SEATA by TOMMY SEAH
Administrative Details
• 9.30 - 10.15 Introductory Lectures
• 10.15 - 10.30 Coffee Break
• 10.30 - 12.00 Product Lecture
• 12.00 - 2.00 Lunch
• 2.00 - 3.00 Case Study
• 3.00 - 3.15 Tea Break
• 3.15 - 4.00 Exercises and Q & A
• 4.00 - End of Day
CFE-In-Practice
AUDIT DOCUMENTATION - TOOLS & TECHNIQUES for THE INTERNAL AUDITOR
Tommy Seah CFE, Vice Chairman of the ACFE Board of Regents (Texas, USA) World Headquarters
Tools and Techniques for the Internal Auditor
Objective
• Conduct an audit from beginning to end.
• Learn to understand risks and to identify, evaluate, and document internal controls.
• Use the preliminary survey to determine how and what to audit.
• Discover the best techniques for gathering audit evidence and preparing working papers.
• Enhance interpersonal and team-building skills throughout the audit.
• Understand the audit communication process.
How do we achieve our objectives?
• The Internal Auditor's Roles and Responsibilities
• Audit responsibilities and general audit objectives
• Types of internal audits and factors impacting audit emphasis
• Attributes of the 21st century internal auditor
• The Audit Model - Performance of Audit Work
• Overview of the audit process
• Plan the audit - the preliminary survey, audit objectives, scope, and audit program
• Examine and evaluate information during fieldwork
• Communicate results
• Perform follow-up procedures
How do we achieve our objectives?
Internal Control
• Establish management's responsibility for control
• Identify internal audit's responsibility regarding control
• Introduce the SEATA control model
• Internal control components and factors
• Learn the various types of controls
• Understand the difference between exception and objective controls
• Review tools for documenting and evaluating internal controls
SEATA PHILOSOPHY
SEATA is defined as being "an approach to auditing that is concerned with risks, determines specific audit objectives to meet those risks and utilizes a thorough evaluation of the system of internal control as a basis for determining the audit procedures necessary to accomplish the specific audit objectives."
The SEATA approach is equally applicable in all types of audit - financial, operating or IT related, as well as with manual and automated systems.
The consequence of undetected risk is a potential detriment to any organization, ranging from loss of cash or income to dissatisfied customers or operational inefficiency.
Classified below are the general consequences of risks:
1. Loss of management control OVER ASSETS.
• Prescribed controls are not being followed AFFECTING CONTROL AND SECURITY
• Accuracy of accounts and reports is not ensured RESULTING IN INACCURATE PROFIT AND LOSS
• Financial assets are not safeguarded DUE TO POOR FINANCIAL MANAGEMENT
• Transactions are not properly authorized LEADING TO ABUSE OF POWER
2. A potential cash loss
3. A potential reduction in income DUE TO BAD FUNDING
4. Inaccurate accounting data and reports INCURRING THE WRATH OF THE REGULATORY BODIES
5. Fines or embarrassment to the organization.
6. Poor customer relations
7. Operational inefficiency
8. Loss of business license
Risk
The threat that an event or action will adversely affect the organization's:
• Ability to achieve its business objectives; and
• Execute its strategies effectively
The Risk Spectrum for business in general.
• CREDIT
• LIQUIDITY
• MARKET
• OPERATIONAL
CREDIT RISK
The potential earnings volatility caused by obligors defaulting on their obligations and the adequacy of collateral, if any.
LIQUIDITY RISK
The potential earnings volatility arising from being unable to fund portfolio assets at reasonable rates over required maturities.
MARKET RISK
The potential value and earnings volatility in the trading and structural books due to market price changes.
OPERATIONAL RISK
The potential loss caused by breakdown in information technology, communication and transaction processing.
Operational Risk includes inter alia, execution risk, information risk, relationship risk, legal/fiduciary risk and employee risk.
CFE-In-Practice offers a comprehensive range of business and technology consulting services for banking and capital markets. We offer Consultancy and Implementation for Third Party Independent SOX and/or AML and/or ISO 17799 Compliance Certification of your systems.
CFE-In-Practice
Banking Industry
Technology IT Program
Management
AML Certification Clearance Alternatives Execution and Clearing Infrastructure Re-alignment Workflow Simplification
Application Evaluation
Multi-Currency System
Skills Assessment
System Conversion
Sarbanes-Oxley Compliance
Establish "RFT” Identify IT
Security needs Project
Management Project Staffing Project
Supervision
CFE-In-Practice
Executive Coaching
Corporate Governance
Litigation Support
Conflict Resolution Leadership Skills Managerial Skills Motivational Strategies Productivity Enhancements
Operations Infrastructure Board of Directors Performance Diagnosis Technology Assessment SOX Certification
Authoritative Opinion Expert Testimony Industry Best Practices
What is SEATA?
The Auditors Tool.
General Function of Internal Audit
• What is the role of the internal auditor?
• What really is internal audit?
• What should be the expectation of the internal auditors?
• Is there a way to check on the internal auditor?
• How to protect yourselves when being audited?
(Systems Evaluation Approach Towards Auditing)
But first, the relationship between:
• Internal Audit
• Compliance
• Risks Management
Systems Evaluation Approach Towards Auditing
Control Objectives and Key Controls
The Core of an Internal Audit Assignment
Internal auditors are of course in favor of controls.
There is really nothing profound or mysterious about auditing.
From the professional Auditors perspective:
Controls should be there for a purpose.
The purpose is to ensure that the system or process achieves its objectives.
• Controls are only needed to reduce the risks to the achievement of these objectives to an acceptable level.
• Thus, there may be circumstances when internal auditors suggest that certain controls should be removed, for example, if they do not contribute to the reduction of significant risks.
• The systems audit approach revolves around the objectives of the system – i.e. should existing controls provide sufficient assurance to the senior managers and directors of the organisation that the system will achieve its objectives?
• And does the internal control system currently reduce the chance of things going wrong (or not going right) to an acceptable level?
• Before internal auditors start each audit assignment they need to be clear about the relevant organizational and management objectives.
• Are the internal auditors clear about this?
Control Objectives in SEATA
• Control objectives should form the framework of each systems audit assignment.
• They should detail the various aspects of a system's objectives.
• They identify specific objectives against which internal auditors can evaluate existing controls.
• Control objectives should be specific enough to provide the basis for this evaluation.
• Generalizations such as "to ensure that support services are adequate" should be avoided.
• Comprehensive control objectives can be developed for any system by considering the following areas of control:
– Has the system been adequately planned?
– Are the operations adequately supervised and controlled?
– Is the system periodically reviewed?
– Is suitable management information produced?
Internal auditors need to determine that the manager who is responsible for the system to be audited agrees with objectives assigned to the system and the control objectives which audit have developed.
These should be agreed at the initial meeting with the EIC who should also be requested to formally sign up to the agreed scope and objectives for the audit assignment during the pre-audit meeting.
Key controls
Once the control objectives have been agreed, internal auditors need to identify the controls that they consider necessary to provide assurance that each of these objectives is being achieved. These are what may be termed the key controls.
If the internal auditor is "lucky", control schedules will have been developed for the relevant system.
These schedules should document the standard control objectives for such a system and the associated expected key controls.
SEATA
The purpose of the schedule of expected key controls is to assist in the evaluation of the actual controls identified during the audit.
It is imperative that the expected controls are reviewed critically to ensure that they are appropriate. HOW?
The standard key expected controls will not always be relevant and may have to be adapted to the particular system that is reviewed.
Do not jump to conclusion. There can always be compensating controls.
If internal auditors do not identify the key expected controls, there is a danger that they will concentrate purely on the actual controls in place and fail to identify those that are missing.
Identification of key controls should ensure that audit time is spent efficiently by concentrating on the key control aspects of the system under review.
There may be many other controls, however, the key controls are the more important controls and are the basic controls that are necessary to ensure that each control objective is achieved and all significant risks are adequately managed.
The audit should concentrate on assessing the adequacy and reliability of these key controls.
SEATA - Identification and documentation of existing controls
Systems auditing should be a critical assessment of the controls currently in place against control objectives agreed for the system.
Thus, identifying existing controls is one of the central tasks of systems audit.
Internal auditors cannot assess, test or suggest improvements to the internal control environment unless they have a clear and comprehensive view of all of the controls that currently operate.
Documenting the existing controls should help auditors understand these controls and form a basis for the evaluation of the controls and the development of their testing strategy.
There may be a wide range of sources of information available to internal auditors about how a system operates. These may include:
• interviewing staff and their managers;
• reviewing existing documentation;
• observation of working practices;
• reviewing previous audit reports.
The most important source of information will usually be the staff working with the system.
They know how the system actually operates and should have a reasonable idea of how practical any improvements may be.
Thus interviewing skills are essential for all internal auditors.
They need to be able to understand what may be a complex system.
They also need to be able to critically assess each stage of the process; i.e. why is it performed? Could it be undertaken more efficiently?
Staff who operate the system will know what they do, but not necessarily why they do it.
They may also try and explain the system in the most positive light.
The skill of internal audit is to enable all the staff they interview to open up and tell them what they actually do (not just what they think they should do) and to describe any aspects they think could be improved.
Understanding why each task is undertaken may be more difficult. Staff may just do it "because we've always done it that way" or even worse "because the auditors told us to!"
SEATA - Other places to look
Auditors may review documentation such as statutes, circulars, committee reports, job descriptions, organisation charts, policy and procedure manuals and financial regulations.
These may record how a system is supposed to work, but may not necessarily reflect actual practice.
Internal auditors may consider that the adequacy or otherwise of documentation is an indication of the attitude of management to internal control.
Observation of the physical environment and working methods should provide internal auditors with further evidence of actual practice.
This is a particularly useful method of fact-finding where no physical evidence of an action may have taken place.
Internal auditors should however be aware that their presence may influence the behavior and practices of staff under review.
Reports of previous reviews of the system by other internal auditors, external auditors or other review agencies may also be a useful source of information.
However, these reports should be read with care. The authors may not have understood the system, they may not have covered all aspects or their reports may be unclear.
This consideration may allow internal auditors to reflect on the quality of their own reports and system documentation.
Would these allow other auditors to quickly grasp the most important aspects of the system and its internal controls?
Internal Controls
Auditors need to understand how the system operates and the role of all the key procedures, but essentially they are only interested in controls.
There are a range of different types of control. The most important may be remembered by the mnemonic SOAP MAPS:
• Segregation of duties: the functions of authorizing transactions; recording the transactions; and custody of the associated assets should be undertaken by separate staff.
• Organization: there should be a clear organisation chart and all staff should have up to date job descriptions that clearly indicate their responsibilities.
• Authorization and approval: all transactions and decisions should be formally authorized by nominated staff.
• Physical: there should be suitable controls over access to offices { i.e. including RECORDS, DATA BASE and whatnots }, assets, controlled stationery and computer systems.
• Management: production of suitable financial and operational management information; use of exception reports; critical review and enquiry by management.
• Arithmetical and accounting: checking / re-performing tasks carried out by others; costing (adding up) orders, invoices, payroll etc; reconciliation between the bank and accounting records; control accounts.
• Personnel: appointment of staff should be adequately controlled; all staff should be suitably trained for their post and appraised regularly.
• Supervision: all staff and activities should be adequately supervised by someone who understands the process and will detect deviations from accepted practice.
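The segregation-of-duties and authorization controls listed above can be tested directly against a transaction log. The following is an added example, not part of the original slides; the event format, staff names and the list of nominated authorizers are constructed assumptions.

```python
"""Added example: test segregation of duties and authorization over a log."""
from collections import defaultdict

# Constructed sample data (not from the original slides).
# Each event is (transaction id, function performed, staff member).
EVENTS = [
    ("T100", "authorize", "alice"),
    ("T100", "record", "bob"),
    ("T100", "custody", "carol"),
    ("T101", "authorize", "dave"),
    ("T101", "record", "dave"),       # same person authorizes and records
    ("T101", "custody", "carol"),
    ("T102", "record", "bob"),        # no authorization on file
    ("T102", "custody", "carol"),
    ("T103", "authorize", "erin"),    # erin is not a nominated authorizer
    ("T103", "record", "bob"),
    ("T103", "custody", "frank"),
    ("T104", "authorize", "alice"),
    ("T104", "record", "bob"),
    ("T104", "custody", "bob"),       # recorder also holds the asset
    ("T104", "custody", "carol"),
]

# Assumed list of staff formally nominated to authorize transactions.
NOMINATED_AUTHORIZERS = {"alice", "dave"}

# The three functions the slide says must be undertaken by separate staff.
FUNCTIONS = ("authorize", "record", "custody")


def evaluate_controls(events, nominated):
    """Return a sorted list of (transaction, finding, detail) exceptions."""
    nominated = {name.strip().lower() for name in nominated}
    by_txn = defaultdict(lambda: defaultdict(set))
    for txn, function, staff in events:
        if function not in FUNCTIONS:
            raise ValueError(f"unknown function {function!r} on {txn}")
        # Normalise names so "Dave " and "dave" count as the same person.
        by_txn[txn][function].add(staff.strip().lower())

    findings = []
    for txn in sorted(by_txn):
        roles = by_txn[txn]
        # A function nobody performed is a missing control, not a pass.
        for function in FUNCTIONS:
            if not roles.get(function):
                findings.append((txn, "MISSING_FUNCTION", function))
        # Authorization must come from nominated staff.
        for staff in sorted(roles.get("authorize", set()) - nominated):
            findings.append((txn, "UNNOMINATED_AUTHORIZER", staff))
        # Segregation of duties: no person may appear in two functions.
        for i, first in enumerate(FUNCTIONS):
            for second in FUNCTIONS[i + 1:]:
                overlap = roles.get(first, set()) & roles.get(second, set())
                for staff in sorted(overlap):
                    findings.append(
                        (txn, "SOD_CONFLICT", f"{staff}: {first}+{second}")
                    )
    return findings


if __name__ == "__main__":
    for txn, finding, detail in evaluate_controls(EVENTS, NOMINATED_AUTHORIZERS):
        print(f"{txn}  {finding:<24} {detail}")
```

Each exception is a candidate working-paper item; a compensating control may still explain it, so the output is a list to investigate and not a conclusion.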
Interim Opinion
Recording the controls
All internal audit work should be documented and be sufficient to support the conclusions drawn on the adequacy and reliability of the internal controls.
The main procedures and key controls over significant risks should be clearly and concisely recorded.
Proper house keeping
Audit working papers should include:
• systems notes, either in text or graphics, whatever;
• notes of interviews and meetings;
• a record of the current key controls and their reliability;
• an assessment of the extent that existing controls will ensure that each agreed control objective is achieved; and
• evidence of audit sampling and testing of controls.
There are a number of methods of documenting procedures and controls, for example:
• flow charts,
• key control schedules,
• internal control questionnaires and
• narrative notes.
Whatever method is adopted should be used consistently.
This should make it easier for the system notes to be used for future reviews of the same system.
Systems documentation should be:
• clear and easy to understand;
• provide a standardized approach;
• highlight risk points and key controls.
The purpose of this documentation is to:
• enable the internal auditors to review the information they have received and to organize their thoughts and knowledge so the internal controls can be systematically assessed and tested;
• provide details of problems encountered, evidence of work done and conclusions drawn for future reference and to assist the planning of future audits;
• demonstrate to interested parties that the audit work has been properly planned, controlled, executed and reported.
Once internal auditors have discovered the controls that actually exist and made notes of these they can go on to assess whether these controls should be adequate.
However, auditors do not usually look upon internal auditing as simply a series of stages that can be completed one after the other. (Those who do that are not real internal auditors – it is just an occupation, a job, paper pushers.)
The really professional auditors:
When they go on to test the controls that they have identified, they may discover further controls or that some controls are not actually operating as expected.
They will then have to go back and revise their system notes to ensure these reflect the actual controls that are operating in practice.
The Fraud Triangle: Motive, Opportunity, Rationalization
SEATA
Risk Definition
What is Risk?
Understanding Risk in Internal Audit
[Figure: SML Curve, with axes Return and Risk. Deviation from Return is Risk.]
The Risk Spectrum for any organization in general: Operational Risk, Credit Risk, Market Risk, Liquidity Risk, Reputational Risk.
How ACTIVE DATA can be used to achieve your risk management objectives
Operational Risk and Challenges for Banks
The SEATA AIG-Caat Approach
Risk Definition
Product RiskProduct Risk General RiskGeneral RiskBusiness RiskBusiness Risk
Critical Product Controls
Business Policy General Controls
System Documentation
System Documentation
Internal Control Internal Control Questionnaire Questionnaire (ICQ)(ICQ)
Narrative NotesNarrative Notes
(Interviewing Notes)(Interviewing Notes)
Flow ChartsFlow Charts
Analytical Review Procedures (ARP) and Quantitative Testing i.e. MfV concepts and Economic Capital allocation test.
Depth Tests
Determine the Existence of Controls
Evaluate (THEORETICAL) Adequacy
System Appraisal Memorandum (Sam)
Part I
SYSTEM APPRAISAL
SYSTEM CONTROL OBJECTIVES | ADEQUATE: YES / NO / N/A | IF NOT ADEQUATE: W.P.'s REF. / REPORT SHEET NO.
1 Transaction or Event Recognition
Methods must exist to ensure that all transactions will be identified and recorded with control established close to the source of the transaction.
2 Transaction Authorisation
Methods of transaction approval must be defined with effective procedures to detect and clear errors with the responsibility for approval being at the right level.
3 Transaction Acceptance
There must be an effective control on converting data to the form used for accounting or record keeping which will ensure that errors will be detected and cleared and lost transactions will be identified.
4 Account of File Classification
Methods must exist to ensure consistency in making account allocations.
5 Integrity of Processing
Methods must exist to ensure there is control on accuracy of data during processing, that only valid files will be used and errors, lost transactions and transactions processed twice will be detected, ensuring that corrected transactions will be properly represented.
6 Interface Compatibility
Methods must exist to ensure that common data is used wherever possible and that, in interfacing systems, the information is consistent, compatible and reconciled; the means to integrate interfacing systems should be thoroughly explored.
7 Accuracy of Reports
Methods must exist to ensure that output is reconciled to input, that reporting is complete, meets the requirements of management and is distributed correctly on a timely basis while ensuring management trails are adequate.
8 Verification of Reports and Files
Methods must exist to ensure that management reports are reconciled with underlying data files, with regular comparison of physical items where possible.
9 Error Correction
Methods must exist to ensure that all errors occurring at each stage of the transaction process will be corrected and reprocessed on a timely basis.
10 Asset Access Restriction
Methods must exist to ensure that access to assets will be restricted and assets safeguarded.
11 Organization
There must be proper segregation between functions of custody, authorisation and recording.
PART II IMPACT OF WEAKNESS
WEAKNESS | IMPACT OF THE WEAKNESS | T.A.P REF.
PART III OVERALL CONCLUSION FOR PRELIMINARY REPORT
The system of internal control is appraised to be:
• Satisfactory
• Satisfactory however………
• Satisfactory except for…….
• Unsatisfactory
• We are unable to express an opinion because………..
TAILORED AUDIT PROGRAM (TAP)
Execution of TAILORED AUDIT PROGRAM (TAP)
Compliance Testing
Substantive Testing
Report Sheet
AIG-Caat
Effectiveness
Accuracy
AIG-Caat
Application of Benford's Law for Discovery Sampling Techniques in Analytical Review Procedures
Software Assurance Process
FORM OPINION
TAKE UP MEETING
ISSUE REPORT
More Information
• CFE-In-Practice – www.cfe-in-practice.com
• Contact Person – Tommy Seah, ACFE Vice Chairman, Regent – (65) 9106 9872