phase of an internal audit.

There are three main steps in the examination phase of an internal audit:
1. Examining and testing operations and transactions involves selecting samples for review and carrying out appropriate audit tests.
2. Analyzing audit results involves assessing the conditions found during the audit against the criteria to be used, and analyzing the causes and effects of any weaknesses identified.
3. Completing and reviewing the working papers involves ensuring that the audit has been conducted in accordance with appropriate standards and that audit conclusions are supported by competent, sufficient, and relevant evidence.

Identify the purpose of an internal audit program and explain its components and format.

The main purposes of an internal audit program include the following:
• ensuring that auditing standards are met
• clearly communicating objectives, procedures, and criteria used
• outlining the audit work to be done and ensuring that all necessary work is completed
• providing a basis for allocating time and ensuring that all necessary work is completed
• providing for an orderly and efficient review of the work performed
• providing a checkpoint for approval of planned audit work and subsequent audit review
• ensuring the most efficient procedures are followed in the proper order to gather audit evidence to support an observation
• confirming an audit observation, finding, or conclusion with management

The components of an audit program are the following:
• The audit objectives summarize why the audit is being performed.
• The audit scope defines the function or organizational unit to be reviewed, and the activities and period to be covered by the engagement.
• The audit criteria are the standards used by the auditors to check operations and determine if the actual performance is acceptable.
• The audit procedures are the general and specific techniques carried out to ensure that the scope of the audit is covered and that sufficient and appropriate audit evidence is accumulated. The procedures include the following: inspection, analysis, interview, replication, physical observation, computation, sampling, and confirmation.

Demonstrate how audit evidence is gathered, selected, and assessed, and the importance of the decisions involved.

• The examination of specific transactions and operations forms the evidence upon which the audit report is based. The audit must test a sufficient number of transactions to be able to draw a valid conclusion about the population from which the sample was selected.
• The auditor must decide the purpose of the audit test, determine the method used to select sample items, determine what constitutes an exception or compliance deviation, select the sample, test for the desired attribute, evaluate the results, and draw conclusions about the population.
• The internal auditor must determine what kind of evidence is needed, how much is needed, and how it will be obtained.
• Evidence should be appropriate, timely, relevant, sufficient, and useful.
• The quality of evidence is enhanced when it is relevant, objective, documented, external to the organization, derived from a large, random, statistical sample, corroborated by other evidence, timely, authoritative, direct, and from a well-controlled system.
• Audit techniques for gathering evidence include inspection (vouching), analysis, interviewing, observation, confirmation, and re-performance.

Develop appropriate criteria and prepare an audit program for a risk-based audit.

• In risk-based auditing, the auditor must first identify the significant risks faced by the organization in terms of the activities being audited.
• The auditor must consider the means available to management to mitigate the significant risks. This process provides the auditor with the audit criteria against which to compare the actual conditions observed.
• The audit program is developed to acquire the evidence necessary to assess whether the organization is meeting the criteria.

Distinguish between systems-oriented and data-oriented computer assisted audit techniques (CAATs).

Systems-oriented CAATs are used to verify the controls of the computer system being tested. They include the following:
• test data method
• integrated test facilities
• system control audit review file (SCARF)
• logic analysis programs
• code comparison programs
• audit expert systems

Data-oriented CAATs are used to examine and test data that are held in a computer system. They can be grouped in the following categories:
• generalized audit software
• system utilities
• custom-written programs
• industry-specific audit programs

Demonstrate how data are analyzed using generalized audit software such as ACL.

1. Define the specific audit objectives to be carried out with the assistance of the generalized audit software.
2. List the tests the generalized audit software will use to assist in reaching the audit objectives.
3. Obtain copies of the data files to be tested.
4. Enter the audit commands or parameters in the generalized audit software.
5. Check the output and draw audit conclusions.

The features of ACL, in common with most generalized audit software packages, are as follows:
• counting, footing, extensions, scanning, and listing of data
• recalculations and aging
• exception reporting
• extraction and file processing
• sampling
• sorting, indexing, and summarizing
• file merging, matching, and multi-file processing
• production of reports and confirmation letters

Assess conditions within an audited unit against audit criteria, and analyze the cause and effects of any observed deficiencies.

• The auditor must use the evidence collected to determine whether the activities audited have met the audit criteria. This must be done objectively using criteria agreed with the auditee management.
• Where the auditor believes that the conditions do not conform to the criteria, the auditor should determine both the cause and the effect of the non-compliance. This may require obtaining additional evidence. Identified weaknesses and their causes and potential effects should be discussed with the management of the unit reviewed before the audit report is issued.

Explain the standards for preparing audit working papers and the importance of the internal auditor’s role in supervising the engagement.

The purpose of audit working papers and audit files is to provide evidence of the audit work carried out and support for the audit conclusions. They also facilitate review of the work performed and assist in the planning of subsequent audits.
Audit files must have the following characteristics:
• completeness and accuracy, showing proper support for decisions
• clarity and concision
• pertinence (that is, containing only relevant, useful information)
• systematic organization

Identify the roles and responsibilities of management and the internal auditor in the deterrence and detection of fraud.

• Management has the primary responsibility to prevent and detect fraud. They accomplish this through an effective system of internal controls.
• Internal auditors are responsible for assisting in the deterrence of fraud by examining and evaluating the effectiveness of the controls in place to prevent fraud. They are also responsible for identifying indicators of potential fraud and should be alert to the possibility of fraud when carrying out their audit work.

Identify the main steps in a fraud investigation and the auditor’s responsibility in following up on the results of such an investigation.

When conducting a fraud investigation, the internal auditor should do the following:
1. Be alert to indications of the existence of fraud.
2. Inform management.
3. Conduct the investigation by performing audit steps.
4. Reappraise internal controls and audit procedures.
5. Report on the fraud investigation.

Identify computer fraud and outline current practices for how internal auditors deal with it.

The main categories of computer fraud:
• theft of information
• theft of assets and their cover-up
• malicious destruction of information or programs

Proper policies, procedures, and tools must be in place for internal auditors to be able to deal with fraud situations:
• Policies available to the internal auditor are those designed to prohibit misuse of computer resources, to provide penalties for such misuse, and to authorize appropriate investigations where such misuse is suspected.
• Procedures should be designed to result in working papers that might be used in subsequent court action. All potential evidence must be subject to an appropriate chain of custody from the time of acquisition.
• Software tools available to the internal auditor include backups of files, utilities to recover deleted files, search utilities, sorting and extraction tools, and so on.

Examine how ACL can be used to conduct a payroll fraud investigation.

The data extraction, sort, compare, merge, and calculation functions within ACL can be used in a variety of fraud investigation applications. In a payroll fraud investigation, for example, the payroll or employee data can be downloaded and sorted for duplicate bank account or address information. Comparisons can be done between actual amounts paid to employees and those approved in data obtained from the personnel department. Calculations can be independently verified to test for possible fraudulent manipulation of the payroll software.
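
The three payroll tests described above (duplicate bank account or address, paid versus approved, and independent recalculation), sketched in Python as an added example; it is not ACL script and not part of the original notes. The records, field names, and the HR_APPROVED table are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (illustrative only): one pay period downloaded from
# the payroll system, and approved gross pay from the personnel department.
PAYROLL = [
    {"emp_id": "E001", "bank": "0011-2233", "address": "12 Elm St",  "hours": 80, "rate": 25.0, "gross": 2000.0},
    {"emp_id": "E002", "bank": "0044-5566", "address": "9 Oak Ave",  "hours": 80, "rate": 30.0, "gross": 2400.0},
    {"emp_id": "E003", "bank": "0011 2233", "address": "77 Pine Rd", "hours": 80, "rate": 20.0, "gross": 1600.0},
    {"emp_id": "E004", "bank": "0077-8899", "address": "9 OAK AVE.", "hours": 80, "rate": 22.0, "gross": 1960.0},
    {"emp_id": "E005", "bank": "0099-0000", "address": "3 Birch Ln", "hours": 40, "rate": 28.0, "gross": 1120.0},
]
HR_APPROVED = {"E001": 2000.0, "E002": 2200.0, "E003": 1600.0, "E004": 1760.0}

def normalize(value):
    """Fold case and drop punctuation and spacing so near-identical entries match."""
    return "".join(ch for ch in str(value).lower() if ch.isalnum())

def duplicates(records, field):
    """Return {normalized value: [emp_ids]} for values shared by two or more employees."""
    groups = defaultdict(list)
    for rec in records:
        groups[normalize(rec[field])].append(rec["emp_id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}

def unapproved_pay(records, approved, tol=0.005):
    """Compare gross paid with the approved amount; an expected value of None means no personnel record."""
    exceptions = {}
    for rec in records:
        expected = approved.get(rec["emp_id"])
        if expected is None or abs(rec["gross"] - expected) > tol:
            exceptions[rec["emp_id"]] = (rec["gross"], expected)
    return exceptions

def recalc_exceptions(records, tol=0.005):
    """Independently recompute hours * rate and return rows whose gross does not agree."""
    return {r["emp_id"]: round(r["hours"] * r["rate"], 2)
            for r in records if abs(r["hours"] * r["rate"] - r["gross"]) > tol}

if __name__ == "__main__":
    print("Shared bank accounts:", duplicates(PAYROLL, "bank"))
    print("Shared addresses:    ", duplicates(PAYROLL, "address"))
    print("Paid vs approved:    ", unapproved_pay(PAYROLL, HR_APPROVED))
    print("Recalculation errors:", recalc_exceptions(PAYROLL))
```

Each exception is a lead for follow-up rather than proof of fraud: a shared address may be two family members, while a payee with no personnel record or a gross amount that does not recompute warrants obtaining additional evidence.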