Presentation 5, System based audit approach - what is it about?, Workshop on System-based auditing, Tirana, 10-12 Sept 2014_ENG
7 likes12,735 views
This document discusses system-based auditing and the role of internal control. It defines internal control according to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as a process designed to provide reasonable assurance of achieving objectives related to operations, reporting, and compliance. The COSO internal control framework identifies five components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring activities. System-based auditing involves assessing inherent and control risks to determine the nature and extent of substantive testing needed, with fewer tests required when control risk is low.
Presentation 5, System based audit approach - what is it about?, Workshop on System-based auditing, Tirana, 10-12 Sept 2014_ENG
- 1. © OECD A joint initiative of the OECD and the European Union, principally financed by the EU Tirana, 10-12 September 2014 Workshop System Based Auditing 5. System Based Audit approach: What is it about?
- 2. 2
- 3. 3
- 4. 5.1 Internal control •What is the role of internal control in an organisation? •What is the role of internal control in audit? 4
- 5. 5.2 Internal control: ISSAI definition •ISSAI 4200 paragraph 65: Understanding internal control is normally an integral part of understanding the entity and the relevant subject matter. The Fundamental Auditing Principles explain that in performing an audit, public sector auditors understand and evaluate the reliability of internal control (ISSAI 300, 3.3.1). In compliance audit, this includes understanding and evaluating controls that assist management in complying with laws and regulations (ISSAI 300, 3.3.2). 5
- 6. 5.3 Internal control: COSO definition Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives, reporting, and compliance. http://www.coso.org/documents/990025P_Executive_Summary_final_may20_e.pdf page 3 6
- 7. 5.4 Internal control: objectives •Operations objectives: Effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss. •Reporting objectives: Internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or in other terms as set forth by regulators, recognized standard setters, or the entity’s policies. •Compliance objectives: Adherence to laws and regulations to which the entity is subject. 7
- 8. 5.5 Internal control: COSO Framework 8 Internal Control Framework 2004 COSO ERM framework 1992
- 9. 5.6 Internal control: COSO Internal control framework •Control environment: sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. •Risk assessment: the entity's process for identifying and analyzing relevant risks to achievement of its objectives, forming a basis for determining how the risks should be managed. •Control activities: the policies and procedures that help ensure that management directives are carried out. •Information and communication: these systems support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities. •Monitoring of controls: a process that assesses the quality of internal control performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. 9
- 10. 5.7 Systems Based Audit System Based Audit is an audit in which the nature and depth of the testing depends on the auditor’s assessment of the internal control system and these assessments form the main part of the audit. 10
- 11. 5.8 System based audit approach = Risk based Three elements 1.Inherent Risk 2.Control Risk 3.Detection Risk Audit Risk = Inherent Risk x Control Risk x Detection Risk 11
- 12. 5.9 System based audit approach defines: Whether the internal control procedure was performed Whether the quality of the performed control procedures was satisfactory 12
- 13. 5.10 Direct Tests Tests for details on major classes of transactions and account balances to obtain evidence to detect material misstatements in the financial statement 13
- 14. 5.11 Do we need to use internal control procedures? When the auditor has no specific requirement to assess the operation of the organisation’s systems of control or because the internal control procedures are too weak to be relied on, then the audit objectives can be achieved without relying on these systems and without undertaking tests of control => DIRECT TESTING 14
- 15. 5.12 Direct Testing The number of substantive tests necessary under Direct Testing will be higher than under the SBA approach! 15
- 16. 5.13 Because if Control Risk is: HIGH => More substantive tests needed LOW => Not so many substantive tests needed MODERATE => Number of substantive tests can be reduced 16
- 17. 5.14 What are steps of SBA? Steps audit of system •Understanding the business •Evaluating Internal control system •Testing Internal control system Steps of testing transactions and account balances •Analytical procedures •Test of transactions •Test of account details 17
- 18. 5.14 Testing of systems Activities •What are the risks? •What are the measures? (design) Gaps? •Do the measures exist (practice) Gaps? •Do the measures function? (practice) Breaches Errors 18
- 19. QUESTIONS? 19