Chapter 18
Internal Auditing and Outsourcing
Define Internal Auditing
Internal auditing is an independent and objective assurance and consulting activity that is designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Discuss Internal Auditing
Exists only because it adds value to the organization
Must change as organizations change
Provides objective assurance to top management and the board
Reports problems, and also offers advice on needed improvements
Encompasses all the important operations of an organization
Assurance & Consulting Activity
Assurance services - objective services that improve the
  Quality of information about processes
  Effectiveness of controls
  Reliability of information
  Compliance with company, regulatory, or governmental procedures
  Effectiveness and efficiency of operations
Consulting services:
  Advisory or partnering activities that add value and improve operations
  Both parties must agree on nature and scope of services
  Identifies problems and potential solutions
  Advisory; does not include decision making
Discuss Assurance & Consulting Activity
Systematic and Disciplined Approach
Internal auditing standards are designed to ensure objective, relevant, and sufficient evidence is gathered and evaluated
Internal auditors identify risks, gather evidence, evaluate findings, and suggest improvements
Elements of the systematic and disciplined approach:
  Defined audit objectives
  Risk analysis
  Audit work plan
  Defined audit procedures
  Use of technology
  Independent review of audit work
  Review of conclusions with management
Assurance & Consulting Activity (Continued)
Corporate Governance, Risk Management, and Control
Good governance requires organizations implement processes and controls designed to ensure:
Decisions are made at the appropriate level of the organization
Processes comply with organization policies and government regulations
Processes are efficient and effective
Risks are identified and factored into decisions
Controls are properly designed and implemented
Effective whistle-blowing function is implemented
Review Internal Auditing & Corporate Governance
Internal auditors should:
Understand key governance issues, stakeholders, and accountability to those stakeholders
Provide analysis to determine that top management understands risks and has processes in place to address such risks
Ensure the organization has controls to address such risks, and that such controls are operating effectively
Evaluate organization's processes for determining operating efficiency
Determine that operations comply with organization policies as well as contracts, laws, and regulations
Determine that an effective whistle-blowing function is in place
What is the internal audit charter?
Statement of the internal audit's role in an organization, the charter accomplishes two important objectives:
Defines the scope of the internal audit activity including access to company records
Defines the reporting relationships that exist between the audit activity and others within the organization such as audit committee members, senior management, and operating management
Important issues that should be noted in the charter:
Statement of the mission of the activity defined in terms of governance, risk, control, and operating efficiency
Identification of audit accountabilities
Defined responsibility to provide periodic reports
Prohibition against performing operational tasks
Identification of standards by which to judge performance of internal audit work
Review Internal Auditing & the Audit Committee
Internal auditors assist the audit committee in a number of ways:
Review the quality of internal controls over financial reporting
Provide an independent viewpoint on major accounting issues
Provide feedback on the efficiency of operations and compliance with company and regulatory policies
Facilitate information flow to the audit committee
Perform special projects or investigations as requested
Monitor effectiveness of whistle-blowing activities
Evaluate whether the company has met its reporting objectives
Assess the "quality" of financial reporting
Evaluate the effectiveness of risk management processes
Provide independent assessments of risk
Provide information to facilitate monitoring of key risks
Discuss Internal Audit Outsourcing
Recent trend for companies to outsource their internal audit function to public accounting or other specialized firms
This trend may slow as the SEC prohibits a CPA from providing both internal and external audit services for the same company
Possible advantages of outsourcing internal audit function. Service provider may:
  Have greater expertise or specialized talents
  Be able to provide service at lower cost
  Have global presence and be able to provide service without language or cultural problems
  Provide greater flexibility in staffing and budgeting
Possible disadvantages of outsourcing internal audit function:
  Employees may have greater knowledge of the company and its operations
  Loss of internal audit as a training ground to develop new managers
What is value added internal auditing?
Internal audit activities can be classified as:
Risk analysis
  Organizations take risks to accomplish their objectives
  Organizations need processes to recognize risk and institute controls to minimize adverse outcomes
  Risk analysis examines whether processes are adequate to manage risks
Information reliability
  Organizations need accurate, reliable, and timely information
  Information must also be protected
  Internal auditors perform periodic reviews of security and controls
Control effectiveness
  Controls exist to address risks
  Internal auditors provide objective assessment as to whether
    Controls are adequate to manage risk
    Controls are operating effectively
Operational effectiveness and efficiency
Conformance with company policies and procedures
Fraud investigations
What is value added internal auditing? (Continued)
What are operational audits?
Evaluate organization's activities, systems, and controls
Assess quality and efficiency of performance
Identify opportunities and develop recommendations for improvement
Criteria for evaluation of performance:
  Past operations
  Best practices for similar operations
  Stated management objectives
Further Discussion of Operational Audits
Every operational audit follows the same ten-step process:
Understanding the operational area and management's interest in having the area audited
Develop background information about the audit area
Develop objective criteria regarding operational efficiency
Perform preliminary analysis of the audit area
Perform detailed risk analysis
Develop and analyze data that might indicate problems
Perform inquiry and testing to identify source of problems
Perform detailed tests of operating activities and controls
Summarize findings - prepare report and discuss with management
Develop mechanism to follow-up on recommendations
More Operational Audits
Detailed considerations:
Establish criteria
  Objective criteria should be established prior to the audit
  Criteria should include both performance and control measures
Perform preliminary risk analysis for all operational audit areas
  To determine whether organization has effective risk management process
  To identify important controls
Perform analytical analysis
  To identify existence and source of potential operating problems
Test controls and operations
  Every operational audit will have compliance testing component
  To determine whether operations follow company policies and meet company standards
Discuss Compliance Audits
Performed to determine whether operations are being conducted in compliance with contracts, management's policies, or applicable laws and regulations
Add value because they can
  Improve operational efficiency
  Provide assurance that organization is operating within applicable laws and regulations
Internal Auditing and Sarbanes-Oxley
Internal auditors are an integral part of assisting organizations to implement provisions of the Sarbanes-Oxley Act
Internal audit may assist in
  Facilitating a control self-assessment by management
  Assisting operating personnel understand controls and documentation
Review Internal Audit Standards
Standards for the Professional Practice of Internal Auditing (IIA):
Attribute Standards
  Purpose, Authority, and Responsibility
  Independence and Objectivity
  Proficiency and Due Professional Care
  Quality Assurance and Improvement Program
Performance Standards
  Managing the Internal Audit Activity
  Nature of Work
  Engagement Planning
  Performing the Engagement
  Communicating Results
  Monitoring Progress
  Management's Acceptance of Risks
Implementation Standards
  There may be multiple implementation standards derived from the concepts in the attribute and performance standards
Review Internal Audit Standards (Continued)
What is the IIA Code of Ethics?
Focuses on broad-based Principles and Rules of Conduct regarding:
Integrity
Objectivity
Confidentiality
Competence
Comment on Reporting Fraud
The IIA's Code of Ethics makes it clear that an internal auditor should
"Observe the law and make disclosures expected by the law and the profession"
"Not knowingly be a party to any illegal activity, nor engage in acts that are discreditable to the profession of internal auditing or to the organization"
If an internal auditor uncovers evidence of fraud, the auditor should:
Document the findings and include them in an audit report
Report findings to the board of directors, the audit committee, and appropriate members of top management
Consult with an attorney on actions appropriate to the particular case
Consider the need for any additional action to disassociate from the fraud