EXAMINATION PHASE OF INTERNAL AUDIT

Identify the main steps in the examination

phase of an internal audit.
There are three main steps in the examination phase of an internal
audit:
1. Examining and testing operations and transactions involves selecting samples
for review and carrying out appropriate audit tests.
2. Analyzing audit results involves assessing the conditions found during the
audit against the criteria to be used, and analyzing the causes and effects of any
weaknesses identified.
3. Completing and reviewing the working papers involves ensuring that the
audit has been conducted in accordance with appropriate standards and that
audit conclusions are supported by competent, sufficient, and relevant
evidence
 Identify the purpose of an internal audit program
and explain its components and format.
The main purposes of an internal audit program include the following:
ensuring that auditing standards are met
clearly communicating objectives, procedures, and criteria used
outlining the audit work to be done and ensuring that all necessary work is
completed
providing a basis for allocating time and ensuring that all necessary work is
completed
Identify the purpose of an internal audit program
and explain its components and format.

providing for an orderly and efficient review of the work performed

providing a checkpoint for approval of planned audit work and subsequent
audit review
ensuring the most efficient procedures are followed in the proper order to
gather audit evidence to support an observation
confirming an audit observation, finding, or conclusion with management
 Identify the purpose of an internal audit program
and explain its components and format.
The components of an audit program are the following:
The audit objectives summarize why the audit is being performed.
The audit scope defines the function or organizational unit to be reviewed,
and the activities and period to be covered by the engagement.
The audit criteria are the standards used by the auditors to check operations
and determine if the actual performance is acceptable.
 Identify the purpose of an internal audit program
and explain its components and format.
The audit procedures are the general and specific techniques carried out to
ensure that the scope of the audit is covered and that sufficient and
appropriate audit evidence is accumulated. The procedures include the
following:
inspection
analysis
interview
replication
physical observation
computation
Sampling
 confirmation
 Demonstrate how audit evidence is gathered,
selected, and assessed, and the importance of the
decisions involved.
• The examination of specific transactions and operations forms the evidence upon which the audit
report is based. The audit must test a sufficient number of transactions to be able to draw a valid
conclusion about the population from which the sample was selected.
• The auditor must decide the purpose of the audit test, determine the method used to select
sample items, determine what constitutes an exception or compliance deviation, select the
sample, test for the desired attribute, evaluate the results, and draw conclusions about the
population.
• The internal auditor must determine what kind of evidence is needed, how much is needed, and
how it will be obtained. Evidence should be appropriate, timely, relevant, sufficient, and useful.
• The quality of evidence is enhanced when it is relevant, objective, documented, external to the
organization, derived from a large, random, statistical sample, corroborated by other evidence,
timely, authoritative, direct, and from a well-controlled system.
• Audit techniques for gathering evidence include inspection (vouching), analysis, interviewing,
observation, confirmation, and re-performance.
 Develop appropriate criteria and prepare an
audit program for a risk-based audit.
• In risk-based auditing, the auditor must first identify the significant
risks faced by the organization in terms of the activities being audited.
• The auditor must consider the means available to management to
mitigate the significant risks. This process provides the auditor with
the audit criteria against which to compare the actual conditions
observed.
• The audit program is developed to acquire the evidence necessary to
assess whether the organization is meeting the criteria.
 Distinguish between systems-oriented and data-
oriented computer assisted audit techniques
(CAATs).
Systems-oriented CAATs are used to verify the controls of the computer
system being tested. They include the following:
test data method
integrated test facilities
system control audit review file (SCARF)
logic analysis programs
code comparison programs
audit expert systems
 Distinguish between systems-oriented and data-
oriented computer assisted audit techniques
(CAATs).
Data-oriented CAATs are used to examine and test data that are held in
a computer system. They can be grouped in the following categories:
generalized audit software
system utilities
custom-written programs
industry-specific audit programs
 Demonstrate how data are analyzed using
generalized audit software such as ACL.
1. Define the specific audit objectives to be carried out with the
assistance of the generalized audit software.
2. List the tests the generalized audit software will use to assist in
reaching the audit objectives.
3. Obtain copies of the data files to be tested.
4. Enter the audit commands or parameters in the generalized audit
software.
5. Check the output and draw audit conclusions.
 Demonstrate how data are analyzed using
generalized audit software such as ACL.
The features of ACL, in common with most generalized audit software
packages, are as follows
counting, footing, extensions, scanning, and listing of data
recalculations and aging
exception reporting
extraction and file processing
sampling
sorting, indexing, and summarizing
file merging, matching, and multi-file processing
production of reports and confirmation letters
 Assess conditions within an audited unit against
audit criteria, and analyze the cause and effects of
any observed deficiencies
• The auditor must use the evidence collected to determine whether
the activities audited have met the audit criteria. This must be done
objectively using criteria agreed with the auditee management.
• Where the auditor believes that the conditions do not conform to the
criteria, the auditor should determine both the cause and the effect
of the non-compliance. This may require obtaining additional
evidence. Identified weaknesses and their causes and potential
effects should be discussed with the management of the unit
reviewed before the audit report is issued.
 Explain the standards for preparing audit working
papers and the importance of the internal
auditor’s role in supervising the engagement.
The purpose of audit working papers and audit files is to provide
evidence of the audit work carried out and support for the audit
conclusions. They also facilitate review of the work performed and
assist in the planning of subsequent audits.
Audit files must have the following characteristics:
completeness and accuracy, showing proper support for decisions
clarity and concision
pertinence (that is, containing only relevant, useful information)
systematic organization
 Identify the roles and responsibilities of
management and the internal auditor in the
deterrence and detection of fraud.
• Management has the primary responsibility to prevent and detect
fraud. They accomplish this through an effective system of internal
controls.
• Internal auditors are responsible for assisting in the deterrence of
fraud by examining and evaluating the effectiveness of the controls in
place to prevent fraud. They are also responsible for identifying
indicators of potential fraud and should be alert to the possibility of
fraud when carrying out their audit work.
Identify the main steps in a fraud investigation and
the auditor’s responsibility in following up on the
results of such an investigation.
When conducting a fraud investigation, the internal auditor should do
the following:
1. Be alert to indications of the existence of fraud.
2. Inform management.
3. Conduct the investigation by performing audit steps.
4. Reappraise internal controls and audit procedures.
5. Report on the fraud investigation.
 Identify computer fraud and outline current
practices for how internal auditors deal with it.
The main categories of computer fraud:
theft of information
theft of assets and their cover-up
malicious destruction of information or programs
 Identify computer fraud and outline current
practices for how internal auditors deal with it.
Proper policies, procedures, and tools must be in place for internal auditors
to be able to deal with fraud situations:
Policies available to the internal auditor are those designed to prohibit
misuse of computer resources, to provide penalties for such misuse, and to
authorize appropriate investigations where such misuse is suspected.
Procedures should be designed to result in working papers that might be
used in subsequent court action. All potential evidence must be subject to
an appropriate chain of custody from the time of acquisition.
 Software tools available to the internal auditor include backups of files,
utilities to recover deleted files, search utilities, sorting and extraction
tools, and so on.
 Examine how ACL can be used to conduct a
payroll fraud investigation.
The data extraction, sort, compare, merge, and calculation functions
within ACL can be used in a variety of fraud investigation applications.
In a payroll fraud investigation, for example, the payroll or employee
data can be downloaded and sorted for duplicate bank account or
address information.
Comparisons can be done between actual amounts paid to
employees and those approved in data obtained from the personnel
department.
Calculations can be independently verified to test for possible
fraudulent manipulation of the payroll software.