This document outlines the steps of a system-based audit approach. It discusses understanding the business and internal control system, identifying risks and controls, testing controls, and documenting results. The key aspects of a system-based audit include understanding the entity's processes, identifying risks to the achievement of process objectives, identifying and testing relevant controls, and assessing residual risk.

1. © OECD
A joint initiative of the OECD and the European Union, principally financed by the EU
Tirana, 10-12 September 2014
Workshop System Based Auditing
Steps of System Based Audit approach

2. 2

3. 3

4. 6.1 Steps of SBA?
Steps audit of system
•Understanding the business
•Evaluating Internal control system
•Testing Internal control system
4

5. 6.2 Activities for SBA engagement
•Understand the entity/process
•Identify the risks
•Identify the controls
•Perform compliance tests
•Assess the residual risk
•Document the results
5

6. 6.3 Understand the process
Objectives
 identify process objectives
Activities
 identify activities that are relevant to the identified process objectives
Description
 document the process in brief description (flowchart)
6

7. 6.4 Identify risks
Risks threatens achievement of
identified process objectives.
Two elements for classification:
1.Impact
2.likelihood
7

8. 6.5 Risk classification
Impact
LOW
MEDIUM
HIGH
Likelihood
HIGH
Medium
High
High
MEDIUM
Low
Medium
High
LOW
Low
Low
Medium
8

9. 6.6 How to identify risks?
Two steps
•identify the points within the flow of transactions where data is initiated, transferred, or changed
•identify “what can go wrong” to achieve the management assertions
,
9

10. 6.7 What are management assertions?
Assertion – is a representation, explicit or implicit, that is embodied in the activities, financial transactions and information pertaining to the audited entity, used by the auditor in considering different types of potential deviations.
In the context of compliance audit, the compliance assertion would mean that the entity, including responsible public sector officials, is acting in accordance with applicable authorities (crtteria).
Assertions may be embodied in subject matter information presented by the audited entity or stated explicitly in a management representation letter.

11. 6.8 Management Assertions
111111
3
Transaction-related:
Occurrence
Completeness
Accuracy
Timing
Classification
Regularity
Balance-related: Existence Completeness Rights and obligations Disclosure Valuation and allocation

12. 6.9 Criteria ISSAI 4100 Chapter 6
The criteria, or the benchmarks against which the subject matter will be compared, must also be identified.
In performing compliance audits, the identification of the criteria is an essential step in the audit planning process.

13. 6.10 Examples criteria ISSAI 4100 Chapter 6
a)Relevant
b)Reliable
c)Complete
d)Objective
e)Understandable
f)Comparable
g)Acceptable
h)Available

14. 6.11 Identify controls
Definition
Controls are all actions undertaken to
mitigate risks
Technique
Interviews
Document analysis
14

15. 6.12 Types of control
•Organizational
•Segregation of duties
•Physical
•Authorisation and approval
•Arithmetical and accounting
•Personnel
•Supervision
•Management
15

16. 6.13 Test of controls
Test of controls is an audit procedure designed to evaluate the operating effectiveness of controls in preventing, detecting and correcting material misstatements in the assertion level of the management
16

17. 6.14 Test of control: how?
•Interview: use of questionnaires
•Walk-though tests
•Direct observations
•Reperformance
17

18. 6.15 Test of control: when?
•Throughout the audit period: every month, periods of absence of key staff
•All types of transaction processes through the system: high volume, low value transactions, unusual transactions, re-processed rejected transactions
•Negative and positive evidence
18

19. 6.16 After test of control : residual risk
The risk to the process that remains after the controls
RISK CONTROLS
RESIDUAL RISK
19

20. 6.17 Residual risk rating
risk
HIGH
MEDIUM
LOW
Controls
HIGH
Low
Low
Low
MEDIUM
Medium
Low
Low
LOW
High
Medium
Low
20

21. 6.18 Evaluation of internal control
•Excellent: all major risks addressed and controls likely to be effective
•Good: most major risks addressed and/or controls likely to be generally effective
•Fair: control sytem seems generally reasonable, but danger of some control failures
•Poor: risk not addressed and/or control failures likely
21

22. 6.19 Document the results
1.Description of the process
2.Compliance test of process
3.System Analysis Document with references to 1 and 2
(Working paper is available)
22

23. QUESTIONS?
23