Evaluating the Design and Effectiveness of Internal Control


Overview

Internal auditing adds value to the organization by helping it accomplish its objectives, bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.

Internal auditing follows a structured, logical, and organized series of steps and procedures. The audit process is primarily an evidence-gathering process and consists of four phases:
  • Planning
  • Gathering and Evaluating Audit Evidence
  • Reporting
  • Follow Up
Course Objectives

After studying this module, you should be able to:
  • Understand the criteria used in evaluating the design and effectiveness of internal control
  • Understand the different methodologies used in evaluating internal control
  • Apply these methodologies to evaluate the components of internal control, including deficiencies and significant deficiencies in internal control
  • Understand the nature of tests of controls and explain the rationale for conducting them
  • Discuss the requirements and methods for reporting significant deficiencies in internal control to management and those charged with governance
Course Materials

Planning

The auditor should plan the audit so that the engagement is performed in an effective manner. The audit plan includes the nature, timing, and extent of the audit procedures to be performed by the auditor in order to obtain sufficient appropriate audit evidence to support the audit conclusion on whether internal control is effective.

In conducting the internal audit, the chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals. This means that the audit plan must be logically related to identified risks of the organization.

In planning, the internal auditor usually conducts a preliminary survey in order to accumulate relevant information about the operation to be audited: the objectives, the people, the processes, and the systems involved. As part of the preliminary survey of the engagement area, the internal auditor can start with a review of previous audit reports and other relevant documentation, develop checklists and internal control questionnaires, and conduct interviews and walkthroughs.

In preparing the risk-based plan, the internal auditor must assess the risks faced by the organization (discussed in Chapters 5 and 6) and the risk that the auditor will not detect conditions relevant to supporting the audit opinion. The combination of these risks is called audit risk. The IIA has no official definition of audit risk and its components, so we can adopt the AICPA Audit Risk Model:

Audit Risk = Inherent Risk x Control Risk x Detection Risk

In an audit of historical financial statements, obtaining an understanding of an entity’s controls is not sufficient to test their operating effectiveness, unless there is some automation that provides for the consistent operation of the controls.

In assessing control risk, an auditor must consider design of controls, whether they have been placed in operation, and, if they are in use, their effectiveness. Design refers to the controls that have been established, and effectiveness refers to how the controls actually function.

A risk control matrix is a useful tool to help ensure that internal auditors adequately account for risk at the engagement level and ensure that all significant risks identified are addressed in subsequent fieldwork. Flowcharts and narrative techniques are sometimes used in conjunction with a risk control matrix.

Gathering and Evaluating Audit Evidence

Audit evidence is necessary to support the auditor’s conclusion as to the effectiveness of internal control. Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement’s objectives.

Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor. Sufficiency is the measure of the quantity of audit evidence. The quantity of audit evidence needed is affected by the auditor’s assessment of the risks – the higher the assessed risks, the more audit evidence is likely to be required.

Reliability and relevance measure the quality (appropriateness) of audit evidence in providing support for the conclusions on which the auditor’s opinion is based. The quality affects the quantity of evidence - the higher the quality, the less evidence may be required.

Reliable information is the best attainable information through the use of appropriate engagement techniques. Reliability of information is influenced by its source and its nature, and the circumstances under which it is obtained, for example:
  • The reliability of audit evidence is increased when it is obtained from independent sources outside the entity.
  • The reliability of audit evidence that is generated internally is increased when the related controls, including those over its preparation and maintenance, imposed by the entity are effective.
  • Audit evidence obtained directly by the auditor (for example, observation of the application of a control) is more reliable than audit evidence obtained indirectly or by inference (for example, inquiry about the application of a control).
  • Audit evidence in documentary form, whether paper, electronic, or other medium, is more reliable than evidence obtained orally (for example, a contemporaneously written record of a meeting is more reliable than a subsequent oral representation of the matters discussed).
  • Audit evidence provided by original documents is more reliable than audit evidence provided by photocopies or facsimiles, or documents that have been filmed, digitized or otherwise transformed into electronic form, the reliability of which may depend on the controls over their preparation and maintenance.
Audit evidence is obtained by performing audit procedures:
  • Analytical procedures
  • External confirmation
  • Inspection
  • Inquiry
  • Observation
  • Reperformance
  • Recalculation
Analytical procedures consist of evaluations of financial information made by a study of plausible relationships among both financial and non-financial data. Analytical procedures also encompass the investigation of identified fluctuations and relationships that are inconsistent with other relevant information or deviate significantly from predicted amounts. Analytical procedures may include:
  • Reasonableness tests
  • Variance analysis
  • Trend analysis
  • Ratio analysis
  • Regression analysis
  • Cause and effect diagrams
  • Pareto analysis
  • Period to period comparisons
  • Comparisons with budgets, forecasts, and economic information
  • Comparison with independent causal or related factors

A confirmation represents audit evidence obtained by the auditor as a direct written response to the auditor from a third party (the confirming party), in paper form, or by electronic or other medium. For example, confirmation of bank balances and other information, account receivable balances, or inventories held on consignment. There are two types of confirmation:

Positive confirmation asks the respondent to reply to the auditor in all cases, either by indicating the respondent’s agreement with the given information or by asking the respondent to fill in the information (blank confirmation).
Negative confirmation asks the respondent to reply only in the event of disagreement with the information provided in the request.

Inspection involves examining records or documents, whether internal or external, in paper form, electronic form, or other media, or a physical examination of an asset. For example, review of the board of directors’ meeting minutes for evidence of authorization, or inspection of a company building to determine its condition.

Inquiry consists of seeking information from knowledgeable persons, both financial and nonfinancial, within or outside the entity. Inquiry is used extensively throughout the audit in addition to other audit procedures. For example, a questionnaire asking senior management to rank the risks faced by the organization, or a letter to legal counsel asking for information about litigation, claims, and assessments against the company.

Observation consists of looking at a process or procedure being performed by others, for example, the auditor’s observation of inventory counting by the entity’s personnel, or of the performance of control activities. Observation provides audit evidence about the performance of a process or procedure but is limited to the point in time at which the observation takes place, and by the fact that the act of being observed may affect how the process or procedure is performed. For example, observation of the year-end physical inventory count or tour of the facility to observe the day-to-day operations.

Reperformance involves the auditor’s independent execution of procedures or controls that were originally performed as part of the entity’s internal control. For example, independently preparing the bank reconciliation or the aging of accounts receivable.

Recalculation consists of checking the mathematical accuracy of documents or records. Recalculation may be performed manually or electronically. For example, checking the calculation of depreciation expense, prepaid expense, etc., testing the mathematical accuracy of sales invoices and inventory listings, and footing journals and subsidiary ledgers.

Audit Sampling

The audit procedures are then applied to the items selected for testing or evaluation. The auditor may select all items, specific items, or a sample.

The auditor may decide that it will be most appropriate to examine the entire population of items.

The auditor may decide to select specific items from a population. This is also known as non-statistical (or judgmental) sampling. The judgmental selection of specific items is subject to non-sampling risk, the risk that the auditor reaches an erroneous conclusion for any reason not related to sampling risk. Examples of non-sampling risk include the use of inappropriate audit procedures, misinterpretation of audit evidence, and failure to recognize a misstatement or deviation. Judgmental sampling relies on the experience of the auditor to determine the size and nature of the sample.

Under PSA 530, audit sampling (a.k.a. statistical sampling) is the application of audit procedures to less than 100% of items within a population of audit relevance such that all sampling units have a chance of selection in order to provide the auditor with a reasonable basis on which to draw conclusions about the entire population. 

Statistical sampling methods produce a scientifically random sample with test results that can be quantified in terms of a confidence level and precision. Statistical sampling has the following characteristics: random selection of the sample items, and the use of probability theory to evaluate sample results, including measurement of sampling risk.

For example, an auditor can conclude that he is 95% confident that the error rate of the population is 3% plus or minus 2%. Say the auditor tests 100 transactions from a population of 1,000; the auditor is 95% confident (not 100% certain) that 30 to 50 transactions are in error.

Sampling is not perfect. It is subject to sampling risk, the risk that the auditor’s conclusion based on a sample may be different from the conclusion that would be reached if the entire population were subjected to the same audit procedure. The auditor may conclude that controls are more or less effective than they actually are.

Sample size is determined based on the following factors: confidence level, tolerable deviation rate (acceptable sampling risk), and expected population deviation rate. You can determine sample size using a sample size calculator, a published statistical table, or a formula (e.g. Slovin’s formula, the Cochran formula, etc.).

Suppose the confidence level is 95%, the tolerable deviation rate is 5%, and the expected population deviation rate is 10%. Compute the sample size using the Cochran formula.

By merely looking at the formula, we can determine the relationship between the factors and the sample size. Remember that the numerator is directly related to the sample size, and the denominator is inversely related to the sample size. Thus, an increase in the z-value or in the expected population deviation rate will increase the sample size, while an increase in the tolerable deviation rate will decrease the sample size.

In summary:
  • If the tolerable deviation rate increases, the sample size will decrease.
  • If the expected deviation rate increases, the sample size will increase.
  • If the confidence level increases, the sample size will increase.
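As an added worked example (not part of the course module), the following Python code applies Cochran’s formula n0 = z² · p · (1 - p) / e², with z taken from the confidence level, p as the expected population deviation rate and e as the tolerable deviation rate, which is the mapping the module uses. The finite-population correction and the small z-value lookup table are assumptions added here. The sensitivity function reproduces the three relationships stated above; note that the expected-rate relationship holds because p(1 - p) increases only while p is below 50%, which covers every realistic expected deviation rate.

```python
"""Sample-size computation for an attributes (test of controls) sample.

Added example, not part of the course module. Implements Cochran's formula
    n0 = z^2 * p * (1 - p) / e^2
with z = standard-normal value for the confidence level, p = expected
population deviation rate, e = tolerable deviation rate. The finite-population
correction n = n0 / (1 + (n0 - 1) / N) is the usual companion to the formula
and is an addition here; the z-value table is an assumed lookup limited to
three common confidence levels.
"""
import math

# Two-sided standard-normal critical values (assumed lookup table).
Z_VALUES = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}


def cochran_sample_size(confidence, expected_rate, tolerable_rate, population=None):
    """Return the attributes sample size, rounded up to a whole item.

    confidence     -- e.g. 0.95
    expected_rate  -- expected population deviation rate, e.g. 0.10
    tolerable_rate -- tolerable deviation rate, e.g. 0.05
    population     -- optional population size N for the finite-population
                      correction; None treats the population as infinite
    """
    if not 0 < expected_rate < 1 or not 0 < tolerable_rate < 1:
        raise ValueError("rates must be strictly between 0 and 1")
    if confidence not in Z_VALUES:
        raise ValueError(f"no z-value tabulated for confidence {confidence}")
    z = Z_VALUES[confidence]

    n0 = (z ** 2) * expected_rate * (1 - expected_rate) / (tolerable_rate ** 2)
    if population is not None:
        if population < 1:
            raise ValueError("population must be at least 1")
        n0 = n0 / (1 + (n0 - 1) / population)
    # A fraction of an item cannot be tested, so always round up.
    return math.ceil(n0)


def sensitivity(confidence, expected_rate, tolerable_rate):
    """Show how each factor moves the sample size, as the module states.

    Returns a dict mapping a change description to (before, after).
    """
    base = cochran_sample_size(confidence, expected_rate, tolerable_rate)
    return {
        "tolerable rate up": (base, cochran_sample_size(confidence, expected_rate, tolerable_rate + 0.02)),
        "expected rate up": (base, cochran_sample_size(confidence, expected_rate + 0.05, tolerable_rate)),
        "confidence up": (base, cochran_sample_size(0.99, expected_rate, tolerable_rate)),
    }


if __name__ == "__main__":
    # The module's worked case: 95% confidence, 5% tolerable, 10% expected.
    print(cochran_sample_size(0.95, 0.10, 0.05))                   # 139
    print(cochran_sample_size(0.95, 0.10, 0.05, population=1000))  # 122
    for change, (before, after) in sensitivity(0.95, 0.10, 0.05).items():
        print(f"{change}: {before} -> {after}")
```

For the module’s inputs the formula gives n0 = 1.96² × 0.10 × 0.90 / 0.05² = 138.3, so 139 items are tested; applying the correction for a population of 1,000 reduces this to 122. Raising the tolerable rate to 7% drops the sample to 71, raising the expected rate to 15% lifts it to 196, and moving to 99% confidence lifts it to 239.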

After determining the sample size, the next step is to select the items to be tested. Some commonly used methods of sample selection are discussed in the following paragraphs:

Random sampling. Each item in the population has an equal and nonzero probability of selection. It is usually carried out by generating random numbers from a random number table or a computer program and tracing them to the associated documents or items in the population.

Systematic selection or interval sampling. Instead of using random numbers, an auditor may decide to choose items that are a certain interval apart on a list. For example, an auditor might select every 30th item starting at a randomly selected point.

Stratified random sampling. If the population is heterogeneous, an auditor may subdivide it into more coherent units, subpopulations or strata, before selecting random samples from each unit.

Cluster sampling. This is akin to stratified random sampling, but in this case the clusters already exist, and the auditor does not select the characteristics for grouping them. A cluster might be a box, a room, or a building containing the sampling units that make up the population. Instead of aggregating all the items, the auditor selects clusters to test and then decides whether to sample items within a cluster or to test them all.

Haphazard sampling. As the name itself suggests, this lacks credibility. The auditor selects the sample without following a structured technique, simply taking whatever items are convenient. This is not appropriate for statistical sampling. Note that this method is not random sampling. It usually takes place when the auditor sends a questionnaire to a selected group and uses the responses returned voluntarily. In no sense is it random, since the sample contains only those interested enough to respond and is likely biased towards some shared characteristic of the respondents.

Stop-and-Go sampling. When the auditor expects a relatively error-free population, the auditor may begin testing with a small sample. If the sample demonstrates the anticipated low error rate, the auditor may choose to stop sampling. Otherwise, the auditor proceeds with further sampling or with full-scale statistical sampling.

Discovery sampling. This does not intend to characterize a population on the basis of a sample. Instead, its objective is to uncover at least one instance of suspected serious problem such as fraud. It is appropriate when the management policy is zero tolerance. (Your girlfriend scanning your phone is probably one example of discovery sampling.)
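The four structured selection methods above (random, systematic, stratified and cluster), as an added Python illustration that is not the module’s own material. The invoice population, its two amount bands (the strata) and its ten filing boxes (the clusters) are constructed here for the example; a fixed seed makes each selection reproducible, which is also what an auditor wants when documenting how a sample was drawn.

```python
"""Sample selection methods on a constructed population of invoice records.

Added example, not part of the course module. The population, strata and
clusters below are constructed for illustration; a fixed seed makes the
selections reproducible so the working papers can show how each was drawn.
"""
import random

# Constructed population: 1,000 invoices with an amount band (the stratum)
# and the filing box they are stored in (the cluster).
POPULATION = [
    {"id": f"INV-{i:04d}",
     "band": "high" if i % 10 == 0 else "low",   # 100 high-value, 900 low-value
     "box": (i - 1) // 100}                      # boxes 0..9, 100 invoices each
    for i in range(1, 1001)
]


def random_selection(items, n, seed=0):
    """Simple random sample: every item has an equal, nonzero chance."""
    return random.Random(seed).sample(items, n)


def systematic_selection(items, n, seed=0):
    """Interval sampling: every k-th item from a random start within the first interval."""
    k = len(items) // n                        # sampling interval
    start = random.Random(seed).randrange(k)   # random starting point
    return [items[start + j * k] for j in range(n)]


def stratified_selection(items, n, key, seed=0):
    """Stratified random sample with quotas proportional to stratum size.

    Integer parts are allocated first; any shortfall goes to the largest
    strata so the total is exactly n.
    """
    strata = {}
    for item in items:
        strata.setdefault(key(item), []).append(item)
    total = len(items)
    quotas = {s: (n * len(members)) // total for s, members in strata.items()}
    short = n - sum(quotas.values())
    for s in sorted(strata, key=lambda s: len(strata[s]), reverse=True)[:short]:
        quotas[s] += 1
    rng = random.Random(seed)
    sample = []
    for s, members in strata.items():
        sample.extend(rng.sample(members, quotas[s]))
    return sample


def cluster_selection(items, clusters_to_pick, key, seed=0):
    """Cluster sample: pick whole pre-existing groups, then test everything in them."""
    groups = {}
    for item in items:
        groups.setdefault(key(item), []).append(item)
    rng = random.Random(seed)
    chosen = rng.sample(sorted(groups), clusters_to_pick)
    return [item for g in chosen for item in groups[g]]


if __name__ == "__main__":
    print(len(random_selection(POPULATION, 50)), "items by random selection")
    print([x["id"] for x in systematic_selection(POPULATION, 50)][:3], "... every 20th invoice")
    strat = stratified_selection(POPULATION, 50, key=lambda x: x["band"])
    print(sum(x["band"] == "high" for x in strat), "high-value invoices in a stratified sample of 50")
    print(len(cluster_selection(POPULATION, 2, key=lambda x: x["box"])), "items from two whole boxes")
```

With a sample of 50 from 1,000 invoices the systematic interval is 20, and the proportional stratified quotas are 5 high-value and 45 low-value invoices. Haphazard selection is deliberately absent: it has no procedure to implement, which is exactly why it cannot support a statistical conclusion.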

Evaluation

After performing the sampling plan, the auditor summarizes and evaluates the results. The evaluation involves comparing the upper deviation rate with the tolerable rate of deviation and evaluating the effectiveness of the control accordingly. The upper deviation rate is the sum of the sample deviation rate (number of deviations observed / sample size) and the allowance for sampling risk. If the upper deviation rate is equal to or less than the tolerable deviation rate, the control is considered effective. Conversely, if the upper deviation rate is greater than the tolerable deviation rate, the control is considered not effective.

In non-statistical sampling, the sample deviation rate is compared with the tolerable rate or the expected population deviation rate. In evaluating the results of audit sampling, the auditor must also consider qualitative information, such as the nature of the deviations.
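The evaluation step above, carried through in Python as an added example that is not part of the module. The module defines the upper deviation rate as the sample deviation rate plus the allowance for sampling risk but does not say how the allowance is derived, so this code uses a one-sided normal approximation, z · sqrt(p(1 - p) / n), as an assumption; when no deviations are found that approximation collapses to zero, so the exact zero-deviation binomial bound 1 - (1 - confidence)^(1/n) is used instead. Audit firms usually read the allowance from binomial or Poisson tables, which give somewhat larger allowances for small samples. The qualitative point from the last paragraph is modelled as a flag that overrides the numeric conclusion.

```python
"""Evaluating an attributes sample: upper deviation rate versus tolerable rate.

Added example, not from the course module. Assumptions:
  * allowance for sampling risk = one-sided z * sqrt(p(1-p)/n) (normal approximation);
  * with zero deviations the exact bound 1 - (1 - c)^(1/n) is used instead,
    because the normal approximation would give an allowance of zero;
  * the one-sided z table covers three common confidence levels only.
"""
import math

ONE_SIDED_Z = {0.90: 1.282, 0.95: 1.645, 0.99: 2.326}  # assumed lookup table


def sample_deviation_rate(deviations, sample_size):
    """Observed deviations divided by the number of items tested."""
    if sample_size <= 0 or not 0 <= deviations <= sample_size:
        raise ValueError("deviations must be between 0 and sample_size")
    return deviations / sample_size


def allowance_for_sampling_risk(deviations, sample_size, confidence):
    """Allowance added to the sample rate to reach the upper deviation rate."""
    if confidence not in ONE_SIDED_Z:
        raise ValueError(f"no z-value tabulated for confidence {confidence}")
    if deviations == 0:
        # Exact upper bound on the population rate when a sample of n shows
        # no deviations: the largest p for which (1-p)^n >= 1-c.
        return 1 - (1 - confidence) ** (1 / sample_size)
    p = sample_deviation_rate(deviations, sample_size)
    return ONE_SIDED_Z[confidence] * math.sqrt(p * (1 - p) / sample_size)


def evaluate_control(deviations, sample_size, tolerable_rate, confidence=0.95,
                     any_intentional=False):
    """Statistical evaluation: compare upper deviation rate with tolerable rate.

    any_intentional -- qualitative flag: a deviation judged intentional (e.g.
    an override of the control) means the control cannot be relied on whatever
    the arithmetic says, and the matter needs investigation.
    """
    sdr = sample_deviation_rate(deviations, sample_size)
    allowance = allowance_for_sampling_risk(deviations, sample_size, confidence)
    udr = sdr + allowance
    if any_intentional:
        effective = False
        conclusion = "investigate: intentional deviation found, rates alone are not decisive"
    elif udr <= tolerable_rate:
        effective = True
        conclusion = "control effective: upper deviation rate within tolerable rate"
    else:
        effective = False
        conclusion = "control not effective: upper deviation rate exceeds tolerable rate"
    return {
        "sample_deviation_rate": sdr,
        "allowance": allowance,
        "upper_deviation_rate": udr,
        "tolerable_rate": tolerable_rate,
        "effective": effective,
        "conclusion": conclusion,
    }


def evaluate_nonstatistical(deviations, sample_size, benchmark_rate):
    """Non-statistical evaluation: sample deviation rate against the tolerable
    or expected rate, with no allowance for sampling risk."""
    return sample_deviation_rate(deviations, sample_size) <= benchmark_rate


if __name__ == "__main__":
    # Sample of 139 items (the module's Cochran case), 5% tolerable rate.
    for found in (3, 4):
        r = evaluate_control(found, 139, 0.05)
        print(f"{found} deviations: UDR={r['upper_deviation_rate']:.4f} -> {r['conclusion']}")
    # Zero deviations: 60 items are enough at 5%/95%, 50 items are not.
    for n in (60, 50):
        r = evaluate_control(0, n, 0.05)
        print(f"0 of {n}: UDR={r['upper_deviation_rate']:.4f} -> {r['conclusion']}")
```

Three deviations in 139 items give a sample rate of 2.16% and an upper deviation rate of about 4.19%, so the control is accepted at a 5% tolerable rate; a fourth deviation pushes the upper rate to about 5.21% and the conclusion flips. The zero-deviation case shows why sample size matters even when nothing is found: 60 clean items support a 5% tolerable rate at 95% confidence (upper rate about 4.87%), 50 clean items do not (about 5.82%).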

Reporting

Unlike the audit report issued by external auditors, the internal auditor’s report is customized and based on the auditor’s discretion. What Standard 2400 requires is that the internal auditor communicate the results of the engagement. The final communication of engagement results must include applicable conclusions, as well as applicable recommendations and/or action plans. Where appropriate, the internal auditor’s opinion should be provided.

Usually, the internal auditor’s report presents facts, findings, conclusions, opinions, and recommendations.

References

Reading materials you may use in this course are the following: