PEM PAL IA COP Audit in Practice Working Group
Introduction to the audit cycle
Jean-Pierre Garitte
Budapest, 29 March 2017

Agenda
• Part 1: Introduction to audit cycle
• Part 2: How does audit cycle connect to our IAM template?
• Part 3: Types of audit
• Part 4: ISPPIA 2210 on audit objectives

Audit cycle is a rather generic process
1. Planning
2. Preliminary Survey
3. Fieldwork
4. Reporting
5. Action Plan (includes quality satisfaction)
6. Follow-Up
Diagram labels: Execution; Reporting
Rule of thumb:
• 20% for planning and preliminary survey (1, 2)
• 60% for fieldwork (3)
• 20% for reporting (4)

1. Planning
• Scheduling of the engagement
• Announcement of the engagement
• Opening meeting

Standard 2200 – Engagement Planning
“Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations.”

Planning the engagement
1. When to do the audit?
2. Who will do the audit?
  • Resources: time budget
  • Resources: auditors
  • Competency and skills (align to subject to be audited)
3. First draft of audit objectives and scope (this will be revised!)
4. Announce the engagement to the auditee:
  • Announcement letter (may include scope, logistics, contacts)
  • Mutual expectations document
5. Arrange a first meeting to gain an understanding of the area to be audited and its objectives and key risks; discuss broad/general audit objectives and scope; logistics

2. Preliminary Survey
• Desk review
• Risk (re-)assessment
• Engagement planning memorandum
• Preparation of audit program
• Kick-off meeting with auditee

Standard 2310 – Identifying information
“Internal auditors must identify sufficient, reliable, relevant and useful information to achieve the engagement’s objectives.”

Preliminary survey
• Desk review
  • Familiarisation
  • Interviews of main actors
• Risk (re-)assessment
• Engagement planning and scoping
  • Audit objective(s)
  • Key risks
  • Audit scope
• Kick-off meeting

Key principles: audit work plan or programme
• What? – A detailed list of “audit steps” (tasks) to be performed by the auditor in order to obtain sufficient evidence to be able to reach conclusions in respect of the audit objectives.
• “Audit steps”:
  • Why? What are the objectives of this audit
  • What? Audit procedures, tests and evidence gathering
  • How? Sampling or full population
  • Who? Auditor(s)
  • When? Timing (interim or at year-end)
  • Where? Location of audit

3. Fieldwork
• Detailed review of internal control system
• Test of control design
• Test of operating effectiveness
• Formalising observations
• Validation meeting

Standard 2320 – Analysis and Evaluation
“Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.”

Fieldwork: Detailed review of the internal control system
Reviewing the activities, processes, management's objectives, risks, and internal controls
Diagram labels: Activities; Processes under review; Management’s Objectives; Risks; Risk Response; Mitigating Controls
Diagram questions: What is the internal control system? Are these being achieved? Are these being managed? Are we responding to risk in the right way? Effective?

Key principles: working papers
Attributes
Five attributes of quality working papers' documentation
• Complete
• Clear
• Concise
• Neat
• Structured
What is the purpose of a working paper?
Automated audit workflow systems, e.g. TeamMate.

Key principles: working papers
Content of working papers
• Purpose/objectives/tests
• Scope
• Test results/findings
• Conclusions/recommendations
• Source/references/evidence
• Cross references to
  • Audit programme
  • Supporting documents
Diagram labels: Test; Evidence; Risk control matrix; Working papers

Fieldwork
Audit documentation = audit working papers
• Audit working papers are organised in “audit files”
• Can be in paper form, maintained in computerised files or both.
• Working papers must always be cross-referenced (paper files as well as electronically)
Audit documentation
• Audit documentation is the principal record of:
  • Auditing procedures applied
  • Evidence obtained and conclusions reached by the auditor in the engagement
• Main objective:
  • To aid the auditor in providing reasonable assurance that an adequate audit was conducted in accordance with auditing standards

4. Reporting
• Draft audit report
• Contradictory process
• Final audit report
• Assessment of auditee satisfaction

Standard 2400 – Communicating Results
“Internal auditors must communicate the results of engagements.”
Standard 2410 – Criteria for communicating
“Communication must include the engagement’s objectives and scope as well as applicable conclusions, recommendations, and action plans.”
Standard 2420 – Quality of Communications
“Communication must be accurate, objective, clear, concise, constructive, complete, and timely.”

Reporting
Standard 2410.A1 – Communicating Results
“Final communication of engagement results must, where appropriate, contain the internal auditor’s overall opinion and/or conclusions.”
Types of opinion:
• No opinion (consulting engagements, desk reviews, risk assessments)
• Disclaimer of opinion (scope limitation)
• Satisfactory
• Qualified (satisfactory except for …)
• Unsatisfactory/negative/adverse

The reasoning behind a recommendation
• Criteria: What should exist - The standards, measures, or expectations used in making an evaluation and/or verification
• Condition: What does exist - The factual evidence that the auditor found in the course of the examination
• Cause (Root): Why the difference exists - The (real) reason for the difference between the expected and actual conditions
• Consequence (Effect): The impact of the difference - The risk or exposure the organisation and/or others encounter because the condition is not consistent with the criteria
• Recommendation: What, Who and When? - Action linked to responsible, date/timing, priority, and severity
• Management Response: Yes, agree / Yes, but alternative / No, disagree
• Action Plan designed by Management
• Follow-Up by Internal Audit

5. Action plan
• Drafting the action plan
• Establishing responsibilities and deadlines

6. Follow up
• Performing follow-up audits

Standard 2500 – Monitoring Progress
“The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.”


Connection audit cycle to IAM template
• Engagement planning
• Audit objectives and audit scope
• Audit program
• Audit field work
• Reporting on internal audit engagement


Types of audit assurance engagements
• Financial auditing looks at the past to determine if financial information was properly recorded and whether financial statements present a fair, accurate and reliable view. They are based on the analysis of the economic activities of an entity as measured by accounting methods.
• Compliance audits look at both financial (audits on financial management) and operating controls and transactions to assess if they conform to laws, regulations, standards and procedures.
• Performance auditing is an independent and objective assessment of an entity's activities, processes and internal controls systems, with regard to one or more of the three aspects of economy, efficiency and effectiveness (the "3 E’s"), aiming to lead to improvements.

Types of audit assurance engagements
Other names sometimes used:
• IT audit
• Security audit
• Value-for-money audit
• Operational audit
• System based audit
• Comprehensive audit
• …


ISPPIA 2210
Performance Standards
• 2000 – Managing the Internal Audit Activity
• 2100 – Nature of Work
• 2200 – Engagement Planning
• 2300 – Performing the Engagement
• 2400 – Communicating Results
• 2500 – Monitoring Progress
• 2600 – Communication and acceptance of risks

ISPPIA 2210
2200 – Engagement Planning
• 2201 – Planning Considerations
• 2210 – Engagement Objectives
• 2220 – Engagement Scope
• 2230 – Engagement Resource Allocation
• 2240 – Engagement Work Program

2210 Engagement Objectives must be established for each engagement.

2210 Engagement Objectives
2210.A1 Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.
2210.A2 The internal auditor must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.

2210 Engagement Objectives
2210.A3 – Adequate criteria are needed to evaluate governance, risk management, and controls. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board.
Interpretation: Types of criteria may include:
• Internal (e.g., policies and procedures of the organization).
• External (e.g., laws and regulations imposed by statutory bodies).
• Leading practices (e.g., industry and professional guidance).

2210 Engagement Objectives
2210.C1 Consulting engagement objectives must address governance, risk management, and control processes to the extent agreed upon with the client.
2210.C2 Consulting engagement objectives must be consistent with the organization's values, strategies, and objectives.

Questions & Answers