Department of Auditing

© 2019 University of South Africa

All rights reserved

Printed and published by the
University of South Africa
Muckleneuk, Pretoria
AUI3703/1/2019-2021

Shutterstock.com images used

CONTENTS

PREFACE............................................................................................................... iv

PART A KEY FACTORS IN PERFORMING ADVANCED INTERNAL AUDITS ............... 1

TOPIC 1 Risk-based internal auditing ................................................................................ 1

TOPIC 2 Introduction to specific internal audit engagements ......................................... 18

PART B CONDUCTING SPECIFIC INTERNAL AUDIT ASSIGNMENTS ...................... 31

TOPIC 3 Performance auditing ........................................................................................ 32

TOPIC 4 Fraud Auditing ................................................................................................... 77

TOPIC 5 Information systems auditing .......................................................................... 108

TOPIC 6 Other types of internal audit engagements ..................................................... 149

PART C INTERNAL AUDIT REPORTING AND FOLLOW-UP ................................. 159

TOPIC 7 Reporting and follow-up on the completion of audit assignments .................. 160

PREFACE
STUDY OVERVIEW

Because risk is an integral part of everyday life, we need to:

• identify
• assess
• respond
to these risks to reach our objectives.

Being in charge of your life, you would have set certain objectives for yourself. Registering as a student
for this module indicates that one of your objectives is to obtain a degree from Unisa.

Since this is a third-level module, you should be aware of the risks that may keep you from reaching
this objective, such as the following:

• not having adequate time to study
• not being able to pay for your studies
• falling ill and not being able to study and/or write the examination

Having reached this level of study also indicates that you have implemented adequate controls to
keep these risks from manifesting.

The following are possible controls that you may have implemented:

Risk: Not having adequate time to study
Controls:
• Diarise deadlines for assignments and plan to complete them
• Arrange adequate study leave in advance to prepare for examinations
• Limit social activities to weekends only

Risk: Not being able to pay for your studies
Controls:
• Make sure you pass, then your sponsors will be willing to continue paying for your studies
• Be a diligent and reliable worker so that you will continue earning money to pay for your own studies
• Restrict yourself to a budget to enable you to pay for your studies

Risk: Falling ill and not being able to study and/or write the examination
Controls:
• Eat healthily
• Get enough sleep
• Exercise frequently

The ultimate proof to yourself that you have implemented adequate controls will be when you receive
positive results at the end of the semester. However, if you are wise enough, you will perform interim
tests of controls on the controls you have implemented to provide assurance to yourself that the
controls are working. By testing the controls, you will be able to assess whether the controls that you
have implemented are working as intended, or whether additional controls or adjustments to the
existing controls may be necessary. How would you test the adequacy of these controls?

Risk: Not having adequate time to study
Controls:
● Diarise deadlines of assignments and plan time to complete them.
● Arrange adequate study leave in advance to prepare for examinations.
● Limit social activities to weekends only.
Tests of controls:
● Confirm with your employer and your friends that you have diarised all commitments and that you still have time to complete the assignments as planned.
● Obtain written approval of your leave arrangements from management.
● Page through your diary and reflect on your time management for the past two weeks and the two coming weeks to ensure that you are not engaging in social activities during the week.

Risk: Not being able to pay for your studies
Controls:
● Make sure you pass, so that your sponsors will be willing to continue paying for your studies.
● Be a diligent and reliable worker so that you will continue to earn money to pay for your own studies.
● Restrict yourself to a budget so that you will have money to pay for your studies.
Tests of controls:
● Check on myUnisa that the university has received your assignments before the cut-off date and that you have admission to the examinations.
● Discuss your performance with your supervisor/manager to find out if he or she is satisfied or whether you should improve and how.
● Check your expenses against your budget and make sure you keep within the limits set for yourself.

Risk: Falling ill and not being able to study and/or write the examination
Controls:
● Eat healthy food.
● Get enough sleep.
● Exercise frequently.
Tests of controls:
From time to time, reflect on the following:
● when last you had a decent meal
● what time you have been going to bed
● when last you exercised

This module is all about the application of the fundamental internal auditing principles and techniques
which are normally considered and applied while performing specific types of audit assignments and
the reporting thereof at the completion of an audit. As you have seen in the example above, controls
do not apply to financial systems only. Controls are developed to mitigate and manage the risks that
threaten the achievement of objectives pertaining to risk categories such as fraud risk, IT risk and
operational risk.

To understand this module better you need to have passed the second-level module
AUI2601: Internal Auditing – Theory and Principles.

THE ICONS FOR ACTIVITIES USED IN YOUR STUDY MATERIAL

Each learning unit contains various activities that you should perform. The study activities, for
example, refer you to the study material in the study guide and tutorial letters that you are required
to study; the doing and thinking activities require you to perform certain actions and to answer
certain questions.

The icons that will be used in this study guide and the tutorial letters are listed below, together with
a description of what each of them means.

Icon Description
Key concepts. The key concepts icon draws your attention to certain keywords or
concepts that you will come across in the topic or learning unit.

Learning outcomes. The learning outcomes indicate what parts of the topic or
learning units you must master and demonstrate that you have mastered.

Mind map. Mind maps are provided to help you see the relationship between various
parts of the learning material.

Study. The study icon indicates which sections of the prescribed book or the study
guide you need to study and internalise.

Read. The read icon will direct you to read certain sections of the prescribed book
for background information.

Activity. The activity icon refers to activities that you must do to develop a deeper
understanding of the study material.

Reflection. The reflection icon requires you to reflect on the important issues or
problems dealt with in the learning unit.

Online assessment. When you see the online assessment icon, you will be required to
test your knowledge, understanding and application of the material you have just
studied.
Feedback. The feedback icon indicates that you will receive feedback on your
answers to the self-assessment activities.

Multimedia. The multimedia icon indicates that you must refer to any audio
material, screencasts, podcasts, videos or DVD material that may be included in your
study material as additional resources.
Time-out. The time-out icon indicates that you should take a rest because you have
reached the end of a learning unit or topic.

Discussion. Use the Discussion tool for this module on myUnisa to share valuable
information about assignments, topics that are related to this module, etc. Make sure
that you are using the correct Discussion tool.
Additional resources. Here you will find your assignments, additional documents,
resources, PowerPoint presentations and links to articles related to this module.

Internet source. You will receive a link to access web content from an external
website.
Frequently asked questions. Frequently asked questions on the topic will be posted
on myUnisa.

Blog. Join the discussion on the Blog provided on myUnisa.

STUDY SOURCES

The study material for this module comprises the discussions and explanations contained in this study
guide and tutorial letters, as well as those contained in the following prescribed books:

● Coetzee, G.P., Du Bruyn, R., Fourie, H. & Plant, K. 2018. Assurance: An Audit Perspective. 1st edition. LexisNexis, Johannesburg, South Africa.
● Coetzee, G.P., Du Bruyn, R., Fourie, H. & Plant, K. 2017. Internal Auditing: An Introduction. 6th edition. LexisNexis, Johannesburg, South Africa.
● Coetzee, G.P., Du Bruyn, R., Fourie, H. & Plant, K. 2017. Performing Audit Engagements. 6th edition. LexisNexis, Johannesburg, South Africa.

OUTLINE OF MODULE

PART A – Key factors in performing advanced internal audits

Topic 1: Risk-based internal auditing
Learning Unit 1 Mission and mandate of the Internal Audit (IA) function
Learning Unit 2 Risk and risk management concepts
Learning Unit 3 Risk-based internal auditing

Topic 2: Introduction to specific internal audit engagements
Learning Unit 4 Different types of specific internal audit engagements
Learning Unit 5 Qualities and abilities required of internal auditors

PART B – Conducting specific internal audit engagements

Topic 3: Performance auditing
Learning Unit 6 The concept of performance auditing
Learning Unit 7 Specific considerations in performance auditing
Learning Unit 8 Purpose and components of performance auditing
Learning Unit 9 Identifying the audit field and the performance audit process

Topic 4: Fraud auditing
Learning Unit 10 The basic concepts of fraud
Learning Unit 11 Fraud risk
Learning Unit 12 Fraud prevention and detection
Learning Unit 13 Fraud investigations

Topic 5: Information systems auditing
Learning Unit 14 Information technology (IT) governance
Learning Unit 15 IT risk
Learning Unit 16 IT control activities: general and application controls
Learning Unit 17 Computer audit process
Learning Unit 18 CAATTs
Learning Unit 19 Auditing security and privacy of information assets

Topic 6: Other types of internal audit engagements
Learning Unit 20 Treasury and contract auditing
Learning Unit 21 Consulting engagement

PART C – Internal audit reporting and follow-up

Topic 7: Reporting and follow-up on the completion of audit assignments
Learning Unit 22 Reporting on completed audit assignments
Learning Unit 23 Presenting internal audit reports
Learning Unit 24 Follow-up on completed audit assignments

This module consists of the following three sections:

• Part A – Key factors in performing advanced internal audits
• Part B – Conducting specific internal audit engagements
• Part C – Internal audit reporting and follow-up

Part A explains the mission of internal audit, risk and risk-based auditing. It also deals with the relevant
internal audit standards, and the skills and experience required from internal auditors in performing
advanced internal audits. (See LU 1–5.)

Part B focuses on specific internal audit engagements, such as performance auditing, fraud auditing
and IT auditing. Other specific internal audit engagements, such as environmental auditing, are not
covered in this module. Part B also introduces other engagements such as treasury audits, contract
audits and consulting engagements, or “advice and insight” engagements (as they are referred to in
the mission statement of internal audit). Specific guidelines on consulting activities are covered in
this section. (See LU 6–21.)

Part C is concerned with communicating the findings to the relevant stakeholders, as well as following
up on the implementation of actionable recommendations. (See learning units 22–24.)
PART A
KEY FACTORS IN PERFORMING ADVANCED INTERNAL AUDITS

PART A – Key factors in performing advanced internal audits

Topic 1: Risk-based internal auditing
Learning Unit 1 Mission and mandate of the Internal Audit (IA) function
Learning Unit 2 Risk and risk management concepts
Learning Unit 3 Risk-based internal auditing

Topic 2: Introduction to specific internal audit engagements
Learning Unit 4 Different types of specific internal audit engagements
Learning Unit 5 Qualities and abilities required of internal auditors

TOPIC 1
Risk-based internal auditing

Contents
LEARNING UNIT 1: Mission and mandate of the internal audit (IA) function 2
LEARNING UNIT 2: Risk and risk management concepts 10
LEARNING UNIT 3: Risk-based internal auditing 16

INTRODUCTION TO AND PURPOSE OF THE TOPIC

This topic explains the mission of internal auditing, risk, and risk-based auditing.

LEARNING OUTCOMES

After studying this topic, you should be able to do the following:

– Construct the components of the IIA’s mission of internal audit and explain how
they align with the definition of internal auditing (LU 1).
– Analyse the concept of risk and the key risk categories related to advanced internal
audit topics (LU 2).
– Explain the nature and importance of risk-based internal auditing (LU 3).

1 AUI3703/SG
Learning unit 1
Mission and mandate of the internal audit
(IA) function

Contents
1.1 INTRODUCTION 2
1.2 MISSION OF INTERNAL AUDITING 2
1.3 MODELS OF CORPORATE GOVERNANCE 4
1.4 MANDATE FOR THE INTERNAL AUDIT FUNCTION 5

1.1 INTRODUCTION
The mission statement defines the core purpose of the internal audit function, followed by a
definition of internal auditing, informing us what internal auditing is about. Both elements are
critical for an efficient and effective internal audit function, and they need to be formally adopted
by the board, the audit committee, and senior management in the internal audit charter.

1.2 MISSION OF INTERNAL AUDITING

What is the purpose of the internal audit function in an organisation?

The mission of internal auditing articulates what internal auditing aspires to accomplish in an
organisation. Its place in the new International Professional Practices Framework (IPPF) is
fundamentally important, demonstrating how practitioners should leverage the entire
framework to facilitate their ability to achieve the mission (IIA website: https://global.theiia.org).

The mission statement is formulated as follows:

To enhance and protect organisational value by providing risk-based and objective assurance, advice, and insight

Source: https://global.theiia.org

The mission statement describes the core purpose and focus of internal auditing.

The mission statement consists of the following key components:

• enhancing and protecting organisational value
• being objective in performing duties
• following a risk-based approach
• providing assurance
• providing advice and insight (consulting)

An example of a typical internal audit mission statement is as follows:

“The mission of Internal Audit is to contribute to the achievement of ABC Limited’s mission
and strategic objectives by providing risk-based and objective assurance, advice and insight
to the Board ensuring that financial and operational controls and arrangements are
functioning efficiently and effectively and that the significant risks to the organisation are
being managed.”

The mission statement is aligned with the definition of internal auditing. The definition of internal
auditing is as follows:

Internal auditing is an independent, objective assurance and consulting activity designed to add
value and improve an organisation’s operations. It helps an organisation accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes. (IIA website:
https://global.theiia.org)

Although accounting is an important skill for an internal auditor, the focus of internal auditors is
the evaluation of operational processes, risk management, internal control, and governance
processes of the organisation (IIA website: https://global.theiia.org).

The internal audit function enhances and protects organisational value, as it is designed to add
value and improve an organisation’s operations by evaluating and improving the effectiveness of
risk management, control, and governance processes.

The systematic, disciplined approach of the internal audit function should be risk based. This
involves risk-based internal auditing (LU 3).

In the mission statement, the words “advice and insight” are used rather than the word “consulting”
that appears in the definition of internal auditing. “Advice and insight” is the more descriptive
phrase, although both refer to the same activity. Advisory services, or consulting, are usually
performed at the request of the engagement client.

Advisory services, intended to add value and improve the organisation’s governance, risk
management, and control processes, are the core component of consulting services. The nature and
scope of advisory assignments are subject to agreement with the engagement client. However, the
internal auditor should maintain objectivity and not assume management responsibility.

The internal audit function also provides insight into improving controls, processes, procedures,
performance, and risk management and into reducing expenses, enhancing revenues, and improving
profits.

STUDY
Section 2.7.1 of your prescribed book: Internal Auditing: An Introduction

ACTIVITY 1

• Review the mission statement of your internal audit department (or that of any other
organisation).
• Compare your internal audit mission statement with the mission statement of internal
auditing according to the IPPF.
• Propose an updated version to your internal audit department. Give reasons for the
proposed changes.

FEEDBACK

You will find an example of an internal audit mission in Section 1.2 above.

1.3 ROLE OF INTERNAL AUDITORS

The internal audit function is an important mechanism in the organisation to ensure that strategic
and operational objectives are achieved. Internal audit has a governance, risk, and control focus.
Board and executive management support is crucial for internal auditing to fulfil its assurance and
consulting functions.

STUDY

Study section 2.8 of your prescribed book: Internal Auditing: An Introduction

1.4 MANDATE FOR THE INTERNAL AUDIT FUNCTION

It is quite clear from the IA mission that the mandate for the internal audit function is no longer
limited to the traditional assurance function of predominantly performing internal audits in the
financial area of the organisation.

First and foremost, internal auditors need to have expert knowledge of internal controls, risk
management, and corporate governance (especially business ethics). The internal auditor,
especially the CAE, is also expected to have a good working knowledge of areas such as business
strategy and effective business operations.

The expanded role of the internal audit function includes three key components as per figure 1.1
(see below).

The internal audit function can only effectively enhance and protect organisational value if it
thoughtfully incorporates all three components in its approach to internal auditing.

Figure 1.1: Internal audit mandate

Source: Based on the IIA mission statement

The purpose, authority and responsibility of the IA function should be formally documented in an
internal audit charter, as required by the IIA Standards. The IA charter should be consistent with
the mission and definition of internal auditing.

This means that internal audit functions should revisit their internal audit charters and ensure that
they are consistent with the internal audit mission. All required changes should be formally approved
by the audit committee and communicated to all relevant stakeholders, such as management and
the external auditors.

The nature of both assurance services and consulting services, provided by the internal audit
function, should be clearly defined in the internal audit charter.

The IIA Standards define the internal audit charter as follows:

Attribute Standard 1000. The internal audit charter is a formal document that defines the
internal audit activity’s purpose, authority, and responsibility. The internal audit charter
establishes the internal audit activity’s position within the organization, including the nature of
the chief audit executive’s functional reporting relationship with the board; authorizes access to
records, personnel, and physical properties relevant to the performance of engagements; and
defines the scope of internal audit activities. Final approval of the internal audit charter resides
with the board.

The audit charter may be used in a positive fashion to underpin the marketing task that is
discharged by audit management. It can also be used to defend audit services in the event of a
dispute or an awkward audit. The charter formally documents the raison d’être of the audit
function.

INTERNET SOURCE
An example of an internal audit charter is available on myUnisa under “Additional
Resources”.

ACTIVITY 2

Refer to the case study, section 3.8 in your prescribed textbook, Internal Auditing: An
Introduction.
Do only part C of the case study.

STUDY

Study the following:

• Mission of Internal Audit
• Attribute Standard 1000
• Section 2.7 in your prescribed textbook: Internal Auditing: An Introduction

ONLINE ASSESSMENT QUESTION

Do the online assessment multiple-choice questions on myUnisa.

NOTES
Make your own notes here:
Learning unit 2
Risk and risk management concepts

Contents
2.1 INTRODUCTION 8
2.2 RISK AND RISK MANAGEMENT CONCEPTS 9
2.3 RISK CATEGORIES 10

2.1 INTRODUCTION
The internal auditor needs to understand the concept of risk and the key risk categories related to
advanced internal audit topics.

The Internal Audit Standards require the following:

Standard 2120 – Risk Management. The internal audit activity must evaluate the
effectiveness and contribute to the improvement of risk management processes.

The Risk Management Standard, ISO Guide 73:2009, defines risk management simply as “the
coordinated activities to direct and control an organisation with regard to risk” (see
https://www.iso.org/obp/ui/#iso:std:iso:guide:73:ed-1:v1:en).

The internal audit function adds value to the organisation by evaluating the risk management
governance and processes of the organisation, making recommendations for improving risk
management, and lastly, identifying and communicating high-risk areas and emerging risks to
management and the audit committee.

INTERNET SOURCE
What is risk?
Click on the hyperlink below and watch the YouTube video to help you understand the
term risk: https://www.youtube.com/watch?v=CbnIlLXeHw0

2.2 RISK AND RISK MANAGEMENT CONCEPTS

Risk

Risk is about the uncertainty of events, including the likelihood of such events occurring and their
effect, both positive and negative, on the achievement of the organisation’s objectives. (King IV,
2016)

Enterprise risk management (ERM)

ERM refers to the extension of risk management across the organisation on a macro level by
integrating all the risk management initiatives, including strategic and operational levels.

READ

Chapter 4, section 4.2 of your prescribed textbook, Assurance: An Audit Perspective for
the concept of risk, and section 4.3 for the concept of risk management.

Risk identification

Risk identification is the process of finding, listing and characterising elements of risk. These
elements can include source or hazard, event, consequence and probability.

Risk identification can also reflect the concerns of stakeholders, as recommended by the King IV
Report on Corporate Governance for South Africa, 2016.

Risk analysis

Risk analysis is about developing an understanding of the risk involved. Risk analysis provides an
input to risk evaluation and to decisions on whether risks should be treated and what the most
appropriate risk treatment strategies and methods would be.

Risk optimisation

Risk optimisation is the process, related to a risk, of exploiting the opportunities that the risk
presents while minimising the negative and maximising the positive consequences and their
respective probabilities (King IV, 2016).

Risk register

An organisation should record its risks in a risk register. The register can include the following
information: a unique identifier number, risk category, description of risk, and the date at which
the risk has been identified and by whom. Other possible data include the likelihood of risk,
consequences, interdependencies with other risks and a monetary estimation.

Risk management policy

Before responses can be developed for each of the risks identified, it is necessary to determine
the organisation’s attitude to risk or its risk appetite. The risk appetite will be influenced by the
size and type of organisation, its culture and its capacity to withstand the influences of adverse
occurrences.

Other concepts of risk and risk management are explained in chapter 4, sections 4.1 to 4.5 of your
prescribed textbook, Assurance: An Audit Perspective.

2.3 RISK CATEGORIES


Risks may be classified in the major categories of financial risk, fraud risk, IT risk, compliance risk,
operational risk, environmental risk and strategic risk. Financial risks are only one of the many
categories of risk that organisations face.

READ

Chapter 4, section 4.6 of your prescribed textbook, Assurance: An Audit Perspective, for
the types of risk categories.

The typical risk categories are as follows:

• financial reporting risks
• fraud risks
• IT risks
• compliance risks
• process risks
• strategic risks
• environmental risks

The risk categories are linked to advanced audit types (as in figure 2.1 below), ensuring that key
risk areas are covered in the annual internal audit plan.

Figure 2.1: Linking broad risk categories to advanced audit types

In this module, we will focus specifically on the risk categories set out below:

Fraud risk (topic 4 in this module)

The fraud risk identification process requires an understanding of the universe of fraud risks and
the subset of risks specific to the organisation.

See section 4.6.3 (fraud risk) of your prescribed textbook, Assurance: An Audit Perspective, for a
discussion of the fraud triangle and the internal factors that increase the probability of fraud.

IT risk (topic 5 in this module)

COBIT 5 for Risk defines IT risk as business risk, specifically business risk associated with the use,
ownership, operation, involvement, influence and adoption of IT in an enterprise. IT risk consists
of IT-related events that could potentially affect the business.

See Section 4.6.4 of your prescribed textbook, Assurance: An Audit Perspective for a detailed
discussion of the basic risks related to information technology.

Process risk (topic 3 in this module)

Process risks arise when business processes do not achieve the objectives for which they have
been designed. Process risk is discussed in greater detail in Section 4.6.1 of your prescribed
textbook, Assurance: An Audit Perspective.

Environmental risk (not covered in detail in this module)

Environmental risk involves the risk that the organisation could have a negative influence on the
natural environment.

ACTIVITY 3

Question 1

You are employed as a forensic auditor of a large telecommunications organisation.
Your task is to compile a high-level fraud risk assessment.

• Explain the process that you would follow to identify the company’s key risk areas
and mitigating controls.
• List at least five key risks pertaining to the organisation, as well as effective
controls to mitigate these risks.

FEEDBACK

Join the Discussion forum on myUnisa and provide your answer to the Activity above.

The risk management process is discussed in section 4.9 of your prescribed textbook,
Assurance: An Audit Perspective.

STUDY
• Performance Standard 2120 – Risk Management
• Assurance: An Audit Perspective – Chapter 4: Enterprise risk management

RECOMMENDED READING
Click on the hyperlink below to help you understand the integrated approach towards
effective and sustainable risk management: ERM: An integrated approach towards
effective and sustainable risk management.
http://www.ey.com/Publication/vwLUAssets/EY-enterprise-risk-management/$FILE/EY-enterprise-risk-management.pdf

ONLINE ASSESSMENT QUESTION

Do the online assessment multiple-choice questions on myUnisa.

SUMMARY

In this topic, we explained the mission of internal auditing, its components and how
the mission links to the definition of internal auditing.

We also familiarised ourselves with the most important concepts of risk and risk
management, and highlighted the key risk categories that internal audit is likely to
audit in an organisation.

We dealt with the nature of risk-based internal auditing and the importance of this
approach in an organisation.

NOTES
Make your own notes here:
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________

Learning unit 3
Risk-based internal auditing

Contents
3.1 INTRODUCTION 14
3.2 RISK-BASED INTERNAL AUDITING VERSUS TRADITIONAL INTERNAL AUDITING 14
3.3 PERFORMING A RISK-BASED INTERNAL AUDIT ENGAGEMENT 15

3.1 INTRODUCTION

The IIA (UK) defines risk-based internal auditing (RBIA) as a methodology that links internal
auditing to an organisation’s overall risk management framework. RBIA allows internal auditing
to provide assurance to the Board that risk management processes put in place are managing
risks effectively in relation to the risk appetite.

3.2 RISK-BASED INTERNAL AUDITING VERSUS TRADITIONAL INTERNAL AUDITING

Risk-based internal auditing differs from traditional internal auditing in that the engagement
programme is adapted in such a manner that either only the most important control activities are
tested, or the control activities are tested more thoroughly than those dealing with low risks. (See
Section 4.10.3 in your prescribed textbook, Assurance: An Audit Perspective)

The CAE must prepare the internal audit plan based on the significant risks of the
organisation. Proposed engagements are prioritised on the level of risk involved, as the
organisation has limited internal audit resources available.

Performance Standard 2010: The chief audit executive must establish a risk-based plan
to determine the priorities of internal audit activity, consistent with the organization’s
goals.

Interpretation: To develop the risk-based plan, the chief audit executive consults with
senior management and the board and obtains an understanding of the organization’s
strategies, key business objectives, associated risks, and risk management processes.
The chief audit executive must review and adjust the plan, as necessary, in response to
changes in the organization’s business, risks, operations, programs, systems, and controls.

According to Standard 2010.A1, the internal audit plan must be based on a documented risk
assessment, undertaken at least annually. The input of senior management and the board
must be considered in this process.

It is easier to implement risk-based internal auditing if the organisation already has some
level of risk management in place.

According to the Implementation Guide 2010,

• The CAE considers the maturity of the organization’s risk management processes, including
whether the organization uses a formal risk management framework to assess, document, and
manage risk. Less mature organizations may use less formal means of risk management;
• The CAE’s preparation usually involves reviewing the results of any risk assessments that
management may have performed. The CAE may employ tools such as interviews, surveys,
meetings, and workshops to gather additional input about the risks from management at
various levels throughout the organization, as well as from the board and other stakeholders;
• This review of the organization’s approach to risk management may help the CAE decide how
to organize or update the audit universe, which consists of all risk areas that could be subject
to audit, resulting in a list of possible audit engagements that could be performed;
• To ensure that the audit universe covers all of the organization’s key risks (to the extent
possible), the internal audit activity typically independently reviews and corroborates the key
risks that were identified by senior management.

3.3 PERFORMING A RISK-BASED INTERNAL AUDIT ENGAGEMENT

King IV (paragraph 58) requires that the governing body, usually the board of directors, ensure that

• the internal audit function follows an approved risk-based internal audit plan
• the internal audit function reviews the organisational risk profile regularly

The implementation and ongoing operation of RBIA has three stages:

• Stage 1: Assessing and reporting to the audit committee and the board on the adequacy and
effectiveness of risk management in the organisation
• Stage 2: Preparing the risk-based annual internal audit plan
• Stage 3: Performing risk-based internal audit engagements

The following flow chart (in figure 3.1) gives an overview of the three stages involved:

Figure 3.1: The three stages of risk-based auditing

Source: Chartered Institute of Internal Auditors

KEY CONCEPTS
Performing risk-based audit engagements is discussed in detail in section 4.10.3 of the
prescribed textbook: Assurance: An Audit Perspective. The risk assessment is plotted on
a graph, giving a visual presentation of the major risks in the organisation. This is also
referred to as a risk matrix.
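To make the mechanics of sections 3.2 and 3.3 concrete (ranking the audit universe by risk, plotting it on a risk matrix, and allocating limited internal audit resources against the risk appetite), here is an added Python example. It is not from the study guide, the IIA or the prescribed textbook; the five-point scales, the residual-risk formula, the risk-appetite threshold and the sample audit universe are all constructed assumptions.

```python
"""Risk-based audit planning: audit universe, risk matrix and hour allocation.

Added illustration for this learning unit; not from the study guide, the IIA
or any textbook. The scales, the residual-risk formula, the risk-appetite
threshold and the sample audit universe are constructed assumptions chosen to
show the mechanics, not prescribed values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditArea:
    """One entry in the audit universe (all risk areas that could be audited)."""
    name: str
    likelihood: int        # 1 = rare ... 5 = almost certain
    impact: int            # 1 = insignificant ... 5 = severe
    control_strength: int  # 1 = weak ... 5 = strong, from management's own assessment
    hours: int             # estimated effort for the engagement


RISK_APPETITE = 8.0  # assumed residual score the board is prepared to tolerate


def inherent_score(area: AuditArea) -> int:
    """Position on the likelihood x impact matrix before controls are considered."""
    return area.likelihood * area.impact


def residual_score(area: AuditArea) -> float:
    """Inherent score scaled down by control strength (assumed linear formula)."""
    return round(inherent_score(area) * (6 - area.control_strength) / 5, 1)


def rating(score: float) -> str:
    """Band on the matrix; the thresholds are assumed for illustration."""
    if score >= 15:
        return "high"
    if score >= RISK_APPETITE:
        return "medium"
    return "low"


def risk_matrix(universe):
    """5x5 grid keyed by (likelihood, impact), listing the area names in each cell.

    This is the data behind the visual risk matrix: each area is plotted at its
    inherent likelihood and impact, so the top-right cells hold the major risks.
    """
    grid = {(lk, im): [] for lk in range(1, 6) for im in range(1, 6)}
    for area in universe:
        grid[(area.likelihood, area.impact)].append(area.name)
    return grid


def build_plan(universe, available_hours: int) -> dict:
    """Allocate scarce audit hours to the highest residual risk first.

    Areas whose residual risk exceeds the appetite come first in the ranking.
    Any of them that cannot be funded are reported separately, because the
    audit committee must be told about that coverage gap. Areas within
    appetite only receive hours if something is left over.
    """
    ranked = sorted(universe,
                    key=lambda a: (residual_score(a), inherent_score(a)),
                    reverse=True)
    plan = {"scheduled": [], "unfunded_above_appetite": [],
            "deferred_within_appetite": [], "hours_left": available_hours}
    for area in ranked:
        if area.hours <= plan["hours_left"]:
            plan["scheduled"].append(area.name)
            plan["hours_left"] -= area.hours
        elif residual_score(area) > RISK_APPETITE:
            plan["unfunded_above_appetite"].append(area.name)
        else:
            plan["deferred_within_appetite"].append(area.name)
    return plan


# Constructed sample audit universe for a telecommunications company (not real data).
SAMPLE_UNIVERSE = [
    AuditArea("Billing and revenue assurance", 4, 5, 2, 120),
    AuditArea("Procurement and payments", 4, 4, 3, 100),
    AuditArea("Payroll", 2, 3, 4, 60),
    AuditArea("Treasury: FX and hedging", 3, 5, 2, 80),
    AuditArea("IT user access management", 5, 4, 3, 90),
    AuditArea("Fixed asset register", 2, 2, 5, 40),
]

if __name__ == "__main__":
    for a in sorted(SAMPLE_UNIVERSE, key=residual_score, reverse=True):
        r = residual_score(a)
        print(f"{a.name:32} inherent={inherent_score(a):2} residual={r:5} {rating(r)}")
    # 300 available hours is an assumed annual budget for the internal audit activity.
    print(build_plan(SAMPLE_UNIVERSE, 300))
```

With the sample figures, procurement ends up above appetite but unfunded, which is exactly the kind of gap the CAE would raise with the audit committee when the plan is presented.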

STUDY

• Performance Standard 2120 – Risk Management
• Internal Auditing: An Introduction Engagements – par 6.3.2 & 6.6.4
• Performing Internal Audit Engagements – Chapter 1, Section 1.3 – 1.4
• Assurance: An Audit Perspective, Chapter 4, Enterprise risk management, sections
4.10.1 to 4.10.3

ONLINE ASSESSMENT

Do the online assessment multiple-choice questions on myUnisa.

TOPIC 2
Introduction to specific internal audit engagements

Contents

LEARNING UNIT 4: Different types of specific internal audit engagements 19
LEARNING UNIT 5: Qualities and abilities required of internal auditors 27

INTRODUCTION TO AND PURPOSE OF THE TOPIC

Internal auditing has shown significant growth in complexity and innovative, cutting-edge ways
of auditing, ensuring that the internal audit function adds value to the governance, risk
management, and controls of the organisation.

The aim of this topic is to introduce the internal auditor to advanced audit engagements and the
continuing demands the different types of auditing place on the internal auditors.

LEARNING OUTCOMES

After you have studied this topic, you should be able to do the following:
– Explain the development of a variety of applications in internal auditing (LU 4).
– Demonstrate knowledge of the purpose and nature of the various forms of
internal auditing (LU 4).
– Understand the qualities and abilities an internal auditor should possess (LU 5).

Learning unit 4
Different types of specific internal audit engagements

Contents
4.1 INTRODUCTION 19
4.2 DEVELOPMENT OF A VARIETY OF APPLICATIONS IN INTERNAL AUDITING 19
4.3 THE PURPOSE AND NATURE OF VARIOUS FORMS OF INTERNAL AUDITING 20

4.1 INTRODUCTION

In auditing, different types of audits can be conducted. In this learning unit, we will give a brief
description of the various specific internal audit engagements.

4.2 DEVELOPMENT OF A VARIETY OF APPLICATIONS IN INTERNAL AUDITING

The top management of an organisation needs support in the form of internal auditing to ensure
that the policies and procedures introduced in an effort to achieve the organisational goals are
being complied with. Internal auditors originally performed only financial and compliance audits.

Treasury and compliance auditing concentrate on compliance with policy and procedures within
the financial systems of an organisation to ensure that the assets of the organisation are being
properly safeguarded, that the information produced by the financial systems of an organisation
is accurate and reliable, and that the Acts and regulations applicable to the organisation are being
complied with.

The general role and responsibilities of internal auditing have changed, however, as the discipline
has developed, and the support of management and improvement of organisational performance
have gradually become more important.

Value-for-money auditing, performance auditing and operational auditing are some of the terms
used for audits that evaluate the economy, efficiency and effectiveness of the operations of an
organisation.

Because modern internal auditing evaluates all the activities of an organisation and each
organisation has many facets to it, various specialised fields in internal auditing have developed
over time, such as management auditing, environmental auditing, and quality auditing.

With the development of computer technology, another specialised field in auditing has emerged,
namely computer auditing.

4.3 THE PURPOSE AND NATURE OF VARIOUS FORMS OF INTERNAL AUDITING

Internal audit functions perform different types of internal audit engagements. Since all internal
audit engagements strive to improve organisational performance in some way, there is no
fundamental difference in the underlying philosophy of the types of internal auditing discussed
below.

The differences lie in which aspect of performance they focus on: whether they deal with the
extent to which a unit meets its performance objectives (effectiveness), or with how well the unit
uses its resources (efficiency and economy).

Compliance audits

Compliance can be defined as conformity and adherence to applicable laws and regulations as
well as policies, plans, procedures, contracts or other requirements. Laws and regulations are
imposed externally and must be complied with. Inadequate information systems may lead to the
organisation inadvertently breaching the laws of the country, resulting in losses because of fines
and penalties.

Compliance audits are carried out to determine whether a business entity has complied with
specific policies, plans, procedures, laws, regulations or contracts that affect the organisation.

To complete a compliance audit successfully, established criteria must exist against which
compliance can be measured.

Compliance objectives pertain to adherence to the laws and regulations to which the entity is
subject. They depend on external factors, such as environmental regulations, and they tend to be
similar across all entities in some cases, and across an industry in others.

Compliance testing seeks to establish the degree to which control mechanisms are being applied
as prescribed, and the results should highlight non-compliance in pursuit of the defined test
objective.

Often what is meant to happen does not, and procedures that should be in place are ignored.

A company may require several compliance audits to review regulatory adherence in multiple
departments such as finance, IT, manufacturing and human resources as well as in certain types
of industries, for example financial institutions, telecommunications and the public sector.

The focus of compliance auditing is on compliance with laws and regulations, statutes and internal
policies. A compliance audit therefore aims to discover how well a unit or organisation complies
with an established set of “rules”. Clearly, the level of compliance with formal rules is an aspect of
performance.

Although it is an important aspect, it is not the only one with which an auditor is concerned.

STUDY

• Section 1.2.1 in your prescribed textbook: Performing Internal Audit Engagements
• Section 6.8.1.1 in your prescribed textbook: Internal Auditing: An Introduction
Engagements

Treasury audits

Many internal audit departments admit that the treasury function is not an area that they review
on an annual basis. Some also admit that they find it a difficult area to audit, as the technical
aspects – and risks – associated with foreign exchange, hedging, and investments can be
daunting. But it is a vital area of any business, particularly given its roles in managing cash flow,
ensuring access to capital, and managing risk in treasury operations (IIA-UK).

The following treasury risks are discussed in chapter 12, section 12.2.2 (Refer to electronic copy
uploaded under Additional Resources - Additional Study Material folder. Chapter
12_Other_Types of Engagements for this section)

• credit risk
• market risk
• liquidity risk
• interest rate risk
• operational risk
• foreign exchange risk
• commodity risk
• regulatory risk
• reputational risk

Treasury audits are also discussed in learning unit 20 of this study guide.

Performance audits

Performance audits are also known as operational audits or value-for-money audits; the various
names can be used interchangeably.

Performance auditing involves firstly determining management’s objectives and then
establishing whether the management controls that exist lead to effectiveness, efficiency and
economy.

An internal auditor must determine the following:

• which key performance indicators are in use
• whether they are appropriate
• whether control objectives have been achieved

Performance auditing will be discussed in more detail in topic 3 of this module.

Example

Performance auditing, also known as operational auditing, deals with the extent to which a unit
meets its performance objectives (effectiveness) and how well it uses resources (efficiency and
economy).

STUDY

• Section 1.2.3 in your prescribed textbook: Performing Internal Audit Engagements
• Section 6.8.3 in your prescribed textbook: Internal Auditing: An Introduction
Engagements

Environmental audits

During a typical environmental audit, a team of qualified inspectors conducts a comprehensive
examination of a plant or other facility to determine whether it is complying with environmental
laws and regulations.

The team systematically verifies compliance with applicable requirements using professional
judgement and evaluations of on-site conditions. The team may also evaluate the effectiveness
of systems that are in place to manage compliance and assess the environmental risks associated
with the facility’s operations.

Effective environmental audit programmes have several common characteristics. They require
the strong support of their organisation’s management.

They also require adequate allocation of resources to hire and train audit personnel. In addition,
to be effective, audit programmes must operate with freedom from internal or external pressure
and employ quality assurance procedures to ensure the accuracy and thoroughness of audits.

RECOMMENDED READING

Access the following link and work through the presentation explaining what
environmental auditing entails, the different types of environmental auditing, tools
and techniques for completing an environmental audit and the practicalities of
environmental audits:
https://www.environment.gov.za/sites/default/files/docs/series14_environmental_auditing.pdf

Fraud audits

Fraud auditing involves assisting management in creating an environment that encourages the
detection and prevention of fraud in commercial transactions. This may involve assisting in
setting the standard for the organisation, with an appropriate code of conduct and conflict-of-
interest policy.

A fraud auditor must know the following:

• the realm of fraud possibilities (How can it happen?)
• the sources of information and evidence (Where do I look?)
• whether the environment is conducive to fraud (Is fraud likely?)
• the areas of fraud opportunity (Where can it happen?)
• the laws of evidence (How can I prove it?)

A fraud auditor must be capable of conducting a review of internal controls, assessing the
strengths and weaknesses of those controls, identifying abnormal transactions and distinguishing
between errors and fraudulent entries. This may involve following a computerised audit trail.

A fraud auditor’s job is to determine whether a fraud, theft or embezzlement has occurred and, if
so, whether criminal law exists to deal with the matter and whether there is an apparent breach
of that law, since not all fraud can be prosecuted under criminal law.

An internal auditor must be alert for red flags and indicators such as changes in personal
behaviour patterns, or substantial departmental growth or decline relative to the norm.

Fraud detection may be reactive, meaning that an internal auditor reacts to allegations,
complaints, suspicions and management’s intuition. Proactive auditing involves ensuring
adequate internal controls through periodic audits, intelligence gathering, reviewing variances
and logging exceptions.

Fraud auditing will be discussed in more detail in topic 4 of this module.

Quality audits

Quality auditing may be defined as a systematic and independent examination to determine
whether quality-related activities are implemented effectively and whether they comply with the
quality systems and/or quality standards.

Quality auditing is an important part of an organisation’s quality management system and is a key
element in the International Organisation for Standardisation (ISO) quality system standard, ISO
9001.

As seen by internal auditors, quality audits cannot be directly equated with assuring quality in
the normal sense of the word (synonymous with excellence). Quality auditing is a technical term
for auditing that is focused on systems and processes rather than on outcomes. This follows the
corporate governance concept that a properly constituted organisation should be based on a
system of well-controlled systems and processes.

Quality auditing has become associated with older forms of management of quality such as Total
Quality Management (TQM). As such, quality auditing is associated with quality enhancement
strategies rather than the traditional quality control inspections.

Quality enhancement focuses on creating a corporate culture centred on quality, as opposed to
quality control, which was a reactive process after the event that involved rejecting sub-standard
products and services.

Quality audits are typically performed at predefined time intervals and they ensure that the
institution has clearly defined internal system monitoring procedures linked to effective action.
This can help determine if the organisation complies with the defined quality system processes
and can involve procedural or results-based assessment criteria.

With the upgrade of the ISO 9000 series of standards from the 1994 to the 2008 series, the focus of
the audits has shifted from purely procedural adherence to measurement of the actual
effectiveness of the quality management system (QMS) and the results that have been achieved
by implementing a QMS.

Quality audits can be an integral part of compliance or regulatory requirements. If quality is
viewed according to the appropriateness of systems and processes rather than the more
traditional achievement of the correct outcomes, auditing moves from the necessity of having to
define best practice and desirable outcomes to evaluating the quality of the processes
themselves. Defining the key performance indicators has always been a contentious point in
negotiating with management for the audit.

Reaching agreement on standard systems of practice is normally considerably easier, since little
interpretation is required. From this, it follows that a proper organisational structure is
comprehensively systemised and documented, and therefore fully auditable.

Programme results audits

Programme results auditing involves auditing the accomplishment of established goals and
objectives for operations and programmes. In practical terms, it means audits that determine
whether the desired results are being achieved, and whether management has considered
alternatives to achieve the same results at a lower cost.

Conducting such audits involves the following:

• ascertaining whether a specific objective or goal has been clearly defined for a particular
function

• ascertaining whether the objective or goal is relevant and consistent with management’s
intent
• evaluating any variance between the results and the originally stated goals and objectives

In addition, the cost-effectiveness of a given programme is evaluated, as is the cost-benefit of
continuing the programme. Many internal auditors make extensive use of statistical analysis over
a period, drawing inferences from the results of the statistics.

Complaint records may give a good indication of the extent to which given operations or
programmes are satisfying the needs of the target market.

Management themselves may well be able to give advice on the appropriateness of the
programmes and the measurement criteria.

Information Technology (IT) / Information Systems (IS) audits

IT audits come in a variety of forms. Any of the above types of internal auditing could involve the
use of computers or, for that matter, the audit of computer systems.

IS auditing will be discussed in more detail in topic 5 of this module.

Application audits

Application audits such as the auditing of inventory, payrolls, procurement, sales, treasury and
other specific business functions have their own specific characteristics and the audit programme
will typically involve a certain degree of standard audit tests.

Both internal and external auditors may perform these types of audits.

Once again, the emphasis of traditional external auditing is on fairness of financial representation,
whereas internal auditing's emphasis is on assisting managers and boards of directors, or similar
governing bodies, with optimum governance and the proper discharge of their duties.

ACTIVITY 4

You are the audit senior in the audit department of a large corporation. The managing
director (MD) of the company has asked you to explain the difference between fraud
audits and financial audits.

FEEDBACK

Join the Discussion forum on myUnisa and provide your answers to the Activity above.

ONLINE ASSESSMENT

Do the online assessment multiple-choice questions on myUnisa.

Learning unit 5
Qualities and abilities required of internal auditors

Contents
5.1 INTRODUCTION 27
5.2 QUALITIES AND ABILITIES OF AN INTERNAL AUDITOR 27

5.1 INTRODUCTION
Every internal audit is unique in the sense that the environment in which it is carried out differs
from one assignment to the next.

5.2 QUALITIES AND ABILITIES OF AN INTERNAL AUDITOR

An internal auditor should be capable of handling any internal audit situation with confidence and
assessing the relevant accountability correctly in the light of the prevailing economic and specific
business conditions.

Internal Auditing Standard 1200 states that internal audit engagements must be performed with
proficiency and due professional care. Internal auditors should therefore have thorough
knowledge of management principles, financial and management accounting and information
systems. They should also have experience in several systems, and complete competence in
internal auditing.

A successful internal auditor should possess at least the following qualities and abilities:

• Curiosity: The internal auditor should not take anything for granted. By asking questions
and discovering the reasons for particular policies and procedures, the auditor gets to know
the audit environment and acquires information that is of value in the operational audit
process.

• Analytical qualities: The ability to identify problem areas by rapidly examining a given
situation and the ability to identify critical problem areas by distinguishing between material
and nonmaterial aspects are important here.
• Qualities of persuasion: The success of an internal audit is measured by the extent to which
the auditor’s recommendations are implemented. Implementation is directly proportional to
the qualities of persuasion the auditor displays when conveying recommendations to
management.
• Good business judgment: This quality depends on the knowledge and experience acquired
by the auditor and includes the ability to view a problem from a manager’s point of view and
ask appropriate questions. Internal auditors should be able to put themselves in the position
of management, which may be difficult because the auditor is not likely to have personal
experience of an operational management position.
• Logical thinking: Analysing an activity, identifying risks and weaknesses and making
recommendations that could lead to the improvement of existing systems require not only
knowledge but also logical thinking. Only logical thinking can enable the auditor to make
meaningful and practical recommendations.
• Objectivity: When performing any audit assignment, objectivity is a basic requirement.
Even if, for instance, the auditor was previously involved in an advisory capacity in the
development and implementation of systems within an activity and irrespective of any
personal relationships with any of the people working within an activity, the audit
assignment should be approached objectively.
• Communication skills: The ability to communicate the results of an internal audit effectively
is extremely important in ensuring that the shortcomings shown up by an operational audit
are understood and effectively dealt with by the auditee.
• Good human relations: In general, employees like to shine in the eyes of their employers.
Because there is a possibility that an audit may cast a negative reflection on their work, many
people are reluctant to subject their work to an audit. Auditors must remain independent and
cannot allow their opinions to be influenced by feelings of sympathy or of dislike or fear.
Internal auditors must undertake audit projects in sections and areas that have never
formerly been subjected to audits, but one of the difficulties facing them is that the auditees
are frequently unable to see any purpose in the audit. Furthermore, a greater degree of
subjectivity is involved in operational auditing than in other forms of auditing, which also
increases the potential for conflict between the auditors and staff. Consequently, auditors
need to understand human relations issues and be able to deal with them effectively if they
wish to be successful in operational auditing.
• Independence: The internal auditor should be independent of the activity being audited. The
auditor should therefore be able to carry out his or her task objectively and without
restrictions. Independence is achieved through the auditor’s objectivity and the status of the
internal audit function in an organisation. This enables the auditor to make impartial and
unprejudiced decisions during the conduct of an audit.
• Self-confidence: Internal auditors should have sufficient self-confidence to counter the
challenges posed by every operational audit. They should also carry out their task and
present their opinions with the necessary self-confidence, making management feel obliged
to respond positively.
• Initiative in developing techniques: The unique nature of every internal audit project
requires the internal auditor to display initiative and creativity in developing audit
programmes, performance measurement techniques, and better working methods that will
achieve better results.
28
STUDY

International Professional Practice Framework (IPPF)

Standards                     Description
1200                          Proficiency and due professional care
1210                          Proficiency
1210.A1, A2, A3               Proficiency
1210.C1                       Proficiency
1220-1                        Due professional care
1220.A1, A2, A3 and C1        Due professional care

Implementation Guides
IG 1210                       Proficiency
IG 1220                       Due professional care

ONLINE ASSESSMENT

Do the online assessment multiple-choice questions on myUnisa.

SUMMARY

In this topic, we dealt briefly with the origins of various internal audit applications.

We noted that internal auditing focuses predominantly on financial, compliance and
operational auditing, but various specialised applications have also developed over
time.

We analysed the relationship between the different internal auditing applications and
found that all the audit applications ultimately aim at improving the performance of
the organisation.

We also discussed the specific qualities that internal auditors should possess to be able
to conduct a successful internal audit.

PART B
CONDUCTING SPECIFIC INTERNAL AUDIT ASSIGNMENTS

PART B – Conducting specific internal audit engagements

Topic 3: Performance auditing
Learning Unit 6 The concept of performance auditing
Learning Unit 7 Specific considerations in performance auditing
Learning Unit 8 Purpose and components of performance auditing
Learning Unit 9 Identifying the audit field and the performance audit process

Topic 4: Fraud auditing
Learning Unit 10 The basic concepts of fraud
Learning Unit 11 Fraud risk
Learning Unit 12 Fraud prevention and detection
Learning Unit 13 Fraud investigations

Topic 5: Information systems auditing
Learning Unit 14 Information technology (IT) governance
Learning Unit 15 IT risk
Learning Unit 16 IT control activities: general and application controls
Learning Unit 17 Computer audit process
Learning Unit 18 CAATTs
Learning Unit 19 Auditing security and privacy of information assets

Topic 6: Other types of internal audit engagements
Learning Unit 20 Treasury and contract auditing
Learning Unit 21 Consulting engagement

TOPIC 3
Performance auditing
Contents

LEARNING UNIT 6: The concept of performance auditing 33
LEARNING UNIT 7: Specific considerations in performance auditing 41
LEARNING UNIT 8: Purpose and components of performance auditing 50
LEARNING UNIT 9: Identifying the audit field and the performance audit process 70

INTRODUCTION TO AND PURPOSE OF THE TOPIC

This topic deals with the nature of performance auditing, its advantages and disadvantages, the
Internal Auditing Standards, and concepts specifically applicable to performance auditing.

LEARNING OUTCOMES

After you have studied this topic, you should be able to do the following:

– Analyse the definition of performance auditing and discuss its principal elements
and characteristics.
– Comment on the role of performance auditing according to the definition of
internal auditing.
– Evaluate the qualities of an internal auditor involved in performance auditing.
– Comment on the purpose of performance auditing.
– Differentiate between the concepts of economy, efficiency and effectiveness of
performance auditing and indicate the relationship between them.
– Advise on the advantages and problems associated with performance auditing.
– Analyse the specific considerations in the choice of an audit field.
– Identify the steps taken in the choice of an audit field.

Learning unit 6
The concept of performance auditing

Contents
6.1 INTRODUCTION 33
6.2 DEFINITION OF INTERNAL AUDITING AND AN ACCOUNT OF THE
RESPONSIBILITIES OF THE INTERNAL AUDITOR 33
6.3 DEFINITION OF PERFORMANCE AUDITING AND DISCUSSION OF ITS
PRINCIPAL ELEMENTS AND CHARACTERISTICS 37

6.1 INTRODUCTION
In this learning unit, we will discuss the broad definition of performance auditing and its principal
elements. The suitability of performance auditing is explained by analysing its role according to
the broad definition of internal auditing. The basic qualities and abilities of a performance auditor
are also discussed.

Your prescribed textbook, Assurance: An Audit Perspective, section 3.4 deals with performance
auditing and describes performance auditing as follows:

Performance audit engagements are performed to evaluate and report on the management
actions implemented to ensure the economical acquisition and the efficient and effective
utilisation of resources, according to formal predetermined criteria and objectives.

Internal auditors should assess the efficiency and effectiveness of operations, whether in the
public sector or in the private sector, with great care, as many challenges are involved.

6.2 DEFINITION OF INTERNAL AUDITING AND AN ACCOUNT OF THE
RESPONSIBILITIES OF THE INTERNAL AUDITOR

REFLECTION
By now you will have dealt with the definition of internal auditing in the other internal
auditing modules and you should already be familiar with it.

Because the definition of internal auditing describes the nature of internal auditing and
internal auditing practice, it is obvious that we should begin this module by analysing
this definition to determine how performance auditing fits in as part of internal
auditing.

The following definition of internal auditing was approved by the International Institute of Internal
Auditors:

Internal auditing is an independent, objective assurance and consulting activity designed to add
value and improve an organisation’s operations. It helps an organisation accomplish its objectives
by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes.

KEY CONCEPTS
The key factors in the above definition will be briefly analysed in the following sections.

Internal auditing is an activity

Internal auditing services may be performed by a function in an organisation or by an external
firm, consultant or group of consultants. It can take the form of a department, division, team of
consultants or other practitioner that renders the service to an organisation described in the
definition of internal auditing.

An independent and objective activity

In the definition of internal auditing, independence is linked to the positioning of the audit
function in an organisation and objectivity to conducting the audit process.

Objectivity refers to an independent mental attitude that requires that internal auditors conduct
their engagements in such a manner that they have an honest belief in their work product and do
not make any quality compromises.

With regard to independence, the chief audit executive must report to a level within the
organisation that allows the internal audit activity to fulfil its responsibilities. In addition, the chief
audit executive must confirm to the board, at least annually, the organisational independence of
the internal audit activity.

An activity that offers assurance and advice

An internal audit activity is in the unique position of being able to perform two types of services to
improve an organisation’s operations, namely assurance services and consulting services.

Assurance services encompass the traditional auditing services but recognise that assurance can
be offered at various levels, such as positive assurance, which includes compliance auditing,
investigation and testing with reporting of results, performance evaluation, and limited-scope
overviews that offer limited assurance.

Consulting services and improvement of operations may overlap with assurance services because
the knowledge acquired during the performance of assurance services is important in enabling
the internal auditor to act in an advisory capacity and improve the operations of the organisation.

An activity designed to add value to an organisation’s operations and improve them

Adding value lies at the heart of business operations today. Organisations demand that each
activity should add value and internal auditors cannot ignore this demand.

The internal audit activity adds value to the organisation (and its stakeholders) when it provides
objective and relevant assurance, and contributes to the effectiveness and efficiency of
governance, risk management and control processes.

In the process of gathering data to understand and assess risk, internal auditors develop
significant insight into operations and opportunities for improvement that can be extremely
beneficial to their organisation.

An activity that helps an organisation accomplish its objectives

By focusing on an organisation and its objectives, rather than on individuals and their
responsibilities, the definition emphasises that the primary concern of internal auditing is the
success of the entire organisation, rather than the success of a specific area or individual.

As experts on risk and control, internal auditors should see and market themselves as being in the
vanguard of the campaign for ethical corporate governance. They should display due diligence in
complementing the efforts of management and the board of directors.

An activity that follows a systematic, disciplined approach

The systematic, disciplined approach is the basis for the internal auditors’ unique
occupation and their success. “Systematic” refers to methodical or proceeding
according to plan and “Disciplined” involves being able to act and work in a controlled
manner.

This systematic, disciplined approach constitutes the internal audit process.

An activity that evaluates and improves the effectiveness of risk management, control
processes and management processes

Effectiveness measures the degree of success in achieving predefined goals.

According to Standard 2110, which deals with governance, the internal audit activity must assess
and make appropriate recommendations to improve the organization’s governance processes for:
• Making strategic and operational decisions.
• Overseeing risk management and control.
• Promoting appropriate ethics and values within the organization.
• Ensuring effective organizational performance management and accountability.
• Communicating risk and control information to appropriate areas of the organization.

• Coordinating the activities of, and communicating information among, the board,
external and internal auditors, other assurance providers, and management.

Governance processes refer to the combination of processes and structures implemented by the
board to inform, direct, manage and monitor the activities of the organisation in achieving its
objectives.

In addition, the internal audit activity should monitor and evaluate the effectiveness of an
organisation’s risk management systems.

According to Standard 2120, which deals with risk management, the internal audit activity must
evaluate the effectiveness and contribute to the improvement of risk management processes.

Control processes refer to the policies, procedures and activities that are part of a control
framework designed to ensure that risks are contained within the risk tolerances established by
the risk management process.

According to Standard 2130, which deals with control, the internal audit activity must assist the
organization in maintaining effective controls by evaluating their effectiveness and efficiency and by
promoting continuous improvement.

Therefore, internal auditing evaluates and improves the extent to which an organisation succeeds
in achieving its predefined goals of governance, risk management and control processes.
Furthermore, it reviews operations and programs to ensure consistency with organisational
values.

6.3 DEFINITION OF PERFORMANCE AUDITING AND DISCUSSION OF
ITS PRINCIPAL ELEMENTS AND CHARACTERISTICS

Introduction to performance auditing

This form of auditing is known under various names. Performance auditing is a term that is used
mainly in the public sector to describe the auditing of the economy, efficiency and effectiveness
of activities or processes in organisations.

For this course, the following terms may be regarded as synonyms of performance auditing:

• management auditing
• operational auditing (used in the private sector)
• value-for-money auditing
• functional auditing

Performance auditing is characterised by the internal auditor’s approach, way of thinking and
attitude in respect of an audit and not by unique methods. It could be merely an extension of a
normal financial or systems audit. During a performance audit, the talents, experience and
training of individual internal auditors are applied in the operating systems of an organisation.

Performance auditing is becoming highly popular, especially with the internal audit function and
the audit committee, as it is tangible proof of the value that internal auditors add to the
organisation.

Defining performance auditing

Reider (1993) defines performance auditing as follows:

Performance auditing is an audit of operations performed from a management viewpoint
to evaluate the economy, efficiency, and effectiveness of all operations, limited only by
management’s desires.

In section 1.2.3 of the prescribed textbook Performing Internal Audit Engagements the purpose of
performance auditing is simply defined as evaluating the economy, efficiency and effectiveness
of the operations of an organisation.

We will now examine the principal elements of Reider’s definition of performance auditing in
greater detail.

An audit of operations

Performance auditing can be conducted in all the functional areas of an organisation, such as
marketing, sales, production and human resources.

In addition to providing an assurance that the financial information is a true reflection of facts,
performance auditing concentrates on the evaluation of policy, procedures, division of authority,
quality of management, effectiveness of methods, special problems and other aspects of an
organisation’s operations.

From a management point of view

The principal focus of performance auditing is the achievement of management’s objectives in
the most economic, efficient and effective manner.

A general purpose of internal auditing, according to the definition of internal auditing, is to assist
organisations in accomplishing their objectives. This support is directed mainly at management,
from the highest to the lowest levels.

For this reason, it is important that a performance auditor should understand the way of thinking,
objectives and concerns of top management particularly and should focus on the aspects that are
important to management.

Evaluation of economy, efficiency and effectiveness

The aim of performance auditing is to assess the economy, efficiency and effectiveness of the
operations of organisations.

In an audit of economy and efficiency, the auditor considers the optimum balance between costs
and results. Every effort will be made to keep costs to a minimum (economy), without adversely
affecting the achievement of results. At the same time, the auditor will attempt to refine the
production processes (efficiency), without incurring excessive costs.

In an audit of effectiveness, the auditor would determine whether an operation is fulfilling the
purpose for which it was established; the emphasis is thus on results and the achievement of
goals.

The concepts of “economy”, “efficiency” and “effectiveness” are discussed in section 3.4.1 in your
prescribed textbook, Assurance: An Audit Perspective.

All operating systems in an organisation

This means that a performance audit can focus on any component of an organisation, whether it
is an operating unit, a functional area, a department or an activity within a department, where
the audit objective is to review the economy, efficiency and effectiveness with which
management are achieving their goals.

Only the needs of management restrict the scope of operational auditing

As we mentioned previously, performance auditing should focus on the aspects that are
important to management. It is also important that management realise the significance of
performance auditing to be able to support performance auditing projects and encourage a
positive attitude towards performance auditing in the organisation.

To encourage a favourable attitude towards performance auditing, performance audits should
be conducted professionally and should add value to the organisation.

The freedom of the internal audit function to evaluate all the activities of an organisation,
including planning, policy, procedures and records, should be incorporated in the internal audit
mandate.

Key characteristics of performance auditing

The aim of performance auditing

Performance auditing aims at improving an organisation’s future performance and it focuses
mainly on management’s policy, planning, control and decisions.

It is the performance auditors’ task to determine whether the necessary policy, systems and
procedures exist and are being complied with and, if they are, to evaluate the extent to which
those policies, systems and procedures contribute to economy, efficiency and effectiveness in
the enterprise.

Independence

The potential benefits of performance auditing can only be reaped if the auditors are competent,
if they enjoy the support of the executive management, and if they are permitted to use their
own discretion in all matters.

Independence should be guaranteed by the policy of the organisation, reflected in the status of
the internal audit function in the organisation, and upheld by the professional conduct of the
internal auditors.

Independence means that internal auditors:

• must not be involved in or be responsible for any operational matters within an activity that
is being audited
• must be able to develop audit programmes without being influenced
• must have full access to all evidence and members of staff wherever this is required for the
purposes of the audit
• must be objective in collecting and evaluating information and evidence
• must be able to prepare audit reports on any matters which they consider necessary to
report on.

Systematic approach

A well-planned and systematic approach should be followed in the conduct of any performance
audit.

This involves gaining a comprehensive grasp of the auditing environment, developing objectives,
determining what information and evidence are available for the attainment of these objectives,
collecting and evaluating vouchers, developing findings, reporting to management, and
following up on the audit report.

Criteria for performance appraisal

Acceptable criteria for evaluating performance are essential for successful performance auditing
because it is impossible to evaluate activities without a yardstick of some kind.

It is management’s responsibility to develop suitable criteria for performance measurement and
to apply them in the organisation. In the performance of an audit, the performance auditor can
use any existing criteria.

In the absence of criteria or if the criteria are inadequate, the performance auditor should develop
his or her own criteria or borrow them from other sources and then obtain management’s
approval for their use in the performance audit.

Objective criteria for performance appraisal, which both the auditee and the auditor consider
appropriate and reasonable, are necessary if the audit is to be successful.

ACTIVITY 5

Discuss the definition of performance auditing, as indicated in section 3.4.1 of your
prescribed textbook, Assurance: An Audit Perspective.

FEEDBACK

Join the Discussion forum on myUnisa and provide your answer to the Activity above.

ONLINE ASSESSMENT

Do the online assessment multiple-choice questions on myUnisa.

Learning unit 7
Specific considerations in performance
auditing

Contents
7.1 INTRODUCTION 41
7.2 INTERNAL AUDIT STANDARDS APPLICABLE TO PERFORMANCE AUDITING 41
7.3 ADVANTAGES OF PERFORMANCE AUDITING 43
7.4 PROBLEMS ASSOCIATED WITH PERFORMANCE AUDITING 47

7.1 INTRODUCTION
In this learning unit, we will deal with the internal auditing standards applicable to performance
auditing. We will also study the benefits of performance auditing and the unique problems
associated with it.

7.2 INTERNAL AUDIT STANDARDS APPLICABLE TO PERFORMANCE
AUDITING

Performance auditing is a form of internal auditing and the internal auditing standards are as
applicable to performance auditing as to any other form of internal auditing.

However, a few provisions in the internal auditing standards require special attention from
performance auditors.

In this learning unit, we will consider the internal auditing standards that justify conducting
performance auditing in organisations as well as the requirements laid down by the internal
auditing standards for effectively conducting performance audits.

READ

Read the following chapter in your prescribed textbook, Internal Auditing: An
Introduction, to remind yourself of the International Professional Practices Framework
(IPPF): Chapter 2, section 2.7 “The international professional practices framework”.

Justification for performance auditing based on the internal auditing standards

According to the definition of internal auditing, it is an activity that helps an organisation
accomplish its objectives by creating a systematic, disciplined approach to evaluating and
improving the effectiveness of governance, risk management and control.

Internal Auditing Standard 2100 describes the nature of the work of an internal audit activity and
expands on the provisions contained in the definition of internal auditing, under the headings of
governance, risk management and control.

Standard 2100 – Nature of Work

The internal audit activity must evaluate and contribute to the improvement of the
organization’s governance, risk management, and control processes using a systematic,
disciplined, and risk-based approach. Internal audit credibility and value are enhanced when
auditors are proactive and their evaluations offer new insights and consider future impact.

According to Standard 2110, which deals with governance, the internal audit activity must assess,
and make appropriate recommendations on, improving the governance processes in its
accomplishment of the following objectives:

• making strategic and operational decisions.
• overseeing risk management and control.
• promoting appropriate ethics and values within the organisation.
• ensuring effective organizational performance management and accountability.
• communicating risk and control information to appropriate areas of the organisation.
• coordinating the activities of, and communicating information among, the board, external
and internal auditors, other assurance providers, and management.

Standard 2110.A1 provides that the internal audit activity must evaluate the design,
implementation and effectiveness of the organisation’s ethics-related objectives, programmes and
activities.

Standard 2110.A2 provides that the internal audit activity must assess whether the information
technology governance of the organisation supports the organisational strategies and objectives.

Standard 2120 provides that the internal audit activity must evaluate the effectiveness of and
contribute to the improvement of risk management processes.

Standard 2120.A1 provides that the internal audit activity must evaluate risk exposures relating to
the organization’s governance, operations, and information systems regarding the:

• achievement of the organization’s strategic objectives
• reliability and integrity of financial and operational information
• effectiveness and efficiency of operations and programmes
• safeguarding of assets
• compliance with laws, regulations, policies, procedures and contracts

Standard 2130 provides that the internal audit activity must assist the organisation in maintaining
effective controls by evaluating their effectiveness and efficiency and by promoting continuous
improvement.

Standard 2130.A1 provides that the internal audit activity must evaluate the adequacy and
effectiveness of controls in responding to risks within the organization’s governance, operations, and
information systems regarding the:

• achievement of the organisation’s strategic objectives
• reliability and integrity of financial and operational information
• effectiveness and efficiency of operations and programs
• safeguarding of assets
• compliance with laws, regulations, policies, procedures, and contracts

Whereas the aim of financial auditing is to confirm the accuracy and reliability of the information
disclosed in financial statements and financial reports, and compliance auditing is more
concerned with an organisation’s compliance with laws and regulations, performance auditing is
specifically concerned with assessing the economy, effectiveness and efficiency of all the
operations of an organisation.

The passages from the auditing standards referred to above make it clear that the internal
auditing standards make provision for the performance of performance auditing.

One could even conclude that internal audit activities that do not include performance auditing
but confine themselves to financial and compliance auditing are not really implementing the
internal auditing standards.

STUDY

• Make a detailed study of the standards discussed previously, which you will find in
the International Professional Practice Framework (IPPF). It is available at:
https://na.theiia.org/standards-guidance/Public%20Documents/IPPF-Standards-2017.pdf

• A copy of the standards is also available on myUnisa under “Additional Resources”

7.3 ADVANTAGES OF PERFORMANCE AUDITING

Performance auditing has the following advantages:

• identification of problem areas, the factors that cause the problems, and alternatives that
could improve the situation

• reducing costs by identifying opportunities to reduce wastage and inefficiency
• identifying opportunities to increase income
• identifying undefined goals, objectives, policy and procedures
• identifying criteria for evaluating the achievement of the organisation’s objectives and goals
• recommendations on improvements to an organisation’s policy, procedures and structure
• evaluating the performance of individuals and sections in an organisation
• inquiry into compliance with legal requirements and the organisation’s policy, objectives and
procedures
• testing for the existence of unauthorised, fraudulent or otherwise irregular actions
• evaluation of management information systems and control systems
• identification of possible problem areas in future activities
• provision of an additional communication channel between people at the operational level
and top management
• provision of an independent, objective evaluation of the organisation as a whole

Performance auditing is beneficial to management and employees of an organisation in the
respects set out below.

Identification of problem areas, the factors that cause the problems, and alternatives that
could improve the situation

This is an important advantage of performance auditing. In many cases, management become
aware of a problem, but they are unable to determine its scope or implications.

The objective views of the internal auditor, as a third party, often put an organisation’s
operational problems into the correct perspective. Sometimes all that is required to identify
problems is to talk to the staff and then convey their views to management. The employees of an
organisation are often more aware of the problems and the reasons for them than management
are.

The function of internal auditors is to identify the true causes of problems (not the symptoms or
possible causes). Their experience and contact with various departments put internal auditors in
a position to formulate practical solutions to identified problems, thereby making a positive
contribution to the activities of the organisation. (It is to the advantage of the internal audit
department to be able to offer support in the implementation of any recommendations that are
made.)

Reducing costs by identifying opportunities to reduce wastage and inefficiency

Every cent saved, without sacrificing efficiency and effectiveness in the process, eventually
contributes to the organisation’s profit figures. Cost saving is a major component of performance
auditing.

The internal auditor should, however, be very careful not to introduce short-term cost savings
that will cause problems in the long term.

It is the task of internal auditors to assist management in operating businesses at the lowest
possible cost through proper planning. It is important to cost accurately, and if a decision is taken
to cut costs, the decision should be carefully considered to ensure that it does not have negative
implications for the organisation at a later stage.

This approach to cost reduction differs from simple cost cutting, which could interfere with the
proper functioning of the organisation.

Identifying opportunities to increase income

Higher income also leads to increased profits, although there is not a rand-to-rand
correspondence as in the case of cost savings.

The eventual contribution to the profit figure is influenced by the costs incurred to produce the
increase in income. Internal auditors should be careful not to make recommendations that could
lead to a temporary increase in income but would lead to additional costs and reduced
effectiveness in the long term.

It should be remembered, however, that the internal auditor may be able to identify valuable
opportunities during an operational audit which, if preceded by proper planning, could contribute
to increased income and better profit figures.

Identifying undefined goals, objectives, policy and procedures

Unfortunately, not all organisations carry out proper strategic planning and it is frequently found
that the organisation’s goals, objectives, policy and procedures have not been formally defined.

This means that before they can begin a performance audit, internal auditors frequently must
help management identify undefined goals, objectives, policy and procedures, because unless
this is done, it is impossible to evaluate the effectiveness of an organisation.

Identifying criteria for evaluating the achievement of the organisation’s objectives and goals

Even if all the organisation’s goals, objectives, policies and procedures have been properly
formulated, often no criteria are available for evaluating the extent to which they are being
achieved. Internal auditors can help management develop criteria for assessing effectiveness.

Recommendations on improvements to an organisation’s policy, procedures and structure

The internal auditor may well find that the cause of a problem lies in existing policy and
procedures.

Policy is laid down by management and is related to the basic principles according to which the
business is run. “The customer comes first” is an example of a statement that conveys the policy
of an organisation.

Procedures, which are normally also established by management, can be regarded as the
methods used to carry out the various functions of the enterprise.

When an activity or process is too strictly controlled, the policy and procedures may actually
hamper staff in carrying out their duties, and efficiency and effectiveness could be affected.

In such a case, the policy and procedures may be inappropriate and should be corrected. The
structure of an organisation usually develops over time, as the organisation expands and
develops.

More personnel are usually appointed as the need arises, with little thought to economy,
efficiency and effectiveness when such appointments are made. In an operational audit, which
involves an objective examination of an organisation’s policy, procedures and structures, the
problem areas can be identified and resolved.

Evaluating the performance of individuals and sections in an organisation

A performance audit involves the objective monitoring of the progress made by sections and
individuals towards achieving established objectives.

The internal auditors determine whether the necessary criteria and procedures for measuring
performance are in place.

Inquiry into compliance with legal requirements and the organisation’s policy, objectives and
procedures

Internal auditors must make certain that an organisation is complying with any laws applicable
to it as well as with established policy and procedures, and that the organisation’s goals and
objectives are being achieved.

If the organisation is not complying with some laws, procedures or policies, the possible
consequences of such non-compliance should be analysed and pointed out to management.

Testing for the existence of unauthorised, fraudulent or otherwise irregular actions

When conducting any form of internal audit, internal auditors should be on the lookout for the
possibility of fraud or other irregularities.

In performance auditing, too, where the emphasis is on actions that could have a negative
influence on the functioning of an organisation, the internal auditors should be vigilant for
unauthorised, fraudulent or otherwise irregular actions and point these out to management.

Evaluation of management information systems and control systems

Here, the internal auditor would pay attention to aspects that include the following:

• Are the management information systems adequate and are they giving management and
the appropriate members of staff timely, accurate and reliable information to enable them
to run the organisation effectively?
• Are the amount and nature of management information in proportion to the risk attached
to the activity and the level of operations within the structure of the organisation? More
management information is required as the risk attached to an activity increases, but less
detailed information is needed at higher levels of decision-making.
• Is any information not being supplied that could influence the successful operation of the
organisation?
• Are all the key factors being considered in decision-making?

Identification of possible problem areas in future activities

Their experience and knowledge of the various activities of an enterprise often make it possible
for internal auditors to predict future problems based on past events and to point them out to
management in good time.

Provision of an additional communication channel between people at the operational level
and top management

In many organisations, a clear distinction is made between management – as the decision makers
and people in authority – and the operating staff who must carry out the decisions.

Because the internal auditors engaged in performance auditing have a good grasp of both the
management and the operation of an organisation, they can act as intermediaries between
management and operating staff and convey the needs and concerns of one party to the other.

Performance auditing involves employees at all levels of the organisation, with the result that
management and operating staff are given the opportunity to meet for discussions of all the
activities of the organisation.

Provision of an independent, objective evaluation of the organisation as a whole

Management and employees of an organisation are usually so closely involved with the activities
of the organisation that they cannot tell in what direction the business as a whole is heading and
whether the organisation is being effectively run or not.

During a performance audit, the internal auditors examine the whole organisation objectively
and point out both the areas of good performance and the areas that need to be improved (Reider
1995:16–19).

7.4 PROBLEMS ASSOCIATED WITH PERFORMANCE AUDITING


Performance auditing makes high demands on human relations

Most people feel uncomfortable when their work is subjected to auditing, especially since they
like to look good in management’s eyes and they know that any errors that are discovered will be
reported. In performance auditing, the auditor becomes involved in areas that have never
previously been subjected to auditing.

Whereas the people who work in the financial sections are used to auditors, the auditor who is
conducting an operational audit of one of the nonfinancial activities of an organisation deals with
people whose work has probably never before been subjected to external evaluation, and more
antagonism will probably be displayed towards the internal auditor.

A higher degree of subjectivity is involved in performance auditing than in financial and other
forms of auditing, which can lead to conflict between the internal auditor and the operating staff.

To ensure the success of performance auditing, the internal auditor should understand the effect
of performance auditing on human relations and deal with this correctly.

Performance auditing requires special proficiency and skills

Most trained auditors have been schooled in financial auditing, where the left-brain skills of
calculation and logic are emphasised. To be successful in performance auditing, internal auditors
require equal quantities of left-brain and right-brain skills. In other words, they should be capable
of creative as well as analytical thinking and possess good powers of observation.

Internal auditors who engage in performance auditing should have a good grounding in
management principles. Performance auditing also requires an in-depth knowledge of the
business of the organisation or the activity being audited.

Another important requirement is communication and facilitation skills because communicating
with the staff working on the activity or at the organisation being audited is often a major source
of information in an operational audit. Very few people possess all the required knowledge and
skills to conduct a performance audit; therefore, it is often necessary to recruit the services of
specialists.

If an internal audit activity wants operational auditing to be conducted, the chief audit
executive must ensure that the necessary expertise is developed within the activity or that
expertise is acquired by appointing people from different disciplines who are able to complement
the skills available in the internal audit activity.

High cost of performance auditing

Performance auditing can only be successfully conducted by an audit team who have the
necessary knowledge and experience. If the audit team do not have sufficient knowledge of a
particular area, the assistance of experts is often required in order to perform the audit.

The cost of using an audit team consisting of people with advanced training and experience as
well as specialists is obviously high. In addition, management are expected to make bigger inputs
as members of the audit control committee, which will boost the cost of the audit even further.

Although the savings effected by an operational audit should always exceed the costs attached to
the audit, those costs must be incurred immediately, whereas the savings only become apparent
over time as the recommendations arising from the audit are implemented.

The willingness of management to invest in performance audit projects will depend largely on the
proven success of previous performance audit projects in the organisation.

Management involvement in and support of performance auditing

Performance auditing requires the continuous support of the entire organisation, especially of
executive management.

To be able to carry out performance auditing successfully, the internal auditor requires a mandate
to perform performance audits, and the service that the internal auditor is able to render must be
acceptable to management.

Management’s most important function is to achieve the organisation’s mission and goals and if
the audit does not contribute to this, it will be difficult to get management involved.

Developing and maintaining good relations with the personnel and management of an
organisation rests with the internal auditors and it is their responsibility to ensure that they
understand the auditing environment, management style and management’s expectations of the
operational auditing.

ONLINE ASSESSMENT

Do the online assessment multiple-choice questions on myUnisa.

NOTES
Make your own notes here:

Learning unit 8
Purpose and components of performance
auditing

Contents
8.1 INTRODUCTION 50
8.2 THE AIM AND COMPONENTS OF PERFORMANCE AUDITING 50
8.3 THE COMPONENTS OF PERFORMANCE AUDITING 51
8.4 ECONOMY, EFFICIENCY AND EFFECTIVENESS AS SPECIFIC CONCEPTS OF PERFORMANCE AUDITING AND THEIR RELATIONSHIP IN ASSESSING ORGANISATIONAL PERFORMANCE 53
8.5 DEVELOPING PERFORMANCE OBJECTIVES 58

8.1 INTRODUCTION

If service to management and improved organisational performance can be seen as the
foundation for performance auditing, the components of performance auditing that will be
discussed in this learning unit are regarded as the building blocks.

To conduct a performance audit, it is necessary to have a thorough knowledge of its components
and an understanding of the role that each of the components plays in the performance auditing
process.

In this learning unit, we will begin by dealing with the foundation for or purpose of performance
auditing before discussing its building blocks or components.

8.2 THE AIM AND COMPONENTS OF PERFORMANCE AUDITING


General aims of performance auditing

The general aims of performance auditing are set out below.

a) Performance appraisal

Performance auditing involves an appraisal of the performance of the organisation/activity that
is being investigated. A performance appraisal involves a comparison of the way in which an
organisation performs its activities with

• the goals set by management or the persons who requested the audit, for example
organisational policy, standards, objectives and targets
• other relevant criteria

b) Identification of opportunities to make improvements

Most improvements fall into the broad categories of improved economy, efficiency and
effectiveness.

Opportunities for improvement can be identified by means such as conducting interviews with
people inside and outside the organisation, observing operational activities, examining reports
and transactions, and drawing comparisons with industry standards. Professional judgment and
previous experience play a very important role here.

c) Recommendations on the improvement of existing procedures and future action

The nature and scope of recommendations that arise from performance audit projects vary
considerably from one project to the next. In some cases, the auditor may be able to make specific
recommendations, but in others, further research may be required before appropriate
improvements and a future course of action can be recommended.

The basis for all three of these aims of performance auditing is to support management in the
performance of their duties. Management might request a performance audit for various
reasons. These reasons could be regarded as the specific objectives of a particular performance
audit assignment.

General risk considerations

The public sector faces specific risk factors that are different from those of the private sector.

It is important to understand these risks as explained in section 3.2.3 of your prescribed textbook,
Assurance: An Audit Perspective.

8.3 THE COMPONENTS OF PERFORMANCE AUDITING

Performance auditing has four principal components:

• financial
• compliance
• economy and efficiency
• effectiveness

Financial component

This component is concerned with proper and adequate accounting and reporting procedures. It
closely resembles traditional financial auditing, the difference being that in operational auditing,
it is only one element of an audit assignment and it is made applicable to all the activities of an
organisation.

Compliance component

Compliance is usually dealt with in conjunction with the financial component. It comprises
compliance with Acts, regulations and internal policy and procedures.

In a performance audit assignment, the auditors assess compliance not only with financial
legislation, regulations, policy and procedures, but also with all the rules that regulate the
operation of an organisation.

Economy and efficiency component

This component involves achieving an optimum balance between costs and results. Costs should
be cut to the minimum, but not at the expense of results. At the same time, productivity should
be improved, but without incurring excessive costs.

In an investigation into economy and efficiency, the auditors analyse the way in which the
organisation is applying its resources such as human resources, facilities, equipment, materials
and funds.

The following aspects are included:

• purchasing policy of the organisation
• material prices and service costs
• staffing in relation to the functions that must be performed
• surplus stock on hand
• use of more expensive equipment than necessary
• prevention of losses and wastage of resources
• division of projects into logically manageable tasks
• efficiency and application of operating systems and procedures
• efficiency of documentation flow
• performance of unnecessary tasks or duplication of tasks
• allocation of responsibilities and authority in an organisation
• speed of production and completion time of projects

Effectiveness component

This component is concerned with achieving results and gaining the resultant benefits. In an
investigation of effectiveness, internal auditors try to establish whether an activity is achieving
its purpose and whether the results of an organisation or activity correspond to the targets set,
the objectives, or any other criterion. An investigation into effectiveness is concerned with quality
rather than with quantity.
The following procedures would, for example, form part of an investigation into effectiveness:

• evaluating the organisation’s approach to developing realistic targets, objectives and
procedures for attaining those targets and objectives
• evaluating the adequacy of management’s method of measuring effectiveness
• establishing the extent to which results are being achieved
• identifying the factors that impede satisfactory performance or the achievement of results

The concepts of economy, efficiency and effectiveness, as specific concepts of performance
auditing, will now be discussed in greater detail.

8.4 ECONOMY, EFFICIENCY AND EFFECTIVENESS AS SPECIFIC
CONCEPTS OF PERFORMANCE AUDITING AND THEIR
RELATIONSHIP IN ASSESSING ORGANISATIONAL PERFORMANCE

The components that are unique to performance auditing are economy, efficiency and
effectiveness. In your study and application of performance auditing, you will be continually
confronted with these concepts.

A proper understanding of each of these terms, and of the relationship between them, is
therefore essential.

Organisational performance

As indicated in the previous learning unit, the main purpose of internal auditing is to add value to
and improve an organisation’s operations. This is achieved primarily by evaluating and improving
the effectiveness of the organisation’s risk management and control and its management
processes.

The need to do so has forced internal auditors to gain a sound understanding of the philosophy
and practice of management. Internal auditors can add value to the organisation by improving
how it performs its activities and the quality of its managers (Barlow et al 1995:41).

Internal auditing can help managers at all levels of an organisation improve the effectiveness,
efficiency and economy of the areas under their control.

The definition of internal auditing, however, only mentions the improvement of “effectiveness”.
This is because effectiveness has to do with the results of operations. Focusing on improving the
results of activities adds more to organisational performance than focusing on improving the
efficiency and economy of activities.

This point is illustrated in the following example:

Assume that you, as an internal auditor, are performing an operational audit of the organisation’s
canteen activity. If you make suggestions that result in the organisation paying less for the food,
you will save it money in running the canteen activity. The canteen will be more economical and
may save the organisation hundreds of rand every month.

If, on the other hand, you make suggestions that result in labour savings or less food wastage,
you will have made a greater contribution to the organisation’s profitability. The canteen will be
more efficient and may save thousands of rand every month.

However, if you make suggestions that result in the canteen providing a better-quality service,
which allows it to charge higher prices and/or attract more customers, you will make an even
greater contribution. The canteen will be more effective and may make tens of thousands of rand
in additional income (Barlow et al 1995:41).

To contribute to organisational performance, internal auditors must have a thorough knowledge
of the business. If they do not understand the business, they may focus on the wrong areas or fail
to provide meaningful recommendations for improving organisational performance (Barlow et al
1995:41).

How do economy, efficiency and effectiveness relate to organisational performance?

What matters most to organisational stakeholders is the organisation’s performance or how well
it reflects its mission and achieves its objectives. Performance is an important aspect of an
organisation’s operation.

An organisation must be focused on fulfilling its mission and enhancing its performance.
Performance is all about how well organisational activities are performed. For example, internal
auditors should be concerned with how well they audit activities. Say, for instance, that an
internal auditor audits a section to achieve certain performance objectives. To establish how well
he/she is performing the internal auditor can look at how well he/she has achieved those set
objectives.

There are three aspects of organisational performance that an internal auditor should be aware
of. Commonly referred to as the “3Es”, they are as follows:
• effectiveness
• efficiency
• economy

All three are measures of how well an activity performs.

Effectiveness is the extent to which an activity achieves its stated performance objectives. If you
do not perform the activities required to achieve a particular performance objective, you cannot
possibly expect to achieve it. Effectiveness amounts to doing the right things.

Doing the right things is about performing the right activities to achieve a performance objective.
If you perform the right activities, you will achieve the performance objective and be effective.
Improving effectiveness will improve organisational performance.

See section 3.4.1 in your prescribed textbook, Assurance: An Audit Perspective for the 12 sub-
elements of effectiveness, which consist of the following:
• management directive and guidance
• relevancy
• applicability
• achieving of results
• acceptability
• secondary impact
• costs and productivity
• adaptability
• financial results
• working environment
• safeguarding of assets
• monitoring and reporting

Efficiency is the extent to which a process or activity has been optimised such that, all other
things remaining constant:
• its output has been maximised for a given amount of input, or
• its input has been minimised for a given amount of output

An efficient process or activity is one that cannot be further optimised. An inefficient system has
some potential for optimisation. Improving the efficiency of a process or activity requires better
use of resources to achieve optimal resource usage. This prevents unnecessary waste of resources
and produces concomitant cost savings.

Improving efficiency is a means of reducing costs. If you do not do things right in performing an
activity, you will waste resources. You will also be inefficient, even if you are effective. It is also
possible to do the wrong things, but to do them in the right way, in other words to be ineffective
but efficient. Efficiency takes effectiveness into account in that it recognises the need to keep
other things constant when optimising the input:output ratio.

You should maintain the same level of effectiveness (quality) throughout the process. It is
pointless to optimise efficiency if the level of effectiveness or quality is reduced during the
process.

Economy is the extent to which an organisation, unit or activity obtains the right quantity and
quality of a resource at the right time and at the best possible price. Obtaining resources at the
best price should never be done at the expense of the results obtained.

Since economy is concerned with optimising the cost of inputs, it can be considered part of
efficiency.

The relationship between the 3Es

Organisations can set performance objectives that will satisfy the need for efficiency and
economy in their activities.

The concept of effectiveness therefore encompasses both these performance parameters. Since
organisational performance encompasses effectiveness, it also encompasses efficiency and
economy. Cost-effectiveness combines the concepts of effectiveness and cost. It shows the cost
of achieving a certain level of effectiveness.

The total cost of an activity is the sum of the costs of all inputs (organisational resources used).

The purpose of activity-based costing (ABC) systems is to generate this information for many
activities in the organisation and to make it available to managers to analyse the cost-
effectiveness of their activities.

A cost-effective activity performs to the required standards at the lowest possible cost. Since
total cost is affected by an activity’s level of resource usage, a cost-effective activity will often be
an efficient one. The concepts of cost and efficiency are different. Efficiency considers the input
and output of an activity. Cost deals with the input side.

You can reduce the cost of an activity without improving its efficiency. Cost-effectiveness is an
important concept because improvements in effectiveness usually require the use of more
resources, which cost money. There is thus a trade-off between improving effectiveness and cost.
Raising the performance standards relating to the quality of the output of an activity will
invariably increase the cost of the activity. Changes in efficiency can also affect effectiveness.

It is possible to maximise efficiency at the expense of effectiveness, and output quality
particularly. Experience has shown that cost-cutting programmes have often led to reduced
levels of effectiveness, which in turn have caused customers to switch to competitors. The
resulting loss of profits has often far outweighed the “savings” achieved through reduced costs.

The following two diagrams illustrate the interrelationship between economy, efficiency and
effectiveness:

Figure 7.1: The performance auditing triangle

Source: Reider (1993)

Figure 7.2: The three Es

Source: Chambers and Rand (1997)

(1) Economy – the relationship between planned inputs and actual inputs regarding unit costs
(2) Efficiency – the relationship between actual inputs and actual outputs
(3) Effectiveness – the relationship between actual outputs and planned outputs
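The three relationships in the Chambers and Rand diagram, together with the cost-effectiveness trade-off discussed above, can be worked through on figures. The following Python model is an added illustration, not part of the study guide or of the cited sources: it computes economy (planned versus actual unit cost), efficiency (actual outputs per unit of actual input), effectiveness (actual versus planned outputs) and cost per unit of output, and then flags a proposal whose cost or efficiency gain is bought by letting effectiveness fall below the standard. The canteen figures (rand per labour hour, labour hours, meals served to the required standard) are constructed for the example.

```python
"""Economy, efficiency and effectiveness (the 3Es) computed from planned and
actual inputs and outputs. Added illustration; the canteen figures are
constructed sample data, not taken from the study guide."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ActivityPeriod:
    """One period's figures for an activity (constructed sample data)."""
    name: str
    planned_unit_cost: float   # planned price per unit of input (rand per labour hour)
    actual_unit_cost: float    # price actually paid per unit of input
    actual_inputs: float       # input units consumed (labour hours)
    planned_outputs: float     # the standard: outputs required at the set quality
    actual_outputs: float      # outputs actually delivered at that quality


def economy(p: ActivityPeriod) -> float:
    """Planned inputs vs actual inputs in unit-cost terms; greater than 1
    means inputs were obtained more cheaply than planned."""
    return p.planned_unit_cost / p.actual_unit_cost


def efficiency(p: ActivityPeriod) -> float:
    """Actual outputs per unit of actual input (the input:output ratio)."""
    return p.actual_outputs / p.actual_inputs


def effectiveness(p: ActivityPeriod) -> float:
    """Actual outputs vs planned outputs; 1.0 means the standard was met."""
    return p.actual_outputs / p.planned_outputs


def total_cost(p: ActivityPeriod) -> float:
    """Total cost of the activity is the sum of the costs of all inputs."""
    return p.actual_unit_cost * p.actual_inputs


def cost_effectiveness(p: ActivityPeriod) -> float:
    """Cost of achieving one unit of output at the required standard."""
    return total_cost(p) / p.actual_outputs


def assess_proposal(baseline: ActivityPeriod, proposal: ActivityPeriod) -> dict:
    """Compare a proposed change with the baseline and flag the failure mode
    the text warns about: a cost or efficiency gain obtained by letting
    effectiveness drop below the standard (a false economy)."""
    result = {
        "economy": (economy(baseline), economy(proposal)),
        "efficiency": (efficiency(baseline), efficiency(proposal)),
        "effectiveness": (effectiveness(baseline), effectiveness(proposal)),
        "total_cost": (total_cost(baseline), total_cost(proposal)),
        "cost_per_output": (cost_effectiveness(baseline), cost_effectiveness(proposal)),
    }
    cheaper_or_leaner = (
        total_cost(proposal) < total_cost(baseline)
        or efficiency(proposal) > efficiency(baseline)
    )
    standard_missed = effectiveness(proposal) < 1.0
    result["false_economy"] = cheaper_or_leaner and standard_missed
    return result


# Constructed monthly canteen figures, echoing the example in the text:
# planned cost R100/hour, 400 hours, standard of 8 000 meals at the set quality.
BASELINE = ActivityPeriod("baseline", 100.0, 100.0, 400.0, 8000.0, 8000.0)
CHEAPER_INPUTS = ActivityPeriod("cheaper inputs", 100.0, 95.0, 400.0, 8000.0, 8000.0)
CUT_LABOUR = ActivityPeriod("cut labour", 100.0, 100.0, 300.0, 8000.0, 6800.0)
BETTER_SERVICE = ActivityPeriod("better service", 100.0, 100.0, 420.0, 8000.0, 9000.0)


if __name__ == "__main__":
    for proposal in (CHEAPER_INPUTS, CUT_LABOUR, BETTER_SERVICE):
        r = assess_proposal(BASELINE, proposal)
        print(f"{proposal.name}: economy {r['economy'][1]:.3f}, "
              f"efficiency {r['efficiency'][1]:.2f} meals/hour, "
              f"effectiveness {r['effectiveness'][1]:.3f}, "
              f"cost per meal R{r['cost_per_output'][1]:.2f}, "
              f"false economy: {r['false_economy']}")
```

Run as a script, the "cut labour" proposal comes out most efficient and cheapest per meal, yet it is the one flagged, because only 6 800 of the 8 000 meals required by the standard were delivered; the "better service" proposal costs more in total but raises both efficiency and effectiveness, which is the point of the canteen example in the text.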

ACTIVITY 6

You are an audit manager employed by DWARF Limited, a manufacturer of optical
equipment for weaponry and aircraft.

The chief internal auditor of DWARF Limited requests you to perform a preliminary
review of the company’s mechanical plant for conducting an operational audit.

You are required to formulate five (5) audit objectives for assessing the economic and
efficient functioning of DWARF Limited’s mechanical plant.

FEEDBACK

Audit objectives for assessing the economic and efficient functioning of DWARF’s
mechanical plant

(1) to determine whether the organisation’s policy on purchases will ensure the most
economical and effective utilisation of resources
(2) to determine whether the stock holding is economical without jeopardising the
effectiveness of the mechanical plant
(3) to determine whether losses and waste in the mechanical plant are minimised
(4) to determine whether the activities of the mechanical plant are grouped in logical,
feasible processes or tasks
(5) to determine whether document flow and provision of management information
throughout the mechanical plant are efficient.

In this question, you had to apply your theoretical knowledge of economy and efficiency
and use that knowledge to formulate audit objectives.

A general problem is that students formulate audit objectives that do not refer to or
include the economy or efficiency component. For this question, write down all the
aspects that relate to economy and efficiency and then formulate an audit objective that
includes each of these aspects, taking into account the information provided in the
question.

For example, efficiency is concerned with efficient documentation flow. An audit
objective would read as follows: “To determine (formulation of audit objective) whether
document flow and provision of management information (theoretical knowledge of
efficiency) throughout the delivery department of DWARF Limited (application to
question) are optimised”.

Take note: No marks will be awarded if the audit objectives are not correctly formulated!

8.5 DEVELOPING PERFORMANCE OBJECTIVES

Although management have the responsibility to monitor the extent to which an organisation is
achieving results within the objectives set, clear objectives or measurement criteria that internal
auditors can use for conducting a performance audit do not always exist.

Internal auditors should then, in cooperation with management, determine objectives, develop
acceptable criteria for measurement and work out methods for acquiring the information
necessary to evaluate the achievement of results.

To develop meaningful objectives, the internal auditor must have knowledge of the nature of and
requirements for performance objectives.

A performance objective is a clear statement of what an organisation, unit or activity wants
to achieve. When we talk about a performance objective, we automatically include its measure
and standard.

You must be able to measure the level of achievement of the performance objective. In addition,
you must be able to determine if the level of performance achieved, that is, actual performance,
meets or exceeds required performance as specified by the standard.

The role of performance objectives

Performance is concerned with how well activities are performed.

You cannot evaluate the performance of an activity unless you have established clear
performance objectives which enable you to measure and evaluate the level of performance
objective achievement.

Performance objectives are therefore the backbone of organisational performance. Without
them, it is impossible to measure and evaluate performance objectively. If you cannot measure
performance, then you cannot evaluate actual performance against what is required.

If you cannot evaluate performance, then you cannot identify performance problems and take
corrective action.

For which aspects of performance should performance objectives be set?

Performance objectives should deal with the quality and quantity of the output of an activity, the
time taken to perform it, and the cost.

You can therefore set performance objectives for the following aspects of any activity:
• quality (how well)
• quantity (how many)
• time (how soon)
• cost (how much)

This means that performance objectives must be set for the effectiveness, efficiency and
economy aspects of activities (Barlow et al 1995:85).

For which aspects of the business should performance objectives be set?

An internal auditor needs to understand that an organisation must achieve its performance
objectives to survive and grow.

To assist managers in improving organisational performance, you must consider all performance
objectives that make an organisation effective. Simply achieving financial performance objectives
does not necessarily make an organisation effective.

Furthermore, you must ensure that all aspects of the business that could have a significant
influence on organisational performance are covered.

Top managers must set performance objectives for all those aspects that could have a significant
influence on the organisation’s performance if they were not managed effectively.

At the very least, these objectives should include activities involved in -

• growing and developing the business
• producing and delivering services and/or products
• managing relationships with stakeholders
• managing the organisation’s resources, for example finance, information, materials,
equipment, people or technology

Similarly, unit managers must set performance objectives for all activities that could have a
significant impact on the organisation’s performance if they were not managed effectively.

Performance objectives can be specified for all activities, from the lowest level to the highest
level. Highest-level activities may include marketing, production, sales, materials, information
systems, finance, and personnel. They specify what an activity is trying to achieve regarding
quantity, quality, time and cost.

For example, a possible performance objective is to produce the right quantity of the right quality
toys at the right time and at the lowest cost.

Alternatively, it can be specified as four separate but related performance objectives that deal
with each parameter individually, for example to produce the right quality toys.

Measuring the achievement of performance objectives through performance measures

A performance measure is a yardstick against which the achievement of a performance objective
can be determined. It is often possible to identify and define several measures for one
performance objective, but it is more practical to use only one measure.

For example, a wooden toy manufacturer has set a performance objective of paying creditors
within 30 days of invoice date. A possible performance measure is the number of creditors that
are outstanding 30 days after invoice date.

Let’s assume that the accounts department manager has been monitoring the performance of
the accounts payable clerk and has found that two creditors have not been paid within the 30-day
period.

Is the clerk’s performance good or poor?

You do not know. You need some way of determining what constitutes good or poor
performance. You can identify good or poor performance by using performance standards.

To be able to make a value judgment on whether the level of performance is good or poor, you
must have predetermined standards of performance against which to compare and evaluate
actual performance.

A performance standard is the minimum required level of performance. Performance standards
define required performance. They are defined according to the performance measures and are
used for evaluating performance. Without a performance standard, you cannot evaluate
performance – you cannot decide whether actual performance is good or poor. It is a benchmark,
based on the performance measure, against which you can compare actual performance.

By comparing actual performance with the required performance (standard), you can decide
whether performance is good (above standard), poor (below standard) or acceptable (same as the
standard).

Let’s look at an example.

Punctuality might be a personal performance objective of yours. But what performance standard
do you use to evaluate your performance?

First, you must identify a suitable performance measure. You can use the number of times that
you are more than five minutes late for appointments over a month.

Next, you must set your performance standard – the minimum required performance would be
to be more than five minutes late for an appointment no more than five times per month.

If you achieve the performance standard, you can give yourself a pat on the back for being
punctual. If you perform consistently better than the performance standard, perhaps you need to
make the standard more demanding.

Sometimes a standard is set at the upper end of a performance measure. For example, one of your
performance objectives could be to maintain confidentiality of your information.

You decide to measure achievement of this objective by monitoring and recording the number of
unauthorised accesses to the information over a set period. You set a tough performance
standard of no unauthorised access per month.

If you achieve the standard, that is, zero recorded unauthorised access, your performance would
be judged as good. If you clock up one unauthorised access or more, you do not achieve the
standard and your performance is judged as unacceptable, unsatisfactory or simply poor.

The hierarchy of performance objectives

Activities can be broken down progressively into lower-level activities through the process of
functional decomposition.

Each high-level activity creates a hierarchy of lower-level activities.

If performance objectives are established for all activities in the hierarchy, then a corresponding
hierarchy of performance objectives is created. It follows that all activities obtained from the
analysis of one high-level activity must be performed to complete the high-level activity.

Similarly, all performance objectives relating to a family of activities at one level must be achieved
to attain the performance objective relating to the parent activity. To achieve one high-level
performance objective, the organisation or unit must achieve all its subordinate performance
objectives.

Not achieving one lower-level performance objective will affect the achievement of the high-level
performance objective. To achieve its mission fully, an organisation or unit must achieve its
lowest-level performance objectives.

The decomposition of activities creates a hierarchy of performance objectives.

You can define different types of performance objective according to their level in the hierarchy.

For example, you could define four types:

• mission – the highest-level performance objective
• unit performance objectives
• key performance objectives
• specific performance objectives

Figure 7.3: Performance objective hierarchy

Source: Barlow et al (1995:89)

A unit performance objective (UPO in figure 7.3) is a clear statement of what a high-level activity
within a unit, such as marketing or production, is trying to achieve.
Unit performance objectives must be supportive of and subordinate to the unit’s mission. Let’s
look at an example: if delivering services is one of the unit’s key activities, a unit
performance objective could be to deliver services that meet or exceed the service level
expectations of all customers in the most efficient manner.

A key performance objective (KPO in figure 7.3) is a clear statement of what a sub-activity of a
high-level activity is trying to achieve (advertising could be a sub-activity of marketing). A key
performance objective contributes to achieving its parent unit performance objective.

The unit performance objective, in turn, contributes to the achievement of the mission. Key
performance objectives must be supportive of and subordinate to a unit performance objective.

Achieving a family of key performance objectives relating to a unit performance objective will
result in the achievement of that unit performance objective.

A specific performance objective is a clear statement of what a low-level activity is trying to
achieve (e.g. preparing advertisements is a low-level activity of marketing). A specific
performance objective contributes to the achievement of its parent key performance objective.
Specific performance objectives must be supportive of and subordinate to a key performance
objective.

Achieving a family of specific performance objectives that relate to a key performance objective
will result in the achievement of that key performance objective (Barlow et al 1995:88–90).
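
The measure, standard and hierarchy rules described above can be made concrete in code. The following Python example is added here for illustration and is not part of the study guide or of Barlow et al: it computes two performance measures from constructed evidence (a short access log for a confidential payroll file, and the number of days each creditor took to be paid), rates each leaf objective against its standard as good, acceptable or poor, and rolls the result up a hypothetical hierarchy in which a unit mission has two key performance objectives. The objective names, the standards (zero unauthorised accesses; at most two creditors unpaid after 30 days) and the sample data are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample evidence (not from the study guide): one month of access
# records for a confidential payroll file, and days from invoice to payment
# for each creditor.
ACCESS_LOG = [
    "2019-03-02T09:14 alice payroll.xlsx authorised",
    "2019-03-05T17:41 bob   payroll.xlsx unauthorised",
    "2019-03-19T11:02 carol payroll.xlsx authorised",
]
DAYS_TO_PAY = {"Acme": 12, "Bolt": 31, "Cable": 45, "Drill": 28}


def unauthorised_accesses(log: List[str]) -> int:
    """Measure for 'maintain confidentiality': number of unauthorised accesses."""
    return sum(1 for line in log if line.split()[-1] == "unauthorised")


def creditors_over_30_days(days: Dict[str, int]) -> int:
    """Measure for 'pay creditors within 30 days': creditors still unpaid after day 30."""
    return sum(1 for d in days.values() if d > 30)


@dataclass
class Objective:
    """A performance objective with its measure and standard. A parent objective
    has no measure of its own; its achievement is derived from its children."""
    name: str
    measure: Optional[Callable[[], float]] = None
    standard: Optional[float] = None      # minimum required level of performance
    lower_is_better: bool = True          # e.g. unauthorised accesses: fewer is better
    children: List["Objective"] = field(default_factory=list)

    def rating(self) -> str:
        """good = better than the standard, acceptable = equal to it, poor = worse."""
        actual = self.measure()
        if actual == self.standard:
            return "acceptable"
        better = actual < self.standard if self.lower_is_better else actual > self.standard
        return "good" if better else "poor"

    def achieved(self) -> bool:
        """A leaf is achieved when it meets or beats its standard; a parent only when
        every subordinate objective is achieved (one failure fails the parent)."""
        if self.measure is None:
            return all(child.achieved() for child in self.children)
        return self.rating() != "poor"


def evaluate(obj: Objective, out: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Walk the hierarchy top-down and record a verdict for every objective."""
    out = {} if out is None else out
    if obj.measure is not None:
        out[obj.name] = obj.rating()
    else:
        out[obj.name] = "achieved" if obj.achieved() else "not achieved"
    for child in obj.children:
        evaluate(child, out)
    return out


def build_example() -> Objective:
    # Hypothetical hierarchy: a unit mission with two key performance objectives.
    return Objective("mission: run the accounts unit reliably", children=[
        Objective("KPO: pay creditors within 30 days",
                  measure=lambda: creditors_over_30_days(DAYS_TO_PAY), standard=2),
        Objective("KPO: maintain confidentiality of payroll data",
                  measure=lambda: unauthorised_accesses(ACCESS_LOG), standard=0),
    ])


if __name__ == "__main__":
    for name, verdict in evaluate(build_example()).items():
        print(f"{verdict:13} {name}")
```

Note the direction flag: for the confidentiality objective fewer unauthorised accesses is better, so a standard of zero sits at the upper end of the measure, as the text describes. In the constructed data the single recorded unauthorised access fails that objective and, because every subordinate objective must be achieved, the mission is not achieved either, even though the creditor objective is exactly on standard.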

Mission of the organisation

In the field of organisational performance, the mission is the ultimate performance objective of
an organisation or unit. It conveys the reason for the organisation or unit’s existence and what it
is trying to achieve.

The mission should be the starting point for any formal organisational performance management
system. The establishment of performance objectives at progressively lower levels in the
organisation must be governed by those established above and therefore ultimately, by the
organisation’s mission.

The direction and focus provided by the organisation’s mission cascade down in the organisation.

The mission drives organisational performance, since the performance of the entire
organisation’s units, no matter how they are defined, must be focused on achieving the
organisation’s mission (Barlow et al 1995:90).

The relationship between the mission and performance objectives

The mission of an organisation or unit is the highest-level performance objective. Achieving a
performance objective can be seen as putting a single piece of a puzzle in its place. To complete
the puzzle all the pieces must be put in their right places.

To achieve its mission, an organisation or unit must achieve all its performance objectives.
Achieving all but one performance objective will leave the picture incomplete (Barlow et al
1995:91).

The mission statement is a clearly worded, concise statement of what the organisation is trying
to achieve, how it intends to achieve it, and why (Barlow et al 1995:92).

The mission statement articulates the organisation’s vision of the future. It is a statement of how
the organisation’s top management see it at some future date (David 2014). It has been found
that the mission statements of companies in the United States often include a pronouncement
on one or more of the following components:

• Customers: Who are the company’s customers?
• Products or services: What are the company’s major products or services?
• Location: Where does the company compete?
• Technology: What basic technology is the company using?
• Concern for survival: What is the company’s commitment to economic objectives?
• Philosophy: What are the company’s basic beliefs, values, aspirations and philosophical
priorities?
• Self-concept: What are the company’s major strengths and competitive advantages?
• Public image: What are the company’s public responsibilities and what image does it desire?
• Employees: What is the company’s attitude towards its employees?

Establishing performance objectives

The starting point for establishing the performance objectives of an organisation or unit is its
mission. Given the mission, you can identify the highest-level activities that the organisation or
unit must perform if it wants to achieve its mission.

In units, unit-level performance objectives can be established for these key activities. Then,
through functional decomposition, you can break down the highest-level activities
into their component sub-activities and thus begin to define the activity hierarchy.

You can complete the hierarchy by repeating the process at successive levels.

You can use the activity hierarchy to establish a hierarchy of performance objectives which must
be internally consistent, in other words, the performance objectives specified at one level must
together fully define the performance objective at the next level up in the hierarchy. Each
objective should reflect what an activity’s customers want regarding its output. Performance
objectives must therefore be output oriented.

Good performance objectives are -

• measurable (quantitative)
• specific
• results (output) centred
• realistic and attainable
• time-bound

In contrast to this, unsound performance objectives are -

• non-measurable (qualitative)
• general
• minimal or unattainable
• not time-bound

Unit managers are responsible for establishing performance objectives for their activities in
collaboration with their immediate manager. They may not set the performance objectives
unilaterally. They should first agree on them with their higher-level manager.

Once agreed on, the performance objectives must be communicated to all unit staff to gain their
commitment to achieving them (Barlow et al 1995:92–94). Internal auditors need to be prepared
to assist managers at all levels in establishing performance objectives.

Formally defined performance objectives are relevant to the business, measurable, and
supportive of and subordinate to the organisation’s mission.

As an internal auditor, you must have the skills and knowledge required to set performance
objectives. If you do not have the required skills and knowledge or lack the self-confidence
required to guide the manager through the task, you should enlist the help of a suitably qualified
consultant.

Performance objectives should not be set in concrete. Managers should review them regularly
and adjust them if necessary.

Assessing the performance objective component

As part of assessing a unit manager’s control system, the internal auditor should assess the quality
of the performance objective component. This means assessing the quality of the unit’s
performance objectives, including its mission, performance measures and standards.

If an activity within a unit is being audited, the internal auditor needs to assess both the
performance objective component of the activity and the consistency between the unit’s overall
mission and the mission of the activity.

To be able to assess the quality of performance objectives the internal auditor needs standards
against which to compare the manager’s objectives. These standards must be either generally
accepted standards used in the organisation or generally accepted standards agreed on with the
manager before the evaluation commences.

Performance objectives should -

• have three elements – an objective, a measure and a standard
• be clearly stated and unambiguous
• be consistent with higher-level performance objectives
• be relevant to the activity
• relate to the quality or quantity of the output of the activity, its cost or the time taken to
produce it (quality, quantity, time and cost)
• be realistic and achievable within the planning period, usually the financial year
• be documented
• be communicated to all staff members who are involved in achieving them

Commitment must be obtained to achieve performance objectives. Unit managers must
implement commitment controls that provide assurance that staff will be committed to achieving
the unit’s performance objectives (Barlow et al 1995:94–95).

Assessing missions

When assessing the mission of the organisation or a unit, the internal auditor must first find out
whether the organisation or unit has established its mission and communicated it in some form
of mission statement.

If no mission has been established, the internal auditor must report this, and the potential effect
it may have on organisational performance, to top management and/or the audit committee, and
must encourage top management to establish and communicate the organisation’s mission.

Without a formally defined mission statement, the organisation or unit will be without direction.
It will struggle to -
• ensure unanimity of purpose within the organisation
• provide a basis, or standard, for allocating organisational resources
• establish a general tone or organisational climate
• serve as a focal point for individuals to identify with the organisation’s purpose and
direction
• deter those who cannot identify with the organisation’s purpose and direction from
participating further in the organisation’s activities
• facilitate the translation of objectives into a work structure involving the assignment of
tasks to the elements responsible in the organisation

• specify organisational purposes and the translation of these purposes into objectives in
such a way that cost, time and performance parameters can be assessed and controlled

Secondly, the internal auditor needs to assess if the mission statement conveys the organisation
or unit’s reason for existence. To assess this the internal auditor must have a good understanding
of the organisation or unit, particularly its purpose.

The internal auditor must report any shortcomings to top management and/or the audit
committee. Shortcomings usually occur when an organisation or unit does not fully understand
the nature of its business and underlying purpose.

For example, many manufacturing organisations fail to appreciate that they are in the service
business. They tend to pay more attention to their products than to the services they deliver. It
means that they have a product rather than a customer focus.

Manufacturers love their products and forget that customers buy them because they meet a need
or specific want.

Think about the number of products that you have bought that don’t satisfy your need –
screwdrivers that do not have a good grip, pens that mess ink, teapots that pour everywhere but
into your cup, and so on.

Thirdly, the internal auditor needs to assess if the mission has been translated correctly into
performance objectives.

Even when an organisation or unit has established a good mission statement, it may fail to set
performance objectives for those activities that are central to the achievement of its mission. This
is unlikely to happen if the organisation or unit has a good understanding of what business it is in
and the customer needs that it is satisfying.

Fourthly, the internal auditor needs to assess if managers are keeping their mission statements
in line with the changing needs and wants of their customers.

Fifthly, in publicly funded organisations, the internal auditor needs to assess if the organisation’s
reason for existence is still valid and that customers still have a genuine need for the service
provided (Barlow et al 1995:95–96).

When assessing the quality of the organisation or unit’s mission, the internal auditor must exercise
diplomacy. Managers do not take kindly to being told bluntly that their objective statements are
wrong. Point out shortcomings and suggest improvements.

The illustration below shows the mission and objectives and the planned outcomes of the
organisation in relation to the organisational processes. It shows where economy, efficiency and
effectiveness fit into these processes.

ACTIVITY 7

Describe the meaning of a mission in the context of organisational performance and
explain the relationship between the mission and performance objectives.

FEEDBACK

This question covers the theory of the mission statement and performance objectives of
an organisation, which is discussed in detail in your study guide.
You had to start by explaining what a mission statement is and then link it to performance
objectives.
Ensure that you study all your theoretical work in detail!

ACTIVITY 8

As an internal auditor at an organisation that manufactures stationery, you are
currently compiling an audit programme to conduct an operational audit on the plant
that manufactures pencils.
Your audit objective is to evaluate the economy, efficiency and effectiveness of the
plant.

During the preliminary survey, you acquired the following information on the activities
of the pencil plant and the purchase and stock keeping of materials for production
purposes:

• Purchases of production material are done on behalf of the pencil plant by
personnel from the finance section who are responsible for handling purchases for
the pencil plant.
• Stock levels of production material are monitored by computer. All purchases,
requisitions and write-offs are keyed into the computer by the assistant to the
storeroom foreman.
• Purchases of production material are based on notices printed by the computer and
approved by the head of the plant as soon as the stock reaches certain minimum
levels.

Based on the information given in the question, you are required to formulate four (4)
audit procedures for each of the three E’s that you would include in your audit
programme in order to evaluate the economy, efficiency and effectiveness of the
pencil plant.

FEEDBACK

In this question, you had to apply the theoretical knowledge you have acquired of
economy, efficiency and effectiveness and use that knowledge to formulate audit
procedures.

A general problem is that students formulate audit procedures that do not refer to
economy, efficiency or effectiveness. For this question, write down all the aspects that
relate to economy, efficiency or effectiveness and then formulate an audit procedure that
relates to each of those aspects, considering the information provided in the question.

For example, effectiveness deals with the achievement of results. An audit procedure
would read as follows:
To identify (formulation of audit procedure – “to evaluate” or “to inspect” can also be
used) factors that impeded the achievement of results (theoretical knowledge
regarding effectiveness) throughout the manufacturing department of ABC Ltd
(application to question).

Take note: No marks will be allocated if the audit procedures are not correctly formulated!

ONLINE ASSESSMENT

Do the online assessment multiple-choice questions on myUnisa.

NOTES
Make your own notes here:
Learning unit 9
Identifying the audit field and the
performance audit process

Contents
9.1 INTRODUCTION 70
9.2 SPECIFIC CONSIDERATIONS IN THE CHOICE OF AN AUDIT FIELD 70
9.3 STEPS IN THE CHOICE OF THE AUDIT FIELD 72
9.4 THE PERFORMANCE AUDIT PROCESS 73

9.1 INTRODUCTION
This learning unit will deal with the identification of the audit field as the first and one of the
major steps of the performance audit process.

We will begin by discussing certain considerations that apply when identifying the audit field and
then discuss the steps that should be followed in this process.

The most critical question the internal auditor must answer when conducting a performance audit
is which section, function or activity should be audited. In other words, where is a performance
audit most needed and on what should the audit focus?

The elements of the definition as point of departure

The three basic elements of the definition of performance auditing need to be considered during
the planning of the performance audit engagement – see section 3.4.4: elements of the definition
as point of departure in your prescribed textbook, Assurance: An Audit Perspective.

9.2 SPECIFIC CONSIDERATIONS IN THE CHOICE OF AN AUDIT FIELD

The long-term planning of the internal audit department

Here we will focus on the specific matters that affect the performance audit process. Internal
auditors usually operate on a limited budget regarding the funds and hours available for
performance auditing.

Consequently, the available time and money must be used in those areas with the greatest
possibility of improved performance.

Because the purpose of the internal audit activity is to support management of the organisation
in discharging their responsibilities, internal audit projects should focus on the aspects that are
important to management in achieving both their own goals and those of the organisation.
The bigger the effect of a particular activity on the attainment of the goals of the organisation,
the more important the effective functioning of that activity is for management.

The long-term planning of the internal audit activity, which is approved by management and the
audit committee, should also provide for operational audit projects. When the chief audit
executive prepares the long-term planning of the internal audit activity, he or she needs to
evaluate the risks faced by that enterprise and identify the critical conditions within the
enterprise.

The following factors could reveal critical conditions for the purposes of performance auditing
and indicate possible risk areas:

• income, expenses, concentration of fixed assets, sales, production volumes, staff numbers
and staff costs for one activity or department that appears to be high in comparison with the
figures for other activities or departments in the organisation
• poor control, for example owing to an inadequate manufacturing control system, poor
management reporting or poor planning and control system
• cases of abuse or carelessness, for example a production and control system in which
transactions are not recorded or an ineffective personnel evaluation process
• conditions that make it difficult to exercise control, such as inadequate storage facilities, or
delays in a shipping process
• activities that are not efficiently or economically carried out, such as ineffective procedures,
duplication of tasks, unnecessary work and surplus staff
• trends shown up by in-depth analyses, such as major increases or decreases in sales, cost per
item, staff numbers, stock levels, et cetera
• areas in which management have identified specific weaknesses or the need for
improvement, such as personnel functions, manufacturing procedures, data-processing
methods and management reporting
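
As an added illustration of the first and sixth factors above (figures for one department that look high against the other departments, and major increases or decreases between periods), here is a Python screen for candidate audit fields. It is not from the study guide: the departments and figures are constructed, and the leave-one-out median comparison and the 1.5x and 40% thresholds are assumptions chosen for the example. A real screen would use the organisation’s own figures and thresholds agreed with the chief audit executive.

```python
from statistics import median
from typing import Dict, List, Tuple

# Constructed figures (not from the study guide). For each metric and department:
# (prior year, current year), in arbitrary units.
FIGURES: Dict[str, Dict[str, Tuple[float, float]]] = {
    "staff_cost": {"pencil plant": (4.0, 4.2), "pen plant": (3.8, 4.1),
                   "eraser plant": (3.9, 7.9), "warehouse": (2.1, 2.2)},
    "stock_level": {"pencil plant": (1.0, 1.1), "pen plant": (1.2, 2.6),
                    "eraser plant": (0.9, 0.9), "warehouse": (3.0, 3.1)},
}

# Assumed thresholds: a department is an outlier if its current value exceeds
# 1.5x the median of the other departments; a trend is flagged at a 40% change.
OUTLIER_RATIO = 1.5
TREND_CHANGE = 0.40


def outliers(values: Dict[str, float], ratio: float = OUTLIER_RATIO) -> List[str]:
    """Departments whose value is high compared with the others.
    The median is taken over the *other* departments so that one very large
    value does not hide itself by dragging the median up."""
    flagged = []
    for dept, value in values.items():
        others = [v for d, v in values.items() if d != dept]
        if others and value > ratio * median(others):
            flagged.append(dept)
    return flagged


def trends(values: Dict[str, Tuple[float, float]],
           change: float = TREND_CHANGE) -> List[Tuple[str, float]]:
    """Departments with a major increase or decrease between the two periods,
    returned with the relative change (rounded to two decimals)."""
    out = []
    for dept, (prior, current) in values.items():
        if prior > 0:                       # avoid division by zero for new departments
            delta = (current - prior) / prior
            if abs(delta) >= change:
                out.append((dept, round(delta, 2)))
    return out


def candidate_audit_fields(figures=FIGURES) -> Dict[str, List[str]]:
    """Map each flagged department to the reasons it was flagged.
    Departments with no indication of a critical condition are absent."""
    reasons: Dict[str, List[str]] = {}
    for metric, per_dept in figures.items():
        current = {d: cur for d, (_, cur) in per_dept.items()}
        for dept in outliers(current):
            reasons.setdefault(dept, []).append(f"{metric} high relative to peers")
        for dept, delta in trends(per_dept):
            reasons.setdefault(dept, []).append(
                f"{metric} changed {delta:+.0%} year on year")
    return reasons


if __name__ == "__main__":
    for dept, why in candidate_audit_fields().items():
        print(dept, "->", "; ".join(why))
```

The output is a shortlist with reasons, which is the input to the judgement the text describes and not a substitute for it: a flagged figure is an indication of a possible critical condition, to be confirmed against the other factors and in the preliminary survey before the audit field is chosen.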

Support from management and employees during the performance of the audit

An important consideration in the choice of the audit field for a performance audit is the
willingness of management and the personnel in the chosen audit field to cooperate with the
auditors.

First, management must display a need for the auditing of a particular activity and be prepared
to cooperate in improving that activity. Secondly, the staff working on that activity must be
prepared to cooperate with the internal auditors in carrying out the performance audit and
implementing any proposals that may arise from the audit.

The cooperation of the staff of the organisation when the auditors are conducting a performance
audit is of cardinal importance to its success.

The budget of the internal audit activity

Any decision about the number of performance audit projects that the internal audit activity will
undertake and the scope of each performance audit must consider the size of the internal audit
activity’s budget.
In comparison with financial audit projects, operational (performance) audit projects require a
greater input in respect of planning, information gathering and research, which will influence the
costs attached to operational auditing directly.

When they are compared to the potential advantages and savings, however, the costs become
less important. Therefore, when deciding how much time and money should be spent on an
operational audit, a cost-benefit approach should be used.

The following factors should be considered when drawing up a budget for an operational
(performance) audit:

• Scope of the operational audit: This includes everything that will be subject to the audit.
• Regularity of the operational audit: Is it a once-off audit that requires a major planning
input or is it a repeat audit that will require less planning time?
• Nature of the business: An operational audit of a business that is geared to rendering a
service, or which concentrates on a single product, usually takes less time than an
operational audit of a manufacturing concern or an organisation that produces a wide variety
of products.
• Effectiveness of management: Activities that are not managed effectively usually take
more time to audit than activities that are managed effectively.
• Potential benefits of the operational audit: More auditing time should be spent on areas
with the biggest potential benefits to be derived from an operational audit. The greater the
benefits that could be produced, the more time it will usually take to conduct the audit.

9.3 STEPS IN THE CHOICE OF THE AUDIT FIELD


Identify and describe the problem

The first step is to identify and describe the problems that should be dealt with when conducting
a performance audit.

Management usually have the major burden of identifying problem areas and deciding on the
areas to which attention should be given in an operational audit.

However, the internal auditors can assist management with the identification of problem areas
at their request or carry out preliminary investigations or studies (impact studies) on their own
initiative to identify areas that would benefit from an operational audit. Impact study
questionnaires can be used as an auditing aid to identify critical areas for further investigation.

The purpose of these questionnaires is to establish as quickly as possible what functions are
carried out, who is responsible for carrying them out and why, and how they are carried out.
Answers to these questions can provide information on matters such as the organisation’s goals,
activities, operating methods, systems, procedures and authority structures.

The internal auditor uses the questionnaire as a guide when deciding on further action and he or
she does not rely blindly on the information it contains; it must be supported by adequate
evidence. Impact studies can be conducted to determine what influence a particular section has
on an organisation, or a particular activity has on a section. These studies should be conducted as
part of the long-term planning of the internal audit activity but can also be used to identify
specific areas for performance auditing.

Collect information and evidence

The second step is to collect relevant supporting evidence. If an impact study was conducted as
part of the first step, the internal auditor will already have a large amount of evidence.

The aim of this step is to provide background information about the problem areas identified in
the first step, which can serve as evidence of the problem situations that have been identified.

Evaluate conditions in the organisation

This step involves weighing up the prevailing conditions in the organisation. Factors such as the
organisational structure, available resources, peak times and down times, which might affect the
conduct of the audit, are considered for the submission that must be made to management.

Obtain the approval of management for the operational (performance) audit

When the internal audit activity has gathered sufficient evidence on the areas that have been
identified for conducting a performance audit and it has decided to perform a performance audit,
top management’s approval must be obtained.

The planning of a performance audit on the initiative of the internal audit activity should be
embodied in the audit planning schedule, which should be submitted to top management
annually according to the internal auditing standards.

Any changes in such planning should be resubmitted to management for approval.

The result of this stage of a performance audit is a list of potential performance auditing areas.

9.4 THE OPERATIONAL (PERFORMANCE) AUDIT PROCESS


Although no specific IIA Standards or guidelines exist, several phases in the performance audit
process have been identified in sections 3.4.3 to 3.4.5 of your prescribed textbook, Assurance: An
Audit Perspective, namely the planning phase, the execution phase and the reporting phase.

Planning phase
This formal process of performance auditing commences once the audit field has been identified.
As with any other audit engagement performed by the IAA, the planning of a performance audit
should also comply with the Standards. Internal Auditing Standards 2200 and 2201 lay down
guidelines for the planning of an audit engagement.

STUDY
• Performing Internal Audit Engagements, par 1.3.1
• Internal Auditing: An Introduction, par 6.5

• Assurance: An Audit Perspective, par 3.4.4

A well-structured operational engagement programme is a prerequisite for the effective and
efficient performance of a performance audit.

Execution phase
In order to be able to carry out the fieldwork phase of a performance audit, the auditor requires a
thorough knowledge of the following:
• performance measurement
• basic audit procedures
• collection of information and record keeping

It is especially important in the execution of the fieldwork phase for appropriate, adequate, complete and
accurate information to be collected and that the information should be properly documented in audit
working papers to support audit findings.

STUDY
Performing Internal Audit Engagements:
• Par 3.9 (p 135)
• Par 4.9 (p 192)
• Par 5.9 (p 252)
• Par 6.10 (p 320)
• Par 7.9 (p 357)
• Par 8.6 (p 374)

Reporting phase
The main purpose of the performance audit report is to bring useful and timely information on
material operational deficiencies to the attention of management and recommend
improvements.

STUDY

• Assurance: An Audit Perspective (2018), par 3.4.5
• Performing Internal Audit Engagements (2017), Chapter 9
• Learning Unit 3 and revise the following topics applicable to operational auditing:
• Aim and principles of operational audit reporting
• Drafting an operational audit report
• Following up audit results

If the audit has been correctly carried out, the audit findings will already have been discussed
with interested members of staff and management by this time and efforts will already have
been made to rectify deficiencies in the system. The final operational audit report is basically
merely a summary of the operational audit, documenting the following:

(1) what the operational audit team has achieved
(2) what was found in the course of the audit
(3) the extent of the operating deficiencies in the section reviewed
(4) the steps taken by the operating personnel to rectify the situation

REFLECTION

Refer to Additional Resources on myUnisa on “A simple approach to developing an
audit finding”.

Figure: Elements of an audit finding (adapted from Waring & Morgan (2007))

ONLINE ASSESSMENT

Do the online assessment multiple-choice questions on myUnisa.

SUMMARY

In this topic, we dealt with the nature and properties of operational (performance)
auditing and we looked at the possible contribution that performance auditing could
make to the internal audit function and the organisation as a whole.

We saw that operational (performance) auditing is a form of internal audit that
concentrates on achieving the goals of the organisation in the most economic,
efficient and effective manner in order to optimise the performance of the
organisation.

We have studied the main components of operational (performance) auditing, namely
financial, compliance, economy, efficiency and effectiveness. The concepts of
economy, efficiency and effectiveness were studied in greater detail.

Because performance objectives are an important element of any investigation into an
organisation’s effectiveness and the internal auditor frequently has to develop
performance objectives in cooperation with management, we established that
operational (performance) auditing is justified according to the internal auditing
standards.

We also saw that all the internal auditing standards are applicable to operational
(performance) auditing, but that special attention should be paid in operational
(performance) auditing to particular aspects of the internal auditing standards.

Furthermore, we analysed the advantages of operational (performance) auditing and
considered the problems related to operational (performance) auditing.

We dealt with the considerations and steps associated with the identification of the
audit field. We saw that the choice of the audit field is an important step of the
operational (performance) auditing process and that it largely determines the success
of the operational (performance) audit.

Once this step has been completed and the internal auditors have obtained a mandate
to conduct the audit, the steps of the performance audit process, namely planning,
audit programme development, fieldwork, developing recommendations, and
reporting, are carried out formally.

At the request of management, the internal auditors can also assist with the
implementation of the proposed improvements.

NOTES
Make your own notes here:
TOPIC 4
Fraud Auditing
Contents
LEARNING UNIT 10: The basic concepts of fraud 78

LEARNING UNIT 11: Fraud risk 88

LEARNING UNIT 12: Fraud prevention and detection 94

LEARNING UNIT 13: Fraud investigations 102

INTRODUCTION TO AND PURPOSE OF THE TOPIC

The internal auditing standards require internal auditors to exercise due professional care in
performing internal audits. This presupposes that internal auditors should be alert to conditions
and kinds of activities where irregularities are most likely to occur.

To meet this requirement, internal auditors need a basic knowledge of the ways in which fraud is
committed in practice, the symptoms of fraud, methods of detecting and preventing fraud, and
the internal auditor’s responsibilities regarding fraud.

In this topic, we will define fraud, discuss the basic concepts and elements of fraud and determine
the responsibility of the internal auditor and management in respect of fraud prevention, fraud
detection and fraud investigations.

LEARNING OUTCOMES

After you have studied this topic, you should be able to do the following:

– Acquire basic knowledge of the ways in which fraud is committed in practice and of
the symptoms of fraud (LU 10).
– Identify fraud risks (LU 11).
– Determine the responsibility of management and of the internal auditor in respect
of fraud prevention and detection (LU 12).
– Explain the nature of a fraud investigation, as well as the procedures followed when
conducting a forensic audit (LU 13).

Learning unit 10
The basic concepts of fraud

Contents
10.1 INTRODUCTION 78
10.2 DEFINITION OF FRAUD 78
10.3 FACTORS OF AND REASONS FOR PERPETRATING FRAUD 79
10.4 FRAUD INDICATORS 80
10.5 CATEGORIES, FORMS AND EXAMPLES OF FRAUD 81

10.1 INTRODUCTION
The cost of employee fraud runs into billions of rand annually in South Africa alone.

Although efforts are made on a national scale to combat fraud – such as the establishment of the
Investigating Directorate: Serious Economic Offences that concentrates on fraud investigations –
fraud is expected to continue increasing.

In this learning unit, we will define fraud and explain the elements by which it can be recognised.
We will introduce various, widespread forms of fraud and the main factors that motivate people
to commit fraud.

10.2 DEFINITION OF FRAUD


Fraud is an unlawful and intentional misrepresentation that causes actual prejudice or that is
potentially prejudicial.

The IPPF defines fraud as follows:

“Any illegal act characterised by deceit, concealment, or violation of trust. These acts are not
dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and
organisations to obtain money, property, or services; to avoid payment or loss of services; or to
secure personal or business advantage.”

Fraud in an organisation refers to a situation in which a person uses his or her occupation for
personal gain through intentionally misusing or misappropriating the organisation’s resources
and/or assets.

According to Wells (2011), four general elements must be present for a fraud to exist:
• a material false statement;
• knowledge that the statement was false when it was uttered;
• reliance of the victim on the false statement; and
• damages resulting from the victim’s reliance on the false statement.

10.3 FACTORS OF AND REASONS FOR PERPETRATING FRAUD

Figure 10.1: Three factors leading to fraud

Pressure (motivation): First, pressure is exerted on an individual, which could be either internal
pressure caused by debt or a desire for riches, or external pressure in the form of pressure exerted
by the organisation on management to achieve projected profit figures and budgets.

Opportunity: Second, uncontrolled access to organisational assets tempts employees to
appropriate these assets for their own profit.

Rationalisation: Third, personality disorders in some people contribute to fraud being
perpetrated. Most people generally want to be honest; unfortunately, some people choose to be
dishonest.

Understanding the nature of these three factors and their context in a specific organisation
is foundational for effective fraud risk management.

Opportunity is the element that the organisation can best manage by implementing the necessary
internal controls and procedures – even though internal controls can never provide absolute
safeguards against fraud.

Characteristics of fraudsters

See sections 6.1 and 6.2 (fraud versus corruption and fraud) and 6.2.1 (psychology of fraud) in your
prescribed textbook, Assurance: An Audit Perspective, for the psychological characteristics of a fraudster.
These fraudsters are well aware of their actions and of the harm done to their unsuspecting victims.

STUDY

• International Professional Practice Framework (IPPF), Attribute Standard 1210-A2.
• Chapter 6.2.1: reasons for organisational fraud in your prescribed textbook:
Assurance: An Audit Perspective

RECOMMENDED READING

Supplemental Guide: Internal Auditing and Fraud

10.4 FRAUD INDICATORS

Fraud indicators, commonly known as “red flags”, are key indicators in an organisation of
poor internal controls or of the fact that irregularities have already occurred in the organisation.

Typical fraud indicators are the following:

• missing documents
• cash shortages
• high personnel turnover
• low employee morale

A detailed list of fraud indicators can be found in Chapter 6.2.1: fraud indicators of your prescribed
textbook: Assurance: An Audit Perspective.

Personal red flags are often quite obvious, for example a person living above his or her means, or
in cases of nepotism, doing business with family members.

STUDY
Section 6.2.1: fraud indicators in your prescribed textbook: Assurance: An Audit
Perspective

ACTIVITY 9

The internal auditors of a bank suspect that one of the bank officials has given loans to
fictitious businesses, then transferred the loan amounts to her own bank account, and
never paid the instalments, as a result of which the bank has suffered material losses.

The bank official’s colleagues believe that her luxurious house and expensive vehicles,
irrespective of her average income, can be attributed to her working wisely with her
money by investing it carefully. They are not surprised that she is in a management
position at a relatively young age because she gets on well with everyone in the bank,
does favours for management, works more overtime than any other official, and never
takes any leave.

The internal auditors were therefore surprised at first by the bank official’s nervous
appearance and her unwillingness to answer their questions.

REQUIRED
(1) Name and briefly discuss the elements of fraud that are present in the bank
official’s behaviour.

(2) Identify the warning signs in the case study that strengthen the suspicion that the
bank official has probably committed fraud.

FEEDBACK

(1) Elements of fraud present in the bank official’s behaviour

• Unlawful and intentional: The actions of the bank official were intentional.
Approving loans to fictitious companies and then appropriating the funds for
own use was intentional, because she was aware that her actions were unlawful
and that the bank would incur a loss as a result.
• Misrepresentation: The bank official made a purposeful misrepresentation to
the bank by creating the impression that the bank was lending money to
companies, while she misappropriated the funds for herself.
• Prejudice: The actions of the bank official caused actual prejudice for the bank
as the loan instalments were not paid and the bank was not able to recover the
money.

(2) Warning signals reinforcing the suspicion that the bank official probably
committed fraud

• The bank official owns a luxury house and motor cars, but she earns an
average income.
• She gets on well with everybody in the bank and does favours for management.
• She works more overtime than any other official at the bank.
• She never takes any leave.
• The bank official appears to be nervous during the audit and is unwilling to
answer questions, even though she seems to get on well with everybody.

10.5 CATEGORIES, FORMS AND EXAMPLES OF FRAUD


To ensure that you will recognise fraud in practice it is important that you should be familiar with
the different ways in which fraud can be committed.

People from inside or outside the organisation can perpetrate fraud to benefit the organisation.
However, fraud can also be perpetrated by people from inside or outside the organisation to the
detriment of the organisation.

Specific forms of fraud are identified both in literature and in practice. The most common forms
are as follows:
• misappropriation
• embezzlement
• white collar fraud
• external fraud
• computer fraud
• management fraud
• employee fraud

Misappropriation takes place when a person, to whom the responsibility for certain assets
belonging to another party has been entrusted, uses such assets or allows them to be used in any
way that conflicts with the interests or instructions of the owner of the assets, usually with
malicious or deceptive intent.

The following are examples of misappropriation by employees:

• improper appropriation of money, whether generated by cash sales, collected from debtors,
or generated by the unauthorised sale of assets
• irregular appropriation of cash received from the sale of assets of which proper record was
not kept, for example portable tools, spares, obsolete or unusable inventory or assets that
had been written off
• theft of goods, stationery, assets, etc. that belong to the organisation
• irregular transfer of goods or money to a fictitious third party

Misappropriation becomes embezzlement when any attempt is made to conceal the act of
misappropriation, for example by offering false explanations or falsifying documents.

Both misappropriation and embezzlement can be committed against individuals or organisations.

The following are examples of embezzlement that are attempts to conceal the act of
misappropriation:

• altering documents, records or vouchers
• creating false invoices or credit notes
• creating fictitious supplier accounts
• creating false purchase invoices or destroying suppliers’ credit notes
• purchasing items for private use on the organisation’s accounts and using the organisation’s
credit cards for personal purchases
• submitting false claims for remuneration for expenses
• creating fictitious employees on the organisation’s payroll
• approving unauthorised deliveries
• granting special favours or concessions to clients or other parties in exchange for
remuneration in the form of cash or benefits
• using the organisation’s contacts to run a business that is in competition with the employer

White collar crime is a term used for fraud committed by a respected person or a professional
person who enjoys high social status in the exercise of his or her profession.

White collar fraud largely coincides with other forms of fraud discussed in this learning unit. The
following are some examples:

• crimes committed by people on an individual or ad hoc basis, such as buying goods on credit,
fully knowing that they do not have the means to pay for them
• crimes committed by virtue of a person’s position in an organisation or government or other
body, which is in conflict with his or her duties or loyalty towards his or her employer, possibly
in the form of bribery, embezzlement or misuse of confidential information to which he or
she has access
• crimes designed to benefit the organisation, such as publishing false information in financial
reports, overvaluing security offered to secure a loan, or placing misleading
advertisements
• conducting a business that is of a criminal nature, such as misleading or deceptive insurance
schemes or property transactions

External fraud takes place when people outside the organisation perpetrate fraud against the
organisation.

To be able to perpetrate fraud against an organisation, these people (suppliers, customers and
their staff) must know the organisation’s controls and procedures and how to gain access to the
organisation’s assets in the ordinary course of business.

External fraud can also be committed by the organisation’s own staff against other organisations
with which the organisation has business relations. Collusion between staff from various
organisations to derive advantage from transactions between the organisations is also possible.

The following are examples of external fraud:

• short deliveries at a point where the control of the quantities delivered is inadequate
• false claims against suppliers for shortfalls on deliveries and products of poor quality
• false statements about work done on construction sites, or repair and service contracts,
where inadequate control is exercised over these contracts
• purchasing goods on credit, fully knowing that it will not be possible to pay the account or
tendering a stolen credit card or a falsified cheque
• misusing confidential information of an organisation by people in a position of trust, for
example misusing computer access controls, or disclosing or selling sensitive marketing
information to a competitor of the organisation

Computer fraud

The form of fraud in which computer programs and computer-stored data are manipulated to gain
unlawful access to funds and other resources is known as computer fraud. Computer fraud is
perpetrated by people with a thorough knowledge of computers and computer applications.

Computer fraud can take numerous forms and is increasing all the time. The following are only a
few basic examples of computer fraud:

• unauthorised alteration of master files
• manipulation of computer input
• manipulation or destruction of computer output
• unauthorised modification of an application program or a transaction procedure
• unauthorised modification of computer operating systems or hardware

The best protection against computer fraud is prevention.

Management fraud

Management fraud is the deliberate manipulation of financial and other reports to mislead the
users of the reports about the performance of management.

Management fraud can be perpetrated for personal gain, to obtain bigger bonuses or promotions,
or for the benefit of the organisation, for example to evade taxation or make the organisation’s
financial performance look better.

Management fraud is a serious offence, which is very difficult to detect because it is committed
by a person who has the power to manipulate records and destroy evidence.

The following are examples of management fraud:

• withholding or destroying documents that contain information on activities and differ from
other reports on such activities
• falsifying documents or other evidence to support fictitious records or reports
• colluding with third parties to create false records and evidence to support fictitious records
and reports
• over-reporting of profits and profitability, for example by failing to record certain purchase
invoices to make expenditure appear lower, by taking fictitious credit notes into account
when calculating the purchasing figures, by deliberately overvaluing inventory, or by
underreporting provision for uncollectible debt or losses
• manipulating accounting cut-off procedures to prevent the matching of income and
expenditure, for example where credit notes for the current year are taken into account, but
the purchase invoice to which the credit note refers is shown under the following financial
year
• issuing falsified financial statements with the object of misleading shareholders

Management fraud is also discussed in chapter 6, section 6.2.1: management fraud, of your
prescribed textbook: Assurance: An Audit Perspective.

Employee fraud

Employee fraud refers to cases where individual employees defraud their employers, such as
misappropriating assets (e.g. a company laptop).

Employee fraud is discussed in chapter 6, section 6.2.1: employee fraud, of your prescribed
textbook: Assurance: An Audit Perspective.

Note: Although we have distinguished between various forms of fraud in this section, any use of
the word “fraud” in the rest of this study guide should be taken to refer to fraud in all the possible
forms in which it can occur in practice.

ACTIVITY 10

Incident 1

During the review of casual wages in a small and remote branch, it was found that small
amounts of money were being paid from the casual wages float.

The fact that the amount was too small to be a casual wage led to the investigation.
When the person responsible for paying the casual wages was questioned, she broke
down in tears and admitted to stealing the amount to pay for her car wash every week.

Upon further investigation it became clear that the casual wages paid are not
authorised, as the amounts are insignificant.

Incident 2

The following incident was reported anonymously via the fraud hotline.

All brochures of the organisation are printed on a regular basis by a specific printing
company that was appointed due to its knowledge of the tourism industry, reasonable
pricing and the good quality of the brochures it supplies. These brochures are printed
on a quarterly basis to ensure that all the specials for the different seasons are included.

During the investigation, it became clear that a newly formed company was doing the
printing of the brochures. Through further investigation, it became clear that the
owner of the company is the brother of the procurement officer responsible for
ordering the brochures.

It came to light that over the past few months, the brochures were not printed at the
best price or quality and that the price paid was higher than the average market price.
This was evidenced by the doubling of printing costs over the past financial year. In
addition, it was noted that a part of the printing costs was classified as advertising
costs.

It was also discovered that the procurement officer received 25% in cash back from his
brother for all brochures ordered from the company.

Once the brochures ordered had been compared with the brochures delivered, it
became evident that the brochures ordered were not all delivered.

Incident 3

This incident relates to the cancelled bookings process currently being implemented
by all the branches.

During a review of the refunds made to individuals, it became clear that a significant
amount of money was refunded to a specific individual on a regular basis.

Through an investigation, it became clear that the person was employed by a large
organisation and her sole responsibility at the company was booking the flights and
hotels for the executive team of that company. Owing to her frequent dealings with
Easy Travel’s personnel, she became good friends with some of the employees at a
specific branch.

Comment on whether the incidents investigated constitute fraud, or not, as defined by
South African law:
• Incident 1
• Incident 2
• Incident 3

FEEDBACK

Incident 1

This incident is clearly fraud. The fact that the amount is small is not important as an
amount was unlawfully and intentionally misrepresented as casual wages.

Incident 2

This incident is clearly fraud. The procurement officer received a 25% kickback for all
orders placed with the company. This incident is unlawful and intentionally done by the
procurement officer. The additional costs are misrepresented as advertising costs.

Incident 3

This incident is an indication of possible fraud that might have been committed. The
information is not sufficient to decide whether or not fraud was committed. Additional
evidence will have to be collected in order to prove or disprove that there was an unlawful
act, an intention to defraud and misrepresentation.
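The indicators the investigation relied on in Incident 2 (a vendor owned by a relative of the procurement officer, printing spend doubling year on year, prices above the market average, printing costs posted to advertising, and short deliveries) can be tested with simple audit analytics before anyone is interviewed. The Python below is an added example, not part of the study guide; it runs over constructed purchase-order, goods-received and declaration-of-interest data with invented vendor and employee names, and returns indicators for follow-up rather than a finding of fraud.

```python
"""Audit analytics for the brochure-printing case (Activity 10, Incident 2).

Added example, not from the study guide. All data below is constructed for
illustration; vendors, employees, amounts and GL codes are invented.
Each check returns indicators a reviewer should follow up; none of them
proves fraud on its own (compare the feedback on Incident 3).
"""
from collections import defaultdict

# --- Constructed data ---------------------------------------------------------
VENDORS = {
    "V-OLD": {"name": "Established Printers", "owner": "P. Nkosi", "registered": 2009},
    "V-NEW": {"name": "Bright Print (Pty) Ltd", "owner": "T. Dlamini", "registered": 2018},
}

# Declarations of interest filed by staff (constructed): relatives they declared.
DECLARATIONS = [
    {"employee": "S. Dlamini", "role": "procurement officer", "relatives": ["T. Dlamini"]},
    {"employee": "R. Botha", "role": "branch manager", "relatives": []},
]

# Quarterly brochure purchase orders. Unit prices are in cents so totals stay exact.
PURCHASE_ORDERS = [
    {"po": "PO-091", "vendor": "V-OLD", "year": 2017, "qty": 5000, "unit_cents": 100, "gl": "6100-PRINTING"},
    {"po": "PO-092", "vendor": "V-OLD", "year": 2017, "qty": 5000, "unit_cents": 100, "gl": "6100-PRINTING"},
    {"po": "PO-093", "vendor": "V-OLD", "year": 2017, "qty": 5000, "unit_cents": 100, "gl": "6100-PRINTING"},
    {"po": "PO-094", "vendor": "V-OLD", "year": 2017, "qty": 5000, "unit_cents": 100, "gl": "6100-PRINTING"},
    {"po": "PO-101", "vendor": "V-NEW", "year": 2018, "qty": 5000, "unit_cents": 200, "gl": "6100-PRINTING"},
    {"po": "PO-102", "vendor": "V-NEW", "year": 2018, "qty": 5000, "unit_cents": 210, "gl": "6300-ADVERTISING"},
    {"po": "PO-103", "vendor": "V-NEW", "year": 2018, "qty": 5000, "unit_cents": 220, "gl": "6100-PRINTING"},
    {"po": "PO-104", "vendor": "V-NEW", "year": 2018, "qty": 5000, "unit_cents": 230, "gl": "6300-ADVERTISING"},
]

# Goods received notes: quantity actually delivered per PO (constructed).
RECEIPTS = {
    "PO-091": 5000, "PO-092": 5000, "PO-093": 5000, "PO-094": 5000,
    "PO-101": 5000, "PO-102": 4000, "PO-103": 5000, "PO-104": 3500,
}

MARKET_UNIT_CENTS = 110        # constructed average market price per brochure
PRINTING_GL = "6100-PRINTING"  # account where printing costs should be posted


# --- Checks -------------------------------------------------------------------
def related_party_vendors(vendors, declarations):
    """Vendors whose owner appears in an employee's declared relatives."""
    hits = []
    for vendor_id, vendor in vendors.items():
        for decl in declarations:
            if vendor["owner"] in decl["relatives"]:
                hits.append((vendor_id, decl["employee"], decl["role"]))
    return hits


def spend_by_year(orders):
    """Total order value per year, in cents."""
    totals = defaultdict(int)
    for order in orders:
        totals[order["year"]] += order["qty"] * order["unit_cents"]
    return dict(totals)


def spend_ratio(orders, year, prior_year):
    """How many times this year's spend exceeds the prior year's (2.0 = doubled)."""
    totals = spend_by_year(orders)
    return totals[year] / totals[prior_year]


def above_market(orders, market_cents, tolerance=0.25):
    """POs priced more than `tolerance` above the market average."""
    limit = market_cents * (1 + tolerance)
    return [o["po"] for o in orders if o["unit_cents"] > limit]


def misclassified(orders, printing_vendor_ids, expected_gl):
    """Printing-vendor POs posted to an account other than the printing account."""
    return [o["po"] for o in orders
            if o["vendor"] in printing_vendor_ids and o["gl"] != expected_gl]


def short_deliveries(orders, receipts):
    """POs where the quantity received is less than the quantity ordered."""
    return [(o["po"], o["qty"], receipts.get(o["po"], 0))
            for o in orders if receipts.get(o["po"], 0) < o["qty"]]


def run_checks():
    """Run every indicator test over the constructed data set."""
    return {
        "related_party": related_party_vendors(VENDORS, DECLARATIONS),
        "spend_ratio_2018_vs_2017": spend_ratio(PURCHASE_ORDERS, 2018, 2017),
        "above_market": above_market(PURCHASE_ORDERS, MARKET_UNIT_CENTS),
        "misclassified": misclassified(PURCHASE_ORDERS, set(VENDORS), PRINTING_GL),
        "short_deliveries": short_deliveries(PURCHASE_ORDERS, RECEIPTS),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```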

ONLINE ASSESSMENT

Do the online assessment multiple-choice questions on myUnisa.

NOTES
Make your own notes here:
_____________________________________________________________________
_____________________________________________________________________

86
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________

Learning unit 11
Fraud risk

Contents
11.1 INTRODUCTION 88
11.2 KEY PRINCIPLES OF MANAGING FRAUD RISK 88
11.3 GOVERNANCE OF THE FRAUD RISK MANAGEMENT PROGRAMME AND FRAUD RISK ASSESSMENT 91

11.1 INTRODUCTION

All organisations are exposed to fraud risk in any process that involves people.

An organisation’s exposure to fraud is a function of the fraud risks inherent in the business, the
extent to which effective internal controls are present, and the integrity of those involved in the
process.

Fraud risk is the probability that fraud will occur and the potential consequences for the
organisation when it occurs. The probability of a fraudulent activity is based, typically, on how
easy it is to commit fraud, the motivational factors leading to fraud, and the organisation’s fraud
history.

In this learning unit, we will look at identifying fraud risk, performing a fraud risk assessment, and
explaining the key principles of managing fraud risk.

Refer to your prescribed textbook, Assurance: An Audit Perspective, Section 6.3, Management’s
role and responsibility.

11.2 KEY PRINCIPLES OF MANAGING FRAUD RISK

The comprehensive fraud risk management approach, as set out in figure 11.1 below, recognises
and emphasises the fundamental difference between internal control weaknesses that result in
errors and internal control weaknesses that result in fraud.

Figure 11.1: Fraud risk management principles

Source: Committee of Sponsoring Organizations of the Treadway Commission (COSO)

The organisation should implement five components of risk management to establish an
environment that will help it proactively and effectively manage its fraud risk:

• fraud risk governance plan
• fraud risk assessment
• fraud risk mitigation strategies
• regular fraud reporting
• fraud monitoring

The components of the fraud risk management programme are explained below:

Fraud risk governance plan

Fraud risk governance is an integral component of corporate governance and the internal control
environment. The governance plan should explain the strategies, structures, processes and
systems of the organisation, required to reduce fraud. It should also include the recovery of losses
due to fraud, and improved controls to prevent and detect future fraud incidents.

Fraud risk assessment

A fraud risk assessment is a dynamic and iterative process for identifying and assessing fraud risks
relevant to the organisation.

Fraud risk mitigation

Fraud risk mitigation, which is aimed at deterring, preventing and detecting fraud, usually
consists of fraud control activities that are established by means of policies and procedures and
implemented by management.

Fraud control activities are generally classified as either preventive (designed to avoid a
fraudulent event or transaction at the time of initial occurrence) or detective (designed to
discover a fraudulent event or transaction after the initial processing has occurred).

The selection, development, implementation, and monitoring of fraud preventive and fraud
detective control activities are crucial elements of managing fraud risk.

Fraud control activities are documented with descriptions of the identified fraud risk and scheme,
the fraud control activity that is designed to mitigate the fraud risk, and the identification of those
responsible for the fraud control activity.

Fraud reporting

The organisation establishes a communication process to obtain information about potential
fraud and deploys a coordinated approach to investigation and corrective action so that fraud is
dealt with appropriately and in a timely manner.

Fraud risk management monitoring activities

The fifth fraud risk management component relates to monitoring the overall fraud risk
management process.

Internal audit

The roles and responsibilities of internal audit as they relate to fraud management activities are
discussed in chapter 6 of your prescribed textbook. The IIA Standards require that the internal
audit function must identify red flags and review the effectiveness of the fraud risk management
processes.

IIA Standard 2120.A2 – The internal audit activity must evaluate the potential for the occurrence
of fraud and how the organization manages fraud risk.

STUDY

Section 6.4.1, Internal Audit Activity in your prescribed textbook, Assurance: An Audit
Perspective.

11.3 GOVERNANCE OF THE FRAUD RISK MANAGEMENT PROGRAMME
AND FRAUD RISK ASSESSMENT

The IIA defines fraud risk as the probability that fraud will occur and the potential consequences
to the organisation when it occurs. The probability of a fraudulent activity is based, typically, on
how easy it is to commit fraud, the motivational factors leading to fraud, and the organisation’s
fraud history.

Governance of fraud risk management emphasises the importance of a corporate culture,
including the board obtaining assurance about the ethical conduct of management and
employees.

The roles and responsibilities in a fraud risk management programme must be formal and
communicated fully. The tone at the top refers to the entity-wide attitude of integrity and control
consciousness, as exhibited by the most senior executives of an organisation.

The scope of the fraud risk assessment may vary widely depending on the organisation’s size,
complexity, or industry.

All organisations are exposed to fraud risk in any process where human involvement is required.
A fraud risk assessment is often a critical component of an organisation’s larger enterprise risk
management programme.

Fraud risk assessment is a tool that assists management and internal auditors in systematically
identifying where and how fraud may occur and who may be in a position to commit fraud.

11.3.1 Supplemental Guide: Internal Auditing and Fraud (Fraud Risk Assessment)

An organisation’s exposure to fraud is a function of the fraud risks inherent in the business, the
extent to which effective internal controls are present either to prevent or to detect fraud, and the
honesty and integrity of those involved in the process.

A fraud risk assessment is often a critical component of an organisation’s larger enterprise risk
management programme. In addition, it is a tool that assists management and internal auditors in
systematically identifying where and how fraud may occur and who may be in a position to
commit fraud. It further concentrates on fraud schemes and scenarios to determine whether
internal controls are present and whether or not those controls can be circumvented.

A fraud risk assessment generally includes five key steps:

a) Identify relevant fraud risk factors.
b) Identify potential fraud schemes and prioritize them based on risk.
c) Map existing controls to potential fraud schemes and identify gaps.
d) Test operating effectiveness of fraud prevention and detection controls.
e) Document and report the fraud risk assessment.

The scope of the fraud risk assessment may vary widely depending on the organization's size,
complexity, or industry. The five steps are explained in detail below:

a) Identify relevant fraud risk factors
The first step is to gather information about the organisation's business activities to gain an
understanding of fraud risks, including external business relationship partners. This process
includes review of documentation of previous frauds and suspected frauds committed
against or on behalf of the organization, evaluation of related frauds at similar organizations,
and review of the organization's performance measures over the past few years compared
with competitors.

b) Identify potential fraud schemes and prioritize them based on risk

This is where a fraud risk assessment team engages in strategic reasoning to anticipate both
the fraud scheme and the individuals within and outside the organization who could be in a
position to perpetrate each scheme. A fraud risk assessment team is typically composed of
individuals from the internal audit activity, finance, legal, IT, security, and potentially other
functions depending on the nature of the organization. During the process of assessment,
the team reviews the organization's activities, schemes relevant to the industry, geography,
and programs, always considering the basic characteristics of fraud (pressure/incentive,
opportunity, and rationalization). The fraud areas should be identified without regard to the
existing internal controls or their effectiveness.

c) Map existing controls to potential fraud schemes and identify gaps

The fraud risk assessment team identifies preventive and detective controls in place to
address each fraud risk and to assess the likelihood and significance of each potential fraud.
Entity level anti-fraud controls such as the existence of a whistle-blower hotline and whistle-
blower protection policy, board oversight, results of continuous monitoring, code of conduct,
and the tone of management's communications regarding their tolerance for fraud risk are
important elements in this exercise.

d) Test operating effectiveness of fraud prevention and detection controls

Internal auditing typically plays an important role in assessing the operating effectiveness of
internal controls. Internal auditors consider not only the existence of the internal control, but
also the effectiveness of the internal control through periodic testing of the control. For
example, an organisation may implement a security policy over network passwords, which
requires passwords to be changed every 30 days; however, the network system access
controls do not block user access if the password is not changed as required. In this case, the
internal control is present, but is not operationally effective.
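The password-age scenario above, written out as an audit test (added here as an example; it is not part of the study guide or the IIA guidance). It runs over a constructed directory export with hypothetical field names and classifies each account: a successful login after the 30-day change deadline is an exception, because the policy (the control's design) required the change but the access control did not enforce it.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Policy requirement taken from the scenario: passwords must be changed every 30 days.
MAX_PASSWORD_AGE_DAYS = 30


@dataclass(frozen=True)
class AccountRecord:
    """One row of a directory export. Field names are hypothetical; data is constructed."""
    user: str
    password_last_set: date
    last_successful_login: Optional[date]  # None: no successful login in the review period
    enabled: bool                          # account status on the review date


def change_deadline(record: AccountRecord, max_age: int = MAX_PASSWORD_AGE_DAYS) -> date:
    """Date by which the policy required a new password for this account."""
    return record.password_last_set + timedelta(days=max_age)


def classify(record: AccountRecord, as_of: date, max_age: int = MAX_PASSWORD_AGE_DAYS) -> str:
    """Outcome of the operating-effectiveness test for one account."""
    deadline = change_deadline(record, max_age)
    if as_of <= deadline:
        return "within_policy"      # deadline not yet reached: control not due to act
    login = record.last_successful_login
    if login is not None and login > deadline:
        return "exception"          # access obtained after the deadline: control did not operate
    if not record.enabled:
        return "blocked"            # access removed: consistent with the control operating
    return "not_exercised"          # past deadline, but no login observed to test against


def run_test(records: List[AccountRecord], as_of: date,
             max_age: int = MAX_PASSWORD_AGE_DAYS) -> Dict[str, List[str]]:
    """Working-paper view: usernames grouped by test outcome (sorted for stable output)."""
    groups: Dict[str, List[str]] = {k: [] for k in ("within_policy", "exception", "blocked", "not_exercised")}
    for r in records:
        groups[classify(r, as_of, max_age)].append(r.user)
    return {k: sorted(v) for k, v in groups.items()}


def days_past_deadline_at_login(record: AccountRecord, max_age: int = MAX_PASSWORD_AGE_DAYS) -> int:
    """How late the last successful login was relative to the change deadline (exceptions only)."""
    assert record.last_successful_login is not None
    return (record.last_successful_login - change_deadline(record, max_age)).days


def conclude(records: List[AccountRecord], as_of: date, max_age: int = MAX_PASSWORD_AGE_DAYS) -> str:
    """Auditor's conclusion on the control, in the terms the study guide uses."""
    groups = run_test(records, as_of, max_age)
    in_scope = len(records) - len(groups["within_policy"])
    if in_scope == 0:
        return "not tested: no account in the sample was past its change deadline"
    n_exc = len(groups["exception"])
    if n_exc:
        return (f"control present but not operationally effective: {n_exc} of {in_scope} "
                f"in-scope accounts obtained access after the deadline ({', '.join(groups['exception'])})")
    return f"control operating effectively for the sample: {in_scope} in-scope accounts, no exceptions"


# Constructed sample export; the review date is chosen so every outcome occurs once.
REVIEW_DATE = date(2019, 6, 30)
SAMPLE_EXPORT = [
    AccountRecord("alice", date(2019, 6, 20), date(2019, 6, 29), True),   # 10 days old: within policy
    AccountRecord("bob",   date(2019, 4, 1),  date(2019, 6, 28), True),   # deadline 1 May, still logging in
    AccountRecord("carol", date(2019, 5, 10), date(2019, 6, 5),  True),   # past deadline, no login since
    AccountRecord("dave",  date(2019, 3, 1),  date(2019, 3, 30), False),  # past deadline, access removed
    AccountRecord("erin",  date(2019, 1, 15), date(2019, 6, 29), True),   # deadline 14 Feb, still logging in
]

if __name__ == "__main__":
    for outcome, users in run_test(SAMPLE_EXPORT, REVIEW_DATE).items():
        print(f"{outcome:14s} {users}")
    print(conclude(SAMPLE_EXPORT, REVIEW_DATE))
```

Accounts in the "not_exercised" group are a gap in the evidence rather than a pass, and would be followed up by inquiry or a walkthrough before the control is concluded on.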

e) Document and report the fraud risk assessment

Organisations need to document the process that identifies and evaluates fraud risk. Key
elements that would likely be documented in a fraud risk assessment for each significant
business area include:
• the types of fraud that have some chance of occurring
• the inherent risk of fraud
• the adequacy of existing anti-fraud programs, monitoring, and preventative controls
• the potential gaps in the organization's fraud controls
• the likelihood of a significant fraud occurring and the business impact/significance of a fraud

According to IIA Standard 2060: Reporting to Senior Management and the Board, the CAE must
report periodically to senior management and to the board significant risk exposures and control
issues, including fraud risks.

Source: IPPF – Supplemental Guide Internal Auditing and Fraud

ONLINE ASSESSMENT

Do the online assessment multiple-choice questions on myUnisa.

NOTES
Make your own notes here:

Learning unit 12
Fraud prevention and detection

Contents
12.1 INTRODUCTION 94
12.2 FRAUD PREVENTION 94
12.3 FRAUD DETECTION 97

12.1 INTRODUCTION
In this learning unit, we will deal with the prevention and detection of fraud in organisations from
a practical point of view. With the internal auditing standards as the basis, different methods and
criteria are discussed that can be used to prevent and detect fraud in an organisation.

STUDY
Sections 6.5.1 to 6.5.3, Fraud prevention, Fraud detection & Fraud Investigation in your
prescribed textbook: Assurance: An Audit Perspective.

12.2 FRAUD PREVENTION

Fraud prevention entails the implementation of policies and procedures to prevent fraudulent
practices. The best action to take against fraud is prevention. Fraud flourishes in an environment
where it is tolerated and where the measures introduced to combat it are not strict enough.

Fraud is infectious. If members of staff realise that it is tolerated, more of them will attempt to
commit fraud. An organisation that does not follow a strict policy against fraud may, without
realising it, tend to employ dishonest people, which further increases its risk.

Fraud prevention involves those actions that should be taken to discourage the commission of
fraud and limit fraud exposure when it occurs.

The most important measure in the prevention of fraud is control, and the primary responsibility
for the introduction and maintenance of control procedures rests with management.

Internal auditors contribute to the prevention of fraud by evaluating the adequacy and
effectiveness of the internal control system in relation to the degree of exposure and risk that
exists in the different segments of an organisation.

STUDY
Pages 171 to 173, section 6.5.1 and 6.5.2 in your prescribed textbook: Assurance: An
Audit Perspective.

The responsibility of internal auditors in deterring fraud

The responsibility of internal auditors in deterring fraud is set out mainly in the internal auditing
standards and is based on the requirement that internal auditors should exercise due
professional care when conducting internal audit assignments.

Internal auditors are not expected to possess the knowledge of someone whose primary
responsibility it is to detect and investigate fraud, and it is accepted that basic internal audit
procedures will not necessarily lead to the detection of fraud.

Certain specific requirements are, however, laid down regarding the internal auditor’s
responsibility for the prevention, detection, investigation, reporting on and following up of
fraud, and these will be discussed in greater detail in the learning units that follow.

Management’s responsibility for controlling fraud

The environment in an organisation is generally developed and maintained by senior
management and the board of directors. To deter fraud, the environment should be rigorously
controlled.

Management should clearly indicate in written policies their commitment to fair dealing, their
position on conflict of interest, their requirement that only honest employees be hired, their
insistence on strong internal controls that are well policed, and their resolve to prosecute the
guilty.

The policy should be carefully drafted, with input from the organisation. The following should be
considered when establishing a fraud policy:

• All illegal activities, including fraud for the benefit of the organisation, are prohibited.
• The responsibility for conducting investigations will be clearly defined. Usually, it is assigned
to security or internal auditing, or both.
• Any employee suspecting wrongdoing is required to notify immediately his or her superiors
or those responsible for investigations.
• Any suspected wrongdoing will be investigated fully.
• All suspects and perpetrators will be treated consistently, regardless of the position held or
length of service.
• Managers are responsible for being aware of exposures to wrongdoing and for establishing
controls and procedures to deter and detect suspected wrongdoing.

• Managers are required to cooperate fully with law enforcement and regulators, including
reporting to law enforcement and supporting prosecution.
• Cover-ups and retaliation against witnesses will be reported to the board of directors and the
audit committee.

One of the most effective ways of deterring dishonest conduct is not hiring dishonest employees.
The least management can do is to try verifying employees’ backgrounds. Senior management
should insist on proper hiring practices; internal auditors should establish whether those practices
are carried out as intended.

It is the responsibility of management of an organisation to spell out the organisation’s attitude
towards fraud in the form of a written policy and to communicate it clearly to all employees.

Management should also delegate the necessary authority to the internal auditors to enable them
to discharge their responsibilities with regard to fraud. In addition, every organisation should have
an ethical code with which employees must comply and disciplinary procedures that follow any
breach of the ethical code should be known to all employees.

The King IV Report on Corporate Governance in South Africa, which is published by the Institute
of Directors Southern Africa, provides that every organisation’s ethical code be implemented as
part of that organisation’s corporate control.

The best mechanism for controlling fraud is a strict and efficient internal control system.
Management are responsible for establishing and maintaining an organisation’s internal control
system as well as for controlling the functions in the organisation.

Management can use the following operational methods to exercise control over the functions in
the organisation:
• organising
• policy
• procedures
• personnel
• accounting
• budgets
• reporting

STUDY
Chapter 6, sections 6.5.1 to 6.5.2, in your prescribed textbook: Assurance: An Audit
Perspective.

ACTIVITY 11

Apply the provisions of the internal auditing standards regarding the prevention of
fraud:

• Determine management’s responsibility for controlling fraud.
• Determine the responsibility of internal auditors for deterring fraud.

FEEDBACK

Management is responsible for overseeing the activities of employees and typically does
so by implementing and monitoring processes and internal controls. In addition,
management assesses the vulnerability of the entity to fraudulent activity.

Fraud prevention entails implementing policies and procedures, employee training, and
management communication to educate employees about fraudulent activities.

Responsibility of internal auditors for deterring fraud

IIA Standard 1200: Proficiency and Due Professional Care

1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of
fraud and the manner in which it is managed by the organisation, but are not
expected to have the expertise of a person whose primary responsibility is detecting
and investigating fraud.

IIA Standard 1220: Due Professional Care

1220.A1 – Internal auditors must exercise due professional care by considering the:
• Extent of work needed to achieve the engagement’s objectives.
• Relative complexity, materiality, or significance of matters to which assurance
procedures are applied.
• Adequacy and effectiveness of governance, risk management, and control
processes.
• Probability of significant errors, fraud, or noncompliance.
• Cost of assurance in relation to potential benefits.

IIA Standard 2060: Reporting to Senior Management and the Board

Reporting must also include significant risk and control issues, including fraud risks,
governance issues, and other matters that require the attention of senior
management and/or the board.

IIA Standard 2120: Risk Management

2120.A2 – The internal audit activity must evaluate the potential for the occurrence
of fraud and how the organisation manages fraud risk.

IIA Standard 2210: Engagement Objectives 2210.A2 – Internal auditors must consider
the probability of significant errors, fraud, noncompliance, and other exposures when
developing the engagement objectives.

Source: IPPF – Practice Guide Internal Auditing and Fraud

12.3 FRAUD DETECTION

Fraud has two characteristics that contribute to its detection.

In the first place, fraud cannot be undone once it has taken place, despite the most determined
efforts to conceal it; secondly, fraud is always committed with a view to deriving a direct or
indirect financial advantage.

The detection of fraud involves identifying sufficient indications that fraud has taken place,
leading to a recommendation that a formal investigation be conducted. Indications that fraud
has taken place can come to light through the successful operation of internal controls specially
geared to detect fraud, through audit tests carried out by the internal auditors, or through other
sources, either inside or outside the organisation.

Provisions of the internal auditing standards relating to the detection of fraud

The internal auditing standards focus mainly on the internal auditor’s responsibility for the
detection of fraud. The internal auditor’s responsibility arises from the requirement that internal
auditors should exercise due professional care and display competence in the performance of
every audit project.

Due care implies that the internal auditor should conduct a reasonable amount of investigation
and verification, but not that he or she should necessarily audit every transaction in detail.

Consequently, internal auditors cannot provide assurance that no fraud or irregularities have
occurred at an organisation. Nevertheless, the possibility of irregularities and fraud should always
be considered when an internal auditor undertakes an internal audit assignment.

Implementation Guide 1220: Due Professional Care

Along with the IPPF, the internal audit activity’s policies and procedures provide a systematic and
disciplined approach to planning, executing, and documenting internal audit work. By following
this systematic and disciplined approach, internal auditors essentially apply due professional
care. However, what constitutes due professional care partially depends upon the complexities
of the engagement. Standards 1220.A1, 1220.A2, 1220.A3, and 1220.C1 describe the elements
that internal auditors must consider in exercising due professional care.

For example, internal auditors must consider the possibility of significant errors, fraud, and
noncompliance and are expected to conduct examinations and verifications to the same extent
as would a reasonably prudent and competent internal auditor in the same or similar
circumstances.

Yet, Standard 1220 also specifies that due professional care does not imply infallibility. Therefore,
internal auditors are not expected to give absolute assurance that noncompliance or irregularities
do not exist (Source: IIA, 2017).

Supplemental Guide: Internal Auditor and Fraud (Fraud Prevention and Detection)

Although fraud prevention and detection are related concepts, they are not the same. Fraud
prevention involves those actions taken to discourage the commission of fraud and limit fraud
exposure when it occurs such as implementing policies and procedures, employee training, and
management communication to educate employees about fraudulent activities. On the other
hand, fraud detection entails activities and programs designed to identify fraud or misconduct
that is occurring or has occurred.
a) Fraud Prevention

A strong principal mechanism for preventing fraud is effective and efficient internal controls.

COSO identified five components in its Internal Control-Integrated Framework: control
environment, risk assessment, control activities, information and communication, and
monitoring, which may serve as the premise for the design of controls to fight fraud.

The elements are deeply intertwined and overlapping in their nature and provide a natural
interactive process to promote the type of environment in which fraud will not be tolerated at
any level.

b) Fraud Detection

Detective controls are designed to provide warnings or evidence that fraud is occurring or has
occurred. Effective internal controls are one of the strongest deterrents to fraudulent behaviour
and fraudulent actions. Although detective internal controls may provide evidence that fraud
exists, detective internal controls are not intended to prevent fraud.

Fraud detection methods need to be flexible, adaptable, and continuously changing to meet the
changes in the risk environment. While preventive measures are apparent and readily
identifiable, detective controls may not be as apparent (i.e., they operate in the background).

Source: IPPF – Practice Guide Internal Auditing and Fraud

STUDY

• Section 6.5.2 of your prescribed textbook: Assurance: An Audit Perspective

• International Professional Practice Framework (IPPF), Attribute Standard 1220 &
1220.A1

Practical considerations in fulfilling the internal auditor’s responsibilities for the detection of
fraud

The possibility of fraud is one of the risk factors that threatens the achievement of the goals of
management.

The principal function of internal audit is to support management in the economic, efficient and
effective achievement of their goals. To fulfil this function properly, the internal auditor should:

• have sufficient knowledge of fraud to be able to identify the signs that point to the existence
of fraud
• be alert to conditions such as weaknesses in internal control that could allow fraud to be
committed
• have knowledge of the procedures that should be followed when any suspicion arises that
fraud has taken place

REFLECTION
Sufficient knowledge of fraud

The internal auditor must understand the concept of fraud, as dealt with in learning
unit 10 of this module.

The internal auditor must have knowledge of the different forms of fraud that can be
committed in practice. The different forms of fraud, with explanatory examples of
each, are dealt with in learning unit 10 of this module.

Be alert to conditions that could allow fraud

The internal auditor should have thorough knowledge of internal control systems and
of the minimum internal controls that should be in operation in each organisation and
system to ensure good control.
When an internal auditor realises that basic controls have not been implemented or
applied, or establishes that a system is being manipulated to circumvent internal
controls, he or she should be on the lookout for fraud and should perform additional
audit tests to determine whether fraud is being committed or has been committed.

Irrespective of the results of these tests, identified deficiencies in internal control
systems that encourage fraud should be reported to management in writing.

ACTIVITY 12

• Apply the provisions of the internal auditing standards that relate to the detection
of fraud.

• Apply your knowledge of the practical considerations in fulfilling the internal
auditor’s responsibilities for the detection of fraud.

• Determine the warning signs or indications that could point to fraud.

FEEDBACK

Warning signs or indications that could point to fraud

Fraudsters often display certain behaviours or characteristics that may serve as warning
signs or red flags. For example, some perpetrators act unusually irritable, some suddenly
start spending lavishly, and some become increasingly secretive about their activities.

Red flags include overrides of controls by management or officers, irregular or poorly
explained management activities, consistently exceeding goals/objectives regardless of
changing business conditions and/or competition, preponderance of non-routine
transactions or journal entries, problems or delays in providing requested information,
and significant or unusual changes in customers or suppliers.

Red flags also include transactions that lack documentation or normal approval,
employees or management hand-delivering checks, customer complaints about delivery,
and poor IT access controls such as poor password controls.

Personal red flags include living beyond one’s means; conveying dissatisfaction with the
job to fellow employees; unusually close association with suppliers; severe personal
financial losses; addiction to drugs, alcohol or gambling; change in personal
circumstances; and developing outside business interests.

In addition, there are fraudsters who consistently rationalize poor performance, perceive
beating the system to be an intellectual challenge, provide unreliable communications
and reports, and rarely take vacations or sick time (and when they are absent, no one
performs their work).

These red flags are often indicators of misconduct, and an organization’s management
and internal auditors need to be trained to understand and identify the potential warning
signs of fraudulent conduct.

Source: IPPF – Practice Guide Internal Auditing and Fraud

ONLINE ASSESSMENT

Do the online assessment multiple-choice questions on myUnisa.

NOTES
Make your own notes here:

Learning unit 13
Fraud investigations

Contents
13.1 INTRODUCTION 102
13.2 PRACTICAL PERFORMANCE OF FRAUD INVESTIGATIONS 103
13.3 REPORTING AT THE CONCLUSION OF A FRAUD INVESTIGATION 104

13.1 INTRODUCTION

The transactions and activities that the auditor examines when conducting a fraud investigation
are usually isolated transactions involving only one person or a small group of people. Each
problem is unique and requires special analysis.

Fraud investigations, like all other internal audit projects, should be approached in a structured
manner to ensure the best results for the organisation.

In this learning unit, we will discuss the nature of the internal auditor’s responsibility once it has
been decided to carry out a fraud investigation and the practical aspects of fraud investigations.

The procedures that should be followed when conducting a fraud investigation will be discussed,
as will the various matters that internal auditors should attend to when they participate in fraud
investigations.

STUDY
Section 6.5.3 in your prescribed textbook: Assurance: An Audit Perspective

As soon as the internal auditor has established the presence of fraud of a nature that requires
investigation, he should report it to the most senior executive manager at the organisation.

The next step is to decide what kind of investigation will be conducted, in what depth, and
what resources will be used in the process. Senior management should take a decision on this.
Fraud investigations are time-consuming, intensive and demanding, and they frequently require
specific technical knowledge or experience of the operating environment in which the fraud has
occurred.

Depending on what management decides, the internal auditor will be involved to a greater or
lesser degree in fraud investigations.

13.2 PRACTICAL PERFORMANCE OF FRAUD INVESTIGATIONS

There is a big difference between the objectives of a fraud investigation and the objectives of
other internal auditing projects.

In a normal auditing project, the internal auditor’s tasks consist of the following:

• looking for symptoms that indicate that problems may exist
• looking for weaknesses in the system, or susceptibility of the system to problems
• making recommendations on improving efficiency, economy and effectiveness
• reassuring management
• emphasising compliance with developed procedures and controls and improving them

In contrast with the normal internal audit, a fraud investigation is geared towards detection.

In a fraud investigation, the internal auditor’s tasks involve the following:

• looking for evidence supporting an identified irregularity
• determining the particulars of the irregularity
• quantifying the loss or the scope of the problem and the period in which it occurred, the
method used, and the people involved
• acting as a gatherer of information and evidence

A general programme for fraud examiners should, at a minimum, include the following:

(1) Collecting industry data: This includes general information about how the industry
performs relative to financial and nonfinancial operations.

(2) Financial analysis: Included here is financial analytical data for the organisation as
compared to that of other organisations in the industry. Techniques that should be used
are as follows:
• ratio analysis
• vertical analysis
• horizontal analysis
• nonfinancial data (comparisons of different parts of statements, financial and
operational, that should have a relationship)
• cash flow information
• net income adjustments (depreciation, receivables, amortisation tables, etc)

(3) Reviewing of internal controls: This is to determine that
• transactions are executed according to management authorisation
• transactions are properly recorded
• assets are safeguarded
• assets conform to records

(4) Evidence gathering: This involves techniques to be used to gather evidence about
fraudulent activities. Examples are as follows:
• interviewing
• internal control charts and visual comparisons
• document examination
• employee searches
• investigation (close supervision of suspects during an examination period)
• observation (spying or snooping)
• working undercover
• inspecting specific items; collecting evidence related to the fraud

(5) Evaluating: Evidence is analysed to determine if fraud has actually occurred.

(6) Reporting: Findings are reported to the appropriate parties.
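To illustrate the horizontal, vertical and ratio analysis techniques listed under financial analysis in step (2), here is an added Python example; it is not code from the study guide or from the prescribed textbook. It runs the three techniques over a constructed set of quarterly overtime hours for four maintenance teams (the team names, hours and flagging thresholds are all made up and echo the overtime scenario in Activity 13) and flags the team whose overtime growth and overtime-to-scheduled-hours ratio stand out from its peers. In an actual engagement the same comparisons would be run over data extracted from the payroll or time-recording system with a tool such as ACL or IDEA, and a flag is only a lead for evidence gathering, never a finding by itself.

```python
"""Horizontal, vertical and ratio analysis over constructed overtime data.

Added example, not taken from the study guide or its prescribed textbook.
Team names, hours and the flagging thresholds are all constructed for
illustration; in practice the figures come from the payroll/overtime system.
"""
from statistics import median

# Constructed: overtime hours claimed per maintenance team, one value per quarter.
OVERTIME_HOURS = {
    "Team A": [410, 420, 415, 430],
    "Team B": [400, 405, 398, 410],
    "Team C": [395, 610, 640, 655],   # constructed anomaly: jumps from quarter 2
    "Team D": [405, 400, 412, 408],
}

# Constructed: scheduled (ordinary) hours per team per quarter, same shape.
SCHEDULED_HOURS = {
    "Team A": [2000, 2000, 2000, 2000],
    "Team B": [1950, 1950, 1950, 1950],
    "Team C": [2000, 2000, 2000, 2000],
    "Team D": [2000, 2000, 2000, 2000],
}


def horizontal_analysis(series):
    """Horizontal analysis: percentage change from each period to the next."""
    return [round((cur - prev) / prev * 100, 1) for prev, cur in zip(series, series[1:])]


def vertical_analysis(data, period):
    """Vertical analysis: each team's share (%) of the combined total in one period."""
    total = sum(values[period] for values in data.values())
    return {team: round(values[period] / total * 100, 1) for team, values in data.items()}


def overtime_ratio(team, period):
    """Ratio analysis: overtime hours relative to scheduled hours for one team."""
    return OVERTIME_HOURS[team][period] / SCHEDULED_HOURS[team][period]


def flag_teams(period, growth_threshold=25.0, ratio_multiple=1.3):
    """Return {team: reasons} for teams that stand out up to and including `period`.

    Two constructed tests are applied:
      - any quarter-on-quarter increase in overtime above `growth_threshold` percent
      - an overtime-to-scheduled ratio more than `ratio_multiple` times the peer median
    A flag is a lead for the examiner to follow up, not evidence of fraud by itself.
    """
    ratios = {team: overtime_ratio(team, period) for team in OVERTIME_HOURS}
    peer_median = median(ratios.values())
    flagged = {}
    for team, hours in OVERTIME_HOURS.items():
        reasons = []
        changes = horizontal_analysis(hours[: period + 1])
        if any(change > growth_threshold for change in changes):
            reasons.append(f"overtime grew {max(changes)}% in a single quarter")
        if ratios[team] > ratio_multiple * peer_median:
            reasons.append(
                f"overtime ratio {ratios[team]:.3f} vs peer median {peer_median:.3f}"
            )
        if reasons:
            flagged[team] = reasons
    return flagged


if __name__ == "__main__":
    print("Share of total overtime in the last quarter:", vertical_analysis(OVERTIME_HOURS, 3))
    for team, reasons in flag_teams(3).items():
        print(team, "->", "; ".join(reasons))
```

Running the script reports each team's share of total overtime in the last quarter and lists the flagged team with the reasons. The thresholds are deliberately simple; in practice they should be set from the organisation's own history and the examiner's knowledge of the operating environment, and the flagged claims then traced to the supporting claim forms and authorisations.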

STUDY
Section 6.5.3 in your prescribed textbook: Assurance: An Audit Perspective

13.3 REPORTING AT THE CONCLUSION OF A FRAUD INVESTIGATION

On completion of a fraud investigation, the internal auditors should issue a formal, written report
that contains all observations, conclusions, recommendations and corrective actions taken.

A preliminary copy of this report should be handed to the legal advisors for evaluation.

The basic principles of reporting on the finalisation of audit projects also apply to reporting
at the conclusion of a fraud investigation.

STUDY
Section 6.5.3 in your prescribed textbook: Assurance: An Audit Perspective

ACTIVITY 13

This is an example of a comprehensive question that covers what we have discussed
in this topic.

The following incident in the maintenance division came to your attention recently:

One of the maintenance team leaders, John Smit, has been adjusting his staff’s
overtime hours on the overtime claim forms for the past year.

Consequently, his staff received more remuneration than staff in other teams. Being
a team leader, John could never claim overtime remuneration for himself, but by
“looking after his staff”, as he described it, he motivated them and retained them,
putting his team in a position to deliver excellent turnaround times.

A team leader from another team, who stood in for John while he was on sick leave,
became suspicious and reported his suspicions to the departmental head.

While busy with the investigation into the allegations made against John Smit, you
received the following anonymous message on the fraud hotline: “I noticed that some
of the orders for paint are delivered to a new address. Have you opened a new
warehouse or storage place recently?”

Preliminary investigations into this matter revealed the following:

• The staff of the maintenance department is divided into four teams, each team
with its own team leader. All the roads are painted and maintained according to
a schedule prepared by the departmental head.
• The stock controller is responsible for ordering the paint and distributing it to the
various team leaders on a weekly basis. Lately, a shortage of paint has been
experienced and some of the teams are currently behind schedule.
• All the painters are appointed on a contract basis and they are paid per hour. The
painters work a considerable amount of overtime to ensure that minimum
disruptions are caused to peak-time traffic.
• The stock controller is also responsible for stock taking and the final paint
inventory figures. After attending the stock taking, it became clear that there
were shortfalls in the paint on hand figures and that numerous corrections had
been made to the paint inventory figures.
• The stock controller, Jack Smit, has been the stock controller for the past ten
years. The head of the division mentioned that Jack Smit is related to John Smit,
one of the team leaders in the maintenance division.
• Over the past few years, Jack Smit declined various opportunities for promotion,
claiming that he did not want to take on any additional responsibilities.

The divisional head further mentioned that Jack has a balance of more than 100 days
of leave available to him because Jack never takes annual leave (as he is so committed
to his work).

One of the staff members revealed that Jack and John recently opened a small
business on the side, selling paint to members of the public. Since the start of this side-
line business, extravagant lifestyle changes have been noted in both John and Jack
Smit’s personal lifestyles.

REQUIRED
• Discuss whether John Smit’s actions pertaining to the overtime claims would be
regarded as fraud according to the South African definition of fraud, or not.
• List five (5) red flags that could suggest that fraud is being committed.
• Briefly discuss the factors that motivate people to commit fraud.

FEEDBACK

(1) Whether or not John Smit’s actions with regard to overtime claims would be
regarded as fraud in the context of the South African definition of fraud

• John Smit’s actions can be seen as fraud in terms of the South African definition of
fraud as all four elements of fraud are present. Both the intention to deceive and
the intention to defraud the company are present in John Smit’s behaviour.
• John misrepresented information by making unauthorised changes to the claim
forms of the employees working for him.
• The company incurred financial losses by paying excessive overtime for work not
performed; the financial loss is referred to as prejudice.
• Any fraudulent misrepresentation is unlawful. Any unauthorised changes made to
the claim forms can be seen as unlawful.
• John Smit’s actions were intentional as he knew that they would lead to
unauthorised payments made to individuals, which could lead to financial losses.

(2) Red flags that could indicate the possibility of the theft of paint

• shortfalls in the paint-on-hand figures
• recent shortage of paint
• numerous corrections to the paint-on-hand figures
• delivery of paint to a new address
• John and Jack Smit’s dramatic lifestyle changes
• Jack Smit not taking leave
• Jack Smit declining several opportunities for promotion

(3) Factors that motivate people to commit fraud

• Firstly, there may be pressure on the individual, either internal pressure in the form
of debt or a desire for riches, or external pressure in the form of pressure exerted by
the organisation on management to achieve projected profit figures and adhere to
budgets.
• Secondly, opportunity in the form of uncontrolled access to organisational assets
tempts employees to misappropriate them for their own profit.
• Thirdly, personality disorders (lack of ethics) may exist. Most people generally prefer
to be honest, but unfortunately there are the exceptions who prefer to be dishonest.

SUMMARY
In this topic, we discussed the nature and elements of fraud. We saw that fraud takes
many forms in practice. We identified the factors that motivate people to perpetrate
fraud.

In this topic, we also covered fraud risk, fraud risk assessment and governance of the
fraud risk management programme. We established that fraud risk is the probability
that fraud will occur and discussed the potential consequences to the organisation
when it occurs. A fraud risk assessment is a critical component of an organisation’s
larger enterprise risk management programme.

We further discussed the important role of management in providing oversight for the
successful completion of a fraud risk assessment to give management a better
understanding of fraud risks and the controls in place to mitigate those risks.

We studied the execution of the internal auditor’s basic responsibilities in terms of the
internal auditing standards regarding the prevention and detection of fraud.

We noted that prevention is the most important step in deterring fraud, that
management have the most important part to play, and that the internal auditors
support management in discharging their responsibility by evaluating existing
procedures through investigation and testing.

We looked at the internal auditor’s responsibility in fraud investigations. We explained
certain aspects of the process of investigating fraud and dealt with some of the
considerations to bear in mind when conducting a fraud investigation.


TOPIC 5
Information systems auditing
Contents

LEARNING UNIT 14: Information technology (IT) governance 109
LEARNING UNIT 15: IT Risk 113
LEARNING UNIT 16: IT control activities: general and application controls 119
LEARNING UNIT 17: Computer audit process 126
LEARNING UNIT 18: CAATTs 131
LEARNING UNIT 19: Auditing security and privacy of information assets 139

INTRODUCTION TO AND PURPOSE OF THE TOPIC

Information technology (IT) is an integral part of any organisation and it has a major influence on
the achievement of organisational objectives.

The accounting and internal control systems of an entity are influenced by the computerised
information system used. A computerised information system environment is any
environment in which a computer, of any type or size, is used in the processing of financial and
non-financial information.

A computerised information system environment influences the procedures followed by an
auditor, namely:
• the audit procedures that need to be carried out to acquire a sufficient understanding of the
accounting and internal control systems of an organisation
• the factors to be considered in respect of the inherent and control risk of an organisation to
reach a decision on the audit risk the auditor is prepared to accept
• the design and execution of audit procedures to achieve the audit objectives

LEARNING OUTCOMES
After you have studied this topic, you should be able to do the following:
– Define key IT concepts and describe IT governance in an organisation (LU 14).
– Identify and describe significant IT risks (LU 15).
– Explain the general and application controls required to mitigate IT risks in an
organisation (LU 16).
– Understand and explain the IT audit process from an internal audit perspective
(LU 17).
– Explain the concept of computer-assisted audit techniques and integrate them at
a multi-disciplinary level (LU 18).
– Define and describe the audit of information security and privacy of information
assets (LU 19).

Learning unit 14
Information technology (IT) governance

Contents
14.1 INTRODUCTION 109
14.2 IT CONCEPTS 109
14.3 IT GOVERNANCE 110
14.4 KEY CONSIDERATIONS FOR INTERNAL AUDITORS 111

14.1 INTRODUCTION

IT governance can be considered a framework that supports effective and efficient management
of IT resources to facilitate the achievement of a company’s strategic objectives (King IV).

Regardless of the wording used in defining IT governance, the Information Systems Audit and
Control Association (ISACA) believes that IT governance involves at least the following five key
areas:

• accountability of IT
• IT compliance to rules and regulations
• satisfying the needs of the board and stakeholders
• managing IT risk
• providing value to the business and control of work done

This learning unit will explain key IT concepts, IT governance, and the key considerations for IT
auditors.

14.2 IT CONCEPTS

It is important for internal auditors to be familiar with the relevant terms and concepts associated
with the IT environment of an organisation. The key concepts are set out below.

Hardware

Hardware is essentially the physical components of the IT environment, which can be observed
by the internal auditor. Hardware includes items such as a terminal, central processing unit (CPU),
and printer.

Software

Software is essentially the components of the IT environment that cannot be physically
observed by the internal auditor. Software generally refers to application software, operating
systems, and database management systems.

Input

Input refers to data capturing, batch data preparation and data entry. This phase involves the
human element, and it is prone to human errors.

Processing

Processing is performed by the IT system, and it involves activities such as data validation,
calculations, and file updating.

Output

Output, usually stored in electronic format, can be expressed in various types of reports, including
management reports, exception reports, and error reports.

STUDY
Section 2.1.5 in your prescribed textbook: Performing Internal Audit Engagements.

14.3 IT GOVERNANCE
The IIA Standards define IT governance as “consisting of the leadership, organisational
structures, and processes that ensure that the enterprise’s information technology supports the
organization’s strategies and objectives”.

Alternatively, ISO 38500 defines the governance of IT simply as “the system by which the current
and future use of IT is directed and controlled.”

IT is totally integrated in formulating and executing the strategic plans of most organisations. It
involves not only using existing systems effectively, but also investing in future systems that are
supposed to add significant value to the organisation.

King IV requires, in terms of principle 12, that “the governing body should govern technology and
information in a way that supports the organisation setting and achieving its strategic objectives.”
This principle is supported by eight recommended practices that the governing body should
delegate to management for implementation.

Key IT systems include applications such as inventory management systems, management
information systems, and customer relationship management systems.

Disaster recovery and the breach of security and the privacy of information are IT areas that
should be of major importance to the governing body, management and the IT auditor.

“The internal audit activity must assess whether the information technology governance of
the organization supports the organization’s strategies and objectives.” (IIA Standard 2110.A2)

STUDY
Section 2.6 in your prescribed textbook: Performing Internal Audit Engagements.

14.4 KEY CONSIDERATIONS FOR INTERNAL AUDITORS

Proficiency

IIA Standard 1210.A3 requires that internal auditors be aware of key IT risks and controls and
available technology-based audit techniques to perform their assigned work. The internal audit
staff should also be familiar with CAATTs (see learning unit 18).

The CAE should, considering the complexity and significance of IT in an organisation, use the
services of expert IT auditors, preferably CISA-qualified individuals. The CAE should also consider
obtaining the services of IT experts outside the organisation to perform specialised IT audits, for
example, auditing revenue assurance systems used by mobile operators.

Due professional care

“In exercising due professional care, internal auditors must consider the use of technology-
based audit and other data analysis techniques.” (Standard 1220.A2).

Software solutions

ACL and IDEA are typical data analysis software solutions currently used by internal audit
functions.

Learning unit 18 deals specifically with computer-assisted audit techniques (CAATTs).

Main approaches to auditing in an IT environment

The following main approaches to auditing in an IT environment exist:

• auditing around the computer
• auditing with the computer
• auditing through the computer

STUDY
Section 2.1.3 in your prescribed textbook: Performing Internal Audit Engagements

ONLINE ASSESSMENT

Do the online assessment multiple-choice questions on myUnisa.


Learning unit 15
IT risk

Contents
15.1 INTRODUCTION 113
15.2 AUDIT RISK 114
15.3 IDENTIFICATION OF IT RISK 115
15.4 ASSESSMENT OF IT RISKS 116
15.5 MITIGATION OF IT RISKS 117

15.1 INTRODUCTION

Although technology provides opportunities for growth and development, it also represents
threats, such as disruption, deception, theft, and fraud.

Identifying and managing IT risks will enable the IT activity to run the business of IT more
effectively, while also identifying potential opportunities to improve its practices (Source: GTAG
2012).

Definition of risk

Risk is any uncertain event that could influence the achievement of the organisational objectives.

IT risks integrated in the enterprise risk profile

The King IV report acknowledges that IT risks do not exist in isolation. Therefore, they should be
seen as part of enterprise-wide risk management.

Specific risk areas such as business continuity, the protection of information, sourcing and
implementing new IT systems, and outsourced IT services should be monitored by the governing
body on a regular basis.

Risk management process

The IT risk management process consists of risk identification, risk assessment and risk response,
which is mostly achieved via the implementation of IT controls.

15.2 AUDIT RISK

Three risks need to be considered when using a risk-based audit approach. They are inherent risk,
control risk and detection risk, which are collectively known as audit risk.

Inherent risk

Inherent risk is the likelihood of a significant loss occurring before taking into account any risk-
reducing factors. In evaluating inherent risk, an auditor should consider what the types and nature
of risks are and what factors indicate that a risk exists.

Control risk

Control risk is the likelihood that the control processes established to limit or manage inherent
risk will be ineffective.

To ensure that an auditor evaluates the controls properly, the auditor must understand how to
determine which controls are effective. This will involve identifying those controls that provide
the most assurance that risks are being minimised in the business.

It is quite clear from the descriptions of inherent and control risk that when the risk approach is
followed in the conduct of an audit, these are the risks that should serve as the basis for assessing
exposure to risk.

Detection risk

Detection risk is the risk that if a material problem that would affect the conclusion pertaining to
an audit objective has occurred, the auditors will not find it. This might arise because entries and
activities are not fully examined.

Audit risk

Audit risk is not a type of audit approach, but rather an audit concept. This concept is, however,
related to aspects of auditing risk and is defined as follows in Puttick and Van Esch (2003:138–144):

Audit risk is the risk that audit coverage will not address significant business exposures. Audit risk
consists of three components, namely inherent risk, control risk and detection risk. The total audit
risk is determined by means of the following formula:

AR (audit risk) = IR (inherent risk) × CR (control risk) × DR (detection risk)

The following section discusses IT risk assessment. Organisations use risk assessment to determine
the extent of the potential threat and the risk associated with an IT system. The output of this
process helps to identify appropriate controls for reducing or eliminating risk during the risk
mitigation process (NIST, 2002).

Inherent, control and audit risk should be taken into consideration when compiling the audit
programme to ensure that unnecessary procedures are not included, but essential procedures are.
The following diagram (an umbrella model, not reproduced here) explains where the risks fit into
the audit process; its legend reads:

IR = Inherent Risks
RR = Residual Risks (Raindrops outside the umbrella)
CR = Control Risk (possibly the umbrella leaks)
Risk Appetite = How big the umbrella is.

15.3 IDENTIFICATION OF IT RISKS

The risk identification phase seeks to create a comprehensive list of events that may prevent,
degrade or delay the achievement of the business objectives. Comprehensive identification is
critical because a risk that is not identified at this stage will not be included in the risk analysis
phase.

There are numerous tools and techniques that can be used to facilitate the identification and
analysis of risks. The business and service owners and subject matter experts from both the
business and ICT are key role players.

In order to manage risk, the potential threats to the information systems need to be identified. This
is achieved by defining risk scenarios. Risk scenarios are methods of determining if any risks exist

that could adversely affect the confidentiality, integrity or availability of the information system
and therefore affect the business objectives.

COBIT 5 for Risk defines IT risk as “business risk, specifically, the business risk associated with the
use, ownership, operation, involvement, influence and adoption of IT within an enterprise. IT risk
consists of IT-related events that could potentially impact the business.”

IT risks are categorised as follows in COBIT 5:

• IT benefit/value enablement risk: This is associated with missed opportunities to use
technology to improve the efficiency or effectiveness of business processes, or as an enabler for
new business initiatives.
• IT programme and project delivery risk: This risk refers to the contribution of IT to new or
improved business solutions, usually in the form of projects and programmes as part of
investment portfolios.
• IT operations and service delivery risk: This risk is associated with all aspects of the business
regarding normal performance of IT systems and services, which can bring destruction or
reduction of value to the enterprise.

Threats may come from external or internal sources and they may be intentional or unintentional
as well as malicious or non-malicious. Internal threats may come from users, management, IS staff,
IS auditors and others, acting alone or in collusion.

When identifying a risk, it is important to describe it clearly so that it can be assessed and evaluated.
Once the risk description has been defined and documented, consideration should be given to the
risk drivers. Capturing the risk drivers is useful when identifying and selecting controls to manage
the risk. Examples of risk drivers in the IT environment are:
• The information system is an attractive target to criminals/hacktivists.
• Patches may not be applied in a timely manner.
• Default accounts/passwords are not changed or removed.

Once the relevant risks have been identified, the likelihood and impact of them eventuating must
be assessed and rated. Risk analysis is discussed in the next section.

15.4 ASSESSMENT OF IT RISKS

The risk assessment process includes qualifying or quantifying risk and its potential effects. Typically,
the likelihood and impact of a risk eventuating are rated using a qualitative scale. The business
owners are responsible for rating the identified risks with the assistance of subject matter experts.
GTAG 1 stipulates that risk analysis should be performed with involvement from various roles and
departments in an organisation, including the chief risk officer (CRO), the CAE, the IT activity, and
business representatives.

Regardless of whether the risk assessment is being performed for an information system that is in
production or as part of the development lifecycle process for a new information system, there will
already be controls in place to reduce the likelihood and/or impact of some of the risks that have
been identified.

Analysing and assessing risk in relation to IT can be complex. The IT infrastructure comprises
hardware, software, communications, applications, protocols (i.e. rules), and data, as well as their
implementation in a physical space, in the organisational structure, and between the organisation
and its external environment. Infrastructure includes the people interacting with the physical and
logical elements of systems (Source: GTAG 1: Risk and Controls).

GTAG 1: IT Risks and Controls provides the following basic questions as a guide when performing
a risk assessment:

• Which IT assets (including both tangible and intangible IT assets, such as information or
reputation) are at risk, and what is the value of their confidentiality, integrity, and availability?
• What could happen to affect the asset value of that information adversely (threat event)?
Implicit to this question is the vulnerability analysis and mapping of vulnerabilities to threats
and potentially affected information assets.
• If a threat event happened, how far reaching could its effect be?
• How often might the event be expected to occur (frequency of occurrence)?
• How certain are the answers to the first four questions (uncertainty analysis)?
• What can be done to reduce the risk?
• How much will it cost?
• Are the measures to reduce risk cost-efficient?

15.5 MITIGATION OF IT RISKS

Although the implementation of additional mitigating controls is typically beyond the scope of the
risk assessment process, the identification and selection of them is not. The business owner can
choose to avoid, treat, transfer or accept the risk.

IT controls
A control can reduce the risk by reducing the likelihood of an event, the impact or both. Assessing
the effect that the control has on the overall risk leads to determining the residual risk rating.

IT controls are selected and implemented based on the risks they are designed to manage. As risks
are identified, suitable risk responses are determined, which may range from doing nothing and
accepting the risk as a cost associated with doing business to applying a wide scope of specific
controls (Source: GTAG 1).

Usually there will be a number of controls that can be implemented either individually or in
combination with each other to reduce the likelihood and/or impact of a risk eventuating. The risk
assessment should clearly identify the priority for implementing the proposed controls.

To be able to evaluate internal controls, make recommendations on possible weaknesses, and
suggest improvements to internal control systems, internal auditors require a thorough knowledge
of and extensive insight into control activities and the related internal control measures.

General and application controls will be discussed in learning unit 16.

117 AUI3703/SG
ACTIVITY 14

• Distinguish between inherent, control, audit and detection risk.
• Discuss your understanding of risk identification, risk assessment and risk
mitigation.

FEEDBACK

Inherent, control, audit and detection risk are defined in Section 15.1 of this Study Guide.
Risk identification, risk assessment and risk mitigation are discussed in Sections 15.3 to 15.5
of this Study Guide.

ONLINE ASSESSMENT

Do the online assessment multiple-choice questions on myUnisa.


Learning unit 16
IT control activities: general and application
controls

Contents
16.1 INTRODUCTION 119
16.2 CONTROL ACTIVITIES 119
16.3 CONTROLS IN AN “IT” ENVIRONMENT 122
16.4 GENERAL CONTROLS 124
16.5 APPLICATION CONTROLS 124

16.1 INTRODUCTION

The actual internal controls introduced in organisations to attain the internal control objectives
can be related to certain generally applicable control activities.

To be able to evaluate internal controls and make recommendations on possible weaknesses and
suggest improvements to internal control systems, IT auditors require a thorough knowledge of
and extensive insight into control activities and the related internal control measures for
computerised information systems (CISs).

16.2 CONTROL ACTIVITIES

Control

A control may be defined as any action taken by management to enhance the likelihood that
established objectives and goals will be achieved.

Controls are the responsibility of management. It is up to them to ensure effective and efficient
controls by planning, organising and directing. In the IT environment, management should ensure
that
• systems are functioning as planned
• data integrity is maintained
• information and data are kept confidential
• systems and information are available when needed
• data is accurate, complete and valid
• access to systems and programs is granted only to authorised users

Internal controls

Internal control is designed and implemented to deal with business risks that could endanger the
achievement of any of the above organisational objectives.

It is the task of management, and not the auditor, to design and implement effective internal
control systems to manage business risks and ensure that attention is paid to all aspects of control.

If you were introduced to the principles of business management in the past, you will remember
the following elements of management:

• planning
• organising
• directing
• controlling

Internal control, as an element of overall control, is therefore regarded as an element of
management. It is defined as the process designed and effected by those charged with
governance, by management, and by other personnel, to provide reasonable assurance about the
achievement of organisational objectives regarding the following three categories:

• reliability and integrity of financial reporting
• effectiveness and efficiency of operations
• compliance with applicable laws and regulations

Internal control in a computer environment is achieved by implementing and maintaining
general controls and application controls.

Each category would probably include user (manual) and programmed (computerised)
controls.

System of internal control

A system of internal control is a combination of the individual elements of control. The object of
such a system of control is to ensure that

• the computer system is properly developed, implemented and maintained
• proper controls are in place to ensure the validity, completeness and accuracy of transactions
and data

Below is a framework setting out the general and application controls. These are the main
categories of controls in an IT environment.

Figure 16.1: Controls in an IT environment

Source: IPPF: Global Technology Audit Guide (GTAG) 1. 2nd Edition Information Technology Risk and
Controls

Certain controls fall under both general and application controls. Access controls apply to both
categories, as illustrated below.

• General controls – to control access to data and programs
• Application controls – to control access to specific program functions to ensure the validity
of input, processing and output

Control structures must be designed to ensure the following:

• segregation of duties
• competence and integrity of people
• appropriate levels of authority
• accountability
• adequate resources
• supervision and review

IT controls relate directly to the IT risks found in an organisation and ultimately, to good IT
governance. Without effective general and application controls, IT risks will not be adequately
mitigated, and good IT governance will not be possible.

16.3 CONTROLS IN AN “IT” ENVIRONMENT

To be able to evaluate internal controls, make recommendations on possible weaknesses, and
suggest improvements to internal control systems, internal auditors require thorough knowledge
of and extensive insight into control activities and the related internal control measures.

Internal control in an IT environment is achieved by implementing and maintaining both general
controls and application controls (these controls are explained in detail below).

It is important to note that assurance must be provided by the IT controls in the system of internal
controls. It should be continuous, and a dependable audit trail must be provided.

The auditor depends on the internal controls for assurance, but his or her assessment thereof is
independent and objective. This assessment will include obtaining an understanding of this
control environment, examining it, and assessing the key controls on which reliance is placed.

As these controls can range from simple to extremely technical, the auditor must interact very
closely with the IT staff of an entity and the persons in positions of responsibility to enable him or
her to gain a proper understanding of the controls.

The IT environment in an entity is not static; it changes with new IT technologies, changing
requirements, strategies, risks, new business processes, etc. For the auditor, this creates
difficulties, as the audit of an IT environment requires continuous learning and re-assessment.
Therefore, this is a continuous process.

Audit plans and methods of obtaining audit assurance should be adapted continuously to
accommodate changes in the IT environment. IT controls are needed for various reasons. These
reasons include the need to control the costs of the entity, to remain competitive in the market in
which the organisation is operating, and to comply with governance requirements, laws and regulations.

According to GTAG (Information Technology Controls), the key indicators of effective IT
controls include the following:

• the ability to execute and plan new work such as IT infrastructure upgrades required to
support new products and services
• development projects that are delivered on time and within budget, resulting in cost-
effective and better product and service offerings compared to those of competitors
• the ability to allocate resources predictably
• consistent availability and reliability of information and IT services across the organisation
and for customers, business partners, and other external interfaces
• clear communication to management of key indicators of effective controls

• the ability to protect against new vulnerabilities and threats and to recover from any
disruption of IT services quickly and efficiently
• efficient use of a customer support centre or help desk
• heightened security awareness on the part of the users and a security-conscious culture
throughout the organisation

By implementing a control framework (formal or informal), an entity will be able to identify,
monitor and assess IT controls that were implemented to deal with specific risks.

The auditor can use the COSO control framework when gaining an understanding of the IT control
environment. However, it should be noted that although controls might look good on paper, they
might not always be functioning as intended or not be performed at all.

Proper IT controls can protect the entity against significant threats. They are essential in ensuring
reliable financial processes and reporting.

Governance controls

According to GTAG (Information Technology Controls), governance controls are those mandated
and controlled by either the entire board of directors or a board committee in conjunction with the
organisation’s executive management. These controls are linked with the concepts of corporate
governance, which are driven both by organisational goals and strategies and by outside bodies
such as regulators.

IT control at governance level involves ensuring that effective information management and
security principles, policies, and processes are in place and performance and compliance metrics
demonstrate ongoing support for that framework.

An important distinction between governance and management controls is the concept of ‘noses
in, fingers out’. The board’s responsibility involves oversight rather than actually performing
control activities. For example, the audit committee of the board does no auditing, but it does
oversee both the internal and external auditing of the organisation.

Management controls

According to GTAG (Information Technology Controls), management controls are mechanisms
and processes to mitigate and manage risks (protect, monitor, and measure results).

Management responsibility for internal controls typically involves reaching into all areas of the
organisation with special attention to critical assets, sensitive information, and operational
functions.

Consequently, close collaboration among board members and executive managers is essential.

Management must make sure the IT controls needed to achieve the organisation’s established
objectives are applied and ensure reliable and continuous processing.

Technical controls

According to GTAG (Information Technology Controls), technical controls form the foundation
that ensures the reliability of virtually every other control in the organisation. For example, by
protecting against unauthorised access and intrusion, they provide the basis for reliance on the
integrity of information – including evidence of all changes and their authenticity.

These controls are specific to the technologies in use within the organisation’s IT infrastructures.

The ability to automate technical controls that implement and demonstrate compliance with
management’s intended information-based policies is a powerful resource to the organisation.

16.4 GENERAL CONTROLS

A common classification of IT controls is general controls and application controls (GTAG 1).

General controls apply to all systems components, processes, and data for a given organisation or
systems environment. General controls include, but are not limited to, IT governance, risk
management, resource management, IT operations, application development and maintenance,
user management, logical security, physical security, change management, backup and recovery,
and business continuity (GTAG 1).

Some general controls are business related (e.g. segregation of duties or governance
arrangements), whereas others are very technical (e.g. system software controls and network
software controls) and relate to the underlying infrastructure (GTAG 1).

General controls are reviewed by internal auditing because they form the basis for the IT control
environment. If the general controls are weak and unreliable (e.g. change and access control), and
cannot be relied on, the auditor may need to alter the testing approach for those areas affected
(GTAG 1).

STUDY
Section 2.3 in your prescribed textbook: Performing Internal Audit Engagements

16.5 APPLICATION CONTROLS

Application controls pertain to the scope of individual business processes or application systems
and include controls within an application regarding input, processing, and output. Application
controls can also include data edits, segregation of business functions (e.g. transaction initiation
versus authorisation), balancing of processing totals, transaction logging, and error reporting
(GTAG 1).

STUDY

Section 2.4 in your prescribed textbook: Performing Internal Audit Engagements

ONLINE ASSESSMENT

Do the online assessment multiple-choice questions on myUnisa.


Learning unit 17
Computer audit process

Contents
17.1 INTRODUCTION 126
17.2 INTRODUCTION TO THE IT AUDIT PROCESS 126

17.1 INTRODUCTION
Auditing may take different forms, such as information systems (IS) auditing, and internal or external
auditing in the private or the public sector.

The process of executing IT audit work is generally no different from the process of executing any
other audit work. The auditor plans the audit, identifies and documents relevant controls, tests
the design and operating effectiveness of the controls, concludes, and reports (GTAG 4: Managing
IT Audits).

IS auditing involves planning of a specific audit to ensure that the IT audit strategy and objectives
are achieved, and that audit evidence is obtained that is sufficient, reliable, relevant and useful for
attaining the audit objectives.

17.2 INTRODUCTION TO THE IT AUDIT PROCESS

A computer information systems environment exists when a computer of any kind or size is used
in the processing of an entity’s financial or other information. The use of a computer influences
the generation of transactions, their processing, and the storage and communication of
information.

The use of computers may affect the accounting and internal control systems. Computer
information systems do not alter the necessity for internal control systems. They also do not affect
the objectives of internal control or the need to apply auditing standards. Take note that in this
learning unit, we will only provide an overview of the IT audit process.

Step 1: Preliminary activities

Gather organisational information.

• This information will serve as a basis for creating the audit plan.
• The organisation’s strategy of and responsibilities for managing and controlling computer
applications will be identified.
• Obtain general data about the company, identify financial application areas, and prepare an
audit plan.

Step 2: Audit planning process

Proper planning will ensure that the audit is conducted in an effective and efficient manner. The
planning process involves the following:

• Identify the tasks to be performed during an audit.
• Allocate those tasks to specific auditors.
• Decide when a task should commence.
• Quantify the duration of each individual task based on the auditor allocated.
• Determine the objectives and scope of the audit tentatively.
• Determine overall business objectives of the area to be reviewed as well as control objectives.
• For each key performance area (KPA), establish performance objectives.
• Review the design of the internal control system for adequacy and tests of compliance with
the designed control system and evaluate the effectiveness of the implementation of the
control system.
• Select the audit team.
• Ensure initial communication with auditees and others involved.
• Prepare the preliminary audit programme.
• Plan the audit report.
• Approve the audit approach. Structure the plan.
• Preliminary survey – gain an initial understanding of the operations.
• Internal control description and analysis: Prepare detailed descriptions of the internal
controls relating to the area under review.
• Expanded tests: Do tests that would be included in the final audit programme.
• Findings and recommendations: Develop findings and recommendations to improve the
internal controls.
• Report production: Document and communicate the final results.

Step 3: Evaluation of internal controls

Define internal control

COSO defines internal control as “a process, influenced by an entity’s board of directors,
management, and other personnel that is designed to provide reasonable assurance in the
effectiveness and efficiency of operations, reliability of financial reporting and the compliance of
applicable laws and regulations”.

Evaluate the five control components

• Control environment – management’s philosophy and operating style
• Risk assessment – risk identification and analysis
• Control activities – policies and procedures implemented in the organisation
• Information and communication – all important information obtained and communicated
throughout the organisation
• Monitoring – review output generated by control activities

The following controls should be implemented by an organisation: preventive controls intended
to stop an error from occurring; detective controls that detect whether an error has occurred or
not; and mitigating controls that mitigate the risks associated with key controls.

Evaluation of general and application controls

• General controls cover the entire CIS environment within which each set of application
controls functions. General controls are related to all applications and they provide a
framework within which the CIS department exercises control over the development,
operation and maintenance of individual applications.
• Application controls are user and programmed controls that are embedded in each of the
data-processing functions, namely input, processing and output.

Tests of control

• Determine the effectiveness of the operation of internal control.
• Determine whether the design of the control is such that the control prevents material errors
from occurring.
• Assess how the control was applied, whether the control was applied consistently, and who
applied it.
• The main focus is to re-perform the application of the controls themselves.

Step 4: Fieldwork – audit procedures

Define audit procedures

• The procedures include the tasks/audit tests performed by the auditor to gather evidence to
ensure that the audit objectives are met.

Audit sampling

• This involves application of an audit procedure to less than 100% of the population to evaluate
audit evidence.
• Sampling risk is the risk that the conclusion reached may differ from the conclusion that
would be reached if the entire population were tested.
• Sampling objectives as well as the sampling method used must be documented in the audit
working papers.

Audit evidence

• Evidence is obtained to support the final conclusions of the audit.
• Audit evidence should be reliable, sufficient, relevant and useful in supporting findings and
conclusions.
• All audit evidence should be documented to support findings.
• The following procedures can be used to obtain audit evidence:
– enquiry
– observation
– inspection
– re-performance/calculation
– monitoring/analysing
– CAATTs

Step 5: Completing the audit

Reporting

• All findings are disclosed in the audit report issued to management. For each finding,
recommendations should be provided.

Written reports

• Refer to chapter 9, section 9.4 of your prescribed textbook: Performing Internal Audit
Engagements

Basic audit report

• The contents of the audit report include the following:
– background, scope and objectives
– summary of major findings
– audit opinion
– detailed findings and recommendations
– acknowledgements of satisfactory performance
– detailed technical appendices

Audit documentation

• Working papers should include notes, documents, flow charts, correspondence, plans and
results of tests, etc.
• The working papers should support the findings and recommendations stated in the report.
• Working papers should be evaluated by a partner or manager based on the following:
– completeness
– accuracy
– appropriate findings and recommendations
– follow-up to findings and recommendations (proposed actions)

Follow-up activities

• The auditor should ensure that appropriate action was taken to deal with the findings raised
in the report.
• The nature, timing and extent of follow-up activities should be considered together with the
effect on the organisation if corrective action is not taken.

ACTIVITY 15

You are the audit senior of an IT audit. One of the junior auditors asks you to explain
which steps should be followed when performing an IT audit.

FEEDBACK

You would mention the five different steps of the IT audit process and give a short
description of each step. Refer to steps 1 to 5 above.

ONLINE ASSESSMENT

Do the online assessment multiple-choice questions on myUnisa.


Learning unit 18
CAATTs

Contents
18.1 INTRODUCTION 131
18.2 INTRODUCTION TO COMPUTER-ASSISTED AUDIT TOOLS AND TECHNIQUES (CAATTS) 131
18.3 CONSIDERATIONS IN THE USE OF CAATTS 134
18.4 PLANNING FOR THE USE OF CAATTS 135
18.5 APPLICATION OF CAATTS 137

18.1 INTRODUCTION

The use of computers forms part of everyday life for most of today’s auditors. They carry out and
document their work using laptops (or desk-top computers) and they are required, in the early
stages of the audit, to gain an understanding of their clients’ accounting systems, most of which
are computerised.

18.2 INTRODUCTION TO COMPUTER-ASSISTED AUDIT TOOLS AND TECHNIQUES (CAATTS)

The concept of computer-assisted audit tools and techniques (CAATTs)

In today’s environment, a review of business systems will almost inevitably involve the use of
appropriate information retrieval and analysis programs and procedures.

Computer-assisted audit tools and techniques (CAATTs) are needed because of the large volumes
of data stored in multiple locations involved in managing a complex business environment. The
use of CAATTs involves merging software into an audit program.

Information retrieval and analysis programs and procedures include programs that organise,
combine, extract and analyse information.

The ready availability of microcomputer-based software, which provides computing power
without requiring technical expertise, makes direct data analysis part of the toolkit of any auditor.
The primary requirement is for the auditor to understand the business application and how data
relates to it.

The overall objective and scope of an audit do not change in a computerised information system
(CIS) environment. The use of a computer does, however, change the method of recording
transactions, and the processing, storage and communication of financial information.

A CIS environment is any environment in which a computer, of any type or size, is used in the
processing of financial information.

Possible uses of computer-assisted audit tools and techniques

CAATTs can best be used for the following audit functions:

• Sorting and file reorganisation: Data can be sorted by date, customer name, department
name, etc.
• Summarisation, stratification and frequency analysis: Data can be summarised in account
number order, departmental order and the frequency with which certain items are bought
and used.
• Extracting samples, exception reporting, and file comparison (for example current-year
masterfile to prior-year masterfile): These comparisons can be used to develop certain ratios
to contrast exceptions and deviations.
• Analytical review: An example of analytical review is the extraction of ratios.
• Casting and recalculation.
• Examining records: Reports are inspected for inconsistencies, inaccuracies and missing data
and for creating reports.

The most important of these techniques, which are usually found in auditing software packages,
are the following:

• The performance of the following procedures, where only one computer file is used:
– sorting or indexing items
– including or excluding items
– accounting computations
– summarising of information
– statistical sampling

• The performance of the following procedures in which two computer files are used:
– collating information
– fitting or selecting information
– updating information
– adding information
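The one-file and two-file procedures listed above (and the application control checks named in 16.5, such as segregation of business functions and balancing of processing totals), worked as an added Python example that is not code from the study guide or from any audit software package; the vendor masterfiles, payments, users and amounts are constructed for the illustration.

```python
"""CAATT-style data analysis over constructed audit files.

Added example, not code from the study guide or from any audit software
package. It implements the one-file and two-file procedures listed in 18.2
(stratification and summarisation, exception reporting, duplicate detection,
casting/recalculation, statistical sampling, and comparison of a current-year
masterfile with the prior-year masterfile). All files, vendors, users and
amounts below are constructed for the illustration.
"""
import csv
import io
import random
from collections import defaultdict
from decimal import Decimal

# Constructed input files (in practice extracted from the auditee's systems
# into a format the audit software can read).
PRIOR_MASTERFILE = """vendor_id,name,bank_account
V001,Acme Supplies,1111
V002,Baker Ltd,2222
V003,Cobalt Services,3333
"""
CURRENT_MASTERFILE = """vendor_id,name,bank_account
V001,Acme Supplies,1111
V002,Baker Ltd,9999
V004,Delta Traders,4444
"""
PAYMENTS = """payment_id,vendor_id,amount,initiated_by,approved_by
P1,V001,1200.00,alice,bob
P2,V002,15000.00,carol,carol
P3,V003,450.00,alice,bob
P4,V001,1200.00,alice,dave
P5,V004,82000.00,bob,erin
P6,V002,15000.00,carol,carol
"""

def load(text):
    """Read a CSV extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def stratify(payments, bands=(Decimal("1000"), Decimal("10000"))):
    """Summarise count and value per amount band; the auditor uses this to
    decide where testing effort (and sampling) should be concentrated."""
    labels = ["< 1000", "1000 - 9999.99", ">= 10000"]
    out = {lab: {"count": 0, "total": Decimal("0")} for lab in labels}
    for p in payments:
        amt = Decimal(p["amount"])
        idx = sum(1 for b in bands if amt >= b)   # number of band limits reached
        out[labels[idx]]["count"] += 1
        out[labels[idx]]["total"] += amt
    return out

def sod_exceptions(payments):
    """Exception report: the same user both initiated and approved a payment,
    which defeats the segregation-of-duties application control."""
    return [p["payment_id"] for p in payments
            if p["initiated_by"] == p["approved_by"]]

def duplicate_payments(payments):
    """Group payments with the same vendor and amount; groups of two or more
    are candidate duplicates for follow-up."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p["vendor_id"], p["amount"])].append(p["payment_id"])
    return {k: v for k, v in groups.items() if len(v) > 1}

def cast(payments, control_total):
    """Recalculate the file total and return the difference from the control
    total reported by the system (zero means the file casts)."""
    return sum(Decimal(p["amount"]) for p in payments) - Decimal(control_total)

def sample(payments, size, seed):
    """Random sample of payment ids; the seed is recorded in the working
    papers so the selection can be reproduced."""
    ids = [p["payment_id"] for p in payments]
    return random.Random(seed).sample(ids, size)

def compare_masterfiles(prior, current):
    """Two-file procedure: collate prior-year and current-year vendor
    masterfiles and report additions, deletions and changed bank details."""
    old = {r["vendor_id"]: r for r in prior}
    new = {r["vendor_id"]: r for r in current}
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "bank_changed": sorted(
            (vid, old[vid]["bank_account"], new[vid]["bank_account"])
            for vid in set(old) & set(new)
            if old[vid]["bank_account"] != new[vid]["bank_account"]),
    }

if __name__ == "__main__":
    pays = load(PAYMENTS)
    print("strata:", stratify(pays))
    print("SoD exceptions:", sod_exceptions(pays))
    print("possible duplicates:", duplicate_payments(pays))
    print("cast difference:", cast(pays, "114850.00"))
    print("sample:", sample(pays, 2, seed=2019))
    print("masterfile changes:",
          compare_masterfiles(load(PRIOR_MASTERFILE), load(CURRENT_MASTERFILE)))
```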

The advantages of CAATTs

General benefits

General benefits include the following:

• improved efficiency and effectiveness of individual audits and of the audit department
• ability to evaluate a larger universe and increase audit coverage
• increased analytical capabilities
• improved quality of activities performed during the audit
• consistent application of audit procedures and techniques
• increased cost-effectiveness through the reusability and extensibility of computerised
techniques
• improved integration of financial/information systems audit skills
• increased independence from information systems functions and greater credibility for the
audit organisation
• greater opportunities to develop new approaches
• better management of audit data and working papers

Benefits in the conduct phase

• Data analysis: General audit software can be used to draw samples or to test 100% of the
population because these tasks can be performed by a computer in a fraction of the time it
would take to do them manually. Other tasks such as sorting and comparing can also be done
more quickly by a computer.
• Increased coverage: It can take weeks to review systems containing millions of transactions
manually, but using computers, the auditor can analyse, sort and compare, as well as look for
trends in thousands of transactions within minutes to increase audit coverage.
• Better use of auditor resources: Automation allows auditors to spend more time on activities
in which they must use their judgement.
• Improved results: The auditor is able to conduct a thorough analysis of transactions within
shorter time frames, which will produce improved results.

The disadvantages (or reasons for the non-use) of CAATTs

• Too costly to purchase and maintain: Some audit organisations believe that audit software
is costly and that it has not been proven to be cost-effective. This may have been the case, but
recently, the costs have decreased substantially. Modern audit software is more flexible, and
it can be used on a variety of applications.
• Too technical and complex for non-IS auditors: Modern audit software is more user friendly
and can be used more freely without the assistance of programmers.
• Client system and data compromised: Previously, audit software had to be loaded and run
on the auditee’s computer system. Modern technology allows auditors to download the data
onto their personal computer and analyse the data on the auditee’s premises.

133 AUI3703/SG
ACTIVITY 16

• Explain what is meant by the concept of computer-assisted audit techniques.
• List the advantages of computer-assisted audit techniques.
• Indicate why auditors are sometimes hesitant about using computer-assisted audit
techniques.

FEEDBACK

• The answers to these questions can be found in section 18.2 above in this Study Guide.
What is meant by the concept of computer-assisted audit techniques is explained under
the sub-heading “The concept of computer-assisted audit tools and techniques
(CAATTs)”.
• The advantages of computer-assisted audit techniques are listed under the sub-heading
“The advantages of CAATTs”.
• The reasons why auditors are sometimes hesitant about CAATTs are listed under the
sub-heading “The disadvantages of CAATTs”.

18.3 CONSIDERATIONS IN THE USE OF CAATTS

Using CAATTs in the following conditions may be appropriate:

• lack of audit trails to trace transactions to final records or to source documents
• computer printouts that are extremely voluminous, and which make manual extraction,
summarisation or sorting too time-consuming or virtually impossible
• when information is not available in a format suitable for manual use
• when the volume of transactions is so vast that extensive testing (large samples) is necessary
to obtain meaningful results
• the extent of computerisation at the auditee – the more extensive the computerisation, the
more desirable the use of CAATTs
• when the effectiveness and efficiency of the audit would be increased
• when detection risk would be significantly decreased because of more extensive testing
capabilities

When an auditor first considers using CAATTs in carrying out the audit process, the first step is to
attend to the following factors:

• the computer knowledge, expertise and experience required to use CAATTs
• the availability of suitable CAATTs and suitable computer facilities
• whether it would be impractical to use ordinary (non-computer-assisted) audit techniques
• whether the effectiveness and efficiency of the audit process would be increased if CAATTs
were used
• the timing of the execution of CAATTs
• the auditing software that will be used

Considerations in the implementation of CAATTs

If an auditor decides, after considering the factors mentioned above, to use CAATTs, it is essential
that management of the internal audit section should make a formal commitment to
implementing CAATTs and offer the necessary support to develop the required knowledge and
competence for the application of CAATTs.

ACTIVITY 17

• List the conditions that indicate that the use of CAATTs is appropriate.
• Describe the factors that the auditor should consider when deciding on whether to
use CAATTs in carrying out the audit process.
• Describe the factors the auditor should consider when implementing CAATTs.

FEEDBACK

The answer to these questions can be found above in Section 18.3 of this Study Guide.
Seven conditions that indicate whether the use of CAATTs is appropriate are listed,
followed by the factors that the auditor should consider when deciding on whether to use
CAATTs in carrying out the audit process. The factors the auditor should consider when
implementing CAATTs are discussed under the sub-heading “Considerations in the
implementation of CAATTs”.

18.4 PLANNING FOR THE USE OF CAATTS

Planning considerations

Proper planning for the use of CAATTs is just as important as, if not more important than, the
planning phase of the audit process in which the computer is not used. In addition to ordinary
planning matters, attention should be given to the matters listed below, which are of exceptional
importance when applying CAATTs.

The auditor should consider the following specific planning items:

a) knowledge of the auditee’s business
b) audit plan
c) data file reconciliation

a) Knowledge of the auditee’s business

With respect to the possible audit software, the auditor should consider accumulating the
following information at the planning stage of the audit:

• the influence of the auditor’s access to the auditee’s data, hardware, software and networks
• the main systems of financial significance, and the data retention policies, related file layouts,
and volumes of transactions

b) Audit plan

The audit plan should be reviewed to ensure that optimum use is made of the available audit
software.

Appropriate resources should be available to support the audit plan.

The auditor should pay attention to the following aspects:

• the need for continuity of staff on each audit to ensure that the use of audit software increases
over time
• experience of scheduled audit staff in the use of audit software
• training requirements for audit staff before the fieldwork begins
• need for, and timing of, technical support
• specialised hardware or software required to access the auditee’s data
• the need for auditees to retain data that is necessary for the audit and to ensure that the
auditor is made aware of changes in, for example, file structures and content

c) Data file reconciliation

It is important to reconcile the auditee’s data which are used for audit testing with the subject
matter of the engagement, for example financial statements or auditee’s control totals. The
auditee should be asked to provide the information, such as the control totals of the more
important numerical fields, to ensure that all transactions have been processed.

It is also important to reconcile the number of records back to the source population.

Consequences of inadequate planning

The failure to plan adequately for the use of CAATTs can result in:

• cost and time overruns
• arriving at the wrong audit conclusion
• failure to achieve the desired objective of the test
• significant frustration to both the auditor and the auditee

ACTIVITY 18

• Indicate the specific aspects to which the auditor should pay attention during the
planning phase when using CAATTs.
• Discuss the possible consequences of inadequate planning when using CAATTs.

FEEDBACK

The answer to these questions can be found above in Section 18.4 of this Study Guide.

18.5 APPLICATION OF CAATTS

CAATTs can be used to do tests of controls or substantive procedures.

System-oriented CAATTs concentrate on the accounting system and its related control procedures,
while data-oriented CAATTs are mainly concerned with substantive testing.

The testing of controls using system-oriented CAATTs is regarded as auditing through the
computer. When the client has a computerised accounting system, it is more effective and efficient
to use CAATTs to perform substantive audit procedures; this is regarded as the use of data-oriented
CAATTs.

Typical ways in which CAATTs can be applied are indicated below.

Audit working papers

The audit firm’s audit working papers and audit methodology may be available on generally
accepted audit software packages such as Caseware, BarnOwl, or CURA.
The working papers would document the audit programs and schedules analysing account
balances and significant classes of transactions in detail.

Substantive analytical procedures

• CAATTs may be used to download information from the computerised accounting records of
the auditee and then, using spreadsheets and modelling programs, the full range of analytical
procedures may be performed.
• CAATTs may be used to analyse all journal entries processed during the period to identify all
large and unusual journal entries for substantive testing. The auditor should be alert to the
risk of management overriding controls over non-standard journal entries and to the fact that
little or no visible evidence may be found of such overriding action.

Sample selection

Sampling software can facilitate the selection of random and other samples of source documents
or transactions recorded.

Data sorting and analysis, and printing of exception reports

CAATTs may be used to sort data within the computerised accounts according to the
specifications of the auditor, for example:

• revenue transactions
• payroll transactions
• inventory listings
• re-calculations

Effective and efficient internal auditing requires the use and application of CAATTs. As technology
evolved, CAATTs also evolved into what is known as data analytics, which likewise provides the
auditor with the means to analyse computer data in detail in an efficient manner.
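The data file reconciliation described in section 18.4(c) and the journal entry analysis, sample selection and exception reporting described in section 18.5 can all be carried out with a short general-purpose script. The following Python program is an added example; it is not from this Study Guide nor from any of the audit software packages named above. The journal extract, the auditee's control totals, the 10 000 threshold for a "large" entry and the weekend and round-amount tests are all constructed assumptions for the illustration.

```python
import csv
import io
import random
from datetime import date
from decimal import Decimal

# Constructed sample: a general-ledger journal extract as it might be downloaded
# from the auditee's accounting system (not real data).
JOURNAL_CSV = """entry_id,posted_on,posted_by,account,amount,description
1001,2019-03-04,jdoe,4000,1250.00,Sales invoice 8811
1002,2019-03-05,jdoe,4000,980.50,Sales invoice 8812
1003,2019-03-09,mgr1,2100,50000.00,Manual accrual
1004,2019-03-10,asmith,6100,215.75,Stationery
1005,2019-03-11,asmith,6100,300.00,Courier
1006,2019-03-15,mgr1,2100,75000.00,Year-end adjustment
1007,2019-03-18,jdoe,4000,1110.00,Sales invoice 8813
1008,2019-03-20,asmith,6100,-215.75,Reversal of 1004
"""

# Control totals supplied by the auditee for the same extract (constructed).
AUDITEE_CONTROL = {"record_count": 8, "amount_total": Decimal("128640.50")}

# Threshold above which an entry is treated as "large" (an assumption for this example).
LARGE_AMOUNT = Decimal("10000")


def load_journal(csv_text):
    """Parse the extract; amounts are kept as Decimal so that totals reconcile exactly."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["amount"] = Decimal(row["amount"])
        row["posted_on"] = date.fromisoformat(row["posted_on"])
        records.append(row)
    return records


def reconcile(records, control):
    """Data file reconciliation (section 18.4 c): the record count and the control
    total of the amount field must agree with the figures the auditee supplied
    before any test result is relied on."""
    count = len(records)
    total = sum((r["amount"] for r in records), Decimal("0"))
    return {
        "count": count,
        "total": total,
        "count_ok": count == control["record_count"],
        "total_ok": total == control["amount_total"],
    }


def flag_unusual(records, large=LARGE_AMOUNT):
    """Exception report for substantive testing: large entries, entries posted on a
    weekend and round amounts (whole multiples of 1 000), each a constructed
    indicator of a non-standard journal that merits follow-up."""
    flagged = {}
    for r in records:
        reasons = []
        if abs(r["amount"]) >= large:
            reasons.append("large")
        if r["posted_on"].weekday() >= 5:  # 5 = Saturday, 6 = Sunday
            reasons.append("weekend")
        if r["amount"] != 0 and r["amount"] % 1000 == 0:
            reasons.append("round")
        if reasons:
            flagged[int(r["entry_id"])] = reasons
    return flagged


def select_sample(records, size, seed):
    """Random sample of entry ids. A recorded seed makes the selection reproducible,
    so the working papers can show exactly which items were chosen and why."""
    rng = random.Random(seed)
    return sorted(int(r["entry_id"]) for r in rng.sample(records, size))


if __name__ == "__main__":
    journal = load_journal(JOURNAL_CSV)
    print("reconciliation:", reconcile(journal, AUDITEE_CONTROL))
    print("exceptions:", flag_unusual(journal))
    print("sample (seed 42):", select_sample(journal, 3, 42))
```

The reconciliation runs first for a reason: if the record count or control total does not agree with the auditee's figures, every later test result is suspect, so the exception report and the sample are only meaningful once both checks pass. The seed used for the sample belongs in the working papers together with the extract's control totals.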

ONLINE ASSESSMENT

Do the online assessment multiple-choice questions on myUnisa.

NOTES
Make your own notes here:

Learning unit 19
Auditing security and privacy of information assets

Contents
19.1 INTRODUCTION 139
19.2 INFORMATION SYSTEM SECURITY 139
19.3 INFORMATION SYSTEM SECURITY POLICY 140
19.4 ENCRYPTION AND OTHER INFORMATION SECURITY TOOLS AND CONTROL TECHNIQUES 142
19.5 THE AUDITOR AND THE INTERNET 144

19.1 INTRODUCTION

Information security may be defined as security around and in the computer environment and
associated equipment as well as security associated with the people using the computer and
equipment.

Information security includes issues such as access management and protection of personal
information of customers and staff members.

19.2 INFORMATION SYSTEMS SECURITY

Information security is all about protecting and preserving organisational information and
information about customers and staff members.

The information security standard BS7799-1:1991 defines information security (IS) as follows:

• Confidentiality – ensuring that information is accessible only to those authorised to have
access
• Integrity – safeguarding the accuracy and completeness of information and processing
methods
• Availability – ensuring that authorised users have access to information and associated
assets, if required

Information system security has become very complex because of distributed IT environments. Such
an environment involves a multitude of servers, databases and desktops and has multiple users.
Security is also more than making your network and internet services secure; it involves
authenticating employees, customers, remote offices, suppliers and partners.

The hardware, software and firmware of the company also need to be protected against
unauthorised use or even abuse by staff members. Hardware, software and firmware coexist, and
an auditor cannot examine one aspect in isolation. The interaction of these components adds
complexity; therefore, an auditor should regard access control as a complex exercise in risk
management technology.

It is important to note that information security is the responsibility of all employees of an
organisation, from management downwards. Management’s security concerns focus on the
effects of a breakdown in security rather than on the technical implementation of a security
system.

However, organisations must be aware that identity and access management (IAM) programs
frequently collect personal information about system users, which can be a breach of the privacy
and data protection laws. The auditor should give assurance that any IAM programs are aligned
with the necessary laws and regulations, such as the Electronic Communications Act 36 of 2005 of
South Africa.

Various control techniques can be applied to deal with the risk regarding information security.
Management should start with a proper risk assessment (risk management process) regarding
information security to determine the biggest challenges and decide on a plan of action on how to
resolve any weaknesses in a cost-efficient manner.

Some of the tools and techniques (controls) available to manage risks are the following:

• information security policy
• identity and access management (IAM)
• encryption

19.3 INFORMATION SYSTEMS SECURITY POLICY

An information security policy expresses a general commitment, direction or intention by
management to safeguard information assets. Such a policy covers the hardware, software and
information found in the IT environment.

All stakeholders, including management and the users of information technology in a company,
must realise that information security is not an add-on to the IT environment but an essential part
that should be seen as a component of a high-quality system.

For the auditor, the questions to be answered when auditing the information security policy are as
follows:
(1) Are there policies in place for managing and administering user identities and access
activities?
(2) Is there a strategy in place for dealing with the risks associated with the IAM process?
(3) Is there a reference model the organisation can use during the administration process?

When the auditor evaluates the answers to these questions, it is important to determine whether
documentation already exists that covers these issues to some degree.

The business’s existing policies and procedures should support the workflow and the information
system environment. However, it is necessary to have a specific policy in place for information
security.

The basic security policy should address the following five pillars:

• Authentication: Users must be identifiable before they may gain access to the system.
• Authorisation: The user must have the necessary authority to obtain access to the system
and to use specific programs and software in the system as well as to get access to specific
information.
• Integrity: The integrity of the information and the performance of the system should be
protected. Users must be confident that processing will take place effectively and efficiently
and that the results will be reliable.
• Confidentiality: Users should know that access to certain programs and information is a
privilege and they should be able to be trusted to use the information for business purposes
only.
• Nonrepudiation: There must be an audit trail so that the system can prove that the person
who accessed the system as the user was in fact the person doing the work on the system.

Over and above the five pillars identified above, the following key aspects should form part of the
security policy:
• Employees should see information as an important asset of the organisation, and it must be
protected as such.
• The organisation complies with all applicable laws and regulations regarding information
security and ensures that its employees do so as well.
• Access to information is granted to individuals when required for the performance of their
business functions.
• Confidentiality of information is maintained.
• Information is appropriately protected against unauthorised modification.
• Information is available as and when required to support the authorised business functions
and judgements of the organisation.
• The appropriate control structures are implemented to ensure the integrity, confidentiality and
availability of information.

ACTIVITY 19

Discuss what an information security policy involves and the detail that should be
included in the policy.

FEEDBACK

The information security policy should provide the fundamental guidelines used in
assessing the value of the information assets and the impact should an untoward event
occur.

The following information should be included:

• Information is an important asset of the organisation and must be protected as such.
• By protecting information assets, the organisation will comply with all applicable laws
and regulations and will ensure that its employees do so as well.
• Access to information will be granted to individuals when required for the performance
of their business functions.
• Confidentiality of information will be maintained.
• Information must be appropriately protected against unauthorised modification.
• Information will be available as and when required to support the authorised business
functions and judgements of the organisation.
• The appropriate control structures must be implemented to ensure the integrity,
confidentiality and availability of information.

ACTIVITY 20

What are the most important elements of the information system security policy that
an auditor should be aware of?

FEEDBACK

The answer to the elements of information security policy is found in section 19.3 of this
study guide.

19.4 ENCRYPTION AND OTHER INFORMATION SECURITY TOOLS AND CONTROL TECHNIQUES

Controlling access to computer resources

To control access to all computer resources, including hardware, software and information, proper
identity and access management systems must be in place.

These will now be discussed.

a) Identity and access management

The system of controls is a complex system comprising various policies, procedures, activities and
technologies to deal with security risks.

It is necessary to involve different departments, such as the IT department and human resources,
to put a proper internal control system in place.

The important questions to be asked while implementing such a system are the following:

• Who has access to what information? A decision needs to be taken about who should have
access to which resources, applications and information.
• Is the access appropriate for the job being performed? Does the access given match the job
description, or has a person been given access that conflicts with and threatens the segregation
of duties principle?
• Are the access and activity monitored, logged and reported appropriately? The system
should be designed in a way that supports regulatory compliance in the different
environments. It should also facilitate the auditing process by logging all access, enabling
access to be traced to ensure that only legitimate users have accessed the system.

Identity and access management is based on the following principles:

• Identity – the element or combination of elements used to uniquely describe a person or
equipment
• Access – the information representing the rights that the identity was granted (These
information access rights can be granted to allow users to perform transactional functions at
various levels.)
• Access rights or entitlements – the collection of access rights to perform transactional
functions

For identities to become part of the identity and access management system, three stages need to
be followed:

• Provisioning: Request, validate, approve, propagate and communicate the process in line
with the security policy.
• Identity management: Monitor and manage passwords, audit and reconcile, administer
policies and strategize or manage systems.
• Enforce: Authenticate, authorise and log activities.
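The three questions above (who has access, is it appropriate for the job, and is activity logged and reported) are the tests an auditor actually runs against an IAM system's provisioning register and its access log. The following Python script is an added example and not part of this Study Guide: it takes a constructed provisioning register, a constructed list of segregation-of-duties conflict pairs and a handful of constructed access log lines, reports identities holding conflicting entitlements, and cross-checks the log against the register for unprovisioned identities, allowed actions the register does not grant, and denied attempts. The entitlement names and log format are assumptions for the illustration.

```python
# Constructed provisioning register from the IAM system: identity -> entitlements held.
PROVISIONED = {
    "alice": {"ap.create_vendor", "ap.enter_invoice"},
    "bob": {"ap.approve_payment"},
    "carol": {"ap.enter_invoice", "ap.approve_payment"},
    "dave": {"gl.post_journal"},
}

# Constructed segregation-of-duties policy: pairs of entitlements one person may not hold.
SOD_CONFLICTS = [
    ("ap.create_vendor", "ap.approve_payment"),
    ("ap.enter_invoice", "ap.approve_payment"),
]

# Constructed access log, one event per line:
# "<timestamp> <identity> <entitlement used> <outcome>".
ACCESS_LOG = """\
2019-03-11T08:02:11 alice ap.enter_invoice ALLOW
2019-03-11T08:15:40 bob ap.approve_payment ALLOW
2019-03-11T09:01:03 carol ap.approve_payment ALLOW
2019-03-11T09:30:55 eve gl.post_journal ALLOW
2019-03-11T10:12:19 dave ap.approve_payment DENY
2019-03-11T11:05:00 alice ap.approve_payment ALLOW
"""


def sod_violations(provisioned, conflicts):
    """'Is the access appropriate for the job?': identities that hold both halves
    of a conflicting pair of entitlements."""
    violations = {}
    for user, rights in provisioned.items():
        hits = [pair for pair in conflicts if pair[0] in rights and pair[1] in rights]
        if hits:
            violations[user] = hits
    return violations


def parse_log(text):
    """Split the constructed log into event dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, right, outcome = line.split()
        entries.append({"ts": ts, "user": user, "right": right, "outcome": outcome})
    return entries


def log_findings(entries, provisioned):
    """'Are access and activity logged and reported appropriately?': cross-check
    each logged event against the register. Returns (user, entitlement, reason)."""
    findings = []
    for e in entries:
        if e["user"] not in provisioned:
            findings.append((e["user"], e["right"], "identity not in provisioning register"))
        elif e["outcome"] == "ALLOW" and e["right"] not in provisioned[e["user"]]:
            findings.append((e["user"], e["right"], "allowed but not provisioned (enforcement gap)"))
        elif e["outcome"] == "DENY":
            findings.append((e["user"], e["right"], "denied attempt to exceed entitlements"))
    return findings


def access_review():
    """Run both checks over the constructed data and return the combined result."""
    return {
        "sod": sod_violations(PROVISIONED, SOD_CONFLICTS),
        "log": log_findings(parse_log(ACCESS_LOG), PROVISIONED),
    }


if __name__ == "__main__":
    for section, result in access_review().items():
        print(section, result)
```

Each finding maps back to one of the three stages listed above: an identity in the log but not in the register is a provisioning failure, an allowed action the register does not grant is an enforcement failure (the authorise step is not using the register), and a denied attempt is the log doing its job and is reported for follow-up rather than as a control failure.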

Encryption

Data that are communicated between two computers or other devices should be secured against
eavesdropping or even manipulation. One way to ensure the security of data is to use encryption,
and in South Africa the Electronic Communications and Transactions Act (ECT Act) 25 of 2002
must be adhered to regarding specific communication protocols and infrastructure. The act can be
accessed at the following website: http://www.acts.co.za/ect_act/index.htm

According to Cascarino (2007:302), cryptography is the name given to the use of mathematical
algorithms to transform data. Its primary use is the protection of information and it is a
fundamental tool used in underpinning many aspects of computer security, including data
confidentiality, data integrity, user authentication, and electronic signatures.

Encryption is a technique for turning messages into unreadable codes by scrambling up the data in
such a way that the legitimate recipient can unscramble or “decrypt” the message easily, but an
unauthorised recipient would only see garbage.

In terms of the ECT Act, 2002, Chapters 4, 5 and 11, specific provisions are given relating to
cryptography providers and encryption standards that a business should take note of.

The auditor needs to test

• that secure socket layer (SSL) communication protocol is used to secure sensitive information
as it makes use of a two-key encryption standard
• that public key infrastructure (PKI) is utilised in conjunction with SSL

19.5 THE AUDITOR AND THE INTERNET

Although you have probably encountered concepts such as the “information highway”, or
“cyberspace”, some of you may not yet know what the internet really consists of and what an
advantage it can be to auditors.

This section of the module provides the auditor with the basic concepts of the internet and internet literacy.

Gaining access to the internet

To gain access to the internet, you require the following:

• a personal computer
• a telephone line
• a modem for connecting the personal computer to the telephone line
• the necessary software
• an internet connection

Normally, you can be connected to the internet by means of

• a direct connection, or
• a dial-up connection by telephone line from a remote location to an internet service provider

Direct connection to the internet

A direct connection to the internet is usually available in big organisations which are linked to the
internet for business reasons. A direct connection with the internet is effected by means of a rented
line that is allocated to a particular user.

The following factors should be borne in mind when a direct connection with the internet is being
considered:

• This type of connection is relatively expensive, but it provides a rapid and reliable connection
to the internet.
• It offers a full range of internet services such as electronic mail, file transfer, and access to the
world wide web.
• Many users in the organisation can gain access to the internet.
• Management of the organisation can exercise control over access to the internet.
• A direct connection requires specialised knowledge of and skills for installation and
maintenance.

Dial-up connection to an internet service provider

A dial-up connection is obtained by phoning an internet service provider (ISP) that is linked to your
computer by means of a modem.

The following factors should be borne in mind when considering a dial-up connection to the
internet:

• type of modem required for linking your computer to the internet by telephone line through
the agency of your service provider
• software required for access to the internet through your service provider (usually supplied by
your service provider)
• the internet services you require
• that this service is usually slower than a direct internet connection
• the geographical location of your point of access to the internet, since this determines the call
charge for your telephone call

Internet services that are of special use to auditors

The internet is a valuable source of information to auditors, as it may be used in research, problem-
solving or communicating with clients or other auditors.

The following internet services are very important to auditors (each is discussed in greater detail
below):

• electronic mail (e-mail)
• downloading files (FTP)
• world wide web (WWW)

Electronic mail (e-mail)

Electronic mail is the most basic internet service and also the most widely used. E-mail enables you
to communicate by way of your computer with any other person anywhere in the world, if that
person has an e-mail address.

An e-mail address is normally your log-in code on your local network.

Apart from sending information to or receiving information from other people connected to the
internet, e-mail also enables the auditor to subscribe to mailing lists or discussion groups on the
internet. Discussion groups bring auditors with particular interests or particular problems together
electronically.

File transfer protocol (FTP)

The file transfer protocol of the internet enables the auditor to download and upload computer
files on other computers connected to the internet.

For FTP purposes, access to other computers on the internet is controlled by the organisation from
which you want to download or to which you want to upload files. Most organisations require you
to be a registered user, but some will allow non-registered users to access their computer systems.
The FTP function of the internet enables auditors, for example, to exchange audit programs and
other files electronically. An FTP address is normally written in the following format: ftp:// followed
by the unique site name, the location of the file (the directory) and the name of the particular file.
The prefix ftp:// (file transfer protocol) is the generally accepted way of identifying sites offering
file transfer facilities.

To download files from a remote computer you must know the unique IP address of the computer
as well as the location and name of the particular file you want to download on that computer.

World Wide Web (WWW)

The WWW on the internet is based on hypertext technology which ensures easy access to
information on the internet. Hypertext technology is also able to handle graphic and sound files.
To be able to use the WWW you need a browser such as Netscape or Internet Explorer.

If you want to visit a particular site on the WWW, you need to know the address or URL (uniform
resource locator) of the computer in question.

The following is an example of the format in which this address is normally written:
http://www.unisa.ac.za/. The http (hypertext transfer protocol) is the generally accepted method of
identifying computers on the WWW. The part of the URL that follows the letters http:// is the
unique name of the computer where the information is situated.

Risks associated with an internet connection

In spite of the cost-efficiency and business advantages, significant risks are associated with an
internet connection.

These risks can be grouped into the following six main areas:

• Masquerade: This is a common attack in which a user impersonates somebody else by using that
person’s login name and password to obtain additional privileges.
• Disclosure: It is quite simple for someone to wiretap a communication transmitted via the
internet, including e-mail, files and passwords.
• Unauthorised access: Despite programmers’ attempts to deal with this problem, some
internet software packages still contain vulnerable areas which leave their systems open to
attack. On top of this, many of these systems are large, causing difficulties in their
configuration and resulting in a large percentage of incidents of unauthorised access.
• Loss of data integrity: One of the threats that is commonly overlooked is the modification
of data while on a computer or in transit. The simple addition of the word “not” in a document,
or the addition of several zeros at the end of an amount, is enough to cause chaos in
electronic trade.
• Refusal of service (denial of service): This occurs when an internet network is flooded with
data and/or requests which must be serviced. This can cause the computer to stop functioning
and be unavailable for any other purpose.
• Theft of services and resources: Theft of services is a major threat for those enterprises
offering special services to specific clients via the internet.
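Section 19.4 lists data integrity and user authentication among the uses of cryptography, and the “loss of data integrity” risk above describes the insertion of the word “not” or of extra zeros in an amount. The following Python example is added here and is not from this Study Guide or from Cascarino; it uses the standard library’s HMAC-SHA256 to show how a message authentication code computed by the sender lets the recipient detect both manipulations. The shared key and the payment message are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed shared key. In a real deployment the key is agreed through a key
# exchange such as the SSL/PKI handshake the auditor is told to test for.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def make_tag(key, message):
    """Message authentication code (HMAC-SHA256) over the exact bytes sent."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key, message, tag):
    """Constant-time comparison; True only if both the message and the key match the tag."""
    return hmac.compare_digest(make_tag(key, message), tag)


def integrity_demo():
    """Show the 'loss of data integrity' risk: one tag is computed for the original
    message and then checked against two edits an attacker might make in transit."""
    original = b"PAY 1000.00 TO ACCOUNT 12345 APPROVED"
    tag = make_tag(SHARED_KEY, original)
    # Constructed manipulations: an extra zero in the amount and an inserted "NOT".
    extra_zero = b"PAY 10000.00 TO ACCOUNT 12345 APPROVED"
    negated = b"PAY 1000.00 TO ACCOUNT 12345 NOT APPROVED"
    # A party without the shared key cannot produce or check a valid tag either.
    wrong_key = secrets.token_bytes(32)
    return {
        "original_verifies": verify_tag(SHARED_KEY, original, tag),
        "extra_zero_verifies": verify_tag(SHARED_KEY, extra_zero, tag),
        "negated_verifies": verify_tag(SHARED_KEY, negated, tag),
        "wrong_key_verifies": verify_tag(wrong_key, original, tag),
    }


if __name__ == "__main__":
    for check, outcome in integrity_demo().items():
        print(f"{check}: {outcome}")
```

An HMAC gives integrity and authentication of whoever holds the key, but nothing more: the message is still readable in transit (the disclosure risk above remains until it is encrypted), and because both ends share the same key it cannot provide nonrepudiation, which needs a signature under a private key issued through a PKI. That is why the auditor is told to look for SSL together with PKI: the protocol combines encryption for confidentiality with authentication codes for integrity and certificates for identity.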

SUMMARY

A computer information systems environment exists when a computer of any kind or
size is used in the processing of an entity’s financial or other information.

The use of computers may have an influence on the accounting and internal control
systems. We introduced the concept of computer risks and exposures and emphasised
that the major types of risk faced in the information system function must be
understood to be dealt with.

The actual internal controls introduced in organisations to attain the internal control
objectives can be related to certain generally applicable control activities. To be able to
evaluate internal controls, make recommendations on possible weaknesses, and
suggest improvements to internal control systems, IT auditors require a thorough
knowledge of control activities and the related internal control measures.

This topic introduced you to the concept of computer-assisted audit techniques and
tools. The advantages and disadvantages of using computer-assisted audit techniques
were also discussed. The factors that auditors should consider when they intend using
CAATTs in carrying out the audit process were discussed in this topic. Attention was
also given to the factors that are important in implementing CAATTs.

The scope of computer security is virtually all-embracing, and it covers just about
everything that could go wrong. In this learning unit, we mainly discussed the IS security
policy.

The principles of information security and controlling access to computer resources and
encryption were explained. The internet is a steadily growing combination of networks
used by millions of people all over the world for a variety of purposes.

In the auditing field, both external and internal auditors are making increasing use of
the internet in executing their duties. Internet literacy has therefore become extremely
important to auditors.

ONLINE ASSESSMENT

Do the online assessment multiple-choice questions on myUnisa.

NOTES
Make your own notes here:

TOPIC 6
Other types of internal audit engagements
Contents

LEARNING UNIT 20: Treasury and contract auditing 150

LEARNING UNIT 21: Consulting engagements 154

INTRODUCTION TO AND PURPOSE OF THE TOPIC

Internal auditing is regularly required to perform assurance and consulting engagements in
specialised areas, such as treasury and contract environments. Poor treasury management and
poor contract management can result in catastrophic losses for an organisation. Traditionally,
these are also areas that are often targeted by internal and external fraudsters.

LEARNING OUTCOMES

After you have studied this topic, you should be able to do the following:

– Understand, explain and apply the principles of treasury auditing (LU 20).
– Understand, explain and apply the principles of contract auditing (LU 20).
– Explain the difference between consulting and assurance activities (LU 21).
– Discuss the different types of consulting services (LU 21).
– Describe the consulting engagement process (LU 21).

Learning unit 20
Treasury and contract auditing

Contents
20.1 INTRODUCTION 150
20.2 INTRODUCTION TO TREASURY AUDITING 150
20.3 INTRODUCTION TO CONTRACT AUDITING 151

20.1 INTRODUCTION

Internal audit functions are in a prime position to increase the value they add to the organisation
by expanding the number and type of assurance and consulting services they provide, especially
in the treasury and contract management areas.

STUDY

Go to “Additional Resource” in myUnisa and study the electronic copy of “Other Types of
Engagements”, chapter 12, sections 12.1, 12.2 and 12.3.

20.2 INTRODUCTION TO TREASURY AUDITING

Two types of treasury environments

In most organisations, the treasury function refers to the department in Finance that deals with
the cash management of the organisation, inclusive of cash position and foreign exchange
transactions.

Treasury auditing may also be conducted in financial institutions. In financial institutions, the
treasury department is usually much larger in size and structure, and more complex.

Key treasury risks

Credit risk and liquidity risk are two of the key risk categories of treasury risks.

STUDY
Go to “Additional Resource” in myUnisa and study the electronic copy of “Other Types of
Engagements”, chapter 12, section 12.2.2.

Treasury controls

“The internal audit activity must assist the organization in maintaining effective controls
by evaluating their effectiveness and efficiency and by promoting continuous
improvement.” Standard 2130 – Control

Key control aspects include the following:

• existence of, and compliance with, treasury policies and procedures
• delegated authorities in the treasury department
• transaction limits
• monitoring and reporting of treasury activities

STUDY
Go to “Additional Resource” in myUnisa and study the electronic copy of “Other Types of
Engagements”, chapter 12, section 12.2.2.

Treasury audits

Treasury audits usually cover both investment and borrowing activities.

The internal auditor should have a thorough understanding of the treasury function and its
activities prior to performing an assurance or consulting engagement. Internal auditors may
require the services of external experts to assist them in auditing complex treasury transactions,
for example financial derivatives.

STUDY
Go to “Additional Resource” in myUnisa and study the electronic copy of “Other Types of
Engagements”, chapter 12, section 12.2.3.

20.3 INTRODUCTION TO CONTRACT AUDITING

Contractual compliance

Companies enter into contracts in many ways. Purchase orders, sales orders, labour agreements,
licensing agreements, and rental agreements are entered into on a regular basis by the company.

The rights and obligations of the parties and the remedies available if contracts are breached are
usually spelled out in the contracts themselves. In some cases, severe penalties are enforceable if
either party fails to perform.

Internal auditors must understand the material contractual agreements in force for their
organisation and the measures used to monitor compliance (Coetzee et al 2015a).

Contract auditing is probably the one area in which an internal audit can save the company a
significant amount of money. Large contracts, especially those that run for more than one year,
are often not managed as closely as required.

Main categories

The three main categories of contracts include the following:

• lump-sum contracts
• cost-plus contracts
• unit-price contracts

STUDY

Go to “Additional Resource” in myUnisa and study the electronic copy of “Other Types of
Engagements”, chapter 12, section 12.3.1.

Phases of contract auditing

The role of internal auditing involves four distinct phases:

• The organisation’s activities of control over the contract
• Pre-award contract phase
• After-award and during-contract phase
• Post-completion and follow-up phase

STUDY
Go to “Additional Resource” in myUnisa and study the electronic copy of “Other Types of
Engagements”, chapter 12, section 12.3.2.

ONLINE ASSESSMENT

Do the online assessment multiple-choice questions on myUnisa.


Learning unit 21
Consulting engagements

Contents
21.1 INTRODUCTION 154
21.2 DEFINITION OF CONSULTING SERVICES 154
21.3 RISK MANAGEMENT AND CONSULTING SERVICES 155
21.4 DIFFERENCES BETWEEN AN ASSURANCE ENGAGEMENT AND A CONSULTING ENGAGEMENT 156
21.5 THE CONSULTING ENGAGEMENT PROCESS 157

21.1 INTRODUCTION

Internal auditors provide assurance and consulting (advice and insight) services, either of which
can be control focused and/or performance focused.

21.2 DEFINITION OF CONSULTING SERVICES

Definition of consulting services

The IIA defines consulting services as follows:

Advisory and related client service activities, the nature and scope of which are agreed
with the client, are intended to add value and improve an organisation’s governance, risk
management and control processes without the internal auditor assuming management
responsibility.

The mission of internal audit specifically includes “to enhance organisational value” by “providing
risk-based and objective advice and insight”.

Nature of consulting services

Consulting services can be requested formally or informally, and they are often not incorporated
in the annual internal audit plan.

STUDY

Go to “Additional Resource” in myUnisa and study the electronic copy of “Other Types of
Engagements”, chapter 12, section 12.4.

Scope of consulting services

The CAE needs to manage effectively the expectations of the engagement client and the
independence and proficiency of the internal auditors performing the consulting engagement.

The consulting services should contribute to adding value or enhancing governance, risk
management and control processes.

Not assuming management responsibility

The CAE should refuse any consulting service activity that may be perceived as or result in
assuming management responsibility. The CAE should discuss requests for consulting services
with the chairperson of the audit committee prior to accepting the assignment.

Types of consulting service

Consulting services comprise a wide range of activities based on management’s needs. The
specific consulting engagements that an internal audit function can perform are
limited only by the needs of the organisation and the resources of the function, provided they do
not impair the independence of the internal audit function or the objectivity of the internal
auditors.

Types of consulting service are as follows:

• advisory consulting engagements
• training consulting engagements
• facilitative consulting engagements
• blended engagements

21.3 RISK MANAGEMENT AND CONSULTING SERVICES

Standard 2120.C1 – During consulting engagements, internal auditors must address risk
consistent with the engagement’s objectives and be alert to the existence of other
significant risks.

Management and the board are responsible for their organisation’s risk management and control
processes. However, internal auditors acting in a consulting role can assist the organisation in
identifying, evaluating, and implementing risk management methodologies and controls to deal
with those risks (IIA, Practice Advisory 2120-1).

Standard 2120.C2 – Internal auditors must incorporate knowledge of risks gained
from consulting engagements into their evaluation of the organisation’s risk
management processes.

The internal auditor will probably identify additional risks when performing the consulting
engagement.

Standard 2120.C3 – When assisting management in establishing or improving risk
management processes, internal auditors must refrain from assuming any management
responsibility by actually managing risks.

The internal audit function cannot take ownership of the risk management processes in an
organisation. Management are responsible for risk management.

STUDY

• Standards 2120.C1, 2120.C2 and 2120.C3
• Go to “Additional Resource” in myUnisa and study the electronic copy of “Other Types
of Engagements”, chapter 12, section 12.4.

21.4 DIFFERENCES BETWEEN AN ASSURANCE ENGAGEMENT AND A CONSULTING ENGAGEMENT

What are the differences between an assurance engagement and a consulting engagement?
Internal audit consulting engagements differ from assurance engagements as follows:

• The nature and scope of an assurance engagement are determined by the internal audit
function, whereas the nature and scope of a consulting engagement are subject to
agreement with the engagement customer.
• Consulting agreements are more discretionary in nature than assurance engagements.

Internal audit consulting is similar to assurance engagement in terms of the three major phases
of an engagement, namely:

• planning the engagement
• performing the engagement
• communicating the results

21.5 THE CONSULTING ENGAGEMENT PROCESS

The internal audit function is uniquely positioned to add value and influence the organisation
when performing consulting engagements.

Consulting services provided by the internal audit function can be very valuable to the
organisation. These services provide many opportunities for internal auditors to increase their
knowledge and skills in areas that may not be part of the assurance engagement environment.

In this learning unit, we will discuss the consulting engagement process. Given that consulting
engagements can differ so greatly in nature and scope, the process for conducting them also
varies from engagement to engagement.

You should carefully study the following outline of a consulting engagement process:

• Planning the advisory consulting engagement
  – Determine engagement objectives and scope.
  – Obtain final approval of objectives and scope from the consulting engagement customer.
  – Understand the engagement environment and relevant business processes.
  – Understand relevant risks, if appropriate.
  – Understand relevant controls, if appropriate.
  – Evaluate control design, if appropriate.
  – Determine the engagement approach.
  – Allocate resources to the engagement.

• Performing the advisory consulting engagement
  – Gather and evaluate evidence.
  – Formulate advice.

• Communicating and follow-up
  – Determine the nature and form of communications with engagement.
  – Give advice to the engagement customer.
  – Conduct interim and preliminary engagement communications.
  – Develop final engagement communications.
  – Distribute final engagement communications.
  – Perform monitoring and follow-up, if appropriate.

STUDY

Go to “Additional Resource” in myUnisa and study the electronic copy of “Other Types of
Engagements”, chapter 12, section 12.4.

SUMMARY
For internal audit to add value in an organisation, its role is not limited to assurance
assignments only but extends to consulting assignments. In this topic, we learnt about
the other types of engagements that the internal audit function is responsible for, specifically
treasury and contract management engagements.

We explained the principles of both treasury and contract management engagements
and how to apply those principles when auditing.

We also explained the difference between consulting and assurance activities and
further explained the process involved in performing consulting engagement.

Both assurance and consulting activities should be considered by the internal audit
function when drafting the internal audit plan.

ONLINE ASSESSMENT

Do the online assessment multiple-choice questions on myUnisa.


PART C
INTERNAL AUDIT REPORTING AND FOLLOW-UP

PART C – Internal audit reporting and follow-up
Topic 7: Reporting and follow-up on the completion of audit assignments
– Learning Unit 22: Reporting on completed audit assignments
– Learning Unit 23: Presenting internal audit reports
– Learning Unit 24: Follow-up on completed audit assignments

TOPIC 7
Reporting and follow-up on the completion
of audit assignments

Contents
LEARNING UNIT 22: Reporting on completed audit assignments 161
LEARNING UNIT 23: Presenting internal audit reports 175
LEARNING UNIT 24: Follow-up on completed audit assignments 185

INTRODUCTION TO AND PURPOSE OF THE TOPIC

The results of an internal audit assignment are communicated in the audit report to all interested
parties. The principal purpose of the internal audit report is to bring useful and timely information
on deficiencies to the attention of management and recommend improvements.

In this topic, we will introduce you to the general reporting principles and discuss the
authoritative requirements for reporting and follow-up. We will also cover writing internal audit
reports, presenting internal audit reports, and doing a follow-up on completed projects.

LEARNING OUTCOMES

After you have studied this topic, you should be able to do the following:
– Identify the aim and principles of internal audit reporting.
– Produce good internal audit reports.
– Communicate information through presentations.
– Evaluate the follow-up on audit results.

Learning unit 22
Reporting on completed audit assignments

Contents
22.1 INTRODUCTION 161
22.2 WRITING INTERNAL AUDIT REPORTS 161

22.1 INTRODUCTION

Reporting is one of the internal auditor’s biggest headaches, particularly as far as achieving
balanced reporting and reporting at the appropriate level are concerned.

In this learning unit, we will discuss how to write an internal audit report, the principles and
analysis of audit findings, and how to finalise the audit report.

22.2 WRITING INTERNAL AUDIT REPORTS

Aim and principles of internal audit reporting

The internal auditor is required to give an overall opinion and then report on the findings in detail.
The internal auditor will determine that a manager is either

• meeting the standard, or
• not meeting the standard.

If the internal auditor decides that a manager is meeting the standard, he or she will indicate this
in his or her overall opinion. The internal auditor should summarise his or her conclusions on the
relevant working paper to be used as input in forming the overall audit opinion.

It is unlikely that the internal auditor will want to report each standard that the manager is
meeting, as this will make reporting cumbersome and less effective. Readers do not want to see
a list of all the things the manager is doing right, but they do want a summary of them as well as
information about corrective actions when the manager is not doing things right.

However, in some circumstances, the internal auditor may want to report on the standards with
which managers are complying. For example, an internal auditor may have previously found
major problems in a department but on revisiting the department, the auditor finds that the
manager has corrected the problems. In this case, the internal auditor may wish to report that the
corrective action has been taken.

This creates good relations between the internal auditor and departmental managers. But, more
importantly, it gives top managers feedback, indicating that the departmental manager has taken
corrective action and that this manager is now managing the department more effectively.

Purpose of reporting

In the reporting phase of an internal audit, the audit team communicates the results of the audit
to management and interested employees. The basic objectives of internal audit reports are as
follows:

• to supply useful and timely information on operational deficiencies and other aspects
• to suggest improvements to the way in which the organisation is run

The internal audit report is the audit team’s opportunity to get management’s undivided
attention. The internal audit report therefore serves a two-fold purpose:

• to communicate the results of an internal audit
• to persuade management and call for action

If the audit has been conducted correctly, the audit findings will already have been discussed with
interested members of staff and management, and efforts will already have been made to rectify
deficiencies in the system.

The final internal audit report is essentially a summary of the completed audit, documenting
the following:

• what the internal audit team has achieved
• what was found during the audit
• the extent of the deficiencies in the auditee organisation
• steps taken by the personnel to rectify the situation

When internal audit findings have not yet been communicated to interested members of staff and
management, verbal and written audit reports are used to persuade management to take
corrective action. This method is suitable for audit projects that cover a short time span or for a
general review type of audit, where there is not sufficient opportunity during the audit to convey
the findings.

In other circumstances, the auditors should announce their audit findings as they are generated.

The presentation of operational audit reports creates an opportunity for the internal auditors to
market their activity in the organisation. Sufficient attention should therefore be paid to the
presentation of audit reports.
IPPF requirements for reporting on completed audit assignments

An effective audit report ensures that the reader understands all the important information in the
shortest possible time. This objective will be realised only if the arrangement and presentation of
the report meet all the requirements of sound communication.
The report should first inform the person to whom it is directed about the subject of the audit and
continue to give the findings and any audit opinion and recommendations that require the
attention of someone at that level of management.

The audit report must be objective, clear, concise, constructive and timely. Each of these
elements is an important principle of communication, and they must therefore be understood and
applied as such.

All these elements are relative, and they cannot be determined or measured precisely, except for
the elements of objectivity and timeliness, which are to some extent measurable. It is therefore
vital for the internal auditor to acquire the skills necessary to apply them effectively and efficiently
in any form of communication, but especially when producing written reports.

STUDY

Internal Audit Standards

• Communicating results 2400
• Criteria for communicating 2410, 2410.A1, 2410.A2
• Quality of communications 2420
• Errors and omissions 2421
• Use of “Conducted in conformance with the International Standards for the
Professional Practice of Internal Auditing” 2430
• Disseminating results 2440, 2440.A1, 2440.A2, 2440.C1, 2440.C2
• Overall opinions 2450
• Monitoring progress 2500, 2500.A1, 2500.C1
• Resolution of senior management’s acceptance of risks 2600

Prescribed textbook: Performing Internal Audit Engagements, Chapter 9

• Section 9.1: Introduction
• Section 9.2: Purpose of Reporting
• Section 9.9: Writing Skills

Principles of the analysis and interpretation of audit findings

The need for findings

Findings can arise from any phase of the audit. They are fundamental to the auditing process.
Findings provide managers with feedback on their performance and with corrective action to
rectify problems.

If the internal auditor has discovered areas in which improvement is needed and management
have agreed to corrective action, managers will be able to correct the problem and improve unit
performance. It is vital that the internal auditor develops findings that lead to managers taking
corrective action. Internal auditors often do not develop their findings adequately and therefore
do not maximise their contribution to organisational performance.

One reason that internal auditors fail is that they neglect to analyse the findings in sufficient detail
to convince management of the need for corrective action. Unless management are convinced of
the need to take corrective action, they will not. An excellent audit cannot be effective unless
corrective action is taken where risks are identified.

Favourable and unfavourable findings

Findings can be favourable or unfavourable. Favourable findings are on activities that the
manager is doing right. The internal auditor wants to report them to the manager, but they do
not require corrective action.

Unfavourable findings are activities that the manager is doing wrong. They require corrective
action and must be reported.

STUDY

Chapter 9, section 9.6 (“Findings”) in your prescribed textbook: Performing Internal
Audit Engagements.

Elements of an audit finding

Internal audit findings may be positive or negative. All audit findings consist of at least two
components, namely the criteria or standards that should be achieved and the true state of affairs.

Negative findings have three additional components, namely the cause, the effect and the
recommendations for rectifying the situation. The role of the various elements of audit findings
may be summed up as follows:

Statement of condition

Fact-gathering forms part of every audit project. Facts that constitute part of the state of affairs
should be accurate, properly supported, and clearly and precisely defined.

Every fact should be so thoroughly supported by working papers that its accuracy cannot be
questioned. This includes the who, what, where and how element:
• What was found?
• What was observed?
• What is not functioning effectively or efficiently and what is defective?
• Is the condition isolated or widespread?

Criteria/standards

The internal auditor’s choice of criteria or standards for assessing existing conditions requires
experience and wisdom. The reasonableness of audit findings depends on the choice of the
correct criteria or standards for assessing the performance of the organisation and applying those
criteria or standards correctly.

It is the responsibility of the internal auditors to persuade interested parties that the criteria they
are using are reasonable. This element comprises comparing the ideal with the actual, that is:
• What should the position be?
• What is the standard of comparison?
• What is the standard procedure or standard practice?
• Is it a formal or an informal procedure?

Cause

Recommendations generally arise directly from the cause, and it is therefore desirable to present
the cause and the audit recommendations together in the audit report. Constructive
recommendations depend largely on identifying the cause accurately. If the auditors know why a
certain event took place, it is easier to make recommendations to prevent recurrence in future.

This element involves an investigation into the factors that give rise to the problem that has been
identified:
• Why did it happen?
• What was the underlying cause of the deviation?
• What caused the activities to become inefficient and uneconomic?

Effect

The effect section of the audit findings quantifies the influence of the deficiencies and encourages
management to take corrective action. The materiality of a deficiency is judged by its effect.

This element is an analysis of the present and potential effect of a finding on operations:
• What is the significance?
• What is the consequence of the finding?
• What will the result be if the condition continues?

Recommendations

It is important that the users of the audit report should know exactly why a particular audit
recommendation has been made, in other words, what the auditors intend to rectify and what
benefits would be achieved from the implementation of the recommendations.
The most important point is that anyone affected by the recommendations should agree on the
benefits of the proposed changes to be able to implement the proposals. Because many people
experience change negatively, it is important to discuss all proposals with the interested parties
before the final report is issued to make certain that they agree to the proposals and are prepared
to implement them.

This element involves a consideration of the steps that could be taken to improve or rectify the
existing situation, such as the following:

• What could be done to rectify the situation?
• What recommendations are practicable and reasonably acceptable?
• Who should implement the recommendations?

STUDY
Chapter 9, section 9.6 (“Findings”), in your prescribed textbook: Performing Internal
Audit Engagements.

ACTIVITY 21

The following statements have been taken from internal audit findings and they are
not necessarily related. Opposite each statement, indicate the element of an audit
finding that the statement represents, using the following code: A = description of the
condition, B = criterion/standard, C = cause, D = effect or E = recommendation.

(1) The actual project costs on 31 December 2014 were R16 685,00, which amounted
to more than 10% of total project costs.
(2) The above situation occurred because the person in charge of the assets did not
exercise proper control over the receipt of the equipment.
(3) In addition, no procedures were in place for monitoring the activities of
employees.
(4) The required ledger control accounts should be created and kept up to date to
ensure control over funds.
(5) We are of the opinion that the practice of keeping duplicate records also
contributed to the unnecessarily high labour and costs.
(6) According to a recommendation by the Commissioner of Inland Revenue,
personal computers should be depreciated over three years.
(7) We were informed that only a verbal agreement was established between the
departmental manager and the provider of the service.
(8) In our opinion, it is essential for the proper management of and control over funds
that local offices submit timely and accurate reports on their final expenditure
figures.
(9) Consequently, the administrative costs of the department were overstated by an
amount of R258 784,00, according to our calculations.
(10) The approval of projects is one of the most important responsibilities of the board
of directors and we believe that management should take all possible measures
to ensure that the information submitted to them is accurate and reliable.

FEEDBACK

Feedback on the above statements:

(1) A & B
(2) C
(3) C
(4) E
(5) D
(6) B
(7) A
(8) B
(9) D
(10) B & E

The above is based on Reider (1995).

ACTIVITY 22

As part of the internal audit of the purchasing department of XYZ, the auditors
examined the procedures followed by the person responsible for the administration
and control of company cars in the organisation.

It is common practice in the business sector in question to lease vehicles and allocate
them to members of staff in cases where lease costs are less than the allowance paid
to the employee for official trips at the prevailing tariff.

Analyses that were conducted showed that 24 of the 87 leased vehicles had been
issued to employees who used them to cover short distances every day. It was also
found that 37 members of staff use their own, private motor vehicles for official trips
on a regular basis and then claim an allowance of R1,20 per kilometre. This allowance
paid to them monthly amounts to more than the cost of leasing a vehicle.

The auditors drew up a schedule to analyse the optimum allocation of company
vehicles in the organisation. An evaluation of the entire situation, considering the
recommendations regarding the allocation of vehicles, showed that potential savings
would amount to a minimum of R50 000,00 per year.

REQUIRED

Develop a complete audit finding based on the information provided above.

FEEDBACK

Description of the condition

Our analysis of the use of fleet vehicles by your staff for the year ended 30 June 20XX
indicated the following:

a. Of the 87 vehicles in the vehicle fleet, 24 vehicles are not used sufficiently to justify
their cost. It would be more economical for the organisation to allow those employees
to use their own vehicles and then remunerate them for the kilometres covered at the
present rate of R1,20 per kilometre.

b. On the other hand there are 37 employees who make so much use of their own vehicles
for official trips that the remuneration they receive annually at R1,20 per kilometre
exceeds the cost of leasing a vehicle and allocating it to them permanently.

Criteria
In this business sector it is general practice to lease vehicles and allocate them to
personnel in cases where the lease costs are lower than the allowance that would be paid
to the employee for official trips at the prevailing tariff.

Cause
At present there is no procedure for analysing the utilisation of company vehicles and
private vehicle allowances for official purposes for a specific period. As a result the present
state of affairs has developed over a number of years.

Effect
The present situation has resulted in losses to the organisation of over R50 000,00 per
year.

Recommendation
We recommend that the organisation should implement a procedure for monitoring the
utilisation of company vehicles and private vehicles on a continuous basis. The present
state of affairs should be rectified by revising the allocation of company vehicles in
accordance with the attached schedule, which would lead to an annual saving of at least
R50 000,00.

The above section is based on Reider (1995).

Discussion of the findings with management

If the operational audit has been successful, many of the recommendations made by the audit
team will be implemented as the audit project progresses.

Findings should be discussed with management throughout the audit. This ensures that attention
will be given to the auditor’s findings right from the beginning of the audit and it will not be
necessary to repeat everything in the final operational audit report. The final operational audit
report may eventually contain no more than a summary of findings and management’s response
to them.

Management may respond in one of three ways: agree with the findings and introduce changes;
gather more information on the recommendations before deciding on implementation; or
disagree with the findings and, accordingly, not implement the recommendations.

Agreeing on corrective action

The first step in developing corrective action is to confirm the internal auditor’s objective, the
manager’s objective and the actual performance (quality of control, or quality of performance).

When the actual performance falls below the manager’s objective (the required level of
performance), the internal auditor should develop a deficiency finding and agree with the
manager on corrective action.

Actual performance which exceeds required performance may also require corrective action,
depending on the reasons for exceeding the required performance. The internal auditor should
discuss and agree on all deficiency findings with the responsible managers.

Once this has been done, the recommendations made and the causes identified will form the basis
on which managers can agree on corrective action.

Agreed corrective action

In theory, properly developed, recommended corrective action supported by appropriate
information should sell itself. However, in practice, even when the finding is supported by
information and the recommended corrective action is logical and reasonable, the manager may
not agree to implement the corrective action.

Once the internal auditor has developed recommended corrective actions, he or she should
discuss them with the appropriate manager. During this discussion, the internal auditor should
refer to the manager’s objective, his actual performance, the effect and the cause thereof.

The internal auditor should not wait to discuss his or her findings; they should be dealt with while
they are still fresh in the internal auditor’s mind. He or she should also emphasise that the agreed
action will be reported, thereby acknowledging the manager’s participation in the process.

The manager should agree on the objective, substandard performance and the cause and effect
thereof. If the manager disputes any of these, the internal auditor should show the manager the
supporting information.

The manager may produce new information. If so, the internal auditor should consider this new
information and decide if it changes his or her evaluation of the manager’s performance, or his or
her recommended corrective action.

Once the facts have been agreed on with the manager, the internal auditor should discuss the
effect of the finding and obtain the manager’s agreement. Only then can the internal auditor
discuss the recommended corrective action. The internal auditor should make it clear that the
action to be carried out is the manager’s responsibility.

The internal auditor should therefore encourage the unit manager to suggest courses of action,
always respecting the manager’s opinions. For example, implementing the internal auditor’s
recommendation may be impractical because of unforeseen considerations. The internal
auditor’s objective is to get agreement on action that will deal with the cause and reduce the
potential effect to an acceptable level.

If the manager comes up with a course of action that meets these requirements, the internal
auditor should agree. No matter how good his or her recommendation may be, if the manager’s
action will resolve the substandard performance, the internal auditor cannot insist that his or her
recommendation be followed.

The agreement should cover the three parts of the recommended action: what action, by when
and by whom. This commits the manager to the agreed action, and it will be used by the internal
auditor in deciding when to follow up.

No agreement on action

Even if the effect has been well researched, the cause is thoroughly analysed and understood, and
the recommended corrective action is based on the cause, it is still possible that the manager will
not agree to the recommended corrective actions. There may be many reasons for this.

For example, a manager, despite being involved in the participatory process, may still fear his
boss’s response when the report hits his desk. The internal auditor should not change his or her
original recommended corrective action as long as the auditor’s information is sound, unless
the unit manager provides other information that requires the internal auditor to re-evaluate his
or her recommended corrective action.

Where deadlock is reached, the internal auditor should record both his or her recommended
corrective action and the manager’s comments on why he refuses to take corrective action. The
internal auditor may then wish to take the matter up with the manager’s manager. If agreement
is still not reached, both the internal auditor’s and the manager’s viewpoints should be reported.

Their viewpoints can then be considered at a higher level. Top managers must then decide to force
the unit manager either to take corrective action or to accept the risk that arises from not
implementing the internal auditor’s recommended corrective action.

Once the findings have been discussed and agreed on, the internal auditor can include them in
his or her report. The effect of the findings will determine how they are reported. High-impact
findings should usually be reported separately. Medium-impact findings are reported in the body
of the report, while low-impact findings are usually reported verbally – they are not included in
the written report.

Drafting an audit report

An audit can be considered successful only after an effective and efficient audit report has been
issued.

In the first place, an effective audit report must reflect the achievement of the objectives of the
particular internal audit task. Secondly, the presentation of the audit report must conform to
generally accepted principles of communication.

These factors constitute the points of departure for a discussion of the content and presentation
of an audit report based on a specific audit task.

STUDY

Chapter 9, section 9.3 (“Reporting Process”), in your prescribed textbook: Performing
Internal Audit Engagements.

Basic characteristics of good internal audit reporting

The basic characteristics of good internal audit reporting are the following:

• Only important matters should be reported.
• Internal audit reports should be useful and timely.
• Internal audit reports should be accurate and adequately supported by relevant vouchers.
• The findings should prompt management and personnel involved to take action.
• Audit reports should be objective and contain sufficient information to give their readers the
necessary perspective.
• Internal audit reports should be clearly and simply presented.
• Internal audit reports should be concise.
• Internal audit reports should have a constructive impact.
• Internal audit reports should be logically arranged and positive.

The format of internal audit reports

There is no generally accepted or prescribed format for internal audit reports. Nevertheless,
standard formats for audit reports are used in internal audit departments.

A format that is flexible and comprehensive and can be used for any internal audit report that is
not longer than four typed pages is the following:

• management summary (if applicable)
• background
• overview
• opinion/general evaluation
• findings, recommendations and conclusions
• comments by the auditee

As soon as the report exceeds four pages, the auditor is required to draw up an executive summary
of the report and attach it.

STUDY
Chapter 9, section 9.5 (“Layout of Final Reports”), in your prescribed textbook:
Performing Internal Audit Engagements.

ACTIVITY 23

You are a senior internal auditor at a large manufacturing organisation and your audit
team has just completed the annual audit of the purchasing department. You have
assigned one of the junior members of the audit team to prepare the draft internal
audit report for the audit.

The following draft report is presented to you for approval:

Audit of the purchasing department

Introduction

The purchasing department is solely responsible for all acquisitions, except those
requiring executive approval.

During the past months, 10 110 purchase orders, to the value of R2 157 000, were issued
for all kinds of products.

The audit covered only 5 of the 12 product classifications for which purchasing was
done.

Purpose and scope

The audit was performed to determine whether

• competitive bidding was employed
• purchase orders were being approved at an appropriate level
• the buyers performed the required follow-up procedures

Findings and opinion

• New acquisition procedures require a control system in which supervision is used to
ascertain that all the approved suppliers have the opportunity to bid.
• We found that 57 purchase orders, each exceeding R12 000, had been approved by
the buyer only. We reported this finding.
• Follow-up action on purchases that were received late indicated that the problem
still exists. Based on a sample of 200 items, the error rate in the purchase orders
issued should not exceed 2%.

REQUIRED
Evaluate the draft report and, where necessary, recommend improvements, using the
internal auditing standards relating to reporting as a basis for your evaluation.

FEEDBACK

Weaknesses and suggested improvements to the report provided in the Activity above:

1. Weakness: The date of the report is not stated.
   Improvement: The report should have a date.

2. Weakness: The report is not properly addressed.
   Improvement: The report should be addressed to the relevant interested parties.

3. Weakness: “… except those requiring executive approval.”
   Improvement: Criteria for requiring executive approval must be explained.

4. Weakness: “During the past months …”
   Improvement: The exact date of the audit must be noted.

5. Weakness: The scope of the audit is vaguely outlined in the introduction.
   Improvement: Explain how the scope was determined or why it was limited to 5 out of 12
   products. (If necessary, related activities not audited should be identified to delineate
   the boundaries of the audit.)

6. Weakness: The purpose of the audit is not clear.
   Improvement: The purpose should describe the audit objectives and may, where necessary,
   inform the reader why the audit was conducted and what the expected results were. State
   that the purpose of the audit was to determine whether the buyers had initiated follow-up
   procedures when orders were not received on time.

7. Weakness: Findings and opinion.
   Improvement: Findings should be based on criteria, conditions, cause and effect, and
   opinions – that is, the conclusion – should follow the findings in an orderly and logical way.

8. Weakness: Does not respond to the originally stated audit objectives.
   Improvement: Add a comment that competitive bids have always been obtained in the past.

9. Weakness: Does not indicate the procedures followed to arrive at the findings.
   Improvement: Criteria must be stated – what should exist. All orders exceeding R12 000 must
   be approved by the head of purchasing; also, out of 200 items examined we found.

10. Weakness: Does not clearly substantiate findings or explain the significance of findings.
    Improvement: Audit findings emerge by a process of comparing what should be with what is.
    Relate the sample to the total population and then base all the findings on
    • what should exist
    • what does exist
    • why there is a difference
    • the impact of the difference

11. Weakness: There is no indication of the sample method, error rate or confidence level used.
    Improvement: The report should include the sample method, error rate and confidence level
    used. (The nature and extent of the auditing performed should be described in the scope.)

12. Weakness: Does not explain the significance of the findings on late shipments.
    Improvement: Explain the risk or exposure because of the late shipments.

13. Weakness: The report does not include positive remarks on procedures and controls that may
    be operating effectively.
    Improvement: Constructive reports help the auditee and the organisation and lead to
    improvement where necessary. (Reports may acknowledge satisfactory performance and
    corrective action.)

14. Weakness: The report is not signed.
    Improvement: Only a signed audit report may be issued.

Learning unit 23
Presenting internal audit reports

Contents
23.1 INTRODUCTION 175
23.2 REASONS FOR PRESENTING 175
23.3 THE PRESENTING PROCESS 176
23.4 USING VISUAL AIDS 181

23.1 INTRODUCTION

Many similarities exist between the report writing and the presenting process. This should not be
a surprise, as the only significant difference is the delivery method.

In this learning unit, we will discuss the reasons for presenting, the presenting process, and using
visual aids.

23.2 REASONS FOR PRESENTING

By gaining a clear understanding of the purpose of the presentation, the internal auditor has a
better chance of achieving the main objective. Many reasons can be given for communicating
information in the form of a presentation.

Promoting two-way communication and feedback

Written reports do not allow for two-way, interactive communication between the writer and the
reader. Neither do they allow the reader to give the writer immediate feedback on the content and
to clarify and emphasise certain ideas.

The presentation is an opportunity to check how effectively the information is understood.

Communicating an urgency and immediacy to the subject

The spoken word is very persuasive when used effectively. In addition, nonverbal cues and the form
of the presentation allow the internal auditor to communicate a great deal more than could be
transmitted on paper.

The oral medium allows direct expression of human feelings and emotions. Often, such feelings
and emotions are the basis for the acceptance or rejection of ideas.

Enhancing the internal auditor’s flexibility

In a written report, there is little opportunity to clarify the message or any points that may be
unclear to the reader. This is often because some managers have provided insufficient or late
feedback on the internal auditor’s report. It may also be difficult for the internal auditor to convey
all pertinent information gathered in an audit to management.

Presentations, on the other hand, give the internal auditor the opportunity to clarify his or her
findings and opinion based on the manager’s reactions.

The internal auditor who is sensitive to these reactions and adapts his or her position accordingly,
will be more likely to reach his or her goals.

Enhancing the internal auditor’s credibility

Internal auditors become managers because of their ability to perform a job effectively. Many
success stories are told about internal auditors who gained immediate visibility owing to an
effectively handled presentation on an important subject. An internal auditor’s organisation,
preparation, decisiveness, articulateness and ability to deal with different reactions in front of a
group will give managers a good idea of his or her leadership potential.

Facilitating group ownership and commitment

Presentations are generally given at meetings in which a manager from a particular unit has an
interest. The presentation allows for the kind of exchange necessary to create group cohesiveness,
ownership and commitment.

If the group members must carry out the corrective action, they will do so more effectively if they
have been involved in formulating the actions.

23.3 THE PRESENTING PROCESS

If the audit work is deficient, the presentation will be too. The secret to good reporting is good
audit work. The better the quality of the working papers, the easier the presentation will be. To be
able to meet a wide range of expectations it is essential to be organised.

Thorough and complete planning will lay the foundations for success.

While planning the presentation, it is advisable to obtain the input of an internal auditor who has
experience in presenting. He or she will provide guidance on the outline and structure of the
presentation. Remember that the internal auditor should not try to develop the perfect
presentation in one go.

The internal auditor should split the process into its creative and logical components:
• preparing the outline
• structuring the outline
• preparing the draft presentation
• editing the draft presentation
• selecting the presentation method

These five steps are described in detail below.

Preparing the outline

The secret to a successful presentation is to plan in good time, fully and thoroughly, and for
success. Sixty per cent of the effort should go into the planning stage.

To prepare effectively the internal auditor needs to find a place and time where no one will
interrupt him or her. He or she must have the information needed close at hand and work according
to the project deadlines.

The starting point for an effective presentation is knowing the following:

• who the recipients are
• what message is to be communicated
• what action the internal auditor wants the recipient to take

It takes a great deal of planning and good presentation skills to maintain the involvement, interest
and attention of the managers during a presentation.

Many presentations lack direction due to poor planning and presenting skills. The internal auditor
must think about why he or she is presenting, what he or she wants to achieve and who the target
audience is. The more the internal auditor can keep the managers’ attention, the more receptive
they will be to the message of the presentation.

The first step is to find out as much as possible about the audience:

• Which managers will be present at the presentation?
• Do they all do the same type of job or are they from different units?
• Why are the managers attending the presentation?
• How much do the managers know about the contents of the presentation?
• What are their attitudes towards the audit findings and the internal auditors?
• Is there any possibility that their attitudes may change?
• Who is the decision-maker among them and where does the power base lie?

The message conveyed during the presentation decides the action that managers will take. It is
therefore important to decide on the purpose of the presentation.

The “tell” purpose is most appropriate when the objective of the presentation is to give information
accurately, completely and with clarity. This is when the internal auditor states important facts and
findings related to the audit. Managers must first understand the information before they can
decide about it.

“Tell” purposes are particularly appropriate in the following circumstances:

• when the managers are already in favour of the internal auditor’s ideas and the objective is to
clarify the information
• when the managers have little background information about or knowledge of the ideas being
presented
• when the internal auditor has not been specifically asked to make a decision or
recommendation, but simply to clarify all the alternatives to make all options clearly
understood

The “sell” purpose involves more persuasion. It is not only for presenting information, but also for
persuading managers to accept the ideas being communicated or to commit themselves to specific
action.

“Sell” purposes are most appropriate in the following circumstances:

• when the internal auditor is expected to present specific recommendations
• when a manager needs to know why such recommendations are being made
• when the internal auditor is recognised as an expert on the subject
• when the information relates to some specific changes or decisions being considered

The “resolve” purpose relates to decisions or recommendations that are expected to receive an
unfavourable response. During this kind of presentation, the internal auditor needs to be sensitive
not to embarrass or anger any managers. This type of presentation is used in the following
circumstances:

• when the internal auditor must communicate bad news
• when the internal auditor anticipates unfavourable reactions
• when managers are knowledgeable of aspects relating to both sides of an issue or a decision

Presentations by internal auditors rarely involve just one purpose. One purpose may be primary,
but a presentation may involve all three purposes. When the presentation involves more than one
purpose, it is helpful to decide on the primary and secondary purposes. For example, the primary
purpose may be to gain acceptance for possible change (sell), and the secondary purpose to deal
with staff resistance (resolve).

Structuring the outline

If the outline is sufficiently detailed, it should provide adequate information for key point notes and
overheads.
Structuring the presentation has the following advantages:

• It reduces anxiety, as the internal auditor knows what will be said next and where key points
will be stressed.
• It ensures the presentation is management oriented.
• It helps the internal auditor present his or her findings and opinions logically.
• It enables the managers to follow easily.
• It provides a framework to fall back on if the discussion moves away from the original purpose.

The information should be structured clearly and logically. Managers are normally more receptive
at the beginning of the presentation. The internal auditor should therefore put the most important
message first. The other items can then be presented in order of importance and must always be
supported by sufficient information.

Presentations are usually structured in the following way:

• an initial outline of the theme – the introduction (including the most important message)
• development of the theme – the body
• summary of the theme – the conclusion, followed by a request for action and what should be
done next

The introduction

The introduction has several clear and specific functions. The basis for any successful presentation
is laid during the first five minutes. A good introduction gains favourable attention, motivates
managers to want to hear more, specifies clearly what the subject matter is, and establishes the
credibility of the speaker.

In delivery time, the introduction can take as much as 20% of the total presentation. A common
presentation structure is the AIDA outline:
• A: Win their attention.
• I: Arouse their interest.
• D: Create a desire.
• A: Stimulate action or obtain agreement.

Managers are not always ready when the presentation begins. To overcome distraction and gain
their attention, the internal auditor should choose a technique most appropriate to the subject and
obtain the managers’ attention.

To motivate the managers to listen, the internal auditor needs to tell them why it is worth their
while to listen. The opening words should create a first impression and should therefore summarise
the main theme and spell out the main points.

The body

The body contains factual support for the purpose. It should include the following elements:

• a statement of facts

• sufficient information to support the findings and opinion of the internal auditor
• a refutation of contrary views

Up to five main points can be included, but preferably three only. Information used to support the
internal auditor’s findings and opinion should be the strongest evidence available.

Think of quality, not quantity.

If detailed information is needed to ensure all managers have the same understanding, it should
be presented right after the introduction.

A point can essentially be conveyed in two ways: clarifying it or proving it. To clarify a point, the
internal auditor should use definitions, short examples, comparisons or contrasts, explanations,
illustrations, demonstrations and analogies. To prove a point, he or she should use examples,
statistics, expert testimony, illustrations and demonstrations.

The conclusion

In this section, the presentation should produce results. This is what the internal auditor wants the
managers to take away with them.

The purpose of the conclusion is to reinforce the main points and to have the managers accept
them in line with the original objective. The conclusion should always tie in with the opening. It
should leave no doubt about what the managers should do next.

The finish should be forceful and confident. A weak, inconclusive or apologetic closing can kill even
the best presentation.

Preparing the draft and editing the presentation

Provide sufficient information to support the key points identified in the outline. The guidance
given above on structuring the presentation should be used. The draft should flesh out the
structure developed in the previous stage.

As with report writing, the most important guideline is for the internal auditor to put him- or herself
in the position of the audience for the presentation.

Although the structure of a report is important, the structure of a presentation is arguably more
important. The internal auditor must capture the attention of the managers almost immediately
and hold it until the end. In editing the presentation, the internal auditor should consider the
structure and detailed contents.

In editing, the internal auditor should ask the following questions:

• Have I considered the managers’ needs?
• What benefits and values can the managers gain?
• What are the facts?
• Is the intended message coming through?
• Am I being honest?

If the internal auditor ignores possible objections, the presentation may fail.

Planning the venue and equipment

An unfavourable environment can detract from the quality of a presentation. The internal auditor
should consider the following before the presentation:

• booking of the venue and equipment
• ensuring the presentation room will be adequate, that is, tables, chairs, lighting and air
conditioning
• ensuring everybody can see the presenter and the various projected images
• arranging the tables and chairs to facilitate group discussion
• removing any superfluous equipment or furniture from the room
• setting up the apparatus and testing how the various equipment works beforehand

23.4 USING VISUAL AIDS

Smell, touch and taste account for a mere 6%, sound for 11%, and sight for 83% of our learning
intake. Information presented audio visually is retained with greater accuracy for a longer period
than information presented purely orally.

By introducing a visual aid, the internal auditor gives him- or herself props to talk from. These also
act as reminders or prompts during the presentation. The props must be used professionally, or
managers may remember only the technical blunders as opposed to the presented content.

When preparing visuals, be conscious of time; visuals do not deserve more time than the presenter.
When choosing the type of visual to use, the internal auditor should consider the venue and
audience size in relation to the medium chosen as well as his or her own preferences when doing
presentations.

Should the equipment or facilities fail to function beyond immediate repair, the presenter must be
able to continue without the aids.

The following visual aids can be used:

• whiteboard
• magnetic board
• flipchart
• films or videos
• slides
• overhead projectors

Giving the presentation

Before giving the actual presentation, it is advisable to have a dry-run for some fellow internal
auditors.

Body language plays a key role in the impact of the presentation: 93% of a message is nonverbal
and only 7% is verbal. Of the 93%:
• 55% is conveyed through body language
• 38% is conveyed through tone of voice, vocal inflection and other sounds

Verbal communication

The internal auditor should choose his or her words carefully. He or she should use, where
applicable, short, simple words. Managers will not be impressed by someone who, through the
language used, tries to show how educated he or she is. To the contrary, this often clouds the issue.

Active verbs are stronger and more direct than passive ones and therefore more powerful. Jargon
should be used only when the managers know what the words used mean. Some other dos and
don’ts are set out below.

Do:
• speak clearly
• speak slowly
• stress main points
• speak with confidence
• vary speaking pace and tone of voice
• use deliberate pauses discreetly

Don’t:
• speak monotonously
• speak too fast or too slow
• shout
• pronounce words at the end of sentences too softly or articulate them poorly

Nonverbal communication

Interpersonal communication is not limited to verbal symbols. Movement and position of the body
are important components of the total message. Factors that play a role in forming those
important first impressions are the following:

• personal appearance
• neatness
• eye contact
• posture or stance
• gesturing

Working with visual aids

Aids should be numbered and neatly arranged in the correct order. The internal auditor should -

• check that the screen is shaded from excessive light
• have a pointer readily available for referring to the aid
• make a simple illustration of a complex issue
• ensure that the slides are straightforward and easily understood
• resist the temptation to talk while the managers are trying to read the aid
• never divide the attention of the managers
• ensure that the path of the image to the screen is not obstructed
• be familiar with equipment so that adjusting images does not waste time
• give the managers time to absorb the information on the slide

No matter what visual aids the internal auditor uses, he or she must remain the primary focus of
attention. The internal auditor is the primary vehicle of communication; everything else is just an
aid to conveying the information effectively (Barlow et al 1995:384).

The internal auditor should consider distributing notes prior to the presentation or handing out
notes at the actual presentation.

ACTIVITY 24
The chief audit executive (CAE) wants to market the internal auditing department, and
especially operational auditing, in his organisation. He therefore encourages the audit
managers to put in some effort when personally presenting their audit findings and
audit reports.

REQUIRED
Indicate why it is important for the internal auditor to structure a personal presentation
properly.

FEEDBACK

Reasons for properly structuring personal presentations:
• It reduces anxiety, as the internal auditor knows what he or she will say next and where
key points will be stressed.
• It ensures that the presentation is management oriented.
• It helps the internal auditor present his or her findings and opinions logically.
• It enables the auditee managers to follow the presentation easily.
• It provides a framework to fall back on if the discussion moves away from the original
purpose.

NOTES
Make your own notes here:
Learning unit 24
Follow-up on completed audit assignments

Contents
24.1 INTRODUCTION 185
24.2 FOLLOWING UP ON AUDIT RESULTS 185
24.3 FOLLOWING UP AND MONITORING THE AUDIT RECOMMENDATIONS 186

24.1 INTRODUCTION

In this learning unit, we will briefly discuss the importance of following up on audit results and
monitoring the audit recommendations.

24.2 FOLLOWING UP ON AUDIT RESULTS

The internal auditing process is not complete before all the procedural modifications have been
introduced. Organisational policy should require that written commentary on every internal audit
report be submitted to the chief audit executive by the people to whom the audit report was
addressed.

The following should be specified in a company’s policy:

• the format in which feedback should be produced
• how much time should be allowed for a response to internal audit reports
• who is responsible for drawing up and signing comments on internal audit reports

The chief audit executive should receive copies of all comments on audit reports and should pass
on any reservations on such feedback to top management.

Irrespective of whether the internal auditors have checked the comments on their audit reports
and accepted them, they should still carry out the necessary follow-up action to determine
whether any corrective measures have been taken and whether they are satisfactory.

Management may decide to take different steps to rectify a problem from the steps suggested
by the auditors. The decision rests with management, but the results of the decision should still
be weighed up by the internal auditors. If management implement the steps proposed by the
auditors, the auditors should still follow up to evaluate the results achieved.

If the audit findings revealed material problems, it may be necessary to schedule a full follow-up
audit to make certain that the desired results have been achieved by implementing the audit
recommendations.

STUDY

Standards 2500, 2500.A1, 2500.C1 and 2600

24.3 FOLLOWING UP AND MONITORING THE AUDIT RECOMMENDATIONS

The reporting process, and thus the entire audit process, is not complete until the auditee’s
reaction to the report has been gauged. The audit process will essentially be a futile exercise if
the audit findings do not receive the necessary attention.

Follow-up and monitoring can be managed by dividing the recommendations into different
categories for follow-up, depending on the importance and urgency of the implementation of the
recommendations.

Consider the policies and procedures in place in the organisation that apply to the specific auditee
before you decide on how and when to perform follow-up procedures. These policies and
procedures could affect the timing and extent of the follow-up procedures.

The normal controls process should apply when the follow-up process finds that the
recommended improvements do not properly resolve the identified problem. In this way, the
auditee's management is given the opportunity to amend the improvements until the problem is
in fact resolved.

Implementation Guide 2500: Monitoring Progress

Monitoring processes can be sophisticated or rather simple, depending on a number of factors,
including the size and complexity of the audit organization and the availability of exception tracking
software. Whether sophisticated or simple, it is important for the CAE to develop a process that
captures the relevant observations, agreed corrective action, and current status. For outstanding
observations, the information tracked and captured typically includes:
• The observations communicated to management and their relative risk rating.
• The nature of the agreed corrective actions.
• The timing/deadlines/age of the corrective actions and changes in target dates.
• The management/process owner responsible for each corrective action.
• The current status of corrective actions, and whether internal audit has confirmed the status.

The frequency and approach to monitoring (the extent of audit staff work to verify that corrective
action was taken) is determined based on the CAE’s professional judgment, as well as the
expectations set by the board and senior management. For example, some CAEs may choose to
inquire periodically, such as quarterly, about the status of all corrective actions that were due to be
completed in the prior period. Others may choose to perform periodic follow-up engagements for
audits with significant recommendations to specifically assess the quality of the corrective actions
taken. Others may choose to follow up on outstanding actions during a future audit scheduled in the
same area of the organization. The approach is determined based on the adjudged level of risk, as
well as the availability of resources.
(Source: IIA, 2017)
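As an added illustration that is not part of the study guide or of the IIA guidance, the following Python tracker captures the fields the implementation guide lists (observation and risk rating, agreed action, owner, deadline changes, current status and whether internal audit has confirmed it) and produces the follow-up list a CAE would inquire about. The observations, owners and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical tracker; the fields mirror the Implementation Guide 2500 list.
@dataclass
class CorrectiveAction:
    observation: str        # observation communicated to management
    risk_rating: str        # relative risk rating: "high", "medium" or "low"
    action: str             # nature of the agreed corrective action
    owner: str              # management/process owner responsible
    raised: date            # date the observation was communicated
    target: date            # current deadline for the corrective action
    status: str = "open"    # "open", "in progress" or "implemented"
    audit_confirmed: bool = False          # has internal audit verified the status?
    target_history: list = field(default_factory=list)  # superseded deadlines

    def reschedule(self, new_target: date) -> None:
        """Keep the old deadline so changes in target dates stay visible."""
        self.target_history.append(self.target)
        self.target = new_target

def outstanding(actions):
    """An action is closed only once implemented AND confirmed by internal audit."""
    return [a for a in actions if not (a.status == "implemented" and a.audit_confirmed)]

def status_line(a, today):
    return {
        "observation": a.observation,
        "risk": a.risk_rating,
        "owner": a.owner,
        "age_days": (today - a.raised).days,                      # age of the action
        "overdue": a.status != "implemented" and today > a.target,
        "reschedules": len(a.target_history),                     # target-date changes
        "needs_audit_verification": a.status == "implemented" and not a.audit_confirmed,
    }

def follow_up_report(actions, today):
    """Outstanding actions, highest risk and overdue items first, then oldest."""
    rank = {"high": 0, "medium": 1, "low": 2}
    rows = [status_line(a, today) for a in outstanding(actions)]
    return sorted(rows, key=lambda r: (rank.get(r["risk"], 3), not r["overdue"], -r["age_days"]))

# Constructed sample, not real audit data.
SAMPLE = [
    CorrectiveAction("Privileged accounts not reviewed", "high", "Quarterly access review",
                     "IT Operations", date(2024, 1, 15), date(2024, 3, 31)),
    CorrectiveAction("Backup restores untested", "medium", "Scheduled restore tests",
                     "Infrastructure", date(2024, 2, 1), date(2024, 4, 30), status="implemented"),
    CorrectiveAction("Policy out of date", "low", "Policy revision", "Risk Office",
                     date(2024, 2, 10), date(2024, 5, 31), status="implemented", audit_confirmed=True),
]
SAMPLE[0].reschedule(date(2024, 6, 30))   # management moved the deadline once
```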

STUDY
Chapter 9, section 9.10 (“Monitoring Progress”), in your prescribed textbook:
Performing Internal Audit Engagements.

ONLINE ASSESSMENT

Do the online assessment multiple-choice questions on myUnisa.

SUMMARY

In this topic, we dealt with the formulation of internal audit findings. Specific attention
was paid to the five elements of audit findings and their practical application, as well
as to the development of recommendations and submission of findings to
management.

We also discussed the reporting stage of the internal auditing process and we showed
that this stage is an extension of the other stages of the internal audit process. We
briefly discussed the aim and functions of the operational audit report, its
characteristics, a proposed format for operational audit reports, and the follow-up of
audit results.

The internal auditor’s responsibility to follow up on the reported issues and to monitor
any improvement prompted by the report was discussed.

NOTES
Make your own notes here:
BIBLIOGRAPHY
Barlow, P, Large, N, Le Roux, K & Helberg, S. 2011. The business approach to internal auditing.
Cape Town, South Africa: Juta Academics.
Cascarino, RE. 2007. Auditor's guide to information systems auditing. Hoboken, New Jersey:
John Wiley & Sons.
Coetzee, GP, Du Bruyn, R, Fourie, H & Plant, K. 2015a. Advanced internal audit topics. 4th edition.
Johannesburg, South Africa: LexisNexis.
Coetzee, GP, Du Bruyn, R, Fourie, H & Plant, K. 2018. Assurance: an audit perspective. 1st edition.
Johannesburg, South Africa: LexisNexis.
Coetzee, GP, Du Bruyn, R, Fourie, H & Plant, K. 2017. Internal auditing: an introduction. 6th
edition. Johannesburg, South Africa: LexisNexis.
Coetzee, GP, Du Bruyn, R, Fourie, H & Plant, K. 2017. Performing internal audit engagements. 6th
edition. Johannesburg, South Africa: LexisNexis.
Cotton, DL, Johnigan, S & Givarz, L. 2016. COSO: fraud risk management guide.
David, ME & David, FR. 2014. Mission statement theory and practice: a content analysis and new
direction. International Journal of Business, Marketing, and Decision Sciences 7(1).
Flora, G & Rai, S. 2015. Navigating technology's top 10 risks: internal audit's role. Altamonte
Springs, Florida: The Institute of Internal Auditors Research Foundation (IIARF). IIA
website: https://global.theiia.org
IPPF: Global Technology Audit Guide (GTAG) 1. Information technology risk and controls. 2nd
edition.
ISO Guide 73. 2009. Risk management – vocabulary. Geneva, Switzerland: ISO.
Puttick, G & van Esch, SD. 2003. The principles and practice of auditing. 8th edition. Cape
Town, South Africa: Juta Academics.
Reider, HR. 1993. The complete guide to operational auditing. California, USA: John Wiley
& Sons.
Spencer Pickett, KH. 2010. The internal auditing handbook. 3rd edition. West Sussex, United
Kingdom: John Wiley & Sons.
Wells, JT. 2011. The corporate fraud handbook. California, USA: John Wiley & Sons.