© OECD. A joint initiative of the OECD and the European Union, principally financed by the EU

Tirana, 10-12 September 2014

Workshop System Based Auditing

Steps of System Based Audit approach

Presentation 6, Steps of system based auditing, Workshop on System-based auditing, Tirana, 10-12 Sept 2014_ENG


6.1 Steps of SBA?

Steps of the system audit

• Understanding the business

• Evaluating Internal control system

• Testing Internal control system

6.2 Activities for SBA engagement

• Understand the entity/process

• Identify the risks

• Identify the controls

• Perform compliance tests

• Assess the residual risk

• Document the results

6.3 Understand the process

Objectives

identify process objectives

Activities

identify activities that are relevant to the identified process objectives

Description

document the process in brief description (flowchart)

6.4 Identify risks

Risks threaten the achievement of the identified process objectives.

Two elements for classification:

1. Impact

2. Likelihood

6.5 Risk classification

| Likelihood \ Impact | LOW | MEDIUM | HIGH |
|---|---|---|---|
| HIGH | Medium | High | High |
| MEDIUM | Low | Medium | High |
| LOW | Low | Low | Medium |

6.6 How to identify risks?

Two steps

• identify the points within the flow of transactions where data is initiated, transferred, or changed

• identify “what can go wrong” in achieving the management assertions

6.7 What are management assertions?

An assertion is a representation, explicit or implicit, that is embodied in the activities, financial transactions and information pertaining to the audited entity, used by the auditor in considering different types of potential deviations. In the context of compliance audit, the compliance assertion would mean that the entity, including responsible public sector officials, is acting in accordance with applicable authorities (criteria). Assertions may be embodied in subject matter information presented by the audited entity or stated explicitly in a management representation letter.

6.8 Management Assertions

Transaction-related:

Occurrence

Completeness

Accuracy

Timing

Classification

Regularity

Balance-related:

Existence

Completeness

Rights and obligations

Disclosure

Valuation and allocation

6.9 Criteria ISSAI 4100 Chapter 6

The criteria, or the benchmarks against which the subject matter will be compared, must also be identified. In performing compliance audits, the identification of the criteria is an essential step in the audit planning process.

6.10 Examples of criteria ISSAI 4100 Chapter 6

a) Relevant b) Reliable c) Complete d) Objective e) Understandable f) Comparable g) Acceptable h) Available

6.11 Identify controls

Definition

Controls are all actions undertaken to mitigate risks

Technique

Interviews

Document analysis

6.12 Types of control

• Organizational

• Segregation of duties

• Physical

• Authorisation and approval

• Arithmetical and accounting

• Personnel

• Supervision

• Management

6.13 Test of controls

Test of controls is an audit procedure designed to evaluate the operating effectiveness of controls in preventing, detecting and correcting material misstatements at the management assertion level.

6.14 Test of control: how?

• Interview: use of questionnaires

• Walk-through tests

• Direct observations

• Reperformance

6.15 Test of control: when?

• Throughout the audit period: every month, periods of absence of key staff

• All types of transaction processes through the system: high volume, low value transactions, unusual transactions, re-processed rejected transactions

• Negative and positive evidence

6.16 After test of control: residual risk

The risk to the process that remains after the controls

(Diagram: RISK, CONTROLS, RESIDUAL RISK)

6.17 Residual risk rating

| Controls \ Risk | HIGH | MEDIUM | LOW |
|---|---|---|---|
| HIGH | Low | Low | Low |
| MEDIUM | Medium | Low | Low |
| LOW | High | Medium | Low |

6.18 Evaluation of internal control

• Excellent: all major risks addressed and controls likely to be effective

• Good: most major risks addressed and/or controls likely to be generally effective

• Fair: control system seems generally reasonable, but danger of some control failures

• Poor: risk not addressed and/or control failures likely

6.19 Document the results

1. Description of the process

2. Compliance test of process

3. System Analysis Document with references to 1 and 2

(Working paper is available)

QUESTIONS?
