Understanding the Links Between Audit Risks and Audit Steps: The Case of Procurement Cards

This case requires students to conduct an internal audit of a procurement card (PCard) program at a fictitious university. The primary objective of this case is to help students (1) understand the link between risks and controls for a given organization and then (2) link those risks and controls with the appropriate substantive and control tests. Students must complete a Risk-Control Matrix, develop an audit plan, and then conduct substantive audit tests on PCard transactions using Excel or generalized audit software. This audit provides a rich setting for students to complete a variety of real-world audit tasks to identify compliance (or non-compliance) with the PCard Program rules and to prepare business memos to communicate findings. Student feedback indicates that the case not only is realistic, interesting, and a positive learning experience, but also encourages critical thinking. In addition, the case significantly increased students' perceptions regarding their familiarity with PCards, use of generalized audit software (GAS) in compliance audits, and understanding of internal audit uses of GAS.