COSO and ACL 302
Florida 2002

As auditors we are often advisors to management in relation to the implementation of new automated financial systems. During these efforts, we seem to be constantly reminding management not to implement a new system based on the "old way" of doing business. We ask them to re-think their business processes to enhance effectiveness, reduce redundancy, and fully utilize the new functions provided by the newer tools. Yet, when we as auditors internally implement an automated audit tool, such as ACL, we often forget to practice what we preach. We, too, try to incorporate ACL functionality into the existing audit process rather than re-thinking the audit process and the effect this tool will have on audit department operations.

In 1992, COSO told us that we needed to reassess our audit processes to incorporate soft controls, not just hard controls. COSO also told us that one of the least important components of the internal control environment was actually those control processes we had spent 70-80% of our time evaluating. Traditional auditing was based on the principle that we should identify key controls and then select a representative sample of transactions to verify their existence. If our sample indicates that these key controls are functioning, we can make certain representations regarding the financial function being reviewed. There was little testing or evaluation of soft controls.

In 1995, COCO even further refined the concept presented in COSO and provided us a series of twenty objectives of an effective internal control system. COSO (and COCO) told us the most important component of internal control was the control environment. But auditors continue to struggle with how to evaluate "tone from the top." Soft controls such as management integrity, philosophy, and ethics have been hard to quantify. Yet we know that employee compliance with controls is integrally tied to these factors. The other three components of internal control (risk assessment, information and communication, and monitoring) can be rated as equally important. Testing of these principles also did not seem to fit with our traditional model of spending minimal time on risk assessment and the majority of audit time on testing controls. Often only 10 percent of our audit time was spent in risk assessment (see Exhibit A). Risk assessment was often limited to performing a few simple analytical review procedures and documenting control processes through narratives and flowcharts. Risk assessment tools were limited to deciding what functions to test.
In order to adopt the principles of COSO (and COCO) you need to be able to shift the audit time to include a significant evaluation of the control environment, including an assessment of risk, a review of the information available to users about the system and control processes, and an assessment of the adequacy of monitoring of operations. (See Exhibit B.)

The use of automated CAATs easily permits a shift to COSO (Exhibit C). Using CAATs has forced auditors to learn more about the financial system to be reviewed. The auditor naturally obtains a more detailed overview of the information and communication processes in place. Often the same information used to train users is used to train auditors. Meetings with managers and users on operational risks not only allow management to share their knowledge of the operational risks but allow the auditor to get a glimpse of the control environment through these interactions. In addition, monitoring systems are carefully reviewed by auditors who are gaining information about available data sources. Often these monitoring reports are useful in CAAT testing; therefore, they are more carefully analyzed. As a result, significantly more time is spent in understanding the control environment, information and communication systems, and monitoring activities.

The preliminary review of control processes is then limited to those areas in which control risk is significant. This minimizes time spent in evaluating low-risk operational areas and places the appropriate amount of emphasis on these control activities. While system strengths and weaknesses are still identified, this information is used in determining what a normal transaction looks like and where risks of errors might occur. Even before true CAAT testing has begun, the auditor is well on the way to evaluating four attributes of control: control environment, information and communication processes, monitoring systems, and control activities.

The last criterion for the establishment of an adequate internal control system is the assessment of risk. Often these risks are not purely financial and may be operational in nature. The assessment of risk is one area in which CAAT tools really shine. The data mining activities used in CAATs allow for a more comprehensive assessment of risk. Data mining is based on the ability to review large data files and drill down into the data to obtain more and more detailed information. Functions such as analyze, classify, and stratify allow the auditor to assess the data quickly and to determine the degree of risk associated with various categories of transactions. Once these high-risk areas are identified, an anomaly-based testing approach can be utilized.
An assumption is made that if the internal control structure is working effectively, transactions will fall within expected limits. Anomaly-based testing allows you to "ignore" those transactions that appear reasonable and concentrate your efforts on those transactions that have a higher probability of errors and irregularities. Transactions that do not meet the normally expected range can be natural anomalies in the environment, unintentional errors not identified by the control activities, or fraudulent transactions. In all of these situations, there is a good potential that the control activities failed. As a result, you are testing the control environment without having to evaluate all of the key controls. You are also meeting the audit standards for looking for "red flags" of fraud and are not placing undue emphasis on the hard controls.

Once you have located unidentified errors or irregularities, a review of the processes surrounding these transactions will help identify the hard and soft controls that were missing or were not being implemented properly. In addition, the same audit procedures you develop to identify anomalies can later be used as continuous monitoring tools by management. This will allow management to perform an ongoing evaluation of the control environment and provide a value-added audit service.

An example of this approach is a recent audit of telecommunications we performed. After performing a risk assessment process, we felt our highest risk area was long distance calls. We used ACL not only to report unusual activity (excessive long distance, frequent calls to the same number, excessive lengths, costs, etc.), but we were also able to test for known anomalies such as calls made by terminated employees (indicating phone codes had not been cancelled) and faculty codes used in dormitories (indicating misuse of faculty codes). We were able to easily identify these calls and provide an excellent continuous monitoring tool for managers. We also were able to recalculate the phone bills and assure management that the system was rating and billing calls properly. Since ACL can be used to test 100% of transactions, the audit report also can be a more balanced report of risks and mitigating controls. In the example above we were able to report that 100% of the calls were properly rated.

The implementation of CAAT tools will allow you to shift your efforts to be more in line with the COSO pyramid, provide more information and tools for managers, and increase the efficiency and effectiveness of the audit department's operations. The audit process goes from a checklist or program driven process to an interactive analysis of the high-risk transactions in an operation. Management becomes an integral part of the process, from risk assessment to resolving issues identified by the audit. Emphasis is placed on those risks that are unmitigated rather than on verifying controls to determine their existence. (See Exhibit D.)
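The anomaly tests named in the telecommunications example above can be sketched as follows. This is an added example in Python, not ACL script and not code from the audit described; the record layout, authorization codes, flat tariff and 60-minute threshold are all assumptions, and the call records are constructed.

```python
from collections import Counter
from datetime import date

# Constructed sample data, not records from the audit described above.
# Call record: (date, authorization code, phone location, number dialed,
#               minutes, billed amount in cents)
CALLS = [
    (date(2002, 3, 4), "F100", "office", "305-555-0101", 12, 120),
    (date(2002, 3, 5), "F100", "dorm", "305-555-0144", 95, 950),
    (date(2002, 3, 6), "S200", "office", "212-555-0170", 8, 80),
    (date(2002, 3, 9), "S300", "office", "212-555-0170", 20, 260),
    (date(2002, 3, 10), "S200", "office", "212-555-0170", 5, 50),
]
# Code roster: code -> (holder type, termination date or None)
CODES = {
    "F100": ("faculty", None),
    "S200": ("staff", None),
    "S300": ("staff", date(2002, 3, 1)),
}
RATE_CENTS_PER_MINUTE = 10  # assumed flat tariff
MAX_MINUTES = 60            # assumed "excessive length" threshold


def find_exceptions(calls, codes, rate=RATE_CENTS_PER_MINUTE, max_minutes=MAX_MINUTES):
    """Run every test over 100% of the records; return {test: [record indexes]}."""
    found = {name: [] for name in (
        "unknown_code", "terminated_code", "faculty_code_in_dorm",
        "excessive_length", "misrated")}
    for i, (day, code, location, _number, minutes, billed) in enumerate(calls):
        if code not in codes:
            found["unknown_code"].append(i)
        else:
            holder, terminated = codes[code]
            if terminated is not None and day > terminated:
                found["terminated_code"].append(i)  # code was never cancelled
            if holder == "faculty" and location == "dorm":
                found["faculty_code_in_dorm"].append(i)  # possible code misuse
        if minutes > max_minutes:
            found["excessive_length"].append(i)
        if billed != minutes * rate:  # recalculate the bill for every call
            found["misrated"].append(i)
    return found


def frequent_numbers(calls, min_calls=3):
    """Numbers dialed at least min_calls times (frequent calls to one number)."""
    counts = Counter(call[3] for call in calls)
    return {number: n for number, n in counts.items() if n >= min_calls}


if __name__ == "__main__":
    print(find_exceptions(CALLS, CODES))
    print(frequent_numbers(CALLS))
```

Because each test returns record indexes rather than a sample, the same functions can be rerun by management on each billing period as a continuous monitoring check.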
Exhibit A

Testing: 70-80%
Reporting: 10-20%
Exhibit B: COSO Auditing

Comprehensive Risk Assessment, Including IT Risks: 40-50%
Testing: 40-50%
Reporting: 10%
Exhibit C: Paradigm Shift

| | Old Model | New Model |
|---|---|---|
| Focus of Audit | Transaction Driven | Process Driven |
| Emphasis | Internal Controls | Risk Assessment |
| Tests to Determine | Compliance with Key Controls | Presence of Unmitigated Risks |
| Report Emphasis | Historical Based Instance of Non-Compliance | Overall Assessment of Risk |
| Findings | Control Weaknesses | Ways to Reduce Risk or Increase Efficiency |
Exhibit D: Effect on Process

| | Old Model | New Model |
|---|---|---|
| Preliminary Testing | Checklist Driven | Process Driven |
| Audit Planning | Based on Past Audit, Standard Plans | Interactive Assessment Process |
| Scope Establishment | Set at Beginning; Inflexible | Established after Risk Assessed; Flexible |
| Basis of Scope | Auditor Judgment | Auditor/Manager Assessment of Risk |
| Report Timing | At End of Testing | Continuous |
| Findings | Control Flaws, Noted Inefficiencies | Ways to Reduce Risk/Incr. Efficiency |