ccsa253

Deloitte professionals can quickly help you identify and prioritize key areas of potential risk and opportunity across your enterprise, based on the current competitive environment, regulatory climate, operational strengths and weaknesses of your organization and many other factors.

Deloitte's internal audit professionals can help provide organizations with a greater level of assurance, as well as insights and recommendations on business strategy execution and redeploying valuable resources toward achieving strategic goals and objectives.

Results include benchmarking statistics, recommendations and suggestions for improvement, leading to an improved and more effective internal audit function with an enhanced image within your organisation.

Developing strong board and management processes to enable effective governance;

Guiding management to develop a clear "tone from the top";

Measuring and monitoring your control culture;

Ensuring your processes incorporate expected levels of key controls;

Documenting your process flows and controls needed to support US SOX, C-SOX and any other relevant regulations;

Using IT to provide 24/7 review of key processes to identify issues (i.e. continuous monitoring);

Developing monitoring systems to ensure your controls work to support local governance and reporting needs; and

Delivering internal controls training to management and staff.

Internal auditing can provide managers and the Board with valuable assistance by giving objective assurance about their organization's governance, risk management and control processes. Establishing a robust internal audit function is a long-term and worthwhile investment for most organizations because an internal audit department can act as an independent advisor for the Board and senior management. Where an organization has not established an internal audit department, the identification of the benefits and role(s) internal audit could play should be the initial step. Where an internal audit function has been in operation, a review of its recent performance to identify improvement opportunities is recommended.

Internal auditing provides opportunities for companies to improve based on independent analysis and advice. Internal audit also helps the Board and senior management to monitor the organization. To preserve the integrity and independence of audits, auditors maintain a delicate balance between offering advice (mainly consulting services) and providing opinions about a process, system, account balance, or other subject matter (assurance services). Internal auditing provides unbiased information to management and the Board to help them make better decisions. Internal-audit conclusions and recommendations are based primarily on independently gathered evidence and knowledge.

The bottom line: it is time for executives to lead, managers to manage, boards to govern, and auditors to provide assurances to the Board and management that things are as people say they are. Your next audit planning effort should make this clear to everyone.

1: Introduction to Internal Audit

Audits exist to assess how well a business unit meets the performance goals of the organization, as dictated by the CEO, CFO (chief financial officer), board, investors and others. Accordingly, management's goal is to demonstrate how well operations, controls and results meet the needs of the business.

Auditors exist to provide the Board and senior management with an objective, independent assessment of a business unit or program (such as information security), including what they see as key opportunities for improvement.

CHAPTER 2: THE PROFESSIONAL PRACTICE OF INTERNAL AUDIT

"Quality is never an accident; it is always the result of high intention, sincere effort, intelligent direction, and skillful execution; it presents the wise choice of many alternatives."

William A Foster

20 questions for directors to ask internal auditors

The internal audit department's unique position within a company provides management and audit committee members with valuable assistance, by giving objective assurance on governance, risk management and control processes. Audit committees, of course, are responsible for providing oversight to the internal audit efforts within the organization, so how audit committees work with their internal audit staff is crucial to the success of the entire internal audit operation.

As one of the cornerstones of corporate governance (along with the Board of Directors, senior management and external auditing), internal auditing can provide strategic, operational and tactical value to an organization's operations. For example, internal auditing is:

A resource to the Board and management for helping to ensure the entire organization has the resources, systems, and processes for operating an efficient and effective organization.

An assurance service for management and the Board that confirms adequate controls are in place. By ensuring that qualified professional reviews and tests are performed, the Board and management can advance their goals of overseeing the organization's operations and helping to ensure continuous improvement and success.

An independent validation that the organization's efforts are proactive and effective against current and emerging threats.

A high-quality internal audit function meets or exceeds stakeholder expectations, while ensuring that value is added to the organization. The most critical factor in achieving internal audit quality is the auditor's competency and proficiency in evaluating the organization's risk management, control and governance processes. Each internal audit department should have a program, not only to ensure top quality internal audit reports, investigations, consulting and other services, but it should also have a way to effect continuous improvement in its service to stakeholders.

Serving as an enterprise consultant is an expanded and important role for many internal auditors. Internal consulting may not fit in all internal audit functions

As mentioned throughout this volume, the purpose of an internal audit is to assist management by providing analysis, information, and recommendations for the improvement of controls and operations. Internal controls may be evaluated for:

- Compliance with policies and procedures, rules, and regulations

- Reliability and integrity of financial and operational information

- Effectiveness and efficiency of operations

- Safeguarding of assets

Serving as internal consultants, internal auditors can be held to higher standards of performance and accountability. In these situations, they need to act as objective and critical outsiders within their own enterprises, delivering the hard facts and bad news beyond audit report findings, including issues that management sometimes does not want to hear

they need to be prepared to deliver the truth to management beyond just errors, omissions, and internal control weaknesses

They also need to be good at off-the-record consulting-related conversations, which are sometimes more important than the written audit report. Internal auditors who master the principles of effective internal consulting can use the related methods and techniques to dig deeper and deliver the truth.

To fulfill its responsibilities, Internal Audit shall:

- Identify and assess potential risks to the Bank's operations.

- Review the adequacy of controls established to ensure compliance with policies, plans, procedures, and business objectives.

- Assess the reliability and security of financial and management information and supporting systems and operations that produce this information.

- Assess the means of safeguarding assets.

- Review established processes and propose improvements.

- Appraise the use of resources with regard to economy, efficiency, and effectiveness.

- Follow up recommendations to make sure that effective remedial action is taken.

- Carry out ad hoc appraisals, investigations, or reviews requested by the Audit Committee and Management.

- Perform independent consulting projects at the specific request of management.

There are often many areas within an enterprise where internal audit's skills can meet needs and offer some help and expertise. A good example might be when management formally requests help with the SOx Section 404 internal controls compliance review, and internal audit assists. (This process is discussed in Chapter 4.)

Beyond specific internal audit risk-based audit assignments, internal audit often can provide consulting help in a wide variety of areas. Examples might include helping to build effective internal controls in a new IT application, discussed in Chapter 19, or helping to launch an ethics hotline function, as discussed in Chapter 24. By providing internal consulting support, internal audit can be a major help to the overall enterprise.

Whether you're looking to establish an internal audit function, attain or maintain compliance with Sarbanes-Oxley Section 404 (SOX 404) or government contracts, mitigate your risk of fraud, or gain an overall assessment of your internal controls, you can count on Moss Adams for reliable and timely business solutions.

Of course you want your internal audit function to help maintain compliance, but a high-quality outsourced audit function can provide benefits well beyond fulfilling your organization's obligations. You want to work with a firm that brings an understanding of your industry, knowledgeable staff, and experience that will instill confidence in your board, your investors, and the public while uncovering ways to reduce your costs, streamline your operations, and improve your organization's value.

The dedicated professionals at Moss Adams will become an extension of your organization and provide a thorough understanding of internal controls, system controls, and business processes. And because we organize our professionals by industry, you'll gain the efficiency of working with a turnkey team: one who's already well versed in the requirements and best practices of your industry and can provide you with excellent value in exchange for the time and resources you invest in your audit.

You'll gain the peace of mind that comes with knowing you've not only met your compliance and business needs but brought your organization closer to achieving its performance goals.

Our team brings deep expertise in a wide variety of areas, including:

Operations

Compliance

Accounting

Information technology

Risk assessment and risk management

Construction

Fraud prevention

Fraud, theft, and many other types of business and accounting improprieties can cause significant harm to the people and companies involved. We've helped solve these problems for numerous individuals, companies, and law firms, allowing them to recover losses and get back to business.

Our team can investigate suspected fraud, abnormalities, and irregularities as well as provide expert witness testimony. With fraud examiners working closely with industry professionals, we have the training, experience, and bandwidth to help you fight fraud and recover from its effects.

Our forensic accounting and investigative experience includes:

Misappropriation of assets

Conflicts of interest

Embezzlement

Fraudulent financial reporting

Insolvency and bankruptcy fraud

Insurance claims fraud

Litigation

We also offer extensive expertise in:

Fraud Risk Management

We can help you develop and evaluate your risk management program to decrease your vulnerability to fraud and misconduct. We use interviews, surveys, and focus groups to analyze your existing strategies, refine your fraud-risk profile, and establish the right protocols to avoid the types of problems your business is most susceptible to.

Data Analysis

We can uncover potentially fraudulent behavior with analytical tools that reveal inconsistencies in data. To do this, we employ both custom-made and industry-leading tools, including ACL software that analyzes and cross-references large amounts of data from disparate sources.

Agreed-Upon Procedures

We can serve as an independent practitioner to perform agreed-upon procedures established by two parties. We have extensive experience conducting these engagements, working proactively to gain a set of clear, precise procedures that address the nature, timing, and extent of the work to be done. Such planning helps avoid ambiguity later on that would inhibit achievement of your desired outcomes.

We can provide a report containing results that are clear and easily used by the specified parties to achieve validation of compliance and resolution of concerns. We have a diverse range of in-house expertise, allowing us to quickly assemble a project team capable of addressing unique technical and industry-specific matters.

Control Assurance Services

You may want assurance on a specific set of controls or control processes. We can scale our services for one or more specific projects in a wide range of technical and industry areas, from construction to health care.

Our team of more than 50 practitioners, each steeped in a particular internal audit discipline, brings specialized expertise to each project, so you get seasoned auditors with finely tuned expertise and an average of more than 10 years of experience. You'll benefit from the high return on investment our services provide.

Moss Adams offers comprehensive performance audit services designed to help you identify and overcome the critical challenges your organization faces. Our performance audits generally follow a six-phase process:

1. Perform risk assessment, if needed

2. Develop audit plan

3. Conduct fact finding

4. Analyze performance

5. Prepare findings and recommendations

6. Provide draft and final report

Investigations - investigations are independent evaluations of allegations generally focused on improper government activities, including misuse of university resources, fraud, financial irregularities, significant control weaknesses, and unethical behavior or actions.

Investigation reports are confidential and distribution is limited to the requesting or impacted principal officer or senior campus official; the campus local designated official and/or campus Investigation Workgroup; and the UC compliance and audit officer and UC director of investigations if the investigation reaches required reporting thresholds.

What is the process for conducting internal audits?

The audit process consists of the following components:

Key steps in the Internal Audit process are outlined below.

Planning - The client department or unit is notified and a planning meeting is conducted with the responsible principal officer to discuss and obtain input on the initial objectives and scope of the engagement, the timing of the review, and reporting process.

Preliminary Survey - A preliminary survey is conducted which usually begins with a meeting with the principal/senior officer of the activity to discuss potential scope and concerns; interviewing management and staff, and gathering background information; identifying key strategic, operational, and compliance objectives; reviewing formal guidance; gaining an understanding of organizational governance, risk management processes, and regulatory compliance; reviewing budgetary information, flowcharting key departmental processes, and identifying and testing key departmental processes and controls. The preliminary survey may indicate that additional field work is necessary to focus on areas where controls could be improved. The result of the survey is the generation of a risk matrix leading to the development of an audit program.

Field Work - The auditor conducts steps to test key objectives identified in the project risk matrix; gathers, classifies, and appraises information to measure and evaluate the effectiveness of specific processes and controls. Sample transactions for a specific test period are often evaluated. Throughout the course of audit fieldwork, the auditor confers with client management about areas where improvements may be appropriate.

Draft Report - Upon completion of the field work, the auditor prepares a draft audit report which outlines the conclusion (executive summary), audit objective, scope, observations, and recommendations/agreements. Meetings are conducted with individuals and/or impacted units. In these meetings, the observations are discussed with the client with the goal of reaching agreement as to the appropriate corrective action to address the observation(s). The other goal is to resolve any misunderstandings regarding the content and accuracy of the report.

Principal Officer Concurrence - Following these meeting(s), the report is revised as needed and recommendations are changed to agreements where possible. A review copy of the final report is shared with the principal officer for concurrence prior to release of the final report. Corrective actions agreed to by management and Internal Audit are included in the final report in lieu of a subsequent written departmental response.

Final Report - The finalized report is issued to the campus principal or senior officer who has responsibility over the area; to the campus Audit Committee; and to the UC Ethics and Audit Office.

Follow-up - IAS performs follow-up on observations to determine whether departments have implemented corrective actions. The follow-up is generally performed quarterly, with an audit inquiry as to the status of corrective action followed by a validation of completion if so indicated by the client. When it has been determined that corrective actions have been conducted as agreed to resolve the underlying audit issue, the audit is considered closed. Management corrective actions are maintained electronically in a secure database (TeamCentral). A report is generated monthly and distributed to the Principal Officers and responsible party to assist in the resolution of open, agreed upon management corrective actions.