Assurance Engagements

Cards (67)

  • What is an assurance service?
    Assurance services are an objective examination of the evidence for the purpose of providing an independent assessment on governance, risk management, and control processes of the organization.
  • What are the types of assurance engagements?
    • operational
    • security
    • financial/financial reporting
    • compliance
    • performance
    • external business relationships
    • privacy
    • quality
    • due diligence
  • What are operational audits focused on?
    Operational audits are focused on providing assurance on governance, risk management, and controls in regard to the effectiveness and efficiency of operations.
  • What are operational audits NOT focused on in particular?
    Finance or compliance in particular
  • Operational engagements that examine anything about an organisation with an underlying business process are called WHAT in government environments?
    Management audits
  • What should be considered in evaluating the overall effectiveness of the GRC processes of a given business process?
    • Were significant discrepancies or weaknesses discovered from the audit work performed and other assessment information gathered?
    • If so, were corrections or improvements made after the discoveries?
    • Do the discoveries and their consequences lead to the conclusion that a pervasive condition exists resulting in an unacceptable level of business risk?
  • What stakeholders will be responsible for addressing audit recommendations?
    Specific business process owners
  • What are operational ineffectiveness risks?
    • business processes fail to work toward organisational objectives
    • achieving goals in a way that is more costly than the value added or the selected benchmark.
    • sub-optimisation that affects both efficiency and effectiveness (optimising one business process at the expense of the overall goals)
  • Security audits focus on GRCs related to?
    • Safeguarding of assets.
    • Reliability and integrity of information.
  • Security audits can span the operations and facilities or can be focused on one subject, such as information technology security or head office security. Therefore, stakeholders will include all parties directly responsible for the security of the area to be audited, including security guards, if any, and IT professionals.
  • What risks does a security policy include?
    • Unauthorized physical access to or attack on a facility or organizational personnel
    • Theft of or willful damage to products, inventory, supplies, assets, or information
    • Fraud by employees or third parties
  • What can play a major part in providing the most effective and efficient assurance coverage for PUBLIC-COMPANY ICFR audits?
    Internal and external audit coordination and reliance efforts.
    • external auditors focus on the fairness of an organization’s financial statements and ICFR, i.e., for audits of public companies.
    • internal auditors focus on assurance over internal controls but may also review the quality and usefulness of the organization’s managerial accounting and internal reporting systems.
  • What is the objective of financial reporting?
    To prepare relevant and reliable financial statements that fairly and accurately represent the recent historical activities of the organization.
  • What should form the basis for the majority of internal controls?
    Financial reporting objectives
  • What is the objective of assurance audits of ICFR?
    To provide assurance regarding the effectiveness of the controls that help the organization’s financial reporting to be:
    • Reliable.
    • Timely.
    • Transparent.
    • Complete.
  • Who is the owner of the control environment and financial information, including the footnotes and disclosures, which are integral to the financial statements?

    Senior management
  • What are the risks among the events and transactions of a financial/financial reporting audit?
    • New businesses—including mergers and acquisitions.
    • New products and systems.
    • Joint ventures and partnerships.
    • Restructuring.
    • Management estimates, budgets, and forecasts.
    • Regulatory compliance.
    • Fraud risks—often from overstating revenues or assets and/or understating expenses or liabilities.
  • What do compliance audits evaluate?
    Compliance audits evaluate the adequacy and effectiveness of controls that keep the organization in compliance with applicable laws and regulations, contracts, and the organization’s own policies.
  • What are the objectives of an effective compliance program?
    • Identify and discourage intentional and unintentional violations.
    • Detect illegal activities.
    • Ensure that adequate organization-wide compliance training programs are in place.
    • Assist in proving insurance claims.
    • Encourage proper behaviour by providing incentives.
    • Enhance and create corporate identity.
  • The internal audit scope for a compliance review includes checking whether:
    • Written materials are effective.
    • Employees have received communications.
    • Detected violations have been handled appropriately.
    • Discipline has been even-handed.
    • Whistleblowers have not suffered retaliation.
    • The overall compliance function has fulfilled its responsibilities.
  • What are environmental health and safety risks?
    • ineffective organizational reporting structures;
    • the likelihood of environmental harm;
    • damage to the health and safety of workers, customers, or the community;
    • fines and penalties;
    • expenditures mandated by environmental or health and safety agencies;
    • and negative publicity and loss of reputation and public image.
  • What do performance audit engagements assess?
    Whether management has appropriate, necessary, and sufficient monitoring and controlling activities in place to assess how the areas are performing in meeting strategic, tactical, and/or operational objectives and goals.
  • What areas do performance audits assess?
    • The organization as a whole
    • Specific units or functional areas
    • Specific job roles or individuals
  • Performance audits can also determine whether the information is:
    • Gathered and analyzed in a timely enough fashion to be useful.
    • Being leveraged for informed decision making and management control.
  • What should be designed and written to allow personnel to measure progress toward goals?
    Standards and KPIs
  • Performance audit engagements might determine whether:
    • The right things are being measured.
    • The measurement process is efficient and is being performed correctly.
    • Data is collected and analyzed per the desired schedule.
    • Reports highlight the critical information needed for control.
    • The information is being used to make informed decisions.
  • What can be measured can be managed, so failure to measure performance introduces the risk that performance cannot be managed.
  • What are the risks of performance not being managed?
    • Measuring the wrong key performance indicators so that workers or processes fail to work toward organizational goals or objectives.
    • Receiving information too late to be of use.
    • Measuring too many performance indicators rather than just the key ones.
  • How are External Business Relationships (EBRs) defined by the organisations?
    • external business partners
    • extended relationships
    • contractual relationships
  • What are examples of EBRs?
    • Joint venture partners.
    • Outsourced service providers.
    • Agents.
    • Contract workers.
    • Vendors.
    • Franchisees.
  • Internal audits of EBRs range from an audit of a single contract or relationship to an audit of an overall process that includes some organizational processes and some EBR processes. Audits of EBRs often take the form of contract assurance.
  • What are the elements associated with EBRs?
    • Initiating a relationship.
    • Contracting and defining a relationship.
    • Procurement.
    • Managing and monitoring the continued relationship (inc. control environment, objectivity and independence of those responsible for managing and monitoring).
    • Discontinuing the relationship.
  • Risks for external business relationships include all of the risks of the business process that is being outsourced, since the end result is still the organization’s responsibility. The organization will be held responsible for the actions of its partners and perhaps even for the partners of those partners (i.e., the third tier in the supply chain). Contracts can help transfer some of this risk, but other risks, such as reputation risk, cannot be transferred.
  • What controls monitor and manage EBR risks?
    • Finding the most appropriate partners.
    • Establishing controls over partners and contract management.
    • Contract compliance auditing.
    • Customer and supplier relationship management.
  • Internal auditors can perform due diligence audits at the start of a relationship to determine the risks of the EBR misrepresenting the organization’s values.
  • Another risk is that not all EBRs are formally arranged and documented. For example, a procurement professional could have a relationship with an unofficial supplier that weakens the official purchasing contract relationships. Poor partner accounting or reporting is also a risk; this could impact the organization’s required accounting (e.g., there could be uncollected revenues) and reporting (e.g., the organization could be unable to verify if a certain toxic substance is found in supplier subcomponents).
  • What should the internal auditors review to verify that the EBR has sufficient and effective insurance to address insurable risks?
    • Workers’ compensation coverage.
    • Coverage for liability to the public or of professionals.
    • Vehicle insurance.
  • What may allow some EBRs to continue if they have conflicts of interest, e.g. working with a competitor?

    Requiring conflict-of-interest disclosures may allow some relationships to continue if they are within the organization’s risk tolerance level.
  • In some EBRs, the organisation must share confidential information, so what may be at risk?

    Intellectual property
  • What can reduce the risks of theft of intellectual property or the associated revenue streams?
    Clear contracts, which can be designed to share the risk of poor intellectual property control with the EBR, such as a mutual loss of revenue.