The fieldwork phase is the heart of the audit process. Everything auditors do in the planning phase drives them to do the right things in fieldwork. Everything auditors do in the reporting phase relates to what was found in fieldwork. Everything auditors do in the follow-up phase relates to the issues identified in fieldwork. This webinar will focus on the testing for control effectiveness. This includes capturing the best audit evidence and documenting quality work in the workpapers. This helps ensure that any competent third party person can re-perform the work and come to the same conclusion.
This webinar is for auditors who want to understand the key elements of the fieldwork phase of the audit process.
The learning objectives include the following:
- Learn about internal control terminology
- Learn about testing techniques and workpaper quality
- Learn about audit evidence
- Learn about workpaper documentation guidelines
- Learn about Issues & Recommendations (I&Rs)
1. 7/26/2017
Internal Audit Skills Training
Fieldwork
About Jim Kaplan, CIA, CFE
- President and Founder of AuditNet®, the global resource for auditors
- Auditor, Author, Web Site Guru, Internet for Auditors Pioneer
- Recipient of the IIA's 2007 Bradford Cadmus Memorial Award.
About AuditNet LLC
- AuditNet®, the global resource for auditors, is the pre-eminent online portal for the global audit community hosting a comprehensive catalogue of audit procedures.
- Available on the Web, iPad, iPhone, Windows and Android devices and features:
  - Over 2,700 Reusable Templates, Audit Programs, Questionnaires, and Control Matrices
  - Webinars focusing on fraud, data analytics, IT audit, and internal audit with free CPE for subscribers and site license users.
  - Audit guides, manuals, and books on audit basics and using audit technology
  - LinkedIn Networking Groups
  - Monthly Newsletters with Expert Guest Columnists
  - Surveys on timely topics for internal auditors
The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® LLC. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship.
While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website.
Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet® LLC.
William Woodington, CPA, CIA, CRMA
- President Woodington Training Solutions
- Managed the Learning & Development (L&D) function for Wells Fargo Audit & Security for 18 years.
- Audit Specialist for 4 years supervising audit projects prior to moving into the L&D position.
- Worked for First Bank System and Deloitte and Touche.
- Member IIA and ATD
- Teaches audit, business writing, and leadership seminars
Fieldwork
Training Objectives
- Learn about internal control terminology
- Learn about testing techniques and workpaper quality
- Learn about audit evidence
- Learn about workpaper documentation guidelines
- Learn about Issues & Recommendations (I&Rs)
Internal Control
- Control Adequacy - Is the internal control properly designed?
- Control Effectiveness - Is the internal control working as intended?
Controls can be designed to carry out various functions. Some are installed to prevent undesirable outcomes before they happen (preventive controls). Others are designed to identify the undesirable outcomes when they do happen (detective controls).
Internal Control Types

| Preventive Controls | Detective Controls |
| --- | --- |
| Cost Effective | More expensive |
| Competent and trustworthy people | Reviews & comparisons |
| Segregation of duties | Reconciliations |
| Proper authorization | Physical counts |
| Adequate documentation | Analyses of variances |
| Physical control over assets | Computerized techniques |

IIA Standards
2120 - Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
2120.A1 - The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the:
- Reliability and integrity of financial and operational information.
- Effectiveness and efficiency of operations and programs.
- Safeguarding of assets.
- Compliance with laws, regulations, policies, procedures, and contracts.
IIA Standards
2300 - Performing the Engagement
Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement's objectives.
2310 - Identifying Information
Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives.
2320 - Analysis and Evaluation
Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.
2330 - Documenting Information
Internal auditors must document relevant information to support the conclusions and engagement results.
Testing
The following information was taken from "The Practice of Modern Internal Auditing" by Lawrence B. Sawyer.
The Purpose of Testing
Auditors achieve audit objectives by a process known as testing. Testing implies placing activities or transactions on trial, by putting selected items to the proof and revealing their inherent qualities or characteristics.
To the internal auditor, testing implies the measurement of representative transactions or processes and comparison of the results with established standards or criteria. The purpose is to help provide the auditor with a basis for forming an audit opinion. The audit test usually implies evaluation of transactions, records, activities, functions, and assertions by examining all or part of them.
Testing
The objective of testing is to determine:
- Validity, i.e., propriety, genuineness, reasonableness
- Accuracy, i.e., quantity, quality, classification
- Compliance with applicable procedures, regulations, laws, etc.
- Competence of controls, i.e., the degree that risks are neutralized
Simply put, testing determines whether something is as it should be.
Testing Techniques
Observing - Seeing, noticing, not passing over.
Questioning - Asking open-ended unbiased questions. Oral representations must be substantiated by some other form of audit evidence.
Analyzing - Implies a detailed examination. It means dividing a complex entity into parts for the purpose of determining its true nature.
Verifying - Confirming the truth, accuracy, genuineness, or validity of something.
Investigating - An inquiry aimed at uncovering the hidden facts and establishing the truth.
Evaluating - Estimation of worth. In auditing, it means arriving at judgment.
Workpaper Quality
- State Who, What, When, Where, Why, and How
- Note why we performed a test and how it met objectives.
- Ensure testing provides enough depth to reach a viable conclusion.
- State the objective.
- Tell a story (Reader's Digest Version). Ensure enough information is given to cover the subject, but not so much that you have trouble finding the main message.
- Note the reason for testing.
- Ensure the Lead Auditor set expectations up front.
- Explain what was done in testing, what the conclusions were, and the audit universe.
Workpaper Quality
- Ensure documentation supports testing. A third party should be able to recreate the test step and arrive at the same conclusions.
- Ensure the narrative is easy to read from beginning to end.
- Ensure testing is independent versus conversational.
- Ensure testing addresses all the objectives.
- Ensure all exceptions are dispositioned.
- Ensure sampling documentation is complete.
- Ensure conclusions provide enough information related to the testing performed.
- Ensure the narrative is a complete description of the work performed.
Audit Evidence
- Sufficient
- Competent
- Relevant
- Useful
Audit Evidence
Sufficient - Factual, adequate and convincing. Quality audit evidence ensures the scope of the work addresses the control being tested and the sample sizes/items selected adequately represent the population being tested. It ensures conclusions are supported by factual information.
Competent - Reliable and the best attainable. Quality audit evidence is gathered from the most independent source available. It does not depend solely on oral representations as this is the least reliable source of evidence. Trust but verify!
Audit Evidence
Relevant - Supports audit findings and recommendations and is consistent with the objectives of the audit. Quality audit evidence ensures only information pertinent to the test objectives is included. It focuses on current control conditions and timely audit feedback.
Useful - Helps the organization meet its goals.
Audit Evidence
- All audit evidence must be approached with a healthy professional skepticism.
- Professional auditors approach all assertions with uncertainty - with an uneasy and dissatisfied state of mind.
- When reduced to its barest essentials, fieldwork is simply the gathering of evidence for measurement and evaluation.
- Care is always required in the documentation process; if there is a possibility of litigation or some type of legal action, the evidence must be in a form that is legally usable.
- Legal evidence and audit evidence have much in common. They have the same objective - to provide proof, to foster an honest belief about the truth or falsity of any proposition at issue.
Nature of Audit Evidence
Physical - Obtained by observing people, property, and events. It can take the form of photographs, charts, maps, graphs, or other pictorial representations.
Testimonial - Takes the form of letters or statements in response to inquiries or interviews. This should be supported by documentation.
Documentary - The most common form of audit evidence. The source of documentary evidence affects its reliability.
Analytical - Stems from analysis and verification.
Audit Workpapers
Clear - Free from confusion or doubt. Quality audit workpapers tell a story, in a logical order, of the steps taken to perform the work.
Concise - Short and to the point. Quality audit workpapers make every word count towards supporting the audit objective and conclusions.
Complete - Having all the necessary parts. All test objectives are addressed; exception conditions are dispositioned; conclusion statements, source, scope and sampling techniques are properly documented.
Verifiable - The reader should be able to re-perform the work based on the content of the workpaper.
Audit Workpapers
Question - Would any third party person be able to re-perform the test work and reach the same conclusion as the auditor who originally performed the test work?
Control Effectiveness Testing
- Trust but verify
- Don't clutter workpapers with background information.
- Issue audit findings and recommendations to the business partner as they are identified and request written responses.
- Workpapers are confidential.
- Notify Audit engagement manager of any regulatory exceptions.
- Do not refer to potential or substantiated regulatory exceptions as regulatory violations.
Control Effectiveness Testing
- Develop sufficient business knowledge to perform the assigned audit steps. A thorough understanding of the risks inherent in the business and the implications of these risks must exist prior to the conclusion of the audit.
- Obtain sufficient audit evidence to evaluate the system of internal control. Use techniques including observation, inquiry, and testing to obtain this evidence. Perform substantive/corroborative testing to fully support conclusions.
Control Effectiveness Testing
- Document that all program steps have been properly performed. This sign-off indicates the assigned audit work has been completed and the documentation is thorough and can be relied upon.
- Be alert to indications of irregular or suspicious activity. Should you identify irregular activity during the course of an audit, inform the auditor in-charge as soon as possible.
Control Effectiveness Testing
- Inform the auditor in-charge of any situations where an expansion or constriction of scope should be considered.
- Obtain the approval of the audit manager or the designee for material changes in scope.
- Take responsibility for the effective and efficient use of time. Have significant deviations approved by the audit manager prior to incurring overages. Justify all material variances.
Workpaper Documentation Guidelines
- Risk Statement - A high level description of the business risk. The risk should be stated in terms of what could go wrong and the potential impact/result.
- Control Statement - A high level description of the controls in place that mitigate the business risk. The control statement should describe specifically what the control is designed to do (control objective).
Workpaper Documentation Guidelines
- Test Objective - Stated in terms of evaluating the effectiveness of the controls in assisting management to mitigate risk and achieve objectives.
- Test Steps - Should be risk-based, direct the auditor to test the effectiveness of the control, and prompt the auditor to identify, analyze, evaluate, and record audit evidence and results, as well as utilize data analysis techniques wherever possible.
Workpaper Documentation Guidelines
- Source - List the names/titles of the team members talked to and the names/as-of dates of documents/reports reviewed and the names/titles of the team members the documents/reports were obtained from.
- Scope - Include a brief summary of the work performed including population source, characteristics and validation, as well as time period covered.
Workpaper Documentation Guidelines
- Audit Evidence - Ensure quality audit evidence (sufficient, competent, relevant, useful). Inquiry and observation testing should include who was interviewed, process/control observed, date of interview/observation and description of results. Do not rely solely on a verbal representation from the business partner.
- Attribute Testing - Include an attribute table (when practical) to facilitate efficient workpaper preparation and review.
- Exceptions & Issues - Denote using a red X tickmark (X1, X2, etc.) and disposition as an Isolated/Immaterial Exception or an Exception.
Workpaper Documentation Guidelines
- Source Documentation - When exception items are noted, include copies of source documents to support exception items. Only a sample of exception items is needed.
- Electronic Source Documents - Use whenever possible.
- Hardcopy Source Documents - Store in pockets or other appropriate means and label per policy requirements. Click on HCWP in ACE test document.
Workpaper Documentation Guidelines
- Test Conclusion - Select overall control effectiveness rating in the "Status Conclusion" section. A rationale statement (defined in terms of impact and probability) must be provided in the "Reason" field.
Workpaper Documentation Guidelines
- Strong and Effective - The system of internal control provides assurance the risks are well-managed.
- Effective - The system of internal control provides reasonable assurance the risks are being effectively managed.
- Generally Effective - The system of internal control provides reasonable assurance that risks are being managed. Control exceptions exist but corrective action plans are in place.
- Needs Improvement - The system of internal control may not provide reasonable assurance that risks are being managed. Control exceptions exist that need to be addressed.
- Ineffective - The system of internal control does not provide assurance that risks are being managed. Immediate management attention is needed to address the control exceptions.
Other Fieldwork Tips
- Communicate frequently with your AIC (Exceptions/I&Rs, scope changes, etc.).
- Set up communication guidelines with the business partner.
- Ensure review notes are cleared in the test document.
- Be alert to indications of irregular or suspicious activity (fraud).
Killing the Spider
Surface Pertinent Issues and Demand Effective Resolution (SPIDER)
Killing the Spider
- Provide recommendations that not only correct the problems, but also address the root cause of those problems.
- This is the difference between "cleaning up the spider webs" (simply fixing the current problem) and "killing the spider" (addressing the root cause to mitigate future occurrences).
- Too often auditors focus on conditions but ignore causes.
- Too often auditors simply compare what the audited area is doing (the condition) with what the policy states it should be doing (the criterion).
Killing the Spider
- Generally the cause of the problem stems from a breakdown in one or more of the five COSO components:
  - Control Environment
  - Risk Assessment
  - Control Activities
  - Information and Communication
  - Monitoring
- To pinpoint the cause, start by looking at management's risk assessment and control activities.
  - Has there been an assessment of risk?
  - Has management established policies/procedures to address the risk?
Exceptions & Issues
- Isolated/Immaterial Exception - A condition that falls within allowable parameters of a control's performance. These are typically an infrequent human error with an insignificant negative impact.
- Exception - A risk exposure resulting from a control breakdown or deficiency that was not detected and corrected or mitigated by existing controls.
- Issue - A risk exposure resulting from a systemic or material control breakdown or deficiency, supported by one or more Exceptions whose potential negative impact is sufficient to warrant corrective action by business management.
Exceptions & Issues
- Reportable Issue - An issue that will be formally reported via the Audit Report. All reportable issues will be denoted by significance, repeat status, root cause, and risk category.
- All Reportable Issues must be reviewed and approved by the Audit Manager.
- All Reportable Issues are communicated in writing and given to the business partner during fieldwork. This is done by either the staff auditor or AIC.
- A written management response must be received for every Reportable Issue. The response must be reviewed for adequacy by the AIC and supervisor or SAM prior to final acceptance.
Exceptions & Issues
- Validation - The process for ensuring the facts of the Exception and/or Issue are accurate through communication with the business partner.
- Management response - A formal written reply from the business partner that is received for every Reportable Issue. It should include the following:
  - Be specific and responsive
  - Be complete in addressing all material aspects
  - Include reasonable and achievable target dates
  - Include achievable actions that will prevent recurrence
  - Include designated individuals to own the corrective action
Exceptions & Issues
- All audit evidence supporting Exceptions, Issues, and conclusions must be documented in the workpapers.
- Isolated/Immaterial Exceptions will be dispositioned in the workpapers.
- Exceptions will be developed on the Exception document and will be communicated to the business partner and validated. Exceptions are classified as reportable (I&R) or non-reportable. All Exceptions must be independently reviewed by the AIC, supervisor, or manager.
Exceptions & Issues
- Issues will be developed on the Issue & Recommendation (I&R) document and will be communicated to the business partner and validated. All issues must be independently reviewed by the AIC and supervisor or manager.
Issue & Recommendation (I&R)
A properly written I&R should include the following attributes:
- Condition - What is the problem?
- Criterion - What should be?
- Cause - What led to the condition?
- Effect - So what?
- Recommendation - What should be done?
The recommendation should address the cause (kill the spider)! Sell your recommendation based on the effect (risk)!
CIA Exam Question
We find that due to inadequate monitoring of cost-effective transportation and hotel options, the department's travel budget has increased steadily by a total of 1 percent per quarter, thus failing to achieve management's objective of reducing travel-related expenses by 1 percent over the same time period.
Which of the following elements is missing from the finding stated above?
- Criteria
- Effect
- Cause
- Condition
CIA Exam Question
Answer - Effect
CIA Exam Question
Late charges were waived on an excessive number of delinquent installment loan payments at the Spring Street Branch. We were informed that late charge waivers are not approved by an officer. Approximately US $5,000 per year in revenues is being lost. In order to provide a better control over late charges waived and loss of income, we recommend that a lending officer be responsible for waiving late charges and that this approval be in writing.
Which of the following elements of a deficiency finding is not properly addressed?
- Condition
- Criteria or standards
- Effect
- Cause
Issue Severity Ratings
- Low - (Previously known as Verbal) A non-reportable issue that does not require corrective action. Remedial corrective actions may result in improved business processes, and should be considered by business unit management.
- Moderate - A reportable issue that requires management attention. Remedial corrective actions should be addressed in a reasonable timeframe. If no action is taken, the issue may have an adverse effect on business unit management's ability to meet a business objective.
Issue Severity Ratings
- High - A reportable issue needing timely corrective action by business unit management to adequately mitigate risks to the business. If action is not taken in a timely manner, the issue may have an adverse effect on business unit management's ability to meet one or more of its business objectives.
- Very High - A reportable issue needing immediate corrective action by business unit management to adequately mitigate risks to the business. If not immediately addressed, the issue may have significant adverse effects on business unit management's ability to meet one or more of its business objectives. Persistence of the Issue may also have adverse effects to Wells Fargo at the enterprise level. Management should monitor progress on the corrective action until completed.
Questions?
Thank You!
William Woodington, CPA, CIA
Woodington Training Solutions
763-568-1181
http://woodingtontraining.com/
bill@woodingtontraining.com
Jim Kaplan, CIA, CFE
AuditNet LLC®
800-385-1625
www.auditnet.org
webinars@auditnet.org