Inherent Risk – risk of not achieving objectives

Inherent Risk – risk of not achieving objectives
[Diagram labels: Risk, Inherent risk, Objective, Process]
Inherent risk – before the assessment of any controls
3/12/2021

Risk & recommendations
[Chart axes: Impact, Likelihood]
Effect – reasons for a high impact focus:
• Audit objectives
• Fieldwork
• Recommendations
Root cause – reasons for high likelihood focus:
• Audit objectives
• Fieldwork
• Recommendations

Different impacts
• Financial
• Service delivery
• Political
• Legal
• Environmental
• Human resources

Risk index
risk index = severity × likelihood

likelihood
    5 |  5  10  15  20  25
    4 |  4   8  12  16  20
    3 |  3   6   9  12  15
    2 |  2   4   6   8  10
    1 |  1   2   3   4   5
      +--------------------
         1   2   3   4   5   severity

Risk management strategy
[Figure: the risk index matrix (values 1 to 25) with two regions labelled "unacceptable risks" and "acceptable risks"]

Control to minimize risks
[Diagram labels: Risk, Inherent risk, Objective, Residual risk, Process, Control]
Residual risk – after the assessment of any controls

COSO – all five components must be present and functioning before a control system can be effective
Components:
• Control environment
• Risk assessment
• Info and communication
• Control activity - prevention
• Monitoring activities - detection
Each component is shown against the same four objectives:
• Safeguard assets
• Compliance with laws, regulations, contracts
• Reliability and integrity of information
• Economy, effectiveness and efficiency

Internal control - SCARE
• Safeguarding of assets
• Compliance with laws, regulations and contracts
• Accomplishment of objectives
• Reliability and integrity of information
• Economy, efficiency and effectiveness

Safeguarding of assets
• Physical safeguards
• Access control
• Segregation of duties

Systems to ensure compliance
• Laws and regulations
• Policies and procedures
• Contractual obligations

Accomplishment of objectives
• Strategic plans
• Operational plans
• Key measurable objectives
• Key measurable indicators
• Management information
• Exception reporting

Reliability and integrity of information
• Validity - authorization
• Accuracy - 100% accurate
• Completeness - all
• Timely – real time now

3 x E’s
• Economy
  - CQQT
  - Cost vs benefit
  - Co. R > Co. C
• Effectiveness
  - Outcomes vs outputs
  - Actual vs standard
• Efficiency
  - Output vs input
  - Automation

Business objective design
• What works for audit objective design works for business objective design
• King 2 – high correlation
• COSO – developed by line management

Risk & recommendations
[Chart axes: Impact, Likelihood]
Effect – reasons for a high impact focus:
• Audit objectives
• Fieldwork
• Recommendations
Root cause – reasons for high likelihood focus:
• Audit objectives
• Fieldwork
• Recommendations

Prevention and detection
• Prevention controls
• Detection controls
• Manual
• Automated

Adequacy and effectiveness
• Adequacy
  - Design
  - Implementation
  - Walk through
• Effectiveness
  - Working as intended

Column headings: Objective | Risk | I | L | A | Control | Type (Preventative/Detective) | Nature (Manual/IT) | CAA | CEA
Objective S, risks:
• Inadequate physical safeguards
• Inadequate access control
• Inadequate segregation of duties
Objective C, risks:
• Inadequate process to ensure compliance with laws/regs
• Inadequate process to ensure compliance with contracts
Objective R, risks:
• Inaccurate …
• Incomplete …
• Invalid/unauthorised …
• Untimely …
Objective E, risks:
• Ineffective …
• Inefficient …
• Uneconomic …

Practical exercise
• Process overview flowchart
• SCRE
• Audit objective
• Risk areas
• Preventative and detection controls
• Audit opinion

[Flowchart. Stages: DOCUMENTATION, INPUT, PROCESSING, OUTPUT. Elements shown: Purchase order; Cheque payment/EFT requisition; Goods received note, supplier delivery note, invoice; Enter data; Application program; Cheque; Purchase transaction file; Cash disbursement transaction file; General ledger summary; General ledger transaction file; Exception reports and KPIs; Purchase journal; Remittance advice; Suppliers master file; Accounts payable master file; General ledger master file; Disbursements journal]

[Flowchart excerpt with S, C, R, E markers placed against its elements: Purchase order; Goods received note, supplier delivery note, invoice; Enter data; Application program; Purchase transaction file; Suppliers master file]

[Flowchart excerpt: Purchase order; Goods received note, supplier delivery note, invoice; Enter data (markers: E, S, SR); Application program (R); Purchase transaction file (R); Suppliers master file (R)]

Business objective
To ensure:
• Safeguarding of assets in the goods received area
• Reliability and integrity of information in the:
  - Capturing phase
  - Processing phase
  - Updating the PTF
  - Updating the SMF
• Economic, effective and efficient use of resources in the ordering phase

Audit objective
To evaluate the adequacy and effectiveness of controls that ensure:
• Safeguarding of assets in the goods received area
• Reliability and integrity of information in the:
  - Capturing phase
  - Processing phase
  - Updating the PTF
  - Updating the SMF
• Economic, effective and efficient use of resources in the ordering phase

Audit opinion
The controls relating to:
• Safeguarding of assets in the goods received area
• Reliability and integrity of information in the:
  - Capturing phase
  - Processing phase
  - Updating the PTF
  - Updating the SMF
• Economic, effective and efficient use of resources in the ordering phase
are adequate and effective

Risk appetite
[Chart: likelihood (1 to 5) against severity (1 to 5), showing risk reduction from a "before" position to an "after" position]

Control assessment
[Diagram labels: Risk, Objective, Process, Control]
• R > C: Inadequate
• C > R: Inefficient
• C = R: Adequate/effective
• Co. C > Co. R: Uneconomic

Control analysis
Column headings: Control activity | Prevention | Detection | IT | Manual | Added value opportunity
Control activities:
• Maintain physical security over goods received
• Segregate custodial and record keeping functions
Added value opportunities:
• Computerise to increase efficiency, economy, effectiveness
• IT management information allows for effective detection controls
• Detection control allows development of prevention controls

Added value
[Figure: two Impact vs Likelihood charts labelled "Inadequate controls" and "Recommendation", with "= Added value"]

Determine the causes
• Determine what circumstances, if any, caused identified weaknesses.
• Consider materiality of effect, before spending much time determining causes.
• Determine if participants understand both purpose of and their role
• Determine if relationship between accounts payable process and other department processes is clear.
• If process occurs at multiple locations, determine nature and scope of communication and coordination among components.

Determine the causes
• Determine if accounts payable process has adequate human, rand, time, and asset resources. If inadequate, determine if resources have been allocated according to materiality of accounts payable process relative to other processes.
• Negative trends in reports used to monitor outcome(s) - determine if reports are communicated to and used by appropriate parties to modify process.
• Determine what internal or external constraints or barriers, if any, must be removed in order to overcome these identified weaknesses.
• Review applicable laws or regulations to determine if any of them prevent necessary changes from being made in the accounts payable process.

Determine the effect
• Compare actual process to a recommended alternative process(es) and determine if each weakness in department process is material. Materiality can be measured by comparing the rand cost, impact on economy, risks, etc. of actual process to recommended alternative process(es).
• Measurements can be quantitative, qualitative, or both.
• Identify benchmarks (industry standards, historical internal data, other comparable departments, etc.) for process in question and compare to actual performance.
• Measure difference, if possible.
• Include cost of additional controls or changes in process.

Determine the effect
• Estimate cost of the actual process and alternative process(es) and compare.
• Estimate quantity and/or quality of services provided by actual process and by alternative process(es) and compare.
• Identify risks associated with actual process and with alternative process(es).
• Measure and compare the risks.

Develop action plans
• Develop specific action plans to correct weaknesses identified as material.
• In developing action plans, consider tailored criteria, kind of process and control weaknesses identified, causes and barriers, effects, and additional resources
• Solicit solutions from client.
• Identify alternative solutions used by other business units.
• Identify solutions for removing barriers.
• Provide general guidelines as to objectives each solution should meet; then the department can tailor the solution to its specific situation.
• Provide specific information, if available, on how each action plan can be implemented.

Develop recommendations
• Develop specific recommendations to correct weaknesses identified as material.
• In developing recommendations, consider tailored criteria, kind of process and control weaknesses identified, causes and barriers, effects, and additional resources
• Solicit solutions and recommendations from client.
• Identify alternative solutions used by other business units.
• Identify solutions for removing barriers.
• Provide general guidelines as to objectives each solution should meet; then the department can tailor the solution to its specific situation.
• Provide specific information, if available, on how each recommendation can be implemented.

Cause – directs recommendation
Root cause of the finding
[Chart axes: Impact, Likelihood]
• What was inherent risk?
• Did management agree?
• Root cause?
  - Lack of budget/staff/skills?
  - Inadequate detection
  - Inadequate management information systems
  - Lack of responsibility and accountability
  - Infrastructure

Effect
[Chart axes: Impact, Likelihood]
• What is the effect?
• How will it be changed?
• How will it be monitored?
• Does it reduce accountability?

Recommendation = responsibility
Recommendation - teamwork
• real time-online
• detection focused
• reduce risk
• change likelihood/root cause
• reduce effect/impact
• enhance effectiveness, efficiency and economic use of resources
• assign responsibility

Management comment
• Accept recommendation
• Accept the risk

Audit report - recommendation
Inadequate
• Recommend new control that change effect residual risk
• Measure change
• Cost and benefit
Inefficient
• Difference between basic control and best practice
• Measure change
Ineffective
• Non compliance
• Cause
• Disciplinary action

Audit report
Elements: Condition; Criteria; Cause and effect; Recommendation; Management Comment
• Recommendation – How to fix it
• Management Comment – Accept? What? When? Who?

Audit opinion: adequacy & efficiency

Controls are          Efficient   Inefficient
Adequate              1           2
Partially adequate    3           4
Inadequate            N/A         5/6

Follow up
[Flowchart labels: Audit scope and objectives; Document system (POF); Follow up audit; No compliance work; Recommendations; Likelihood assessment; Identify weaknesses; Inadequate opinion; Likelihood assessment; Adequate controls; Effectiveness audit; ADD VALUE]

- Slides: 43