CHAPTER

Directing and Performing

Internal Audits
Planning, Preliminary Survey,
work Papers, and Reporting.
The Beginning of an Internal Audit Process

1. Get off the seat.

2. Visit the department, factory, facility, warehouse that make the
organization.
3. Observe, talk to people, interview them.
4. Do the work at the location.
5. Verify internal controls.
6. Part of what was discussed already risk assessment must be
revisited at this time.
What are some of the steps involved during
an actual internal audit process?

Field visit
Interviews of personnel
Preliminary survey of systems, people, and
documents.
Documenting the system.
Work paper documentation and
Control evaluations.

Please give your views on these questions.

 The Audit Planning Stage

Dont go to the field if you have no idea what you want

to do there.
You are not going for sight seeing.
Determine whether the audit is a routine audit or a
special audit.
Do your work plan the audit project accordingly.
Remember: No two audit assignments are identical and
would require planning every time.
 Determining the Audit Objectives

How do you know what the audit objectives

are?
It is directed by specific requests from senior
management.
What does management expect from the audit?
What types of coverage and findings are expected?
A few of the objectives are routine general
objectives (internal control evaluations, risk
identification).

Remember: the ultimate responsibility for determining whether audit objectives

were met resides with the Chief Audit Executive. As head of the audit group,
it is the CAEs role to ensure that internal auditors functioned as they should.
 Accomplishing Audit Objectives
The Issues

Types of Managerial Assistance

Level of Managerial Assistance
Degree of independence
Resource availability

Types of Managerial Assistance: Will they be limited to evaluating compliance

with rules, procedures, and policies? Should it also include specific
recommendations on improving the rules, procedures, and policies? Should such
recommendation be a routine evaluation of existing policies, procedures, and
controls or should it also be a through reappraisal of the underlying policies and
procedures?

Level of Managerial assistance: What is the scope or the extent to which internal
auditors recommendations go? In other words, should the review by limited to
field levels, middle manager levels or even senior levels of the management with
implications for stockholders.

Degree of independence: What is the extent of facility and freedom the auditor
will be provided? That is, how much authority and support will be given to the
internal auditor by the senior managers and how independent will the auditors be?

Resource availability: What extent are these available to the internal auditor and
to what extent the management is willing to provide such resources for the internal
auditor to accomplish the audit objectives?
 Audit Planning Staffing Issues

Auditing requires qualified and skilled

internal auditors. Special audits (e.g.
fraud detection) require specific skills
and knowledge.
Do we have auditors with investigative skills
and knowledge of the law?
Do we have auditors with technological
skills?
Do we have auditors with analytical skills?
 Audit Planning the Preliminary Survey

Auditors must have sufficient understanding of

the organization and the areas that they intend
to audit.
A Preliminary survey helps in gathering
background data, materials, and information about
the various segments of interest.
The auditor in charge of the specific audit must
undertake such a survey.
An additional source of information is prior year
audit work papers, reports, and audit files.

For example, during a preliminary survey of the firms records and documents, an
auditor may notice that there are several invoices missing related to A/Receivable
or vouchers related to Accounts payable need changes or adjustme nt because more
than one voucher was paid. What should the auditor do at this stage? The auditor
should not jump to conclusions at this stage. The preliminary survey, however,
points to the auditor for additional testing to find out whether these errors or
inconsistencies took place because of lack of adequate controls and what
additional tests must the auditor take to further examine the errors and
inconsistencies so that the auditor can report the issue, if needed, to the
appropriate authorities.
 Audit Planning Gaining Preliminary
understanding
Review of Prior year work papers
Review of Prior Audit Reports
Study the organizational structure, authority
and responsibility designations.
Obtain a copy of the budget and forecast
documents.
Other materials audits planned, in progress
(e.g. outside CPA). Internal reviews by
supervisors. Even industry reports, articles
related to the firm and its industry-types.

Review of Prior year work papers: Will tell you what the issues were in prior
years, how much time it took to audit the segment, who the personnel involved
were, what their duties and assigned responsibilities were, what problems were
identified during the audit; what sampling and what analytical procedures were
used and how effective they were; any other comments of interest may aid the
current years audit.

Review of prior audit reports should not be restricted only to the segment under
audit but also must be extended to other units within the organization. This might
highlight problem areas not only in the unit under audit but also other units; it
might also highlight issues that are more prominent in the unit under audit
compared to other units. Either way, it provides useful information to the internal
auditor. When you read the prior year audit reports, read the recommendations
that were made to the management, what corrective actions were taken, what is
the current situation, etc.

Organizational structure: This document not only points to the authority and
responsibility designations but also who does what and who should not be doing
what. It is a control mechanism. Additionally, it also provides you with
information on who should be contacted to identify a problem, who should be
contacted to remedy an issue as well.
 Start the Audit
Unless it is a surprise audit, inform the auditee
that an audit is about to begin.
Do it orally followed by an engagement letter in
writing.
Address the letter to the manager of the unit.
Explain the purpose of the audit and the areas
that will be covered.
Expected start date and audit duration.
Who will be performing the audit.
As for items needed for the audit reports,
office space, computer, network access, etc.
 The Field Work

Begins after the audit has been scheduled

and management has been informed
through an engagement letter.
Field work might be done at the Head
Office itself or in some remote site or
both.
First step in a field work is doing a field
survey.
 Field Survey

Requires that auditors familiarize

themselves with the unit to be audited. A
field survey will help the auditors in:
The unit to be audited.
The computing and other systems
operational at this unit.
The controls existing at this unit and system,
and
The Personnel who work at this unit and
their assigned roles and responsibilities.

Many of the items covered earlier in the preliminary survey.

 During the field survey

Read the organizational charts.

Authority and responsibility roles of
personnel.
Operating manuals
Reports, minutes of BOD
Observe actual events, work, and
operations.
Interview, discuss with key employees
and personnel.
 Flow charting and
Flow chart symbols
These are items that you would have
learnt in your accounting 4310 course. I
expect you to remember them.
They are important and I do expect you
to be very familiar with flow charts ad
flow chart symbols.
 Documenting the field survey

It is very important for the auditors to

document the information learnt from
the field survey because:
It provides an understanding of the unit and
the systems within it.
The controls that exist and
Weaknesses within this control and that
could lead the auditor to
Adjust the scope and audit approach.

The field survey is part of the preliminary investigation. It is at this time that the
auditor finds good controls and weaknesses in certain controls. Both must be
documented. But, if the auditor finds control weaknesses and if some of the
weaknesses are not mitigated by other good controls, then the auditor must decide
whether to expand audit work and if so, in what areas and in what ways. These
must be done before preparing the final communication to the management and
audit committees.
 The Audit Program

An audit program is somewhat similar to a

computer program.
It goes through a set of pre-determined and
pre-tested audit steps.
Audit program helps with planning and
keeping the audit work within boundaries and
in controlling the work.
However, please note that one size does not fit
all and the audit program must be tailored to
suit specific units, types of audits, and
situations.

The advantages of an audit program are:

1. It guides and points to the areas that must be audited and where greater
emphasis would be needed.
2. It helps both senior and inexperienced auditors in performing the audit and
learning from it.
3. Since most efficient IA departments will update the audit program as new
lessons are learnt or new experiences are gained, it will be a very useful
audit tool.

See figure 10.11 and 10.12 and 10.13 in your text book.

Remember: audit programs are somewhat standardized. Auditors follow a

kind of a routine on certain areas. At the same time, as the slide points out,
one size does not fit all. Standardized audit programs are OK as long as
the organizational controls are stable and there has not been drastic change
since the last year in controls or operations or even management. If the
operating environment goes through significant change or there had been
major shifts in control procedures or there are other complex situations that
have arisen since the last audit, the auditor must tailor the audit program to
suit these changing circumstances. Simply reusing prior year audit
programs or some sort of standard format would be inadequate.\

Particularly when it comes to evaluating and testing of internal controls, they

must be tailored to suit individual operations. Simply testing every third
 The Audit Program

As the previous slide states, audit

program are tailored to audit situations.
The most essential item for developing an
audit program are the objectives of the
clients operation for which an audit is
being conducted.
All the rest must be planned and
programmed depending on these
objectives.

All the rest must be planned and programmed depending on these objectives. For
example, auditors cannot use a preset list of controls to test or a preset audit steps
or audit methodology to be followed. These are to be determined as the audit is
taking place and would be influenced by what is being audited and the objectives
behind the audit.
 Collecting Audit Evidence

1. Collecting audit evidence is not always

easy.
Personnel may be busy or uncooperative.
Files or data might have been misplaced or
lost.
Regardless of the scenario, auditors
must document the event, what they
found and what they could not find.

Collecting audit evidence is not always easy. Why? Because personnel may
be too busy and may not give sufficient time or provide support documents
and records. This may arise due to two reasons: 1. the personnel are busy
or 2. they are just not interested in cooperating with the auditors. In either
case, the auditor should take appropriate actions from urging personnel to
cooperate to reporting the delay to the supervisors.

Files or data might have been misplaced or lost. In this case, the
auditor must evaluate alternative course of action. Revise the audit
procedures, increase sampling or reconstruct data from other
records. In the worst case scenario, auditors must report that they
could not find the data or reconstruct it and therefore, were unable
to express an opinion on these data and connected records.
 Collecting Audit Evidence

2. Some of the work may require technical

assistance (e.g. computer databases,
networks, or other complex systems).
1. Auditor should have anticipated this problem
during the field work or preliminary assessment
stage and requested for help.
2. Some of these technical work could be handled by
one or more auditors (e.g. an EDP specialist) and
some may require internal or external technical
assistance.

For example, when an auditor is examining accounts receivable or uncollectible

receivables or write-offs, amounts from actual accounts and books and amounts
written off by the organization are more useful than, say, forecasts of future A/R
or write-offs. Forecasts, statistics, and other projections, even if they are from
third-party reliable sources are less relevant under these circumstances.
 Audit Evidence
Competence and Quality
Audit evidence comes in many forms and
some are more reliable than others.
Always an evidence from an external
source is likely to be more reliable than
an internally-generated evidence.
The evidence should be free of error and
should be unbiased and faithfully
represent what it purports to represent.

Example: If you want to examine unrecorded accounts payable liabilities, what

are some of the sources that you can use to verify the unrecorded liabilities?

You can Examine cash disbursements for accounts payable made

after the end of the accounting period and match them with supporting
documentation. This will show that, on the date of the accounting period,
these items must have been shown as recorded liabilities.

You can send confirmations to accounts payable vendors who sold

the firm merchandise to the firm and ask them to send confirmation that they have
no outstanding amount to be paid by the firm.

You can trace the receiving reports issued before the period end to
the related vendor invoices and accounts payable listing.

Note: However, since we are talking about outstanding liabilities,

you must compare balance reported in end of the period accounts to payments
after the period (payments made before the period would not serve the
purpose).

How would you rank the evidence from each of these actions
which would be most reliable and which, least?
 Audit Evidence
Competence and Quality
Audited evidence is more reliable than
un-audited evidence.
The evidence should be such that a
prudent person who looks at the same
evidence is likely to reach similar
conclusions.
Forecasts and projections are less reliable
than actual results and data.
Primary evidence is more reliable than
secondary evidence.
 Using Computers during evidence collection
CAAT Computer Assisted Audit
Techniques

Could be a generalized or specialized

computer program.
It is under the control of the auditors and
Is useful to test, observe, and analyze
computer files and to collect audit
evidence.

CAAT is particularly suited for large transaction volume environments. In such

environments where many of the data and files are stored electronically and where
transactions are generated and processed within the computing system, CAAT is an
essential audit tool. CAAT is very useful for auditors to read and analyze financial
data on large computer files.

Read the Equity funding case.

 CAAT functions

Auditing an Accounts Receivable file

Auditing an Accounts Payable file
Verifying Internal Controls
Produce exception reports
Error monitoring
Test of controls
 Some of the audit procedures
well-suited for CAAT
A received from other audit Examining
records that meet auditor criteria
Test of calculations and computations
Compare data from more than one file
Selecting and printing audit samples
Summarize data, perform analyses
Comparing data generated by other audit
procedures with computer system files.
 Types of CAAT tools

Generalized audit software

Micro-computer based audit tools
Test Data or Test Deck Methodology
Expert Systems and Neural Networks
Embedded Audit Modules and
Procedures
 Items to remember about
CAAT
IAs can use both test and real
transactions to test the system.
IA can use transactions with errors and
inconsistencies.
Both transactions and application
programs can be tested using CAAT.
It can test pgoram logic.
 Reporting audit findings
When auditors find that a unit or group that
was reviewed is not in compliance with
management policies and procedures or is
violating other rules, it must:
First be reviewed with management during audit,
sometimes several times during an audit.
Minor transgressions or violations can be corrected
even before the final report is issued.
Serious issues must be documented and reported to
management for followup.
 Nature of Audit Findings
Audit findings vary in content and seriousness.
For example:
Actions that should have been taken, but were not,
such as shipments made but not billed.
Restricted actions, such as an employee making use
of company car for his own personal use.
Improper actions, such as entering into contract for
high rates on inventory purchases, while lower
contracts are available.
Risky actions borrowing at high rates of interest.

Some times auditors will across evidence or findings that point to improper
actions, violation of management policy or even fraud. Under these conditions,
what should an auditor do? If the evidence is substantive, the auditor must inform
senior managers of the findings and depending on the materiality of the event
(fraud should be reported regardless of the amount involved), must also report to
the audit committee of the findings and ask them to conduct further investigation
of the matter. This is in accordance with both auditing standards of due care and
diligence and proper audit procedures.

For example, let us say, an auditor uncovers a plan to make fictitious purchases of
inventory (ordered and paid but inventory never received). The auditor has
substantial evidence that one or more of the employees are even managers are
involved in these activities. The auditor should not wait until a definitive case is
made but must right away inform senior management and the audit committee of
the findings and discuss possible further investigation.

Remember: A certain level of caution on the part of the auditor is must during
investigation of fraud. The auditor should not jump to conclusions as there are
preliminary indicators of fraud. The auditor must expand audit procedures and
evidence collection to determine whether the possibility of fraud exists and
whether it requires further investigation. Only after this stage, the auditor must
consider whether to speak to a legal counsel and ask for advise on the legal
consequences and once there is substantive evidence of fraud, report to senior
managers and audit committee.
 Audit suggestions

Not all audit findings relate to

shortcomings or deficiencies.
Certain transactions or conditions may
not be intrinsically wrong, but could be
improved.

Paying for products that were never received is wrong and improper. If the
amounts are material, it would be a violation that must be reported in an audit
finding. However, a receiving memo document to account for inve ntories
received may need simplification. This is not a defect but a suggestion for
improvement particularly when the internal auditor cannot find any errors in
the processing of inventory receipts. Items such as this may be reported by an
auditor under a separate classification Suggestions for Improve ment.

In distinguishing audit findings from suggestions for improvement, the auditor

must ask whether the condition is contrary to some acceptable criteria, or if it
is acceptable but capable of being improved because new knowledge about the
subject has come to light.
 Reportable Audit Findings

Not all defects and digressions are

reported by auditor. Some are minor
and not worthy of managements
attention. Reportable findings should be:
Significant errors or deviations.
Documented by facts and by sufficient,
competent, and relevant evidence.
Serious and convincing enough to be
reported.

These are attributes that would be interpreted subjectively. What is significant

for one may not be significant for another. The test is 1) will a prudent
person consider the item serious and significant? 2) Would managers consider
this a serious issue warranting their attention?
 Minor findings and Major findings

What is minor or major condition

depends on the context, environment, and
circumstances.
A clerical error is normally a minor
condition. However, when viewed in the
context of other conditions, the same
clerical error may sometimes become a
major concern.
 Reporting audit findings

Some of the steps an auditor must take to

report audit findings are:
First be reviewed with management during
audit, sometimes several times during an
audit.
Minor transgressions or violations can be
corrected even before the final report is
issued.
Serious issues must be documented and
reported to management for follow up.

For example, what happens if the auditor finds that serious issues that he reported
last year are yet to be corrected?

Should he abandon further audit? Go back and audit the prior year
items again? Or, schedule audit within a few months or a year to redo the audit
just completed?

Assuming the issues are serious, the above questions are less
relevant. What is immediately relevant and important is to seek an interview with
the audit committee or Board of directors and ask them to urge management
to take corrective action or initiate other corrective steps.
 Exit Conference with Managers after
Audit Completion
Auditors generally hold an exit
conference with senior managers (and
audit committee) when:
They will discuss some of the important
engagement observations and
Make recommendations on how to deal with
some of these concerns.

However, the purpose of the exit conference is to resolve conflicts if any and is it
to ask discuss with managers some of the engagement observations and
recommendations and identify managements actions and responses to the
engagement recommendations.

The exit conference is also useful to the auditors in the sense that, managers may
throw more light on some of the issues and this might even lead the auditors to
rewrite some of the recommendations based on newer facts and evidence.
 Why should audit report be in writing?

It is a record of the observations made by

the auditors and the recommendations
they are making to managers for action.
Before they submit a written report,
auditors must provide managers:
An opportunity to respond
Document corrective actions taken by
managers.

External auditors do not rely on audit reports as the formal means to assess
internal audit activity. They rely more on auditors workpapers.
 Make Recommendations through the
Audit Report
Auditors must include recommendations
in the audit report in order to:
Provide management with options for
addressing the issues raised in the audit
report.

However, auditors should not expect the management to resolve the problems only
in accordance with auditor recommendations nor should the auditor expect the
managers to implement audit recommendations regardless of the cost. The
managers are better judges of company strategy, cost, and other implications and
the auditor is not an expert of all issues.
 Internal Audit
Work Papers

Work papers document the audit. They are

records of information obtained and the
analyses made during the audit process. work
papers are prepared from the time the
auditors first launch their assignment until
they review corrective action and close the
audit project.

The work papers are very important because they document what the auditors did
during the audit process, what procedures they followed, and what information
they obtained, and why they reached certain conclusions about certain documents.
Work Papers What do they include

They include:
The various schedules
Analyses
Memoranda prepared during the audit
process
Copies of documents obtained from
employees, managers, and even from
external sources.
 Work Papers What do they include

They include:
Control questionnaires, flow charts, checklists.
Notes of interviews.
Organizational charts, objectives, policy documents,
job descriptions.
Copies of important contracts, agreements.
Tests and analyses of transactions.
Summaries within the work papers
Results of analytical review procedures.
Audit correspondence and other facts and
supporting evidence.

The summaries are useful to cull important information from several work papers
into a convenient and usefully readable format. Remember: the summaries are
not a mandatory requirement as per auditing standards and nor is it required as
part of every audit assignment or because they are audit evidence. The summaries
are primarily a concise document that can bring several items together in a simpler
form; that is all.
 Work papers document
The following:
Plan of the audit, including the audit program
Examination and evaluation of the adequacy
and effectiveness of internal controls
Audit procedures followed, information
obtained, and the conclusions reached.
Supervisory reviews.
Audit reports.
Follow up or corrective action taken.
 Why should internal auditors
prepare work papers?
To provide support for audit reports.
It facilitates the IA in transferring the
findings to the final audit report.
To keep the field work relevant and
direct the audit in the right direction.
Record information obtained from
observation, questionnaire, and
interviews of personnel.
 Why should internal auditors
prepare work papers?
To record the evidence as a basis for
determining the existence and extent of
deficient conditions.
Lend support for discussions with
operating personnel.
Offer a basis for supervisory review of
audit progress and accomplishments.
Prove legal support (e.g. fraud, insurance
claims).
 Work paper document organization and
Tick Marks
Please read the parts on work paper
document organization and
Tick Marks on your own.
They are self-explanatory.
 Supervisory Review of
Work Papers
Audit work papers are subject to review by
audit supervisors.
The purpose of the review is to:
Ensure that audit program was followed and
specific instructions to the auditors were followed.
Papers were accurate and reliable evidence of
adequate work performed.
Conclusions reached were reasonable
Reviews with clients were carried out.
Audit standards on work papers were followed.

Supervisory review of workpapers: As stated earlier, workpaper summaries are

useful to cull important information from several work papers into a convenient
and usefully readable format. Remember: the summaries are not a mandatory
requirement as per auditing standards and nor is it required as part of every audit
assignment or because they are audit evidence. The summaries are primarily a
concise document that can bring several items together in a simpler form; that is
all. Workpaper summaries can be used by internal auditor supervisors to review
the audit work by other internal auditors.

Some times, auditors come across investigations of fraud or suspected instances of

improper activities. How should these events be documented in a working paper
maintained by the auditors. If the auditor obtains evidence in the form of
documents, interviews, or other items, pointing to fraud or improper actions, the
auditor must include those items in the workpapers. Similarly, all evidence that
are of testimonial nature, interviews, interrogations, observations by others that
support an accusation of fraud or impropriety must be included in the workpapers.
Interview with the individual suspected of engaging in improper activities must
also be included in the workpapers.
 Control over work Papers

work papers are the property of auditors and

should be kept under their control.
Access is restricted to authorized personnel
only.
Access to audit work papers and reports may
be allowed to external auditors and to people
within the organization other than the clients.
Greater control would be required over
electronic work paper and they must be
changed only by the auditor who created them.
 What are Analytical Procedures

And

What are Substantive Tests?

Example 1: In an organization, shipments are made from the warehouse based on customer
purchase orders. The matched shipping documents and purchase orders are then forwarded to
the billing department for sales invoice preparation. The warehouse department documents
stating that goods were shipped are serially numbered. The auditor matches the customer
invoice with purchase orders and shipping documents from the warehouse. Is this substantive
test or an analytical procedure?

Suppose if some of the shipping documents (warehouse documents) are missing, how would the
auditor find out whether goods were shipped? What documents would the auditor trace them
from or to?
Select bills of lading from the warehouse and trace the shipments to the related sales invoices.

Example 2: Suppose an auditor is examining a contract entered by an organization for a cost plus
contract. What are some of the important items, an auditor must review as part of substantive
testing?
1. Costs of the contract and the clauses within the contract to review the costs and if
necessary, audit the contractor.
2. The auditor may also review items such as completion date and lowest bidder but
these are less important than the ability to ascertain the costs of the
contract and the terms that allow for verification of the costs.
Example 3: An auditor computes depreciation expenses of last year and for this year and compares
the two numbers to find significant changes between the two. Is this a substantive test or an
analytical procedure?