This document provides guidance for internal auditors on evaluating internal controls. It discusses:
1) The nature and purpose of internal controls, including preventive and detective controls, as well as control environment and activities.
2) The role of the internal auditor in evaluating the design and operating effectiveness of internal controls, identifying control gaps, and making recommendations.
3) Procedures for the internal auditor to obtain an understanding of the entity's business processes and its accounting and IT systems, evaluate segregation of duties and information system controls, and perform tests of controls.
The document discusses audit evidence and procedures for gathering evidence. It defines audit evidence and its basic principles of independence, integrity, and objectivity. It describes the sources of audit evidence, including physical examination, confirmations, documentation, analytical procedures, inquiries, reperformance, and observation. It discusses factors like audit risk, reliance on controls, materiality, and reliability that influence evidence. It also covers the appropriateness, relevance, reliability, and direction of testing for audit evidence. Finally, it discusses substantive procedures used to detect material misstatements.
Practical approach to Risk Based Internal Audit - Manoj Agarwal
The document provides an overview of risk based internal auditing. It discusses key concepts like the definition of risk, COSO ERM framework, three lines of defense model, definition of internal audit, and risk based internal audit approach. The approach involves identifying the audit universe and processes, risk identification and assessment, risk scoring and heat mapping, developing the risk based internal audit plan, and executing the plan. Various tools for risk based auditing like the audit tracker, audit report templates, and resources are also outlined.
The COSO framework provides guidance for establishing effective internal controls. It comprises 5 components: control environment, risk assessment, control activities, information and communication, and monitoring. The control environment sets the tone at the top and influences employee conduct. Risk assessment involves identifying risks to financial reporting. Control activities are policies and procedures that help ensure management directives are followed. Information and communication systems identify, capture, and communicate pertinent information. Monitoring assesses internal control effectiveness over time.
This document discusses audit risk assessment. It defines audit risk as the risk that an auditor gives an inappropriate opinion when financial statements are materially misstated. Audit risk has three components: inherent risk, control risk, and detection risk. The auditor assesses these risks to determine the nature, timing and extent of audit procedures. A key part of risk assessment is understanding the client's internal controls, including control environment, risk assessment, information and communication, control activities, and monitoring. The auditor documents their understanding of internal controls to help plan the audit and determine appropriate audit strategies.
Building trust means managing both the conditions and consequences of reputation risk. This presentation looks at how to integrate reputation management and reputation risk into the enterprise, across functions.
An internal audit is designed to review what a company is doing in order to identify potential threats to the organization's financial health and profitability and to make suggestions for mitigating the risk associated with those threats.
This document provides an overview of tests of controls for auditing purposes. It discusses assessing control risk, the purpose and nature of tests of controls, and how the work of internal auditing may be used. The document outlines the process of assessing control risk and communicating conclusions. It describes types of controls expected in IT environments and lists alternative computer-assisted audit techniques.
The document discusses internal controls in auditing, including the objectives, components, and case studies related to internal controls. It describes the control environment, risk assessment, control activities, information and communication, and monitoring as the main components of internal controls. The document also differentiates between substantive tests and tests of controls in auditing.
The document outlines audit working paper purposes, contents, organization and types of audit evidence. It discusses how working papers support the audit opinion, substantiate competence, guide future audits and evaluate staff. Contents include entity information, risk assessments, audit programs, analyses, conclusions and representations. Organization includes permanent files on the client and current files indexing planning, compliance, balances and income/expenses. Evidence includes physical counts, confirmations, representations, documents, observation, accuracy checks and comparisons.
Audit of other assets (and related items) - Khalid Aziz
This document discusses auditing procedures for various asset accounts including prepaid expenses, intangible assets, and property, plant and equipment. It provides details on assessing inherent and control risks, substantive analytical procedures, and tests of details for transactions in these accounts. Key aspects covered include confirming prepaid insurance policies, assessing valuation of intangible assets, and procedures over the property management process such as authorizing capital expenditures and taking physical inventories.
The document discusses internal financial controls (IFC) and internal financial controls over financial reporting (ICFR) as required by the Companies Act 2013 in India. It defines IFC and ICFR and explains who is responsible for them according to the Act, including directors, auditors, and audit committees. It outlines how IFC can help companies beyond compliance, the objectives of IFC coverage, key highlights from ICAI guidance, and penalties for non-compliance. Finally, it describes how the consulting firm A.P. Doshi & Co. can help companies with IFC implementation, documentation, testing, and reporting.
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK - Haresh Lalwani
This presentation is my endeavor to bring to notice the new position that internal audit enjoys today in the corporate framework, expectations of the industry and emerging opportunities for the professionals.
The document provides learning objectives and substantive procedures for auditing various accounts including non-current assets, intangible non-current assets, inventory, trade receivables, bank, cash, trade payables, accruals, provisions, contingencies, non-current liabilities/long term borrowings, equity, directors' emoluments, revenue, purchases, payroll, interest expense and income, and other expenses. The learning objectives cover verification of additions and disposals for non-current assets, valuation of intangible assets, verification of inventory existence and valuation, and cutoff testing for trade receivables among other procedures.
This document provides an introduction and overview of internal control. It defines internal control as a process designed by management and those charged with governance to provide reasonable assurance of achieving reliable financial reporting, effective and efficient operations, and compliance with laws and regulations. The document discusses the key components of internal control - control environment, risk assessment, control activities, information and communication, and monitoring activities. It also outlines some of the primary objectives and benefits of internal controls, as well as limitations.
The document discusses risk-based auditing (RBIA) and its key concepts. RBIA requires internal audit to be strategically linked to an organization's risk management and assurance frameworks. It also discusses applying RBIA methodology to internal audit assignments and linking an organization's risk framework to the stages of RBIA. The document provides information on introducing RBIA to an organization and adapting it based on the organization's structures, processes and risk maturity.
Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance. It consists of five components: control environment, risk assessment, control activities, information and communication, and monitoring activities. The components work together to help ensure reliable financial reporting, effective and efficient operations, and compliance with laws and regulations. Internal control is important for both management and external auditors, and while it cannot provide absolute assurance, it helps reduce risks of failure to achieve goals.
The slides give information about the working style of the internal audit department in a micro-finance institution. They help the viewer enhance skills and knowledge about audit activities in an MFI.
The document summarizes Risk-Based Internal Audit (RBIA) framework requirements for Non-Banking Financial Companies (NBFCs) in India. It specifies that all deposit-taking NBFCs and non-deposit taking NBFCs with assets over ₹5,000 crore must implement an RBIA system by March 31, 2021. The framework outlines objectives to provide assurance on internal controls and risk management. It details responsibilities of the board, senior management, and internal audit function to ensure independence, competency, appropriate resourcing and oversight of the RBIA system.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The internal audit activity must be independent, and internal auditors must be objective in performing their work. Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities and apply the care and skill expected of a reasonably prudent and competent internal auditor. The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.
The document provides an overview of internal controls related to the sales system of an entity. It discusses control objectives, control activities, and tests of controls for the order department, dispatch department, and invoicing/billing department of the sales system. The key control objectives covered are related to authorization of sales orders and credit limits, accuracy of order recording and invoicing, and segregation of duties. The document also provides examples of control activities and procedures that can be implemented to achieve the control objectives as well as examples of audit tests that can be performed to evaluate the operating effectiveness of the controls.
The internal audit department provides independent and objective assurance to help the company accomplish its objectives. It identifies risks, finds better processes, and partners with departments to solve issues. The department reports to the audit committee and develops a risk-based annual audit plan. It audits operations, departments, programs, and processes. The department also receives whistleblower reports and investigates fraud and misconduct.
The document discusses internal audit effectiveness and quality assessment (IAEQA). IAEQA involves evaluating the effectiveness, efficiency, and quality of an organization's internal audit function. It assesses compliance with internal auditing standards and benchmarks the function against a balanced scorecard approach. The methodology uses a holistic evaluation of the internal audit process, coverage, findings, skills, and compliance with standards. Key components reviewed include the internal audit process, compliance with standards, skills/competence, structure, cross-functional engagement, and board oversight. Specific tactical audit areas are also assessed by re-performing audit procedures and critically reviewing findings. The outcome is an internal audit effectiveness scorecard and action plan to improve areas.
Internal audit is an independent appraisal activity within an organization that reviews systems, procedures, and compliance with policies. It helps ensure efficient controls are in place for all organizational activities and assets. The purpose of internal audit is to detect errors and fraud, identify risks, and forewarn management about deficiencies. It identifies both issues and opportunities to improve an organization's financial, operational, and planning processes. Certain companies and trusts are required by law to appoint an internal auditor, including those with a paid up capital over 50 lakh rupees or average annual turnover exceeding 5 crore rupees for the last three years.
Assertions in the Audit of Financial Statements (Audit) - Artless Shakhawat
This document discusses audit assertions and the audit of financial statements. It defines audit assertions as claims made by management regarding the appropriateness of financial statement elements and disclosures. There are five types of audit tests that can be used, including tests of controls and substantive tests. The document then discusses auditing various accounts, such as revenue/receipts, purchases, inventory, payroll, and fixed assets. It describes the types of evidence and assertions auditors consider when auditing these accounts.
What is the purpose of internal auditing? How important is it to the business? How are internal audits planned and carried out? These slides show the relevance of internal audit to the business, how internal audits relate to the objectives and risks of the business, how they are planned and the work involved in an internal audit. Further advice is available from www.internalaudit.biz
Common internal audit findings & how to avoid them - Surajit Datta
The document summarizes topics that were covered in a workshop on common internal audit findings and how to avoid them. It discusses internal auditing and controls, elements of internal controls, common audit findings such as non-compliance and lack of monitoring, fraud indicators, and how to avoid findings by establishing policies, procedures, and internal controls.
This document provides an overview of an internal risk assessment process presentation. It outlines the presentation agenda, which includes discussions of internal control frameworks like COSO and COBIT, risk assessment techniques, risk identification mapping, and the components of internal control. It also details the key aspects of each presentation section, such as defining internal control, its objectives, and management and auditor responsibilities regarding internal control assessment.
Continuous Auditing, Monitoring & Data Analytics - CISA1567
This document discusses continuous auditing, monitoring, and data analytics for auditing SAP R/3 environments. It defines these terms and outlines some tools that can be used, including ACL, IDEA, and Microsoft Access. Benefits of data analysis include testing entire data populations more efficiently. Specific areas that can be analyzed are discussed, like payroll (ghost employees, overtime) and accounts payable (duplicate payments, loose invoices). Best practices include following the software development life cycle and allocating enough storage space.
The document discusses internal control, internal check, internal audit, and the differences between internal check and internal audit. It defines internal control as the system established by management to carry out business operations in an orderly manner. The objectives of internal control are to avoid inefficiency, waste, and fraud, and ensure accuracy of records. Internal check is a part of internal control that divides work so no single person can carry out a whole transaction alone. Internal audit involves examining procedures, records, and operations to evaluate management controls and ensure goals are met. It differs from internal check in that internal check mechanically checks work as it is performed while internal audit examines work after it is completed.
The document discusses internal controls and provides guidelines for cash controls, petty cash, cash over and short, banking activities, and bank reconciliation. It explains that internal controls protect assets, ensure reliable accounting, promote efficient operations, and encourage adherence to company policies. Some key principles of internal controls are clearly establishing responsibilities, maintaining adequate records, separating duties, and performing regular reviews.
The document discusses internal controls and their importance for auditing. It defines internal controls as policies and procedures adopted by management to achieve objectives like ensuring orderly and efficient operations, safeguarding assets, and preparing reliable financial reports. The two main components of internal controls are the control environment and control procedures. The control environment reflects management's attitude towards controls, while control procedures are specific policies that help achieve objectives. Understanding internal controls is essential for auditors to plan the nature, timing, and extent of audit procedures.
Internal controls are defined as the entire system of controls, both financial and non-financial, established by management to carry out business operations in an orderly manner, safeguard assets, and ensure accurate and reliable record keeping. An effective internal control system includes proper organization structure and division of responsibilities, adequate authorization and accountability, sound practices and procedures, competent personnel, and controls over assets, liabilities, revenues, and expenses. However, internal controls also have limitations such as high implementation costs for small businesses, the potential for human error, possibility of collusion between employees, and risk of misuse of authority or manipulation by management.
This document discusses internal controls and information system (IS) audits. It defines control as any input given to a dynamic system to produce a desired output. The level of control required increases as a system becomes more dynamic and complex. Effective controls require understanding a system's dynamism so control measures can operate effectively. Controls should be focused on specific outputs and evaluated to provide further appropriate inputs. Internal controls aim to ensure business objectives are achieved and undesired risks prevented or detected and corrected through policies, procedures and organizational structure. Controls can be preventive, detective, or corrective and take both manual and automated forms depending on the environment.
This document contains 49 multiple choice questions about risk assessment and internal control evaluation. It covers topics such as the auditor's responsibility regarding internal controls, separation of duties, control activities, obtaining an understanding of internal controls, control risk assessment, tests of controls, and internal control deficiencies.
This document provides an overview of access control concepts and topics relevant to the CISSP certification. It defines access control as the mechanisms that grant or revoke the right to access data or perform actions on an information system. The document outlines key access control topics like identification, authentication, authorization, accountability, access control models, and monitoring. It also discusses access control principles such as least privilege and separation of duties.
internal control and control self assessment - Manoj Agarwal
The document discusses internal controls and control self-assessment. It begins with definitions of internal control and internal auditing. It then outlines the COSO internal control framework, including the five components and seventeen underlying principles of internal control. The presentation agenda and a case study are also mentioned. Sample templates for evaluating internal controls against the principles are included.
The document discusses internal control systems and the COSO framework. It provides details on the following:
1. There are three main categories of internal controls - financial, operational, and compliance controls. The COSO framework defines internal control and its objectives.
2. The COSO framework has five main elements - control environment, risk assessment, control activities, information and communication, and monitoring. These elements work together to help ensure objectives are met.
3. Internal audit is an independent function that examines and evaluates internal controls to provide assurance on their effectiveness and efficiency. Internal auditors may review various areas including financial and operational controls, compliance, risk management, and value for money.
This document provides an overview of access control, including identification, authentication, and authorization. It discusses different types of access controls like administrative, technical, and physical controls. It also covers specific access control methods like passwords, biometrics, smart cards, and tokens. Identification establishes a subject's identity, while authentication proves the identity. Authorization then controls the subject's access to resources based on their proven identity. The document categorizes access controls as preventive, detective, corrective, recovery, compensating, and directive. It provides examples of different administrative, technical, and physical controls that fall into each category.
ICQs provide a system for the assessment of risks embedded in the internal control system. Every internal auditor prepares ICQs according to his understanding of the internal control system. There are certain common areas that are present in every organization. These ICQs deal with those common areas that are an integral part of every organization's internal control system.
This document discusses the Physical (Environmental) Security domain of the CISSP Common Body of Knowledge. It covers topics such as defining physical security, types of threats to the physical environment like natural/environmental and man-made/political events. It also discusses security countermeasures and technologies to protect physical assets, including administrative, technical, and physical controls. Specific controls covered include perimeter security, building access controls, data center security, and the strategic application of crime prevention through environmental design principles.
Advanced auditing Chapter Five. Internal control pptx - seidIbrahim2
This document discusses internal control and its importance for management in meeting its responsibilities. It defines internal control as a process effected by people to provide reasonable assurance over assets and reliable information. The auditor needs to understand internal control to determine audit strategies and the scope of substantive testing. Key components of internal control include the control environment, risk assessment, control activities, information/communication, and monitoring. The control environment, comprising factors like integrity, competence, management philosophy and structure, is the foundation for an effective system of internal controls.
PART II INTERNAL AUDITING in local government.ppt - CamellaCandon
This document provides definitions and discusses the scope of internal auditing. It defines internal auditing as an independent and objective assurance activity that aims to add value and improve an organization's operations. The scope of internal auditing includes evaluating controls related to strategic objectives, operations, financial and operational information, asset protection, and compliance. The document also discusses the traditional audit approach and risk-based audit approach used in internal auditing.
Internal control is a process designed to provide reasonable assurance that an organization achieves its objectives relating to operational effectiveness and efficiency, reliable financial reporting, and compliance with laws and regulations. It involves establishing policies and procedures to direct operations and monitor activities. Internal control aims to protect resources, detect and prevent fraud, and ensure accurate financial reporting. It includes internal checks, internal auditing, and other controls implemented by management. The objectives of internal control are reliable financial reporting, effective and efficient operations, and compliance with applicable laws and regulations.
The document discusses internal control, including its meaning, elements, and evaluation. It defines internal control as a process that provides assurance around an organization's objectives related to operations, financial reporting, and compliance. The key elements of internal control are the control environment, risk assessment, control activities, information and communication, and monitoring. An internal control review evaluates how effective the internal control system is at addressing risks.
This document provides an overview of internal auditing, including:
- The nature and scope of internal auditing focuses on evaluating internal controls and actual performance.
- Financial audits examine accounting controls and data accuracy, while operational audits appraise business operations.
- Efficiency, propriety, voucher, compliance, and pre- and post-audits are different types of internal audits.
- Auditing in depth traces transactions through all stages to ensure compliance with internal controls.
- The Companies (Auditor's Report) Order outlines reporting requirements for auditors.
The document discusses internal control systems. It defines internal controls as processes put in place to help an organization achieve its objectives. The Committee of Sponsoring Organizations (COSO) framework categorizes internal controls into three types: financial controls, operational controls, and compliance controls. The COSO framework also identifies five key elements of an effective internal control system: control environment, risk assessment, control activities, information and communication, and monitoring. Internal audit is discussed as a way for boards of directors to evaluate whether the internal control system is operating effectively.
Internal control and Control Self Assessment - Manoj Agarwal
The document provides an overview of internal control and control self-assessment. It defines internal control and control self-assessment and discusses the rationale, goals, benefits and case study of control self-assessment. It outlines the COSO internal control framework components of control environment, risk assessment, control activities, monitoring and traditional auditing vs control self-assessment. The presentation also discusses control types, principles of internal control and evaluating controls objectives. It provides a sample control self-assessment template and case study.
The most comprehensive definition of internal audit is given by the IIA, USA. It is,
"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes."
The purpose of the presentation is to provide clarification for a better understanding of what internal audit definition, objectives, functions, stages and reporting are all about. What difference does it make in the presence of an external audit? How different is its scope from that of the external audit? How do internal audit standards contribute to better performance of internal audit work and its reporting to the Board or Audit Committee?
Assessing risks and internal controls training - shifataraislam
This document provides an overview of assessing risks and internal controls for process owners. It discusses identifying risks within business processes and points where failures could occur. The document also covers internal control definitions, techniques, myths and facts. Process owners are responsible for acknowledging risks and controls within their processes, remedying deficiencies, and signing quarterly certifications. They should educate their personnel on requirements and reinforce internal focus on controls.
Internal and external audits are important functions for organizations. Internal auditors independently evaluate activities within an organization, while external auditors are outsiders. The audit committee oversees the internal audit function and ensures auditors remain independent. Audits follow standards to verify key aspects of financial statements like existence, completeness, and valuation. Auditors assess risks and design procedures accordingly. Internal controls are also evaluated to safeguard assets and ensure accurate financial reporting. Information systems and IT governance are important parts of the audit and control process.
The document discusses internal controls, including their meaning, concepts, importance, principles, components, and limitations. Specifically, it defines internal controls as activities established within a company to monitor for errors, omissions, misstatements, or fraud. It describes the key components of internal control systems as the control environment, risk assessment, control activities, information and communication, and monitoring. Finally, it notes limitations of internal controls, such as collusion between employees, incorrect professional judgments, failure to train employees, and potential management overrides.
The document discusses the three main types of internal controls: preventive, detective, and corrective controls. It provides examples for each type and explains the key differences between detective and corrective controls. The document also discusses some limitations of internal controls, noting that they can only provide reasonable assurance and not absolute guarantees due to factors like human judgment errors. It identifies the five main components of an effective internal control system according to international standards.
Audit report - Consideration of Internal Control - nellynljcoles
This document discusses internal control and its assessment. It defines internal control as a process designed to help achieve an entity's objectives. The five components of internal control are the control environment, risk assessment, control activities, information and communication, and monitoring. The auditor assesses control risk by obtaining an understanding of internal controls, testing their design and implementation, and judging their effectiveness in preventing misstatements. Control risk is then used to determine the nature, timing and extent of substantive audit procedures. Weaknesses identified during this process are communicated to management.
The document discusses internal controls and provides guidance for organizations in Vermont state government. It defines internal controls as processes designed to reasonably ensure effectiveness, efficiency, reliable reporting, and compliance. It outlines the five components of the COSO internal control framework: control environment, risk assessment, control activities, information/communication, and monitoring. It emphasizes that internal controls should make sense within each organization and benefit rather than encumber management.
The document discusses internal controls and provides guidance for organizations in Vermont state government. It defines internal controls as processes designed to reasonably ensure effectiveness, efficiency, reliable reporting, and compliance. It outlines the five components of the COSO internal control framework: control environment, risk assessment, control activities, information/communication, and monitoring. It also describes five key internal control activities and resources the Department of Finance & Management provides to help improve organizations' internal controls.
The document discusses internal controls and provides guidance for organizations in Vermont state government. It defines internal controls as processes designed to reasonably ensure effectiveness, efficiency, reliable reporting, and compliance. It outlines the five components of the COSO internal control framework: control environment, risk assessment, control activities, information/communication, and monitoring. It also describes key internal control activities like separation of duties, documentation, authorization, security of assets, and reconciliation/review. The Department of Finance & Management aims to strengthen internal controls through resources like self-assessments, standards guides, newsletters, and operational reviews.
The document discusses internal controls and provides guidance for organizations in Vermont state government. It defines internal controls as processes put in place by management to reasonably ensure objectives are achieved in operations, financial reporting, and compliance. Key components of internal controls include control environment, risk assessment, control activities, information and communication, and monitoring. The document outlines five important control activities and resources the Department of Finance & Management provides to help organizations strengthen their internal controls.
STANDARD ON INTERNAL AUDIT (SIA) 12
INTERNAL CONTROL EVALUATION*
Contents (Paragraph(s))
Introduction: 1
Nature, Purpose and Types of Internal Controls: 2-6
Inherent Limitations of Internal Controls: 7
Role of the Internal Auditor in Evaluating Internal Controls: 8-14
Segregation of Duties: 15
Control Activities for Information Technology: 16-19
Test of Controls: 20-23
Monitoring Internal Audit Findings: 24
Communication of Continuing Internal Control Weaknesses: 25-29
Effective Date: 30
The following is the text of the Standard on Internal Audit
(SIA) 12, Internal Control Evaluation, issued by the Council of
the Institute of Chartered Accountants of India. These
Standards should be read in conjunction with the Preface to
the Standards on Internal Audit, issued by the Institute.
In terms of the decision of the Council of the Institute of
Chartered Accountants of India taken at its 260th meeting held
in June 2006, the following Standard on Internal Audit shall be
recommendatory in nature in the initial period. The Standards
shall become mandatory from such date as notified by the
Council.
* Published in the February, 2009 issue of The Chartered Accountant.
Introduction
1. The purpose of this Standard on Internal Audit is to establish standards
and provide guidance on the procedures to be followed by the internal
auditor in evaluating the system of internal control in an entity and for
communicating weaknesses therein to those charged with governance.
Nature, Purpose and Types of Internal Controls
2. Internal controls are a system consisting of specific policies and
procedures designed to provide management with reasonable
assurance that the goals and objectives it believes important to the
entity will be met. "Internal Control System" means all the policies and
procedures (internal controls) adopted by the management of an entity
to assist in achieving management's objective of ensuring, as far as
practicable, the orderly and efficient conduct of its business, including
adherence to management policies, the safeguarding of assets, the
prevention and detection of fraud and error, the accuracy and
completeness of the accounting records, and the timely preparation of
reliable financial information. The internal audit function constitutes a
separate component of internal control with the objective of determining
whether other internal controls are well designed and properly operated.
Internal control system consists of interrelated components as follows:
- Control (or Operating) environment.
- Risk assessment.
- Control objective setting.
- Event identification.
- Control activities.
- Information and communication.
- Monitoring.
- Risk response.
3. The system of internal control must be under continuous supervision by
management to determine that it is functioning as prescribed and is
modified, as appropriate, for changes in environment. The internal
control system extends beyond those matters which relate directly to
the functions of the accounting system and comprises:
a. "control environment" means the overall attitude, awareness and
actions of directors and management regarding the internal control
system and its importance in the entity. The control environment has
an effect on the effectiveness of the specific control procedures and
provides the background against which other controls are operated.
Factors reflected in the control environment include:
  - The entity's organisational structure and methods of assigning
    authority and responsibility (including segregation of duties and
    supervisory functions).
  - The function of the board of directors and its committees, in the
    case of a company or the corresponding governing body in case
    of any other entity.
  - Management's philosophy and operating style.
  - Management's control system including the internal audit
    function, personnel policies and procedures.
  - Integrity and ethical values.
  - Commitment to competence.
  - Human resource policies and practices.
b. "control activities" (or procedures) which means those policies and
procedures in addition to the control environment which management
has established to achieve the entity's specific objectives. Control
activities include approvals, authorizations, verifications,
reconciliations, reviews of performance, security of assets,
segregation of duties, and controls over information systems.
4. Internal controls may be either preventive or detective. Preventive
controls attempt to deter or prevent undesirable acts from occurring.
They are proactive controls that help to prevent a loss. Examples of
preventive controls are separation of duties, proper authorization,
adequate documentation, and physical control over assets. Detective
controls attempt to detect undesirable acts. They provide evidence that
a loss has occurred but do not prevent a loss from occurring. Examples
of detective controls are reviews, analyses, variance analyses,
reconciliations, physical inventories, and audits.
5. Internal controls are generally concerned with achieving the following
objectives:
- Transactions are executed in accordance with management's general
  or specific authorisation.
- All transactions and other events are promptly recorded in the correct
  amount, in the appropriate accounts and in the proper accounting
  period so as to permit preparation of financial statements in
  accordance with the applicable accounting standards, other recognised
  accounting policies and practices and relevant statutory requirements,
  if any, and to maintain accountability for assets.
- Assets and records are safeguarded from unauthorised access, use or
  disposition.
- Recorded assets are compared with the existing assets at reasonable
  intervals and appropriate action is taken with regard to any differences.
- Systems and procedures are effective in design and operation.
- Risks are mitigated to a reasonable extent.
6. Internal control is a process. Internal control can be expected to provide
only reasonable assurance, not absolute assurance. Internal control is
geared to the achievement of objectives. Internal control is effected by
people and not by policy manuals and forms alone.
Inherent Limitations of Internal Controls
7. Internal control systems are subject to certain inherent limitations, such as:
- Management's consideration that the cost of an internal control does
  not exceed the expected benefits to be derived.
- The fact that most internal controls do not tend to be directed at
  transactions of unusual nature.
- The potential for human error, such as, due to carelessness,
  distraction, mistakes of judgement and misunderstanding of instructions.
- The possibility of circumvention of internal controls through collusion
  with employees or with parties outside the entity.
- The possibility that a person responsible for exercising an internal
  control could abuse that responsibility, for example, a member of
  management overriding an internal control.
- Manipulations by management with respect to transactions or
  estimates and judgements required in the preparation of financial
  statements.
Role of the Internal Auditor in Evaluating Internal Controls
8. The internal auditor should examine the continued effectiveness of
the internal control system through evaluation and make
recommendations, if any, for improving that effectiveness. However,
the internal auditor is not vested with management’s primary responsibility
for designing, implementing, maintaining and documenting internal control.
Internal audit function adds value to an organization’s internal control
system by bringing a systematic, disciplined approach to the evaluation of
risk and by making recommendations to strengthen the effectiveness of risk
management efforts. The internal auditor should focus towards
improving the internal control structure and promoting better
corporate governance. The role of the internal auditor encompasses:
- Evaluation of the efficiency and effectiveness of controls.
- Recommending new controls where needed – or discontinuing
  unnecessary controls.
- Using control frameworks.
- Developing control self-assessment.
9. The internal auditor’s evaluation of internal control involves:
- determining the significance and the sensitivity of the risk for which
  controls are being assessed;
- assessing the susceptibility to misuse of resources, failure to attain
  objectives regarding ethics, economy, efficiency and effectiveness, or
  failure to fulfil accountability obligations, and non-compliance with laws
  and regulations;
- identifying and understanding the design and operation of relevant
  controls;
- determining the degree of control effectiveness through testing of
  controls;
- assessing the adequacy of the control design; and
- reporting on the internal control evaluation and discussing the
  necessary corrective actions.
10. The broad areas of review by the internal auditor in evaluating the
internal control system, inter alia, are:
Mission, vision, ethical and organizational value-system of the entity.
Personnel allocation, appraisal system, and development policies.
Accounting and financial reporting policies and compliance with
applicable legal and regulatory standards.
Objective of measurement and key performance indicators.
Documentation standards.
Risk management structure.
Operational framework.
Processes and procedures followed.
Degree of management supervision.
Information systems, communication channels.
Business Continuity and Disaster Recovery Procedures.
11. The internal auditor should obtain an understanding of the significant
processes and internal control systems sufficient to plan the internal
audit engagement and develop an effective audit approach. The
internal auditor should use professional judgment to assess and
evaluate the maturity of the entity’s internal control. The auditor
should obtain an understanding of the control environment sufficient
to assess management's attitudes, awareness and actions regarding
internal controls and their importance in the entity. Such an
understanding would also help the internal auditor to make a preliminary
assessment of the adequacy of the accounting and internal control systems
as a basis for the preparation of the financial statements, and of the likely
nature, timing and extent of internal audit procedures. The internal auditor
assesses the ‘as–is’ internal control system within the organization.
12. The internal auditor should obtain an understanding of the internal
control procedures sufficient to develop the audit plan. In obtaining this
understanding, the internal auditor would consider knowledge about the
presence or absence of control procedures obtained from the
understanding of the control environment, business processes and
accounting system in determining whether any additional understanding of
control procedures is necessary. The internal auditor should understand
and document the design and operations of internal controls to
evaluate the effectiveness of the control environment. The important
procedures to be adopted by the internal auditor for this purpose include:
Narratives
Flowcharts
Questionnaires
13. When obtaining an understanding of the business processes, accounting
and internal control systems to plan the audit, the internal auditor obtains a
knowledge of the design of the internal control systems and their operation.
For example, an internal auditor may perform a "walk-through" test, that is,
tracing a few transactions through the accounting system. When the
transactions selected are typical of those transactions that pass through the
system, this procedure may be treated as part of the tests of control.
14. The internal auditor should consider the following aspects in the
evaluation of internal control system in an entity:
Ascertaining whether the entity has a mission statement and
written goals and objectives.
Assessing risks at the entity level.
Assessing risks at the activity (or process) level.
Completing a Business Controls worksheet for each significant
activity (or process) in each function or department with
documentation of the associated controls and their degree of
effectiveness (partial or full); prioritizing those activities (or
processes) which are most critical to the success of the function
or department.
Ensuring that all risks identified at the entity and function or
department level are addressed in the Business Controls
worksheet along with the consolidated documentation of the
operating controls.
Ascertaining from the Business Controls worksheet, those risks
for which no controls exist or existing controls are inadequate.
This process is the stage of ‘controls gap’ analysis.
Segregation of Duties
15. Segregation of duties is critical to effective internal control; it reduces the
risk of both erroneous and inappropriate actions. The internal auditor
should ensure that, in general, the approval function, the
accounting/reconciling function, and the asset custody function are
separated among employees of the entity. When these functions
cannot be separated due to small department size, the internal auditor
should ensure that a detailed supervisory review of related activities
is in practice, as a compensating control activity.
Control Activities for Information Technology
16. In a computer information systems environment, the objectives of tests of
control do not change from those in a manual environment; however, some
audit procedures may change. The internal auditor may find it necessary, or
may prefer, to use computer-assisted audit techniques. The use of such
techniques, for example, file interrogation tools or audit test data, may be
appropriate when the accounting and internal control systems provide no
visible evidence documenting the performance of internal controls which
are programmed into a computerised accounting system. There are two
broad categories of information systems controls - general controls and
application controls. General Controls apply to all information systems -
mainframe, minicomputer, network, and end-user environments. Application
Controls are designed to cover the processing of data within the application
software.
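A file-interrogation test of the segregation of duties described in paragraph 15, of the kind paragraph 16 refers to as a computer-assisted audit technique. This is an added example, not part of the Standard; the extract layout, column names, duty labels and sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample extract (not real data): one row per duty performed on a
# transaction; supervisor_review is "Y" when a detailed review is on file.
SAMPLE_EXTRACT = """txn_id,duty,employee,supervisor_review
T001,approval,asha,N
T001,accounting,binod,N
T001,custody,chitra,N
T002,approval,asha,N
T002,accounting,asha,N
T002,custody,chitra,N
T003,approval,dev,Y
T003,accounting,dev,Y
T003,custody,dev,Y
T004,approval,asha,N
T004,custody,binod,N
"""

REQUIRED_DUTIES = ("approval", "accounting", "custody")  # the three functions in para 15


def interrogate(extract_text):
    """Return {txn_id: finding} for each transaction that is not cleanly segregated."""
    duties = defaultdict(dict)   # txn_id -> {duty: employee}
    reviewed = {}                # txn_id -> True only if every row shows a review
    for row in csv.DictReader(io.StringIO(extract_text)):
        txn = row["txn_id"].strip()
        duties[txn][row["duty"].strip().lower()] = row["employee"].strip().lower()
        has_review = row["supervisor_review"].strip().upper() == "Y"
        reviewed[txn] = reviewed.get(txn, True) and has_review
    findings = {}
    for txn, by_duty in duties.items():
        missing = [d for d in REQUIRED_DUTIES if d not in by_duty]
        if missing:  # a duty with no recorded performer leaves no audit trail to test
            findings[txn] = "no evidence of: " + ", ".join(missing)
            continue
        holders = defaultdict(list)  # employee -> duties held on this transaction
        for duty in REQUIRED_DUTIES:
            holders[by_duty[duty]].append(duty)
        conflicts = {e: d for e, d in holders.items() if len(d) > 1}
        if not conflicts:
            continue
        who = "; ".join(f"{e} performed {'+'.join(d)}" for e, d in sorted(conflicts.items()))
        label = ("compensating supervisory review on file: " if reviewed[txn]
                 else "SoD conflict, no compensating review: ")
        findings[txn] = label + who
    return findings
```

Transactions flagged with a review on file still need the auditor to confirm that the supervisory review was detailed and actually performed; the flag in the extract is only a pointer to that evidence.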
17. While evaluating the information technology controls in a system-
driven environment, the internal auditor should determine whether the
entity, inter alia, uses:
encryption tools, protocols, or similar features of software
applications that protect confidential or sensitive information
from unauthorized individuals;
back-up and restore features of software applications that reduce
the risk of permanent loss of data;
virus protection software; and
passwords that restrict user access to networks, data and
applications.
18. The nature, timing and extent of the procedures performed by the internal
auditor to obtain an understanding of the internal control systems will vary
with, among other things:
Size and complexity of the entity and of its information system.
Materiality considerations.
Type of internal controls involved.
Nature of the entity's documentation of specific internal controls.
Internal auditor's assessment of inherent risk.
19. Ordinarily, the internal auditor's understanding of the internal control
systems significant to the audit is obtained through previous experience
with the entity and is supplemented by:
a. inquiries of appropriate management, supervisory and other
personnel at various organisational levels within the entity, together
with reference to documentation, such as procedures manuals, job
descriptions, systems descriptions and flow charts;
b. inspection of documents and records produced by the accounting and
internal control systems; and
c. observation of the entity's activities and operations, including
observation of the organisation of computer operations, personnel
performing control procedures and the nature of transaction
processing.
Test of Controls
20. Tests of control are performed to obtain audit evidence about the
effectiveness of the:
a. design of the internal control systems, that is, whether they are
suitably designed to prevent or detect and correct material
misstatements;
b. operation of the internal controls throughout the period; and
c. cost of a control vis-a-vis the benefit obtained from the same.
21. Tests of control normally include:
Inspection of documents supporting transactions and other events to
gain audit evidence that internal controls have operated properly, for
example, verifying that a transaction has been authorised.
Inquiries about, and observation of, internal controls which leave no
audit trail, for example, determining who actually performs each
function and not merely who is supposed to perform it.
Re-performance of internal controls, for example, reconciliation of bank
accounts, to ensure they were correctly performed by the entity.
Testing of internal control operating on specific computerised
applications or on the overall information technology function, for
example, access or program change controls.
22. Based on the results of the tests of control, the internal auditor should
evaluate whether the internal controls are designed and operating as
contemplated in the preliminary assessment of control risk. The
evaluation of deviations may result in the internal auditor concluding that
the assessed level of control risk needs to be revised. In such cases, the
internal auditor would modify the nature, timing and extent of planned
substantive procedures.
23. The internal auditor should consider whether the internal controls
were in use throughout the period. If substantially different controls were
used at different times during the period, the auditor would consider each
separately. A breakdown in internal controls for a specific portion of the
period requires separate consideration of the nature, timing and extent of
the audit procedures to be applied to the transactions and other events of
that period. The internal auditor would obtain audit evidence as to the
nature, timing and extent of any changes in the entity's accounting and
internal control systems since such procedures were performed and assess
their impact on the auditor's intended reliance.
Monitoring Internal Audit Findings
24. The internal auditor should identify internal control weaknesses that
have not been corrected and make recommendations to correct those
weaknesses. The internal auditor should document the rationale in
deciding which audit recommendations should be followed up on and
when, in contrast with recommendations where no follow-up is
needed. The internal auditor should also inquire from the
management and document that either audit recommendations have
been effectively implemented or that senior management has
accepted the risk of not implementing the recommendations.
Communication of Continuing Internal Control Weaknesses
25. When internal controls are found to contain continuing weaknesses,
the internal auditor should consider whether:
Management has increased supervision and monitoring;
Additional or compensating controls have been instituted; and/or
Management accepts the risk inherent with the control weakness.
26. The internal auditor should evaluate identified control deficiencies
and then determine whether those deficiencies, individually or in
combination, are significant deficiencies or material weaknesses. The
auditor should communicate significant deficiencies and material
weaknesses to management and those charged with governance. This
communication includes significant deficiencies and material weaknesses
identified and communicated to management and those charged with
governance in prior audits but not yet remediated.
27. Some examples of common weaknesses in internal controls are:
Corporate philosophy is understood but not written, exposing it to
misinterpretation.
Organizational roles and responsibilities are not explicitly defined.
Lack of performance appetite and understanding of the entity's appetite
for risk taking.
Management or board of directors do not receive the right information
at the right time.
Disincentives exist which lead employees to behave in a dysfunctional
manner.
28. As a result of obtaining an understanding of the internal control systems
and tests of control, the internal auditor may become aware of weaknesses
in the systems. The internal auditor should make management aware,
as soon as practical and at an appropriate level of responsibility, of
material weaknesses in the design or operation of the internal control
systems, which have come to the internal auditor's attention. The
communication of material weaknesses to management would ordinarily be
in writing, as part of the internal audit report. However, if the internal auditor
judges that oral communication is appropriate, such communication would
be documented in the audit working papers. It is important to indicate in the
communication that only weaknesses which have come to the internal
auditor's attention as a result of the audit have been reported and that the
examination has not been designed to determine the adequacy of internal
control for management purposes.
29. The internal auditor, in his report to the management, should provide:
A description of the significant deficiency or material weakness in
internal control.
His opinion on the possible effect of such weakness on the
entity’s control environment.
Effective Date
30. This Standard on Internal Audit is applicable to all internal audits
commencing on or after ______. Earlier application of the SIA is
encouraged.