Internal Audit Riz.


  • 8/9/2019 Internal Audit Riz.

    1/26

    INTERNAL AUDIT

    Internal auditing is a profession and activity involved in helping

    organizations achieve their stated objectives. It does this by using a

    systematic methodology for analyzing business processes, procedures and activities with the goal of highlighting

    organizational problems and recommending solutions.

    Professionals called internal auditors are employed by

    organizations to perform the internal auditing activity.

    The scope of internal auditing within an organization is broad and

    may involve topics such as the efficacy of operations, the

    reliability of financial reporting, deterring and investigating fraud, safeguarding assets, and compliance with laws and regulations.

    Internal auditing frequently involves measuring compliance with

    the entity's policies and procedures. However, internal auditors are

    not responsible for the execution of company activities; they

    advise management and the Board of Directors (or similar

    oversight body) regarding how to better execute their

    responsibilities. As a result of their broad scope of involvement,

    internal auditors may have a variety of higher educational and professional backgrounds.

    Publicly-traded corporations typically have an internal auditing

    department, led by a Chief Audit Executive ("CAE") who

    generally reports to the Audit Committee of the Board of

    Directors, with administrative reporting to the Chief Executive

    Officer.

    The profession is unregulated, though there are a number of

    international standard setting bodies, an example of which is the

    Institute of Internal Auditors ("IIA"). The IIA has established

    Standards for the Professional Practice of Internal Auditing[1] and

    has over 150,000 members representing 165 countries, including

    approximately 65,000 Certified Internal Auditors.


    History of internal auditing

    The Internal Auditing profession evolved steadily with the

    progress of management science after World War II. It is

    conceptually similar in many ways to financial auditing by public

    accounting firms, quality assurance and banking compliance

    activities. Much of the theory underlying internal auditing is

    derived from management consulting and public accounting

    professions. With the implementation in the United States of the

    Sarbanes-Oxley Act of 2002, the profession's growth accelerated,

    as many internal auditors possess the skills required to help companies meet the requirements of the law.

    Organizational independence

    To perform their role effectively, internal auditors require organizational independence

    from management, to enable unrestricted evaluation of management activities and personnel. Although internal auditors are part of company management and paid by the

    company, the primary customer of internal audit activity is the entity charged with oversight of management's activities. This is typically the Audit Committee, a

    sub-committee of the Board of Directors. To provide independence, most Chief Audit

    Executives report to the Chairperson of the Audit Committee and can only be replaced

    with the concurrence of that individual.

    According to the Institute of Internal Auditors, the Internal Auditor's obligation of

    Independence refers to:

    1) The reporting line or status of the CAE. The Chief Audit Executive must report to a level within the organization that allows the internal audit activity to

    fulfill its responsibilities. The chief audit executive must confirm to the board, at

    least annually, the organizational independence of the internal audit activity.

    2) Attitude of auditors, procedures of the internal audit department. The

    internal audit activity must be free from interference in determining the scope of

    internal auditing, performing work, and communicating results.


    3) Communication right. The chief audit executive must communicate and interact directly with the Board of Directors.

    Role in internal control

    Internal auditing activity is primarily directed at improving internal control. Under the COSO Framework, internal control is broadly defined as a process, effected by an entity's

    board of directors, management, and other personnel, designed to provide reasonable

    assurance regarding the achievement of objectives in the following internal control categories:

    Effectiveness and efficiency of operations.

    Reliability of financial reporting.

    Compliance with laws and regulations.

    Management is responsible for internal control. Managers establish policies and

    processes to help the organization achieve specific objectives in each of these categories. Internal auditors perform audits to evaluate whether the policies and processes are designed and operating effectively and provide recommendations for improvement.

    In the United States, internal auditors may assist management with compliance with the

    Sarbanes-Oxley Act (SOX).

    Role in risk management

    Internal auditing professional standards require the function to monitor and evaluate the

    effectiveness of the organization's risk management processes. Risk management relates to how an organization sets objectives, then identifies, analyzes, and responds to those

    risks that could potentially impact its ability to realize its objectives.

    Under the COSO enterprise risk management (ERM) Framework, risks fall under strategic, operational, financial reporting, and legal/regulatory categories. Management

    performs risk assessment activities as part of the ordinary course of business in each of

    these categories. Examples include: strategic planning, marketing planning, capital planning, budgeting, hedging, incentive payout structure, and credit/lending practices.

    Sarbanes-Oxley regulations also require extensive risk assessment of financial reporting

    processes. Corporate legal counsel often prepares comprehensive assessments of the

    current and potential litigation a company faces. Internal auditors may evaluate each of these activities, or focus on the processes used by management to report and monitor the

    risks identified. For example, internal auditors can advise management regarding the

    reporting of forward-looking operating measures to the Board, to help identify emerging risks.

    In larger organizations, major strategic initiatives are implemented to achieve objectives

    and drive changes. As a member of senior management, the Chief Audit Executive


    (CAE) may participate in status updates on these major initiatives. This places the CAE

    in the position to report on many of the major risks the organization faces to the Audit

    Committee, or ensure management's reporting is effective for that purpose.

    Internal auditors may help companies establish and maintain Enterprise Risk

    Management processes. Internal auditors also play an important role in helping companies execute a SOX 404 top-down risk assessment. In these latter two areas,

    internal auditors typically are part of the project team in an advisory role.

    Role in corporate governance

    Internal auditing activity as it relates to corporate governance is generally informal,

    accomplished primarily through participation in meetings and discussions with members

    of the Board of Directors. Corporate governance is a combination of processes and organizational structures implemented by the Board of Directors to inform, direct,

    manage, and monitor the organization's resources, strategies and policies towards the

    achievement of the organization's objectives. The internal auditor is often considered one of the "four pillars" of corporate governance, the other pillars being the Board of

    Directors, management, and the external auditor.

    A primary focus area of internal auditing as it relates to corporate governance is helping

    the Audit Committee of the Board of Directors (or equivalent) perform its responsibilities effectively. This may include reporting critical internal control problems, informing the

    Committee privately on the capabilities of key managers, suggesting questions or topics

    for the Audit Committee's meeting agendas, and coordinating carefully with the external auditor and management to ensure the Committee receives effective information.

    Nature of the internal audit activity

    Based on a risk assessment of the organization, internal auditors, management and

    oversight Boards determine where to focus internal auditing efforts. Internal auditing activity is generally conducted as one or more discrete projects. A typical internal audit

    project involves the following steps:

    1. Establish and communicate the scope and objectives for the audit to appropriate management.

    2. Develop an understanding of the business area under review. This includes objectives, measurements, and key transaction types. This involves review of documents and interviews. Flowcharts and narratives may be created if necessary.

    3. Describe the key risks facing the business activities within the scope of the audit.

    4. Identify control procedures used to ensure each key risk and transaction type is properly controlled and monitored.

    5. Develop and execute a risk-based sampling and testing approach to determine whether the most important controls are operating as intended.


    6. Report problems identified and negotiate action plans with management to

    address the problems.

    7. Follow-up on reported findings at appropriate intervals. Internal audit departments maintain a follow-up database for this purpose.

    Project length varies based on the complexity of the activity being audited and Internal Audit resources available. Many of the above steps are iterative and may not all occur in

    the sequence indicated.

    By analyzing and recommending business improvements in critical areas, auditors help

    the organization meet its objectives. In addition to assessing business processes,

    specialists called Information Technology (IT) Auditors review information technology

    controls.

    Internal audit reports

    Internal auditors typically issue reports at the end of each audit that summarize their

    findings, recommendations, and any responses or action plans from management. An

    audit report may have an executive summary; a body that includes the specific issues or

    findings identified and related recommendations or action plans; and appendix information such as detailed graphs and charts or process information. Each audit finding

    within the body of the report may contain five elements, sometimes called the "5 C's":

    1. Condition: What is the particular problem identified?

    2. Criteria: What is the standard that was not met? The standard may be a company policy or other benchmark.

    3. Cause: Why did the problem occur?

    4. Consequence: What is the risk/negative outcome (or opportunity foregone) because of the finding?

    5. Corrective action: What should management do about the finding? What have they agreed to do and by when?


    The recommendations in an internal audit report are designed to help the organization

    achieve its goals, which may relate to operations, financial reporting or legal/regulatory compliance. They may relate to effectiveness (i.e., whether goals were met or compliance

    with standards was achieved) or efficiency (i.e., whether the outputs were generated with minimum inputs).

    Audit findings and recommendations also relate to particular assertions about transactions, such as whether the transactions audited were valid or authorized,

    completely processed, accurately valued, processed in the correct time period, and

    properly disclosed in financial or operational reporting, among other elements.

    Developing the plan of engagements

    Internal auditing standards require the development of a plan of audit engagements

    (projects) based on a risk assessment, updated at least annually. The input of senior management and the Board is typically included in this process. Many departments

    update their plan of engagements throughout the year as risks or organizational priorities

    change. This effort helps ensure the audit activity is aligned with the organization's objectives, by answering two key questions: First, what goals is the organization trying

    to accomplish in the upcoming period? Second, how can the Internal Audit Department

    assist the organization in achieving these goals?

    Internal auditors often conduct a series of interviews of senior management to identify potential engagements. Changes in people, processes, or systems often generate audit

    project ideas. Various documents are reviewed, such as strategic plans, financial reports,

    consulting studies, etc. Further, the results of prior audits and resolution of open issues are considered. For example, even if a business area is important, prior audit work and

    the nature and status of open issues may render further audit effort unnecessary. If the

    organization has a formal enterprise risk management (ERM) program, the risks identified therein help limit the amount of separate risk assessment performed by Internal

    Audit.

    The preliminary plan of engagements is documented and prioritized. Audit resources and

    expertise are then considered and a final plan is presented to senior management and the Audit Committee. The presentations vary based on the needs of the stakeholders and may

    include the following:


    * Summary of key goals, risks and corresponding major audits, to illustrate alignment;

    * Analyses of audit effort along a variety of dimensions (e.g., by business segment, COSO objective category, IT, Sarbanes-Oxley, vs. prior year, etc.) along with commentary regarding changes;

    * Brief description of critical projects identified;

    * Projects requested but not planned for execution due to prioritization and resources;

    * Required co-sourcing effort, typically where outside expertise is required or during peak periods;

    * Coordination with other risk functions, such as legal, compliance or insurance, to ensure coverage of key organizational risks;

    * Update on audit staffing levels, experience and certification; and

    * Appendix materials, such as planning approach, assumptions (e.g., days per auditor and staffing level) and brief descriptions of all planned audits and related prioritization.

    Best Practices in Internal Auditing

    Measuring the internal audit function

    The measurement of the internal audit function can involve a balanced scorecard

    approach. Internal audit functions are primarily evaluated based on the quality of counsel and information provided to the Audit Committee and top management. However, this is

    primarily qualitative and therefore difficult to measure. Customer surveys sent to key

    managers after each audit project or report can be used to measure performance, with an annual survey to the Audit Committee. Scoring on dimensions such as professionalism,

    quality of counsel, timeliness of work product, utility of meetings, and quality of status

    updates are typical with such surveys. Understanding the expectations of senior management and the audit committee represent important steps in developing a

    performance measurement process, as well as how such measures help align the audit

    function with organizational priorities.

    Quantitative measures can also be used to measure the function's level of execution and qualifications of its personnel. Key measures include:

    Plan completion: This is a measure of the degree to which the annual plan of engagements is completed, measured at a point in time. This may be measured using the

    number of projects completed, weighted by the planned size of each project, with estimates for projects in-progress. Measured throughout the year, it is compared against

    the percentage of the year elapsed.

    Report issuance: This is a measure of the time elapsed from completion of testing to

    issuance of the final audit report, including management's action plans. This can be


    measured in average days or percentage of reports issued within a certain standard, such

    as 30 days. Establishing expectations for the timing of management's response to report

    recommendations is critical. In addition, the scope and degree of change involved in the report's action plans are key variables. For example, a report for a single retail store

    requiring only the store manager's action might take 3-5 days to issue. However, a report

    consolidating findings from 20 retail stores, with action plans with national implications determined by top management, may take 30-60 days in complex organizations.

    Issue closure: Reported audit findings are often called issues or deficiencies.

    Professional standards require audit functions to track reported findings to resolution,

    which effectively requires the maintenance of an issues follow-up database. The number of days that reported issues remain open, or open after their agreed-upon closure date, are

    key measures. In addition, reporting database statistics such as the number of issues open

    (unresolved), closed (resolved), and issues opened/closed during a given period are useful statistics.

    Staff qualifications: This can be measured through the percentage of staff with professional certifications, graduate degrees, and overall years of experience.

    Staff utilization rate: This is measured as the percentage of time spent on projects, as

    opposed to administrative time such as training or vacation. Many internal audit departments track time by audit project. This is typically captured in a database or

    spreadsheet.

    Staffing level: The number of positions filled relative to the authorized staffing level. Due

    to the challenge of finding qualified staff, departments may have rotational programs to bring in management to complete tours in the function or be "guest" auditors. Audit

    departments also "co-source," meaning they obtain contract auditors from service providers.


    Developing and retaining staff

    Developing and retaining quality professionals is a key concern in the profession. Key

    methods for developing and retaining internal audit staff personnel include:

    * Providing challenging, varied assignments

    * Ensuring quality supervision

    * Ensuring staff participates in projects from start to finish, to learn all phases of the audit process

    * Providing opportunities to lead (in-charge) projects, starting with more structured projects such as Sarbanes-Oxley work

    * Participating on departmental improvement task forces, such as preparation for quality assurance review

    * Participating in the recruiting and interviewing process for new hires

    * Rotating through various audit teams (in larger departments) or audits of various businesses

    * Providing both outside training (e.g., seminars) and in-house training (e.g., company systems) for two weeks/year

    * Participation in annual risk assessment activities, whether asking key questions or just taking notes

    Reporting of critical findings

    The Chief Audit Executive (CAE) typically reports the most critical issues to the Audit Committee quarterly, along with management's progress towards resolving them. Critical

    issues typically have a reasonable likelihood of causing substantial financial or

    reputational damage to the company. For particularly complex issues, the responsible

    manager may participate in the discussion. Such reporting is critical to ensure the function is respected, that the proper "tone at the top" exists in the organization, and to

    expedite resolution of such issues. It is a matter of considerable judgment to select

    appropriate issues for the Audit Committee's attention and to describe them in the proper context.


    Internal auditing and fraud investigation

    Internal Auditing

    Internal Auditing is an independent, objective assurance

    and consulting activity designed to add value and improve an organization's operations.

    It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and

    governance processes. (Institute of Internal Auditors)

    Fraud Investigation

    Fraud Investigation consists of the multitude of steps

    necessary to resolve allegations of fraud: interviewing witnesses, assembling evidence,

    writing reports, and dealing with prosecutors and the courts. (Association of Certified Fraud Examiners)


    Articles on Internal Auditing

    COSO - The Framework for Internal Control: A Strategic Approach to Internal Audits

    Compiled by Mark R. Simmons, CIA CFE

    In 1992, the American Institute of Certified Public Accountants, the Institute of Internal

    Auditors, the American Accounting Association, the Institute of Management

    Accountants and the Financial Executives Institute issued a jointly prepared body of work entitled Internal Control - An Integrated Framework. This authoritative document

    identifies the fundamental and essential objectives of any business or government entity:

    economy and efficiency of operations, including safeguarding of assets and achievement

    of desired outcomes; reliability of financial and management reports; and compliance with laws and regulations.

    To achieve quality, processes must first be in control. To improve quality, controlled

    processes must be measured and evaluated to identify obstacles to success. Effective

    internal control opens the door that leads to achievement of success. The approach presented by the Framework goes directly to the one key issue of any business - is there reasonable assurance of achieving our mission, objectives, goals and desired outcomes,

    while adhering to laws and regulations; and can we accurately report our success and

    outcomes to the public and interested third parties.

    The Framework describes a unified approach for evaluation of the internal control

    systems that management has designed to provide reasonable assurance of achieving the

    fundamental business objectives described above.

    What is Internal Control?

    Internal control is a broadly defined process, effected by people, designed to provide

    reasonable assurance regarding the achievement of the following three objectives that all

    businesses strive for:

    1. Economy and efficiency of operations, including achievement of performance goals

    and safeguarding of assets against loss;

    2. Reliable financial and operational data and reports; and

    3. Compliance with laws and regulations


    What is Needed to Help Assure the Achievement of these Primary Business Objectives?

    A. A SOUND CONTROL ENVIRONMENT

    * Managers and employees who possess integrity, ethical values and competence;

    * Management's philosophy and operating style;

    * Proper assignment of authority and responsibility;

    * Proper organization of available resources;

    * Proper training and development of people; and

    * Proper attention and direction from senior management.

    B. A SOUND RISK ASSESSMENT PROCESS

    * An awareness of and ability to deal with the risks and obstacles to successful

    achievement of business objectives;

    * Establishment by management of a set of objectives that integrate all the organization's

    resources so that the organization operates in concert; and

    * Identification, analysis and management of the risks and obstacles to successful achievement of the three primary business objectives.

    C. SOUND OPERATIONAL CONTROL ACTIVITIES

    * The establishment and execution of policies and procedures to help ensure effective

    implementation of the actions identified by management as being necessary to address

    risks and obstacles to achievement of business objectives.

    (These control activities help ensure that management's directives are carried out; occur at all levels of the organization; and in all activities, units and functions. Examples

    include authorizations, reviews of operating performance, security of assets, and segregation of duties.)


    D. A SOUND INFORMATION AND COMMUNICATIONS SYSTEM

    * Information systems produce reports, containing operational, financial and compliance

    related information, that make it possible to run and control a business. They deal with internally generated data as well as the external activities, conditions and events

    necessary to informed business decision making and external reporting.

    * The organization's people must be able to capture and exchange the information needed

    to conduct, manage and control operations.

    * Pertinent information must be identified, captured and communicated in a form and

    time frame that enables people to carry out their responsibilities.

    * Effective communication must flow down, up and across the organization. (This

    includes a clear message from top management to all personnel that control responsibilities must be taken seriously.)

    * All personnel must understand their own role in the internal control system, as well as

    how their individual activities relate to the work of others.

    * All personnel must have a means of communicating significant information upstream.

    * There must be effective communication with external parties.

    E. EFFECTIVE MONITORING

    * The entire control system must be monitored to assess the quality of the system's

    performance over time. (Ongoing monitoring, which should occur in the normal course of operations, includes

    such things as regular management and supervisory activities; and actions personnel take in performing their duties.)

    * Internal deficiencies should be reported upstream, with serious matters reported to top

    management.

    * There should also be separate, independent evaluations of the internal control system. The scope and frequency of these independent evaluations depend primarily on the

    assessment of risks and obstacles, and the effectiveness of ongoing monitoring

    procedures.

    Collectively, the three primary business objectives and the five components needed to achieve those objectives constitute the internal control framework.


    How Can We Assess the Effectiveness of the Internal Control System?

    When looking at any one of the three primary business objectives, all five components of

    the control system must be present and functioning effectively in order to conclude that internal controls over operations are effective.

    While internal control is a process, its effectiveness is a state or condition of the process

    at a fixed point in time. When an internal control system meets the following standard, it

    can be deemed "effective":

    "Internal Control can be judged effective for each of the three business objectives if management have reasonable assurance that they understand the extent to which the

    organization's objectives are being met; financial and management reports are being

    prepared reliably; and applicable laws and regulations are being complied with."

    Determining whether a particular internal control system is "effective" is a subjective

    judgement resulting from an assessment of whether the five components of control are present and functioning effectively. Their effective functioning provides the "reasonable

    assurance" regarding achievement of the primary objectives. The components thus form the criteria for effective control.

    Internal audits can use the Framework to focus on three different levels of control:

    1. Strategic

    planning, organizing and directing activities that address achieving the long range mission and objectives of the entity under review.

    2. Tactical

    planning, organizing and directing activities that address achieving short term (annual)

    objectives and goals of the entity under review that lead to success in achieving the entity's strategic mission and objectives.

    3. Operational

    planning, organizing and directing controls that address the day-to-day operations of the

    entity.

    Using a survey tool based upon the five components, internal audits can be conducted at a

    strategic, rather than operational, level. These strategic internal audits can be designed to

    gather testimonial and documentary evidence to either support achievement of the standard for effective internal control; or to identify to senior managers deficiencies and improvement opportunities for achieving effective internal control. Essentially, this

    means assessing planning activities; the means of measuring accomplishment; the

    reliability of data used to benchmark, report and measure; and the resources used to achieve outcomes. The Framework approach provides an ideal vehicle for adding value

    to the organization.


    Some specific issues that internal auditors might look at include:

    Management Plans

    Management Objectives

    Communication of Desired Outcomes and the Policies and Procedures to achieve outcomes

    Written Standards to Measure Achievement of Desired Outcomes

    Assignment of Responsibility and Granting of Authority

    Budget vs Workloads

    Staffing Efficiency

    Communications

    Process Measurement

    Corrective Actions Taken and Measures of Success

    Outcome Measurement and Reporting Systems

    To accomplish strategic internal audits most effectively, the audit process should start at

    the top of the organization with interviews of senior executives. This provides for a professional assessment at the highest levels of operation; a benchmark against which to

    compare lower level strategic internal control activities; and a clear message of support for the strategic internal audit process.

    Articles on Internal Auditing

    What is Internal Auditing

    About the Profession

    Internal Auditing is an independent, objective assurance and consulting activity designed

    to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

    Managers are responsible for designing control processes that provide reasonable

    assurance the following business objectives can be achieved:

    Effective and efficient operations

    Compliance with laws and regulations

    Reliable financial reporting

    Internal auditors evaluate how well the control processes designed by managers function, and therefore the extent to which managers can have reasonable assurance business objectives will be realized. The internal audit function reports to top management and

    normally has direct communication with the audit committee and the board of directors.

    Because of their expertise and thorough knowledge of operations, internal auditors often fulfill a consulting role to top management.


    Statement of Responsibilities of Internal Auditing

    The purpose of this statement is to provide in summary form a general understanding of

    the responsibilities of internal auditing. For more specific guidance, readers should refer to the Standards for the Professional Practice of Internal Auditing.

    OBJECTIVE AND SCOPE

    Internal Auditing is an independent appraisal function established within an organization

    to examine and evaluate its activities as a service to the organization. The objective of

    internal auditing is to assist members of the organization in the effective discharge of their responsibilities. To this end, internal auditing furnishes them with analyses,

    appraisals, recommendations, counsel, and information concerning the activities

    reviewed. The audit objective includes promoting effective control at reasonable cost. The members of the organization assisted by internal auditing include those in

    management and the board of directors.

    The scope of internal auditing should encompass the examination and evaluation of the

    adequacy and effectiveness of the organization's system of internal control and the quality of performance in carrying out assigned responsibilities. Internal auditors should:

    Review the reliability and integrity of financial and operating information and the

    means used to identify, measure, classify, and report such information.

    Review the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on

    operations and reports, and should determine whether the organization is in

    compliance.

    Review the means of safeguarding assets and, as appropriate, verify the existence of such assets.

    Appraise the economy and efficiency with which resources are employed.

    Review operations or programs to ascertain whether results are consistent with

    established objectives and goals and whether the operations or programs are being

    carried out as planned.

    http://www.theiia.org/guidance/standards-and-guidance/

    RESPONSIBILITY AND AUTHORITY

    The internal auditing department is an integral part of the organization and functions

    under the policies established by senior management and the board. The purpose, authority and responsibility of the internal auditing department should be defined in a

    formal written document (charter). The director of internal auditing should seek approval of the charter by senior management as well as acceptance by the board. The charter

    should make clear the purposes of the internal auditing department, specify the unrestricted scope of its work, and declare that auditors are to have no authority or

    responsibility for the activities they audit.

    Throughout the world internal auditing is performed in diverse environments and within organizations which vary in purpose, size, and structure. In addition, the laws and

    customs within various countries differ from one another. These differences may affect

    the practice of internal auditing in each environment. The implementation of the Standards for the Professional Practice of Internal Auditing, therefore, will be governed

    by the environment in which the internal auditing department carries out its assigned responsibilities. Compliance with the concepts enunciated by the Standards for the Professional Practice of Internal Auditing is essential before the responsibilities of internal auditors can be met. As stated in the Code of Ethics, members of The Institute of

    Internal Auditors, Inc. and Certified Internal Auditors shall adopt suitable means to

    comply with the Standards for the Professional Practice of Internal Auditing.

    INDEPENDENCE

    Internal auditors should be independent of the activities they audit. Internal auditors are

    independent when they can carry out their work freely and objectively. Independence

    permits internal auditors to render the impartial and unbiased judgments essential to the proper conduct of audits. It is achieved through organizational status and objectivity.

    The organizational status of the internal auditing department should be sufficient to

    permit the accomplishment of its audit responsibilities. The director of the internal

    auditing department should be responsible to an individual in the organization with sufficient authority to promote independence and to ensure a broad audit coverage,

    adequate consideration of audit reports, and appropriate action on audit

    recommendations.

    Objectivity is an independent mental attitude which internal auditors should maintain in

    performing audits. Internal auditors are not to subordinate their judgment on audit matters to that of others. Designing, installing, and operating systems are not audit functions.

    Also, the drafting of procedures for systems is not an audit function. Performing such

    activities is presumed to impair audit objectivity.


    Articles on Internal Auditing

    An Overview of the Professional Practice of Internal Auditing

    By Mark R. Simmons, CIA CFE

    With the various activities and reviews internal auditors are being called on to perform,

    and changes taking place today in the practice of internal auditing, I have lately been

    thinking more and more about the way internal auditing is perceived, and how it perhaps ought to be perceived. About twelve years ago, I was offered the opportunity to expand

    my professional development by moving into an internal audit department. At the time,

    having come from a background in public accounting, and having no familiarity with internal auditing standards, if you had asked me to define "internal auditing", I probably

    would have said something like "it's auditing within an organization to help safeguard

    assets". I'm willing to bet that in many organizations, if you were randomly to ask employees, managers and executives about their perception of internal auditing today,

    many would tell you "it's the same thing that our external CPAs do, only it's done by

    employees of the company". Others might say that "it's anything our internal auditors do".

    The purpose of this article is to examine the concept of internal auditing from the

    perspective of The Standards for the Professional Practice of Internal Auditing. For a moment, think about how important The Standards are in day to day professional internal

    audit activities. Some of the routine ways internal audit professionals apply the standards

    include how they plan and carry out their work, how the audit director determines what that work will be, and how the results of their efforts are communicated. By obtaining a

    clearer understanding of the essence of professional internal auditing standards, we can

    develop a clearer understanding of the essence of internal auditing itself. Obtaining that

    understanding is critical not only to presenting ourselves in the most professional way, but also to clearly defining our area of expertise and thus the value we can provide to our

    organizations.

    The basic framework of The Standards For The Professional Practice Of Internal Auditing consists of:

    the Statement of Responsibilities of Internal Auditing

    the Code of Ethics

    the Standards for the Professional Practice of Internal Auditing, consisting of five general standards, twenty five specific standards, and suggested guidelines for

    complying with the standards.

    the Statements on Internal Auditing Standards

    professional practice releases


    Some of the key points emphasized in the introduction to The Standards are:

    the principal elements of the organization served by internal auditing are

    management and the board of directors, with internal auditors owing a responsibility to both

    "the board" means the board of directors, the audit committees of such boards, heads of agencies or legislative bodies to whom the internal auditors report,

    boards of trustees, or any other designated governing body of organizations.

    "Management" is anyone in an organization with responsibility for setting and/or

    achieving objectives.

    "senior management" is the individual, or group of individuals in management to whom the director of internal auditing is responsible.

    The purpose of The Standards is:

    * to impart an understanding of the role of internal auditing

    * to establish a basis for the guidance and measurement of internal auditing

    performance

    * to improve the practice and professionalism of internal auditing

    Compliance with the concepts enunciated by the standards is essential before the

    responsibilities of internal audit can be met.

    When performing internal audits, the Code of Ethics of the Institute of Internal Auditors (IIA) requires each member of the Institute and each Certified Internal Auditor (CIA) to

    adopt suitable means to comply with The Standards and to conduct internal audits in

    accordance with the requirements and spirit of The Standards. This is one of the key

    provisions of the Code of Ethics.

    Not everything that an internal auditor might be called on to do is internal auditing. If you are a member of the IIA and/or are a CIA, it is your responsibility to understand the

    essence of what internal auditing is; to know what is, and is not, an internal auditing

    activity; to distinguish internal auditing from other types of audit activity that are not internal audits; and to distinguish internal auditing from other types of non-audit

    activities that an internal auditor might be called on to perform. The following table

    compares internal auditing (as defined by The Standards) with other activities performed by internal auditors.


    PROFESSIONAL INTERNAL AUDITING UNDER THE STANDARDS

    A REVIEW OF HOW MANAGERS PLAN, ORGANIZE AND DIRECT OPERATIONS

    CONDUCTED BY MEMBERS OF THE ORGANIZATION

    TO FORM AN OPINION AS TO WHETHER OR NOT MANAGEMENT HAS REASONABLE ASSURANCE THAT:

    Assets are safeguarded

    Laws, rules, regulations, policies and procedures are complied with

    Business objectives are met

    Financial and management data is accurate and reliable

    Operations are carried out efficiently and economically

    Professional Internal Auditing focuses on an evaluation of the system or framework of internal control

    OTHER AUDIT ACTIVITIES

    CONTRACT AUDITING

    COMPLIANCE AUDITING

    VOUCHER AUDITING

    CLAIMS AUDITING

    FINANCIAL STATEMENT AUDITING

    PERFORMANCE AUDITING

    EXTERNAL AUDITING OF OTHER ORGANIZATIONS

    OR ANY MANAGEMENT ACTIVITY ASSOCIATED WITH THE PLANNING, ORGANIZING AND DIRECTING OF OPERATIONS

    While these all may be value-added activities that auditors perform, they do not meet the criteria of "Internal Auditing" described by The Standards. Many, if not all, of these audit activities are governed by other professional auditing standards, such as those of the AICPA and the General Accounting Office; or various federal regulations such as OMB Circular A-133.


    As practiced under the Standards, professional internal auditing focuses on an evaluation

    of the system or framework of internal control, which the Standards describe as "the integrated collection of control systems developed by the organization to achieve its

    objectives and goals". There is a very close correlation between the Standards and COSO (for a detailed discussion, see "The Standards and the Framework", Internal Auditor,

    April 1997). The primary objective of internal controls is to give managers reasonable assurance that:

    financial and operating information is accurate and reliable

    policies, procedures, plans, laws and regulations are complied with

    assets are safeguarded against loss and theft

    resources are used economically and efficiently

    established program/operating goals and objectives will be met.

    The elements of internal auditing therefore consist of:

    Appraising the reliability and integrity of financial and operating information by evaluating the means developed by management to identify, classify, measure,

    and report such information

    Appraising the systems management has established to ensure compliance with policies, plans, procedures, laws and regulations that could have a significant

    impact on operations and reports, and determining whether the organization is in

    compliance

    Appraising the means management has established to safeguard assets, and, as appropriate, verifying the existence of such assets

    Appraising the systems management has established to ensure economical and efficient use of resources

    Appraising the systems management has established to ensure results are

    consistent with established objectives/goals and operations or programs are

    carried out as planned.

    Although there is some degree of overlap, these five elements differ from performance

    audits. The primary objective of a performance audit is to evaluate operational processes

    (which may or may not include internal controls) and the related results of operations,

    rather than the system of control itself (GAO Yellow Book, 1994 Revision, Chapter 2, sections 2.6 through 2.9). While some might consider this distinction insignificant, under

    the Standards, it is not the internal auditor's job to evaluate a manager's performance; to

    decide what the organization's objectives and goals are, or whether they are the correct objectives and goals. These determinations and decisions are the responsibility of

    management. The SPPIA instead focuses the internal auditor primarily on forming an

    opinion as to whether or not management has reasonable assurance that desired objectives and goals are being achieved, and the degree to which controls provide the


    reasonable assurance that managers need (SPPIA 300.04, 300.08, and 300.08.2.c).

    When we combine the definition of internal control with the scope of internal auditing, five possible audit objectives emerge regarding how managers plan, organize and direct

    activities. Internal auditors seek to answer one or more of the following questions:

    Do controls over financial and operating data provide managers with reasonable

    assurance that the financial and operating data is accurate and reliable

    Do controls over compliance with policies, procedures, plans, laws and

    regulations provide managers with reasonable assurance that proper compliance

    actually occurs

    Do controls over assets provide managers with reasonable assurance that assets

    exist and are protected against loss that could result from theft, fire, improper or

    illegal activities, or exposure to the elements

    Do controls over operations provide managers with reasonable assurance that

    resources are used efficiently and economically. In this context, the auditor wants

    to know whether operating standards have been established for measuring economy and efficiency; whether operating standards are understood and are being met; whether deviations from operating standards are identified, analyzed

    and communicated to those responsible for corrective action; and whether

    effective corrective action has been taken

    Do controls over operations and programs provide managers with reasonable

    assurance that the operations and programs are being carried out as planned, and

    that the results of operations are consistent with established goals and objectives.

    To meet these audit objectives, internal auditors evaluate the things managers do to plan, organize and direct activities and operations. The reasonable assurance that managers

    need comes about when managers plan, organize and direct in such a way that in the normal course of doing business, cost-effective actions are taken to minimize the risk that undesired outcomes will occur, and maximize the likelihood that desired outcomes will

    occur.

    After examining the way managers have planned, organized and directed the activities of

    the organization, the internal auditor draws conclusions about the adequacy and the

    effectiveness of the controls. The internal auditor then expresses an opinion as to whether

    or not the control system provides the necessary reasonable assurances. When the internal auditor is of the opinion that weaknesses or conditions are present that significantly

    reduce the likelihood that reasonable assurance exists, the internal auditor reports to

    senior management:

    the condition(s) found

    criteria or standard against which the condition is being measured

    the cause(s) that produced the condition

    potential or actual effect(s) on desired outcomes; and

    recommendations for corrective action that will improve the degree of reasonable assurance.


    Internal auditors perform other activities, such as: contract auditing; compliance auditing; voucher auditing; claims auditing; financial statement auditing; performance auditing;

    external auditing of other organizations; and other management activities associated with the planning, organizing and directing of operations. While these all may be value-added

    activities, they do not meet the criteria of "Internal Auditing" described by the Standards. Many, if not all, of these audit activities are governed by other standards. In

    the United States, for example, these might be those of the American Institute of CPAs;

    the US General Accounting Office's Government Auditing Standards; regulations and laws of the Securities and Exchange Commission; or various other federal regulations

    such as Circular A-133 of the US Office of Management and Budget. Does that mean

    internal auditors should refrain from doing these other things when requested to do so? No. But they should not confuse these other activities with internal audits; and should not

    represent them as being internal audits.

    What about consulting? Almost all of us at one time or another get involved in "consulting" situations within our organizations. How does internal auditing activity

    compare to consulting work?

    According to studies by the IIA:

    Internal Audits

    are based on past or current activities

    address management's reasonable assurance of achieving objectives

    are initiated by the Audit Director

    have the Audit Committee/Senior Management as the primary client

    are conducted primarily by members of the internal audit department

    lead to production of a standard audit report.

    Consulting Activities

    are future oriented

    address implementing activities

    are initiated by a line manager

    have the line manager as the primary client

    involve staff outside the internal audit department

    yield a product or outcome other than an audit report opinion


    Based on the IIA research, most internal auditors agree that the following activities are

    examples of consulting:

    Business Planning

    Non-Accounting System Consulting

    Business or Project Feasibility Studies

    Accounting System Design and Implementation

    Total Quality Management

    The more progressive practitioners of internal auditing have recognized the value of and

    have embraced the idea that partnering with audit clients can improve significantly the

    results of internal audit work. These innovative approaches and the required paradigm

    shifts are endorsed by the IIA. While the Standards do not pose any impediments to their use, additional implementation guidance is needed. This is particularly true regarding the

    issue of auditor independence vis a vis auditing in consultation with management.

    "Auditor Independence" has been a cornerstone of the profession for many years - a

    carryover from internal audit's roots in public accounting. IIA studies indicate that some practitioners, in hiding behind The Standards' guidance on independence, have needlessly

    sacrificed opportunities to make significant contributions to their organizations. This is an area requiring further study by the IIA.

    These issues also have sparked some interesting observations regarding the exclusion of compliance audits and performance audits from the "internal audit" category. The

    material above briefly touches on the issue of performance audits. Regarding compliance

    audits, the issue is one of focus. Further examination may serve as an example of how an

    internal audit is conducted under the Standards.

    The objective in a typical compliance audit is to determine whether an entity has followed applicable laws and regulations or followed proper procedures. For example, in an audit of a youth detention center, if government regulations require that the cafeteria

    only serve items listed on a dinner menu, and the kitchen runs out of the listed ice cream

    and serves pudding for dessert, a compliance audit would cite the center for failing to follow the regulations (a ludicrous, but true example). The compliance auditor doesn't

    really care about the system of internal control. In audit parlance, internal control risk is

    assessed at maximum (i.e., it is assumed controls are not effective). Nor does the

    compliance auditor necessarily care why a violation has occurred. The compliance auditor's job is to identify violations or deviations, and, where necessary, impose

    sanctions, withhold payments, obtain refunds, identify and report employee mistakes, etc.

    This is not an internal audit; and more importantly, using this methodology to carry out an internal audit is not a particularly efficient or effective way to identify systemic,

    mission critical control problems.

    An internal audit of the detention center under the Standards, however, would focus on

    whether or not the management of the detention center has reasonable assurance that

    significant applicable laws and regulations are being complied with. The internal auditor would want to see evidence, for example, that management has conveyed the importance


    of compliance to the employees; that employees have the necessary tools and resources to

    effect compliance; that employees have been properly trained in and understand

    compliance issues; that management has assessed and addressed the risks and obstacles associated with compliance; that policies and procedures have been established to address

    identified risks; that information and communications systems provide necessary data in

    an accurate and timely way regarding issues associated with effective compliance; and that monitoring activities will, in the normal course of events, identify and correct

    problems, and bring significant issues to light for attention, corrective action and follow

    up by higher level management. If this sounds very much like COSO, it should, since the SPPIA and COSO are two sides of the same coin (as might be expected since the IIA is

    one of the sponsoring organizations). The SPPIA actually is a framework for audit

    implementation of COSO theory.

    If the internal auditor determines significant weaknesses exist in the control system over

    compliance, he/she may conclude that the required reasonable assurance does not exist,

    and recommend corrective actions. To reinforce the need for corrective action, the

    internal auditor may test for evidence of errors, omissions or other adversities associated with non-compliance that are so serious that immediate intervention by management is

    required to mitigate the resultant business risks. If the internal auditor believes the internal control system is effective, and that as a result management has the requisite

    reasonable assurance, some testing may still be done to confirm the effectiveness of the

    control system (it depends on the internal auditor's assessment of his/her own risk of

    arriving at an incorrect opinion).

    Conclusion

    We, as internal audit professionals, have to be clear about what it is we are "expert" in.

    That clarity comes from the Standards. Our reason for being as a profession is to support executive management and the board of directors in carrying out corporate governance. We do that by providing them professional opinions about the degree to which reasonable

    assurance exists that business objectives will be achieved (i.e. the state of internal

    control) and by keeping them informed about critical control issues that impact on achievement of business objectives. Does that mean we can't help operating management

    do a better job in the process? No. Does that mean we hide behind the Standards and

    avoid going in new directions? No. Does that mean we do whatever we feel like, or whatever our management requests, in disregard of the Standards, and still call it

    "internal auditing"? While that might appear beneficial on an individual level, we can't,

    as a profession, do that either, because in the larger picture, doing so confuses, obscures

    and weakens the role of our profession in corporate governance; undermines our profession's value to those we are supposed to serve; and ultimately hurts us as a

    profession. But does that mean internal auditors should refrain from doing such things

    when requested to? No, it does not. However, we should not confuse these other activities with internal audits; and we should not represent them as being internal audits.
