Deloitte’s internal audit professionals can help provide organizations with a greater level of assurance, as well as insights and recommendations on business strategy execution and redeploying valuable resources toward achieving strategic goals and objectives.

Results include benchmarking statistics, recommendations and suggestions for improvement – leading to an improved and more effective internal audit function with an enhanced image within your organisation.

Developing strong board and management processes to enable effective governance; Guiding management to develop a clear "tone from the top"; Measuring and monitoring your control culture; Ensuring your processes incorporate expected levels of key controls; Documenting your process flows and controls needed to support US SOX, C-SOX and

any other relevant regulations; Using IT to provide 24/7 review of key processes to identify issues (i.e. continuous

monitoring); Developing monitoring systems to ensure your controls work to support local governance

and reporting needs; and Delivering internal controls training to management and staff.

Internal auditing can provide managers and the Board withvaluable assistance by giving objective assurance abouttheir organization‟s governance, risk management andcontrol processes. Establishing a robust internal auditfunction is a long-term and worthwhile investment for mostorganizations because an internal audit department can actas an independent advisor for the Board and seniormanagement. Where an organization has not established aninternal audit department, the identification of the benefitsand role(s) internal audit could play should be the initialstep. Where an internal audit function has been inoperation, a review of its recent performance to identifyimprovement opportunities is recommended.

Internal auditing provides opportunities for companiesto improve based on independent analysis and advice.Internal audit also helps the Board and senior managementto monitor the organization. To preserve the integrity andThe bottom line: it is time for executives to lead, managersto manage, boards to govern, and auditors to provideassurances to the Board and management that things are aspeople say they are. Your next audit planning effort shouldmake this clear – to everyone.

1: Introduction to Internal Audit48independence of audits, auditors maintain a delicate balancebetween offering advice (mainly consulting services) andproviding opinions about a process, system, accountbalance, or other subject matter (assurance services).

Internal auditing provides unbiased information tomanagement and the Board to help them make betterdecisions. Internal-audit conclusions and recommendationsare based primarily on independently gathered evidence andknowledge.

Audits exist to assess how well a business unit meets theperformance goals of the organization, as dictated by theCEO, CFO (chief financial officer), board, investors andothers. Accordingly, management‟s goal is to demonstratehow well operations, controls and results meet the needs ofthe business.

Auditors exist to provide the Board and senior managementwith an objective, independent assessment of a businessunit or program (such as information security), includingwhat they see as key opportunities for improvement.

53CHAPTER 2: THE PROFESSIONAL PRACTICE OFINTERNAL AUDITQuality is never an accident; it is always the result of highintention, sincere effort, intelligent direction, and skillfulexecution; it presents the wise choice of many alternatives.William A Foster20 questions for directors to ask internal auditorsThe internal audit department‟s unique position within acompany provides management and audit committeemembers with valuable assistance, by giving objectiveassurance on governance, risk management and controlprocesses. Audit committees, of course, are responsible forproviding oversight to the internal audit efforts within theorganization – so how audit committees work with theirinternal audit staff is crucial to the success of the entireinternal audit operation.

As one of the cornerstones of corporate governance (alongwith the Board of Directors, senior management andexternal auditing), internal auditing can provide strategic,operational and tactical value to an organization‟soperations. For example, internal auditing is:A resource to the Board and management for helping toensure the entire organization has the resources, systems,and processes for operating an efficient and effectiveorganization.An assurance service for management and the Board thatconfirms adequate controls are in place. By ensuring thatqualified professional reviews and tests are performed,2: The Professional Practice of Internal Audit54the Board and management can advance their goals ofoverseeing the organization‟s operations and helping toensure continuous improvement and success.An independent validation that the organization‟s effortsare proactive and effective against current and emergingthreats.

A high-quality internal audit function meets or exceedsstakeholder expectations, while ensuring that value is addedto the organization. The most critical factor in achievinginternal audit quality is the auditor‟s competency andproficiency in evaluating the organization‟s riskmanagement, control and governance processes. Eachinternal audit department should have a program, not onlyto ensure top quality internal audit reports, investigations,consulting and other services, but it should also have a wayto effect continuous improvement in its service tostakeholders.

Serving as an enterprise consultant is an expanded and important role for manyinternal auditors. Internal consulting may not fit in all internal audit functions

As mentioned throughout this volume, the purpose of an internal audit is to assistmanagement by providing analysis, information, and recommendations for theimprovement of controls and operations. Internal controls may be evaluated for:

Compliance with policies and procedures, rules, and regulations_ Reliability and integrity of financial and operational information_ Effectiveness and efficiency of operations_ Safeguarding of assets

Serving as internal consultants, internal auditors can be held to higher standardsof performance and accountability. In these situations, they need to act as objectiveand critical “outsiders” within their own enterprises, delivering the hard facts andbad news beyond audit report findings, including issues that management sometimesdoes not want to hear

they need to be prepared to deliver the truth tomanagement beyond just errors, omissions, and internal control weaknesses

Theyalso need to be good at off-the-record consulting-related conversations, which aresometimes more important than the written audit report. Internal auditors who masterthe principles of effective internal consulting can use the related methods andtechniques to dig deeper and deliver the truth.

To fulfill its responsibilities, Internal Audit shall:_ Identify and assess potential risks to the Bank’s operations._ Review the adequacy of controls established to ensure compliance with policies, plans,procedures, and business objectives._ Assess the reliability and security of financial and management information andsupporting systems and operations that produce this information._ Assess the means of safeguarding assets._ Review established processes and propose improvements._ Appraise the use of resources with regard to economy, efficiency, and effectiveness._ Follow up recommendations to make sure that effective remedial action is taken._ Carry out ad hoc appraisals, investigations, or reviews requested by the AuditCommittee and Management._ Perform independent consulting projects at the specifi request of management .

There are often many areaswithin an enterprise where internal audit’s skills can meet needs and offer some helpand expertise. A good example might be when management formally requests helpwith the SOx Section 404 internal controls compliance review, and internal auditassists. (This process is discussed in Chapter 4.)

Beyond specific internal audit riskbasedaudit assignments, internal audit often can provide consulting help in a widevariety of areas. Examples might include helping to build effective internal controlsin a new IT application, discussed in Chapter 19, or helping to launch an ethics hotlinefunction, as discussed in Chapter 24. By providing internal consulting support,internal audit can be a major help to the overall enterprise.

Whether you’re looking to establish an internal audit function, attain or maintain compliance with Sarbanes-Oxley Section 404 (SOX 404) or government contracts, mitigate your risk of fraud, or gain an

overall assessment of your internal controls, you can count on Moss Adams for reliable and timely business solutions

Of course you want your internal audit function to help maintain compliance—but a high-quality outsourced audit function can provide benefits well beyond fulfilling your organization’s obligations. You want to work with a firm that brings an understanding of your industry, knowledgeable staff, and experience that will instill confidence in your board, your investors, and the public while uncovering ways to reduce your costs, streamline your operations, and improve your organization’s value.

The dedicated professionals at Moss Adams will become an extension of your organization and provide a thorough understanding of internal controls, system controls, and business processes. And because we organize our professionals by industry, you’ll gain the efficiency of working with a turnkey team: one who’s already well versed in the requirements and best practices of your industry and can provide you with excellent value in exchange for the time and resources you invest in your audit.

You’ll gain the peace of mind that comes with knowing you’ve not only met your compliance and business needs but brought your organization closer to achieving its performance goals.

Our team brings deep expertise in a wide variety of areas, including:

Operations Compliance Accounting Information technology Risk assessment and risk management Construction Fraud prevention

Fraud, theft, and many other types of business and accounting improprieties can cause significant harm to the people and companies involved. We’ve helped solve these problems for numerous individuals, companies, and law firms, allowing them to recover losses and get back to business.

Our team can investigate suspected fraud, abnormalities, and irregularities as well as provide expert witness testimony. With fraud examiners working closely with industry professionals, we have the training, experience, and bandwidth to help you fight fraud and recover from its effects.

Our forensic accounting and investigative experience includes:

Misappropriation of assets Conflicts of interest Embezzlement Fraudulent financial reporting Insolvency and bankruptcy fraud

Insurance claims fraud Litigation

We also offer extensive expertise in:

Fraud Risk Management

We can help you develop and evaluate your risk management program to decrease your vulnerability to fraud and misconduct. We use interviews, surveys, and focus groups to analyze your existing strategies, refine your fraud-risk profile, and establish the right protocols to avoid the types of problems your business is most susceptible to.

Data Analysis

We can uncover potentially fraudulent behavior with analytical tools that reveal inconsistencies in data. To do this, we employ both custom-made and industry-leading tools, including ACL software that analyzes and cross-references large amounts of data from disparate sources.

Agreed-Upon Procedures

We can serve as an independent practitioner to perform agreed-upon procedures established by two parties. We have extensive experience conducting these engagements, working proactively to gain a set of clear, precise procedures that address the nature, timing, and extent of the work to be done. Such planning helps avoid ambiguity later on that would inhibit achievement of your desired outcomes.

We can provide a report containing results that are clear and easily used by the specified parties to achieve validation of compliance and resolution of concerns. We have a diverse range of in-house expertise, allowing us to quickly assemble a project team capable of addressing unique technical and industry-specific matters.

Control Assurance Services

You may want assurance on a specific set of controls or control processes. We can scale our services for one or more specific projects in a wide range of technical and industry areas, from construction to health care.

Our team of more than 50 practitioners, each steeped in a particular internal audit discipline, brings specialized expertise to each project, so you get seasoned auditors with finely tuned expertise and an average of more than 10 years of experience. You’ll benefit from the high return on investment our services provide.

Moss Adams offers comprehensive performance audit services designed to help you identify and overcome the critical challenges your organization faces. Our performance audits generally follow a six-phase process:

1. Perform risk assessment, if needed2. Develop audit plan3. Conduct fact finding4. Analyze performance5. Prepare findings and recommendations6. Provide draft and final report

7. Investigations - investigations are independent evaluations of allegations generally focused on improper government activities, including misuse of university resources, fraud, financial irregularities, significant control weaknesses, and unethical behavior or actions. 

8. Investigation reports are confidential and distribution is limited to the requesting or impacted principal officer or senior campus official; the campus local designated official and/or campus Investigation Workgroup; and the UC compliance and audit officer and UC director of investigations if the investigation reaches required reporting thresholds

What is the process for conducting internal audits?

The audit process consists of the following components:

Key steps in the Internal Audit process are outlined below.

Planning – The client department or unit is notified and a planning meeting is conducted with the responsible principal officer to discuss and obtain input on the initial objectives and scope of the engagement, the timing of the review, and reporting process.

Preliminary Survey – A preliminary survey is conducted which usually begins with a meeting with the principal/senior officer of the activity to discuss potential scope and concerns; interviewing management and staff, and gathering background information; identifying key strategic, operational, and compliance objectives; reviewing formal guidance; gaining an understanding of organizational governance, risk management processes, and regulatory compliance; reviewing budgetary information, flowcharting key departmental processes, and identifying and testing key departmental processes and controls. The preliminary survey may indicate that additional field work is necessary to focus on areas where controls could be improved. The result of the survey is the generation of a risk matrix leading to the development of an audit program.

Field Work - The auditor conducts steps to test key objectives identified in the project risk

matrix; gathers, classifies, and appraises information to measure and evaluate the effectiveness of specific processes and controls. Sample transactions for a specific test period are often evaluated. Throughout the course of audit fieldwork, the auditor confers with client management about areas where improvements may be appropriate.

Draft Report - Upon completion of the field work, the auditor prepares a draft audit report which outlines the conclusion (executive summary), audit objective, scope, observations, and recommendations/agreements. Meetings are conducted with individuals and/or impacted units. In these meetings, the observations are discussed with the client with the goal of reaching agreement as to the appropriate corrective action to address the observation(s). The other goal is to resolve any misunderstandings regarding the content and accuracy of the report.

Principal Officer Concurrence - Following these meetings(s), the report is revised as needed and recommendations are changed to agreements where possible. A review copy of the final report is shared with the principal officer for concurrence prior to release of the final report. Corrective actions agreed to by management and Internal Audit is included in the final report in lieu of a subsequent written departmental response.

Final report - The finalized report is is issued to the campus principal or senior officer who has responsibility over the area; to the campus Audit Committee; and to the UC Ethics and Audit Office.

Follow-up - IAS performs follow-up on observations to determine whether departments have implemented corrective actions. The follow-up is generally performed quarterly, with an audit inquiry as to the status of corrective action followed by a validation of completion if so indicated by the client. When it has been determined that corrective actions have been conducted as agreed to resolve the underlying audit issue, the audit is considered closed. Management corrective actions are maintained electronically in a secure database (TeamCentral). A report is generated monthly and distributed to the Principal Officers and responsible party to assist in the resolution of open, agreed upon management corrective actions.