Internal Audit
WHAT?
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
[The Institute of Internal Auditors, USA]
Internal Audit Framework 3
WHY?
The main objectives of internal audit are to provide assurance on the adequacy of the whole control environment and to advise at an early stage on the implementation of any system developments, amendments to processes, and the development and implementation of organizational policies. Internal Audit provides assurance that the organization's values are upheld and that laws and regulations are complied with. It ensures that financial statements and other published information are accurate and reliable, and that human, financial and other resources are managed efficiently and effectively. Internal audit also forms part of the wider anti-fraud and anti-corruption framework of a company.
TYPES
The following types of audit are carried out by internal auditors:
- Compliance audit: to ensure compliance with the rules, regulations and laws applicable to a company.
- Operational audit: to ensure the efficient and effective conduct of a company's operations.
- Information system audit: to ensure the proper functioning of the information system throughout the life of a business.
- Performance audit: to ensure the efficient use of resources in achieving the objectives of a company.
- Environmental audit: to ensure compliance with environmental laws and regulations.
- Special assignments: investigations into fraud and corruption, or any other special service approved by the board.
Remember,
Internal auditors do not implement their recommendations; implementing the chosen solution is the sole responsibility of management. The internal audit department should set up a mechanism to monitor objectivity in every assurance and consulting activity, and prompt action must be taken to prevent any potential loss of objectivity.
AUDIT COMMITTEE
An audit committee is an arm of the board of directors, generally composed of 3 to 5 board members, with a chairperson selected from among the committee members. The members should be board members who are outsiders, i.e. individuals who are neither employees nor part of management. The audit committee has oversight responsibility for the internal and external audit functions. It acts as an independent check on management and gives users of the external financial statements assurance that the statements accurately portray the business activities of the company, that an effective internal control system is in place, and that the company complies with all applicable laws and regulations.
Mandatory Guidance
- Definition of I/A
- Code of Ethics
- The Standards
THE STANDARDS
Internal auditors carry out their work in accordance with a given set of rules, regulations and standards. These standards are issued by the Institute of Internal Auditors, USA, and are known as the International Standards for the Professional Practice of Internal Auditing (the Standards). They provide guidance on assurance and consulting activities, and their application is mandatory for internal auditors. The Standards are of the following types:
- Attribute Standards pertain to the organization and the team/staff performing internal audit work.
- Performance Standards describe the nature of internal auditing and provide quality criteria against which the performance of the work can be evaluated.
- Implementation Standards expand on each Attribute or Performance Standard, giving guidance on its application to assurance (A) or consulting (C) activities.
AUTHORITY
The staff of the Internal Audit Office report to the CAE, who reports directly to the audit committee or the board. The CAE has full and free access to the audit committee or the board. For administrative purposes the CAE may report to the CEO, but for functional purposes the CAE shall always report directly to the audit committee or the board. Internal audit is fully authorized to:
- Have complete and unrestricted access to records, personnel, and physical properties relevant to the performance of engagements.
- Delegate duties, allocate resources, select the team, determine the scope of work, and select the techniques required to accomplish objectives.
- Obtain the necessary assistance of personnel in audited units and of other specialized services within or outside the organization.
RESPONSIBILITY
The CAE, in the discharge of his duties, has the responsibility to:
- Provide an annual assessment of the effectiveness of the company's controls in managing its risks and activities.
- Identify and assess potential risks to the operations.
- Review the adequacy of controls established to ensure compliance with policies, plans, procedures, and business objectives.
- Provide periodic information on the status of the annual audit plan and the sufficiency of the Internal Audit Office's resources.
- Present a periodic (say quarterly) report to the audit committee.
- Assess the reliability and security of financial and management information and of the systems and operations that produce it.
- Assess the means of safeguarding assets.
- Review established procedures and systems and propose improvements.
- Appraise the use of resources with regard to economy, efficiency and effectiveness.
- Follow up on recommendations to make sure that effective remedial action is taken.
- Carry out appraisals, investigations, or reviews requested by management.

The CAE and the staff of the Internal Audit Office, in the discharge of their duties, have the responsibility to:
- Develop an annual audit plan based on a comprehensive risk assessment, including risks identified by management.
- Submit the annual audit plan to the audit committee or the board for approval.
- Implement the annual audit plan as approved, including special requests by management.
- Issue periodic reports to the audit committee summarizing the results of the audits.
- Coordinate with and provide oversight of other control and monitoring functions related to risk management, compliance, security, ethics, and environmental issues.
- Assist in the investigation of suspected fraudulent activities within the organization upon request from management.
- Consider the scope of work of the external auditors and regulators in order to provide wider audit coverage.
- Consider the scope of work required of external service providers or consultants.
CONTROL ENVIRONMENT
The control environment is the attitude and actions of the board and management regarding the importance of control within the organization. It provides the discipline and structure for the achievement of the primary objectives of the system of internal control.
The control environment includes the following elements:
- Integrity and ethical values.
- Management's philosophy and operating style.
- Organizational structure.
- Assignment of authority and responsibility.
- Human resource policies and practices.
- Competence of personnel.
N.B.: External auditors treat internal audit as a component of the control environment.
FRAUD DETERRENCE
Managing the risk of fraud and corruption is the responsibility of management. Audit procedures alone, even when performed with due professional care, cannot guarantee that fraud or corruption will be detected. Internal audit does not have responsibility for the prevention or detection of fraud and corruption. Internal auditors will, however, be alert in all their work to risks and exposures that could allow fraud or corruption. Internal audit may be requested by management to assist with fraud examination work.
SCOPE
The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the organization's governance, risk management, and internal processes, as well as the quality of performance in carrying out assigned responsibilities to achieve the organization's stated goals and objectives. This includes:
- Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information.
- Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the organization.
- Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
- Evaluating the effectiveness and efficiency with which resources are employed.
PLANNING
- Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.
- Monitoring and evaluating governance processes.
- Monitoring and evaluating the effectiveness of the organization's risk management processes.
- Evaluating the quality of performance of the external auditors and the degree of coordination required with internal audit.
- Performing consulting and advisory services related to governance, risk management and control, as appropriate for the company.
- Reporting periodically on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan.
- Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the board.
- Evaluating specific operations at the request of the board or management, as appropriate.
RISK COMPOSITION
Internal audit has a responsibility to cover financial, operational, information system, legal/regulatory and all other risks that may have a significant impact on the business of an entity.
- Risk qualification & prioritization
- Risk monitoring
- Risk mitigation & avoidance
REPORT RESULTS
In general, share important and sensitive findings with responsible managers immediately upon verification by the auditor; short memo reports may be used in this process. Prepare a first draft of the final report and discuss it with responsible managers immediately following the fieldwork.
FINAL REPORT
- Issue the final report to management.
- Prepare a checklist of issues to be discussed with management in the next period's audit.
- Record management's comments on the report.
FOLLOW UP
At the completion of each audit, the auditor will send an evaluation survey form to the clients of the audit. This form should be completed and returned to the Office of Internal Audit, in order to ensure continuous improvement of these procedures and the internal audit function. Approximately six months following completion of each audit, the auditor will conduct a follow-up review to verify the completion of agreed-upon management actions and ascertain the status of open recommendations. A follow-up report will be generated annually for distribution to senior management and members of the Audit Committee.
AVOID PITFALLS
Richard Chambers, CIA, has shared his experience of failed internal audit assignments and identified six main reasons for the failure of internal audits. We agree with him on these reasons and wish them to be avoided while performing internal audit work. They are as follows:
1. Not setting aside enough time to properly plan the audit work. Proper planning is the glorious road to successful audit work.
2. Trying to audit too much. Stay relevant to risk: keep one eye on the relevance of the work being done to the overall objectives of the audit.
3. Not involving the client or the auditee personnel.
4. Failing to augment the audit team with functional expertise.
5. Forgetting that the audit should ultimately add value.
6. Forgetting to follow the risks. New risks may emerge during the progress of the audit work; change the work plan accordingly.
Internal Audit
Internal auditors are appointed and removed by the management of the company at any time.
The scope of I/A is much broader and covers all risks to a business entity. The objective of I/A is to help management in risk management and to add value by creating efficiency in systems, so that the objectives of the business entity are achieved.
The report of internal auditors is shared with management via the audit committee.
External Audit
External auditors are appointed and removed by the shareholders directly at the AGM.
The scope of E/A is specified in the terms of reference signed with the company. The objective of E/A is to report on the truth and fairness of the financial statements by examining the underlying records, based on the evaluation of evidence gathered during the work. External auditors report to the shareholders' representatives, the members of the board of directors, and interact directly with the members at the AGM or EGM. The report of the external auditors is shared with the shareholders and, once published, with the public, in the case of a listed company whose share capital is raised from the public.
PRINCIPLES
Internal auditors are expected to apply and uphold the following principles:
- Integrity: The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
- Objectivity: Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.
- Confidentiality: Internal auditors respect the value and ownership of the information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
- Competency: Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.
RULES OF CONDUCT
1. Integrity
Internal Auditors:
- Shall perform their work with honesty, diligence, and responsibility.
- Shall observe the law and make the disclosures expected by the law and the profession.
- Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.
- Shall respect and contribute to the legitimate and ethical objectives of the organization.
2. Objectivity
Internal Auditors:
- Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This includes those activities or relationships that may be in conflict with the interests of the organization.
- Shall not accept anything that may impair or be presumed to impair their professional judgment.
- Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.
3. Confidentiality
Internal Auditors:
- Shall be prudent in the use and protection of information acquired in the course of their duties.
- Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.
4. Competency
Internal Auditors:
- Shall engage only in those services for which they have the necessary knowledge, skills, and experience.
- Shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing.
- Shall continually improve their proficiency and the effectiveness and quality of their services.
1. Add Value: The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes.
2. Adequate Control: Present if management has planned and organized (designed) in a manner that provides reasonable assurance that the organization's risks have been managed effectively and that the organization's goals and objectives will be achieved efficiently and economically.
3. Assurance Services: An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.
4. Board: A board is an organization's governing body, such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a nonprofit organization, or any other designated body of the organization, including the audit committee to whom the chief audit executive may functionally report.
5. Charter: The internal audit charter is a formal document that defines the internal audit activity's purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity's position within the organization; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities.
6. Chief Audit Executive: Chief audit executive describes a person in a senior position responsible for effectively managing the internal audit activity in accordance with the internal audit charter and the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive or others reporting to the chief audit executive will have appropriate professional certifications and qualifications. The specific job title of the chief audit executive may vary across organizations.
7. Code of Ethics: The Code of Ethics of The Institute of Internal Auditors (IIA) consists of Principles relevant to the profession and practice of internal auditing, and Rules of Conduct that describe the behavior expected of internal auditors. The Code of Ethics applies to both parties and entities that provide internal audit services. The purpose of the Code of Ethics is to promote an ethical culture in the global profession of internal auditing.
8. Compliance: Adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.
9. Conflict of Interest: Any relationship that is, or appears to be, not in the best interest of the organization. A conflict of interest would prejudice an individual's ability to perform his or her duties and responsibilities objectively.
10. Consulting Services: Advisory and related client service activities, the nature and scope of which are agreed with the client, that are intended to add value and improve an organization's governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.
11. Control Processes: The policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process.
12. Control: Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
13. Control Environment: The attitude and actions of the board and management regarding the importance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements: integrity and ethical values; management's philosophy and operating style; organizational structure; assignment of authority and responsibility; human resource policies and practices; competence of personnel.
14. Control Processes: The policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process.
15. Engagement: A specific internal audit assignment, task, or review activity, such as an internal audit, control self-assessment review, fraud examination, or consultancy. An engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives.
16. External Service Provider: A person or firm outside of the organization that has special knowledge, skill, and experience in a particular discipline.
17. Engagement Objectives: Broad statements developed by internal auditors that define intended engagement accomplishments.
18. Engagement Work Program: A document that lists the procedures to be followed during an engagement, designed to achieve the engagement plan.
19. Fraud: Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.
20. Governance: The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
21. Impairment: Impairment to organizational independence and individual objectivity may include personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations (funding).
22. Independence: The freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.
23. Information Technology Controls: Controls that support business management and governance as well as provide general and technical controls over information technology infrastructures such as applications, information, infrastructure, and people.
24. Information Technology Governance: Consists of the leadership, organizational structures, and processes that ensure that the enterprise's information technology supports the organization's strategies and objectives.
25. Internal Audit Activity: A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization's operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management and control processes.
26. International Professional Practices Framework (IPPF): The conceptual framework that organizes the authoritative guidance promulgated by The IIA. Authoritative Guidance is comprised of two categories: (1) mandatory and (2) strongly recommended.
27. Must: The Standards use the word "must" to specify an unconditional requirement.
28. Objectivity: An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others.
29. Risk Appetite: The level of risk that an organization is willing to accept.
30. Risk Management: A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives.
31. Should: The Standards use the word "should" where conformance is expected unless, when applying professional judgment, circumstances justify deviation.
32. Significance: The relative importance of a matter within the context in which it is being considered, including quantitative and qualitative factors such as magnitude, nature, effect, relevance, and impact. Professional judgment assists internal auditors when evaluating the significance of matters within the context of the relevant objectives.
33. Residual Risk: The risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to a risk.
34. Risk: The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.
35. Standard: A professional pronouncement promulgated by the Internal Audit Standards Board that delineates the requirements for performing a broad range of internal audit activities, and for evaluating internal audit performance.
36. Technology-based Audit Techniques: Any automated audit tool, such as generalized audit software, test data generators, computerized audit programs, specialized audit utilities, and computer-assisted audit techniques (CAATs).
Internal audit software (# / Software name / Website):
1. TeamMate: http://www.teammatesolutions.com
2. Compliance 360: http://www.compliance360.com
3. MetricStream Internal Audit Management Software Solution: http://www.metricstream.com
4. Audit Management Software - MKinsight: http://www.mkinsight.com
5. Methodware: http://www.methodware.com
6. easy2comply Internal Audit Management software: http://www.easy2comply.com
7. Barnowl Internal Audit: http://www.barnowl.co.za
8. Cura Audit: http://www.curasoftware.com
9. Enterprise GRC For Internal Audit: http://accelus.thomsonreuters.com
10. RSA Archer Audit Management: http://www.emc.com
11. TrackWise audit management software: http://www.spartasystems.com
12. Enablon IA - Internal Audit: http://enablon.com
13. Symbiant Tracker: http://www.symbiant.co.uk
14. ACL: http://www.cqs.co.za
15. Mega internal audit management solution: http://www.mega.com
16. Galileo Audit Management: http://www.horwathsoftware.com
17. BPS Resolvers GRC Suite: http://www.bpsresolver.com
18. IBM OpenPages Internal Audit Management: http://www-142.ibm.com/software
19. RSM TENON: http://www.rsmtenon.com/Services/InternalAudit/Internal-Audit-Tools.aspx
20. Intelex's Audits Management Software: http://www.intelex.com
21. Rivo's web-based Audit: http://www.rivosoftware.com
22. KMI's Audit & Inspection module: http://www.kminnovations.com
23. http://www.accusystem.com
24. http://www.align-alytics.com
25. Infor Approva Continuous Monitoring: http://www.infor.com
26. Bulldog Tax Audit - Bulldog Tax Audit: http://www.bulldogtaxaudit.com
27. CCH - CCH TeamMate: http://www.cchgroup.com
28. CMO Compliance: http://www.cmo-compliance.com
29. Complyant: http://www.complyant.com
30. ComplianceAnalyzer: http://www.complianceease.com
31. Cornerstone OnDemand - Cornerstone Compliance Management Software: http://www.cornerstoneondemand.com
32. Dakota Software - Dakota Auditor: http://www.dakotasoft.com
33. Datawatch - Monarch Professional: http://www.datawatch.com
34. Enterprise Auditor: http://www.ecora.com/Ecora
35. AuditXL: http://www.solutionsforbusinessmanagement.com
36. EZ-R Stats - Audit Commander: http://www.ezrstats.com
37. UMT Audit Software: http://www.laubrass.com
ABBREVIATIONS
1. AGM: Annual General Meeting
2. I/A: Internal Audit
3. CAE: Chief Audit Executive
4. CEO: Chief Executive Officer
5. Deptt.: Department
6. E/A: External Audit
7. EGM: Extraordinary General Meeting
8. IIA: The Institute of Internal Auditors
9. IPPF: International Professional Practices Framework
10. ISPPIA: International Standards for the Professional Practice of Internal Auditing
11. PAs: Practice Advisories
12. PPs: Position Papers
13. PGs: Practice Guides
Thank you!
ACKNOWLEDGEMENT
The definition, the official terminology and the Code of Ethics used in this presentation are those given by the IIA. We owe a debt of gratitude to the IIA for the use of this material in our presentation.
A presentation by