STATE OF NORTH CAROLINA COUNCIL OF INTERNAL AUDITING OFFICE OF INTERNAL AUDIT
PEER REVIEW PROGRAM
T24: TESTING TOOL – WORK PAPER REVIEW

The purpose of this tool is to evaluate the effectiveness of the guidance provided to the internal audit activity (IA activity) staff and of the coordination with management for planning, conducting, reporting, and following up of individual engagements. Most of this objective can be met by examining the work papers for selected engagements. The following review guide is designed to determine whether the IA activity staff and supervisors are adhering to IIA Standards and to provide information on which to base recommendations for enhancing the effectiveness of the IA activity.

Preparation Notes:
1. Obtain and review the IA activity’s policies and procedures for audit and consulting engagements and work paper preparation to use for criteria to determine if written for conformance with IIA Standards.
2. Note any condition of noncompliance with the IA activity’s policies and procedures as you review the selected work papers and complete the next sections of this tool.
3. List the information relative to the work paper file/report to be reviewed in the tables provided below.
4. Use the W/P Reference column to cite relevant work papers (both from the W/P file reviewed and from the QA W/P), as necessary, to support your comments and conclusions.
5. Write brief notes and comments in the reference tables below or refer to the relevant comments on the Observations and Issues Tool (located in the Appendix) where they are discussed.

1. Name of audit/consulting engagement:
   Dates performed:
   Report issue date:
   Date reviewed:
   QA member name:
   Comments on exceptions noted:

2. Name of audit/consulting engagement:
   Dates performed:
   Report issue date:
   Date reviewed:
   QA member name:
   Comments on exceptions noted:

3. Name of audit/consulting engagement:
   Dates performed:
   Report issue date:
   Date reviewed:
   QA member name:
   Comments on exceptions noted:

4. Name of audit/consulting engagement:
   Dates performed:
   Report issue date:
   Date reviewed:
   QA member name:
   Comments on exceptions noted:

WORKPAPER (W/P) FILE REVIEW
[Columns: 1 2 3 4]

A. Engagement Planning (Standard 2200). Internal auditors should develop and record a plan for each engagement, including the scope, objectives, timing, and resource allocations.

A.1. Assess the relevance and completeness of the background information gathered in advance of the engagement. The following items are examples of items that should have been considered/reviewed by the engagement team, in reviewing the structure, functions, and accountabilities of the customer:
• Organization charts, financial budgets, and reports.
• Relevant organization policies and processes (especially recent changes).
• Developments/practices in the industry and relevant government regulations.
• Prior IA activity engagements and their work papers.
• External audit and consulting reports (and work papers, if available).
Conclusion:

A.2. Review the consultative process with the customer (including the opening conference — either before or after the preliminary survey of controls). Evaluate the means used to obtain information about management controls, business processes, and accountabilities, as well as such techniques as surveys, interviews, and on-site observations. Determine whether the opening conference included:
• The customer’s expectations and suggestions for the engagement.
• Planned scope and objectives for the engagement.
• Agreement on the risks in the area covered.
• Special concerns and requests of customer management.
• Potential use of self-assessment and/or participation of customer staff in the engagement.
• Other measures of leveraging IA activity resources and reducing cycle time.
• When and with whom issues and potential recommendations will be discussed.
Conclusion:

A.3. Assess the preliminary survey of relevant controls — including discussions with customer management and staff, flowcharting and other systems analysis, systems walkthrough, etc., covering the principal areas of activity and the related management controls. Determine whether appropriate matters were considered, preliminary survey results were satisfactory, and these were adequately documented. Here are some examples of specific items: (Standards 2201, 2210.A1, 2220.A2)
• Strengths and weaknesses in systems and processes (and relevant causes).
• Significant policies and operating practices.
• Clear assignment of responsibilities and accountabilities.
• Adequate supervisory reviews and controls to prevent/detect override.
• Were major processes, systems, and controls identified?
• Was the potential for fraud considered?
• Were potential high risks/exposures identified and noted for testing?
• Were potential process improvements noted for further review?
• If significant areas were not reviewed or potential weaknesses noted during testing, was an appropriate discussion with IA activity management documented and/or an adequate explanation of why this was not done?
Conclusion:

A.4. Planning memorandum (Standard 2201.C1) – determine whether engagement scope and objectives reflect significant risks/issues disclosed by the background information, preliminary survey, and discussions with the customer. In particular:
• Was there adequate consideration of these risks/issues in establishing the time budget and the timing of the phases of the engagement?
• Were the risk assessment and other factors from the IA activity’s annual plan appropriately taken into account (particularly if there were significant differences in the annual plan and the engagement plan)?
• Were appropriate staff, including specialists, assigned and was full advantage taken of the potential for self-assessment, availability of customer staff, and other assistance from outside the IA activity? (2230)
• Was the prior audit and current planned work of the external auditors taken into account, including the possibility of a joint engagement?
• If there are other oversight/monitoring functions (evaluations, process improvement, quality assurance, etc.), was their past and planned work taken into account, including the possibility of a joint engagement?
Conclusion:

A.5. Engagement program (Standard 2240) – Determine whether it considered such factors as listed below, changes to it represented appropriate empowerment of staff, and these were discussed and agreed with IA activity management:
• Based on the preliminary review and planning memorandum.
• Appropriately covered the planned scope and objectives.
• Reviewed and approved by IA activity management.
• Prompted the engagement team to look for process improvement and other customer service opportunities.
Conclusion:

A.6. Scope of work (Standard 2110.A2) – based on the objectives and scope set out in the engagement program, up to five of the following assurance Standards areas should be covered and/or other relevant consulting services areas:
• Reliability and integrity of financial and operational information
• Compliance with policies, plans, procedures, laws, or regulations
• Safeguarding assets
• Efficiency of operations
• Accomplishment of established goals and objectives for programs or operations (program effectiveness)

A.6.1. Reliability and integrity of information – did the program include appropriate procedures to determine whether systems and controls provided for:
• Adequate, complete, and current records?
• Properly reviewed and approved transactions?
• Accurate, timely, and relevant information produced by the systems?
• Adequate controls to detect/prevent errors and irregularities?

A.6.2. Compliance with policies, plans, procedures, laws, or regulations:
• Were there skills and expertise represented on the engagement team, did the program contain tests of policies, plans, procedures, and laws or regulations and were they performed and documented adequately? If not, are there appropriate justifications of omissions and approval of management of the IA activity?

A.6.3. Safeguarding of assets – did the program contain appropriate procedures and were they performed and documented adequately to cover, for example:
• Adequate separation of duties and staffing of functions?
• Rotation of sensitive duties among competent employees?
• Adequate verification and reconciliation procedures?
• Review and approval by authorized supervisors, including surprise reviews?
• Adequate physical protection of assets and records?
A.6.4. Efficiency of operations – did the program contain appropriate procedures and were they performed and documented adequately to cover:
• Clear identification of operating standards and measurement criteria?
• Whether standards are aligned with organizational goals and objectives?
• Management and staff understanding of their application?
• Whether standards are being met?
• Identification and analysis of deviations from standards?
• Identification and analysis of inefficient or uneconomic use of resources and other opportunities for improvement?
Conclusion:

A.7. Accomplishment of established objectives and goals for operations or programs (program effectiveness) – was the program adequate and was it performed so that there was appropriate coverage of:
• Identification and assessment of relevant objectives and goals, along with the systems to measure how well these were met?
• Appropriate measurement criteria for evaluating operation or program effectiveness?
• Determination of whether objectives and goals were met?
• Assessment of whether customer’s techniques and data measured effectiveness and led to remedial actions where appropriate?
• Evidence that process improvement was part of the operation or program?
• Evidence that the engagement team looked for and pursued additional potential improvements and other customer service opportunities?

Conclude as to overall adequacy of preparation and engagement planning, scope of the work, and related program. Identify opportunities for improvement:

WORKPAPER (W/P) FILE REVIEW

B. Examining and evaluating information (Standards 2310-2340) – to assess how well the engagement team executed the program, documented their work, and supported their conclusions and recommendations.

B.1. Through review and testing of the workpapers, evaluate whether the nature and extent of the engagement team’s work met the stated scope and objectives and represented a reasonable execution of the program.

B.2. Determine whether the workpapers support the findings, conclusions, and recommendations contained in the report. Did these show condition, criteria, risk, and potential effect?

B.3. If findings, particularly if they appear significant, in the workpapers were not included in the report, evaluate the explanation of why these were excluded.

B.4. Appraise engagement team/supervisory relationships and actions when the conditions encountered indicate changes should have been made to the audit procedures — were they made or not, and how were the new procedures communicated and approved (and documented)?
Conclusion:

B.5. Guidance for workpaper preparation suggests standards for labeling, referencing, content, and documentation formats. If an automated workpaper package is used by the IA activity, similar standards should be incorporated and the appropriate electronic evidence should be indicated therein. Determine whether the following were applied (or reasonable alternatives were followed):
• Cross-referenced to the program.
• Labeled with a heading describing the engagement, its date or period, and the specific test or procedure the workpaper supports.
• Initialed and dated by the auditor and, for at least section summaries and a reasonable sample of detailed workpapers, by the reviewer.
• Indexed and numbered systematically.
• Documented or referenced to show clearly the source of information or materials examined/tested.
• Footnoted with explanations of any symbols used.
• Adequately explained/justified as to how samples and other tested items were selected.
• Summarized descriptions of test results, conclusions, and recommendations.
• Evidence of discussions with the customer about findings, recommendations, and possible remedial actions — with the customer’s response, where appropriate. No “loose ends” or other evidence of unresolved matters.
• Orderly filing, ready for permanent storage.

Conclude as to overall program execution and other elements of engagement performance, as evidenced by the work papers. Identify opportunities for improvement and other “best practice” alternatives.

WORKPAPER (W/P) FILE REVIEW

C. Due professional care (Standard 1220) – relating primarily to additional care and procedures employed in assisting management to deter and detect fraud.

C.1. Determine what the auditors did to assist management in testing and evaluating adequacy/effectiveness of internal controls, commensurate with exposures/risks in areas audited, and whether these audit steps were reasonable for deterrence and detection of fraud. For example, did they determine whether:
• The organizational environment fostered adequate control consciousness?
• Realistic organizational goals and objectives were set?
• Written policies, including a code of conduct, existed — that described prohibited activities and actions to be taken when violations are discovered?
• Appropriate authorization policies were established and maintained for transactions, contracts, and other commitments of resources?
• Policies, procedures, reports, and other mechanisms were developed to monitor activities and safeguard assets, particularly in high-risk areas?
• Communications channels provided management with adequate and reliable information, particularly with respect to confidential employee reporting?
• There were potential opportunities for enhancement of controls and these were included for discussion and consideration as recommendations?

C.2. Determine whether the auditors were alert to opportunities that could allow fraud. If these were found, did the internal auditors:
• Conduct additional tests and investigation directed toward finding other indicators of fraud — such as unauthorized transactions, override of controls, unexplained exceptions, unusual trends, or similar exceptions?
• Pursue these indicators until there was a determination whether fraud had been committed and what further actions, including remedial steps, should be taken?
• Notify proper authorities within the agency/university and determine that appropriate action would be taken?

Conclude as to whether the internal auditors exercised due professional care and performed the procedures necessary in the circumstances, as well as covering these matters adequately in their report. Identify further opportunities for improvement of the audit and reporting process and for assisting management in improving controls for prevention and detection of fraud. (These could include new techniques and “best practices” of fraud prevention and detection, such as a “soft controls” questionnaire, confidential employee hotline for reporting improper or suspicious activities, and broad-based self-assessment, evaluation, and reporting of controls.)

WORKPAPER (W/P) FILE REVIEW

D. Communications with the customer up to completion of the engagement (Standard 2400) – to assess the effectiveness of these processes, as evidenced by the work papers.

D.1. Include an evaluation of timing and content of communications (of potential report matters and other significant issues) during the engagement, agenda, and attendance for the closing/exit conference (to enhance buy-in and likelihood of achieving “closure”), and related customer relations matters.

E. Supervision (Standard 2340) – to assess the quality of supervision of the engagement, as well as the empowerment of staff, adequacy and timing of communication between the supervisor/reviewer(s) and the engagement team, and adequate documentation of supervisory involvement.
• Appropriate involvement in preparation and planning for the engagement, obtaining input from the customer, determining scope and objectives, and preparation of the program.
• Assistance, as necessary, in leveraging IA activity resources, including encouragement of self-assessment by the customer and participation in the engagement.
• Appropriate, timely availability during the engagement for discussion of potential changes to scope and objectives, customer requests, sensitive issues, etc.
• Timely review of work papers and report draft (preferably stratified into detailed “peer” review and higher level managerial review of summary work papers and significant findings and potential report matters).
• Appropriate, timely involvement in the closing/exit conference, including preparation of the agenda.

E.1. Determine whether there was adequate evidence in the work papers of supervisory guidance and review. Consider both the level(s) of those with supervisory/review roles and the value their involvement added to the engagement.

Conclude as to the adequacy of supervisory guidance and review. Identify opportunities for improvement, both in supervisory processes and empowerment of engagement staff.

WORKPAPER (W/P) FILE REVIEW

F. Communicating results and follow-up (Standards 2400-2500) – to assess the effectiveness of report preparation and issuance cycle, appropriateness of the report(s), and adequacy of implementation follow-up.

F.1. If the findings or the time needed to finalize the project made an interim report desirable, determine whether one was issued to provide the customer with relevant information (e.g., for commencement of remedial actions) while awaiting the final report.

F.2. Determine whether there was an adequate draft or outline report prepared in time for the closing/exit conference, to enable the customer and the engagement team to discuss, face to face, all significant findings and potential report matters. Test such draft/outline against the work papers to determine whether the potential report matters are adequately referenced and supported by the work papers.

F.3. Does the closing/exit conference memo contain adequate evidence of management’s responses and decisions, indicating whether they agree with the potential recommendations or, if they do not agree, they have appropriate alternative actions or have consciously assumed the risk of not taking remedial actions?

F.4. Review the report agreement and issuance process for evidence of adequate, timely communication with the customer, resolution of differences, and determination of responses/planned remedial actions.

F.5. Was the final report(s) stratified/segregated into significant issues and “minor matters” (for resolution by the customer, without the need for higher levels of management to be involved or IA activity’s prompt follow-up)?

F.6. Review the final report and assess it as to appropriateness in relation to the processes documented/discussed in F.4 above, its indicated distribution, and its timely issuance.

F.7. Determine whether there was timely follow-up (repeated, as necessary) to ensure that adequate remedial actions had been taken or appropriate notification made to higher levels of management.

F.8. Inquire as to how significant matters are communicated to senior management and the board (e.g., in periodic executive summaries of important issues, needed remedial actions with applicability beyond the engagement from which the report originated, and for dissemination of “best practices”).

Conclude as to the adequacy of the report agreement, issuance, and follow-up processes and identify opportunities for improvement.

WORKPAPER (W/P) FILE REVIEW

G. Engagement management (Standard 2030) – assess the effectiveness of the use of a time budget and other engagement process improvement tools.
• Hours budgeted and actual hours by engagement segment?
• Variances, with explanations of significant variances?

G.1. Did the work papers contain memoranda on engagement problems and potential improvements to enhance effectiveness, customer relations, tools and techniques, etc.? In particular, did these memoranda address potential improvements in the engagement performance and report issuance cycles?

G.2. Were procedures in place to ensure that the Internal Audit Director and/or other IA activity management were aware of engagement problems and opportunities to improve effectiveness on a timely basis and was there corresponding evidence in the work papers?

Conclude as to the effectiveness of engagement management and continuous improvement thereof:

Prepared by:
Date:
Reviewed by:
Date: