pgcia - scope, process and tools - icai sep 05, 2014
-
Internal Audit Scope, Process and Tools
ICAI, Hyderabad
September 05, 2014
CA Nikshit HV Shah
-
Agenda
Understanding Definition Scope Fraud IA role Process Tools
-
Reality Check
-
Reality check
As per a report of The IIA: several survey respondents cited internal auditors as having primary responsibility for deterring (preventing) financial reporting fraud.
As per Association of Certified Fraud Examiners (ACFE) Survey:
Survey participants estimated that the typical organization loses 5% of its revenues to fraud each year.
-
Reality check
ACFE Survey: the 5% revenue loss, when applied to the 2011 Gross World Product, translates to a potential projected annual fraud loss of more than $3.5 trillion.
This is a huge amount; it could change the economy of a developing country.
On an average, frauds reported in the survey lasted for 18 months before being detected.
-
Understanding IA
-
What is IA?
Point out the five important elements, outcomes, factors, expectations, considerations for an Internal Audit project.
Traditional approach and Modern approach
-
Traditional Risk Based Audits
Traditional Risk Based IA approach: Perform a risk assessment and rate the various elements in the audit universe (e.g., locations, business units, processes, and projects) based on the audit team's assessment of risk.
Prioritize audits based on the audit team's assessment of risk.
-
New approach - Risk Based Audits
Enterprise Risk Management (ERM) approach:
Instead of starting with an assessment of the audit universe, the auditor starts with the risks to the enterprise as a whole.
The goal is to provide assurance on how well management's processes are able to manage the more significant risks.
Internal Audit will audit the processes and controls that management relies on to manage the more significant risks to the enterprise.
-
What is Risk Based Auditing?
Focus on risk of occurrences that could prevent the organization from achieving its goals
There are many types of risk: fraud, improper reporting, ineffective or inefficient use of resources, credibility loss, etc.
Focus on areas with high risk and high probability that controls are not in place or are weak
-
Understanding Internal Audit
Internal audit is a tool to measure and evaluate:
Systems, procedures, practices, compliance with policies for accounting, financial and other
operations
Practices to ensure the rules and regulations governing the operations of the organization are
adhered to
Risks and also suggests remedial measures, thereby acting as a catalyst for change and action.
-
Purpose & Definition
-
Purpose and role of IA
-
Definition
As defined by The IIA, IA is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.
It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
-
IA Standards - ICAI
-
Scope
-
Scope
IA functions: controls testing, operational efficiency testing
Types of services
Assurance Services - involve the internal auditor's objective assessment of evidence to provide an independent opinion or conclusions regarding an entity, operation, function, process, system or other subject matter.
Consulting services - are advisory in nature, and are generally performed at the specific request of an engagement client.
-
Scope - Area for review
Internal Audit can review the following areas:
Fraud risk assessment
Regulatory compliance process
Finance & Payroll practice
Internal Controls and documentation
Accounting and reporting processes
Talent/HR related processes
Security of assets, physical and IT
Policy making and updation
Not an exhaustive list.
-
Who needs Internal Audit?
As per Companies Act 2013: mandatory internal audit for prescribed classes of companies.
U/s 138 - W.e.f. April 2014
Who: CA, Cost Accountant or other professional
Internal or external: either
Applicable to:
Every listed company
Unlisted Public company having:
Paid up share capital 50 crores or more in PFY
TO of 200 crores or more in PFY
O/S loans 100 crores or more anytime in PFY
O/S deposit 25 crores or more anytime in PFY
Private company having 200 crores TO or 100 crores loan O/S
-
Process & Approach
-
IA Process & Methodology
Internal Audit Methodology:
1. Define Engagement
2. Develop Risk Model
3. Develop Plan
4. Design Project Workplan
5. Execute Project Workplan
6. Deliver Results and Insights
-
Overview to Internal Audit Approach:
Based on Business Risk
Common Sense/Analytic Approach
Focus on Internal Control
Issue Focused
Integrated Approach
-
We have a plan!
Risk based audit plan developed with input from across the entity
Risk factors: Impact, Probability, Controls
-
Impact
What would be the impact on the entity if this item failed to function?
High Impact - it could create serious problems for the Entity that could result in the loss or use of resources, a significant loss of revenues/funding, or unfavorable publicity and possible harm to the Entity's reputation
Medium Impact - the Entity would recognize the impact, but would be able to manage the problem
Low Impact - it would not have a significant impact on the Entity or its reputation
-
Probability
Without considering existing process controls that may exist, what is the probability that this breakdown could occur?
Every area has certain checks that help prevent things from going wrong.
If the controls were not in place, what is the possibility that something would go wrong?
High Probability - it is very likely that something could go wrong
Medium Probability - it is possible that something could go wrong
Low Probability - it is not likely that anything will go wrong
-
Controls
How well does the Entity manage this potential risk, i.e. how good are the controls in this area?
Are there currently processes in place that provide good checks and balances?
Good - processes exist that should prevent the majority of possible losses or other problems
Average - processes are in place that will usually prevent problems, although the processes could be better
Poor - there are few processes in place to prevent losses or problems, or the processes are not working
-
Preventive Measures
Make sure your controls are working
Review and reconcile
Check the work of your subordinates
Don't give in to the temptation to skip controls because you are busy!
-
Audit Approach
Apply simple analytic/common sense approach
Understand / Document: Systems, Procedures, Internal Controls, Duties & People
Evaluate: are systems functioning as designed, are controls & procedures adequate, are duties properly segregated, etc.
Test: for compliance to key controls / procedures, key information produced by systems.
-
Internal Audit Approach Simplified:
Review the Prior Workpapers -- review the key systems, reports, controls, people -- what were the issues from the last audit
Audit team will review past review & determine items to be requested/samples as part of pre-engagement planning
Discuss with Audit Team/management issues & concerns, determine what additional information/samples should be requested prior to conducting systems review
Interview the appropriate associates, review processes, perform initial testing
Determine if additional testing is needed, update systems documentation, request reports/samples for testing based upon review work performed
Perform Systems testing
Discuss preliminary findings with audit team, get feedback as to additional testing to perform, how to summarize and conclude on issues
Share findings, systems documentation with auditee, get their feedback/corrections/disputes
Work with audit team to draft preliminary findings for closing meeting/audit report
Present the findings to management in closing meeting/draft audit report
Review the feedback from management & factor it into the final report/perform additional audit steps
Issue the final audit report
-
IA process in phases
1. Pre-engagement planning
2. Risk assessment
3. Developing audit plan
4. Audit program
5. Execution testing
6. Reporting and deliverables
-
Fraud
-
Definition of Fraud
Intentional deception to cause a person to give up property or some lawful right.
Deceit, trickery, cheating. - Webster's New World Dictionary
-
Identification of fraud
Fraud encompasses an array of irregularities and illegal acts characterized by intentional deception
Fraud can be perpetrated for the benefit of or the detriment of the organization and by persons outside as well as inside the organization.
-
Auditing Standards
SIA 11 by ICAI and standard issued by IIA:
The internal auditor should have sufficient knowledge to identify the indicators of fraud
but is not expected to have the expertise of a
person whose primary responsibility is
detecting and investigating fraud
-
IA should determine whether
The organizational environment fosters control consciousness
Tone at the Top
Prohibited activities and actions
Ethics or fraud hotlines
Hiring and promoting procedures
Audit committee oversight
Fraud vulnerability assessment
Investigative process
Remediation
-
Internal Auditor Responsibilities
Have sufficient knowledge of fraud
Be alert to opportunities where fraud could occur
Evaluate the need for further action
Perform additional audit procedures to gather evidence to support the suspected fraud
Notify/Report the appropriate authorities
-
How Fraud is Identified
-
Reporting Fraud
Reporting a fraud consists of the various oral or written, interim or final communications to management regarding the status and results of fraud investigation.
Sufficient investigation should take place to establish reasonable certainty that a fraud has occurred before any fraud reporting is made.
-
Sample case study
-
Auditors miss!!!
$1.04 billion that Satyam claimed to have on its balance sheet in non-interest-bearing deposits.
Any reasonable company would have either invested the money into an interest-bearing account, or returned the excess cash to the shareholders.
The large amount of cash thus should have been a red flag for the auditors that further verification and testing was necessary.
Also, the auditors did not independently verify with the banks in which Satyam claimed to have deposits.
-
IA process steps
-
Risk Assessment
Understand Client's Business
Design Risk Profile Based on the Outcomes of the Risk Management Process
Conduct Risk Management Process, i.e. Interviews, Interactive Workshops, Surveys, etc.
Develop Risk Management Framework
Inquiries
Risk Management Framework
Risk Profile: High, Medium, Low
Review Prior Year Work Papers
-
Audit Planning:
Establishing Audit Objective & Scope
Obtaining Background Information
Determining Resources Needed
Issuing Announcement Letter
Preparing Audit Program
Conducting an Opening Meeting
-
Developing Audit Plan
Prioritize risk with the purpose of developing the internal audit plan
Perform On-Going Reassessment of Internal Audit Plan
Agree on Timing of Internal Audits
Obtain Client Senior Management & Audit Committee Approval
Recommend Risk-Based Internal Audit Strategic Plan
Strategic Internal Audit Plan
Audit Committee Presentation
High-Level Project Budget
Risk Assessment
-
Project Audit Program
Terms of Reference
Conduct Audit Project Planning Meeting with Staff
Prepare Project Audit Program (Part of risk & control matrix)
Document Business Processes (Specify Risk Areas)
Identify Risks
Understand Process/System
Risk Audit Program
Flowcharts, Narratives & Exhibits, Risk Control Matrix
Risk Control Matrix
Terms of Reference
Controls Adequate to Mitigate Risk? (No / Yes)
To Audit Report
To Client Files
Conduct Planning Meetings and Risk Assessment with Clients
-
Sample Audit program
Some of the key fields that should be documented in an Audit Program are:
Area of the process audited
Key Risk and Sub-risk
Controls Objectives
Control Activities
Testing procedure
WP reference
Observations
-
Conducting Fieldwork:
Review Prior Work papers / Initial Risk Assessment
Update Process Documentation
Perform Systems or Other Testing
Discuss Issues with Management Throughout engagement - "No Surprises" strategy
Prepare Observations in a Fair & Independent Manner
Complete and save Workpapers
Back observations with numbers and specific transactions
-
Execute Audit Program / Testing
Issue Sheets (Findings)
Perform & Document Tests/Conclusions
Update Strategic Internal Audit Plan
Issue Internal Audit Report
Review Issues & Recommendations With Area Management (Exit Conference)
Evaluate Test Results
Draft Reports Exit Conference Summary
Review Work papers
Work papers
From Clients
To Client Files
Management Responses
Final Report
Final Report Mgt. Responses
-
Work Paper Documentation
Describe the purpose of working papers.
Apply firm policies and guidance as well as best practices to the preparation of working papers.
Describe workpaper retention policies.
Differentiate among types of correspondence and evaluate their relevance to the audit file.
Share tips and tricks
-
Elements of Workpapers
Working papers need to:
Clearly demonstrate what work was performed.
Contain sufficient information such as nature, timing, extent, and results of the procedures performed, evidence obtained, and conclusions reached.
Preparer and Reviewer of working papers with the dates.
-
Example IA work paper
-
Presenting Observations to Management:
Closing Meeting, Audit Report, Memos
Open Communication
Due Professional Care
Thorough, Review Issues (identify significant vs. insignificant)
Objective/Factual Presentation - bring support (documented examples)
Tactful, Flexible, Open & Listen!
Know the Issues - Importance/Support
-
Reporting and Deliverables
Define Reporting Responsibilities
Evaluate IA Performance Against Client Expectations
Re-Evaluate the Internal Audit Plan
Conduct Periodic Status Meetings with Senior Management & the Audit Committee
Audit Committee Presentation of IA Activities
Executive Summary of IA Activities
Summarize & Report Current IA Activities
EP s Survey
Follow-up & Track Key IA Recommendations
Attend Audit Committee Meetings
Communicate Risks/Exposures of Audit Findings
Strategic Plan
Periodic Meetings with A.C. Chairman
-
Do's and Don'ts - Best Practices
Do:
Pay attention to details (double check cross references)
Review the file for spelling and grammatical errors
Include information electronically when possible
Don't:
Use time dependent descriptions (currently, soon, in a few months)
Include excessively large detailed material unless the entire file has been reviewed and is necessary
-
IA Tools
Microsoft Office Products: Access, Excel, Word, PowerPoint, Outlook
AS/2 (Auditsystem2) - application used to document program reference material and share & review w/p's.
ACL (Audit Control Language)
-
Thank you!!!
Let's keep it safe out there!
CA Nikshit HV Shah