy
directives.
Source: Based on Reider, HR. 1995. Complete guide to operational auditing.
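Steps II.A.4 to II.A.6 of Figure 10.1 are the kind of analytical review that the CAATs bullet in section 10.5 refers to. As an added example (not part of the study guide or of Reider's programme), the following Python script runs those three steps over a constructed set of purchase orders and, applying the "unexpected trends" risk factor from section 10.2, flags any department whose spend or order volume moved sharply against the previous year. The order data, the departmental cost figures, the band limits and the 25 per cent threshold are all assumed values chosen for illustration.

```python
"""Computer-assisted analytical review of purchase orders (constructed example).

Implements steps II.A.4 to II.A.6 of the engagement programme in Figure 10.1
(cost per order, orders per department and per supplier, purchases per amount
band compared with the previous year) and flags the 'unexpected trends' risk
factor from section 10.2. All orders and cost figures below are constructed.
"""
from collections import Counter, defaultdict

# Constructed purchase orders: (year, department, supplier, amount in rand)
ORDERS = [
    (2018, "Production", "Acme Timber", 42_000),
    (2018, "Production", "Acme Timber", 75_000),
    (2018, "Production", "Graphite Ltd", 150_000),
    (2018, "Maintenance", "Bolt & Co", 9_500),
    (2018, "Admin", "Office Depot", 3_200),
    (2019, "Production", "Acme Timber", 48_000),
    (2019, "Production", "Acme Timber", 82_000),
    (2019, "Production", "Graphite Ltd", 160_000),
    (2019, "Maintenance", "Bolt & Co", 12_000),
    (2019, "Maintenance", "Bolt & Co", 7_800),
    (2019, "Maintenance", "Bolt & Co", 6_400),
    (2019, "Admin", "Office Depot", 3_300),
]

# Constructed yearly cost of running the purchasing department (step II.A.4)
DIRECT_COST = {2018: 600_000, 2019: 630_000}
INDIRECT_COST = {2018: 150_000, 2019: 140_000}

# Upper limits of the amount bands in step II.A.6; the last band is open-ended
BAND_LIMITS = [50_000, 100_000, 200_000]


def rand(n):
    """Format an amount with a thousands space, e.g. 50000 -> 'R50 000'."""
    return "R" + f"{n:,}".replace(",", " ")


def cost_per_order(year):
    """Direct plus indirect departmental cost divided by orders processed."""
    processed = sum(1 for o in ORDERS if o[0] == year)
    return (DIRECT_COST[year] + INDIRECT_COST[year]) / processed


def orders_by(year, field):
    """Orders per department (field=1) or per supplier (field=2) for a year."""
    return dict(Counter(o[field] for o in ORDERS if o[0] == year))


def band_label(amount):
    """Map an amount to its band: 'under R50 000', 'R50 000-R100 000', ..."""
    lower = 0
    for upper in BAND_LIMITS:
        if amount < upper:
            return f"under {rand(upper)}" if lower == 0 else f"{rand(lower)}-{rand(upper)}"
        lower = upper
    return f"{rand(lower)} and over"


def band_analysis(year):
    """Number and total amount of purchases per band: {band: (count, total)}."""
    count, total = Counter(), defaultdict(int)
    for y, _dept, _supplier, amount in ORDERS:
        if y == year:
            count[band_label(amount)] += 1
            total[band_label(amount)] += amount
    return {band: (count[band], total[band]) for band in count}


def compare_bands(prev_year, year):
    """Band statistics for both years side by side (the year-on-year comparison)."""
    prev, cur = band_analysis(prev_year), band_analysis(year)
    return {b: (prev.get(b, (0, 0)), cur.get(b, (0, 0))) for b in sorted(set(prev) | set(cur))}


def _per_department(year):
    """Total spend and order count per department for one year."""
    spend, n = defaultdict(int), Counter()
    for y, dept, _supplier, amount in ORDERS:
        if y == year:
            spend[dept] += amount
            n[dept] += 1
    return spend, n


def _rel_change(prev, cur):
    """Relative change from prev to cur; a department new this year counts as infinite."""
    if prev == 0:
        return float("inf") if cur else 0.0
    return (cur - prev) / prev


def unexpected_trends(prev_year, year, threshold=0.25):
    """Departments whose spend or order count moved by more than `threshold`.

    These are the 'unexpected trends indicated by analytical reviews' of section
    10.2: a major increase or decrease marks a candidate focus area for the audit.
    """
    prev_spend, prev_n = _per_department(prev_year)
    cur_spend, cur_n = _per_department(year)
    flagged = {}
    for dept in set(prev_spend) | set(cur_spend):
        changes = {
            "spend_change": _rel_change(prev_spend[dept], cur_spend[dept]),
            "orders_change": _rel_change(prev_n[dept], cur_n[dept]),
        }
        if any(abs(c) > threshold for c in changes.values()):
            flagged[dept] = changes
    return flagged


if __name__ == "__main__":
    for year in (2018, 2019):
        print(year, "cost per order:", rand(round(cost_per_order(year))))
        print(year, "orders per department:", orders_by(year, 1))
        print(year, "orders per supplier:", orders_by(year, 2))
    for band, (prev, cur) in compare_bands(2018, 2019).items():
        print(f"{band}: 2018 {prev} -> 2019 {cur}")
    print("flagged departments:", unexpected_trends(2018, 2019))
```

On the constructed data the script flags only the maintenance department, whose spend and order count roughly tripled. The threshold is a planning judgement the auditor sets, and a flag is a candidate focus area to be followed up with the interviews, observation and flow charts of Figure 10.1, not a finding in itself.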
ACTIVITY 27
During the planning phase of an operational audit the auditors noticed that there were
possibly too many purchasing staff in relation to the size of the purchasing department.
The auditors decided to investigate this problem in the next phase of the operational
audit and for this purpose audit procedures for inclusion in the operational auditing
programme will be formulated.
Although the office manager agreed that there might be a slight level of overstaffing,
she pointed out that the organisation's reported costs per order form processed were no
higher than those of similar organisations, including organisations functioning within
lower cost environments.
REQUIRED
Identify the audit procedures that you would include in the operational engagement
programme to support your preliminary finding that there might be too many staff in the
allocated area.
FEEDBACK
The following are some of the audit procedures that can be carried out:
(1) Extensive tests on the payroll of the purchasing department to make certain that all
the costs have been included and reported.
For example: Has the salary of the manager of the purchasing department by any
chance been included on the management payroll?
(2) Interviews with all employees to establish exactly what their functions are and the
nature of these functions.
(3) Preparing a layout flow chart of the office area with an indication of the most
important functions in order to analyse work flow.
(4) Preparing systems flow charts that analyse each procedure in order to establish
whether the procedures followed could be simplified, functions could be combined
or certain steps in the process could be eliminated.
(5) Consider possible improvements in the existing personnel allocation and procedures
that could lead to greater efficiency and a reduction in the personnel allocation.
Prepare layout flow charts and systems flow charts to reflect these
recommendations.
Source: Adapted from Reider, HR. 1995. Complete guide to operational auditing.
ACTIVITY 28
In the course of the preliminary survey carried out as part of the operational audit, the
internal auditors identified the following shortcomings with regard to the handling of
damaged or incorrect deliveries:
Returns by the organisation to suppliers (purchases returns):
(1) The organisation paid for the transport costs of almost 50 per cent of the items
returned. This happened because existing procedures were not complied with. In
terms of the established procedures freight on returns should not be paid directly by
the operating department where the items were delivered.
Returns received from the organisation's clients (sales returns):
(2) Some of the organisation's local clients sent the faulty deliveries back in the delivery
van, in contradiction to the sales conditions and policy of the organisation which
provide that clients are not permitted to return faulty or damaged deliveries
directly.
(3) When faulty or damaged items were returned by clients, the cash discount was not
correctly handled. The client's account was credited with the amount invoiced plus
the cash discount.
REQUIRED
With regard to each of the problems listed above, develop one audit procedure the
auditors should include in their operational engagement programme to further
investigate the matter.
FEEDBACK
When you have to perform an operational audit, whether it is to formulate objectives, to
formulate audit procedures, to compile questionnaires or to gather information, you can
always use the aspects that the internal auditor should attend to when evaluating
economy, efficiency and effectiveness as a basis to work from and adjust these to suit
the applicable situation. You will also find these aspects handy in answering practical
questions on operational auditing. Through this question, we want to emphasise the
importance of knowing and understanding these aspects.
(1) Transport costs on purchase returns
(a) Analyse a sample of purchase returns and determine how regularly the
organisation has paid the transport costs and then calculate the amount
involved.
AUI4863/SG
(b) Examine the procedures followed in certain selected sections to determine to
what extent instructions are deviated from.
(2) Return of delivered goods in the organisation's delivery vans
(a) Analyse a sample of returns by customers and determine the degree of
deviation from prescribed procedures and agreements with regard to the
return of incorrect deliveries.
(b) Revise dispatch procedures to determine whether the procedures followed in
practice make provision for the recording of instances where items are brought
back by the delivery vehicles.
(c) Review the existing policy that the organisation's delivery vehicles may not be
used to transport faulty deliveries back to the organisation. Consider the
acceptability of the procedures followed at present and determine whether
they represent the most economic method of handling sales returns.
Note: This problem may merely be a symptom of larger underlying problems, such as a
considerable number of faulty deliveries or a lack of quality control in the manufacturing
department. The auditor should also carry out tests to investigate this possibility.
(3) Cash discounts
(a) Analyse accounting documents and records to determine what amount has
been paid to clients of the organisation in respect of cash discounts.
(b) Analyse the procedures, both computerised and manual, currently being
followed for sales returns and determine whether any controls could be
introduced to prevent similar errors in future.
Source: Based on Reider, HR. 1995. Complete guide to operational auditing.
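The first and third procedures in the feedback above (measure how often the organisation paid freight on purchase returns and the amount involved; analyse accounting records for sales-return credits that included the cash discount) are analytical procedures that can be run over a transaction extract. The following is an added illustration, not part of the study guide or of Reider's text; the records, field names (`freight_paid_by`, `credited_amount`) and the rule that a credit note should never exceed the invoiced amount are constructed assumptions for the example.

```python
"""Analytical procedures for Activity 28 over a constructed sample of returns.

Added example: the data and field names are assumptions made for
illustration, not records from the study guide.
"""

# Constructed sample of purchase returns to suppliers. The procedure under
# test: freight on returns must not be paid by the operating department.
PURCHASE_RETURNS = [
    {"ref": "PR-001", "freight_cost": 120.0, "freight_paid_by": "supplier"},
    {"ref": "PR-002", "freight_cost": 80.0, "freight_paid_by": "operating_dept"},
    {"ref": "PR-003", "freight_cost": 95.0, "freight_paid_by": "operating_dept"},
    {"ref": "PR-004", "freight_cost": 60.0, "freight_paid_by": "supplier"},
    {"ref": "PR-005", "freight_cost": 150.0, "freight_paid_by": "operating_dept"},
    {"ref": "PR-006", "freight_cost": 40.0, "freight_paid_by": "supplier"},
]

# Constructed sample of credit notes raised for sales returns from clients.
SALES_RETURNS = [
    {"ref": "SR-001", "invoice_amount": 1000.0, "cash_discount": 50.0, "credited_amount": 950.0},
    {"ref": "SR-002", "invoice_amount": 2000.0, "cash_discount": 100.0, "credited_amount": 2100.0},
    {"ref": "SR-003", "invoice_amount": 500.0, "cash_discount": 25.0, "credited_amount": 500.0},
    {"ref": "SR-004", "invoice_amount": 1500.0, "cash_discount": 75.0, "credited_amount": 1575.0},
]


def freight_exceptions(returns):
    """Purchase returns where the operating department paid the freight,
    i.e. deviations from the established procedure."""
    return [r for r in returns if r["freight_paid_by"] == "operating_dept"]


def freight_rate_and_amount(returns):
    """How regularly the organisation paid the transport cost (as a fraction
    of the sample) and the total amount involved. Returns (0.0, 0.0) for an
    empty sample rather than dividing by zero."""
    if not returns:
        return 0.0, 0.0
    exceptions = freight_exceptions(returns)
    rate = len(exceptions) / len(returns)
    amount = sum(r["freight_cost"] for r in exceptions)
    return rate, amount


def overcredited_sales_returns(credit_notes):
    """Credit notes where the client was credited with more than the invoiced
    amount. Assumption for this example: a credit for a returned item can
    never legitimately exceed the invoice, so an excess indicates the cash
    discount was added instead of deducted. Each exception carries the excess."""
    result = []
    for note in credit_notes:
        excess = note["credited_amount"] - note["invoice_amount"]
        if excess > 0:
            result.append({"ref": note["ref"], "excess": excess})
    return result


def total_overcredit(credit_notes):
    """Total amount over-credited to clients across the sample; this is the
    figure the auditor would report as the exposure from the error."""
    return sum(e["excess"] for e in overcredited_sales_returns(credit_notes))


if __name__ == "__main__":
    rate, amount = freight_rate_and_amount(PURCHASE_RETURNS)
    print(f"Freight paid by organisation on {rate:.0%} of returns, total {amount:.2f}")
    for e in overcredited_sales_returns(SALES_RETURNS):
        print(f"{e['ref']}: over-credited by {e['excess']:.2f}")
    print(f"Total over-credit: {total_overcredit(SALES_RETURNS):.2f}")
```

The two tests are deliberately separate functions because they address two different problems in the activity; in practice each would be run over a full extract rather than a sample once the sample confirms the deviation rate.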
ONLINE ASSESSMENT QUESTION
Do the online assessment multiple-choice questions on myUnisa.
DISCUSSION FORUM
Join the Discussion Forum and give your views on the importance of proper planning
for an operational audit.
SUMMARY
This learning unit focused on the aspects that an internal auditor should take into
consideration while planning an operational audit engagement. We also looked at the
development of the engagement programme for an operational audit. The audit
team is now ready to start putting their plan of action into practice and the next
phase that we will be looking at is the performance of the fieldwork phase.
NOTES
Make your own notes here:
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
Learning unit 11
Conducting operational audits
Contents
11.1 INTRODUCTION
11.2 THE FIELDWORK PHASE OF AN OPERATIONAL AUDIT
11.1
INTRODUCTION
In this learning unit we shall examine the purpose, nature and method of performing the fieldwork
phase of an operational audit. It is during this phase of the operational audit process that the steps
outlined in the engagement programme (plan of action) are physically put into practice. It is on the
grounds of the audit steps carried out in this phase that the operational audit team determines
whether the shortcomings identified during the planning phase require further attention, and if the
decision is taken to further investigate, that sufficient information is collected to submit a properly
structured audit report to management. This phase of the audit can also indicate problem areas
that were not previously identified and that require further investigation.
REFLECTION
Before you study this learning unit, please revise the following sections in your
undergraduate studies:
• Identifying the purpose and nature of the fieldwork phase in operational auditing
• Designing the execution of the fieldwork phase of an operational audit
STUDY
Performing Internal Audit Engagements:
• Par 1.2.1 (p 3)
• Par 1.3.1 (p 7)
11.2
THE FIELDWORK PHASE OF AN OPERATIONAL AUDIT
In the fieldwork phase of an operational audit the internal auditors, on the basis of the engagement
programme, investigate the following:
• whether the procedures and practices followed by the organisation, section or activity are in
line with the basic authority, guidelines and legislation that is applicable
• whether the operating systems and internal control within the organisation, section or activity
being investigated could contribute to the economic and efficient performance of operations
and the achievement of anticipated results, in line with management's requirements
In order to be able to carry out the fieldwork phase of an operational audit, the auditor requires a
thorough knowledge of the following:
• performance measurement
• basic audit procedures
• collection of information and record keeping
Performance measurement
Because operational auditing focuses more specifically on the economy, efficiency and
effectiveness of the activities of an organisation, performance measurement is an important
element in conducting the operational audit process. Not only do internal auditors have to be skilled
in evaluating the results of an organisation's activities, they also have to have the necessary
knowledge to evaluate the criteria for performance measurement that are in place in an
organisation and, where the need arises, to help improve, develop and implement criteria in
cooperation with management.
Basic audit procedures
Procedures are the techniques employed to achieve one’s objectives.
Audit procedures are the means by which the auditor meets the audit objectives. They are steps in
the audit process that guide the auditor in carrying out the planned reviews, based on the
established audit objectives.
Audit procedures are the techniques the auditor employs to determine whether operating
objectives have been met.
Experience and logic will determine which audit procedures apply to which audit objectives.
Procedures should be relevant to the selected objectives. Irrelevant procedures, no matter how
applicable to the audit as a whole, will be useless if they do not produce evidence about the
operating objectives selected for review.
Although it is sometimes necessary to use unique auditing procedures in carrying out the fieldwork
phase of an operational audit, there are certain basic audit procedures that occur in any internal
audit project, namely:
• observation
• questioning
• analysis
• verification
• routine checking
• vouching
• investigation
• evaluation
At this point a thorough revision of the discussion of these basic audit procedures in your
undergraduate modules is necessary.
REFLECTION
From your undergraduate studies you should have obtained a detailed knowledge of the
development of performance objectives as well as performance measurement. You
should study these concepts in the context of the fieldwork phase of an operational audit
as well.
ACTIVITY 29
You have completed the planning phase of the operational audit of an organisation's
purchasing department and have identified the organisation’s control over inventory as a
critical area. Your decision is based on the following problems that are evident:
• There is an increase in raw material inventory.
• Large quantities of raw materials were found in several locations of the factory
outside of the storage area.
• The finished product inventory is increasing.
• There are problems with the physical safeguarding of inventory.
REQUIRED
• List the parties responsible for preparing an operational audit programme and also
those parties who can contribute to this task.
• Formulate ten audit procedures for your operational audit of the organisation's
inventory control.
• List six general audit techniques that the auditor can use when conducting an
operational audit.
FEEDBACK
Parties who are responsible for or who can contribute to the development of an
operational engagement programme
1. the audit manager
2. all the members of the operational audit team – especially those involved in
planning the audit
3. audit staff who are experts in the area being examined, or who were previously
involved in a similar audit
4. personnel of the organisation who work in the department being audited, and who
can make a specific contribution
5. consultants who have specific expertise in relation to the area being audited, or who
are experts in the area of operational auditing
6. personnel from similar organisations or departments who might be able to give
another perspective to the audit approach
Audit procedures for the operational audit of inventory control
1. Review and analyse existing inventory control procedures and pay attention to any
areas where inefficiencies exist or where proper inventory control practices are not
followed.
2. Interview management and determine the organisation's objectives regarding
inventory control and evaluate the organisation's success in achieving these
objectives.
3. Investigate if any standards were set regarding material consumption and
production outputs and, if so, evaluate the application of such standards in
inventory control.
4. Determine acceptable inventory levels for raw materials and finished products and
evaluate the current inventory levels in the light of this.
5. Review the accuracy of the information used in determining minimum inventory
levels and economic ordering quantities.
6. Evaluate the efficiency of the existing communication between the inventory
warehouse and the acquisition department regarding raw material inventory as well
as between the inventory warehouse and the despatch department, regarding
finished products inventory.
7. Examine the procedures regarding the receipt and despatch of inventory and
evaluate the efficiency of these procedures.
8. Inspect the physical control over, and the storage procedures of, inventory and
evaluate their economy and effectiveness.
9. Investigate the reasons why the raw material inventory is not properly stored.
10. Analyse the production process to determine whether there are any inefficiencies in
the process that may lead to the accumulation of work in process and, if so,
determine if the process can be altered to eliminate the accumulation.
11. Investigate the extent of any obsolete or unusable inventory and evaluate the
methods that are used to reduce this inventory.
12. Examine the handling of obsolete or unusable inventory in the inventory records
and consider its influence on the inventory figures.
13. Examine the adequacy of current inventory reporting systems and identify any
shortcomings.
Audit techniques that can be used in performing an operational audit
1. Conducting interviews with management and operational staff.
2. Drafting flow charts in order to analyse processes, or to analyse the physical layout
of work areas.
3. Thorough analysis of rates, changes and trends.
4. Questionnaires to management or operational staff and questions in the audit
programme.
5. Telephone or written enquiries from outside parties, for example suppliers and
clients.
6. Reviewing transactions.
7. Observing specific activities.
8. Evaluating the results of the focus area.
9. Compliance reviews in respect of laws, regulations, policies, procedures, objectives,
etc.
10. Using computerised audit techniques.
REFLECTION
At this point thorough revision of the discussion of basic auditing procedures as
discussed in your undergraduate studies is necessary.
Collection of information and record keeping
In operational auditing, as in any other form of internal auditing, the collection and
recording of information is an important part of the audit process. It is especially
important in the execution of the fieldwork phase for appropriate, adequate, complete
and accurate information to be collected and that the information should be properly
documented in audit working papers to support audit findings. The requirements with
which information must comply, the collection of information and recording procedures
were dealt with in your undergraduate studies. Ensure that you revise these important
topics.
STUDY
Performing Internal Audit Engagements:
• Par 3.9 (p 135)
• Par 4.9 (p 192)
• Par 5.9 (p 252)
• Par 6.10 (p 320)
• Par 7.9 (p 357)
• Par 8.6 (p 374)
Study the IPPF, Performance standards 2300, 2310, 2320, 2330 and 2340 as well as the
related Implementation Guides.
ACTIVITY 30
In your capacity as the internal auditor at a manufacturing organisation you are
performing an operational audit to determine whether manufacturing equipment is
economically acquired, utilised and maintained.
During your preliminary review, you noted the following:
• It is the organisation's policy to purchase only new manufacturing equipment, to
depreciate it over five years and to replace the item at the end of the five-year
period.
• All manufacturing equipment is cash purchased and is the property of the
organisation.
• The managing director of the organisation is very proud of the organisation's
manufacturing department, as all equipment is based on leading-edge technology.
• Some of the equipment on the production line is continuously in use, while other
items are used only for a few hours per day.
• A standard maintenance contract is entered into for each item of manufacturing
equipment, according to which the item is serviced on a monthly basis and the
maintenance firm provides 24-hour support in the event of an item breaking down.
REQUIRED
Formulate ten questions that you would put to the relevant staff members of the
organisation during interviews to determine whether manufacturing equipment is
acquired, utilised and maintained economically. In each instance, mention the purpose
of the question, or the information you would expect to obtain from the answer to the
question.
FEEDBACK
Note: The purpose of each question is shown in brackets.
1. What is management's motivation behind the policy to buy only new production
equipment, to depreciate it over five years and to replace it thereafter?
(To determine whether management has recently reflected on their policy and why they
implemented it in the first place.)
2. What is the possibility of distinguishing between different categories of production
equipment and of stipulating specific policies regarding depreciation for each
category?
(To determine whether it is possible to distinguish between items with longer and shorter
lifespans and identify equipment that might have a longer production life span than five
years.)
3. Has any cost benefit analysis been done in the past regarding the existing policy
and, if so, what was the result?
(To determine whether management are aware of the cost implications of their policies – for
example, to replace items after five years, irrespective of their condition – and to obtain
information regarding the factors that influenced their decisions.)
4. What procedures are followed with the acquisition of new manufacturing
equipment?
(To determine whether the acquisition procedures result in the acquisition of manufacturing
equipment that best complies with specifications, at the lowest price.)
5. What happens to the manufacturing equipment that has been written off, after it
has been replaced?
(To determine whether the organisation obtains maximum recovery on its investments with
the write-off of manufacturing equipment.)
6. Why is all manufacturing equipment purchased for cash, i.e. why is manufacturing
equipment not hired or the acquisitions not financed?
(To determine whether the organisation considered other possibilities of obtaining
manufacturing equipment and how they feel about it, and to determine whether there is a
possibility of obtaining manufacturing equipment more economically.)
7. Why is it so important to the managing director that all the manufacturing
equipment be based on leading-edge technology?
(To determine whether the advanced technology of manufacturing equipment contributes
to better quality products, higher productivity and production outputs that result in higher
income for the organisation or whether it serves only to satisfy the whims of the managing
director.)
8. Is the capacity utilisation of manufacturing equipment monitored frequently and
what are the results?
(To determine whether all equipment is really needed.)
9. Why is the manufacturing equipment, which is only used for a few hours each day,
not used for longer periods?
(To determine whether one policy for all manufacturing equipment is justified and whether
costs cannot be saved by using certain items for longer or leasing equipment based on usage
frequency instead of buying it – pay-per-use agreements.)
10. For what purpose is equipment that is used only for a few hours a day applied?
11. Can the need for these items of equipment not be eliminated by means of
alternative procedures?
12. Why can one item of the manufacturing equipment not take over the functions of
other items?
(The reason for questions 10, 11 and 12 is to determine whether all the items of
manufacturing equipment are really needed.)
13. What is management's motivation for the strict service policy on manufacturing
equipment?
(To determine whether management has thoroughly considered the policy regarding the
maintenance of manufacturing equipment and that it is to the best economic advantage of
the organisation.)
14. How are guarantee stipulations utilised?
(To determine whether guarantee stipulations are utilised to reduce maintenance costs on
manufacturing equipment.)
15. Why are alternative ways of maintenance not used, for example appointing a
person who will take care of the maintenance of the organisation's manufacturing
equipment or training one operator for every item of manufacturing equipment, so
that he can take care of the basic maintenance of the items under his control?
(To determine whether any consideration has been given to other methods of maintenance
and whether the current method provides maximum advantage to the organisation.)
16. Why is the policy regarding maintenance the same for items used on a full-time
basis and items that are used only for a few hours a day?
(To determine whether there might be savings on maintenance by establishing specific
policies for different items of manufacturing equipment.)
SUMMARY
In this learning unit we studied the fieldwork phase of an operational audit. We noted
firstly that the engagement programme is carried out during the fieldwork phase and
that the auditors base their findings and recommendations on the fieldwork phase. We
looked at the important aspects in the execution of the fieldwork phase, namely
performance measurement, basic auditing procedures and the collection and recording
of information. In the next learning unit, we will pay attention to the formulation of
findings and recommendations on the basis of the results of the fieldwork phase.
NOTES
Make your own notes here:
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
Learning unit 12
Reporting and follow-up on operational
audits
Contents
12.1 INTRODUCTION
12.2 AIMS AND PRINCIPLES OF OPERATIONAL AUDIT REPORTING
12.3 DRAFTING AN OPERATIONAL AUDIT REPORT
12.4 FOLLOW-UP ON AUDIT RESULTS
12.1
INTRODUCTION
The results of an operational audit are communicated to all interested parties in the operational
audit report. The principal purpose of the operational audit report is to bring useful and timely
information on material operational deficiencies to the attention of management and recommend
improvements. In this learning unit we should simply like to acquaint you with the general reporting
principles.
REFLECTION
The complete internal audit reporting process and the follow-up of audit results were
discussed in your undergraduate studies. Ensure that you revise these very important
topics.
STUDY
• Assurance: An Audit Perspective (2018), par 3.4.5
• Performing Internal Audit Engagements (2017), Chapter 9
• Learning Unit 3 and revise the following topics applicable to operational auditing:
• Aim and principles of operational audit reporting
• Drafting an operational audit report
• Following up audit results
Before you continue, ensure that you study all topics relating to the reporting phase of
an audit engagement.
12.2
AIMS AND PRINCIPLES OF OPERATIONAL AUDIT REPORTING
In the reporting phase of an operational audit, the audit team communicates the results of the
audit to interested persons in management and on the staff. The basic objectives of operational
audit reports are:
• to supply useful and timely information on material operational deficiencies and other
aspects
• to suggest improvements in the way in which the department is run
The operational audit report is the operational audit team's opportunity to get management's
undivided attention; it also gives them a chance to point out the benefits of operational auditing.
The operational audit report therefore serves a twofold purpose, namely:
• to communicate the results of an operational audit
• to persuade, and sound a call for action
If the audit has been correctly carried out, the audit findings will already have been discussed with
interested members of staff and management by this time and efforts will already have been
made to rectify deficiencies in the system. The final operational audit report is basically merely a
summary of the operational audit, documenting the following:
(1) what the operational audit team has achieved
(2) what was found in the course of the audit
(3) the extent of the operating deficiencies in the section reviewed
(4) the steps taken by the operating personnel to rectify the situation
Figure: Elements of an audit finding (adapted from Waring & Morgan (2007))
In cases where operational audit findings have not yet been communicated to interested members
of staff and management, verbal and written audit reports are used to persuade management to
take corrective action. This method is suitable for audit projects that cover a short time span or for
a general review type of audit, where there is not sufficient opportunity during the audit to convey
the findings. In other circumstances the auditors should announce their audit findings as they are
generated.
The presentation of operational audit reports creates an opportunity for the internal auditors to
market the IAA within the organisation. Sufficient attention should therefore be paid to the
presentation of audit reports.
12.3
DRAFTING AN OPERATIONAL AUDIT REPORT
Characteristics of good reporting
The basic characteristics of good operational audit reporting are the following:
• Only important matters should be reported.
• Operational audit reports should be useful and timely.
• Operational audit reports should be accurate and should be adequately supported by
vouchers.
• The findings should prompt the management and personnel involved to take action.
• Audit reports should be objective and should contain sufficient information to give the
readers the necessary perspective.
• Operational audit reports should be clearly and simply presented.
• Operational audit reports should be concise.
• Operational audit reports should have a constructive impact.
• Operational audit reports should be logically arranged and positive.
The format of operational audit reports
There is no generally accepted or prescribed format for operational audit reports. Nevertheless,
standard formats for audit reports are used in internal audit departments.
A format that is flexible and comprehensive and can be used for any internal audit report that is not
longer than four typed pages is the following:
• management summary (if applicable)
• background
• overview
• opinion/general evaluation
• findings, recommendations and conclusions
• comments by the auditee
INTERNET SOURCE
Before you attempt the activity visit the website of the Auditor-General of South Africa
and study the examples of operational audit reports published on the following
website: http://www.agsa.co.za/
ACTIVITY 31
You are seconded to the technical and training section of the internal audit activity. A
significant number of the technical queries you received deal with reports. To improve
the level of professional competence and quality of work produced, you designed a
training programme for good report writing. In this training programme you include the
format and characteristics of a good report on operational auditing.
REQUIRED
Design a questionnaire to be used by internal auditors to ensure that their reports
comply with the requirements for the format and characteristics of a good report.
FEEDBACK
Questionnaire to ensure proper reporting
QUESTION                                                                 Yes   No
Characteristics of a good report
• Are only important matters reported?                                   ___   ___
• Is the report useful and timely?                                       ___   ___
• Is the report accurate and supported by documents/evidence?            ___   ___
• Do the findings prompt the relevant management and staff to
take action?                                                             ___   ___
• Is this report objective?                                              ___   ___
• Is there sufficient information in the report to give its readers
the required perspective?                                                ___   ___
• Is the report a clear and simple presentation?                         ___   ___
• Is the report concise?                                                 ___   ___
• Does the report have a constructive impact?                            ___   ___
• Is the report logically arranged and positive?                         ___   ___
Format of a good report
• Does the report have a management summary?                             ___   ___
• Does the report cover the background?                                  ___   ___
• Is there an overview?                                                  ___   ___
• Is there an opinion or a general evaluation?                           ___   ___
• Are the findings and recommendations included?                         ___   ___
• Is there a conclusion?                                                 ___   ___
• Are the comments of the auditee included?                              ___   ___
12.4
FOLLOW-UP ON AUDIT RESULTS
The operational auditing process is not complete before all the procedural modifications have
been introduced. Organisational policy should require that written commentary on every internal
audit report be submitted to the CAE by the persons to whom the audit report was addressed.
The following should be specified in a company's policy:
• the format in which feedback should be produced
• how much time should be allowed for a response to internal audit reports
• who is responsible for drawing up and signing comments on internal audit reports
The CAE should receive copies of all comments on audit reports and should pass on any
reservations on such feedback to top management.
Irrespective of the fact that the internal auditors reviewed the comments on their audit reports
and accepted them, they should still carry out the necessary follow-up action to determine
whether any corrective measures have been taken and whether they are satisfactory.
Management may decide to take steps to rectify a problem that are different from the steps
suggested by the auditors. The decision rests with management, but the results of the decision
should still be weighed up by the internal auditors. If management does implement the steps
proposed by the auditors, the auditors should still follow up in order to evaluate the results
achieved. If the audit findings showed up material problems, it may be necessary to schedule a full
follow-up audit to make certain that the desired results have been achieved by the
implementation of the audit recommendations.
STUDY
Study the IPPF, Performance Standards 2400, 2410, 2420, 2421, 2430, 2431, 2440, 2500
and 2600 as well as the related Implementation Guides.
MULTIMEDIA
Click on the hyperlink below to view the following YouTube videos:
https://youtu.be/pFr7iH7vYBc
https://youtu.be/1NA0Z_BhV1E
• View the screencast on operational audit reporting on myUnisa.
ACTIVITY 32
Work through the following case study:
http://www.metricstream.com/casestudy/Audit_Solution_Airline_Case.htm
SUMMARY
In this learning unit the reporting stage of the operational auditing process was
discussed and we showed that the reporting stage is an extension of the other stages of
the operational auditing process. We briefly discussed the aims and functions of the
operational audit report, its characteristics, a proposed format for operational audit
reports and the follow-up of audit results.
SUMMARY
In this topic we discussed the practice of operational auditing. It provides an
explanation of the full process of the performance of an operational audit.
In learning unit 10 we discussed the planning phase of an operational audit. We revised
all the founding principles of operational auditing.
We also identified the following steps that should be followed during the planning
phase of the operational audit:
1. obtaining background information on the section/activity to be investigated
2. deciding on the scope of the engagement and the specific areas or aspects on
which to focus
3. formulating the engagement objectives
4. investigating audit criteria (performance standards) that can be applied in the
conduct of the audit
5. drawing up an engagement work programme
6. ensuring that the planning complies with the internal auditing standards
7. discussing the proposed audit engagement with the management of the section
or activity involved
Learning unit 10 focused on the aspects that an internal auditor should take into
consideration while planning an operational audit engagement. We also provided an
example of an engagement programme for an operational audit.
In learning unit 11 we examined the purpose, nature and method of performing the
fieldwork phase of an operational audit. We studied the fieldwork phase of an
operational audit. We noted firstly that the engagement programme is carried out
during the fieldwork phase and that the auditors base their findings and
recommendations on the fieldwork phase. We looked at the important aspects in the
execution of the fieldwork phase, namely performance measurement, basic
engagement procedures and the collection and recording of information.
In learning unit 12 the reporting stage of the operational auditing process was discussed
and we showed that the reporting stage is an extension of the other stages of the
operational auditing process. We briefly discussed the aim and functions of the
operational audit report, its characteristics, a proposed format for operational audit
reports and the follow-up of audit results.
Now that you have studied the learning units in this topic, are you able to do the
following?
• Plan the operational audit according to applicable Standards.
• Explain how to conduct the operational audit.
• Perform the audit procedures.
• Compile the audit report and communicate the audit results.
TOPIC 5
Fraud investigations
Contents
LEARNING UNIT 13: Planning fraud investigations 126
LEARNING UNIT 14: Performing fraud investigations 136
LEARNING UNIT 15: Reporting and follow-up on fraud investigations 142
LEARNING UNIT 16: Case study 148
INTRODUCTION TO AND PURPOSE OF THE TOPIC
Fraud has become an industry, and not just for the fraudsters. Academics, investigators, internal
and external auditors, lawyers, management on all levels of public and private organisations,
oversight bodies and the general public are all involved in this industry in some way or another.
In this topic the following aspects of fraud that concern the internal auditor are discussed:
• the nature of fraud
• the kinds of fraud that occur frequently
• fraud prevention
• indicators of the possible presence of fraud, i.e. fraud risk
• the activities in an organisation where fraud is usually committed or can easily be committed
• the behavioural characteristics of people who engage in fraud
• ways and techniques of establishing whether fraud has been committed
• the procedures that should be followed when conducting a fraud investigation
From the point of view of the internal auditor, fraud is an extremely complex matter because it
involves so many aspects. The internal auditor has to fully understand each of these aspects so
that he or she knows what part each aspect plays and what the internal auditor's responsibility is in
regard to each aspect when carrying out a fraud investigation.
Fraud has always been and will always be present in society, and there is increasing pressure on
both internal and external auditors, especially from the general public, to detect and assist in the
prevention of fraud. Thus, adequate competence in this field is a necessity. Your aim in studying
this topic should be to enhance your knowledge, understanding and competence with regard to
fraud investigations as part of your professional career.
Fraud investigations, like all other internal audit engagements, should be approached in a
structured manner in order to ensure objectives are met. In this topic we discuss the nature of the
internal auditor's responsibility once it has been decided to carry out a fraud investigation, as well as
the practical aspects of fraud investigations. The procedures that should be followed when
conducting a fraud investigation are discussed, as are different matters that internal auditors should
attend to when they have to participate in fraud investigations.
MULTIMEDIA
Please access the podcast on myUnisa to assist you in your studies of this topic.
LEARNING OUTCOMES
After you have studied this topic, you should be able to
• apply the internal auditing standards relating to fraud investigations to practical
situations
• demonstrate knowledge of the practical performance of fraud investigations
• demonstrate knowledge of important considerations in the performance of fraud
investigations
• compile professional internal audit reports relating to fraud
Learning unit 13
Planning fraud investigations
Contents
13.1 INTRODUCTION 126
13.2 INTERNAL AUDITOR'S RESPONSIBILITY WITH REGARD TO FRAUD INVESTIGATIONS 127
13.3 FRAUD RISK ASSESSMENT 128
13.4 FRAUD INVESTIGATION PLAN 132
13.5 ESTABLISHING THE OBJECTIVES OF A FRAUD INVESTIGATION 132
13.1 INTRODUCTION
Fraud allegations can arise from whistle-blowers' complaints, and fraud is sometimes
discovered by accident. Fraud can also be detected by the internal auditors when they
recognise fraud risk factors in the course of their daily work.
The internal audit activity (IAA) should plan any fraud investigation it undertakes as a
comprehensive engagement. When the internal audit function has been assigned an
investigator's role, an investigation plan should be developed for each investigation.
REFLECTION
You were given comprehensive exposure to fraud investigation planning in your
undergraduate studies. It is important that you revise the underlying level of technical
knowledge and expertise you obtained at the undergraduate level before you continue
with the rest of this learning unit.
Test your knowledge, insights and competencies by answering all the undergraduate
questions and answers you have accumulated so far.
In this learning unit we will look at the planning phase of a fraud investigation as well as
the internal auditor’s responsibility with regard to fraud investigations. The fraud
investigation plan as well as the objectives of a fraud investigation will also be covered.
STUDY
Ensure that you study the following Internal Auditing Standards:
• Attribute Standards 1210 and 1220
• Performance Standards 2060, 2110, 2210 and 2600
• Related Implementation Guides
13.2 INTERNAL AUDITOR'S RESPONSIBILITY WITH REGARD TO FRAUD INVESTIGATIONS
As soon as the internal auditor has established the presence of fraud of such a nature that it
requires investigation, he or she should report this to the CAE and the most senior executive
manager of the organisation. The next step is to decide what kind of investigation will be carried
out, and in what depth, and also what resources will be used in the process. This decision should,
however, be taken by senior management in conjunction with the CAE. Fraud investigations are
time-consuming, intensive and demanding and they frequently require specific technical
knowledge or experience of the operating environment within which the fraud occurred.
Depending on what management decides, the internal auditor will be involved to a greater or
lesser degree in fraud investigations.
The internal auditor has five specific responsibilities to discharge during fraud investigations,
namely:
• An estimation must be made of the probable level of seniority involved in the fraud and the extent of complicity in the fraud within the organisation.
• The internal auditor should then determine what knowledge, skills and disciplines are required to carry out the investigation effectively.
• The internal auditor will also need to identify the procedures to follow in the attempt to identify the culprits, the extent of the fraud, the techniques used and the cause of the fraud.
• There should be suitable coordination of activities with management staff, the legal advisers and other specialists for the full course of the investigation.
• The rights of the suspected culprits and the staff who will be affected by the investigation, as well as the reputation of the organisation, should be taken into account.
STUDY
• Assurance: An Audit Perspective (2018), Chapter 6 – 6.4.1 (The internal audit activity).
• All the sections in your undergraduate study material that relate to fraud.
13.3 FRAUD RISK ASSESSMENT
Standard 2060 states that the chief audit executive must report periodically to senior
management and the board on the internal audit activity’s purpose, authority, responsibility, and
performance relative to its plan and on its conformance with the Code of Ethics and the
Standards. Reporting must also include significant risk and control issues, including fraud risks,
governance issues, and other matters that require the attention of senior management and/or the
board.
In Standard 2120.A2 it is required that the internal audit activity must evaluate the potential for
the occurrence of fraud and how the organisation manages fraud risk.
STUDY
Assurance: An Audit Perspective – Chapter 6 – 5.5
Figure: Fraud risk assessment process (source: http://www.gao.gov/products/GAO-15-593SP)
MULTIMEDIA
View the Powerpoint presentation on myUnisa – GTAG 13 Fraud Prevention and
Detection in an Automated World - to assist you in your studies.
ACTIVITY 33
When Tammy Darling began working for African Properties, she had no intention of
defrauding the company. It was her first job after university and she was excited about
the opportunity and eager to do good work and to progress with her career. In fact, that
is what she did. African Properties owned several business properties in the Gauteng
area and, not long after her appointment, Tammy was assigned to run one of the big
shopping centres as the on-site manager. She showed shopping space to prospective
tenants, collected rents, oversaw a maintenance crew and generally ran the day-to-day
operations of the shopping centre.
After her husband was injured in a motorbike accident, money became an issue in
Tammy’s life. Around the same time one of the employees on the centre maintenance
crew resigned. Under normal circumstances, Tammy would have filled out paperwork
showing that this employee had left the company and then sent it to head office. Only
then would she have started looking for a replacement. However, this time Tammy did
not tell anybody at head office that the employee had resigned but kept on submitting
time sheets on his behalf. According to the company’s system, pay cheques were mailed
to Tammy and she distributed them to the employees. When the pay cheques arrived,
she now took the cheque made out to this employee and cashed it at a liquor store.
Tammy kept on doing this for approximately six months until she was reported through
the company’s anonymous fraud line. An internal auditor was immediately sent out to
investigate the matter and Tammy, who immediately confessed everything, was asked
to resign. A criminal case was filed against her. The details of the crime committed, and
the actions taken against Tammy were reported in African Properties’ quarterly
newsletter.
REQUIRED
I. Briefly discuss the factors that motivate people to commit fraud and also indicate
which of these factors apparently motivated Tammy to commit fraud.
II.
Mention the factors that should be kept in mind by the internal auditor who was
sent to investigate the suspicion that fraud had been committed.
III. Suggest 5 (five) practical recommendations to improve the internal controls related
to the payment of wages in order to prevent similar frauds in future.
IV. Briefly explain how the actions taken against Tammy will aid in the prevention of
fraud within African Properties.
FEEDBACK
You have to be able to apply your theoretical knowledge of the nature, prevention,
detection, investigation and reporting of fraud that you obtained during your
undergraduate studies, to practical scenarios.
I. The factors that motivate people to commit fraud, and the factor that apparently motivated Tammy to commit fraud:
Firstly, there may be pressure on the individual, either internal pressure in the form
of debt or a desire for riches, or external pressure in the form of pressure exerted by
the organisation on management to achieve projected profit figures and adhere to
budgets.
Secondly, uncontrolled access to organisational assets tempts employees to
appropriate them for their own profit.
Thirdly, personality disorders may exist. Most people generally prefer to be honest,
but unfortunately there are the exceptions where people prefer to be dishonest.
Tammy experienced financial pressure due to her husband’s motorcycle accident
and also had uncontrolled access to the wage cheques of the maintenance staff.
II. Factors that the internal auditor has to keep in mind when investigating a suspicion that fraud is taking place:
1. The success of inquiries to confirm suspicions of irregularities is largely dependent on good working relations.
2. The moral climate of the organisation as a whole is important. The success of the audit depends on good teamwork within a structure of trust.
3. One should beware of paranoia. Although it is important to be fully aware of the possibility of irregularities, it is also important to keep an open mind. The internal auditor should not automatically mistrust everyone who gambles or drinks or who clearly follows an unusual lifestyle.
4. The rules of interrogation are very important when inquiries could lead to the disclosure of irregularities.
5. The identity of any sources of information must be protected. If unconfirmed information is volunteered by an informant, it should not be accepted without investigation, but neither should it be ignored.
6. It helps to concentrate on the weakest link in the suspected fraud chain.
7. Most instances of fraud are simple and obvious. Conspicuous opportunities should not be overlooked. Investigate the simplest possibilities first.
8. The internal auditor should look out for irregular entries (especially entries that have been altered), corrected documents, photostats and duplicate documents, and especially for addresses with a box number only.
9. Careful consideration must be given to the audit sampling techniques that are used. It may be necessary to take a larger sample if this is warranted by a fraud investigation. Special attention is required when a population is chosen, so that the population can be stratified, if necessary, to isolate a possible area of embezzlement.
10. In some instances, it may be necessary for the internal auditors to report to higher authorities within the organisation, and possibly outside the organisation, regarding sensitive information that has come to their attention.
III. Practical recommendations to improve the internal controls related to the
payment of wages, in order to prevent similar frauds in future:
1. The wages of permanent employees should preferably be paid directly into their bank accounts. If this is not possible, then the following procedure should be followed:
2. Cheques should be made out in the name of the employee and be properly crossed so that the recipient of the cheque is forced to deposit the cheque into his/her bank account.
3. Control over the payment of wages should not be the responsibility of one person only. At least two authorised people should be present when wages are paid.
4. A wage register should be kept in which staff must sign for the receipt of their wages, and this register should be signed by both persons attending the wage payment.
5. Any unclaimed wages should be recorded and reported to head office and the cheque should be dealt with appropriately.
IV. How the actions taken against Tammy will aid in the prevention of fraud within
African Properties:
The company took prompt and appropriate actions against Tammy and reported
the incident in the company’s newsletter. The way an entity reacts to incidents of
alleged or suspected fraud will send a strong deterrent message throughout the
entity, helping to reduce the number of future occurrences. Seeing that other
people have been disciplined for wrongdoing can be an effective deterrent,
increasing the perceived likelihood of violators being caught and punished. It can
also demonstrate that the entity is committed to an environment of high ethical
standards and integrity.
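The Tammy Darling case is a ghost-employee scheme: a departed worker is kept on the time sheets and the resulting pay cheque is intercepted. The wage controls recommended above can also be tested after the fact by cross-matching the HR master file, the time sheets received by head office and the cheques cleared through the bank. The Python script below is an added illustration of that cross-match; it is not part of the study guide or of any prescribed text, and every data set, employee number, field name and function name in it is constructed for the example.

```python
"""Ghost-employee indicators from payroll data (added example; all data constructed)."""
from collections import defaultdict

# Constructed HR master file: employee -> site and the date the employee left
# (None means still employed). Dates are ISO strings so that they compare as text.
HR_MASTER = {
    "E100": {"site": "Mall-1", "left": None},
    "E101": {"site": "Mall-1", "left": "2019-03-31"},   # resigned; no further pay is due
    "E102": {"site": "Mall-1", "left": None},
    "E200": {"site": "Mall-2", "left": None},
}

# Constructed time sheets as received by head office:
# (employee, period_end, submitted_by, approved_by)
TIMESHEETS = [
    ("E100", "2019-04-30", "MGR-1", "MGR-1"),
    ("E101", "2019-04-30", "MGR-1", "MGR-1"),   # submitted after E101's departure
    ("E102", "2019-04-30", "MGR-1", "MGR-1"),
    ("E200", "2019-04-30", "MGR-2", "HQ-PAY"),
    ("E100", "2019-05-31", "MGR-1", "MGR-1"),
    ("E101", "2019-05-31", "MGR-1", "MGR-1"),
    ("E102", "2019-05-31", "MGR-1", "MGR-1"),
    ("E200", "2019-05-31", "MGR-2", "HQ-PAY"),
]

# Constructed cheque register reconciled to the bank statement:
# (cheque_no, payee_employee, period_end, cleared_as)
CHEQUES = [
    ("C1", "E100", "2019-04-30", "deposit"),
    ("C2", "E101", "2019-04-30", "cash"),       # encashed over the counter, not deposited
    ("C3", "E102", "2019-04-30", "deposit"),
    ("C4", "E200", "2019-04-30", "deposit"),
    ("C5", "E100", "2019-05-31", "deposit"),
    ("C6", "E101", "2019-05-31", "cash"),
    ("C7", "E102", "2019-05-31", "deposit"),
    ("C8", "E200", "2019-05-31", "deposit"),
]


def pay_after_departure(hr, timesheets):
    """Time sheets for employees unknown to HR, or for pay periods ending after
    the recorded leaving date. Returns (employee, period_end) pairs in file order."""
    hits = []
    for emp, period_end, _, _ in timesheets:
        rec = hr.get(emp)
        if rec is None or (rec["left"] is not None and period_end > rec["left"]):
            hits.append((emp, period_end))
    return hits


def cheques_not_deposited(cheques):
    """Cheque numbers that did not clear as a deposit, i.e. the crossing control failed."""
    return [no for no, _, _, how in cheques if how != "deposit"]


def self_approved_sites(timesheets):
    """Submitters for whom every time sheet was approved by the submitter as well:
    a site where one person controls the whole wage process."""
    by_submitter = defaultdict(list)
    for _, _, submitted_by, approved_by in timesheets:
        by_submitter[submitted_by].append(submitted_by == approved_by)
    return sorted(s for s, flags in by_submitter.items() if all(flags))


def ghost_employee_candidates(hr, timesheets, cheques):
    """Employees hit by more than one test: paid after leaving AND cheques not deposited."""
    paid_after = {emp for emp, _ in pay_after_departure(hr, timesheets)}
    cashed = {emp for _, emp, _, how in cheques if how != "deposit"}
    return sorted(paid_after & cashed)


if __name__ == "__main__":
    print("paid after departure:", pay_after_departure(HR_MASTER, TIMESHEETS))
    print("cheques not deposited:", cheques_not_deposited(CHEQUES))
    print("single-person sites:", self_approved_sites(TIMESHEETS))
    print("ghost employee candidates:", ghost_employee_candidates(HR_MASTER, TIMESHEETS, CHEQUES))
```

The three tests flag different control failures: pay after departure points at a specific record to inspect; a cheque cleared over the counter shows the crossing control (recommendation 2) is not working; a site where one person both submits and approves every time sheet shows that the two-person control (recommendation 3) is absent. Only an employee hit by more than one test is reported as a ghost-employee candidate, which keeps an innocent explanation (a late leaver's final cheque, a genuine cash encashment) from turning into an accusation; the hits are leads for the investigation procedures, not findings.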
13.4 FRAUD INVESTIGATION PLAN
As with any internal audit engagement, the investigation plan should consider methods to
• gather evidence, such as surveillance, interviews or written statements
• document the evidence, considering legal rules of evidence and the business uses of the evidence
• determine the extent of the fraud
• determine the scheme (techniques to perpetrate the fraud)
• evaluate the cause
• identify the perpetrators
13.5 ESTABLISHING THE OBJECTIVES OF A FRAUD INVESTIGATION
The objectives of a fraud investigation should be determined right at the start, in consultation
with professional advisers. Four important aspects should be considered when establishing the
objectives:
• Should the people involved in the fraud be criminally prosecuted?
• Should civil procedures be instituted to recover losses?
• Should staff suspected of fraud and found guilty be suspended and/or dismissed?
• What procedures can be followed to prevent similar incidents in future?
NOTE:
There is a substantial difference between the objectives of a fraud investigation and the
objectives of other internal auditing engagements. These are tabled below:
In a normal internal audit engagement, the internal auditor's objectives consist of the following:
• Looking for weaknesses in the system, or susceptibility of the system to problems.
• Making recommendations for improving efficiency, economy and effectiveness.
• Reassuring management.
• Emphasising compliance with developed procedures and controls and improving them.

A fraud investigation is geared towards detection. In a fraud investigation, the internal auditor's tasks involve the following:
• Looking for evidence supporting an identified irregularity.
• Determining the particulars of the irregularity.
• Quantifying the loss or scope of the problem and the period in which it took place, the method used and the persons involved.
• Acting as a gatherer of information and evidence.
STUDY
Performing Internal Audit Engagements:
• Par 3.5 (p 120)
• Par 4.5 (p 180)
• Par 5.5 (p 238)
• Par 6.6 (p 309)
• Par 7.5 (p 349)
ACTIVITY 34
Page through the local newspapers for a week and see how many fraud-related reports
you can find. Think about the effect that these frauds might have had, or still have, on
• the organisation(s) involved
• other employees
• shareholders
• creditors
• affected families and society in general
FEEDBACK
Please join the Discussion Forum and share with fellow students your understanding of
activity 34. Feedback will be provided subsequent to the discussion.
REFLECTION
The summary of the KPMG Africa Fraud and Misconduct Survey 2005 (2005:68–73),
performed in South Africa and 12 other African countries, revealed the following:
• 68% of respondents believed that fraud will increase in the future.
• Most respondents believed that the increasing sophistication of criminals is one of the reasons for the increase in fraud.
• Economic pressure, the lack of adequate penalties and law enforcement, and inefficiencies in the justice system were the most cited reasons for the increase in fraud.
• 76% of respondents indicated that employees, excluding management, were the major source of fraud and also accounted for the largest financial losses.
• Whistle-blower processes were cited as the most effective preventative measure in the fight against fraud, with good internal controls rated second.
• Collusion between employees and third parties was cited as the most common practice utilised by perpetrators.
• The inability of the police to apprehend criminals, no chance of recovering losses and the desire not to be tied up for years in criminal proceedings were indicated as the main reasons why fraud was not reported to the authorities.
• The four most common prevention methodologies were indicated as being
  - reviewed and improved controls
  - establishing a corporate code of conduct
  - establishing a fraud policy
  - improved screening of new employees
Did your encounters with fraud in practice reveal similar statistics? Do you think the
situation has improved or changed since 2005?
FEEDBACK
Give your comments in the Discussion Forum.
Fraud is a major concern among all types of organisations, encompassing the private and
public sectors. Internal auditors must have a good understanding of the factors that
predispose an organisation to fraud, of fraud risk indicators and of how to respond when
suspicious transactions or activities are observed.
The IAA should do proper planning before executing a fraud investigation. When the
internal audit function has been assigned an investigator’s role, an investigation plan and
engagement objectives should be developed for each investigation.
DISCUSSION FORUM
Join the Discussion Forum to discuss the importance of the “Tone at the Top” to prevent
fraud.
Learning unit 14
Performing fraud investigations
Contents
14.1 INTRODUCTION 136
14.2 IMPORTANT CONSIDERATIONS IN THE PERFORMANCE OF FRAUD INVESTIGATIONS 139
14.1 INTRODUCTION
Some frauds are resolved simply by identifying inconsistencies and putting them to a
potential suspect, who immediately confesses. Others are complex and extensive, and require
a concerted effort to bring them to light and to justice. Fraud investigations may be conducted by or
involve participation by internal auditors, investigators, security personnel and other specialists
from inside or outside the organisation.
REFLECTION
Before you study this learning unit, please revise your undergraduate work regarding
fraud and all related topics. Also ensure that you can formulate procedures and make
valid recommendations regarding a fraud investigation.
STUDY
▪ Assurance: An Audit Perspective (2018), Chapter 5 – 5.5.3
▪ Performing Internal Audit Engagements (2017):
  • Par 3.5 (p 120)
  • Par 4.5 (p 180)
  • Par 5.5 (p 238)
  • Par 6.6 (p 309)
  • Par 7.5 (p 349)
In this learning unit we will look at important aspects that should be taken into account when
performing a fraud investigation.
The following considerations should be taken into account when performing a fraud investigation:
1. Underlying risks in fraud investigations
2. Confidentiality
3. Immediate action
4. Management's actions when management fraud has occurred
5. The use of external investigators in the fraud investigation
1.
Underlying risks in fraud investigations
Fraud investigations involve certain risks for organisations and the persons involved in the fraud
investigations. There is the possibility that the suspect in a fraud case could institute legal
proceedings or a claim against the organisation or the individuals involved in the fraud
investigation, and that it might not be possible to prove the organisation's case against the suspect.
Risks to bear in mind are the following:
• accusations of slander
• complaints of unlawful restraint or false arrest
• complaints of malicious prosecution
• depositions, admissions of guilt and evidence that have been illegally acquired will not be accepted in court
A court ruling that evidence is not acceptable could result in an organisation losing a case against an
accused person and suffering major losses as a consequence.
It is therefore extremely important that internal auditors and anyone else involved in a fraud
investigation should be aware, from the very first moment that fraud is suspected, of the
procedures that should be followed in collecting evidence and information so that the evidence will
be accepted in court.
2.
Confidentiality
When fraud is discovered, the facts should be kept confidential until an arrest can be carried out. All
knowledge of the case should be strictly confined to top management and the people directly
involved in the investigation. Suspicions should be treated with the utmost discretion to avoid the
risk of slander suits or the possibility that the suspect will cover his tracks.
3.
Immediate action
Any suspicion of fraud should be immediately followed up. Unless immediate action is taken, the
suspect may have the opportunity to cover his or her tracks by destroying or altering records, for
example. Money can be transferred between accounts in minutes – or even sent out of the country
– and the suspect can escape. Arrangements should be made immediately for the securing of
records and evidence, suspects should be suspended or relieved of their duties and it may even be
necessary to cancel or postpone transactions with clients.
At the beginning of a fraud investigation it may be necessary to work instinctively so that the
investigation can take shape. It is important, however, not to be prejudiced and incriminate people
unreasonably in the process.
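Securing records the moment fraud is suspected only helps the organisation's case if it can later be shown that the copies examined are the copies seized and that nobody altered them in between (the court-acceptance risk discussed under 1 above). The Python script below is an added example of the two usual mechanisms for that, a hash manifest of the seized records and a hash-chained custody log; it is not from the study guide or from any prescribed text, and the record contents, names and timestamps in it are constructed for the illustration.

```python
"""Securing seized records: hash manifest and hash-chained custody log (added example)."""
import hashlib
import json

GENESIS = "0" * 64   # prev_hash of the first custody entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(records, custodian, seized_at):
    """One entry per seized record, sorted by name so two people produce the same manifest."""
    return [
        {"name": name, "size": len(blob), "sha256": sha256_hex(blob),
         "custodian": custodian, "seized_at": seized_at}
        for name, blob in sorted(records.items())
    ]


def verify_manifest(manifest, records):
    """name -> True if the record is still present and hashes to the value taken at seizure."""
    return {
        e["name"]: e["name"] in records and sha256_hex(records[e["name"]]) == e["sha256"]
        for e in manifest
    }


class CustodyLog:
    """Append-only log. Each entry commits to the previous entry's hash, so changing,
    removing or backdating an entry breaks the chain from that point on."""

    def __init__(self):
        self.entries = []

    def record(self, action, actor, when, detail):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"action": action, "actor": actor, "when": when,
                "detail": detail, "prev_hash": prev}
        body["entry_hash"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
        self.entries.append(body)
        return body["entry_hash"]

    def is_intact(self):
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            recomputed = sha256_hex(json.dumps(body, sort_keys=True).encode())
            if body["prev_hash"] != prev or recomputed != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


# Constructed records "seized" from the site office PC when the fraud was suspected.
SEIZED = {
    "timesheets_2019-05.csv": b"emp,period_end,hours\nE101,2019-05-31,160\n",
    "cheque_register.csv": b"cheque,payee,cleared_as\nC6,E101,cash\n",
}


def run_demo():
    """Seize, hash, hand over; then show that both a changed record and a backdated
    log entry are detected. Returns the four outcomes as a dict."""
    auditor = "internal auditor J.M."          # constructed name
    manifest = build_manifest(SEIZED, auditor, "2019-06-03T08:15:00+02:00")
    manifest_hash = sha256_hex(json.dumps(manifest, sort_keys=True).encode())

    log = CustodyLog()
    log.record("seize", auditor, "2019-06-03T08:15:00+02:00", "records copied from site office PC")
    log.record("hash", auditor, "2019-06-03T08:20:00+02:00", "manifest sha256 " + manifest_hash)
    log.record("handover", "legal adviser K.P.", "2019-06-03T10:00:00+02:00", "sealed copy received")

    original_ok = all(verify_manifest(manifest, SEIZED).values())

    # Someone later edits the hours on the time sheet: the manifest exposes it.
    altered = dict(SEIZED)
    altered["timesheets_2019-05.csv"] = altered["timesheets_2019-05.csv"].replace(b"160", b"80")
    altered_detected = not verify_manifest(manifest, altered)["timesheets_2019-05.csv"]

    log_intact = log.is_intact()
    log.entries[1]["when"] = "2019-06-02T08:20:00+02:00"   # backdating the hash entry
    log_tamper_detected = not log.is_intact()

    return {"original_ok": original_ok, "altered_detected": altered_detected,
            "log_intact": log_intact, "log_tamper_detected": log_tamper_detected}


if __name__ == "__main__":
    print(run_demo())
```

The manifest is produced once, at seizure, and a copy should go to someone outside the investigation team (the legal adviser in the demo) so that the team cannot later be accused of regenerating it to fit the evidence. Because every custody entry commits to the hash of the entry before it, backdating or deleting an entry is detectable from the log alone. None of this replaces legal advice on admissibility; it gives the investigator something concrete to put before that adviser.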
4.
Management's actions when management fraud has occurred
Specific actions are recommended that should be taken by executive management when
management fraud has occurred, such as:
• Establish standards based on budgets and statistics and investigate all material deviations.
• Use quantitative and analytical methods to highlight unusual behaviour. Where possible, management information systems should be developed to supply the data needed for this analysis.
• Compare organisation performance with industry norms as well as with comparable profit centres within the organisation.
• Identify critical process indicators, such as the percentage rework in manufacturing and gross profit percentages.
• Carefully analyse performance that looks too good as well as performance that does not meet standards.
• Establish a professional internal audit activity with the necessary independence and authority to act independently and objectively, to review all the operations within the organisation on a regular basis, and to require proper follow-up of all findings and recommendations.
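The first five actions above amount to an analytical review in which performance that looks too good is as much a flag as performance that falls short. The Python script below is an added example of such a review over constructed figures; it is not from the study guide or from any prescribed text, and the profit centres, budgets and gross-profit percentages in it are invented for the illustration. The median-based (robust) z-score is this example's own choice, made because a couple of extreme centres inflate an ordinary standard deviation and mask one another; the classic mean/standard-deviation version is included for comparison.

```python
"""Analytical review of profit-centre performance (added example; figures constructed)."""
from statistics import mean, median, pstdev

# Constructed monthly gross-profit percentages, one list per profit centre.
GP_PCT = {
    "Centre-A": [31.0, 30.5, 31.8, 30.9, 31.2, 30.7],
    "Centre-B": [29.8, 30.4, 30.1, 29.6, 30.3, 30.0],
    "Centre-C": [30.9, 30.2, 31.1, 30.6, 30.8, 31.0],
    "Centre-D": [30.4, 30.9, 31.3, 30.7, 30.2, 30.8],
    "Centre-E": [38.9, 39.4, 40.1, 39.7, 40.3, 39.9],   # consistently "too good"
    "Centre-F": [22.1, 21.5, 23.0, 22.4, 21.9, 22.7],   # consistently below standard
}

# Constructed annual revenue against an equal budget per centre (rand).
BUDGET = {c: 1_000_000 for c in GP_PCT}
ACTUAL = {"Centre-A": 1_020_000, "Centre-B": 940_000, "Centre-C": 1_005_000,
          "Centre-D": 1_150_000, "Centre-E": 1_300_000, "Centre-F": 820_000}


def robust_z(values):
    """Modified z-score (Iglewicz and Hoaglin): 0.6745 * (x - median) / MAD.
    The median absolute deviation is not dragged out by the extreme centres themselves."""
    xs = list(values.values())
    med = median(xs)
    mad = median(abs(x - med) for x in xs)
    if mad == 0:
        return {k: 0.0 for k in values}
    return {k: 0.6745 * (x - med) / mad for k, x in values.items()}


def peer_outliers(gp_pct, threshold=3.5):
    """Centres whose average GP% is far from their peers, flagged in either direction."""
    scores = robust_z({c: mean(v) for c, v in gp_pct.items()})
    return {c: ("too good" if z > 0 else "below standard")
            for c, z in scores.items() if abs(z) > threshold}


def classic_outliers(gp_pct, threshold=2.0):
    """Same test with mean and population standard deviation, to show the masking effect."""
    means = {c: mean(v) for c, v in gp_pct.items()}
    mu = mean(list(means.values()))
    sd = pstdev(list(means.values()))
    return {c: ("too good" if m > mu else "below standard")
            for c, m in means.items() if sd and abs(m - mu) / sd > threshold}


def material_deviations(actual, budget, tolerance_pct):
    """Percentage deviation from budget for every centre outside the tolerance band,
    over- as well as under-performance."""
    out = {}
    for c in budget:
        dev = (actual[c] - budget[c]) / budget[c] * 100
        if abs(dev) > tolerance_pct:
            out[c] = round(dev, 1)
    return out


if __name__ == "__main__":
    print("peer outliers (robust):", peer_outliers(GP_PCT))
    print("peer outliers (classic):", classic_outliers(GP_PCT))
    print("material budget deviations:", material_deviations(ACTUAL, BUDGET, 10.0))
```

On these figures the robust test flags Centre-E as too good and Centre-F as below standard, while the classic z-score flags neither at a 2-sigma threshold, because the two extreme centres widen the standard deviation enough to hide each other. Both flagged centres, and every centre outside the budget tolerance, then warrant detailed testing of the underlying transactions; the same pattern applies to any critical process indicator, such as rework percentages.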
5. The use of external investigators in the fraud investigation
It is frequently the case that the internal auditing department does not have the necessary
manpower or the necessary skills to carry out fraud investigations or parts of such investigations.
The internal audit activity may then recommend the appointment of an external investigative agent
to deal with the investigation, to assist with parts of the investigation or to act in an advisory
capacity.
It is often an advantage to use external investigative agents when information and evidence have to
be obtained from outside the organisation. The internal auditor is usually in the best position to
collect information and evidence from within the organisation. Where external agents are
appointed to deal with a complete investigation, they should also use internal auditors or work in
close cooperation with the internal auditors when they gather information and evidence from inside
the organisation.
When external investigative agents are used, the way they carry out the assignment and the
activities of the agency should be carefully monitored. When an investigative agent is appointed,
the agent is acting on behalf of the organisation and the organisation remains responsible for any
action by the agent. For this reason, external investigative agents require the permission of top
management for everything they do.
External investigative agents can be especially helpful with the following activities:
• obtaining information and evidence from external sources
• as a source of trained manpower, carrying out certain tasks that require specific training
• as specialists in areas like fingerprinting, graphology, observation, security, the examination of public records, interviewing and interrogation, photographic work and communication
The following are important to bear in mind when external investigative agents are used:
• Ensure the reliability of the investigative agency before appointing them.
• Discuss the investigative procedures with the investigative agency before the appointment is ratified.
• Make a clear decision on what tasks the investigative agent should carry out and what remuneration should be paid to them.
• Remain informed about the investigation and do not leave the investigation and the decisions solely to the investigative agency. The internal auditors have a better knowledge of and feel for the business than any external investigative agent; they should listen to the information and advice of the investigative agent and then take the necessary decisions themselves.
At the end of the investigation a written report should be obtained from the investigative agent in
which a clear distinction is drawn between facts, suspicions and hearsay. Reports should indicate
whether information has been obtained from a public record or from individuals. If interviews have
been conducted, the particulars of the people with whom the interviews were conducted must be
disclosed.
14.2 IMPORTANT CONSIDERATIONS IN THE PERFORMANCE OF FRAUD INVESTIGATIONS
To protect the professional status and recognition enjoyed by auditors it is necessary to
retain the confidence of the users of the professional service. The profession should be
organised in such a way that the desired standards are maintained, and the users should
be aware of this.
ACTIVITY 35
The internal auditors of a bank suspect that one of the officers in the bank has granted
loans to fictitious businesses, transferred the loan amounts to her own bank account and
never paid the instalments, as a result of which the bank suffered material losses. The
bank official's colleagues believe that her luxury house and vehicles, despite her average
income, can be attributed to the fact that she is someone who works wisely with her
money by investing it carefully. The fact that she is in a management position at a
relatively young age is not strange to them because she gets on well with everybody in
the bank, does favours for management, works more overtime than any other official and
never takes any leave. The internal auditors, therefore, were surprised at first by the
bank official's nervous appearance and her unwillingness to answer their questions.
REQUIRED
1. Mention the steps that the internal auditor should follow as a result of their suspicion that fraud has been committed by the bank official.
2. Identify the warning signals in the above case study that strengthen the suspicion that the bank official probably committed fraud.
AUI4863/SG
FEEDBACK
1. Steps the internal auditor should follow as a result of the suspicion that fraud has been committed by the bank official
• The factors that indicate fraud should be evaluated to determine if any further actions are required and whether a fraud investigation should be initiated.
• If the conclusion is that fraud might have taken place, then the relevant persons in authority within the organisation must be notified and the internal auditor can then recommend the investigation procedures that he/she deems necessary.
• The origin of the possible fraud must be identified, and recommendations must be made to correct it.
• Lastly, the internal auditor must ensure that management either pays the necessary attention to the problem or accepts the responsibility when they neglect to address the problem.
2. Warning signals reinforcing the suspicion that the bank official probably committed fraud
• The bank official owns a luxury house and motor cars, but she earns an average income.
• She gets on well with everybody in the bank and does favours for management.
• She works more overtime than any other official at the bank.
• She never takes any leave.
• The bank official appears to be nervous during the audit and is unwilling to answer questions, irrespective of the fact that she seems to get on well with everybody.
SUMMARY
In this learning unit we covered the internal auditor’s responsibility regarding the
performance of fraud investigations. We explained certain aspects of the procedures
for investigating fraud and dealt with some of the considerations to bear in mind when
conducting a fraud investigation.
NOTES
Make your own notes here:
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
Learning unit 15
Reporting and follow-up on fraud investigations
Contents
15.1 INTRODUCTION ........................................................ 142
15.2 FRAUD REPORTING ................................................... 143
15.3 FOLLOW-UP AND CORRECTIVE ACTION ..................... 146
15.1 INTRODUCTION
According to the internal auditing standards, on completion of a fraud investigation the internal
auditors should issue a formal, written report that contains all observations/findings, conclusions,
recommendations and corrective actions taken.
The reporting phase could be regarded as the most important phase of a fraud audit. Regardless of
how well the work was done, if the report is not written properly, the perception of the reader will
be that the audit was not a success. The report must clearly reflect the quality of the investigation.
REFLECTION
The complete internal audit reporting process and the follow-up of audit results were
discussed in your undergraduate studies. Ensure that you revise these very important
topics and that you can apply this knowledge to fraud investigations.
STUDY
Performing Internal Audit Engagements (2017), Chapter 9
15.2 FRAUD REPORTING
A written report should be issued at the conclusion of the investigation phase. It should include all
findings, conclusions, recommendations and corrective action taken.
ACTIVITY 36
Do a search for the “Rules of the written internal audit report” on the internet.
REQUIRED
Some articles encourage the use of visual aids. Explain what visual aids you could use to
make a report more presentable (at least ten examples). How would you prepare and
present these visual aids?
FEEDBACK
Visual aids are very important to make a report more presentable and professional.
Examples of visual aids include:
• time flow diagram
• graphs
• annexures – spreadsheets
• diagrams
• photos
• sketches
• scanned extracts of documents
• flow diagrams
• tables
• matrices
• links (references) to other documents/sites
• organograph
• list of abbreviations
• appropriate and logical (easy to follow) numbering system
• emphasis – use of different size lettering, bold, italics, different colour text, etc.
• maps
How to prepare and present the visual aids:
The visual aids might be computer-generated and inserted into the body of the
report. They may also be scanned (for electronic inclusion). The use of annexures and
exhibits is encouraged, which would typically be appended to the report and
supported by a proper index. The spreadsheet programmes are invaluable tools to
prepare graphs (use sensible colours) and these are easy to “copy” into a “Word
document”. Visual aids which are not computer-generated can be attached as
exhibits.
ADDITIONAL READING
Read the following article and keep this information in mind when writing a report.
15.3 FOLLOW-UP AND CORRECTIVE ACTION
It is very important that internal auditors follow up on fraudulent activities and take remedial action.
This process helps to limit the exposure, shows that decisive action is being taken, and prevents
recurrence of the fraud.
The internal auditor is responsible for the follow-up of a fraud investigation. The follow-up and
remedial phase consists of the following:
1. analysis
2. publication
3. implementation of controls
4. testing and training
5. proactive fraud auditing
1. Analysis
Analysis means that after every fraudulent loss, the internal auditor should analyse the entire
circumstances of the fraud, carefully considering which internal controls failed to either prevent the
fraud, or alternatively failed to detect the fraud earlier. All of the missed “red flags” should be
considered.
The purpose of this analysis stage is to learn from the mistakes made to ensure that similar
mistakes are not repeated. This is a very good, albeit expensive, learning process, but vital if the
organisation wishes to protect itself from similar future frauds. If this stage is not undertaken, the
learning opportunity is missed, and the organisation fails to protect itself against similar fraudulent
attacks in future. To maximise the learning opportunity from the analysis stage, it is recommended
that after every fraud, the internal auditor should investigate the details and make
recommendations on how to prevent similar frauds.
2. Publication of fraud investigations
The internal auditor should assist with the publication of all, or some, details of a fraud
investigation. Care should be exercised, however, not to name an alleged offender until such time
that the entire process (usually a disciplinary process) has been finalised, up to and including final
appeal or final resolution (if applicable). This process has multiple advantages, including managing
the negative rumours that always arise, sending a clear message about zero tolerance towards
fraudulent activity, visible signs that decisive action is taken, as well as the deterrent effect it has if a
person has been “named and shamed”. Care should always be exercised, however, as stated above,
not to compromise anybody's reputation on the basis of allegations.
3. Implement controls
Any controls found to be lacking during the analysis stage must be communicated by the internal
auditor and recommendations should be made to correct or improve processes to ensure that the
possibility of similar frauds occurring is minimised. This stage, referred to as “implement controls”, is
an active corrective measure, whereby the revised controls are enacted. Typically, such controls
may include better segregation of duties, greater supervisory controls or better custodial controls,
or a combination of the above.
4. Testing and training
The internal auditor should ensure that controls are implemented. The newly implemented controls
should be tested by the internal auditor and the staff should be trained on their new responsibilities
or the amended processes. Testing and training is therefore vital to maximise the benefit of the new
controls.
5. Proactive fraud auditing
The best protection against fraud, however, remains identifying it as soon as possible, when the
impact of the fraud is limited, as opposed to the devastating effect of a long-term fraud. Rather
than relying on accidental discovery, it is far better to actively seek it out. After every fraud, it is also
advisable for the internal auditor to test the entire organisation for similar frauds, based on the red
flags identified during the analysis stage.
ADDITIONAL READING
Do not forget to stay in touch with the new developments in fraud investigations. Read
the newspapers, look for relevant publications on the internet or in newsletters that you
can subscribe to.
You can find more information on fraud by visiting the website of the Certified Fraud
Examiners (CFEs) at www.cfe.org.
SUMMARY
Report writing is a skill which is developed over time. Few professionals are
automatically good report writers, whilst many never truly develop the skill. Report
writing takes many years of practice and is never perfected. It should, however, be
continuously practised at all levels of staff. This vital skill, when mastered, will be
invaluable, and in high demand in your career, regardless of your industry. May you
strive to become a good report writer and let it be said that you write a good report.
NOTES
Make your own notes here:
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
______________________________________________________________
Learning unit 16
Case Study
Contents
16.1 INTRODUCTION ........................................................ 149
16.2 CASE STUDY INFORMATION ...................................... 149
16.3 CASE STUDY QUESTIONS ........................................... 154
16.4 CASE STUDY FEEDBACK ............................................ 154
16.1 INTRODUCTION
The following case study was taken from Case studies in internal auditing, edited by Dittenhofer and
Ziegenfuss, and adapted to provide you with an example of how you can apply your theoretical
knowledge to a practical scenario.
16.2
CASE STUDY INFORMATION
THERE BE THIEVES IN TEXAS!
Gatesville, Texas, is a small community in central Texas, located in Coryell County, approximately
40 miles west of Waco. Gatesville is the largest municipality in Coryell County and functions as
county seat. It is typical of most Texas communities of its size. It still has a reasonably thriving
downtown area, a town square, one high school, and a strong sense of friendliness within the
community. Like many Texas towns, football is king and most of the social activities center around
the high school and local churches. In fact, very few things occur in Gatesville that everyone in the
community does not know about. It seems as if everyone who lives in Gatesville knows everyone
else who lives in Gatesville. The largest employer in the Gatesville area is a branch facility of the
Texas Department of Corrections (state prison system) for housing convicted adult felons.
Therefore, people in Gatesville are not inexperienced in dealing with criminals. Yet, the community
was stunned in the fall of 2010 when a long-time employee of the Coryell County Tax Assessor-Collector's (TAC) office was arrested by the county sheriff and charged with the embezzlement of
tax receipts. Then, just as the news of the arrest was beginning to sink into residents, they were
shocked by what happened a week later. The accused employee committed suicide.
FACTS OF THE CASE
The Set-up
Joan Wilson had worked in the Coryell County TAC office for more than twenty years. During that
time, she had performed a number of accounting functions for the Coryell County TAC office. In
addition, she had worked closely with Joan Blanchard, who eventually was elected to be the
county's TAC Director. Owing to the years that Blanchard and Wilson had worked together and
known each other, Blanchard gained complete trust and confidence in Wilson and demonstrated
this trust and confidence by appointing Wilson to the Chief Deputy position shortly after Blanchard
took elected office. In fact, they became indirectly related in that Blanchard's son married Wilson's
daughter. Blanchard's trust and confidence in Wilson was so strong that she believed that Wilson
would carry out her duties on an ethical, honest and professional basis.
As a result of this trust and confidence, Wilson was allowed by Blanchard to carry out her function
as Chief Deputy with only minimum oversight. After all, if Blanchard could not trust Wilson in her
job, who could she trust? Blanchard would review reports as they were prepared by Wilson, but she
rarely, if ever, reconciled any of the accounting data in the reports to supporting detailed
documentation. Being a relatively small TAC office, budget constraints and turnover would occur
which would necessitate changes in job duties. When such changes occurred, Wilson was always
willing, if not eager, to take on the added responsibilities. Again, because of the trust Blanchard had
in Wilson, she would usually allow Wilson to take on the added duties and responsibilities; Wilson
appeared to be a willing, dedicated, hard-working employee who was not afraid to do whatever was
necessary to see that the job got done!
It was during one of these changes in job duties that Wilson was provided with the opportunity to
begin her embezzlement scheme. Sometime during 2004, a data entry clerk retired from the TAC
office. She had been responsible for the information from one of the tax receipt forms that usually
showed the amount of sales taxes collected from purchasers (Texas is one of the states that
depends heavily on its sales tax revenues as a primary source of tax revenues). The clerk would
enter the information from the tax form into the sales tax computer database. Prior to her
retirement, the data entry clerk often had been absent due to her husband's serious illness. As a
result of these frequent absences and the importance of the sales tax information to the state, the
data entry clerk taught Wilson how to input the tax receipt information. Therefore, when the clerk
retired, Wilson told Blanchard that she could take over the responsibilities without impairing her
current workload and thereby save the time and money that hiring and training a new clerk would
incur. Naturally, given the relationship between Wilson and Blanchard, it was not surprising that
Blanchard quickly agreed to Wilson's suggestion.
In taking over the duty of entering the sales tax information into the computer, Wilson now had sole
responsibility for reconciling the total daily receipts (incl. cash), preparing the daily cash sheet,
preparing the daily bank deposit, and reconciling the tax receipts to the computer summary report
(which was also prepared by her).
Shortly thereafter, Wilson took over the motor vehicle sales tax reconciliation function. When she
received Form 31, detailing the tax receipts – again, the side which showed the amount collected
from the motor vehicle purchaser – she began throwing away all of these tax receipts.
Subsequently, Blanchard discovered that Wilson was throwing these forms away and questioned
her as to why she did this. Wilson responded that she had been told by the State Controller's office
that the forms were not necessary if the county involved had a computer database. To her credit,
Blanchard told Wilson she was wrong and did indeed need these tax receipts forms. Therefore,
Wilson began filing them again in May, 2010.
Other unusual things began to happen in Wilson's performance of her tasks. Wilson appeared to be
very jealous and overly protective of the various tasks she performed. For example, none of the
other employees were ever allowed to input information from the motor vehicle sales tax receipts
forms (Form 31) into the motor vehicle sales tax computer database. Also, none of the other
employees were allowed free access to the tax side of the Form 31 receipts. Whenever an employee
needed to see one of these forms, Wilson would find the receipt, pull it out of the file, and then
hand it to the employee. When the employee was finished with the document, it was returned to
Wilson who then refiled the form. In addition, after the daily 3:00 PM reconciliation was completed
and cash receipts had been placed into the bank deposit bag, no one except Wilson was allowed to
make change for any taxpayers who had presented large bills.
Wilson would routinely get to the office very early in the mornings, usually before any of the other
employees had arrived. She also came into the office on Saturdays to enter the Form 31 information
into the sales tax database. One employee remarked that if another employee came in early, Wilson
would become very nervous and agitated and would not enter the tax information into the
computer whenever the employee was nearby.
Wilson, as chief deputy for the offices, was responsible for the handling of employee time sheets.
She took this duty very seriously as employees would write onto the time sheet the hours that they
had worked. If Wilson believed the employee had improperly recorded hours worked, she would
change the time sheet to the hours she felt should have been recorded. Naturally, these changes to
other employee time sheets caused numerous arguments between Wilson and the affected
employees. Eventually, these disgruntled employees wondered if Wilson was as strict with her own
time sheet. It was common knowledge in the office that Wilson would take numerous days off as
well as taking off every Thursday afternoon and all day Friday. When these employees managed to
obtain copies of Wilson's time sheet from her desk one day when she was gone, they noted she
never adapted her time sheet for the time she was away from her job. Employees also noted that
Wilson would routinely steal "little things" by using the postage meter for her personal mail, using
the business phone to make personal long-distance calls, etc.
In addition to the changes in Wilson's behavior in the performance of her duties, employees began
noting other changes in her personal life and behavior. For example, she always seemed to have
large amounts of cash in her purse. Whenever co-workers went shopping with her, she always paid
cash. Another time when the office personnel had to attend a seminar in Waco, Wilson pulled
several twenties out of her purse and said she was going to "let the county pay for our meals" yet
she never filed a voucher requesting reimbursement for the meals. Wilson and her husband, who
was a local chiropractor, took a lot of trips to different locations during the year and during the
summer, they would go to their beach-house nearly every weekend.
Suspicions Aroused
In September 2010, Wilson's husband Charles became very ill which necessitated her being off work
for a week so she could be at home with him. During this time, Wilson's work was performed by
other employees within her department. Nothing unusual was noted with the cash sheets, deposits,
or reconciliations. However, on the Monday of the following week, employees began realising
something had occurred during the weekend. Upon arriving at work, employees noted the
computer had a strange message on it like it had been turned on during the weekend and not
turned off properly. Since Wilson was the only one who would come into the office on Saturdays to
enter the tax receipt information into the computer, they realised that Wilson had been in the office
on Saturday. Then, the clerk who had prepared the cash sheet on Friday noticed that changes had
been made on the cash sheet. It seems the clerk's original numbers had been "whited-out" and
changed to reflect lower balances. Although the clerk was curious about the changes, she had seen
similar changes before on previous cash sheets that she had prepared. Normally, when she
questioned Wilson about the changes (since it had been preached to her the cash sheet had to be
100% correct, with no changes showing), Wilson told the clerk that the clerk had made a mistake
which was changed by Wilson and she should not worry about it. However, this time she was certain
she had not made a mistake on Friday since her cash sheet and the cash receipts counted by
another clerk had balanced. She was also disturbed by the fact that whoever had made the changes
was trying very hard to make it appear that the handwriting in the changes looked just like the
handwriting on the unchanged numbers. The clerk decided to ask Blanchard, the director, why the
change was made. Blanchard indicated she had no idea why a change had been made over the
weekend. Wilson was subsequently approached as to why the change was made, and as before,
simply commented that a mistake had been made and she had changed the numbers. The second
clerk informed Blanchard that everything had balanced on Friday and still balanced on Monday,
except the numbers were different, showing the office had taken in less cash than had been shown
on Friday. Blanchard became suspicious. She began checking tax receipts taken on auto transfers
against the amounts shown on the computer printouts. On several of the tickets, Blanchard noted
the amount on the receipt was $500 or $1,000 greater than what had been recorded on the
printouts. Since Wilson was responsible for the data entries, Blanchard realised that her close friend
was responsible for stealing a great deal of money. Finally, she contacted the Coryell County
District Attorney (DA) who instructed her to tally as much of the losses as she could while the DA's
office initiated an investigation. When Blanchard discovered that for 2010 alone, Wilson had taken
over $100,000 from the Coryell County TAC office, she had no choice but to make a complaint
against Joan Wilson with the county sheriff’s office. Finally, on the afternoon of November 8, 2010,
before television cameras, Joan Wilson was arrested in her office. On November 15, 2010 she
committed suicide.
Results of the Investigation
Even though the accused was now dead, the district attorney's office and the state Comptroller's
office decided to conduct an investigation. The investigation turned up a great deal of evidence
against Joan Wilson. For example, when Wilson would make the deposits for the county with the
bank that handled both the county's account and her family's account, she would always make the
deposits inside the bank lobby. However, when she made personal deposits, she went through the
drive-in bank teller. The bank teller noted that when Wilson made these deposits, they were always
either into the joint account or into her son's account. These deposits were mostly in cash, with very
few cheques being deposited. Wilson made these deposits on almost a daily basis and was almost
always alone when she made the deposits.
In addition to the behavioral aspects noted, withdrawals from the bank accounts of Mr. and Mrs.
Wilson and their son as compared to total known sources of funds were as follows:
Year    Known Funds    Withdrawals
2007    $92,767        $179,993
2008    76,473         191,644
2009    74,185         204,863
2010    56,970         142,153
Other evidence came to light. The bank records did not show any transfers of funds between the
joint account and her husband’s chiropractor’s account. No funds generated by her husband’s
practice could be traced to the joint bank account, which was used to pay the monthly obligations
of the household. Yet, the only known source of funds being deposited into the joint account came
from Joan Wilson's salary from the TAC office.
Both Wilsons (Joan and Charles) committed themselves to various obligations during these same
periods. On the average, the recurring monthly payments for home mortgages, car payments,
insurance, credit cards, etc., were $5,976 per month. Again, as noted, these expenditures were
considered household obligations and were paid only from the joint account. In addition to the
recurring payments, it was known that a $15,000 investment was paid in lump sum in 2008, a
$4,000 lump sum loan made in 2008, and another large lump sum was paid in 2010. Interestingly,
the average net pay-check from the county for Joan Wilson was about $1,000.
Early in 2010, the Guaranty Bank and Trust, which was the principal bank used by the Wilsons,
asked Charles Wilson to prepare and file a personal financial statement showing personal income
and cash flows for the year ended 2009 and projected income and cash flows for the year ended
2010. The statements filed showed incomes of $36,158 and $42,564 for 2009 and 2010,
respectively. Personal expenses were reported at $23,964 and $26,163 for 2009 and 2010,
respectively. It should be noted that deposits in cash to the son's account for 2009 and 2010 were
more than the total personal expenses shown. Also, it is interesting to note Charles Wilson had
monthly debt service payments on personal loans from 2006 until April 2009 that averaged $1,473,
which was more than the monthly net pay available to pay all of the living expenses of the
household.
Epilogue
Based on the results of the investigation, the Coryell County District Attorney's office decided to
pursue the case since it appeared obvious that thefts over $100,000 had occurred, which is a first-degree felony offense in the state of Texas. However, since Joan Wilson had committed suicide
shortly after her arrest, the district attorney had to decide on who to prosecute. Since Dr Wilson
seemingly benefited from the appropriations of funds by his wife, it was decided that he would be
prosecuted. Dr Wilson's defence was that he had no knowledge of his wife's embezzlement and
should not be held liable or as an accomplice to her scheme. This argument did not deter the district
attorney nor the jury as Dr Wilson was subsequently convicted and sentenced to a substantial
prison term. However, due to his age and poor state of health, he is not expected to complete his
term. In addition, the state of Texas has assessed the Wilson estate for the collection of funds in the
amount of $1,226,424.45, the amount that it has determined that Joan Wilson had stolen since
2004.
16.3
CASE STUDY QUESTIONS
The following questions that are based on the case study were taken from Case studies in internal
auditing, edited by Dittenhofer and Ziegenfuss.
Assume that you are a state auditor for the State of Texas and you are assigned to deal with this
case. Complete the following:
I. Identify the internal control weaknesses that appear to be present in the Tax Assessor-Collector's office.
II. What types of recommendations would you make to improve the identified weaknesses?
III. What "red flags" could you note, based on the above information, that might have aroused suspicions that some type of fraud or embezzlement could have been occurring?
IV. Why do you suppose that the employees within the county office failed to place much emphasis on these "red flags"?
V. What would you recommend to try to prevent future occurrences of this situation?
VI. Dr Charles Wilson, in his defence, argued that he was unaware of the embezzlement being perpetrated by his wife.
VII. What information could you deduce from the case to refute his argument?
VIII. It appears that this county office did not have an internal auditor on its staff. In fact, the state did not conduct any audit work until the embezzlement was discovered. Do you think that an internal auditor might have been able to uncover this fraud?
16.4
CASE STUDY FEEDBACK
The following feedback was taken from Dittenhofer and Ziegenfuss (1997, adapted):
(i) Internal control weaknesses in the Tax Controller's Office
• Segregation of duties
This weakness, along with the lack of access controls, was one of the most serious. There is little
doubt that there was no true segregation of duties in this case. Wilson clearly had far too many
responsibilities. Remember that we want to have specific responsibilities assigned to specific
individuals so problem areas can be easily identified and corrected. Wilson performed numerous
incompatible functions involving the custody and recording of cash receipts as well as the
authorisation function of approving transactions (i.e., she handled all employee time sheets
including her own).
• Personnel policies
The county office appeared to have done very little to ensure either honesty or the competency of
its employees. Since this county office acted primarily as a collection agency for state taxes,
perhaps the state should have had measures to ensure competency. However, the state does not
seem to have done anything either. None of the parties involved appeared to be accountants or
certified public accountants nor does it appear that there was any evidence that any training in
basic bookkeeping procedures occurred. Just because this office handled essentially cash basis
accounting, it does not relieve the state or county from ensuring that its employees are competent and
adequately trained. Again, given that this office dealt predominantly with cash receipts, none of the
employees who had any custodial functions or were in a position of trust (such as Joan Wilson)
appear to have been bonded. Clearly, there was little in-house training since Wilson would leap at the
opportunity to take on new duties. Also, there does not appear to have been any rotation of duties
or required vacations. Even when Wilson took time off, she would still come into the office on
Saturdays to ensure she handled the cash receipts records and entry into the computer files, so she
could continue her embezzlement scheme.
• Execution of transactions
Again, there appears to be little question that this county office was poorly organised. There
appears to be only a minimal organisation structure with very little formal structure. There were no
clear-cut or well-defined procedures for assigning responsibility and authority. Convenience or
willingness to take on additional duties seemed to be a predominant factor in the assignment of
duties and responsibilities. There were no written procedure manuals to explain how transactions
were to be recorded and executed. Otherwise, Wilson would not have been able to continually alter
and then destroy tax receipt forms.
• Recording of transactions
Several basic recording controls appear to have been ignored here as well. It appears that some of
the accounting documents were not prenumbered and controlled given that no one seemed to
realise that original tax receipts were missing until Wilson was actually caught throwing them away.
It is surprising that once it had been realised that Wilson had been throwing the receipts away and
destroying them that nobody really questioned her reasons for doing so (the State Comptroller's
office allegedly told her the receipts were not necessary if the data was kept on a computer
database). Evidently, if any questions as to amounts arose, the office must have relied on the
computer printouts prepared by Wilson. In addition, it is evident the recording of transactions on a
timely basis was not done consistently since only Wilson handled the computer entry of the tax
receipts.
• Access
As noted previously, this control, along with the lack of segregation of duties, was probably the
most violated control. Wilson not only had access to the cash receipts but also had access to the
accounting records. Therefore, she had the opportunity to steal the cash and then be able to cover
up her theft by altering the accounting records. Of course, it did not hurt her scheme any that she
was able to prepare the deposit documentation, jealously guard the deposit bag so that only she
could make change for any large bills paid by taxpayers, and then be able to make the deposit
herself.
AUI4863/SG
• Independent verification (accountability)
There appears to have been little, if any, type of independent verifications of any of the work that
was performed in this office, particularly Wilson's work. Of course, since she performed so many
custodial, recording, and authorisation duties, who was left other than Blanchard to verify her work?
Since Blanchard apparently had so much trust in Wilson, she obviously left Wilson alone. There was
no internal audit function within the county office, no independent reconciliation, surprise audits
and cash counts, or anything else that might have led to the earlier discovery of the embezzlement.
Even the state appears to have provided very little oversight since it did not become involved until
the theft was discovered.
(ii) Recommendations to improve the internal control structure
• There should be proper segregation of duties wherever possible, especially with regard to
the custodial and recording duties. An organization chart should also be prepared. Since this
office was basically a small tax collection agency for the state and therefore dependent on
budget appropriations for its operating funds, it might be constrained as to the number of
employees that could be hired that would allow a better segregation of duties. Under no
circumstances, however, should any individual employee be allowed to handle the cash
receipts, record these receipts into the accounting records, and deposit these receipts into the
office's bank account.
• Personnel policies should be clearly defined with job descriptions, required qualifications,
training, etc. Prospective employees should be tested to see if they have a rudimentary
understanding of basic accounting procedures. Duties between personnel should be
periodically rotated whenever possible. Temporary personnel should be used to perform the
duties of vacationing personnel rather than allowing employees to perform incompatible
functions. In addition, given the changing operating environment with more and more
computerisation, employees should be properly trained in the use of the computer and its
related software packages. If possible, the employees with computer duties should be certified
and periodically tested in the performance of their duties. Salaries need to be adequate enough
so that employees would be less tempted to try to steal funds. Vacations should be required
and strictly enforced. No employee on vacation should be allowed to come in at his/her
discretion to perform any assigned duties.
• Policies and procedures for the handling and recording of the cash receipts need to be clearly
defined, established, and strictly followed, primarily through the use of a procedure manual. If
necessary, the steps involved with the handling and recording of the cash receipts might be
written in a "cookbook" format that would require the employee to document that each step
was properly done. Then, a supervisor would have to review the work performed and initial or
verify that no steps were omitted or improperly performed before any cash is placed into the
deposit bags and deposit slips are prepared. Clearly-defined lines of authority and
responsibility need to be established. A simplified organisation chart or something that can
define the organisation structure of the office needs to be prepared. Authorisation of
transactions should be performed by someone with no other custodial or recording duties,
particularly with the handling of the time reports. Deposits of the cash receipts should be made
on a daily basis, so no employee would be able to come into the office on weekends and
remove cash from the deposit bag.
• All documentation should be pre-numbered, and accounted for, including tax receipts, tax
forms, cash count sheets, etc. A simplified chart of accounts could be established to control the
various types of tax receipts that are received. In any case, the documentation and procedures
followed in the recording process should be kept as simplified as possible to reduce the risk
that errors in the process will occur. Cash receipts should be entered into the computer records
as soon as possible, preferably by the end of the business day, rather than at the convenience
of the employee responsible for data entry.
• Access controls should be established so that access to any documents or assets is limited so
that those employees who need access to perform their duties have the necessary access.
However, even this access should be limited only to the extent necessary to perform their
duties. Those employees with custodial duties should not have any access to the accounting
records or documents, and vice-versa for those employees with recording duties. Access to the
computer and computer records should be controlled.
• There are a number of things that could be done to improve accountability through some type
of independent verification. First of all, there should be much stronger supervision of the work
by the director and other supervisory personnel. Of course, those employees charged with
supervision should have no other duties relating to what they are supervising. If possible, an
internal audit function should be added. Given that this office is a relatively small county office,
it may not be cost efficient to have a separate internal audit function. In such a case, the county
itself should establish an internal audit function to handle all county offices. If this would still
not be cost efficient, the county could approach neighbouring counties about the possibility of
an internal audit function to service several counties. Then, the related costs could be shared.
In addition, the state auditors should take a more active role in the accountability of these
smaller offices. While it may not be practical to audit such offices on a yearly basis, such offices
should be audited at least once every three years. The state auditor should routinely make
surprise cash counts and reconciliations on a periodic basis.
(iii) Red flags that could have aroused suspicions
There appear to be a number of "red flags" that should have aroused suspicions of employees and
the director that there was a possibility of something being wrong. Some of the obvious red flags in
this situation were as follows:
• Wilson was too eager to take on new job responsibilities even when such responsibilities added
to her already heavy work load.
• Wilson would get defensive, irritable, and argumentative when other employees would offer
to help her in her work.
• The isolation she exhibited in her work in that only she was allowed to enter the tax receipt
data into the computer.
• Wilson would not allow any employees to change large bills after the cash receipts were placed
into the bank deposit bag.
• Wilson routinely had large amounts of cash in her purse.
• The bank teller should have been suspicious that so many personal deposits were mainly in
cash to a drive-in teller where she would not be as easily seen as she would be when making
the office deposits in the bank lobby.
• The obvious changes in Wilson's lifestyle. She was noted taking numerous trips with her
husband. It was known they had a beach house, boat, investments, etc. that were clearly above
her annual gross income. Even her husband's chiropractic clinic was not producing enough
income to justify the extravagant lifestyle they were living.
• Wilson often worked alone and worked late and on weekends. Usually when employees are
this dedicated, it is because they may be doing something they do not want other employees
to discover.
• There were numerous instances of missing documents since Wilson would usually destroy the
tax receipts. In addition, she often made alterations of the cash sheets and deposit slips.
(iv) Reasons why employees failed to note many of the red flags
Some of the possible answers could be as follows:
• Wilson was well-liked by a majority of the employees, although she did have some run-ins with
some employees regarding her handling of their time sheets.
• Wilson could have used the time sheets as a type of "Damocles sword" over the head of the
employees who might have raised questions. In this manner, she could have circumvented any
controls, if they had been present, by virtue of her supervisory position.
• It was well-known in the office that Wilson was a long-time employee and trusted by the
director. Given that the office was relatively small, and all employees knew each other and
were aware of office politics, any employee who might have had suspicions was afraid to
challenge or accuse Wilson by reporting her to the director. Also, the employees evidently
were able to discover that Wilson was routinely changing their time reports yet was not
adapting her time sheet for the times she took off from work.
(v) What could be done to improve the employee awareness
• Certainly, one thing that should be done would be to educate employees on the various signs
of possible fraud through seminars, office meetings, etc.
• In addition, better controls might have made employees more aware of the possibility of fraud
or embezzlement.
• Finally, state and local government, as well as businesses in general, need to change attitudes
on the subject of whistle blowing. Instead of treating the whistle blower as a "stool pigeon"
motivated by self-interest, such individuals should be treated as heroes, particularly with
governmental entities who are accountable to the public for the proper handling of tax funds.
Had the whistle been blown on Wilson early, the state of Texas would not have been missing in
excess of $1 million in tax revenues.
(vi) Factors within the case that can be used to refute Dr Wilson's defence
There are a number of items within the case that can be used to refute Dr Wilson's defence.
As stated, there were two different bank accounts used by the Wilsons. One account was used
strictly for the chiropractor’s practice. None of the funds from this account were used to pay any of
the household expenses or any personal expenses. All household expenses and all other personal
expenses (boat, beach house, loans, investment, etc) came from the joint cheque account.
• The source of the funds of the joint cheque account would normally be the paycheque of Joan
Wilson. It is obvious from the information in the case, the tables, etcetera that far more than
their income was spent for household and personal expenses.
• It would be stretching the imagination of even the most gullible person to believe Dr Wilson did
not know what his wife's gross income was. Given that he wrote four cheques within a few
months for investments and a loan totalling more than his wife's yearly income, showed that
Dr Wilson had to be aware of the embezzling that his wife was doing. While he may not have
been directly involved in the planning and implementation of the embezzlement scheme, he
had to be aware something unusual was occurring for the joint account balance to be as high as
it was.
• Even if he said nothing to encourage her scheme or to discourage her, his silence made him an
accomplice in that he used the funds for whatever reason he desired.
(vii) Would an internal auditor have uncovered this fraud?
There is no guarantee that had there been an internal auditor performing tests in this county office,
that the internal auditor would have been able to uncover the embezzlement scheme, however,
• a good internal auditor should have readily recognised the obvious weaknesses in the internal
control structure of this office
• the internal auditor would have questioned why the tax receipt forms were being destroyed or
why changes had been made by Wilson in the cash sheets when it was clearly emphasised to
other employees that changes were not to be made
• the internal auditor would have been able to determine that the pay sheets were being
manipulated by Wilson and that could have cast doubts on her reliability and integrity and
would have caused more testing in the areas Wilson was heavily involved
• an internal auditor might have been able to recognise enough of the red flags present in this
situation to have at least raised some questions and expressed the need for further
investigation
• had there been an internal auditor present to periodically check and verify work performed in
the office, Wilson might not have been as likely to attempt her embezzlement scheme because
the risk that she might be caught would be substantially increased. Or she would have been
more careful and would not have tried to steal as much.
After working through this case study, you should have a better idea of how to apply your
theoretical knowledge to a practical scenario. Remember that for examination purposes you should
be able to apply your theoretical knowledge to practical scenarios.
TOPIC 6
Auditing of advanced IT system
Contents
LEARNING UNIT 17: General and application controls ........................................ 162
LEARNING UNIT 18: Auditing advanced and newly developed IT systems ................ 174
INTRODUCTION TO AND PURPOSE OF THE TOPIC
Properly utilised information technology (IT) systems can play an extremely important role in the
strategic planning and management of an organisation, and they involve far more than mere
recordkeeping and processing of information for historical and legal purposes. Strategic and
timely information is vital for the achievement of the organisation's objectives in the most
efficient and effective manner.
Owing to its integrated nature, IT auditing should not be seen in isolation. It can be combined and
integrated into almost every internal audit engagement.
The aim of this topic is to explain the risks and controls that relate to advanced IT systems and to
formulate an audit approach for auditing advanced IT systems.
In this topic we focus on advanced information technology (IT) concepts. It is imperative that the
internal auditor understand the impact of advanced information systems on the entire organisation,
as well as on the internal audit activity specifically. In this module we will discuss the risks and
controls that relate to advanced IT systems, as well as the formulation of an audit approach for new
and advanced IT systems.
MULTIMEDIA
Please access the podcast on myUnisa to assist you in your studies of topic 7.
LEARNING OUTCOMES
After you have studied this topic, you should be able to
• understand the risks related to advanced IT systems and be able to perform a risk analysis in a
given scenario
• explain and evaluate the controls relating to advanced IT systems
• develop an audit approach to evaluate advanced IT systems and applications
Learning unit 17
General and application controls
Contents
17.1 INTRODUCTION .......................................................................................... 162
17.2 GENERAL CONTROLS IN AN IT ENVIRONMENT ................................................. 165
17.3 EVALUATION OF APPLICATION CONTROLS ..................................................... 168
17.4 INTERNAL CONTROL SYSTEMS IN COMPUTER ENVIRONMENTS AND THE
EVALUATION OF SUCH SYSTEMS ......................................................................... 172
17.1 INTRODUCTION
Information technology is not an isolated subject or topic. It should thus not be approached as a
highly specialised, separate section of the organisation. The information technologies deployed and
the systems supported by them form an integral part of the total infrastructure of an organisation
and, like other resources, they contribute to the achievement of the organisation's objectives.
REFLECTION
In your undergraduate studies you had extensive exposure to the theory and basic
principles of information systems and information systems auditing. Now that you are a
postgraduate student, we expect you to be proficient in the application and
interpretation of these basic principles and theories. Therefore, if you feel that your
knowledge is lacking in any way, you should revise all your undergraduate study material
on these topics thoroughly.
In this learning unit we will focus mainly on general and application controls in an IT
environment.
It is of utmost importance that you have the correct overall perspective on the role of
information technology (IT) in the management of an organisation. This includes the
timely and accurate preparation of authorised information, the timely and accurate input
of information into the system with the aid of applications software, the accurate
processing of the information, control of the processed information, timeous
distribution of the processed information and utilisation of the information for the
purposes for which it was intended. The golden rule, which applies to the whole system,
is the identification and management of all critical risks that are present in the system,
which could prevent an organisation from achieving not only its information technology
objectives, but possibly also its business objectives.
In the light of the sophistication and power of the computer programs in use today,
information systems can be regarded as the nerve network of organisations.
Because information systems play such an important part, they require managerial
efficiency of a high order. An information system consists of a number of very important
aspects, some of which are associated with a high degree of risk. The management of
such a system and the activities associated with it require a high degree of expertise,
which is why internal auditors require a thorough knowledge of each important aspect of
computerised systems if they are to make a significant contribution.
This overall perspective makes it easier for the internal auditor both to decide on his or
her focus and approach and to plan tasks with regard to the information technology
system itself and the processing of such information. The auditors must use the
information technology system and the information it generates to obtain the necessary
audit evidence to perform their responsibilities efficiently.
STUDY
• Performing Internal Audit Engagements (2017), Chapter 2
• Assurance: An Audit Perspective (2018), Chapter 8
• GTAG – 1 - IPPF- Practice Guide: Information Technology Risk and Controls
GOVERNANCE CONTROLS
According to GTAG (Global Technology Audit Guide) – Governance Controls, these are explained as
follows:
The primary responsibility for internal control resides with the board of directors in its role as keeper
of the governance framework. IT controls at the governance level involve ensuring that effective
information management and security principles, policies, and processes are in place and
performance and compliance metrics demonstrate ongoing support for that framework.
Governance controls are those mandated by, and controlled by, either the entire board of directors
or a board committee in conjunction with the organisation’s executive management. These controls
are linked with the concepts of corporate governance, which are driven both by organisational goals
and strategies and by outside bodies such as regulators.
An important distinction between governance and management controls is the concept of “noses
in, fingers out”. The board’s responsibility involves oversight rather than actually performing
control activities. For example, the audit committee of the board does no auditing, but it does
oversee both the internal and external auditing of the organisation.
MANAGEMENT CONTROLS
According to GTAG (Global Technology Audit Guide) – Information Technology Controls,
management controls are explained as follows:
Management responsibility for internal controls typically involves reaching into all areas of the
organisation with special attention to critical assets, sensitive information, and operational
functions. Consequently, close collaboration among board members and executive managers is
essential. Management must make sure the IT controls needed to achieve the organisation’s
established objectives are applied and ensure reliable and continuous processing. These controls
are deployed as a result of deliberate actions by management to
• recognise risks to the organisation, its processes and assets
• enact mechanisms and processes to mitigate and manage risks (protect, monitor, and
measure results)
TECHNICAL CONTROLS
According to GTAG (Global Technology Audit Guide) – Information Technology Controls, technical
controls are explained as follows:
Technical controls form the foundation that ensures the reliability of virtually every other control in
the organisation. For example, by protecting against unauthorised access and intrusion, they
provide the basis for reliance on the integrity of information — including evidence of all changes and
their authenticity. These controls are specific to the technologies in use within the organisation’s IT
infrastructures.
The ability to automate technical controls that implement and demonstrate compliance with
management’s intended information-based policies is a powerful resource to the organisation.
Below is a framework of the general and application controls also illustrated in figure 8.1 above.
These are the main categories of controls in an IT environment.
Figure 8.2 – General and application controls

Controls in an IT environment

General controls:
• System development and implementation controls
• System maintenance controls
• Organisational and management controls
• Access controls to data and programmes
• Computer operating controls
• System software controls
• Business continuity controls

Application controls:
Controls over the:
• input
• processing
• output
• master file changes
Controls over transaction data to ensure:
• validity
• accuracy
• completeness
17.2 GENERAL CONTROLS IN AN IT ENVIRONMENT
The management of an organisation is responsible for establishing the required control measures to
ensure that the IT system of the organisation is adequately protected and that the system meets
the required operational needs. The internal auditor should be able to identify these controls in any
IT environment and evaluate the impact of the general controls on the overall business of the
organisation.
General controls are controls that establish an overall framework of control for all IT systems
activities. They span all applications. A weakness in a general control could therefore affect
numerous applications. Ensure that you are able to identify applications that could be affected.
General controls comprise all the policies and procedures, both manual and computerised, which
govern the environment within which an organisation’s IT systems are developed, maintained and
operated, and within which the application controls operate.
Programmed controls are those controls that the IT system will automatically perform. In contrast,
IT controls are both programmed and user controls.
Also note that IT controls include both general and application controls.
Programmed controls are controls enclosed in application programs and are therefore performed
by the system. They could include edit and validation checks.
User controls are controls that are manually performed by users. They include reviewing of reports,
performing certain reconciliations and the authorisation of documents and transactions, etc.
In the following table the difference between manual and programmed controls is explained.
Manual/programmed controls | Examples of general controls
Manual controls (can never be programmed) | Organisational and management controls: staff practices (rotation of staff; enforced annual leave, etc)
Programmed controls (can only be programmed) | Access controls over programs: passwords to gain access to operating systems
Combination of manual and programmed controls (can be either, depending on the client’s system) | System development and implementation controls: project authorisation
In order to rely on application controls, there have to be effective and efficient general controls.
General controls should thus be tested before the application controls can be tested.
REFLECTION
Revisit your undergraduate studies and ensure that you are very familiar with the nature,
purpose and application of general controls. Also ensure that you can discuss and apply
your knowledge regarding general controls to practical scenarios.
STUDY
• Performing Internal Audit Engagements (2017), par 2.3
• Assurance: An Audit Perspective (2018), par 8.2
Well-known models to use during the evaluation of general controls are the following:
COBIT (Control objectives for information and related technology) resources can be
used as a source of best practice guidance. COBIT is intended for use by business and IT
management, as well as IT auditors. Therefore, its usage facilitates and enables the
understanding of business objectives and communication of best practices and
recommendations, around a commonly understood and well-respected standard
reference (you can access this model at: www.isaca.org).
COBIT includes the following:
• Control objectives: high-level and detailed generic statements of minimum good control
• Control practices: practical rationales and how-to-implement guidance for the control
objectives
• Audit guidelines: guidance for each control area on how to obtain an understanding, evaluate
each control, assess compliance and substantiate the risk of controls not being met
• Management guidelines: guidance on how to assess and improve IT process performance,
using maturity models, metrics and critical success factors
Full details of the ISACA IS Auditing Standards, Guidelines and Procedures for Auditing
and Control Professionals can be found at www.isaca.org.
Other standards and frameworks relating to IT auditing, which you should be aware of,
are the following:
• Business continuity management –
http://www.continuitysa.co.za/news-room/articles/business-continuitymanagement.html
• ISO (International Organisation for Standardisation) standards related to IT auditing
(information security, governance, etc) –
http://www.iso.org/iso/products/standards/catalogue_ics_browse.htm?ICS1=37&ICS2=100&ICS3=99&
• King IV – corporate governance (with specific reference to chapter 5) –
http://www.corporategovernance.co.za/index.php?option=com_content&view=article&id=95&Itemid=92
• ITIL (IT Infrastructure Library) – www.isaca.org
You need to study these frameworks thoroughly in order to deepen your knowledge of general
controls and the evaluation thereof. Visit the websites and make a short summary of the most
important aspects that relate to the frameworks. Also refer to your undergraduate studies, where
possible.
17.3 EVALUATION OF APPLICATION CONTROLS
By this time, you should have a thorough understanding of the following terms and definitions:
Applications are programs that perform the business functions required of the system. They
operate under the direct control of the operating system but may contain many powerful control
elements themselves.
Application programmes are sets of procedures and programmes designed for performing specific
tasks and functions relating to inventory, salaries, sales, etc.
Application controls are controls over input, processing, output of information and master file
amendment controls relating to a specific application (e.g. payroll cycle), to ensure that such
information is valid, accurate and complete. Application controls relate to specific tasks performed
by computerised information systems. Their function is to provide reasonable assurance that the
initiation, recording, processing and reporting of data are properly performed.
Application controls are categorised as “input”, “processing”, “output” and “master file
maintenance” controls. Application controls relate primarily to the validity, accuracy and
completeness of data within a specific application in an organisation.
REFLECTION
If you have any uncertainty regarding the theory and principles of application controls,
you should revisit your undergraduate studies and ensure that you study application
controls in detail. Also ensure that you can discuss and apply your knowledge regarding
application controls to practical scenarios.
Application controls are normally divided into the following categories:
• Input controls – These controls are used mainly to verify the integrity of data entered into a
business application, whether the data is entered directly by staff, remotely by a business
partner, or through a web-enabled application or interface. Data input is checked to ensure
that it remains within specified parameters.
• Processing controls – These controls provide an automated means to ensure processing is
complete, accurate, and authorised.
• Output controls – These controls address what is done with the data and should compare
output results with the intended result by comparing the output against the input.
• Master file maintenance controls – These are controls relating to changes made to the master
files where standing data is stored (e.g. client names, contact numbers, addresses).
Common examples of application controls are the following:
▪ data edits
▪ separation of business functions (transaction initiation versus authorisation)
▪ balancing of processing totals
▪ input validation
▪ transaction logging
▪ error reporting/exception reports
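As an added example that is not part of the study guide or of the sources it cites, the Python routine below implements the application controls just listed for a simplified sales-capture application: data edits and input validation on each record, a sequence check for completeness, balancing of processing totals (record count, amount total and a hash total of customer numbers) against the batch header, a transaction log, and an exception report for supervisory review. The field names, the customer and product master data, the amount limit, the batch date and the sample batch are all constructed assumptions for the illustration.

```python
# Added example (not the study guide's or its sources' code): batch input for a
# simplified sales-capture application. Field names, limits, the master files
# and the sample batch are assumptions made for the illustration.
import re
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal, InvalidOperation

# Assumed standing data (master files) that the input edits validate against.
CUSTOMER_MASTER = {"10101", "10102", "10103", "10104", "10105"}
VALID_PRODUCTS = {"CD", "DVD", "ACCESSORY"}
AMOUNT_LIMIT = Decimal("5000.00")  # assumed limit check for one transaction
BATCH_DATE = date(2019, 3, 4)      # transactions dated after this are unreasonable


@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)    # records that passed every edit
    exceptions: list = field(default_factory=list)  # (txn_id, reason) pairs
    log: list = field(default_factory=list)         # transaction log, one entry per record
    totals: dict = field(default_factory=dict)      # control totals over accepted records
    balanced: bool = False                          # True only if totals agree with the header


def edit_checks(txn):
    """Input validation (data edits): the reasons a record fails; empty means accepted."""
    reasons = []
    if not re.fullmatch(r"S\d{4}", txn.get("txn_id", "")):
        reasons.append("format check: transaction number must be 'S' plus four digits")
    cust = txn.get("customer_no", "")
    if not re.fullmatch(r"\d{5}", cust):
        reasons.append("alphanumeric check: customer number must be five digits")
    elif cust not in CUSTOMER_MASTER:
        reasons.append("validity check: customer number not on the master file")
    try:
        if date.fromisoformat(txn.get("date", "")) > BATCH_DATE:
            reasons.append("reasonableness check: transaction dated after the batch date")
    except ValueError:
        reasons.append("validity check: not a valid calendar date")
    try:
        amount = Decimal(txn.get("amount", ""))
        if amount <= 0:
            reasons.append("sign check: amount must be positive")
        elif amount > AMOUNT_LIMIT:
            reasons.append("limit check: amount exceeds %s" % AMOUNT_LIMIT)
    except InvalidOperation:
        reasons.append("numeric check: amount is not a number")
    if txn.get("product") not in VALID_PRODUCTS:
        reasons.append("validity check: product code not on the valid list")
    return reasons


def process_batch(header, transactions):
    """Edits and logs every record, balances control totals to the batch header
    (the clerk's record count, amount total and hash total) and collects exceptions."""
    result = BatchResult()
    prev_no = None
    for seq, txn in enumerate(transactions, start=1):
        reasons = edit_checks(txn)
        # Sequence check (completeness): numbers must run consecutively.
        m = re.fullmatch(r"S(\d{4})", txn.get("txn_id", ""))
        if m:
            no = int(m.group(1))
            if prev_no is not None and no != prev_no + 1:
                reasons.append("sequence check: expected S%04d" % (prev_no + 1))
            prev_no = no
        status = "REJECTED" if reasons else "ACCEPTED"
        result.log.append({"seq": seq, "txn_id": txn.get("txn_id"), "status": status, "reasons": reasons})
        if reasons:
            result.exceptions.extend((txn.get("txn_id"), r) for r in reasons)
        else:
            result.accepted.append(txn)
    # Balancing of processing totals. The hash total of customer numbers has no
    # business meaning; it catches lost, duplicated or altered records that the
    # amount total alone would not reveal.
    result.totals = {
        "record_count": len(result.accepted),
        "amount_total": sum(Decimal(t["amount"]) for t in result.accepted),
        "hash_total_customer": sum(int(t["customer_no"]) for t in result.accepted),
    }
    for key, value in result.totals.items():
        if value != header[key]:
            result.exceptions.append(("BATCH", "control total %s: header %s, processed %s" % (key, header[key], value)))
    result.balanced = all(result.totals[k] == header[k] for k in result.totals)
    return result


def exception_report(result):
    """Exception report lines for supervisory review (the output control in the text)."""
    return ["%s: %s" % (txn_id, reason) for txn_id, reason in result.exceptions]


# Constructed sample batch: S0003 was keyed with a letter in the customer number,
# S0004 with a non-existent month and S0005 with an unknown product code. The
# header holds the clerk's totals for the five intended records.
SAMPLE_HEADER = {"record_count": 5, "amount_total": Decimal("1850.00"), "hash_total_customer": 50515}
SAMPLE_TRANSACTIONS = [
    {"txn_id": "S0001", "customer_no": "10101", "date": "2019-03-04", "amount": "450.00", "product": "CD"},
    {"txn_id": "S0002", "customer_no": "10102", "date": "2019-03-04", "amount": "1200.00", "product": "DVD"},
    {"txn_id": "S0003", "customer_no": "1010X", "date": "2019-03-04", "amount": "100.00", "product": "CD"},
    {"txn_id": "S0004", "customer_no": "10104", "date": "2019-13-04", "amount": "50.00", "product": "DVD"},
    {"txn_id": "S0005", "customer_no": "10105", "date": "2019-03-04", "amount": "50.00", "product": "TAPE"},
]

if __name__ == "__main__":
    res = process_batch(SAMPLE_HEADER, SAMPLE_TRANSACTIONS)
    print("accepted %d of %d, balanced: %s" % (len(res.accepted), len(SAMPLE_TRANSACTIONS), res.balanced))
    for line in exception_report(res):
        print(line)
```

Run as a script, the sample batch accepts two of the five records and reports six exceptions: one per rejected record and one per control total that no longer agrees with the header. The design point for an auditor is the separation of the roles: the edits reject individual records, the control totals prove that the batch as a whole is complete and unaltered, the log leaves an audit trail of every record whether accepted or not, and the exception report is the document a supervisor with no data-entry duties signs off before the batch is released.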
STUDY
• Performing Internal Audit Engagements (2017), par 2.4
• Assurance: An Audit Perspective (2018), par 8.3
• GTAG 8 - Auditing Application Controls
ACTIVITY 37
You are in charge of the audit of Musicmix (Pty) Ltd, a company that wholesales CDs,
DVDs and related products from its premises in Johannesburg. Recently your firm’s IT
audit division completed a general control review at Musicmix (Pty) Ltd and submitted
its reports to you. The following points, inter alia, were raised in the report:
1. The company has a centralised data processing department linked to terminals in each of the other departments, e.g. warehouse, debtors, marketing, etc. The "computer room" in which the central processing unit and related equipment are located is situated in a secure part of the head office. Earlier in the year some damage was caused to equipment in the computer room when heavy rain came through a window which had been left open overnight. The operator had opened the window during the day to improve ventilation.
2. Access to the computer room is restricted after working hours by a steel gate and the activation of an electronic surveillance system by the last person leaving the room at the end of the day.
3. About six months ago an expensive data storage device was damaged when a member of Musicmix (Pty) Ltd's computer club spilled a soft drink on the device. As a result, a fair amount of backed-up data was lost and processing was disrupted for some time. Nobody knew how to resolve the problem. Restructuring of the data had to be carried out from source documentation kept in the user department. Wes Hall, the IT manager, explained that the company's computer club has access to the computer room after hours to do "whatever computer fanatics do".
REQUIRED
a) Distinguish between general and application controls in a computerised
environment.
b) State the recommendations you would make to improve the general controls at
Musicmix (Pty) Ltd, based on the information given above. Justify your
recommendation.
AUI4863/SG
FEEDBACK
a) General and application controls
General controls are those that establish an overall framework of control for IT system activities. They are controls that should be in place before any processing of transactions gets under way.
Application controls are controls that are specific to a particular task within an IT system, such as the wage (application) cycle or the purchases (application) cycle.
For example: controls over the physical security of the computer equipment would be a general control, while the controls over the addition of an employee to the wage master file would be an application control.
b) Recommendations to improve the general controls at Musicmix (Pty) Ltd
1. I would recommend that the physical security of the computer equipment be improved as follows:
All doors, other than the main access point, and all windows should be sealed. Justification – This will minimise the risk of unauthorised entry and protect against natural and environmental hazards.
The air conditioning in the computer room should be checked and, where necessary, improved. Justification – The operator's having to open a window to improve ventilation suggests that the air conditioning is ineffective. Effective air conditioning will be even more essential once windows and doors are sealed.
Access to the computer room should be restricted at all times, not only after working hours. Justification – The intention of limiting access to the computer facility is to protect the equipment and data from damage, destruction and abuse at all times. Since damage can occur at any time, and very quickly, physically restricting entry only after working hours is a totally inadequate control.
Members of the computer club should not be granted access to the computer room; access should be granted only to those employees who need to be in the computer room to fulfil their functions. Justification – Restricting access reduces the risk of damage to or destruction of computer equipment. In particular, allowing "computer fanatics" uncontrolled access could lead to breaches of confidentiality, the introduction of viruses, as well as destruction/manipulation of data.
A standard operating control must be introduced, namely that no eating or drinking is to take place in the computer room. Justification – As has been illustrated, serious damage to expensive computer equipment can be caused by spilt food or drink, resulting in expensive repairs and loss of data.
2. Controls over continuity of operations should be improved as follows:
A disaster recovery plan should be put in place, listing the procedures to be carried out in the event of a disaster. This plan should be widely and readily available. Justification – Clearly there is no disaster recovery plan in place; nobody knew "how to resolve the problem" and "processing was disrupted for some time". A proper disaster recovery plan minimises disruption.
Improved back-up strategies need to be put in place; three generations of backups (grandfather, father and son) should be stored off-site/away from the computer facility. Justification – It is likely that back-ups are not made according to the three-generation principle, as "restructuring had to be carried out from source documentation held in the user departments". Proper back-up strategies facilitate the prompt and accurate reconstruction of data.
3. Management should be informed of the importance of a strong control environment and a management philosophy and operating style that communicates and enforces the importance of internal control. Justification – The evidence suggests that management (including the IT manager) is not particularly concerned about potential breaches of security, confidentiality issues or protection of the company's assets, both physical and non-physical.
ACTIVITY 38
List the programmed application controls for sales to ensure the completeness and
validity of processing and output.
FEEDBACK
Revenue and receipts cycle

                                          Validity          Completeness   Accuracy
                                          (authorisation)
Processing – programmed controls only     √                 √              X
Output – programmed controls only         √                 √              X

√ – should be addressed in this question
X – not relevant to this question
No manual input controls or output controls would have earned you marks, since they are not programmed controls. Only if the question does not specify either programmed or user controls could your solution contain both.
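The programmed controls listed under "common examples of application controls" in this learning unit (data edits, input validation, balancing of processing totals, transaction logging and exception reporting) and asked for in Activity 38 for sales, worked through as an added example in Python. This code is not part of the study guide or its prescribed texts. The invoice layout, the customer and product master files, the credit limits, the batch header and the sample batch are all constructed assumptions.

```python
"""Programmed application controls over a batch of sales invoices.

Added example, not taken from the study guide: it applies input data edits,
processing control totals and an output reconciliation with an exception
report to a constructed batch of sales invoices. Field names, limits,
master-file contents and the sample batch are all assumptions.
"""
from dataclasses import dataclass
from decimal import Decimal
import re

# Constructed standing data: the master files the input edits check against.
CREDIT_LIMITS = {"C001": Decimal("50000"), "C002": Decimal("10000"), "C003": Decimal("250")}
PRICE_LIST = {"P100": Decimal("19.99"), "P200": Decimal("120.00")}
INVOICE_RE = re.compile(r"^INV(\d{6})$")   # assumed invoice number format


@dataclass(frozen=True)
class Invoice:
    number: str
    customer: str
    product: str
    quantity: int
    unit_price: Decimal
    authorised_by: str          # empty string = no authorisation recorded

    @property
    def amount(self) -> Decimal:
        return self.unit_price * self.quantity


def invoice_seq(number: str):
    """Numeric part of a well-formed invoice number, or None."""
    m = INVOICE_RE.match(number)
    return int(m.group(1)) if m else None


def input_edits(inv: Invoice, seen: set) -> list:
    """Input controls: format, duplicate, master-file existence, price, range,
    limit and authorisation checks. Returns the list of edit failures."""
    errors = []
    if invoice_seq(inv.number) is None:
        errors.append("invoice number format")
    elif inv.number in seen:
        errors.append("duplicate invoice number")
    if inv.customer not in CREDIT_LIMITS:
        errors.append("customer not on master file")        # validity
    if inv.product not in PRICE_LIST:
        errors.append("product not on master file")
    elif inv.unit_price != PRICE_LIST[inv.product]:
        errors.append("price differs from price list")      # accuracy
    if not 1 <= inv.quantity <= 1000:
        errors.append("quantity outside 1-1000")           # range check
    if inv.customer in CREDIT_LIMITS and inv.amount > CREDIT_LIMITS[inv.customer]:
        errors.append("exceeds credit limit")               # limit check
    if not inv.authorised_by:
        errors.append("no authorisation")                   # validity
    return errors


def sequence_gaps(numbers: list) -> list:
    """Completeness: invoice numbers missing from the numeric sequence."""
    seqs = sorted({s for s in map(invoice_seq, numbers) if s is not None})
    if not seqs:
        return []
    present = set(seqs)
    return [f"INV{i:06d}" for i in range(seqs[0], seqs[-1] + 1) if i not in present]


def process_batch(invoices: list, header: dict) -> dict:
    """Run the input edits, balance control totals against the batch header
    prepared by the user department, and reconcile the output."""
    seen, accepted, exceptions, log = set(), [], [], []
    posted = rejected = Decimal("0")
    for inv in invoices:
        errors = input_edits(inv, seen)
        seen.add(inv.number)
        if errors:
            exceptions.append((inv.number, errors))
            rejected += inv.amount
            log.append(f"REJECT {inv.number} {inv.amount} {'; '.join(errors)}")
        else:
            accepted.append(inv.number)
            posted += inv.amount
            log.append(f"POST   {inv.number} {inv.customer} {inv.amount}")
    # Processing controls: totals recomputed from the input records and compared
    # with the header totals the sales department keeps outside the IT function.
    computed = {
        "count": len(invoices),
        "value": sum((i.amount for i in invoices), Decimal("0")),
        "hash": sum(s for s in map(invoice_seq, (i.number for i in invoices)) if s is not None),
    }
    return {
        "accepted": accepted,
        "exceptions": exceptions,            # output control: exception report
        "missing": sequence_gaps([i.number for i in invoices]),
        "header_agrees": computed == header,
        "computed": computed,
        "posted_total": posted,
        "output_reconciles": posted + rejected == computed["value"],
        "log": log,                          # transaction log / audit trail
    }


# Constructed sample batch: two clean invoices, one over the credit limit, one
# with a wrong price and no authorisation, one duplicate number for an unknown
# customer; INV000104 is absent from the sequence.
SAMPLE_BATCH = [
    Invoice("INV000101", "C001", "P200", 10, Decimal("120.00"), "jsmith"),
    Invoice("INV000102", "C002", "P100", 5, Decimal("19.99"), "jsmith"),
    Invoice("INV000103", "C003", "P200", 3, Decimal("120.00"), "jsmith"),
    Invoice("INV000105", "C001", "P100", 2, Decimal("18.00"), ""),
    Invoice("INV000102", "C999", "P100", 1, Decimal("19.99"), "mlee"),
]
# Batch header as the sales department would prepare it (constructed).
SAMPLE_HEADER = {"count": 5, "value": Decimal("1715.94"), "hash": 513}


def run_sample() -> dict:
    return process_batch(SAMPLE_BATCH, SAMPLE_HEADER)


if __name__ == "__main__":
    result = run_sample()
    print("\n".join(result["log"]))
    print("header agrees:", result["header_agrees"], "missing:", result["missing"])
```

Read against the Activity 38 table: the authorisation, master-file and duplicate checks address validity; the header control totals (record count, financial total, hash total of invoice numbers) and the sequence gap check address completeness; the price-list comparison and range check address accuracy. The header totals are deliberately prepared outside the IT function, which is what the reconciliation procedures in Activity 39 (items 6 and 7) test. Note that the batch balances to its header even though three records are rejected: balancing alone proves that nothing was lost between the user department and the computer, not that every record is valid, which is why the exception report and the posted-plus-rejected reconciliation are separate controls.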
17.4 INTERNAL CONTROL SYSTEMS IN COMPUTER ENVIRONMENTS AND THE EVALUATION OF SUCH SYSTEMS
The evaluation of internal control systems, implemented to control the enormously complex
computerised information systems that support the creation, accumulation, processing,
management, communication and protection of information, is one of the first steps the auditor
needs to take towards rendering audit assurance. In order to evaluate these internal control
systems, the auditor needs to understand the complex and different environments that can be used
for computerised information systems. For this learning unit, you should research the different
computer information system (CIS) environments and the unique control needs of each
environment. Also take note of the way in which the auditor can evaluate such internal control
systems. The internal auditor must, however, obtain an understanding of the control measures in
operation in a CIS environment before he or she can evaluate these control measures.
STUDY
• Performing Internal Audit Engagements (2017), Chapter 2
• GTAG 1 - Information Technology Risk and Controls, 2nd Edition
ACTIVITY 39
What engagement procedures could be performed if an auditor plans to assess a low
level of control risk on the segregation of IT and user functions?
FEEDBACK
The following engagement procedures could be included in the audit programme to
assess a low level of control risk on the segregation of IT and user functions. There might
be more engagement procedures than those mentioned below and/or not all of the
factors mentioned below might be applicable to an entity.
1. Perform a review of the organisational charts for the position of the IT function
within the entity.
2. Perform a review of the job descriptions of the IT and user staff members who are
involved in the handling of exceptions. This review should be performed to ascertain
the proper segregation of duties.
3. Observe the actual operations, which might include preparation, inspection and
distribution of exception reports. It is important to take note of the degree to which
management is involved in the investigation of items on these exception reports.
4. Hold discussions with IT management and operating staff members in order to
determine the degree and value of management supervision.
5. Review management reports, studies or evaluations on the exception handling
process.
6. Review reconciliations of control totals maintained outside the IT department with
the totals that result from computer processing.
7. Test these reconciliations to ensure that they are performed accurately.
Controls in an IT environment are categorised as either general or application controls
and may be either manual or programmed. General controls are those that establish the
overall framework of control for IT activities, whereas application controls are controls
over the input, processing and output of data and master file changes.
In order to be able to evaluate internal controls, identify possible weaknesses and make
recommendations for improvements to internal control systems, internal auditors
require a thorough knowledge of and extensive insight into control activities.
NOTES
Make your own notes here:
Learning unit 18
Auditing advanced and newly developed IT systems
Contents
18.1 INTRODUCTION
18.2 ADVANCED IT SYSTEMS
18.3 SYSTEM DEVELOPMENT
18.4 WHAT IS THE INTERNAL AUDITOR'S ROLE IN SYSTEM DEVELOPMENT?
18.5 CONTROLS RELATING TO SYSTEM DEVELOPMENT AND IMPLEMENTATION
18.6 AUDITING SYSTEM DEVELOPMENT AND IMPLEMENTATION
18.7 CONTROL CONCERNS ASSOCIATED WITH ADVANCED IT ENVIRONMENTS
18.8 AUDITING ADVANCED IT ENVIRONMENTS
18.9 CONTROLS OVER PURCHASED PACKAGES
18.1 INTRODUCTION
Given the fact that you are a postgraduate internal auditing student, you should have a good
understanding of the fundamental operational activities, transaction flows and controls that
constitute a transaction processing cycle as it pertains to manual and IT environments. This
learning unit will describe how transaction processing is affected by the utilisation of advanced or
complex computer technology and how internal auditors should go about conducting audits of
advanced and newly developed IT systems.
REFLECTION
The control concepts dealt with during your undergraduate studies will be expanded on
significantly here. It is therefore imperative that you update your general knowledge of
information technology auditing and control considerations to include the latest
available technology. In order to keep abreast of the latest developments in information
technology control aspects, you need to read extensively. You can access the most
recent information on the webpage of the Information Systems Audit and Control
Association (ISACA) by going to www.isaca.org.
In this learning unit we will cover the following aspects regarding IT systems:
• advanced IT systems
• systems development
• the internal auditor's role in systems development
• controls relating to IT systems development
• auditing systems development and implementation processes
18.2 ADVANCED IT SYSTEMS
www.webopedia.com defines Enterprise Resource Planning (ERP) as business process
management software that allows an organization to use a system of integrated applications to
manage the business and automate many back-office functions related to technology, services
and human resources.
ERP software typically integrates all facets of an operation — including product planning,
development, manufacturing, sales and marketing — in a single database, application and user
interface.
INTERNET SOURCE
Visit: https://www.wirc-icai.org/material/7-An-Overview-Enterprise-ResourcePlanning%20_ERP_.pdf for an overview of ERP.
Most IT departments manage their organisation's enterprise resource planning (ERP) systems in three primary areas of responsibility, namely
• operations
• systems development
• technical support
Management and other stakeholders have specific requirements and expectations of the
information technology department in these areas.
The auditing of advanced IT systems and applications forms part of information
management and usage monitoring. In order to monitor the efficiency and effectiveness
of IT systems and applications, management has to set measurement criteria such as
evaluating service level performance against service level agreements, quality of service,
availability, response time, security and controls, processing integrity, and privacy. The
analysis, evaluation and design information, together with data and application
architecture, are used as tools by the auditor.
Integrated systems such as SAP and Oracle are used for enterprise resource planning
(ERP). These systems span departmental and organisational boundaries and although
there are many benefits for the organisation from these integrated systems, there may
be resistance to the implementation and use of such systems if users fail to see the
benefits. It is therefore necessary to implement appropriate service level agreements
and system quality expectations after all stakeholders have been consulted.
STUDY
• Assurance: An Audit Perspective (2018), Chapter 7
• Performing Internal Audit Engagements (2017), par 2.5
18.3 SYSTEM DEVELOPMENT
Systems development and implementation controls relate to both IT systems developed in-house
and IT packages purchased externally from vendors.
What is system development? System development refers to the development of a new computer
system for the entity and, therefore, it has to do with a significant change in the
IT system. Systems development is divided into systems developed in-house (for which external
consultants may be used) and packages purchased externally.
A system developed in-house is not available off-the-shelf and cannot be purchased from a vendor.
It is customised to enable the entity to meet its individual needs. In contrast, an example of a
purchased package is when a company goes to a vendor and buys an IT accounting system such as
SAP in order to accommodate its accounting functions.
When a new system is developed, the following aspects of the IT system will normally change considerably:
• hardware
• software
• personnel procedures
• documentation relating to the system
• controls
An example of this is a company that has a manual system for purchasing its inventory and plans to
computerise this function. Implementing a computerised IT system is a system development
exercise. The company will have to decide whether it is more feasible to develop a system in-house
or to purchase a package externally.
What are the risks (potential problems) associated with system development? When new IT
systems are developed, the process might be chaotic and haphazard. This could lead to
inadequate system development procedures and documentation and many problems for both the
auditor and the entity.
STUDY
• Performing Internal Audit Engagements (2017), par 2.3.4
18.4 WHAT IS THE INTERNAL AUDITOR'S ROLE IN SYSTEM DEVELOPMENT?
From the auditor’s point of view, the development, implementation and documentation of a
system are crucial stages at which to emphasise control. Application controls should preferably be
built into the system before it becomes operational. It should be reliable from the start.
Even though most entities do not involve their internal auditors in the system development
process, there is general agreement that such involvement would help to ensure that systems are
implemented appropriately and that the application controls built into the system operate
effectively.
18.5 CONTROLS RELATING TO SYSTEM DEVELOPMENT AND
IMPLEMENTATION
Systems developed in-house
A system developed in-house could be developed either by employees of the company (those with
the relevant knowledge and expertise) or it might involve the use of external consultants. Such a
system caters specifically for the needs of the company as it is custom-made for the entity and is
therefore not available as an off-the-shelf package.
The control objective would be to implement adequate controls, which are designed to ensure that
the new system is authorised, designed, developed and implemented effectively, in order to meet
the needs of the users.
The following table reflects the different stages of the system development process and the
controls that should exist in terms of systems developed in-house:
CONTROLS OVER SYSTEMS DEVELOPED IN-HOUSE

Systems development methodology
Systems development methodology requires that the development process be broken down into various small tasks. The following are important aspects of this methodology:
• A formalised, structured methodology should be followed.
• Roles and responsibilities should be clearly laid out and adhered to.
• The methodology should be kept up to date with current developments.
• Deviations from the methodology and standards should be strictly monitored and followed up by management.

Project authorisation/approval
The following are key controls over project authorisation/approval:
• A system development plan should be developed in accordance with the business's strategic plan. System development might originate from users' needs or as a result of strategic plans.
  - The scope of each new project should be clearly defined before any work is carried out.
  - The user department should be actively involved in the requirements and authorisation of any new systems.
  - Team assignments must involve skilled and experienced staff members.
  - Each phase of the project should be appropriately authorised by the relevant persons before commencement of the next phase.
• All system developments should be the result of specific user or management requests (these can result from user, technical, audit and other specifications).
• A steering committee should be responsible for conducting a feasibility study. This committee should also give its approval prior to the commencement of the project.
• A feasibility study should be carried out and should generate conclusions (proposals) on the following matters:
  - whether the system should be developed in-house or purchased externally, or whether the entire project should be rejected
  - evaluation and consideration of any alternative courses of action in order to arrive at the best solution
  - consideration of technological feasibility
  - the cost versus benefit of the required hardware, software, operating costs, staff expertise, etc.
  - the income or benefits that might arise from the implementation of the system(s)
  - identification, evaluation and quantification of all relevant risks of the recommended projects
  - any other recommendations relating to the system development
• The project should be authorised only after the users' needs have been analysed (system analysis).

Project management
• Establishing a project team (consisting of appropriate IT and user personnel and management) is one of the responsibilities of the steering committee. The project team's main task is to manage the project.
• Tasks should be aligned with planned development stages.
• Responsibilities should be allocated for each task. These responsibilities should be allocated to appropriate staff members and could include defining the tasks of systems analysts and programmers:
  - Analysts are responsible for designing a new system or changing the existing system.
  - Programmers are responsible for writing new programs or making the actual changes to existing ones.
• Each specific task and stage of the project should have a predetermined deadline and time schedule.
• Progress should be monitored closely and regularly and any deviations from the planned time schedule should be identified and investigated.
• The project team should submit regular progress reports to the steering committee.
• A formal documented plan of action should also be submitted to the steering committee (including the deadlines, time schedule, etc).

User requirements/needs
• It is crucial that the users' needs be assessed by the analyst. Their requirements relating to the input, output, processing, procedures, etc should be clearly identified and documented.
• The requirements of the internal and external auditors should also be considered (e.g. the auditors might expect certain documents, such as audit trails, and might also expect certain controls).
• The managers of the user departments should give their written approval for the requirements.

Purchasing the hardware and software
• Quotations should be obtained for the hardware that will be used in the system. These quotes should be assessed for suitability of the hardware as well as the costs thereof.
• Should the software be developed or bought? Quotations in this regard should also be obtained. Will the hardware be able to accommodate the chosen software?
• Will the purchase be a lease or a purchase (cash/credit) agreement? Consideration should also be given to the tax implications.

Standards, system specifications and programming
• The system specifications and programming should be documented clearly and concisely.
• Predetermined programming standards should be applied in the development of each phase and any non-compliance should be identified and investigated.
• Programmers should not develop in the live environment (they should not have access to the live environment), but only in the development environment.

Testing
• Programs and systems should be tested meticulously before they are installed or used.
• Program coding should be tested by the programmers (e.g. using test data).
• The overall system should also be tested by system and program analysts.
• Output by the system should also be tested by management, users and auditors in order to ensure that it meets their requirements.

Final approval
• The results of the above-mentioned testing should be reviewed by all those involved to establish whether all the required changes have been made.
• Management, users and IT staff should then give their final approval for the implementation of the new system.

Training of users
• Staff members who will be using the new system should be adequately trained in this respect. For this purpose, a detailed programme should be set up, including training dates and times.
• The user procedure manuals should be updated regularly and clear job descriptions should be compiled/updated.

System documentation
Clear system documents should be maintained (e.g. documentation with regard to system descriptions).

Backups
All programs must be properly backed up and stored in an off-site location.

Conversion
When transferring data and information from the old system to the new system, it is imperative that the data and information be accurate, complete and valid.
• The conversion must be properly planned. This includes a detailed plan with the dates, time frames and conversion methods (e.g. parallel processing, immediate shutdown of the old system, conversion of the entire system at one time, or phasing one system out and the new system in).
• The conversion process must be treated as an entire project on its own.
• Data and files should be prepared for conversion. Files on the old system should be balanced prior to conversion (e.g. control totals and other controls used to ensure that data are valid, accurate and complete). Data on the old system should be checked and discrepancies followed up immediately. The data should be authorised by the appropriate senior staff members before conversion. Staff should be thoroughly trained on the new system and the premises should be prepared (e.g. there should not be power interruptions).
• The conversion process should be supervised (by relevant senior personnel), and the internal and/or external auditors should preferably be present.
• The system should be tested after conversion. This can be done through control totals (testing the balances on the old system against those on the new system), performing file comparisons, using output (printouts) from the new system and comparing it to source data on the old system, following up on exception reports (through programmed checks), obtaining approval from the users (giving it their "thumbs up"), confirming data with third parties, if applicable, etc.
• All system descriptions, flow charts, manuals, etc should be updated immediately.
• Backups should be made of the new system and files.

Post-implementation review
• A post-implementation review should be conducted to determine whether all the needs and requirements (of the users, auditors, management and IT staff) are met by the new system, and whether the system is operating as intended.
• This review should be conducted in order to determine whether the development and implementation have been a success, and to address any problems.
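The conversion controls in the table above (balancing the old file to control totals before conversion, then testing control totals and performing file comparisons afterwards), worked through as an added example in Python. This is not code from the study guide or its sources. The legacy CSV layout, the new system's field names, the field mapping, the ledger control figures and every record are constructed for illustration.

```python
"""Balancing and reconciling a converted data file.

Added example, not taken from the study guide: it balances a legacy
debtors file against a control total before conversion and compares it
with the new system's file afterwards, using record counts, financial
and hash totals and a record-by-record comparison. The file layouts,
field mapping and all sample data are constructed for illustration.
"""
import csv
import io
from decimal import Decimal

# Constructed extract of the old system's debtors file.
OLD_SYSTEM_CSV = """acct,name,balance
D1001,Acme Traders,1500.00
D1002,Bravo Stores,-250.00
D1003,Cape Music,980.50
D1004,Delta Sounds,0.00
"""

# Constructed export from the new system after conversion. Fields are renamed;
# D1004 was dropped, D1005 appeared and the balance of D1003 changed.
NEW_SYSTEM_RECORDS = [
    {"customer_id": "D1001", "customer_name": "Acme Traders", "amount_due": "1500.00"},
    {"customer_id": "D1002", "customer_name": "Bravo Stores", "amount_due": "-250.00"},
    {"customer_id": "D1003", "customer_name": "Cape Music", "amount_due": "890.50"},
    {"customer_id": "D1005", "customer_name": "Echo Vinyl", "amount_due": "75.00"},
]
FIELD_MAP = {"customer_id": "acct", "customer_name": "name", "amount_due": "balance"}

# Control totals held outside IT (e.g. the debtors control account), constructed.
LEDGER_CONTROL = {"count": 4, "balance": Decimal("2230.50")}


def load_old(text: str) -> dict:
    """Parse the legacy extract into {account: {name, balance}}."""
    return {
        row["acct"]: {"name": row["name"], "balance": Decimal(row["balance"])}
        for row in csv.DictReader(io.StringIO(text))
    }


def load_new(records: list) -> dict:
    """Map the new system's field names onto the old layout so the two compare."""
    out = {}
    for rec in records:
        mapped = {FIELD_MAP[k]: v for k, v in rec.items()}
        out[mapped["acct"]] = {"name": mapped["name"], "balance": Decimal(mapped["balance"])}
    return out


def control_totals(records: dict) -> dict:
    """Record count, financial total and a hash total over the account numbers."""
    return {
        "count": len(records),
        "balance": sum((r["balance"] for r in records.values()), Decimal("0")),
        "hash": sum(int(acct.lstrip("D")) for acct in records),
    }


def balance_before_conversion(records: dict, expected: dict) -> dict:
    """Balance the old file to the control totals kept outside IT."""
    totals = control_totals(records)
    diffs = {k: (totals[k], v) for k, v in expected.items() if totals[k] != v}
    return {"agrees": not diffs, "differences": diffs}


def reconcile(old: dict, new: dict) -> dict:
    """Post-conversion check: control totals plus a record-level comparison."""
    old_t, new_t = control_totals(old), control_totals(new)
    missing = sorted(set(old) - set(new))                 # lost in conversion
    extra = sorted(set(new) - set(old))                   # not in the source
    changed = {}
    for acct in sorted(set(old) & set(new)):
        diffs = {f: (old[acct][f], new[acct][f]) for f in old[acct] if old[acct][f] != new[acct][f]}
        if diffs:
            changed[acct] = diffs
    return {
        "old_totals": old_t, "new_totals": new_t,
        "totals_agree": old_t == new_t,
        "missing": missing, "extra": extra, "changed": changed,
        "clean": not (missing or extra or changed),
    }


def exception_report(result: dict) -> list:
    """One line per discrepancy, for follow-up by the user department."""
    lines = [f"MISSING {a}" for a in result["missing"]]
    lines += [f"EXTRA   {a}" for a in result["extra"]]
    for acct, diffs in result["changed"].items():
        for field, (before, after) in diffs.items():
            lines.append(f"CHANGED {acct} {field}: {before} -> {after}")
    return lines


if __name__ == "__main__":
    old = load_old(OLD_SYSTEM_CSV)
    print("pre-conversion balance:", balance_before_conversion(old, LEDGER_CONTROL))
    result = reconcile(old, load_new(NEW_SYSTEM_RECORDS))
    print("totals agree:", result["totals_agree"], "clean:", result["clean"])
    print("\n".join(exception_report(result)))
```

The sample is built so that the record count agrees on both sides even though one account was lost and another appeared; a count alone would pass the conversion. The financial and hash totals do disagree, but they only say that something is wrong, not which records, so the record-level comparison is what produces the exception report the users must clear before the new system is approved. The same file comparison is what an auditor examines when reviewing the programs used to compare output files in pilot and parallel tests (see the engagement procedures in 18.6).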
Purchased packages
Another term for purchased packages is off-the-shelf packages. This simply means that the IT
system is available not only to you, but to anyone willing to buy it. This purchased IT system is
unfortunately not custom-made for the entity and it is often impossible to adapt it to individual
needs. The entity and the user have very limited control over the specifications, development,
testing and design of the system. It is therefore important to look for a package that suits most of
the needs so that it requires few, if any, changes.
The following table reflects the different stages of the process of purchasing a package and the
controls that should exist in this regard:
CONTROLS OVER PURCHASED PACKAGES

Performing a feasibility study
• A feasibility study should be carried out, bearing the following in mind:
  - The requirements of the users (employees, management, auditors and IT staff) should be identified.
  - Available packages' specifications and requirements should be identified.
  - The costs relating to the purchase of the new system, as well as other operating costs (e.g. maintenance costs), should be identified.
  - The availability of maintenance and technical support from the supplier should be considered.
• Consideration must be given to the adaptability of the new system to changes in the business, industry, etc.
• The financial standing and reputation of the supplier should be assessed: if the supplier is experiencing financial difficulties, the entity should probably not do business with him/her.
• Enquiries should be made of other users of the package (who have already purchased the same product and have been using it for some time). Obtain general information from them, such as the frequency of errors experienced, the speed of the system, its effectiveness and ease of use.
• An arrangement could be made with the supplier to test the system before it is implemented.

Authorisation/approval
Management, users, IT staff, etc have to approve the package before it is purchased. This approval is based on the results obtained from the above feasibility study.

Implementation
Refer to the notes under "Conversion" in the previous table (Controls over systems developed in-house) for the controls over implementation of the new system.
18.6 AUDITING SYSTEM DEVELOPMENT AND IMPLEMENTATION
The following engagement procedures can be performed by the auditor in relation to the various
stages of the system development and implementation process (please note that these are only
examples and that any other valid procedures can also be considered, depending on the entity and
the IT system).
The following engagement procedures, as referred to in Watne and Turney, Auditing EDP systems
(1984), can be performed:
ENGAGEMENT PROCEDURES
If the auditors plan to assess control risk at a low level on the systems development process, their
audit program should include one or more of the following:
• Review the systems development standards manual to determine the existence of policy and
guidelines. Evaluate the thoroughness and comprehensiveness of the standards and be sure that
the standards are updated on a regular basis.
• Select applications from those under development and from those in operation. Review the
related systems development documentation to determine whether the standards are being met.
• Interview management, systems development and user personnel regarding the adequacy of
systems development standards.
If the auditors plan to assess control risk at a low level on programming conventions and procedures
as an internal control, procedures to obtain an understanding of the internal control structure and
engagement procedures should include the following:
• Review the programming standards section of the systems and procedures manual to determine whether standards are reasonably comprehensive.
• Examine the selected flowcharts, decision tables and coding sheets to verify that standard programming conventions and procedures are being followed.
If the auditors plan to assess control risk at a low level on participation by the user, accounting and
audit personnel, then procedures to obtain an understanding of the internal control structure and
engagement procedures should include one or more of the following:
• Interview representatives of the user and accounting departments for evidence of the level of their participation in the systems development process.
• Review appropriate documents and related approvals for evidence that the user and accounting departments have an adequate understanding of system inputs, processing procedures, controls and system outputs.
If the auditors plan to assess control risk at a low level on technical, management, user and auditor
review and approval, they will perform procedures to obtain an understanding of the internal control
structure and engagement procedures using one or more of the following:
• Review the section of the systems development standards manual that covers review and approval requirements.
• Interview technical staff, management and users to determine the process of review and approval.
• For selected applications developed during the accounting period, review technical and output documentation for written evidence of approval by technical supervisors, management and users.
If the auditors plan to assess risk at a low level on the control of system testing, they will need to
review new systems that were developed and implemented during the accounting period, as well as
the written standards for system testing. Procedures to obtain an understanding of the internal control
structure and engagement procedures of the standards and of one or more of the new systems should
include the following:
• Review standards for system testing for comprehensiveness.
• Interview internal audit and user staff to determine the extent of their involvement in testing.
• Review test data and the resulting output for selected new systems to determine whether testing
is reasonably comprehensive.
• Review the results of program and string tests (tests applied to programs, but instead of being
applied to a single program, they are applied to a string of logically related programs), including
flowcharts and logic analyses, to ensure that such tests are thorough and comprehensive.
• Review the results of system tests of valid and invalid transactions to ensure that the system as a
whole is being tested adequately.
• Review the procedures for reconciling output produced during the pilot (processing of an actual
period's transactions on an after-the-fact basis) and parallel testing (where the old and new
systems are run in parallel, with subsequent comparison of the output from both systems).
• Examine programs used to compare output files in pilot and parallel tests.
• Examine reconciliations for selected tests to determine whether discrepancies were corrected by
systems personnel.
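The kind of comparison program the last three procedures above refer to, shown as an added example that is not from the study guide: the output files of the old and the new system for the same period are reconciled first on control totals and then record by record, so that discrepancies can be referred to systems personnel. The CSV layout, the key field and the sample records are constructed assumptions.

```python
"""Parallel-run output comparison for a systems-conversion audit.

Added example for this study guide, not code from the guide itself. The old
and the new system process the same period's transactions; their output
files are reconciled on control totals and then record by record. The CSV
layout, the key field and the sample records are constructed assumptions.
"""
import csv
import io
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed output of the OLD system for one accounting period.
OLD_SYSTEM_OUTPUT = """\
txn_id,account,amount,vat
1001,ACC-01,1000.00,150.00
1002,ACC-02,250.50,37.58
1003,ACC-03,75.00,11.25
1004,ACC-01,480.00,72.00
"""

# Constructed output of the NEW system for the same transactions. Seeded
# defects: VAT rounding differs on 1002, 1003 is missing, 1005 is spurious.
NEW_SYSTEM_OUTPUT = """\
txn_id,account,amount,vat
1001,ACC-01,1000.00,150.00
1002,ACC-02,250.50,37.57
1004,ACC-01,480.00,72.00
1005,ACC-09,10.00,1.50
"""

KEY_FIELD = "txn_id"
MONEY_FIELDS = ("amount", "vat")


@dataclass
class ComparisonResult:
    matched: int = 0
    missing_in_new: list = field(default_factory=list)  # keys only in old output
    extra_in_new: list = field(default_factory=list)    # keys only in new output
    differences: list = field(default_factory=list)     # (key, field, old, new)

    @property
    def reconciled(self) -> bool:
        """True only when every record agrees field by field."""
        return not (self.missing_in_new or self.extra_in_new or self.differences)


def load_records(text: str) -> dict:
    """Parse one output file into {key: row}. A duplicate key is a defect in
    the output itself and is reported rather than silently overwritten."""
    records = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = row[KEY_FIELD]
        if key in records:
            raise ValueError(f"duplicate {KEY_FIELD} {key} in output file")
        records[key] = row
    return records


def control_totals(text: str) -> tuple:
    """Record count and total amount: the batch-level check done first, which
    can agree (here on the count) while individual records still differ."""
    records = load_records(text)
    total = sum((Decimal(r["amount"]) for r in records.values()), Decimal("0"))
    return len(records), total


def values_differ(name: str, old_value: str, new_value: str) -> bool:
    """Money fields are compared as exact decimals, everything else as text."""
    if name in MONEY_FIELDS:
        return Decimal(old_value) != Decimal(new_value)
    return old_value != new_value


def compare_outputs(old_text: str, new_text: str) -> ComparisonResult:
    """Record-by-record comparison keyed on the transaction id, reporting
    missing, extra and differing records for follow-up by systems personnel."""
    old, new = load_records(old_text), load_records(new_text)
    result = ComparisonResult()
    for key in sorted(old.keys() | new.keys()):
        if key not in new:
            result.missing_in_new.append(key)
        elif key not in old:
            result.extra_in_new.append(key)
        else:
            diffs = [(key, f, old[key][f], new[key][f]) for f in old[key]
                     if f != KEY_FIELD and values_differ(f, old[key][f], new[key][f])]
            if diffs:
                result.differences.extend(diffs)
            else:
                result.matched += 1
    return result


if __name__ == "__main__":
    for label, text in (("old", OLD_SYSTEM_OUTPUT), ("new", NEW_SYSTEM_OUTPUT)):
        count, total = control_totals(text)
        print(f"{label} system: {count} records, total amount {total}")
    res = compare_outputs(OLD_SYSTEM_OUTPUT, NEW_SYSTEM_OUTPUT)
    print(f"matched={res.matched} missing={res.missing_in_new} "
          f"extra={res.extra_in_new} differences={res.differences}")
    print("reconciled" if res.reconciled else "DISCREPANCIES: refer to systems personnel")
```

Note that the record counts of both files agree (4 and 4) while the record-level comparison does not, which is why the auditor reviews the comparison program rather than relying on control totals alone.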
If the auditors plan to assess risk at a low level on final approval as a general control, they should
perform either or both of the following:
• Review evidence of the approval of new applications by management, users and IT personnel.
Evidence may include signatures on system documentation, minutes of meetings, letters or
reports demonstrating approval.
• Interview management, users and IT personnel involved in the final approval process, inquiring
about their understanding of the system and their satisfaction with its specifications.
If the auditors plan to assess risk at a low level on conversion control as a general control, they should
perform the following:
• Review plans for controlling the conversion from one system to another to determine whether
they are sufficient to ensure that data on the new files are accurate and complete.
• Examine documentation for evidence of file conversion approval.
• Evaluate the procedures used to reconcile the original and new files.
• Review or observe the use of record comparisons and confirmation requests.
If the auditors plan to assess risk at a low level on the general control of post-implementation review,
the procedures to obtain an understanding of the internal control structure and engagement
procedures should include the following:
• Examine discrepancy reports for evidence of appropriate correction of errors.
• Test the conversion by tracing record data from the original files to the new files and also from the
new files to the original files.
• Review internal audit working papers for conclusions on the operation of system control and on
the effectiveness of the systems development process.
• Interview systems development staff, users and management to determine their views on the
effectiveness of controls in the system.
• Review the final report of the post-implementation review committee.
18.7 CONTROL CONCERNS ASSOCIATED WITH ADVANCED IT ENVIRONMENTS
Depending on the complexity of the system, control procedures and designs in an information
technology environment can vary from basic to very sophisticated. A less sophisticated computer
environment will generally provide complete audit trails which, together with exception reports,
allow for control to be exercised manually (i.e. checking or reconciling data generated by the
computer system with externally held data). Advanced computer systems, on the other hand,
require more complex controls owing to the absence of audit trails. Advanced computer systems
could display some or all of the following characteristics:
• absence of input source documents
• authorisation of input controlled by the computer, e.g. passwords
• online data input
• real-time update
• a single transaction updating multiple files
• extensive use of automated controls to ensure completeness, accuracy and validity of input and
processing
• application controls not evidenced by output from the computer
• absence of management or audit trails
• programs that automatically generate material transactions or entries directly to another
program
• programs that perform complicated computations of financial information and/or automatically
generate material transactions or entries that may not be validated independently
• transactions that are exchanged electronically between two or more organisations
• computer systems with little or no manual review
18.8 AUDITING ADVANCED IT ENVIRONMENTS
Advanced IT environments are having a substantial impact on the work of the internal auditor.
Although the audits of advanced IT systems have to be performed in compliance with the IPPF, the
auditor has to adjust his or her audit approach for advanced IT environments. The auditor should
perform a preliminary evaluation of the system of internal control and then study and evaluate it.
The auditor also has to collect sufficient audit evidence to form a basis for an opinion. The results of
the engagement procedures should be considered when determining the reliability of the internal controls.
Advanced auditing techniques are used to audit computer programs and data files. These auditing
techniques include the use of test data, for example by means of entering test transactions through
an online terminal device or by using audit software. During the audit of an advanced system, the
use of a computer as an audit aid becomes very prominent. It has therefore become common
practice for auditors to make use of computer-assisted auditing techniques (CAATs) in these
advanced computer environments. A broad discussion of this topic is included in the next learning
unit.
ACTIVITY 40
What are the risks that might occur if the systems development exercise is not
carefully planned and controlled?
FEEDBACK
It is crucial that the system development exercise be carefully planned and controlled.
If not, the following risks might occur:
• System development is a costly exercise. If it is not carefully planned and
controlled, costs might get out of control. This could potentially put the company
under severe financial constraint.
• The new system might be susceptible to inaccurate or incomplete recordkeeping,
for example the programs might contain errors.
• Unacceptable or inaccurate accounting policies might be incorporated into the
system, or important accounting policies might not be incorporated at all. The
system developers (e.g. programmers) might not understand the accounting
policies and might implement them incorrectly.
• The new system might not accommodate the needs of the users. The users might
require certain functions that the new system is not able to perform.
• When transferring information from the old system to the new system,
information might be lost, duplicated or transferred with errors.
• The new system might not have sufficient controls over access to information and
the integrity of data.
• If the new system is very complex, users might find the system useless if no one
knows how to operate it.
• In extreme cases, system deficiencies could result in temporary or even
permanent business interruption.
• The ability to commit fraud might be deliberately or accidentally designed into
the system during the development thereof.
18.9 CONTROLS OVER PURCHASED PACKAGES
Another term for purchased packages is off-the-shelf packages. This simply means that the IT
system is available not only to you, but to anyone willing to buy it. This purchased IT system is
unfortunately not custom-made for the entity and it is often impossible to adapt it to individual
needs. The entity and the user have very limited control over the specifications, development,
testing and design of the system. It is therefore important to look for a package that suits most of
the needs so that it requires few, if any, changes.
The following table reflects the different stages of the process of purchasing a package and the
controls that should exist in this regard:
ACTIVITY 41
You are a team member engaged on the external audit of Client Ltd, a manufacturer and
supplier of specialised equipment. You are completing interim audit work at the
company for the financial year ending 30 April 2011.
Information about the business
Client Ltd maintains a substantial inventory of the component parts that it uses for
product assembly. Some of these components have significant value. The products are
assembled on a just-in-time basis. Component inventory is kept in a secure centralised
warehouse and is distributed to manufacturing facilities to meet production
requirements as and when customer orders are received. You are satisfied that there are
sound physical security measures in place to prevent unauthorised personnel and
vehicles from gaining access to the warehouse. Management has established policies
and procedures for storing and handling of inventory, which have been communicated to
warehouse employees.
The purchasing, goods receiving, inventory custody, sales and accounting functions of
Client Ltd are segregated.
Client Ltd has outsourced its distribution services to a third-party supplier, Distribution
Ltd. This includes the shipping of component inventory from the warehouse to the
manufacturing facilities. The requirements for service delivery are specified in a written
service level agreement, which covers responsibilities, price and insurance.
Description of internal controls for inventories
Client Ltd makes use of a batch input batch processing inventory management system
and all data capturing from source documents takes place in the computer centre. You
are satisfied that the staff involved in the receiving, custody and delivery of inventory are
competent, adequately supervised and provide evidence that they have followed control
procedures (e.g. signing of documentation as evidence of their work).
The management of Client Ltd has confirmed that the following key controls are in
place over the inventory receiving, custody and delivery functions at the warehouse,
and that these have not changed since the previous year.
Goods receiving area (receipt of components from suppliers into the warehouse)
1. Copies of purchase orders are filed in delivery date order, which ensures that
receiving department personnel are made aware of all expected deliveries.
2. Staff in the receiving department prepare goods received notes on which they
record the supplier, date received, and the actual quantity and condition of each
item received.
3. Goods received notes are matched (specification and quantity) with purchase orders
by the staff in the receiving department. Differences identified between goods
received and goods ordered are reported to the purchasing department and
management.
Inventory custody area (storage of components in the warehouse)
4. Inventory is subject to periodic physical counts and resultant adjustments
(quantities and amounts) are reviewed and approved by an appropriate official.
These inventory counts are undertaken in a systematic manner, using pre-numbered
count sheets which are completed in ink and signed by the counter on completion.
Dispatch area (dispatch of components from the warehouse to the manufacturing
facility)
5. Customer order documents are pre-numbered and missing documents are
investigated on a timely basis.
6. The specification and quantity of components transferred to the dispatch area are
compared with an authorised customer order and related delivery documents prior
to loading.
7. Delivery documents (including bills of lading) are signed by the delivery personnel of
Distribution Ltd to confirm acceptance of quantities shipped to production.
Maintenance of standing data
8. Changes made to inventory master files are approved, prior to input, by an
appropriate official. Pre-printed sequence numbers are used on standing data input
forms and checks are performed to ensure that all numbers are accounted for.
Draft report on information technology (IT) general controls
The following is an extract from the draft report prepared by your firm’s IT audit
specialists following their review and testing of IT general controls of Client Ltd. The
extract summarises weaknesses identified during the review.
Weakness 1
Description of weakness: During our inspection of signed authorisation forms supporting a
sample of transfers of program changes from development into production (drawn from the
log of program changes), we could not locate five such forms. These forms relate to program
changes implemented during the year to the salaries and wages system.
Recommendation: Written authorisations should be maintained on file for all transfers of
program code from development into production.
Management comment: There is a documented process requiring written authorisation for the
implementation of all program changes. These forms have obviously been misfiled and we will
endeavour to locate these for audit inspection.
Weakness 2
Description of weakness: The log of changes to access rights on all application systems is
deleted after six weeks. No back-up is maintained for future reference.
Recommendation: A back-up copy of the log of changes to access rights should be maintained
in accordance with the standard document retention policies of the company.
Management comment: This log is deleted on a rolling basis once entries are six weeks old in
order to free up server capacity. Hard-copy user requests for access changes are maintained
on file and are available for inspection.
Weakness 3
Description of weakness: Some of the personnel working on the IT support help desk do not
have adequate formal qualifications or experience to be effective in their role. The purpose of
the help desk is to support users in resolving queries about key applications.
Recommendation: Personnel working on the help desk should undergo additional training in
new applications.
Management comment: Recruitment of appropriate support personnel is the responsibility of
human resources. We will reassess the competency requirements and determine whether
further training is necessary.
REQUIRED
(a) Identify and state the internal controls listed above that address the existence of
inventory. For each such control, describe the control objective (i.e. how the control
supports the existence assertion) and additional information (if any) you would
require from Client Ltd management to enable you to assess whether the control
has been appropriately designed to prevent or detect and correct misstatements
relating to the existence of inventory.
• You should present your answer in table format.
• Ignore the possible effect of the weaknesses in the IT general controls
identified in the draft report.
(b) Describe the audit risks arising from the control weaknesses identified by your IT
audit specialists during the interim audit and state the appropriate audit response to
each risk. You are not required to formulate audit procedures.
FEEDBACK
Part (a)
Internal controls implemented over existence of inventory and additional information
required to assess whether the control has been appropriately designed:
For each control: the internal control implemented over existence of inventory, the control
objective (how the control supports the existence assertion) and the additional information
required to assess appropriateness of design.
1. Internal control: Component inventory is kept in a secure centralised warehouse / access to
the warehouse is controlled.
Control objective: Inventory is safeguarded against unauthorised removal.
Additional information required:
• What special precautions are taken to safeguard small high-value component inventory
which can be easily concealed?
• Are logs of physical access maintained and reviewed in order to detect unusual activity?
2. Internal control: Goods received notes (GRNs) are prepared by staff in the receiving
department; these notes identify the supplier and the actual quantity and condition of each
item received.
Control objective: Goods received notes are prepared based on goods actually received at the
warehouse.
Additional information required:
• How diligently are the goods received counted?
• What controls ensure that only valid goods received notes are recorded in the inventory
management system (i.e. are there sound batch controls in place over these GRNs)?
• How is inventory physically safeguarded in transit between receiving and custody?
• Does the warehouse staff compare the quantities received with the details recorded on the
GRNs?
• Are adequate controls in place over unused stationery (i.e. GRNs/delivery documents)?
3. Internal control: Inventory is subject to periodic physical counts and such counts are
undertaken in a systematic manner.
Control objective: Recorded inventory is physically checked for existence and/or to detect
differences between physical inventory and recorded inventory.
Additional information required:
• Is the team performing the cyclical counts independent of the custody function?
• What is the extent of coverage of these cyclical counts?
• Are discrepancies identified during inventory counts appropriately investigated?
• Is an appropriately documented inventory count plan available prior to the count, outlining
the systematic procedures?
• Is the movement of inventory controlled during the count?
• Is there additional focus on counting the small high-value items?
• Are count sheets properly controlled after the count but before the input of adjustments
(if any) to the inventory records?
4. Internal control: Adjustments resulting from the periodic physical counts are reviewed and
approved by an appropriate official.
Control objective: Unauthorised adjustments cannot be made to conceal shortages.
Additional information required:
• Having reviewed the adjustments, is appropriate remedial action taken?
• What controls are in place to ensure that the recording of valid adjustments is complete
and accurate?
• Does the review of adjustments include a full re-count of inventory items with identified
differences?
• Is the person who performs this control independent of the custody function, and how is it
evidenced?
5. Internal control: The specification and quantity of products retrieved from custody are
compared with an authorised sales order and related delivery documents prior to loading.
Control objective: Inventory is removed from custody only in terms of an approved sale
transaction (i.e. the theft of inventory is prevented).
Additional information required:
• Are the delivery documents used for the comparison sequentially numbered (and
subsequently sequence checked) to facilitate the completeness of recording?
6. Internal control: Delivery documents (including bills of lading) are signed by carriers,
indicating acceptance of quantities delivered.
Control objective: The quantities per the delivery documents are subject to an
external/independent check.
Additional information required:
• What happens if the quantities on the delivery documents differ from the quantities
accepted?
• Are adequate controls in place over unused stationery (i.e. GRNs and delivery documents)?
7. Internal control: Missing customer order documents are investigated on a timely basis.
Control objective: Missing customer orders may indicate an unrecorded physical movement in
inventory.
Additional information required:
• Is there a pattern to the missing documents (especially since the last physical count)?
8. Internal control: Management has established policies and procedures for storing and
handling of inventory, including segregation of incompatible duties, which have been
communicated to warehouse employees.
Control objective: A sound control environment, including the segregation of incompatible
duties, reduces the risk of inventory loss.
Additional information required:
• Are employees aware of the policies and procedures?
• Are there any close relationships between employees performing incompatible functions?
9. Internal control: Data is input using a batch input batch update inventory management
system and all data capturing from source documents takes place in the computer centre.
Control objective: Quantities recorded in the inventory management system are accurate.
Additional information required:
• Are batch listings agreed and/or reconciled with pre-prepared batch totals?
10. Internal control: The internal audit function of Client Ltd conducts surprise visits to the
warehouse to perform audit testing.
Control objective: Internal audit visits will assist in identifying fraud or theft of inventory.
Additional information required:
• Is the internal audit function competent?
• Is the internal audit function independent?
Part (b)
Description of the audit risk arising from the control weaknesses identified during the
interim audit and related audit response:
Computer audit findings: risk identified and audit response for each weakness.
Weakness 1
Risk identified:
• Unauthorised/invalid program changes may be made to the salaries and wages
system, which
– modify key application controls on which the external auditor intends to rely, or
– result in misstatements in salary and wages expense due to errors in program
logic relating to the processing of transactions with employees.
• The missing forms may indicate that the completeness of program changes is not
monitored.
Audit response:
• For those sampled program changes with missing authorisation forms, inspect evidence
of identity of programmer who made changes (and user acceptance testing prior to
implementation of the software).
• Use the services of your firm's computer audit specialists to review the program
logic of the five program changes lacking authorisation.
• Consider the need to extend the scope of year-end analytical procedures and tests of
detail which provide evidence about the "occurrence" and "accuracy" of salary and
wages assertions.
• If the signed authorised forms are subsequently found, inspect these forms
for the authorised signatories.
Weakness 2
Risk identified:
• Inappropriate logical access may have been assigned to users, increasing the risk of
employees performing incompatible functions, thereby weakening the control
environment.
• Invalid transactions and/or adjustments may be processed.
• Data integrity may be compromised.
Audit response:
• Test a sample throughout the year of compensating controls (if any) which give
evidence that user requests are appropriately authorised and completely and
accurately processed.
• Review a sample of hard-copy requests for changes to user access during the year to
determine whether the requests were appropriate (i.e. they did not undermine
segregation of duties).
• Review program change logs more frequently throughout the year (i.e. before
deletion).
• Consider the need to extend the scope of analytical procedures and tests of detail
that provide evidence about the "occurrence" and "existence" assertions.
Weakness 3
Risk identified:
• Users may not have been suitably trained to operate the system, resulting in the
incomplete or erroneous input of transactions and adjustments.
Audit response:
• Assess whether the edit/validation controls are appropriately designed to detect and
prevent the erroneous input of transactions and adjustments, and test their
operating effectiveness throughout the year.
• Extend substantive testing of affected financial statement items.
ACTIVITY 42
Indigenous Nursery (Pty) Ltd is a specialist nursery that sells only indigenous plants,
bulbs and seeds from their garden centre in Cape Town. Customers select the products
they want to buy from those available in the garden centre and pay at one of the
point-of-sale (POS) terminals at the centre. These sales are recorded directly via POS
terminals onto AccSoft, the company’s off-the-shelf accounting package.
After numerous requests from the public, management has decided to acquire a website
to enable other nurseries and customers not based in Cape Town to purchase their bulbs
and seeds over the internet.
Indigenous Nursery (Pty) Ltd entered into a contract with NetService, a third-party
internet service provider, to design, implement and maintain the website
www.indigenous.co.za on its behalf. Indigenous Nursery will remain responsible for the
site content and specifications. It has been agreed that Indigenous Nursery will e-mail
the website administrator of NetService any new products and price details as and when
required. All prices are given in South African rand and payments from customers are
only accepted in this currency. The internet payment facility has been outsourced to
PayFriend.
NetService will automatically e-mail the details of each internet sales transaction to
sales@indigenous.co.za as soon as PayFriend informs NetService electronically that a
customer’s payment has been successful. Every Friday morning, Tracy, one of the
cashiers, will capture these e-mails as sales orders into AccSoft’s sales order processing
module. The system will generate picking slips from the sales orders that have been
captured. The picking slips will trigger any one of the five sales assistants to pick the
items ordered, to tick off the picked items on the picking slip and to pack them securely
for delivery to the internet customers. The ticked picking slips will be sent to the sales
manager, who will convert each picking slip to a sales invoice on AccSoft.
The printed sales invoice, clearly showing the delivery address, will be inserted into a
plastic folder and taped to the package. An administrative assistant will post the
packages to the internet customers at the local post office every Monday morning. The
administrative assistant will then file the post office slips for future reference in case any
delivery complaints are received from customers.
Required:
(a) Identify the risks associated with the new internet sales system introduced by
Indigenous Nursery (Pty) Ltd. Consider all aspects of the sales system. For each risk
you have identified, provide a brief reason why you consider it to be a risk.
(b) Identify the controls that should be in place to ensure that all changes to the
internet product details and prices on Indigenous Nursery's website, as sent via
e-mail to the website administrator of NetService, are valid, accurate and complete.
FEEDBACK
(a)
Risks in proposed new internet sales of Indigenous Nursery:
1. Risk: Dependence on NetService, the internet service provider, otherwise sales might be
lost.
Reason/weakness: Indigenous Nursery's website has to be available 24 hours a day.
2. Risk: Dependence on PayFriend and their programmed controls, otherwise there will be
direct losses for payments not received.
Reason/weakness: Indigenous Nursery has no control over the collection of the payments.
3. Risk: Liability for losses suffered due to insufficient payment security.
Reason/weakness: This is a legal requirement, regardless of outsourcing: see Electronic
Communications and Transactions Act.
4. Risk: Legal risk in terms of site content and confidentiality of information.
Reason/weakness: This is a legal requirement, regardless of outsourcing, and Indigenous
Nursery agreed to remain responsible for site content and specifications.
5. Risk: Dependence on technology.
Reason/weakness: They need access to their e-mail to execute the internet sales.
6. Risk: Repudiation of transactions.
Reason/weakness: It is difficult to establish the identity of the customers over the internet.
7. Risk: Unauthorised changes to the contents of the website.
Reason/weakness: Changes to the website are based on e-mails only.
8. Risk: Risk of errors in the sales process.
Reason/weakness: Employees will be inexperienced in using the new sales process.
9. Risk: International laws may be broken.
Reason/weakness: Plant material may not be exported to restricted countries.
10. Risk: Late delivery of products, leading to cancellation of sales.
Reason/weakness: The internet orders are executed only once per week, after an extended
process.
11. Risk: Not all internet orders received are processed, leading to loss of reputation and
additional administration to return the payments already received.
Reason/weakness: There is no independent review to ensure completeness and/or
pre-numbered internet sales orders.
12. Risk: The cashier capturing the e-mails as sales orders might not capture the information
accurately.
Reason/weakness: This could lead to incorrect sales amounts (incorrect price and quantities)
being captured, which might affect sales.
13. Risk: There is no proof of delivery document on which the client must sign as proof of
acceptance.
Reason/weakness: If a person receives goods incorrectly and does not have to sign for them,
they will probably not send the goods back. This will lead to financial losses for the company.
14. Risk: Indigenous Nursery is unable to fulfil the internet orders received owing to a lack of
stock. (Again, this leads to a loss of reputation and additional administration to return the
payments already received.)
Reason/weakness: Availability of stock is not updated on the website by e-mail and/or the
website and accounting software is not integrated yet.
15. Risk: Delivery of the products to the wrong customer address.
Reason/weakness: The cashier will have to retype the customer details from the e-mails,
without independent review to ensure accuracy.
16. Risk: Delivery of the wrong product types and quantities.
Reason/weakness: The product details and quantities will have to be retyped by the cashier
from the e-mails, without independent review to ensure accuracy; in addition, nobody
compares the contents of the packages with the sales order before they are sealed.
17. Risk: Theft of products by the sales assistants.
Reason/weakness: The sales orders are not signed by the sales assistants to identify who is
responsible, and the packages are already sealed when handed to the sales manager.
18. Risk: Sales recorded on the wrong date (timing).
Reason/weakness: Sales are recognised when the invoice is prepared two days before postage.
19. Risk: The packages could be lost in the post.
Reason/weakness: The delivery address is only taped to the package and no return to sender
or contact information is included on the package.
20. Risk: Dependence on the postal service provider(s).
Reason/weakness: The postal service provider(s) will have to deliver goods promptly within
agreed time frames to ensure that the quality of bulbs and seeds is not affected.
21. Risk: Theft of products by the administrative assistant.
Reason/weakness: Insufficient segregation of duties, as the administrative assistant both posts
the packages and handles the customer complaints.
22. Risk: Payments are received by PayFriend, but not paid over to Indigenous Nursery.
Reason/weakness: There are no controls regarding reconciliation of the payments received
from PayFriend with the internet sales made.
(b) Controls to ensure changes to website products and prices via e-mail are valid,
accurate and complete:
Preparing and sending of the e-mail – Indigenous Nursery
The change request to NetService should
• be prepared by someone other than the authoriser, such as the administrative
assistant (segregation of duties)
• be prepared on an official change request form (which must be attached to an
official letterhead of Indigenous Nursery)
• have a sequential number
• contain standard layout and wording, clearly indicating the nature of the change
required (e.g. new product, change of product description, price change or remove
product)
• be signed by the sales manager as proof of authorisation
• be sent via one authorised terminal only and be protected by username and
password
• be in the form of an encrypted e-mail
If the change request was printed and signed, it should be scanned into a format such as
PDF, which does not allow changes to be made.
or
If the change request was signed electronically, it should be converted into an electronic
format that does not allow changes to be made (e.g. in PDF).
The change request (PDF file) should be e-mailed as an attachment by the sales manager
(it should not be returned to the preparer of the change request).
The e-mail should be sent to the e-mail address of the website administrator of
NetService, and the e-mail settings should require both a delivery and a read receipt.
The administrative assistant should be copied in all the e-mails between the sales
manager and the website administrator.
The original authorised change request (or a printout of the electronically signed change
request) should be filed in sequential order, together with a printout of the e-mail to the
website administrator.
Receiving the e-mail, updating the website details and general website security –
NetService
The website administrator should accept a change request only if it appears authentic,
which implies that
• it is on the official letterhead of Indigenous Nursery
• it follows in numerical sequence on the previous change request
• it contains the standard layout and wording
• it was signed by the sales manager of Indigenous Nursery
The website administrator should phone the sales manager of Indigenous Nursery if
anything seems suspicious, or if there are any missing sequential numbers for the change
requests.
The website administrator should make a screenshot of the details on the Indigenous
Nursery's website after the change and e-mail it back to the sales manager at Indigenous
Nursery.
Security controls at NetService should include the following:
• Strict access controls should prevent anyone other than the website administrator
from making changes to the website.
• A firewall should prevent unauthorised access to the web server of NetService.
• The system should regularly and automatically compare the actual website contents
with the stored images of the website to identify any possible unauthorised
changes.
• Available vulnerability assessment tools should be used to evaluate the security of
the web server of NetService.
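The automated comparison in the third control above can be implemented as a hash-based check of the live pages against the stored image, with the accepted change requests used to separate authorised from unauthorised differences. The following Python is an added example, not code from the study guide or from NetService; the page contents, the change-request register and the rule that one accepted request authorises one kind of change to one page are constructed assumptions.

```python
import hashlib

# Constructed sample data for this example (not the nursery's real website).
# The stored image of the website (the baseline), keyed by page path.
STORED_IMAGE = {
    "/products/aloe.html": "<h1>Aloe ferox</h1><p>Price: R45.00</p>",
    "/products/protea.html": "<h1>Protea cynaroides</h1><p>Price: R120.00</p>",
    "/products/spekboom.html": "<h1>Portulacaria afra</h1><p>Price: R30.00</p>",
    "/about.html": "<h1>About Indigenous Nursery</h1>",
}

# The pages as the web server serves them now. Note that /about.html is gone.
LIVE_SITE = {
    "/products/aloe.html": "<h1>Aloe ferox</h1><p>Price: R45.00</p>",
    "/products/protea.html": "<h1>Protea cynaroides</h1><p>Price: R135.00</p>",  # requested
    "/products/spekboom.html": "<h1>Portulacaria afra</h1><p>Price: R3.00</p>",  # not requested
    "/products/cycad.html": "<h1>Encephalartos</h1><p>Price: R950.00</p>",       # not requested
}

# Hypothetical register of change requests the website administrator accepted:
# path -> kind of change authorised ("added", "modified" or "removed").
APPROVED_CHANGES = {
    "/products/protea.html": "modified",  # e.g. change request 0042: price change
}


def fingerprint(pages):
    """Hash each page so the stored image can be kept as hashes, not full copies."""
    return {path: hashlib.sha256(body.encode("utf-8")).hexdigest()
            for path, body in pages.items()}


def compare(baseline_hashes, live_hashes):
    """Classify every path as added, removed or modified relative to the baseline."""
    changes = {}
    for path in set(baseline_hashes) | set(live_hashes):
        if path not in baseline_hashes:
            changes[path] = "added"
        elif path not in live_hashes:
            changes[path] = "removed"
        elif baseline_hashes[path] != live_hashes[path]:
            changes[path] = "modified"
    return changes


def unauthorised(changes, approved):
    """A change is authorised only if an accepted request exists for that path and kind."""
    return {path: kind for path, kind in changes.items() if approved.get(path) != kind}


def rebaseline(stored_image, live_site, approved):
    """Roll only the authorised changes into a new stored image; unauthorised ones stay out."""
    new_image = dict(stored_image)
    for path, kind in approved.items():
        if kind == "removed":
            new_image.pop(path, None)
        elif path in live_site:
            new_image[path] = live_site[path]
    return new_image


def run_check(stored_image, live_site, approved):
    """Return (all changes, unauthorised changes) for one scheduled comparison run."""
    changes = compare(fingerprint(stored_image), fingerprint(live_site))
    return changes, unauthorised(changes, approved)


if __name__ == "__main__":
    changes, suspect = run_check(STORED_IMAGE, LIVE_SITE, APPROVED_CHANGES)
    for path, kind in sorted(changes.items()):
        flag = "UNAUTHORISED" if path in suspect else "authorised"
        print(f"{kind:<9} {path:<28} {flag}")
```

Only the unauthorised differences need to be escalated to the sales manager; the authorised ones are rolled into the next stored image so the same change is not reported again.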
Receiving confirmation of the change – Indigenous Nursery
• The sales manager should print the screenshot received from NetService, match it with the filed change request and compare the details thereon.
• The sales manager should date and sign the printed screenshot as proof of comparing the details with the change request.
• Unmatched change requests should be followed up by the sales manager.
• There should be a register with all the change requests. This should be inspected/reviewed at least once a week by an independent manager at Indigenous Nursery.
• There should be a reconciliation between change requests and actual changes made.
• The sales manager should print the product and price details from the website of Indigenous Nursery regularly and compare them with the product and price details on AccSoft.
The auditing of advanced IT systems and applications forms part of information
management and usage monitoring. The analysis, evaluation and design of information,
together with the data and application architecture, are evaluated as tools for the auditor.
When a new system is developed, the internal auditor should preferably be involved in
the process from the start, as he/she can give valuable input.
SUMMARY
This topic discussed the auditing of advanced IT systems and explained the risks and
controls that relate to advanced IT systems and the formulation of an audit approach for
auditing advanced IT systems.
Learning unit 7.1 discussed the concept of IT controls. The management of an
organisation is responsible for establishing the required control measures to ensure that
the IT system of the organisation is adequately protected and that the system meets the
required operational needs. You as the internal auditor should be able to identify these
controls in any IT environment and evaluate the impact of the general and application
controls on the overall business of the organisation.
In this learning unit the concepts of general and application controls were discussed in
detail.
Learning unit 7.2 discussed auditing advanced and newly developed IT systems.
This learning unit described how transaction processing is affected by the utilisation of
advanced or complex computer technology and how internal auditors should go about
conducting audits of advanced and newly developed IT systems.
In this learning unit the following aspects regarding IT systems were discussed:
• advanced IT systems
• systems development
• the internal auditor’s role in systems development
• controls relating to IT systems development
• auditing systems development and implementation processes
Now that you have studied the learning units in this topic, are you able to do the
following?
• Understand the risks related to advanced IT systems and perform a risk analysis in a
given scenario.
• Explain and evaluate the controls relating to advanced IT systems.
• Develop an audit approach to evaluate advanced IT systems and applications.
TOPIC 7
Performing information technology-based audits
Contents
LEARNING UNIT 19: Auditing in an IT environment .......... 200
LEARNING UNIT 20: Computer assisted audit tools and techniques (CAATTs) .......... 211
LEARNING UNIT 21: Factors to be considered in the choice and use of audit software .......... 220
LEARNING UNIT 22: Corporate IT governance .......... 223
INTRODUCTION TO AND PURPOSE OF THE TOPIC
The use of information technology (IT) forms part of everyday life for most internal auditors – they
carry out and document their work using laptops and they are required, at the early stages of the
audit engagement, to obtain an understanding of their clients’ accounting and information
systems, most of which are computerised. (Jackson & Stent 2007:8/3)
The overall objective and scope of an audit engagement do not change in an information
technology (IT) environment. The use of a computer does, however, change the method of
recording information, and the processing, storage and communication of operational and
financial information. An IT environment is any environment where a computer, of any type or
size, is used in the processing of financial and other management information.
In this topic we will look at auditing in an IT environment, computer-assisted audit tools and
techniques (CAATTS) and audit software.
Computer-assisted audit techniques are exactly what the name says, i.e. making use of a
computer to assist the internal auditor in carrying out the audit engagement. Although there are
some extremely powerful and complex software packages available to assist in performing audits,
the concept is simple: wherever it is economical and efficient to do so, the power, speed and
versatility of the computer should be harnessed to assist with the audit engagement.
We will also provide a brief overview of corporate IT governance as good governance has become
very important in view of the global requirements for transparency and accountability in
organisational stewardship.
MULTIMEDIA
Please access the podcast on myUnisa to assist you in your studies of topic 8.
LEARNING OUTCOMES
After you have studied this topic, you should be able to
• understand and be proficient in the application of theoretical concepts underlying CAATTs in the context of an IT environment
• consider and adapt to all the factors relating to the application of CAATTs in the audit process
• explain and apply all aspects concerning an audit in the IT environment on an integrated level
• consider all the factors that should be taken into account when deciding on audit software
Learning unit 19
Auditing in an IT environment
Contents
19.1 INTRODUCTION .......... 200
19.2 THE EFFECT OF AN IT ENVIRONMENT ON THE AUDIT PROCESS .......... 201
19.3 APPROACH TO AUDITING IN AN IT ENVIRONMENT .......... 204
19.4 NATURE OF AUDIT EVIDENCE .......... 204
19.5 PERFORMING ENGAGEMENT PROCEDURES IN AN IT ENVIRONMENT .......... 205
19.6 PERFORMING SUBSTANTIVE TESTS IN AN IT ENVIRONMENT .......... 205
19.7 TIMING OF AUDIT PROCEDURES .......... 206
19.8 EXTENT OF AUDIT PROCEDURES .......... 206
19.1 INTRODUCTION
In today's business environment most audit clients use information systems to process financial and
management information. The use of information systems to process financial and other
information has an effect on an entity's accounting system and internal controls.
In this learning unit we will look at the effect of an IT environment on the audit process, including
the following concepts:
• Approach to auditing in an IT environment
• The nature of audit evidence
• Engagement procedures related to an IT environment
• Engagement procedures
An Information Technology (IT) environment influences the procedures followed by an auditor in
the following respects:
• It affects the engagement procedures that need to be carried out in order to obtain a sufficient understanding of the accounting and internal control system of an organisation.
• A computerised information system (CIS) environment influences the factors that should be considered in respect of the inherent and control risk of an organisation in order to reach a decision on the audit risk an auditor would be prepared to accept.
• It affects the design and performance of engagement procedures and substantive procedures in order to achieve the audit objectives.
REFLECTION
You were given a lot of exposure to IT auditing in your undergraduate studies. It is
important that you revise all the topics relating to the IT environment before you
continue with the rest of this learning unit.
STUDY
Performing Internal Audit Engagements (2017: par 2.1–2.5)
Ensure that you are familiar with all the concepts that relate to the IT environment.
19.2 THE EFFECT OF AN IT ENVIRONMENT ON THE AUDIT PROCESS
The main phases in the audit process are not different when auditing in an IT environment, but the
following activities will be affected:
• planning
• study and evaluation of information systems and internal controls
• performing engagement procedures (engagement procedure and substantive)
In practice the auditor will encounter different computer environments, which may include
mainframe computers, mini-computers and micro-computers.
The processing method within such environments could include:
• batch entry with batch processing/update
• on-line entry with batch processing/update
• on-line entry with real-time processing/update
The processing could involve distributed data processing or even the use of a computer service
bureau. Each of these processing methods affects the audit process in a different way. The
organisation's use of computer systems may offer the auditor the opportunity to improve the
efficiency and effectiveness of the audit through the use of appropriate computer-assisted audit
tools and techniques (CAATTs).
STUDY
• Internal Auditing: An Introduction (2017, par 7.10)
• GTAG 11 – Developing the IT Audit Plan
Take note of the changing role of the IT auditor as well the role in terms of controls.
MULTIMEDIA
View the Powerpoint presentation on myUnisa – GTAG 11 Developing the IT Audit Plan to assist you in your studies.
ACTIVITY 43
Part A
A retail company wishing to computerise their credit sales system might adopt one of
the following three data processing methods:
1.1 Batch input / batch processing
1.2 Online input / batch processing
1.3 Online / real time processing
You are required to outline the steps in the above methods of data processing for a
credit sales system indicating the files which would be created in the process. You are
NOT required to discuss controls within the systems.
Part B
Members of the public are often exposed to online real time computer systems, for
example when booking a seat on an airline or a ticket for a cinema through a call
centre. As these systems very often do not have source documents, specific control
techniques are required.
You are required to indicate the controls that should be implemented to ensure that
the person making the booking enters the correct information.
(Source: Dynamic Auditing)
FEEDBACK
PART A
1. Batch system – sales
1.1 Invoices are collected into distinct batches in the user department – e.g. sales invoices. (manual procedure)
1.2 Details from the invoices within the batch are keyed into the computer and stored on a "batch file" at a specific time and date.
1.3 The batch file would be validated and sorted into debtors’ master file record sequence (alphabetic debtors) to create a "sorted sales transaction file".
1.4 On a predetermined day (say, 25th each month) the existing debtors master file would be updated from the "sorted sales transaction file" to produce the current debtors master file.
2. Online capture/batch processing – sales
2.1 A sales order, for example taken over the telephone, would be keyed in via a terminal directly onto the "unsorted sales transaction file" (validation takes place at this time).
2.2 This file would be sorted into debtors’ master file record sequence to create the sorted sales "transaction file".
2.3 On a predetermined date, (say, 25th each month) the existing debtors master file would be updated from the sorted "sales transaction file" to produce the "current debtors master file".
3. Online/real time – sales
3.1 A sales order will be entered into the system via a terminal (validation takes place).
3.1.1 As entry takes place, the debtors master file (which will be right up to date) is immediately updated.
3.1.2 A transaction log indicating the time and date of each online entry should be created, but simultaneously with the master file update.
PART B
1. Online entry controls
1.1 Terminal operators should be adequately trained.
1.2 Terminal operators should confirm verbally with the customer each piece of information to be keyed into the terminal.
1.3 There should be computer-assisted procedures:
1.3.1 Screen formats should guide the operator in supplying the proper data in the proper location.
1.3.2 Computer dialogue. This permits the computer to instruct the terminal operator at each step in the data entry process. Until the necessary inputs are made, the process cannot continue. The computer will indicate what is required.
1.4 The application program should contain controls which prevent "impossible" bookings, e.g. an invalid seat number is entered.
19.3 APPROACH TO AUDITING IN AN IT ENVIRONMENT
The application of audit procedures in computerised environments will be influenced by the method
of data processing. The nature of the audit procedures, being engagement procedures and
substantive testing, does not change. However, the computer environment may affect the
following aspects of the audit process:
• nature of audit evidence
• procedures used to obtain the evidence
• timing of the procedures
• extent of the procedures
In performing these audit procedures, the auditor can use either manual auditing procedures,
CAATTs or a combination of both.
STUDY
• Assurance: An Audit Perspective (2018), Chapter 8
• Internal Auditing: An Introduction (2017), par 2.1.3 & 7.10
• Performing Internal Audit Engagements (2017), par 2.1.3, 2.2
19.4 NATURE OF AUDIT EVIDENCE
The principles relating to obtaining audit evidence do not change because the audit is being carried
out in an IT environment. In simple applications, the auditor may obtain sufficient audit evidence to
satisfy a particular objective relying solely on manual controls, for example reconciliation of input to
output. In advanced and more complex systems this may not be possible, e.g. due to the volume
and complexity of the information systems.
When auditing in an IT environment the auditor may be faced with one or a combination of the following conditions:
• the absence of input documents
• generation of accounting transactions by computer programs
• the lack of visible audit trails
The above conditions may preclude the auditor from examining documentary evidence and
manually tracing information through the computerised system, and alternative procedures to
obtain audit evidence may need to be adopted. In these situations, the effectiveness and efficiency
of audit procedures may be improved through the use of CAATTs in obtaining and evaluating
audit evidence.
19.5 PERFORMING ENGAGEMENT PROCEDURES IN AN IT ENVIRONMENT
The procedures involved in designing and performing the engagement procedure necessary to
ensure the effective operation of controls do not change in a computerised environment.
Having identified the nature of the control on which reliance is intended to be placed, the auditor
must design and perform an appropriate engagement procedure to ensure that the control has
been operating effectively.
Evidence must be obtained to support the effective operation of the control throughout the period
of intended reliance. The controls to be tested may be either manual controls or automated
controls. In the latter case the auditor may need to obtain evidence of the effective operation of
certain computer environment controls. In performing engagement procedures, the auditor will
align the audit tests to be performed with the following control objectives:
• Completeness. All transactions are recorded and no transactions are omitted (e.g. sequential numbering of source documents, where available, ensures that all transactions are recorded).
• Accuracy. All transactions are recorded at the correct quantity and prices (e.g. the computer matches delivery notes, order forms and master file information with the generated invoices to ensure that the correct quantities and prices are used).
• Validity. Recorded transactions have actually occurred and are supported by sufficient documentation and audit evidence (e.g. specific manual authorisation is required for overriding the system).
Please note that the control objective of validity should be formulated in terms of the management assertion of "occurrence".
19.6 PERFORMING SUBSTANTIVE TESTS IN AN IT ENVIRONMENT
When records and information are maintained by a computer, the objectives of the substantive
procedures and the relationship between the system of internal control and the substantive
procedures remain the same as for a non-computerised system. The opportunity to make use of
audit software to examine the data held on computer files can result in a more efficient and
effective substantive approach, even if CAATTs have not been used in performing engagement
procedures.
Owing to the particular features of computer processing, certain substantive procedures either
need to be modified or become unnecessary. For example, it may be easier to carry out more
effective cut-off tests in computer systems, particularly in batch systems. The principal requirement
is to identify the last processing run for sales, purchases and inventory movements in the period
being audited and to confirm, by reference to batches of input around that time, that the data were
captured in the correct period and that rejections were properly dealt with.
19.7 TIMING OF AUDIT PROCEDURES
The timing of audit procedures may be affected because data may not be retained in computer files
for a sufficient period of time to allow for auditing. The auditor may have to make specific
arrangements to have the data retained or copied.
Another consideration with respect to timing is that test data only provides evidence that the
automated control is operating at the time the check was performed. Additional evidence or
additional runs of the test data would be required to ensure the continued operation of the control
throughout the period under review.
19.8 EXTENT OF AUDIT PROCEDURES
As is the case when testing manual systems, it is not possible to prescribe hard and fast rules for
determining the extent of audit procedures. That remains a matter of judgement by the auditor in
the light of all relevant factors.
In computerised environments two general factors may justify a reduction in the extent of audit
procedures compared to manual systems:
• the increased information that can usually be obtained from other audit procedures based on improved account analysis for analytical review purposes
• where substantive procedures are carried out on data generated by automated controls (e.g. valuations of stock, depreciation calculations), considerable reductions can often be made in comparison to the levels of procedures carried out in manual systems
STUDY
• Performing Internal Audit Engagements (2017: par 2.1.3)
• Internal Auditing: An Introduction (2017: 7.10)
Ensure that you are familiar with all the terminology and concepts explained regarding
the IT audit process.
ACTIVITY 44
You are a senior internal auditor at Go Cars (Pty) Ltd, a motor spares outlet, which is
situated in an industrial complex in Durban. The outlet is very busy and is getting busier.
Go Cars (Pty) Ltd sells to other companies on credit and to the public. Due to the
upsurge in business, the directors are considering ways in which they can improve their
outdated computerised information system. One of the methods under consideration is
as follows:
The industrial complex in which Go Cars (Pty) Ltd is located, consists of 20 businesses
physically situated in the same building. One of the other occupants of the building is
Protec Ltd, a holding company in the industrial sector. Protec Ltd is responsible for the
data processing function of its group but for various reasons has found that its IT
resources are under-utilised. To fill this gap, Protec Ltd proposed to a number of the
businesses in the industrial complex that they enter into a contract whereby Protec Ltd
will capture various applications for those businesses. Protec Ltd has indicated that each
business will be linked by terminals to Protec Ltd’s IT system. The directors of Go Cars
(Pty) Ltd have arranged a meeting with the IT manager of Protec Ltd, to discuss this
proposal and have requested that you attend the meeting as they are not confident that
they are sufficiently knowledgeable to cover all matters which should be dealt with.
REQUIRED
a) Discuss in reasonable detail, the matters which should be covered in the meeting with the IT manager of Protec Ltd.
b) Discuss the procedure and/or controls which you would recommend being instituted if you were requested to assist in the conversion of their existing outdated systems to the new system to be run by Protec Ltd.
FEEDBACK
a) The following matters should be dealt with in the meeting with the IT manager of Protec Ltd.
1. Hardware
1.1 It should be established who will purchase, install and maintain the terminals (and the link) which will be located at Go Cars (Pty) Ltd.
1.2 Who will bear the cost and responsibility of insurance?
2. Staff training and support
2.1 Agreement must be reached on initial and ongoing training of Go Cars (Pty) Ltd personnel.
2.2 A help-line/liaison function should be provided to Go Cars (Pty) Ltd by Protec (Pty) Ltd.
3. Security arrangements
3.1 The security arrangements at Protec Ltd with regard to –
3.1.1 back up of company data files, reports, programs
3.1.2 confidentiality and integrity of Go Cars (Pty) Ltd data stored at Protec (Pty) Ltd must be discussed. In this regard, access controls are of major significance as Protec (Pty) Ltd plans to link a number of businesses to its computers using terminals (apart from links which it already has with the rest of the Protec group)
4. Applications and software
It must be established
4.1 which of Go Cars (Pty) Ltd's applications will be processed by Protec Ltd
4.2 whether they will be standard software packages (unlikely) or custom designed for Go Cars (Pty) Ltd
4.3 who will have ownership of the software
4.4 what procedures will be adopted for the maintenance (amending, updating) of software
4.5 what reports will be produced for management purposes e.g. exception reports
4.6 what enquiry facilities management and staff at Go Cars (Pty) Ltd would have and whether they will be able to print logs, reports etc as required
4.7 the controls over important matters such as amendments to master files
5. Fees and charges
The basis of charging must be agreed upon specifically in respect of
5.1 start-up costs and conversion to the computerised system
5.2 systems development/maintenance
5.3 processing of applications
5.4 stationery, e.g. supply of invoices, statements etc
5.5 escalation charges
6. Penalty clauses
6.1 Penalty clauses must be established for situations where Protec Ltd and Go Cars (Pty) Ltd fail to reach their respective responsibilities, especially with respect to deadlines and provision of accurate systems.
6.2 Turnaround times should be discussed.
7. Division of duties
7.1 The respective duties of Go Cars (Pty) Ltd and Protec Ltd should be established in respect of
• input, e.g. format
• transfer of output, e.g. payroll or debtors’ statements
• control over rejected data, and its resubmission procedures
8. Right of access
8.1 The right of access which Go Cars (Pty) Ltd personnel and particularly the internal auditors would have to Protec Ltd's computer installation, data files and records pertaining to Go Cars (Pty) Ltd, which are kept by Protec Ltd.
9. Methods of processing
9.1 Whilst it appears that input will be online it should be established how each application should be processed, i.e. either batch or real time.
9.2 For example, being a retailer for spares, it will be critical for Go Cars (Pty) Ltd to have real time processing of their inventory applications, (hundreds of inventory items, customers cannot be kept waiting at the counter whilst the sales person looks for the item and determines whether there is inventory). It must be available on screen.
10. The actual conversion
The following should be agreed upon:
10.1 the method of conversion e.g. run the old system in parallel with the new system, for a period
10.2 the respective responsibilities of Go Cars (Pty) Ltd and Protec Ltd
10.3 the commencement date
11. Back-up and recovery procedures
11.1 Go Cars (Pty) Ltd should be informed of the back-up and recovery procedures to be adopted by Protec Ltd and the role that Go Cars (Pty) Ltd may be obliged to play.
12. The terms of the contract
The following must be agreed upon:
12.1 the notice period
12.2 grounds for giving notice
13. The long-term future of the arrangement
13.1 This is very important. Protec Ltd has offered this service because they have underutilised computer resources. The permanency of this arrangement should be evaluated.
13.2 Protec Ltd should clarify what their intentions are when their business returns to normal, in relation to Protec Ltd's own processing and processing for other businesses, specifically that of Go Cars (Pty) Ltd.
13.3 Should Protec Ltd go insolvent, what warranties will come into play?
b) Conversion procedures/controls
I would:
1.1 Recommend forming a steering committee consisting of myself and suitable staff from Protec Ltd and Go Cars (Pty) Ltd and recognising the conversion as a project to which management principles must be applied.
1.2 With the help of the committee
1.2.1 decide upon the most efficient method of conversion, e.g. run systems in parallel for a period
1.2.2 develop a detailed conversion plan
1.2.3 decide upon the order of converting the various applications
1.2.4 allocate responsibilities for different aspects of the conversion to specific appropriate personnel ensuring adequate segregation of duties
1.2.5 set deadlines for completion of each stage and each task and monitor progress in this regard
1.3 Recommend appointment of a data control group to promote control over preparation and entry of data onto the new system. Their activities should include
1.3.1 detailed checking procedures to ensure that data that is to be converted is as error free as possible PRIOR to conversion
1.3.2 file comparisons and reconciliations between old and new files and resolution of discrepancies
1.3.3 extraction and follow-up of exception reports relating to information on the new system, e.g. unusually large balances
1.3.4 obtaining user approval for data converted in respect of each user department (e.g. debtors)
1.4 Recommend joint implementation of a training program for staff involved in the conversion, by both Protec Ltd and Go Cars (Pty) Ltd.
1.5 Recommend that a post-implementation review be performed in order to
1.5.1 confirm with both Go Cars (Pty) Ltd and Protec (Pty) Ltd that the system is operating as intended and that all bugs have been resolved
1.5.2 assess the adequacy of the conversion controls
1.5.3 confirm that all aspects of the new system have been properly documented in line with pre-determined standards
The extent of an organisation’s use of IT systems will have an effect on the work of the
internal auditor. The auditor will need to gain an understanding of the entity's use of IT.
This is achieved by gathering information about the IT environment, determining the
risks related to this environment and assessing the controls in operation to reduce these
risks. This information will influence the selection of the audit approach and the
selection of engagement procedures.
The overall objective and scope of an audit do not change in an IT environment. The use
of a computer does, however, change the method of recording transactions, and the
processing, storage and communication of financial and other information. An IT
environment is any environment where a computer, of any type or size, is used in the
processing of financial and management information.
Auditing in an IT environment is a very comprehensive topic and it is therefore important
that you use all available resources to ensure that you have a good understanding of the
IT environment as well as auditing in the IT environment.
Learning unit 20
Computer-assisted audit tools and
techniques (CAATTs)
Contents
20.1 INTRODUCTION .......... 211
20.2 CONSIDERATIONS WHEN USING CAATTS .......... 212
20.3 AUDIT TEST DATA .......... 213
20.4 CONTINUOUS AUDITING .......... 214
20.5 FACTORS THAT COULD INFLUENCE THE AUDITOR’S DECISION TO USE CAATTS .......... 214
20.6 CONSIDERATIONS IN THE IMPLEMENTATION OF CAATTS .......... 215
20.7 PLANNING FOR THE USE OF CAATTS .......... 215
20.8 THE CONSEQUENCES OF INADEQUATE PLANNING .......... 218
20.9 CONTROL PROCEDURES WHEN USING CAATTS .......... 218
20.10 THE APPLICATION OF CAATTS .......... 218
20.1 INTRODUCTION
Computer-assisted audit tools and techniques (CAATTS) are exactly what the name says: making
use of a computer to assist in carrying out the audit. Although some extremely powerful and
complex software exists to assist in performing audits, the concept is simple: wherever it is
economical and efficient to do so, the power, speed and versatility of the computer should be
harnessed to assist with the audit.
Complex business environments, generating large volumes of data in multiple locations, created
the need for computer-assisted audit tools and techniques (CAATTs). System CAATTs are used to
test computerised controls while data CAATTs are used for substantive audit procedures to access,
retrieve and manipulate data from a computerised information system (CIS).
The use of CAATTS involves the merging of software into an audit programme. Information
retrieval and analysis programs and procedures include programs that organise, combine, extract
and analyse information. The availability of microcomputer-based software, which provides
computing power without requiring technical expertise, makes direct data analysis part of the
toolkit of any auditor. The primary requirement is for the auditor to have an understanding of the
business application and of how data relates to it (Cascarino 2012:118).
In this learning unit we will look at the way CAATTs fit into the audit process by discussing the
following sections:
• Considerations when using CAATTs
• Audit test data
• Continuous auditing
• The implementation of CAATTs
• Control procedures when using CAATTs
• The application of CAATTs
REFLECTION
Before you study or attempt this learning unit, please revise your undergraduate work
regarding CAATTs and all related topics.
You should already know what the use of CAATTS entails, as well as the advantages and
disadvantages of the use of CAATTs.
20.2 CONSIDERATIONS WHEN USING CAATTS
CAATTs refer to an auditor’s use of the computer to assist in the acquisition of audit evidence and in
the performance of audit procedures. CAATTs can be divided into system-orientated CAATTs and
data-orientated CAATTs. System-orientated CAATTs are used predominantly to perform engagement procedures (although some substantive evidence may be produced), whilst data-orientated CAATTs are concerned mainly with substantive testing.
Various CAATTs are available to the auditors of computer-based systems. In many instances these
techniques, performed by using computer audit software programs or test data, may be an efficient
and effective way to apply auditing procedures to computer-based systems.
An important difference between computer and manual systems is that in IT systems there is an
opportunity to read data at high speed by using CAATTs, thereby providing access to information
otherwise not easily reviewed. CAATTs can be used to assist audit procedures in various ways, for
example:
• examination of records based on certain criteria to identify inconsistencies, missing data and exceptions for investigation
• testing calculations and making computations to evaluate the reasonableness of given information
• exception reporting
• analytical review or data analytics
• comparing data on separate files to identify differences or exceptions, or to confirm information on one file with corroborating independent information on a second file
• selecting and printing audit samples for verification with source documents or other evidence (Selection can be for a number of criteria and involve varying degrees of sophistication. Evaluation of results can also be done using CAATTs.)
• summarising, re-sequencing or combining retrieved information for analysis by certain criteria, or for financial information disclosure
• simulation of the entity's data processing system to determine the degree of reliance to be placed on the entity's processing of information
A major advantage of using powerful CAATTs packages is that all relevant items can be reviewed,
whereas with manual tests only a sample is normally examined. The increased amount and variety
of data maintained on computer files and the power of computer processing result in the creation of
more detailed account analyses (often in the form of exception reports) than is usually the case in
conventional systems. These reports could include simple analyses of items making up an account
balance (e.g. analyses of inventory or trade debtors by age) as well as more complex analyses
making use of data not forming part of the account balance (e.g. analyses of trade debtors in
relation to credit limits; stock balances in relation to maximum stock levels). The use of CAATTs in
modern-day auditing is therefore increasingly important, but this does not mean that CAATTs are
the most appropriate tool for every audit.
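The following is an added example, not part of the study guide or of any audit software package, showing four of the CAATT uses listed above run over a small constructed debtors master file: an exception report of accounts over their credit limit (the whole population is examined, not a sample), an ageing stratification, a comparison of the current-year master with the prior-year master, and a reproducible random sample for vouching. The account data, period end and field layout are assumptions made for the illustration.

```python
"""Exception reporting, ageing stratification, file comparison and sample
selection over a debtors master file (added example, not from the study guide).
All data below is constructed for illustration."""
from collections import defaultdict
from datetime import date
import random

# Constructed current-year debtors master:
# (account, name, balance, credit_limit, date of oldest open invoice)
CURRENT_MASTER = [
    ("D001", "Alpha Motors", 12500.00, 15000.00, date(2019, 2, 10)),
    ("D002", "Beta Spares", 18200.00, 10000.00, date(2018, 11, 3)),
    ("D003", "Gamma Parts", 0.00, 5000.00, date(2019, 3, 1)),
    ("D004", "Delta Auto", 7300.00, 7000.00, date(2018, 12, 20)),
    ("D005", "Epsilon Ltd", 950.00, 2000.00, date(2019, 3, 5)),
]
# Constructed prior-year master: (account, name, balance, credit_limit)
PRIOR_MASTER = [
    ("D001", "Alpha Motors", 9000.00, 15000.00),
    ("D002", "Beta Spares", 6000.00, 6000.00),
    ("D003", "Gamma Parts", 1200.00, 5000.00),
    ("D006", "Zeta Garage", 400.00, 1000.00),
]
PERIOD_END = date(2019, 3, 31)


def over_credit_limit(master):
    """Exception report: every account whose balance exceeds its credit limit.
    The whole population is examined, not a sample."""
    return [(acc, bal, lim) for acc, _, bal, lim, _ in master if bal > lim]


def age_bucket(days):
    if days <= 30:
        return "0-30"
    if days <= 60:
        return "31-60"
    if days <= 90:
        return "61-90"
    return ">90"


def ageing_summary(master, period_end):
    """Stratify balances by the age of the oldest open invoice at period end."""
    totals = defaultdict(float)
    for _, _, bal, _, oldest in master:
        totals[age_bucket((period_end - oldest).days)] += bal
    return dict(totals)


def compare_masters(current, prior):
    """File comparison: accounts added, accounts removed and credit limits
    changed between the prior-year and current-year master files."""
    cur = {r[0]: r for r in current}
    pri = {r[0]: r for r in prior}
    added = sorted(set(cur) - set(pri))
    removed = sorted(set(pri) - set(cur))
    limit_changed = sorted(a for a in set(cur) & set(pri) if cur[a][3] != pri[a][3])
    return added, removed, limit_changed


def select_sample(master, size, seed):
    """Seeded random sample of accounts for vouching to source documents.
    Recording the seed in the working papers lets a reviewer reproduce it."""
    rng = random.Random(seed)
    return sorted(rng.sample([r[0] for r in master], size))


if __name__ == "__main__":
    print("Over credit limit:", over_credit_limit(CURRENT_MASTER))
    print("Ageing:", ageing_summary(CURRENT_MASTER, PERIOD_END))
    print("Added / removed / limit changed:", compare_masters(CURRENT_MASTER, PRIOR_MASTER))
    print("Sample:", select_sample(CURRENT_MASTER, 2, seed=2019))
```

The credit-limit exception and the changed limit on D002 are the items an auditor would follow up: a limit raised from 6000 to 10000 while the balance still exceeds it points to either an unauthorised master-file change or an override of the credit control.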
REFLECTION
Can you still recall the advantages and disadvantages of using CAATTs? If not, you need
to refer to your undergraduate studies that relate to the basic principles of the use of
CAATTs.
20.3 AUDIT TEST DATA
This is only one of many methods of system-orientated CAATTs. Audit test data involves the
creation of simulated or fictitious data for input to the application. It can test the correct functioning
of automated controls, for example:
• edit or validation checks
• totals
• analysis
• production of exception reports
It can also be valuable because the auditor can design data to test any control which the client
claims is in the system. The auditor compares the results produced by the system with his/her own
manually predetermined results to ensure that the automated controls were operating as intended.
Unfortunately, the test data approach only gives assurance that the control was working when it
was tested and not that it worked throughout the whole period under review. There are two ways
of running test data: against the live data and programs or against a test system. Each of these has
advantages and disadvantages, which are fully documented in your undergraduate studies.
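As an added example (not from the study guide or from any client system), the block below shows the test-data approach in code: the auditor designs a set of stores goods issue slips, predetermines by hand what the application's validation checks should do with each, runs them through the checks and lists every slip where the system's result differs from the predetermined one. The function validate_issue() is a constructed stand-in for the client's edit checks, and the parts master, cost centres and slip numbers are assumptions.

```python
"""Test-data approach: auditor-designed goods issue slips are run through the
application's input validation and each outcome is compared with the result
the auditor predetermined by hand (added example, not from the study guide).
validate_issue() is a constructed stand-in for the client's edit checks."""
from dataclasses import dataclass


@dataclass
class GoodsIssue:
    slip_no: int        # pre-numbered stores goods issue slip
    part_code: str
    quantity: int
    cost_centre: str


VALID_PARTS = {"BRK-100", "OIL-5W30", "FLT-22"}      # assumed parts master
VALID_COST_CENTRES = {"WS01", "WS02"}                 # assumed cost centres


def validate_issue(slip, last_slip_no):
    """Constructed stand-in for the application's edit/validation checks.
    Returns the list of rejection reasons; an empty list means accepted."""
    errors = []
    if slip.slip_no != last_slip_no + 1:
        errors.append("sequence")          # sequence check on pre-numbered slips
    if slip.part_code not in VALID_PARTS:
        errors.append("part_code")         # existence check against parts master
    if slip.quantity <= 0:
        errors.append("quantity")          # sign/zero check
    if slip.cost_centre not in VALID_COST_CENTRES:
        errors.append("cost_centre")       # validity check
    # No reasonableness limit on quantity is enforced here; the test data
    # below is designed to reveal exactly that gap.
    return errors


# Auditor-designed test cases: (input, predetermined result)
TEST_CASES = [
    (GoodsIssue(101, "BRK-100", 4, "WS01"), []),
    (GoodsIssue(102, "XXX-999", 1, "WS01"), ["part_code"]),
    (GoodsIssue(103, "OIL-5W30", -2, "WS02"), ["quantity"]),
    (GoodsIssue(105, "FLT-22", 1, "WS01"), ["sequence"]),
    (GoodsIssue(106, "FLT-22", 1, "WS09"), ["cost_centre"]),
    # The auditor expects a reasonableness limit on quantity to reject this one.
    (GoodsIssue(107, "BRK-100", 5000, "WS01"), ["quantity_limit"]),
]


def run_test_data(cases, validate, start_no=100):
    """Run each case through the validation routine and record expected vs actual.
    Every slip is treated as recorded by the system, so the sequence counter
    advances regardless of the outcome (assumption about the stand-in)."""
    last = start_no
    results = []
    for slip, expected in cases:
        actual = validate(slip, last)
        results.append((slip.slip_no, expected, actual))
        last = slip.slip_no
    return results


def deviations(results):
    """Slips where the system's result differs from the predetermined result."""
    return [slip_no for slip_no, expected, actual in results if expected != actual]


if __name__ == "__main__":
    res = run_test_data(TEST_CASES, validate_issue)
    for slip_no, expected, actual in res:
        print(slip_no, "expected", expected, "got", actual)
    print("Deviations to investigate:", deviations(res))
    # This shows the controls worked at the time of the test only, not
    # throughout the period, and it must be run against a test copy of the
    # system unless the client has agreed to test data entering live files.
```

Slip 107 is the finding: the application accepted a 5000-unit issue without any reasonableness check, which the client's control description claimed was present. The other five cases confirm the sequence, existence, sign and validity checks at the date of the test only.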
AUI4863/SG
STUDY
Assurance: An Audit Perspective (2018: Chapter 8)
Also study the following tools and techniques which are normally required when CAATTs
are used:
• test data generators
• flowcharting packages
• specialised audit software
• generalised audit software
• utility programs
• source code review
• confirmation of results
• test data
• analytical analysis / data analysis
• integrated test facility
• snapshot technique
• controls self-assessment
• sampling
• parallel simulation
20.4 CONTINUOUS AUDITING
A continuous audit permits auditors to monitor an organisation’s systems using appropriate sensors
and digital agents.
STUDY
• Assurance: An Audit Perspective (2018), par 8.4.3
• GTAG 3 – Continuous Auditing: Coordinating Continuous Auditing and Monitoring to Provide Continuous Assurance
20.5 FACTORS THAT COULD INFLUENCE THE AUDITOR'S DECISION TO
USE CAATTS
• Complexity of client’s system – the more complex and sophisticated the accounting system the
less appropriate it is to rely solely on manual audit procedures.
• The volume of transactions/output – as the volume of transactions increases, it becomes
impractical to perform manual extraction, sorting, analysing and summarising of data, because
of normal audit time constraints.
• Data stored in electronic form – the client may store data only in electronic form as opposed to
maintaining hard copy records.
• Availability of skills in the audit team – particular skills, sometimes of a high level, are required
when using CAATTs.
• Potential loss of independence – the use of CAATTs is going to require the cooperation of the
client.
• The attitude of the client – professionally managed companies may expect their auditors to be
up to date with and capable of using modern audit techniques.
• Compatibility of the auditor’s computer hardware and software with the client’s hardware and
software.
• The utilities available at the client's office which could assist with the sorting of files, printing of a
part of a file, copying a database onto a disk etc. It is important to note that if the auditor wants
to utilise the tools already implemented at the client, they should review the code or scripts
used in those tools, because the auditor will be relying on their output as audit evidence.
• Costs associated with obtaining the relevant data.
• Lack of audit trails to trace information to final records or to source documents.
• Situations where detection risk would be significantly decreased as a result of more extensive
testing capabilities.
20.6 CONSIDERATIONS IN THE IMPLEMENTATION OF CAATTS
If an internal auditor decides, after considering the factors mentioned in the previous section, to use
CAATTs, it is essential that the management of the audit firm (or the internal audit section) should
make a formal commitment to the implementation of CAATTs and offer the necessary support in
order to develop the required knowledge and competence for the application of CAATTs.
CAATTs can best be used for the following audit functions:
• Sorting and file reorganisation – data can be sorted by date, customer name, department name,
etc.
• Summarisation, stratification and frequency analysis - data can be summarised in account
number order, departmental order, and the frequency with which certain items are bought and
used.
• Extracting samples, exception reporting, file comparison, for example current master file to prior
year’s master file – these comparisons can be used to develop certain ratios to compare
exceptions and deviations.
• Analytical review, for example extraction of ratios.
• Casting and recalculation.
• Examining records for inconsistencies, inaccuracies and missing data and creating a report
thereon.
STUDY
Assurance: An Audit Perspective (2018), Chapter 8
Familiarise yourself with the following:
• advantages and disadvantages when using the different CAATTs
• audit procedures
• CAATTs use in non-computer areas
20.7 PLANNING FOR THE USE OF CAATTS
Proper planning for the use of CAATTs is just as important as the planning phase of the audit
process where the computer is not used. In addition to ordinary planning matters, attention should
be given to the matters listed below, which are of exceptional importance in the application of
CAATTs.
The auditor should consider the following specific planning items:
• knowledge of the auditee’s business
• audit plan
• data file reconciliation
Knowledge of the auditee’s business. With respect to the possible audit software, the auditor
should consider accumulating the following information at the planning stage of the audit:
• the impact of the auditor’s access to an auditee’s data, hardware, software and networks
• the main systems of financial significance, and the data retention policies, related file layouts
and volumes of transactions
Audit plan. The audit plan should be reviewed to ensure that optimum use is made of the available
audit software. Appropriate resources should be available to support the audit plan. Attention
should be paid to the following aspects:
• the need for continuity of staff on each audit to ensure that the use of audit software increases over time
• experience of scheduled audit staff in the use of audit software
• training requirements for audit staff before the fieldwork begins
• need for, and timing of, technical support
• specialised hardware or software required to access an auditee's data
• need for auditees to retain data necessary for the audit and to ensure that the auditor is made aware of changes in, for example, file structures and content
Data file reconciliation. It is important that the auditee’s data which are used for audit testing be
reconciled to the subject matter of the engagement, for example, financial statements or auditee’s
control totals. The auditor should request the auditee to provide the information, such as control
totals of the more important numerical fields, to verify that all transactions have been processed. It
is also important to reconcile the number of records back to the source population.
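The reconciliation described above, as an added example that is not part of the study guide: an inventory extract received from the auditee is agreed to the control totals the auditee supplied (record count, a monetary total and a hash total of a non-monetary field) before any audit test is run on it. The extract, the control totals and the CSV layout are constructed; the extract deliberately has one record missing and another written twice, so the record count still agrees while the totals do not, which is why a count alone is not a sufficient reconciliation.

```python
"""Data file reconciliation: agree an extracted inventory file to the auditee's
control totals before any audit tests are run on it (added example, not from
the study guide). The extract and the control totals are constructed."""
import csv
import io
from collections import Counter
from decimal import Decimal

# Constructed: control totals supplied by the auditee for the full master file
CLIENT_CONTROL_TOTALS = {
    "record_count": 6,
    "value_total": Decimal("38950.00"),   # sum of the monetary field
    "qty_hash_total": 1260,               # hash total of a non-monetary field
}

# Constructed extract as received: item I006 is missing and I005 was written
# out twice, so the record count alone still agrees with the control total.
EXTRACT_CSV = """item_code,quantity_on_hand,value
I001,200,5000.00
I002,150,7500.00
I003,310,12400.00
I004,100,3050.00
I005,400,8000.00
I005,400,8000.00
"""


def load_extract(text):
    """Parse the flat-file extract; money is kept as Decimal, never float."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"item_code": r["item_code"],
                     "quantity_on_hand": int(r["quantity_on_hand"]),
                     "value": Decimal(r["value"])})
    return rows


def compute_totals(rows):
    return {
        "record_count": len(rows),
        "value_total": sum((r["value"] for r in rows), Decimal("0")),
        "qty_hash_total": sum(r["quantity_on_hand"] for r in rows),
    }


def reconcile(rows, control):
    """Return (field, client_total, extract_total) for every total that differs."""
    actual = compute_totals(rows)
    return [(k, control[k], actual[k]) for k in control if actual[k] != control[k]]


def duplicate_keys(rows, key="item_code"):
    """Keys that occur more than once; a duplicate often explains a difference."""
    counts = Counter(r[key] for r in rows)
    return sorted(k for k, n in counts.items() if n > 1)


if __name__ == "__main__":
    rows = load_extract(EXTRACT_CSV)
    diffs = reconcile(rows, CLIENT_CONTROL_TOTALS)
    print("Differences:", diffs or "none - extract agrees to control totals")
    print("Duplicate keys:", duplicate_keys(rows))
    # Do not proceed to substantive tests until every difference is explained
    # and a corrected extract has been obtained and re-reconciled.
```

The two differences (value 43950.00 against 38950.00 and quantity hash total 1560 against 1260) are both explained by the duplicated I005 row replacing the missing I006 row; the record count of 6 on its own would have given false comfort.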
ACTIVITY
You are a senior internal auditor at Parts n Pieces (Pty) Ltd, a motor spares and
accessories company. Parts n Pieces (Pty) Ltd uses a computerised perpetual inventory
system and carries out regular physical inventory test checks (cycle counts) rather than
performing a count at the year-end. Internal audit does not attend these cycle counts.
Pre-numbered goods received notes are used to record receipts of inventory while pre-numbered stores goods issue slips are used to record issues of goods from inventory. The
company makes use of on-line prepared source documents, which are captured
individually onto the system, via terminals located in the inventory section.
You have a range of audit software available for use on the inventory master file and you
are competent to use it.
REQUIRED
Briefly discuss the matters an auditor would consider in deciding whether or not to use
CAATTs given the above circumstances.
FEEDBACK
1. It may be impossible to obtain sufficient audit evidence without using CAATTs due to:
1.1 the complexity of the client's system and the degree of reliance on computers and related controls
1.2 the volume of transactions processed
2. The manner in which data is stored by the client – CAATTs may be the best way to retrieve data necessary for the audit where minimal hard copies are kept.
3. The length of time the client retains data – a concurrent auditing technique such as SCARF may be necessary where detail (transaction files) supporting totals and balances is not kept for long.
4. The availability of suitable CAATT software to meet the particular audit objective.
   • If suitable CAATT software is not available it will take time and money to develop suitable software.
   • The client may have certain software (e.g. report writers) which may be useful.
5. The cost effectiveness and efficiency of adopting the technique.
6. The availability of competent staff within the audit team and firm to support and use the software.
7. The degree of reliance on the client's IT staff that will be necessary and the effect of such reliance on the internal auditor's independence/objectivity.
8. The willingness of the client to let you make use of CAATTs on client hardware and the level of co-operation which can be expected. This will depend upon:
8.1 the extent to which use of CAATTs will disrupt the client's normal processing activities
8.2 how much risk there is of corrupting client files through use of CAATTs
9. The compatibility of audit hardware (e.g. laptop) with client hardware and software.
10. Client expectations – the client may be concerned about internal audit's competence if you do not use CAATTs.
20.8 THE CONSEQUENCES OF INADEQUATE PLANNING
The failure to plan adequately for the use of CAATTs can result in
• cost and time overruns
• arriving at the wrong audit conclusion
• failure to achieve the desired objective of the test
• significant frustration to both the auditor and the auditee
20.9 CONTROL PROCEDURES WHEN USING CAATTS
To use CAATTs successfully it is necessary to have sufficient controls in place while using CAATTs.
These controls will ensure that the client’s data is protected and that the auditor obtains reliable
audit evidence. The following control procedures should be in place:
• Approve CAATTs specifications.
• Review work to be performed by the CAATTs.
• Review the client's general control environment.
• Consider whether client staff could improperly influence the results of the CAATTs.
• Ensure integration of output into the audit process.
20.10 THE APPLICATION OF CAATTS
CAATTs can be used to perform engagement procedures. As mentioned earlier, system-oriented
CAATTs concentrate on the accounting system and related control procedures and data-oriented
CAATTs are mainly concerned with substantive testing.
Where the client has a computerised information system, it may be more effective and efficient to
use CAATTs in the performance of substantive audit procedures. Typical ways in which this can be
done are indicated below:
Audit working papers - The firm’s audit working papers and audit methodology may be available on
generalised audit software packages such as Caseware, ACL or IDEA. The working papers would
document the audit programme and schedules, analysing account balances and significant classes
of transactions in detail.
Substantive analytical procedures - CAATTs may be used to download information from the
computerised records and then, using spreadsheets and modelling programs, the full range of
analytical procedures may be performed. CAATTs may be used to analyse all journal entries
processed during the period in order to identify all large and unusual journal entries for substantive
testing. The auditor should be alert to the risk of management override of controls over non-standard
journal entries and to the fact that there may be little or no visible evidence of such override.
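The journal entry analysis described above, as an added example that is not from the study guide or from any audit package: every journal in the period is summarised and tested against a set of indicators of large or unusual entries (amount at or above materiality, round amounts, posting outside business hours or at the weekend, manual journals posted by a user not authorised to post them, and debits not equal to credits), and the flagged journals are selected for substantive testing. Because override of non-standard journals usually leaves no paper evidence, the tests use the posting timestamp and user captured by the system. The journal lines, users, hours and thresholds are constructed assumptions.

```python
"""Analyse every journal entry in the period for large, unusual or
out-of-pattern postings and select those for substantive testing
(added example, not from the study guide). All data is constructed."""
from datetime import datetime
from decimal import Decimal

# Constructed journal lines:
# (journal_id, posted_at, user, source, account, debit, credit)
JOURNAL_LINES = [
    ("J1", "2019-03-12 10:15", "ACCT1", "AUTO",   "1200", "4200.00", "0.00"),
    ("J1", "2019-03-12 10:15", "ACCT1", "AUTO",   "4100", "0.00", "4200.00"),
    ("J2", "2019-03-30 22:40", "CFO",   "MANUAL", "1200", "250000.00", "0.00"),
    ("J2", "2019-03-30 22:40", "CFO",   "MANUAL", "4100", "0.00", "250000.00"),
    ("J3", "2019-03-15 16:05", "ACCT2", "MANUAL", "6100", "1234.56", "0.00"),
    ("J3", "2019-03-15 16:05", "ACCT2", "MANUAL", "2100", "0.00", "1234.50"),
    ("J4", "2019-03-18 09:00", "ACCT1", "MANUAL", "6200", "12000.00", "0.00"),
    ("J4", "2019-03-18 09:00", "ACCT1", "MANUAL", "2100", "0.00", "12000.00"),
]
MATERIALITY = Decimal("50000.00")          # assumed performance materiality
ROUND_THRESHOLD = Decimal("10000.00")      # round amounts at or above this are flagged
BUSINESS_HOURS = (7, 19)                   # before 07:00 or at/after 19:00 is outside hours
AUTHORISED_MANUAL_USERS = {"ACCT1", "ACCT2"}   # staff authorised to post manual journals


def summarise_journals(lines):
    """Aggregate lines per journal: header attributes plus total debits/credits."""
    journals = {}
    for jid, posted, user, source, _, dr, cr in lines:
        j = journals.setdefault(jid, {
            "posted_at": datetime.strptime(posted, "%Y-%m-%d %H:%M"),
            "user": user, "source": source,
            "debits": Decimal("0"), "credits": Decimal("0")})
        j["debits"] += Decimal(dr)
        j["credits"] += Decimal(cr)
    return journals


def flag_journals(lines, materiality=MATERIALITY):
    """Return {journal_id: [flags]} for the whole population; an empty list
    means none of these indicators fired."""
    flags = {}
    for jid, j in summarise_journals(lines).items():
        f = []
        amount = j["debits"]
        if amount >= materiality:
            f.append("large")
        if amount >= ROUND_THRESHOLD and amount % Decimal("1000") == 0:
            f.append("round_amount")
        hour = j["posted_at"].hour
        if hour < BUSINESS_HOURS[0] or hour >= BUSINESS_HOURS[1]:
            f.append("outside_hours")
        if j["posted_at"].weekday() >= 5:          # Saturday or Sunday
            f.append("weekend")
        if j["source"] == "MANUAL" and j["user"] not in AUTHORISED_MANUAL_USERS:
            f.append("unauthorised_user")          # possible management override
        if j["debits"] != j["credits"]:
            f.append("unbalanced")
        flags[jid] = f
    return flags


def select_for_testing(flags):
    """Journals with at least one flag, in a stable order for the working papers."""
    return sorted(jid for jid, f in flags.items() if f)


if __name__ == "__main__":
    result = flag_journals(JOURNAL_LINES)
    for jid, f in result.items():
        print(jid, f or "-")
    print("Select for substantive testing:", select_for_testing(result))
```

J2 is the entry the override warning is about: a round, material revenue journal posted manually by an executive on a Saturday night. Nothing in the paper trail would show that; the system's posting metadata does, which is why the analysis is run over all journals rather than a sample.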
Sample selection - Sampling software can facilitate the selection of random and other samples of
source documents or transactions recorded.
Data sorting and analysis and printing of exception reports - CAATTs may be used to sort data
within the computerised accounts according to the specifications of the auditor, for example:
• revenue transactions
• payroll transactions
• inventory listings
• recalculation
ADDITIONAL READING
Read the following interesting article regarding CAATTs on the following website, and
participate by trying to add some ideas to the various topics:
http://en.wikipedia.org/wiki/Computer_Aided_Audit_Tools
Visit the following website and familiarise yourself with the key terminologies explained:
http://www.docstoc.com/docs/21535006/Computer-Assisted-Audit-Techniques(CAATs)/
A computerised information system (CIS) environment influences the procedures followed by an
auditor in the following respects:
• It affects the audit procedures that need to be carried out in order to obtain a sufficient
understanding of the accounting and internal control system of an organisation.
• It influences the factors that should be considered in respect of the inherent and control risks of
an organisation.
• It affects the design and performance of engagement procedures and substantive procedures in
order to achieve the audit objectives.
Where the client has a computerised accounting system, it may be more effective and efficient to
use CAATTs in the performance of substantive audit procedures.
Learning unit 21
Factors to be considered in the choice and
use of audit software
Contents
21.1 INTRODUCTION ........................................................................................ 220
21.2 AUDIT SOFTWARE: GENERAL CRITERIA THAT AUDIT SOFTWARE SHOULD COMPLY WITH ........ 220
21.3 DIFFERENCES BETWEEN OFF-THE-SHELF (GENERALISED) AND PURPOSE-WRITTEN AUDIT SOFTWARE ........ 221
21.1 INTRODUCTION
It was mentioned in the previous learning unit that one of the considerations with regard to the use
of CAATTs is the audit software that will be used. Audit software is of such importance, however,
that it will be dealt with in greater detail in this learning unit. The following aspects of audit
software are dealt with:
• general criteria that audit software should comply with
• differences between choosing off-the-shelf (generalised) and purpose-written audit software
• control procedures when using CAATTs
21.2 AUDIT SOFTWARE: GENERAL CRITERIA THAT AUDIT SOFTWARE
SHOULD COMPLY WITH
When choosing or designing audit software the following general characteristics of good audit
software should be taken into account:
• user-friendliness of the software in the application of CAATTs
• consistent use of audit software
• logical presentation of the auditor’s options when using the audit software, usually involving the
use of lists of options
• functionality in the sense that audit software should be capable of performing the specific
techniques or procedures that the auditor requires
• speed of execution of the techniques and procedures that the auditor requires
• linked editing of instructions
• handling of errors
• human interaction with the computer
• documentation prepared by the audit software as an essential element of the audit evidence
• the question whether the software is able to provide control over the storage of and access to
the audit specifications
21.3 DIFFERENCES BETWEEN OFF-THE-SHELF (GENERALISED) AND
PURPOSE-WRITTEN AUDIT SOFTWARE
CAATTs may be package programs, purpose-written programs, utility programs or system
management programs. The auditor needs to substantiate the appropriateness and validity for the
audit purpose before using any program and therefore needs to understand the purpose and
application of each of the various options to decide which one will be the most appropriate in the
circumstances.
• Package programs. These are generalised programs designed to perform data functions, such as
reading data, selecting and analysing information, performing calculations, creating data files
and reporting in a format specified by the auditor. Some of the software packages used by
internal auditors – IDEA, ACL, DIAL and SAS – can be used on a mainframe or microcomputer
platform.
• Purpose-written programs. These programs perform audit tasks in specific circumstances.
Written at the request of the auditor or management, they determine specific information such
as the number of sick leave days taken in a department.
• Utility programs. Used by an entity to perform common data processing functions, such as
sorting, creating and printing files. A utility program could be a program used on a daily basis to
determine stock issued from stores to the manufacturing plant.
• System management programs. These enhanced productivity tools are typically part of a
sophisticated operating system environment, for example, data retrieval software or code
comparison software.
STUDY
Assurance: An Audit Perspective (2018), par 8.4
Study the information on generalised audit software (GAS) and make a summary of the
following aspects:
• definition of GAS
• uses of GAS
• limitations of GAS
• benefits of GAS
ADDITIONAL READING
Read additional information regarding audit software on the following website:
http://en.wikipedia.org/wiki/Computer_Aided_Audit_Tools
The use of computer-assisted audit solutions involves the merging of software into an
audit program. Information retrieval and analysis programs and procedures include
programs that organise, combine, extract and analyse information. The availability of
micro-computer-based audit software, which provides computing power without
requiring technical expertise, makes direct data analysis part of the toolkit of any
auditor. The primary requirement is for the auditor to have an understanding of the
business application and how data relates to it.
NOTES
Make your own notes here:
Learning unit 22
Corporate IT governance
Contents
22.1 INTRODUCTION ........................................................................................ 223
22.2 IT GOVERNANCE ...................................................................................... 223
22.3 SUPPORT TOOLS AND FRAMEWORKS ................................................................ 224
22.4 IS INFRASTRUCTURES ................................................................................ 225
22.1 INTRODUCTION
Control frameworks are needed by managers to ensure that their IT processes are contributing to
business objectives and creating a competitive advantage. The organisation needs assurance that
risks are mitigated. Stakeholders need assurance that the organisation can be trusted. The only way
to gain assurance is for management to increase their understanding of IT operations without
getting bogged down in the increasingly complex execution details.
REFLECTION
Before you study this learning unit, please revise all material relating to corporate
governance and refer to all relevant modules.
22.2 IT GOVERNANCE
Good governance has become very important in view of the global requirements for transparency
and accountability in organisational stewardship. IT governance is a subset of corporate
governance.
The IPPF defines IT governance as follows: "Consists of the leadership, organizational structures, and
processes that ensure that the enterprise’s information technology supports the organization’s
strategies and objectives.”
STUDY
• Performing Internal Audit Engagements, Par 2.6 (page 82)
• Assurance: An Audit Perspective (2018: Chapter 2 – 2.11)
• GTAG 17: Auditing IT Governance
• King IV: Principle 12
22.3 SUPPORT TOOLS AND FRAMEWORKS
According to the Institute of Internal Auditors’ Global Technology Audit Guide (GTAG), a control
framework is an outline that identifies the need for controls but does not describe how they should
be applied.
IT control frameworks are internal control systems that help managers set IT control objectives, link
IT to business processes and overall control frameworks identifying key IT areas to leverage and
create a process model that logically groups IT processes.
A key control concept is that IT controls must provide continuous assurance for internal controls, as
covered in the Internal Control – Integrated Framework of the Committee of Sponsoring
Organisations of the Treadway Commission (COSO).
STUDY
• IIA Standards relevant to IT Governance – Standards 2110, 2110.A2
• GTAG – Information Security Governance
• King IV Report – Technology and information governance (Principle 12)
ADDITIONAL READING
Other standards and frameworks that relate to IT auditing that you should be aware of,
are the following:
• Business continuity management – http://www.continuitysa.co.za/newsroom/articles/business-continuity-management.html
• ISO standards related to IT (information security, governance etc) – http://www.iso.org/iso/products/standards/catalogue_ics_browse.htm?ICS1=37&ICS2=100&ICS3=99&
• ITIL – www.isaca.org
• COBIT – http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx
• We refer you again to the IIA website, where the GTAG articles are published; refer specifically to the one that relates to IT governance: http://www.theiia.org
ACTIVITY
List and discuss the five components defined by COSO as components that would assist
management in achieving their objectives.
FEEDBACK
Refer to Internal Auditing: An Introduction (2017: par 5.4), and describe each of the
following components:
• Sound control environment
• Sound risk assessment process
• Sound operational control activities
• Sound information and communications systems
• Effective monitoring
22.4 IS INFRASTRUCTURES
IT staff require specialist expertise and skills in order to develop a technology infrastructure plan.
The architecture itself will constantly change in order to ensure the best approach is taken to satisfy
user requirements as they change with increasing rapidity.
IS can be split broadly into three infrastructural areas:
• project-based functions
• operations and production
• technical services
STUDY
Performing Internal Audit Engagements, (2017: par 2.3.1)
ADDITIONAL READING
I refer you again to the IIA website, where the “GTAG” articles are published, specifically
to the one that relates to IT Governance: http://www.theiia.org
SUMMARY
In this learning unit we briefly discussed IT governance. It is of the utmost importance
that you refer to your undergraduate studies as well as to the other modules where
governance is discussed. IT control frameworks are internal control systems that help
managers set IT control objectives, link IT to business processes and overall control
frameworks.
In this topic we discussed auditing in an IT environment, computer-assisted audit tools
and techniques (CAATTS) and audit software. A brief overview was also provided of
corporate IT governance.
In the first learning unit of this topic, auditing in an IT environment was discussed. We looked at the
effect of an IT environment on the audit process, including the following concepts:
• Approach to auditing in an IT environment
• The nature of audit evidence
• Engagement procedures related to an IT environment
• Engagement procedures
The auditor will need to gain an understanding of the entity's use of IT. This is achieved
by gathering information about the IT environment, determining the risks related to this
environment and assessing the controls in operation to reduce these risks. This
information will influence the selection of the audit approach and the selection of audit
procedures.
In learning unit 20 we discussed computer-assisted audit tools and techniques
(CAATTS).
Complex business environments, generating large volumes of data in multiple locations,
created the need for computer-assisted audit tools and techniques (CAATTs).
In this learning unit we looked at the way CAATTs fit into the audit process by discussing
the following sections:
• Considerations when using CAATTS
• Audit test data
• Continuous auditing
• The implementation of CAATTS
• Control procedures when using CAATTS
• The application of CAATTS
In learning unit 21 we discussed the factors that should be considered in the choice and
use of audit software. Audit software is of such importance that it was discussed in detail
in this learning unit. The following aspects of audit software were dealt with:
• General criteria that audit software should comply with
• Differences between choosing off-the-shelf (generalised) and purpose-written audit
software
• Control procedures when using CAATTs
The primary requirement is for the auditor to have an understanding of the business
application and how data relates to it.
In learning unit 22 we briefly discussed corporate IT governance. Control frameworks
are needed by managers to ensure that their IT processes are contributing to business
objectives and creating a competitive advantage. The organisation needs assurance that
risks are mitigated. Stakeholders need assurance that the organisation can be trusted.
The only way to gain assurance is for management to increase their understanding of IT
operations without getting bogged down in the increasingly complex execution details.
IT control frameworks are internal control systems that help managers set IT control
objectives, link IT to business processes and overall control frameworks.
Now that you have studied the learning units in this topic, are you able to do the
following?
• Understand and be proficient in the application of theoretical concepts underlying
CAATTs in the context of an IT environment.
• Consider and adapt to all the factors relating to the application of CAATTs in the
audit process.
• Explain and apply all aspects concerning an audit in the IT environment on an
integrated level.
• Consider all the factors that should be taken into account when deciding on audit
software.
NOTES
Make your own notes here: