<ul><li>The purpose of this documentation is to: </li></ul><ul><li>provide details of problems encountered, evidence of wo...
<ul><li>The purpose of this documentation is to: </li></ul><ul><li>demonstrate to interested parties that the audit work h...
<ul><li>Once internal auditors have discovered the controls that actually exist and made notes of these they can go on to ...
<ul><li>The really professional auditors : </li></ul><ul><li>When they go on to test the controls that they have identifie...
The Fraud Triangle Motive Opportunity Rationalization
SEATA <ul><li>Risk Definition </li></ul><ul><li>What is Risk ? </li></ul>
Understanding Risk in Internal Audit SML Curve Return Risk Deviation from Return is Risk
The  Risk  Spectrum  for  any organization  in  general. Operational Risk Credit Risk Market Risk Liquidity Risk Reputatio...
How  ACTIVE DATA  can be used to achieve your risk management objectives
The  Risk  Spectrum   for  any organization  in  general . Operational Risk Credit Risk Market Risk Liquidity Risk Reputat...
Operational Risk and Challenges for Banks SML Curve Return Risk Deviation from Return is Risk
The SEATA AIG-Caat Approach   Risk Definition Product Risk General Risk Business Risk Critical Product Controls Business P...
System Documentation Internal Control Questionnaire (ICQ) Narrative Notes (Interviewing Notes) Flow Charts Analytical Revi...
System Documentation Internal Control Questionnaire (ICQ) Narrative Notes (Interviewing Notes) Flow Charts Analytical Revi...
Evaluate  (THEORETICAL)  Adequacy Determine the  Existence  of Controls System Appraisal Memorandum (Sam)
System Appraisal Memorandum (Sam) Part I  SYSTEM APPRAISAL   ADEQUATE IF NOT ADEQUATE           W.P.'s  REPORT   SYSTEM CO...
System Appraisal Memorandum (Sam) 2 Transaction Authorisation             Methods of transaction approval must be defined ...
System Appraisal Memorandum (Sam) 5 Integrity of Processing           Methods must exist to ensure there is control on acc...
System Appraisal Memorandum (Sam)     ADEQUATE IF NOT ADEQUATE           W.P.'s  REPORT     YES NO  N/A REF. SHEET NO. 6 I...
System Appraisal Memorandum (Sam) 8 Verification of Reports and Files             Methods must exist to ensure that report...
System Appraisal Memorandum (Sam)     ADEQUATE IF NOT ADEQUATE           W.P.'s  REPORT     YES NO  N/A REF. SHEET NO. 11 ...
System Appraisal Memorandum (Sam) PART II IMPACT OF WEAKNESS             WEAKNESS IMPACT OF THE WEAKNESS T.A.P REF.       ...
System Appraisal Memorandum (Sam) OVERALL CONCLUSION FOR  Preliminary  REPORT PART III <ul><li>The system of internal cont...
Evaluate  (THEORETICAL)  Adequacy Determine the  Existence  of Controls System Appraisal Memorandum (Sam) TAILORED AUDIT P...
Execution  of TAILORED AUDIT PROGRAM (TAP) Compliance Testing Substantive Testing Report Sheet AIG-Caat Effectiveness Accu...
AIG-Caat Application of Benford Law for Discovery Sampling Techniques in Analytical Review Procedures Software Assurance P...
FORM OPINION TAKE UP MEETING ISSUE REPORT
 
More Information <ul><li>CFE-In-Practice </li></ul><ul><ul><li>www.cfe-in-practice.com </li></ul></ul><ul><li>[Contact Per...

SEATA by TOMMY SEAH


SEATA PPT Presentation for FREE Download by TOMMY SEAH from CFE-In-Practice

Published in: Education, Business, Technology

Transcript of "SEATA by TOMMY SEAH"

  1. Administrative Details
     • 9.30 - 10.15 Introductory Lectures
     • 10.15 - 10.30 Coffee Break
     • 10.30 - 12.00 Product Lecture
     • 12.00 - 2.00 Lunch
     • 2.00 - 3.00 Case Study
     • 3.00 - 3.15 Tea Break
     • 3.15 - 4.00 Exercises and Q & A
     • 4.00 - End of Day
     CFE-In-Practice
  2. AUDIT DOCUMENTATION - TOOLS & TECHNIQUES for THE INTERNAL AUDITOR
     Tommy Seah CFE, Vice Chairman of the ACFE Board of Regents (Texas, USA) World Headquarters CFE-In-Practice
  3. Tools and Techniques for the Internal Auditor
     Objective: Conduct an audit from beginning to end. Learn to understand risks and to identify, evaluate, and document internal controls. Use the preliminary survey to determine how and what to audit. Discover the best techniques for gathering audit evidence and preparing working papers. Enhance interpersonal and team-building skills throughout the audit. Understand the audit communication process.
  4. How do we achieve our objectives?
     • The Internal Auditor's Roles and Responsibilities
     • Audit responsibilities and general audit objectives
        • Types of internal audits and factors impacting audit emphasis
        • Attributes of the 21st century internal auditor
     • The Audit Model - Performance of Audit Work
        • Overview of the audit process
        • Plan the audit - the preliminary survey, audit objectives, scope, and audit program
        • Examine and evaluate information during fieldwork
        • Communicate results
        • Perform follow-up procedures
  5. How do we achieve our objectives?
     • Internal Control
        • Establish management's responsibility for control
        • Identify internal audit's responsibility regarding control
        • Introduce the SEATA control model
     • Internal control components and factors
        • Learn the various types of controls
        • Understand the difference between exception and objective controls
     • Review tools for documenting and evaluating internal controls
  6. SEATA PHILOSOPHY
     SEATA is defined as being "an approach to auditing that is concerned with risks, determines specific audit objectives to meet those risks and utilizes a thorough evaluation of the system of internal control as a basis for determining the audit procedures necessary to accomplish the specific audit objectives."
  7. The SEATA approach is equally applicable in all types of audit - financial, operating or IT related, as well as with manual and automated systems.
  8. The consequence of undetected risk is a potential detriment to any organization, ranging from loss of cash or income to dissatisfied customers or operational inefficiency.
  9. Classified below are the general consequences of risks: 1. Loss of management control OVER ASSETS.
  10. • prescribed controls not being followed, AFFECTING CONTROL AND SECURITY
     • accuracy of accounts and reports is not ensured, RESULTING IN INACCURATE PROFIT AND LOSS
  11. • Financial assets are not safeguarded DUE TO POOR FINANCIAL MANAGEMENT
     • Transactions are not properly authorized LEADING TO ABUSAGE OF POWER
  12. 2. A potential cash loss
  13. 3. A potential reduction in income DUE TO BAD FUNDING
  14. 4. Inaccurate accounting data and reports INCURRING THE WRATH OF THE REGULATORY BODIES
  15. 5. Fines or embarrassment to the organization.
  16. 6. Poor customer relations
  17. 7. Operational inefficiency
  18. 8. Loss of business license
  19. Risk
     The threat that an event or action will adversely affect the organization's
     • ability to achieve its business objectives, and
     • execute its strategies effectively
  20. The Risk Spectrum for business in general.
     • CREDIT
     • LIQUIDITY
     • MARKET
     • OPERATIONAL
  21. CREDIT RISK: The potential earnings volatility caused by obligors defaulting on their obligations and the adequacy of collateral, if any.
  22. LIQUIDITY RISK: The potential earnings volatility arising from being unable to fund portfolio assets at reasonable rates over required maturities.
  23. MARKET RISK: The potential value and earnings volatility in the trading and structural books due to market price changes.
  24. OPERATIONAL RISK: The potential loss caused by breakdown in information technology, communication and transaction processing. Operational Risk includes, inter alia, execution risk, information risk, relationship risk, legal/fiduciary risk and employee risk.
  25. CFE-In-Practice offers a comprehensive range of business and technology consulting services for banking and capital markets. We offer Consultancy and Implementation for Third Party Independent SOX and/or AML and/or ISO 17799 Compliance Certification of your systems.
  26. CFE-In-Practice
  27. CFE-In-Practice: Banking Industry, Technology, IT Program Management
     • AML Certification
     • Clearance Alternatives
     • Execution and Clearing
     • Infrastructure Re-alignment
     • Workflow Simplification
     • Application Evaluation
     • Multi-Currency System
     • Skills Assessment
     • System Conversion
     • Sarbanes-Oxley Compliance
     • Establish "RFT"
     • Identify IT Security needs
     • Project Management
     • Project Staffing
     • Project Supervision
  28. CFE-In-Practice: Executive Coaching, Corporate Governance, Litigation Support
     • Conflict Resolution
     • Leadership Skills
     • Managerial Skills
     • Motivational Strategies
     • Productivity Enhancements
     • Operations Infrastructure
     • Board of Directors
     • Performance Diagnosis
     • Technology Assessment
     • SOX Certification
     • Authoritative Opinion
     • Expert Testimony
     • Industry Best Practices
  29. What is SEATA? The Auditor's Tool.
  30. General Function of Internal Audit
     • What is the role of the internal auditor?
     • What really is internal audit?
     • What should be the expectation of the internal auditors?
     • Is there a way to check on the internal auditor?
     • How to protect yourselves when being audited?
     (Systems Evaluation Approach Towards Auditing)
  31. But first, the relationship between:
     • Internal Audit
     • Compliance
     • Risk Management
  32. Systems Evaluation Approach Towards Auditing
     • Control Objectives and Key Controls
     • The Core of an Internal Audit Assignment
  33. • Internal auditors are of course in favor of controls.
     • There is really nothing profound or mysterious about auditing.
  34. From the professional Auditor's perspective:
     • Controls should be there for a purpose.
     • The purpose is to ensure that the system or process achieves its objectives.
  35. • Controls are only needed to reduce the risks to the achievement of these objectives to an acceptable level.
     • Thus, there may be circumstances when internal auditors suggest that certain controls should be removed, for example, if they do not contribute to the reduction of significant risks.
  36. The systems audit approach revolves around the objectives of the system
     • i.e. should existing controls provide sufficient assurance to the senior managers and directors of the organisation that the system will achieve its objectives?
  37. And does the internal control system currently reduce the chance of things going wrong (or not going right) to an acceptable level?
  38. • Before internal auditors start each audit assignment they need to be clear about the relevant organizational and management objectives.
     • Are the internal auditors clear about this?
  39. Control Objectives in SEATA
     • Control objectives should form the framework of each systems audit assignment.
     • They should detail the various aspects of a system's objectives.
  40. Control Objectives in SEATA
     • They identify specific objectives against which internal auditors can evaluate existing controls.
     • Control objectives should be specific enough to provide the basis for this evaluation.
     • Generalizations such as "to ensure that support services are adequate" should be avoided.
  41. Comprehensive control objectives can be developed for any system by considering the following areas of control:
     • Has the system been adequately planned?
     • Are the operations adequately supervised and controlled?
  42. Comprehensive control objectives can be developed for any system by considering the following areas of control:
     • Is the system periodically reviewed?
     • Is suitable management information produced?
  43. Internal auditors need to determine that the manager who is responsible for the system to be audited agrees with the objectives assigned to the system and the control objectives which audit have developed.
  44. These should be agreed at the initial meeting with the EIC, who should also be requested to formally sign up to the agreed scope and objectives for the audit assignment during the pre-audit meeting.
  45. Key controls
     • Once the control objectives have been agreed, internal auditors need to identify the controls that they consider necessary to provide assurance that each of these objectives is being achieved. These are what may be termed the key controls.
  46. Key controls
     • If the internal auditor is "lucky", control schedules will have been developed for the relevant system.
     • These schedules should document the standard control objectives for such a system and the associated expected key controls.
  47. SEATA
     • The purpose of the schedule of expected key controls is to assist in the evaluation of the actual controls identified during the audit.
     • It is imperative that the expected controls are reviewed critically to ensure that they are appropriate. HOW?
  48. SEATA
     • The standard key expected controls will not always be relevant and may have to be adapted to the particular system that is reviewed.
     • Do not jump to conclusions. There can always be compensating controls.
  49. SEATA
     • If internal auditors do not identify the key expected controls, there is a danger that they will concentrate purely on the actual controls in place and fail to identify those that are missing.
     • Identification of key controls should ensure that audit time is spent efficiently by concentrating on the key control aspects of the system under review.
  50. SEATA
     • There may be many other controls; however, the key controls are the more important controls and are the basic controls that are necessary to ensure that each control objective is achieved and all significant risks are adequately managed.
     • The audit should concentrate on assessing the adequacy and reliability of these key controls.
  51. SEATA
     • Identification and documentation of existing controls.
     • Systems auditing should be a critical assessment of the controls currently in place against control objectives agreed for the system.
     • Thus, identifying existing controls is one of the central tasks of systems audit.
  52. SEATA
     • Internal auditors cannot assess, test or suggest improvements to the internal control environment unless they have a clear and comprehensive view of all of the controls that currently operate.
     • Documenting the existing controls should help auditors understand these controls and form a basis for the evaluation of the controls and the development of their testing strategy.
  53. SEATA
     There may be a wide range of sources of information available to internal auditors about how a system operates. These may include:
     • interviewing staff and their managers;
     • reviewing existing documentation;
  54. SEATA
     There may be a wide range of sources of information available to internal auditors about how a system operates. These may include:
     • observation of working practices;
     • reviewing previous audit reports.
  55. SEATA
     • The most important source of information will usually be the staff working with the system.
     • They know how the system actually operates and should have a reasonable idea of how practical any improvements may be.
  56. SEATA
     • Thus interviewing skills are essential for all internal auditors.
     • They need to be able to understand what may be a complex system.
     • They also need to be able to critically assess each stage of the process; i.e. why is it performed? Could it be undertaken more efficiently?
  57. SEATA
     • Staff who operate the system will know what they do, but not necessarily why they do it.
     • They may also try and explain the system in the most positive light.
     • The skill of internal audit is to enable all the staff they interview to open up and tell them what they actually do (not just what they think they should do) and to describe any aspects they think could be improved.
  58. SEATA
     • Understanding why each task is undertaken may be more difficult. Staff may just do it "because we've always done it that way" or even worse "because the auditors told us to!"
  59. SEATA - Other places to look
     • Auditors may review documentation such as statutes, circulars, committee reports, job descriptions, organisation charts, policy and procedure manuals and financial regulations.
  60. SEATA - Other places to look
     • These may record how a system is supposed to work, but may not necessarily reflect actual practice.
     • Internal auditors may consider that the adequacy or otherwise of documentation is an indication of the attitude of management to internal control.
  61. SEATA - Other places to look
     • Observation of the physical environment and working methods should provide internal auditors with further evidence of actual practice.
     • This is a particularly useful method of fact-finding where no physical evidence of an action may have taken place.
  62. SEATA - Other places to look
     • Internal auditors should however be aware that their presence may influence the behavior and practices of staff under review.
  63. SEATA - Other places to look
     • Reports of previous reviews of the system by other internal auditors, external auditors or other review agencies may also be a useful source of information.
     • However, these reports should be read with care. The authors may not have understood the system, they may not have covered all aspects or their reports may be unclear.
  64. SEATA - Other places to look
     • This consideration may allow internal auditors to reflect on the quality of their own reports and system documentation.
  65. SEATA - Other places to look
     • Would these allow other auditors to quickly grasp the most important aspects of the system and its internal controls?
  66. Internal Controls
     • Auditors need to understand how the system operates and the role of all the key procedures, but essentially they are only interested in controls.
     • There is a range of different types of control. The most important may be remembered by the mnemonic SOAP MAPS:
  67. Internal Controls
     • Segregation of duties: the functions of authorizing transactions; recording the transactions; and custody of the associated assets should be undertaken by separate staff.
  68. Internal Controls
     • Organization: there should be a clear organisation chart and all staff should have up to date job descriptions that clearly indicate their responsibilities.
  69. Internal Controls
     • Authorization and approval: all transactions and decisions should be formally authorized by nominated staff.
  70. Internal Controls
     • Physical: there should be suitable controls over access to offices (i.e. including RECORDS, DATA BASE and whatnots), assets, controlled stationery and computer systems.
  71. Internal Controls
     • Management: production of suitable financial and operational management information; use of exception reports; critical review and enquiry by management.
  72. Internal Controls
     • Arithmetical and accounting: checking / re-performing tasks carried out by others; costing (adding up) orders, invoices, payroll etc.; reconciliation between the bank and accounting records; control accounts.
  73. Internal Controls
     • Personnel: appointment of staff should be adequately controlled; all staff should be suitably trained for their post and appraised regularly.
     • Supervision: all staff and activities should be adequately supervised by someone who understands the process and will detect deviations from accepted practice.
  74. 74. Interim Opinion <ul><li>Recording the controls </li></ul><ul><li>All internal audit work should be documented and be sufficient to support the conclusions drawn on the adequacy and reliability of the internal controls. </li></ul>
  75. 75. Interim Opinion <ul><li>Recording the controls </li></ul><ul><li>The main procedures and key controls over significant risks should be clearly and concisely recorded. </li></ul>
  76. 76. Proper housekeeping <ul><li>Audit working papers should include: </li></ul><ul><li>systems notes, in text or graphic form; </li></ul><ul><li>notes of interviews and meetings; </li></ul><ul><li>a record of the current key controls and their reliability; </li></ul><ul><li>an assessment of the extent that existing controls will ensure that each agreed control objective is achieved; and evidence of audit sampling and testing of controls. </li></ul>
  77. 77. <ul><li>There are a number of methods of documenting procedures </li></ul><ul><li>and controls, for example : </li></ul><ul><li>flow charts, </li></ul><ul><li>key control schedules, </li></ul><ul><li>internal control questionnaires and </li></ul><ul><li>narrative notes. </li></ul>
  78. 78. <ul><li>Whatever method is adopted should be used consistently. </li></ul><ul><li>This should make it easier for the system notes to be used for future reviews of the same system. </li></ul><ul><li>Systems documentation should be: </li></ul><ul><ul><li>clear and easy to understand; </li></ul></ul><ul><ul><li>provide a standardized approach; </li></ul></ul><ul><ul><li>highlight risk points and key controls. </li></ul></ul>
  79. 79. <ul><li>The purpose of this documentation is to: </li></ul><ul><li>enable the internal auditors to review the information they have received and to organize their thoughts and knowledge so the internal controls can be systematically assessed and tested; </li></ul>
  80. 80. <ul><li>The purpose of this documentation is to: </li></ul><ul><li>provide details of problems encountered, evidence of work done and conclusions drawn for future reference and to assist the planning of future audits; </li></ul>
  81. 81. <ul><li>The purpose of this documentation is to: </li></ul><ul><li>demonstrate to interested parties that the audit work has been properly planned, controlled, executed and reported. </li></ul>
  82. 82. <ul><li>Once internal auditors have discovered the controls that actually exist and made notes of these they can go on to assess whether these controls should be adequate. </li></ul><ul><li>However, auditors do not usually look upon internal auditing as simply a series of stages that can be completed one after the other. (Those who do that are not real internal auditors – it is just an occupation, a job, paper pushers.) </li></ul>
  83. 83. <ul><li>The really professional auditors : </li></ul><ul><li>When they go on to test the controls that they have identified, they may discover further controls or that some controls are not actually operating as expected. </li></ul><ul><li>They will then have to go back and revise their system notes to ensure these reflect the actual controls that are operating in practice. </li></ul>
  84. 84. The Fraud Triangle Motive Opportunity Rationalization
  85. 85. SEATA <ul><li>Risk Definition </li></ul><ul><li>What is Risk ? </li></ul>
  86. 86. Understanding Risk in Internal Audit [Figure: SML curve plotting Return against Risk; caption: Deviation from Return is Risk]
  87. 87. The Risk Spectrum for any organization in general. Operational Risk Credit Risk Market Risk Liquidity Risk Reputational Risk
  88. 88. How ACTIVE DATA can be used to achieve your risk management objectives
  89. 89. The Risk Spectrum for any organization in general . Operational Risk Credit Risk Market Risk Liquidity Risk Reputational Risk
  90. 90. Operational Risk and Challenges for Banks [Figure: SML curve plotting Return against Risk; caption: Deviation from Return is Risk]
  91. 91. The SEATA AIG-Caat Approach Risk Definition Product Risk General Risk Business Risk Critical Product Controls Business Policy General Controls System Documentation
  92. 92. System Documentation Internal Control Questionnaire (ICQ) Narrative Notes (Interviewing Notes) Flow Charts Analytical Review Procedures (ARP) and Quantitative Testing i.e. MfV concepts and Economic Capital allocation test. Depth Tests Determine the Existence of Controls
  93. 93. System Documentation Internal Control Questionnaire (ICQ) Narrative Notes (Interviewing Notes) Flow Charts Analytical Review Procedures (ARP) and Quantitative Testing i.e. MfV concepts and Economic Capital allocation test. Evaluate (THEORETICAL) Adequacy Determine the Existence of Controls
  94. 94. Evaluate (THEORETICAL) Adequacy Determine the Existence of Controls System Appraisal Memorandum (Sam)
  95. 95. System Appraisal Memorandum (Sam) Part I: System Appraisal. Form columns: System Control Objectives; Adequate (Yes / No / N/A); If Not Adequate; W.P.'s Ref.; Report Sheet No. <ul><li>1. Transaction or Event Recognition: Methods must exist to ensure that all transactions will be identified and recorded, with control established close to the source of the transaction. </li></ul>
  96. 96. System Appraisal Memorandum (Sam) <ul><li>2. Transaction Authorisation: Methods of transaction approval must be defined, with effective procedures to detect and clear errors and with the responsibility for approval being at the right level. </li></ul><ul><li>3. Transaction Acceptance: There must be an effective control on converting data to the form used for accounting or record keeping which will ensure that errors will be detected and cleared and lost transactions will be identified. </li></ul><ul><li>4. Account of File Classification: Methods must exist to ensure consistency in making account allocations. </li></ul>
  97. 97. System Appraisal Memorandum (Sam) <ul><li>5. Integrity of Processing: Methods must exist to ensure there is control on accuracy of data during processing, that only valid files will be used and errors, lost transactions and transactions processed twice will be detected, ensuring that corrected transactions will be properly represented. </li></ul>
  98. 98. System Appraisal Memorandum (Sam) Form columns: System Control Objectives; Adequate (Yes / No / N/A); If Not Adequate; W.P.'s Ref.; Report Sheet No. <ul><li>6. Interface Compatibility: Methods must exist to ensure that common data is used wherever possible and, in interfacing systems, that the information is consistent and compatible and is reconciled, while the means to integrate interfacing systems should be thoroughly explored. </li></ul><ul><li>7. Accuracy of Reports: Methods must exist to ensure that output is reconciled to input, that reporting is complete, meets the requirements of management and is distributed correctly on a timely basis, while ensuring management trails are adequate. </li></ul>
  99. 99. System Appraisal Memorandum (Sam) <ul><li>8. Verification of Reports and Files: Methods must exist to ensure that management reports are reconciled with underlying data files, with regular comparison of physical items where possible. </li></ul><ul><li>9. Error Correction: Methods must exist to ensure that all errors occurring at each state of the transaction process will be corrected and reprocessed on a timely basis. </li></ul><ul><li>10. Asset Access Restriction: Methods must exist to ensure that access to assets will be restricted and assets safeguarded. </li></ul>
  100. 100. System Appraisal Memorandum (Sam) Form columns: System Control Objectives; Adequate (Yes / No / N/A); If Not Adequate; W.P.'s Ref.; Report Sheet No. <ul><li>11. Organization: There must be proper segregation between functions of custody, authorisation and recording. </li></ul>
  101. 101. System Appraisal Memorandum (Sam) Part II: Impact of Weakness. Form columns: Weakness; Impact of the Weakness; T.A.P. Ref.
  102. 102. System Appraisal Memorandum (Sam) Part III: Overall Conclusion for Preliminary Report <ul><li>The system of internal control is appraised to be </li></ul><ul><li>Satisfactory </li></ul><ul><li>Satisfactory however… </li></ul><ul><li>Satisfactory except for… </li></ul><ul><li>Unsatisfactory </li></ul><ul><li>We are unable to express an opinion because… </li></ul>
  103. 103. Evaluate (THEORETICAL) Adequacy Determine the Existence of Controls System Appraisal Memorandum (Sam) TAILORED AUDIT PROGRAM (TAP)
  104. 104. Execution of TAILORED AUDIT PROGRAM (TAP) Compliance Testing Substantive Testing Report Sheet AIG-Caat Effectiveness Accuracy
  105. 105. AIG-Caat Application of Benford Law for Discovery Sampling Techniques in Analytical Review Procedures Software Assurance Process
  106. 106. FORM OPINION TAKE UP MEETING ISSUE REPORT
  107. 108. More Information <ul><li>CFE-In-Practice </li></ul><ul><ul><li>www.cfe-in-practice.com </li></ul></ul><ul><li>[Contact Person] </li></ul><ul><ul><li>[Tommy Seah], ACFE Vice Chairman, Regent </li></ul></ul><ul><ul><li>[(65) 9106 9872] </li></ul></ul><ul><ul><li>[tommy@cfe-in-practice.com] </li></ul></ul>