Internal Audit Guide


Chapter 4 – Audit Risk Assessment and Audit Plan



4.1—OVERVIEW
This section describes general steps for developing an STA’s Audit Risk Assessment and Audit Plan. The audit plan is usually developed annually but should be considered a living document that will change and grow. Most audit plans are works in progress, and schedules change to meet department needs. A new program, department realignment/reorganization, or unexpected occurrences may change management’s needs, shifting some engagements to higher priority status and inserting engagements of new programs. The audit plan should be based upon the risks of the organization. The internal audit manager should prioritize the internal audit work based upon the risks of the various areas of responsibility of the STA.
4.2—IDENTIFY AUDIT UNIVERSE OR AUDITABLE UNITS
In order to determine appropriate audit coverage, the internal audit manager, with input from executive management, should identify the auditable units within the STA. This enables internal audit to link the Internal Audit Plan to the STA risks based upon the primary owner of the process. Any additional areas responsible for completion of that particular process should also be identified within the auditable units. This is a vital component of the risk assessment process and consists of dividing the entire STA into various control areas that cover all responsibilities and functions of the STA. The key to maintaining a good schedule of auditable units is to periodically verify that there have been no changes or additions to the auditable units. The auditable units should be updated to reflect any changes in structure, functions or responsibility on at least an annual basis. When responsibility changes occur, historic data should be retained to reflect the previous responsibilities and audit coverage that was given.
Once identified, engagements performed and scheduled for each auditable unit can be tracked to ensure regular engagements are performed as necessary. This will also assist in developing the audit plan based upon length of time since last audit and ensure that all auditable units are considered in the audit plan. Some auditable units, however, may be low risk and not receive an engagement due to limited internal audit resources. The limited internal audit resources should be scheduled for areas of the STA which pose the highest risk.

Using the identified audit universe, prepare a matrix of engagements performed for each auditable unit. It is helpful to maintain at least three to five years of data to facilitate scheduling future engagements.



4.3—BENEFITS OF AUDITABLE UNITS
There are many benefits to developing the auditable units of the STA. These include, but are not necessarily limited to, the following:

  • Provides the framework for monitoring the internal control structure of the STA by operational area and provides the foundation for the risk assessment process
  • Allows Internal Audit to communicate with each division or office of the STA in a standardized manner to monitor the STA’s internal controls
  • Provides a mechanism for confirming whether all processes have been captured
  • Provides a means for monitoring historic audit coverage for all functions and activities of the STA
  • Demonstrates compliance with the standards and laws that may govern the internal audit function
  • Considered an Internal Audit best practice

4.4—DEVELOP PERMANENT FILES
A permanent file is a useful tool to assist with the audit process. It provides basic and historic information for Internal Audit in assessing auditable units. These files are generally created as part of the audit process, but may be created separately as time allows. This helps provide a starting point not only for the Internal Audit Plan Risk Assessment but also for audit-specific risk assessments. It is also a primary source of information for the internal auditor assigned to a particular audit. Permanent files must be updated as changes occur in order for them to be useful. Suggested information for permanent files includes, but is not necessarily limited to, the following:

  • Applicable statutes, rules, and regulations
  • Policies and procedures, manuals, guidelines
  • Internal control certifications
  • List of information technology systems used
  • Interview notes
  • System narratives

4.5—RISK ASSESSMENT
Internal Audit should develop procedures to be followed each year in performing the STA’s internal audit risk assessment. Management input should be one of the factors considered. Internal Audit should consider holding meetings with various levels of management to gain a further understanding of the risks and controls of the auditable units. Internal auditors are the internal control and risk management experts in their agency. Audit planning should be used as an opportunity to educate and increase management’s understanding of the internal audit function and the risk assessment process, and ensure that there is a common understanding of definitions. A risk assessment questionnaire could be provided to management to assist them in determining their sections’ risks and needs. The risk assessment questionnaire might include the following:

  • Any changes to the auditable units
  • New programs or initiatives
  • Rapid growth or significant increases in funding or expenditures
  • Turnover of key management or key personnel
  • Reviews or audits by a federal agency; e.g., FHWA, FTA, FRA, FAA, NHTSA, FMCSA, GAO
  • Media exposure
  • Law changes
  • Administrative rule changes
  • Information technology that was developed or had major modifications in the last year or any that are currently in process or planned
  • Any fraudulent activity, improper conduct, blatant disregard for procedures, suspected or improper use of assets or state resources
  • Any processes or programs they would like Internal Audit to review
  • Rank what they consider to be the five most significant areas or processes for which they are responsible

Meetings should be scheduled with Executive Management and the Audit Committee, if applicable, to obtain their audit requests and areas of concern they would like considered. Consider informal sources of audit requests, such as concerns noted in conversations and emails from STA staff members, anonymous tips, and auditor observations and concerns noted in other audits. Perform risk assessments on all the auditable units to determine priorities, taking into consideration any audit requests that are received. Each year, new audit requests may be added and a risk assessment conducted to prioritize and insert new requests into the ongoing list.


4.6—RISK ASSESSMENT CRITERIA
A formal risk assessment should be developed which includes various criteria deemed significant to the STA. A risk assessment usually includes consideration of both the impact and the probability of occurrence for any given risk. Impact is fairly evident in the suggested criteria below; however, the probability of occurrence should also be kept in mind. Suggested criteria may include, though are not limited to, the following:

  • Revenues/expenditures
  • Federal responsibilities/requirements
  • Legal responsibilities/requirements
  • Public impact or exposure
  • Management needs
  • Date of last audit
  • Prior experience with auditee
  • Inherent risk factors (high activity, high volume, complexity of operations, dollar value of assets, etc.)
  • Potential for fraud (improper conduct, suspected misuse, improper use of assets, blatant disregard for procedures)
  • Strength of internal controls
  • Reported problems on last audit, external audit, or U.S. Department of Transportation (USDOT) reviews
  • Potential efficiency improvements
  • New programs, initiatives or activities
  • Change in key personnel
  • New IT systems or major changes to IT systems key to department
  • Estimated audit time

4.7—CONSIDERATION OF INTERNAL CONTROLS
To achieve the objectives of the agency, management must sometimes place assets at risk. It is management's responsibility to decide how much and what risk it is willing to accept to achieve the objectives of the agency. Management mitigates risks and ensures that management’s objectives are met through the use of internal controls.
Identifying and assessing threats helps management recognize vulnerabilities in the internal control system. Based upon this information, management can provide appropriate controls to mitigate risk. The internal auditor should consider these areas during their meeting with management to assess which programs and functions pose the highest risk to the agency and should therefore receive internal audit coverage first. Some common threats include the following:


  • Management override - Controls are readily set aside at the option of management or personnel.
  • Optional or incomplete controls - Controls that say “may” or those that give options without guidance for making decisions on how to proceed are not effective. Clear direction regarding the choice should be made.
  • Form over substance - Controls appear to be well designed but are ineffective or miss their intended mark.
  • Conflicts of interest - Causes personnel to place their interest above that of the organization.
  • Access to assets - Having improper or unauthorized access to assets can result in theft, misuse or abuse.
  • Inadequately trained or informed personnel - Personnel who don’t understand the reason or necessity for a particular control or the desired result may not properly execute the necessary steps.
  • Inadequate separation of duties - Multiple control points are the responsibility of one person.

Chapter 5 discusses internal control in more detail.



4.8—INTERNAL CONTROL WEAKNESSES
Another key component of the risk assessment process is gaining an understanding of why internal control weaknesses occur. Understanding these weaknesses helps management monitor for appropriate and effective internal controls. Internal Audit should consider these factors and determine whether they exist as they walk through the risk assessment process with management. Some common reasons internal control weaknesses occur may include the following:


  • Poorly designed or implemented internal control processes (the process becomes routine due to familiarity and steps in the process are overlooked)
  • Information concerning a law, rule or procedure was not adequately communicated
  • Employees not properly trained or instructed
  • Personnel not knowledgeable of the importance of a step or process and its impact on another area
  • Confusion over who is responsible (each area incorrectly thinks the other is handling the process)
  • Time constraints
  • Inadequate resources devoted to the process
  • Personnel are comfortable with the current process and resistant to change

4.9—ANALYSIS OF INTERNAL AUDIT RESOURCES
To determine the number of internal engagements to be scheduled, an analysis of available staff hours should be conducted. The internal audit manager should consider the following in determining hours available:

  • Total annual hours
  • Holidays
  • Annual leave
  • Sick leave
  • Training
  • Miscellaneous administrative

Other considerations might include:

  • Additional annual leave for long-term employees
  • Retirements/resignations
  • Time required to replace employees who retire or resign
  • Furlough days
  • Extended use of leave (family & medical leave, military leave, disability, and sick leave)
  • Other types of reviews, consulting, and non-audit services

4.10—DEVELOPING THE AUDIT WORK PLAN

Based on the risk assessment and analysis of staff availability, an audit work plan should be developed. Remember to include any needs for audit follow-ups (e.g., 90 to 120 days after the engagement). It may be helpful to develop two types of audit work plans. One type would give a narrative describing the engagement. The second type would be a scheduling tool to assign auditors to each selected engagement with time estimates across the twelve months. Another consideration for scheduling engagements is the auditee’s schedule, which may include deadlines or busy seasons. These factors, as well as others specific to your STA, should be taken into account when scheduling.

It may also be helpful to prepare a two-year audit plan in order to assist with prioritizing engagements and resources. However, the second year of the internal audit plan is always reconsidered at the time the next year’s two-year plan is developed. This is due to changes in circumstances and risks that may occur over the one-year period since the plan was last developed.

Final meetings with the STA’s chief executive officer and the audit committee, if applicable, should be scheduled to obtain concurrence and approval of the proposed audit work plan. Any scheduling concerns should be communicated at this time.
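The risk assessment (4.5 and 4.6), the staff-hour analysis (4.9) and the work plan (4.10) are steps of one procedure, so here they are combined into a single prioritization routine. This is an added worked example, not code from the guide or from any STA: the auditable-unit names, the 1 to 5 impact and probability scales, the staleness and request weights, the per-auditor hour deductions, the follow-up reserve and the planning year are all constructed assumptions chosen for illustration.

```python
"""Risk-ranked audit work plan built from an audit universe and available staff hours.

Added example, not part of the guide. Every unit, score, weight, hour figure and
the planning year below is a constructed assumption.
"""
from dataclasses import dataclass
from typing import Optional

PLANNING_YEAR = 2017  # assumed planning year, used for the "date of last audit" criterion


@dataclass
class AuditableUnit:
    name: str
    impact: int                     # 1 (low) .. 5 (high): dollar value, public exposure, legal/federal exposure
    probability: int                # 1 (low) .. 5 (high): control strength, turnover, new systems, prior findings
    last_audit_year: Optional[int]  # None if the unit has never been audited
    estimated_hours: int            # estimated audit time for the engagement
    requested: bool = False         # requested by executive management or the audit committee


def risk_score(unit: AuditableUnit, year: int = PLANNING_YEAR) -> int:
    """Impact x probability (1..25), plus a staleness term and a bonus for management requests."""
    base = unit.impact * unit.probability
    years_since = 99 if unit.last_audit_year is None else year - unit.last_audit_year
    staleness = min(years_since, 5)          # five or more years without coverage count alike (assumed cap)
    request_bonus = 3 if unit.requested else 0  # assumed weight for an explicit audit request
    return base + staleness + request_bonus


def available_hours(staff: int, total_annual: int = 2080, holidays: int = 88,
                    annual_leave: int = 120, sick_leave: int = 60,
                    training: int = 40, admin: int = 100) -> int:
    """Section 4.9 style staff-hour analysis; the per-auditor deductions are assumed values."""
    per_auditor = total_annual - holidays - annual_leave - sick_leave - training - admin
    return staff * per_auditor


def build_plan(units, hours_budget: int, followup_share: float = 0.10) -> dict:
    """Rank units by risk score and schedule them greedily until the hours run out.

    A share of the budget is held back for follow-up work (section 4.10). Units that
    do not fit are deferred, which is the guide's point that low-risk units may
    receive no engagement when internal audit resources are limited.
    """
    reserve = int(round(hours_budget * followup_share))
    remaining = hours_budget - reserve
    ranked = sorted(units, key=risk_score, reverse=True)
    scheduled, deferred = [], []
    for unit in ranked:
        if unit.estimated_hours <= remaining:
            scheduled.append(unit.name)
            remaining -= unit.estimated_hours
        else:
            deferred.append(unit.name)
    return {"scheduled": scheduled, "deferred": deferred,
            "followup_reserve": reserve, "remaining_hours": remaining}


# Constructed audit universe (names and values are invented for the example).
UNITS = [
    AuditableUnit("Construction contract payments", impact=5, probability=3, last_audit_year=2014, estimated_hours=400),
    AuditableUnit("Motor vehicle title fees", impact=4, probability=4, last_audit_year=2012, estimated_hours=300, requested=True),
    AuditableUnit("Fleet fuel cards", impact=3, probability=4, last_audit_year=None, estimated_hours=200),
    AuditableUnit("Records retention", impact=1, probability=2, last_audit_year=2016, estimated_hours=120),
    AuditableUnit("New ERP implementation", impact=5, probability=5, last_audit_year=None, estimated_hours=500),
]

if __name__ == "__main__":
    for unit in sorted(UNITS, key=risk_score, reverse=True):
        print(f"{risk_score(unit):3d}  {unit.name}")
    print(build_plan(UNITS, available_hours(staff=1)))
```

With one auditor the constructed universe yields 1,672 available hours; after the 10 percent follow-up reserve the four highest-scoring units fit and the lowest-risk unit (records retention) is deferred to a later year, exactly the trade-off section 4.2 describes. The scoring weights are the part an STA would tune to its own criteria; the greedy allocation is only one simple way to turn a ranked list into a schedule.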


Chapter 5 – Internal Control
5.1—OVERVIEW
Internal control is a system implemented by an organization’s governing body and management that helps ensure key financial, operational, and regulatory objectives are achieved. Internal control is effected by an entity’s management and other personnel; it is not merely policy manuals and forms, but involves people at every level of an organization. Internal control is pervasive, impacting people, process, and technology. It can be expected to provide reasonable assurance, not absolute assurance, to an organization’s management.
This review guide adopts the internal control direction provided by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. In May 2013, COSO updated its Internal Control – Integrated Framework to take into account changes in business environment and operations over the last 20 years.
5.2—COSO CATEGORIES
Internal control is broadly defined as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three COSO categories:

  1. Reporting - related to the internal and external financial and nonfinancial reporting to stakeholders, encompassing reliability, timeliness, transparency, or other elements as established by regulators, standard setters, or the entity’s policies
  2. Compliance - adhering to those laws and regulations to which the entity is subject, where non-compliance could result in penalties, fines or negative impacts to reputation
  3. Operations - addresses an entity’s basic business objectives, including performance and goals and safeguarding of resources.

[Figure: the COSO internal control “Cube” (cube_framework_new2-01.jpg)]

In assessing the design and operating effectiveness of internal controls under the COSO framework, management also considers the five components of internal control as depicted in the COSO “Cube”. If designed and operating effectively, controls within these five components in totality provide a framework for internal control. The 2013 framework incorporates 17 principles that support these five components. For effective internal controls, the 2013 framework requires that each of the five components and 17 relevant principles be present and functioning, and that the five components must operate together in an integrated manner.


“Present” means that the components and relevant principles exist in the design and implementation of the system of internal control.
“Functioning” means that the components and relevant principles continue to exist in the conduct of the system of internal control.
5.3—FIVE COMPONENTS OF COSO


  1. Control Environment

The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the set of standards, processes, and structures that provides the basis for carrying out internal control across the organization. It is the foundation for all other components of internal control, providing discipline and structure.

The five principles relating to control environment are:

    1. The organization demonstrates a commitment to integrity and ethical values.
    2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
    3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
    4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
    5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

  2. Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. Risk assessment is the identification and analysis of relevant risks that could affect the achievement of the entity’s objectives, forming a basis for determining how the risks should be managed.

The four principles relating to risk assessment are:

    1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
    2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
    3. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
    4. The organization identifies and assesses changes that could significantly affect the system of internal control.

  3. Control Activities

Control activities are the policies and procedures that help determine if management directives are carried out. They help facilitate the necessary actions required to address risks to achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

The three principles relating to control activities are:

    1. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
    2. The organization selects and develops general control activities over technology to support the achievement of objectives.
    3. The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action.

  4. Information and Communication

Pertinent information must be identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities. Information systems produce reports, containing operational, financial, and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but with information about external reporting as well. Effective communication must also occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and stakeholders.

The three principles relating to information and communication are:

    1. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
    2. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
    3. The organization communicates with external parties about matters affecting the functioning of internal control.

  5. Monitoring Activities

Internal control systems need to be monitored (a process that assesses the quality of the system’s performance over time). This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The 2013 Framework distinguishes between a management review control as a control activity and a monitoring activity. A management review control that is a control activity responds to a specified risk and is designed to detect and correct errors. However, a management review control that is a monitoring activity would ask why the errors exist, and then assign the responsibility of fixing the process to the appropriate personnel.

The two principles relating to monitoring activities are:

    1. The organization selects, develops, and performs ongoing or separate evaluations to ascertain whether the components of internal control are present and functioning.
    2. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

The COSO 2013 Framework became effective December 15, 2014.


5.4—COBIT
While COSO is commonly accepted as the internal control framework for organizations, the Control Objectives for Information and related Technology (COBIT) is the accepted internal control framework for the information technology (IT) environment. COBIT was first released by the Information Systems Audit and Control Foundation (ISACF) in 1996 and has been updated to include current IT governance principles and emerging international, technical, professional, regulatory, and industry specific standards. The resulting control objectives have been developed for application to organization-wide information systems. Now in Edition 4.1, COBIT is intended to meet the multiple needs of management by bridging gaps between business risks, control needs and technical issues.
The COBIT framework is based on the following principle:
To provide the information that the organization requires to achieve its objectives, the organization needs to invest in and manage and control IT resources using a structured set of processes to provide the services that deliver the required organization information.
The COBIT framework identifies 34 IT processes and has an approach to provide control over these processes. It provides a generally applicable and acceptable standard for sound IT security and control practices to support management’s needs in determining and monitoring the appropriate level of IT controls for their organizations.
The COBIT framework is structured in four principal domains. Each domain includes unique processes which together make up the 34 IT processes discussed above. This structure serves as a process model for an enterprise to manage IT activities.
1. PLAN AND ORGANIZE (PO)
The Plan and Organize domain covers strategy and tactics and identifies how IT can best contribute to the achievement of the business objectives. The realization of the strategic vision needs to be planned, communicated, and managed for different perspectives. A proper organization as well as technological infrastructure should be put in place. The Plan and Organize domain addresses the following processes:


  • PO1—Define a strategic IT plan
  • PO2—Define the information architecture
  • PO3—Determine technological direction
  • PO4—Define the IT processes, organizations, and relationships
  • PO5—Manage the IT investment
  • PO6—Communicate management aims and direction
  • PO7—Manage IT human resources
  • PO8—Manage quality
  • PO9—Assess and manage IT risks
  • PO10—Manage projects

2. ACQUIRE AND IMPLEMENT (AI)

To realize the IT strategy, IT solutions need to be identified, developed or acquired, and implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to ensure the solutions continue to meet business objectives. The Acquire and Implement domain addresses the following processes:

  • AI1—Identify automated solutions
  • AI2—Acquire and maintain application software
  • AI3—Acquire and maintain technology infrastructure
  • AI4—Enable operation and use
  • AI6—Manage changes
  • AI7—Install and accredit solutions and changes

3. DELIVER AND SUPPORT (DS)

The Deliver and Support domain is concerned with the actual delivery of required services, which includes service delivery, management of security and continuity, service support for users, and management of data and operational facilities. It addresses the following processes:

  • DS1—Define and manage service levels
  • DS2—Manage third-party services
  • DS3—Manage performance and capacity
  • DS4—Ensure continuous service
  • DS5—Ensure systems security
  • DS6—Identify and allocate costs
  • DS7—Educate and train users
  • DS8—Manage service desk and incidents
  • DS9—Manage the configuration
  • DS10—Manage problems
  • DS11—Manage data
  • DS12—Manage the physical environment
  • DS13—Manage operations

4. MONITOR AND EVALUATE (ME)
All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. The Monitor and Evaluate domain addresses performance management, monitoring of internal control, regulatory compliance and governance. It addresses the following processes:


  • ME1—Monitor and evaluate IT performance
  • ME2—Monitor and evaluate internal control
  • ME3—Ensure compliance with external requirements
  • ME4—Provide IT governance


5.5—UNDERSTANDING AN AUDITEE’S INTERNAL CONTROLS
The auditor’s understanding of the client’s internal control is usually gained through the following procedures:


  • Prior experience with the entity

This can be a major source of audit efficiency in recurring audits. Because systems and controls usually don’t change frequently or significantly from year to year, information obtained by the auditor in previous audits of the entity can be updated and carried forward to the current year’s audit.

  • Inquiry of client personnel

The auditor may inquire about the types of accounting documents used to process transactions and about control activities that have been placed in operation for authorizing, for example, a credit.

  • Observation of client activities and procedures

The auditor can observe client personnel in the process of preparing accounting records and documents and carrying out their assigned accounting and control functions.

  • Inspection of accounting documents and records

By inspecting actual, completed documents and records, the auditor can better understand their application to the entity’s internal control. The auditor may wish to obtain copies of sample documents used by the entity for inclusion in the permanent file.

  • Entity’s policy and system manuals

This includes both (1) policy manuals and documents, and (2) system manuals and documents, such as an accounting manual and an organization chart.


5.6—DOCUMENTING INTERNAL CONTROLS
The auditor documents their understanding of internal controls to:


  • Provide evidence of the understanding of the design of significant processes
  • Identify key risks within the process
  • Identify controls that would prevent or detect errors from occurring within the process
  • Identify control gaps and process improvement opportunities

This documentation may take several forms such as:

  • Flowchart – A diagram that shows step-by-step progression through a procedure or system, especially using connecting lines and a set of conventional symbols. The purpose of flowcharting is to:
    • Be a tool for analyzing processes.
    • Break down processes into individual events and activities, usually by process or event owner.
    • Identify interdependencies across the business.
    • Link system and manual activities.
    • Identify control gaps, segregation of duties, problems and inefficiencies.
  • Narrative – A document that describes a process or transaction flow using words rather than a pictorial representation. The purpose of a narrative is to:
    • Provide evidence of understanding of a process.
    • Identify and document key risks, controls and control gaps.
    • Confirm understanding with the process owner.
    • Provide knowledge that can be used in future years by other employees.
  • Walkthrough – A document that traces one representative transaction through a process from beginning to end. The purpose of a walkthrough is to:
    • Confirm understanding of the significant flow of transactions.
    • Confirm understanding of the relevant controls.
    • Confirm that relevant controls have been placed in operation.
    • Confirm process documentation.
  • Internal Control Questionnaire – Designed to identify basic control issues and used as a guide for improving or implementing good business practices and complying with policies and procedures.


5.7—INTERNAL CONTROL OVER FINANCIAL REPORTING
Auditors must understand the concepts of internal control; specifically, internal control over financial reporting. The AICPA’s Statement on Auditing Standards No. 115, as applicable, requires auditors to evaluate whether identified internal control deficiencies are significant deficiencies or material weaknesses, as they relate to financial reporting reliability. In addition, the conclusion that significant internal control deficiencies or material internal control weaknesses exist should be communicated in writing to management and the entity’s governing body.
A sound system of internal control over financial reporting includes control design and operating effectiveness to provide reasonable assurance that the entity’s financial statements are fairly presented in accordance with generally accepted accounting principles.
Internal controls over financial reporting are evaluated based upon the auditor’s risk assessment procedures to determine whether controls are designed adequately and operating effectively to provide reasonable assurance of financial reporting reliability. The entity’s ability to prevent and detect financial misstatement is evaluated and determines whether a significant deficiency or material weakness exists.
5.8—EVALUATION OF INTERNAL CONTROLS
Auditors can verify if controls are implemented as designed through testing, reviews, observations, and analytical procedures. Auditors can determine the validity and accuracy of transactions, as well as determine compliance with applicable rules, laws and procedures, and assess the adequacy of existing controls. Evaluation tools include:


  • Testing by statistical sampling – focuses on sampling techniques that provide assurance based on sampling risk that the auditor and stakeholders deem acceptable
  • Testing by direct sampling – focuses more closely on specific transactions or certain types of transactions and can be used when the population under review is not homogeneous
  • Reviews/interviews – used when the performance of a process does not lend itself to normal testing procedures
  • Analytical procedure – takes information as a whole and applies some set standard, analysis or comparison


5.9—CLASSIFYING INTERNAL CONTROL WEAKNESSES FOR REPORTING
Upon determining that controls are inadequately designed or implemented, auditors shall communicate the weakness to management based upon the likelihood and magnitude of the concern. This communication may be verbal, written via an informal management letter, or reported formally, such as in the audit report. The matrix below can help auditors determine how or where to report the weakness to management.


Rows give the likelihood of misstatement or error; each entry gives the magnitude of misstatement (or error) that occurred or could occur, the resulting classification, and how to report it.

Likelihood: Remote
  • Inconsequential – Not a significant deficiency or material weakness; do not report
  • More than inconsequential but less than material – Not a significant deficiency or material weakness; report informally, verbally or via management letter
  • Material – Not a significant deficiency or material weakness; report informally, verbally or via management letter

Likelihood: More than remote
  • Inconsequential – Not a significant deficiency or material weakness; report informally, verbally or via management letter
  • More than inconsequential but less than material – Significant deficiency; report formally, via audit report
  • Material – Material weakness; report formally, via audit report

