definitions part 2 Flashcards

(181 cards)

1
Q

Governance

A

“The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.” (The IIA Glossary)

2
Q

Risk management

A

“A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.” (The IIA Glossary)

3
Q

Control processes

A

“The policies, procedures (both manual and automated), and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level that an organization is willing to accept.” (The IIA Glossary)

4
Q

Control

A

“Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.” (The IIA Glossary)

5
Q

Compliance

A

“Adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.”

6
Q

Assurance services

A

“An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.” (The IIA Glossary)

7
Q

Consulting services

A

“Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.” (The IIA Glossary)

8
Q

board

A

[t]he highest level governing body . . . charged with the responsibility to direct and/or oversee the organization’s activities and hold senior management accountable.

9
Q

Participative auditing

A

is a collaboration between the internal auditor and management during the auditing process. The objective is to minimize conflict and build a shared interest in the engagement. People are more likely to accept changes if they have participated in the decisions and in the methods used to implement changes.

10
Q

Assurance mapping

A

Connects significant risk categories and sources of assurance and
Assesses each category.

11
Q

combined assurance model

A

the internal audit activity coordinates activities with second line activities, such as compliance, to minimize “the nature, frequency and redundancy of internal audit engagements.” (Implementation Guide 2050)

12
Q

Compliance assurance

A

is the review of controls intended to ensure organization adherence to relevant laws and regulations, contractual arrangements, internal policies that support compliance, and other organizational objectives. An example is auditing the process and sign off of an annual requirement for employees to review and agree to the corporate code of ethics.

13
Q

Operational assurance

A

is the review of a function or process to appraise the efficiency and economy of operations and the effectiveness with which those functions achieve their objectives. The scope includes areas such as (1) product quality, (2) customer service, (3) revenue maximization, (4) expense minimization, (5) fraud prevention, (6) asset safeguarding, (7) corporate social responsibility and citizenship, (8) streamlined workflows, (9) safety, and (10) staffing.

14
Q

IT assurance

A

is the review and testing of IT (for example, computers, technology infrastructure, IT governance, mobile devices, and cloud computing) to assure the integrity of information. Traditionally, IT auditing has been done in separate projects by IT audit specialists, but increasingly it is being integrated into all audits.

15
Q

The three primary approaches of CSA programs are

A

Workshop facilitation
Survey (questionnaire)
Self-certification

16
Q

objective-based format for workshops

A

focuses on the best way to accomplish a business objective. The workshop begins by identifying the controls presently in place to support the objective and then determines the residual risks remaining. The aim of the workshop is to decide whether the control procedures are working effectively and are resulting in residual risks within an acceptable level.

17
Q

risk-based format workshop

A

focuses on the risks to achieving an objective. The workshop begins by listing all possible barriers, obstacles, threats, and exposures that might prevent achieving an objective and then examines the control procedures to determine whether they are sufficient to manage the key risks. The workshop’s aim is to determine significant residual risks. This format takes the work team through the entire objective-risks-controls formula.

18
Q

control-based format workshop

A

focuses on how well the controls in place are working. This format is different from the objective-based and risk-based formats because the facilitator identifies the key risks and controls before the beginning of the workshop. During the workshop, the work team assesses how well the controls mitigate risks and promote the achievement of objectives. The aim of the workshop is to produce an analysis of the gap between how controls are working and how well management expects those controls to work.

19
Q

process-based format workshop

A

focuses on selected activities of a chain of processes. The processes are usually a series of related activities that go from some beginning point to an end, such as the various steps in purchasing, product development, or revenue generation. This type of workshop usually covers the identification of the objectives of the whole process and the various intermediate steps. The workshop’s aim is to evaluate, update, validate, improve, and even streamline the whole process and its component activities.

20
Q

fixed-price contracts

A

are used when the requirements are well-defined, uncertainties can be identified and costs estimated, and competition is adequate.
Reviewing such an agreement may require consideration of the following:
Progress payments
Incentives (e.g., for early completion)
An escalator clause (e.g., one causing the entire price to be due in the event of some breach of the contract)
Adjustments for labor costs (e.g., premiums paid to obtain necessary labor)
Change orders

21
Q

Cost-plus contracts

A

are ways to cope with uncertainties about costs by setting a price equal to the cost plus a fixed amount or the cost plus a fixed percentage of cost. A problem is that the contractor may have little incentive for economy and efficiency, a reason for careful review by the internal auditors. These contracts may have provisions for
Maximum costs, with any savings shared by the parties, or
Incentives for early completion.

22
Q

Unit-price contracts

A

often are used when a convenient measure of work is available, such as person-hours logged, acres of land cleared, cubic yards of earth moved, or square footage patrolled by a security service. The key issue is the accurate measurement of the work performed.

23
Q

Source Code Escrow Clause

A

When reviewing a contract for the purchase of a business application system, the internal auditor should recommend that the contract contain a source code escrow clause.
It requires the application source code to be held in escrow by a trusted third party.

24
Q

total quality management (TQM)

A

TQM is the continuous pursuit of quality in every aspect of organizational activities through
A philosophy of doing it right the first time,
Employee training and empowerment,
Promotion of teamwork,
Improvement of processes, and
Attention to satisfaction of internal and external customers.

25
Personal privacy
physical and psychological
26
Privacy of space
freedom from surveillance
27
Privacy of communication
freedom from monitoring
28
Privacy of information
collection, use, and disclosure of personal information by others
29
Performance audit engagements
involve the review of (1) the business, (2) control environment, and (3) key performance indicators against established criteria. Methods include (1) balanced scorecards, (2) SWOT analysis, and (3) management control evaluation.
30
balanced scorecard
is a performance measurement tool that relates critical success factors determined in a strategic analysis with financial and nonfinancial measures. The purpose is to balance (1) long- with short-term considerations and (2) financial with nonfinancial elements.
31
SWOT analysis
An organization uses SWOT analysis, which evaluates internal factors (strengths and weaknesses) and external factors (opportunities and threats), to identify critical success factors.
32
Process (functional) engagements
are operational audit engagements that follow process-crossing organizational lines, service units, and geographical locations.
33
Program-results engagements
obtain information about the costs, outputs, benefits, and effects of a program.
34
Fraudulent financial reporting
involves intentional misstatements or omissions to deceive users, such as (1) altering accounting records or documents, (2) misrepresenting or omitting significant information, and (3) misapplying accounting principles.
35
Misappropriation of assets
involves theft, embezzlement, or an action that causes payment for items not received.
36
environmental management system
is an organization’s structure of responsibilities and policies, practices, procedures, processes, and resources for protecting the environment and managing environmental issues.
37
Environmental compliance audits
are the most common form for industrial organizations. The scope depends on the risk of noncompliance. They are detailed, site-specific audits of current operations, past practices, and planned future operations. They usually involve a review of all potential contamination, including air, water, land, and wastewater. Compliance audits range from preliminary assessments to performance of detailed tests, installation of groundwater monitoring wells, and laboratory analyses.
38
Environmental management systems audits
determine whether systems are in place and operating properly to manage future environmental risks. Environmental issues may arise from practices that were legal when they were undertaken.
39
Transactional audits
comprehensively assess the environmental risks and liabilities of land or facilities prior to property sale or purchase. Current landowners may be responsible for contamination whether or not they caused it. A transactional audit may include qualitative site assessments involving (a) a review of records and site reconnaissance, (b) sampling for potential contamination, (c) confirming the rate and extent of contaminant migration and cost of remediation, and (d) independent verification of corrective action.
40
treatment, storage, and disposal facility (TSDF) audits
The law may require that hazardous materials be tracked from their acquisition or creation to disposal by means of a document (a manifest). All owners in the chain of title may be liable. TSDF audits are conducted on facilities the organization owns, leases, or manages, or on externally owned facilities where the organization’s waste is treated, stored, or disposed.
41
pollution prevention audit
determines how waste can be minimized and pollution can be eliminated at the source. The following is a pollution prevention hierarchy from most desirable (recovery) to least (release without treatment):
Recovery as a usable product
Elimination at the source
Recycling and reuse
Energy conservation
Treatment
Disposal
Release without treatment
42
Environmental liability accrual audits
are performed to recognize, quantify, and report liability accruals. They assess the probability, measurability, and estimability of environmental effects. When an environmental issue becomes a liability is not always clear and may require consultation with legal professionals. Internal auditors need to review the reasonableness of cost estimates for environmental remediation. Assistance may be needed from independent experts, such as engineers.
43
Product audits
determine whether products are environmentally friendly and whether product and chemical restrictions are being met. This process may result in the development of fully recyclable products, changes in the use and recovery of packaging materials, and the phaseout of some chemicals.
44
Formal consulting
engagements are planned and subject to written agreement.
45
Informal consulting
engagements involve routine activities, such as (1) participation on standing committees, (2) limited-life projects, (3) ad-hoc meetings, and (4) routine information exchange.
46
Special consulting
engagements include participation on a merger and acquisition team or system conversion team.
47
Emergency consulting
engagements include participation on a team (1) established for recovery or maintenance of operations after a disaster or other extraordinary business event or (2) assembled to supply temporary help to meet a special request or unusual deadline.
48
Advisory engagements
are initiated by clients to receive actionable suggestions based on internal auditors’ independent perspectives and insights.
49
Educational engagements
are intended to impart the specialized knowledge and understanding that internal auditors have of particular areas to the staff working in those areas.
50
Facilitative engagements
use the expertise of the internal auditor to assist management and staff in assessing issues and solutions related to their areas of responsibility.
51
Benchmarking
Benchmarking is the use of reference points to compare current performance with that of other appropriate entities. The comparison is typically with entities that apply leading or best practices. The objective is to identify and implement actions to achieve improvement.
Customer satisfaction percentages
Dollar-sales per headcount
Days from customer order to delivery
Labor rates for comparable workers at a competitor’s plant
Bad debt write-offs
Inventory spoilage
52
Internal benchmarking
compares performance with other areas within the business. Stores in a retail chain could be compared using a range of metrics to identify strong and weak performers. Insights can be gained from the reasons for the superior performance of the leading stores. The causes of under-performance also can be investigated and remedied to improve the weak performers.
53
External benchmarking
also known as competitive benchmarking, overcomes this disadvantage by comparisons with competitors, peers, or other leading exponents of the benchmarked activity. Competitive benchmarking involves organizations within the same industry.
54
generic benchmarking
of similar processes in different industries offers scope for greater collaboration and mutual benefit.
55
Process or functional benchmarking
identifies ways to optimize functions of the organization by studying operations of entities with similar processes. An example is the time taken to research, develop, and bring a new product to market.
56
Performance benchmarking
assesses how the organization performs in terms of the outcomes of its processes. Sales growth is a relevant example for assessing the effect of the introduction of a new product.
57
Strategic benchmarking
is the review of business approaches and models to enhance priorities and strategic planning.
58
due diligence engagement
A due diligence engagement is a service in which internal auditors and others (e.g., external auditors, tax experts, finance professionals, and attorneys) verify the business justification for a major transaction (e.g., business combination, joint venture, and divestiture) and whether that justification is valid. Internal auditors might, for example, review (1) operations (e.g., purchasing, shipping and receiving, and inventory management), (2) the acquiree’s internal controls, (3) the compatibility of the organizational cultures, (4) finance and accounting issues (e.g., financial statements and disclosures), (5) compliance with relevant laws, and (6) integration of an acquiree with an acquirer.
59
Business Process Mapping
Business process reengineering focuses on outcomes, not tasks. It seeks to (1) eliminate unnecessary tasks, (2) automate tasks if possible, and (3) optimize the remaining tasks requiring human involvement. The emphasis is on simplification and elimination of nonvalue-adding activities.
60
audit universe
a compilation of the subsidiaries, business units, departments, groups, processes, or other established subdivisions of an organization that exist to manage one or more business risks
61
inherent risk
is the combination of internal and external risk factors in their uncontrolled state, or the existing gross risk, assuming no internal controls are in place (The IIA Glossary). For example, cash and assets easily converted to cash, such as precious metals, have high inherent risk.
62
risk appetite
level of risk that an organization is willing to accept
63
Risk tolerance
is the acceptable variation in performance relative to achieving objectives
64
Residual risk
the portion of inherent risk that remains after management executes its risk response (sometimes referred to as net risk)
65
Audit risk
is the risk of reaching invalid audit conclusions or providing faulty advice based on the audit work
66
Inherent risk
is the combination of internal and external risk factors in their uncontrolled state, or the existing gross risk, assuming no internal controls are in place
67
Control risk
the potential that controls will fail to reduce controllable risk to an acceptable level
68
Detection risk
is the risk that the audit procedures intended to reduce audit risk to an acceptably low level will not detect a material misstatement
69
audit risk
Audit risk = (Inherent risk × Control risk) × Detection risk
70
Control activities
are the policies and procedures applied to ensure that management directives are executed and actions are taken to address risks affecting achievement of objectives.
71
Occurrence
Recorded transactions and events actually occurred.
72
Completeness
All transactions and events that should have been recorded were recorded.
73
Accuracy
Amounts and other data were recorded appropriately.
74
Cutoff
Transactions and events were recorded in the proper period.
75
Classification
Transactions and events were recorded in the proper accounts.
76
Existence
Assets, liabilities, and equity interests exist.
77
Rights and obligations
The entity holds or controls the rights to assets, and liabilities are its obligations.
78
Completeness of account balances
All assets, liabilities, and equity interests that should have been recorded were recorded.
79
Valuation and allocation
Assets, liabilities, and equity interests are included at appropriate amounts, and any valuation or allocation adjustments are appropriately recorded.
80
Occurrence and rights and obligations
Disclosed transactions, events, and other matters have occurred and pertain to the entity.
81
Classification and understandability
Financial information is appropriately presented and described, and disclosures are clearly expressed.
82
Accuracy and valuation
Information is disclosed fairly and at appropriate amounts.
83
Tests of controls
determine their operating effectiveness in preventing, or detecting and correcting, instances of noncompliance, whether material misstatements of the financial statements, failures to comply with laws or regulations, or other undesirable outcomes.
84
Substantive procedures
are used to detect material misstatements at the relevant assertion level. They include tests of details and substantive analytical procedures.
85
Inquiry
asks for information from knowledgeable people within or outside the organization. Inquiry may range from informal oral queries and responses to formal written inquiries. Evaluation by the auditor of the responses received is an essential element of the inquiry processes.
86
Observation
watches an activity and provides evidence that a process or procedure is being performed appropriately at that moment in time. Observation does not provide evidence on whether the activity is performed in the manner observed at other times, particularly when the act of being observed may influence the way the activity is performed.
87
Inspection
is the examination of records or documents, whether internal or external, in paper form, electronic form, or other media, or a physical examination of an asset. Inspection of records and documents provides audit evidence of varying degrees of reliability, depending on their nature and source and, in the case of internal records and documents, on the effectiveness of the controls over their production.
88
Vouching
tracks a result backward to the originating event, ensuring that a recorded amount is properly supported. Vouching is used to gain assurance regarding the existence assertion, for example, that a receivable claimed on the statement of financial position is supported by a sale to a customer.
89
Tracing
follows a transaction forward from the triggering event to a resulting event, ensuring that the transaction was accounted for properly. Tracing is used to obtain assurance about the completeness assertion, for example, that a liability was properly accrued for all goods received.
90
Confirmations
are commonly used to verify the amounts of accounts receivable, goods on consignment, and liabilities. They are a reliable source of audit evidence because debtors are independent of the creditor-auditee.
91
Reperformance
(recalculation) is the auditor’s replication of the auditee’s work and assessment of the results to confirm accuracy.
92
Analytical procedures
evaluate financial information by analysis of relationships among financial and nonfinancial data. The basic premise is that plausible relationships among data may reasonably be expected to exist and continue in the absence of known conditions to the contrary.
93
pro forma
standardized work program
94
Sufficient Information
The conclusions reached should be those of a prudent, informed person. Sufficiency is enhanced when samples are chosen using standard statistical methods.
95
Reliable Information
Information is sufficient and reliable when it is obtained and documented so that a prudent, informed individual can produce the same results and draw the same conclusions. Thus, the internal auditor’s results should be verifiable by others. Verifiability is facilitated by systematic documentation. Reliable information is valid. It accurately represents the observed facts and is free from error and bias.
96
Relevant Information
Relevant information has a logical relationship to what it is offered to prove.
97
Useful Information
Information is useful when it helps the organization meet its objectives.
98
Conclusive evidence
is absolute proof, by itself. The classic example is that of a watch in the desert. The mere fact of finding the watch proves that someone put it there. It did not assemble itself spontaneously out of sand.
99
Direct evidence
establishes a particular fact or conclusion without having to make any assumptions. Testimony by a witness to an event is a form of direct evidence.
100
Corroborative evidence
serves to confirm a fact or conclusion that can be inferred from other evidence. An example is an employee who claims to have been working late on a certain night. A member of the building custodial staff can provide corroborating evidence that this employee was seen in the office.
101
Circumstantial evidence
establishes a fact or conclusion that can then lead by inference to another fact. For example, the analysis of accounts receivable shows a large increase in the current year’s accounts receivable since last year. An auditor could conclude that management inflated sales in the current year. However, the auditor should corroborate this conclusion by testing the credit sales receipts.
102
Physical information
consists of the internal auditor’s direct observation and inspection of people, property, or activities, e.g., of the counting of inventory.
103
Documentary information
exists in some permanent form, such as checks, invoices, shipping records, receiving reports, and purchase orders.
104
Analytical information
is drawn from the consideration of the interrelationships among data or, in the case of internal control, the particular policies and procedures of which it is composed.
105
Testimonial information
consists of written or spoken statements of client personnel and others in response to inquiries or interview questions.
106
Discrete variables
such as whether invoice payments were or were not appropriately authorized, are tested using attribute sampling
107
Continuous variables
such as the monetary amounts of accounts receivable, are tested using variables sampling
108
mean
is the arithmetic average of a set of numbers
109
median
is the middle value if data are arranged in numerical order. Thus, half the values are smaller than the median, and half are larger. It is the 50th percentile.
110
mode
is the most frequently occurring value. If all values are unique, no mode exists
111
normal distribution
the mean, median, and mode are the same, and the tails are identical
112
standard deviation
The standard deviation is a measure of the dispersion of a set of data from its mean. When the items have little dispersion, the standard deviation is small.
113
confidence level
is the percentage of times that a sample is expected to be representative of the population; i.e., a confidence level of 95% should result in representative samples 95% of the time.
114
confidence (or precision) interval
for a given confidence level is the range around a sample value that is expected to contain the true population value. It is constructed using the confidence coefficient for the number of standard deviations (based on the normal distribution) for the confidence level chosen.
115
Detection risk
is the risk that audit procedures may fail to detect an issue in the population being audited. Detection risk consists of nonsampling risk and sampling risk.
116
Nonsampling risk
is detection risk not related to sampling. A common nonsampling risk is the auditor’s failure to recognize an error in a sample.
117
Nondetection of an error
in a sample can be caused by auditor inattention or fatigue. It also can be caused by misinterpretation of audit evidence or application of an inappropriate audit procedure, such as looking for the wrong approvals in a sample of documents.
118
Sampling risk
is the risk that a sample is not representative of the population. An unrepresentative sample may result in an incorrect conclusion.
119
random sample
every item in the population has an equal and nonzero chance (probability) of being selected.
120
interval (systematic) sampling
Interval sampling divides the population by the sample size and selects every nth item after a random start in the first interval. Interval sampling is appropriate when, for instance, an auditor wants to test whether controls were operating throughout an entire year. (A random sample might result in all items being selected from a single month.)
121
Block (cluster) sampling
randomly selects groups of items as the sampling units rather than individual items. An example is the inclusion in the sample of all cash payments for May and September. A possible disadvantage is that the variability of items within the clusters may not be representative of the variability within the population.
122
stratification
to divide the population into subpopulations or strata. Stratification also allows the auditor to apply more audit effort to larger elements or more risky parts of the population.
123
attribute sampling
each item in the population has an attribute of interest to the auditor, e.g., evidence of proper authorization. Thus, attribute sampling is appropriate for discrete variables. Attribute sampling is used for tests of controls, i.e., when two outcomes are possible (compliance or noncompliance).
124
sample size for an attribute test depends on the following four factors
Confidence level
Population size
Expected deviation rate
Tolerable deviation rate
125
sample deviation rate
is the number of deviations observed in a sample divided by the sample size. This rate is the best estimate of the population deviation rate
126
achieved upper deviation limit (UDL)
is based on the sample size and the number of deviations discovered. Auditors use standard tables to calculate the UDL. In Table 1 below (adapted from an Audit Practice Release of the AICPA), the intersection of the sample size and the number of deviations indicates the achieved upper deviation limit.
127
allowance for sampling risk (achieved precision)
is the difference between the achieved UDL determined from a standard table and the sample deviation rate.
128
Discovery sampling
is appropriate when even a single deviation (noncompliance) is critical. The occurrence rate is assumed to be at or near 0%, and the method cannot be used to evaluate results statistically if deviations are found in the sample. The sample size is calculated so that it will include at least one instance of a deviation if deviations occur in the population at a given rate. Discovery sampling uses a fixed sample size.
129
stop-or-go sampling
also called sequential sampling, is to reduce the sample size when the auditor believes the deviation rate in the population is low. The auditor examines only enough sample items to be able to state that the deviation rate is below a specified rate at a specified level of confidence. If the auditor needs to expand the sample to obtain the desired level of confidence, (s)he can do so in stages. Because the sample size is not fixed, the internal auditor can achieve the desired result, even if deviations are found, by enlarging the sample sufficiently. In contrast, discovery sampling uses a fixed sample size.
130
Variables sampling
is used for measurements, such as weights or monetary amounts. Variables sampling provides information about whether a stated amount (e.g., the balance of accounts receivable) is materially misstated. Thus, variables sampling is useful for substantive tests. The auditor can determine, at a specified confidence level, a range that is expected to include the true value.
131
Mean-per-unit (MPU) estimation
(also called unstratified MPU) averages the audited amounts of the sample items. It multiplies the average by the number of items in the population to estimate the population amount. An achieved precision at the desired level of confidence is then calculated.
132
Stratified MPU
is a means of increasing audit efficiency by separating the population into logical groups, usually by various ranges of the tested amounts. By creating multiple populations, the variability within each is reduced, allowing for a smaller overall sample size.
133
Difference estimation
estimates the misstatement of an amount by calculating the difference between the observed and recorded amounts for items in the sample. This method is appropriate only when per-item recorded amounts and their total are known.
134
Ratio estimation
estimates the population misstatement by multiplying the recorded amount of the population by the ratio of the total audited amount of the sample items to their total recorded amount.
135
Monetary-unit sampling (MUS)
also known as probability-proportional-to-size (PPS) sampling, uses a monetary unit as the sampling unit. It applies attribute sampling methods to reach a conclusion about the probability of overstating monetary amounts. Under MUS, the sampling unit is a unit of money rather than, for example, an invoice or an account balance. The item (invoice, account, etc.) containing the sampled monetary unit is selected for testing.
136
Acceptance sampling
determines the probability that the rate of defective items in a batch is less than a specified level.
137
Statistical control charts
are graphic aids for monitoring the status of any process subject to acceptable or unacceptable variations during repeated operations.
138
P charts
show the percentage of defects in a sample. They are based on an attribute (acceptable/not acceptable) rather than a measure of a variable.
139
C charts
also are attribute control charts. They show defects per item.
140
R chart
shows the range of dispersion of a variable, such as size or weight. The center line is the overall mean.
141
X-bar chart
shows the sample mean for a variable. The center line is the average range.
142
cost-benefit analysis
(Probability of being out of control × Cost of corrective action) + (Probability of being in control × Investigation cost) = Total expected cost
143
Pareto diagram
is a bar chart that assists managers in what is commonly called 80:20 analysis. The 80:20 rule states that 80% of all effects are the result of only 20% of all causes. For quality control, managers optimize their time by focusing their effort on the sources of most problems.
144
histogram
displays a continuous frequency distribution of the independent variable
145
Fishbone (Ishikawa) diagram
(also called a cause-and-effect diagram) is a total quality management process improvement technique. Fishbone diagrams are useful in studying causation (why the actual and desired situations differ). This format organizes the analysis of causation and helps to identify possible interactions among causes. The head of the skeleton contains the statement of the problem. The principal classifications of causes are represented by lines (bones) drawn diagonally from the heavy horizontal line (the spine). Smaller horizontal lines are added in their order of probability in each classification.
146
Code comparison
Software compares source code with object code to detect unauthorized program changes or analyze unexecuted code. Manual comparison of the output of an auditor’s audit program with the client program’s error listings also is possible.
147
Parallel simulation
Parallel simulation tests the controls in a client’s application program. The auditor’s audit program processes the client’s actual data and compares the output and the exceptions report with results of the client’s program.
148
Test data
Creating dummy transactions tests controls chosen by the auditor against expected results using the client’s programs controlled by the auditor. Also, only one transaction of each needs to be tested.
149
integrated test facility (ITF)
or minicompany method, includes dummy transactions with live ones for processing of the actual program without the knowledge of the client’s personnel. However, the fictitious entries must be identified and reversed to avoid contamination.
150
Embedded audit modules
Embedding code in the entity’s programs to routinely extract (select) certain transactions or details accessible only by the auditor allows for continuous monitoring. But an auditor may need to be involved in design, which may impair independence.
151
Expert systems
Using software to automate the knowledge and logic of experts helps an auditor with decision making and risk analysis.
152
Artificial intelligence (AI)
AI computer software is designed to perceive, reason, learn, and understand in order to make decisions related to audit tasks.
153
Process mapping
represents a system or process as a diagram called a process map or flowchart.
154
Flowchart symbol: oval
Starting or ending point of a process
155
Flow chart symbol: rectangle
Process
156
Flow chart symbol: inverted quadrangle
Manual operation
157
Flow chart symbol: lozenge
input/output
158
Flow chart symbol: cylinder
database or data storage
159
flowchart symbol: diamond
decision point
160
flowchart symbol: upside down triangle
manual storage
161
horizontal system flowchart
is a symbolic representation of a system or series of sequential processes with flows across organizational units.
162
spaghetti map
depicts the flow of people, material, and information from the first to last steps of a process. It highlights the number of key steps and spatial relationships of a particular process by tracing each step of the process. The resulting traces resemble “spaghetti.”
163
RACI diagram
used to clarify decision-making assignments in cross-functional or departmental projects and processes. R – Responsible. A person who is responsible for performing the particular task. A – Accountable. A person who is the final decision maker and is ultimately accountable for the task. C – Consulted. A person who must be consulted before completing the task or making a decision. I – Informed. A person who is informed after a decision is made or when the task is completed.
164
data flow diagram
shows (1) how data flows to, from, or within a system and (2) the processes that apply to the data. Accordingly, a data flow diagram does not have a symbol for documents or other outputs.
165
action diagram
consists of process logic notations combining graphics and text to help define technical rules.
166
program structure chart
is a graphic depiction of the hierarchy of modules or instructions in a program.
167
Confirmed
directly verified by third-party evidence
168
Traced
followed information forward to a subsequently prepared document or record to test for completeness
169
Vouched
followed information backward to a previously prepared record or document or other evidence to test for validity
170
Calculated
independently re-performed calculation to check for arithmetical accuracy
171
Criteria
are the standards, measures, or expectations used in making an evaluation (the correct state). Criteria form a hypothesis. EXAMPLE: Before issuing a payment voucher, the accounts payable function should record a payable for inventory after reconciling copies of the purchase requisition, purchase order, and receiving report with the vendor invoice.
172
Condition
is the factual evidence that the internal auditor found in the examination (the current state). The condition is what is actually observed (audit findings) that proves or disproves the hypothesis. EXAMPLE: Accounts payable issued payment vouchers without purchase requisitions. The cash disbursement function issued checks for those transactions also without a purchase requisition.
173
Cause
is the reason for the difference between expected and actual conditions. Recommendations should address cause. Answers the question, Why? EXAMPLE: The purchasing function did not issue a purchase requisition for 10 transactions.
174
Effect
is the risk or exposure the organization or others encounter because the condition is not consistent with the criteria (the result of the difference). The effect is the projection of the observations and recommendations on the organization’s operations and financial statements. In simplest terms, it is what happened. EXAMPLE: The 10 transactions not supported by full documentation totaled $150,000, an amount material to the entity.
175
Accurate communications
use precise wording supported by evidence gathered during the engagement. The IIA’s Code of Ethics requires internal auditors to “disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.”
176
Objective communications
require an unbiased mental attitude and use similarly unbiased language that focuses on deficiencies in processes and their execution.
177
Clear communications
use language that is easily understood by the intended audience and is consistent with terminology used in the organization and industry. Clear communications avoid unnecessary technical language. Clarity is enhanced when internal auditors communicate important observations and logically support recommendations and conclusions for a particular engagement. High-connotation (strong) language should be chosen carefully.
178
Concise communications
exclude information that is unnecessary, insignificant, or unrelated to the engagement. Effective organization and use of short and simple sentences and active voice verbs promote concision and understanding.
179
Constructive communications
reflect the severity of the observations while enabling a collaborative process for determining solutions that facilitate positive change within the organization. Ultimately, internal auditors seek to help the organization accomplish its objectives.
179
Complete written communications
generally enable the reader to reach the same conclusion as the internal audit activity.
179
Timely communications
are submitted by the deadlines established during the planning phase. Timeliness may be different for each organization and relates to the nature of the engagement subject.