EXHIBIT 16.9 Workpaper Auditor Tick Marks Examples
Tick mark meanings shown in the exhibit: Examined during audit procedures; Footed; Footed and cross-footed; Traced to ledger balance; Traced to cash receipts deposit slips; Verified computation.
used for each. Rather than asking the auditor to develop a legend, many internal audit departments have a standard set of tick mark symbols for use in all workpapers. For example, a check mark with a line through it means that the workpaper item was traced to a supporting schedule and the numbers at each were correct. These standard tick marks should be used by all members of the audit staff for all audits. Standard tick marks improve communication, as audit management can easily review and understand workpapers. Exhibit 16.9 illustrates a set of traditional tick marks developed in the pencil-and-paper days. Although these same symbols may not be available through Microsoft Word, similar special characters can be designated for the same purpose. Of course, auditors might develop another mark to indicate some other type of cross-check performed in the course of an individual audit, which then must be clearly explained.
(iii) REFERENCES TO EXTERNAL AUDIT SOURCES
Internal auditors often record information taken from outside sources. For example, an internal auditor may gain an understanding of an operational area through an interview with management. The auditor would record that interview through workpaper notes and rely on that information as the basis of further audit tests or conclusions. It is always important to record the source of such commentary directly in the workpapers. For example, a workpaper exhibit could show how the auditor gained an understanding of a sample system, and the source that provided that information should be documented.
Auditors may need to reference laws or regulations to support their audit work. Similarly, they may perform a vendor-related review and access a Web search to verify vendor existence. It is usually not necessary to include in the workpapers a copy of what may be a voluminous regulation, or a copy of a page from the search. However, workpapers should clearly indicate the title and source of all external references, including the Internet address if appropriate. Extract page copies can be included to make a specific point when necessary, but a reference notation is normally sufficient.
(iv) WORKPAPER ROUGH NOTES
When conducting interviews, internal auditors often make very rough notes, written in a personal form of shorthand readable only by the author. Auditors should rewrite or reenter these rough notes into workpaper commentary. Because there may be a reason to review them again, these original note sheets should be included in the workpapers, placed in the back of the workpaper manual binder or even in a separate file.
Historically, most workpapers were prepared in pencil. Schedules were recorded on accounting spreadsheet forms, commentaries were written in longhand, and any exhibits were attached. Most internal audit departments have now automated their workpapers through the use of spreadsheet and word-processing software. This automation does not change the workpaper standards, but it usually makes the workpapers easier to read and to access. The typical workpaper today may use a mix of manual and automated schedules and audit commentaries. However, today's workpaper is usually a computer systems folder with perhaps some references to paper documents.
Technology is always changing, and we may be seeing different formats of audit evidence supporting audit workpapers in future years. Digital image scanners are very common today. They can be passed over a paper document, creating a digital image of that document for later audit evidence retrieval. Similarly, some computers are now equipped with a pen stylus for the user to write directly on the computer screen. The data are captured on computer files. These and other evolving technologies offer opportunities for audit workpaper automation.
(e) Workpaper Review Processes
All workpapers should go through an independent internal audit review process to assure that necessary work has been performed, that it is properly described, and that audit findings are adequately supported. The chief audit executive (CAE), reporting to the audit committee, has the overall responsibility for this review but usually delegates that work to supervisory members of the internal audit department. Depending on the size of the audit staff and the relative importance of a given audit, there may be multiple reviews of a set of workpapers, one by the in-charge auditor and another by a more senior member of internal audit management.
Evidence of this supervisory review should consist of the reviewer's initials and dates on each workpaper sheet reviewed. Some internal audit functions prepare a memorandum or workpaper review checklist to document the nature and extent of their reviews. In any case, there should be documented evidence that all workpapers have received a proper level of supervisory review.
In addition to initialing completed workpapers, the supervisory reviewer should prepare a set of review notes with any questions raised during the review process to give to the responsible auditor for resolution. Some of these review points or questions may simply highlight clerical errors, such as missing cross-references. Others may be of a more significant nature and may require the auditor to do some additional follow-up work. Review questions should be cleared promptly, and the reviewer should take responsibility to ensure that any open questions are resolved. This workpaper review process should always take place prior to the issuance of the final audit report. This will ensure that all report findings have been properly supported by audit evidence as documented in the workpapers.
16.4 Internal Audit Document Records Management
Efforts to document processes or to describe internal audit processes through effective workpapers are of little value unless an internal audit function has a strong document retention function covering all of its work products, including auditor notes, copies of meeting minutes, IT files, and many others. As we move to largely paperless business and internal audit environments, this document retention need has become much more of a challenge than in the old days of paper-and-pencil records. In those old days, documents were often retained in formal filing cabinets. Access required getting a key from an office administrator, supervisor reviews were evidenced by a familiar signed initial on the form, and attempts to make unauthorized changes resulted in smudged erasures. The ease and flexibility of things today raise document risks, ranging from the loss of audit workpapers due to a stolen laptop to process errors in a CAATT developed by internal audit.
In the first section of this chapter, we discussed internal audit documentation requirements and outlined the need to keep all relevant internal audit documentation for seven years after the completion of an internal audit. This can sometimes cause a challenge in our paperless auditing environment today. Operating systems or file formats may change, and we may not be able to access or read a document. Documents can disappear due to someone mistakenly hitting DELETE, or documents can disappear because of a failure to download an auditor's laptop system to a central server system.
An internal audit function needs to implement strong and consistent document management policies with assigned administrative responsibilities for the tasks. Chapter 18 discusses IT general controls and IT Infrastructure Library (ITIL) best practices. Many of the latter ITIL best practices cover such areas as establishing configuration management controls over IT resources and IT change management processes. While ITIL focuses on the IT infrastructure, many of its best practice concepts apply to internal audit document management. The following list discusses some important, even essential, document management practices for an internal audit function in today's environment of auditor laptops and wireless networks:
Document standards and review processes.
Internal audit needs to establish standards for the software used, laptop computer configurations, and general document and template standards. The goal should be that every member of the internal audit team is using the same equipment and, with the exception of some specialized IT tools, everyone is following the same formats and standards. An objective of internal audit's documentation processes should be to eliminate all separate paper documents. When an internal auditor needs to use paper forms or other evidential materials, digital scanners should be employed to capture the material. Formal and secure processes should be set for each scheduled audit. An internal auditor at a field location may be assigned a laptop with a preliminary audit program as well as workpapers from a prior review, all secured and loaded. The lead auditor may encounter situations where an established audit program needs to be modified, but these proposed changes can be passed through a secure virtual private network for review and approval by audit management. That audit work, loaded on the lead auditor's laptop and shared with others on the audit team, should be the prime records repository for a given internal audit. At the conclusion of the audit, the workpaper materials, including the audit report, should be downloaded to the audit department's central server system.
Backup, security, and continuity.
This is perhaps the most critical and high-risk area for laptop-based internal audit systems. Many of the cybersecurity and privacy controls discussed in Chapter 20 are very appropriate for automated internal audit work as well. A good starting idea here is to configure and assign auditor laptop systems as internal audit tools only. There should be no outside links to the Internet or permitted downloads to USB devices. For personal e-mails back home and the like, an internal auditor can use one of the many small portable devices available. While we should not chain an audit laptop to the internal auditor's body, strong security measures should be applied to keep the system secure. Strong security and password controls should be installed such that if a system is stolen, its contents cannot be easily accessed. (We use the word "easily" because strong computer forensics experts can access almost anything.) Procedures should also be established for internal audit files to be backed up and downloaded to the internal audit server system on a regular basis.
Hardware and software resource management.
Once, some internal audit functions used central IT records for their automated workpapers. Today, with relatively efficient and lower-cost resources available, there is really no strong reason why an internal audit function does not have a server system dedicated to just internal audit purposes. A secure system should be installed as a repository for all internal audit activities. The system's key file folders should be folded in with the IT function's continuity planning processes, as discussed in Chapter 22.
CAATT repository.
Chapter 21 discusses IT tools to improve access and improve audit efficiencies. All too often, these tools and processes were viewed as part of the IT audit specialists' domains and kept separate from other internal audit documentation and materials. Every effort should be made to group and organize all CAATT-related materials with other internal audit workpaper records.
Audit reports, risk management, and internal audit administration.
Internal audit has a need to prepare and distribute a large body of materials, including audit reports, risk management analyses, budgets, and communications with the audit committee. The same seven-year document retention rule should apply to these internal audit administrative records, and they should be placed in secure folders on the audit department server system.
The seven-year retention rule can place demands on physical storage facilities. Many enterprises have used secure storage facilities for off-site storage of their older paper documents that have retention requirements. Vendors will pick up an enterprise's critical documents, catalog them by some broad retrieval categories, and then store them in secure, fire-protected facilities. These storage vendors provide insurance-company protection of stored documents and will deliver any document requested in a relatively short time frame. Although originally oriented to paper documents, similar vendors provide retention facilities for electronic documents. Internal audit should make arrangements for some type of secure off-site storage for key internal audit digital and paper documents.
16.5 Importance of Internal Audit Documentation
Adequate documentation is required for virtually all internal audit processes. This chapter has emphasized the importance of audit workpapers to document internal audit activities as well as process modeling to describe enterprise activities. The ability to prepare descriptive and effective workpapers is a key internal audit CBOK requirement. In addition, all internal auditors, from the CAE to audit staff, should be comfortable and familiar with the many IT tools available to describe and document internal audit processes.