A control should address: who does what, when it is done, where it is done, why it is performed and how it is done. Example: a Senior Manager (who) reviews (what) bank reconciliations (where) monthly (when), which is signed off as proof of review (how), to validate that the two systems (general ledger and bank statement balance) reconcile and that variances are identified and investigated in a timely manner (why).
For each control identified as KEY:
- Walk through one sample of the control ("Show me").
- Obtain evidence where possible:
  - Screen-dumps reflecting authorisations
  - Exception reports signed off as evidence of review
  - Service Level Agreements
- Document the walkthrough.
- For automated controls, your sample of 1 will be your Control Effectiveness
Effectiveness Testing
What are the most important issues in effectiveness testing?
- Objective of control
- Who performs the control
- Frequency of control
- Sample size and full details of sample selected

Remember:
- Controls should only be tested for effectiveness once they have been assessed for adequacy and found to be adequately designed. If it is apparent that the internal control is inadequate, it should not be tested.
- The number of items tested for automated controls is one, as an automated control should follow the same logic irrespective of the number of times tested.
- Tests of manual controls are based on sampling, and the sample size is based on the frequency of the performance of the control.
Adequacy testing
What are the important issues in control adequacy?
- What sort of control is it? (Preventative / Detective / Corrective)
- Is the control the most efficient control?
- Is the control very time consuming? (automated / manual)
- What is the frequency of the control performed? (daily, monthly)
- What mechanism is used to perform the control? (systems)
- Who is the "owner" of the control? (Segregation of duties)
- Can the control be bypassed? Is it properly segregated?
- Does the control output match its objective? Does it do what it's supposed to do?
- In the case of a financial audit, what financial statement assertion does the control address? (Existence or occurrence / Completeness / Valuation or allocation / Rights and obligations / Presentation and disclosure)
Writing an Audit finding

Guidance
1. Focus on control breaks/weaknesses and not on symptoms
2. Identify the risk/result/effect of control break
3. Give evidence to support finding
An observation is reportable because the business needs to take corrective action to bring the risk to an acceptable tolerance level. Observations describe CONTROL BREAKDOWNS that cause residual risk. Observations are provable over time.

SYMPTOMS
Symptoms are corroborating evidence for observations. They indicate that some control process is not working. Symptoms often describe an event or test result, and change with changing conditions. They are usually written in the past tense.

IMPACT
This puts into context why management should be bothered/concerned, i.e. what could go wrong as a result of the control break.

CAUSE
This is the reason for a control break. A cause creates a control break. Causes change with the nature of the activities.