CIA Part I June 2009

Part I Internal Audit Role in Governance, Risk & Control CIA exam review course Prepared by Jack Davidsz www.mas-online.nl


DESCRIPTION

I composed this presentation to prepare candidates for the Certified Internal Auditor's Part I examination. During the training we use other study aids as well.

TRANSCRIPT

Page 1: Cia Part I June 2009

Part I: Internal Audit Role in Governance, Risk & Control

CIA exam review course

Prepared by Jack Davidsz, www.mas-online.nl

Page 2: Cia Part I June 2009

Part I: Internal Audit's Role in Governance, Risk, and Control (13th edition, Gleim)

1. Standards and Proficiency
2. Charter, Independence, & Objectivity
3. Internal Audit Roles I
4. Internal Audit Roles II
5. Control I
6. Control II
7. Planning & Supervising the Engagement
8. Managing the Internal Audit Activity I
9. Managing the Internal Audit Activity II
10. Engagement Procedures, Ethics and Fraud

Page 3: Cia Part I June 2009

Internal auditing is a management-oriented discipline

Evolved from a function concerned with financial and accounting matters to one that addresses the entire range of operating activities.

Page 4: Cia Part I June 2009

• Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.

• It helps an organization accomplish its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s risk management, control, and governance processes.

IIA Board of Directors, June 1999.

Page 5: Cia Part I June 2009

Attribute Standards

1000 Purpose, Authority and Responsibility

1100 Independence and Objectivity

1200 Proficiency and Due Professional Care

1300 Quality Assurance and Improvement Program

Page 6: Cia Part I June 2009

Performance Standards

2000 Managing the Internal Audit Activity

2100 Nature of Work

2200 Engagement Planning

2300 Performing the Engagement

2400 Communicating Results

2500 Monitoring Progress

2600 Management’s Acceptance of Risk

Page 7: Cia Part I June 2009

Consulting Services

Advisory and related client service activities, the nature and scope of which are agreed upon with the client and which are intended to add value and improve an organization’s operations.

Page 8: Cia Part I June 2009

Assurance Services > 1 year

Formal consulting engagement

Independence and objectivity are strengthened by

• Assigning different auditors

• Independent management and supervision

• Separate accountability for the projects

• Disclosing the presumed impairment

Page 9: Cia Part I June 2009

Obtaining Services to Support or complement the Internal Audit Activity

CAE should assess the competency, independence and objectivity of the outside service provider.

When the outside service provider performs internal auditing activities, the CAE should specify and ensure that the work complies with the Standards for the Professional Practice of Internal Auditing (SPPIA).

Page 10: Cia Part I June 2009

Due professional care: expected of a reasonably prudent and competent internal auditor, who should be alert to the possibility of intentional wrongdoing, errors and omissions, inefficiency, waste, ineffectiveness, and conflicts of interest.

Due care implies reasonable care and competence, not infallibility or extraordinary performance.

Page 11: Cia Part I June 2009

Charter:

• Mission and Scope of work

• Accountability

• Independence

• Responsibility

• Authority

Page 12: Cia Part I June 2009

Chief Audit Executive Reporting Lines

Functional: directly to the audit committee or equivalent, to ensure independence and communication.

Administrative: to the CEO or another executive, to provide the support needed for day-to-day activities.

Page 13: Cia Part I June 2009

The comprehensive scope of work of internal auditing should provide reasonable assurance that management's

• Risk management system is effective

• System of internal control is effective and efficient

• Governance process is effective

Page 14: Cia Part I June 2009

Primary objectives of the overall management process

• Relevant, reliable and credible information

• Effective and efficient use of resources

• Safeguarding of assets

• Identification of risk exposures

• Objectives and goals for operations and programs

• Compliance with laws, regulations, ethical and business norms, and contracts.

Page 15: Cia Part I June 2009

Governance

Processes and structures implemented by the board to inform, direct, manage and monitor activities toward achievement of objectives (Glossary)

Page 16: Cia Part I June 2009

Ethical Culture

• Nature of the governance process

• Link to ethical culture

• Everyone an ethics advocate

• Enhanced ethical culture

(PA 2130-1)

Page 17: Cia Part I June 2009

Governance

Meeting the following responsibilities

• Complying with society’s legal and regulatory rules

• Satisfying the generally accepted business norms, ethical precepts

• Providing overall benefits to society

• Reporting fully and truthfully

Page 18: Cia Part I June 2009

Internal auditor should take an active role in support of the organization’s ethical culture.

Page 19: Cia Part I June 2009

Monitoring Progress

A system to monitor the disposition of results

communicated to management

Page 20: Cia Part I June 2009

Follow up

Effective corrective action taken

Board/management has assumed the risk of not taking action

Page 21: Cia Part I June 2009

Compliance

• Compliance programs

• Compliance standards and procedures

• Specific high-level personnel

• Screening employees

• Communication of standards and procedures

• Systems for detecting illegality

• Adequate and case-specific discipline

• Documentation

• Appropriate response after detection

Page 22: Cia Part I June 2009

Compliance programs

Assist in preventing inadvertent employee violations, detecting illegal activities and discouraging intentional employee violations.

Help prove insurance claims, determine director liability, create or enhance corporate identity, and decide the appropriateness of punitive damages.

Page 23: Cia Part I June 2009

Compliance

There should be a monitoring and auditing system to detect criminal conduct and a reporting system whereby employees can report criminal conduct by others without fear of retribution.

Page 24: Cia Part I June 2009

CAE should obtain an understanding of management’s and board’s expectations of the internal audit activity in the organization’s risk management process.

Page 25: Cia Part I June 2009

Internal auditors can facilitate or enable risk management processes, but they should not “own” or be responsible for the management of the risks identified.

Page 26: Cia Part I June 2009

Depending on the size and complexity of the organization's business activities, risk management processes can be

• Formal ↔ informal

• Quantitative ↔ subjective

• Business unit ↔ corporate level

Page 27: Cia Part I June 2009

The internal audit activity's role can change over time

• No role

• Auditing the risk management process

• Active, continuous support and involvement

• Managing and coordinating

Page 28: Cia Part I June 2009

Environment, health and safety risks

CAE environmental audit chief

EH&S audit program

• Compliance - focused

• Management system –focused

• Combination

Page 29: Cia Part I June 2009

5 key objectives of a risk management process

1. Risks arising from business strategies and activities are identified and prioritized

2. Management and board have determined the level of risks acceptable to the organization

Page 30: Cia Part I June 2009

- continued

3. Risk mitigation activities are designed and implemented

4. Monitoring activities to reassess risk and effectiveness of controls

5. Reports of the results of the risk management processes

Page 31: Cia Part I June 2009

Internal auditors should evaluate the organization’s readiness to deal with business interruptions.

Page 32: Cia Part I June 2009

The organization should be able to prove its best efforts to collect information with regard to an incident and its appropriate action.

Page 33: Cia Part I June 2009

Disaster recovery plan

Internal auditors can

• Assist with the risk analysis

• Evaluate the design and comprehensiveness of the plan

• Perform periodic assurance engagements

Page 34: Cia Part I June 2009

Internal auditors should periodically assess information security practices and recommend, as appropriate, enhancements to, or implementation of new controls and safeguards.

Page 35: Cia Part I June 2009

Privacy

• Laws require privacy controls

• Personal information identifies a specific individual

• The auditor must comply with all laws

• Access to or use of personal information may be inappropriate or illegal in certain engagements

Page 36: Cia Part I June 2009

Control

Any action taken by management to enhance the likelihood that established objectives and goals will be achieved

• Preventive

• Detective

• Directive

• Mitigating

Page 37: Cia Part I June 2009

The CAE reports on the state of the organization’s control processes to senior management and the audit committee.

Page 38: Cia Part I June 2009

Challenge for IAA

Evaluation of the effectiveness of the system of controls, based on many individual assessments

Three key considerations

• Significant discrepancies?

• Corrections or improvements?

• Pervasive condition → unacceptable risk?

Page 39: Cia Part I June 2009

CSA (control self-assessment)

Objectives:

• Identifying risks

• Assessing control processes

• Developing action plans

• Determining likelihood of achieving business objectives

Page 40: Cia Part I June 2009

Three primary forms of CSA

• Facilitated team workshops, representing different levels in the business unit

• Survey form, utilizing a questionnaire

• Management-produced analyses, covering most other approaches

A CSA program should focus internal audit's work on reviewing high-risk processes and unusual situations.

Page 41: Cia Part I June 2009

Quarterly Financial Reporting

Disclosures

Management Certifications

Sarbanes-Oxley Act

Page 42: Cia Part I June 2009

The executive officer(s) and financial officer(s) certify in each quarterly and annual report

• True and fair presentation

• Disclosure controls and procedures

Page 43: Cia Part I June 2009

The same officers disclose to the external auditors and to the audit committee

• All significant deficiencies in internal controls

• Any fraud

• Significant changes in internal controls

Page 44: Cia Part I June 2009

Recommended Actions

1. Internal auditor’s role from initial designer to independent assessor

2. Clearly defined role and responsibilities

3. Organization’s formal policy and procedures

4. Disclosure committee

Page 45: Cia Part I June 2009

Recommended Actions- continued

5. Periodic review and evaluation of quarterly reporting and disclosure processes

6. Recommendation of best practices

7. Comparison of the processes for complying with requirements regarding quarterly financial reporting & disclosures and management's annual assessment & public report on internal controls

Page 46: Cia Part I June 2009

Systems approach to control

Input Process Output

Feedback

Feed forward

System boundary

Page 47: Cia Part I June 2009

Classification of controls

• Feedback

• Concurrent

• Feed forward

Page 48: Cia Part I June 2009

Characteristics of an effective control system

• Economical

• Meaningful

• Appropriate

• Congruent

• Timely

• Simple

• Operational

Page 49: Cia Part I June 2009

Internal Control (COSO)

A process, effected by an entity’s Board of Directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

Page 50: Cia Part I June 2009

Internal Control - continued

• Effectiveness and efficiency of operations

• Reliability of financial reporting

• Compliance with applicable laws and regulations

• Safeguarding of assets against unauthorized acquisition, use or disposition

Page 51: Cia Part I June 2009

Components of the Internal Control System

• Control Environment (CE)

• Risk Assessment (RA)

• Control Activities (CA)

• Information and Communication (IC)

• Monitoring (MO)

Page 52: Cia Part I June 2009

Enterprise Risk Management

• Process ..

• Applied in strategy setting and across..

• Designed to identify potential events..

• Manage risks..

• To provide reasonable assurance..

• Achievement of entity objectives

Page 53: Cia Part I June 2009

CoCo (Criteria of Control Board of the CICA): 20 criteria grouped into the following 4 components

• Purpose

• Commitment

• Capability

• Monitoring and Learning

Page 54: Cia Part I June 2009

COSO and CoCo models emphasize soft controls e.g.

CoCo : ethical values, mutual trust

COSO : part of the control environment

Page 55: Cia Part I June 2009

Organization

The way individual work efforts within an entity are assigned and integrated for achievement of objectives and goals.

Page 56: Cia Part I June 2009

Organizational Control

The means of achieving the most effective possible use of organizational arrangements

Page 57: Cia Part I June 2009

Means of control (Sawyer)

• Organization

• Policies

• Procedures

• Personnel

• Accounting

• Budgeting

• Reporting

Page 58: Cia Part I June 2009

No control system is so perfect that it can function without outside review.

Page 59: Cia Part I June 2009

Resistance to organizational changes may be overcome by a participative management.

Page 60: Cia Part I June 2009

Organizational structure

• Authority: right to direct and exact performance from others

• Responsibility: obligation to perform

• Accountability: duty to account for the fulfillment of the responsibility

Page 61: Cia Part I June 2009

Leadership = directing process

Process of influencing people so they will strive toward the achievement of group goals.

Page 62: Cia Part I June 2009

Styles of leadership

• Autocratic

• Consultative

• Participative

• Free-rein = laissez faire

• Bureaucratic

Page 63: Cia Part I June 2009

Two behavior patterns

1. Initiating structure

2. Consideration

Page 64: Cia Part I June 2009

Contingency approach

The right person at the right time may rise to a position of leadership if their personality and the needs of the situation complement each other.

Page 65: Cia Part I June 2009

Situational leadership theory

The appropriate leadership style depends on the followers' maturity (= willingness to be responsible for directing their own behavior).

Page 66: Cia Part I June 2009

Influence

An attempt to change the behavior of others e.g. consultation, persuasion, inspirational appeals.

Page 67: Cia Part I June 2009

Conflict may be constructive or destructive

Communication, structure and personal variables are conditions that may result in conflict.

Page 68: Cia Part I June 2009

Conflict may result in better decision making, a reduction in complacency, more self-criticism, greater creativity, and solutions to problems.

Page 69: Cia Part I June 2009

Conflicts may be solved e.g. as follows:

• Problem solving

• Smoothing

• Forcing

• Superordinate goals

• Compromise

• Avoidance

Page 70: Cia Part I June 2009

4 Phases of an audit engagement

1. Planning

2. Performing the engagement

3. Communicating results

4. Monitoring progress

Page 71: Cia Part I June 2009

Engagement Planning

Engagement objectives should reflect the results of the risk assessment.

Engagement procedures are the means to attain engagement objectives

Taken together they define the scope of the internal auditor’s work

Background information

Page 72: Cia Part I June 2009

Engagement Planning- continued

Engagement resource allocation

Communicating with all who need to know about the audit

Determining how, when and to whom audit results will be communicated

Survey to become familiar with the activities, risks and controls, to identify areas for audit emphasis

Page 73: Cia Part I June 2009

Engagement Work Program

Directions for the examination and evaluation of the information needed to meet audit objectives within the scope of the audit engagement.

Page 74: Cia Part I June 2009

• Engagement work program should be approved in writing by the CAE prior to the commencement of engagement work.

• Engagements should be properly supervised to ensure objectives are achieved, quality is assured and staff is developed. Appropriate evidence of supervision should be documented and retained.

• Working papers should be reviewed to ensure that they properly support the engagement communications.

Page 75: Cia Part I June 2009

Planning for the IAA involves establishing

• Goals

• Engagement work schedules

• Staffing plans and financial budgets

• Activity reports

Page 76: Cia Part I June 2009

The IAA’s plan should be based on a risk assessment, undertaken at least annually.

Page 77: Cia Part I June 2009

The CAE should report periodically to the board and senior management on the IAA’s purpose, authority, responsibility, and performance relative to its plan.

Page 78: Cia Part I June 2009

Audit Committee Functions

• Select an external auditor and review the audit fee

• Review the external auditor's overall audit plan

• Review preliminary annual and interim financial statements

• Review results of engagements performed by external auditors, including the management letter

• Approve the charter of the IAA

Page 79: Cia Part I June 2009

Audit Committee Functions-continued

• Review and approve the IAA’s plans and resource requirements

• Directly communicate with the CAE

• Review evaluations of risk management, control and governance processes reported by the internal auditors

• Ensure that engagements results are given due consideration

Page 80: Cia Part I June 2009

SOX requirements

Audit committee

• Consists of independent members of the board of directors

• Includes at least one financial expert

• Is responsible for appointing, compensating and overseeing the work of the public accounting firm; the audit firm must report directly to the audit committee

• Should implement procedures regarding complaints about accounting and auditing matters

• Must be appropriately funded by the issuer

Page 81: Cia Part I June 2009

IIA standards require internal auditors to “share information and coordinate activities with other internal and external providers of relevant assurance and consulting services”.

Page 82: Cia Part I June 2009

For that reason it is advisable for internal auditors to have some role or involvement in the selection or retention of the external auditors and in the definition of scope of work.

Page 83: Cia Part I June 2009

Coordination of audit efforts involves periodic meetings

regarding

• Audit coverage

• Access to each other’s audit programs and working papers

• Exchange of audit reports and management letter

• Common understanding of audit techniques, methods and terminology

Page 84: Cia Part I June 2009

A board or audit committee approved policy can facilitate the periodic request for external audit services and position such exercises as normal business activities.

Page 85: Cia Part I June 2009

Quality assurance and Improvement Program covers all aspects of the IAA and continuously monitors its effectiveness.

Should help the IAA add value and improve the organization’s operations and provide assurance that the IAA is in conformity with the Standards and Code of Ethics

Page 86: Cia Part I June 2009

Internal Assessments

• Ongoing Reviews

• Periodic Reviews

Page 87: Cia Part I June 2009

Establishing measures to support reviews of

Internal Audit Activity Performance

Page 88: Cia Part I June 2009

Balanced Scorecard Framework

For

Internal Auditing Departments

(page 354)

Page 89: Cia Part I June 2009

External Assessments

Should be conducted at least once every five years by a qualified independent reviewer from outside the organization

Page 90: Cia Part I June 2009

A reviewer should

• Be a competent certified audit professional, who possesses current knowledge of the Standards

• Be well versed in the best practices of the profession

• Have at least three years of recent experience in the practice of internal auditing

Page 91: Cia Part I June 2009

Benchmarking

Entails analysis and measurement of key output against those of the best organizations.

Own process performance versus performance by the best in the class.

Page 92: Cia Part I June 2009

Audit procedures

Internal auditors apply engagement (audit) procedures to obtain sufficient, competent, relevant and useful information to achieve the engagement’s objectives.

Page 93: Cia Part I June 2009

Sawyer’s six categories of procedures

1. Observing

2. Questioning

3. Analysis

4. Verifying

5. Investigating

6. Evaluating

Page 94: Cia Part I June 2009

In financial audits internal auditors must develop and use engagement procedures to test assertions made by information e.g. in the annual accounts

Page 95: Cia Part I June 2009

Assertion model from AICPA

• Completeness

• Rights and Obligations

• Valuation or Allocation

• Existence or Occurrence

• Statement Presentation and Disclosure

Page 96: Cia Part I June 2009

Audit evidence in financial audits (diagram): economic transactions, underlying accounting data, corroborating information, financial statements (FS); completeness test and existence test.
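The two tests in the diagram run in opposite directions: a completeness test traces forward from the population of economic transactions into the records, a test of existence (or occurrence) vouches backward from recorded entries to supporting transactions. The script below is an added example, not part of the deck or of Gleim's material, and it uses a constructed sample of invoice references and amounts to show both directions as a reconciliation; the names `Transaction`, `completeness_test` and `existence_test` are assumptions of this example.

```python
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transaction:
    """One economic transaction or one ledger entry, keyed by its document reference."""
    ref: str
    amount: Decimal


# Constructed sample data (not from the deck): the source population of
# economic transactions and what the accounting records actually contain.
SOURCE = [
    Transaction("INV-001", Decimal("100.00")),
    Transaction("INV-002", Decimal("250.50")),
    Transaction("INV-003", Decimal("75.00")),
    Transaction("INV-004", Decimal("40.00")),
]

LEDGER = [
    Transaction("INV-001", Decimal("100.00")),
    Transaction("INV-002", Decimal("205.50")),  # transposed digits
    Transaction("INV-004", Decimal("40.00")),
    Transaction("INV-004", Decimal("40.00")),   # posted twice
    Transaction("INV-009", Decimal("999.00")),  # no source document
]


def completeness_test(source, ledger):
    """Trace forward: every source transaction must be recorded, with the same amount.

    Returns a list of (ref, reason) exceptions in source order.
    """
    ledger_by_ref = {entry.ref: entry for entry in ledger}
    exceptions = []
    for txn in source:
        entry = ledger_by_ref.get(txn.ref)
        if entry is None:
            exceptions.append((txn.ref, "not recorded"))
        elif entry.amount != txn.amount:
            exceptions.append((txn.ref, f"amount {entry.amount} != {txn.amount}"))
    return exceptions


def existence_test(source, ledger):
    """Vouch backward: every ledger entry must be supported by exactly one source transaction.

    Flags entries with no supporting transaction and entries posted more than once.
    Returns a list of (ref, reason) exceptions in ledger order, one per reference.
    """
    source_refs = {txn.ref for txn in source}
    posted = Counter(entry.ref for entry in ledger)
    exceptions = []
    seen = set()
    for entry in ledger:
        if entry.ref in seen:
            continue
        seen.add(entry.ref)
        if entry.ref not in source_refs:
            exceptions.append((entry.ref, "no supporting transaction"))
        elif posted[entry.ref] > 1:
            exceptions.append((entry.ref, f"posted {posted[entry.ref]} times"))
    return exceptions


if __name__ == "__main__":
    for ref, reason in completeness_test(SOURCE, LEDGER):
        print(f"completeness exception {ref}: {reason}")
    for ref, reason in existence_test(SOURCE, LEDGER):
        print(f"existence exception {ref}: {reason}")
```

Neither test alone is sufficient: the completeness test cannot see the unsupported entry INV-009 or the double posting of INV-004, and the existence test cannot see that INV-003 was never recorded. An auditor selects the population to sample from according to the assertion being tested, which is why the diagram draws the two tests from opposite ends.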

Page 97: Cia Part I June 2009

Code of Ethics

•Principles

•Rules of Conduct

Page 98: Cia Part I June 2009

The Rules of Conduct

HOW ?

1. Integrity

2. Objectivity

3. Confidentiality

4. Competency

Page 99: Cia Part I June 2009

1. Integrity

• Work with honesty, diligence and responsibility

• Observe the law and make disclosures

• Do not be a party to any illegal activity

• Respect the ethical objectives of the organization

Page 100: Cia Part I June 2009

2. Objectivity

• Do not participate in any activity that may impair unbiased assessment

• Do not accept anything that may impair professional judgment

• Disclose all material facts

Page 101: Cia Part I June 2009

3. Confidentiality

• Be prudent in the use and protection of information

• Do not use information for any personal gain

Page 102: Cia Part I June 2009

4. Competency

• Knowledge, skills, and experience

• Perform in accordance with the Standards

• Continually improve services

Page 103: Cia Part I June 2009

Fraud

Encompasses an array of irregularities and illegal acts characterized by intentional deception. It can be perpetrated for the benefit of or to the detriment of the organization, and by persons outside as well as inside the organization.

Page 104: Cia Part I June 2009

Fraud

• Deterrence

• Detection

• Investigation

• Reporting

Page 105: Cia Part I June 2009

Deterrence of fraud

Internal auditors are responsible for assisting in the deterrence of fraud by examining and evaluating the adequacy and the effectiveness of control, commensurate with the extent of the potential exposure/risk in the various segments of the entity’s operations.

Page 106: Cia Part I June 2009

Detection of fraud

Responsibilities of the internal auditor

• Have sufficient knowledge of fraud to be able to identify indicators

• Be alert to opportunities, such as control weaknesses

• Evaluate the indicators that fraud might have been committed

• Notify the appropriate authorities within the organization if there are sufficient indicators to recommend an investigation

Page 107: Cia Part I June 2009

Investigation of fraud

Responsibilities of the internal auditor

• Assess the probable level and the extent of complicity in the fraud within the organization

• Determine the knowledge, skills and disciplines needed to effectively carry out the investigation

• Design procedures to follow in attempting to identify the perpetrators, extent of fraud, techniques used and cause of the fraud

• Coordinate activities with management personnel, legal counsel and other specialists

• Be cognizant of the rights of alleged perpetrators and personnel.

Page 108: Cia Part I June 2009

Reporting of fraud

Responsibilities of the internal auditor

• A preliminary or final report may be desirable at the conclusion of the detection phase

• When the incidence of significant fraud has been established, management or the board should be notified immediately

• If fraud has had a materially adverse effect on the financial position and results of an organization on which financial statements have already been issued, the internal auditor should inform management and the audit committee.

Page 109: Cia Part I June 2009

Reporting of fraud-continued

Responsibilities of the internal auditor

• A written report should be issued at the conclusion of the investigation phase. It should include findings, conclusions, recommendations, and corrective action taken.

• A draft should be submitted to legal counsel for review.

Page 110: Cia Part I June 2009

Summary