Professional Documents
Culture Documents
STRATEGIES &
EVIDENCE-
GATHERING
INTAUD1 - H006
(For In ternal Use Onl y)
Introduction
Testing is the act of securing suitable evidence to support an audit. It
confirms the auditor’s initial opinion on the state of internal controls. It is a step
in control evaluation, although many auditors test for the sole purpose of
highlighting errors or non-adherence with laid down procedure. It depends on
the audit objective. The IIA Practice Advisory 2240-1 requires audit procedures
to be planned:
Page | 1
The Four Types of Tests
a) Walkthrough - This involves taking a small sample of items that are traced
through the system to ensure that the auditor understands the system. It
occurs during the ascertainment stage of the audit and may lead into further
tests later. The client may be asked to refer to named documents
representative of the transaction cycle that will be cross-referenced to the
interview record to assist this process of ‘capturing’ the system.
Testing Considerations
The relative risks
Management needs
Previous audit cover
The auditor’s own experiences
Page | 2
The level of managerial support for the audit
The availability of evidence
The audit objectives
The level of materiality of the item reviewed
The time available for the tests
The assessment of internal control
Testing Techniques
There are many ways that one can gather the necessary evidence to support the
testing objective. The number and types of techniques are limited only by the
imagination of the auditor:
g) Interviews - More often than not the best way to find something out is
simply to ask and much useful information can be obtained through the
interview forum.
Page | 3
h) Review of published reports/research - Another source of supportive
evidence is to be found in reports that impact on the area under review.
Page | 4
2330 - Recording Information: Internal auditors should record relevant
information to support the conclusions and engagement results.
Evidence Attributes
Sufficient - This is in line with materiality, level of risk and the level of
auditors’ knowledge of the operation. Sufficient means it should be
enough to satisfy the auditor’s judgement or persuade management to
make any changes advocated by audit.
Practical - One would weigh up the evidence required, the cost and
time taken to obtain it and sensitivity.
Page | 5
Audit Sampling
Sampling involves selecting representative items from a population (an
entire group of items), examining those selected items, and drawing a
conclusion about the population based on the results derived from the
examination of the selected items.
Page | 6
The use of probability theory to evaluate sample results,
including measurement of sampling risk.
Page | 7
i) Tolerable misstatement – A monetary amount set by the auditor in
respect of which the auditor seeks to obtain an appropriate level of
assurance that the monetary amount set by the auditor is not exceeded
by the actual misstatement in the population.
When using systematic selection, the auditor would need to determine that
sampling units within the population are not structured in such a way that
the sampling interval corresponds with a particular pattern in the
population.
Page | 8
4. Cluster (Block) selection involves selecting a block(s) of contiguous items
from within the population. Block selection cannot ordinarily be used in
audit sampling because most populations are structured such that items in a
sequence can be expected to have similar characteristics to each other, but
different characteristics from items elsewhere in the population.
Determining the Sample Size - The sample size for an attribute test
depends on the following four factors:
Page | 9
c) The expected deviation rate (expected rate of occurrence) is
an estimate of the deviation rate in the current population. The
greater the population deviation (variability in the population),
the larger the sample size should be.
The auditor examines only enough sample items to be able to state that
the deviation rate is below a specified rate at a specified level of
confidence. If the auditor needs to expand the sample to obtain the
desired level of confidence, (s)he can do so in stages.
Page | 10
Because the sample size is not fixed, the internal auditor can achieve
the desired result, even if deviations are found, by enlarging the sample
sufficiently. In contrast, discovery sampling uses a fixed sample
size.
Determining the Sample Size - The sample size for a variables test
depends on the following four factors:
Page | 11
Factors Affecting Variables Sample Size
As the confidence level increases, the sample size must increase.
As the estimated standard deviation increases, the sample size must increase.
As the population size increases, the sample size must increase.
As the tolerable misstatement increases, the sample size can decrease.
Page | 12
Ratio estimation is preferable to MPU estimation when the
standard deviation of the distribution of ratios is less than the
standard deviation of the sample item amounts.
Page | 13
Analytical Review Techniques
Internal auditors must base conclusions and engagement results on
appropriate analyses and evaluations.
Unexpected differences.
The absence of differences when they are expected.
Potential errors.
Potential fraud or illegal acts.
Other unusual or nonrecurring transactions or events” (para. 2).
Page | 14
d) Comparing information with expectations based on similar information
for other organizational units as well as for the industry in which the
organization operates” (para. 3).
Ratio Analysis
One of the most common analytical procedures is ratio analysis, the
comparison of one financial statement element with another. Ratios are
used frequently to assess an organization’s liquidity and profitability.
Page | 15
The accounts receivable turnover ratio measures the number
of times the organization’s average balance in receivables is
converted to cash during a fiscal year (or financial statement
cycle).
Ratio Comparisons
Trend analysis tracks the changes in a ratio over time, e.g., the last 3
fiscal years. It helps assess the effects of changes in the overall
economy or the relative success of a marketing campaign.
Page | 16
Industry analysis compares the organization’s ratios with those of
competitors or with the published averages for the entire industry.
These must be used with caution because different organizations in the
same industry may have different cost structures.
The auditor may ask management about the reasons for the difference
and would corroborate management’s explanation, for example, by modifying
expectations and recalculating the difference or by applying other audit
procedures. In particular, the internal auditor needs to be satisfied that the
explanation considers both the direction of the change (e.g., sales decreased)
and the amount of the difference (e.g., sales decreased by 10 percent).
Page | 17
Results or relationships that are not adequately explained may indicate
a situation to be communicated to senior management and the board in
accordance with Standard 2060. Depending on the circumstances, the internal
auditor may recommend appropriate action” (para. 6).
4) “The chief audit executive establishes working paper policies for the
various types of engagements performed. Standardized engagement
working papers, such as questionnaires and audit programs, may
improve the engagement’s efficiency and facilitate the delegation of
engagement work. Engagement working papers may be categorized as
permanent or carry-forward engagement files that contain information
of continuing importance” (para. 4).
Page | 18
Working Papers - Preparation
Neat, not crowded, and written on only one side (if written
at all).
Uniform in size and appearance.
Economical, avoiding unnecessary copying, listing, or
scheduling. They should use copies of engagement clients’
records if applicable.
Arranged in a logical and uniform style. The best
organization is that of the work program. Each section
should have statements of purpose and scope followed by
observations, conclusions, recommendations, and
corrective action.
Clear, concise, and complete.
Restricted to matters that are relevant and significant.
Written in a simple style. While clarity, concision, and
accuracy are desirable qualities of working papers,
completeness and support for conclusions are the most
important considerations.
2. Other Content
a) Working papers should document such matters as how sampling
populations were defined and how statistical samples were
selected.
Page | 19
3. Indexing
a) Indexing permits cross-referencing. It is important because it
simplifies supervisory review either during the engagement or
subsequently by creating a trail of related items through the
working papers.
Page | 20
6. Computerized Working Papers
a) Electronic working papers have the following advantages:
Uniformity of format
Ease of storage
Searchability and automated cross-indexing
Backup and recovery functions
Built-in audit methodologies, such as sampling routines
Page | 21
Control of Working Papers
a) The primary objective of maintaining security over working papers is
to prevent unauthorized changes or removal of information.
The working papers are essential to the proper functioning of
the internal audit activity. Among many other purposes, they
document the information obtained, the analyses made, and the
support for the conclusions and engagement results.
The responsibility for the safety and security of the working papers is
set out in the Implementation Standard above. The IIA has issued two
Practice Advisories to provide guidance on this topic, one on control of
working papers and one on access.
Page | 22
b) One potential use of engagement working papers is to provide support
in the organization’s pursuit of insurance claims, fraud cases, or
lawsuits. In such cases, management and other members of the
organization may request access to engagement working papers. This
access may be necessary to substantiate or explain engagement
observations and recommendations or to use engagement
documentation for other business purposes.
Page | 23
Working Papers - Retention
The chief audit executive must develop retention requirements for
engagement records, regardless of the medium in which each record is stored.
These retention requirements must be consistent with the organization’s
guidelines and any pertinent regulatory or other requirements.
The IIA does not prescribe the length of time that an internal audit
activity should retain its working papers after conclusion of the
engagement. This can only be established by the CAE’s professional judgment
in consultation with the organization’s legal counsel.
Page | 24