CHAPTER 10 AUDIT EVIDENCE AND WORKING PAPERS
Learning Objectives
Understand what it means to gather and evaluate sufficient appropriate audit evidence. Know the manual procedures used by internal auditors to gather audit evidence. Be familiar with selected computer-assisted audit techniques, including generalized audit software. Understand the importance of well- prepared audit wo rking papers.
In this chapter, we first focus on gathering and documenting audit evidence- a very significant component of all internal audit engagements. The quality of internal auditors’ conclusions and advice depends on their ability ab ility to gather and appropriately evaluate sufficient appropriate audit evidence. Audit procedures are performed throughout the audit process to gather the evidence needed to achieve the prescribed engagement objectives. Engagement objectives are described and illustrated in chapters 12 through 15, which we refer to collectively as the Internal Audit Process chapters. We then discuss audit working papers, which serve as the principal record of the procedures p rocedures completed, evidence obtained, conclusions reached, and recommendation formulated by the internal auditors assigned to an engagement (that is, the internal audit team). The working papers also serve serve as the primary support for the internal audit au dit team’s communication to the auditee, senior management, the board of directions , and other stakeholders .
AUDIT EVIDENCE
Recall from chapter 1,”Introductions to Internal Auditing, ”that internal aud iting is iting is based on logic , which involves reasoning and drawing inferences. Internal auditors rely extensively on seasoned, professional judgment when they formulate conclusions and advice based on evidence they gather and evaluate. The quality of internal auditors’ auditors’ conclusions and advice depends on their ability to gather and evaluate sufficient approp riate evidence to support their conclusions and advice. Gathering sufficient appropriate evidence requires extensive interaction and co mmunication with auditee personnel throughout the engagement. Such interactions and communications are critical to conducting the engagement engage ment effectively. It is important, therefore, for internal auditors to be open, communicative, and collaborative. The internal auditor must always be mindful, however, that the managers and employees from whom evidence is gathered may not adequately
understand the purpose, objectives, and scope of the engagement, or the manner in which the engagement is conducted. Moreover, some managers or employees may see the engagement as a threat to them- in other words, think that the internal auditors are specifically looking for things they have done wrong. Unfortunately, the threat of management and/or employee errors and fraud always exists. EXHIBIT 10-1 IPPF GUIDANCE RELEVANT TO CHAPTER 10 Standard 1220 – 1220 – Due Due professional care Standard 2200 - Engagement Planning Standard 2240 – 2240 – Engagement Engagement work program Standard 2300 – 2300 – Performing Performing the Engagement Standard 2310 – 2310 – Identifying Identifying Information Standard 2320- Analysis and Evaluation Standard 2330- Documenting Information Practice Advisory 2240-1: Engagement work program Practice Advisory 2330-1: Documenting Information Practice Advisory 2330.A1-1 : Control of Engagement Records Practice Advisory 2330.A2-1 : Retention of Records
Professional Skepticism and Reasonable Assurance
The internal auditor must always remember to apply a healthy level of professional skepticism when evaluating audit evidence. Professional evidence. Professional skepticism means skepticism means that internal auditors take nothing for granted; they continuously question what they hear and see and critically assess audit evidence. They do not assume by default that auditee personnel are either honest or dishonest. Applying professional skepticism throughout the engagement helps internal auditors remain unbiased and maintain an open mind to form judgments based on the preponderance of evidence gained during an engagement, and not just individual pieces of information. Professional skepticism is discussed in the context context of fraud in chapter 8, “ Risk of Fraud and Illegal Acts.” Internal auditors are rarely, if ever, in a position to provide absolute assurance regarding the truthfulness of management’s assertions regarding the system of internal controls and performance. Even experienced internal auditors are rarely convinced beyond all doubt. This is due to the nature and extent of evidence they gather and the types of decisions they make. Frequently, internal auditors must rely on evidence tha t is persuasive rather than absolutely convincing, and audit decisions are rarely black and white. Moreover, internal auditors’ conclusions and advice must be formed at a reasonable cost within a reasonable reaso nable length of time to add economic value. Accordingly, Acc ordingly, internal auditors strive to obtain sufficient appropriate evidence to provide a reasonable rea sonable basis for formulating their conclusions and advice. This con cept is referred to by internal auditors as reasonable assurance.
Persuasiveness of Audit Evidence Audit evidence is persuasive if it enables the internal auditors to formulated well founded conclusions and advice confidently. To be persuasive, evidence must be:
Relevant. Is the evidence pertinent to the audit objective? Does it logically support the internal auditor’s conclusions or advice? Reliable. Did the evidence come from a credible source? Did the internal auditor directly obtain the evidence? Sufficient. Has the internal auditors obtained enough evidence? Do different, but related, pieces of evidence corroborate each other?
The American Institute of Certified Public Accountants (AICPA) (AICPA) states that “ Appropriateness is Appropriateness is the measure of the quality of audit aud it evidence, that is, it’s relevance and reliability..” and that “ Sufficiency is the measure of the quantity of audit evidence.” Why audit evidence must be relevant to be persuasive is clear: relying on evidence that has little or no pertinence p ertinence to a specific audit objective greatly increases audit risk, that is, the risk of reachin g invalid conclusions and/or providing faulty advice based on the audit work conducted. Example: Assume that an internal auditors wants to determine whether a particular vehicle included in the company’s compa ny’s fixed asset ledger exists and is owned by the company. The internal auditors locates the vehicle in the compa ny’s parking lot. Can the internal auditors reasonably conclude that the vehicle exists just by seeing it? Yes. Can the internal auditor reasonably conclude that the company owns the vehicle just by seeing it? No. the internal auditor would need to inspect pertinent documentary evidence, such as a title of ownership. Although there are no hard and fast rules regarding reliability and sufficiency of evidence, there are useful guidelines internal auditors can follow if they remember that guidelines are generally characterized by exceptions. Such guidelines include:
Evidence obtained from independent third parties pa rties is more reliable than evidence obtained from auditee personnel. Evidence produced by a process or system with effective controls is more reliable than evidence produced by a process or system with ineffective controls. Evidence obtained directly by the internal a uditors is more reliable than evidence obtained indirectly. Documented evidence is more reliable than undocumented evidence. Timely evidence is more reliable than untimely evidence. Corroborated evidence is more sufficient than uncorroborated or contradictory evidence. Larger samples produce more sufficient evidence than smaller samples.
Documentary evidence is significant portion of the evidence gathered during most internal audit engagement. The reliability of documentary evidence depends, to a large extent, on its origin and
the route it follows before being examined by the internal auditor. Exhibit 10-2 10 -2 illustrates this point. EXHIBIT 10-2 RELIABILITY OF DOCUMENTARY EVIDENCE Levels of Reliability Descriptions
Example Documentary
Documents prepared by the internal auditor.
Inventory test counts Process maps Risk and control matrices.
Documents sent directly from a third party to the internal auditor
Confirmations Cutoff bank statements Letters from outside attorneys
Documents created by third party, sent to the organization, and requested from the organization by the internal auditor
Vendor invoices Customer purchase orders Bank statements
Documents created by the organization, sent to a third party, returned to the organization, and requested from the organization by the internal auditor Documents created by the organization and requested from the organization by the internal auditor
Remittance advices Canceled checks Deposit slips
High
Medium
Low
Written policy statements Receiving reports Time cards
AUDIT PROCEDURES
Audit procedures Audit procedures are specific tasks performed by the internal auditor to gather the evidence required to achieve the prescribed audit aud it objectives. They are applied during the audit process to:
Obtain a thorough understanding of the auditee, aud itee, including the auditee’s objectives, risks, and controls. Test the design adequacy and operating effectiveness of the targeted targeted area’s system of internal controls. Analyze plausible relationships among different elements of data. Directly test recorded financial and nonfinancial information for errors and fraud.
Obtaining sufficient appropriate evidence to achieve the prescribed audit objectives involves determining the nature, extent, and timing of audit procedures to perform.
Nature of audit procedures. The nature of audit procedures relates to the types of tests the internal auditor performs to achieve his or her obj ectives. One to one relationships between aud it objectives and audit procedures are rare. Individual audit procedures often provide evidence that is pertinent to more than one audit au dit objective, and more than one on e audit procedure often is required to meet a particular audit objective. Different types o f tests provide varying levels of assurance, take different amounts of time to conduct, and a nd are more or less of expensive. ex pensive. The internal auditor must weigh the relative benefits and costs of cond ucting different types of procedures. Depending on the nature of the engagement, an internal auditor may use manual audit procedures, computer assisted audit techniques (CAATs), or a combination of the two to gather sufficient appropriate evidence. Manual audit procedures and CAATs are discussed further in subsequent sections of this chapter. Extent of audit procedures. The extent of audit procedures pertains to how much audit evidence the internal auditor must obtain to achieve his o r her objectives. An internal auditor must, for example, determine the appropriate combination of procedures to apply. The degree to which individual tests are to be conducted, that some types of transactions should be tested 10 0 percent, where as other may be tasted on a sample basis. Audit sampling is discussed d iscussed in detail in chapter 11, “Audit sampling.” Ultimately, the internal auditor must gather and evaluate enough evidence to support well-founded conclusions and advice. Timing of audit procedures. The timing of audit procedures pertains to when the tests te sts are conducted and the period of time covered by the tests. For example:
An internal auditor testing testing the operating effectiveness of a manual control over a period of time on a sample basis must take appropriate ap propriate steps to gain assurance that the sample selected is representative of the entire period. An internal auditors testing whether transactions are recorded in the approp riate fiscal year will focus his or her tests on transactions immediately before and after year - end. An internal auditor will tests the operations of a computerized ap plication control at a given time to determine whether the control is o perating effectively at that time. The internal auditor will then rely on different tests, such as tests over access and modifications of applications programs during a period of time, to g ain assurance that the control operated consistently over that period of the time.
Manual Audit Procedures
Commonly performed manual audit procedures include inquiry, observation, inspection, vouching, tracing, reperformance, analytical procedures and confirmation. Each of these procedure is defined and discussed below. Example applications of each procedure are presented in exhibit 10-3.
Inquiry entails asking questions of auditee personnel or third p arties and obtaining their oral or written responses. Inquiry produces indirect evidence, which b y itself is rarely persuasive. This is especially true when inquiries are directed to au ditee personnel from whom the internal auditor cannot count on receiving unbiased u nbiased responses. More formal types of inquiry include interviews and circulating surveys and questionnaires. Key c omponents of effective interviewing are outlined in exhibit 10-4. EXHIBIT 10-3 ILLUSTRATIVE APPLICATIONS OF MANUAL AUDIT PROCEDURES Procedures Illustrative Applications Circulate a questionnaire among senior executives asking them to identify the “top 10” risks threatening the organization. Ask the organization’s outside legal counsel to provide information about any litigation, claims, Inquiry and/or assessments against the organization. Interview managers and employee involved in the cash disbursements process to identify key process controls.
Observation
Inspection
Vouching
Tour the auditee’s facility auditee’s facility to gain a general understanding of day to day operations. Observe the care with which employees count on the year end physical inventory. Watch employees involved in executing and recording cash disbursement transaction to determine whether they are performing their assigned responsibilities and only their assigned responsibilities. Review the minute of board of directions’ meeting looking for authorization of significant events (for example, the acquisition of another company). Inspect selected inventory items to determine their condition and salability. Read the cash disbursements policies and procedures to obtain an understanding of key elements of the process (for example, assigned roles and responsibilities). Vouch a sample of inventory items from the accounting records to the warehouse to see that the inventory items text. Vouch a sample of sales invoices to corresponding shipping documents to verify that the shipments occurred.
Tracing
Reperformance
Analytical procedures
Confirmation
Vouch a sample of check copies to supporting voucher packages to test the validity of the checks. Trace internal auditor test counts of inventory to the auditee’s inventory compilation records to verify that the counts are properly included in the compilation. Trace receiving reports for goods received to the corresponding voucher and then to the voucher register to verify that the receipts of goods are properly recorded as liabilities. Trace checks dated within a period of several days before and after year end to the accounting records to ensure the check were recorded in the proper year. Recalculate accumulated depreciation and depreciation expense to verify that they were calculated correct. Independently estimate the allowance for doubtful accounts to test the reasonable of the accounting department’s estimate. Reperform auditee prepared bank reconciliations to test whether they were completed correctly. Prepare common size financial statements for the current year and preceding two years; look specifically for variances or unexpected trends. Compare the organization’s common size financial statements with published industry common size information looking for unexpected inconsistencies. Calculate accounts payable turnover for the current year and preceding two years as evidence of vendor payment periods. Confirm a sample of accounts receivable subsidiary ledger balances with customers. Confirm the principal balance of a notes payable and (ga jelas ) with the lender. Confirm cash accounts bank balances with bank.
EXHIBIT 10-4 KEY COMPONENTS OF EFFECTIVE INTERVIEWING Interviewing objectives : Gather information (that is, audit evidence) relevant to the engagement. Establish a rapport that fosters a positive working relationship throughout the engagement. The interviewing process: Prepare for the interview: Define the purpose Identify the appropriate interviewee.
Gather background information about the audit area and interviewee Create the right set of questions (what, why, how, where, when, who). Establish expectations with the interviewee and identify information needs. Arrange logistics (date, time, location, length). Prepare an outline. Conduct the interview: Establish rapport and create an atmosphere that encourages openness. Review the purpose of the interview, the topics to be covered, and the estimated time needed. Ask straightforward questions and meaningful follow- up questions. Avoid technical jargon. Use periods of silence effective. Listen. Summarize and confirm key points. Discuss next steps. Arrange follow-up contact. Thank the interviewee. Document the interview outcomes (as soon as pos sible after the interview): Reflect on the interview and review notes. Record the result of the interview in good form. Characteristic common among effective interviewers : Professionalism (for example, prepared, respectful, courteous, on time). Outstanding interpersonal and oral communication skills, including listening skills. The capacity to display confidence and command respect without being arrogant. An innate curiosity. Objectivity (that is, remain impartial and refrain from injecting personal opinions). Common barriers to effective interviews : Auditee impediments such as competing demands on time, preconceived notions about internal auditors, and fear of reprisal. Flaws in the interview process. Lack of requisite competencies on the part pa rt of the internal auditor. Critical success factors: Be prepared. Know and respect the interviewee. Establish credibility and trust. Speak the interviewee’s language Expect the unexpected.
Observations entails watching people, procedures, or processes. Observation is generall y considered more persuasive than inquiry in the sen se that the internal auditor is obtaining direct evidence. For example, the internal auditor’s direct personal observation of an employee
applying a control generally providers more assurance than simply asking the employee about the application of the control. A significant limitation of observation is that it provides evidence at a certain time. The internal auditor typically cannot conclude that what is observed is representative of what happened throughout the year, especially given the propensity of people to behave differently when they know they are being watched. Inspection entails studying documents and records and physically examining tangible resources.
Inspection of documents and records providers direct evidence of their contents. Likewise, physical examination of tangible resource (for example, a building or piece of equipment) provides the internal auditors with direct personal knowledge of the resources’ existence and physically condition. Internal auditors must, however, acknowledge and take into account their level of expertise (that is, their capacity to comprehend what they read and see). For example, formulating valid conclusions about the value of precious gems based on inspection may be outside the scope of the internal auditor’s expertise. The internal auditor might, in this case, need to rely on the assistance of a precious gems expert to help validate the gem’ value. Vouching entails tracking information backward from one document or record to a previously
prepared document or record, or to a tangible resource. Vouching is performed specifically to test the validity of documented or recorded information. For example, a sale of goods typically should not be recorded unless the goods have been shipped. Vouching a sales invoices to a shipping document provides evidence that the shipment upon which the invoice is based actually occurred. Likewise, vouching the recording of a vehicle in the f ixed asset ledger to the actually vehicle provides evidence that the vehicle really exists. Within the context of financial audits, vouching is used to test for overstatements in recorded amounts. Tracing entails tracking information forward from one document, record, or tangible resources
to a subsequently prepared document or record. Tracing is performed specifically to test the completeness of documented or recorded information. For example, purchases of goods typically should be recorded when the goods are received. Tracking a receiving report for goods received near the end of the year to the accounting records provides evidence that both the asset and liability were recorded in the same year the goods were received. Within the context of financial audits, tracing is used to test for understatement in recorded amounts. Reperformance entails redoing controls or other procedures. Reperforming a control provides
direct audit evidence regarding its operating effectiveness. Reperforming calculations provides direct evidence as to whether the auditee’s calculating are correct. Independently formulating an accounting estimate, such as the allowance, for bad debts, and comparing it with the auditee’s estimate provides direct evidence regarding the reasonable of the auditee’s estimate.
Analytical procedures procedures entail assessing information obtained during an engagement by
comparing the information with expectations identified or developed by the internal auditor. A basic premise underlying the use of analytical procedures in internal auditing is that the internal
auditor may reasonably expect certain in internal auditing is that the internal auditor may reasonably expect certain relationships among different pieces of information to continue in the absence of known conditions to the contrary. It is important for internal auditors to develop expectations independently based on knowledge of the auditee, the organization’s industry, and the economy before accumulating and analyzing information to ensure that the ensuing comparisons are unbiased. Internal auditors use analytical procedures while planning and performing an engagement to identify anomalies information such as unexpected fluctuations, differences, and correlations as well as the absence of expected fluctuations, differences, and correlations. Such anomalies may be indicative of unusual or nonrecurring transactions or events, error, or fraudulent activities that warrant further attention the gathering of corroborative audit evidence. Common analytical procedures performed by internal auditors include:
Analysis of common size financial statements. The internal auditor expresses financial statement line items as percentage of relevant totals (for example, income statement items are expressed as percentage of sales, and balance sheet items are expressed as percentages of total assets). Ratio analysis. The internal auditor calculates pertinent financial rations ( for example, current ratio, gross profit percentage, inventory turnover, and cost of raw materials purchased divided by cost of finished goods produced) and rations involving nonfinancial values (for example, sales divided by square footage of sales space, payroll expense divided by average number of employees and percentage of defective units procedure). Illustrative process performance ratios are presented in exhibit 10-5. It is important, however, to realize that the only true constraints on working with ratios are the availability of the necessary information to calculate the rations and the internal auditor’s creativity. Trend analysis. The internal auditor compares performance information (for example, individual amounts, common size percentages, and/or rations) for the current fiscal period with like information for one or more prior periods. Analysis of future- oriented information. The internal auditor compares current fiscal period information with budgets or forecasts. External benchmarking. The internal auditor compares performance information of the organizations with like information of other individual organizations or the industry in which the organization operates. Published industry data for specific industries is available for comparison purpose from source such as Dun & Bradstreet and standard & poor’s. Internal benchmarking. The internal auditor compares performance information of one organizational unit with like information for other organizational units.
Confirmation entails obtaining direct written verification of the accuracy of information from
independent third parties. Evidence obtained via confirmation generally is considered very reliable because it comes to the internal auditor directly from independent source. There are two common types of confirmation requests: positive confirmations ask recipients to respond regardless of whether or not they believe the information provided to them is correct, and negative confirmations ask recipients to respond only when they believe the information provided to them incorrect. A positive confirmations may ask the recipient to provide the information of interest (referred to as a blank confirmation) or include the information of interest and ask the recipient to indicate agreement or disagreement with the information. EXHIBIT 10-5 ILLUSTRATIVE PROCESS PERFORMANCE RATIONS Sales, Accounts Receivable, and Cash Receipts: Net sales ÷ Average or year – end Net Accounts Receivable (Accounts Receivable Turnover) 365 ÷ Accounts Receivable Turnover (Average Days to collect ) Net sales ÷ square footage of sales space On time Deliveries to customers ÷Total Deliveries to customers Bad Debt Expense ÷ Net sale Year – end Allowance for bad debts ÷ Year Ye ar – end Accounts Receivable. Purchase, Accounts payable, and cash Disbursements: Disbursements: Raw Materials purchased ÷Cost of Finished Goods Produced On time Deliveries from suppliers ÷ Total Deliveries from supplies Purchase Return ÷Total Purchase or cost of goods sold Cost of goods sold or Net Purchases ÷ Averages or year- end Accounts Payable (Accounts payable Turnover ) Inventory and Cost of Goods sold : Cost of goods sold ÷ Average or year- end Inventory (Inventory Turnover) 365 ÷Inventory Turnover (Average Days to sell) Number of Defective Units Produced ÷ Total Units Produced Cost or Scrap/waste/spoilage ÷ Net sales or cost of goods sold Gross profit ÷ Net sales (Gross Profit Percentage) Human Resource and Payroll : Number of employees leaving voluntarily and/or Involuntarily During the year ÷ Average or Year – end number of employees ( Employee Turnover) Man Days Lost to absenteeism ÷ Total man days Number of Overtime Hours Worked ÷ Total Hours worked Payroll Expense ÷ Average or year –end Number of employees
Computer – assisted Audit Techniques
“In exercising due professional care, internal auditors must consider the use of technology – based audit and other data analysis techniques. “ (Standard 1220.A2)
ISACA (formerly known as the Information System Audit and Control As -sociation) defines a technology – based audit technique, or CAAT, as “any automated audit technique, such as generalized audit software (GAS), test data generators, computerized audit programs and specialized audit utilities. “Some of the more common CAATs are defined by ISACA as follows: Generalized audit software (GAS) is “multipurpose software that can be used for
[general purpose] such as record selection, matching, recalculation and reporting.” Utility software is comprised of “computer programs provided by a computer hardware
manufacturer or or software vendor and and used in running system the system. This technique can be used to examine processing activities; to test programs, system activities, and operational procedures; to evaluate data file activity; and, to analysis job accounting data.” Test data are “simulated transaction that can be used to test processing logic,
computations and controls actually programmed in computer applications. Individual programs or an entire system can be tested.. This technique include integrated test facilities (ITFs) and base case system evaluation (BCSEs). (BCSEs). ” Application software software tracing and mapping are “specialized tools that can be used to
analyze the flow of data through the processing logic of the appl ication software and document the logic, paths, paths, control conditions and processing sequences. sequences. Both the command language or job control statement and programming language can be analyzed. This technique include program/system: mapping, tracing, snapshots, parallel simulations and code comparisons.” comparisons.” Audit expert expert system are " expert expert or decision support system that can be used to assist IS
(information systems) auditors in the decision- making process by automating the knowledge of expert in the field. This Thi s technique include automated risk analysis, system software and control objectives software packages.” Continuous Continuous auditing "allows IS auditors to monitor system reliability on a continuous
basis and to gather selective audit evidence through the computer.”
These definition indicate that internal auditors can use CAATs to directly test (1) controls built computerized information systems and (2) data contained in computer files. It should be noted that, by directly testing data contained in computer files, internal auditors obtain indirect evidence about the effectiveness of the controls in the application that processed the data.
Example: An internal auditor uses generalized audit software to directly test whether any duplicate payments of invoices exist in the company’s cash disbursements transaction file. The internal auditor uncover several duplicate payments made throughout the year. The internal auditor may correctly infer that controls to prevent and/or detect such payments on a timely basis did not exist, were designed inadequately, or did not operate effectively. An in depth discussion of each type of CAAT defined above is beyond the scope of this textbook. However, GAS and the types of data analyses internal auditors can perform with GAS warrant bit more attention. Some internal auditors continue to harbor the belief that GAS is a tool to be used only by IT audit specialists. However, as indicated by the following quote from GTAG 16: Data Analysis Technologies (of The IIA’s Global Technology Audit Guide series), this is i s no longer true. “A reality of today’s highly automated world is that almost every auditor must analyze
data. What was once considered a special expertise, a job for IT auditors, or a task that was easily outsourced to another department or organization, has become a core competency for the profession of internal auditing.” Fortunately, GAS has advanced to the stage where it is relatively easy to use, even by internal auditors with little audit – related IT training. It combines a user – friendly interface with powerful data analysis functionalities such as:
Examining files and records for validity, completeness, and accuracy.
Recalculating recorded value and calculating other values of audit interest.
Selecting and printing samples and calculating sample result.
Comparing information in separate files.
Summarizing, resequencing, and reformatting data.
Creating pivot tables for multidimensional analysis.
Searching for anomalies in data that may indicate errors or fraud.
Preparing and printing reports.
Automatically generating a historical log of data analyses performed.
Benefits of using GAS. There are many benefits of using GAS:
It allows internal auditors to conduct audit procedures in a wide variety of hardware and software environments with minimal customization. It enables internal auditors to perform tests on data independently of the company’s company’s IT personnel.
Using GAS enables the internal auditor to deftly analyze very large quantities of data.
Some applications of GAS facilities 100 percent examination of data populations almost instantaneously as opposed to testing a sample of data items manually. Using GAS to perform necessary but routine audit tasks frees up time for the internal auditor to think analytically.
Obstacles to implementing GAS successfully. There are also legitimate obstacles that an internal auditor must overcome to implement GAS successfully:
Obtaining access privileges to relevant and reliable data.
Gaining physical access to the data.
Understanding how the data is stored and formatted in the system.
Extracting the data and downloading in to the internal auditor’s personal computer (pc).
Importing the data in a usable format into the audit software.
Overcoming these obstacles might, in some cases, require the assistance of an IT audit expert. However, the only “show stopper“ limitations of adding value by using GAS are the availability of relevant data in electronic format and the internal auditor’s ingenuity. ACL and IDEA software . The two predominant GAS programs used by internal auditors, ACL
(Audit Command Language) and IDEA (originally an acronym for Interactive Data Extraction and Analysis ), accompany this text –book. Both the ACL data analysis software and IDEA are windows – based and can be operated easily on th e internal auditor’s PC. The ACL software is a product of ACL services Ltd. Interested readers can learn more about ACL services by visiting the company’s website at www.acl.com . The DVD-ROM accompanying this textbook contains the following materials relevant to ACL in addition to the ACL software itself:
Getting started manual.
ACL in practice manual.
Data access guide. ACL help.
The ACL in practice manual contains contains an extensive tutorial involving a hypothetical hypothetical company and real- world data, which provides a good introduction to ACL ’s analysis and reporting capabilities. The IDEA software is product of case ware IDEA Inc., a privately held software development and marketing company. Audimation Audimation Service Inc., which is referred to on the front of the IDEA DVDROM, is the U.S. business partner with case ware IDEA Inc. Interested readers can learn more about these companies and IDEA by visiting their websites: www.CASeWare-IDEA.com and www.audimation.com.. The DVD-ROM accompanying www.audimation.com accompanying this textbook also contains the following materials relevant to IDEA in additions to the software itself:
Installation Guide.
IDEA Tutorial.
Report Reader Tutorial.
IDEA help.
Case study for IDEA Version Eight.
IDEA Advanced Statistical Methods Case study.
The Getting starred Tutorial in section Four of the IDEA tutorial, which can be completed by using the sample data files contained on the DVD-ROM, provides a good introduction to IDEA’s functionality. The Case study for IDEA Version Eight and the IDEA Advanced statistical Methods case study can be used for supplement practice with the software.
WORKING PAPERS
IIA standard 2330: Documenting Information requires internal auditors to record the evidence they accumulate as support for engagement outcomes. Practice Advisory 2330 -1: Documenting Information provides guidance regarding working papers and their preparation.
Purpose and Content of Working Papers
Because of the many purpose working papers serve, it is difficult to overstate their importance. For example, working papers:
Aid in planning and performing the engagement.
Facilitate supervision of the engagement and reviews of the work completed.
Indicate whether engagement objectives were achieved.
Provide the principal support for the internal auditors’ communication to the auditee, senior management, the board of directions, and appropriate third parties.
Serve as a basis for evaluating the internal audit function quality assurance program.
Contribute to the professional development of the internal audit staff.
Demonstrate the internal audit function’s f unction’s compliance with the IIA’s International Standards for the Professional Practice of Internal Auditing (Standards).
The content of internal audit engagement working papers will depend on the nature of the engagement. They should always, however, provide complete, accurate, and concise documentation of the engagement process. Types of working papers
A wide variety of working papers are prepared during an internal audit engagement. The following list is intended to be illustrative rather than all inclusive:
Work programs used to document the nature, extent, and timing of the specific audit procedures. Engagement time budgets and resource allocation worksheets. Questionnaires used to obtain information about the a uditee, including its objective, risks, controls, operating activities, etc. Process maps or flowcharts used to document process activities, risks, and controls. (Common process mapping symbols and illustrative process maps are presented in chapter 5, “Business Process and Risks.” Common flowcharting symbols and illustrative flowcharts are presented in chapter 13, “conducting the Assurance Engagement.” Engagement.” Charts, graphs, and diagrams, such as a risk map used to plot the i mpact and likelihood of business risks (an illustrative risk map is presented in chapter 13). Agendas for internal audit team meetings and meetings with the auditee. Narrative memoranda used to document the result of interviews and other meeting with auditees. Pertinent auditee organizational information, such as organization charts, job descriptions, and operating and financial policies and procedures. Copies of source documents, such such as purchase requisitions, purchase purchase orders, receiving report, vendor invoices, vouchers, and checks.
Copies of other important i mportant documents, such as minutes of meeting and contracts.
IT-related documents, such as program listing and exception reports.
Accounting records, such as trial balances and excerpts from journals and ledgers.
Evidence obtained from third parties, such as confirmation responses from customers and representations from outside legal counsel. Worksheets prepared by the internal auditor, such as a risk and control matrix used to document process- level risks, key control descriptions, the internal auditor’s evaluation of control design adequacy, the tests of controls performed, and the rest results (an illustrative risk and control matrix is presented in chapter 13 ). Other types of working papers prepared by the internal auditor that reflect work performed (for example, analytical procedures, computerized data analysis, and direct tests of transactions, events, account balances, and performance measurements). Evidence compiled by the auditee and tested by the internal auditor (for example, bank reconciliations). Written correspondence and documentation of oral correspondence with the auditee during the engagement. The internal audit team’s write ups of observations, recommendations, and conclusions. (Illustrative write ups are discussed in chapter 13.)
Final engagement communications and management’s responses. (Illustrative audit communications communications are presented in chapter 14, “communicating “communicating Assurance Engagement Outcomes and performing Follow-up procedures.”)
Guidelines for working paper preparations
The chief audit executive (CAE) is responsible for establishing working paper policies and procedures. Well- written policies and procedures promote effective and efficient work and facilities consistence adherence to quality assurance standards. standards. Standardized working paper formats help to streamline the audit process and facilitate consistent, high –quality work across engagement. Care should be taken, however, not to standardize working papers so standardize working papers so ri gidly that they inhibit internal auditor ingenuity and creativity. Appropriate working paper standardization may include:
A uniform cross-referencing system for all engagements.
Consistent working paper layouts.
Standarlized “tick marks” (that is, symbols used on working papers to represent specific audit procedures).
A prescription for the types of information to store in permanent or carry-forward files (that is, files containing pertinent information of continuing importance for a particular auditee). Working paper files should be completed and well-organized. At the end of an engagement, the files should be cleared out so they contain only the final versions of the working papers completed during the engagement. Each individual working paper should stand on its own merits. This means, for example, that each working paper should :
Contain an appropriate index or reference number.
Identify the engagement and describe the purpose or contents of the working paper.
Be signed (or initialed) and dated by both the internal auditor who performed the work and the internal auditor(s) who reviewed the work. (Note that such a signature may be electronic).
Clearly identify the source of auditee data included on the working paper.
Include clear explanations of the specific procedures performed.
Be clearly written and easy to understand by internal auditors unfamiliar with the work performed ( for example, an internal auditor who refers to the working paper at a later date).
The bottom line is that the working paper should contain sufficient information for an internal auditor, other than the one who performed the work, to be able to reperform it. On the other hand, working papers should not contain more information than is necessary, they should be as concise as possible. Moreover, because time is a precious audit resource, internal auditors must always strive to prepare working papers the right way the first time. There is no time allocated for rewriting
them. The vital need for working papers to be prepared correctly, clearly, concisely, and quickly is one important reason why internal auditor proficiency in written communications is not an option- it is imperative. Working papers may be prepared in paper form, electronic form, or both. Using automated working paper software, whether purchased purchased from outside vendors or developed inin - house, is mow common. This software increase efficiency and facilities consistent organization and retention of documentation supporting an internal audit engagement. The Te am Mate case assignments the end of chapter 6, “Internal Control,” and chapter 12, “Introduction to the Engagement Process, “provide readers an opportunity to gain hands- on experience with the Team Mate EWP( Electronic Working Working Papers) software. software.
SUMMARY
This chapter focused on gathering and documenting audit evidence. The chapter began with a discussion of audit evidence and the procedures, both manual procedures and CAATs, that internal auditors use gather sufficient appropriate evidence. The chapter concluded with a discussion of working papers, which serve as the principal record of the procedures completed, evidence obtained, conclusions reached, and recommendations formulated by the internal audit team during the engagement. Eleven important things to remember about audit evidence and working papers are listed in exhibit 10-6. EXHIBIT 10-6 11 IMPORTANT THINGS TO REMEMBER ABOUT AUDIT EVIDENCE AND WORKING PAPERS 1. The quality of internal auditors’ conclusions and advice depends in their ability to gather and evaluate sufficient appropriate supporting evidence. 2. Professional skepticism means that internal auditor take nothing for granted, they continuously question what they hear and see and critically assess audit evidence. 3. To be persuasive, audit evidence must be relevant, reliable, and sufficient. 4. Audit procedures are specific tasks performed to gather the evidence required to achieve prescribed audit objectives. 5. Vouching involves tracking backward, backward, it is used to test the completeness of information. 6. Tracing involves tracking information forward, it is used to test the completeness of information. 7. Analytical procedures involve the comparison of information obtained during an engagement with predetermined expectations. 8. Internal auditors mush know how use generalized audit software (GAS), such as ACL or IDEA to extract and analyze electronically stored data. 9. Working papers serve as the principal record of the procedures completed, evidence obtained, conclusions reached, and recommendations formulated during an internal
audit engagement. 10. Working papers serve as the primary support for the internal audit team’s communications to the auditee, senior management, the board of director, and other stakeholders. 11. Electronic working papers, such as Team Mate EWP, increase audit efficiency and facilitate consistent organization and retention of audit documentation.
