Chapter 3 Flashcards
This is a practical method of documenting all the elements of an operational audit review in a form which resembles the traditional internal control questionnaire (ICQ)
Standard Audit Program Guides (SAPGs)
What is the focus of SAPGs?
Its focus is on the risk in operational auditing and the control matrix approach to assessing risk and control effectiveness.
SAPG documents offer an ideal basis for control self assessment. They raise the right questions and encourage management and staff to consider whether controls are satisfactory to address the issues raised.
TRue
Risk and control issues are further divided into two groups, namely:
- Key issues
- Detailed Issues
These are the more significant and crucial points about the system under review and the aim should be always to take them into account during the audit.
Key issues
It takes the user into more of the underlying system considerations, and would be utilized only if there was a potential weakness revealed as a consequence of considering the key issues.
Detailed Issues
Purpose of SAPG
to guide the auditor through an examination of the issues specific to the system or activity with the intention of recording the nature of
measures and controls in place to ensure either that business objectives are achieved, or that risks and exposures are successfully avoided
Suggested form of the SAPG
title page
the risk/control issues
system interfaces
Three separate areas of the SAPG Title page
- an area which records the details of the subject matter covered by the SAPG and a reference number
- an area used to record details about the specific audit project
- a section which describes the control objectives for the relevant system
This is the main part of the SAPG and consists of a table based on the headings.
The Risk/Control Issues
This page of the SAPG is intended to alert auditors to the likely interfaces between the system or activity being addressed in the SAPG and any others.
System Interfaces
It is intended to draw auditors’ attention to systems with input or output connections. These connections may be based solely on data flow or have additional operational implications.
The System Interfaces Table
Risk in Operational Auditing
It is unlikely that any activity or system will operate in complete isolation but will need to interact with other data and systems in order to be fully effective.
At a simple level, such interaction could relate to the input of data from a source system and the generation of amended or enhanced data which can be output to the next process.
Alternative term for the size dimension of risk
Inherent risk
Alternative term for the probability dimension
Control risk or system risk
