Chapter 14 Internal auditing 14-1 Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay

Chapter 14

Internal auditing

14-1Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger SimnettSlides prepared by Roger Simnett

Learning objective 1: The evolving nature of internal

auditing (IA)

• The traditional view of internal auditing is that it is an independent appraisal function evaluating the adequacy and effectiveness of other controls within an organisation (controls orientation). (Refer AUASB Glossary).

• This view is evolving in many organisations so that internal audit is now seen as a service that promotes understanding and provides confidence to an organisation about risk exposures and control strategies (risk orientation).


IIA definition of internal auditing

• ‘Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.’

– The definition of internal auditing contained on the Institute of Internal Auditors (IIA) website <http://www.theiia.org>


Institute of Internal Auditors (IIA)

• Professional organisation, represented in > 165 countries.

• Aim is to represent, promote and develop professional practice of internal auditing.

• First established in Australia in 1952.


Certified Internal Auditor (CIA)• The IIA professional recognition is its Certified

Internal Auditor (CIA) qualification.– To be able to sit the CIA exam, a candidate must:

Be a member of IIA Hold a Bachelor’s degree or equivalent Exhibit high moral and professional character Complete 24 months of internal audit experience Keep the contents of the exam confidential.

– The CIA examination covers: The internal audit activity’s role in governance, risk and

control Conducting the internal audit engagement Business analysis and information technology; and Business management skills.


Learning objective 2:Current standards for internal auditor

(issued by IIA)

• The IIA is the global standard setter for internal auditing.

• The International Professional Practices Framework (IPPF) is issued by IIA.

• Purposes:– Delineate basic principles– Provide a framework for performing and promoting IA

activities– Establish the basis for the measurement of IA performance– Foster improved organisational processes and operations.


International Professional Practices Framework (IPPF)


Attribute and performance standards

The International IIA Standards consist of:• Attribute standards (the 1000 Series):

– Address characteristics of organisations and individuals performing IA activities.

• Performance standards (the 2000 Series):– Describe the nature of IA activities and provide

criteria against which performance of these services can be measured.


Current attribute and performance standards of the IIA

Attribute standards Performance standards

1000 Purpose, authority, and responsibility 2000 Managing the internal audit activity

1100 Independence and objectivity 2100 Nature of work

1200 Proficiency and due professional

care

2200 Engagement planning

1300 Quality assurance and improvement

program

2300 Performing the engagement

2400 Communicating results

2500 Monitoring process

2600 Resolution of senior management’s acceptance of risks


Internal audit charter• Attribute standard 1000 outlines that the purpose,

authority and responsibility of the internal audit activity should be formally defined and set out in an internal audit charter.

• The internal audit charter should:– Establish IA’s position within the organisation– Establish access to records, personnel and physical

properties relevant to the performance of engagements, and

– Define the scope of internal audit activities.

• This charter should be approved by the board of directors.


Independence and objectivity(IIA standard 1100)

• Essential that IA is, and is seen to be, independent of the area being audited.

• IA department should report to board of directors or audit committee.

• Head of IA should have direct access to board of directors.

• Board should approve appointment or removal of head of IA.

• Management and Board should be aware of work schedules, staff requirements and budgets of IA department.


Independence and objectivity (cont.)

– Organisational independence is aided by: Reporting to a level that allows IA to fulfill its responsibilities Head of IA having direct access to the board The board concurring with appointment or removal of head of

IA Management and the board being kept informed.

– Individual objectivity is aided by: Audit staff assignments should be made to prevent possible

bias IAs immediately reporting any conflicts of interest Staff assignments being periodically rotated IAs not assuming operating responsibilities Persons should not audit those activities they previously

carried out until a reasonable period of time has elapsed.


Proficiency and due professional care• IIA Standard 1220 outlines that it is the internal audit

department’s responsibility to assign staff to each audit who collectively possess the knowledge, skills and other competencies needed to conduct the audit.

• The audit planning process should include a strategic audit plan and a tactical audit plan.

• In undertaking their planning, the auditor should consider the audit universe, which is an inventory of audit areas that is compiled and maintained to identify areas for audit during the audit planning process.


Performance standards• Require IAs to plan each audit; collect, analyse,

interpret and document information to support results; report results; and take appropriate follow up action.

• Should also be a periodic report to the board on IA’s purpose, authority, responsibility and performance relative to its plan. Require IA to consider:

– 2000: Management of the IA department– 2100: Evolving nature of IA work– 2200: Engagement planning– 2300: Performing the engagement– 2400: Communicating results– 2500- 2600: Monitoring progress and management’s

acceptance of risks.


Learning objective 3: The practice of internal audit

• The responses to the 2009 PricewaterhouseCoopers survey of the current scope of IA work being undertaken in the US, showed the most common practices (in order) were traditional IA practices:

– Financial audit– Operational audit– Compliance audit– IT audit

• Fraud was not specifically addressed in the 2009 survey.


Learning objective 4: The future of internal audit

• Major issues confronting IA include:– Outsourcing of IA, especially to Big Four (Note that a

client cannot outsource IA to their external auditor in the USA under the Sarbanes-Oxley Act)

– Difficulty in changing profile of the IIA, so that members are seen to be more value adding than checking

– Expectations gap between chief executive officers and internal audit managers

– Development of specialised IA groups; e.g. quality and environmental auditors, and whether IIA can adequately cater for these groups.


Factors driving change

• Ability of IA to show that it adds value.

• Benchmarking of IA departments as a means of assessing quality.

• Greater emphasis on corporate governance and risk management in current environment, and IA’s increasing role in these areas.


Risk-related tasks of importance to IAs

• Provide advice about risk exposures and their management

• Raise awareness about risk exposures

• Contribute to the improvement of risk management systems

• Provide ongoing assurance about the efficiency and effectiveness of risk-management systems

• Focus on those risk exposures associated with the achievement of an organisation’s objectives

• The services provided by IA will be related to the management of risk exposures

– Refer Exhibit 14.3 (p. 707)


Control-related tasks of importance to IAs

• Provide advice about control strategies, structures and systems

• Raise awareness about risk exposures and related controls

• Contribute to improvement of control systems

• Provide assurance about efficiency and effectiveness of control strategies, structures and systems

• Contribute enhanced understandings of different types of control that can be used in organisations

• Focus on control as a facet of risk management

• The services provided by IA will be distinctly related to management of risk exposures

– Refer Exhibit 14.4 (p. 708)


Expected future relationship with external auditors

• As both groups of auditors move to the risk analysis approach, greater co-ordination between IA and EA can be expected.

• Co-ordination aided by recent developments in corporate governance, with audit committee playing key co-ordination role.


Learning objective 5: Approaches to assessing risk management,

control and governance processes

14-21

• IA is expected to use similar approaches to assessing risk management, control and governance processes to those used by EA in evaluating business risk.

• There are two major frameworks that are used in practice to guide this analysis:– In Australia and New Zealand, the framework outlined

under the standard AS/NZS 4360 Risk Management, and

– Internationally, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management (ERM) framework.

Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger SimnettSlides prepared by Roger Simnett

AS/NZS 4360 Risk Management

14-22

• The emphasis in AS/NZS 4360 is on business risk management.

• The main elements of the risk-management process are as follows:

– Establishing the context– Identity risk– Analyse risk– Evaluate risk– Treat risks– Monitor and review– Communicate and consult.

• For each stage of the process adequate records should be kept, sufficient to satisfy independent audit.


COSO Enterprise Risk Management (ERM) framework

14-23

• Another framework that is gaining acceptance for assessing risk and quality control in organisations is the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management (ERM) framework.

• Enterprise risk management (ERM) is a process designed to identify potential events that may affect the entity, to manage risks within the entity’s risk ‘appetite’ and to provide reasonable assurance regarding the achievement of the entity’s objectives.

• There is a direct relationship between the entity’s objectives and the ERM components, which represent what is required in order to achieve those objectives.


The relationship of objectives and components of COSO ERM framework


Documents

Chapter 14 Internal auditing 14-1 Copyright 2010 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay