
Preface

GCA is a non-government, non-profit organization working for the development of professional accountancy and for the members and students of professional accountancy bodies. We work to provide career counseling, guidelines and other material to assist in building a well-established career in the professional accountancy professions. Our members are social workers from all corners of the world, ready to assist everyone to the best of their ability.

SCOPE OF OUR ACTIVITIES:

1. Provision of useful study material and guidelines to students.
2. Guidelines about firms' induction process, interview preparation and skills development.
3. Complete and relevant information about different accountancy bodies.
4. Sharing updates from the world of accountancy.
5. Sharing the latest relevant job vacancies.
6. Efforts to become a bridge between students and professional bodies.
7. Provision of the largest discussion forum for students and members for professional discussions.
8. Arranging revision classes for the students of CA Inter & CA Final by competent teachers from other cities.

Contact:

Email: gcaofficial@gmail.com Cell: +923361492450

How to use this book

This book provides a complete understanding of internal audit procedures, from basic concepts through to practical internal audit procedures.

For beginners, use this text to grasp the basic concepts. The annexure placed at the end contains the practical audit procedures used; you can gain a practical understanding of internal audit by working through it.

For professionals, just go through this text and use the annexure placed at the end in daily audit work.

You can go through this book within 90 minutes, so it can be said to be the shortest comprehensive book on internal audit.

Best Regards

GCA Team


Contents

1 Internal Auditing, Risk and Governance

2 Conducting internal audit engagements

3 Sampling and statistics

4 Gathering data and other engagement tools

5 Analytical review

6 Computerised audit tools and techniques

7 Risk and control self-assessment

8 Financial audit engagements

9 Security and privacy audit engagements

10 IT engagements

11 Other assurance engagements

12 Consulting engagements

13 Fraud

14 Monitoring engagements

15 Annexure

Chapter 1

www.gcaofficial.org

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

The International Professional Practices Framework (IPPF) is the conceptual framework that organizes guidance issued by the IIA.

The IPPF produces mandatory guidance which must be complied with, and strongly recommended guidance which, although not compulsory, should be complied with.

The Code of Ethics is a statement of the principles and expectations governing the behavior of individuals and organisations in the conduct of internal auditing. It applies to both individuals and entities that provide internal auditing services and compliance is compulsory. Breaches may result in disciplinary action.

Internal auditors must apply and uphold the four principles of integrity, objectivity, confidentiality and competency and abide by twelve rules of conduct. Internal auditors shall:

(1) Perform their work with honesty, diligence, and responsibility.

(2) Observe the law and make disclosures expected by the law and the profession.

(3) Not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organisation.

(4) Respect and contribute to the legitimate and ethical objectives of the organisation.

(5) Not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organisation.

(6) Not accept anything that may impair or be presumed to impair their professional judgment.

(7) Disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

(8) Be prudent in the use and protection of information acquired in the course of their duties.

(9) Not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organisation.

(10) Engage only in those services for which they have the necessary knowledge, skills and experience.

(11) Perform internal auditing services in accordance with the Standards for the Professional Practice of Internal Auditing.

(12) Continually improve their proficiency and the effectiveness and quality of their service.

Impairment to objectivity or independence occurs when they are actually impaired, or presumed to be impaired.

Impairments to objectivity or independence (real or presumed) must be disclosed to appropriate parties.

The Standards are developed by the Internal Audit Standards Board (IASB) on behalf of the IIA; they form part of the mandatory guidance for internal auditors.

The Standards consist of Attribute Standards, Performance Standards and Implementation Standards.

Attribute and Performance Standards apply regardless of the service provided, whilst each group of Implementation Standards applies only to a major category of engagements (assurance [A] and consulting [C] services).

The purpose of the strongly recommended guidance is to support, and assist the implementation of, the mandatory guidance. Although not mandatory in itself, compliance is strongly recommended.

Strongly recommended guidance consists of Position Papers, Practice Advisories and Practice Guides.

Internal auditors must be aware of, and be able to apply, other laws and regulations in addition to those set out by the IIA, eg Sarbanes-Oxley, the Integrated Framework, and the US Government 'Yellow Book'.

Chapter 2

The audit engagement process is made up of a number of steps following from the initial collection of data, through to developing working papers, drawing conclusions and recommendations and producing the final report.

Internal auditors must remain alert to the potential for fraud during all stages of an internal audit engagement.

Internal auditors must be skilled in the collection of useful data. This data will form the basis of their conclusions and recommendations.

Audit evidence is the facts that the auditor uses to support the audit opinions, conclusions and recommendations. It can be physical, documentary, representational or analytical.

Evidence received from an external source can be more reliable than that from an internal source.

Timing and confidentiality must be taken into consideration when collecting data, particularly from external sources.

Internal auditors have a right of access to all information within an organisation, and are under no obligation to provide a reason for why documents are required.

Internal auditors must identify sufficient, reliable, relevant and useful information to achieve the engagement's objectives.

Audit evidence should be collected on all matters that relate to the engagement objectives and scope of work. The method used for this should be appropriate to the situation.

Analytical procedures can be used to analyze information to identify relationships, trends and anomalies for further investigation.

After data and evidence have been collected, they must be analysed in order to transform them into meaningful information upon which to draw sensible conclusions.

In order to have any meaning, analysis should be put into context by looking at comparisons.

Common analytical techniques include ratio analysis, trend analysis, regression analysis, period to period comparisons, comparisons with budgets, forecasts and economic information, and comparisons with external sources such as legislation or best practice.

The analyzing and interpreting data stage will continue until the auditor is satisfied that a sufficient explanation has been received for all discrepancies.

Auditors are required to document the engagement in workpapers. The purpose of these workpapers is to record relevant information to support conclusions and engagement results. They contain details of everything you did during the audit.

Good working papers will be well structured and easy to follow. They could be read by another auditor, who had no involvement in the engagement, and would lead that auditor to draw the same conclusions as those drawn by the auditor that originally carried out the work.

Work papers are likely to contain confidential or personal information and are also crucial to the success of the engagement. Therefore access to these documents must be carefully controlled.

Workpapers should be reviewed to ensure the work is of sufficient quality and to evaluate the skills and training needs of the internal auditor.

Workpaper reviews should be evidenced.

Any review notes arising from the review should be followed up by the internal auditor. Sufficient evidence should be placed on file to prove the review notes have been resolved.

Interim reports should be used to communicate information that requires immediate attention, to communicate a change in scope, or to keep management informed of progress.

Fraud should be communicated to senior management and the board immediately.

Internal auditors are required to communicate the results of the audit in a report. Conclusions form the basis of this report. They are built upon the facts and findings of the audit work carried out.

Conclusions are the auditor's professional opinion of the activity based on the facts gathered during the audit process. They can be positive as well as negative, presuming there is sufficient reason to compliment the client.

Recommendations are suggested courses of action.

Auditors must take care not to take on management responsibilities.

Recommendations are not obligatory – they are only one possible way to address a problem. Managers may choose to follow a different course of action.

Exit meetings are held at the end of the audit engagement after a draft report has been produced. This is to discuss findings and recommendations, obtain client perspective, agree possible solutions and thank the client for their help and cooperation during the audit.

The final report is then put together. This will include, among other things, the purpose, scope and results of the audit. The report is provided to those people who can take corrective action on the issues. Summaries will go to more senior managers.

After issue of the formal report, managers have the opportunity to formally respond. To prevent problems at this stage the findings should have been regularly discussed with management throughout the course of the engagement.

The internal audit activity should aim to always improve and should add value to an organisation.

Client feedback is an important method of assessing how well the internal audit activity is performing and to what extent it is meeting the expectations of its clients. It should be incorporated into every internal audit engagement after the final report has been issued.

Auditors' performance should be reviewed both annually by the CAE, and following each audit by the auditor-in-charge.

Chapter 3

Mean is the sum of all the items in the sample divided by the number of items in that sample.

Median is the midpoint of all the values in that sample, with an equal number of values above and below it.

Mode is the most frequently occurring number in a sample.

The range is the difference between the largest and smallest values in the population.

Probability uses estimation techniques to work out the likelihood of particular outcomes occurring and provides a basis for making decisions.

The normal distribution of a population is where most items clump around the mean, but there are also individual cases that are a long way from the mean. If plotted on a graph, the line would form the shape of a bell shaped curve.

The standard deviation indicates the dispersion of the variable, ie how tall or flat the curve is. The smaller the standard deviation, the taller and narrower the curve.

The aim of sampling is to select a subset of items that provide a reasonably accurate reflection of the whole population.

Sampling risk is the risk that the conclusions an auditor reaches based on a sample are different to the conclusions that would be reached if the whole population had been audited.

The greater the reliance on the results of a procedure, the lower the acceptable audit risk will be, and therefore the larger the sample size will need to be.

Statistical sampling means choosing a scientifically random sample.

Judgmental samples are selected based on the auditor's informed assessment of how many items should be in the sample to give a reasonably reliable result.

An auditor can use a variety of methods to select a sample; cluster, random number, stratified random, interval, and haphazard sampling are all useful methods of sampling.

There are also a range of selection techniques that can be used. Different techniques are better suited to different audit objectives.
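The statistics and the selection methods this chapter names, worked through in code. This is an added example, not part of the GCA text: the population of invoice amounts and cost centres is constructed, and the selection routines are this editor's own illustration of random-number, interval and stratified random sampling, with the gap between sample mean and population mean shown as a measure of sampling risk.

```python
"""Descriptive statistics and audit sample selection over a constructed
population of invoice amounts (added example, not from the GCA text)."""
import random
import statistics

# Constructed population: 40 invoice amounts, each tagged with a cost
# centre so that stratified selection has a stratum to work with.
AMOUNTS = [
    120, 340, 560, 120, 980, 210, 450, 120, 1300, 640,
    330, 275, 120, 890, 415, 225, 760, 340, 510, 1450,
    95, 180, 620, 340, 705, 260, 1100, 150, 430, 370,
    840, 290, 120, 560, 975, 205, 665, 310, 1250, 480,
]
POPULATION = [
    {"id": i, "centre": "B" if i % 3 == 0 else "A", "amount": amt}
    for i, amt in enumerate(AMOUNTS, start=1)
]


def describe(values):
    """Mean, median, mode, range and population standard deviation,
    as the chapter defines them."""
    return {
        "mean": statistics.mean(values),
        "median": statistics.median(values),
        "mode": statistics.mode(values),
        "range": max(values) - min(values),
        "stdev": statistics.pstdev(values),
    }


def random_sample(population, n, seed=1):
    """Random-number selection: every item has an equal chance of selection."""
    return random.Random(seed).sample(population, n)


def interval_sample(population, n, start=0):
    """Interval (systematic) selection: every k-th item from a start point
    chosen within the first interval."""
    k = len(population) // n
    if k < 1:
        raise ValueError("sample larger than population")
    if not 0 <= start < k:
        raise ValueError("start must lie within the first interval")
    return population[start::k][:n]


def stratified_sample(population, n, key, seed=1):
    """Stratified random selection with proportional allocation.

    Each stratum's share is floored, and the remaining places go to the
    strata with the largest fractional remainders so the total is exactly n.
    """
    strata = {}
    for item in population:
        strata.setdefault(key(item), []).append(item)
    total = len(population)
    shares = {s: n * len(items) / total for s, items in strata.items()}
    alloc = {s: int(share) for s, share in shares.items()}
    leftover = n - sum(alloc.values())
    by_remainder = sorted(shares, key=lambda s: shares[s] - alloc[s], reverse=True)
    for s in by_remainder[:leftover]:
        alloc[s] += 1
    rng = random.Random(seed)
    chosen = []
    for s, items in strata.items():
        chosen.extend(rng.sample(items, alloc[s]))
    return chosen


def sampling_error(sample, population):
    """Sampling risk made visible: the distance between the sample mean and
    the population mean. A larger sample normally narrows this gap."""
    sample_mean = statistics.mean(i["amount"] for i in sample)
    population_mean = statistics.mean(i["amount"] for i in population)
    return sample_mean - population_mean


if __name__ == "__main__":
    print(describe(AMOUNTS))
    for n in (5, 10, 20):
        print(n, "items, error:", round(sampling_error(random_sample(POPULATION, n), POPULATION), 1))
```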

Chapter 4

The aim of the interview is to uncover facts, but without forcing information out of the interviewee.

Successful interviews are made up of six stages: planning, opening, conducting, closing, documenting and evaluating.

Internal control questionnaires (ICQs) are used to document the adequacy of process activities and controls.

There are a number of advantages and disadvantages to using questionnaires. The main advantage is that they can be used for many respondents in diverse locations; the main disadvantages are that they do not provide detailed information and provide little opportunity for follow-up questioning and observation.

Questionnaires are best suited to multiple units, or to matters of a yes/no nature such as regulatory compliance.

Checklists help to ensure consistency and completeness in carrying out a task.

Checklists are useful internal audit tools and can be used as a memory aid, to gather information and as a control.

Observation allows auditors to obtain information that can't be gathered by transaction testing or the review of documentation.

In order to carry out effective observation the auditor should prepare in advance, put observations into context, and notice what is missing.

Observations should be backed up by other evidence wherever possible to give the finding sufficient impact in the report.

Observations can be misleading when employees know they are being observed.

Process maps visually show the steps of a process. The most common form of process mapping is the flowchart.

Flowcharts can be extremely useful tools for internal auditors, both for charting their own processes and those they are auditing.

Standard flowcharting symbols have been developed to improve consistency and aid the understanding of users or recipients of flowcharts.

Flowcharts can take either a horizontal or vertical format and can focus on the process steps, or the functions they pass through.

Auditors must translate their findings into recommendations that will be agreed by management and, once implemented, solve the identified problems.

This can be done using the five attribute approach, which requires the internal auditor to define the condition, criterion, effect, cause and recommendation for each of the findings.

Every recommendation in the draft report should be reviewed against the five attributes.

Chapter 5

Analytical procedures allow auditors to make comparisons between what they would have expected to find and what was actually found during the audit engagement.

Analytical work should be carried out whenever an unexpected change is identified, or where expected changes do not occur. The reasons for this should always be determined.

Variance analysis means looking at the differences between expected and actual results then determining the reasons for those differences.

Regression analysis is a quantitative technique to check any underlying correlations between two variables (eg sales of ice cream and the weather).

Trend analysis is used by internal auditors to review changes in an account, or other historical data. One form of trend analysis is the learning curve.

Ratios are useful to determine how well an organisation is performing. They are only meaningful, however, when some form of comparison is made.

Ratio analysis is a useful technique, but it has a number of limitations including the availability of comparable information, the use of historical data, variability between industries, the need for careful interpretation, the risk of manipulation, and the lack of standard form.

Activity ratios, such as the inventory turnover, accounts payable and receivable payment periods and asset turnover, are useful for measuring efficiency.

Profitability ratios involve ROCE, profit margins, ROI and earnings per share.

Debt and gearing (leverage) ratios look at how much an organisation owes in comparison to its size. Is it getting into more and more debt, or improving its situation?

A company needs liquid assets so that it can meet its debts when they fall due. Liquidity is the amount of cash an organisation can obtain quickly in order to settle its debts.

Chapter 6

Embedded audit modules are computer programs that run alongside the software they are monitoring and are permanently resident within the main processing system.

The main advantage of using embedded audit techniques is that potential problems are highlighted as soon as they occur.

The biggest problem with an embedded audit module is that it is difficult to add it to a system once that system is operational.

Generalized audit software (GAS) is designed to assist auditors in reviewing digitally stored information.

GAS can be used to carry out a number of tasks including reading digital files, examining specific records, performing tests of calculations or making independent calculations, analyzing/summarizing/re-sequencing data, testing the effectiveness of controls, and extracting data from electronic records (such as databases).
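The GAS tasks listed above, carried out over a small digital ledger extract. This is an added example and not the text's own material or any GAS product's code: the CSV extract is constructed with deliberate defects, and the approval limit is an assumed control.

```python
"""Generalised-audit-software style checks over a digital ledger extract.

Added example (not from the GCA text, not any GAS product's code): the
CSV extract is constructed, and the approval limit is an assumed control.
"""
import csv
import io

# Constructed purchase-ledger extract with deliberate defects: a wrong
# total (1003), a gap in the sequence (1004), a duplicate number (1005),
# and an invoice over the approval limit with no approver (first 1005).
LEDGER_CSV = """invoice_no,date,vendor,qty,unit_price,total,approver
1001,2024-03-02,Acme,10,25.00,250.00,JS
1002,2024-03-01,Bolt,4,120.00,480.00,
1003,2024-03-05,Acme,3,25.00,80.00,JS
1005,2024-03-04,Crane,1,2500.00,2500.00,
1005,2024-03-04,Crane,1,2500.00,2500.00,MK
1006,2024-03-07,Bolt,12,120.00,1440.00,MK
"""
APPROVAL_LIMIT = 1000.00  # assumed control: invoices above this need an approver


def read_ledger(text):
    """Read the digital file into typed records (the 'reading files' task)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "invoice_no": int(r["invoice_no"]),
            "date": r["date"],
            "vendor": r["vendor"],
            "qty": int(r["qty"]),
            "unit_price": float(r["unit_price"]),
            "total": float(r["total"]),
            "approver": r["approver"].strip(),
        })
    return rows


def recalculation_exceptions(rows):
    """Independent calculation: qty x unit price must equal the stored total."""
    return [r["invoice_no"] for r in rows
            if abs(r["qty"] * r["unit_price"] - r["total"]) > 0.005]


def sequence_exceptions(rows):
    """Gaps and duplicates in the invoice number sequence."""
    numbers = sorted(r["invoice_no"] for r in rows)
    present = set(numbers)
    gaps = [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]
    duplicates = sorted({n for n in numbers if numbers.count(n) > 1})
    return {"gaps": gaps, "duplicates": duplicates}


def control_exceptions(rows, limit=APPROVAL_LIMIT):
    """Test of control: every invoice above the limit carries an approver."""
    return [r["invoice_no"] for r in rows
            if r["total"] > limit and not r["approver"]]


def summarise_by_vendor(rows):
    """Summarise: total spend per vendor."""
    totals = {}
    for r in rows:
        totals[r["vendor"]] = round(totals.get(r["vendor"], 0.0) + r["total"], 2)
    return totals


def resequence_by_date(rows):
    """Re-sequence by posting date (stable sort keeps file order for ties)."""
    return [r["invoice_no"] for r in sorted(rows, key=lambda r: r["date"])]


def run_all(text):
    """Run every check over the extract and return the exceptions found."""
    rows = read_ledger(text)
    return {
        "recalculation": recalculation_exceptions(rows),
        "sequence": sequence_exceptions(rows),
        "control": control_exceptions(rows),
        "by_vendor": summarise_by_vendor(rows),
        "by_date": resequence_by_date(rows),
    }


if __name__ == "__main__":
    for name, result in run_all(LEDGER_CSV).items():
        print(f"{name}: {result}")
```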

Spreadsheets are both useful auditing tools, and business tools that are subject to review by internal audit.

Over time, the data may become corrupted, leading to an ever-compounding trail of errors. Internal auditors should monitor the accuracy of spreadsheets and help the organisation use spreadsheets appropriately.

Automated workpapers are electronic documents created in software templates and stored on servers or mainframes. These documents are transmitted to different computers through electronic networks.

There are a number of advantages to using automated workpapers including cost savings, convenience, efficient communication, document linking, consistency, multimedia and security.

There are also a number of obstacles to overcome in relation to automated workpapers including the need for training, managing the transition process, file deterioration and obsolescence.

Chapter 7

CSA is a useful and efficient approach for managers and internal auditors to collaborate in assessing and evaluating control procedures.

CSA differs from traditional methods of auditing by shifting some of the responsibilities away from the auditors towards others such as work teams set up within the organisation.

Facilitated team workshops attempt to gather information from work teams representing different levels of the business unit. They are facilitated by either the client or an internal auditor.

Facilitated team workshops can be either objective based, risk based, control based or process based.

Questionnaires are a quick and cost effective method of gathering information in a yes/no format.

Questionnaires are appropriate where the people questioned are based in numerous locations or where feedback is required from a large volume of people.

Most other processes used by management groups to produce information about processes, risk and control can be described as management produced analyses.

Internal auditors may use this information, or elements of it, alongside other information obtained in the CSA program of the organisation.

The role of internal audit in CSA can vary from intense to minimal involvement.

Internal auditors should be alert to anything that may affect their objectivity.

As the level of involvement increases, the CAE should monitor the objectivity of the internal audit staff and take any necessary steps to manage that objectivity.

There are many positive outcomes of CSA, including improved knowledge of risks and controls, increased ownership, greater monitoring of controls, easier identification of informal controls, and improved control information which helps with the allocation of audit resources.

There are also a number of negative outcomes of CSA, including the provision of information but not analysis, raised expectations that are not met, angry or humiliated participants, failure to establish a sense of ownership or to involve participants, and failure due to starting the process without sufficient preparation.

Chapter 8

Financial audits carried out by internal auditors focus on the internal controls of the organisation.

The need for auditors to carry out audits such as these has been greatly increased in light of the Sarbanes-Oxley legislation.

Although both external auditors and internal auditors carry out financial audits of an organisation, their purpose and responsibilities differ greatly. Whilst external auditors focus on the organisation's financial statements, internal auditors focus on the organisation's internal controls.

Internal auditors have a crucial role in providing the CEO and CFO with assurance that the relevant controls are in place for them to feel comfortable in the certifications required by Sarbanes-Oxley.

Internal auditors should recommend improvements to policies, procedures and the process for quarterly reporting.

The cycle approach to financial audit engagements ensures each area is reviewed on a regular basis.

The levels of audit risk and materiality affect the work that internal auditors will carry out in relation to specific areas when carrying out a financial audit engagement.

Audit risk is the risk that the auditors may unknowingly fail to modify the opinion on materially misstated financial statements.

When reviewing transactions that will have an impact on the financial statements of the organisation, the internal auditor must gain assurance over the occurrence, completeness, accuracy, cut-off and classification of the transactions.
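The five transaction assertions, tested in code by reconciling sales invoices to a despatch log. This is an added example, not from the GCA text: the shipments, invoices, price list, period and revenue account codes are all constructed, each seeded with one exception so that every assertion produces a finding.

```python
"""Assertion tests over sales transactions: occurrence, completeness,
accuracy, cut-off and classification.

Added example (not from the GCA text): the despatch log, invoices, price
list and account codes are constructed, with one exception per assertion.
"""
from datetime import date

PERIOD_START, PERIOD_END = date(2024, 3, 1), date(2024, 3, 31)
PRICE_LIST = {"WIDGET": 10.0, "GADGET": 25.0}   # assumed price list
REVENUE_ACCOUNTS = {"4000", "4010"}             # assumed revenue codes

SHIPMENTS = [  # constructed despatch log for March
    {"ship_no": "S1", "item": "WIDGET", "qty": 10, "date": date(2024, 3, 3)},
    {"ship_no": "S2", "item": "GADGET", "qty": 2, "date": date(2024, 3, 10)},
    {"ship_no": "S3", "item": "WIDGET", "qty": 5, "date": date(2024, 3, 30)},
    {"ship_no": "S4", "item": "GADGET", "qty": 1, "date": date(2024, 3, 28)},
    {"ship_no": "S5", "item": "WIDGET", "qty": 3, "date": date(2024, 3, 20)},
]
INVOICES = [  # constructed sales invoices; each defect is noted inline
    {"inv": "I1", "ship_no": "S1", "amount": 100.0, "date": date(2024, 3, 4), "account": "4000"},
    {"inv": "I2", "ship_no": "S2", "amount": 45.0, "date": date(2024, 3, 11), "account": "4010"},  # should be 50
    {"inv": "I3", "ship_no": "S3", "amount": 50.0, "date": date(2024, 4, 2), "account": "4000"},   # invoiced in April
    {"inv": "I4", "ship_no": "S9", "amount": 75.0, "date": date(2024, 3, 15), "account": "4000"},  # no despatch
    {"inv": "I5", "ship_no": "S4", "amount": 25.0, "date": date(2024, 3, 29), "account": "6100"},  # expense code
]


def in_period(d):
    """True when a date falls inside the period under audit."""
    return PERIOD_START <= d <= PERIOD_END


def check_assertions(invoices, shipments):
    """Return the exceptions found under each of the five assertions."""
    by_ship = {s["ship_no"]: s for s in shipments}
    invoiced = {i["ship_no"] for i in invoices}
    ex = {"occurrence": [], "completeness": [], "accuracy": [],
          "cut_off": [], "classification": []}
    for inv in invoices:
        ship = by_ship.get(inv["ship_no"])
        if ship is None:
            # Occurrence: an invoice with no despatch behind it.
            ex["occurrence"].append(inv["inv"])
            continue
        # Accuracy: amount must agree to despatched quantity x list price.
        expected = ship["qty"] * PRICE_LIST[ship["item"]]
        if abs(expected - inv["amount"]) > 0.005:
            ex["accuracy"].append(inv["inv"])
        # Cut-off: despatch and invoice must sit in the same period.
        if in_period(ship["date"]) != in_period(inv["date"]):
            ex["cut_off"].append(inv["inv"])
        # Classification: revenue must be posted to a revenue account.
        if inv["account"] not in REVENUE_ACCOUNTS:
            ex["classification"].append(inv["inv"])
    for ship in shipments:
        # Completeness: every despatch in the period must be invoiced.
        if in_period(ship["date"]) and ship["ship_no"] not in invoiced:
            ex["completeness"].append(ship["ship_no"])
    return ex


if __name__ == "__main__":
    for assertion, items in check_assertions(INVOICES, SHIPMENTS).items():
        print(f"{assertion}: {items}")
```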

Internal auditors form an opinion on the effectiveness and adequacy of the organisation's internal controls based on the information gathered throughout the year.

The opinion is communicated by the CAE to the audit committee, who will review the opinion and may include it in their own report to the governing board.

The recommended framework for internal control is COSO's Internal Control – Integrated Framework.

A broad (not limited to accounting controls and financial reporting) definition of control should be included in an assessment of a system of internal control.

The board has to rely on the management of the organisation to maintain effective controls.

Even the most effective internal controls cannot protect against everything that may go wrong. This includes the intentional override of controls by dishonest management.

The CAE is responsible for determining if the plans for the audit are adequate to ensure its success.

The CAE is responsible for allocating the resources needed to perform the audit and should consider financial reporting, corporate governance, and corporate risk control processes as part of this process.

Chapter 9

Physical security controls include those relating to physical security, environmental risks, and fire and flood protection.

Physical security can be enhanced through careful site design.

Access to buildings, areas within the building, or other secure areas can be restricted using a number of measures such as magnetic access cards, code entry systems, and biometric access systems.

Specific controls should be put in place to protect the organisation's buildings and information from damage by fire and loss of power supply.

Controls should be in place to reduce the instances of equipment breakdowns and inaccurate processing.

The internal auditor should review the controls over physical security to ensure that sufficient appropriate controls are in place. They must also carry out observation and testing to make sure the processes are actually being followed in practice.

It is important that the data and information of an organisation are protected in order to guard against access by unauthorised personnel who could damage the data, either intentionally or maliciously, or leak confidential information outside the organisation.

Management is responsible for establishing appropriate and effective controls to protect data.

Internal auditors should make sure they have an up-to-date understanding of all systems in use in the organisation, be able to recommend improvements to systems and controls, and should continuously monitor data security controls.

Data should be carefully backed up, and where possible copies should be held in different locations (ideally off-site) to ensure that nothing is lost.

A careful cataloguing and labelling system should also be used for all data to ensure the data is not lost or mistakenly updated.

Breach of privacy can have serious repercussions for an organisation, such as legal problems, reputation damage and loss of customer trust. It is therefore vital that management establishes suitable controls to ensure privacy is protected.

Privacy audits should be approached by identifying the 'maturity' level of the organisation and helping it to move up to the next level of maturity by identifying significant risks and making recommendations to mitigate those risks.

Internal auditors should work with in-house or external experts to determine which laws are relevant, the exact nature of those laws and their impact on the organisation. Any risks the organisation is exposed to as a result of these laws and regulations should be defined.

Auditor independence may be impaired if they assume any responsibility for developing and implementing a privacy program.

Internal auditors are generally expected to identify the types and appropriateness of information gathered, identify the collection methodology used, and determine if the organisation's use of the information is in accordance with its intended use and relevant laws.

Internal auditors must ensure they have the appropriate in-depth knowledge and capacity for such work and use third party experts where necessary.

Chapter 10

Modern organisations place a vast amount of reliance on their information systems, and so the risk of error, or poor controls within these systems, can have fundamental consequences for the organisation. IS auditors play a crucial role in ensuring that this information systems risk is properly managed.

Auditors should ensure they are aware of changes in the IS environment and make sure adequate change controls are in place.

Internal auditors should ensure adequate contingency plans are in place for the key systems within the organisation.

Hardware is the general term for the physical components of a computer system.

An operating system is the software that runs the computer, for example Windows.

IS systems have a lifecycle running from the request to design through to maintenance. Internal auditors play an important role throughout the process and can add valuable input at each of the stages. Care must be taken, however, to avoid self review further down the line.

IT audits could take place in any department within an organisation.

There are special considerations for when a system is computerised. IT controls comprise general and application controls.

There are a number of types of networks that you should be familiar with: LANs, WANs, VANs and MANs.

Some industries, e.g. airlines, rely on continuous, uninterrupted communications or telecommunications. These systems should be reviewed by internal auditors to assess integrity, security, reliability and performance.

The Internet has revolutionised the way many organisations conduct their business; however, it also exposes the organisation to a number of risks.

E-commerce is now an accepted, and often expected, aspect of modern commercial life. It is defined as 'conducting commercial activities over the Internet'. E-commerce brings with it a number of risks, and e-commerce activities should be reviewed by internal audit.

Security risks related to IT include hackers, viruses and other unauthorised access to systems, data or information.

There are a number of security measures that organisations should put in place to protect their systems and information, including access control, firewalls, antivirus measures and data encryption.

Databases can be either flat (a single large database) or relational (linking several smaller databases).

Very large databases are known as data warehouses. The extraction of information from databases is known as data mining.

Internal auditors must verify that software licensing requirements have been met by the organisation.

Enterprise resource planning (ERP) is an integrated computer-based system designed to consolidate all business operations into a uniform and enterprise-wide system environment.

Implementing ERP often leads to an entire reorganisation of the business, so the internal auditor should be involved from the very start of the implementation process.

Challenges such as increased complexity, end-user acceptance and training are likely to be encountered when implementing ERP.

Chapter 11

Organisations often use contractors and third parties to carry out work. This work, and the contracts, are subject to review by internal audit.

Contract audits may be carried out in order to check the efficiency, the economy, the efficiency of, or compliance with, a particular contract.

Key types of contracts you are likely to encounter are lump sum contracts, cost-plus contracts and unit price contracts. Each has their own particular risks.

To help organisations improve their quality and productivity, auditors need to focus on the organisation's procedures, their sufficiency and the levels of compliance.

Quality audits are carried out to ensure the quality plans in place are sufficient to achieve the level of quality they are aiming to achieve.

Due diligence audits are voluntary (in most cases) reviews to ensure the validity of a substantial transaction. The aim is to determine whether or not that transaction should go ahead.

It is not possible to efficiently and effectively track all parts of an organisation so the focus has to be on those measures that relate to the most important objectives of the organisation. These factors are known as key performance indicators (KPIs)

There are six broad categories of KPIs: quantity, accuracy, cost, timeliness, capital and revenue

KPIs can provide internal auditors with an excellent basis for audits of performance

Operational auditing looks at how well (ie how efficiently and effectively) organisations meet their objectives

Compliance audits review compliance with applicable legislation in specific areas of the organisation.

Standards and procedures should be in place, well communicated and monitored to ensure compliance with laws and regulations.

Environmental compliance audits are carried out by the Environmental Health and Safety team to ensure the organisation is not subject to any fines, penalties or reputational damage due to non-compliance. Internal auditors periodically audit Environmental Health and Safety to ensure its processes and procedures are adequate.

Chapter 12


The nature of consulting services must be defined in the internal audit charter.

The need for consulting engagements can arise in a number of different ways.

Internal auditors are the ideal people to provide training on internal controls.

Internal control training benefits the internal audit activity, as well as those receiving the training, as it can help improve understanding leading to improved co-operation during the audit process.

The five components of the COSO framework are control environment, risk assessment, control activities, information and communication, and monitoring. Training should be provided on all five of these components.

Business process audits measure the efficiency and effectiveness of cross-functional processes. Such audits focus on specific processes, for example ordering, receiving and paying for supplies, throughout the whole organisation.

There are a number of benefits to adopting a business process approach, including increased value of reports to senior management, better understanding of the process, senior management quickly informed of issues, focal point for resolving issues, and increased co-operation due to an alignment of the goals of internal audit and processing staff.

In order for benchmarking to be effective it has to be realistic, measurable, and beneficial to the organisation.

Internal auditors can review the effectiveness of benchmarking.

The basis for benchmarking can be internal, competitive, industry, generic, best-in-class, or process.

Internal auditors can work with clients to develop performance measures as well as review them in an audit.

The balanced scorecard is made up of four perspectives: financial, customer, business process and learning and growth. It aims to give a wider view of the performance of the organisation.

Chapter 13


Fraud is an attempt to gain some benefit through dishonest actions, either through misrepresentation or concealment of the truth. It covers a whole range of irregularities and illegal acts, including ethical violations as well as criminal acts.

Fraud falls into two categories: that which harms the organisation (such as submitting false expense claims) and that which benefits the organisation.

For fraud to occur, three conditions must be in place: opportunity, motive and rationalization.

Auditors must remain alert for the potential of fraud during internal audit engagements.

Internal auditors have a responsibility to notice indicators of fraud, design appropriate steps to address significant risk of fraud, employ audit tests to detect fraud, and determine if any suspected fraud merits investigation.

If management is suspected of being involved in the fraud, the board and audit committee should be involved as well as internal auditors, legal counsel and specialist investigators.

The first step of a fraud investigation is to establish the opportunity, motive and rationalization behind the fraud.

The facts and extent of the fraud are then established and documented.

The final stage includes reviewing the process to identify where controls should be strengthened to avoid future frauds.

Discovery sampling means the sampling of data or documents with the aim of identifying errors or irregularities.
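Discovery sampling is summarised above in one sentence; the following added example (not from the GCA text) shows how the sample size is chosen so that an irregularity rate at or above a tolerable level would almost certainly surface, and runs the check over constructed expense-claim records with a hypothetical approval rule.

```python
"""Discovery sampling, an added illustration (not part of the GCA text).
The sample size is chosen so that, if irregularities exist at or above a
tolerable rate, at least one would almost certainly be drawn; zero findings
then support, at the stated confidence, that the true rate is lower. The
expense-claim records and approval rule are constructed for this example."""
import math
import random


def miss_probability(population: int, irregular: int, n: int) -> float:
    """Hypergeometric probability that n items drawn without replacement
    contain none of the `irregular` items in the population."""
    return math.comb(population - irregular, n) / math.comb(population, n)


def discovery_sample_size(population: int, tolerable_rate: float,
                          confidence: float) -> int:
    """Smallest n such that, if at least ceil(population * tolerable_rate)
    items are irregular, P(sample contains none) <= 1 - confidence."""
    if not 0 < tolerable_rate < 1 or not 0 < confidence < 1:
        raise ValueError("tolerable_rate and confidence must lie in (0, 1)")
    irregular = math.ceil(round(population * tolerable_rate, 9))
    for n in range(1, population + 1):
        if miss_probability(population, irregular, n) <= 1 - confidence:
            return n
    return population


# Constructed expense claims: (claim id, amount, approver). Hypothetical
# control: a claim above 500 must carry an approver, otherwise it is irregular.
CLAIMS = [
    ("C001", 120.00, "m.ali"), ("C002", 640.00, "m.ali"),
    ("C003", 75.50, None), ("C004", 980.00, None),       # C004 irregular
    ("C005", 310.00, "s.khan"), ("C006", 505.00, None),  # C006 irregular
    ("C007", 42.00, "s.khan"), ("C008", 210.00, None),
    ("C009", 700.00, "m.ali"), ("C010", 99.99, "s.khan"),
    ("C011", 450.00, None), ("C012", 560.00, "s.khan"),
]


def is_irregular_claim(claim) -> bool:
    _, amount, approver = claim
    return amount > 500 and approver is None


def inspect_sample(records, n, is_irregular, seed=0):
    """Draw n records without replacement; return the irregular ones found."""
    if not 1 <= n <= len(records):
        raise ValueError("n must be between 1 and the population size")
    return [r for r in random.Random(seed).sample(records, n) if is_irregular(r)]
```

For the twelve constructed claims, a 10% tolerable rate at 90% confidence requires a sample of 8, whereas the with-replacement formula ln(0.1)/ln(0.9) would ask for 22, more than the whole population, which is why the finite-population calculation is used.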

Interviewing and interrogation are not the same thing. They have very different aims and approaches.

Forensic auditing means using auditing skills to gather evidence that may be used in court for a criminal or civil matter. It is a specialist skill that is usually provided by experts.

Forensic auditors need investigation and auditing skills, a strong understanding of the rules and standards of legal proceedings, the ability to identify gaps and organize details into a story that can be convincingly presented in court.

Cyberforensics, or computer forensics, means using computer investigation and analysis to gather digital evidence for use in court.

Chapter 14


Internal auditors are required (as per Performance Standard 2500) to follow up on all internal audit engagements.

An audit can only improve the effectiveness of controls and risk management if the results are implemented by management.

The right of the internal auditors to carry out follow-up activities should be stated in their audit charter.

The CAE determines the nature, extent and timing of follow-up activities based on:

– Significance of recommendation

– Cost and effort of correction

– Impact of failure of corrective action

– Timescale

When planning the monitoring process it is important to do so in terms of who, what, how and when.

The data gathered during the follow-up process should allow the auditor to confirm the status of the recommendations.

Progress against the recommendations should be fully documented.

Where no progress has been made against a recommendation, the auditor should find out why and document the reasons.

Additional follow-up activities should occur until the auditor is satisfied that sufficient progress has been made.

If the management response is considered inadequate, the CAE should first discuss the recommendation and underlying problem with management, escalating where necessary.

If the recommendation relates to a significant risk, the CAE should escalate to senior management, and eventually the board.


Annexure

Internal Auditing General Procedures

Note:

This annexure is for guidance purposes only.

The procedures provided here are not necessarily complete and may not apply to all organisations.

Different organisations use different processes, and hence audit procedures vary from organisation to organisation.


Area: Procurement and Payables

Overall consideration: understand and evaluate the following processes for the risk involved (rating given after each process).

Planning
– Procurement planning: High
– Monitoring of procurement plan and revision: High

Supplier Evaluation and Induction (Import and Export)
– Supplier searching and evaluation: Moderate
– Payment terms: Moderate
– Supplier induction: Moderate

Purchase (import)
– Issuance of purchase requisition: High
– Evaluate proforma invoice and LC opening process: High
– Receipt and inspection of goods: Moderate
– Purchase return / claim: Moderate
– Periodic supplier evaluation: Moderate

Purchase (local)
– Issuance of purchase requisition and ordering: High
– Receipt and inspection of goods: High
– Purchase return / claim: Moderate
– Periodic supplier evaluation: Moderate

Managing Accounts Payable
– Invoice receipt and payment processing: Moderate
– Adjustments: Moderate

Management Reporting by Procurement Department
– Management reporting by Commercial Department: Low


Area: Operations and Inventory Management

Overall consideration: understand and evaluate the following processes for the risk involved (rating given after each process).

Planning
– Production planning and approval: High
– Monitoring and revision: High

Production operations
– Issuance requisitioning and approval: Moderate
– Weighing and quantification and raw material issuance: Moderate
– Production and quality assurance: Moderate

Inventory Management (RM, waste, WIP, stores & finished goods)
– Inventory costing and valuation: Moderate
– Stock level setting and monitoring (factory and warehouses): Moderate
– Waste / scrap management: High
– Rework management: Moderate
– Provisions against damaged, slow moving and expired stocks (if any): Moderate
– Inter-unit transfer of stock: Low

Management Reporting by Production and store / stock department
– Management reporting by production and store / stock department: Low


Area: Fixed Assets Management

Overall consideration: understand and evaluate the following processes for the risk involved (rating given after each process).

Planning and Budgeting
– Planning and budgeting and approval: Moderate
– Monitoring of expenditure against budget and revision (if required): Moderate

Procurement of Fixed Assets
– Requisition, approval and ordering: Moderate
– Receipt and inspection of fixed assets: Moderate
– CWIP management: Moderate

Capitalization
– Capitalization as per policy: Low
– Maintenance of fixed asset register: Moderate
– Fixed assets coding and tagging: Moderate
– Physical verification of assets: Moderate

Fixed asset management
– Depreciation and impairment: Low
– Insurance: Moderate
– Inter-unit movement of assets: Moderate

Disposal / De-recognition
– Authorization and approval: Moderate
– Updating of fixed asset register: Moderate


Area: Sales and Receivable Management

Overall consideration: understand and evaluate the following processes for the risk involved (rating given after each process).

Planning
– Planning and forecasting: High
– Monitoring of sales plan: High

Marketing Activities
– Identification of new customers: Low
– Liaising with prospective customers: Low

Pricing
– Computation of selling price: Moderate
– Comparison of pre-order costing and post-order costing: Moderate
– Approval of discounts (if any): Moderate

Customer Induction
– Evaluation of customer (setting credit period): Low
– Customer / contract creation in ERP: Moderate

Order Processing
– Receipt of order and recording: High
– Billing and invoicing: Moderate
– Monitoring of pending orders: Moderate

Dispatch
– Issuance of goods: High
– Logistic arrangement and planning: Moderate
– Freight and transportation expenses: Moderate
– Monitoring of deliveries (order vs dispatch, dispatch vs output of production, etc.): High

Sales Return
– Receipt and recording of returned goods: High
– Quality assurance follow-up: High

Customer Relations
– Complaint receipt and processing: Moderate
– Liaising with customers: Moderate

Receivable Management
– Process accounts receivable: Moderate
– Manage and process collections: Moderate
– Manage and process adjustments (credit / debit notes): Moderate
– Follow-up of outstanding receivables: Moderate


Area: Accounts and Finance

Overall consideration: understand and evaluate the following processes for the risk involved (rating given after each process).

Planning and Budgeting Process
– Preparation, compilation and approval of budget: High
– Monitoring of variances against budget and reporting thereof: High

Banking Operations
– Processing of receipts: High
– Processing of payments: High

General accounting and reporting
– Manage policies and procedures: High
– Maintenance of chart of accounts and general ledgers: Moderate
– Financial statement closing process: Moderate
– Accounting for taxes: High

Treasury
– Manage cash and fund flows: High

Expenses
– Recording and approval of expenses: Moderate


Area: Human Resource Management

Overall consideration: understand and evaluate the following processes for the risk involved (rating given after each process).

Hiring
– Planning for HR requirements: High
– Create and develop employee requisitions: Moderate
– Recruit candidates: Moderate
– Screen and select candidates: Moderate
– Compliance with HR policies and procedures: High

Develop and Counsel Employees
– Employee performance assessment: High
– Approval of increments, benefits and bonuses: Moderate
– Design of training courses: Low
– Approval of training expenditure: Low

Manage employee information
– Maintenance and updating of personal files: High
– Manage reporting process and job description: High
– Develop and manage time and attendance: Low

Payroll Processing
– Salary and wages calculation and approval: High
– Employee benefit calculation and approval: Moderate
– Advances to employees: Moderate
– Statutory and other deductions: Moderate

Employee Exit and Retirement
– Final settlement process: High
– Handing over and taking over of records, assets etc.: Moderate
– Exit approval: Moderate


Area: Entity Level Controls

Overall consideration: understand and evaluate the following processes for the risk involved (rating given after each process).

Control Environment
– Effectiveness of control environment: Moderate

Risk Assessment
– Management procedures for identification and assessment of risk: High

Monitoring
– Monitoring of controls by management: Moderate