The practice of internal audit

Chapter 14
Internal auditing
Copyright © 2012 McGraw-Hill Australia Pty Ltd
PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett
Learning objectives
14.1 Understand the evolving nature of internal auditing.
14.2 Appreciate the professional standards developed for
internal auditing.
14.3 Understand what internal auditors do in practice.
14.4 Gain an appreciation of the issues that may face the
internal audit profession in the future.
14.5 Appreciate the approaches to assessing risk management,
control and governance processes.
Learning objective 14.1
The evolving nature of internal
auditing (IA)
• The traditional view of internal auditing is that it is
an independent appraisal function evaluating the
adequacy and effectiveness of other controls within
an organisation (controls orientation).
(Refer AUASB Glossary).
• This view is evolving in many organisations so that
internal audit is now seen as a service that
promotes understanding and provides confidence to
an organisation about risk exposures and control
strategies (risk orientation).
IIA definition of internal auditing
Definition of internal auditing on the Institute of
Internal Auditors (IIA) website www.theiia.org:
‘Internal auditing is an independent, objective
assurance and consulting activity designed to
add value and improve an organisation’s
operations. It helps an organisation accomplish
its objectives by bringing a systematic,
disciplined approach to evaluate and improve
the effectiveness of risk management, control
and governance processes.’
Institute of Internal Auditors (IIA)
• Professional organisation, representing more than
170 000 members in more than 165 countries.
• Aim is to represent, promote and develop
professional practice of internal auditing.
• First established in Australia in 1952.
Certified Internal Auditor (CIA)
The IIA professional recognition is its Certified Internal
Auditor (CIA) qualification.
• To be able to sit the CIA exam, a candidate must:
– be a member of IIA
– hold a bachelor’s degree or equivalent
– exhibit high moral and professional character
– complete 24 months of internal audit experience
– keep the contents of the exam confidential.
• The CIA examination covers:
– internal audit’s role in governance, risk and control
– conducting the internal audit engagement
– business analysis and information technology, and
– business management skills.
Learning objective 14.2
Current standards for internal auditor
(issued by IIA)
• The IIA is the global standard setter for internal auditing.
• The International Professional Practices Framework (IPPF) is issued by IIA.
• Purposes:
– delineate basic principles
– provide a framework for performing and promoting IA activities
– establish the basis for the measurement of IA performance
– foster improved organisational processes and operations.
International Professional Practices
Framework (IPPF)
Attribute and performance standards
The International IIA Standards consist of:
• Attribute standards (the 1000 Series):
– address characteristics of organisations and individuals performing IA activities.
• Performance standards (the 2000 Series):
– describe the nature of IA activities and provide criteria against which performance of these services can be measured.
Current attribute and performance
standards of the IIA
• Attribute standards:
– 1000 Purpose, authority, and responsibility
– 1100 Independence and objectivity
– 1200 Proficiency and due professional care
– 1300 Requirements of the quality assurance and improvement program
• Performance standards:
– 2000 Managing the internal audit activity
– 2100 Nature of work
– 2200 Engagement planning
– 2300 Performing the engagement
– 2400 Communicating results
– 2500 Monitoring process
– 2600 Resolution of senior management’s acceptance of risks
Internal audit charter
• Attribute standard 1000 outlines that the purpose,
authority and responsibility of the internal audit
activity should be formally defined and set out in an
internal audit charter.
• The internal audit charter should:
– establish IA’s position within the organisation
– establish access to records, personnel and physical properties relevant to the performance of engagements, and
– define the scope of internal audit activities.
• This charter should be approved by the board of
directors.
Independence and objectivity
(IIA standard 1100)
• Essential that IA is, and is seen to be, independent of the area being audited.
• IA department should report to board of directors or audit committee.
• Head of IA should have direct access to board of directors.
• Board should approve appointment or removal of head of IA.
• Management and Board should be aware of work schedules, staff requirements and budgets of IA department.
Independence and objectivity (cont.)
• Organisational independence is aided by:
– reporting to a level that allows IA to fulfill its responsibilities
– head of IA having direct access to the board
– the board concurring with appointment or removal of head of IA
– management and the board being kept informed.
• Individual objectivity is aided by:
– audit staff assignments should be made to prevent possible bias
– IAs immediately reporting any conflicts of interest
– staff assignments being periodically rotated
– IAs not assuming operating responsibilities
– persons should not audit those activities they previously carried out until a reasonable period of time has elapsed.
Proficiency and due professional care
• IIA Standard 1220 outlines that it is the internal
audit department’s responsibility to assign staff to
each audit who collectively possess the
knowledge, skills and other competencies needed
to conduct the audit.
• The audit planning process should include a
strategic audit plan and a tactical audit plan.
• In undertaking their planning, the auditor should
consider the audit universe, which is an inventory
of audit areas that is compiled and maintained to
identify areas for audit during the audit planning
process.
Performance standards
• Require IAs to plan each audit; collect, analyse, interpret and document information to support results; report results; and take appropriate follow up action.
• Should also be a periodic report to the board on IA’s purpose, authority, responsibility and performance relative to its plan. Require IA to consider:
– 2000: Management of the IA department
– 2100: Evolving nature of IA work
– 2200: Engagement planning
– 2300: Performing the engagement
– 2400: Communicating results
– 2500-2600: Monitoring progress and management’s acceptance of risks.
Learning objective 14.3
The practice of internal audit
• The responses to the 2011 PricewaterhouseCoopers survey of the current scope of IA work being undertaken in the US showed the most common practices (in order) were traditional IA practices:
– financial audit
– operational audit
– compliance audit
– IT audit
• While 92% of Western European CEOs expect to expand their businesses in Asia, the 2011 survey shows that most IA is only marginally involved in assessing risks associated with cross-border acquisitions, and new joint ventures and strategic alliances.
The practice of internal audit (cont.)
• Business risk assessment as a part of IA is slowly growing. The Leung, Cooper and Perera (2011) Australian survey found that IAs spend their time as follows:
– internal control evaluation (21%)
– management and operations audit (15%)
– systems assurance (10%)
– business strategic risk assessment (9%), and
– internal consultancy (8%).
• It was, however, notable that corporate governance, social and environmental issues did not rank highly as internal audit objectives.
Learning objective 14.4
The future of internal audit
Major issues confronting IA include:
• outsourcing of IA, especially to Big Four (Note that a client cannot outsource IA to their external auditor in the USA under the Sarbanes-Oxley Act)
• difficulty in changing profile of the IIA, so that members are seen to be more value adding than checking
• expectations gap between chief executive officers and internal audit managers
• development of specialised IA groups; e.g. quality and environmental auditors, and whether IIA can adequately cater for these groups.
Factors driving change
• Ability of IA to show that it adds value.
• Benchmarking of IA departments as a means of
assessing quality.
• Greater emphasis on corporate governance and
risk management in current environment and IA’s
increasing role in these areas:
– IA becoming more heavily involved in business strategic risk assessment
– but corporate governance and social and environmental issues still not ranking highly as IA objectives.
Expected future relationship with
external auditors
• As both groups of auditors move to the risk
analysis approach, greater co-ordination between
IA and EA can be expected.
• Co-ordination aided by recent developments in
corporate governance, with audit committee
playing key co-ordination role.
Learning objective 14.5
Approaches to assessing risk management,
control and governance processes
• IA assesses the effectiveness of risk management process by examining whether:
– an appropriate risk management framework exists;
– appropriate risk responses are selected by management and the board; and
– relevant risk information is communicated across the entity.
• IA focuses on how controls ensure:
– the effectiveness and efficiency of operations;
– the reliability and integrity of financial/operational information;
– the safeguarding of assets; and
– compliance with laws, regulations, and contracts.
• IA is a critical part of the corporate governance process.
Approaches to assessing
risk management, control and
governance processes
• IA is expected to use similar approaches to assessing risk management, control and governance processes to those used by EA in evaluating business risk.
• There are two major frameworks that are used in practice to guide this analysis:
– in Australia and New Zealand, the framework outlined under the standard AS/NZS ISO 31000 Risk Management, and
– internationally, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management (ERM) framework.
AS/NZS ISO 31000 Risk Management
• The emphasis in AS/NZS ISO 31000 is on business risk management.
• The main elements of the risk-management process are as follows:
– establishing the context
– identify risk
– analyse risk
– evaluate risk
– treat risks
– monitor and review
– record
• For each stage of the process adequate records should be kept, sufficient to satisfy independent audit.
COSO Enterprise Risk Management
(ERM) framework
• Another framework for assessing risk and quality control is the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management (ERM) framework.
• Enterprise risk management (ERM) is a process
designed to identify potential events that may affect
the entity, to manage risks within the entity’s risk
‘appetite’ and to provide reasonable assurance
regarding the achievement of the entity’s objectives.
• There is a direct relationship between the entity’s
objectives and the ERM components, which represent
what is required in order to achieve those objectives.
The relationship of objectives and
components of COSO ERM framework
Summary
• IA is a significant part of the auditing profession.
• The IIA has an important role to play in its
promotion and development.
• Performance standards for IA include the auditing
standards of the AUASB/IAASB (for CPA, ICAA,
IPA) and the International Standards of the IIA.
• IA has traditionally been an important part of the
monitoring mechanism of internal control, but it can
also be used to improve managerial performance.
• Today IA is increasingly being used to evaluate
and improve the effectiveness of risk management,
control and governance processes.