Module D Internal Auditing

1
Module D Internal Auditing
2
Introduction

• Definition of internal auditing
• Internal auditing is an independent, objective
  assurance and consulting activity designed to add
  value and improve an organizations operations.
  It helps an organization accomplish its
  objectives by bringing a systematic, disciplined
  approach to evaluate and improve the
  effectiveness of risk management, control, and
  governance processes

3
Introduction

• Users of internal auditing
• Any type of organization can benefit from
  internal auditing
• Used by corporations, not-for-profit
  organizations, and governments

4
Introduction

• What is internal auditing?
• It provides services to management
• that risks to the organization are understood and
  managed appropriately
• by providing an in-house consulting function
• Every organization, regardless of size, should
  have some type of internal audit process

5
History

• History of internal auditing
• Traced to early 1900s
• Evolved from the accounting function
• Originally a very clerical function
• Many corporations began using IA function

6
Professional Organizations

• Institute of Internal Auditors
• Established in 1941
• 84,000 members in 120 countries
• Established a code of conduct for internal
  auditors
• Established professional standards for internal
  auditing
• gt80 IIA chapters worldwide

7
Certifications

• Certified Internal Auditor
• In existence for 30 years
• About 40,000 worldwide
• Shows competence in the principles and practices
  of internal auditing

8
Professional Certifications

• CIA - Certified Internal Auditor
• CCSA - Control Self-Assessment Auditor
• CGAP - Certified Government Auditing Professional
• CFSA - Certified Financial Services Auditor

9
Standards

• Source of standards IIA
• The Standards are part of the Professional
  Practices Framework includes definitions, Code
  of Ethics, and the Standards
• Latest standards issued in 2001

10
Purpose of the standards

• Delineate basic principles that represent the
  practice of internal auditing as it should be
• Provide a framework for performing and promoting
  a broad range of value-added internal audit
  activities

11
Purpose of the standards

• Establish the basis for the measurement of
  internal audit performance
• Foster improved organizational processes and
  operations

12
Categories of standard

• Attribute standards (1000 series)
• address the characteristics of organizations and
  individuals performing internal audit activities

13
Categories of standard

• Performance standards (2000 series)
• describe the nature of internal audit activities
  and provide quality criteria against which the
  performance of these services can be measured
• attribute and performance standards apply to
  internal audit services in general

14
Categories of standard

• Implementation standards
• apply the Attribute and Performance Standards to
  specific types of engagements
• there are only one set of Attribute and
  Performance standards, but there can be multiple
  sets of Implementation Standards

15
Overview of Internal Auditing

• 9 Step Process

16
Selection of the auditee (step 1)

• Auditee the part of the organization being
  audited
• Systematic selection
• annually, IA department compiles list of possible
  audits
• rank list by probability of loss
• precise probability of loss difficult to compute
• make best estimate of potential loss and
  probability of loss

17
Selection of the auditee (step 1)

• auditees with higher levels of risk are scheduled
  first
• those with lower risks are scheduled later if
  time and resources permit

18
Selection of the auditee (step 1)

• Ad hoc audits
• squeaky wheel gets the grease
• management or BoD identify problem area that
  needs immediate attention
• example receive notice that loan repayment is
  due, but loan is not recorded in books BoD may
  direct IA department to begin immediate review
  over the loan processing procedures

19
Selection of the auditee (step 1)

• Auditee requests
• a manager may feel that he needs the impute of
  the IA department to evaluate the operations in
  his division
• because of various factors (internal politics,
  PR, etc.) IA department may rank request higher
  than original risk ranking

20
Audit planning (step 2)

• Similar to external audit, except for
  determination of scope and objectives
• Determination of objectives and scope of audit is
  an important step in an internal audit
• there are not standard objectives as in an
  external audit

21
Audit planning (step 2)

• Objectives of the audit
• the purpose of the audit
• e.g., examine economy and efficiency, examine
  program results, study and evaluate internal
  control structure, financial statement type audit
  procedures, etc.

22
Audit planning (step 2)

• Scope relates to the specific parts of the
  organization and information system that will be
  audited
• focus may be on a narrow or broad aspect of
  operations
• depth may be superficial or very in-depth
• after both objectives and scope specified, can
  estimate the necessary resources needed (size of
  audit team, time, travel, etc.)

23
Audit planning (step 2)

• Study of background information
• interviews with management
• learn about auditees policies and procedures
• look for concerns the auditee may have from
  previous audits
• look for attitudes of auditee toward control
  consciousness and auditors

24
Audit planning (step 2)

• Review reports from previous audits
• some argue that the review of files from previous
  audits should not be done until after completion
  of the preliminary survey
• they believe it could unduly influence you toward
  previous audit procedures and results
• others believe reviewing files from previous
  audits now allows you to be better prepared for
  the preliminary survey

25
Audit planning (step 2)

• Selection of audit team
• Makeup of audit team (for large audit smaller
  audits fewer people)
• CAE has overall responsibility provides final
  review and approval for major steps in audit
  process (i.e., selection of auditee, approval of
  objectives and scope, audit program, report)

26
Audit planning (step 2)

• manager responsible for overall coordination of
  audit work (i.e., selecting audit team,
  scheduling audit, reviewing all audit
  documentation)
• senior auditor responsible to conduct the audit
  and coordinate the day-to-day activities
• staff auditor responsible for doing most of the
  routine audit work

27
Audit planning (step 2)

• Preliminary communication with auditee
• notify auditee of dates for the audit
• this allows the auditee to make necessary
  preparations to accommodate the auditors (e.g.,
  access to records, facilities, access to
  employees, etc.)

28
Audit planning (step 2)

• Preparation of preliminary audit program
• contains
• objectives and scope of audit
• questions to be asked at preliminary survey
• procedures to be carried out
• evidence to be examined

29
Audit planning (step 2)

• Planning the audit report
• the audit report communicates the results of
  audit findings
• however, beginning to think of the report now is
  useful
• determine who will write the report
• determine who will review and edit the report
• determine when report will be presented to
  auditee
• schedule closing conference date and location
• select alternative dates

30
Preliminary survey (step 3)

• Objectives of preliminary survey
• gain initial impressions of auditee
• gather preliminary evidence for further planning
• gain cooperation of auditee

31
Preliminary survey (step 3)

• Opening conference
• between audit team and auditee management
• outlines audit schedule to coordinate with
  auditees activities

32
Preliminary survey (step 3)

• On-site tour
• auditors learn nature of auditees operations,
  work climate, physical facilities,
  interrelationships with other departments, work
  flow

33
Preliminary survey (step 3)

• Document study
• determine what documents exist, how they are
  organized, how they are stored, whether they have
  adequate security
• Written description
• document auditees operations
• Conduct analytical procedures
• helps to better understand auditees operations,
  and for planning additional audit procedures

34
ICS description, analysis, and evaluation (step
4)

• Preparing a description of controls
• documented in flowcharts, questionnaires, or
  narratives

35
ICS description, analysis, and evaluation (step
4)

• Conduct walk-through tests
• helps to identify critical control points (where
  potential risks are at their highest)
• documentation walk-through
• tracing each step of a transaction through the
  organizational records
• procedural walk-through
• performing the procedures yourself during the
  walk-through

36
ICS description, analysis, and evaluation (step
4)

• Testing of controls
• determine effectiveness of controls
• e.g., testing quality controls
• select sample of rejected items and sample of
  accepted items
• make sure each meet the criteria to be classified
  as they were
• look for persuasive evidence
• audit evidence rarely provides absolute certainty

37
ICS description, analysis, and evaluation (step
4)

• Evaluation
• reach conclusions about the quality of the
  internal control system with regard to objectives
  and risks
• matrix method
• column 1 critical control points
• column 2 potential risks
• column 3 proper control methods
• column 4 evaluation of auditees controls

38
ICS description, analysis, and evaluation (step
4)

• Risk reassessment
• determine if any changes are needed in objectives
  or scope of audit
• determine how much, if any, expanded audit work
  is needed

39
ICS description, analysis, and evaluation (step
4)

• First risk assessment was done to rank potential
  auditees
• this reassessment considers additional evidence
  gathered
• leads to two possible paths
• do no additional testing
• believe would provide little additional
  information
• believe, even if find additional information,
  other audits are more important
• do additional testing

40
Expanded testing (step 5)

• Expand audit program
• Determine additional resources needed
• additional auditors
• additional time
• additional travel funds
• Perform additional tests

41
Findings and recommendations (step 6)

• Develop findings and determine changes necessary
  to improve operations
• Findings include
• conditions as actually observed
• criteria used to evaluate the conditions
• risk associated with the observed problems
• causes of the problems

42
Findings and recommendations (step 6)

• Recommendations may be
• make no change
• the problems investigated were not actually
  problems
• the problems are not as serious as originally
  believed
• add new controls or modify existing controls

43
Findings and recommendations (step 6)

• Recommendations may be
• obtain insurance to mitigate the risks
• there are no controls that could be added or
  modified
• insurance is more cost effective
• recommend an increase in the required rate of
  return for this activity
• controls cannot be modified
• insurance is not available or cost prohibitive

44
Reporting (step 7)

• The IA departments reputation is largely based
  on audit reports
• it is the only formal presentation of the IAs
  expertise and performance

45
Reporting (step 7)

• Report addresses audits
• objectives
• scope
• procedures
• findings
• recommendations

46
Reporting (step 7)

• Who writes the report?
• one person or team effort?
• Presentation of report
• done at the closing conference
• if auditee has previous opportunity to view
  report
• interaction on findings and recommendations takes
  place

47
Reporting (step 7)

• If misunderstandings or conflicts are unresolved
• auditee may prepare formal response to audit
  report
• audit report and auditees response are submitted
  to top executives and/or BoDs
• some IA departments include auditees responses
  (whether positive or negative) in the audit report

48
Reporting (step 7)

• Some auditors believe that the IA department
  report should not make recommendations but only
  present alternatives and let top management
  determine the action to follow without IAs
  recommendations

49
Follow-up (step 8)

• Steps
• top management determines if and when audit
  recommendations will be implemented
• auditee makes changes
• IA department examines the effect of the changes

50
Follow-up (step 8)

• Some auditors believe all follow-up examinations
  should be conducted by the auditee under the
  supervision of top management
• Follow-up (regardless of who performs it) is
  necessary or cannot evaluate the benefit of
  internal auditing

51
Evaluation of the audit (step 9)

• Evaluation made by the auditors of their own
  performance
• determine any ongoing concern
• evaluate effectiveness of audit
• identify any procedures in conduct of audit that
  should be changed

52
Evaluation of the audit (step 9)

• Conduct performance of audit team
• used as basis of promotions, salary adjustments,
  continuing employment status