Date post: | 06-Jul-2015 |
Category: | Government & Nonprofit |
© OECD
A joint initiative of the OECD and the European Union, principally financed by the EU
Tirana, 10-12 September 2014
Workshop System Based Auditing
5. System Based Audit approach: What is it about?
5.1 Internal control
• What is the role of internal control in an organisation?
• What is the role of internal control in audit?
5.2 Internal control: ISSAI definition
• ISSAI 4200 paragraph 65:
Understanding internal control is normally an integral part of understanding the entity and the relevant subject matter. The Fundamental Auditing Principles explain that in performing an audit, public sector auditors understand and evaluate the reliability of internal control (ISSAI 300, 3.3.1).
In compliance audit, this includes understanding and evaluating controls that assist management in complying with laws and regulations (ISSAI 300, 3.3.2).
5.3 Internal control: COSO definition
Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives, reporting, and compliance.
http://www.coso.org/documents/990025P_Executive_Summary_final_may20_e.pdf page 3
5.4 Internal control: objectives
• Operations objectives:
Effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.
• Reporting objectives:
Internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or in other terms as set forth by regulators, recognized standard setters, or the entity’s policies.
• Compliance objectives:
Adherence to laws and regulations to which the entity is subject.
5.5 Internal control: COSO Framework
• 1992: Internal Control Framework
• 2004: COSO ERM framework
5.6 Internal control: COSO Internal control framework
• Control environment: sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
• Risk assessment: the entity's process for identifying and analyzing relevant risks to achievement of its objectives, forming a basis for determining how the risks should be managed.
• Control activities: the policies and procedures that help ensure that management directives are carried out.
• Information and communication: these systems support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
• Monitoring of controls: a process that assesses the quality of internal control performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two.
5.7 Systems Based Audit
System Based Audit is an audit in which the nature and depth of the testing depend on the auditor’s assessment of the internal control system and these assessments form the main part of the audit.
5.8 System based audit approach = Risk based
Three elements
1. Inherent Risk
2. Control Risk
3. Detection Risk
Audit Risk = Inherent Risk x Control Risk x Detection Risk
5.9 System based audit approach defines:
• Whether the internal control procedure was performed
• Whether the quality of the performed control procedures was satisfactory
5.10 Direct Tests
Tests for details on major classes of transactions and account balances to obtain evidence to detect material misstatements in the financial statement
5.11 Do we need to use internal control procedures?
When the auditor has no specific requirement to assess the operation of the organisation’s systems of control, or when the internal control procedures are too weak to be relied on, the audit objectives can be achieved without relying on these systems and without undertaking tests of control.
=> DIRECT TESTING
5.12 Direct Testing
The number of substantive tests necessary under Direct Testing will be higher than under the SBA approach!
5.13 Because if Control Risk is:
HIGH => More substantive tests needed
LOW => Not so many substantive tests needed
MODERATE => Number of substantive tests can be reduced
5.14 What are the steps of SBA?
Steps of the audit of the system
• Understanding the business
• Evaluating the internal control system
• Testing the internal control system
Steps of testing transactions and account balances
• Analytical procedures
• Test of transactions
• Test of account details
5.14 Testing of systems
Activities
• What are the risks?
• What are the measures? (design): Gaps?
• Do the measures exist? (practice): Gaps?
• Do the measures function? (practice): Breaches, errors
QUESTIONS?