Internal Audit Indonesia's

July 15, 2010

Entity Level Internal Audit Methodology

Filed under: Articles about Internal Audit — internalauditindonesia @ 12:00 am

How does it work?

This graphic represents the flow of phases of an entity level internal audit project. Each phase in blue has several corresponding tools that you will see if you click on the phase. The first phase is Determine Client Expectations. The second phase – Understand and Analyze the Business – has four important components. These components are on the bottom part of the graphic and are linked to the second phase by the gold triangle that says “Entity Level Business Risk Analysis”.

The next phase is Identify Target Processes and Risks. Once these have been analyzed you move on to Communicate Results. The Next Steps phase includes suggestions for following up and measuring quality.

The grey bar at the bottom of the graphic symbolizes the communication with clients and management that is crucial at all phases.

Delve down into the methodology to find overviews of each phase and tools to help you carry out a successful entity level internal audit.

Overview of Entity Level Methodology

Companies are under constant competitive pressure to identify and manage business risks and improve the performance of their business processes. They are demanding higher levels of assurance about:

Internal audit can respond to these demands through the use of Business Process Auditing (BPA). The BPA approach allows internal auditors to combine their existing skills and competence with new tools and knowledge bases to provide high value assurance and improvement services to their companies. These services include:

Financial statement audits focus on financial measures of business performance and usually involve only those business processes associated with processing accounting transactions and reporting financial information. Generally Accepted Accounting Principles (GAAP) is the assurance standard against which financial auditors compare the financial statements.

The BPA approach also takes into account over 70 business risks found in the Protiviti Risk Model℠. The assurance standard can be best practices, peer performance within the industry (based on financial or nonfinancial measures), or operating policies and performance expectations set by the company itself.

The objectives of BPA are to:

Business Process Auditing is designed to analyze and respond to important questions such as:

Using The BPA Approach

The BPA approach is designed to be adaptable and creative. While all the “phases” and “steps” of the BPA are generally needed to complete an effective audit, the BPA tools and specific methods can be used in a very flexible manner. The BPA can be used to audit sub-processes, to perform compliance audits or to audit a function. Many of the tools are alternatives, not required approaches. The tools range from guidelines and checklists to templates and problem-solving methods.

The flexibility of the BPA allows for great variety in the following:

The Entity Level BPA methodology focuses on understanding and analyzing the business. These phases are intended to provide an understanding of company strategies, metrics, processes, and high level risks and controls. This understanding is primarily used to identify the target processes and risks during the audit planning process.

IIA Standards

The BPA approach meets the Institute of Internal Auditors (IIA) standards for the professional practice of internal auditing. The standards can also be found in their entirety within this website in the Competency Center.

1. Communicate with management not just at the start of the audit but throughout it. Communication should include the objectives, the audit process, reporting format and protocols, where to spend resources, and assistance required.
2. Concentrate on the information to be included in the audit report throughout the entire audit (beginning to end).
3. Empower the in-charge auditor to discuss findings with management throughout the audit.
4. Focus on the entire business process rather than a specific function or department.
5. Focus on business risks and on improving process performance.

Information Technology

Companies are placing increasing reliance on information technology in almost every aspect of their business. The internal auditor cannot gain a satisfactory understanding of a company’s business, business processes, and risks without an understanding of how information technology (IT) is used.

The internal audit team must answer the following questions regarding Information Technology:

The internal audit team should assess the level of the company’s IT complexity and the level and nature of IT skills that will be needed in the engagement.

IT skills can be used in the following Business Process Audit phases:

1. Determine Client Expectations:
Identify the auditee’s expectations with regards to IT and identify ways in which the audit team can meet and exceed these expectations.
2. Understand and Analyze the Business:

3. Identify Target Processes/Risks:

4. Analyze Target Processes/Risks:

5. Communicate Results:
The audit team should communicate to the auditee its findings and recommendations regarding the functioning of IT processes as well as IT-related business risks in other processes.

Reviewing Information Technology

A review of the use and management of IT should be included in the audit to identify information technology risks and controls. Information Processing/Technology Risks can be defined as follows:

Access Risk:

The risk that access to information (data or programs) will be inappropriately granted or refused. IT access risks include risks of improper segregation of duties in IT processes and in application systems use, risks associated with the integrity of data and databases, and risks associated with information confidentiality.

Integrity Risks:

Relevance Risks:

Availability Risk:

The risk that information will not be available when needed, for reasons including loss of communications, loss of basic processing capability, operational difficulties, natural disasters, vandalism, sabotage, and accidents.

The potential business impacts associated with IT-related risks include the following:

Prioritizing IT Risks:

The techniques used to prioritize IT audits are the same basic techniques used for other types of audits:

Determining the auditable information systems activities requires that the audit team survey all known data processing centers, distributed processing applications and end-user computing applications to obtain an inventory of hardware, software, policies and procedures, and existing applications, including those in current development. Other useful information includes budgetary data and long-range plans. The objective in gathering this information is to define the overall information systems audit universe.

Criteria that may be used to prioritize the IT audit universe include:

Information Technology Controls

IT controls are sometimes categorized as either general controls or application controls. This is not always a useful distinction. In older information systems environments, where there was a separate IT function which was responsible for all computer resources, this function performed all aspects of developing and maintaining the operating environment and all application systems used in business processes. The controls over the risks in these activities were “general controls” because they applied generally to all IT resources.

Many businesses today have a variety of IT environments, typically run by the individual divisions, departments or locations of the business. If there is a central IT function, it is likely to have little or no control over these environments. While the same IT risks may exist in each environment, it is not possible to assess one set of “general controls” and assume that they will mitigate IT risks throughout the organization. The audit team needs to identify and understand each technology platform related to key business processes, and assess the risks and controls relevant to each important application and its technology environment, to the extent that the environment is dedicated to a process or business unit.

To the extent that they are applicable in an auditee environment, general controls and application controls can be described as follows:

General Controls:

1. Relate to IT organization, management, and operations processes and help to ensure a controlled environment within which applications can be developed, maintained, and used.
2. May relate to communications systems and networks as well as the computer itself.
3. Are general only to the extent that they are pervasive over all or most applications in both the data processing and user environments.
4. Affect the strengths and weaknesses of individual applications.
5. May include:

Application Controls:

1. Are specific to each application. Each application has its own inherent risks. The developers of the application build in controls, and the users establish additional controls around the application, in order to address these risks. Therefore, risks and controls need to be considered for each application separately. The input, processing and output processes related to the application need to be evaluated.
2. Are designed for the flow of transactions for a particular process and application, to meet the following general control objectives:

When an application control is identified as critical, the related general controls must also be effective to ensure the consistent and continuous operation of the application control over time.

Additional details regarding General and Application Controls can be found in the Systems Auditability and Control (SAC) Report, Module 2, Audit & Control Environment, pages 2-5 to 2-17.

Using Information Technology During the Audit

Information technology systems provide the internal auditor with the opportunity to use the computer to enhance the efficiency of the audit.

Information Technology can be used to support the conduct of more complete, efficient and effective audit engagements in the following ways:


Fraud is intentional deception, commonly described as lying, cheating, or stealing. Fraud can be perpetrated against customers, creditors, investors, suppliers, insurers, or governmental authorities and can be seen in the form of tax fraud, stock fraud, and short weights and counts.

The risk of fraudulent activities and ethical violations must be taken seriously. No organization or institution appears to be exempt from fraud. How much fraud is there? Estimates of fraud include:

A survey involving over 3,000 large and mid-size companies indicated that:

Fraud schemes are becoming more complex and, therefore, more difficult to detect. While some internal auditors are already fraud sensitive, using fraud assessment tools can improve the likelihood that complex frauds will be detected.

The Institute of Internal Auditors (IIA) professional standards state that the internal auditor is responsible for:

IIA standards also state that the internal auditor is not responsible for:

Foreign Corrupt Practices Act (FCPA)

The issue of fraudulent financial reporting has been examined by the National Commission on Fraudulent Financial Reporting (the Treadway Commission). The report of the Commission emphasized the importance of an ethical “tone at the top,” effective controls, written codes of conduct, internal auditors, and audit committees as deterrents to fraudulent reporting. The FCPA mandates that controls be established which are adequate to either prevent or detect illegal payments, with a reasonable degree of probability.

Given this primary role of management in establishing and monitoring the control system, a key concern is whether a high likelihood exists that management could override the control system. A higher probability of management override is associated with:

The Fraud Environment

The environment within a company is generally developed and maintained by senior management and the board of directors. To deter fraud, the environment should be a demanding one. Management should clearly set forth written policies demonstrating its commitment to fair dealing, its position on conflicts of interest, its requirement that only honest employees be hired, its insistence on strong internal controls that are well policed, and its resolve to prosecute the guilty.

There are three conditions that, when combined, move people to commit fraudulent acts:

Neither managers nor internal auditors can do much about an individual’s situational pressures. Managers can reduce the perceived opportunities by installing appropriate controls, and internal auditors can evaluate the adequacy and effectiveness of these controls.

One of the most effective ways to deter dishonest conduct is by not hiring dishonest employees. Management should at least verify backgrounds of employees. Senior management should insist on proper hiring practices; internal auditors should see that those practices are carried out as intended.

The possibility of detecting fraud increases with auditor awareness of where fraud may occur, with the use of modern techniques, and with an inquisitive audit approach that pursues suspicious conditions.

The Narrow Objective of Fraud Audits

A fraud audit has the narrow objective of uncovering the presence, scope, and means of intentional misstatement of records or misappropriation of assets. A fraud audit tends to be more detailed in approach, since it must uncover that which has been intentionally hidden. Flows of accounting numbers, as well as assets, may have to be reconstructed without an audit trail. The term fraud indicates some sort of deceptive act which harms another party. It is this deception which makes the discovery of fraud far more difficult than the discovery of errors.

The Impetus for Fraud Audits

An auditor must be alert to clues which suggest possible irregularities. Alertness and healthy skepticism may well be two of the auditor’s most important skills. Critical inquiry as to what irregularities are possible should be followed by an assessment of their likelihood, given the controls, supervisory practices, and the overall control environment. Anything detected as questionable should be resolved. Most often, the impetus for a fraud audit is some sign of an unusual transaction or a missing record.

Although the dollar magnitude may be relatively small, a fraud is considered to be qualitatively material. The reasons for this definition are that:
1. Frauds, by their very nature, can balloon quickly if not deterred;
2. The existence of fraud in and of itself indicates a weakness in controls; and
3. Frauds imply integrity issues that may have far-reaching consequences.
For example, if management made illegal payments, the company and the individual executives involved could face legal consequences and highly adverse publicity.

A key indicator of the more likely types of exposure faced by an auditee is the auditee’s past experience. Past occurrences of fraud have implications about management’s attitudes and integrity. In addition, such occurrences can serve as a signal to employees as to what type of reaction can be expected if they are discovered to be involved in an impropriety. A lack of corrective and/or disciplinary actions in the past can encourage future problems.

Usually, it is less expensive to prevent fraud than to detect it. Therefore, fraud prevention should take precedence over detection. Internal controls alone do not prevent fraud; they merely facilitate its detection. Fraud prevention measures include:

Fraud prevention requires creating a work environment that values honesty. Senior managers who are role models for integrity and fairness in their daily interactions with their peers and subordinates can create such an environment. Prevention also means regularly monitored and enforced internal controls. Therefore, prevention strategies include tight controls, ethical codes, fair treatment, awareness training, applicant screening, and honest role models.

Detection strategies include monitoring variance reporting systems, internal auditing, compliance auditing, and intelligence gathering.

Fraud auditing is creating an environment that encourages the detection and prevention of frauds in commercial transactions. Fraud auditing cannot be reduced to a simple checklist. It is an awareness, in the broadest sense, of many components, such as the human element, organizational behavior, knowledge of fraud, evidence and standards of proof, an awareness of the potentiality of fraud, and an appreciation of so-called red flags.

Fraud prevention within a company would include having in place, and communicating to all employees, an effective corporate code of conduct that should also include conflict-of-interest policy guidelines signed by employees. This will provide a clear understanding of the intent of management and the level of expectations. The company’s agreements, especially with its vendors, should contain a clause that allows the company to inspect the vendors’ records in the normal course of business.
