operational auditing--fall 2010 1 operational auditing fall 2010 professor bill o’brien

Operational Auditing--Fall 2010 1

Operational Auditing

Fall 2010

Professor Bill O’Brien

Operational Auditing--Fall 2010 5-2

Workpaper Usage

Planning and execution Supervision and review Objective tracking Conclusion support Supports quality assurance Professional development IIA standards’ compliance


Workpaper Guidelines Cross-referencing system Consistent layouts Standardized symbols or “tick marks” Standardization for permanent files Unique indexing Description of purpose Initialed by preparer and reviewer Source of information indicated Clear explanations of symbols Legibly written and easy to understand Must stand alone Must relate to the engagement objectives


Sample Work Paper

Heading Ref.

Review

T/M Legend:

Source

Purpose:

Conclusions


Generalized Audit Software (GAS)

Two most popular applications ACL (ACL) IDEA (CaseWare)

Typical uses File examination Recalculations Sample selection File comparison Reformatting Pivot tables Benford’s Law analysis Reporting Data analysis log


GAS, continued Benefits

Minimizes customization Independent of company IT Efficient Facilitates 100% testing Frees BPP for analytical work

Obstacles Data access Physical access Format knowledge Downloading issues to BPP’s computer Importing data in usable format


Control Self Assessment (CSA)

Methodology Review and Identification

Key business objectives Related risks Mitigating controls


CSA-History

Introduced by Gulf Canada in 1987 Gulf used facilitated meetings


Facilitated Meetings

Management and staff participate through interviews and polling

Objectives Risks Processes Soft and/or informal controls


General Methodology

Shared process Assessment of internal controls Evaluation of risks Development of action plans Assess the likelihood of achieving objectives SJSU simulation


General Approaches

Facilitated meetings--group workshops Questionnaires--yes/no answers Management analysis--self studies


Uses

Self analysis for risk* Selection of audit areas* Internal control review* Special projects Soft control analysis

* alternatives to the traditional approach to the I/A process


Benefits

Increases I/A scope Target review of high risk areas Increases the effectiveness of corrective action Builds team-oriented relationships


Engagement Process Planning:

Selecting the BPO Pre-site planning

Performing: Conducting the preliminary survey Review internal controls Expanding tests as necessary Generating findings

Communicating: Reporting the results Conducting follow-up Assessing the process


Audit Evidence

Healthy skepticism Attributes

Relevant: consistent with objectives Reliable: credible Sufficient: convincing


Business Processes

Basic entity for I/A services Understanding business processes is key


Process Documentation

Flow charts

Storyboarding

Identifying business risks What gets in the way of objective achievement


FlowchartingBegin or End

File

Decide

Document

Activity


What Is Storyboard Flowcharting?

New method for documenting a process. Clean and simple flowcharting method. Allows for clients and auditors to clearly understand

process under review. Simple technique that requires a good graphics

package and a little imagination. Can use Microsoft PowerPoint, Harvard Graphics,

Corel Draw, etc. Does not replace IS flowcharting.


The Basics of Storyboard

Meet with client and document process. Use your imagination to choose/draw picture. Under picture write narrative for each step represented. Be creative - good control narrative in green; poor controls in red. Completed storyboard must be reviewed with client. Make any changes necessary. Final copy should be in color for most effective presentation. Different process may require different approach.


How to Storyboard

• Meet with client and document process.

• From client interview create storyboard.

A

A

• Print out story board - black and white draft and color for final.

• Review storyboard with client and obtain sign off.


Start

Customer Service

Rep ReceivesOrder

Scan Form IntoSystem

Shipping FilesYellow

Customer ServiceRep ResearchesAnd CorrectsInformation

Shipping Pulls And

Packs Orders

End

By Phone?

By Mail or Fax?

On StandardOrder Form?

Shipping SendsOrder and Green

Copy (Invoice)

Customer Service Rep.Key Enters

Data on-Line

ApprovedBy Manager?

Send to SpecialOrder

Department

Print Three-Part

Shipper

Yellow and GreenTo ShippingDepartment

Pink to AccountsReceivable

Department

YES

YES YES

NO

NO

YES

Company XYZOrder-fulfillment process

NO


A

A

Customer Representative

Receives orders by faxor mail.

Receives orders by phone.

Standard orders arescanned into system.

Customer Representativeenters order data on-line.

A three-part packing slip is printed per order.

Pink copy sent toaccounts receivabledepartment.

Company XYZOrder-fulfillment process

Packing slip approved by Manager.If not approved, returnedto Customer Representativefor correction

Packing slip

Yellow and green copy go to shipping department.Shipping pulls andpacks orders.

Yellow copy filed inshipping department.

Green copy sentwith order.


Mapping Risk to Processes

Identify risks Link risks to the processes Evaluate risks in terms of likelihood and impact

(exposure) Determine risk responses

Avoidance, reduction, sharing, acceptance

operational auditing--fall 2010 1 operational auditing fall 2010 professor bill o’brien

Documents

n efficient n

n gulf

continued n benefits

testing n

necessary n

followup n

findings n

results n