Operational Auditing--Spring 2010 1
Operational Auditing
Spring 2010
Professor Bill O’Brien
Frameworks
- Internal control
  - IC-Integrated Framework (COSO)
  - Guidance on Controls (CoCo)
  - Internal Control Guidance (Turnbull)
- Enterprise risk management
  - Australian/New Zealand Std. Risk Mgt.
  - ERM-Integrated Framework (COSO)
COSO
- Committee of Sponsoring Organizations
  - AICPA, IIA, IMA, FEI, AAA
- Treadway Commission
- 1992 I/C; 2004 ERM
- Control Objectives
  - Compliance with laws and regulations
  - Reliability of financial reporting
  - Effectiveness & efficiency of operations
Components of I/C
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
Threats to Control
- Management override
- Open access to assets
- Form over substance approach
- Conflict of interest
Balancing Risk and Control
- Too much risk
  - Loss of assets
  - Poor decision making
  - Potential non-compliance
  - Potential for fraud
- Too much control
  - Increased bureaucracy
  - Excess costs
  - Excess cycle-time
  - Increase in non-value added effort
Control Activities
- Segregation of duties
- Performance reviews
- Approvals
- IT access
- Documentation
- Physical access
- IT applications
- Independent verifications & reconciliations
IIA and Control
IIA control objectives: S-C-O-R-E
- Safeguarding of assets
- Compliance with laws and regulations
- Objective and goal achievement
- Reliability & integrity of information
- Economical & efficient use of assets
Control Self Assessment (CSA)
- Methodology
- Review and Identification
  - Key business objectives
  - Related risks
  - Mitigating controls
CSA-History
- Introduced by Gulf Canada in 1987
- Gulf used facilitated meetings
Facilitated Meetings
- Management and staff participate through interviews and polling
  - Objectives
  - Risks
  - Processes
  - Soft and/or informal controls
General Methodology
- Shared process
- Assessment of internal controls
- Evaluation of risks
- Development of action plans
- Assess the likelihood of achieving objectives
- SJSU simulation
General Approaches
- Facilitated meetings--group workshops
- Questionnaires--yes/no answers
- Management analysis--self studies
Uses
- Self analysis for risk*
- Selection of audit areas*
- Internal control review*
- Special projects
- Soft control analysis
* alternatives to the traditional approach to the I/A process
Benefits
- Increases I/A scope
- Target review of high risk areas
- Increases the effectiveness of corrective action
- Builds team-oriented relationships
Engagement Process
- Planning:
  - Selecting the BPO
  - Pre-site planning
- Performing:
  - Conducting the preliminary survey
  - Review internal controls
  - Expanding tests as necessary
  - Generating findings
- Communicating:
  - Reporting the results
  - Conducting follow-up
  - Assessing the process
Audit Evidence
- Healthy skepticism
- Attributes
  - Relevant: consistent with objectives
  - Reliable: credible
  - Sufficient: convincing
Generalized Audit Software (GAS)
- Two most popular applications
  - ACL (ACL)
  - IDEA (CaseWare)
- Typical uses
  - File examination
  - Recalculations
  - Sample selection
  - File comparison
  - Reformatting
  - Pivot tables
  - Benford’s Law analysis
  - Reporting
  - Data analysis log
GAS, continued
- Benefits
  - Minimizes customization
  - Independent of company IT
  - Efficient
  - Facilitates 100% testing
  - Frees BPP for analytical work
- Obstacles
  - Data access
  - Physical access
  - Format knowledge
  - Downloading issues to BPP’s computer
  - Importing data in usable format
Workpaper Usage
- Planning and execution
- Supervision and review
- Objective tracking
- Conclusion support
- Supports quality assurance
- Professional development
- IIA standards’ compliance
Workpaper Guidelines
- Cross-referencing system
- Consistent layouts
- Standardized symbols or “tick marks”
- Standardization for permanent files
- Unique indexing
- Description of purpose
- Initialed by preparer and reviewer
- Source of information indicated
- Clear explanations of symbols
- Legibly written and easy to understand
- Must stand alone
- Must relate to the engagement objectives
Sample Work Paper
[Figure: sample work paper layout with labeled areas for Heading, Ref., Review, T/M Legend, Source, Purpose, and Conclusions]