Title: Module D Internal Auditing
1 Module D Internal Auditing
2 Introduction
- Definition of internal auditing
- Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
3 Introduction
- Users of internal auditing
- Any type of organization can benefit from internal auditing
- Used by corporations, not-for-profit organizations, and governments
4 Introduction
- What is internal auditing?
- It provides services to management
- that risks to the organization are understood and managed appropriately
- by providing an in-house consulting function
- Every organization, regardless of size, should have some type of internal audit process
5 History
- History of internal auditing
- Traced to early 1900s
- Evolved from the accounting function
- Originally a very clerical function
- Many corporations began using IA function
6 Professional Organizations
- Institute of Internal Auditors
- Established in 1941
- 84,000 members in 120 countries
- Established a code of conduct for internal auditors
- Established professional standards for internal auditing
- >80 IIA chapters worldwide
7 Certifications
- Certified Internal Auditor
- In existence for 30 years
- About 40,000 worldwide
- Shows competence in the principles and practices of internal auditing
8 Professional Certifications
- CIA - Certified Internal Auditor
- CCSA - Control Self-Assessment Auditor
- CGAP - Certified Government Auditing Professional
- CFSA - Certified Financial Services Auditor
9 Standards
- Source of standards: IIA
- The Standards are part of the Professional Practices Framework, which includes definitions, Code of Ethics, and the Standards
- Latest standards issued in 2001
10 Purpose of the standards
- Delineate basic principles that represent the practice of internal auditing as it should be
- Provide a framework for performing and promoting a broad range of value-added internal audit activities
11 Purpose of the standards
- Establish the basis for the measurement of internal audit performance
- Foster improved organizational processes and operations
12 Categories of standard
- Attribute standards (1000 series)
- address the characteristics of organizations and individuals performing internal audit activities
13 Categories of standard
- Performance standards (2000 series)
- describe the nature of internal audit activities and provide quality criteria against which the performance of these services can be measured
- attribute and performance standards apply to internal audit services in general
14 Categories of standard
- Implementation standards
- apply the Attribute and Performance Standards to specific types of engagements
- there is only one set of Attribute and Performance standards, but there can be multiple sets of Implementation Standards
15 Overview of Internal Auditing
16 Selection of the auditee (step 1)
- Auditee: the part of the organization being audited
- Systematic selection
- annually, IA department compiles list of possible audits
- rank list by probability of loss
- precise probability of loss difficult to compute
- make best estimate of potential loss and probability of loss
17 Selection of the auditee (step 1)
- auditees with higher levels of risk are scheduled first
- those with lower risks are scheduled later if time and resources permit
18 Selection of the auditee (step 1)
- Ad hoc audits
- squeaky wheel gets the grease
- management or BoD identify problem area that needs immediate attention
- example: receive notice that loan repayment is due, but loan is not recorded in books; BoD may direct IA department to begin immediate review over the loan processing procedures
19 Selection of the auditee (step 1)
- Auditee requests
- a manager may feel that he needs the input of the IA department to evaluate the operations in his division
- because of various factors (internal politics, PR, etc.) IA department may rank request higher than original risk ranking
20 Audit planning (step 2)
- Similar to external audit, except for determination of scope and objectives
- Determination of objectives and scope of audit is an important step in an internal audit
- there are no standard objectives as in an external audit
21 Audit planning (step 2)
- Objectives of the audit
- the purpose of the audit
- e.g., examine economy and efficiency, examine program results, study and evaluate internal control structure, financial statement type audit procedures, etc.
22 Audit planning (step 2)
- Scope relates to the specific parts of the organization and information system that will be audited
- focus may be on a narrow or broad aspect of operations
- depth may be superficial or very in-depth
- after both objectives and scope are specified, can estimate the necessary resources needed (size of audit team, time, travel, etc.)
23 Audit planning (step 2)
- Study of background information
- interviews with management
- learn about auditee's policies and procedures
- look for concerns the auditee may have from previous audits
- look for attitudes of auditee toward control consciousness and auditors
24 Audit planning (step 2)
- Review reports from previous audits
- some argue that the review of files from previous audits should not be done until after completion of the preliminary survey
- they believe it could unduly influence you toward previous audit procedures and results
- others believe reviewing files from previous audits now allows you to be better prepared for the preliminary survey
25 Audit planning (step 2)
- Selection of audit team
- Makeup of audit team (for large audit; smaller audits, fewer people)
- CAE has overall responsibility; provides final review and approval for major steps in audit process (i.e., selection of auditee, approval of objectives and scope, audit program, report)
26 Audit planning (step 2)
- manager responsible for overall coordination of audit work (i.e., selecting audit team, scheduling audit, reviewing all audit documentation)
- senior auditor responsible to conduct the audit and coordinate the day-to-day activities
- staff auditor responsible for doing most of the routine audit work
27 Audit planning (step 2)
- Preliminary communication with auditee
- notify auditee of dates for the audit
- this allows the auditee to make necessary preparations to accommodate the auditors (e.g., access to records, facilities, access to employees, etc.)
28 Audit planning (step 2)
- Preparation of preliminary audit program
- contains
- objectives and scope of audit
- questions to be asked at preliminary survey
- procedures to be carried out
- evidence to be examined
29 Audit planning (step 2)
- Planning the audit report
- the audit report communicates the results of audit findings
- however, beginning to think of the report now is useful
- determine who will write the report
- determine who will review and edit the report
- determine when report will be presented to auditee
- schedule closing conference date and location
- select alternative dates
30 Preliminary survey (step 3)
- Objectives of preliminary survey
- gain initial impressions of auditee
- gather preliminary evidence for further planning
- gain cooperation of auditee
31 Preliminary survey (step 3)
- Opening conference
- between audit team and auditee management
- outlines audit schedule to coordinate with auditee's activities
32 Preliminary survey (step 3)
- On-site tour
- auditors learn nature of auditee's operations, work climate, physical facilities, interrelationships with other departments, work flow
33 Preliminary survey (step 3)
- Document study
- determine what documents exist, how they are organized, how they are stored, whether they have adequate security
- Written description
- document auditee's operations
- Conduct analytical procedures
- helps to better understand auditee's operations, and for planning additional audit procedures
34 ICS description, analysis, and evaluation (step 4)
- Preparing a description of controls
- documented in flowcharts, questionnaires, or narratives
35 ICS description, analysis, and evaluation (step 4)
- Conduct walk-through tests
- helps to identify critical control points (where potential risks are at their highest)
- documentation walk-through
- tracing each step of a transaction through the organizational records
- procedural walk-through
- performing the procedures yourself during the walk-through
36 ICS description, analysis, and evaluation (step 4)
- Testing of controls
- determine effectiveness of controls
- e.g., testing quality controls
- select sample of rejected items and sample of accepted items
- make sure each meets the criteria to be classified as they were
- look for persuasive evidence
- audit evidence rarely provides absolute certainty
37 ICS description, analysis, and evaluation (step 4)
- Evaluation
- reach conclusions about the quality of the internal control system with regard to objectives and risks
- matrix method
- column 1: critical control points
- column 2: potential risks
- column 3: proper control methods
- column 4: evaluation of auditee's controls
38 ICS description, analysis, and evaluation (step 4)
- Risk reassessment
- determine if any changes are needed in objectives or scope of audit
- determine how much, if any, expanded audit work is needed
39 ICS description, analysis, and evaluation (step 4)
- First risk assessment was done to rank potential auditees
- this reassessment considers additional evidence gathered
- leads to two possible paths
- do no additional testing
- believe would provide little additional information
- believe, even if find additional information, other audits are more important
- do additional testing
40 Expanded testing (step 5)
- Expand audit program
- Determine additional resources needed
- additional auditors
- additional time
- additional travel funds
- Perform additional tests
41 Findings and recommendations (step 6)
- Develop findings and determine changes necessary to improve operations
- Findings include
- conditions as actually observed
- criteria used to evaluate the conditions
- risk associated with the observed problems
- causes of the problems
42 Findings and recommendations (step 6)
- Recommendations may be
- make no change
- the problems investigated were not actually problems
- the problems are not as serious as originally believed
- add new controls or modify existing controls
43 Findings and recommendations (step 6)
- Recommendations may be
- obtain insurance to mitigate the risks
- there are no controls that could be added or modified
- insurance is more cost effective
- recommend an increase in the required rate of return for this activity
- controls cannot be modified
- insurance is not available or cost prohibitive
44 Reporting (step 7)
- The IA department's reputation is largely based on audit reports
- it is the only formal presentation of the IA's expertise and performance
45 Reporting (step 7)
- Report addresses audit's
- objectives
- scope
- procedures
- findings
- recommendations
46 Reporting (step 7)
- Who writes the report?
- one person or team effort?
- Presentation of report
- done at the closing conference
- if auditee has previous opportunity to view report
- interaction on findings and recommendations takes place
47 Reporting (step 7)
- If misunderstandings or conflicts are unresolved
- auditee may prepare formal response to audit report
- audit report and auditee's response are submitted to top executives and/or BoDs
- some IA departments include auditees' responses (whether positive or negative) in the audit report
48 Reporting (step 7)
- Some auditors believe that the IA department report should not make recommendations but only present alternatives and let top management determine the action to follow without IA's recommendations
49 Follow-up (step 8)
- Steps
- top management determines if and when audit recommendations will be implemented
- auditee makes changes
- IA department examines the effect of the changes
50 Follow-up (step 8)
- Some auditors believe all follow-up examinations should be conducted by the auditee under the supervision of top management
- Follow-up (regardless of who performs it) is necessary or cannot evaluate the benefit of internal auditing
51 Evaluation of the audit (step 9)
- Evaluation made by the auditors of their own performance
- determine any ongoing concern
- evaluate effectiveness of audit
- identify any procedures in conduct of audit that should be changed
52 Evaluation of the audit (step 9)
- Conduct performance of audit team
- used as basis of promotions, salary adjustments, continuing employment status