Tommy Seah CFE, Vice Chairman of the ACFE Board of Regents (Texas, USA) World Headquarters CFE-In-Practice
Tools and Techniques for the Internal Auditor
Objective
Conduct an audit from beginning to end.
Learn to understand risks and to identify, evaluate, and document internal controls.
Use the preliminary survey to determine how and what to audit.
Discover the best techniques for gathering audit evidence and preparing working papers.
Enhance interpersonal and team-building skills throughout the audit.
Understand the audit communication process.
How do we achieve our objectives?
The Internal Auditor's Roles and Responsibilities
Audit responsibilities and general audit objectives
Types of internal audits and factors impacting audit
Review tools for documenting and evaluating internal controls
SEATA PHILOSOPHY
SEATA is defined as being "an approach to auditing that is concerned with risks, determines specific audit objectives to meet those risks and utilizes a thorough evaluation of the system of internal control as a basis for determining the audit procedures necessary to accomplish the specific audit objectives."
The SEATA approach is equally applicable in all types of audit, whether financial, operating or IT related, and with manual as well as automated systems.
The consequence of undetected risk is a potential detriment to any organization, ranging from loss of cash or income to dissatisfied customers or operational inefficiency.
Classified below are the general consequences of risks:
1. Loss of management control OVER ASSETS.
Prescribed controls not being followed, AFFECTING CONTROL AND SECURITY
Accuracy of accounts and reports is not ensured, RESULTING IN INACCURATE PROFIT AND LOSS
Financial assets are not safeguarded DUE TO POOR FINANCIAL MANAGEMENT
Transactions are not properly authorized, LEADING TO ABUSE OF POWER
2. A potential cash loss
3. A potential reduction in income DUE TO BAD FUNDING
4. Inaccurate accounting data and reports INCURRING THE WRATH OF THE REGULATORY BODIES
5. Fines or embarrassment to the organization.
6. Poor customer relations
7. Operational inefficiency
8. Loss of business license
Risk
The threat that an event or action will adversely affect the organization's ability to achieve its business objectives and execute its strategies effectively.
The Risk Spectrum for business in general.
CREDIT
LIQUIDITY
MARKET
OPERATIONAL
CREDIT RISK: The potential earnings volatility caused by obligors defaulting on their obligations and the adequacy of collateral, if any.
LIQUIDITY RISK: The potential earnings volatility arising from being unable to fund portfolio assets at reasonable rates over required maturities.
MARKET RISK: The potential value and earnings volatility in the trading and structural books due to market price changes.
OPERATIONAL RISK: The potential loss caused by breakdown in information technology, communication and transaction processing. Operational Risk includes, inter alia, execution risk, information risk, relationship risk, legal/fiduciary risk and employee risk.
CFE-In-Practice offers a comprehensive range of business and technology consulting services for banking and capital markets. We offer Consultancy and Implementation for Third Party Independent SOX and/or AML and/or ISO 17799 Compliance Certification of your systems.
CFE-In-Practice
CFE-In-Practice Banking Industry Technology IT Program Management
AML Certification
Clearance Alternatives
Execution and Clearing
Infrastructure Re-alignment
Workflow Simplification
Application Evaluation
Multi-Currency System
Skills Assessment
System Conversion
Sarbanes-Oxley Compliance
Establish "RFT"
Identify IT Security needs
Project Management
Project Staffing
Project Supervision
CFE-In-Practice Executive Coaching Corporate Governance Litigation Support
Conflict Resolution
Leadership Skills
Managerial Skills
Motivational Strategies
Productivity Enhancements
Operations Infrastructure
Board of Directors
Performance Diagnosis
Technology Assessment
SOX Certification
Authoritative Opinion
Expert Testimony
Industry Best Practices
What is SEATA? The Auditor's Tool.
General Function of Internal Audit
What is the role of the internal auditor?
What really is internal audit?
What should be the expectation of the internal auditors?
Is there a way to check on the internal auditor?
How to protect yourselves when being audited?
(Systems Evaluation Approach Towards Auditing)
But first, the relationship between:
Internal Audit
Compliance
Risk Management
Systems Evaluation Approach Towards Auditing
Control Objectives and Key Controls
The Core of an Internal Audit Assignment
Internal auditors are of course in favor of controls.
There is really nothing profound or mysterious about auditing.
From the professional auditor's perspective:
Controls should be there for a purpose.
The purpose is to ensure that the system or process achieves its objectives.
Controls are only needed to reduce the risks to the achievement of these objectives to an acceptable level.
Thus, there may be circumstances when internal auditors suggest that certain controls should be removed, for example, if they do not contribute to the reduction of significant risks.
The systems audit approach revolves around the objectives of the system, i.e. should existing controls provide sufficient assurance to the senior managers and directors of the organisation that the system will achieve its objectives?
And does the internal control system currently reduce the chance of things going wrong (or not going right) to an acceptable level?
Before internal auditors start each audit assignment they need to be clear about the relevant organizational and management objectives.
Are the internal auditors clear about this?
Control Objectives in SEATA
Control objectives should form the framework of each systems audit assignment.
They should detail the various aspects of a system’s objectives.
They identify specific objectives against which internal auditors can evaluate existing controls.
Control objectives should be specific enough to provide the basis for this evaluation.
Generalizations such as "to ensure that support services are adequate" should be avoided.
Comprehensive control objectives can be developed for any system by considering the following areas of control:
Has the system been adequately planned?
Are the operations adequately supervised and controlled?
Is the system periodically reviewed?
Is suitable management information produced?
Internal auditors need to determine that the manager who is responsible for the system to be audited agrees with the objectives assigned to the system and the control objectives which audit has developed.
These should be agreed at the initial meeting with the EIC who should also be requested to formally sign up to the agreed scope and objectives for the audit assignment during the pre-audit meeting.
Key controls
Once the control objectives have been agreed, internal auditors need to identify the controls that they consider necessary to provide assurance that each of these objectives is being achieved. These are what may be termed the key controls.
If the internal auditor is “lucky”, control schedules will have been developed for the relevant system.
These schedules should document the standard control objectives for such a system and the associated expected key controls.
SEATA
The purpose of the schedule of expected key controls is to assist in the evaluation of the actual controls identified during the audit.
It is imperative that the expected controls are reviewed critically to ensure that they are appropriate. HOW?
The standard key expected controls will not always be relevant and may have to be adapted to the particular system that is reviewed.
Do not jump to conclusions. There can always be compensating controls.
If internal auditors do not identify the key expected controls, there is a danger that they will concentrate purely on the actual controls in place and fail to identify those that are missing.
Identification of key controls should ensure that audit time is spent efficiently by concentrating on the key control aspects of the system under review.
There may be many other controls; however, the key controls are the more important ones and are the basic controls that are necessary to ensure that each control objective is achieved and all significant risks are adequately managed.
The audit should concentrate on assessing the adequacy and reliability of these key controls.
Identification and documentation of existing controls.
Systems auditing should be a critical assessment of the controls currently in place against control objectives agreed for the system.
Thus, identifying existing controls is one of the central tasks of systems audit.
Internal auditors cannot assess, test or suggest improvements to the internal control environment unless they have a clear and comprehensive view of all of the controls that currently operate.
Documenting the existing controls should help auditors understand these controls and form a basis for the evaluation of the controls and the development of their testing strategy.
There may be a wide range of sources of information available to internal auditors about how a system operates. These may include:
interviewing staff and their managers;
reviewing existing documentation;
observation of working practices;
reviewing previous audit reports.
The most important source of information will usually be the staff working with the system.
They know how the system actually operates and should have a reasonable idea of how practical any improvements may be.
Thus interviewing skills are essential for all internal auditors.
They need to be able to understand what may be a complex system.
They also need to be able to critically assess each stage of the process; i.e. why is it performed? Could it be undertaken more efficiently?
Staff who operate the system will know what they do, but not necessarily why they do it.
They may also try and explain the system in the most positive light.
The skill of internal audit is to enable all the staff they interview to open up and tell them what they actually do (not just what they think they should do) and to describe any aspects they think could be improved.
Understanding why each task is undertaken may be more difficult. Staff may just do it "because we've always done it that way" or even worse "because the auditors told us to!"
SEATA - Other places to look
Auditors may review documentation such as statutes, circulars, committee reports, job descriptions, organisation charts, policy and procedure manuals and financial regulations.
These may record how a system is supposed to work, but may not necessarily reflect actual practice.
Internal auditors may consider that the adequacy or otherwise of documentation is an indication of the attitude of management to internal control.
Observation of the physical environment and working methods should provide internal auditors with further evidence of actual practice.
This is a particularly useful method of fact-finding where there may be no physical evidence that an action has taken place.
Internal auditors should however be aware that their presence may influence the behavior and practices of staff under review.
Reports of previous reviews of the system by other internal auditors, external auditors or other review agencies may also be a useful source of information.
However, these reports should be read with care. The authors may not have understood the system, they may not have covered all aspects or their reports may be unclear.
This consideration may allow internal auditors to reflect on the quality of their own reports and system documentation.
Would these allow other auditors to quickly grasp the most important aspects of the system and its internal controls?
Internal Controls
Auditors need to understand how the system operates and the role of all the key procedures, but essentially they are only interested in controls.
There is a range of different types of control. The most important may be remembered by the mnemonic SOAP MAPS:
Segregation of duties: the functions of authorizing transactions, recording the transactions, and custody of the associated assets should be undertaken by separate staff.
Organization: there should be a clear organisation chart and all staff should have up-to-date job descriptions that clearly indicate their responsibilities.
Authorization and approval: all transactions and decisions should be formally authorized by nominated staff.
Physical: there should be suitable controls over access to offices (including records, databases and whatnot), assets, controlled stationery and computer systems.
Management: production of suitable financial and operational management information; use of exception reports; critical review and enquiry by management.
Arithmetical and accounting: checking / re-performing tasks carried out by others; costing (adding up) orders, invoices, payroll etc.; reconciliation between the bank and accounting records; control accounts.
Personnel: appointment of staff should be adequately controlled; all staff should be suitably trained for their post and appraised regularly.
Supervision: all staff and activities should be adequately supervised by someone who understands the process and will detect deviations from accepted practice.
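The segregation-of-duties control listed above can be tested across a whole transaction population rather than a sample. The following is an added example, not part of the original slides; the log layout, function labels and staff names are assumptions constructed for illustration.

```python
from collections import defaultdict

# The three functions the slides say must be held by separate staff.
FUNCTIONS = ("authorize", "record", "custody")

# Constructed sample log: (transaction id, function performed, staff id).
SAMPLE_LOG = [
    ("T-1001", "authorize", "alice"),
    ("T-1001", "record", "bob"),
    ("T-1001", "custody", "carol"),
    ("T-1002", "authorize", "dave"),
    ("T-1002", "record", "dave"),      # same person authorizes and records
    ("T-1002", "custody", "carol"),
    ("T-1003", "record", "bob"),       # never authorized
    ("T-1003", "custody", "erin"),
    ("T-1004", "authorize", "alice"),
    ("T-1004", "authorize", "frank"),  # second approver also holds custody
    ("T-1004", "record", "bob"),
    ("T-1004", "custody", "frank"),
]


def review_segregation(log):
    """Return {txn_id: [finding, ...]} for transactions that break the control."""
    actors = defaultdict(lambda: defaultdict(set))  # txn -> function -> staff
    for txn, function, staff in log:
        if function not in FUNCTIONS:
            raise ValueError(f"unknown function {function!r} on {txn}")
        actors[txn][function].add(staff)

    findings = {}
    for txn in sorted(actors):
        by_function = actors[txn]
        # A function nobody performed is a gap (e.g. an unauthorized transaction).
        issues = [f"missing {f}" for f in FUNCTIONS if not by_function[f]]
        # Any staff member appearing under two functions is a conflict.
        for i, first in enumerate(FUNCTIONS):
            for second in FUNCTIONS[i + 1:]:
                for staff in sorted(by_function[first] & by_function[second]):
                    issues.append(f"{staff} performed {first} and {second}")
        if issues:
            findings[txn] = issues
    return findings


def exception_rate(log):
    """Share of transactions with at least one finding, for the working papers."""
    txns = {txn for txn, _, _ in log}
    return len(review_segregation(log)) / len(txns) if txns else 0.0


if __name__ == "__main__":
    for txn, issues in review_segregation(SAMPLE_LOG).items():
        print(txn, "->", "; ".join(issues))
    print(f"exception rate: {exception_rate(SAMPLE_LOG):.0%}")
```

A finding is a prompt to look for compensating controls, such as a supervisor's independent review, before it is reported as a weakness.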
Interim Opinion
Recording the controls
All internal audit work should be documented and be sufficient to support the conclusions drawn on the adequacy and reliability of the internal controls.
The main procedures and key controls over significant risks should be clearly and concisely recorded.
Proper housekeeping
Audit working papers should include:
systems notes, either in text or graphics, whatever;
notes of interviews and meetings;
a record of the current key controls and their reliability;
an assessment of the extent that existing controls will ensure that each agreed control objective is achieved; and
evidence of audit sampling and testing of controls.
There are a number of methods of documenting procedures and controls, for example:
flow charts,
key control schedules,
internal control questionnaires and
narrative notes.
Whatever method is adopted should be used consistently.
This should make it easier for the system notes to be used for future reviews of the same system.
Systems documentation should:
be clear and easy to understand;
provide a standardized approach;
highlight risk points and key controls.
The purpose of this documentation is to:
enable the internal auditors to review the information they have received and to organize their thoughts and knowledge so the internal controls can be systematically assessed and tested;
provide details of problems encountered, evidence of work done and conclusions drawn for future reference and to assist the planning of future audits;
demonstrate to interested parties that the audit work has been properly planned, controlled, executed and reported.
Once internal auditors have discovered the controls that actually exist and made notes of these, they can go on to assess whether these controls should be adequate.
However, auditors do not usually look upon internal auditing as simply a series of stages that can be completed one after the other. (Those who do that are not real internal auditors – it is just an occupation, a job, paper pushers.)
The really professional auditors:
When they go on to test the controls that they have identified, they may discover further controls or that some controls are not actually operating as expected.
They will then have to go back and revise their system notes to ensure these reflect the actual controls that are operating in practice.
The Fraud Triangle: Motive, Opportunity, Rationalization
SEATA
Risk Definition
What is Risk?
Understanding Risk in Internal Audit
[Figure: SML curve, axes Return and Risk. Deviation from Return is Risk.]
The Risk Spectrum for any organization in general: Operational Risk, Credit Risk, Market Risk, Liquidity Risk, Reputational Risk
How ACTIVE DATA can be used to achieve your risk management objectives
Operational Risk and Challenges for Banks
[Figure: SML curve, axes Return and Risk. Deviation from Return is Risk.]
The SEATA AIG-Caat Approach
[Diagram labels, in slide order: Risk Definition; Product Risk; General Risk; Business Risk; Critical Product Controls; Business Policy; General Controls; System Documentation; Internal Control Questionnaire (ICQ); Narrative Notes (Interviewing Notes); Flow Charts; Analytical Review Procedures (ARP) and Quantitative Testing, i.e. MfV concepts and Economic Capital allocation test; Depth Tests; Determine the Existence of Controls; Evaluate (THEORETICAL) Adequacy; System Appraisal Memorandum (Sam)]
System Appraisal Memorandum (Sam)
Part I: SYSTEM APPRAISAL
Form columns: SYSTEM CONTROL OBJECTIVES | ADEQUATE (YES / NO / N/A) | IF NOT ADEQUATE: W.P.'s REF. | REPORT SHEET NO.
1. Transaction or Event Recognition: Methods must exist to ensure that all transactions will be identified and recorded with control established close to the source of the transaction.
2. Transaction Authorisation: Methods of transaction approval must be defined with effective procedures to detect and clear errors with the responsibility for approval being at the right level.
3. Transaction Acceptance: There must be an effective control on converting data to the form used for accounting or record keeping which will ensure that errors will be detected and cleared and lost transactions will be identified.
4. Account of File Classification: Methods must exist to ensure consistency in making account allocations.
5. Integrity of Processing: Methods must exist to ensure there is control on accuracy of data during processing, that only valid files will be used and errors, lost transactions and transactions processed twice will be detected, ensuring that corrected transactions will be properly represented.
6. Interface Compatibility: Methods must exist to ensure that common data is used wherever possible and in interfacing systems that the information is consistent and compatible and is reconciled while the means to integrate interfacing systems should be thoroughly explored.
7. Accuracy of Reports: Methods must exist to ensure that output is reconciled to input, that reporting is complete, meets the requirements of management and is distributed correctly on a timely basis while ensuring management trails are adequate.
8. Verification of Reports and Files: Methods must exist to ensure that reports management are reconciled with underlying data files, that regular comparison of physical items where possible.
9. Error Correction: Methods must exist to ensure that all errors occurring at each state of the transaction process will be corrected and reprocessed on a timely basis.
10. Asset Access Restriction: Methods must exist to ensure that access to assets will be restricted and assets safeguarded.
11. Organization: There must be proper segregation between functions of custody, authorisation and recording.
Part II: IMPACT OF WEAKNESS
Form columns: WEAKNESS | IMPACT OF THE WEAKNESS | T.A.P REF.
Part III: OVERALL CONCLUSION FOR Preliminary REPORT
The system of internal control is appraised to be
Satisfactory
Satisfactory however………
Satisfactory except for…….
Unsatisfactory
We are unable to express an opinion because………..
[Diagram labels, in slide order: Determine the Existence of Controls; Evaluate (THEORETICAL) Adequacy; System Appraisal Memorandum (Sam); TAILORED AUDIT PROGRAM (TAP); Execution of TAILORED AUDIT PROGRAM (TAP); Compliance Testing; Substantive Testing; Report Sheet; AIG-Caat; Effectiveness; Accuracy]
AIG-Caat: Application of Benford's Law for Discovery Sampling Techniques in Analytical Review Procedures. Software Assurance Process.