What is a complete and exhausted description of the system as found in operation by the auditors?

Operators must have systems in place to manage fatigue, maintenance and dimension and loading. The following templates and forms are provided to help you implement these sytems. 

 Learn more in our WAHVA Operator Frequently Asked Questions.

Prescribed electricity entities must have a safety management system (SMS) in place that contains the following details:

• The system's safety objectives.
• The systems and procedures by which the objectives are to be achieved.
• The performance criteria to be met.
• The way in which adherence to the performance criteria is to be maintained.

On an annual basis a safety management system performance audit is conducted to verify:

• that the prescribed entity is giving effect to the safety management system
• the safety management system documentation continues to comply with legislation
• that the safety management system is achieving its objectives
• that the safety management system is adhering to and maintaining the performance criteria
• that the auditing system of the prescribed entity's safety management system is effective
• that any modification compliance audits have been done when necessary.

More information

Last updated 18 September 2019

Is this page useful? Give feedback about this page

As a small business owner, you need to conduct regular audits to ensure your records are accurate. Although many business owners dislike the idea of auditing, audits can be beneficial to your company. Learn more about the different types of audit below.

Different types of audit

As a brief recap, an audit examines your financial records and transactions to verify they are accurate. Typically, audits look at your financial statements and accounting books to compare information.

You or your employees may conduct audits. Or, you might have a third party audit your information (e.g., IRS audits).

Many business owners have routine audits, such as once per year. If you are not organized or don’t keep thorough records, your audits might take more time to complete.

Types of auditing can vary from business to business. For example, a construction business might conduct an audit to analyze how much they spent on a specific project (e.g., costs for contractors or supplies).

Overall, audits help ensure your business is operating smoothly. So, what are the various types of audit?

1. Internal audit

Internal audits take place within your business. As the business owner, you initiate the audit while someone else in your business conducts it.

Businesses that have shareholders or board members may use internal audits as a way to update them on their business’s finances. And, internal audits are a good way to check in on financial goals.

Although there are many reasons you may conduct an internal audit, some common reasons include to:

• Propose improvements
• Monitor effectiveness
• Make sure your business is compliant with laws and regulations
• Review and verify financial information
• Evaluate risk management policies and procedures
• Examine operation processes

2. External audit

An external audit is conducted by a third party, such as an accountant, the IRS, or a tax agency. The external auditor has no connection to your business (e.g., not an employee). And, external auditors must follow generally accepted auditing standards (GAAS).

Like internal audits, the main objective of an external audit is to determine the accuracy of accounting records.

Investors and lenders typically require external audits to ensure the business’s financial information and data is accurate and fair.

Audit reports

When your business is audited, external auditors usually give you an audit report. Audit reports include details of the audit process and what was found. And, the report includes whether your financial records are accurate, missing information, or inaccurate.

3. IRS tax audit

IRS tax audits are used to assess the accuracy of your company’s filed tax returns. Auditors look for discrepancies in your business’s tax liabilities to make sure your company did not overpay or underpay taxes. And, tax auditors review possible errors on your small business tax return.

Auditors usually conduct IRS audits randomly. IRS audits can be conducted via mail or through in-person interviews.

4. Financial audit

A financial audit is one of the most common types of audit. Most types of financial audits are external.

During a financial audit, the auditor analyzes the fairness and accuracy of a business’s financial statements.

Auditors review transactions, procedures, and balances to conduct a financial audit.
After the audit, the third party usually releases an audit opinion about your business to lenders, creditors, and investors.

Streamline your books with Patriot’s Accounting

• Easily track your income and expenses
• Import your customers, vendors and trial balance
• Create invoices, pay bills, and generate financial reports

5. Operational audit

Operational audits are similar to internal audits. An operational audit analyzes your company’s goals, planning processes, procedures, and operation results.

Generally, operational audits are conducted internally. However, an operational audit can be external.

The goal of an operational audit is to fully evaluate your business’s operations and determine ways to improve them.

6. Compliance audit

A compliance audit examines your business’s policies and procedures to see if they comply with internal or external standards.

Compliance audits can help determine whether or not your business is compliant with paying workers’ compensation or shareholder distributions. And, they can help determine if your business is compliant with IRS regulations.

7. Information system audit

Information systems audits mostly impact software and IT companies. Business owners use information system audits to detect issues relating to software development, data processing, and computer systems.

This type of audit ensures the system provides accurate information to users and makes sure unauthorized parties do not have access to private data.

Also, IT and non-software businesses should regularly conduct mini cybersecurity audits to ensure their systems are secure from fraud and hackers.

8. Payroll audit

A payroll audit examines your business’s payroll processes to ensure they are accurate. When conducting payroll audits, look at different payroll factors, such as pay rates, wages, tax withholdings, and employee information.

Payroll audits are typically internal. Conducting internal payroll audits helps prevent possible external audits in the future.

Businesses should conduct internal payroll audits annually to check for errors in their payroll processes and remain compliant.

9. Pay audit

Pay audits allow you to identify pay discrepancies among your employees.

A pay audit can help you spot unequal pay at your company. During a pay audit, analyze things like disparities due to race, religion, age, and gender.

Pay audits can also help you ensure workers are paid fairly based on your business’s industry and location.

Importance of audits

You must conduct audits regularly to understand different aspects of your business. And, audits can help catch issues early on before they snowball into big mistakes. If you don’t conduct audits, you may find yourself reviewing inaccurate information, which can impact your business later.

Before you kick the idea of audits to the curb, think about how they can benefit your small business. Audits can help you:

• Find financial problems
• Catch errors
• Boost your business’s bottom line
• Stay organized
• Make better business decisions

This article has been updated from its original publication date of April 18, 2019.

This is not intended as legal advice; for more information, please click here.

1. Which is not the purpose of Risk analysis?
1. It supports risk based audit decisions
2. Assists the Auditor in determining Audit objectives
3. Ensures absolute safety during the Audit
4. Assists the Auditor in identifying risks and threats
2. Which term best describes the difference between the sample and the population in the sampling process?
1. Precision
2. Tolerable error rate
3. Level of Risk
4. Analytical Data
3. Name one of the purposes of creating Business Continuity Plan
1. To maximise the number of decisions made during an incident
2. To minimise decisions needed during a crisis
3. To lower business insurance premiums
4. To provide guidance for federal regulations
4. Failing to prevent or detect a material error would represent which type of risk?
1. Overall Audit Risk
2. Detection Risk
3. Inherent Risk
4. Control Risk
5. Which is one of the bigger concerns regarding asset disposal?
1. Residual Asset Value
2. Employees taking disposed property home
3. Standing data
4. Environmental Regulations
6. Who should issue ogranisational policies?
1. Policies should originate from the bottom and move upto the middle management level for approval
2. The policy should be issued in accordance with the approved standards by the middle management level
3. Policy can be issued by any level of management based on a case to case basis
4. The policy should be signed and enforced by the highest level of management
7. A program check that ensures data entered by a data entry operator is complete is an example of a
1. Detective Control
2. Preventive Control
3. Corrective Control
4. Redundancy Control
8. What is the primary objective in problem escalation?
1. Improve customer satisfaction
2. Optimise the number of skilled personnel
3. Ensure the correct response
4. Prove that the IT staff is competent
9. Which of the following is LEAST important when Auditors review Internal Controls?
1. The existence of an Audit Committee in the Organisation
2. The Organisational structure and the Management style used by the Organisation
3. The existence of a Budgeting System
4. The number of Personnel working for the Organisation
10. What is the best example of why plan testing is important?
1. To prove the plan worked the first time
2. To find the correct problems
3. To show the team that is not pulling their own weight
4. To verify that everyone shows up at the recovery site
11. Continuity planners can create plans without the business impact analysis (BIA) process because
1. Business Impact Analysis is not required
2. Management already dictated all the key processes to be used
3. Not possible, critical processes continuously changes
4. Risk assessment is acceptable
12. What are the three competing demands to be addressed by the Project Management?
1. Scope, Authority and Availability of Resources
2. Time, Cost and Scope
3. Requirements, Authority and Responsibility
4. Authority, Organisational Culture and Scope
13. How should management act to best deal with emergency changes?
1. Emergency changes can not be made without advanced testing
2. All changes should still undergo review
3. The changes control process does not apply to emergency conditions
4. Emergency changes are not allowed under any condition
14. Which is the following is not an objective of a control?
1. Reduce expected losses from irregularities
2. Reduce the probability of an error occurring
3. Reduce the amount of loss if an occurs
4. Provide for all the failures and to ensure that business is protected fully from such failures
15. IT audit is the process of collecting and evaluating evidence to determine
1. Whether a computer system safeguards assets
2. Whether maintains data integrity
3.  Whether allows organisational goals to be achieved effectively and uses resources efficiently
4. All of the above
16. The objectives of IT audit include
1. Ensures asset safeguarding
2. Ensures that the attributes of data or information are maintained
3. Both (a) and (b)
4. None of the above
17. Which is not an attribute of data or information
1. Compliance
2. Integrity
3. Confidentiality
4. Technology
18. Which among the following does not encompass organisational and management controls within the information processing facility (IPF)
1. Sound human resource policies and management practices
2. Methods to assess effective and efficient operations.
3. The regulatory framework within which the business is carried out
4. Separation of duties within the information processing environment
19. The essential aspect to be understood about the organisation subject to IT audit is
1. Organisation’s business and its strategic goals and objectives
2. The number of operating units / locations and their geographic dispersion
3. Major pending projects in progress
4. All of the above
20. While understanding the type of software used in the organisation the IT auditor has to
1. See the policy decision on developing software inhouse or to buy commercial products.
2. Collect details of operating systems, application system and database management system
3. Collect information relating to network architecture and technology to establish connectivity.
4. All of the above
21. The security goals of the organisation does not cover
1. Confidentiality
2. Probability and impact of occurrence
3. Availability
4. Integrity
22. Find out the incorrect statement with reference to Risk assessment
1. The detailed audit is needed where the risk assessment is low and the risk management is high
2. An independent assessment is necessary whether threats have been countered / guarded against effectively and economically
3. The assessment of the soundness of IT system will necessarily have to study the policies and process of risk management
4. None of the above
23. Consider the following statement and find out the correct one w.r.t. IT audit
1. In inherent risk there is an assumption that there are related internal controls.
2. In control risk errors will not be prevented or detected and corrected by the internal control system.
3. The control risk associated with computerised data validation procedures is ordinarily high.
4. None of the above
24. What is the characteristic of ‘detective control’
1. Minimise the impact of a threat
2. Use controls that detect and report the occurrence of an error, omission or malicious act.
3. Detect problems before they occur
4. None of the above
25. Which among the following is not characteristic of ‘preventive control’
1. Monitor both operation and imports
2. Prevent error, omission or malicious act from occurring
3. Correct errors from occurring
4. None of the above
26. IT access is not controlled or regulated though password it indicates
1. Poor security control
2. High risk of the system getting hacked
3. High risk of the system getting breached
4. All of the above
27. Basic risk areas which the external Govt. auditor may come across when reviewing internal audit’s work include
1. Availability of sufficient resources, in terms of finance, staff and skills required
2. Involvement of internal audit with IT system and under development
3. Management not required to act on internal audit’s recommendations
4. None of the above
28. Which is the common audit objectives for an IT audit
1. Review of the security of the IT system
2. Evaluation of the performance of a system
3. Examination of the system development process and the procedures followed at various stages involved
4. All of the above.
29. The type of audit evidence which the auditor should consider using in IT audit includes
1. Observed process and existence of physical items
2. Documentary audit evidence excluding electronic records
3. Analysis excluding IT enabled analysis using
4. None of the above
30. Match the following w.r.t interviews to be conducted with staff and purpose interviewing Kinds of staff / personnel Purpose of interview

(A) System analysis of programmers	(A) To determine whether any application system to consume abnormal amounts of resources.
(B) Clerical / Data entry staff	(B) To determine their perceptions of how the system has affected the quality of working life
(C) Users of an application systems	(C) To determine how they correct input data.
(D) Operation staff	(D) To obtain a better understanding of the functions and controls embedded with the system.

1. A–B; B–A; C–D; D–C
2. A–D; B–C; C–A; D–A
3. A–C; B–D; C–A; D–B
4. None of the above
31. Which of the following type of questions need to be included in the questionnaire(s)
1. Ambiguous questions
2. Leading questions
3. Presumptuous questions
4. Specific questions
32. Analytical procedures are useful in the following way in collecting audit evidence in IT audit
1. Use comparisons and relationships to determine whether account balances appear reasonable
2. To decide which accounts do not need further verification
3. To decide which audit areas should be more thoroughly investigated
4. All of the above
33. What is the commonly used example of generalised audit software?
1. CAAT
2. IDEA
3. COBIT
4. None of the above
34. A higher risk of system violation happens where
1. The audit module is not operational
2. The audit module has been disabled
3. The audit module is not periodically reviewed
4. All of the above
35. Which among the following is not a compliance test as related to IT environment
1. Determining whether passwords are changed periodically.
2. Determining whether systems logs are reviewed
3. Determining whether program changes are authorised.
4. Reconciling account balances
36. Substantive tests as they relate to the IT environment does not include
1. Conducting system availability analysis
2. Conducting system outage analysis
3. Performing system storage media analysis
4. Determining whether a disaster recovery plan was tested
37. Find out the incorrect statement w.r.t. attribute sampling used by IT auditors
1. Attribute sampling is used in substantive testing situations
2. Attribute sampling deals with the presence or absence of the attribute
3. It provides conclusions that are expressed in rates of incidence
4. None of the above
38. Variable sampling is used and deals with and provide
1. Applied in substantive testing situations
2. Deals with population characteristics that vary
3. Provides conclusions related to deviations from the norm
4. All of the above
39. Which among the following is true as to Audit Reporting
1. Normal reporting format is not adhered to in the case of IT Audit
2. In IT audit, the base of the focus is the system
3. In IT audit the audience for the report should normally be ignored
4. None of the above
40. The conclusions of the IT audit report does not include
1. Sweeping conclusions regarding absence of controls and risks
2. A mismatch between hardware procurement and software development in the absence of IT policy
3. Haphazard development which cannot be ascribed to lack of IT policy
4. All of the above
41. Which among the following is not a limitation in IT Audit
1. Data used not from production environment
2. If these is only production environment and audit could not test dummy data
3. “Read only Access” given to audit
4. None of the above
42. With the help of what tools, IT auditor can plan for 100% substantive testing
1. CAATs tools
2. CMM (Software)
3. COBIT
4. None of the above
43. The reason for management’s failure to use information properly is
1. Failure to identify significant information
2. Failure to interpret the meaning and value of the acquired information
3. Failure to communicate information to the decision maker
4. All of the above
44. Find out the incorrect statement
1. Distributed networks may decrease the risk of data inconsistencies
2. Application software developed inhouse may have lower inherent risk than vendor supplied software
3. Peripheral access devices or system interfaces can increase inherent risk
4. None of the above
45. Categories of general control do not include
1. Logical access controls
2. Acquisition and program change controls
3. Control over standing data and master files
4. None of the above
46. Application controls includes
1. IT operational controls
2. Control over processing
3. Physical controls
4. None of the above
47. What legal protection is available to prevent theft illegal copying of software
1. Computer misuse legislation
2. Data protection and privacy legislation
3. Copyright laws
4. None of the above
48. Match the following w.r.t. the following critical elements and its impact

(A) Poor reporting structures	(A) Cannot satisfactorily review the computer systems and associated controls
(B) Inappropriate or no IT planning	(B) Leads to security breaches, data loss fraud and errors
(C) Security policies not in place or not enforced	(C) Leads to business growth being constrained by a lack of IT resources
(D) Ineffective internal audit function	(D) Leads to inadequate decision making and affect the future as a going concern

1. A–D; B–A; C–B; D–C
2. A–D; B–C; C–B; D–A
3. A–B; B–A; C–D; D–C
4. None of the above
49. The risk areas associated with poorly controlled computer operations include
1. Applications not run correctly
2. Loss or corruption of financial applications
3. lack of backups and contingency planning
4. All of the above
50. In case of outsourcing IT activities the IT auditor should
1. Review the policies and procedures which ensure the security of the financial data
2. Obtain a copy of the contract to determine if adequate controls have been specified
3. Ensure that audit needs are taken into account and included in the contracts
4. All of the above
51. While reviewing the network management and control the IT auditor is required to
1. Review the security and controls in non-financial systems
2. Review the security and controls in financial system’
3. Either (a) or (b) depending upon scope of audit and SAI’s mandate
4. None of the above
52. Which among the following is not true w.r.t. logical access controls
1. Logical access control usually depend on the in – built security facilities
2. The importance of logical access controls is increased where physical access control is more effective
3. logical access control exits at both an installation and application level
4. None of the above
53. Weak input control may increase the risk of
1. Entry of an authorised data
2. incomplete data entry
3. Entry of duplicate / redundant data
4. All of the above
54. Weak process controls would lead to:
1. Unauthorised changes or amendments to the existing data
2. Absence of audit trial rendering, sometimes the application unauditable
3. Inaccurate processing of transactions leading to wrong outputs / results
4. All of the above