12/06/2016 Objective; Process; Risk. Inherent risk – risk of not achieving objectives. Inherent risk – before the assessment of any controls.
Risk & recommendations: IMPACT x Likelihood. Root cause – reasons for high likelihood; focus: Audit objectives, Fieldwork, Recommendations. Effect – reasons for a high impact; focus: Audit objectives, Fieldwork, Recommendations.
Different impacts: Financial; Service delivery; Political; Legal; Environmental; Human resources
Risk index
Risk management strategy: unacceptable risks; acceptable risks; 5; 10
Objective; Control; Process; Risk. Control to minimize risks. Inherent risk. Residual risk – after the assessment of any controls.
COSO – all five components must be present and functioning before a control system can be effective. Components: Control environment; Risk assessment; Info and communication; Control activity - prevention; Monitoring activities - detection. Listed under each component: Safeguard assets; Compliance with laws, regulations, contracts; Reliability and integrity of information; Economy, effectiveness and efficiency.
Practical exercise: Process overview flowchart; SCRE; Audit objective; Risk areas; Preventative and detection controls; Audit opinion
Flowchart (INPUT, PROCESSING, OUTPUT): Enter data; Application program; Suppliers master file; the change details to supplier; Exception reports; number of changes; Phone call with password to cell phone; Bank EDI; Exception reports; Frequency
Flowchart (INPUT, PROCESSING, OUTPUT, DOCUMENTATION): Cheque payment/EFT requisition; Enter data; Application program; Purchase transaction file; Cash disbursement transaction file; Suppliers master file; Accounts payable master file; General ledger master file; General ledger transaction file; Disbursements journal; Purchase journal; General ledger summary; Exception reports and KPIs; Remittance advice; Cheque; Purchase order; Goods received note, supplier delivery note, invoice
Flowchart: Enter data; Application program; Purchase transaction file; Suppliers master file; Purchase order; Goods received note, supplier delivery note, invoice. Markers: S C R E
To evaluate the adequacy and effectiveness of the controls relating to reliability and integrity of: Asset count forms; Asset removal forms; Capturing; Processing; Updating the fixed asset register
Flowchart: Enter data; Application program; Purchase transaction file; Suppliers master file; Purchase order; Goods received note, supplier delivery note, invoice. Markers: E S S R R R R
Audit objective: To evaluate the adequacy and effectiveness of controls relating to: Safeguarding of assets in the goods received area; Reliability and integrity of information in the: Capturing phase, Processing phase, Updating the PTF, Updating the SMF; Economic, effective and efficient use of resources in the ordering phase
Audit opinion: The controls relating to: Safeguarding of assets in the goods received area; Reliability and integrity of information in the: Capturing phase, Processing phase, Updating the PTF, Updating the SMF; Economic, effective and efficient use of resources in the ordering phase; are adequate and effective
Audit objective: To evaluate the adequacy and effectiveness of controls relating to: Safeguarding of assets (access control); Allocation of unique supplier profile passwords in the capturing phase; Reliability and integrity of information in the: Capturing phase, Processing phase, Updating the SMF, Exception reports (quantity and frequency), confirmations
Audit opinion: The controls relating to: Safeguarding of assets (access control); Allocation of unique supplier profile passwords in the capturing phase; To the availability of the suppliers file; Reliability and integrity of information in the: Capturing phase, Processing phase, Updating the SMF, Exception reports (quantity and frequency), confirmations; are adequate and effective
Audit objectives: To evaluate the adequacy and effectiveness of the internal control systems that ensure S C R E
Audit objectives: To evaluate the adequacy and effectiveness of the internal control systems (choose prevention, detection or correction) that ensure S C R E
Audit objectives: To evaluate the adequacy and effectiveness of the prevention controls that ensure R – reliability and integrity of information
Audit objectives: To evaluate the adequacy and effectiveness of the prevention controls that ensure R – reliability and integrity of information of the purchase order
Risk response
Control assessment: Objective; Control; Process; Risk. R > C: Inadequate. C > R: Inefficient. C = R: Adequate/effective. CoC > CoR: Uneconomic.
Control analysis. Columns: Control activity; Prevention; Detection; IT; Manual; Added value opportunity. Control activity: Maintain physical security over goods received; Segregate custodial and record keeping functions. Added value opportunity: Computerise to increase efficiency, economy, effectiveness; IT management information allows for effective detection controls; Detection control allows development of prevention controls.
Added value: IMPACT x Likelihood. Inadequate controls. Recommendation = Added value
Audit report - finding. Finding: Clear; Concise; Factual; Inadequate; Inefficient; Ineffective; Uneconomic
Determine the causes: Determine what circumstances, if any, caused identified weaknesses. Consider materiality of effect, before spending much time determining causes. Determine if participants understand both purpose of and their role. Determine if relationship between accounts payable process and other department processes is clear. If process occurs at multiple locations, determine nature and scope of communication and coordination among components.
Determine the causes: Determine if accounts payable process has adequate human, rand, time, and asset resources. If inadequate, determine if resources have been allocated according to materiality of accounts payable process relative to other processes. Negative trends in reports used to monitor outcome(s) - determine if reports are communicated to and used by appropriate parties to modify process. Determine what internal or external constraints or barriers, if any, must be removed in order to overcome these identified weaknesses. Review applicable laws or regulations to determine if any of them prevent necessary changes from being made in the accounts payable process.
Determine the effect: Compare actual process to a recommended alternative process(es) and determine if each weakness in department process is material. Materiality can be measured by comparing the rand cost, impact on economy, risks, etc. of actual process to recommended alternative process(es). Measurements can be quantitative, qualitative, or both. Identify benchmarks (industry standards, historical internal data, other comparable departments, etc.) for process in question and compare to actual performance. Measure difference, if possible. Include cost of additional controls or changes in process.
Determine the effect: Estimate cost of the actual process and alternative process(es) and compare. Estimate quantity and/or quality of services provided by actual process and by alternative process(es) and compare. Identify risks associated with actual process and with alternative process(es). Measure and compare the risks.
Develop recommendations: Develop specific recommendations to correct weaknesses identified as material. In developing recommendations, consider tailored criteria, kind of process and control weaknesses identified, causes and barriers, effects, and additional resources. Solicit solutions and recommendations from client. Identify alternative solutions used by other business units. Identify solutions for removing barriers. Provide general guidelines as to objectives each solution should meet; then the department can tailor the solution to its specific situation. Provide specific information, if available, on how each recommendation can be implemented.
Cause – directs recommendation. Root cause of the finding: What was inherent risk? Did management agree? Root cause? Lack of budget/staff/skills? Inadequate detection; Inadequate management information systems; Lack of responsibility and accountability; Infrastructure. IMPACT; Likelihood
Effect: What is the effect? How will it be changed? How will it be monitored? Does it reduce accountability? IMPACT; Likelihood
Recommendation - teamwork: real time-online; detection focused; reduce risk; change likelihood/root cause; reduce effect/impact; enhance effectiveness, efficiency and economic use of resources; assign responsibility. Recommendation = responsibility
Management comment: Accept recommendation; Accept the risk
Audit report - recommendation. Inadequate: Recommend new control that change effect residual risk; Measure change. Ineffective: Non compliance; Cause; Disciplinary action. Inefficient: Difference between basic control and best practice; Measure change; Cost and benefit
Audit report: Criteria; Condition; Cause and effect; Recommendation; Management comment; Accept? What? When? Who?; How to fix it: What? When? Who?
Audit report - process: Audit report; Finding worksheet - effectiveness – IA - adequacy - AD; Review by AD; Benchmark and review by DD; Quality control; Final draft audit report; Auditee comments; Final audit report
Audit opinion: The prevention controls that ensure R – reliability and integrity of information are adequate and effective
COSO – all five components must be present and functioning before a control system can be effective. Components: Control environment; Risk assessment; Info and communication; Control activity - prevention; Monitoring activities - detection. Listed under each component: Safeguard assets; Compliance with laws, regulations, contracts; Reliability and integrity of information; Economy, effectiveness and efficiency.
Audit opinion - adequacy & efficiency
Controls are          Efficient    Inefficient
Adequate              1            2
Partially adequate    3            4
Inadequate            N/A          5/6
Audit report: Criteria; Condition; Cause; Finding; Recommendation; Management comment; Effect; Accountability; Responsibility; Accept the recommendation or accept the risk!; Include in job descriptions!; Root cause analysis; Title of the finding
Follow up: Audit scope and objectives; Document system (POF); Identify weaknesses; Inadequate opinion; No compliance work; Recommendations; Follow up audit; Adequate controls; Effectiveness audit; Likelihood assessment; ADD VALUE
Follow up: Identify the Scope for the Follow-up Audit; Select the Sample Size and Items to be Tested; Execute the Audit Work; Develop Informal Queries and Discuss with the Client; Report to Management