
Identifying Existing Key Controls

A control should address: who does what, when is it done, where is it done, why is it performed and how is it done. Example: Senior Manager (who) reviews (what) bank reconciliations (where) monthly (when), which is signed off as proof of review (how), to validate that two systems (general ledger and bank statement balance) reconcile and variances are timely identified and investigated (why).

For each control identified as KEY:

- Walkthrough one sample of the control ("Show me")
- Obtain evidence where possible:
  - Screen-dumps reflecting authorisations
  - Exception reports signed off as evidence of review
  - Service Level Agreements
- Document walkthrough
- For automated controls, your sample of 1 will be your Control Effectiveness

Effectiveness Testing
What are the most important issues in effectiveness testing?

- Objective of control
- Who performs the control
- Frequency of control
- Sample size and full details of sample selected

Remember:

- Controls should only be tested for effectiveness once they have been assessed for adequacy and found to be adequately designed. If it is apparent that the internal control is inadequate, it should not be tested.
- The number of items tested for automated controls is one, as an automated control should follow the same logic irrespective of the number of times tested.
- Tests of manual controls are based on sampling, and the sample size is based on the frequency of the performance of the control.

Adequacy testing
What are the important issues in control adequacy?

- What sort of control is it? (Preventative / Detective / Corrective)
- Is the control the most efficient control?
- Is the control very time consuming? (automated / manual)
- What is the frequency of the control performed? (daily, monthly)
- What mechanism is used to perform the control? (systems)
- Who is the "owner" of the control? (Segregation of duties)
- Can the control be bypassed? Is it properly segregated?
- Does the control output match its objective? Does it do what it's supposed to do?
- In the case of a financial audit, what financial statement assertion does the control address? (Existence or occurrence / Completeness / Valuation or allocation / Rights and obligations / Presentation and disclosure)

Writing an Audit finding

Guidance

1. Focus on control breaks/weaknesses and not on symptoms
2. Identify the risk/result/effect of control break
3. Give evidence to support finding
4. Note that a symptom is evidential
5. Control should speak to the risk

Identifying reportable issues


- Materiality (Volume, Value & Recurrence)
- Risk Exposure (Threshold)
- Compliance and regulatory implications
- Scope and Audit Objective
- Frequency
- Business policy (Risk appetite)
- Impact on profit
- Impact on Balance Sheet items
- Causes adverse press publicity
- Result in losses through fraud
- Lead to customer complaints / legal action

An audit issue consists of at least four basic elements:


1. Observation
2. Impact
3. Cause
4. Symptoms

OBSERVATION

An observation describes a task or process that:

- Does not exist
- Is not working correctly
- Is not enforced, or
- Is not sustainable, and
- Will not manage risk over time.

An observation is reportable because the business needs to take corrective action to bring the risk to an acceptable tolerance level. Observations describe CONTROL BREAKDOWNS that cause residual risk. Observations are provable over time.

SYMPTOMS

Symptoms are corroborating evidence for observations. They indicate that some control process is not working. Symptoms often describe an event or test result, and change with changing conditions. They are usually written in the past tense.

IMPACT

This puts into context why management should be bothered/concerned, i.e. what could go wrong as a result of the control break.

CAUSE

This is the reason for a control break. Cause creates a control break. Causes change with the nature of the activities.
