Internal Audit Riz.
Uploaded by gururaj1990
8/9/2019 Internal Audit Riz.
INTERNAL AUDIT
Internal auditing is a profession and activity involved in helping
organizations achieve their stated objectives. It does this by using a
systematic methodology for analyzing business processes, procedures and activities with the goal of highlighting
organizational problems and recommending solutions.
Professionals called internal auditors are employed by
organizations to perform the internal auditing activity.
The scope of internal auditing within an organization is broad and
may involve topics such as the efficacy of operations, the
reliability of financial reporting, deterring and investigating fraud, safeguarding assets, and compliance with laws and regulations.
Internal auditing frequently involves measuring compliance with
the entity's policies and procedures. However, internal auditors are
not responsible for the execution of company activities; they
advise management and the Board of Directors (or similar
oversight body) regarding how to better execute their
responsibilities. As a result of their broad scope of involvement,
internal auditors may have a variety of higher educational and professional backgrounds.
Publicly-traded corporations typically have an internal auditing
department, led by a Chief Audit Executive ("CAE") who
generally reports to the Audit Committee of the Board of
Directors, with administrative reporting to the Chief Executive
Officer.
The profession is unregulated, though there are a number of
international standard setting bodies, an example of which is the
Institute of Internal Auditors ("IIA"). The IIA has established
Standards for the Professional Practice of Internal Auditing[1] and
has over 150,000 members representing 165 countries, including
approximately 65,000 Certified Internal Auditors.
History of internal auditing
The Internal Auditing profession evolved steadily with the
progress of management science after World War II. It is
conceptually similar in many ways to financial auditing by public
accounting firms, quality assurance and banking compliance
activities. Much of the theory underlying internal auditing is
derived from management consulting and public accounting
professions. With the implementation in the United States of the
Sarbanes-Oxley Act of 2002, the profession's growth accelerated,
as many internal auditors possess the skills required to help companies meet the requirements of the law.
Organizational independence
To perform their role effectively, internal auditors require organizational independence
from management, to enable unrestricted evaluation of management activities and personnel. Although internal auditors are part of company management and paid by the
company, the primary customer of internal audit activity is the entity charged with oversight of management's activities. This is typically the Audit Committee, a
sub-committee of the Board of Directors. To provide independence, most Chief Audit
Executives report to the Chairperson of the Audit Committee and can only be replaced
with the concurrence of that individual.
According to the Institute of Internal Auditors, the Internal Auditor's obligation of
Independence refers to:
1) The reporting line or status of the CAE. The Chief Audit Executive must report to a level within the organization that allows the internal audit activity to
fulfill its responsibilities. The chief audit executive must confirm to the board, at
least annually, the organizational independence of the internal audit activity.
2) Attitude of auditors, procedures of the internal audit department. The
internal audit activity must be free from interference in determining the scope of
internal auditing, performing work, and communicating results.
3) Communication right. The chief audit executive must communicate and interact directly with the Board of Directors.
Role in internal control
Internal auditing activity is primarily directed at improving internal control. Under the COSO Framework, internal control is broadly defined as a process, effected by an entity's
board of directors, management, and other personnel, designed to provide reasonable
assurance regarding the achievement of objectives in the following internal control categories:
Effectiveness and efficiency of operations.
Reliability of financial reporting.
Compliance with laws and regulations.
Management is responsible for internal control. Managers establish policies and
processes to help the organization achieve specific objectives in each of these categories. Internal auditors perform audits to evaluate whether the policies and processes are designed and operating effectively and provide recommendations for improvement.
In the United States, internal auditors may assist management with compliance with the
Sarbanes-Oxley Act (SOX).
Role in risk management
Internal auditing professional standards require the function to monitor and evaluate the
effectiveness of the organization's risk management processes. Risk management relates to how an organization sets objectives, then identifies, analyzes, and responds to those
risks that could potentially impact its ability to realize its objectives.
Under the COSO enterprise risk management (ERM) Framework, risks fall under strategic, operational, financial reporting, and legal/regulatory categories. Management
performs risk assessment activities as part of the ordinary course of business in each of
these categories. Examples include: strategic planning, marketing planning, capital planning, budgeting, hedging, incentive payout structure, and credit/lending practices.
Sarbanes-Oxley regulations also require extensive risk assessment of financial reporting
processes. Corporate legal counsel often prepares comprehensive assessments of the
current and potential litigation a company faces. Internal auditors may evaluate each of these activities, or focus on the processes used by management to report and monitor the
risks identified. For example, internal auditors can advise management regarding the
reporting of forward-looking operating measures to the Board, to help identify emerging risks.
In larger organizations, major strategic initiatives are implemented to achieve objectives
and drive changes. As a member of senior management, the Chief Audit Executive
(CAE) may participate in status updates on these major initiatives. This places the CAE
in the position to report on many of the major risks the organization faces to the Audit
Committee, or ensure management's reporting is effective for that purpose.
Internal auditors may help companies establish and maintain Enterprise Risk
Management processes. Internal auditors also play an important role in helping companies execute a SOX 404 top-down risk assessment. In these latter two areas,
internal auditors typically are part of the project team in an advisory role.
Role in corporate governance
Internal auditing activity as it relates to corporate governance is generally informal,
accomplished primarily through participation in meetings and discussions with members
of the Board of Directors. Corporate governance is a combination of processes and organizational structures implemented by the Board of Directors to inform, direct,
manage, and monitor the organization's resources, strategies and policies towards the
achievement of the organization's objectives. The internal auditor is often considered one of the "four pillars" of corporate governance, the other pillars being the Board of
Directors, management, and the external auditor.
A primary focus area of internal auditing as it relates to corporate governance is helping
the Audit Committee of the Board of Directors (or equivalent) perform its responsibilities effectively. This may include reporting critical internal control problems, informing the
Committee privately on the capabilities of key managers, suggesting questions or topics
for the Audit Committee's meeting agendas, and coordinating carefully with the external auditor and management to ensure the Committee receives effective information.
Nature of the internal audit activity
Based on a risk assessment of the organization, internal auditors, management and
oversight Boards determine where to focus internal auditing efforts. Internal auditing activity is generally conducted as one or more discrete projects. A typical internal audit
project involves the following steps:
1. Establish and communicate the scope and objectives for the audit to appropriate management.
2. Develop an understanding of the business area under review. This includes objectives, measurements, and key transaction types. This involves review of documents and interviews. Flowcharts and narratives may be created if necessary.
3. Describe the key risks facing the business activities within the scope of the audit.
4. Identify control procedures used to ensure each key risk and transaction type is properly controlled and monitored.
5. Develop and execute a risk-based sampling and testing approach to determine whether the most important controls are operating as intended.
6. Report problems identified and negotiate action plans with management to
address the problems.
7. Follow-up on reported findings at appropriate intervals. Internal audit departments maintain a follow-up database for this purpose.
Project length varies based on the complexity of the activity being audited and Internal Audit resources available. Many of the above steps are iterative and may not all occur in
the sequence indicated.
By analyzing and recommending business improvements in critical areas, auditors help
the organization meet its objectives. In addition to assessing business processes,
specialists called Information Technology (IT) Auditors review information technology
controls.
Internal audit reports
Internal auditors typically issue reports at the end of each audit that summarize their
findings, recommendations, and any responses or action plans from management. An
audit report may have an executive summary; a body that includes the specific issues or
findings identified and related recommendations or action plans; and appendix information such as detailed graphs and charts or process information. Each audit finding
within the body of the report may contain five elements, sometimes called the "5 C's":
1. Condition: What is the particular problem identified?
2. Criteria: What is the standard that was not met? The standard may be a company policy or other benchmark.
3. Cause: Why did the problem occur?
4. Consequence: What is the risk/negative outcome (or opportunity foregone) because of the finding?
5. Corrective action: What should management do about the finding? What have
they agreed to do and by when?
The recommendations in an internal audit report are designed to help the organization
achieve its goals, which may relate to operations, financial reporting or legal/regulatory compliance. They may relate to effectiveness (i.e., whether goals were met or compliance
with standards was achieved) or efficiency (i.e., whether the outputs were generated with minimum inputs).
Audit findings and recommendations also relate to particular assertions about transactions, such as whether the transactions audited were valid or authorized,
completely processed, accurately valued, processed in the correct time period, and
properly disclosed in financial or operational reporting, among other elements.
Developing the plan of engagements
Internal auditing standards require the development of a plan of audit engagements
(projects) based on a risk assessment, updated at least annually. The input of senior management and the Board is typically included in this process. Many departments
update their plan of engagements throughout the year as risks or organizational priorities
change. This effort helps ensure the audit activity is aligned with the organization's objectives, by answering two key questions: First, what goals is the organization trying
to accomplish in the upcoming period? Second, how can the Internal Audit Department
assist the organization in achieving these goals?
Internal auditors often conduct a series of interviews of senior management to identify potential engagements. Changes in people, processes, or systems often generate audit
project ideas. Various documents are reviewed, such as strategic plans, financial reports,
consulting studies, etc. Further, the results of prior audits and resolution of open issues are considered. For example, even if a business area is important, prior audit work and
the nature and status of open issues may render further audit effort unnecessary. If the
organization has a formal enterprise risk management (ERM) program, the risks identified therein help limit the amount of separate risk assessment performed by Internal
Audit.
The preliminary plan of engagements is documented and prioritized. Audit resources and
expertise are then considered and a final plan is presented to senior management and the Audit Committee. The presentations vary based on the needs of the stakeholders and may
include the following:
* Summary of key goals, risks and corresponding major audits, to illustrate alignment;
* Analyses of audit effort along a variety of dimensions (e.g., by business segment, COSO objective category, IT, Sarbanes-Oxley, vs. prior year, etc.) along with commentary regarding changes;
* Brief description of critical projects identified;
* Projects requested but not planned for execution due to prioritization and resources;
* Required co-sourcing effort, typically where outside expertise is required or during peak periods;
* Coordination with other risk functions, such as legal, compliance or insurance, to ensure coverage of key organizational risks;
* Update on audit staffing levels, experience and certification; and
* Appendix materials, such as planning approach, assumptions (e.g., days per auditor and staffing level) and brief descriptions of all planned audits and related prioritization.
Best Practices in Internal Auditing
Measuring the internal audit function
The measurement of the internal audit function can involve a balanced scorecard
approach. Internal audit functions are primarily evaluated based on the quality of counsel and information provided to the Audit Committee and top management. However, this is
primarily qualitative and therefore difficult to measure. Customer surveys sent to key
managers after each audit project or report can be used to measure performance, with an annual survey to the Audit Committee. Scoring on dimensions such as professionalism,
quality of counsel, timeliness of work product, utility of meetings, and quality of status
updates are typical with such surveys. Understanding the expectations of senior management and the audit committee represent important steps in developing a
performance measurement process, as well as how such measures help align the audit
function with organizational priorities.
Quantitative measures can also be used to measure the function's level of execution and qualifications of its personnel. Key measures include:
Plan completion: This is a measure of the degree to which the annual plan of engagements is completed, measured at a point in time. This may be measured using the
number of projects completed, weighted by the planned size of each project, with estimates for projects in-progress. Measured throughout the year, it is compared against
the percentage of the year elapsed.
Report issuance: This is a measure of the time elapsed from completion of testing to
issuance of the final audit report, including management's action plans. This can be
measured in average days or percentage of reports issued within a certain standard, such
as 30 days. Establishing expectations for the timing of management's response to report
recommendations is critical. In addition, the scope and degree of change involved in the report's action plans are key variables. For example, a report for a single retail store
requiring only the store manager's action might take 3-5 days to issue. However, a report
consolidating findings from 20 retail stores, with action plans with national implications determined by top management, may take 30-60 days in complex organizations.
Issue closure: Reported audit findings are often called issues or deficiencies.
Professional standards require audit functions to track reported findings to resolution,
which effectively requires the maintenance of an issues follow-up database. The number of days that reported issues remain open, or open after their agreed-upon closure date, are
key measures. In addition, reporting database statistics such as the number of issues open
(unresolved), closed (resolved), and issues opened/closed during a given period are useful statistics.
Staff qualifications: This can be measured through the percentage of staff with professional certifications, graduate degrees, and overall years of experience.
Staff utilization rate: This is measured as the percentage of time spent on projects, as
opposed to administrative time such as training or vacation. Many internal audit departments track time by audit project. This is typically captured in a database or
spreadsheet.
Staffing level: The number of positions filled relative to the authorized staffing level. Due
to the challenge of finding qualified staff, departments may have rotational programs to bring in management to complete tours in the function or be "guest" auditors. Audit
departments also "co-source," meaning they obtain contract auditors from service providers.
Developing and retaining staff
Developing and retaining quality professionals is a key concern in the profession. Key
methods for developing and retaining internal audit staff personnel include:
* Providing challenging, varied assignments
* Ensuring quality supervision
* Ensuring staff participates in projects from start to finish, to learn all phases of the audit process
* Providing opportunities to lead (in-charge) projects, starting with more structured projects such as Sarbanes-Oxley work
* Participating on departmental improvement task forces, such as preparation for quality assurance review
* Participating in the recruiting and interviewing process for new hires
* Rotating through various audit teams (in larger departments) or audits of various businesses
* Providing both outside training (e.g., seminars) and in-house training (e.g., company systems) for two weeks/year
* Participation in annual risk assessment activities, whether asking key questions or just taking notes
Reporting of critical findings
The Chief Audit Executive (CAE) typically reports the most critical issues to the Audit Committee quarterly, along with management's progress towards resolving them. Critical
issues typically have a reasonable likelihood of causing substantial financial or
reputational damage to the company. For particularly complex issues, the responsible
manager may participate in the discussion. Such reporting is critical to ensure the function is respected, that the proper "tone at the top" exists in the organization, and to
expedite resolution of such issues. It is a matter of considerable judgment to select
appropriate issues for the Audit Committee's attention and to describe them in the proper context.
Internal auditing and fraud investigation
Internal Auditing
Internal Auditing is an independent, objective assurance
and consulting activity designed to add value and improve an organization's operations.
It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and
governance processes.
- Institute of Internal Auditors
Fraud Investigation
Fraud Investigation consists of the multitude of steps
necessary to resolve allegations of fraud: interviewing witnesses, assembling evidence,
writing reports, and dealing with prosecutors and the courts.
- Association of Certified Fraud Examiners
Articles on Internal Auditing
COSO - The Framework for Internal Control: A Strategic Approach to Internal Audits
Compiled by Mark R. Simmons, CIA CFE
In 1992, the American Institute of Certified Public Accountants, the Institute of Internal
Auditors, the American Accounting Association, the Institute of Management
Accountants and the Financial Executives Institute issued a jointly prepared body of work entitled Internal Control - An Integrated Framework. This authoritative document
identifies the fundamental and essential objectives of any business or government entity:
economy and efficiency of operations, including safeguarding of assets and achievement
of desired outcomes; reliability of financial and management reports; and compliance with laws and regulations.
To achieve quality, processes must first be in control. To improve quality, controlled
processes must be measured and evaluated to identify obstacles to success. Effective
internal control opens the door that leads to achievement of success. The approach presented by the Framework goes directly to the one key issue of any business - is there reasonable assurance of achieving our mission, objectives, goals and desired outcomes,
while adhering to laws and regulations; and can we accurately report our success and
outcomes to the public and interested third parties.
The Framework describes a unified approach for evaluation of the internal control
systems that management has designed to provide reasonable assurance of achieving the
fundamental business objectives described above.
What is Internal Control?
Internal control is a broadly defined process, effected by people, designed to provide
reasonable assurance regarding the achievement of the following three objectives that all
businesses strive for:
1. Economy and efficiency of operations, including achievement of performance goals
and safeguarding of assets against loss;
2. Reliable financial and operational data and reports; and
3. Compliance with laws and regulations
What is Needed to Help Assure the Achievement of these Primary Business Objectives?
A. A SOUND CONTROL ENVIRONMENT
* Managers and employees who possess integrity, ethical values and competence;
* Management's philosophy and operating style;
* Proper assignment of authority and responsibility;
* Proper organization of available resources;
* Proper training and development of people; and
* Proper attention and direction from senior management.
B. A SOUND RISK ASSESSMENT PROCESS
* An awareness of and ability to deal with the risks and obstacles to successful
achievement of business objectives;
* Establishment by management of a set of objectives that integrate all the organization's
resources so that the organization operates in concert; and
* Identification, analysis and management of the risks and obstacles to successful achievement of the three primary business objectives.
C. SOUND OPERATIONAL CONTROL ACTIVITIES
* The establishment and execution of policies and procedures to help ensure effective
implementation of the actions identified by management as being necessary to address
risks and obstacles to achievement of business objectives.
(These control activities help ensure that management's directives are carried out; occur at all levels of the organization; and in all activities, units and functions. Examples
include authorizations, reviews of operating performance, security of assets, and segregation of duties.)
D. A SOUND INFORMATION AND COMMUNICATIONS SYSTEM
* Information systems produce reports, containing operational, financial and compliance
related information, that make it possible to run and control a business. They deal with internally generated data as well as the external activities, conditions and events
necessary to informed business decision making and external reporting.
* The organization's people must be able to capture and exchange the information needed
to conduct, manage and control operations.
* Pertinent information must be identified, captured and communicated in a form and
time frame that enables people to carry out their responsibilities.
* Effective communication must flow down, up and across the organization. (This
includes a clear message from top management to all personnel that control responsibilities must be taken seriously.)
* All personnel must understand their own role in the internal control system, as well as
how their individual activities relate to the work of others.
* All personnel must have a means of communicating significant information upstream.
* There must be effective communication with external parties.
E. EFFECTIVE MONITORING
* The entire control system must be monitored to assess the quality of the system's
performance over time. (Ongoing monitoring, which should occur in the normal course of operations, includes
such things as regular management and supervisory activities; and actions personnel take in performing their duties.)
* Internal deficiencies should be reported upstream, with serious matters reported to top
management.
* There should also be separate, independent evaluations of the internal control system. The scope and frequency of these independent evaluations depend primarily on the
assessment of risks and obstacles, and the effectiveness of ongoing monitoring
procedures.
Collectively, the three primary business objectives and the five components needed to achieve those objectives constitute the internal control framework.
How Can We Assess the Effectiveness of the Internal Control System?
When looking at any one of the three primary business objectives, all five components of
the control system must be present and functioning effectively in order to conclude that internal controls over operations are effective.
While internal control is a process, its effectiveness is a state or condition of the process
at a fixed point in time. When an internal control system meets the following standard, it
can be deemed "effective":
"Internal Control can be judged effective for each of the three business objectives if management have reasonable assurance that they understand the extent to which the
organization's objectives are being met; financial and management reports are being
prepared reliably; and applicable laws and regulations are being complied with."
Determining whether a particular internal control system is "effective" is a subjective
judgement resulting from an assessment of whether the five components of control are present and functioning effectively. Their effective functioning provides the "reasonable
assurance" regarding achievement of the primary objectives. The components thus form the criteria for effective control.
Internal audits can use the Framework to focus on three different levels of control:
1. Strategic
planning, organizing and directing activities that address achieving the long range mission and objectives of the entity under review.
2. Tactical
planning, organizing and directing activities that address achieving short term (annual)
objectives and goals of the entity under review that lead to success in achieving the entity's strategic mission and objectives.
3. Operational
planning, organizing and directing controls that address the day-to-day operations of the
entity.
Using a survey tool based upon the five components, internal audits can be conducted at a
strategic, rather than operational, level. These strategic internal audits can be designed to
gather testimonial and documentary evidence to either support achievement of the
standard for effective internal control; or to identify to senior managers deficiencies and
improvement opportunities for achieving effective internal control. Essentially, this
means assessing planning activities; the means of measuring accomplishment; the
reliability of data used to benchmark, report and measure; and the resources used to
achieve outcomes. The Framework approach provides an ideal vehicle for adding value
to the organization.
Some specific issues that internal auditors might look at include:
Management Plans
Management Objectives
Communication of Desired Outcomes and the Policies and Procedures to achieve outcomes
Written Standards to Measure Achievement of Desired Outcomes
Assignment of Responsibility and Granting of Authority
Budget vs Workloads
Staffing Efficiency
Communications
Process Measurement
Corrective Actions Taken and Measures of Success
Outcome Measurement and Reporting Systems
To accomplish strategic internal audits most effectively, the audit process should start at
the top of the organization with interviews of senior executives. This provides for a
professional assessment at the highest levels of operation; a benchmark against which to
compare lower level strategic internal control activities; and a clear message of support
for the strategic internal audit process.
Articles on Internal Auditing
What is Internal Auditing
About the Profession
Internal Auditing is an independent, objective assurance and consulting activity designed
to add value and improve an organization's operations. It helps an organization
accomplish its objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control, and governance processes.
Managers are responsible for designing control processes that provide reasonable
assurance the following business objectives can be achieved:
Effective and efficient operations
Compliance with laws and regulations
Reliable financial reporting
Internal auditors evaluate how well the control processes designed by managers function,
and therefore the extent to which managers can have reasonable assurance business
objectives will be realized. The internal audit function reports to top management and
normally has direct communication with the audit committee and the board of directors.
Because of their expertise and thorough knowledge of operations, internal auditors often
fulfill a consulting role to top management.
Statement of Responsibilities of Internal Auditing
The purpose of this statement is to provide in summary form a general understanding of
the responsibilities of internal auditing. For more specific guidance, readers should refer
to the Standards for the Professional Practice of Internal Auditing.
OBJECTIVE AND SCOPE
Internal Auditing is an independent appraisal function established within an organization
to examine and evaluate its activities as a service to the organization. The objective of
internal auditing is to assist members of the organization in the effective discharge of
their responsibilities. To this end, internal auditing furnishes them with analyses,
appraisals, recommendations, counsel, and information concerning the activities
reviewed. The audit objective includes promoting effective control at reasonable cost.
The members of the organization assisted by internal auditing include those in
management and the board of directors.
The scope of internal auditing should encompass the examination and evaluation of the
adequacy and effectiveness of the organization's system of internal control and the quality
of performance in carrying out assigned responsibilities. Internal auditors should:
Review the reliability and integrity of financial and operating information and the
means used to identify, measure, classify, and report such information.
Review the systems established to ensure compliance with those policies, plans,
procedures, laws, and regulations which could have a significant impact on
operations and reports, and should determine whether the organization is in
compliance.
Review the means of safeguarding assets and, as appropriate, verify the existence
of such assets.
Appraise the economy and efficiency with which resources are employed.
Review operations or programs to ascertain whether results are consistent with
established objectives and goals and whether the operations or programs are being
carried out as planned.
RESPONSIBILITY AND AUTHORITY
The internal auditing department is an integral part of the organization and functions
under the policies established by senior management and the board. The purpose,
authority and responsibility of the internal auditing department should be defined in a
formal written document (charter). The director of internal auditing should seek approval
of the charter by senior management as well as acceptance by the board. The charter
should make clear the purposes of the internal auditing department, specify the
unrestricted scope of its work, and declare that auditors are to have no authority or
responsibility for the activities they audit.
Throughout the world internal auditing is performed in diverse environments and within
organizations which vary in purpose, size, and structure. In addition, the laws and
customs within various countries differ from one another. These differences may affect
the practice of internal auditing in each environment. The implementation of the
Standards for the Professional Practice of Internal Auditing, therefore, will be governed
by the environment in which the internal auditing department carries out its assigned
responsibilities. Compliance with the concepts enunciated by the Standards for the
Professional Practice of Internal Auditing is essential before the responsibilities of
internal auditors can be met. As stated in the Code of Ethics, members of The Institute of
Internal Auditors, Inc. and Certified Internal Auditors shall adopt suitable means to
comply with the Standards for the Professional Practice of Internal Auditing.
INDEPENDENCE
Internal auditors should be independent of the activities they audit. Internal auditors are
independent when they can carry out their work freely and objectively. Independence
permits internal auditors to render the impartial and unbiased judgments essential to the
proper conduct of audits. It is achieved through organizational status and objectivity.
The organizational status of the internal auditing department should be sufficient to
permit the accomplishment of its audit responsibilities. The director of the internal
auditing department should be responsible to an individual in the organization with
sufficient authority to promote independence and to ensure a broad audit coverage,
adequate consideration of audit reports, and appropriate action on audit
recommendations.
Objectivity is an independent mental attitude which internal auditors should maintain in
performing audits. Internal auditors are not to subordinate their judgment on audit matters
to that of others. Designing, installing, and operating systems are not audit functions.
Also, the drafting of procedures for systems is not an audit function. Performing such
activities is presumed to impair audit objectivity.
Articles on Internal Auditing
An Overview of the Professional Practice of Internal Auditing
By Mark R. Simmons, CIA CFE
With the various activities and reviews internal auditors are being called on to perform,
and changes taking place today in the practice of internal auditing, I have lately been
thinking more and more about the way internal auditing is perceived, and how it perhaps
ought to be perceived. About twelve years ago, I was offered the opportunity to expand
my professional development by moving into an internal audit department. At the time,
having come from a background in public accounting, and having no familiarity with
internal auditing standards, if you had asked me to define "internal auditing", I probably
would have said something like "it's auditing within an organization to help safeguard
assets". I'm willing to bet that in many organizations, if you were randomly to ask
employees, managers and executives about their perception of internal auditing today,
many would tell you "it's the same thing that our external CPAs do, only it's done by
employees of the company". Others might say that "it's anything our internal auditors
do".
The purpose of this article is to examine the concept of internal auditing from the
perspective of The Standards for the Professional Practice of Internal Auditing. For a
moment, think about how important The Standards are in day to day professional internal
audit activities. Some of the routine ways internal audit professionals apply the standards
include how they plan and carry out their work, how the audit director determines what
that work will be, and how the results of their efforts are communicated. By obtaining a
clearer understanding of the essence of professional internal auditing standards, we can
develop a clearer understanding of the essence of internal auditing itself. Obtaining that
understanding is critical not only to presenting ourselves in the most professional way,
but also to clearly defining our area of expertise and thus the value we can provide to our
organizations.
The basic framework of The Standards For The Professional Practice Of Internal
Auditing consists of:
the Statement of Responsibilities of Internal Auditing
the Code of Ethics
the Standards for the Professional Practice of Internal Auditing, consisting of five
general standards, twenty five specific standards, and suggested guidelines for
complying with the standards.
the Statements on Internal Auditing Standards
professional practice releases
Some of the key points emphasized in the introduction to The Standards are:
the principal elements of the organization served by internal auditing are
management and the board of directors, with internal auditors owing a
responsibility to both
"the board" means the board of directors, the audit committees of such boards,
heads of agencies or legislative bodies to whom the internal auditors report,
boards of trustees, or any other designated governing body of organizations.
"Management" is anyone in an organization with responsibility for setting and/or
achieving objectives.
"senior management" is the individual, or group of individuals in management to
whom the director of internal auditing is responsible.
The purpose of The Standards is:
* to impart an understanding of the role of internal auditing
* to establish a basis for the guidance and measurement of internal auditing
performance
* to improve the practice and professionalism of internal auditing
Compliance with the concepts enunciated by the standards is essential before the
responsibilities of internal audit can be met.
When performing internal audits, the Code of Ethics of the Institute of Internal Auditors
(IIA) requires each member of the Institute and each Certified Internal Auditor (CIA) to
adopt suitable means to comply with The Standards and to conduct internal audits in
accordance with the requirements and spirit of The Standards. This is one of the key
provisions of the Code of Ethics.
Not everything that an internal auditor might be called on to do is internal auditing. If you
are a member of the IIA and/or are a CIA, it is your responsibility to understand the
essence of what internal auditing is; to know what is, and is not, an internal auditing
activity; to distinguish internal auditing from other types of audit activity that are not
internal audits; and to distinguish internal auditing from other types of non-audit
activities that an internal auditor might be called on to perform. The following table
compares internal auditing (as defined by The Standards) with other activities performed
by internal auditors.
PROFESSIONAL INTERNAL AUDITING UNDER THE STANDARDS
A REVIEW OF HOW MANAGERS PLAN, ORGANIZE AND DIRECT OPERATIONS
CONDUCTED BY MEMBERS OF THE ORGANIZATION
TO FORM AN OPINION AS TO WHETHER OR NOT MANAGEMENT HAS REASONABLE ASSURANCE THAT:
Assets are safeguarded
Laws, rules, regulations, policies and procedures are complied with
Business objectives are met
Financial and management data is accurate and reliable
Operations are carried out efficiently and economically
Professional Internal Auditing focuses on an evaluation of the system or framework of
internal control
OTHER AUDIT ACTIVITIES
CONTRACT AUDITING
COMPLIANCE AUDITING
VOUCHER AUDITING
CLAIMS AUDITING
FINANCIAL STATEMENT AUDITING
PERFORMANCE AUDITING
EXTERNAL AUDITING OF OTHER ORGANIZATIONS
OR ANY MANAGEMENT ACTIVITY ASSOCIATED WITH THE PLANNING, ORGANIZING AND DIRECTING OF
OPERATIONS
While these all may be value-added activities that auditors perform, they do not meet the
criteria of "Internal Auditing" described by The Standards. Many, if not all, of these
audit activities are governed by other professional auditing standards, such as those of
the AICPA and the General Accounting Office; or various federal regulations such as OMB
Circular A-133.
As practiced under the Standards, professional internal auditing focuses on an evaluation
of the system or framework of internal control, which the Standards describe as "the
integrated collection of control systems developed by the organization to achieve its
objectives and goals". There is a very close correlation between the Standards and COSO
(for a detailed discussion, see "The Standards and the Framework", Internal Auditor,
April 1997). The primary objective of internal controls is to give managers reasonable
assurance that:
financial and operating information is accurate and reliable
policies, procedures, plans, laws and regulations are complied with
assets are safeguarded against loss and theft
resources are used economically and efficiently
established program/operating goals and objectives will be met.
The elements of internal auditing therefore consist of:
Appraising the reliability and integrity of financial and operating information by
evaluating the means developed by management to identify, classify, measure,
and report such information
Appraising the systems management has established to ensure compliance with
policies, plans, procedures, laws and regulations that could have a significant
impact on operations and reports, and determining whether the organization is in
compliance
Appraising the means management has established to safeguard assets, and, as
appropriate, verifying the existence of such assets
Appraising the systems management has established to ensure economical and
efficient use of resources
Appraising the systems management has established to ensure results are
consistent with established objectives/goals and operations or programs are
carried out as planned.
Although there is some degree of overlap, these five elements differ from performance
audits. The primary objective of a performance audit is to evaluate operational processes
(which may or may not include internal controls) and the related results of operations,
rather than the system of control itself (GAO Yellow Book, 1994 Revision, Chapter 2,
sections 2.6 through 2.9). While some might consider this distinction insignificant, under
the Standards, it is not the internal auditor's job to evaluate a manager's performance; to
decide what the organization's objectives and goals are, or whether they are the correct
objectives and goals. These determinations and decisions are the responsibility of
management. The SPPIA instead focuses the internal auditor primarily on forming an
opinion as to whether or not management has reasonable assurance that desired
objectives and goals are being achieved, and the degree to which controls provide the
reasonable assurance that managers need (SPPIA 300.04, 300.08, and 300.08.2.c).
When we combine the definition of internal control with the scope of internal auditing,
five possible audit objectives emerge regarding how managers plan, organize and direct
activities. Internal auditors seek to answer one or more of the following questions:
Do controls over financial and operating data provide managers with reasonable
assurance that the financial and operating data is accurate and reliable
Do controls over compliance with policies, procedures, plans, laws and
regulations provide managers with reasonable assurance that proper compliance
actually occurs
Do controls over assets provide managers with reasonable assurance that assets
exist and are protected against loss that could result from theft, fire, improper or
illegal activities, or exposure to the elements
Do controls over operations provide managers with reasonable assurance that
resources are used efficiently and economically. In this context, the auditor wants
to know whether operating standards have been established for measuring
economy and efficiency; whether operating standards are understood and are
being met; whether deviations from operating standards are identified, analyzed
and communicated to those responsible for corrective action; and whether
effective corrective action has been taken
Do controls over operations and programs provide managers with reasonable
assurance that the operations and programs are being carried out as planned, and
that the results of operations are consistent with established goals and objectives.
To meet these audit objectives, internal auditors evaluate the things managers do to plan,
organize and direct activities and operations. The reasonable assurance that managers
need comes about when managers plan, organize and direct in such a way that in the
normal course of doing business, cost-effective actions are taken to minimize the risk that
undesired outcomes will occur, and maximize the likelihood that desired outcomes will
occur.
After examining the way managers have planned, organized and directed the activities of
the organization, the internal auditor draws conclusions about the adequacy and the
effectiveness of the controls. The internal auditor then expresses an opinion as to whether
or not the control system provides the necessary reasonable assurances. When the internal
auditor is of the opinion that weaknesses or conditions are present that significantly
reduce the likelihood that reasonable assurance exists, the internal auditor reports to
senior management:
the condition(s) found
criteria or standard against which the condition is being measured
the cause(s) that produced the condition
potential or actual effect(s) on desired outcomes; and
recommendations for corrective action that will improve the degree of reasonable assurance.
Internal auditors perform other activities, such as: contract auditing; compliance auditing;
voucher auditing; claims auditing; financial statement auditing; performance auditing;
external auditing of other organizations; and other management activities associated with
the planning, organizing and directing of operations. While these all may be value-added
activities, they do not meet the criteria of "Internal Auditing" described by the
Standards. Many, if not all, of these audit activities are governed by other standards. In
the United States, for example, these might be those of the American Institute of CPAs;
the US General Accounting Office's Government Auditing Standards; regulations and
laws of the Securities and Exchange Commission; or various other federal regulations
such as Circular A-133 of the US Office of Management and Budget. Does that mean
internal auditors should refrain from doing these other things when requested to do so?
No. But they should not confuse these other activities with internal audits; and should not
represent them as being internal audits.
What about consulting? Almost all of us at one time or another get involved in
"consulting" situations within our organizations. How does internal auditing activity
compare to consulting work?
According to studies by the IIA:
Internal Audits
are based on past or current activities
address management's reasonable assurance of achieving objectives
are initiated by the Audit Director
have the Audit Committee/Senior Management as the primary client
are conducted primarily by members of the internal audit department
lead to production of a standard audit report.
Consulting Activities
are future oriented
address implementing activities
are initiated by a line manager
have the line manager as the primary client
involve staff outside the internal audit department
yield a product or outcome other than an audit report opinion
Based on the IIA research, most internal auditors agree that the following activities are
examples of consulting:
Business Planning
Non-Accounting System Consulting
Business or Project Feasibility Studies
Accounting System Design and Implementation
Total Quality Management
The more progressive practitioners of internal auditing have recognized the value of and
have embraced the idea that partnering with audit clients can improve significantly the
results of internal audit work. These innovative approaches and the required paradigm
shifts are endorsed by the IIA. While the Standards do not pose any impediments to their
use, additional implementation guidance is needed. This is particularly true regarding the
issue of auditor independence vis a vis auditing in consultation with management.
"Auditor Independence" has been a cornerstone of the profession for many years - a
carryover from internal audit's roots in public accounting. IIA studies indicate that some
practitioners, in hiding behind The Standards' guidance on independence, have needlessly
sacrificed opportunities to make significant contributions to their organizations. This is an
area requiring further study by the IIA.
These issues also have sparked some interesting observations regarding the exclusion of
compliance audits and performance audits from the "internal audit" category. The
material above briefly touches on the issue of performance audits. Regarding compliance
audits, the issue is one of focus. Further examination may serve as an example of how an
internal audit is conducted under the Standards.
The objective in a typical compliance audit is to determine whether an entity has
followed applicable laws and regulations or followed proper procedures. For example, in
an audit of a youth detention center, if government regulations require that the cafeteria
only serve items listed on a dinner menu, and the kitchen runs out of the listed ice cream
and serves pudding for dessert, a compliance audit would cite the center for failing to
follow the regulations (a ludicrous, but true example). The compliance auditor doesn't
really care about the system of internal control. In audit parlance, internal control risk is
assessed at maximum (i.e., it is assumed controls are not effective). Nor does the
compliance auditor necessarily care why a violation has occurred. The compliance
auditor's job is to identify violations or deviations, and, where necessary, impose
sanctions, withhold payments, obtain refunds, identify and report employee mistakes, etc.
This is not an internal audit; and more importantly, using this methodology to carry out
an internal audit is not a particularly efficient or effective way to identify systemic,
mission critical control problems.
An internal audit of the detention center under the Standards, however, would focus on
whether or not the management of the detention center has reasonable assurance that
significant applicable laws and regulations are being complied with. The internal auditor
would want to see evidence, for example, that management has conveyed the importance
of compliance to the employees; that employees have the necessary tools and resources to
effect compliance; that employees have been properly trained in and understand
compliance issues; that management has assessed and addressed the risks and obstacles
associated with compliance; that policies and procedures have been established to address
identified risks; that information and communications systems provide necessary data in
an accurate and timely way regarding issues associated with effective compliance; and
that monitoring activities will, in the normal course of events, identify and correct
problems, and bring significant issues to light for attention, corrective action and follow
up by higher level management. If this sounds very much like COSO, it should, since the
SPPIA and COSO are two sides of the same coin (as might be expected since the IIA is
one of the sponsoring organizations). The SPPIA actually is a framework for audit
implementation of COSO theory.
If the internal auditor determines significant weaknesses exist in the control system over
compliance, he/she may conclude that the required reasonable assurance does not exist,
and recommend corrective actions. To reinforce the need for corrective action, the
internal auditor may test for evidence of errors, omissions or other adversities associated
with non-compliance that are so serious that immediate intervention by management is
required to mitigate the resultant business risks. If the internal auditor believes the
internal control system is effective, and that as a result management has the requisite
reasonable assurance, some testing may still be done to confirm the effectiveness of the
control system (it depends on the internal auditor's assessment of his/her own risk of
arriving at an incorrect opinion).
Conclusion
We, as internal audit professionals, have to be clear about what it is we are "expert" in.
That clarity comes from the Standards. Our reason for being as a profession is to support
executive management and the board of directors in carrying out corporate governance.
We do that by providing them professional opinions about the degree to which reasonable
assurance exists that business objectives will be achieved (i.e. the state of internal
control) and by keeping them informed about critical control issues that impact on
achievement of business objectives. Does that mean we can't help operating management
do a better job in the process? No. Does that mean we hide behind the Standards and
avoid going in new directions? No. Does that mean we do whatever we feel like, or
whatever our management requests, in disregard of the Standards, and still call it
"internal auditing"? While that might appear beneficial on an individual level, we can't,
as a profession, do that either, because in the larger picture, doing so confuses, obscures
and weakens the role of our profession in corporate governance; undermines our
profession's value to those we are supposed to serve; and ultimately hurts us as a
profession. But does that mean internal auditors should refrain from doing such things
when requested to? No, it does not. However, we should not confuse these other activities
with internal audits; and we should not represent them as being internal audits.