IA-108 EFFECTIVE IDENTIFICATION AND TESTING OF INTERNAL CONTROLS

IA-108 EFFECTIVE IDENTIFICATION AND TESTING OF INTERNAL CONTROLS

DESCRIPTION

Properly identifying, evaluating, and testing controls can be more difficult than anticipated in most organizations. The Public Company Accounting Oversight Board (PCAOB) routinely expresses concerns regarding the effectiveness of the testing completed for Internal Controls over Financial Statement Reporting by both internal and external auditors. While publicly traded companies can face extensive scrutiny over the effectiveness of their internal control environment, every organization benefits from effective controls. To ensure a control environment is indeed effective, auditors must know how to properly identify controls, assess their design, and test their operating effectiveness.

 

This course will teach auditors effective methods for planning, designing, assessing, and executing effective controls testing. The course is interactive, and participants will learn from lecture, discussions, and hands-on exercises. A case study will be used to develop an actual test program.

LEARNING OBJECTIVES:

  • Learning to develop an effective test program
  • Determining the appropriate sampling and testing approach to use
  • Learning testing methodologies—manual, automated, and others
  • Determining the testing objectives—aligning with business objectives
  • Learning to identify, evaluate, and prioritize risks
  • Understanding that risk prioritization drives the test plan
  • Learning to identify, assess, and test controls
  • Determining what to test—key controls, high-risk processes
  • Using narratives, flowcharts, and walkthroughs to identify gaps and potential risks

 

COURSE OUTLINE

Plans, Methods, and Approaches for Testing, Sampling, and Evidence Gathering

  • Developing the audit program
  • Pros and cons of standard audit programs vs. ad hoc audit programs
  • Testing methodologies—manual, automated, and others
  • Gathering audit evidence to support objectives
  • Comparing various sampling and testing approaches
  • Determining the appropriate sampling and testing approaches to use for each audit objective
  • Using risk matrices
  • Determining what to test—key controls, high-risk processes
  • Determining the testing objectives—aligning with business objectives
  • Scope changes, scope limitations, and running out of time
  • Reviewing and evaluating audit programs during execution
  • IIA/GASB/ISACA standards for evidence

Engagement Risk Assessments

  • Understanding risk | Types of risk | Identifying risk | Prioritizing risks
  • Evaluating risk—likelihood and significance, velocity and duration
  • Considering risk from operational and financial perspectives

Controls and the Control Environment

  • COSO and the control environment
  • Types of controls—Entity-wide controls | Activity-level controls
  • Understanding and documenting process controls
  • Using flowcharts, narratives, and walkthroughs
  • Evaluating controls—Design | Effectiveness

Testing

  • Testing methodologies and approaches—manual versus automated (data analytics)
  • Sampling approaches—random/judgmental/statistical
  • Design vs. operating effectiveness of controls
  • Tying controls to specific risks
  • Evaluating effectiveness of controls for risk
  • Developing test steps that address risk
  • Design approach | Avoiding SALLY
  • Test prioritization, sequencing, and overlap planning

Evidence and Evidence Gathering

  • Types of evidence | Sources of evidence
  • Levels of evidence reliability
  • Methods of gathering evidence
  • Quality of Evidence and Assurance
  • Using evidence to support conclusions
  • Risk vs. impact

Documenting, Communicating, and Reporting Testing Results

  • The 5 Cs of Audit Reporting
  • Framing issues from a business perspective
Duration

CPE

Delivery

Field

Level

Who Should Attend

Prerequisites

Advanced Preparation

2 Days

16

Group-Live

Auditing

Basic

Internal auditor staff and management of all levels

Auditors with at least 2 years of experience

None