Inherent Risk – risk of not achieving objectives
[Diagram labels: Risk; Inherent risk; Objective; Process]
Inherent risk – before the assessment of any controls
2/19/2021 1
Risk & recommendations
[Chart axes: Impact × Likelihood]
Effect – reasons for a high impact focus:
• Audit objectives
• Fieldwork
• Recommendations
Root cause – reasons for high likelihood focus:
• Audit objectives
• Fieldwork
• Recommendations
Different impacts
• Financial
• Service delivery
• Political
• Legal
• Environmental
• Human resources
Risk index
risk index = severity × likelihood

likelihood
  5 |   5  10  15  20  25
  4 |   4   8  12  16  20
  3 |   3   6   9  12  15
  2 |   2   4   6   8  10
  1 |   1   2   3   4   5
    +---------------------
        1   2   3   4   5   severity
Risk management strategy
[Figure: the 5 × 5 risk index matrix (values 1 to 25) divided into a region of unacceptable risks and a region of acceptable risks]
Control to minimize risks
[Diagram labels: Risk; Inherent risk; Objective; Residual risk; Process; Control]
Residual risk – after the assessment of any controls
COSO – all five components must be present and functioning before a control system can be effective
Control environment
• Safeguard assets
• Compliance with laws, regulations, contracts
• Reliability and integrity of information
• Economy, effectiveness and efficiency
Risk assessment
• Safeguard assets
• Compliance with laws, regulations, contracts
• Reliability and integrity of information
• Economy, effectiveness and efficiency
Info and communication
• Safeguard assets
• Compliance with laws, regulations, contracts
• Reliability and integrity of information
• Economy, effectiveness and efficiency
Control activity
• Safeguard assets - prevention
• Compliance with laws, regulations, contracts
• Reliability and integrity of information
• Economy, effectiveness and efficiency
Monitoring activities - detection
• Safeguard assets
• Compliance with laws, regulations, contracts
• Reliability and integrity of information
• Economy, effectiveness and efficiency
Practical exercise
• Process overview flowchart
• SCRE
• Audit objective
• Risk areas
• Preventative and detection controls
• Audit opinion
[Flowchart with stages INPUT, PROCESSING and OUTPUT. Labels: Phone call with password to cell phone; Enter data; Bank EDI; Application program; Suppliers master file; Exception reports (number of changes); Email the change details to supplier; Exception reports (frequency)]
[Flowchart with stages DOCUMENTATION, INPUT, PROCESSING and OUTPUT. Labels: Purchase order; Cheque payment/EFT requisition; Goods received note, supplier delivery note, invoice; Enter data; Application program; Cheque; Purchase transaction file; Cash disbursement transaction file; General ledger summary; General ledger transaction file; Exception reports and KPIs; Purchase journal; Remittance advice; Suppliers master file; Accounts payable master file; General ledger master file; Disbursements journal]
[Flowchart annotated with S, C, R, E markers. Labels: Application program; Purchase transaction file; Purchase order; Goods received note, supplier delivery note, invoice; Enter data; Suppliers master file]
To evaluate the adequacy and effectiveness of the controls relating to reliability and integrity of:
• Asset count forms
• Asset removal forms
• Capturing
• Processing
• Updating the fixed asset register
[Flowchart annotated with E, S and R markers. Labels: Purchase order; Goods received note, supplier delivery note, invoice; Enter data; Application program; Purchase transaction file; Suppliers master file]
Audit objective
To evaluate the adequacy and effectiveness of controls relating to:
• Safeguarding of assets in the goods received area
• Reliability and integrity of information in the:
  • Capturing phase
  • Processing phase
  • Updating the PTF
  • Updating the SMF
• Economic, effective and efficient use of resources in the ordering phase
Audit opinion
The controls relating to:
• Safeguarding of assets in the goods received area
• Reliability and integrity of information in the:
  • Capturing phase
  • Processing phase
  • Updating the PTF
  • Updating the SMF
• Economic, effective and efficient use of resources in the ordering phase
are adequate and effective
Audit objective
To evaluate the adequacy and effectiveness of controls relating to:
• Safeguarding of assets (access control)
  • Allocation of unique supplier profile passwords in the capturing phase
• Reliability and integrity of information in the:
  • Capturing phase
  • Processing phase
  • Updating the SMF
  • Exception reports (quantity and frequency)
  • Email confirmations
Audit opinion
The controls relating to:
• Safeguarding of assets (access control)
  • Allocation of unique supplier profile passwords in the capturing phase
  • To the availability of the suppliers file
• Reliability and integrity of information in the:
  • Capturing phase
  • Processing phase
  • Updating the SMF
  • Exception reports (quantity and frequency)
  • Email confirmations
are adequate and effective
Audit objectives
To evaluate the adequacy and effectiveness of the internal control systems that ensure
• S
• C
• R
• E
Audit objectives
To evaluate the adequacy and effectiveness of the internal control systems (choose prevention, detection or correction) that ensure
• S
• C
• R
• E
Audit objectives
To evaluate the adequacy and effectiveness of the prevention controls that ensure
• R – reliability and integrity of information
Audit objectives
To evaluate the adequacy and effectiveness of the prevention controls that ensure
• R – reliability and integrity of information of the purchase order
Risk response
[Chart: likelihood (1 to 5) against severity (1 to 5), showing risk reduction from a "before" position to an "after" position]
Control assessment
• R > C: Inadequate
• C > R: Inefficient
• C = R: Adequate/effective
• Co. C > Co. R: Uneconomic
[Diagram labels: Risk; Objective; Process; Control]
Control analysis
Columns: Control activity; Prevention; Detection; IT; Manual; Added value opportunity
Control activity:
• Maintain physical security over goods received
• Segregate custodial and record keeping functions
Added value opportunity:
• Computerise to increase efficiency, economy, effectiveness
• IT management information allows for effective detection controls
• Detection control allows development of prevention controls
Added value
[Diagram: two Impact × Likelihood charts labelled "Inadequate controls" and "Recommendation", with the result labelled "= Added value"]
Audit report - finding
Finding
• Clear
• Concise
• Factual
• Inadequate
• Inefficient
• Ineffective
• Uneconomic
Determine the causes
• Determine what circumstances, if any, caused identified weaknesses.
• Consider materiality of effect, before spending much time determining causes.
• Determine if participants understand both purpose of and their role
• Determine if relationship between accounts payable process and other department processes is clear.
• If process occurs at multiple locations, determine nature and scope of communication and coordination among components.
Determine the causes
• Determine if accounts payable process has adequate human, rand, time, and asset resources.
• If inadequate, determine if resources have been allocated according to materiality of accounts payable process relative to other processes.
• Negative trends in reports used to monitor outcome(s) - determine if reports are communicated to and used by appropriate parties to modify process.
• Determine what internal or external constraints or barriers, if any, must be removed in order to overcome these identified weaknesses.
• Review applicable laws or regulations to determine if any of them prevent necessary changes from being made in the accounts payable process.
Determine the effect
• Compare actual process to a recommended alternative process(es) and determine if each weakness in department process is material. Materiality can be measured by comparing the rand cost, impact on economy, risks, etc. of actual process to recommended alternative process(es).
• Measurements can be quantitative, qualitative, or both.
• Identify benchmarks (industry standards, historical internal data, other comparable departments, etc.) for process in question and compare to actual performance.
• Measure difference, if possible.
• Include cost of additional controls or changes in process.
Determine the effect
• Estimate cost of the actual process and alternative process(es) and compare.
• Estimate quantity and/or quality of services provided by actual process and by alternative process(es) and compare.
• Identify risks associated with actual process and with alternative process(es).
• Measure and compare the risks.
Develop recommendations
• Develop specific recommendations to correct weaknesses identified as material.
• In developing recommendations, consider tailored criteria, kind of process and control weaknesses identified, causes and barriers, effects, and additional resources.
• Solicit solutions and recommendations from client.
• Identify alternative solutions used by other business units.
• Identify solutions for removing barriers.
• Provide general guidelines as to objectives each solution should meet; then the department can tailor the solution to its specific situation.
• Provide specific information, if available, on how each recommendation can be implemented.
Cause – directs recommendation
Root cause of the finding
• What was inherent risk?
• Did management agree?
• Root cause?
  • Lack of budget/staff/skills?
  • Inadequate detection
  • Inadequate management information systems
  • Lack of responsibility and accountability
  • Infrastructure
[Chart axes: Impact × Likelihood]
Effect
• What is the effect?
• How will it be changed?
• How will it be monitored?
• Does it reduce accountability?
[Chart axes: Impact × Likelihood]
Recommendation = responsibility
Recommendation - teamwork
• real time-online
• detection focused
• reduce risk
• change likelihood/root cause
• reduce effect/impact
• enhance effectiveness, efficiency and economic use of resources
• assign responsibility
Management comment
• Accept recommendation
• Accept the risk
Audit report - recommendation
Inadequate
• Recommend new control that change effect residual risk
• Measure change
• Cost and benefit
Inefficient
• Difference between basic control and best practice
• Measure change
Ineffective
• Non compliance
• Cause
• Disciplinary action
Audit report
• Criteria
• Condition
• Cause and effect
• Recommendation: How to fix it
• Management Comment: Accept? What? When? Who?
Audit report - process
[Flowchart labels: Finding worksheet; Review by AD - effectiveness – IA; Benchmark and review by DD - adequacy - AD; Auditee; Final draft audit report; Comments; Quality control; Final audit report; Audit report]
Audit opinion
The prevention controls that ensure
• R – reliability and integrity of information
are adequate and effective
COSO – all five components must be present and functioning before a control system can be effective
Control environment
• Safeguard assets
• Compliance with laws, regulations, contracts
• Reliability and integrity of information
• Economy, effectiveness and efficiency
Risk assessment
• Safeguard assets
• Compliance with laws, regulations, contracts
• Reliability and integrity of information
• Economy, effectiveness and efficiency
Info and communication
• Safeguard assets
• Compliance with laws, regulations, contracts
• Reliability and integrity of information
• Economy, effectiveness and efficiency
Control activity
• Safeguard assets - prevention
• Compliance with laws, regulations, contracts
• Reliability and integrity of information
• Economy, effectiveness and efficiency
Monitoring activities - detection
• Safeguard assets
• Compliance with laws, regulations, contracts
• Reliability and integrity of information
• Economy, effectiveness and efficiency
Audit opinion adequacy & efficiency

Controls are          Efficient   Inefficient
Adequate              1           2
Partially adequate    3           4
Inadequate            N/A         5/6
Audit report
[Diagram labels: Title of the finding; Root cause analysis; Criteria; Condition; Cause; Effect; Finding; Recommendation; Responsibility; Accountability; Management Comment; "Include in job descriptions!"; "Accept the recommendation or accept the risk!"]
Follow up
[Flowchart labels: Audit scope and objectives; Document system (POF); Follow up audit; No compliance work; Recommendations; Likelihood assessment; Identify weaknesses; Inadequate opinion; Likelihood assessment; Adequate controls; Effectiveness audit; ADD VALUE]
Follow up
• Identify the Scope for the Follow-up Audit
• Select the Sample Size and Items to be Tested
• Execute the Audit Work
• Develop Informal Queries and Discuss with the Client
• Report to Management
- Slides: 44