Rittenberg/Schwieger/Johnstone Auditing: A Business Risk Approach Sixth Edition Chapter 19 Internal Auditing and Outsourcing Copyright © 2008 Thomson South-Western, a part of the Thomson Corporation. Thomson, the Star logo, and South-Western are trademarks used herein under license. 1 Internal Auditing Internal auditing is an independent and objective assurance and consulting activity that is designed to add value to improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, discipline approach to evaluate and improve the effectiveness of risk management, control, and governance processes. 2 Internal Auditing (continued) Exists only because it adds value to the organization Must change as organizations change Proves objective assurance to top management and the board Reports problems, and also offers advice on needed improvements Encompasses all the important operations of an organization 3 Assurance & Consulting Activity Assurance services - objective services that improve the Quality of information about processes Effectiveness of controls Reliability of information Compliance with company, regulatory, or governmental procedures Effectiveness and efficiency of operations Consulting services: Advisory or partnering activities that add value and improve operations Both parties must agree on nature and scope of services Identifies problems and potential solutions Advisory; does not include decision making 4 Assurance & Consulting Activity (continued) Systematic and Disciplined Approach Internal auditing standards are designed to ensure objective, relevant, and sufficient evidence is gathered and evaluated Internal auditors identify risks, gather evidence, evaluate findings, and suggest improvements Elements of the systematic and disciplined approach: Defined audit objectives Risk analysis Audit work plan Defined audit procedures Use of technology Independent review of audit work Review of conclusions with management 5 Assurance & Consulting Activity (Continued) Corporate Governance, Risk Management, and Control Good governance requires organizations implement processes and controls designed to ensure Decisions are made at the appropriate level of the organization Processes comply with organization policies and government regulations Processes are efficient and effective Risks are identified and factored into decisions Controls are properly designed and implemented Effective whistle-blowing function is implemented 6 Review Internal Auditing & Corporate Governance Internal auditors should: Understand key governance issues, stakeholders, and accountability to those stakeholders Provide analysis to determine that top management understands risks and have processes in place to address such risks Ensure the organization has controls to address such risks, and that such controls are operating effectively Evaluate organization's processes for determining operating efficiency Determine that operations comply with organization policies as well as contracts, laws, and regulations Determine that an effective whistle-blowing function is in place 7 What is the internal audit charter? As the statement of the internal audit's role in an organization, the charter accomplishes two important objectives: Defines the scope of the internal audit activity including access to company records Defines the reporting relationships that exist between the audit activity and others within the organization such as audit committee members, senior management, and operating management Important issues that should be noted in the charter: Statement of the mission of the activity defined in terms of governance, risk, control, and operating efficiency Identification of audit accountabilities Defined responsibility to provide periodic reports Prohibition against performing operational tasks Identification of standards by which to judge performance of internal audit work 8 Internal Auditing & the Audit Committee Internal auditors assist the audit committee in a number of ways: Review the quality of internal controls over financial reporting Provide an independent viewpoint on major accounting issues Provide feedback on the efficiency of operations and compliance with company and regulatory policies Facilitate information flow to the audit committee Perform special projects or investigations as requested 9 Internal Auditing & the Audit Committee Monitor effectiveness of whistle-blowing activities Evaluate whether the company has met its reporting objectives Assess the "quality" of financial reporting Evaluate the effectiveness of risk management processes Provide independent assessments of risk Provide information to facilitate monitoring of key risks 10 Internal Audit Outsourcing Recent trend for companies to outsource their internal audit function to public accounting or other specialize firms This trend may slow as the SEC prohibits a CPA from providing both internal and external audit services for the same company Possible advantages of outsourcing internal audit function. Service provider may: Have greater expertise or specialized talents Be able to provide service at lower cost Have global presence and be able to provide service without language or cultural problems Provide greater flexibility in staffing and budgeting Possible disadvantages of outsourcing internal audit function: Employees may have greater knowledge of the company and its operations Loss of internal audit as a training ground to develop new managers 11 What is value-added internal auditing? Internal audit activities can be classified as: Risk analysis Organizations take risks to accomplish their objectives Organizations need processes to recognize risk and institute controls to minimize adverse outcomes Risk analysis examines whether processes are adequate to manage risks Information reliability Organizations need accurate, reliable, and timely information Information must also be protected Internal auditors perform periodic reviews of security and controls 12 What is value-added internal auditing? (continued) Control effectiveness Controls exist to address risks Internal auditors provide objective assessment as to whether Controls are adequate to manage risk Controls are operating effectively Operational effectiveness and efficiency Conformance with company policies and procedures Fraud investigations 13 What are operational audits? Evaluate organization's activities, systems, and controls Assess quality and efficiency of performance Identify opportunities and develop recommendations for improvement Criteria for evaluation of performance Past operations Best practices for similar operations Stated management objectives 14 Operational Audits Every operational audit follows the same ten-step process: 1. Understanding the operational area and management's interest in having the area audited 2. Develop background information about the audit area 3. Develop objective criteria regarding operational efficiency 4. Perform preliminary analysis of the audit area 5. Perform detailed risk analysis 6. Develop and analyze data that might indicate problems 7. Perform inquiry and testing to identify source of problems 8. Performed detailed tests of operating activities and controls 9. Summarize findings - prepare report and discuss with management 10. Develop mechanism to follow-up on recommendations 15 Operational Audits (continued) Detailed considerations: Establish criteria Objective criteria should be established prior to the audit Criteria should include both performance and control measures Perform preliminary risk analysis for all operational audit areas To determine whether organization has effective risk management process To identify important controls Perform analytical analysis To identify existence and source of potential operating problems Test controls and operations Every operational audit will have compliance testing component To determine whether operations follow company policies and meet company standards 16 Compliance Audits Performed to determine whether operations are being conducted in compliance with contracts, management's policies, or applicable laws and regulations Add value because they can Improve operational efficiency Provide assurance that organization is operating within applicable laws and regulations 17 Internal Auditing and Sarbanes-Oxley Internal auditors are an integral part of assisting organizations to implement provisions of the Sarbanes-Oxley Act Internal audit may assist in facilitating a control self-assessment by management assisting operating personnel understand controls and documentation 18 Internal Audit Standards Standards for the Professional Practice of Internal Auditing (IIA): Attribute Standards Purpose, Authority, and Responsibility Independence and Objectivity Proficiency and Due Professional Care Quality Assurance and Improvement Program Performance Standards Managing the Internal Audit Activity Nature of Work 19 Internal Audit Standards (continued) Performance Standards Engagement Planning Performing the Engagement Communicating Results Monitoring Progress Management's Acceptance of Risks Implementation Standards There may be multiple implementation standards derived from the concepts in the attribute and performance standards 20 What is the IIA Code of Ethics? Focuses on broad-based Principles and Rules of Conduct regarding: Integrity Objectivity Confidentiality Competence 21 Reporting Fraud The IIA's Code of Ethics makes it clear that an internal auditor should "Observe the law and make disclosures expected by the law and the profession" "Not knowingly be a party to any illegal activity, nor engage in acts that are discreditable to the profession of internal auditing or to the organization" 22 Reporting Fraud (continued) If an internal auditor uncovers evidence of fraud, the auditor should: Document the findings and include them in an audit report Report findings to the board of directors, the audit committee, and appropriate members of top management Consult with an attorney on actions appropriate to the particular case Consider the need for any additional action to disassociate from the fraud 23