Internal Audit And Internal Control Presentation Leo Wachira


A Presentation on IA Status


Internal Auditing and Internal Controls

By Leo Wachira

GOVERNANCE

OVERSIGHT – Policy Setting

STEWARDSHIP - Managers in charge of full business units

TACTICAL / OPERATIONAL – Includes Line / Supervisory management

ASSURANCE – Includes Internal Audit/ External Audit, M&E and Internal Affairs

AGENDA OF PRESENTATION

What is Internal Auditing?

Why and How is Internal Auditing carried out in the Government of Liberia?

What are Internal Controls?

What are Some Common irregularities resulting from a failure in Internal Controls?

Question & Answers

WHAT IS INTERNAL AUDITING?

Some Definitions:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes…… The IIA Definition

An appraisal activity established or provided as a service to the entity. Its functions include, amongst other things, examining, evaluating and monitoring the adequacy and effectiveness of internal control…… The ISA 610 and ISSAI 1003 Definition

INTERNAL AUDITING IN GOL

The Auditor-General is the principal responsible for conducting comprehensive post audits, special Financial investigations, reconciliations and analyses, and continuous audits on a routine basis…… Section 53.3 of the Executive Law of 1972.

The function, reporting responsibilities and activities of internal auditors shall be prescribed in regulations under this Act, supplemented by instructions and guidelines issued by the Minister in Collaboration with the Auditor General…… Section 38, PFM Act (2009)

INTERNATIONAL BEST PRACTICE

Internal auditing is conducted in diverse legal and cultural environments; within organizations that vary in purpose, size, complexity, and structure; and by persons within or outside the organization. While differences may affect the practice of internal auditing in each environment, conformance with The IIA's International Standards for the Professional Practice of Internal Auditing (Standards) is essential in meeting the responsibilities of internal auditors and the internal audit activity.

GOL INTERNAL AUDIT STRATEGY 1/3

Adopted by the Cabinet as a structural benchmark (2008)

Identified as a key support to the newly adopted Medium Term Framework (2010/2011) – Part of PFM Reform

Proposed a Two phase approach of Consolidating existing capacity and Expanding this after one year (Institutions Identified through Portion of National Budget, Residual Risk, PRS importance and donor expectations (risk))

Proposed Consolidation begins at Ministries of Finance, Health, Education, Public Works and Lands, Mines & Energy

Proposes an Institutional Framework covering a Governance Board, Secretariat and Audit Committees in Line Ministries

Proposes the Governance board establishes Common Audit Priorities for the M&As

Proposes adoption of a 5 level IA Capability Maturity framework

GOL INTERNAL AUDIT STRATEGY 2/3

Risks facing the GOL IA Strategy

Appointment of a Board

The Governance board consisting of 5 members, including the GAC, MoF, CSA, PPCC and a Private Sector Member is currently being formulated and could be in place soon.

A lack of demand for IA functions

Limited capacity to undertake Internal Audits

Failure of External Audit/GAC to coordinate with IA

Failure to include IA in objective setting

GOL INTERNAL AUDIT STRATEGY 3/3

Key Secretariat Deliverables outstanding

Audit Manual

Audit Committee Charter

Annual Risk Assessment (Audit Priority)

Audit Plan

Audit Announcement letter

Audit working papers

The Audit Report

WHAT IS INTERNAL CONTROL?

Internal control is defined as a process effected by an organization's structure, work and authority flows, people and management information systems, designed to help the organization accomplish specific goals or objectives.

The Control should be capable of responding quickly to evolving risks to the business arising from factors within the company and to changes in the business environment.

Internal Control consists of 5 inter-related components

Control Environment

Risk Assessment

Information and Communication Processes

Monitoring

Existing Control Activities

THE CONTROL ENVIRONMENT

The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity’s people; management’s philosophy and operating style; the way management assigns authority and responsibility, and organises and develops its people; and the attention and direction provided by the Oversight board.

RISK ASSESSMENT 1/4

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of objectives, forming a basis for determining how the risks should be managed.

Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.

There are many techniques available for identifying risk. Some are detail based and offer quantification, others are scenario-based or qualitative.

RISK ASSESSMENT 2/4

RISK ASSESSMENT 3/4

For those risks that are controllable, the company must decide whether to accept those risks or whether to mitigate the risk through control procedures. For those risks that cannot be controlled, the Board must decide whether to accept the risks or to withdraw from, or reduce the level of business activity concerned.

Contingency plans should be considered where the Board elects to accept uncontrollable significant risks.

RISK ASSESSMENT - AFTER 4/4

RISK DECISION MAKING

Tolerate / Accept risk; simply take the chance that the negative impact will be incurred

Terminate / Avoid risk; changing plans in order to prevent the problem from arising

Transition / Mitigate risk; lessening its impact through intermediate steps

Transfer risk; outsource risk to a capable third party that can manage the outcome

INFORMATION AND COMMUNICATION PROCESSES 1/2

Pertinent information must be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities.

Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities and conditions necessary to informed business decision-making and external reporting.

Effective communication must also occur in a broader sense, flowing down, across and up the organisation.

INFORMATION AND COMMUNICATION PROCESSES 2/2

All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders.

MONITORING

Internal control systems need to be monitored - a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties.

The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the Board.

EXISTING CONTROL ACTIVITIES

Control activities are the policies and procedures that help ensure that management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity’s objectives.

Control activities occur throughout the organisation, at all levels and in all functions. They include a range of activities as diverse as approvals, authorisations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

CRIME

Control Environment

Risk Assessment

Information and Communication

Monitoring

Existing Control Activities

INHERENT WEAKNESSES OF INTERNAL CONTROLS

Internal Controls provide only reasonable assurance due to the following inherent weaknesses

Human error, which includes error in design and use of automated controls

Deliberate circumvention of controls

Management override

Cost-benefit considerations

AUDIT RISK / RESIDUAL RISK

Audit risk (also referred to as residual risk) refers to acceptable audit risk, i.e. it indicates the auditor's willingness to accept that the financial statements may be materially misstated after the audit is completed and an unqualified (clean) opinion was issued. If the auditor decides to lower audit risk, it means that he wants to be more certain that the financial statements are not materially misstated.