Key Audit and Risk Management Concepts - Essay Example

+ Supervisor Submitted Part (A) Control and Risk Introduction The “COSO Model” is an integrated framework used by organizations in developing, implementing and assessing internal control with the objective of achieving improved performance. The model facilitates control and mitigation of risks to an appropriate level thereby enhancing managerial decision making and governance strategy. “Recently, organizations have advanced to become technologically driven and the stakeholders require them to become more transparent, responsible and accountable” (Arwinge 2013, 89). Due to these factors, entities incorporate this integrated framework in their operations to efficiently and effectively maintain internal control systems thus increasing their likelihood of achieving organizational goals and objectives. Internal control It is the process undertaken by senior and middle class managers in providing assurance with regards to the organization’s ability to achieve its objectives of compliance, reporting and operations. Internal control involves inclusion of policies and procedures into actions of people at different levels of the organization. However, internal control is faced with risks and uncertainties such as human error inherent in judgmental analysis causing it to have a limitation of not achieving absolute assurance. Purposes of the framework The framework is integrated into organizations to facilitate efficiency in different activities that will illustrate the managerial commitment in achieving set objectives and in return develop confidence from stakeholders. The activities can be summarized as follows: Operations The activity relates to the achievement of the fundamental objective of organizational consistency and growth while depending on the entities’ structure, industry and performance. “Internal control framework will facilitate efficiency in operations hence increase quality and reduce waste” (Moeller 2011, 121). Further, the organization will have reduced production costs, improved innovations and stakeholder satisfaction. Reporting Internal control provides preparation of reliable and accurate reports. Reporting may relate to financial and non financial reporting or internal and external. Internal reporting is influenced by requirements such as strategic decisions, performance metrics and operational plans while external reporting is mostly regulatory or standard by accounting bodies. External financial reporting objectives Reliable reports from the internal control framework are used as a prerequisite in accessing the capital markets and also a basis for investors to analyze performance. In addition, it is standard for organizations to report on internal controls as required by accepted accounting principles. External non-financial reporting In regards to the international organization for standards (ISO), organizations may report on their conformance with the quality standards through an independent auditor. Internal financial and non-financial reporting Internal reporting facilitates the management team with crucial information for decision making and assessment of activities that may enhance the general performance. Compliance As stated by Moeller 2011, (56), to enhance internal control organizations must undertake their activities in accordance with the set laws and regulations. The internal control framework will ensure alignment of these requirements into the organization and thereby enhancing compliance. Internal control framework components Control environment It is the foundation of all the other components of internal control and includes a set of standards, structures and principles for carrying out the framework in the organization. Directors set the tone regarding the importance of internal control while managers reinforce the expectations at different levels of the organization. Therefore, the control environment provides integrity, discipline, structure and process to the internal control. The resulting control environment will have a pervasive impact on the control system and hence important on the overall performance. Some principles relating to the control environment include; the organization demonstrates ethical values and commitment to attract deploy and retain competent staff. Likewise, there should be independence, responsibility and accountability of organizations individuals. Risk assessment According to Taylor 2014 (67), a risk is the likelihood that an event may occur and affect adversely achievement of objectives. Risk assessment involves a dynamic process of identifying and analyzing risks for the objective of achieving optimal results. Given that risks change with time, the assessment will form a basis for managing future occurrences relating to more implications or loss. Managing risks involves establishment of possible changes and setting objectives that are linked at different levels of the entity. Its principles entail; organization sets specific objectives, identifies possible risks across the entity, considers potential fraud during risk assessment and identifies changes that could significantly impact the internal control framework. Control activities This component relates to actions generated through policies and procedures that ensure management’s directive to minimize risks are undertaken. They are carried out on all levels of the organization and stages involved in the business process while also using the technological environment. “These actions may be customized to either be preventive or detective in nature through authorizations and approvals, reconciliations, verifications and business performance reviews” (McKay 2011, 235). In addition, segregation of duties is used in selection and development of control mechanisms given that more people will be accountable for a given activity. Its principles are defined as; the organization creates control activities that mitigate risks in achieving set objectives, it develops control measures over technology and deploys procedures and policies to be followed in all levels of the entity. Information and communication Information is a crucial component of the internal control framework in effectively implementing control strategies and policies that attain organizational goals. The managerial team generates and obtains information from both internal and external sources to support functions of other components of the internal control framework. They also use information in formulating strategic ideas through judgment and forecasting. Communication involves a continuous process of sharing and providing information that gives clear directions both internally and externally. Internal communication is done across the entity from top to down and thereby enabling the subordinate staff to receive a clear message on control responsibility. Externally, communication delivers information to stakeholders regarding the organization’s expectations and requirements. Its principles entail; the organization uses relevant and quality information, communicates its objectives and always stays in contact with external parties. Monitoring activities Monitoring of the components of internal control involves ongoing or separate evaluations. Ongoing processes are integrated into business processes at all levels of the entity while separate investigations are conducted periodically. Implementation of each evaluation process will depend on the effectiveness of ongoing evaluations, risk assessment and other management considerations. In this component of internal control, analyses are done against the established criterion by regulators and standards set by respective bodies to establish any deficiencies or incompetence. The findings are then communicated to the board of directors who deploy counter measures to enhance control. Its principles are; the organization evaluates the internal control and communicates deficiencies to the senior managers. Application of the framework in a computerized environment Independent auditors An independent auditor is engaged by an organization to audit or examine its effectiveness of the internal control in financial reporting. The auditor will examine the entity’s financial statements if due process has been followed and that they represent a true and fair analysis. Robertson and Allan 2005, (110) indicate that auditors can assess the organization’s system of internal control in regards to the framework by investigating how the organization has selected, established and deployed control measures. They may use computer aided software to establish the reliability of the reported figures. Professional organizations Bodies providing guidance to other entities on operations, compliance and reporting may consider their standards in comparison to the framework. By incorporating the framework into their guidelines, it is possible to establish better standards whereby all parties involved will benefit from the advancement. This will involve restructuring and reorganization of activities to suit entities that have advanced technologically. Board of directors The board should assess the probable risks that may be encountered in the organization and develop policies to mitigate such risks in relation to McKay 2011, (135). They also require feedback on evaluation of the internal control from either senior managers or internal auditors who are to review application of the framework. They also need to update their system to match technological advancements through analysis of the existing system using illustrative tools. Part (B) Critical overview of audit software IDEA is data analysis software designed to help auditors in evaluating accounting and financial systems in order to detect fraud and meet documentation standards. As stated by Curtis and Payne 2014, (23) it is a powerful and user-friendly tool that allows quick importing, joining, analyzing, sampling and extracting data from any source including statements printed in PDF or text files. IDEA can conduct any type of file interrogation thus making it highly versatile with a wide range of information sources for the auditing process. Main features Import and export data IDEA allows users to import data from a multitude of formats that may include files derived from large mainframe computers and any accounting software. Further, data can be imported from legacy mainframes and big ERP systems in order to evaluate compliance in conducted operations. “By using IDEA, data can be read from texts of both fixed and variable lengths, AS-400, Microsoft Access or excel, XML, SAP and AIS databases. Users of IDEA can use ODBC to connect to all relational databases such as Oracle, SQL, DB2 and SAP” (Gee, 2014, 54). In the case of reporting, IDEA can save files into different formats including PDF, HTML, Excel, Access, and many more depending on the needs of users. Organize data The software effectively explores data by adding extra fields and grouping them relatively for further analysis. It creates a new database that can be physically sorted in a given order and organizes the data using group record tasks that match indexed fields into collapsible units. IDEA as indicated by Mueller 2011, (188) can be used to convert formats, manipulate entered text and compute numeric financial data. In addition, there are custom functions where the user can create own equation functions using visual basic in a rich interface. In an effort to maintain convenient visibility, results and findings are organized in a graphical format using scatter diagrams, histograms, bar graphs and flow charts. Likewise, it links related fields that can be accessed easily through clicking on a value in a field and assign the preferred action. Analyze data IDEA’s powerful tasks and ease of use have enabled accountants and auditors to conduct personal analysis of financial reports easily. It can extract specific records efficiently by identifying items that satisfy a given criteria. In analysis of data, users can identify missing and duplicate records within the database such as numbers, addresses or insurance claims. In addition it also searches for gaps in numeric or alphabetic sequences in order to detect possible fraud or any other irregularities while using Benford’s law. “The law states that digits and their sequences in a dataset should follow a predictable pattern thus any inconsistency is analyzed and compared to predict results” (Caseware international Inc 2002, 12). Also, IDEA can be used to forecast future data by analyzing trends in the historical and current data. By using correlation, trend analysis and time series users can predict the future position of a company. Sampling Users of IDEA can develop samples and calculate their sizes using different mechanisms based on the parameters entered. These mechanisms entail; systematic sampling which extracts a number of records from a database at equal intervals, Random sampling which generates its cluster automatically and monetary sampling which uses cell intervals or classical proportions to create samples. Report and review of data IDEA develops a record of the changes made to all its databases in a project and maintains an audit log or trail of all operations and thus making it easy for users to view history of each tasks performed. Further, the software generates a project overview that provides a graphical audit trail for an entire working folder. Application of the software by auditors Auditors of a company either external or internal may use IDEA in evaluating the sales figures as indicated in the screenshots (Verschoor 2008, 345). First the auditors will extract all information relating to analysis of the sales figures and inventories. The next step is for summarization and stratification of data into identifiable groups thereby enhancing gap detection. IDEA will then generate a detailed list of findings where inconsistencies and errors are displayed. The information is used by auditors to form an opinion on the reliability of the sales entries. Application by IT experts “IDEA can be used by IT experts in a dynamic environment to perform security reviews and analyze network operations. Likewise, they can use the software in review of phone and firewall logs to determine a specific objective” (Caseware international Inc 2002, 12). The procedure will involve extraction of the required entries, for example in managing a network, the IP addresses used and security logs used to access the network. The IT technician will then organize the derived data in accordance with their characteristics by using the stratification methodology in the IDEA software. Gap detection is undertaken to identify where the network has experienced loopholes and thereby evaluating the security status. Analysis of the network’s security convenience is undertaken by the IDEA software that generates findings for review by the It specialist. The software through a simple click will create a report of the loopholes and recommend further actions. Screenshots Extraction Stratification Gap detection Sorting References CASEWARE INTERNATIONAL INC. (2002). IDEA data analysis software. Toronto, CaseWare International. CURTIS M.B., & PAYNE E.A. (2014). Modeling voluntary CAAT utilization decisions in auditing. Managerial Auditing Journal. 29, 304-326. GEE, S. (2014). Fraud and fraud detection: a data analytics approach. OLOF ARWINGE. (2013). Internal Control. Physica-Verlag HD. http://lib.myilibrary.com?id=416210. MCKAY, S. (2011). Risk assessment for mid-sized companies: tools for developing a tailored approach to risk management. New York, NY, American Institute of CPAs. MOELLER, R. R. (2011). COSO enterprise risk management: establishing effective governance, risk, and compliance processes. Hoboken, N.J., Wiley. MUELLER, J. (2011). Mastering IDEAScript: the definitive guide. Hoboken, N.J., Wiley. TAYLOR, L. (2014). Practical enterprise risk management: how to optimize business strategies through managed risk taking. http://search.ebscohost.com/login.aspx?direct=true&scope=site&db=nlebk&db=nlabk&AN=783325. ROBERTSON, J., & ALLAN, W. (2005). Risk and Control Strategy. Burlington, Elsevier. http://public.eblib.com/EBLPublic/PublicView.do?ptiID=300692. VERSCHOOR, C. C. (2008). Audit committee essentials. Hoboken, N.J., John Wiley & Sons, Inc. Read More