Internal Audit Testing and Sampling Techniques. Chartered Institute of Internal Auditors May 2014




Controls Testing Slide 1

Testing Priorities
[Figure: Risk A1, Risk A2, Risk B1, Risk B2, Risk C1, Risk C2]

Controls testing: Testing techniques
- Inquiry
- Observation
- Inspection/Examination
- Re-performance
Slide 3

Controls testing: Control testing
Tests of controls are designed to obtain evidence to assess their operating effectiveness. Operating effectiveness means that the controls are functioning as designed on a consistent basis over the period under examination.
- Inquiry: consists of seeking information from knowledgeable people within the client
- Observation: consists of looking at a process being performed by others
- Examination: inspection of information or data; walkthrough, confirming our understanding of a process by tracing individual transactions from beginning to end
- Re-performance: independent execution of procedures that were originally performed as part of management's internal controls
Slide 4

Controls testing: Determining which testing technique to use
[Figure: "Level of Comfort" scale listing Re-performance, Inspection/Examination, Observation, Inquiry]
Slide 5

Controls testing: Determining which testing technique to use
Considerations:
- The susceptibility of the control to change.
- The frequency and extent of the control.
- Our initial view of the likelihood of control weakness.
- Significance of the control to the control environment and how much reliance is being placed on it.
Slide 6

Value protection - Execute: Sampling
Sampling is the application of auditing procedures to a representative group of less than 100% of the items within a homogenous population.
We use non-statistical sampling.
3 Steps to follow:
1. Determine the control test objective, population and sampling unit
2. Determining the sample size
3. Selecting the sample for testing
Slide 7

Value protection - Execute: Sampling Manual Controls
Depends on:
- Frequency of control or population size
- Level of evidence that is judged to be necessary
The table below can be used as a general rule; however, we may use a smaller sampling size:

| Frequency of Control | Assumed population size | Sample Size |
|----------------------|-------------------------|-------------|
| Annual | 1 | 1 |
| Quarterly | 4 | 2 |
| Monthly | 12 | 2 (minimum) to 5 (maximum). Select 3 if you require a mid-range. |
| Weekly | 52 | 5 to 15. Select 10 if you require a mid-range. |
| Daily | 250 | 20 to 40. Select 30 if you require a mid-range. |
| Multiple times per day | Over 250 | 25 to 60. Select 30 or 45 if you require a mid-range. |

Slide 8

Value protection - Execute: Sampling Manual Controls
The following factors may indicate that sample sizes should be selected at the higher end of the ranges:
- The greater the potential financial loss or adverse event to the company if the control is not effective or fails
- The more complex the control
- The greater the degree of judgment in control operation
Slide 9

Value protection - Execute: Sampling Automated Controls
If IT General Controls have been tested and found to be effective, it may be sufficient to only test one operation of the Automated Control.
Slide 10

Documentation: Audit documentation
Audit documentation must contain sufficient information to enable an experienced auditor, having no previous connection with the engagement, to:
- Understand the nature, timing, extent and results of the procedures performed, evidence obtained, and conclusions reached
- Determine who performed the work and the date such work was completed, as well as the person who reviewed the work and the date of such review
- Understand the linkage between conclusions and facts
Remember: if what you did isn't documented, it's the equivalent of not performed!
- Document what you have done and how you reached your conclusions
Slide 11

Confidential
The changing shape of internal audit: Increased use of technology
Drivers for change (top 3):
1. Complexity: increased use of technology within the business; higher volume of transactions; increased automation; businesses driven by data; devil is in the detail; how do you find a needle in the hay stack?
2. More for less: pressure to deliver more with less; value; quality; efficiency; insight; pressure to deliver with less resource and using samples?
3. Resources: skills sets; innovation; technologically minded team; reduced fear factor; development opportunities for your people?
May 2014 12 CIIA - 14 May 2014


What are CAATs?
Computer Assisted Audit Techniques: "A means of accessing large amounts of data in a format that can provide transparency not attainable through other auditing procedures. The results may be used to identify areas of key risk, fraud, errors or misuse; improve business efficiencies; verify process effectiveness; or influence business decisions." (ISACA August 2011)
Slide 14

Data analytics - methodology
1. Extract and upload raw data
2. Map and organise data
3. Analyse and visualise data
4. Finalise audit evidence, identify anomalies and insight
Slide 15

Computer Assisted Audit Techniques: Advantages
- How can you ever pick a sample that is representative?
- Expandable model, allowing tests to be refined, tuned, added, removed
- Standing still or moving with the times?
- You can quickly identify and address emerging issues and risks
- In the future it will allow audit tests to be pushed into the organisation as monitoring controls

- Increased coverage: 100% of transactions
- Efficiency: repeatable and automated
- Value and insight: improve the perception of IA
- Basis for prioritisation of where to look next in the organisation
- Climb the maturity curve: predictive business enabler
Slide 16

Data analytics on vendor standing data
Identify duplicate vendors based on the same or similar (fuzzy match) vendor name. Identifying and resolving duplicate vendor records is important as otherwise this could lead to loss, error or fraud. For example:
- loss of purchasing volume discounts available where spend with a specific supplier is recorded across two or more records for the same supplier,
- error if one vendor record is updated but the duplicate vendor record is not, resulting in incorrect and inconsistent records, and
- fraud, for example where duplicate vendor records are used to process payments below a review threshold.
Results:
- 12,253 vendors listed in standing data
- 1,031 perfect duplicates
- 46 fuzzy match with 1 character difference
- 96 fuzzy match with 2 character difference
- 231 fuzzy match with 3 character difference
Slide 17
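The duplicate-vendor test described above, as an added example that is not part of the original slides: it compares every pair of vendor names by edit distance and buckets the matches by character difference. The vendor records, the name normalisation and the use of Levenshtein distance as the "character difference" measure are assumptions.

```python
from collections import Counter
from itertools import combinations

# Constructed sample vendor standing data (id, name); not taken from the page.
VENDORS = [
    ("V001", "Acme Supplies Ltd"),
    ("V002", "ACME SUPPLIES LTD"),     # same name, different case
    ("V003", "Acme Suplies Ltd"),      # one character missing
    ("V004", "Northgate Catering"),
    ("V005", "Northgate Caterers"),    # three characters differ
    ("V006", "Brightwell Logistics"),
    ("V007", "Brightwel Logistic"),    # two characters missing
    ("V008", "Harbour Print Services"),
]

def normalise(name):
    """Assumed normalisation: ignore case and repeated whitespace."""
    return " ".join(name.casefold().split())

def levenshtein(a, b, limit):
    """Edit distance between a and b, or None once it must exceed limit."""
    if abs(len(a) - len(b)) > limit:
        return None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = prev[j - 1] + (ca != cb)          # substitution or match
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, cost))
        if min(cur) > limit:                         # cannot recover: stop early
            return None
        prev = cur
    return prev[-1] if prev[-1] <= limit else None

def find_duplicates(vendors, limit=3):
    """Return (id_a, id_b, distance) for every pair within `limit` edits."""
    cleaned = [(vid, normalise(name)) for vid, name in vendors]
    hits = []
    for (id_a, a), (id_b, b) in combinations(cleaned, 2):
        d = levenshtein(a, b, limit)
        if d is not None:
            hits.append((id_a, id_b, d))
    return sorted(hits, key=lambda h: (h[2], h[0], h[1]))

def summarise(hits):
    # Pairs per character difference; 0 means a perfect duplicate.
    return dict(Counter(d for _, _, d in hits))

if __name__ == "__main__":
    print(summarise(find_duplicates(VENDORS)))
```

Every flagged pair is a candidate for manual review rather than a confirmed duplicate; comparing bank details or addresses on the matched records is the usual next check.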

Exercise
You are the internal auditors to an NHS Trust. You have been asked to undertake a review to assess the accuracy of the information used to support the KPIs that are reported to the Board on a monthly basis and to external regulators quarterly.
What would you consider in devising a testing approach?
Slide 18

Exercise
You are the internal auditors to an NHS Trust. You have been asked to undertake a review to assess the accuracy of the information used to support the KPIs that are reported to the Board on a monthly basis and to external regulators quarterly.
You are driving to work and hear on the radio that an NHS Trust in another part of the country has got into serious trouble for mis-reporting cancer waiting times data. There seems to be an issue in distinguishing between cancellations and DNAs.
Would you do anything differently?
Slide 19

Exercise
You are the internal auditors to an NHS Trust. You have been asked to undertake a review to assess the accuracy of the information used to support the KPIs that are reported to the Board on a monthly basis and to external regulators quarterly.
You are driving to work and hear on the radio that an NHS Trust in another part of the country has got into serious trouble for mis-reporting cancer waiting times data. There seems to be an issue in distinguishing between cancellations and DNAs.
In checking the above with the client you realise that they may have innocently mis-interpreted the above and that this might mean that they have been misreporting data to their external regulators.
What would you do?
Slide 20

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. 2014 PricewaterhouseCoopers LLP. All rights reserved. In this document, refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.