AuditNet® Ask the Auditor Forum

How Do I ...?



Also post your question at AudiTalk The AuditNet Discussion Forum

 

Q: I would like to get your advice on ratings of the processes. In our department we would like to rate a process audited and we cannot come up with good wording of ratings. We would like to have 3 possible ratings of processes: 1. Appropriate 2. Improvement needed 3. Inappropriate. Would it be possible to get any other wording of ratings, as we do not really like the appropriate/inappropriate words? Are there any guidelines on this?


A: This is a question that many internal audit departments have asked. The IIA has issued a report on expressing opinions in audit reports which references grading scales; however, there is no specific standard or guideline on ranking. Audit departments should consider implementing an audit rating system (for example, satisfactory, needs improvement, unsatisfactory) approved by the audit committee. A rating system facilitates conveying to the board a consistent and concise assessment of the net risk posed by the area or function audited. All written audit reports should reflect the assigned rating for the areas audited.

 

There are various ways that organizations have approached this. In order to provide general guidance for the audit community AuditNet has issued a Monograph on Audit Rating Systems which includes examples used by different organizations.


Q: For a cash basis financial review of a small not for profit, is it OK to omit the property and associated depreciation? If so, should an explanation about that be included in the body of the report?


A: In order to determine if it's okay to use the cash basis for the not-for-profit, you need to know who the users of the financial statements are. If any of those users require the statements to be prepared in accordance with generally accepted accounting principles (GAAP) then the cash basis can't be used unless a waiver is obtained.

 

If the cash basis can be used then yes it is okay to omit the property and associated depreciation. Under that basis of accounting, all transactions represent either increases or decreases to cash and appear in the accounting records only as they affect cash. The cash basis of accounting recognizes revenues and expenses based on the receipt and disbursement of cash. The pure cash basis treats all disbursements of cash as expenses; thus, the purchase of items such as property and equipment are not recorded as assets. Stated another way, under a pure cash basis of accounting, the conventional balance sheet contains only cash and equity; and the conventional income statement shows all cash receipts as revenues and all cash disbursements as expenses.

 

Nonprofit organizations that use the pure cash basis of accounting typically have the following characteristics:

• Their operations are simple.
• Their accounting and finance functions are unsophisticated.
• There is only one major activity.
• Capital expenditures and long-term financing are not significant.

The following are examples of entities that sometimes use the pure cash basis of accounting:

• School activity funds.
• Fairs and other civic ventures.
• Political action committees and political campaigns.

 

The notes to the financial statements should disclose the basis of accounting and the differences between the basis used (cash) and GAAP.

 

Thanks to Jennifer Freitas for the above response, provided through the Professional Audit Information Network (PAIN).

 

Q: How do I test for fictitious employees in a big company with employees at various places but who get paid from the central office?


A: A "ghost employee" is a fictitious employee entered into a company's payroll system. Sometimes the "ghost" is a real person who was once entitled to be paid, but who was retained on the payroll after being terminated. These ghosts could also be fictitious people created for the purpose of defrauding the organization. Rarely does the perpetrator of this fraud follow all the rules and regulations that would be followed by actual employees. A standard audit technique is to examine the payroll data using data extraction software (IDEA or ACL) to search for the resulting anomalies. 

 

Here are some ways that personnel and payroll files can be used to identify possible symptoms of "ghost employees":

  • Many employers are using direct deposit as a means of paying employees.  Search for duplicate employee addresses and bank account numbers for direct deposits.
  • List employee names in alphabetical order and check for duplicate names or similar names. Verify duplicate records against human resources files.
  • Obtain a list of employees with abbreviations or initials for names or post office boxes for addresses. Fraudulently obtained payroll checks may use P.O. boxes as a mailing address.
  • Obtain a listing of all employees with few or no payroll deductions. A "ghost employee" may be receiving a regular pay check without any of the usual deductions for taxes, pension or health insurance. Use IDEA or ACL to calculate, and verify the deductions, or to identify payroll records that have no deductions.
  • Employees usually take vacation and sick leave at some point during the year. In general, a failure to take vacation is considered to be a fraud red flag. Match the payroll records with the leave database to test for "ghost employees"; unmatched records will identify all persons on the payroll with no vacation or sick leave recorded.
  • Obtain names of persons employed for a short time. Matching of the payroll file to the personnel file will identify employees on the payroll who have no previous employment history, no previous positions, no performance evaluations, etc. This will identify all new employees, but will also help to identify potential "ghost employees".
  • Select all or a sample of final pay checks payable to terminated employees. Verify the date of termination to ensure that pay checks were not issued after the employee had actually terminated. Compare the endorsements to the employee's signatures in personnel records.
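The tests listed in the answer above, written out as an added Python example (it is not part of the original post and is not an IDEA or ACL script): it runs the duplicate bank account/address, P.O. box or initials-only name, no-deductions, no-leave, no-HR-record and paid-after-termination tests over a small constructed payroll extract, HR master file and leave database, then tallies how many tests each employee trips so that follow-up can be prioritised. The records are invented, and the field names and thresholds (deductions below 5% of gross; a 180-day tenure before a missing-leave flag counts) are assumptions, not any system's layout.

```python
"""Ghost-employee screening over constructed payroll, HR and leave extracts.

Added example: the records below are invented, and the field names and
thresholds are assumptions rather than any vendor's or organisation's layout.
"""
import re
from collections import defaultdict
from datetime import date

# Constructed payroll extract for one pay period (not real data).
PAYROLL = [
    {"emp": "E001", "name": "Alice Moreno",   "addr": "12 Elm St",  "acct": "11110001", "gross": 4200.0, "deduct": 1130.0, "paid": date(2009, 3, 31)},
    {"emp": "E002", "name": "Brian Okafor",   "addr": "PO Box 448", "acct": "11110002", "gross": 3900.0, "deduct": 0.0,    "paid": date(2009, 3, 31)},
    {"emp": "E003", "name": "C. Park",        "addr": "12 Elm St",  "acct": "11110001", "gross": 3100.0, "deduct": 820.0,  "paid": date(2009, 3, 31)},
    {"emp": "E004", "name": "Dana Whitfield", "addr": "9 Oak Ave",  "acct": "11110004", "gross": 5000.0, "deduct": 1400.0, "paid": date(2009, 3, 31)},
    {"emp": "E005", "name": "Evan Liu",       "addr": "77 Pine Rd", "acct": "11110005", "gross": 3600.0, "deduct": 950.0,  "paid": date(2009, 3, 31)},
]
# Constructed HR master file: hire date and termination date (None = active).
HR = {
    "E001": {"hired": date(2004, 6, 1),  "terminated": None},
    "E002": {"hired": date(2008, 1, 15), "terminated": None},
    "E003": {"hired": date(2009, 2, 20), "terminated": None},
    "E004": {"hired": date(2001, 9, 3),  "terminated": date(2009, 2, 27)},
    # E005 is on the payroll but has no HR record at all.
}
# Constructed leave database: vacation/sick days recorded this year.
LEAVE_DAYS = {"E001": 12, "E003": 0, "E004": 8, "E005": 0}

PO_BOX = re.compile(r"\bp\.?\s*o\.?\s*box\b", re.IGNORECASE)
INITIAL_ONLY = re.compile(r"^[A-Z]\.\s")   # first name given as a bare initial


def shared_field(payroll, field):
    """Values of `field` (bank account, address) used by more than one employee.
    Legitimate matches (spouses, shared flats) are expected; each group is
    verified against the HR file rather than treated as a finding on its own."""
    groups = defaultdict(list)
    for rec in payroll:
        groups[rec[field]].append(rec["emp"])
    return {val: sorted(emps) for val, emps in groups.items() if len(emps) > 1}


def po_box_or_initials(payroll):
    """Employees whose mailing address is a P.O. box or whose name is an initial."""
    return sorted(r["emp"] for r in payroll
                  if PO_BOX.search(r["addr"]) or INITIAL_ONLY.match(r["name"]))


def no_deductions(payroll, min_ratio=0.05):
    """Employees with deductions below min_ratio of gross (assumed threshold)."""
    return sorted(r["emp"] for r in payroll
                  if r["gross"] > 0 and r["deduct"] / r["gross"] < min_ratio)


def no_leave(payroll, leave, hr, as_of, min_tenure_days=180):
    """Employees with no leave recorded, excluding recent hires (assumed 180-day
    window) who have not yet had a chance to take any. Unknown tenure is flagged."""
    flagged = []
    for r in payroll:
        rec = hr.get(r["emp"])
        if rec and (as_of - rec["hired"]).days < min_tenure_days:
            continue
        if leave.get(r["emp"], 0) == 0:
            flagged.append(r["emp"])
    return sorted(flagged)


def not_in_hr(payroll, hr):
    """Payroll records with no matching HR master record."""
    return sorted(r["emp"] for r in payroll if r["emp"] not in hr)


def paid_after_termination(payroll, hr):
    """Pay dated after the HR termination date."""
    return sorted(r["emp"] for r in payroll
                  if hr.get(r["emp"], {}).get("terminated")
                  and r["paid"] > hr[r["emp"]]["terminated"])


def screen(payroll=PAYROLL, hr=HR, leave=LEAVE_DAYS, as_of=date(2009, 3, 31)):
    """Run every test and return the exceptions per test."""
    return {
        "shared_bank_account": shared_field(payroll, "acct"),
        "shared_address": shared_field(payroll, "addr"),
        "po_box_or_initials": po_box_or_initials(payroll),
        "no_deductions": no_deductions(payroll),
        "no_leave": no_leave(payroll, leave, hr, as_of),
        "not_in_hr": not_in_hr(payroll, hr),
        "paid_after_termination": paid_after_termination(payroll, hr),
    }


def score(findings):
    """Number of tests each employee trips, highest first, to prioritise follow-up."""
    hits = defaultdict(int)
    for result in findings.values():
        emps = {e for grp in result.values() for e in grp} if isinstance(result, dict) else set(result)
        for e in emps:
            hits[e] += 1
    return dict(sorted(hits.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    findings = screen()
    for test, result in findings.items():
        print(f"{test:24s} {result}")
    print("priority:", score(findings))
```

On the constructed data the shared-account test flags both E001 and E003, which is the point of the answer's "verify duplicate records against human resources files": the match identifies a pair to examine, and only the HR file tells you which one, if either, is the ghost. The tally puts E002 (P.O. box, no deductions, no leave) and E003 (shares an account and address, initial-only name) at the top of the list for manual verification.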

Question: The Internal Audit Services in our organization (in the Energy/Utility industry) is planning to develop an annual training program. We are trying to find some guidelines relating to what general areas internal auditors should be receiving continuous training on, on an annual basis, and how many hours are suggested for each of the areas.

Answer: Training programs for auditors are highly dependent on the firm's practice area as well as the unique qualifications of the staff for the engagements. I assume that this training will also be used to satisfy the CPE requirements for the staff. The following comes from the CPE requirements for Certified Internal Auditors:

Training should be on a professional level and related to the Common Body of Knowledge. The following general subjects are acceptable as long as they meet other CPE program criteria:

  • Auditing and accounting
  • Management and communication (oral and written).
  • Computer science
  • Mathematics, statistics, and quantitative applications in business
  • Economics
  • Business law
  • Specific business topics such as finance, production, marketing, and personnel
  • Specialized industry areas such as government, banking, utilities, or oil and gas. Activities other than those listed in this guidance may be deemed acceptable if the CIA can demonstrate that they contribute to professional competence. Substantiating that a particular activity qualifies as acceptable and meets the requirements is the responsibility of the CIA.

As your practice area is in the energy/utility industry you might want to check with the IIA. 


Question: I need to test some attributes on a population of 41 for SOX testing. I need to do it statistically with 95% confidence and 5% sampling error. Using a normal sample size calculation with a 3% maximum expected error rate I get a sample size of 33. I have read about a "small population" adjustment to the calculation of sample size but I cannot find how to calculate it. I have looked on the web and in my audit books. Due to various factors, the time to test 33 of the 44 in the population would be very expensive and time-consuming. Is there an adjustment for small populations that will reduce the sample size and still be "statistical"?

Answer: Statistical sampling would not be feasible when sampling a relatively small population. Where an auditor vouches every item in a population (as is often the case with small populations in which knowledge of the existence of exceptions is critical to the auditor's opinion about the population), it is referred to as a 100% examination. This is not a form of audit testing.


Question: How do I value a long-dated zero-cost currency option at year-end?

Answer: You should start by conducting a Google search for this subject. The valuation of derivatives is a specialized area and requires the aid of an experienced professional. An option on a currency is an option to buy or sell an amount of that specific currency at a set exchange rate on a certain date. For option valuation purposes, a foreign currency is analogous to a stock providing a known dividend yield. The holder of the currency would receive a yield equal to the risk-free interest rate of the foreign country. There are different valuation models available and therefore the year-end valuation should be done by someone with specialized knowledge and experience. Find a CPA or Chartered Accountant familiar with derivative valuation.


Question: The company I work for is looking for an external IT firm to come in and audit our hardware/software compliance. Do you have any recommendations?

Answer: There are a number of firms that will perform ISO compliance reviews if this is what you are interested in. I would suggest networking with peers to find a qualified firm. The Big 4 would be a starting point and then, depending on your specific objectives, I would seek bids from at least 5 qualified firms. If you are looking at conducting a hardware/software inventory and compliance with software licensing agreements, there are several firms that offer software solutions. Check with PCProfile or conduct a Google search for software hardware inventory audit. You should also check the Business Software Alliance or Software Information Industry Association sites for more information about audits in this area.


Question: When reviewing or writing the steps that comprise a process, how do I define which step is a control point (i.e. approval) and which step is not? Is there any official document that defines control point?

Answer: Auditors are responsible for looking at how the internal controls within an operation work together to make up the internal control structure. The auditor gathers information about the mission and processes of the entity under review, discusses the major objectives with the manager or supervisor, and identifies control points within each process where an error, irregularity, or inefficiency is likely to occur.

The auditor documents existing controls at each significant control point, evaluates the adequacy of the controls to ensure achievement of the objective, and then tests the controls to verify they are working as described. Further discussions with the manager focus on control risks, manager insights, and potential control enhancements. The greater the risk, the more extensive the control that is warranted.

Control points represent the point in the process where a critical event could occur.

Things to consider at control points include, but are not limited to: policies; established procedures; approvals and authorization procedures; supervisory review; reconciliation; job descriptions; records substantiating transactions; segregation of duties (an individual should not have responsibility for more than one of the three transaction components: authorization, custody, and record keeping); safeguarding of physical assets; periodic inventories; locks; monitoring operations (auditing); confirmations; and exception reports.

As for a specific document that defines control points, you should look at the Federal Government Green Book (Standards for Internal Control in the Federal Government), which lists general and specific standards and defines control techniques. You should be able to find this document on the GAO site. The specific standards include:

  • Documentation
  • Recording of Transactions and Events
  • Execution of Transactions and Events
  • Separation of Duties
  • Supervision
  • Access to and Accountability for Resources

Look at the Standards for Business Controls available on this Web site. 


Question: When performing an agreed-upon procedures engagement, is it ever acceptable to include a financial statement with the report that was given to me by management? I am reviewing the cash transactions of a company that has summarized the cash transactions into the various income and expense accounts. Part of my procedures is to test the correctness of the account charged.

Answer: Based on authoritative literature it appears that if you include financial statements in your agreed-upon procedure engagement, these unaudited financial statements must be accompanied by a statement that you have not compiled or reviewed them and assume no responsibility with respect to the unaudited financial statements. Also you should not be offering any assurance that the financial statements are prepared in accordance with GAAP. The CPA's Guide to Effective Engagement Letters from Aspen Publishers has a sample engagement letter for agreed-upon procedures. From your description it appears that this is a limited scope engagement and you will not be auditing or reviewing the client's financial statements and therefore not expressing an opinion on them.  


Question: How do you audit staff accounts in a commercial bank?

Answer: Not being in banking I can't provide a definitive answer as to how to perform these audits. However, I am sure that bank auditors do have procedures in place for auditing staff personal accounts. I would begin by going to the Bankers Online Forum. I posted your question in this forum and bank auditors will respond. Each bank will have unique procedures for reviewing staff accounts, so determining what would work best for you would require finding peer banks by size and assets and networking with those auditors to determine a best practice. If anyone has an audit program for reviewing internal staff accounts please send it to editor@auditnet.org.


Question: How do I go about developing a strategic plan for an internal audit department in a retail bank?

Answer: The first step in developing a strategic audit plan for any type of organization is to conduct a comprehensive risk assessment.


Question: I am trying to find out a detailed explanation/description of the services that a typical internal audit department is expected to render to a business organization.

Answer: The services provided to a business organization by an internal audit department are defined in the department's charter. The expectation depends on management's objective and reason for establishing an internal audit function. According to the International Standards for the Professional Practice of Internal Auditing (Standards) promulgated by the IIA,

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Internal audit activities are performed in diverse legal and cultural environments; within organizations that vary in purpose, size, and structure; and by persons within or outside the organization. These differences may affect the practice of internal auditing in each environment.

The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the board.

The internal audit activity should monitor and evaluate the effectiveness of the organization's risk management system.

The internal audit activity should evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the

  • Reliability and integrity of financial and operational information.
  • Effectiveness and efficiency of operations.
  • Safeguarding of assets.
  • Compliance with laws, regulations, and contracts.

Consider looking at the charters of other audit departments to see how they are structured. Depending on what industry sector you are in perhaps contacting other peers to see what services they offer to their organizations would help provide direction.


Question: (Editor's Note: Several auditors posted questions on Audit-l about rating systems and I thought it would benefit all if I provided the questions and responses in this forum)  Sorry for any duplication across the list servers but I'm currently interested in knowing if other audit departments are including any ratings in their audit report. I currently have a five category descriptive rating system with a corresponding color based system (i.e., red, orange, yellow, blue and green) and would like to know how many categories you use. Also, I would greatly appreciate any information you could share about the specific categories and how they are assigned to each audit. Thanks in advance for the information. 

If you have any existing internal audit scoring system or creative ideas on how to make one, please mail me soonest. I would look at this favor with tremendous appreciation. Best regards.

Answer: This topic is one of those topics which can be discussed at length and many books have been written on it and many sessions in workshops have been devoted to it so I may not give it the attention it requires or deserves. I found the following methodology to be working the best:

1. Agree scoring scope with the auditee:

What will be included in the scope of the rating;

2. Agree ratings of the processes with the auditee:

Inventory is a major risk and should be rated of higher importance than petty cash disbursements, etc.

3. Agree upon sub area ratings within each process:

Inventory adjustments are of higher importance than inventory access to the system, etc.

4. Agree weighting per risk level:

A high risk level should be weighted. For example, a high risk is weighted double the weight of a medium risk, which is weighted double the weight of a low risk; or a high risk is weighted at 10%, a medium risk at 6% and a low risk at 1%, etc.

5. Agree rating method per risk level:

  • For a high risk - the rating will either be 1,2,3,4,5 out of 5;
  • For a medium risk - the rating will either be 1,2,3 out of 3; and
  • For a low risk - the rating will either be 1,2 out of 2 (which is more subjective, etc.).

Or you could agree upon a rating out of 100% achieved per risk mitigated, etc.

With all this information available it is simple to build a scoring method. You can decide to which level you would like to go with this. You could decide the level of subjectivity or objectivity you would like to choose. Obviously the more information you divulge to the auditee, the better results you will obtain. The fun starts here. The application and the reporting of this lies with the auditor. I am attaching 2 different scoring methods. One is by area while one is by risk mitigated.

Then the whole reason for the scoring was to compare the rating with other companies or to compare the rating to other periods, but this I leave to the auditor.

I have a few more ideas on the topic but these basic models should give you the gist of my ideas.

Risk Scoring Template

Risk Scoring Matrix

Corne van Rooyen (cornev@ihd.com)

Audit Report Ranking System (from Don Whitehouse)

Answer: While most auditors do not like scoring or grading their audit reports, I have no problem doing so and over the years have found it a distinct advantage when the audit report is being interpreted by non-technical people or those not familiar with the detail of the process being audited to understand the risk/lack of control.

I also use the grading method (for individual issues) for reporting on outstanding issues and who should be told what is outstanding or overdue - I have set up an Access database with all outstanding issues in it that I run a macro at the end of each month and it produces reports for the respective people.

I grade each individual issue/finding either High, Medium or Low depending on the definitions in the attached document. These gradings are included at the end of each issue, which are listed in an appendix of my report.

I also grade the audit report either Good, Satisfactory, Less Than Satisfactory or Unsatisfactory depending on the definitions also in the attached document. The Audit Committee has approved both of these sets of definitions. Where an audit encompasses more than one area/process and the grading of the areas/processes differs, I then grade each area and also give an overall grading for the report. These gradings are shown at the start of my Executive Summary of the report, with a definition of the grading in an appendix of the report.

So that there is little (if any) argument over the grading, I do not place the grades on either the issues or audit report until the audit report has been completed and the words in the report agreed with the auditee. I make it quite clear that the grading of both is my opinion, but I will have a discussion with the auditee on them, just prior to releasing the audit report - very seldom is there a change as you have the definition and they have already agreed with the conclusions/recommendations in the report.

I also use a Questionnaire at the end of each audit which the auditee scores and sends a copy to the Managing Director - the scores (averaged over a financial year) are reported to the Audit Committee annually. The Questionnaire covers preparation, field work, issues raised, audit report and whether the audit added any value to the relevant area.

I hope this is of assistance to you.

Regards

Ray Francis
Internal Audit Manager
rayfrancis@e-access.com.au

Audit Report Finding Grading System


Question: We are in the process of setting up a specialized unit under our internal audit umbrella by the name of management audit. Are there any other organizations doing such an audit. What is the scope for such audits and how effective can such a unit become?

Answer: Management audit, sometimes called an operational audit, is a term used to describe an evaluation of management processes and performance going beyond an appraisal of management control. Many internal audit departments include management audits in their annual work plan. Management audits focus on results, evaluating the effectiveness and suitability of controls by challenging underlying rules, procedures and methods. These are sometimes called performance, efficiency and effectiveness, or operational audits. Management audits are compliance audits plus cause-and-effect analysis. Check out the bookstore for books on operational or quality auditing, including Operational Auditing Handbook: Auditing Business Processes by Professor Andrew Chambers. Here is a link to a management audit guide provided for non profit organizations by a collaborative group in Central Alberta, Canada.

A management audit is designed to determine how well a company plans, documents and performs. It’s a review of management systems and their effectiveness. The scope of these audits might include (in addition to other industry specific items):

  • Management Objectives
  • Management Responsibilities
  • Management Systems
  • Operational Reviews
  • Documentation & Management of Change
  • Purchasing
  • Asset Identification & Traceability
  • Process Control
  • Asset Maintenance
  • Record Keeping
  • Quality Audits
  • Training & Training Records
  • Safety
  • Emergency Response

The question of the effectiveness of the unit depends on how well defined the scope of its activities is, the support that the unit receives and the staffing of the unit. The effectiveness of the unit will be directly related to the quality of the unit and its staffing, and the support of the audit committee, the Board of Directors and senior management.


Question: My company is currently using a statistical sampling method that I am unfamiliar with to make QC tests of incoming goods purchases for resale. The method is based upon an AQL of 4.0 and inspection level S-1. The chart used provides a sample size and accept/reject numbers based upon the lot size. I am trying to figure out how the chart was determined and if the results of the samples being used make sense for what we are trying to accomplish. Thank you for any help that you can give me.

Answer: AQL stands for acceptable quality level which establishes a maximum allowable error rate or variation from the standard. Acceptance testing will cease immediately if the failure rate of the product being tested exceeds the minimum Acceptable Quality Level. Information about this type of acceptance sampling and inspection levels is available here. Another resource for information is the Certified Quality Engineer chapter on Sampling. Finally, check out this article on selecting statistically valid sampling plans.
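The arithmetic that sits underneath an acceptance-sampling chart like the one described in the question, as an added Python example that is not part of the original page and does not reproduce any published sampling table (ANSI/ASQ Z1.4 / MIL-STD-105 or otherwise): for a single-sampling plan with sample size n and acceptance number c it computes the probability that a lot at a given true defect rate is accepted (the operating-characteristic curve), the producer's risk at the AQL and the consumer's risk at an assumed rejectable quality level (LTPD), and searches for the smallest n that keeps both risks within assumed limits. Every numeric parameter in it, including n, c, the lot sizes and the risk limits, is an assumption chosen for illustration; the S-1 / AQL 4.0 sample sizes and accept/reject numbers in the questioner's chart come from the standard's own tables.

```python
"""Operating-characteristic (OC) computations for a single-sampling acceptance plan.

Added example. The plan parameters n (sample size) and c (acceptance number)
and all lot sizes and risk limits below are assumptions for illustration; they
are not values from any ANSI/ASQ Z1.4 (MIL-STD-105) table.
"""
from math import comb


def p_accept(lot_size, n, c, defectives):
    """Probability that a plan (n, c) accepts a lot of `lot_size` units of which
    `defectives` are nonconforming: hypergeometric, since inspection samples
    without replacement from a finite lot. Accept when the sample shows <= c."""
    if not 0 <= n <= lot_size or not 0 <= defectives <= lot_size:
        raise ValueError("sample and defectives must fit inside the lot")
    total = comb(lot_size, n)
    found_at_most_c = sum(comb(defectives, d) * comb(lot_size - defectives, n - d)
                          for d in range(min(c, defectives) + 1))
    return found_at_most_c / total


def oc_curve(lot_size, n, c, fractions):
    """(fraction defective, P(accept)) pairs: the OC curve a plan's table encodes."""
    return [(p, p_accept(lot_size, n, c, round(p * lot_size))) for p in fractions]


def plan_risks(lot_size, n, c, aql, ltpd):
    """Producer's risk: a lot at the AQL is rejected.
    Consumer's risk: a lot at the LTPD (a quality level that should be rejected) is accepted."""
    return {
        "producers_risk": 1 - p_accept(lot_size, n, c, round(aql * lot_size)),
        "consumers_risk": p_accept(lot_size, n, c, round(ltpd * lot_size)),
    }


def find_plan(lot_size, c, aql, ltpd, alpha=0.05, beta=0.10):
    """Smallest n for a fixed c that keeps producer's risk <= alpha and
    consumer's risk <= beta; None if no n satisfies both. This is the principle
    behind a sampling table, not a reproduction of any published table."""
    for n in range(c + 1, lot_size + 1):
        risks = plan_risks(lot_size, n, c, aql, ltpd)
        if risks["producers_risk"] <= alpha and risks["consumers_risk"] <= beta:
            return n, risks
    return None


if __name__ == "__main__":
    # Assumed plan: lot of 500, sample 32, accept on 3 or fewer defectives found.
    for frac, pa in oc_curve(500, 32, 3, [0.01, 0.04, 0.08, 0.12, 0.20]):
        print(f"lot {frac:5.0%} defective -> P(accept) = {pa:.3f}")
    print(plan_risks(500, 32, 3, aql=0.04, ltpd=0.15))
    print(find_plan(200, c=1, aql=0.01, ltpd=0.10))
```

Reading the output against the question: a plan "at AQL 4.0" is one whose OC curve still accepts a lot with 4% defectives with high probability, so a lot at the AQL is not guaranteed to be rejected; what the accept/reject numbers buy you is a steeply falling curve beyond that point. The lot-size dependence of the chart enters only through the hypergeometric term, and once the lot is large relative to n the curve hardly moves with lot size, which is why published tables step the sample size in broad lot-size bands rather than per lot.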


Question: I am an IT professional who is really interested in getting into IT Auditing. I also have a degree and experience in Accounting. Do you have any advice on how I can get into this field?

Answer: Yes I do! To begin with I would recommend that you join a professional association such as ISACA or the IIA. Attend meetings and network with other audit professionals. Your background and skills are in high demand within the audit community and you should be able to get an entry level IT audit position. I would then begin pursuing certification perhaps as a Certified Internal Auditor or Certified Information Systems Auditor. The preparation for the exam will help you in your pursuit of employment in an audit department. I have seen many individuals transition into audit positions from a wide variety of educational and occupational backgrounds.

Good luck!


Question: In organizing audit work papers, what kinds of documents would be in the Planning Section and Control Testing Sections and what is an example of a Lead Schedule and need a summary of standard tick marks.

Answer: Workpapers documenting the planning will include: (1) the audit objectives and scope of work; (2) background information about the activities to be audited, including the risks associated with the area; (3) the resources necessary to perform the audit; (4) the names of individuals who need to know about the audit; (5) the results, if appropriate, of an on-site survey to become familiar with the activities and controls to be audited, to identify areas for audit emphasis, and to invite customer comments and suggestions; (6) the audit program; (7) how, when, and to whom audit results will be communicated; and (8) the approval of the Director Internal Audit if the audit work plan was completed by an assistant. For a sample workpaper index for the planning section click here. The workpapers for the control testing section will depend on the objectives of the audit and the type of testing performed.

A lead schedule summarizes other workpapers with the appropriate indexing and cross references. Tick marks used by internal auditors vary from department to department. What is most important with tick marks is that there is a legend on the workpaper explaining what the various tick marks mean. For instance F=footed, √=traced to G/L, r=reconciled, etc. The Journal of Accountancy published an excellent article on documenting spreadsheets and the author has a downloadable tick mark tool for Excel.

Finally, an AuditNet® monograph on Workpapers is in the works! Stay tuned!


Question: I was tasked to come up with a newsletter for the audit department as soon as possible (around 2 pages per month). What should the content be?

Answer: Newsletters are an effective tool for audit departments to communicate with other departments and staff within the organization as well as market internal auditing. They can be used to provide information on internal controls, the audit process, profile audit staff members, alert employees on issues such as cash collection guidelines, what it means to be selected for an audit, recent audit reports, industry news, books of interest, job opportunities and more. Here are some examples of sites that use newsletters as a communication tool:

Seattle Office of the City Auditor Newsletter

UMBC Management Advisory Services Quarterly Newsletter

Boston College Audit News


Question: I'm a manager in an audit dept of a financial institution. I've been asked by my boss to consider setting up a risk management unit under Audit Dept. I'm having a hard time to come out with the job function of this unit. What roles/functions can this unit play under an Audit Dept?

Answer: First you need to make sure what management means by risk management. Is this credit risk management, organizational business risk management, enterprise risk management, insurance risk management etc.?  If this is an "insurance type" risk management function perhaps it would be better established under the treasury function. This would be especially true if you were required to periodically audit this unit. As you are working within a financial institution you should contact the American Bankers Association for guidance on risk management units within the banking industry. Network with other bank auditors and find out whether they have established risk management units under the audit department. Many colleges and universities have organized risk management within internal audit.

Here are some of the roles assumed by the risk management unit in one university:

Risk Management Conducts Risk Analysis

Risk management identifies, measures, and analyzes the liability and property exposures of the University utilizing established and recognized techniques in the insurance industry.

Risk Management Selects and Administers Risk-Financing Techniques

Risk management selects and administers insurance, self-insurance and/or other recognized risk-financing techniques to handle loss exposures.

Risk Management Investigates and Manages Claims

Risk management actively investigates and manages liability and property claims and recommends adjustment and settlement of insured and retained losses.

Risk Management Provides Contractual Risk Analysis

Risk management analyzes all contracts entered into by the University with respect to indemnity, insurance and other risk-related provisions. Risk management reviews and recommends contract indemnity and insurance provisions for contracts created by the University.

Risk Management Manages Insurance Agent or Broker

Risk management selects the University’s insurance agent or broker and manages the agent or broker services and compensation.

Risk Management Recommends Loss Control Procedures

Risk management recommends loss control procedures to University departments to minimize liability and property damage of the University, except when University departments have the expertise, such as Accounting Services, to develop specific loss control procedures for their particular exposures. University departments must be cooperative to achieve this policy.

Risk Management Develops Risk Charges to University Departments

Risk management recommends risk charges to Vice President of Business & Financial Affairs and allocates to University departments as approved by President’s Council.

Risk Management Informs University Personnel

Risk management offers advisories and training and briefing programs to University personnel focusing on current risk management issues.


Question: I am finding it difficult to test for adequacy of training for the IT personnel at my company. How and what kind of evidence would an auditor gather for this area?

Answer: Start with a copy of the training plan from the CIO (Chief Information Officer). The CIO should have an inventory of systems in place, the skills and disciplines required for staff and an analysis or assessment of needs. You should review the training records (perhaps maintained either in the department or in the HR files) to determine what training staff has received. If staff is required to have specific certifications perhaps you could check with the professional association for their CPE requirements.

You might try posting a message on one of the audit related discussion groups such as CISACA-L or Audit-L (information on both of these is available here).

When you have developed your audit program for this area, consider sharing it with other auditors by sending a copy to editor@auditnet.org.


Question: I started working in internal audit (by the way, I am the only one) of a bank (investment bank) with 15 employees and I want to prepare the planning. Can you provide me with a simple planning sample for an investment bank? Other plans in the forum are too big and too general.

Answer: Preparing the annual audit plan for any organization begins with determining the audit universe and then conducting a risk assessment. You should start with a general planning document and then customize it to your institution. For a sample audit plan methodology click here. You should also review the risk based internal auditing page which will provide additional alternate methodologies. Finally you may want to contact other investment banks and ask their internal auditors if they would be willing to share a sample of their planning documents. This type of Internet meta-information may not be available online but you should use the power of the Internet to find peers and then email or phone them with your request.


Question: How do I use working papers for documentation in the area of sales, collection and banking, inventory management and fixed assets? My question is basically on working paper, how it should be and how it should be used. I have the feeling that different working papers have to be used in different audit areas.

Answer: Your question addresses the basics of working paper preparation. Working papers document the audit process including the collection, appraisal and utilization of evidence. Working papers serve as the connecting link between the audit assignment, the auditor's fieldwork, and the final report. They contain the records of planning and preliminary surveys, audit procedures, fieldwork, and other documents relating to the audit. Most importantly, the working papers document the auditor's conclusions and the reasons those conclusions were reached.

The actual construction of working papers for the specific areas you mention will depend on the audit objectives. So in that respect they might be different for specific areas of the audit. They should, however, support the tests performed based on the audit steps. For example, if the audit objective is to determine the accuracy and completeness of fixed assets records, an audit step might be to obtain the fixed asset register and compare it against accounts payable to ensure that all new acquisitions are properly recorded. The working paper should include the reason the working paper was prepared, who prepared it, the date prepared, and the source of the information. It should be reviewed by the auditor's supervisor, initialed and dated.

Among other things, working papers may include:

  • planning documents and audit procedures;
  • controls questionnaires, flowcharts, checklists and narratives;
  • notes and minutes resulting from interviews;
  • organizational data, such as charts and job descriptions;
  • copies of important documents;
  • information about operating and financial policies;
  • results of control evaluations;
  • letters of confirmation and representation;
  • analysis and test of transactions, processes, and account balances;
  • results of analytical review procedures;
  • audit reports and management responses; and
  • audit correspondence that documents the audit conclusions reached.

For sample audit working papers visit the following sites:

World Bank Group

Audit Observation Form

PC Inventory Application Audit

The AuditNet® Monograph on Audit Working Papers scheduled for release in March 2003 will provide more information on this topic.  


Question: How do I find an auditor for my organization?

Answer: This question is one that is asked often so I thought it would be best to provide a generic answer in this forum. The first issue is whether you are looking for an outside auditor (public accountant) to provide an opinion on your organization's financial statements. For information on hiring a CPA firm the best place to start your search is through the state society. For a list of state CPA societies click here. As to how to choose a CPA click here for guidance. 

If you are looking to establish an internal audit function in your organization then you should either hire an individual or contract with a professional firm to provide internal audit services. Internal auditors verify the accuracy of their organization's records and check for mismanagement, waste, or fraud. Specifically, they examine and evaluate their firms' financial and information systems, management procedures, and internal controls to ensure that records are accurate and controls are adequate to protect against fraud and waste. They also review company operations—evaluating their efficiency, effectiveness, and compliance with corporate policies and procedures, laws, and government regulations. There are many types of highly specialized auditors, such as electronic data processing, environmental, engineering, legal, insurance premium, bank, and healthcare auditors. As computer systems make information more timely, internal auditors help managers to base their decisions on actual data, rather than personal observation. Internal auditors also may recommend controls for their organization's computer system to ensure the reliability of the system and the integrity of the data.

For more information on establishing an internal audit department for your organization click here.


Question: I wanted to have some information on how to audit the systems procedures department of a Central Bank of a country.

Answer: Begin planning for an audit of the systems procedures department of a central bank by determining your audit objectives. The purpose of the audit will determine the audit procedures that you should use. You might want to contact the central audit organization for other countries with central banking systems and request their assistance (meta-information represents the most powerful search resource on the Internet). You might also try posting a message on discussion lists related to auditing (audit-l or auditprograms-l) or central banks (central-banks@lists.nyu.edu) to request the assistance of other auditors that may have experience in this area.

For general guidance on auditing information systems you should refer to the COBIT guidelines of ISACA. Another excellent reference is the FFIEC Information Systems Examination Handbook from the U.S. Federal Deposit Insurance Corporation. The Basel Committee issued a document called Framework for Internal Control Systems in Banking Organisations which may provide some guidance. 

Some additional resources for consideration include the Centre for Central Banking Studies and Internal Audit in a Central Bank.


Question: I am trying to make a case to start an internal audit department. My audit committee asked me to present them with the pros and cons. Can you help?

Answer: There is a wide variety of resources available on the Internet covering this subject. The place to start would be the Institute of Internal Auditors (IIA) About the Profession page. There you will find a Definition of Internal Auditing, All in a Day's Work and Adding Value Across the Board. If you are working for a publicly traded company you may be required to have an internal audit function. Click here for information on corporate governance. The IIA has the following publication which may also help:

Establishing an Internal Audit Activity Manual 


Question: We have an accounting application that shows all the user passwords in clear text when the delegated data owner (finance head, highest rights) invokes the option. What is the solution/management recommendation to mask the passwords (SQL database)?

Answer: Answer pending


Question: I am now preparing to present my department's proposal of setting up the IS Audit section. The problem is, I don't have enough information on the audit software since in Malaysia we don't really have enough expertise on IS auditing software. What is the recommended software that I could approach, what do these software packages cover, what do I have to look into in determining good software, and what do I have to do to get management's thumbs up for the proposal?

Answer: Information systems or IS audit software covers a wide range of areas depending on the information technology environment. Audit software focuses on either audit management or data analysis. There are a number of software solutions in the audit management market including AuditLeverage, AutoAudit, Galileo, TeamMate, and Pentana. The data analysis or retrieval and extraction software market is dominated by two companies: CaseWare/IDEA and ACL.

Check out the CAATT page of AuditNet® for information and articles on computer assisted audit tools and techniques to see the different types of software solutions. Also, the Institute of Internal Auditors conducts a survey each year to assess the software usage trends of auditors. IIA members can access the survey results for August 2002 online. 

Specific software recommendations would depend on your requirements and the expertise of your audit staff. So "good software" is software that meets your needs for your operating environment and is aligned with the goals of your audit department. Different industries focus on different areas of the business environment so there is no one solution that fits all. Once you determine what software is appropriate for your industry you then need to develop a value added plan to present and sell to management. 


Question: I have recently been hired by a local school district to be their one and only internal auditor. I will eventually build an Internal Audit department and become the director. I have some ideas on the subject, but I was wondering how you would suggest I go about effectively identifying the auditable universe and performing a control/risk assessment.

Answer: Identifying the auditable universe and performing the risk assessment for school districts should be no different than for any other type of organization. Begin by examining the budget, which should include an organization chart. You will then need to go through each department and identify the major programs. Interview senior administration and department heads for their critical program objectives and risk areas. The end product of the risk assessment is the annual internal audit work plan. There are examples of risk assessment methodologies for local governments, including a school district, available on the AuditNet page developed for N.A.L.G.A.


Question: Can you direct me to resources for conducting an audit of my company's payroll tax function?

Answer: Begin this audit by obtaining a description of the payroll tax function, i.e. responsibilities, objectives etc. Auditing the payroll tax function should include a review of employment taxes and benefits deductions. Some of these deductions are mandated under federal and state law, therefore IRS guidelines should be part of your review. The AuditNet inventory of audit programs includes several related to payroll. Check out this article on auditing payroll data. Consider reconciling gross payroll reported on IRS form 941 to the general ledger amounts. Verify accrued payroll taxes and payroll taxes withheld from employees' pay against tax forms and disbursements. Additional resources include the Federation of Tax Administrators, the IRS, the Social Security Administration, Payroll Reference Library, and Payroll 101.


Question: My company has a process where our dealers reduce payments on invoices they owe us via a debit memo for any advertising they have done in local papers for their stores for our products. Our Credit and Collections group issues a credit to the dealer's account to account for this payment reduction after obtaining approval of the Account Manager in the sales organization responsible for the dealer in question. These credits are often over 100k and there is no other approval required other than the account manager. This violates the spirit of our corporate expenditure approval policy which requires a financial signature and escalating manager signatures for commitments and expenditures. How do you think we should structure our approval policy for these transactions? Are there any Best practices you are aware of? The Account Managers are concerned that additional signature requirements would be non-value add as they themselves are the only party with a detailed understanding of what the customer is spending on advertising.

Answer: This sounds like a dealer co-op marketing program whereby your dealers are advertising your products and receiving credits from you for their advertising costs. The Promotional Alliance Association provides a great deal of information about this process including an opportunity to ask questions. The true value of the Internet as a search tool is the ability to leverage the communication power to conduct research by using meta-information. In this case the meta-information was an email link.

I visited the NAPAA web site and found the email address for Mr. Roger Vickery. I sent him your question and the following is his response (received the same day the email was sent):

Sounds as if you have set up a program for paying your dealers that works well for them, and for your Account Managers, but not for your company's financial people. All three parties have needs that have to be addressed, as you are hearing. Are there any written guidelines on how these deductions (as we call them) are to be managed? Most companies do not permit deductions for performance payments, but most larger retailers and dealers are known to take unauthorized deductions whether permitted or not. This results in a lot of post follow-up work for both supplier and receiver of these funds.

To satisfy the needs of all three parties you need to establish some guides that permit Account Managers to approve credits when there is documentation to support what the credit is for. Dealers should be required (or your Account Managers) to provide proof of advertising performance. This can be either copies of tear sheets with newspaper invoices, or some sort of documentation that supports the claims for your funds. Account Managers could sign a form that attests to this documentation. To reduce the paperwork the documentation could be held by the Account Manager and random audits could be performed to verify it.

There are many outside audit and service organizations that could help you, and software companies who could provide you with internal tracking help. Go to our Web site at www.napaa.org and look at our Directory of Resources in the menu on the left side of the screen. While I can not recommend one over another, you can be sure that if they are members of NAPAA they have a sincere interest in meeting the needs of our members.

You should consider joining NAPAA, of course, as the exposure you would get to how other companies handle similar situations would be invaluable. The cost is very low. Details are at www.napaa.org/become.html

For some best practices I would also look at how others are controlling these types of costs. Check out the following for an example of policies and forms:

  1. Georgia Pacific Co-Op Advertising Policies and Procedures

  2. Georgia Pacific Co-op Advertising Request for Reimbursement Form


Question: I am in the process of auditing a scrap broker.  Would you let me know what would be the best audit approach?

Answer: Start with the IRS Market Segment Specialization Program audit guide for the scrap metal industry. You might also contact the internal audit groups of large scrap brokers and discuss possible approaches with them. You might start with The David J. Joseph Company, the oldest and largest scrap metal broker in the U.S.; they buy, sell, and lease transportation equipment. Their web site also has links to other industry trade groups and organizations. Scrap brokers would have the standard business functions of buying, selling, receivables, payables, etc., so you should also consider reviews of those areas.


Question: I work for a Government agency and we now provide students with funding through an external service provider instead of the bank. They have access to our bank account for student payment deposits and loan funding disbursements. What type of controls do I have to have in place with respect to validating the controls of the service provider? How much should I rely on their information (bank reconciliation, trial balance) without duplicating their efforts?

Answer: From your description it appears that you have a contractual arrangement with a third party service provider. I would begin by reviewing the contract and determining your contractual audit rights. I would also look at the A.I.C.P.A. Web Trust Principles and Criteria for guidance. You might also consider the British Information Security Assurance Guidelines. As to your question regarding reliance on their information, IMO you need to exercise due diligence when it comes to the arrangement. Just because you have contracted it out does not mean that you should not maintain oversight. The question is how much can you rely on their controls and the level of risk your agency is willing to take based on that reliance.


Question: I'm in the process of auditing our Mellon Positive Pay Disbursement Program. Is there any Internet link or guidance that you can refer me to?

Answer: Positive Pay, an automated check-matching service offered by most banks, will catch any check not issued by the company. It matches the account number, check number and dollar amount of all in-clearing checks. It does not match payee names. With check fraud losses 12 times greater than credit card fraud, every company should use Positive Pay.

Following are some links to articles and guides regarding positive pay and while not specific to the Mellon Program, they should provide some general guidance. You might also contact Mellon and find out what other institutions are using this program and contact their auditors for collaborative guidance.

http://biz.yahoo.com/prnews/011227/phth007_1.html
http://www.isaca.org/art7b.htm
http://www.mhcscpa.com/asp/newnews/newsArchiveView.asp?GalleryID=86
http://www.all.net/books/audit/CheckFraud/contents.htm
http://www.printech.com/resources/guide_to_doc_sec.pdf
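The matching rule the answer describes (account number, check number and dollar amount compared against the company's issue file, payee name not compared), written out as an added example that is not part of the forum answer or of any bank's program. All checks in it are constructed sample data, and the "already paid" exception is an assumption the answer does not mention.

```python
"""Positive Pay matching: each in-clearing check is compared with the
company's issue file on account number, check number and amount only.
Sample checks are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[str, int]  # (account number, check number)


@dataclass(frozen=True)
class Check:
    account: str
    check_no: int
    amount_cents: int   # money kept in integer cents, never floats
    payee: str


def build_issue_file(issued: List[Check]) -> Dict[Key, Check]:
    """Index the company's issue file by (account, check number)."""
    index: Dict[Key, Check] = {}
    for c in issued:
        if (c.account, c.check_no) in index:
            raise ValueError(f"issue file lists check {c.check_no} twice")
        index[(c.account, c.check_no)] = c
    return index


def match_presented(issue_file: Dict[Key, Check],
                    presented: List[Check]) -> List[Tuple[Check, str, str]]:
    """Apply the Positive Pay test to each in-clearing check.

    Returns (check, decision, reason) with decision "PAY" or "EXCEPTION".
    Only account, check number and amount are compared, as the answer
    states; the payee is deliberately not examined here.
    """
    already_paid: set = set()
    decisions: List[Tuple[Check, str, str]] = []
    for p in presented:
        key = (p.account, p.check_no)
        issued = issue_file.get(key)
        if issued is None:
            decisions.append((p, "EXCEPTION", "check number not on issue file"))
        elif key in already_paid:
            # Assumed extra: a second presentment of a paid check number is
            # also reported; the forum answer does not mention this case.
            decisions.append((p, "EXCEPTION", "check number already paid"))
        elif issued.amount_cents != p.amount_cents:
            decisions.append((p, "EXCEPTION",
                              f"amount {p.amount_cents} != issued {issued.amount_cents}"))
        else:
            already_paid.add(key)
            decisions.append((p, "PAY", "account, number and amount match"))
    return decisions


def payee_differences(issue_file: Dict[Key, Check],
                      decisions: List[Tuple[Check, str, str]]):
    """Supplemental auditor test for the gap the answer points out: among
    checks Positive Pay would PAY, list those whose payee differs from the
    issue file. This has to be tested separately (e.g. against paid-check
    images) because the bank's match does not cover it."""
    return [(p, issue_file[(p.account, p.check_no)].payee, p.payee)
            for p, decision, _ in decisions
            if decision == "PAY"
            and issue_file[(p.account, p.check_no)].payee != p.payee]


# Constructed sample data.
SAMPLE_ISSUED = [
    Check("123456", 1001, 250_000, "Acme Supplies"),
    Check("123456", 1002, 12_500, "City Utilities"),
    Check("123456", 1003, 98_000, "Office Depot"),
]
SAMPLE_PRESENTED = [
    Check("123456", 1001, 250_000, "Acme Supplies"),   # clean match
    Check("123456", 1002, 125_000, "City Utilities"),  # amount differs
    Check("123456", 1003, 98_000, "J. Smith"),         # payee differs
    Check("123456", 1004, 40_000, "Cash"),             # not on issue file
    Check("123456", 1001, 250_000, "Acme Supplies"),   # presented twice
]


def run_sample():
    """Run both tests over the constructed data; used by __main__ and tests."""
    issue_file = build_issue_file(SAMPLE_ISSUED)
    decisions = match_presented(issue_file, SAMPLE_PRESENTED)
    return decisions, payee_differences(issue_file, decisions)


if __name__ == "__main__":
    results, payee_gaps = run_sample()
    for chk, decision, reason in results:
        print(f"#{chk.check_no} {chk.amount_cents / 100:>10.2f} {decision:<9} {reason}")
    for chk, issued_to, presented_to in payee_gaps:
        print(f"payee gap on #{chk.check_no}: issued to {issued_to!r}, "
              f"presented as {presented_to!r}")
```

Check 1003 is paid by the bank's match even though the payee differs, which is exactly why the answer says payee names are not matched and why a separate payee test belongs in the audit program.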


Question: I am auditing Corporate Owned Life Insurance in a Thrift. OTS Regulatory Bulletin 32-16 states that a "Pre-Purchase" analysis is to be done and presented to the board. If the policy is a term policy in which we pay premiums yearly, would you consider each yearly premium as a new purchase and thus requiring an analysis being presented to the Board?

Answer: Questions on regulatory guidance are best directed to the source. In this case I would contact the Ombudsman for the Office of Thrift Supervision. The email address for the Ombudsman is Lee.Lassiter@ots.treas.gov. As you indicated, the guidelines require a pre-purchase analysis presented to the board. It also calls for reviewing the characteristics of the available insurance products to determine whether they meet the institution's objectives and needs. This is clearly a case where meta information, available through an Internet-based contact, is the best source for answering this question.


Question: At our company, we audit the sufficiency of policies and procedures and are constantly recommending new policies or changing existing policies. I am looking for a free resource that provides examples of standard policies and procedures for areas such as depreciation, standard costing, revenue recognition, etc.

Answer: AuditNet has a page available in the Virtual Library with links to policies and procedures. Also Andersen KnowledgeSpace, a fee-based subscription service has many examples of policies and procedures. Sign up for a free 30 day trial subscription. 


Question: I am an Internal Audit Manager for a Fortune 500 company and I am trying to create a Segregation of Duties Matrix in order to analyze all of the main business processes at each of our Business Units (cash, A/R, A/P, etc.). Do you know where I can find a segregation of duties matrix to use as a guide that will allow me to fill in the names of people responsible for performing each process activity in order to visually determine if a segregation of duties control weakness exists? I have seen a similar matrix before which lists all activities on the left hand side and has blocks to fill in people's names next to each activity. If the same person's name is in more than one block in a given row or column then it signifies a possible control weakness.

Answer: Absolutely! Andersen KnowledgeSpace, a fee-based subscription Web site has a matrix for financial functions.  Sign up for a free 30 day trial evaluation and you will have access to all the resources and tools they have including those on segregation of duties. Also look in the Audit Programs section of AuditNet for a segregation of duties matrix.
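The matrix layout described in the question (activities down the left, one block per duty across, a name in each block; the same name in more than one block of a row or column flags a possible weakness) turned into a check you can run on a spreadsheet export. This is an added example, not the Andersen KnowledgeSpace or AuditNet matrix; the duty columns, activities and names are constructed.

```python
"""Segregation of duties matrix check. Rows are process activities, columns
are duties, cells hold the person's name. A name repeated within a row or
within a column is reported, following the rule stated in the question.
The accounts-payable matrix below is constructed sample data."""
import csv
import io
from typing import Dict, List, Tuple

# Constructed spreadsheet export. Names are deliberately inconsistent
# ("lee", "Lee ") to show why normalisation is needed before comparing.
AP_MATRIX_CSV = """Activity,Authorize,Record,Custody,Reconcile
Add new vendor,Dana,Lee,,Pat
Enter invoice,Dana,lee,,Pat
Release payment,Lee,Lee ,Lee,Pat
Bank reconciliation,Dana,Pat,,Pat
"""

Matrix = Dict[str, Dict[str, str]]          # activity -> {duty: person}
Finding = Tuple[str, str, str, List[str]]   # (kind, row/column, person, blocks)


def parse_matrix(csv_text: str) -> Tuple[List[str], Matrix]:
    """Read the matrix; returns (duty columns in order, activity -> blocks)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    duties = [c for c in reader.fieldnames if c != "Activity"]
    matrix: Matrix = {}
    for row in reader:
        activity = row["Activity"].strip()
        # Blank block = duty does not apply to this activity. Names are
        # trimmed and case-folded so "Lee " and "lee" are one person.
        matrix[activity] = {d: row[d].strip().casefold()
                            for d in duties if row[d].strip()}
    return duties, matrix


def row_conflicts(matrix: Matrix) -> List[Finding]:
    """One person in more than one block of a single activity row: the
    classic conflict (e.g. the same person authorises and records)."""
    findings: List[Finding] = []
    for activity, blocks in matrix.items():
        by_person: Dict[str, List[str]] = {}
        for duty, person in blocks.items():
            by_person.setdefault(person, []).append(duty)
        findings += [("row", activity, p, d)
                     for p, d in by_person.items() if len(d) > 1]
    return findings


def column_conflicts(duties: List[str], matrix: Matrix) -> List[Finding]:
    """One person in more than one block of a single duty column, i.e. the
    same person performs that duty for several activities. The question
    counts this as a possible weakness too; in practice it is the weaker
    signal (one approver for all of A/P is common) and needs judgement."""
    findings: List[Finding] = []
    for duty in duties:
        by_person: Dict[str, List[str]] = {}
        for activity, blocks in matrix.items():
            if duty in blocks:
                by_person.setdefault(blocks[duty], []).append(activity)
        findings += [("column", duty, p, a)
                     for p, a in by_person.items() if len(a) > 1]
    return findings


def sod_findings(csv_text: str) -> List[Finding]:
    """Parse the export and return row findings followed by column findings."""
    duties, matrix = parse_matrix(csv_text)
    return row_conflicts(matrix) + column_conflicts(duties, matrix)


if __name__ == "__main__":
    for kind, line, person, blocks in sod_findings(AP_MATRIX_CSV):
        print(f"possible weakness ({kind} '{line}'): "
              f"{person} holds {', '.join(blocks)}")
```

On the sample, "Release payment" is the serious finding (one person authorises, records and has custody of the payment); the column findings show who is concentrated across activities and are a prompt for review rather than an automatic exception.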


Question: I am a new Audit Manager and have been given the task of "taking the division to the next level of professional auditing." In doing that I must start to issue our reports in accordance with something. We do compliance audits of insurance companies issuing workers' compensation benefits (straight compliance, no financial). I have not been able to find just the right guidelines for our type of audit. Any suggestions?

Answer: Professional standards promulgated by the American Institute of Certified Public Accountants, the Institute of Internal Auditors, the Comptroller General of the United States and other organizations provide specific reporting guidelines. Some of these bodies include the language that an auditor must use in the audit report, such as "Our audit was conducted in accordance with...." The format of your report may also depend on the capacity in which you audit, i.e. internal reporting or external reporting. If there are other entities that do similar types of audits you may want to contact them for sample audit report formats.


Question: Although I am the head of our internal audit department, I was tasked to prepare an accounting manual for our company. Our company is involved with the following operations: car dealership (sales of brand new cars), parts sales, and car repairs service. So that I need not re-invent the wheel, where can I find an accounting manual for our type of operations so I could use it as a reference?

Answer: First let me begin by stating that internal audit involvement in preparing a company accounting manual could impair your objectivity and independence if or when you are called on to review accounting operations within your organization. That being said, there are several suggestions that I could offer. First you might want to contact some dealerships or automobile manufacturers and see if they could offer suggestions on sources for auto dealership accounting manuals. Use meta information on the Net by going to Web sites for auto dealers or manufacturers and find the email contact address and send a message requesting information about auto dealership accounting manuals. The IRS Market Segment Specialization Program is worth a look as they have a section for auto dealerships. You might want to recommend that management outsource the preparation of the manual to a public accounting firm that specializes in auto dealerships. The AICPA produces an Accountants Auto Dealership Engagement Manual. You might also want to look at generic prewritten policy and procedure manuals and tailor one to your organization.


Question: I need to develop a risk based audit plan. The CFO requested that I focus on financial statement accuracy and not just internal controls. My original approach is to perform a general risk assessment of a business unit (such as publishing) and then develop a specific risk assessment and audit plan of the risks of that business unit's process (i.e. the Arthur Andersen risk model based on one of your responses to a question). However, I am having difficulty determining and assessing business risk and this approach seems too long. Can you recommend resources to build this plan for a non-profit association which owns various for-profit subsidiaries? Do you have any sample plans or case studies?

Answer: Like they say, timing is everything! I just returned from a risk based internal auditing conference and was overwhelmed by the different approaches, techniques and methodologies for risk based auditing. I developed a page devoted to this subject on AuditNet. Look in the AuditNet Library section for this page. For Andersen's risk approach you might want to take a look at their KnowledgeSpace site (access through AuditNet and sign up for a free 30 day trial). They have volumes of resources on risk based auditing. I will be adding resources to the AuditNet page as they become available. As to your question on case studies, read the response to the next question and follow the same technique.


Question: I am a fresh internal auditor, and we are now planning to hold a training session. I am required to collect some cases and study materials about the purchase and A/P cycle and the fixed asset business cycle. I appreciate your valuable help.

Answer: There is a great deal of resource material on the Internet for this subject. The audit programs section of AuditNet includes material for purchasing, a/p and fixed assets. To find case studies on purchasing (or the other areas) the best method is to use a search engine such as Google (www.google.com) and use a query like purchasing case study +audit. Use the same technique for a/p and fixed assets and you should have plenty of material for your training session.


Question: I am an Auditor for a hospital and our Data Operations department will start printing computer generated payroll checks. If we were to audit this process, what should we concentrate on?

Answer: Many organizations have reviewed this area and as a result there is a great deal of guidance on this subject available on the 'Net. If you are a member of the Association of Health Care Internal Auditors, you should go to their site and research their library of audit programs on this subject. Next look at the Treasury Board of Canada's Techniques for Control in a Computer System Environment which can be found at: www.tbs-sct.gc.ca/Pubs_pol/dcgpubs/TBM_142/5-14E6.html. IT Security Controls from the Indiana State Board of Accounts can be found at www.ai.org/sboa/publications/manuals/state/state00/STATCH16.pdf. No review of this area would be complete without making a stop at Frank Abagnale's site at www.abagnale.com. Based on his experience as a reformed fraudster, he is a consultant to government and private industry on the subject of protection against check fraud. Public Works and Government Services Canada performed an Audit of Delivery of Compensation Services (Pay) and you can read the abstract at www.pwgsc.gc.ca/arb/text/00-711-e.html. Send them an email and ask for their audit program or specific areas to review. Finally, look at GAO's Assessing the Reliability of Computer Processed Data at www.gao.gov/special.pubs/p0813.pdf. All of the above documents should provide some insight into auditing computer generated payroll. If you develop an audit program specific to reviewing this area consider sharing it with others by contributing it to the AuditNet inventory.


Question: What are the telltale signs that a purchaser is taking $ from suppliers/subcontractors even though, on the surface, there are 3 quotations obtained, purchasing committee present etc?

Answer: Excellent question and this is a case where good old auditor intuition plays a big part. While on the surface things may appear to be OK, it is worthwhile to pay close attention to the purchasing area of all organizations. Many audit organizations routinely audit the procurement/purchasing area because of the increased risks and vulnerabilities.

Most kickback schemes begin as overbilling wherein a vendor submits inflated invoices to the company. The vendor submits a fraudulent or inflated invoice to the company and the employee assures payment is made. As reward for his assistance, the employee receives remuneration (monetary or non-monetary), or in other words a kickback.

Kickback schemes in themselves are very difficult to detect because there is collusion between the vendor and the employee.

The ability of the employee to authorize purchases can be a key to kickback schemes.

Things to look for may include unreasonable price increases without a change in suppliers. Sometimes the employee could be accepting substandard goods in return for an under-the-counter payment. Look for substandard goods and question why. Payments to the employee may be non-monetary. Look for gifts to the employee such as paid vacations, free airfare or use of corporate jets, boats, condos, automobiles etc., and financial interest (stock) provided to employees at below market prices or at no cost.

Private Business Dealings or Close Social Relationships With Contractors. Private business dealings or social closeness between contractors and contracting personnel and their families. Close relationships between these groups increase the likelihood that improper/fraudulent activities may be taking place. Supervisors should be sensitive to even the appearance of a conflict of interest.

Go to the following site for Red Flags of Fraud and other common situations http://www.fcps.k12.va.us/Superintendent/InternalAudit/redflagsfraud.htm

The Association of Certified Fraud Examiners may be able to provide additional detailed information. Go to www.cfenet.com

Check out the following for possible fraud indicators in federal contracts:

http://www.osc.army.mil/others/gca/indicator.html

http://www.usaid.gov/oig/hotline/fraud_awareness_handbook_052201.PDF

INDICATORS OF FRAUD IN DEFENSE REUTILIZATION AND MARKETING SERVICE PROCUREMENT CONTRACTING


Question: The bulk of our Information Technology department has been outsourced and I am interested in understanding how to audit in that environment. Do we continue to audit things like Disaster Recovery, Change control, Information security, applications, etc., or do we rely on the outsourcing firm to conduct the audits and review their reports?

Answer: Outsourcing does not in any way reduce the internal auditor's responsibility to assess the risks of an organization's operations, nor to conduct audits based on these risk assessments. It obviously changes the way you audit and what you audit. An excellent reference for this is a Federal Reserve Board Letter titled Outsourcing of Information and Transaction Processing.


Question: I do not have an audit background and have been asked to plan and manage for a SAS 70 audit. Any ideas on where I can get information on creating a plan. I have been told money does not exist for consultants.

Answer: Interesting that management would give a non-auditor responsibility for this assignment. Look at www.sas70.com for some guidance; however, I would suggest that management find some money for a consultant to conduct this engagement.


Question: How do I plan an inventory audit? This will be the first audit that I have planned and coordinated! In fact, it's the first audit I've actually been involved with from the perspective of the auditor.

I'm looking for some pointers on how I should plan the audit, tests that should be carried out, documentation of tests, sample reports etc.

Answer: You fail to mention whether you have had any audit training. It sounds like you have been involved in audits from the perspective of the function being audited. You might try starting with a good auditing textbook such as Sawyer's Practice of Modern Internal Auditing. There is also an abundance of audit guides and manuals online. You did not mention what industry you are in, but if you could network with some other auditors perhaps they could help you. There are audit programs (step-by-step procedures) available on this site for inventory audits. Look in the audit programs section. Auditing is a combination of art as well as science. First you have to have an understanding of the function that you are auditing. Start by interviewing staff and writing a narrative of the process. You could flowchart the process as well. This will help identify control points and possible weaknesses. Then you need to develop a strategy for how you are going to proceed. You may need access to computer systems for testing. Depending on the type of inventory you are auditing there are different tests that you could perform. With the little amount of information you provided I cannot be more specific.


Question: I've been assigned the task of preparing a debtor circularisation, and I want to know the best way to choose a sample. 

Answer: The first thing you need to do is decide whether to use statistical or non-statistical sampling. I have provided some references to sites that should help you in this area. You need to understand the population in order to determine the best way to choose the sample. You will then need specific information such as population size, expected error rate, and confidence level. Click here for specific audit sampling guidance. Also, ISACA provides guidance on audit sampling at http://www.isaca.org/standard/guide13.htm. Will Yancey prepared Sampling and Design Issues in Sales and Use Taxes, which may be helpful from a conceptual standpoint.


Question: An audit client has requested a draft of the financial statements in spite of the fact that we are only 70% complete with the audit. The financial statements will require significant adjustments before the audit is complete, but the client has been unable to provide information we need to adjust the statements.

Are auditors precluded from providing draft financial statements that are not fully audited and will require significant adjustments? Is there any specific audit standard that covers this?

Answer: Financial statements of an audit client are the client's, not the auditor's, financial statements. What the auditor does is "audit" the financial statements presented by the client and render an opinion. This opinion includes required financial statement adjustments before the auditor will certify these financial statements.

If the client needs a financial statement before the audit is completed, they should be able to prepare it from their existing financial records. The auditor performing the certified audit for any client should not provide, assist in developing, or be associated with any financial statements, preliminary or final, they have not audited and that have not been adjusted as required from the auditor's work. This is especially true when the auditor knows there will be significant adjustments to these financial statements!


Question: I'm an IS/IT professional who has just been asked to participate in the review of an ongoing IT project to build an internet brokering service. As part of a team of 5 we have two weeks to put a 'wobbly' project back on track. The project involves some outsourced development, interfacing between components and some internal build. I'd appreciate some guidance on where to start. Are there any useful guidelines/checklists I could get hold of prior to the start of this exercise? I have a week.

Answer: Most projects share unique issues relating to the project and organization. However, there is similarity in the approach to project management. Information from the Internet sites below may help your team quickly identify the major problems and issues. You should also search the Internet for additional project management information. The actual solutions to these problems, however, will be specific to your situation.

http://www.stsc.hill.af.mil/ProcessPlan/prplp.asp

Project Management Institute - http://www.pmi.org/

Commonwealth of Virginia, Project Management Guidelines - http://www.cim.state.va.us/pubs/Guidelines/g91_3.pdf

California, DIT, Project Management information - http://www.doit.ca.gov/SIMM/default.asp#ProjMngmntMthdology


Question: A CFO of an organization recently resigned unexpectedly and I've been asked to do a review to ensure that there was nothing odd going on before he left. Is there anything specific I should be looking for - are there any audit programs for this type of review?

Answer: A full-coverage audit of the CFO's operations can be a very large audit, consuming a lot of time. You need to focus in on the areas of concern. Thus, you need to discuss with those who requested this audit, why they think an audit is needed. Do they have any specific concerns, or possible allegations? This will provide direction to any CFO audit. Before beginning this audit, you should discuss this information and the scope of the CFO audit with the Audit Committee, getting their approval of the audit scope and direction.


Question: Is it appropriate to use a "Management Representation Letter" when performing an audit of Internal Controls as an Internal Auditor?

Answer: The IIA Standards are mute on management representation letters. It is required practice (SAS 85) for CPAs and others performing financial statement audits to request a management representation letter at the end of the audit.

Some management representation letter information can be found at:
http://www.abrema.net/abrema/mrl_g.html
http://www.nysscpa.org/cpajournal/2000/0400/Features/f43400a.htm

There are also other types of management representation letters, including legal, taxes, and environmental. However, these do not appear to apply to your situation.

You need to define your management representation letter needs; that is, why you think you need it. Next, you need to discuss these with your Audit Committee, getting their approval before requesting any management representation letter.


Question: What is the difference between a strategic plan and an annual audit plan? Can you please advise how to create and also provide sample of a corporate strategic plan and an annual audit plan?

Answer: The annual audit plan sets the audit priorities and forms the basis of the internal auditing department's budget and work program. It outlines which audit tasks will be performed in what areas of the company. It often includes staffing assumptions and descriptions of risk evaluation methods used. A strategic audit plan would simply have a longer time horizon (3-5 years).

If you are referring to a corporate strategic plan, this is a plan that determines what a company is and wants to become and guides strategic planning at all organizational levels; it involves developing a corporate vision, formulating corporate objectives, allocating resources, determining how to achieve desired growth, and establishing business units.

Here are some resources that may help you:


Question: I am looking to further automate a department's audit workpapers. Do you know of any place that would assist or provide me with automated work papers for financial institutions and/or healthcare providers?

Answer: Here are some vendors of automated workpaper systems:


Question: I am working in an electronic manufacturing company. Can you please advise how I can come up with an annual audit plan? Can you refer me to a sample corporate annual audit plan?

Answer: See if these resources are helpful:


Question: I'm beginning my first due diligence project in the telecommunication business. What facts and figures do I need to know concerning Human Resources, and how can I describe the culture of the assessed company?

Answer: There are lots of resources out there to assist you. Here are a few:


Question: Is there an audit process a supervisor can use to ensure that contractors under their control are conforming to health and safety standards?

Answer: Sure! Of course, your legal department should make sure that the contract spells out the contractor's responsibility for ensuring the health and safety of his employees.

Some resources you may want to consider:


Question: I work in the internal audit department of a utility company and I'm looking to gain an understanding of derivative contracts as they relate to power sales and purchases. Any suggestions?

Answer: Lots! Try these resources on for size:


Question: I am an internal auditor in a small company which has recently taken a 30% holding in a subsidiary. Another company owns the 70% holding. How do you suggest that my company's interests are protected? Should I demand access to all the subsidiary's internal audit reports and any other relevant reports? Should I ask to attend audit committee meetings? Indeed, should I be on the audit committee? I am more interested in what you regard as good practice rather than legal issues.

Answer: A general answer would be you need to take steps to keep informed about your organization's minority interest to the extent of the risk it represents to your organization and/or as desired by your management. A lot will depend on the acquisition agreement of the parties. Is your company's minority interest an active or passive investment? Does your minority interest supply a critical product or service to your company? What are the risks associated with the minority interest either as an investment or as a product or service? I think a "reasonable" approach based on the risks involved is the way to go...as a minority investor I don't know how much "demanding" can be done!

The Institute of Internal Auditors is developing audit guidance on this issue that is due sometime in October 2000.


Question: Do you have any resources for identifying risks and controls regarding migrating all core systems (policy issue, billing, collection, claims, etc.) from one environment to another, including data extraction, transformation and conversion controls? Basically it's migrating all of one company's systems to the other company's systems following a merger.

Answer: That's a tough one. Check out this site that lists several major steps in controlling system conversions.


Question: I am in the process of updating antiquated position descriptions for our Internal Audit department. Is there anything on the web that would help with updated/recent descriptions encompassing risk, or possibly provide description templates?

Answer: Absolutely! Check these resources out:


Question: Would you please suggest some resources on building an internal audit program for a bank using a risk based approach?

Answer: If you're really wanting to start from scratch, here are several risk assessment tools and resources you can use to build your program:

If you'd like to review some bank audit programs, go here.


Question: When calculating the precision using a Poisson distribution assuming a 95% confidence level and assuming zero errors, the calculation can be done as follows: ln 0.05 = 3.00. How do I calculate the precision value when there is one error or more?

Answer: Check out this Statistical Sampling Tool you can use to calculate the sampling error (precision) of an Attributes or Variables sample.
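The arithmetic behind the two sampling questions above (choosing a sample and the Poisson precision factor), as an added illustration that is not part of the original Ask the Auditor answers. The zero-error figure quoted by the questioner is the magnitude of ln 0.05, i.e. -ln(0.05) = 2.996; for one or more errors the factor has no closed form and is solved numerically from the Poisson cumulative probability. The sample-size and upper-limit helpers follow the standard attribute-sampling relationships and are my framing, not the tool the answer links to.

```python
"""Poisson reliability factors for attribute / monetary-unit audit sampling.

The reliability factor R(k, c) is the Poisson mean lambda at which the probability of
observing k or fewer errors equals the sampling risk 1 - c. With k = 0 this is simply
-ln(1 - c); with k >= 1 it is found by bisection, because the Poisson CDF decreases
monotonically as lambda grows.
"""
import math


def poisson_cdf(k: int, lam: float) -> float:
    """P(X <= k) for X ~ Poisson(lam)."""
    return sum(math.exp(-lam) * lam ** i / math.factorial(i) for i in range(k + 1))


def reliability_factor(errors: int, confidence: float = 0.95, tol: float = 1e-9) -> float:
    """Smallest lambda with P(X <= errors) <= 1 - confidence.

    errors == 0 reproduces the questioner's figure: -ln(0.05) = 2.996 at 95% confidence.
    """
    risk = 1.0 - confidence
    if errors == 0:
        return -math.log(risk)
    lo, hi = 0.0, 10.0 * (errors + 1)  # CDF at hi is far below any practical risk level
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if poisson_cdf(errors, mid) > risk:
            lo = mid  # lambda too small: too much probability still at or below k errors
        else:
            hi = mid
    return (lo + hi) / 2.0


def upper_error_limit(errors: int, confidence: float, sample_size: int) -> float:
    """Achieved upper error rate (precision) for an attribute sample with k observed errors."""
    return reliability_factor(errors, confidence) / sample_size


def mus_upper_misstatement_limit(errors: int, confidence: float, sampling_interval: float) -> float:
    """Monetary-unit sampling: precision in currency units = factor x sampling interval."""
    return reliability_factor(errors, confidence) * sampling_interval


def required_sample_size(tolerable_rate: float, confidence: float, expected_errors: int = 0) -> int:
    """Sample size needed so the upper limit does not exceed the tolerable error rate."""
    return math.ceil(reliability_factor(expected_errors, confidence) / tolerable_rate)


if __name__ == "__main__":
    # Reliability-factor table for 0..4 errors at 90%, 95% and 99% confidence.
    for conf in (0.90, 0.95, 0.99):
        row = ", ".join(f"k={k}: {reliability_factor(k, conf):.3f}" for k in range(5))
        print(f"{conf:.0%}  {row}")
    # Zero expected errors, 5% tolerable rate, 95% confidence -> the familiar sample of 60.
    print("sample size:", required_sample_size(0.05, 0.95))
    # One error found in a sample of 60: the achieved upper error rate rises to about 7.9%.
    print(f"upper error limit with 1 error in 60: {upper_error_limit(1, 0.95, 60):.3%}")
```

With one error the 95% factor rises from 2.996 to 4.744, so a sample sized for zero errors no longer supports the planned tolerable rate; either the conclusion is weakened or the sample is extended.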


Question: How do you develop an Audit report to show the effectiveness of the system, conforming issues, observations and non-conformances?

Answer:  Please click here for a discussion of the format of audit reports.


Question: I recently went to work for a farming/ranching company. I need to be able to track the fuel that the workers are using from the on site fuel pumps. Where/How do I start?

Answer: If your company's refueling operation is large, you might consider looking into a computerized Fuel Management System. Click here for an example of such a system on the market (I am not endorsing this or any other system, this is only for illustration purposes).

If your operation doesn't justify the cost of such a system, you could require your workers to fill out a simple log form kept at the pumps. The log form would be used to record information such as date, pump number, gallons pumped, truck number and worker name. At the end of the month or whatever period you choose, you could enter the log information into an Excel spreadsheet or Access database and track fuel use. You should also compare the logged fuel use with the pumps' metered use. Any significant differences should be investigated. Such differences may demonstrate the need for improving control over fuel use.
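The log-versus-meter comparison described in this answer, as an added illustration that is not part of the original post. The log entries, meter readings and the 2% tolerance are constructed sample values; the columns follow the fields the answer suggests recording.

```python
"""Reconcile a manual fuel-pump log against pump meter readings for one period.

Any pump whose metered throughput differs from the logged total by more than the
tolerance is flagged for follow-up, which is the "significant difference" the answer
says should be investigated.
"""
import csv
import io
from collections import defaultdict

# Constructed sample log entries (what workers would write on the form at the pumps).
FUEL_LOG = """date,pump,gallons,truck,worker
2024-03-01,1,42.0,T-101,A. Farmer
2024-03-01,2,38.5,T-102,B. Rancher
2024-03-02,1,45.5,T-103,C. Hand
2024-03-02,2,40.0,T-101,A. Farmer
2024-03-03,1,41.0,T-102,B. Rancher
"""

# Constructed meter readings per pump: (reading at start of period, reading at end).
METER_READINGS = {"1": (10000.0, 10128.5), "2": (20000.0, 20110.0)}


def logged_totals(log_csv: str) -> dict:
    """Sum logged gallons per pump number."""
    totals = defaultdict(float)
    for row in csv.DictReader(io.StringIO(log_csv)):
        totals[row["pump"]] += float(row["gallons"])
    return dict(totals)


def reconcile(log_csv: str, meters: dict, tolerance_pct: float = 2.0) -> dict:
    """Return {pump: (logged, metered, unlogged_gallons, flagged)} for every metered pump.

    unlogged_gallons is metered minus logged: positive means fuel left the pump that no
    one recorded, negative means the log overstates what the meter shows.
    """
    logged = logged_totals(log_csv)
    result = {}
    for pump, (start, end) in meters.items():
        metered = end - start
        total = logged.get(pump, 0.0)
        diff = metered - total
        flagged = metered > 0 and abs(diff) / metered * 100.0 > tolerance_pct
        result[pump] = (round(total, 2), round(metered, 2), round(diff, 2), flagged)
    return result


if __name__ == "__main__":
    for pump, (logged, metered, diff, flagged) in sorted(reconcile(FUEL_LOG, METER_READINGS).items()):
        status = "INVESTIGATE" if flagged else "ok"
        print(f"pump {pump}: logged {logged:7.1f}  metered {metered:7.1f}  unlogged {diff:6.1f}  {status}")
```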


Question: I need your help. I would like to know whether you have any idea how to audit a pager (beeper) service by the operator?

Answer: While I do not know of any audit programs for paging services, I do have some suggestions:

In conducting an internal audit, the following areas could be included:

  • Reviewing the paging service agreement to understand the billing terms and conditions
  • Comparing rates and terms billed for a sample of billings to the agreement to ensure the rates are properly applied
  • Conducting an inventory of pagers, to compare with the latest billing to ensure your company is being billed only for pagers used.
  • Conducting a usage analysis of the pagers assigned to employees to determine if their use is warranted

To get a better understanding of how paging systems work, you may wish to obtain one of these books:

You might consider co-sourcing the audit to a firm that will perform the audit on a contingency fee basis (i.e., they collect fees only out of actual savings they find). Here's one such firm (NOTE: No representation is made as to this firm's ability to do the job.): Utility Audits.com


Question: What is audit sampling?

Answer: Audit sampling is the means by which auditors conduct tests involving less than 100% of the population to be tested. Click on the link for a discussion of Statistical Sampling.


Question: Prevent software piracy.

Answer: Click on this link for a discussion of software piracy, the methods involved, the potential solutions, and the social implications. Click on the following link to go to the Software & Information Industry Association's Anti-Piracy Page where you can:

  • Use their online report forms to report cases of retail, corporate and Internet piracy.
  • Obtain information about worldwide anti-piracy initiatives and information on how to become software compliant.
  • Download the SPAudit Software Management Tool, including WRQ Express Inventory, SPA Edition and/or Sassafras KeyAudit.
  • Get information on attending an informative one-day course that can help individuals and corporations become effective software managers.
  • Research the latest auditing, metering and virus protection software to help you effectively control the use of software within your organization and protect your systems from crippling viruses and possible substantial fines.

Question: I have to prepare workpaper procedures for my audit department. Where can I find a comprehensive listing of procedures?

Answer: Click on the link for a discussion of workpaper procedures. For a full treatment of the subject, purchase Larry Sawyer's book, Sawyer's Internal Auditing.


Question: Team audits

Answer: Since you didn't state a question, one of my witty colleagues would have responded, "Teamwork is an excellent virtue for any organization to have, including team audits."

However, I'll assume you're asking about participative audits, where auditees (or customers, as we now call them) become more involved in the audit. This may mean providing more information to the customer about the audit, frequent status information during the audit, working with the customer to identify solutions and, in some cases, having the customer take part in the audit itself. As noted by Sawyer, (Sawyer's Internal Auditing, 4th Edition, IIA, 1996), people are more willing to assist others when they feel they'll share in the benefits and are working toward the same goal. The fear and distrust that often occurs should dissipate when the auditors and their customers are working together in a cooperative spirit.

While participative audits can increase the effectiveness of audit work, the auditor remains duty bound to ensure adherence to audit standards.


Question: Could you provide me guidelines or names of textbooks for drawing flow charts as part of the documentation of the working papers and audit reports?

Answer: Patton and Patton have created a list of flowcharting resources that should help you.


Question: Can you tell me the difference between primary controls and compensating controls?

Answer: Primary controls are those control procedures that are considered the best means of achieving a given control objective. As noted in the SAC Research Study, IIA, 1991, compensating controls overcome or mitigate a weakness caused by the lack of a primary control. For example, file balancing procedures may not be automated in an application system, but manual user balancing procedures may compensate for this weakness and achieve the control objective.


Question: In an attempt to acquire a new banking system package, what type of recommendations should an internal audit and control department make to the management, most especially those areas which directly affect internal audit function?

Answer: The auditor needs to understand the principal control objectives, tools and implementations of internal controls in a financial application system. This includes controls inside and outside the application itself, since outside controls affect the integrity of the application.

Each situation is different, but here are some questions that auditors should get answers to:

  1. Input Controls:

    • How will inputs be properly authorized?
    • What will ensure that inputs contain correct data?
    • Will inputs only be entered once?
    • What will prevent inputs from being lost?
    • Will inputs be associated with the persons authorizing and entering them?
    • What will ensure that all errors will be corrected?
    • Will error corrections be subject to the same level of control as the original transaction?

  2. Transaction Processing Controls:

    • What ensures the processing of transactions is done correctly?
    • What ensures that all transaction processing conforms to the general or specific directions of management?
    • What ensures that all transaction processing complies with laws and regulations?
    • What ensures that all transaction processing is done in a manner that supports the maintenance of accountability?

  3. Output Controls:

    • What ensures that outputs produced are correct?
    • What ensures that all reports and screen images will go to the appropriate persons?
    • What will ensure that confidential data is protected from disclosure?
    • What will ensure that all outputs are distributed in a timely fashion?

  4. File Integrity Controls:

    • What ensures that all appropriate transactions will be properly recorded in appropriate files?
    • What ensures that only correct and valid data will be recorded in files and databases?
    • What ensures that access to files will be limited to authorized persons and programs?
    • What ensures that data in files is protected from intentional and accidental modification, destruction or disclosure?

  5. Auditability:

    • What ensures that detail reports or data files showing how a transaction has affected an account or other object will be maintained?

Your recommendations to management will be determined by the answers to the above questions.


Question: What are the inherent risks in the operations of an Accounts Department of a financial institution?

How do I identify the inherent risk of a particular department?

Answer: Check out the following resource on the Internet which includes guidance on developing financial institution audit programs:

  • Resource for Bank Internal Auditors

Click here to download a tool (in Word format) you can use to identify, evaluate and prioritize a group of business risks which could significantly impact a company's or business unit's ability to accomplish its business strategies.


Question: What are the major problems faced by an external auditor for businesses strongly involved in E-Commerce and how can we solve it?

Answer: The number one rated concern for both businesses and consumers in establishing and participating in E-Commerce is the potential loss of assets and privacy due to breaches in the security of commercial transactions and corporate systems.

Auditors can help ensure companies adequately address the following areas:

  • Encryption
  • Secured payment methods
  • Web site security
  • Security between a company's site, the back-end servers and databases supporting it.

For a good treatment of these issues, obtain the book, E-Commerce Security : Weak Links, Best Defenses, by Anup K. Ghosh, John Wiley & Sons, 1998.


Question: My institution is a banking institution. Our audit focus in recent times has been tilted towards Risk Management. We are currently reviewing our Marketing Department, and we would appreciate a catalog of possible risks in the marketing of financial products, i.e., the deposit sourcing function. An audit program and checklist would also be appreciated.

Answer: Check out the following resource on the Internet which includes guidance on developing audit programs:

  • Resource for Bank Internal Auditors

Question: We are about to develop an audit procedural manual. What are the important areas which the manual should address? A sample manual would be appreciated.

Answer: An audit manual reflects the philosophy of the individual audit department and its director. Consideration should be given to the structure of the department and how big it is. Small departments may not need written procedures to function effectively. The larger the department, however, the greater is the need for written policies and procedures that cover the following areas:

  • Department Policies and Procedures - Administrative

  • Department Policies and Procedures - Audit Process

  • Miscellaneous Information

It's important to make sure the audit manual is kept up-to-date. Maintaining the manual in an online format such as HTML will allow immediate updates and avoid the task of having to distribute hard copies to each staff member. Click here to see an index page to a sample audit manual.


Question: How do I set target and goal for my audit assistant?

Answer: One way, assuming the question refers to assigning work to an Assisting Auditor on a specific audit, would be to prepare a detailed work plan that assigns specific auditors to specific tasks. The In-Charge Auditor must be aware of the skills and capabilities of the Assisting Auditor. In addition, try to understand where the assistant wants more experience and assign them tasks where they can get the exposure and growth they want. It may be appropriate in some cases for the In-Charge Auditor and the Assisting Auditor to jointly prepare the work plan. In any case, it is important to ensure that the Assisting Auditor understands the tasks he/she is to perform and believes the timetable for completing them is realistic. The In-Charge should check with the assistant from time to time to keep informed of progress and any difficulties.


Question: How best can I audit administrative functions?

Answer: One way would be to use the general guidelines given in the last question below and make use of our Assurance Review Guide Tool.


Question: How do I audit the Treasury Function in a financial institution?

Answer: One way would be to use the general guidelines given for the question below and make use of the following resources on the Internet:


Question: I'm a new internal auditor. How do I prepare an effective audit program for an area not audited before?

Answer: There are many good methods for preparing an audit program. The method you choose will be the one that makes the most sense for you, based on your level of experience and your department's standards and practices. For new internal auditors, some guidelines include:

  1. Perform a preliminary review to determine the objectives of the area or function you're auditing, the existing system of control and any risks. Make sure the auditee agrees with the objectives.

  2. Review internal audit literature which relates to the operation that may provide some ideas:

    • Bibliography of the Internal Auditor magazine for articles on the function being audited.

    • A good auditing text for suggested audit steps.

    • Any research studies developed by the IIA.

    • Available audit programs on the Internet.

  3. For each audit objective, list the risks that must be covered by the function or operation and their significance.

  4. For each risk listed, show any controls in effect or which would be needed to meet the objective and protect against the risk.

  5. For each control, list the audit steps that would be needed to test the effectiveness of the control if it exists, or recommendation to install the needed control.

  6. Format your program to provide columns for workpaper referencing to support the work performed.

Disclaimer

The Ask the Auditor question answers highlight general information on a particular matter and are not exhaustive reviews of such subjects. Accordingly, the information in this website is not intended to constitute legal, accounting, tax, investment, consulting, or other professional advice or services. Before making any decision or taking any action which might affect your business or personal finances, you should consult a qualified professional advisor.