Chapter 14 Internal auditing Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 14-1 Learning objective 1: The evolving nature of internal auditing (IA) • The traditional view of internal auditing is that it is an independent appraisal function evaluating the adequacy and effectiveness of other controls within an organisation (controls orientation). (Refer AUASB Glossary). • This view is evolving in many organisations so that internal audit is now seen as a service that promotes understanding and provides confidence to an organisation about risk exposures and control strategies (risk orientation). Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 14-2 IIA definition of internal auditing • ‘Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.’ – The definition of internal auditing contained on the Institute of Internal Auditors (IIA) website <http://www.theiia.org> Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 14-3 Institute of Internal Auditors (IIA) • Professional organisation, represented in > 165 countries. • Aim is to represent, promote and develop professional practice of internal auditing. • First established in Australia in 1952. Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 14-4 Certified Internal Auditor (CIA) • The IIA professional recognition is its Certified Internal Auditor (CIA) qualification. – – To be able to sit the CIA exam, a candidate must: Be a member of IIA Hold a Bachelor’s degree or equivalent Exhibit high moral and professional character Complete 24 months of internal audit experience Keep the contents of the exam confidential. The CIA examination covers: The internal audit activity’s role in governance, risk and control Conducting the internal audit engagement Business analysis and information technology; and Business management skills. Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 14-5 Learning objective 2: Current standards for internal auditor (issued by IIA) • The IIA is the global standard setter for internal auditing. • The International Professional Practices Framework (IPPF) is issued by IIA. • Purposes: – – – – Delineate basic principles Provide a framework for performing and promoting IA activities Establish the basis for the measurement of IA performance Foster improved organisational processes and operations. Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 14-6 International Professional Practices Framework (IPPF) Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 14-7 Attribute and performance standards The International IIA Standards consist of: • Attribute standards (the 1000 Series): – Address characteristics of organisations and individuals performing IA activities. • Performance standards (the 2000 Series): – Describe the nature of IA activities and provide criteria against which performance of these services can be measured. Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 14-8 Current attribute and performance standards of the IIA Attribute standards Performance standards 1000 Purpose, authority, and responsibility 2000 Managing the internal audit activity 1100 Independence and objectivity 2100 Nature of work 1200 Proficiency and due professional care 2200 Engagement planning 1300 Quality assurance and improvement 2300 Performing the engagement program 2400 Communicating results 2500 Monitoring process 2600 Resolution of senior management’s acceptance of risks Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 14-9 Internal audit charter • Attribute standard 1000 outlines that the purpose, authority and responsibility of the internal audit activity should be formally defined and set out in an internal audit charter. • The internal audit charter should: – – – Establish IA’s position within the organisation Establish access to records, personnel and physical properties relevant to the performance of engagements, and Define the scope of internal audit activities. • This charter should be approved by the board of directors. Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 14-10 Independence and objectivity (IIA standard 1100) • Essential that IA is, and is seen to be, independent • • • • of the area being audited. IA department should report to board of directors or audit committee. Head of IA should have direct access to board of directors. Board should approve appointment or removal of head of IA. Management and Board should be aware of work schedules, staff requirements and budgets of IA department. Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 14-11 Independence and objectivity (cont.) – Organisational independence is aided by: – Reporting to a level that allows IA to fulfill its responsibilities Head of IA having direct access to the board The board concurring with appointment or removal of head of IA Management and the board being kept informed. Individual objectivity is aided by: Audit staff assignments should be made to prevent possible bias IAs immediately reporting any conflicts of interest Staff assignments being periodically rotated IAs not assuming operating responsibilities Persons should not audit those activities they previously carried out until a reasonable period of time has elapsed. Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 14-12 Proficiency and due professional care • IIA Standard 1220 outlines that it is the internal audit department’s responsibility to assign staff to each audit who collectively possess the knowledge, skills and other competencies needed to conduct the audit. • The audit planning process should include a strategic audit plan and a tactical audit plan. • In undertaking their planning, the auditor should consider the audit universe, which is an inventory of audit areas that is compiled and maintained to identify areas for audit during the audit planning process. Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 14-13 Performance standards • Require IAs to plan each audit; collect, analyse, interpret and document information to support results; report results; and take appropriate follow up action. • Should also be a periodic report to the board on IA’s purpose, authority, responsibility and performance relative to its plan. Require IA to consider: – – – – – – 2000: Management of the IA department 2100: Evolving nature of IA work 2200: Engagement planning 2300: Performing the engagement 2400: Communicating results 2500- 2600: Monitoring progress and management’s acceptance of risks. Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 14-14 Learning objective 3: The practice of internal audit • The responses to the 2009 PricewaterhouseCoopers survey of the current scope of IA work being undertaken in the US, showed the most common practices (in order) were traditional IA practices: – – – – Financial audit Operational audit Compliance audit IT audit • Fraud was not specifically addressed in the 2009 survey. Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 14-15 Learning objective 4: The future of internal audit • Major issues confronting IA include: – Outsourcing of IA, especially to Big Four (Note that a client cannot outsource IA to their external auditor in the USA under the Sarbanes-Oxley Act) – Difficulty in changing profile of the IIA, so that members are seen to be more value adding than checking – Expectations gap between chief executive officers and internal audit managers – Development of specialised IA groups; e.g. quality and environmental auditors, and whether IIA can adequately cater for these groups. Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 14-16 Factors driving change • Ability of IA to show that it adds value. • Benchmarking of IA departments as a means of assessing quality. • Greater emphasis on corporate governance and risk management in current environment, and IA’s increasing role in these areas. Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 14-17 Risk-related tasks of importance to IAs • Provide advice about risk exposures and their • • • • • management Raise awareness about risk exposures Contribute to the improvement of risk management systems Provide ongoing assurance about the efficiency and effectiveness of risk-management systems Focus on those risk exposures associated with the achievement of an organisation’s objectives The services provided by IA will be related to the management of risk exposures – Refer Exhibit 14.3 (p. 707) Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 14-18 Control-related tasks of importance to IAs • Provide advice about control strategies, structures and systems • Raise awareness about risk exposures and related controls • Contribute to improvement of control systems • Provide assurance about efficiency and effectiveness of control strategies, structures and systems • Contribute enhanced understandings of different types of control that can be used in organisations • Focus on control as a facet of risk management • The services provided by IA will be distinctly related to management of risk exposures – Refer Exhibit 14.4 (p. 708) Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 14-19 Expected future relationship with external auditors • As both groups of auditors move to the risk analysis approach, greater co-ordination between IA and EA can be expected. • Co-ordination aided by recent developments in corporate governance, with audit committee playing key co-ordination role. Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 14-20 Learning objective 5: Approaches to assessing risk management, control and governance processes • IA is expected to use similar approaches to assessing risk management, control and governance processes to those used by EA in evaluating business risk. • There are two major frameworks that are used in practice to guide this analysis: – In Australia and New Zealand, the framework outlined under the standard AS/NZS 4360 Risk Management, and – Internationally, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management (ERM) framework. Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 14-21 AS/NZS 4360 Risk Management • The emphasis in AS/NZS 4360 is on business risk management. • The main elements of the risk-management process are as follows: – – – – – – – Establishing the context Identity risk Analyse risk Evaluate risk Treat risks Monitor and review Communicate and consult. • For each stage of the process adequate records should be kept, sufficient to satisfy independent audit. Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 14-22 COSO Enterprise Risk Management (ERM) framework • Another framework that is gaining acceptance for assessing risk and quality control in organisations is the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management (ERM) framework. • Enterprise risk management (ERM) is a process designed to identify potential events that may affect the entity, to manage risks within the entity’s risk ‘appetite’ and to provide reasonable assurance regarding the achievement of the entity’s objectives. • There is a direct relationship between the entity’s objectives and the ERM components, which represent what is required in order to achieve those objectives. Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 14-23 The relationship of objectives and components of COSO ERM framework Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 14-24