Operational Auditing, Spring 2010, Professor Bill O’Brien

Post on 21-Dec-2015

Frameworks

- Internal control
  - IC-Integrated Framework (COSO)
  - Guidance on Controls (CoCo)
  - Internal Control Guidance (Turnbull)
- Enterprise risk management
  - Australian/New Zealand Std. Risk Mgt.
  - ERM-Integrated Framework (COSO)

COSO

- Committee of Sponsoring Organizations
  - AICPA, IIA, IMA, FEI, AAA
  - Treadway Commission
  - 1992 I/C; 2004 ERM
- Control Objectives
  - Compliance with laws and regulations
  - Reliability of financial reporting
  - Effectiveness & efficiency of operations

Components of I/C

- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring

Threats to Control

- Management override
- Open access to assets
- Form over substance approach
- Conflict of interest

Balancing Risk and Control

- Too much risk
  - Loss of assets
  - Poor decision making
  - Potential non-compliance
  - Potential for fraud
- Too much control
  - Increased bureaucracy
  - Excess costs
  - Excess cycle-time
  - Increase in non-value added effort

Control Activities

- Segregation of duties
- Performance reviews
- Approvals
- IT access
- Documentation
- Physical access
- IT applications
- Independent verifications & reconciliations

IIA and Control

IIA control objectives: S-C-O-R-E

- Safeguarding of assets
- Compliance with laws and regulations
- Objective and goal achievement
- Reliability & integrity of information
- Economical & efficient use of assets

Control Self Assessment (CSA)

- Methodology
- Review and Identification
  - Key business objectives
  - Related risks
  - Mitigating controls

CSA-History

- Introduced by Gulf Canada in 1987
- Gulf used facilitated meetings

Facilitated Meetings

- Management and staff participate through interviews and polling
  - Objectives
  - Risks
  - Processes
  - Soft and/or informal controls

General Methodology

- Shared process
- Assessment of internal controls
- Evaluation of risks
- Development of action plans
- Assess the likelihood of achieving objectives
- SJSU simulation

General Approaches

- Facilitated meetings: group workshops
- Questionnaires: yes/no answers
- Management analysis: self studies

Uses

- Self analysis for risk*
- Selection of audit areas*
- Internal control review*
- Special projects
- Soft control analysis

* alternatives to the traditional approach to the I/A process

Benefits

- Increases I/A scope
- Target review of high risk areas
- Increases the effectiveness of corrective action
- Builds team-oriented relationships

Engagement Process

- Planning:
  - Selecting the BPO
  - Pre-site planning
- Performing:
  - Conducting the preliminary survey
  - Review internal controls
  - Expanding tests as necessary
  - Generating findings
- Communicating:
  - Reporting the results
  - Conducting follow-up
  - Assessing the process

Audit Evidence

- Healthy skepticism
- Attributes
  - Relevant: consistent with objectives
  - Reliable: credible
  - Sufficient: convincing

Generalized Audit Software (GAS)

- Two most popular applications
  - ACL (ACL)
  - IDEA (CaseWare)
- Typical uses
  - File examination
  - Recalculations
  - Sample selection
  - File comparison
  - Reformatting
  - Pivot tables
  - Benford’s Law analysis
  - Reporting
  - Data analysis log

GAS, continued

- Benefits
  - Minimizes customization
  - Independent of company IT
  - Efficient
  - Facilitates 100% testing
  - Frees BPP for analytical work
- Obstacles
  - Data access
  - Physical access
  - Format knowledge
  - Downloading issues to BPP’s computer
  - Importing data in usable format

Workpaper Usage

- Planning and execution
- Supervision and review
- Objective tracking
- Conclusion support
- Supports quality assurance
- Professional development
- IIA standards’ compliance

Workpaper Guidelines

- Cross-referencing system
- Consistent layouts
- Standardized symbols or “tick marks”
- Standardization for permanent files
- Unique indexing
- Description of purpose
- Initialed by preparer and reviewer
- Source of information indicated
- Clear explanations of symbols
- Legibly written and easy to understand
- Must stand alone
- Must relate to the engagement objectives

Sample Work Paper

Layout fields: Heading, Ref., Review, T/M Legend, Source, Purpose, Conclusions
