Auditing II Ans

The document discusses the five components of an internal control system according to the COSO framework: control environment, risk assessment, control activities, information and communication, and monitoring activities. It also explains the differences between internal audit, which evaluates internal controls at set times, and internal control, which refers to the ongoing systems and procedures that help an organization achieve its objectives. Internal audit is part of the third line of defense while internal control is part of the first line of operational management.

Uploaded by fikremaryam hiwi

1

The auditor should develop and document an audit plan that includes a
description of:

a. The planned nature, timing, and extent of the risk assessment
procedures;
b. The planned nature, timing, and extent of tests of controls and
substantive procedures; and
c. Other planned audit procedures required to be performed so that the
engagement complies with PCAOB standards.

2

The Five Components of an Internal Control System

In 2013, COSO released its revised Internal Control – Integrated
Framework (first released in 1992). The updated framework helps
organizations to design internal controls, implement audit procedures to
assess and improve these controls, and mitigate risks to acceptable levels.

The framework consists of five components that together create an
effective and integrated enterprise controls system.

1. Control Environment

The control environment is how senior management tries to inculcate a
strong sense of ethics and high performance across the whole enterprise.
It includes all the standards, processes, policies, and rules that enable an
organization to implement and improve its internal controls. The control
environment provides a foundation so the company’s other, more specific
controls can:

• Support its strategic objectives
• Assure reliable financial reporting to stakeholders
• Improve business efficiency and effectiveness
• Facilitate compliance with all applicable laws and regulations
• Safeguard assets from the effects of careless errors or malicious activities

An effective control environment includes these seven important factors:

• Integrity and ethical values
• Commitment to competence
• Audit committee or board of directors
• Management philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Human resource policies

These factors demonstrate the organization’s commitment to responsible
and ethical operations. A strong tone from the top is crucial to build a
strong control environment. Senior managers must reiterate the
importance of internal controls and establish the expected standards of
conduct throughout the organization. Only then can the environment help
to:

• Align business processes with applicable laws, regulations, and
  industry-standard practices
• Attract and retain competent staff
• Increase accountability throughout the organization in pursuit of
  objectives

2. Risk Assessment

Risk assessment is the basis for risk management. For effective risk
assessment, management must identify possible changes in the internal
and external environment that may impede the organization’s ability to
achieve its goals. Managers must also:

• Act in a timely manner to manage the effect of these changes
• Consider risk tolerance when assessing acceptable risk levels
• Consider risk severity after considering its velocity, persistence, impact,
  and likelihood

The COSO internal control framework suggests that risk assessment
should be a “dynamic and iterative process” – meaning, risk assessments
should happen at regular intervals. The risk assessment should also
include sub-processes for risk identification, risk analysis, and risk
response.

3. Control Activities

Control activities are the specific actions that allow the enterprise to
mitigate risk and achieve its objectives. These actions are usually
described in standards, policies, and control procedures, and are
communicated to all stakeholders.

Control activities can be preventive, detective, or corrective. They are
performed at all levels of the business and at various stages of business
processes.

4. Information and Communication

Information is an important element in an internal control system
because it supports the other components and allows the organization to
achieve its objectives. Effective, clear, and honest communication is
required to assure that the necessary information is available whenever
required to manage and optimize the internal control system.

Communication then disseminates the information, so the relevant
stakeholders can carry out daily internal control activities. For example, if
an audit identifies a major flaw in cybersecurity, the audit findings should
then be communicated to the IT department, the CISO, and perhaps even
the board or legal team. Those executives will then (ideally) understand
their responsibilities for assuring that the findings are addressed and
internal controls work as expected.

5. Monitoring Activities

Internal or external auditors must regularly monitor the internal control
system to verify that it is functioning properly. They should also evaluate
the findings and communicate internal control deficiencies to top
management and the board.

Per COSO’s framework, ongoing evaluations should be built into routine
operations and performed in real-time. Regular spot checks instead of an
annual “big bang evaluation” can help to identify and fix control gaps
quickly, before the company suffers significant harm.

What’s the difference between internal audit & internal control?
By: Jean-Grégoire Manoukian

If you want to successfully manage risk, it helps to use the
correct risk terms and expressions. Many people use risk terms
without realizing that they may not be using the right
terminology.

It’s easy to become confused because sometimes the field of risk management uses similar terms
for different purposes. For example, “Operational Risk Management” has a different meaning in
the banking and insurance industry, compared to other industries (oil & gas, mining,
manufacturing, chemicals, etc.).

Similarly, the term “audit” can refer either to an internal audit conducted by an organization
itself, or an external audit performed by an auditing firm hired by the organization. Some people
confuse the two when using the term “audit”. This is important because an internal audit and
external audit may assess different things, and have different frameworks and workflows.

Recently, I came across another confusion between two terms: Internal Audit and Internal
Control. The source of the confusion stems mainly from the fact that an internal audit assesses
the effectiveness of controls put in place to mitigate risks. Let’s take a deeper look at both
concepts.

Internal audit is a function performed at specific times


Many people in risk management use this simple formula to explain the difference between
Internal Audit and Internal Control: Internal Audit is a function, while Internal Control is a
system. Internal audits are performed at specific times to assess: 1) if the company has a good
understanding of the risks that it faces, and 2) if the controls put in place to mitigate risks are
effective. There is one very important distinction to be made: it is not the job of internal auditors
to identify risks, nor to specify the controls that are needed. Internal Audit evaluates whether the
process leading to the identification of risks is working well, checks whether controls already in
place are working according to the way they are intended to, and evaluates an organization’s
governance system and process.

Internal control is an ongoing system


Internal Control is made up of procedures, policies and measures designed to make sure that an
organization meets its objectives, and that risks that can prevent an organization from meeting its
objectives are mitigated. While the Internal Audit function is performed by internal auditors,
Internal Control is the responsibility of operational management functions. Another point of
contrast is frequency. An internal audit is a check that is conducted at specific times, whereas
Internal Control is responsible for checks that are on-going to make sure operational efficiency
and effectiveness are achieved through the control of risks. Some risk experts even say that
Internal Control is a part of a company’s day-to-day management and administration.

The relationship between internal audit and internal control


The best way to illustrate the relationship between Internal Audit and Internal Control is to show
where they both fit in the Three Lines of Defense Model. Here’s an image of the model from The
Institute of Internal Auditors:

[Figure: Three lines of defense model from The Institute of Internal Auditors]

Internal Control is part of the first line of defense because it is the responsibility of Operational
Management, which itself is accountable to Senior Management. Internal Audit is part of the
third line of defense. It even assesses the effectiveness of the first (Operational Management
functions) and second (Risk and Compliance Management functions) lines of defense. Moreover,
unlike Internal Control, Internal Audit may report directly to the Board of Directors and
specifically the Audit Committee, in order to maintain a certain independence and objectivity
when assessing other functions in the company that operate at the first two lines of defense.

Finally, if you are considering , knowing the difference between Internal Audit and Internal
Control becomes even more important, because both must be managed in different ways due to
their unique characteristics. Make sure that the software under consideration addresses the
unique needs of both.
4

10.2 DOCUMENTS REQUIRED THROUGH THE PROCUREMENT PROCESS

Form: Purchase Requisition Form
Sample: Annex 12.7
Instructions: All purchases require the staff member who is requesting the goods to
submit an approved purchase requisition form to the procurement unit.
The form must be signed by an authorised signatory within the financial
limits established by the CO’s finance and purchasing policy. In an
emergency, these limits should be increased automatically to help with
more rapid procurement (refer to section 3).
If using PeopleSoft this functionality and workflow approval is in the
system.

Form: Tracking of request for quotes and responses
Sample: Annex 12.6
Instructions: All RFQs that are sent out should be logged and tracked. All
corresponding responses from vendors should also be logged. This will
ensure that there is a clear record of bids, and will help with tracking of
who has and who has not sent in their bids. If using PeopleSoft and
approved vendors this functionality is in the system.

Form: Summary of Bid Analysis
Sample: Annex 12.8
Instructions: Prepare and maintain a Summary of Bid Analysis for each purchase and
ensure this is filed in the Master Purchase Order file.

Form: Sole/Single-Source Justification Form
Sample: Annex 12.11
Instructions: If a decision is made to source from only one provider (refer to section
6.3), a Sole or Single-Source Justification Form must be completed and
filed.

Form: Purchase Orders
Sample: Annex 12.9, Annex 12.10
Instructions: When vendors have been selected, all purchases must be confirmed by
issuing a purchase order. The purchase order forms the contract for the
purchase of goods.
The CO should have or implement a standard purchase order form. The
purchase order must include some standard clauses and terms and
conditions that are normally printed on the reverse of the purchase
order.
If using PeopleSoft the purchase order is generated in the system from
an approved requisition.

Form: Tracking of purchase orders
Sample: Annex 12.13
Instructions: All purchase orders must be tracked using a control log for purchase
orders. This log must be stored in a secure location. PeopleSoft users will
use system functionality to create report.

Form: Received Goods
Sample: Annex 12.12
Instructions: When goods have been received, the following documents should be
completed and filed:
• goods receiving note (including a report of the inspection of goods
  noting any damages, losses or differences in the goods delivered
  against the order)
• copy of delivery note
• copy of final invoice.
• PeopleSoft users will also enter the receipt in the system.

Form: Master Purchase Order files
Instructions: Files for each individual purchase should be maintained with copies of all
relevant documentation, including:
• the purchase request/requisition form
• copy of the request for quotes sent out to prospective vendors
• listing of vendors to whom such requests were sent out
• copies of bids
• summary of bid analysis
• sole/single-source justification (if applicable)
• copies of waivers from donors (if applicable)
• copy of the purchase order
• copy of delivery notes
• goods receiving notes
• copy of the final invoice
• all relevant correspondence between CARE and the final vendor.

Form: Vendor files
Sample: Annex 12.4
Instructions: Maintain separate files for each approved vendor. This file should have
all relevant information relating to the vendor, including:
• vendor questionnaire
• verification of vendor clearance using Bridger. (PeopleSoft users will
  use the system functionality)

Importance of Working Papers

Working papers are an essential part of every audit for effectively planning the audit, providing a record
of the evidence accumulated and the results of the tests, deciding the proper type of audit report, and
reviewing the work of assistants.

Working papers are important because:

• Working papers assist in the planning and performance of the audit.
• Working papers are necessary for audit quality control purposes.
• Working papers assure that the work delegated by the audit partner has been properly
  completed.
• Working papers provide evidence that an effective audit has been carried out.
• Working papers increase the economy, efficiency, and effectiveness of the audit.
• Working papers contain sufficiently detailed and up-to-date facts which justify the
  reasonableness of the auditor’s conclusions.
• Working papers retain a record of matters of continuing significance to future audits.
• The preparation of the working papers is a means to give training to the audit clerks as to how
  to summarize the work done by them.
• The working papers enable the auditor to point out to the client the weakness of the operation’s
  internal control system and the accountancy system’s inefficiency. Therefore, he may be in a
  position to advise his client on how to avoid such pitfalls.
• The working papers enable the auditor to prepare the report to be issued without wasting time.

What Is Auditing?
Auditing, or a financial audit, is an official examination and verification of a business’s
financial records.

The main goal of auditing is to make sure that a company’s financial statements are accurate
and are following regulatory guidelines. Auditing also gives investors, creditors, and other
stakeholders reasonable assurance that they can rely on a company and its integrity.

Now, it’s important to note that auditing doesn’t provide a complete guarantee that every
digit recorded in a company’s financial reports is accurate. Auditors work within a specific,
reasonable margin of error known as materiality. The volume of materiality depends on the
size of the company and its reported revenue and expenses.

For small businesses, an accounting error of a few thousand dollars might be significant, but
for a large corporation like Apple or Amazon, such a material mistake may be considered as a
conventional mistake and not a cause for concern.

7
What are the three types of audits?
First-Party Audits
First-party audits are the internal audits we mentioned earlier. Typically,
they are performed by a company’s staff to measure how well the
company is (or isn’t) achieving business objectives. This ISO audit is a
conformity assessment to check for compliance gaps and to prepare an
organization for an external ISO certification audit (that is, a third-party
audit).

Usually, first-party auditors will be enterprise employees, but they
shouldn’t be vested in the audit results.

Second-Party Audits
A second-party or external audit is usually performed at a customer’s
request (often by an audit firm contracted to act on the customer’s behalf)
on a supplier of products or services.

The second-party audit assures that the supplier is doing what it has
promised to do based on the contractual agreements. In this case,
qualified staff members or employees of an outside consulting firm can
perform a second-party audit.

A company will likely want to combine the results of a second-party audit
with its first-party audits so the company will know when it’s ready for an
ISO certification.

Third-Party Audits
The third-party audit is a certification audit. An organization typically
undertakes a third-party audit to achieve an ISO certification. During the
certification audit, a “certification body auditor” (an auditor formally
certified to perform audits for the ISO standard in question) assesses
whether an enterprise complies with the appropriate ISO standard. If so,
the certification body auditor will award the certification.

As part of this audit process, the auditor may:

• Assess the company’s adherence to the ISO standard’s requirements.
  These could include (but are not limited to) time, temperature,
  responsiveness, and component mixture.

• Look closely at the resources, methods, and environment the company
  uses to transform inputs into outputs and the criteria used to determine
  performance.

• Examine the process controls to ensure they are both efficient and
  effective. The auditor may also take a closer look at daily operations and
  training procedures to verify that the expectations for the standard have
  been met.

Since most ISO standards that are eligible for certification govern systems
(for example, quality systems, information security management systems,
food safety management systems, and environmental management
systems), ISO certification audits are generally system audits.

There are more than 23,000 ISO standards – including the ISO 9000 family
of standards, which govern quality management systems. ISO 9001 is the
only standard in this group eligible for certification. ISO 14001 offers
direction on how to develop an effective environmental management
system. ISO 27001/27002 is an information security standard. These
represent just a few examples of ISO standards organizations may pursue
for certification, including the corresponding surveillance audits.

8
Generally Accepted Auditing Standards, generally termed GAAS, are a
step-by-step guideline that auditors use while performing audits. The audits are of
the financial records of the companies. They make sure that the audit
conforms to correctness and compatibility. They submit the detailed report of
the auditors so that their performance can be verified. The AICPA (American
Institute of Certified Public Accountants) formed a board, commonly called
the ASB (Auditing Standards Board). This board introduced GAAS.
