Internal Auditing (continued)

advertisement
Rittenberg/Schwieger/Johnstone
Auditing: A Business Risk Approach
Sixth Edition
Chapter 19
Internal Auditing and
Outsourcing
Copyright © 2008 Thomson South-Western, a part of the Thomson Corporation. Thomson, the Star logo,
and South-Western are trademarks used herein under license.
1
Internal Auditing
Internal auditing is an independent and
objective assurance and consulting activity
that is designed to add value to improve
an organization's operations. It helps an
organization accomplish its objectives by
bringing a systematic, discipline approach
to evaluate and improve the effectiveness
of risk management, control, and
governance processes.
2
Internal Auditing
(continued)
Exists only because it adds value to the
organization
Must change as organizations change
Proves objective assurance to top
management and the board
Reports problems, and also offers advice
on needed improvements
Encompasses all the important operations
of an organization
3
Assurance & Consulting Activity
Assurance services - objective services that improve the
 Quality of information about processes
 Effectiveness of controls
 Reliability of information
 Compliance with company, regulatory, or governmental
procedures
 Effectiveness and efficiency of operations
Consulting services:
 Advisory or partnering activities that add value and improve
operations
 Both parties must agree on nature and scope of services
 Identifies problems and potential solutions
 Advisory; does not include decision making
4
Assurance & Consulting Activity
(continued)
Systematic and Disciplined Approach
Internal auditing standards are designed to ensure
objective, relevant, and sufficient evidence is
gathered and evaluated
Internal auditors identify risks, gather evidence,
evaluate findings, and suggest improvements
Elements of the systematic and disciplined approach:
Defined audit objectives
Risk analysis
Audit work plan
Defined audit procedures
Use of technology
Independent review of audit work
Review of conclusions with management
5
Assurance & Consulting Activity
(Continued)
Corporate Governance, Risk Management, and
Control
Good governance requires organizations implement
processes and controls designed to ensure
Decisions are made at the appropriate level of the
organization
Processes comply with organization policies and government
regulations
Processes are efficient and effective
Risks are identified and factored into decisions
Controls are properly designed and implemented
Effective whistle-blowing function is implemented
6
Review Internal Auditing &
Corporate Governance
Internal auditors should:
Understand key governance issues, stakeholders,
and accountability to those stakeholders
Provide analysis to determine that top management
understands risks and have processes in place to
address such risks
Ensure the organization has controls to address such
risks, and that such controls are operating effectively
Evaluate organization's processes for determining
operating efficiency
Determine that operations comply with organization
policies as well as contracts, laws, and regulations
Determine that an effective whistle-blowing function is
in place
7
What is the internal audit
charter?
As the statement of the internal audit's role in an
organization, the charter accomplishes two important
objectives:
 Defines the scope of the internal audit activity including access
to company records
 Defines the reporting relationships that exist between the audit
activity and others within the organization such as audit
committee members, senior management, and operating
management
Important issues that should be noted in the charter:
 Statement of the mission of the activity defined in terms of
governance, risk, control, and operating efficiency
 Identification of audit accountabilities
 Defined responsibility to provide periodic reports
 Prohibition against performing operational tasks
 Identification of standards by which to judge performance of
internal audit work
8
Internal Auditing & the Audit
Committee
Internal auditors assist the audit committee in a
number of ways:
Review the quality of internal controls over financial
reporting
Provide an independent viewpoint on major
accounting issues
Provide feedback on the efficiency of operations and
compliance with company and regulatory policies
Facilitate information flow to the audit committee
Perform special projects or investigations as
requested
9
Internal Auditing & the Audit
Committee
Monitor effectiveness of whistle-blowing
activities
Evaluate whether the company has met its
reporting objectives
Assess the "quality" of financial reporting
Evaluate the effectiveness of risk management
processes
Provide independent assessments of risk
Provide information to facilitate monitoring of key
risks
10
Internal Audit Outsourcing
Recent trend for companies to outsource their internal audit
function to public accounting or other specialize firms
This trend may slow as the SEC prohibits a CPA from
providing both internal and external audit services for the
same company
Possible advantages of outsourcing internal audit function.
Service provider may:
 Have greater expertise or specialized talents
 Be able to provide service at lower cost
 Have global presence and be able to provide service without language or
cultural problems
 Provide greater flexibility in staffing and budgeting
Possible disadvantages of outsourcing internal audit function:
 Employees may have greater knowledge of the company and its
operations
 Loss of internal audit as a training ground to develop new managers
11
What is value-added internal
auditing?
Internal audit activities can be classified as:
Risk analysis
Organizations take risks to accomplish their objectives
Organizations need processes to recognize risk and institute
controls to minimize adverse outcomes
Risk analysis examines whether processes are adequate to
manage risks
Information reliability
Organizations need accurate, reliable, and timely information
Information must also be protected
Internal auditors perform periodic reviews of security and
controls
12
What is value-added internal
auditing? (continued)
Control effectiveness
Controls exist to address risks
Internal auditors provide objective assessment as to
whether
Controls are adequate to manage risk
Controls are operating effectively
Operational effectiveness and efficiency
Conformance with company policies and
procedures
Fraud investigations
13
What are operational audits?
Evaluate organization's activities, systems,
and controls
Assess quality and efficiency of performance
Identify opportunities and develop
recommendations for improvement
Criteria for evaluation of performance
Past operations
Best practices for similar operations
Stated management objectives
14
Operational Audits
Every operational audit follows the same ten-step
process:
1. Understanding the operational area and management's interest
in having the area audited
2. Develop background information about the audit area
3. Develop objective criteria regarding operational efficiency
4. Perform preliminary analysis of the audit area
5. Perform detailed risk analysis
6. Develop and analyze data that might indicate problems
7. Perform inquiry and testing to identify source of problems
8. Performed detailed tests of operating activities and controls
9. Summarize findings - prepare report and discuss with
management
10. Develop mechanism to follow-up on recommendations
15
Operational Audits
(continued)
Detailed considerations: Establish criteria
 Objective criteria should be established prior to the audit
 Criteria should include both performance and control measures
Perform preliminary risk analysis for all operational audit
areas
 To determine whether organization has effective risk management
process
 To identify important controls
Perform analytical analysis
 To identify existence and source of potential operating problems
Test controls and operations
 Every operational audit will have compliance testing component
 To determine whether operations follow company policies and
meet company standards
16
Compliance Audits
Performed to determine whether operations are
being conducted in compliance with contracts,
management's policies, or applicable laws and
regulations
Add value because they can
Improve operational efficiency
Provide assurance that organization is operating
within applicable laws and regulations
17
Internal Auditing and
Sarbanes-Oxley
Internal auditors are an integral part of
assisting organizations to implement
provisions of the Sarbanes-Oxley Act
Internal audit may assist in facilitating a
control self-assessment by management
assisting operating personnel understand
controls and documentation
18
Internal Audit Standards
Standards for the Professional Practice of Internal
Auditing (IIA):
Attribute Standards
Purpose, Authority, and Responsibility
Independence and Objectivity
Proficiency and Due Professional Care
Quality Assurance and Improvement Program
Performance Standards
Managing the Internal Audit Activity
Nature of Work
19
Internal Audit Standards
(continued)
Performance Standards
Engagement Planning
Performing the Engagement
Communicating Results
Monitoring Progress
Management's Acceptance of Risks
Implementation Standards
There may be multiple implementation
standards derived from the concepts in the
attribute and performance standards
20
What is the IIA Code of Ethics?
Focuses on broad-based Principles
and Rules of Conduct regarding:
Integrity
Objectivity
Confidentiality
Competence
21
Reporting Fraud
The IIA's Code of Ethics makes it clear that
an internal auditor should
"Observe the law and make disclosures
expected by the law and the profession"
"Not knowingly be a party to any illegal
activity, nor engage in acts that are
discreditable to the profession of internal
auditing or to the organization"
22
Reporting Fraud
(continued)
If an internal auditor uncovers evidence of
fraud, the auditor should:
Document the findings and include them in
an audit report
Report findings to the board of directors, the
audit committee, and appropriate members of
top management
Consult with an attorney on actions
appropriate to the particular case
Consider the need for any additional
action to disassociate from the fraud
23
Download