Chapter 18

Internal Auditing and Outsourcing

Define Internal Auditing

Internal auditing is an independent and objective assurance and consulting activity that is designed to add value to improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, discipline approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Discuss Internal Auditing

Exists only because it adds value to the organization

Must change as organizations changeProves objective assurance to top

management and the boardReports problems, and also offers

advice on needed improvementsEncompasses all the important

operations of an organization

Assurance & Consulting Activity

Assurance services - objective services that improve the Quality of information about processes Effectiveness of controls Reliability of information Compliance with company, regulatory, or

governmental procedures Effectiveness and efficiency of operationsConsulting services: Advisory or partnering activities that add value and

improve operations Both parties must agree on nature and scope of

services Identifies problems and potential solutions Advisory; does not include decision making

Discuss Assurance & Consulting Activity

Systematic and Disciplined Approach Internal auditing standards are designed to ensure

objective, relevant, and sufficient evidence is gathered and evaluated

Internal auditors identify risks, gather evidence, evaluate findings, and suggest improvements

Elements of the systematic and disciplined approach: Defined audit objectives Risk analysis Audit work plan Defined audit procedures Use of technology Independent review of audit work Review of conclusions with management

Assurance & Consulting Activity (Continued)

Corporate Governance, Risk Management, and Control

Good governance requires organizations implement processes and controls designed to ensureDecisions are made at the appropriate level of the

organizationProcesses comply with organization policies and

government regulationsProcesses are efficient and effectiveRisks are identified and factored into decisionsControls are properly designed and implemented Effective whistle-blowing function is implemented

Review Internal Auditing & Corporate Governance

Internal auditors should: Understand key governance issues, stakeholders,

and accountability to those stakeholders Provide analysis to determine that top management

understands risks and have processes in place to address such risks

Ensure the organization has controls to address such risks, and that such controls are operating effectively

Evaluate organization's processes for determining operating efficiency

Determine that operations comply with organization policies as well as contracts, laws, and regulations

Determine that an effective whistle-blowing function is in place

What is the internal audit charter?

Statement of the internal audit's role in an organization, the charter accomplishes two important objectives:

Defines the scope of the internal audit activity including access to company records

Defines the reporting relationships that exist between the audit activity and others within the organization such as audit committee members, senior management, and operating management

Important issues that should be noted in the charter: Statement of the mission of the activity defined in terms of

governance, risk, control, and operating efficiency Identification of audit accountabilities Defined responsibility to provide periodic reports Prohibition against performing operational tasks Identification of standards by which to judge performance of

internal audit work

Review Internal Auditing & the Audit Committee

Internal auditors assist the audit committee in a number of ways:

Review the quality of internal controls over financial reporting

Provide an independent viewpoint on major accounting issues

Provide feedback on the efficiency of operations and compliance with company and regulatory policies

Facilitate information flow to the audit committee Perform special projects or investigations as

requested

Monitor effectiveness of whistle-blowing activities

Evaluate whether the company has met its reporting objectives

Assess the "quality" of financial reportingEvaluate the effectiveness of risk

management processesProvide independent assessments of riskProvide information to facilitate monitoring

of key risks

Review Internal Auditing & the Audit Committee

Discuss Internal Audit Outsourcing

Recent trend for companies to outsource their internal audit function to public accounting or other specialize firms

This trend may slow as the SEC prohibits a CPA from providing both internal and external audit services for the same company

Possible advantages of outsourcing internal audit function. Service provider may:

Have greater expertise or specialized talents Be able to provide service at lower cost Have global presence and be able to provide service without

language or cultural problems Provide greater flexibility in staffing and budgetingPossible disadvantages of outsourcing internal audit function: Employees may have greater knowledge of the company and

its operations Loss of internal audit as a training ground to develop new

managers

What is value added internal auditing?

Internal audit activities can be classified as: Risk analysis

Organizations take risks to accomplish their objectives Organizations need processes to recognize risk and

institute controls to minimize adverse outcomes Risk analysis examines whether processes are adequate to

manage risks Information reliability

Organizations need accurate, reliable, and timely information

Information must also be protected Internal auditors perform periodic reviews of security and

controls

Control effectivenessControls exist to address risksInternal auditors provide objective assessment as

to whetherControls are adequate to manage riskControls are operating effectively

Operational effectiveness and efficiencyConformance with company policies and

proceduresFraud investigations

What is value added internal auditing? (Continued)

What are operational audits?

Evaluate organization's activities, systems, and controls

Assess quality and efficiency of performanceIdentify opportunities and develop

recommendations for improvement

Criteria for evaluation of performancePast operationsBest practices for similar operationsStated management objectives

Further Discussion of Operational Audits

Every operational audit follows the same ten step process: Understanding the operational area and management's

interest in having the area audited Develop background information about the audit area Develop objective criteria regarding operational

efficiency Perform preliminary analysis of the audit area Perform detailed risk analysis Develop and analyze data that might indicate problems Perform inquiry and testing to identify source of

problems Performed detailed tests of operating activities and

controls Summarize findings - prepare report and discuss with

management Develop mechanism to follow-up on recommendations

More Operational Audits

Detailed considerations: Establish criteria Objective criteria should be established prior to the audit Criteria should include both performance and control

measuresPerform preliminary risk analysis for all operational audit areas To determine whether organization has effective risk

management process To identify important controlsPerform analytical analysis To identify existence and source of potential operating

problemsTest controls and operations Every operational audit will have compliance testing

component To determine whether operations follow company policies

and meet company standards

Discuss Compliance Audits

Performed to determine whether operations are being conducted in compliance with contracts, management's policies, or applicable laws and regulations

Add value because they canImprove operational efficiencyProvide assurance that organization is

operating within applicable laws and regulations

Internal Auditing and Sarbanes-Oxley

Internal auditors are an integral part of assisting organizations to implement provisions of the Sarbanes-Oxley Act

Internal audit may assist in facilitating a control self-assessment by management assisting operating personnel understand controls and documentation

Review Internal Audit Standards

Standards for the Professional Practice of Internal Auditing (IIA):

Attribute StandardsPurpose, Authority, and ResponsibilityIndependence and ObjectivityProficiency and Due Professional CareQuality Assurance and Improvement

ProgramPerformance StandardsManaging the Internal Audit ActivityNature of Work

Performance Standards Engagement PlanningPerforming the EngagementCommunicating ResultsMonitoring ProgressManagement's Acceptance of RisksImplementation StandardsThere may be multiple implementation

standards derived from the concepts in the attribute and performance standards

Review Internal Audit Standards (Continued)

What is the IIA Code of Ethics?

Focuses on broad-based Principles and Rules of Conduct regarding:

Integrity

Objectivity

Confidentiality

Competence

Comment on Reporting Fraud

The IIA's Code of Ethics makes it clear that an internal auditor should

"Observe the law and make disclosures expected by the law and the profession"

"Not knowingly be a party to any illegal activity, nor engage in acts that are discreditable to the profession of internal auditing or to the organization"

If an internal auditor uncovers evidence of fraud, the auditor should:

Document the findings and include them in an audit report

Report findings to the board of directors, the audit committee, and appropriate members of top management

Consult with an attorney on actions appropriate to the particular case

Consider the need for any additional action to disassociate from the fraud

Comment on Reporting Fraud