I composed this presentation to prepare candidates for the Certified Internal Auditor's Part I examination. During the training we use other study aids as well.
Part I: Internal Audit's Role in Governance, Risk & Control
CIA exam review course
Prepared by Jack Davidsz, www.mas-online.nl
Part I: Internal Audit's Role in Governance, Risk, and Control (Gleim, 13th edition)
1. Standards and Proficiency
2. Charter, Independence, & Objectivity
3. Internal Audit Roles I
4. Internal Audit Roles II
5. Control I
6. Control II
7. Planning & Supervising the Engagement
8. Managing the Internal Audit Activity I
9. Managing the Internal Audit Activity II
10. Engagement Procedures, Ethics and Fraud
Internal Auditing is a management-oriented discipline
Evolved from a function concerned with financial and accounting matters to one that addresses the entire range of operating activities.
• Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.
• It helps an organization accomplish its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s risk management, control, and governance processes.
IIA Board of Directors, June 1999.
Attribute Standards
1000 Purpose, Authority and Responsibility
1100 Independence and Objectivity
1200 Proficiency and Due Professional Care
1300 Quality Assurance and Improvement Program
Performance Standards
2000 Managing the Internal Audit Activity
2100 Nature of Work
2200 Engagement Planning
2300 Performing the Engagement
2400 Communicating Results
2500 Monitoring Progress
2600 Management’s Acceptance of Risk
Consulting Services
Advisory and related client service activities, the nature and scope of which are agreed upon with the client and which are intended to add value and improve an organization’s operations.
Assurance Services > 1 year
Formal consulting engagement
Independence and objectivity are strengthened by
• Assigning different auditors
• Independent management and supervision
• Separate accountability for the projects
• Disclosing the presumed impairment
Obtaining Services to Support or complement the Internal Audit Activity
CAE should assess the competency, independence and objectivity of the outside service provider.
When the outside service provider performs Internal Auditing activities the CAE should specify and ensure that the work complies with the SPPIA.
Due Professional Care
Expected of a reasonably prudent and competent internal auditor, who should be alert to the possibility of intentional wrongdoing, errors and omissions, inefficiency, waste, ineffectiveness, and conflicts of interest.
Due care implies
Reasonable care and competence, not infallibility or extraordinary performance.
Charter:
• Mission and Scope of work
• Accountability
• Independence
• Responsibility
• Authority
Chief Audit Executive Reporting Lines
Functional: directly to the Audit Committee or equivalent, to ensure independence and communication.
Administrative: to the CEO or another executive, to afford support in accomplishing day-to-day activities.
The comprehensive scope of work of internal auditing should provide reasonable assurance that management's
• Risk management system is effective
• System of internal control is effective and efficient
• Governance process is effective
Primary objectives of the overall management process
• Relevant, reliable and credible information
• Effective and efficient use of resources
• Safeguarding of assets
• Identification of risk exposures
• Objectives and goals for operations and programs
• Compliance with laws, regulations, ethical and business norms, and contracts.
Governance
Processes and structures implemented by the board to inform, direct, manage and monitor activities toward achievement of objectives (Glossary)
Ethical Culture
• Nature of the governance process
• Link to ethical culture
• Everyone an ethics advocate
• Enhanced ethical culture
(PA 2130-1)
Governance
Meeting the following responsibilities
• Complying with society’s legal and regulatory rules
• Satisfying the generally accepted business norms, ethical precepts
• Providing overall benefits to society
• Reporting fully and truthfully
Internal auditor should take an active role in support of the organization’s ethical culture.
Monitoring Progress
A system to monitor the disposition of results communicated to management
Follow up
Effective corrective action taken
Board/management has assumed the risk of not taking action
Compliance
• Compliance programs
• Compliance standards and procedures
• Specific high-level personnel
• Screening employees
• Communication of standards and procedures
• Systems for detecting illegality
• Adequate and case-specific discipline
• Documentation
• Appropriate response after detection
Compliance programs
Assist in preventing inadvertent employee violations, detecting illegal activities and discouraging intentional employee violations.
Help prove insurance claims, determine director liability, create or enhance corporate identity, and decide the appropriateness of punitive damages.
Compliance
There should be a monitoring and auditing system to detect criminal conduct and a reporting system whereby employees can report criminal conduct by others without fear of retribution.
CAE should obtain an understanding of management’s and board’s expectations of the internal audit activity in the organization’s risk management process.
Internal auditors can facilitate or enable risk management processes, but they should not “own” or be responsible for the management of the risks identified.
Depending on the size and complexity of the organization's business activities, risk management processes can be
• Formal ↔ informal
• Quantitative ↔ subjective
• Business unit ↔ at corporate level
The internal audit activity's role can change over time
• No role
• Auditing the risk management process
• Active, continuous support and involvement
• Managing and coordinating
Environment, health and safety risks
CAE environmental audit chief
EH&S audit program
• Compliance - focused
• Management system –focused
• Combination
5 Key objectives of a risk management process
1. Risks arising from business strategies and activities are identified and prioritized
2. Management and board have determined the level of risks acceptable to the organization
3. Risk mitigation activities are designed and implemented
4. Monitoring activities to reassess risk and effectiveness of controls
5. Reports of the results of the risk management processes
Internal auditors should evaluate the organization’s readiness to deal with business interruptions.
The organization should be able to prove its best efforts to collect information with regard to an incident and its appropriate action.
Disaster recovery plan
Internal auditors can
• Assist with the risk analysis
• Evaluate the design and comprehensiveness of the plan
• Perform periodic assurance engagements
Internal auditors should periodically assess information security practices and recommend, as appropriate, enhancements to, or implementation of new controls and safeguards.
Privacy
• Laws require privacy controls
• Personal information identifies a specific individual
• The auditor must comply with all laws
• Access to or use of personal information may be inappropriate or illegal in certain engagements
Control
Any action taken by management to enhance the likelihood that established objectives and goals will be achieved
• Preventive
• Detective
• Directive
• Mitigating
The CAE reports on the state of the organization’s control processes to senior management and the audit committee.
Challenge for IAA
Evaluation of the effectiveness of the system of controls, based on many individual assessments
Three key considerations
• Significant discrepancies?
• Corrections or improvements?
• Pervasive condition → unacceptable risk?
CSA
Objectives:
• Identifying risks
• Assessing control processes
• Developing action plans
• Determining likelihood of achieving business objectives
Three primary forms of CSA
• Facilitated team workshops, representing different levels in the business unit
• Survey form utilizes a questionnaire
• Management-produced analyses cover most other approaches
A CSA program should focus internal audit's work on reviewing high-risk processes and unusual situations.
Quarterly Financial Reporting
Disclosures
Management Certifications
Sarbanes – Oxley Act
The executive officer(s) and financial officer(s) certify in each quarterly and annual report
• True and fair presentation
• Disclosure controls and procedures
The same officers disclose to the external auditors and to the audit committee
• All significant deficiencies in internal controls
• Any fraud
• Significant changes in internal controls
Recommended Actions
1. Internal auditor’s role from initial designer to independent assessor
2. Clearly defined role and responsibilities
3. Organization’s formal policy and procedures
4. Disclosure committee
Recommended Actions- continued
5. Periodically review and evaluation of quarterly reporting and disclosure processes
6. Recommendation of best practices
7. Comparison of processes for complying regarding quarterly financial reporting & disclosures and management's annual assessment & public report on internal controls
Systems approach to control
Input Process Output
Feedback
Feed forward
System boundary
Classification of controls
• Feedback
• Concurrent
• Feed forward
Characteristics of an effective control system
• Economical
• Meaningful
• Appropriate
• Congruent
• Timely
• Simple
• Operational
Internal Control (COSO)
A process, effected by an entity’s Board of Directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Internal Control - continued
• Effectiveness and efficiency of operations;
• Reliability of financial reporting;
• Compliance with applicable laws and regulations;
• Safeguarding of assets against unauthorized acquisition, use or disposition.
Components of the Internal Control System
• Control Environment (CE)
• Risk Assessment (RA)
• Control Activities (CA)
• Information and Communication (IC)
• Monitoring (MO)
Enterprise Risk Management
• Process ..
• Applied in strategy setting and across..
• Designed to identify potential events..
• Manage risks..
• To provide reasonable assurance..
• Achievement of entity objectives
CoCo (Criteria of Control Board of CICA): 20 criteria grouped into the following 4 components
• Purpose
• Commitment
• Capability
• Monitoring and Learning
COSO and CoCo models emphasize soft controls e.g.
CoCo : ethical values, mutual trust
COSO : part of the control environment
Organization
The way individual work efforts within an entity are assigned and integrated for achievement of objectives and goals.
Organizational Control
The means of achieving the most effective possible use of organizational arrangements
Means of control (Sawyer)
• Organization
• Policies
• Procedures
• Personnel
• Accounting
• Budgeting
• Reporting
No control system is so perfect that it can function without outside review.
Resistance to organizational changes may be overcome by a participative management.
Organizational structure
• Authority: right to direct and exact performance from others
• Responsibility: obligation to perform
• Accountability: duty to account for the fulfillment of the responsibility
Leadership = directing process
Process of influencing people so they will strive toward the achievement of group goals.
Styles of leadership
• Autocratic
• Consultative
• Participative
• Free-rein = laissez faire
• Bureaucratic
Two behavior patterns
1. Initiating structure
2. Initiating consideration
Contingency approach
The right person at the right time may rise to a position of leadership if his personality and needs of the situation complement each other.
Situational leadership theory
The appropriate leadership style depends on the followers' maturity (= willingness to be responsible for directing their own behavior).
Influence
An attempt to change the behavior of others e.g. consultation, persuasion, inspirational appeals.
Conflict may be constructive or destructive
Communication, structure and personal variables are conditions that may result in conflict.
Conflict may result in better decision making, a reduction in complacency, more self-criticism, greater creativity, and solutions to problems.
Conflicts may be solved e.g. as follows:
• Problem solving
• Smoothing
• Forcing
• Subordinate goals
• Compromise
• Avoidance
4 Phases of an audit engagement
1. Planning
2. Performing the engagement
3. Communicating results
4. Monitoring progress
Engagement Planning
Engagement objectives should reflect the results of the risk assessment.
Engagement procedures are the means to attain engagement objectives
Taken together they define the scope of the internal auditor’s work
Background information
Engagement Planning- continued
Engagement resource allocation
Communicating with all who need to know about the audit
Determining how, when and to whom audit results will be communicated
Survey to become familiar with the activities, risks and controls, to identify areas for audit emphasis.
Engagement Work Program
Directions for the examination and evaluation of the information needed to meet audit objectives within the scope of the audit engagement.
• Engagement work program should be approved in writing by the CAE prior to the commencement of engagement work.
• Engagements should be properly supervised to ensure objectives are achieved, quality is assured and staff is developed. Appropriate evidence of supervision should be documented and retained.
• Working papers should be reviewed to ensure that they properly support the engagement communications.
Planning for the IAA involves establishing
• Goals
• Engagement work schedules
• Staffing plans and financial budgets
• Activity reports
The IAA’s plan should be based on a risk assessment, undertaken at least annually.
The CAE should report periodically to the board and senior management on the IAA’s purpose, authority, responsibility, and performance relative to its plan.
Audit Committee Functions
• Select an external auditor and review the audit fee
• Review the external auditor's overall audit plan
• Review preliminary annual and interim financial statements
• Review results of engagements performed by external auditors, including the management letter.
• Approve the charter of the IAA
Audit Committee Functions-continued
• Review and approve the IAA’s plans and resource requirements
• Directly communicate with the CAE
• Review evaluations of risk management, control and governance processes reported by the internal auditors
• Ensure that engagement results are given due consideration
SOX requirements
Audit committee
• Consists of independent members of the board of directors
• Includes at least one financial expert
• Is responsible for appointing, compensating and overseeing the work of the public accounting firm. The audit firm must report directly to the audit committee
• Should implement procedures regarding complaints about accounting and auditing matters
• Must be appropriately funded by the issuer
IIA standards require internal auditors to “share information and coordinate activities with other internal and external providers of relevant assurance and consulting services”.
For that reason it is advisable for internal auditors to have some role or involvement in the selection or retention of the external auditors and in the definition of scope of work.
Coordination of audit efforts involves periodic meetings regarding
• Audit coverage
• Access to each other’s audit programs and working papers
• Exchange of audit reports and management letter
• Common understanding of audit techniques, methods and terminology
A board or audit committee approved policy can facilitate the periodic request for external audit services and position such exercises as normal business activities.
Quality Assurance and Improvement Program covers all aspects of the IAA and continuously monitors its effectiveness.
It should help the IAA add value and improve the organization's operations, and provide assurance that the IAA is in conformity with the Standards and the Code of Ethics.
Internal Assessments
• Ongoing Reviews
• Periodic Reviews
Establishing measures to support reviews of Internal Audit Activity performance
Balanced Scorecard Framework for Internal Auditing Departments (page 354)
External Assessments
Should be conducted at least once every five years by a qualified independent reviewer from outside the organization
A reviewer should
• Be a competent certified audit professional, who possesses current knowledge of the Standards
• Be well versed in the best practices of the profession
• Have at least three years of recent experience in the practice of internal auditing
Benchmarking
Entails analysis and measurement of key output against those of the best organizations.
Own process performance versus performance by the best in the class.
Audit procedures
Internal auditors apply engagement (audit) procedures to obtain sufficient, competent, relevant and useful information to achieve the engagement’s objectives.
Sawyer’s six categories of procedures
1. Observing
2. Questioning
3. Analysis
4. Verifying
5. Investigating
6. Evaluating
In financial audits internal auditors must develop and use engagement procedures to test assertions made by information, e.g. in the annual accounts.
Assertion model from AICPA
• Completeness
• Rights and Obligations
• Valuation or Allocation
• Existence or Occurrence
• Statement Presentation and Disclosure
Financial statements (FS)
Underlying accounting data
Corroborating information
Economic transactions
Audit evidence in financial audits
Completeness test
Existence test
Code of Ethics
• Principles
• Rules of Conduct
The Rules of Conduct
HOW ?
1. Integrity
2. Objectivity
3. Confidentiality
4. Competency
1. Integrity
• Work with honesty, diligence and responsibility
• Observe the law and make disclosures
• Be not a party to any illegal activity
• Respect the ethical objectives of the organization
2. Objectivity
• Do not participate in any activity that may impair unbiased assessment
• Do not accept anything that may impair professional judgment
• Disclose all material facts
3. Confidentiality
• Be prudent in the use and protection of information
• Do not use information for any personal gain
4. Competency
• Knowledge, skills, and experience
• Perform in accordance with the Standards
• Continually improve services
Fraud
Encompasses an array of irregularities and illegal acts characterized by intentional deception. It can be perpetrated for the benefit of or to the detriment of the organization, and by persons outside as well as inside the organization.
Fraud
• Deterrence
• Detection
• Investigation
• Reporting
Deterrence of fraud
Internal auditors are responsible for assisting in the deterrence of fraud by examining and evaluating the adequacy and the effectiveness of control, commensurate with the extent of the potential exposure/risk in the various segments of the entity’s operations.
Detection of fraud
Responsibilities of the internal auditor
• Have sufficient knowledge of fraud to be able to identify indicators
• Be alert to opportunities, such as control weaknesses
• Evaluate the indicators that fraud might have been committed
• Notify the appropriate authorities within the organization if there are sufficient indicators to recommend an investigation.
Investigation of fraud
Responsibilities of the internal auditor
• Assess the probable level and the extent of complicity in the fraud within the organization
• Determine the knowledge, skills and disciplines needed to effectively carry out the investigation
• Design procedures to follow in attempting to identify the perpetrators, extent of fraud, techniques used and cause of the fraud
• Coordinate activities with management personnel, legal counsel and other specialists
• Be cognizant of the rights of alleged perpetrators and personnel.
Reporting of fraud
Responsibilities of the internal auditor
• A preliminary or final report may be desirable at the conclusion of the detection phase
• When the incidence of significant fraud has been established, management or the board should be notified immediately
• If fraud has had a materially adverse effect on the financial position and results of an organization on which financial statements have already been issued, the internal auditor should inform management and the audit committee.
Reporting of fraud-continued
Responsibilities of the internal auditor
• A written report should be issued at the conclusion of the investigation phase. It should include findings, conclusions, recommendations, and corrective action taken.
• A draft should be submitted to legal counsel for review.
Resumé