Mandatory Guidance
Specifies essential organizational structure, relationships, and characteristics of internal audit services, including attributes, competencies, and behavioral norms.
Recommended Guidance
Provides more specific, non-mandatory guidance, such as Implementation and Supplemental Guidance.
Functional Reporting Line
CAE reports functionally to the Board, providing unbiased assessments directly to the board.
Administrative Reporting Line
CAE reports administratively to a senior executive aligning with organizational goals and operational support.
Governance Activities
Encompass governance, risk management, control systems, reliability of reporting, operational efficiency, and compliance with laws.
ERM Activities
Include establishing context, risk identification, assessment, response, control activities, information, and communication.
Impact
refers to the adverse effect of a risk outcome
Residual Risk
The level of risk remaining after implementing risk mitigation strategies or controls.
COSO ERM Framework
Used for assessing risks across an organization, including strategic, operational, financial, and compliance risks.
Internal Controls Framework
Specifically designed for IT governance development and assessment, supplementing COSO.
Internal Audit Procedures
Include evidence types like inquiry, observation, inspection, vouching, tracing, reperformance, analytical procedures, and confirmation.
Evidence Quality
Components include relevance, reliability, sufficiency, appropriateness, and persuasiveness.
Effective Interviewing
Involves preparing, conducting, and documenting interviews with appropriate management representatives.
Management's Assertions
Include authorization, validity, accuracy, timeliness, confidentiality, integrity, and availability.
Analytical Procedures for internal auditors
what could I do to find where someone is circumventing controls? An employee always just being under the approval limits
Efficiency analytics: shows auditee if they are being inefficient
Sampling 1) missing because client can’t find the support
count as an observation
Communications about Audit Findings
Include interim, preliminary, and final engagement communications, detailing observations, facts, and conclusions.
Fraud Triangle
Comprises pressure/incentive, rationalization, and opportunity, adapted in the fraud diamond and M.I.C.E. models.
Theory of Differential Association
Individuals learn criminal behavior from close social groups.
Psychology Traits
Include narcissism, Machiavellianism, psychopathy, low self-control, hedonistic, and confidence in one's authority.
Materiality
Materiality does not have to be quantitative and could relate to a specific severity of impact such as reputational damage.
Fraud
Any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain.
Red flags of a toxic culture
Signs include lack of strong "tone at the top," insufficient skepticism in financial reporting, and poor communication among participants.
Fraud detection methods
Include whistleblower hotlines for reporting suspicious activities anonymously and process controls like reconciliations and internal audits.
Forensic accounting data analytics
Techniques like rules-based descriptive tests, keyword searches, topic modeling, statistical analysis, and data visualization for fraud detection.
Fraud specialist
Utilized for fraud awareness training, assessing antifraud programs, testing fraud controls, investigating improprieties, and conducting full-fledged investigations.
Reporting on fraud investigations
Involves assisting in fraud risk assessment, developing data analysis tools, providing fraud awareness training, and informing management of potential risks.
Investigative interviewing
Crucial steps include capturing allegations, planning, conducting interviews, and reporting findings while considering biases, rapport, and question structure.
Expert witness
Requirements include offering opinions based on specialized knowledge, maintaining neutrality, clear communication during testimony, and awareness of trick questions.
likelihood
assesses the probability of the risk occurring.
Inherent limitations of internal controls
cannot prevent bad judgments or decisions, or external events that can cause an organization to fail to achieve its operational goals
High quality evidence
you created/3rd party directly
Medium quality evidence
got from 3rd party through the organization
Low quality evidence
company created
Sufficient evidence
has the internal auditor obtained enough evidence? Does the evidence corroborate with another?
Appropriate evidence
measure of the quality of audit evidence, that is, its relevance and reliability
Persuasive evidence
component evidence; reasonably free from error and bias; enables the internal auditor to formulate well-founded conclusions
Relevant evidence
is the evidence pertinent to the audit log? Logically support? Timely; produced and able to be used to support conclusion or advice?
Reliable evidence
did the evidence come from credible sources? Directly obtain the evidence?
Sampling 2) missing because it was voided and never used
check if it was truly voided and then randomly test for another sample item
Conclusion statements
“I am % confident that the true, but unknown, population deviation rate is less than or equal to %.” The confidence interval is 100% minus the risk of assessing control risk too low. The deviation rate is the upper deviation limit that the chart returned.
If the achieved upper deviation limit is less than or equal to the tolerable deviation rate, the quantitative attribute sampling results indicate
the tested control is acceptably effective. Conversely, if the achieved upper deviation limit is greater than the tolerable deviation rate, the quantitative results indicate that the tested control is not acceptably effective.
Statistical sampling
measure the sufficiency of evidence obtained and quantitatively evaluate the sampling results. quantify, measure, and control sampling risk. normally thought to provide more persuasive evidence, but is costlier
Statistical sampling step 1
Identify a specific internal control objective and the prescribed control(s) aimed at achieving that objective.
Statistical sampling step 2
Define what is meant by a control deviation
Statistical sampling step 3
Define the population and sampling unit
Statistical sampling step 4
Determine the appropriate values of the parameters affecting sample size
Statistical sampling step 5
Determine the appropriate sample size.
Statistical sampling step 6
Randomly select the sample
Statistical sampling step 7
Audit the sample items selected and count the number of deviations from the prescribed control.
Statistical sampling step 8
Determine the achieved upper deviation limit
Statistical sampling step 9
Evaluate the sample results
Non-statistical sampling
judgemental sampling. Allows more latitude regarding sample selection and evaluation. Ex: haphazard
No confidence statement (ex: “I am 95% confident that…”)
Forensic investigations
Systematic examination of financial records to uncover fraud or irregularities
Dispute services
Offering specialized accounting services to resolve financial disputes or litigation (investigating financial discrepancies, providing expert witness testimony, assessing damages and losses)
Litigation services
Providing accounting expertise for legal proceedings and disputes. Assessing financial evidence, offering expert witness testimony, quantifying damages or losses, analyzing financial data for legal arguments
Fraud auditing
Examination of financial records to detect and prevent fraudulent activities. Examining potential fraud indicators, investigating suspicious transactions, gathering evidence for legal proceedings, implementing fraud prevention measures.
Narcissism
self-absorbed focus highlighted by delusions of grandeur as well as a preoccupation with power, prestige, and vanity; accompanied with a lack of empathy to others.
Machiavellianism
Someone who will disregard morality in favor of deceit in order to achieve personal gain
Psychopathy
Low levels of empathy alongside high levels of impulsivity, paired with antisocial behavior highlighted by selfishness, callousness, and remorselessness
Low self-control
engage in actions that promote immediate gratification and provide a benefit to the individual—despite the associated risks and potential for harm. (develops during childhood)
Hedonistic
value indulgence and the pursuit of wealth. (extreme emphasis on material success)
Confidence in one’s own authority
identified as a classic abuse of power for personal or company gain.
FCPA
FCPA stands for Foreign Corrupt Practices Act. It is a US law that prohibits bribery of foreign officials by companies listed on US stock exchanges.
6 topics that are pertinent for internal auditors focused on compliance
anti bribery, record keeping controls, due diligence, internal investigations, related business issues, measures for steering clear of FCPA violations
Whistleblower hotlines
most common method of fraud detection
allow individuals to report their concerns about suspicious activities and remain anonymous
Process controls
most common detective control
detect fraudulent activity include reconciliations, independent reviews, physical inspections or counts, certain types of analysis, and internal audits or other monitoring activities.
Proactive fraud detection procedures
data analysis, continuous auditing, and the use of other technology tools that can flag anomalies, trends, and risk indicators warranting attention.
Rules-based descriptive tests and reporting
historical data with simple and complex analytical weighted tests, significant value can be achieved to identify areas of risk
Keyword search
process scans free text fields and unstructured data sources to identify suspicious or high-risk language used. Companies can develop their own library of high-risk terms that incorporate industry and company-specific jargon, acronyms, and cultural slang
Topic modeling and linguistic analysis
text analytics to identify suspicious phrases, high-risk topics, or unusual patterns of behavior in the free text components of the data. Beyond keyword searching, topic modeling seeks to cluster, quantify and group the key noun or noun phrases in the data, enabling the investigative team to quickly gain an understanding of what information may have been compromised or the corrupt intent of certain business activities
Statistical analysis and machine learning
leverages historical facts in the data and machine learning to make predictions about future or otherwise unknown events. The incorporation of statistical models into this approach further increases the confidence that items identified as outliers warrant additional review, thus limiting the amount of false positives and increasing the efficiency of the review process
Data visualization: pattern and link analysis
provides insights, hidden patterns, and relationships from vast, seemingly unrelated data sources
When to use a fraud specialist
Conducting fraud awareness training.
Assessing the design of antifraud programs and controls.
Testing the operating effectiveness of fraud controls.
Investigating improprieties and whistleblower complaints.
Conducting a full-fledged investigation at the request of management or the audit committee
Only _____ can offer opinions, which must be based on specialized knowledge
expert witnesses
Expert witnesses must maintain ______ and advocate only for their opinion, not the client or attorney
neutrality
CVs
validate credentials
engagement letters
outline terms, including disclaimers, indemnification, and payment terms.