STATE OF NORTH CAROLINA COUNCIL OF INTERNAL AUDITING OFFICE OF INTERNAL AUDIT

STATE OF NORTH CAROLINA
COUNCIL OF INTERNAL AUDITING
OFFICE OF INTERNAL AUDIT
PEER REVIEW PROGRAM
T24: TESTING TOOL – WORK PAPER REVIEW
The purpose of this tool is to evaluate the effectiveness of the guidance provided to the internal
audit activity (IA activity) staff and of the coordination with management for planning,
conducting, reporting, and following up of individual engagements. Most of this objective can
be met by examining the work papers for selected engagements. The following review guide is
designed to determine whether the IA activity staff and supervisors are adhering to IIA
Standards and to provide information on which to base recommendations for enhancing the
effectiveness of the IA activity.
Preparation Notes:
1. Obtain and review the IA activity’s policies and procedures for audit and consulting
engagements and work paper preparation to use for criteria to determine if written
for conformance with IIA Standards.
2. Note any condition of noncompliance with the IA activity’s policies and procedures
as you review the selected work papers and complete the next sections of this tool.
3. List the information relative to the work paper file/report to be reviewed in the
tables provided below.
4. Use the W/P Reference column to cite relevant work papers (both from the W/P file
reviewed and from the QA W/P), as necessary, to support your comments and
conclusions.
5. Write brief notes and comments in the reference tables below or refer to the
relevant comments on the Observations and Issues Tool (located in the Appendix)
where they are discussed.
1. Name of audit /consulting engagement:
Dates performed:
Report issue
date:
Date
reviewed:
QA member name:
Comments on exceptions noted:
2. Name of audit /consulting engagement:
Dates performed:
Report issue
date:
Date
reviewed:
QA member name:
T24-1
Testing Tool –
Work Paper Review
STATE OF NORTH CAROLINA
COUNCIL OF INTERNAL AUDITING
OFFICE OF INTERNAL AUDIT
PEER REVIEW PROGRAM
Comments on exceptions noted:
3. Name of audit /consulting engagement:
Dates performed:
Report issue
date:
Date
reviewed:
QA member name:
Comments on exceptions noted:
4. Name of audit /consulting engagement:
Dates performed:
Report issue
date:
Date
reviewed:
QA member name:
Comments on exceptions noted:
T24-2
Testing Tool –
Work Paper Review
STATE OF NORTH CAROLINA
COUNCIL OF INTERNAL AUDITING
OFFICE OF INTERNAL AUDIT
PEER REVIEW PROGRAM
WORKPAPER (W/P) FILE REVIEW
A. Engagement Planning (Standard 2200). Internal auditors
should develop and record a plan for each engagement,
including the scope, objectives, timing, and resource allocations.
A.1. Assess the relevance and completeness of the background
information gathered in advance of the engagement. The
following items are examples of items that should have been
considered/reviewed by the engagement team, in reviewing the
structure, functions, and accountabilities of the customer:
• Organization charts, financial budgets, and reports.
• Relevant organization policies and processes (especially
recent changes).
• Developments/practices in the industry and relevant
government regulations.
• Prior IA activity engagements and their work papers.
• External audit and consulting reports (and work papers,
if available).
Conclusion:
1
2
3
4
A.2. Review the consultative process with the customer
(including the opening conference — either before or after the
preliminary survey of controls). Evaluate the means used to
obtain information about management controls, business
processes, and accountabilities, as well as such techniques as
surveys, interviews, and on-site observations. Determine
whether the opening conference included:
• The customer’s expectations and suggestions for the
engagement.
• Planned scope and objectives for the engagement.
• Agreement on the risks in the area covered.
• Special concerns and requests of customer management.
• Potential use of self-assessment and/or participation of
customer staff in the engagement.
• Other measures of leveraging IA activity resources and
reducing cycle time.
• When and with whom issues and potential
recommendations will be discussed.
Conclusion:
T24-3
Testing Tool –
Work Paper Review
STATE OF NORTH CAROLINA
COUNCIL OF INTERNAL AUDITING
OFFICE OF INTERNAL AUDIT
PEER REVIEW PROGRAM
WORKPAPER (W/P) FILE REVIEW
A.3. Assess the preliminary survey of relevant controls —
including discussions with customer management and staff,
flowcharting and other systems analysis, systems walkthrough,
etc., covering the principal areas of activity and the related
management controls. Determine whether appropriate matters
were considered, preliminary survey results were satisfactory,
and these were adequately documented. Here are some examples
of specific items: (Standards 2201, 2210.A1, 2220.A2)
• Strengths and weaknesses in systems and processes (and
relevant causes).
• Significant policies and operating practices.
• Clear assignment of responsibilities and accountabilities.
• Adequate supervisory reviews and controls to
prevent/detect override.
• Were major processes, systems, and controls identified?
• Was the potential for fraud considered?
• Were potential high risks/exposures identified and noted
for testing?
• Were potential process improvements noted for further
review?
• If significant areas were not reviewed or potential
weaknesses noted during testing, was an appropriate
discussion with IA activity management documented
and/or an adequate explanation of why this was not done?
Conclusion:
1
2
3
4
A.4. Planning memorandum (Standard 2201.C1) – determine
whether engagement scope and objectives reflect significant
risks/issues disclosed by the background information,
preliminary survey, and discussions with the customer. In
particular:
• Was there adequate consideration of these risks/issues in
establishing the time budget and the timing of the phases
of the engagement?
• Were the risk assessment and other factors from the IA
activity’s annual plan appropriately taken into account
(particularly if there were significant differences in the
annual plan and the engagement plan)?
• Were appropriate staff, including specialists, assigned
and was full advantage taken of the potential for selfassessment, availability of customer staff, and other
assistance from outside the IA activity? (2230)
T24-4
Testing Tool –
Work Paper Review
STATE OF NORTH CAROLINA
COUNCIL OF INTERNAL AUDITING
OFFICE OF INTERNAL AUDIT
PEER REVIEW PROGRAM
WORKPAPER (W/P) FILE REVIEW
• Was the prior audit and current planned work of the
external auditors taken into account, including the
possibility of a joint engagement?
• If there are other oversight/monitoring functions
(evaluations, process improvement, quality assurance,
etc.), was their past and planned work taken into account,
including the possibility of a joint engagement?
Conclusion:
1
2
3
4
A.5. Engagement program (Standard 2240) – Determine
whether it considered such factors as listed below, changes to it
represented appropriate empowerment of staff, and these were
discussed and agreed with IA activity management:
•
Based on the preliminary review and planning
memorandum.
• Appropriately covered the planned scope and objectives.
• Reviewed and approved by IA activity management.
• Prompted the engagement team to look for process and
other customer service opportunities improvement.
Conclusion:
A.6. Scope of work (Standard 2110.A2) – based on the
objectives and scope set out in the engagement program, up to
five of the following assurance Standards areas should be
covered and/or other relevant consulting services areas:
•
Reliability and integrity of financial and operational
information
• Compliance with policies, plans, procedures, laws, or
regulations
• Safeguarding assets
• Efficiency of operations
• Accomplishment of established goals and objectives for
programs or operations (program effectiveness)
A.6.1 Reliability and integrity of information – did the program
include appropriate procedures to determine whether systems
and controls provided for:
• Adequate, complete, and current records?
• Properly reviewed and approved transactions?
• Accurate, timely, and relevant information produced by
the systems?
• Adequate controls to detect/prevent errors and
T24-5
Testing Tool –
Work Paper Review
STATE OF NORTH CAROLINA
COUNCIL OF INTERNAL AUDITING
OFFICE OF INTERNAL AUDIT
PEER REVIEW PROGRAM
WORKPAPER (W/P) FILE REVIEW
irregularities?
A.6.2. Compliance with policies, plans, procedures, laws, or
regulations:
1
2
3
4
•
Were there skills and expertise represented on the
engagement team, did the program contain tests of
policies, plans, procedures, and laws or regulations and
were they performed and documented adequately? If not,
are there appropriate justifications of omissions and
approval of management of the IA activity?
A.6.3. Safeguarding of assets – did the program contain
appropriate procedures and were they performed and
documented adequately to cover, for example:
• Adequate separation of duties and staffing of functions?
• Rotation of sensitive duties among competent
employees?
• Adequate verification and reconciliation procedures?
• Review and approval by authorized supervisors,
including surprise reviews?
• Adequate physical protection of assets and records?
A.6.4 Efficiency of operations – did the program contain
appropriate procedures and were they performed and
documented adequately to cover:
• Clear identification of operating standards and
measurement criteria?
• Whether standards are aligned with organizational goals
and objectives?
• Management and staff understanding of their
application?
• Whether standards are being met?
• Identification and analysis of deviations from standards?
• Identification and analysis of inefficient or uneconomic
use of resources and other opportunities for
improvement?
Conclusion:
A.7. Accomplishment of established objectives and goals for
operations or programs (program effectiveness) – was the
program adequate and was it performed so that there was
appropriate coverage of:
• Identification and assessment of relevant objectives and
goals, along with the systems to measure how well these
were met?
T24-6
Testing Tool –
Work Paper Review
STATE OF NORTH CAROLINA
COUNCIL OF INTERNAL AUDITING
OFFICE OF INTERNAL AUDIT
PEER REVIEW PROGRAM
WORKPAPER (W/P) FILE REVIEW
• Appropriate measurement criteria for evaluating
operation or program effectiveness?
• Determination of whether objectives and goals were
met?
• Assessment of whether customer’s techniques and data
measured effectiveness and led to remedial actions where
appropriate?
• Evidence that process improvement was part of the
operation or program?
• Evidence that the engagement team looked for and
pursued additional potential improvements and other
customer service opportunities?
1
2
3
4
Conclude as to overall adequacy of preparation and engagement planning, scope of the
work, and related program. Identify opportunities for improvement:
WORKPAPER (W/P) FILE REVIEW
B. Examining and evaluating information (Standards 23102340) – to assess how well the engagement team executed the
program, documented their work, and supported their
conclusions and recommendations.
B.1. Through review and testing of the workpapers, evaluate
whether the nature and extent of the engagement team’s work
met the stated scope and objectives and represented a reasonable
execution of the program.
B.2. Determine whether the workpapers support the findings,
conclusions, and recommendations contained in the report. Did
these show condition, criteria, risk, and potential effect?
B.3. If findings, particularly if they appear significant, in the
workpapers were not included in the report, evaluate the
explanation of why these were excluded.
B.4. Appraise engagement team/supervisory relationships and
actions when the conditions encountered indicate changes
should have been made to the audit procedures — were they
made or not, and how were the new procedures communicated
and approved (and documented)?
Conclusion:
T24-7
1
2
3
4
Testing Tool –
Work Paper Review
STATE OF NORTH CAROLINA
COUNCIL OF INTERNAL AUDITING
OFFICE OF INTERNAL AUDIT
PEER REVIEW PROGRAM
WORKPAPER (W/P) FILE REVIEW
B.5. Guidance for workpaper preparation suggests standards for
labeling, referencing, content, and documentation formats. If an
automated workpaper package is used by the IA activity, similar
standards should be incorporated and the appropriate electronic
evidence should be indicated therein. Determine whether the
following were applied (or reasonable alternatives were
followed):
• Cross-referenced to the program.
• Labeled with a heading describing the engagement, its
date or period, and the specific test or procedure the
workpaper supports.
• Initialed and dated by the auditor and, for at least section
summaries and a reasonable sample of detailed
workpapers, by the reviewer.
• Indexed and numbered systematically.
• Documented or referenced to show clearly the source of
information or materials examined/tested.
• Footnoted with explanations of any symbols used.
• Adequately explained/justified as to how samples and
other tested items were selected.
• Summarized descriptions of test results, conclusions, and
recommendations.
• Evidence of discussions with the customer about
findings, recommendations, and possible remedial
actions — with the customer’s response, where
appropriate. No “loose ends” or other evidence of
unresolved matters.
• Orderly filing, ready for permanent storage.
1
2
3
4
Conclude as to overall program execution and other elements of engagement
performance, as evidenced by the work papers. Identify opportunities for improvement
and other “best practice” alternatives.
WORKPAPER (W/P) FILE REVIEW
C. Due professional care (Standard 1220) – relating primarily
to additional care and procedures employed in assisting
management to deter and detect fraud.
C.1. Determine what the auditors did to assist management in
testing and evaluating adequacy/effectiveness of internal
controls, commensurate with exposures/risks in areas audited,
and whether these audit steps were reasonable for deterrence and
T24-8
1
2
3
4
Testing Tool –
Work Paper Review
STATE OF NORTH CAROLINA
COUNCIL OF INTERNAL AUDITING
OFFICE OF INTERNAL AUDIT
PEER REVIEW PROGRAM
WORKPAPER (W/P) FILE REVIEW
detection of fraud. For example, did they determine whether:
• The organizational environment fostered adequate
control consciousness?
• Realistic organizational goals and objectives were set?
• Written policies, including a code of conduct, existed —
that described prohibited activities and actions to be
taken when violations are discovered?
• Appropriate authorization policies were established and
maintained for transactions, contracts, and other
commitments of resources?
• Policies, procedures, reports, and other mechanisms were
developed to monitor activities and safeguard assets,
particularly in high-risk areas?
• Communications channels provided management with
adequate and reliable information, particularly with
respect to confidential employee reporting?
• There were potential opportunities for enhancement of
controls and these were included for discussion and
consideration as recommendations?
C.2. Determine whether the auditors were alert to opportunities
that could allow fraud. If these were found, did the internal
auditors:
• Conduct additional tests and investigation directed
toward finding other indicators of fraud — such as
unauthorized transactions, override of controls,
unexplained exceptions, unusual trends, or similar
exceptions?
• Pursued these indicators until there was a determination
whether fraud had been committed and what further
actions, including remedial steps, should be taken?
• Notified proper authorities within the agency/university
and determined that appropriate action would be taken?
1
2
3
4
Conclude as to whether the internal auditors exercised due professional care and
performed the procedures necessary in the circumstances, as well as covering these
matters adequately in their report.
Identify further opportunities for improvement of the audit and reporting process and for
assisting management in improving controls for prevention and detection of fraud.
(These could include new techniques and “best practices” of fraud prevention and
detection, such as a “soft controls” questionnaire, confidential employee hotline for
T24-9
Testing Tool –
Work Paper Review
STATE OF NORTH CAROLINA
COUNCIL OF INTERNAL AUDITING
OFFICE OF INTERNAL AUDIT
PEER REVIEW PROGRAM
reporting improper or suspicious activities, and broad-based self-assessment, evaluation,
and reporting of controls.)
WORKPAPER (W/P) FILE REVIEW
D. Communications with the customer up to completion of
the engagement (Standard 2400) – to assess the effectiveness
of these processes, as evidenced by the work papers.
D.1. Include an evaluation of timing and content of
communications (of potential report matters and other
significant issues) during the engagement, agenda, and
attendance for the closing/exit conference (to enhance buy-in
and likelihood of achieving “closure”), and related customer
relations matters.
E. Supervision (Standard 2340) – to assess the quality of
supervision of the engagement, as well as the empowerment of
staff, adequacy and timing of communication between the
supervisor/reviewer(s) and the engagement team, and adequate
documentation of supervisory involvement.
• Appropriate involvement in preparation and planning for
the engagement, obtaining input from the customer,
determining scope and objectives, and preparation of the
program.
• Assistance, as necessary, in leveraging IA activity
resources, including encouragement of self-assessment
by the customer and participation in the engagement.
•
•
•
1
2
3
4
Appropriate, timely availability during the engagement
for discussion of potential changes to scope and
objectives, customer requests, sensitive issues, etc.
Timely review of work papers and report draft
(preferably stratified into detailed “peer” review and
higher level managerial review of summary work papers
and significant findings and potential report matters).
Appropriate, timely involvement in the closing/exit
conference, including preparation of the agenda.
E.1. Determine whether there was adequate evidence in the work
papers of supervisory guidance and review. Consider both the
level(s) of those with supervisory/review roles and the value
their involvement added to the engagement.
T24-10
Testing Tool –
Work Paper Review
STATE OF NORTH CAROLINA
COUNCIL OF INTERNAL AUDITING
OFFICE OF INTERNAL AUDIT
PEER REVIEW PROGRAM
Conclude as to the adequacy of supervisory guidance and review. Identify opportunities
for improvement, both in supervisory processes and empowerment of engagement staff.
WORKPAPER (W/P) FILE REVIEW
F. Communicating results and follow-up (Standards 24002500) – to assess the effectiveness of report preparation and
issuance cycle, appropriateness of the report(s), and adequacy of
implementation follow-up.
F.1. If the findings or the time needed to finalize the project
made an interim report desirable, determine whether one was
issued to provide the customer with relevant information (e.g.,
for commencement of remedial actions) while awaiting the final
report.
F.2. Determine whether there was an adequate draft or outline
report prepared in time for the closing/exit conference, to enable
the customer and the engagement team to discuss, face to face,
all significant findings and potential report matters. Test such
draft/outline against the work papers to determine whether the
potential report matters are adequately referenced and supported
by the work papers.
F.3. Does the closing/exit conference memo contain adequate
evidence of management’s responses and decisions, indicating
whether they agree with the potential recommendations or, if
they do not agree, they have appropriate alternative actions or
have consciously assumed the risk of not taking remedial
actions?
F.4. Review the report agreement and issuance process for
evidence of adequate, timely communication with the customer,
resolution of differences, and determination of
responses/planned remedial actions.
F.5. Was the final report(s) stratified/segregated into significant
issues and “minor matters” (for resolution by the customer,
without the need for higher levels of management to be involved
or IA activity’s prompt follow-up)?
F.6. Review the final report and assess it as to appropriateness in
relation to the processes documented/discussed in F.4 above, its
indicated distribution, and its timely issuance.
F.7. Determine whether there was timely follow-up (repeated, as
necessary) to ensure that adequate remedial actions had been
taken or appropriate notification made to higher levels of
management.
F.8. Inquire as to how significant matters are communicated to
senior management and the board (e.g., in periodic executive
T24-11
1
2
3
4
Testing Tool –
Work Paper Review
STATE OF NORTH CAROLINA
COUNCIL OF INTERNAL AUDITING
OFFICE OF INTERNAL AUDIT
PEER REVIEW PROGRAM
WORKPAPER (W/P) FILE REVIEW
summaries of important issues, needed remedial actions with
applicability beyond the engagement from which the report
originated, and for dissemination of “best practices”).
1
2
3
4
Conclude as to the adequacy of the report agreement, issuance, and follow-up processes
and identify opportunities for improvement.
WORKPAPER (W/P) FILE REVIEW
G. Engagement management (Standard 2030) – assess the
effectiveness of the use of a time budget and other engagement
process improvement tools.
• Hours budgeted and actual hours by engagement
segment?
• Variances, with explanations of significant variances?
G.1. Did the work papers contain memoranda on engagement
problems and potential improvements to enhance effectiveness,
customer relations, tools and techniques, etc.? In particular, did
these memoranda address potential improvements in the
engagement performance and report issuance cycles?
G.2. Were procedures in place to ensure that the Internal Audit
Director and/or other IA activity management were aware of
engagement problems and opportunities to improve
effectiveness on a timely basis and was there corresponding
evidence in the work papers?
1
2
3
4
Conclude as to the effectiveness of engagement management and continuous
improvement thereof:
Prepared by:
Date:
Reviewed by:
Date:
T24-12
Testing Tool –
Work Paper Review
STATE OF NORTH CAROLINA
COUNCIL OF INTERNAL AUDITING
OFFICE OF INTERNAL AUDIT
PEER REVIEW PROGRAM
T24-13
Testing Tool –
Work Paper Review