A Hand Book On Internal Audit - Rajkumar S. Adukia
4.1 Field survey
4.2 Audit programme
4.3 Audit procedures
4.4 Audit sampling
4.5 Sample selection Techniques
4.6 Audit Tests
4.7 Specimen letters
4.1 Field survey
This is a very critical step, as it allows the auditor to determine the scope and extent of the audit effort. It is done in advance of detailed testing and analysis work. The auditors can familiarise themselves with the system and control structure. Typically the audit team would consider:
· The organisational structure and the responsibilities of key members.
· Manuals of policies and procedures and applicable regulations.
· Management reports and minutes of meeting.
· Walkthrough of activity
· Discussions with key personnel
The field survey is the initial contact point and might take one or two days depending on the size of the audit. Flowcharts should be prepared for the major activities, processes, procedures and internal control points. The auditor might have prepared flowcharts during an earlier review or the organisation may have internal flowcharts. The auditor will have to determine that they are updated. Flowcharts are explained here as part of field survey but they can be used as an audit procedure too.
Flowcharts show the relationship between different operational elements and also identify the key control attributes--those attributes that achieve control objectives. This can efficiently point out cases of under/over control and processing redundancy.
4.1.2 Flowcharting Guidelines:
1. Necessary information for flowcharting is to be gathered from:
· interviewing personnel about procedures followed,
· reviewing procedure manuals,
· existing flowcharts,
· other system documentation.
Available documents and manuals are collected and personnel concerned are questioned about their specific duties. Inquiries can be made concurrently with the performance of transaction reviews, particularly when flow charts are being updated.
2. Clarity and simplicity in presentation are essential. Too much detail would obscure the key points. Complex controls can be explained in an attached narration in brief.
3. Only transactions/documents with control significance should be shown (i.e., control over authorization, recording, safeguarding, reconciliation, and valuation). Include only those activities within an application where data is initialized, changed, or transferred to other departments. The name(s) and position(s) of the people performing the transactions should be indicated for each action.
The completion of the field survey helps the auditor to understand key systems and processes. If the information obtained during preliminary audit planning is imperfect, the audit team can make adjustments to the planned audit scope.
4.2 Audit programme
After the conclusion of the preliminary survey, the auditor has a fair idea of the audit objectives and the control systems. At this stage the audit programme should be made, providing the proposed procedures, budgeting and basis for controlling the audit. It outlines the steps to achieve the objectives of the audit within the defined scope. The audit programme will prevent the auditor from going off the scope in pursuit of irrelevant items and help in completing the audit project in an efficient manner.
4.2.1 Things to be considered while preparing audit programme
· Needs of potential users of the audit report.
· Legal and regulatory requirements
· Management controls
· Significant findings and recommendations from previous audits that could affect the current audit objectives. Also determine whether corrective action has been taken and earlier recommendations implemented.
· Potential sources of data that could be used as audit evidence and consider the validity and reliability of these data.
· Consider whether the work of other auditors and experts may be used to satisfy some of the audit objectives.
· Provide sufficient staff and other resources to do the audit
· Criteria for evaluating areas under audit.
4.2.2 Framing the programme:
· Review the results of preliminary survey with audit supervisor
· The audit team holds a meeting with the audit supervisor to decide on the priority / high risk areas and tests to be conducted.
· Provide a general overview of the auditee's operations. Include in the narrative statistical and monetary information, locations, authority, staffing and main duties and responsibilities.
· The programme should consist of detailed directions for carrying out the assignment. For each segment of the audit the programme should (1) state the risks that must be covered in that segment; (2) state the controls that exist or that are needed to protect against the indicated risk; (3) state the work steps required to test the effectiveness of those controls, or set forth the recommendations that will be required to install needed controls; and (4) provide space for referencing the related audit work papers.
· Prepare draft audit programme and document transaction flows.
· Audit programmes should be consistent. Some organisations may have standardised audit programmes.
· It should contain an estimate of the time necessary to complete the project
· Number the audit programme steps consecutively.
· Have the final programme reviewed by Audit supervisor and Audit manager.
· All major changes must be documented in writing and the reason documented.
· A well constructed programme provides:
§ Plan for each phase of the work that can be communicated to all audit personnel concerned
§ A means of self control for the audit staff assigned
§ A means by which the audit supervisor/manager can review and compare performance with approved plans
§ Assistance in training inexperienced staff members and acquainting them with the scope, objectives, and work steps of an audit.
§ Assistance in familiarizing successive audit staff with the nature of work previously carried out.
· The audit programme should contain a statement of the objectives of the area being reviewed. These objectives would be achieved through the detailed audit programme procedure. Objectives should fit within the overall scope of the audit.
· Every audit procedure should help answer one of the objectives and every objective should be addressed in the procedures or steps.
· The tests have to be designed in such a manner that they achieve their objectives. Use imagination, ingenuity and intelligence in creating audit steps responsive to objectives.
· The goals should be made amply clear by prefacing major steps with "to test whether ..." or "to determine that ...".
4.2.3 Time Budget
· At the planning phase an estimated time budget should be prepared to control the audit and complete it efficiently. The detailed project time budget should be completed at the conclusion of the preliminary review.
· The time budget should be approved by the audit manager and audit administration. This budget will include all time necessary to complete the audit, from assignment through issuance of the final report.
· A portion of the budgeted time should be allocated to planning. Adequate planning is essential for an effective audit. However, care should be taken that not too much time is spent on that activity.
· The time budget should be broken down into the following general categories:
§ Planning - initial planning, preliminary survey, audit programme
§ Fieldwork - allocated to the various segments of the audit project
§ Audit report and wrap-up - audit manager's review, quality assurance review, report writing and editing, report review, auditee's review, exit conference, etc.
· Preparation and Approval - The project time budget should be prepared by the audit manager and approved by audit administration
· Any revisions to the project time budget should be discussed with audit administration at the earliest and, when approved by audit administration, documented.
Planning should continue throughout the audit. Audit objectives, scope, and methodologies are not determined in isolation. They have to be determined together, as the considerations in determining each often overlap.
4.2.4 Audit Evidence
Evidential matter obtained during the course of the audit provides the documented basis for the auditor's opinions, findings, and recommendations as expressed in the audit report.
A. Types of audit evidence
Evidence may be categorized as physical, documentary, testimonial, and analytical.
a. Physical evidence is obtained by auditors' direct inspection or observation of people, assets, or events. Such evidence may be documented in memoranda, photographs, charts, or physical samples.
b. Documentary evidence consists of created information that may be internally or externally generated. Some examples are letters, contracts, accounting records, invoices, and management reports.
c. Testimonial evidence is obtained through inquiries, interviews, or questionnaires.
d. Analytical evidence includes computations, comparisons, and rational arguments.
4.2.5 Test of Evidence
Internal auditors are obligated by professional standards to collect sufficient, competent, relevant, and useful information to provide a sound basis for audit findings and recommendations.
Evidence is sufficient if there is enough of it to support the auditors' findings. It would also be sufficient if it can persuade a reasonable person of the validity of the findings. When appropriate, statistical methods may be used to establish sufficiency.
Evidence used to support a finding is relevant if it has a logical, sensible relationship to that finding.
Evidence is competent to the extent that it is consistent with fact (that is, evidence is competent if it is valid). Auditors should get written representations from the officials of the auditee on the evidence provided. Written representations ordinarily confirm oral representations given to auditors, indicate and document the continuing appropriateness of such representations, and reduce the possibility of misunderstanding. Given below are some presumptions for judging reliability and competency of evidence. They would usually hold true but they might not be valid in all cases.
a. Evidence obtained from a credible third party is more reliable than that secured from the auditee.
b. Evidence developed under an effective system of management controls is more competent than that obtained where such controls are weak or nonexistent.
c. Evidence obtained by the auditors themselves through direct physical examination, observation, computation, and inspection is more competent than evidence obtained indirectly.
d. Original documents provide more competent evidence than copies.
e. Person providing the evidence: Information obtained from a person having knowledge of the area would be more reliable.
f. Objective evidence would be more reliable than evidence which requires judgment.
The sufficiency, competence and relevance of evidence depend on the source of information. This would include data collected by the auditee, a third party or the auditor.
Data gathered by auditors: This would include auditors' own observations and information collected through interviews, questionnaires, surveys and calculations. The design of these methods and the skill of the auditors applying them are the keys to ensuring that these data constitute sufficient, competent, and relevant evidence.
Data gathered by the auditee: When data gathered by the auditee is used as evidence, the auditor has to test the reliability and validity of the data. If the entity's internal control systems test the data for accuracy and validity, then the auditor needs to check whether the internal controls are functioning. The nature and extent of testing of the data will depend on the significance of the data to support the auditors' findings. In case the auditor is not satisfied for any reason, the auditor may:
- seek evidence from other sources
- use the data and indicate the limitations.
Data gathered by third parties: Evidence may also be received from third parties. In most cases the auditor will not get a chance to test its validity and accuracy.
Data from computer based information systems: Auditors have to determine the accuracy and reliability of data from computer based systems either by testing the data or by testing the effectiveness of general and application controls over computer-processed data, where these tests support the conclusion that the controls are effective.
4.3 Audit procedures
Programme step procedures should be in enough detail so that an experienced auditor could carry out the task with normal supervision. An audit causes disruption and interruptions in the day-to-day operations of an enterprise, and it is advisable that the auditors provide a tentative schedule of the planned audit work (unless it is a surprise audit). Documentation should be kept for each step, generally in the form of working papers. Preparation and organisation of working papers have been dealt with in a separate chapter.
4.3.1 Review and Evaluation of Internal Control Environment:
The auditor will have to review the internal control structure. The effectiveness and efficiency of the internal control will determine the extent of tests to be performed. This evaluation will also provide assurance on whether the systems are functioning properly. The auditor should provide for tests in the audit programme, which could be in the form of interviews, internal control questionnaires, checklists and audit tests. Discussion of the control procedures will help in determining the adopted control procedures and plan of organisation. The auditor can also observe the processes and use electronic data processing methods if required. The study and evaluation should be properly documented.
Matters to be considered while evaluating internal controls
- Identification of risks
- Internal control structure put in place to prevent, detect, correct undesired events
- Whether the control structure is functioning as desired
- Identification of weaknesses in the structure and their effect on auditing procedures.
4.3.2 Procedures to evaluate internal controls:
- Description of system of internal control
- Flowcharts: flowcharts visually aid in understanding the relationship between operational elements. They identify key control attributes and point out areas of under/over control.
- Internal Control Questionnaires – The questionnaires are designed for the officials of the auditee. Responses would indicate areas of potential control weakness. The auditors will then have to determine whether there are other controls to offset a weakness in one control. Many audit functions have standardised questionnaires for specific departments that may be modified by the audit supervisor if the need arises.
- Tests of compliance are performed to obtain sufficient evidence that the system is operating in accordance with the understanding the auditor obtained from the review. The auditor usually tests whether policies, procedures and practices are indeed in place and functioning. The nature, timing, and extent of tests of compliance are closely related to the control procedures and methods studied by the auditor.
4.4 Audit sampling