Risk based internal auditing
Audit Manual
David Griffiths PhD FCA
www.internalaudit.biz
Version 3.0
Introduction to www.internalaudit.biz
Welcome to risk based internal auditing (RBIA). The aim of this website, and the
books and spreadsheets available from it, is to push out the boundaries of internal
auditing by providing practical ideas on implementing (risk based) internal auditing.
These ideas are not meant to represent ‘best p
There are four books with associated spreadsheets:
1. Book 1: Risk based internal auditing - an introduction. This introduces risk-based principles and details the implementation of risk based auditing for a small charity providing famine relief, as an example. It includes example working papers.
2. Book 2: Compilation of a risk and audit universe. Book 2 aims to show you how to assemble a Risk and Audit Universe (RAU) for a typical company and extract audit programs from it. The audit program in this book (4) is based on the accounts payable audit from the RAU in Book 2.
3. Book 3: Three views on implementation. Looks at the implementation of risk based internal auditing from three points of view: the board; the Chief Audit Executive (CAE); internal audit staff.
4. Book 4: Audit Manual (this book). The manual provides ideas about how to carry out a risk based internal audit of accounts payable. It is based around the actual working papers, similar to those in the audit from Book 1.
Please remember when reading the book and the spreadsheets that they are only
presenting simplified examples. In practice there would be many more objectives,
risks and controls than I have listed. It is your responsibility to take the ideas you like
and adapt them for your organization. Please don't blindly copy them.
Finally, Risk based internal auditing by David Griffiths is licensed under a Creative
Commons Attribution-NonCommercial 3.0 Unported License. I don’t mind you
parts of it, provided you quote this source. It should not be used to promote any
product or service, without my permission. I do mind you making money out of it,
unless I get some!
Many thanks and happy reading…
David M Griffiths Ph.D. F.C.A.
© D M Griffiths www.internalaudit.biz 1
RBIA - Manual - Introduction
Introduction
Purpose of this manual
This is the manual which details the standards to be adopted during the audit
process. It corresponds to the Institute of In
the Professional Practices Framework as applied to the individual audit.
• But – no-one reads a manual. Instead, they find out what to do by looking at the files from the previous audit, or any similar audit!
• But – suppose that file, and the audit work, cou
build on imperfect work.
So why not create an example file to show the way an audit should be done and documented – this is it.
So the purpose of the file is to:
• Provide guidance on the conduct of an audit, and the documentation required, in order to ensure consistent quality in our work.
• Use as a basis for training new staff.
When this manual should be used
• For all audits and projects (systems developments) where possible.
• During the reviews, to set the standard to judge audit work against.
• For training new staff.
• For reference at any time.
It is for guidance only. The underlying principle is to create a file which clearly shows:
• How the opinions in any report, or letter, have been reached.
• That sufficient work has been done to reach these opinions.
Structure of the manual
Prior to the use of computers, an audit manual would have been a file of papers split up into sections such as Scope, Test etc. The use of computers has resulted in a variety of methods to record audits, from specific applications to word processors, spreadsheets and databases. Book 1 (RBIA - Introduction) has example working papers based around a spreadsheet with hyperlinks to the audit documents in Word.
The audit details for this manual are similarly recorded in a spreadsheet (Excel), with a word processor (Word) used for documents such as the Scope and Audit Report. However, the documents are included in this manual, not as separate files.
This manual retains the structure of a paper file and incorporates the Word documents and excerpts from the spreadsheet, since it is easier to include the instructions in this format. The file is referenced as if it were a paper file.
How to use the manual
• The manual is an example file, with all the typical documents expected from an audit shown on the right hand side page. On the opposite page are the performance standards applying to the document.
• Thus the instructions (how to audit) are on the left page and the audit file (the example) is on the right. I’ve tried to diffe
different headers and fonts.
• The instructions are split into sections, which have a standard format:
  - Output of process – what document the process produces.
  - Standards – what the document should contain.
  - Work plan for achieving output – how to produce the document.
  - Advice for achieving output – hints to make life easier.
• I recommend the manual is viewed in Adobe Acrobat in order to preserve the formatting:
  - It should be viewed as two pages (View/Page display/Two page view).
  - Tick 'Show cover page in two page view' (View/Page display/).
• If the manual is to be printed, it must be double-sided. Dividers should be inserted before each section.
The example manual
• The manual is intended to provide guidance on carrying out a risk based internal audit. It aligns with the Performance Standards of the International Standards for the Professional Practice of Internal Auditing (Standards) (known as the IPPF) issued by the Institute of Internal Auditors. Numbers in brackets, like (2330), refer to paragraph numbers in the IPPF.
• This manual is not intended to cover the Attribute Standards (internal audit charter, independence etc.) of the IPPF.
• The manual is presented in the form of an actual manual for a fictitious retail organization. No connection with any actual organization is intended or implied.
• The processes documented in this example manual are based on a computerized accounts payable application. I have chosen accounts payable because the objectives and risks are similar across all organizations. However, it should be possible to use this example as the basis for any audit: strategic, financial, operational or compliance.
• The audit has been taken from the company's Risk and Audit Universe developed in Book 2 - Compiling a risk and audit universe.
• The AP application is extensive and I have not documented the entire system since it would be time-consuming and irrelevant to many readers. It is your responsibility to fully understand your processes before auditing them.
• The manual needs to be read in conjunction with the spreadsheet file downloadable from www.internalaudit.biz (https://www.internalaudit.biz/files/manual/rbiamanual.xlsx).
• An internal audit involves:
  - Establishing the risk maturity of the processes and functions which deliver the objectives.
  - Based on the risk maturity, carrying out sufficient testing to form an opinion on the likely achievement of these objectives.
The objectives, risks and controls, plus the processes and functions which deliver them, form an 'audit universe' specific to the audit being carried out. I refer to this audit universe in this manual as the 'audit area'.
• This example file differs from an actual version in that:
  - The spreadsheet would be used as the basis of the audit, with word processed files referenced from it. The working paper example with Book 1 shows this.
  - Not all processes and tests are documented in this manual and the accompanying spreadsheet. This manual only shows examples.
  - All pages are numbered in this manual – this is to make assembling the manual easier.
  - The audit file pages are filed chronologically, that is, the most recent last in the file section. In practice some documents might be filed with the most recent on top, since this is the latest version.
  - Where there would be many documents, such as meeting notes or test details, only a sample is included.
  - Draft documents are included, to show the audit process in full. In practice some organizations may decide not to do this. I favor keeping important drafts, such as reports, as the reviewers may wish to see how issues were resolved.
  - Where the term 'document' is used, this may refer to a worksheet in a spreadsheet or a word-processed document.
• Responses are required to bring risks down to an acceptable level (the 'risk appetite'). These responses are usually considered as (see Book 1):
  - Terminate the risk
  - Transfer the risk (for example: insure)
  - Tolerate the risk
  - Treat the risk (set up internal controls)
For clarity, I refer to all these responses as 'internal controls'.
• Although the spreadsheet includes COSO attributes in the Objectives, Risks and Controls Register (ORCR) at the end, I haven't incorporated these into the example. Maybe later… Or you can do it.
• I have used U.S. English as the spelling standard, since most browsers accessing www.internalaudit.biz are set to this.
Copyright
• Risk based internal auditing - the Manual by David Griffiths is licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License. You may copy and amend it for the purposes of your organization but not sell it. You should refer to www.internalaudit.biz in your manual.
• Some parts of this manual refer to the Institute of Internal Auditors Standards and the numbers in brackets refer to the relevant standard. Copyright of the IIA is acknowledged. The Institute does not endorse this document in any way.
Amending the manual
• When you change this document remember that “
of each page. If you exceed a page length you will need to insert two section breaks to bring the pages into line. I suggest you amend the document with returns and page breaks switched on in the 'Home/Paragraph' menu. You may also need to alter the headers to switch off “Same as previous”.
• The manual is formatted for European A4 size paper. If you use a different size paper, I would suggest you amend the document with paper size set to A4 and save the document as a pdf before circulating or printing it.
Insert a file divider after this page
Internal Audit
File index
Audit: 205 Date of document: dd-mmm-yyyy 7
RBIA - Manual - File index
File index - Paper file
Output of process
• Index showing the sections of the audit file.
Standards for the structure of a paper file
• This structure is for guidance only; the sections actually used will depend on the audit documents to be filed.
• Each section should consist of no more than approximately 20 documents.
• Sections should be arranged such that documents are easy to find.
• Each section should be preceded by a labeled divider.
• All pages should be referenced in red on the top right of each page (the reference number is the letter and numbers in the red box).
Work plan for achieving structure
• Set up sections at the start of an audit, so that documents can be filed as they are obtained, but be prepared to set up new sections if some get too large.
Advice for achieving structure
• If you need to insert more documents after referencing, use letters, for example “D3a”.
File index - Computer file
Output of process
• Computer worksheets file with spreadsheets for each section. See section M for more details.
Standards for the structure of a computer file
• Each audit should have a directory, named using the unique identifier of the audit (the audit number, for example).
• Set up sub-directories as necessary for planning, meetings, scope, testing (including the ORCR) and reporting.
• The appropriate spreadsheet workbooks should be hyperlinked to the word processed files.
• Word processed files (such as the report) should have names which include the audit identifier, for example 205draftreport.docx.
Work plan for achieving structure
• Set up directories at the start of an audit, so that documents can be filed as they are obtained, but be prepared to set up new sections if some get too large.
Advice for achieving structure
• It may be necessary to scan copies of documents which need to be retained for the record, such as invoices, or to maintain a paper file.
Internal Audit
File index
Audit title: Accounts Payable | Audit No.: 205
Audit group: AP | Dates: Jan 20X1 | Personnel: M Davis, F Sawyer
Contents | Section
Audit management | A
Background Information and notes | B
Scope | C
Meeting notes | D
Risk maturity | E
Objectives, Risks and Controls Register | F
Testing controls | G
Deficiencies | H
Draft report and comments | I
Final report | J
Quality control | K
Follow up work | L
Computer files | M
Version Control
Insert a file divider after this page
Internal Audit A
A – Audit management
RBIA - Manual - A Audit management
Section index A – Audit management
Purpose of section A
• This section holds the documents which show how the audit was managed and how it delivered the work outlined in the scope.
Standards for section A
• All important matters affecting the operation of the audit should be included, for example, changes to staff, reasons for delays, changes to the scope and the action taken if serious issues (such as fraud) were found.
Work plan for achieving section A
• This section should be updated throughout the audit.
Internal Audit A
Section index A – Audit Management
Accounts Payable
Contents Ref
Milestones A1
Outline plan A2
Diaries A3
Back to File Index
A - Milestones
Output of process
• A document (or worksheet) showing targets for completing the main stages of an audit, and the dates actually achieved.
• A record of the authorizing of the scope and report.
Standards for output
• Dates included in the scope, and other documents sent to auditees, should be noted as target dates. The most important date is that of the final report circulation.
• Approval signatures for the scope and report should be included.
• Target dates should be realistic. If it is obvious they will not be achieved, the CAE must agree new dates and the auditee must be informed.
Work plan for achieving output
• Set up the document when the audit is included on the quarterly plan and staff are assigned.
• This document should be updated at each review meeting.
• The appraisal process should include a review of target and achieved dates.
Advice for achieving output
• Don’t be too optimistic on dates.
• Complete it with reference to the Outline Plan.
Internal Audit A1
A Milestones
Accounts payable
Milestones Resp Target Achieved
Set up audit on quarterly plan CAE 1-Nov-X0 2-Nov-X0
Set up computer directories Auditor 16-Dec-X0 16-Dec-X0
Set up meetings Auditor 16-Dec-X0 16-Dec-X0
Issue draft scope Auditor 17-Dec-X0 18-Dec-X0
Final scope signed off (authorizing signature: P Jones) CAE 12-Jan-X1 12-Jan-X1
Final scope issued Auditor 13-Jan-X1 13-Jan-X1
Risk maturity confirmed Auditor 2-Feb-X1 2-Feb-X1
Processes mapped Auditor 3-Feb-X1 3-Feb-X1
Inherent risks agreed Auditor 4-Feb-X1 5-Feb-X1
Controls tested Auditor 12-Feb-X1 12-Feb-X1
Residual risks scored and agreed Auditor 12-Feb-X1 12-Feb-X1
Deficiencies entered into the database Auditor 13-Feb-X1 13-Feb-X1
Mid-audit file review CAE 16-Feb-X1 17-Feb-X1
Deficiencies agreed with business Auditor 19-Feb-X1 19-Feb-X1
Draft report issued Auditor 20-Feb-X1 23-Feb-X1
Final report signed off (authorizing signature: P Jones) CAE 5-Mar-X1 8-Mar-X1
Final report circulated Auditor 8-Mar-X1 8-Mar-X1
(COSO deficiencies report completed) Auditor 8-Mar-X1 8-Mar-X1
End audit file review CAE 12-Mar-X1 12-Mar-X1
All staff appraised CAE 18-Mar-X1 19-Mar-X1
Paper files stored in archives Auditor 19-Mar-X1 19-Mar-X1
Feedback to be obtained from: date
Accounts Payable Manager (Mike Khan) 15-Mar-X1
Head of Accounting Services (Anita Smith) 16-Mar-X1
Other Comments:
A - Outline plan
Output of process
• A plan showing, for each person involved, their work on this audit and other commitments during the period.
• The full plan is in the worksheet: A Audit Timetable.
Standards for output
• The period planned should cover the audit from the initial meeting to the issue of the final report.
• Show all staff affecting the progress of the audit, including the CAE and any auditee staff who are important to the progress of the audit.
Work plan for achieving output
• Start the plan at least three months before the start of fieldwork, earlier if managers and staff have full diaries, or if the audit involves complex travel arrangements and vaccinations.
• Draw up a table, or spreadsheet, showing dates.
• Determine availability of everyone involved – particularly absences from the office.
• Put details in the plan.
• Complete the “Milestones” schedule from the p
Advice for achieving output
• Where managers have full diaries, book meetings at this stage.
• Only include major time commitments which last at least a day (for example, holidays), not individual meetings.
Internal Audit A2
A - Outline plan
Columns: Date, Day, M Davis, F Sawyer, P Jones (CAE)
15-Dec-X0 Monday 205 Briefing from CAE
16-Dec-X0 Tuesday 205 Set up files/scope
17-Dec-X0 Wednesday 205 Issue draft scope
18-Dec-X0 Thursday 204 Testing 200 Testing
19-Dec-X0 Friday 204 Testing 200 Testing
05-Jan-X1 Monday 204 Testing 200 Testing Holiday
06-Jan-X1 Tuesday 205 Scope meeting Holiday
07-Jan-X1 Wednesday 205 Amend scope Holiday
08-Jan-X1 Thursday 204 Testing 200 Testing Holiday
09-Jan-X1 Friday 204 Testing 200 Testing Holiday
12-Jan-X1 Monday 205 CAE approves scope
13-Jan-X1 Tuesday 205 Issue final scope
14-Jan-X1 Wednesday 204 Testing 200 Testing Out of office
15-Jan-X1 Thursday 204 Testing 200 Testing Out of office
16-Jan-X1 Friday 204 Testing 200 Testing
19-Jan-X1 Monday Holiday Course
20-Jan-X1 Tuesday Holiday Course
21-Jan-X1 Wednesday Holiday Course
22-Jan-X1 Thursday Holiday Course
23-Jan-X1 Friday Holiday Course
26-Jan-X1 Monday 204 Testing 200 Testing
27-Jan-X1 Tuesday 204 Testing 200 Testing
28-Jan-X1 Wednesday 204 Write report 200 Write report
29-Jan-X1 Thursday 204 Write report 200 Write report
30-Jan-X1 Friday 204 Write report 200 Write report
31-Jan-X1 Saturday
1-Feb-X1 Sunday
02-Feb-X1 Monday 205 Testing 205 Testing
03-Feb-X1 Tuesday 205 Testing 205 Testing
04-Feb-X1 Wednesday 205 Testing 205 Testing
05-Feb-X1 Thursday 205 Testing 205 Testing
06-Feb-X1 Friday 205 Testing 205 Testing
A - Diary
Output of process
• A record of significant events, including targets, which occurred during the audit.
• Included in the spreadsheet.
Standards for output
• Records targets and the achievement of these.
• Records failure(s) to meet targets, delays and the reasons for these.
• Records important stages such as the issue of the scope, draft and final reports.
• Records learning points for this, and other, audits.
• Records significant events, especially if possible frauds or major deficiencies are discovered.
Work plan for achieving output
• While the diary does not have to be entered for each day of the audit, it is probably a useful discipline.
• The diary can be used during management reviews to note targets and their achievement.
Advice for achieving output
• One important reason for the diary is that it provides reasons for missing targets, and if your salary depends on meeting targets...
Internal Audit A3
A - Diary (1)
No.: 205 | Title: Accounts Payable | Timing: Q1 20X1
Staff 1: Max Davis | Staff 2: Frank Sawyer | Manager: Pat Jones
Date | Achieved today | Next action | Target date
13 Nov | Briefing from CAE. Audit due early Feb. Booked scope meeting for 6th Jan. | Look at documentation, including Objectives and Risk Register and accounts payable manuals. Prepare draft scope. | 14 Dec
15 Dec | Briefing from CAE. Draft scope agreed with CAE. | Set up directories and documentation. Draft scope to be issued 17 Dec. | 17 Dec
18 Dec | Issued draft scope. (Additional work on audit 203 delayed the issue.) | Prepare for Jan 6 meeting and agenda for Jan 6 meeting. | 6 Jan
6 Jan | Met Head of Accounting Services and AP Manager. | Update draft scope. Obtain approval. Arrange meeting with AP Manager and Supervisors. | Jan 9
Jan 12 | Obtained CAE approval. | Issue final scope. | Jan 13
Jan 13 | Final scope issued. | | Jan 13
Mon Feb 2 | Meeting with AP Manager and Supervisors. Assessment risk maturity. | Write up notes from meeting (Feb 2). Finish assessment risk maturity (Feb 3). | Feb 2 / Feb 3
Feb 3 | Assessment risk maturity. Draw diagrams of functions and processes. Decided on audit approach. | Assess risk scores. Test operation of controls. | Feb 13
Feb 4 | Test operation of controls. Checked invoices with no order. Mostly legal and properly approved but one found for J B Associates. Properly approved but why no order? No report produced. | Follow up JB Associates invoices. | Feb 5
Note that some dates have been omitted from the diary to save space in the manual.
They would be included in the real file.
Internal Audit A4
A - Diary (2)
Date | Achieved today | Next action | Target date
Feb 5 | Pete Cooke wrote an enquiry program to find invoices with no order. Many JB Associates. All addressed to Jim Higson (the budget holder) and signed by him. Checked with Pat Jones. Meeting arranged with COO. | Write up all details. | Feb 6
Feb 6 | Meeting to update Anita and Mike on progress. Meeting with Chief Operations Officer about invoices with no orders. | Write up notes. | Feb 9
Feb 9 | Continued tests. | | Feb 13
Feb 13 | Issues entered into ORCR. Informal meeting with Mike Khan to confirm deficiencies found. | Complete file (16 Feb). Write draft report (20 Feb). | 16 Feb / 20 Feb
Feb 17 | CAE completed file review. (One day late due to her workload.) | Draft report. | 20 Feb
Feb 19 | Deficiencies agreed with business. | Draft report. | 20 Feb
23 Feb | Draft report issued. | Issue final report. | 8 Mar
3 Mar | All comments received. Draft report updated. | Get CAE approval. | 5 Mar
8 Mar | CAE approved final report. (She was not available on 5 Mar.) Final report issued. | AUDIT COMPLETE |
Insert a file divider after this page
Internal Audit B
B Background information
RBIA - Manual - B Background information
Section index B – Background information
Purpose of section B
• The documents which provide details around the processes being audited are filed in this section.
• Used to plan the audit and as a basis for the scope.
Standards for section B
• If this section becomes large, file the papers separately.
• Organize the documents logically, splitting the file if necessary, in order for the reader to be able to find documents quickly.
• Clearly title computer files. Separate into several directories if necessary.
Internal Audit B
B Background information
Accounts payable
Contents Ref
Strategy/Objectives and performance data
Organization chart B2
Summary of system B3
Process hierarchy B4
Budget (computer file only) (not included)
Back to File Index
B - Background information
Output of process
• Documents, pictures, accounts, organization charts and reports which aid understanding of the context of the audit and the risks hindering the objectives of the processes being audited (2310).
• The strategy/objectives for the function(s) concerned.
• Information used in assessing the performance of the function(s).
• The full organization chart is in the spreadsheet: Functions.
Standards for output
• Documents not easily available, or which change with time, should be filed. Examples are organization charts, budgets and accounts.
• Documents may be filed in paper form, or reference made to the location of computer files.
• Lengthy manuals should not be photocopied and filed in this section. Either file a few relevant pages, or obtain a computer version. If the manual is readily available there should be no need to file any copies.
Work plan for achieving output
• At the start of an audit obtain:
  - Organization charts for the departments (functions) concerned
  - Budgets for the departments
  - Any operating manuals
  - Copies of job descriptions and targets
  - Performance data and similar information issued to senior management
• During the audit obtain:
  - Example documents (completed, not blank)
  - Operating instructions people may have prepared for their own use
  - Copies of computer screens
  - Copies of spreadsheets used
Internal Audit B1
B Background information
Accounts payable
Strategy/Objectives and performance data
Long term strategy over the next three years
To improve efficiency and reduce the number of input clerks by 2
Strategy and Targets for this year (in addition to the objective identified for accounts payable)
- Reduce invoices held pending clearance by purchasing by 50%
- Increase the number of invoices cleared for pay/hour of clerical time by 10%
Performance data
- Invoices held pending clearance by Purchasing
- Payments held
- Duplicate payments made
- Invoices cleared for payment per hour of input clerk time
Internal Audit B2
B Background information
Organization chart - Functions
Chief Executive Officer
  Chief Financial Officer (Helen Trent)
    Head of Accounting Services (Anita Smith)
      Warehouse Stock Account Manager
      Store Stock Account Manager
      Bank Accounts Manager
      Accounts Payable Manager (Mike Khan)
        Supplier supervisor (Ann Jones)
        Input Supervisor (Fred Higgs)
        Payments supervisor (Sally Boson)
      Accounts Receivable Manager
        Credit Control Manager
      Fixed Assets Manager
      Payroll Manager
Extract from the organization chart.
The full version is in the spreadsheet for Book 2.
The above version is in the spreadsheet for this book.
Internal Audit D1
Agenda
Accounts Payable
Date & time: January 6 20X1 2:00 p.m. Place: Meeting room 3
Participants: Anita Smith - Head of Accounting Services; Mike Khan - Accounts Payable Manager; Max Lewis (Auditor); Frank Sawyer (Auditor)
Purpose of meeting: To agree the scope of the audit to be carried out in February (attached)
Topics
• Introductions
• Why the audit is being done, what processes it will cover and what it will deliver
• Background to the processes being audited – what are the major risks and controls?
• The audit work plan
• Comments about the proposed scope, including any special considerations
• Information available to assist the audit, including risk registers, process maps, budgets and organization charts
• Key contacts for the audit
• Timescale of the audit
• Next steps
RBIA - Manual - D Meeting notes
Advice for achieving output – the meeting (cont.)
• Introduction
  - Carry out introductions, if necessary.
  - Introduce the agenda, with approximate timings for each of the items.
• Why the audit is being done, what processes it will cover and what it will deliver
  - Remind attendees of the desired output from the meeting. If the meeting is to agree the draft scope, be clear on the information you require to do this (risks they have identified, process maps they have prepared, key contacts, audit timing, special considerations).
  - Ensure everyone understands why the audit is being done.
  - Stress that the audit will not only be looking at risks threatening objectives but also at the identification of opportunities which will benefit the achievement of objectives.
  - Understand what the attendees want to take away from the meeting - it may not be what you want.
  - Take along an example report to demonstrate what it will look like, who will receive it and what possible opinions there will be.
• Background to the processes
  - This is your opportunity to find out the major risks and controls.
• The audit work plan
  - Provide a copy of the ORCR (although attendees should have one), to demonstrate how the audit will be done.
  - Discuss the work plan; do the attendees agree it should enable a proper opinion to be reached?
• Comments from those involved
  - How do people feel about the audit? Worried, thankful, angry? Why do they feel this way?
  - Are there any specific areas the attendees would like us to consider? (But don’t be drawn outside the scope, other tha
scope if necessary).
• Information available
  - Ask for any information (risk registers, organization charts, and process maps) which may help the audit.
• Key contacts
  - Find out who the key contacts are, and any times they are not available.
• Timescale
  - Outline the timetable, asking if it causes any problems and stressing the need to respond promptly to the issue of the draft report.
• Next steps
  - Before closing the meeting, check the agenda to ensure that you have got the output you want.
D – Meeting notes
Output of process
• Document showing the output from a meeting (2330).
Standards for output
• The notes should contain the date, time and place of the meeting, attendees and any apologies for absence.
• Notes should not generally record all the discussions from the meeting, but only the decisions made, action to be taken, by whom and when.
• The date of the next meeting (if any) should be included.
• Circulate the notes to all attendees after the meeting. If appropriate, ask them to confirm they agree with their contents.
Work plan for achieving output
• Ideally, someone other than the chairman of the meeting should take notes.
• At the end of the meeting, confirm the output from the meeting.
Advice for achieving output
• Write, or type, up the notes immediately after the meeting. If you can, book the meeting room for longer than the duration of the meeting and stay to write up the notes.
• The meetings frequently highlight issues. These should be noted immediately on an issues list (H1) which can later be transferred to the ORCR. This list is referenced to the document giving rise to the issue and the document recording the issue for reporting.
Internal Audit D2
Meeting notes
Accounts Payable
Date & time: January 6 2004 2:00 p.m. Place: Meeting room 3
Anita Smith - Head of Accounting Services
Mike Khan - Accounts Payable Manager
Participants:
Max Lewis (Auditor)
Frank Sawyer (Auditor)
Purpose of
To agree the scope of the audit to be carried out in February
meeting:
Introduction
¾ We introduced ourselves and gave a brief description of our experience.
Why the audit is being done, what processes it will cover and
what it will deliver
¾ The audit is a routine audit, identified from the company's Objectives, Risks and
Controls Register (ORCR) as having high risks.
¾ The processes to be covered are outlined in the scope.
¾ Both Anita Smith and Mike Khan were disappointed that we were not including
Merchandising and Purchasing Departments in our audit since they constantly
failed to deal promptly with invoices not matching due to price differences. This
led to constant phone calls and letters from suppliers about late payment. (Noted
on issues H1.) We said that overdue queries would be part of this audit.
Background to the processes
¾ The major opportunities and risks were as noted in the ORCR and the
supplementary ORCR for Accounts Payable.
¾ Prior to our meeting Anita and Mike had examined the ORCR and concluded that
objectives, risks and controls were complete. They liked the inclusion of
opportunities provided by decision making since they need to come up with ideas
to reduce staffing.
¾ During our discussion Anita and Mike confirmed that they understood the
underlying principles of risk management and appreciated the need for it to be
embedded in the procedures of the department. An understanding of risk is
included as part of induction training
¾ Accounts Payable is computerized using the Oracle Financials package. They are
reliant on the general ledger system for account codes, foreign currency rates and
the financial calendar.
Audit: 205 Date of document: dd-mmm-yyyy 61
RBIA - Manual - D Meeting notes
Internal Audit meeting notes - Accounts Payable D3
¾ We confirmed that other audits would cover payment for on-line purchases from
approved suppliers, employee expenses and Company Credit Card Purchases.
The audit work plan
¾ No specific comments about the audit plan.
Comments from those involved
¾ Very glad that the audit is to be held and it will give confidence in the processes
and staff involved.
¾ Mike Khan wants a meeting to be held with him and the supervisors before the
start of the audit, in order to explain the purpose and requirements of the audit.
None of the supervisors have been involved in an audit before and are a little
worried.
Information available
¾ Contact Mike's secretary for organization charts and other information required.
Key contacts
¾ Initial contact will be with the supervisors for routine queries.
¾ Mike wishes to be kept informed of audit progress and to be told immediately if
we find any major deficiencies.
Timescale
¾ The timescale was agreed.
Next steps
¾ We outlined that our next steps would be to produce the final scope, get it agreed
by the CAE and then send it to Anita and Mike.
¾ Anita and Mike confirmed that they would both like to be involved in the close
down meeting.
¾ We confirmed that the CAE would be seeking feedback at the end of the audit.
M Davis and F Sawyer
7 January 20X1
Internal Audit E
Section E - Risk maturity
RBIA - Manual - E Risk maturity
Section index E - Risk maturity
Purpose of section E
¾ To show the work carried out to assess the risk maturity of the functions and
processes involved in the audit.
¾ To conclude on the risk maturity of the functions and processes.
¾ To decide on the audit methodology, based on this conclusion.
Standards for section E
¾ The questionnaire for risk maturity is a worksheet in the spreadsheet.
Internal Audit E
Section E - Risk maturity
Contents Ref
Part of the test schedule for assessing risk maturity E1
E - Risk maturity assessment
Output of process
¾ A completed schedule based on appendix N of Book 1 and modified by a
checklist in the Guide to ISO 31000:2009 for the functions and processes being
audited. Details in Book 1.
¾ The questionnaire has been amended to include the recognition of opportunities.
¾ An opinion on the risk maturity of the functions and processes being audited.
Standards for output
¾ Completion of the schedule, not only for the whole organization but also for each
audit, since the standards set for the organization may not necessarily have been
carried out by each function.
¾ The example schedule is only a guide to the controls expected and the tests to be
carried out. The aim is to ensure the opinion provided is based on sound
evidence and, if necessary, tests may have to be changed to achieve this.
¾ A completed schedule showing:
x The controls required within the functions and processes being audited which
will deliver the risk framework.
x Details of the tests carried out to check the proper operation of the controls.
x Details of the test results, indicating documents examined, and the staff
questioned.
¾ An opinion on the risk maturity attained, against each control.
¾ An overall opinion on the risk maturity of the area being audited.
Work plan for achieving output
¾ For each internal control (aim), identify the actual control (if any) which should be
in operation by using walkthrough tests, examining manuals and questioning
managers and staff.
¾ Devise a test which will check the correct operation of each control. Carry out the
test and note the results on the schedule.
¾ Come to an opinion on which level of risk maturity the test (or absence of control)
proves.
¾ When all the testing has been carried out, come to an overall opinion on the risk
maturity of the functions and processes being audited.
Advice for achieving output
¾ Use additional documents as necessary to provide further details of the tests and
evidence for their operation.
Internal Audit E1
Section E - Risk maturity
Columns: Internal control (aim) | Control within AP | Audit test | Test result | Risk
enabled | Risk managed

Internal control (aim): The organization's objectives are defined
Control within AP: There is an annual meeting of senior management to hear and
discuss the organization's objectives for the next year. The Head of Accounting
Services attends this meeting before having a meeting with her Managers.
Audit test: Checked the organization's objectives have been determined by the board
and have been communicated to all staff, by examining the agendas from all meetings.
Test result: Agendas for the meetings, and notes distributed after the meetings
show all the objectives
Risk enabled / Risk managed: YES

Internal control (aim): The organization's objectives are defined
Control within AP: The Head of Accounting Services and AP Manager meet to determine
the objectives specifically for AP. The results of this meeting are communicated
to all staff
Audit test: Check other objectives and targets are consistent with the
organization's objectives.
Test result: Agendas for the meetings, and notes distributed after the meetings
show all the objectives
Risk enabled / Risk managed: YES

Internal control (aim): Management have been trained to understand what risks are,
and their responsibility for them.
Control within AP: Staff have had risk awareness training
Audit test: Interviewed managers to confirm their understanding of risk and the
extent to which they manage it.
Test result: Head of Accounting Services and AP Manager clearly understood risks
and their responsibility for them (Meeting date: 6 Jan 20X1)
Risk enabled / Risk managed: YES

Internal control (aim): A scoring system for assessing risks has been defined.
Control within AP: Risk Management have issued standards for scoring risks, which
is available on the company intranet
Audit test: Checked the scoring system has been approved, communicated and is used.
Test result: The standards are on the intranet
Risk enabled / Risk managed: YES
The complete risk maturity assessment is in the spreadsheet
Internal Audit F
F Objectives, Risks and Controls Register
RBIA - Manual - F ORCR
Section index F - Objectives, Risks and Controls Register (ORCR)
Purpose of section F
¾ Record the objectives relating to the audit, the opportunities benefiting them, the
risks threatening them and the controls responding to the opportunities/risks,
which will be tested by the audit.
¾ Record the processes which deliver the objectives (from section B).
¾ Record the functions which operate those processes (from section B).
¾ Assess the inherent risk scores.
¾ Conclude on whether objectives, opportunities/risks and controls were identified,
evaluated and managed.
Associated worksheets
¾ ORCR Audit (Objectives, risks, controls register for the audit area)
¾ Key to columns in ORCR
¾ Flowcharts as necessary.
Standards for section F
¾ The ORCR to be completed up to the inherent risk scores and controls.
¾ Relevant flowcharts used to check/determine risks and controls should be
included as worksheets.
¾ The contents of section F will be determined by the level of risk maturity found.
Internal Audit F
Section index F - ORCR
Accounts Payable
Contents Ref
Determination of risks and controls F1
Process - input invoices F2
(Not included) N/A
F - Determination of risks and controls
Output of process
¾ The ORCR audit completed for objectives, opportunities/risks and controls,
including inherent risks scores.
Standards for output
¾ The action required on risks and controls is outlined in the table below:
Risk enabled
Characteristics: Risk management and internal controls fully embedded into the
operations
Internal audit action - risks: Audit risk management processes and use management
assessment of risk as appropriate
Internal audit action - controls: Assume controls are as stated in the ORCR. Check
that they are an adequate response to the risks. Test a small selection of
controls over high inherent risks

Risk managed
Characteristics: Enterprise approach to risk management developed and communicated
Internal audit action - risks: Audit risk management processes and use management
assessment of risk as appropriate
Internal audit action - controls: Assume controls are as stated in the ORCR. Check
that they are an adequate response to the risks. Test controls over high inherent
risks

Risk defined
Characteristics: Strategy and policies in place and communicated. Risk appetite
defined
Internal audit action - risks: Facilitate risk management/liaise with risk
management and use management assessment of risk where appropriate
Internal audit action - controls: Where controls are included in the ORCR check
that they are an adequate response to the risks. Facilitate the determination of
controls required to manage other risks. Test controls over high and medium
inherent risks

Risk aware
Characteristics: Scattered silo based approach to risk management
Internal audit action - risks: Promote enterprise-wide approach to risk management
and rely on audit risk assessment
Internal audit action - controls: Determine the risks and controls necessary by
holding workshops with appropriate managers and staff. Check controls over all
risks considered unacceptable

Risk naïve
Characteristics: No formal approach developed for risk management
Internal audit action - risks: Promote risk management and rely on audit risk
assessment
Internal audit action - controls: Determine the risks and controls necessary by
holding workshops with appropriate managers and staff, otherwise use internal
audit's assessment. Use specialists if necessary. Check controls over all risks
considered unacceptable.
Internal Audit F1
F - ORCR
Objectives, Risks and Controls Register (ORCR) (Extract from spreadsheet).
L3 Objectives | L3 Risks | IRC | IRL | IRS | Internal control | Function | Internal control owner | Process
Data being used to update suppliers using orders is complete and accurate | Supplier data is incorrect | 3 | 5 | 15 | Assistant buyer is responsible for obtaining correct standing data from suppliers, such as bank account, payment terms and address and completing the input form | Merchandising or Purchasing | Assistant Buyer | Accounts Payable - maintain supplier data
Data being used to update suppliers using orders is complete and accurate | Supplier data is input incorrectly | 3 | 5 | 15 | Assistant buyer is responsible for inputting data correctly from the input form | Merchandising or Purchasing | Buyer | Accounts Payable - maintain supplier data
Data being used to update suppliers using orders is complete and accurate | Data supplied is incomplete or not supplied | 3 | 5 | 15 | System checks all required data fields on system are completed | Merchandising or Purchasing | Buyer | Accounts Payable - maintain supplier data
Standards for output (cont)
¾ At the end of this stage of the audit, the ORCR should be complete in the
following columns (2300):
x Objectives of the area being audited.
x Opportunities/Risks benefiting/threatening those objectives.
x Inherent risk scores.
x Controls responding to the risks (including monitoring controls).
x The function affected by a risk and the control owners.
x The process delivering the control.
x A conclusion on management's determination, assessment and response to
the risk.
¾ Certain opportunities/risks should always be considered, depending on the scope
of the audit (2110.A2 and 2120.A1)
x Opportunities from the decision making process.
x Reliability and integrity of financial and operational information.
x Effectiveness and efficiency of operations, including competencies and
contingency.
x Safeguarding of assets, including fraud.
x Compliance with laws, regulations, and contracts.
¾ The list of risks (ORCR) should be reviewed by the CAE, or another, suitably
skilled, person (2240.A1, 2340).
¾ Any issues found, for example incorrect scoring of inherent risks, should be
included on the Issues schedule (section H).
Work plan for achieving output
¾ The work necessary to produce the ORCR will depend on the risk maturity
determined in section E and is outlined in the table on the previous page.
¾ It may be useful to draw up a mindmap of the objectives/risks/controls/tests. An
example is shown in the Excel workbook (F- Mindmap).
¾ The work will vary from:
x Examining the ORCR to check it is complete and the scoring of inherent risks
is consistent with the organization's standards.
x TO
x Compiling the ORCR from a blank spreadsheet workbook.
Work plan for achieving output (cont)
¾ Use flowcharts and walkthrough tests to determine risks arising from the
processes, such as input risks - see the next section (F - Risks in processes).
¾ The methods used to compile an ORCR for an audit are similar to those used to
compile an ORCR for an organization, which is detailed in Books 1 and 2:
x Extract any objectives, opportunities/risks and controls from the organization's
high-level ORCR, if available.
x Confirm the objective(s) with management, including those specific to the
department included in section B.
x Carry out risk workshops to identify the risks.
x Consider the responses required to the risks, including internal controls
x Document the processes in use and determine any additional risks arising
from them.
x Score the risks (see 'Scoring Risks' worksheet).
x Match the responses required to the risks with the internal controls actually in
place. Note any risks with inadequate responses.
x Test the internal controls actually in place (section G).
¾ Risks can be determined by several means (2310).
x ORCRs from the departments involved, if available.
x Risk workshops with people from the departments involved.
x The auditor using their experience and “common sense”.
x “Brainstorming” meetings with colleagues.
x External sources such as web sites, books and magazines covering the
subjects involved.
Advice for achieving output
¾ Even if the risk maturity is considered to be good
x Be alert to the significant risks that might affect objectives, operations, or
resources. However, bear in mind that assurance procedures alone do not
guarantee that all significant risks will be identified (1220.A3).
x Speak to people in the business about their risks. They understand them, and
involving them in the audit gives “buy-in” to your conclusions.
¾ It will only be possible to assess residual risk levels after the controls have been
determined (next stage).
¾ Scoring the consequence and likelihood of inherent risks is not easy, but
remember it doesn’t have to be highly accurate; the aim is to assess the need for
a control to mitigate the risk.
F - Risks in processes
Output of process
¾ Flowcharts whose aim is to highlight the risks threatening the processes being
audited.
¾ They provide details about the inputs, outputs and processes which achieve the
objectives of the area being audited.
¾ Risks from these flowcharts are checked to the ORCR Audit to ensure they have
been included.
Standards for output
¾ The detailed process maps should link with the process hierarchy map (section B),
which links to the organization's overall process map, thus ensuring an audit trail
from the highest to the lowest level processes.
¾ The only processes which should be mapped are those where the audit is
intended to provide an opinion on the controls mitigating the risks which threaten
the processes.
¾ If the processes followed are unclear and/or the objectives are not those of the
company an issue should be raised (2120.A2).
¾ The processes recorded should be reviewed to ensure they are in accordance
with the objectives of the company (2120.A3).
¾ The size and complexity of any map should be minimized. If necessary, several
simple maps should be drawn to achieve this. If necessary have a hierarchy of
maps, with processes in overview maps being referenced to greater detail.
¾ All maps should be cross referenced to show how they fit together.
¾ Risks from the processes should be included beside the map, as illustrated.
Work plan for achieving output
¾ Obtain details of the high level processes (section B).
¾ Obtain the organization chart(s) for the departments who should be operating the
processes.
¾ Meet with the people operating the processes, drawing rough copies of the maps
in the meeting and determine some of the risks associated with the processes.
¾ Draw the maps, preferably using graphics software, or the drawing tools in Excel,
with the risks noted alongside. (See example).
¾ Process maps can be confirmed by following a representative sample of
transactions through the processes, known as a walkthrough test. This involves
selecting documents at the start of a process (for example, a requisition) and
following them through all the stages (order, receipt, supplier invoice, payment).
Such a test should be documented.
¾ Amend the high level process map if necessary.
¾ Determine the risks arising from the processes - see example opposite.
Internal Audit F2
F - ORCR
Accounts Payable
Extract from spreadsheet - worksheet 'Input Invoices'.
Advice for achieving output
¾ There is no simple answer as to how to map processes but remember, the
process map is not a document flow chart, intended to show every document and
check in the process, but one which enables the risks to be determined.
¾ Draw the flowchart in a logical order, noting:
x Processes which should be present to achieve the objectives efficiently, but
which are missing.
x Processes which don't seem to be necessary.
Note these details on the Issues schedule (section H)
¾ Risks result from having objectives and most risks should therefore be included in
the ORCR. However, where complex processes are involved not all risks may have
been identified, and the mapping of the detailed processes may highlight these.
So, although there is the objective, 'Invoices with an order number: Invoice and
credit note transaction data being used to update balances is relevant, complete,
accurate, timely and complies with regulations', the risk to this objective, 'that
the invoice may be entered against the wrong supplier', may not have been
identified. In this case the auditor should notify the appropriate manager to
update the AP ORCR.
¾ In order to get ideas of the risks involved, arrange a meeting with other
auditors to “brainstorm” what risks might exist, and keep the list in your “back
pocket” to help as a prompt.
¾ The task of mapping processes frequently highlights issues, such as missing
controls. These should be noted immediately on the Issues list (section H) which
can later be transferred to the ORCR.
¾ The detailed processes and risks may not agree exactly with the scope, since
that was only an initial evaluation.
F Opinion
Output of process
¾ The ORCR with opinions against all risks, stating one of three opinions for 'Has
management established a proper control framework?'
¾ The combination of these opinions is included in the report summary under,
'Has management specified all objectives; identified and analyzed all risks above
the risk appetite and developed adequate responses to those risks which should
reduce them to acceptable levels?' -Yes/ Yes, with exceptions/No.
Standards for output
¾ Guidance on the opinion is below:
Opinion on: Has management established a proper control framework? That is, has
management: specified their objectives, identified the risks threatening these
objectives and established controls which should reduce the risks to acceptable
levels?

Definition: Thorough processes have been used with the result that necessary
controls to risks have been established. The objective will be achieved if the
controls are operating.
Opinion: YES. Report as: No deficiency

Definition: Processes have been used, but there are some deficiencies which are not
judged sufficient to prevent the achievement of the objective.
Opinion: YES WITH EXCEPTIONS. Report as: Deficiency

Definition: Inadequate, or no, processes have been used and it is probable that the
objective will not be, OR is not being, achieved.
Opinion: NO. Report as: Major deficiency
¾ Each risk should have an opinion
¾ The overall opinion will be built up from these individual opinions.
Work plan for achieving output
¾ The work plan will depend on the risk maturity of the organization. There should
be few deficiencies, if any, for risk enabled and risk managed organizations but
there will be an increasing number as the risk maturity decreases. See the
working papers example with Book 1.
Work plan for achieving output (cont)
¾ A thorough understanding of the processes is essential to identify the risks and
therefore required controls. This part of the work is almost identical to 'systems'
auditing.
Advice for achieving output
¾ Don't spend too long worrying about the opinion on every risk. Remember, you
are trying to come to an overall conclusion about the quality of the risk
management framework. One opinion is unlikely to make a difference.
Internal Audit G
G Tests and residual risks
RBIA - Manual - G Tests and residual risks
Section index G - Tests and residual risks
Purpose of section G
¾ This section contains:
x Details of the tests that check the proper operation of controls, where there is
insufficient space on the spreadsheet. (Not complete in this example)
x Entering the opinions on each residual risk in the ORCR
Standards for section G
¾ The details of tests should be included, probably as word processed documents
linked to a sheet in the workbook (G - Tests)
¾ The ORCR should clearly show, for each risk:
x The control(s) mitigating each risk.
x The tests carried out to check the controls are operating.
x The residual risk score.
x An opinion as to whether each risk is being reduced to an acceptable level
(2120.A1).
x If a deficiency exists, the number of that deficiency on schedule H.
Internal Audit G
G Tests and residual risks
Accounts Payable
Contents Ref
Test 1 - Invoices with no order G1
Test 2 - Unmatched invoices G4
Other tests are not included in this example
Objectives, Risks and Control Register - tests and results extract G7
G - Testing of controls
Output of process
¾ The ORCR with details of tests carried out to assess whether the controls (direct
and monitoring) are sufficient and operating in order to reduce the risks to below
the risk appetite. ('Below the risk appetite' = the level of risk after the control
is applied is considered acceptable by the board.)
¾ Where test details cannot easily be recorded on the ORCR, a schedule detailing
the test carried out and conclusions should be written (see examples opposite).
Standards for output
¾ In Risk Defined, Risk Aware and Risk Naïve organizations, the proper operation
of most controls should be tested.
¾ In Risk Enabled and Risk Managed organizations, the auditor will need to make a
judgment of which controls to test. This can be based on:
x Requests from management during the scope and other meetings.
x Comments and requests from operating staff.
x Issues found during the assessment of risk maturity or documenting the risks
and processes.
x The control score (=inherent risk score less residual risk score), which gives
an indication of the importance of the control.
x Auditor unease about any areas, whether there is justification or not! (Follow
your instincts and don't let the original scope stop you).
¾ If the test is simple and the results show the risk is being controlled to within the
risk appetite, details need only be recorded on the ORCR.
¾ Tests should be fully documented to the extent that they could be re-performed
on the original documentation.
¾ The test documentation should state:
x Controls being tested
x Method of testing, including sample size, if appropriate
x Results
x The cause of any deficiencies found.
x Options for correcting the deficiencies in order to reduce the residual risk to
below the risk appetite.
x Opinion on the control (see below for options)
¾ Evidence required to support issues found should be scanned/copied and
attached to the test documentation.
Internal Audit G1
G Test 1 Invoices with no order
Accounts Payable
Objective (Level 3), Risk and Control
Invoices without an order: Invoice and credit note transaction data being used to
update balances is relevant, complete, accurate, timely and complies with regulations
No.: 95
Risk: Excessive prices are paid to untrustworthy suppliers.
Primary control: Computer warning if the account code is one where an order is
required (e.g. Goods for resale, capital items, expense items ordered by
Purchasing)
Monitoring: Exception report produced of invoices processed with no order number
Method of testing
Primary control: Observed input of invoices with no order numbers. Asked input
staff about the number of warnings.
Monitoring control: Visited Merchandising and Purchasing Departments to
investigate the checking of the report of invoices with no order.
Results of tests
Since suppliers are instructed to obtain orders before supplying goods or services,
most invoices refer to an order and there will therefore have been a verification of the
supplier by a purchasing department and negotiation on prices. There are very few
batches of invoices without order numbers and these are mainly for lawyers providing
specialist advice to the company's legal department. All of these invoices are
approved by the Chief Legal Officer and the total spend on these services is closely
monitored by Management Accounts to prevent any staff submitting false invoices
and approving them. In addition, there is a list of approved lawyers.
However, one of the batches examined (number 12/02) contained an invoice from a
consultancy company for design work and competitor reviews. It was noted:
¾ The invoice, from JB Associates, had been correctly approved by the Head of
Food Merchandising (Jim Higson). The invoice was addressed to Mr. J Higson at
the company's address.
¾ The invoice amount ($14,500) was correctly coded to the cost center Food
Expense code Consultancy. The budget holder of this cost center is Jim Higson.
¾ If the invoice had been over $15,000 it would have to have been approved by the
Chief Operations Officer, since it had no order and therefore no prior approval.
Standards for output (cont)
¾ An opinion should be expressed on the results of each test:

YES: The control is sufficient and operating to bring the risk to below the risk
appetite (although some action may be required – note in “Supplementary issues”).
No more monitoring is necessary than is done at present. The objective is being
achieved. Report as: No deficiency.

YES, EXCEPT: The control is sufficient and operating to reduce the risk. However,
the risk is not below the risk appetite but is not judged sufficient to prevent
the achievement of the objective. Some additional monitoring may be required (see
the report for details). Report as: Deficiency.

NO: The control is not sufficient and/or is not operating to bring risks to below
the risk appetite. It is probable that the objective will not be, OR is not being,
achieved. Major improvements are required to the monitoring of controls. Report
as: Major deficiency.
Work plan for achieving output
¾ The methods of testing to be used are part of normal internal auditing and will
depend on the circumstances, so detailed advice is not being given in this
manual.
¾ If possible combine several controls into one test to improve efficiency.
Advice for achieving output
¾ Use computer aided audit techniques (CAATs) to improve the sample tested.
¾ The purpose of tests is to demonstrate whether controls are operating properly.
They are not to find errors, which should be detected by management.
¾ Where deficiencies are found, discuss these with the staff directly involved as
soon as possible. If fraud could be involved, follow defined procedures or, if these
do not exist, talk to no one except the Chief Audit Executive
¾ Where you have obtained “anecdotal” evidence of risks not being controlled, try
and obtain evidence through testing. If you cannot, obtain agreement as to how it
is best reported, if at all.
¾ You should carry out sufficient testing in order to reach a conclusion about the
effectiveness of the control tested. The purpose of the test is not to find mistakes
- that is management’s job.
¾ The amount of testing of a control should be related to the importance of the risk
which the control is mitigating. So don’t spend much time testing controls over
low risks.
Internal Audit G2
G Test 1 Invoices with no order
We decided to carry out further work:
¾ The monitoring control should be a report of all invoices processed without an
order, checked by the appropriate buying department. We could not find any
evidence of this report being produced and checked. Only one of the office
managers, who distributed such reports, could remember the report and she said it
had been 'discontinued by IT'.
¾ There was no clearly defined responsibility for checking such a report.
¾ We examined the expense account codes for the Food cost center, checking for the
supplier. We only found JB Associates' invoices in the Consultancy expense
account.
¾ We used the services of IT auditor Pete Cook to write a CAAT (computer assisted
audit technique) report to extract all invoices with no associated order number
back to 1 January 20X0. This report showed:
x 20 invoices for legal department totaling $126,340
x 46 invoices for JB Associates totaling $209,423.
x 126 other invoices, all below $300 value.
¾ We examined the invoices paid to JB Associates. All were addressed to Mr. J
Higson and all approved by him. None were over $15,000 in value.
¾ Discreet enquiries within the Food Merchandising Department indicated that
competitor reports had been received for the amount paid, but with no guarantee
that the company had obtained value for money.
At this point we presented our findings to the CAE, who has discussed the matter with
the Chief Financial Officer and Chief Operating Officer. They have instigated a
special investigation, separate from this audit. The CEO and Chairman of the Audit
Committee have also been notified.
Cause of deficiency
The underlying cause of this deficiency is the failure to define the responsibility for
checking the report listing invoices with no order.
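As an added example (not part of the manual, and not the CAAT the audit team actually wrote), the following Python shows the shape of the test 1 analytic: extract every invoice processed with no order number since a cutoff date, total them by supplier and department, count the small-value ones, and flag invoices approved by the same manager they were addressed to. The ledger, names and amounts are constructed, and the manual's "20X0" is rendered as the year 2000 so the dates compare.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed cutoff: the manual's "1 January 20X0" rendered as a real date.
CUTOFF = date(2000, 1, 1)


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    invoice_date: date
    supplier: str
    department: str          # cost centre charged
    amount: float
    order_no: Optional[str]  # None when the invoice was processed with no order number
    addressed_to: str        # manager the invoice was addressed to
    approved_by: str         # manager who approved it for payment


# Constructed sample ledger, not data from the audit. Names and amounts are illustrative.
SAMPLE_LEDGER = [
    # Lawyers' invoices legitimately carry no order number (see test 1)
    Invoice("I-001", date(2000, 2, 3), "Smith & Co Solicitors", "Legal", 8200.00, None, "L Mason", "P Grant"),
    Invoice("I-002", date(2000, 5, 19), "Smith & Co Solicitors", "Legal", 4350.00, None, "L Mason", "P Grant"),
    # Consultancy invoices with no order, each addressed to and approved by the same manager
    Invoice("I-003", date(2000, 3, 11), "JB Associates", "Food", 14800.00, None, "J Higson", "J Higson"),
    Invoice("I-004", date(2000, 6, 2), "JB Associates", "Food", 9600.00, None, "J Higson", "J Higson"),
    Invoice("I-005", date(2000, 9, 27), "JB Associates", "Food", 12250.00, None, "J Higson", "J Higson"),
    # Low-value sundries with no order
    Invoice("I-006", date(2000, 4, 8), "City Couriers", "Expense", 120.00, None, "R Patel", "S Wong"),
    Invoice("I-007", date(2000, 7, 14), "Office Flowers", "Expense", 45.50, None, "R Patel", "S Wong"),
    # Matched to an order: excluded from the report
    Invoice("I-008", date(2000, 3, 5), "Fresh Produce Ltd", "Food", 22000.00, "PO-55012", "J Higson", "M Khan"),
    # Before the cutoff date: excluded from the report
    Invoice("I-009", date(1999, 12, 20), "JB Associates", "Food", 7000.00, None, "J Higson", "J Higson"),
]


def invoices_without_order(ledger, since):
    """Every invoice processed with no order number on or after `since`, oldest first."""
    hits = [inv for inv in ledger if inv.order_no is None and inv.invoice_date >= since]
    return sorted(hits, key=lambda inv: (inv.invoice_date, inv.invoice_id))


def summarise(invoices, key):
    """Count and total value of invoices grouped by `key` (a function of the invoice)."""
    counts, totals = defaultdict(int), defaultdict(float)
    for inv in invoices:
        counts[key(inv)] += 1
        totals[key(inv)] += inv.amount
    return {k: (counts[k], round(totals[k], 2)) for k in sorted(counts)}


def self_approved(invoices):
    """Invoices approved by the manager they were addressed to: no division of responsibility."""
    return sorted(inv.invoice_id for inv in invoices if inv.addressed_to == inv.approved_by)


def run_caat(ledger, since=CUTOFF, small_value_limit=300.0):
    """Report in the shape of the test 1 findings: totals per supplier and department,
    a count of small-value invoices, and the approval exceptions worth following up."""
    hits = invoices_without_order(ledger, since)
    return {
        "count": len(hits),
        "by_supplier": summarise(hits, lambda inv: inv.supplier),
        "by_department": summarise(hits, lambda inv: inv.department),
        "small_value_count": sum(1 for inv in hits if inv.amount < small_value_limit),
        "self_approved": self_approved(hits),
    }


if __name__ == "__main__":
    for section, value in run_caat(SAMPLE_LEDGER).items():
        print(f"{section}: {value}")
```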
Audit: 205 Date of document: dd-mmm-yyyy 95
RBIA - Manual - G Tests and residual risks
Internal Audit G3
G Test 1 Invoices with no order
Action
The Director of Operations has instigated the following action, after discussion with
the CAE:
¾ Suspension of J Higson pending results from the special investigation.
¾ All further work from JB Associates cancelled.
¾ No JB Associates invoices to be paid.
¾ The director will approve all invoices with no order until the investigation is
complete. A system will then be put in place to ensure division of responsibility
for approving these invoices.
¾ The director will approve a monthly report of all invoices processed without an
order.
The results from the special investigation will be considered separately.
Opinions
No. 95
Risk: Excessive prices are paid to untrustworthy suppliers.
Control: Computer warning if the account code is one where an order is required (e.g. Goods for resale, capital items, expense items ordered by Purchasing).
Opinion on control: NO. There are major deficiencies in controls over invoice approval such that the risk is above the risk appetite of the company. Major Deficiency (H4)
Internal Audit G4
G Test 2 Unmatched invoices
Accounts Payable
Objective (Level 3), Risk and Control
Invoices with an order number: Invoice and credit note transaction data being used to
update balances is relevant, complete, accurate, timely and complies with regulations.
There is a departmental objective to reduce staff numbers by improving efficiency
No. 86
Opportunity/Risk: Goods/services priced incorrectly / Incorrect costs input
Primary Control: Invoice costs matched with purchase order to confirm correct price and coding
Monitoring: Variance report produced showing difference between total ordered cost and total cost paid
No. 87
Opportunity/Risk: Invoice payment delayed if queries from mismatching not promptly cleared
Primary Control: A report is available on screen which buyers should regularly access to clear queries, either by agreeing the invoice price or by requesting a credit note.
Monitoring: A monthly paper report is produced for each buyer and sent to them by Accounts Payable
No. 88
Opportunity/Risk: Payment on time would reduce supplier queries
Method of testing
Primary controls:
¾ Confirmed that the majority of invoices result from goods and services ordered and
therefore invoices must be matched with orders for costs. See test 1 for further details of
invoices with no orders.
¾ Examined 'Invoices failing match' report for January 20X1 to ensure none are
outstanding for unreasonable periods. Failure to clear them quickly causes additional
costs in the AP department and may result in invoices being overridden to clear them,
with the risk that excessive costs are charged.
Monitoring control: Checked that Office managers in the purchasing departments
distribute reports of variances to senior buyers and obtain explanations
Results of tests
Invoices for goods are input into the system and are matched (automatically or manually)
with receipt details (for quantity) and order (for price). Invoices may fail to match with
quantities received or prices on the purchase order. Invoices failing to clear due to a
mismatch with quantities received usually clear automatically when the goods arrive and
are input into the system.
G - Opinions (see G7)
Output of process
¾ The ORCR completed up to the internal control opinion column.
¾ The ORCR with an opinion against all risks stating one of three opinions for
'Do internal controls, including monitoring controls, reduce the risk to
acceptable levels?'
¾ The combination of these opinions is included in the report summary under, 'Are
controls (including monitoring controls) sufficient and operating to reduce all risks
to acceptable levels?' -Yes/ Yes, with exceptions/No.
Standards for output
¾ The definitions for the opinions are below. For each opinion on the risk, the question is: are these controls sufficient and operating to bring the risk to below the risk appetite and ensure the achievement of the related objective?
Definition: Controls are sufficient and are operating to bring the risk to below the risk appetite (although some action may be required – note in “Supplementary issues”). No more monitoring is necessary than is done at present. The objective is being achieved. Opinion: YES. Report as: No deficiency.
Definition: The risk is not below the risk appetite, but this is not judged sufficient to prevent the achievement of the objective. Some additional monitoring may be required (see the report for details). Opinion: YES WITH EXCEPTIONS. Report as: Deficiency.
Definition: Controls are not sufficient and/or are not operating to bring the risk to below the risk appetite. It is probable that the objective will not be, OR is not being, achieved. Major improvements are required to the monitoring of controls. Opinion: NO. Report as: Major deficiency.
¾ When the results from all tests are known, the final assessment of residual risks
should be made.
¾ The ORCR should be reviewed by an audit manager.
¾ Mitigating controls should be identified for each of the risks determined in the
previous process and entered in the “Control”
Internal Audit G5
G Test 2 Unmatched invoices
Invoices failing to match due to price differences have to be cleared by:
¾ The receipt of a credit note when the price/item on the invoice is incorrect.
¾ The acceptance of the invoice price by the buyer when the order price is incorrect.
This is the usual reason which arises from a failure by purchasing to update item
prices, resulting in an order being issued with incorrect prices.
A report is available on screen which buyers should regularly access to clear queries,
either by agreeing the invoice price or by requesting a credit note. A monthly paper
report is produced for each buyer and sent to them by Accounts Payable. To monitor
the excess paid over the order cost, a variance report is produced against each buyer
showing the difference, by invoice in supplier order, of total invoice cost against
order cost.
We found the following in our enquiries:
¾ In the Food and Beverage Merchandise Departments and the Expense Purchasing
Department, 27 invoices (value $350,457) had not been cleared for six months. (Copy
of report attached). As a result suppliers continually contact Accounts Payable,
who have to spend a considerable amount of time answering queries and referring
the suppliers to the appropriate buyers.
¾ In trying to determine the reason for the failure to clear invoices, of the six buyers
with long outstanding queries, four said they had received no training in clearing
queries. The other two said they had received training but had no time to sort out
problems.
¾ The buyers and office managers in the departments concerned stated that the main
reason for so many queries arising was the failure to update prices on the
computer when they changed. No-one seemed sure why the delay occurred but
lack of training was cited by some buyers. As a result the order was issued at the
incorrect cost. Suppliers accepted orders without checking the cost and invoiced at
the cost on the delivery date. We checked the 27 invoices overdue for more than 6
months. All the invoice prices were correct. The order prices had not been
updated when new prices were agreed with the supplier.
¾ In order to reduce the number of supplier phone calls, and in some cases ensure
delivery of important goods, the AP Supervisor was overriding the query hold to
pass invoices for payment, with the approval of the AP manager.
¾ Buying Departments didn't look at the variance report.
Cause of deficiency
¾ Failure to update prices promptly on the computer, possibly due to lack of
training.
¾ Lack of training was also the cause of failures to clear queries and check the
variance reports.
Standards for output (cont)
¾ Action taken by management to ensure the continued operation of controls,
especially key controls, should be noted in the relevant column.
¾ The control should be specific - what is done, by whom (job title), how often
(2330).
¾ Test conclusions should be noted on the ORCR, with a reference to the test
schedule.
¾ Residual risk scores for consequence and likelihood are based on the risks as
mitigated by those controls which testing has shown operate properly. The
scoring is the same as for inherent risks.
¾ Conclusions should be included against each risk. The criteria are noted above. It
will probably not be possible to conclude on the action to be taken, and
monitoring, until after the deficiencies have been discussed. A deficiency should
be referenced to the deficiency forms (section H) when they are drawn up. The
example on G7 shows an 'x' as the number until it is known.
¾ A deficiency should be referenced to the final report to confirm its inclusion. If
subsequent discussions result in the issue being omitted from the report, a
reference should be made to the document which notes the reasons.
Work plan for achieving output
¾ Ask about controls during the initial discussions to determine the process maps
and risks.
¾ Allocate these controls to the risks they mitigate.
¾ Add the details about controls, and monitoring, from the walkthrough tests. Score
the residual risks, where possible – the control score (inherent risk score minus
residual risk score) will automatically be calculated.
¾ Carry out tests on the key controls.
¾ Where the control score exceeds about 15, implying a key control, ensure that
testing has been thorough. After all tests have been carried out, re-score the
residual risks.
¾ Input the deficiencies (weaknesses) found.
¾ Decide on the opinions you are able to come to, at this stage.
Internal Audit G6
G Test 2 Unmatched invoices
Action
Initial action:
¾ Office Managers will improve the training of buyers to include the clearance of queries and
prompt update of supplier prices.
¾ Office Managers will check the variance reports for unusual items and check these with the
appropriate buyers
¾ Accounts Payable will override the matching holds on any invoices:
x held for more than 10 working days
x with queries where the increase in invoiced price is less than 5% of the order price
x where buyers have not issued instructions to hold, pending a credit note.
These deficiencies will also be discussed with the Director of Operations.
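As an added example, not from the manual, the following Python implements the analytics behind test 2 and the initial action above: a per-buyer variance report (ordered cost against invoiced cost), ageing of invoices held on a price mismatch, and the override rule. The manual lists the override conditions as three bullets; this code reads them as conditions that must all hold (an assumption). Buyers, suppliers and dates are constructed, and "20X1" is rendered as 2001.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed "today" for the run: 15 February 20X1, rendered as 2001.
TODAY = date(2001, 2, 15)


@dataclass(frozen=True)
class HeldInvoice:
    invoice_id: str
    supplier: str
    buyer: str
    order_price: float    # unit price on the purchase order
    invoice_price: float  # unit price on the invoice
    quantity: int
    held_since: date      # date the invoice failed the price match
    buyer_hold: bool      # buyer has instructed AP to hold pending a credit note


# Constructed sample of invoices failing the price match; not data from the audit.
SAMPLE_HELD_INVOICES = [
    HeldInvoice("U-101", "Fresh Produce Ltd", "A Brown", 10.00, 10.40, 500, date(2001, 1, 20), False),
    HeldInvoice("U-102", "Fresh Produce Ltd", "A Brown", 10.00, 11.00, 100, date(2001, 2, 9), False),
    HeldInvoice("U-103", "Bean Importers", "C Diaz", 50.00, 51.00, 40, date(2001, 2, 12), False),
    HeldInvoice("U-104", "Bean Importers", "C Diaz", 50.00, 52.00, 20, date(2000, 7, 3), True),
    HeldInvoice("U-105", "Paper Supplies", "A Brown", 4.00, 4.10, 1000, date(2000, 6, 1), False),
]


def working_days_between(start, end):
    """Mon-Fri days after `start` up to and including `end`; public holidays ignored."""
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def price_variance(inv):
    """Invoiced cost minus ordered cost for the line (positive means paying over the order)."""
    return round((inv.invoice_price - inv.order_price) * inv.quantity, 2)


def variance_pct(inv):
    """Increase of the invoice unit price over the order unit price, as a fraction."""
    return (inv.invoice_price - inv.order_price) / inv.order_price


def override_allowed(inv, today, max_hold_days=10, max_increase=0.05):
    """G6 initial action: held over 10 working days, increase under 5% of the order
    price, and no buyer instruction to hold. All three conditions must hold (assumption)."""
    stale = working_days_between(inv.held_since, today) > max_hold_days
    small = variance_pct(inv) < max_increase
    return stale and small and not inv.buyer_hold


def variance_report(invoices):
    """Per-buyer ordered cost, invoiced cost and the difference, as the monitoring control."""
    totals = defaultdict(lambda: [0.0, 0.0])
    for inv in invoices:
        totals[inv.buyer][0] += inv.order_price * inv.quantity
        totals[inv.buyer][1] += inv.invoice_price * inv.quantity
    return {b: (round(o, 2), round(i, 2), round(i - o, 2)) for b, (o, i) in sorted(totals.items())}


def overdue_queries(invoices, today, months=6):
    """Held invoices older than `months` (30-day months), the ageing used in the finding."""
    cutoff = today - timedelta(days=30 * months)
    return [inv.invoice_id for inv in invoices if inv.held_since < cutoff]


def triage(invoices, today=TODAY):
    """Split held invoices into those AP may release and those to refer back to the buyer."""
    return {
        "release": [inv.invoice_id for inv in invoices if override_allowed(inv, today)],
        "refer_to_buyer": [inv.invoice_id for inv in invoices if not override_allowed(inv, today)],
        "overdue_6_months": overdue_queries(invoices, today),
        "variance_report": variance_report(invoices),
    }


if __name__ == "__main__":
    for section, value in triage(SAMPLE_HELD_INVOICES).items():
        print(f"{section}: {value}")
```

Each release decision should also be written to an audit trail naming the approver, since the finding was that holds were being overridden informally.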
Opinions
No. 86
Risk: Goods/services priced incorrectly / Incorrect costs input
Primary Control: Invoice costs matched with purchase order to confirm correct price and coding
Opinion on control: YES, WITH EXCEPTIONS. Most invoices have orders and are therefore checked against the order price for correctness. When the order price does not match, the queries are not being cleared promptly and may be overridden. We do not believe this prevents the achievement of the objective but it does hinder it. Noted as a Deficiency (H5)
No. 87
Risk: Invoice payment delayed if queries from mismatching not promptly cleared
Primary Control: A report is available on screen which buyers should regularly access to clear queries, either by agreeing the invoice price or by requesting a credit note.
Opinion on control: NO. There are material deficiencies in the processes to clear unmatched invoices. As a result suppliers are being paid late, with possible loss of discount and, in some cases, suppliers have stopped deliveries. The variance reports are not being checked, with the result that excessive prices may be paid. Major Deficiency (H6)
No. 88
Risk: Payment on time would reduce supplier queries
Opinion on control: NO. The opportunity to achieve the objective of reducing staff numbers is being hindered. (H7)
Action on risks and opportunity: YES
Advice for achieving output
¾ Scoring the consequence and likelihood of residual risks is not easy but it does
have to be reasonably accurate, since the aim is to decide whether the risks are
sufficiently mitigated by controls. This score will help you decide on the overall
conclusion for your report. Don’t get obsessed by t
question is, “Are you prepared to put your na
final report?”
¾ Some controls will only reduce the likelihood of the risk occurring. In other words,
if the risk occurs, due to a failure of the control, the consequence will be the same
as if the control didn’t exist. A control whi
likelihood, is insurance. In our example, a control which calls in another aid
agency to deliver food would reduce the consequence score.
¾ When assessing the residual risk, all controls mitigating it are taken into account
thus a score and conclusion is given to each risk depending on all the controls
mitigating it.
¾ The grading of a risk with a score of 5 (that is one with a high likelihood or
consequence and low consequence or likelihood) is difficult. In practice, it may
not be possible to mitigate and it has to be accepted (green). If there are cost-
effective controls which can mitigate it, then it is considered a “supplementary
issue” in the report.
Internal Audit G7
G ORCR with tests and results (extract)
Accounts Payable
Columns: L3 Risks / Internal control / Test of internal controls / Result / Control opinion
Risk: Incorrect supplier selected on input
Internal control: Input clerk checks name on screen against name on invoice
Test: Observed input of invoices with no order numbers. Asked input staff about danger of selecting wrong supplier.
Result: EXCEPTION. There is a danger that an incorrect supplier could be selected, although this would only be for invoices for lawyers. Any other invoices result in a warning message that the invoice should have an order number.
Control opinion: EXCEPTION (Deficiency X)
Risk: Incorrect/incomplete data on invoice
Internal control: Supplier is expected to ensure invoice has all the correct data. If any is found to be missing during the input process the invoice is returned to the supplier for correction.
Test: Check that policies state that data should only be input from properly approved documents (some tax authorities require external documents with a tax number).
Result: YES. Checked AP policy and procedures manual. It clearly states that the only documents input should be properly approved original documents from the supplier. The manual is used for training.
Control opinion: YES
Risk: Account coding for invoice is incorrect
Internal control: The invoice is coded by the authorizing manager
Test: Check invoices are coded by knowledgeable staff using published guidelines
Result: YES. Spoke to Legal Department accounts manager. Legal invoices are coded by the authorizing manager and checked by the accounts manager. Checked coding of invoices for January 20X1. All OK.
Control opinion: YES
Risk: Excessive prices are paid to untrustworthy suppliers.
Internal control: Computer warning if the account code is one where an order is required (e.g. Goods for resale, capital items, expense items ordered by Purchasing)
Test: Observed input of invoices with no order numbers. Asked input staff about the number of warnings.
Result: NO. Found invoices with no order number, approved by the manager who had required the service. See test for details.
Control opinion: NO (Deficiency x)
Insert a file divider after this page
Internal Audit H
H Deficiencies
RBIA - Manual - H Deficiencies
Section index H - Deficiencies
Purpose of section H
¾ This section holds documents used for two purposes:
x Noting possible deficiencies as they arise, in order to follow them up during
the course of the audit.
x Noting down deficiencies for formal discussion, where we consider that the
risks are not being properly mitigated by operating controls
Standards for section H
¾ The referencing of documents in this section is very important. It must be possible
to see where a potential deficiency arose (meeting, test) and how it was resolved.
Internal Audit H
Section index H - Deficiencies
Accounts payable
Contents Ref
Potential deficiencies H1
Deficiencies for discussion H2
H - Potential deficiencies identified
Output of process
A list of deficiencies, made as they arise, with action taken to resolve them, or a
reference to further work.
Standards for output
¾ The source of the deficiency (for example, a meeting or phone call) should be
noted, although there does not necessarily need to be a formal record of the
source.
¾ How the deficiency was resolved must be completed before the final deficiency
list is discussed at the close down meeting.
¾ Where the deficiency was not resolved, a reference should be included to the
document which carries it forward.
Work plan for achieving output
¾ The document is intended to be used as soon as a potential deficiency arises, so
it can't be forgotten. It should therefore always be kept close by the auditors, and
hand-written or typed into a tablet or mobile (cell) phone.
¾ Resolve deficiencies as soon as possible, but when convenient.
¾ Each auditor needs a list.
Advice for achieving output
¾ Each auditor should check the other auditor’s list to ensure all possible
deficiencies have been resolved.
Internal Audit H1
Potential deficiencies identified
Accounts Payable
Columns: Date / Source reference / Potential Deficiency / Resolution
6-Jan-X1 / Scope meeting / Queries on unmatched invoices are overdue / See test 2
4-Feb-X1 / Observing input of invoices with no order / Noted most invoices without an order were for legal expenses. However, some from JB Associates for competitor review work also had no order. Follow this up. / Test 1
5-Feb-X1 / Visit to purchasing departments / These departments don't seem to receive monitoring reports for invoices with no orders, variance reports and unmatched invoices / See tests 1 and 2
H - Deficiencies for discussion
Output of process
¾ A list of those risks which we do not consider sufficiently mitigated by controls -
known as deficiencies
RBIA - Manual - I Draft report
Insert a file divider after this page
Internal Audit
J Final report
RBIA - Manual - J Final report
Section index J - Final report
Purpose of section J
¾ To hold the final report, covering letters sent with the report, and comments
received as a result of the report.
Standards for section J
¾ A paper copy of the report circulated must be filed, in case the electronic version
should be lost or altered.
Internal Audit J
Section index J - Final report
Accounts Payable
Contents Ref
Final report (not included) J1
Letter with final report J8
Letter from Finance Director (not included) J9
J - Final report
Output of process
¾ A report, giving a conclusion on whether the objectives of the processes audited
are being, and will be, achieved.
¾ Where appropriate, details of the action to be taken, with times, to reduce risks to
acceptable levels.
Standards for output
¾ The report to be approved by an audit manager or the chief audit executive
before issue, to ensure the actions agreed are satisfactory (2440).
¾ The report to be proof read directly before distribution by someone who has not
been associated with the audit.
¾ If the report opinion is NO, consider setting up a meeting to deliver the report and
discuss the issues.
¾ If the final report contains a significant error or omission, the CAE should
communicate the corrected information to all recipients of the final report (2421).
¾ If reports are to be sent outside the company, they should be marked
“Confidential”, and a covering letter sent stating that they should not be
distributed further without the company's permission (2410.A3). Except where
distribution is required by law, the CAE should assess the risk to the company
and consult as appropriate (2440.A2).
¾ Audits requiring follow-up to ensure the implementation of recommendations
should be noted on the ORCR (2500).
¾ Where the CAE believes management has accepted a residual risk which is
greater than the risk appetite of the organization, the CAE should discuss the
matter with the relevant senior management. If the matter is not resolved, it
should be referred to the Board and/or Audit Committee, as appropriate (2600).
¾ When complete, save the report as 'Read only', to prevent changes after
circulation.
Internal Audit J1
Final report
As the final report is very similar to the draft report, it is not repeated here to save
space.
Work plan for achieving output
¾ Just before comments are due on the draft report, contact those who have not yet
responded to check that they are on target to reply.
¾ Chase for replies not received on time.
Advice for achieving output
¾ If people are late in replying, and do not respond to reminders or requests as to
why they have not responded, tell them that the final report will be distributed on
a particular date, so if they haven’t replied this will be noted.
¾ If e-mailing the report, remember that lovely colored charts may not be clear if the
recipient prints them in “grayscale”. So print them in “grayscale” yourself to check.
J - Letter with final report
Output of process
A letter, or e-mail, which is sent with the final report.
Standards for output
¾ A covering letter should be sent with the report:
x Indicating the overall conclusion.
x Noting the action which is being taken on any issues (2440.A1).
x Where action is not being taken, noting that senior management have
accepted the risks (2500.A1).
x Noting any special action the recipient should take.
x Specifying who they should contact in the event of a query.
¾ The letter is sent from the CAE.
Work plan for achieving output
¾ The letter is written when the report is ready for sending.
¾ If the report contains major deficiencies and/or proper action is not being taken,
consider briefing the finance director.
Internal Audit J8
Memo
To: D Tritt, Chief Operating Officer; H Trent, Chief Financial Officer; A Smith, Head of Accounting Services; M Khan, AP Manager*; Merchandise and Purchasing Department Office Managers**
From: P Jones, Chief Audit Executive, Internal Audit Department, Head Office
Date: 8 March 2004
Final report on Accounts Payable
Accounts Payable
The overall conclusion is that the risks to the organization's objectives are not being
managed to acceptable levels. We are satisfied that action is being taken to correct the
deficiencies found.
An executive summary is included in the first page of the report.
A summary of this report will be sent to the audit committee and the full version will
be available to the external auditors and audit committee.
If you have any queries on the report, please contact me
Regards
P Jones
Chief Audit Executive
Insert a section divider after this page.
Internal Audit K
Quality control
RBIA - Manual - K Quality control
Section index K - Quality control
Purpose of section K
¾ To file those documents used to record the quality control checks carried out
during the audit (1311).
Standards for section K
¾ Review notes and proof reading checklists are filed in the audit file.
¾ Feedback, targets and appraisal documents are filed in personnel (HR) files. (They
are included in this file for convenience).
Internal Audit K
Section index K - Quality Control
Accounts Payable
Columns: Contents / Ref
Review notes after risks scored (not included) / K1
Review notes - prior to closedown meeting / K2
Review notes draft report (not included) / K3
Review notes final report (not included) / K4
Review notes file before filing (not included) / K5
Proof reading / K6
Feedback - M Khan / Personnel file
Feedback - H Trent (not included) / Personnel file
Individual targets M Davis / Personnel file
Individual targets F Sawyer (not included) / Personnel file
Individual appraisal M Davis / Personnel file
Individual appraisal F Sawyer (not included) / Personnel file
K - Review notes
Output of process
¾ Document noting comments from the reviews carried out on the audit
documentation.
Standards for output
¾ The document must always be used by a reviewer to ensure action is taken on
the points raised.
¾ The name of the reviewer, and date the review takes place, should be noted.
¾ The point in the audit at which the review takes place should be noted. The CAE
must carry out a review (2340):
x After the risk maturity check.
x After the issues have been included on the database, prior to close down
meeting.
x After the issue of the final report.
¾ The source of the deficiency should be noted.
¾ The action taken should be noted and, where necessary, the source document
should be corrected and its reference shown.
¾ The auditor is responsible for noting the action taken.
¾ All points should be cleared before the approval of the final report.
¾ The nature of the comments made will influence the appraisal of the auditor.
¾ Reports should be accurate, objective, clear, concise, constructive, complete, and
timely (2420).
Work plan for achieving output
¾ Give sufficient notice to the reviewer that a file review is required.
¾ Reviews, other than those noted above, may be carried out at any time during the
audit. The table on the next page gives details.
¾ Other than the CAE, reviews can be carried out by auditors not involved in the
audit (“colleagues”) or staff with specialist skills!
Advice for achieving output
¾ Reviewing files can be so boring. Set yourself a target to do so many sections in
30 minutes, before having a break and doing other work.
Internal Audit K2
Review notes
Accounts Payable
Review stage: End of Audit Review. Date: 16-Feb-X1. Review by: P Jones
Columns: Source reference / Review point / Action on point / Action reference
B Functions / Include AP names in the function hierarchy / Done / Cleared
E Input invoices flowchart / Include a box with the objective / Done / Cleared
F Risk Maturity / There is no Risk Management Committee. Is one needed? / Discussed this with Head of Risk Management. The Audit Committee have discussed the need for one but don't consider it necessary / Cleared. Noted on F
G ORCR / Risk 127. What about controls over agency/temporary staff? / Use of Agency staff is very rare. If they are used, they are interviewed and approved by the AP manager. They are used for jobs where the risks are low. / G ORCR Control added
H Potential deficiencies / I will include an audit of purchasing departments in the plan ASAP / Noted by CAE on audit plan from this audit / Cleared
Possible audit stages for review
Columns: When / Purpose / Who
Sign off of scope / Confirm scope clearly sets out the aim and boundaries of the audit / CAE
Processes documented / To decide on the direction for the rest of the audit. To identify inherent risks and score them / Colleague
Throughout audit / Audit is in accordance with the scope (or scope needs amending), diary being written, meetings being documented and referenced, and “stakeholders” being informed of progress / Auditor in charge
Processes, risks and proposed tests documented / Ensure all risks have been identified and testing covers all key controls / CAE
Prior to the close down meeting / File review to ensure: the work outlined in the scope has been carried out; sufficient work has been carried out to justify the conclusions made; deficiencies are raised where risks are not properly mitigated by controls, or controls have been tested and found to be ineffective; deficiencies raised in the report can be easily traced back to supporting evidence (tests, interviews); the documentation is complete and follows standards set out in the manual, amended as appropriate / Colleague, CAE
Draft report ready for circulation / Check to ensure that the report properly represents the conclusions of the audit work and that the presentation and English are to the standards expected / CAE
Proof read draft and final reports / Sign off to ensure that the report adheres to layout standards, no errors, spelling mistakes / Colleague
Final report ready for circulation / Sign off to ensure that the report is suitable for circulation / CAE
End of audit / File conforms to “model file”, in particular issues are referenced / CAE
K - Proof reading
Output of process
¾ A checklist showing that the document has no errors.
Standards for output
¾ All important documents, including the final scope, draft and final reports must be
proof read immediately prior to sending.
¾ A document should be proof read by someone totally unconnected with it, but
who understands the standards it must be judged against.
¾ A black-and-white printed version of the document should be used.
¾ If a document only requires minor amendments, only these amendments need be
checked in the final document.
¾ If a document has many amendments, it must be proof read again
¾ If the document, such as accounts, contains totals, they must be checked with a
calculator. Spreadsheet formulas must not be relied on, as they can introduce
rounding errors. If calculations are too complex to repeat with a calculator, the
spreadsheet formulas should be independently checked. The degree of checking
will depend on how the results are used.
¾ Required amendments should be clearly marked, preferably in red or another
clearly visible color.
Work plan for delivery
¾ Request a suitably knowledgeable person to proof read the document. Give them
the checklist and, if necessary make sure they understand it.
¾ It is probably better to proof read the document several times, looking for
particular aspects each time, such as layout, then page numbers, then
punctuation, and so on.
Advice for achieving delivery
¾ The purpose of proof reading is to check the layout of the report and accuracy,
with regard to punctuation, spelling (including accents in some languages such as
French and Spanish) and grammar.
¾ The purpose of reviews is to ensure the document is technically correct and
understandable. They will not necessarily detect errors found by proof reading.
¾ The audit report is our audit department’s “pr
removes credibility from the department. Some managers will take the view that,
if we can’t get our apostrophes (or accents)
cannot be correct either!
Internal Audit K6
Proof reading
Accounts Payable
Document: Final report    Proof read by: E Bradshaw

Layout                                                              Checked
Follows standards in the manual                                     ✓
Page breaks to ensure titles not at bottom of page
Page numbers start on first narrative page
Page numbers correct on Contents page
Headers and footers correct throughout
If numbering used for sections, these are all consecutive
Titles, paragraphs, diagrams are all correctly aligned
Font sizes and type are consistent

Reading                                                             Checked
Punctuation correct, including apostrophes
No initials or acronyms used without explanation
Circulation list names spelt correctly
All appendices are referred to in the report
All totals, and any other calculations, checked (if appropriate)    N/A

A tick shows that the document has been checked against the requirement noted, not that no errors were found.
Where errors are found, clearly mark the report and refer them to the author for correction.
K - Feedback
Output of process
• A document recording the opinions of auditees on the conduct and conclusions of the audit, which is used to:
   - improve audit procedures
   - act as a basis for the auditors' appraisals
Standards for output
• The document is completed by the CAE during a discussion, face-to-face if possible, with the individual auditees affected by the audit.
• Auditees should generally be seen individually.
• The feedback document is for guidance only during the meeting.
• The document should record the auditee's views, and not any excuses from the audit department where the work did not meet expectations.
• Improvements to the audit process ("learnings") arising from the feedback should be noted on the form, together with the action taken.
• The completed document should be sent back to the auditee to confirm the record of their views.
Work plan for delivery
• Arrange a meeting with the auditee in a location where you will not be overheard.
• Send a note:
   - confirming the meeting
   - giving the reasons for the meeting
   - asking the auditee to consult colleagues affected by the audit for any comments they may have
• Hold the meeting, noting comments on the form.
• Type the comments into the form; send it to the auditee requesting confirmation that it represents their opinions.
• Use the agreed comments for the staff project appraisals.
Internal Audit
Personnel file
Feedback (1)
Accounts Payable
Feedback from: M Khan    Date: 16-Mar-X1

Did we: | What we did well | What we could do better
Planning | |
Clearly explain the reasons for the audit? | Reasons were clearly explained |
Explain how the audit was to be done? | Care was taken to explain the full audit process |
Include your wishes, priorities and concerns in the Scope? | The scope was good |
Fieldwork | |
Keep you informed of progress throughout the audit? | I was kept informed of progress |
Involve you, and your staff, to ensure the audit was carried out efficiently and effectively? | I was involved as necessary | Supervisors think that we should have involved them more
Reporting | |
Discuss deficiencies with you at the appropriate time? | Deficiencies were discussed when they arose |
Make recommendations, and agree actions, which improved control and were appropriate to the situation? | Recommendations were practical. |
Produce a report which completely fulfilled the objectives noted in the scope? | The report achieved the objectives noted in the scope. | Very unhappy with the overall 'NO' opinion since it only resulted from Purchasing Dept failures!
Carry out the audit within your expected timeframe? | Report was received when expected |
Advice for achieving delivery
• As noted above, the form is for guidance only. In practice you will find most of the discussion goes under "Other comments"!
• Always have a discussion, even if over the phone. If you just send the document, you may not get a full, honest response, even if you get a reply.
• Record the comments accurately, even if you disagree with them. Remember:
   - He/she could be right!
   - Whether they are right or wrong, they are probably passing these comments to their staff and managers/directors. It is vital you know their views so that you are in a position to correct them.
• Don't use the meeting to argue against their views. You may need to stress that you don't agree with them, but the meeting is for recording their views, not debating them.
• Make sure you extract the learnings and act on them. Even if mistakes were made in the audit, showing that you are taking action to correct them will improve your status. Don't forget to learn from what the audit did well, too.
• Remember to obtain the auditee's views about how well the auditors worked, as well as about the audit process.
Internal Audit
Personnel file
Feedback (2)

Other comments:
The 'NO' opinion was unfortunate in that all the risks under the control of the AP Department were within the risk appetite but the major deficiencies within the Merchandising and Purchasing Departments resulted in this opinion.
IA tried to lessen the impact by referring to the adequate controls within AP but this only appeared as one sentence on page 2.

The above notes should be an accurate reflection of the comments made during our meeting. If you disagree with them, please let me know. (The inclusion of comments doesn't necessarily mean we agree with them, but we will learn from them, as noted below.)
P Jones, Chief Audit Executive (phone 2316)

Learnings going forward | Action
Involve supervisors more | Brief audit teams
Need to consider how we present conclusions when more than one department is concerned | In cases like this one, consider splitting the conclusion.
K - Targets
Output of process
• A document showing the targets which an individual auditor should aim to reach during the course of an audit and which will form the basis of his/her appraisal.
Standards for output
• Targets must be SMART:
   - Specific: a clear outcome ("deliverable") is expected from the auditor.
   - Measurable: it must be possible to know, without doubt, that the target has been achieved.
   - Achievable: it must be possible for the auditor concerned to achieve the target.
   - Realistic/relevant: the target should be related to the work and objectives of the auditor.
   - Time-related: a time should be set by which the target should be completed.
• Targets set for an audit should be related to those set for the annual appraisal, so that the audit appraisals build up to the annual appraisal.
• The standard form, based on the targets for the year, should be used. It should be amended by any specific targets required, which might arise from previous audits; for example, fewer changes required to the draft report.
• A written version of the targets should be given to the auditor within a week of the initial briefing session.
Work plan for achieving output
• The targets are discussed with the auditor just after the initial briefing session.
• If, during the course of an audit, it becomes obvious that an auditor will not meet a target, he/she should be informed immediately. This provides an opportunity for improvement.
Advice for achieving output
• The measurements are a bit negative, since they rely on the absence of bad points, as opposed to the presence of compliments!
• The feedback from managers should look for compliments, as well as criticism.
• Targets such as "Improve relations with management" have not been included. Such targets would not be easy to measure and, in most cases, the auditor would not achieve the other targets without good relations. It is also possible for relations to be poor with an incompetent manager who receives a "NO" report, or for relations to be good with a manager where the audit was not sufficiently thorough.
Internal Audit
Personnel file
Targets
Accounts Payable
Auditor: M Davis

Target | Measurement
The audit scope will include the work necessary to fulfill the appropriate part of the audit plan | Audit scope agreed by the CAE and management, without significant alteration
The audit will achieve the work detailed in the scope | The CAE review, pre close-down meeting, does not require any further work to complete the objectives set out in the scope
Sufficient work will be done to reach the conclusions required | The CAE reviews do not require additional work in order to ensure the conclusions are backed up by sufficient evidence. Feedback from management shows they are satisfied with the work done, including the
All necessary deficiencies will be raised | Reviews of the ORCR do not highlight omissions which might miss deficiencies. Feedback indicates that management consider the deficiencies raised to be relevant and to have been given the right priority
Action will be agreed on all the deficiencies raised | Management have agreed to undertake action on all the deficiencies raised, within a reasonable time. Feedback indicates management are satisfied that recommendations for action were achievable and in the best interests of the company
The audit will be completed on time | The audit was completed within the budgeted time and the report issued by the date given in the scope. Feedback indicates that management were satisfied with the pace of the audit
The audit documentation will comply with the manual | The reviews of the audit working papers did not require extensive additions, changes or removal of unnecessary detail
Staff are managed properly to assist in meeting the above targets | Measurements as above, applied to the work of staff under the control of the auditor

Date: 15-Dec-X0    Signed: M Davis
K - Appraisal
Output of process
• A document showing the auditor's achievements against his/her targets, agreed by the auditor (appraisee) and the CAE (appraiser).
Standards for output
• The achievement against each target must relate to the measurement listed on the Target Form.
• The appraisal should be held no later than 10 working days after the distribution of the final report.
• The appraisal must take into account the feedback from the auditees. Quotes from the feedback, in italics, should be used.
• The appraisal is scored as follows:
   - E = exceeded the target. This might be by: persuading a reluctant manager to accept some essential action; showing exceptional initiative in the recommendations made; detecting a well-hidden fraud.
   - M = met the target. Achieved the performance expected for an auditor at his/her grading.
   - F = fell short. Did not achieve the target.
• An overall appraisal grade is given.
Work plan for achieving output
• Read the review notes and feedback form on the audit file.
• Complete the Appraisal Form.
• Discuss the 'Achieved' comments and rating with the auditor.
• Both sign the form, which is filed in the auditor's personnel (HR) file.
Advice for achieving output
• You may wish to leave giving ratings until the discussion with the auditor, since it is important to get agreement if possible.
• If you cannot get agreement, consider adjourning the meeting so that both can reconsider the facts supporting the conclusion.
Internal Audit
Personnel file
Appraisal (1)
Accounts Payable
Auditor: M Davis    Appraiser: P Jones    Date: 19-Mar-X1

Target | Achieved | Rating
The audit scope will include the work necessary to fulfill the appropriate part of the audit plan | The draft audit scope was well written and needed few changes before being issued as a final version | M
The audit will achieve the work detailed in the scope | My review of the documentation and database did not highlight any significant omissions | M
Sufficient work will be done to reach the opinions required | No additional work was required | M
All necessary deficiencies will be raised | The database review showed all deficiencies were raised | M
Action will be agreed on all the deficiencies raised | Action agreed on all deficiencies. 'Recommendations were practical.' (M Khan) | M
The audit will be completed on time | The audit was completed within the budgeted time and the report issued by the date given in the scope. 'Report was received when expected.' (M Khan) | M
Internal Audit
Personnel file
Appraisal (2)

Target | Achieved | Rating
The audit documentation will comply with the manual | Excellent audit documentation | E
Staff are managed properly to assist in meeting the above targets | Measurements as above, applied to the work of staff under the control of the auditor | Not applicable
Additional points | The discovery of the J B Associates invoices and subsequent audit work was very well done, with senior management being involved at the appropriate time. Favorable comments were given by the Chief Financial Officer and Chief Operations Officer | E

Key to rating: E = exceeded target; M = met target; F = failed to meet target.
Overall rating: Exceeded targets
Agreed by (auditor): M Davis    Date: 19 March X1
Appraiser: P Jones    Date: 19 March X1
Insert a section divider after this page.
Internal Audit L
Follow-up
RBIA - Manual - L Follow-up
L - Follow-up section index
Purpose of section L
• To file those documents which report on the action taken as a result of the audit report issued (2500.A1).
Standards for section L
• Follow-up audits must be carried out where there are "NO" or "YES WITH EXCEPTION" opinions.
• Follow-up audits should be carried out until all opinions are "YES", or the CAE is satisfied that management may accept the risks of not taking action (2500.A1).
• If, subsequent to action having been agreed in the report, management later decides not to act but to accept a residual risk which is greater than the risk appetite of the organization, the CAE should discuss the matter with the relevant senior management. If the matter is not resolved, it should be referred to the Board and/or Audit Committee, as appropriate (2600).
• The audit committee should be informed of the follow-up audits carried out and their latest opinions.
Work plan for achieving output
• Use the date for the follow-up audit noted in the final audit report as the target date for commencing the audit. If this is not possible, inform all those affected, giving reasons for the delay.
• Send a letter to all those involved about two weeks prior to commencing the follow-up audit.
Advice for achieving output
• Where a management team has regular meetings, encourage them to put the progress of the agreed action on the agenda. In this way they will be constantly reminded of the report until all issues are cleared.
Internal Audit L
Section index L - Follow-up
Accounts Payable

Contents                                                     Ref
E-mail advising of follow-up audit July 20X1 (not included)  L1
Follow-up report July 20X1                                   L2
Letter with follow-up report (not included)                  L5

L - Follow-up report
Output of process
• A letter showing the action taken as a result of the issues raised and giving an update on the conclusions.
• The ORCR follow-up columns completed as appropriate.
Standards for output
• Sufficient enquiries and tests should be carried out to ensure action has been taken and the risk is now mitigated.
• The opinions in the original report and the opinions from the follow-up audit should be shown alongside each other.
• Explanations should be provided for the opinions.
• A separate summary should show the action taken on each of the deficiencies included in the original report.
• Follow-up reports should state a date for the next follow-up if all opinions are not "YES".
• Where no action is being taken on "NO" opinions, but action was promised in the original report, the CAE should be informed immediately.
• The CAE should issue the report with a covering letter.
• If any deficiencies are found which were not in the original report, they should be included in the follow-up report, with an appropriate note.
Work plan for achieving output
• Telephone the management affected by the follow-up audit to inform them it is about to take place, unless an element of surprise is required.
• Issue a letter confirming this.
• Hold meetings with all those people who should be taking action as a result of the original audit report.
• Determine the action taken and confirm this by testing, as far as possible.
• Document the meetings and tests carried out.
• Have the work reviewed by the CAE.
• Write and issue the report.
• Update the ORCR with the results of the follow-up audit.
Advice for achieving output
• The format of the follow-up report is not rigid; you may have to modify it in order to present the results in a clear, concise manner.
Internal Audit L2
Follow-up audit
Accounts Payable

Introduction
This audit is the first follow-up to the report issued on March 8, 20X1. Since the audit was carried out, the separate investigation of payments to J B Associates has been completed and is the subject of a fraud investigation by the police.
The Chief Operations Officer has reviewed all the objectives, risks and controls within his responsibility and has agreed the proposed new controls with internal audit.

Objective: Pay suppliers the correct amount at the time agreed

 | Original report | This audit
Significance of the processes to the organization | HIGH | HIGH
Opinions | |
Has management established a proper internal control framework? That is, has management: specified their objectives, identified the opportunities benefiting and risks threatening these objectives and established controls which should reduce the risks to acceptable levels? | YES | YES
Are these controls sufficient and operating to bring the risks to below the risk appetite and ensure the achievement of the related objective? | NO | YES
Is action being taken which will bring the risks to below the risk appetite and ensure the achievement of the objective? | YES WITH EXCEPTIONS | YES
Overall opinion: Is the objective being achieved? | NO | YES

The summary of action taken is shown on the next page.
Internal Audit follow-up report - Accounts payable L3
Summary of action taken

Deficiency | Action promised | Confirmed action taken to date | Grade
No monitoring of invoices processed with no order | All invoices should have an order. The director will approve all invoices with no order. A system will be put in place to ensure division of responsibility for approving these invoices. | COO has issued instruction that all invoices (except some Legal) must have an order number, in order to ensure division of duties between the person negotiating the service and the recipient of the service. | YES
Queries on unmatched invoices not cleared quickly | Office Managers will improve the training of buyers to include the clearance of queries and prompt update of supplier prices. Office Managers follow up any older invoices. | Training course held. Number of invoices failing a price match has fallen by 90%. 95% of invoices failing to match are being cleared within two weeks. | YES
Some variance reports not checked | Office Managers will check the variance reports for unusual items and check these with the appropriate buyers | Examined reports. All variances explained. | YES
Risk Management department contacts all functions every quarter to update the ORCR. Not all replies are received. | The Head of Risk Management will contact all managers not replying to insist on a reply | Confirmed all replies received from April circulation. | YES
No evidence that the Head of Accounting Services signs off the Objectives, Risks and Controls Register | Head of Accounting Services will sign off the Objectives, Risks and Controls Register | Confirmed ORCR signed. | YES

Internal Audit follow-up report - Accounts payable L4
Summary of action taken (continued)

Deficiency | Action promised | Confirmed action taken to date | Grade
Payment to incorrect supplier, which it may not be possible to recover | None, but likelihood is very low | Low risk since most invoices (except legal) will have order numbers and therefore match on these. | YES

Insert a file divider here
Internal Audit M
Computer files
RBIA - Manual - M Computer files
M - Computer files
Output of process
• A logical directory structure for storing the files of each audit.
Standards for output
• The Excel file should be the primary working document, with word processed files, such as the report, hyperlinked from it.
• The directory structure must follow the department's standard:
   - Audits are filed in a sub-directory for the year in which the audit is planned. This makes archiving computer files easier.
   - Files for each audit are held in a directory called: audit number audit title. For example: 205 Accounts payable.
   - Within the main audit directory, there are subdirectories for:
     A Audit management
     B Background information
     C Scope
     D Meeting notes
     E Risk maturity
     F Objectives, Risks and Controls Register
     G Tests
     H Deficiencies
     I Draft report
     J Final report
     K Quality control
     L Follow-up
• All file titles should be preceded by the audit number (for example: 205 final scope).
• Where several versions of a document exist, for example draft reports, attach a version number: 205 draft report v1.
Work plan for achieving output
• Set up the structure after the first meeting with the CAE.
Advice for achieving output
• A strict naming convention for files hasn't been defined; the important principle is that files can be found quickly.
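The directory and file-naming standard above is easy to enforce with a small script. The following Python example is added here and is not part of the manual or its spreadsheets: it creates the A to L sub-directories for an audit under its year directory, reports any file whose name does not start with the audit number, and finds the latest version of a versioned document such as the draft report. The pattern "<audit number> <description> v<n>.<extension>", the year directory name "20X1" and the sample file names are this example's own assumptions, built from the manual's "205 Accounts payable" and "205 draft report v1" examples.

```python
import re
import tempfile
from pathlib import Path

# The twelve sub-directories (A to L) listed in the manual's standard.
SUBDIRS = [
    "A Audit management",
    "B Background information",
    "C Scope",
    "D Meeting notes",
    "E Risk maturity",
    "F Objectives, Risks and Controls Register",
    "G Tests",
    "H Deficiencies",
    "I Draft report",
    "J Final report",
    "K Quality control",
    "L Follow-up",
]

# File names: "<audit number> <description>[ v<n>].<extension>".
# Assumption of this example: the optional " v<n>" suffix generalizes the
# manual's "205 draft report v1".
NAME_RE = re.compile(r"^(\d+) (.+?)(?: v(\d+))?\.([A-Za-z0-9]+)$")


def create_audit_structure(root, year, audit_number, title):
    """Create <root>/<year>/<audit number> <title>/<A .. L> and return the audit directory."""
    audit_dir = Path(root) / str(year) / f"{audit_number} {title}"
    for name in SUBDIRS:
        (audit_dir / name).mkdir(parents=True, exist_ok=True)
    return audit_dir


def check_file_names(audit_dir, audit_number):
    """Return the files under audit_dir (relative POSIX paths) that break the naming rule."""
    bad = []
    for path in Path(audit_dir).rglob("*"):
        if not path.is_file():
            continue
        match = NAME_RE.match(path.name)
        if match is None or match.group(1) != str(audit_number):
            bad.append(path.relative_to(audit_dir).as_posix())
    return sorted(bad)


def latest_version(audit_dir, audit_number, description):
    """Highest v<n> of "<audit number> <description> v<n>.<ext>", or None if none exists."""
    latest = None
    for path in Path(audit_dir).rglob("*"):
        match = NAME_RE.match(path.name)
        if (match and match.group(1) == str(audit_number)
                and match.group(2) == description and match.group(3)):
            number = int(match.group(3))
            latest = number if latest is None else max(latest, number)
    return latest


def demo():
    """Build audit 205 in a temporary directory with constructed sample file names."""
    with tempfile.TemporaryDirectory() as root:
        audit_dir = create_audit_structure(root, "20X1", 205, "Accounts payable")
        # Constructed sample files: the first four follow the rule, the last two do not.
        for rel in [
            "C Scope/205 draft scope.docx",
            "C Scope/205 final scope.docx",
            "I Draft report/205 draft report v1.docx",
            "I Draft report/205 draft report v2.docx",
            "I Draft report/draft report v3.docx",  # audit number missing
            "D Meeting notes/notes.txt",            # audit number missing
        ]:
            (audit_dir / rel).write_text("constructed placeholder")
        subdirs = sorted(p.name for p in audit_dir.iterdir() if p.is_dir())
        bad = check_file_names(audit_dir, 205)
        latest = latest_version(audit_dir, 205, "draft report")
    return subdirs, bad, latest


if __name__ == "__main__":
    subdirs, bad, latest = demo()
    print("sub-directories:", subdirs)
    print("files breaking the convention:", bad)
    print("latest draft report version:", latest)
```

Running check_file_names over a real audit directory before the file is archived gives the "files can be found quickly" principle a concrete test: any file it lists is one a colleague would not find by searching for the audit number.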
Internal Audit M1
Computer files
Accounts Payable example directory structure

205 Accounts Payable
  A Audit Management
  B Background information
    205 organization chart.docx
  C Scope
    205 draft scope.docx
    205 final scope.docx
    205 memo with draft scope.docx
    205 memo with final scope.docx
  etc
RBIA - Manual - Version Control

Version number | Date issued | Changes made to previous version
1.1 | 1-Jul-2004 | First version using audit of a charity delivering food to camps. (This audit is now attached as working papers to Book 1.)
2.0 | 25-May-2015 | This version updated to be consistent with Book 1 and uses an audit of accounts payable as an example.
3.0 | 12-June-2020 | Updated to include references to opportunities as well as risks. More emphasis on reporting on the achievement of objectives. Inclusion of audit tests on the decision-making process.

This is the last page in the manual.