4 T H EDITION

Internal Auditing:
Assurance &
Advisory Services

Internal Auditing: Assurance &Internal

AdvisoryAuditing:
Services,Assurance
4th Edition&©Advisory
2017 byServices,
the Internal
4th Edition
Audit Foundation.
© 2017 by the Internal Audit Foundation.
 CHAPTER 10

Audit Evidence and Working

Papers

Internal Auditing: Assurance &Internal

AdvisoryAuditing:
Services,Assurance
4th Edition&©Advisory
2017 byServices,
the Internal
4th Edition
Audit Foundation.
© 2017 by the Internal Audit Foundation.
Chapter 10: Audit Evidence and Working
Papers
LEARNING OBJECTIVES

◼ Understand what it means to gather and

evaluate sufficient appropriate audit
evidence.
◼ Know the manual procedures used by
internal auditors to gather audit evidence.
◼ Be familiar with selected computer-
assisted audit techniques, including
generalized audit software.
◼ Understand the importance of well-
prepared audit working papers.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Chapter 10: Audit Evidence and Working
Papers
STANDARDS RELEVANT TO
MANAGING THE INTERNAL AUDIT
FUNCTION

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
 Chapter 10: Audit Evidence and Working
Papers
AUDIT EVIDENCE

 The quality of internal auditors’ conclusions and advice depends on their

ability to gather and evaluate sufficient appropriate evidence to support
their conclusions and advice.

 Gathering sufficient appropriate evidence requires extensive interaction

and communication with auditee personnel throughout the engagement.
Such interactions and communications are critical to conducting the
engagement effectively and efficiently. It is important, therefore, for
internal auditors to be open, communicative, and collaborative.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Chapter 10: Audit Evidence and Working
Papers
PROFESSIONAL SKEPTICISM AND
REASONABLE ASSURANCE
Professional skepticism means:
 Taking nothing for granted
 Continuously questioning what you hear and see
 Critically assessing audit evidence
 Not assuming that auditee personnel are either honest or dishonest

Internal Auditors provide reasonable (not absolute) assurance due to:

 The nature and extent of evidence gathered and the types of decisions made
 Reliance on evidence that is persuasive rather than absolutely convincing
 Audit decisions that are rarely black and white
 The fact that internal auditors’ conclusions and advice must be formed at a reasonable
cost within a reasonable length of time to add economic value

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
 Chapter 10: Audit Evidence and Working
Papers
PERSUASIVENESS OF AUDIT EVIDENCE

Audit evidence is persuasive if it enables the internal auditor to formulate

well-founded conclusions and advice confidently. To be persuasive, evidence
must be:
 
 Relevant. Is the evidence pertinent to the audit objective? Does it
logically support the internal auditor’s conclusion or advice?
 Reliable. Did the evidence come from a credible source? Did the
internal auditor directly obtain the evidence?
 Sufficient. Has the internal auditor obtained enough evidence? Do
different, but related, pieces of evidence corroborate each other?

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Chapter 10: Audit Evidence and Working
Papers
RELIABILITY OF DOCUMENTARY
EVIDENCE

General guidelines for reliability and sufficiency of evidence include:

 
 Evidence obtained from independent third parties is more reliable than evidence
obtained from auditee personnel.
 Evidence produced by a process or system with effective controls is more reliable
than evidence produced by a process or system with ineffective controls.
 Evidence obtained directly by the internal auditor is more reliable than evidence
obtained indirectly.
 Documented evidence is more reliable than undocumented evidence.
 Timely evidence is more reliable than untimely evidence.
 Corroborated evidence is more sufficient than uncorroborated or contradictory
evidence.
 Larger samples produce more sufficient evidence than smaller samples.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Chapter 10: Audit Evidence and Working
Papers
RELIABILITY OF DOCUMENTARY
EVIDENCE (CONT’D)

Documentary evidence is a
significant portion of the evidence
gathered during most internal audit
engagements. The reliability of
documentary evidence depends, to
a large extent, on its origin and the
route it follows before being
examined by the internal auditor.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Chapter 10: Audit Evidence and Working
Papers
AUDIT PROCEDURES

Audit procedures are specific tasks performed by the internal auditor to gather the
evidence required to achieve the prescribed audit objectives. They are applied during the
audit process to:
 Obtain a thorough understanding of the auditee, including the auditee’s objectives,
risks, and controls.
 Test the design adequacy and operating effectiveness of the targeted area’s system of
internal controls.
 Analyze plausible relationships among different elements of data.
 Directly test recorded financial and nonfinancial information for errors and fraud.
 Obtain sufficient appropriate evidence to achieve the prescribed audit objectives
involved in determining the nature, extent, and timing of audit procedures to perform.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Chapter 10: Audit Evidence and Working
Papers
NATURE OF AUDIT PROCEDURES

◼ The nature of audit procedures relates to the types of tests the internal
auditor performs to achieve his or her objectives.
◼ One-to-one relationships between audit objectives and audit procedures are
rare.
◼ Individual audit procedures often provide evidence that is pertinent to more
than one audit objective, and more than one audit procedure often is required
to meet a particular audit objective.
◼ Different types of tests provide varying levels of assurance, take different
amounts of time to conduct, and are more or less expensive.
◼ The internal auditor must weigh the relative benefits and costs of conducting
different types of procedures.
◼ Audit procedures could be manual or computer assisted.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Chapter 10: Audit Evidence and Working
Papers
EXTENT OF AUDIT PROCEDURES.

◼ The extent of audit procedures pertains to how much audit evidence the
internal auditor must obtain to achieve his or her objectives (sufficiency).
◼ An internal auditor must, for example, determine the appropriate
combination of procedures to apply.
◼ The degree to which individual tests are to be conducted also must be
determined.
◼ The internal auditor might decide, for example, that some types of
transactions should be tested 100 percent, whereas others may be tested on a
sample basis.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Chapter 10: Audit Evidence and Working
Papers
TIMING OF AUDIT PROCEDURES

◼ The timing of audit procedures pertains to when the tests are conducted and the
period of time covered by the tests. For example:
■ An internal auditor testing the operating effectiveness of a manual
control over a period of time on a sample basis must take appropriate
steps to gain assurance that the sample selected is representative of the entire period.
■ An internal auditor testing whether transactions are recorded in the appropriate fiscal
year will focus his or her tests on transactions immediately before and after year-end.
■ An internal auditor will test the operation of a computerized application control at a
given time to determine whether the control is operating effectively at that time. The
internal auditor will then rely on different tests, such as tests over access and
modification of application programs during a period of time, to gain assurance that the
control operated consistently over that period of time.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Chapter 10: Audit Evidence and Working
Papers
MANUAL AUDIT PROCEDURES

Commonly performed manual audit

procedures include:
 Inquiry
 Observation
 Inspection
 Vouching
 Tracing
 Reperformance
 Analytical procedures
 Confirmation

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Chapter 10: Audit Evidence and Working
Papers

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Chapter 10: Audit Evidence and Working
Papers
COMPUTER-ASSISTED AUDIT
TECHNIQUES

“In exercising due professional care, internal auditors must consider the use of
technology-based audit and other data analysis techniques.” (Standard 1220.A2)

ISACA defines a technology-based audit technique, or CAAT, as “any automated audit

technique, such as generalized audit software (GAS), test data generators, computerized
audit programs and specialized audit utilities.” Common CAATs include:
 Generalized audit software (GAS) 
 Utility software
 Test data 
 Application software tracing and mapping 
 Audit expert systems
 Continuous auditing

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Chapter 10: Audit Evidence and Working
Papers
PURPOSES AND CONTENT OF
WORKING PAPERS

Because of the many purposes working papers serve, their importance cannot be
overstated. For example, working papers:
 Aid in planning and performing the engagement.
 Facilitate supervision of the engagement and review of the work completed.
 Indicate whether engagement objectives were achieved.
 Provide the principal support for the internal auditors’ communications to the
auditee, senior management, the board of directors, and appropriate third parties.
 Serve as a basis for evaluating the internal audit function’s quality assurance
program.
 Contribute to the professional development of the internal audit staff.
 Demonstrate the internal audit function’s compliance with The IIA’s International
Standards for the Professional Practice of Internal Auditing (Standards).

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
 Chapter 10: Audit Evidence and Working
Papers
TYPES OF WORKING PAPERS

A wide variety of working papers are prepared during an internal audit engagement. The
following list is intended to be illustrative rather than all-inclusive:
 Work programs used to document the nature, extent, and timing of the specific audit
procedures.
 Engagement time budgets and resource allocation worksheets.
 Questionnaires used to obtain information about the auditee, including its objectives,
risks, controls, operating activities, etc.
 Process maps or flowcharts used to document process activities, risks, and controls.
 Charts, graphs, and diagrams, such as a risk map used to plot the impact and
likelihood of business risks.
 Agendas for internal audit team meetings and meetings with the auditee.
 Narrative memoranda used to document the results of interviews and other meetings
with auditees.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
 Chapter 10: Audit Evidence and Working
Papers
TYPES OF WORKING PAPERS
(CONT’D)

 Pertinent auditee organizational information, such as organization charts, job

descriptions, and operating and financial policies and procedures.
 Copies of source documents, such as purchase requisitions, purchase orders,
receiving reports, vendor invoices, vouchers, and checks.
 Copies of other important documents, such as minutes of meetings and contracts.
 IT-related documents, such as program listings and exception reports.
 Accounting records, such as trial balances and excerpts from journals and ledgers.
 Evidence obtained from third parties, such as confirmation responses from
customers and representations from outside legal counsel.
 Worksheets prepared by the internal auditor, such as a risk and control matrix used
to document process-level risks, key control descriptions, the internal auditor’s
evaluation of control design adequacy, the tests of controls performed, and the test
results.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
 Chapter 10: Audit Evidence and Working
Papers
TYPES OF WORKING PAPERS
(CONT’D)

 Other types of working papers prepared by the internal auditor that reflect work
performed (for example, analytical procedures, computerized data analysis, and
direct tests of transactions, events, account balances, and performance
measurements).
 Evidence compiled by the auditee and tested by the internal auditor.
 Controls performed by the auditee and reperformed by the internal auditor (for
example, bank reconciliations).
 Written correspondence and documentation of oral correspondence with the auditee
during the engagement.
 The internal audit team’s write-ups of observations, recommendations, and
conclusions.
 Final engagement communications and management’s responses.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
 Chapter 10: Audit Evidence and Working
Papers
GUIDELINES FOR WORKING
PAPER PREPARATION

Appropriate working paper standardization may include:

 A uniform cross-referencing system for all engagements.
 Consistent working paper layouts.
 Standardized “tick marks” (that is, symbols used on working papers to
represent specific audit procedures).
 A prescription for the types of information to store in permanent or
carry-forward files (that is, files containing pertinent information of
continuing importance for a particular auditee).

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
 Chapter 10: Audit Evidence and Working
Papers
GUIDELINES FOR WORKING
PAPER PREPARATION (CONT’D )

To stand on its own merits, each working paper should:

 Contain an appropriate index or reference number.
 Identify the engagement and describe the purpose or contents of the working paper.
 Be signed (or initialed) and dated by both the internal auditor who performed the work
and the internal auditor(s) who reviewed the work. (Note that such a signature may be
electronic.)
 Clearly identify the sources of auditee data included on the working paper.
 Include clear explanations of the specific procedures performed.
 Be clearly written and easy to understand by internal auditors unfamiliar with the work
performed (for example, an internal auditor who refers to the working paper at a later
date).
The bottom line is that the working paper should contain sufficient information for an
internal auditor, other than the one who performed the work, to be able to reperform it.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Chapter 10: Audit Evidence and Working
Papers
THE LAST WORD ON WORKING
PAPERS

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.