
CHAPTER 10

1. What are some of the limitations of periodic, manual, and sample-based audits?

Periodic audits are usually carried out at the end of the accounting period, which presents some
limitations. Because the audit is done at the end of the period, a problem could have been going on
for more than a year by the time the internal auditor identifies the errors, and if it had a
cumulative cost or financial loss effect, the sum may be very large by the time it is found, which
could have a bad impact on the organization.

Since technology nowadays plays an important role in our lives, manual audits may not be as
reliable as before. Their limitations include wasted time and high costs and expenses to the
organization; documents may also be exposed to theft or damage, and human errors may be made.
Sample-based audits, on the other hand, may generate a biased selection, as the sample is chosen
statistically, randomly, or by judgment. Where the sample is not appropriate for drawing a reasonable
inference, this can hinder internal auditors from providing sound judgment and recommendations
(Murdock, 2016, p. 232).

2. Explain why auditing every transaction may be a requirement in today's risk environment.

Organizations are always exposed to significant errors, risks, and threats that may result in
financial losses and may elevate levels of risk. Auditing every transaction of an organization helps to
prevent errors and possible risks from occurring. In this way, each transaction is monitored and can be
easily analyzed to identify anomalies as they occur. If errors are detected immediately, internal auditors
can quickly provide solutions and recommendations for dealing with the issue. It may also allow
internal auditors to track and control the risks associated with each transaction.

3. Is auditing all transactions feasible? Why or why not?

In my own opinion, auditing every transaction is not feasible because it would be very
exhausting since businesses have several transactions every day. It will be very expensive to do so, and it
will take a lot of resources and time.

4. Explain how auditing all transactions may in fact enable risk-based auditing and sample-based
auditing perpetuate control-based auditing. Support your answer with examples.

Auditing all transactions using risk-based auditing will help the auditor mitigate the risks in
the main areas. For instance, a business that manufactures furniture audits all the transactions in which
it engages. In this way, it is easier for the company to recognize mistakes, minimize possible risks,
do less work, and carry out solutions and changes to achieve its goals.

Sample-based auditing is a methodology that enables auditors to conclude an audit without
having to audit every single transaction. In the above example, using this approach can also help internal
auditors save resources and time because it helps them to draw judgments and opinions without having
to review any other information or data in the production of furniture, as it would be highly inefficient to
inspect the entire production.

If risk-based and sample-based audits are implemented effectively, this will allow the
organization to have good internal control. In this way, the internal auditor can easily assess the
efficacy of vital controls and examine whether these controls are put in place to reduce risks.
Having strong internal controls in a business that manufactures furniture, or in any other business, will
give assurance to the organization that its resources are properly utilized for their intended purposes.
Strong internal controls can also help the organization to easily detect and avoid anomalies and take
measures or actions to address them.

5. Describe five continuous analysis routines and how they support the efforts of internal auditors.

Each organization can implement several continuous review routines that help to continuously
evaluate the efficiency and effectiveness of controls. One of these routines is the duplicate payment
test, to ensure that liabilities are compensated only once. Another is the segregation of duties test, to
make sure transactions are legitimate and authorized. Critical data should also have continuous
routines to make sure expected values and formats exist and are followed.

Also, check the invoice sequence to detect suspicious number sequencing, and check the staff
and vendor match to identify suspicious demographics and transactions between employees and
vendors. Regularly analyzing these routines would support the efforts of internal auditors and make it
easier for them to conduct audit procedures (Murdock, 2016, p. 234).
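
The five routines named above can be run as automated checks over every transaction rather than a sample. The following Python code is an added example, not part of the original answer; the records, field names, and the `INV-NNNN` invoice format are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data (not real records); all field names are assumptions.
PAYMENTS = [
    {"id": 1, "vendor": "V100", "invoice": "INV-0001", "amount": 1200.00, "created_by": "ana", "approved_by": "ben"},
    {"id": 2, "vendor": "V100", "invoice": "INV-0002", "amount": 560.50, "created_by": "ana", "approved_by": "ana"},
    {"id": 3, "vendor": "V100", "invoice": "INV-0002", "amount": 560.50, "created_by": "cy", "approved_by": "ben"},
    {"id": 4, "vendor": "V200", "invoice": "INV-0005", "amount": 89.99, "created_by": "cy", "approved_by": "ben"},
    {"id": 5, "vendor": "V300", "invoice": "5", "amount": -10.00, "created_by": "ana", "approved_by": "ben"},
]
VENDORS = {"V100": "12 Oak St", "V200": "7 Pine Rd", "V300": "4 Elm Ave"}
EMPLOYEES = {"ana": "9 Birch Ln", "ben": "7 pine rd ", "cy": "1 Ash Ct"}
INVOICE_RE = re.compile(r"^INV-(\d{4})$")  # assumed invoice number format

def duplicate_payments(rows):
    # Same vendor, invoice and amount paid more than once.
    seen = defaultdict(list)
    for r in rows:
        seen[(r["vendor"], r["invoice"], r["amount"])].append(r["id"])
    return [ids for ids in seen.values() if len(ids) > 1]

def sod_violations(rows):
    # Segregation of duties: the creator must not approve their own payment.
    return [r["id"] for r in rows if r["created_by"] == r["approved_by"]]

def format_errors(rows):
    # Critical data: invoice number in the expected format, amount positive.
    return [r["id"] for r in rows if not INVOICE_RE.match(r["invoice"]) or r["amount"] <= 0]

def sequence_gaps(rows):
    # Invoice sequence: numbers missing between the lowest and highest seen.
    nums = sorted({int(m.group(1)) for r in rows if (m := INVOICE_RE.match(r["invoice"]))})
    return [n for a, b in zip(nums, nums[1:]) for n in range(a + 1, b)]

def employee_vendor_matches(vendors, employees):
    # Staff and vendor match: same address after case/whitespace normalization.
    norm = lambda s: " ".join(s.lower().split())
    by_addr = {norm(addr): emp for emp, addr in employees.items()}
    return [(v, by_addr[norm(a)]) for v, a in vendors.items() if norm(a) in by_addr]

if __name__ == "__main__":
    print("duplicate payments:", duplicate_payments(PAYMENTS))
    print("segregation of duties:", sod_violations(PAYMENTS))
    print("format errors:", format_errors(PAYMENTS))
    print("missing invoice numbers:", sequence_gaps(PAYMENTS))
    print("employee/vendor matches:", employee_vendor_matches(VENDORS, EMPLOYEES))
```

Each function returns the exceptions an internal auditor would follow up on, so the output can feed a daily exception report directly.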

6. Explain the concept and use of KPIs and KRIs for management review and operational auditors.

A Key Performance Indicator (KPI) is a measurable value that indicates how successfully a
business achieves its goals and objectives such as revenue, production figures, and so on.

A Key Risk Indicator (KRI) is a metric capable of demonstrating that an organization has a high
probability of being exposed to possible risks. KRIs are important to the measurement and monitoring of
risk and to performance optimization. Such metrics can help in effectively reporting risk management
performance results. The morale level of workers, the number of accidents suffered, and errors caused
during the production process are all examples of KRIs (Murdock, 2016, pp. 238-239).

KPIs focus on business performance while KRIs concentrate on risk management performance.
Connecting KPIs and KRIs can be a great help for operational auditors and business managers, as it
enables them to understand the relationship between risk and business results, which will assist in making
sound business decisions.

7. List five continuous monitoring/auditing routines you would recommend to a client for a payment
processing operation. Specify what data would be collected, how it would be analyzed, the reporting
mechanism, and the frequency of its preparation.

(1) Segregation of duties.

Internal auditors should evaluate the roles and responsibilities of employees involved in the
recording, reporting, and analysis of payment processing transactions. They should also check who has
access to every technology platform connected to these transactions to prevent fraud and to make sure
all transactions made are authorized.

(2) Charging to correct accounts.

The payment received must be credited to the corresponding customer account as a reduction
in their liability. Payment processing entities should include this in their continuously monitored and
audited routines because failure to do so may present additional workloads and costs (Murdock, 2016,
p. 239).

(3) Recording of payment to a suspense account.

This happens when funds are received but there is no corresponding customer credit. The
amount should be placed in a suspense account. It needs to be continuously monitored and audited
because, if the customer credit is identified, the payment should be credited to the corresponding
customer (Murdock, 2016, p. 240).

(4) Checking of unprocessed payments.

Internal auditors must be notified after payments have remained unprocessed for a certain
time and date because it signifies that controls are not effective, since the problem is still present.
Internal auditors must check whether there are unprocessed payments and may take action to address this
issue. Failure to do so may give rise to additional workloads and unnecessary expenditures (Murdock,
2016, p. 240).

(5) Check for processing and authorization errors.

This occurs when merchants do not follow best practices when attempting to gain authorization
for a credit card transaction, which may lead to a loss of revenue. Internal auditors should look at the
descriptors, customer information, and processing procedures (Franke, 2020).

8. List five continuous monitoring/auditing routines you would recommend to a client for a customer
call center facility. Specify what data would be collected, how it would be analyzed, the reporting
mechanism, and the frequency of its preparation.

Call centers are one of the sectors that deal directly with consumers, and thus the need for
maintaining high standards of performance and efficiency is high.

(1) Performances in call centers.

Continuous monitoring and auditing of call center performance should be carried out. Data such as the
average calls per agent, cost per call, quality of service, handling time, the accuracy of forecasting, and
many more should be collected and included in the review since they are essential to the business ("BONUS:
Call Center Audit Checklist", n.d.).

(2) Processes and policies.

Processes and policies in a call center facility should also be monitored and audited continuously to
see whether they are accessible, well-defined, and understandable for everyone in a call center business.
They should be analyzed by evaluating whether the procedures and their steps are appropriate and relevant
to the organization's overall success.

(3) Recruitment process.

Call center businesses should continuously monitor their recruitment process and their
employees' training. To ensure that future and current personnel of an organization can provide
consumers with a high degree of satisfaction, the hiring strategy should be customized to the
organization's needs and should observe whether the people applying for the job are suitable for the
position.

(4) Employee training.

An organization should also provide training to its employees and track each employee's
progress. Continuous auditing must examine whether the training programs of the organization are
addressing the right training that employees need to improve themselves.

(5) Employee engagement.

Also, continuous monitoring and auditing should be performed on employee engagement. The
internal auditor should be able to verify whether employees earn bonuses and feel secure, or whether they
are faced with pressure in the workplace.

9. List five continuous monitoring/auditing routines you would recommend to a client for an IT service
center. Specify what data would be collected, how it would be analyzed, the reporting mechanism, and
the frequency of its preparation.

(1) Data Backups.

Creating backups must be included in the continuous monitoring/auditing routines of a
business that provides IT services. Since common threats to these kinds of businesses are hacking and
accidental loss of information, it is better to develop a plan for regular backups. By doing so, the
business is prepared for any potential natural disasters and cyberattacks (McCormick, 2020).

(2) Identity and access management.

Organizations should also monitor and regulate who should have access to a particular technology
facility. Personnel must identify themselves either manually or automatically to be authorized
and authenticated. In this way, employees are prevented from accessing data that they are not allowed
to access.

(3) Regulatory Compliance.

It is also essential for businesses that provide IT services to ensure that they operate under
current laws and legislation.

(4) Hardware.

Testing the organization's hardware must also be included in the continuous
monitoring/auditing routines to ensure that each piece of equipment still meets the overall performance
criteria for providing IT services. If not, the company must replace it with a new one so that
it can help deliver high-level customer support.

(5) Data Security (Software)

Evaluating the network for security vulnerabilities and ensuring that wireless networks are
protected is important. To avoid putting critical information in the wrong hands, companies that
provide IT services must ensure that they preserve confidential data properly.

10. List five continuous monitoring/auditing routines you would recommend to an environmental
health and safety manager. Specify what data would be collected, how it would be analyzed, the
reporting mechanism, and the frequency of its preparation.

Environmental health and safety managers inspect and evaluate the environment, equipment,
and processes in working areas to ensure compliance with government safety regulations and industry
standards (Locsin, 2020). The environmental health and safety manager should (1) monitor compliance
with safety and environmental programs and (2) continue to establish health and safety protocols for all
areas of the organization. (3) Continuous facility inspection may help identify safety, health, and
environmental risks. If these threats are known, it will be easier to take the corrective actions necessary to
address them. Also, the environmental health and safety manager (4) must carry out regular
assessments and audits and shall continue to (5) respond to everyday health and safety concerns.

REFERENCES:

Franke, J. (2020, June 24). Conducting an audit of your payment systems. Retrieved from
https://emspayments.com/conducting-an-audit-of-your-payment-systems/

BONUS: Call center audit checklist. (n.d.). Retrieved from
https://www.liveagent.com/academy/call-center-audit-checklist/

McCormick, S. (2020, April 2). IT audit checklist for your IT department. Retrieved from
https://reciprocitylabs.com/it-audit-checklist-for-your-it-department/

Locsin, A. (n.d.). Job description of an Environmental Health and Safety Manager. Retrieved from
https://work.chron.com/job-description-environmental-health-safety-manager-10481.html
