Presented by Mark R. Kolman, CPA, CIA, CISA, CFE, CGAP June 2, 2017


1. Gain an understanding of the IIA’s IPPF guidance.

2. Discuss tips for managing audit assignments.

3. Identify the qualities of good audit work papers.

4. Review the essentials of workpaper techniques.

5. Discuss the effective timing of work papers.

6. Review the favorable use of tickmarks.

7. Discuss writing an audit comment/finding.

8. Examine the art of cross referencing.

9. Discuss review note techniques.

10. Identify techniques for handling time constraints.

Have You Ever Been to a Training Session Like The One In This Picture?

The Audit Model

Source: The Institute of Internal Auditors

The IPPF Mandatory

Guidance

Performance Standard 2300

Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement’s objectives.

Interpretation:

Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor. Reliable information is the best attainable information through the use of appropriate engagement techniques. Relevant information supports engagement observations and recommendations and is consistent with the objectives for the engagement. Useful information helps the organization meet its goals.

2320 – Analysis and Evaluation Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.

2330 – Documenting Information Internal auditors must document relevant information to support the conclusions and engagement results.

2330.A1 – The chief audit executive must control access to engagement records. The chief audit executive must obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate.

2330.A2 – The chief audit executive must develop retention requirements for engagement records, regardless of the medium in which each record is stored. These retention requirements must be consistent with the organization’s guidelines and any pertinent regulatory or other requirements.

2330.C1 – The chief audit executive must develop policies governing the custody and retention of consulting engagement records, as well as their release to internal and external parties. These policies must be consistent with the organization’s guidelines and any pertinent regulatory or other requirements.

2340 – Engagement Supervision Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.

Managing Audit Assignments

What are some ways to manage audit assignments?

Managing Audit Assignments

Read the engagement planning memo and understand the purpose of the audit.

Review the audit program objectives to make sure the goal is understood.

Get comfortable with the audit work assigned.

Establish deadline(s) for audit work. Due date(s) are identified and agreed upon.

Read over the audit step and envision what is needed in order to complete the step. Does it involve interviewing, observing, or testing? Who should be interviewed, what to look for, what documents will need to be obtained . . . etc.?

Establish budget hours for the audit work.

Creating world class work papers

What would they look like?

Audit Work Papers

Audit Documentation can be presented many ways. Three of the most common are:

1. memo or narrative format

2. work paper schedule or test work matrix

3. flow chart or walk-through document, etc.

[Figure: Purchase Process]

How are your World Class work papers designed?

ALL WORK PAPERS SHOULD HAVE:

Objective(s) (or Purpose):

Scope: (Optional)

Source: This defines "the source" of the information or document(s) being tested.

Procedure(s):

Conclusion:

Basics of Work Papers

Aesthetically pleasing work papers are easier to read!

• Organize logically.

• Be concise and eliminate non-essential information.

• Work papers must conform to your audit department standards.

• Use the client's reports, schedules, listings, etc., whenever possible, to avoid duplication of effort on the auditor's part.

• Perform test work right on the client's documents. Client-obtained documents make work papers more credible.

Effective Timing of Work Papers

What are some of the “things” you take into consideration concerning the timely documentation of work papers?

Effective Timing of Work Papers

Client discussions must be documented as soon after completion as possible! This enables the auditor to determine if any issues were not adequately addressed in the interview.

The date, client's name and title should be documented. This will facilitate follow up, if necessary.

The date and time of the interview/discussion should be documented if it is material to the issue being discussed.

We should communicate to the client any control weaknesses and discuss possible causes and solutions. Document the possible "causes and solutions" in the work papers.

The audit test work should be concluded on and completed as soon as possible so that you do not have to re-learn or “figure out” your conclusion.

Audit Comments should be documented immediately after test work/analysis and discussed with the client as soon as possible after the work paper documentation is complete or nearly complete.

Favorable Use of Tickmarks

What are Tickmarks?

What is a Tickmark Legend?

Favorable Use of Tickmarks

Tickmarks should be concise and should adequately explain the results of the audit procedure performed.

It should be evident as to whether or not an error or weakness was noted.

Suggested Standard Tickmarks

√ = attribute tested successfully

F = Foots.

CF = cross-foots

R = recalculated without exception

N/A = (attribute) not applicable

S = identified control strength

W = identified control weakness

GL = agreed to general ledger

T = traced successfully to

PBC = Prepared by client

WI = waived due to immateriality

Rx = reasonable explanation

E# = Exception (with the subscript “#” replaced with a number: 1, 2, 3, etc.)

JE = error corrected with journal entry # . Therefore, no exception noted.

O = verified by auditor observation # X

Potential Audit Comments

THE PURPOSE OF AUDIT COMMENTS

- To summarize audit results

- To facilitate report writing

- To facilitate discussions with the client

- To recommend solutions to problems identified

- To document client responses to problems identified

How To Write Potential Audit Comments

1. Prepare them as soon as the problem is discovered and the potential audit concern has been substantiated.

2. Complete each section of the prescribed audit concern format: (IPPF PA 2410-1 #7)

Condition,

Criteria,

Cause, (See IPPF PA 2320-2 for Root Cause Analysis)

Effect,

Recommendation.

In some cases it is better to ask the client for assistance in determining what the correct "effect," "recommendation" and "cause" should be.

Root Cause Analysis

IPPF Practice Advisory 2320-2, #7

“A true root cause analysis will seek to understand why good people make bad or inadequate decisions (e.g., Why did the person who made the decision think it was the right thing to do at the time?)”

Root Cause Analysis

IPPF Practice Advisory 2320-2, #5

The resources spent on root cause analysis should be commensurate with the impact of the issue or potential future issues and risks. In certain circumstances, root cause analysis may be as simple as asking “five whys.”

Root Cause Analysis

The Five (5) Whys

Example: Why did the worker fall?

Why? (1): Because of oil on the floor.

Why? (2): Because of a broken part.

Why? (3): Because the part keeps failing.

Why? (4): Because of changes in procurement practices.

Why? (5): Because budget cuts were ordered.

By the fifth why, you should have identified, or be close to identifying, the true root cause (why the decision was made).

The Art of Cross Referencing

When in doubt as to whether or not to hyperlink for a cross-reference, ask yourself, can I follow the logic/flow of this audit step:

(ELECTRONIC) Hyperlink to the supporting work paper and back?

(MANUAL) from the lead (or first) work paper to the supporting work paper and/or test work and back? Out on the right, in on the left!

Responding To Audit Review Notes

Communicates audit workpaper review.

Pet peeves about review notes

What do you like?

What do you not like?

How can we improve the review/coaching note process?

Responding to Review Notes

1. The most common mistake in answering review notes is that the auditor answers the note on the review note page rather than in the actual work papers;

2. When in doubt as to whether the reviewer is asking a rhetorical question or “just wondering,” respond to the note with a "Let's Discuss" or L/D;

3. The auditor should note on the review note sheet the exact spot where the review note was answered in the work papers;

4. All review notes should be removed from the work papers by the reviewer; TRUE?

5. If the auditor generates a new work paper or updates a work paper when answering a review note, the auditor’s response should clearly state what work paper was created or changed. This facilitates the re-review process;

6. Each review note should be signed off by the auditor answering it unless the note was redirected to the auditor responsible for that work;

7. Review notes should not be considered critical or threatening!

Understanding Time Constraints

What are some of the time constraints you face performing the audit work?

Understanding Time Constraints

Each auditor involved must discuss their assignment with the Senior Auditor and/or Manager and establish reasonable, achievable deadlines in order for the overall audit milestones or deadlines to be reached.

Each auditor is responsible for their audit efforts and producing results in a timely, efficient, and effective manner.

Auditors must be aware of and appreciate the deadlines for completing assignments.

Auditor assignments are part of the entire audit project which must be strategically planned and then completed on time.

Being more efficient and effective in our audits!

Six Common Mistakes That Will Derail an Internal Audit

Richard Chambers

1. Not setting aside enough time to adequately plan the audit.

2. Trying to audit too much (and scope creep).

3. Not involving the client.

4. Failing to augment the audit team with "functional expertise."

5. Forgetting the audit should ultimately add value.

6. Forgetting to follow the risks.

QUESTIONS?