Overview on Internal Audit
-
Upload
alexander-santos-anasco -
Category
Documents
-
view
220 -
download
0
Transcript of Overview on Internal Audit
-
8/6/2019 Overview on Internal Audit
1/6
AASCO, ISAGANI S. Internal Auditing 9:00-12:00am/ 1:00-4:00pm /SAT.
OVERVIEW OF INTERNAL AUDITING FUNCTION AND ACTIVITIES
Most large companies, major
institutions, governmental agencies, and federal,state, and local governments have established
internal auditing functions. Job titles other than"internal auditor"such as internal consultants,compliance officers, quality assurance managers,
or operations analystsare sometimes given to
those performing internal audit functions.Regardless of the position title, it is the character
of service that classifies it as internal auditing.From their organization's point of view,
"internal" auditors serve in a self-evaluative or
self-assessing function. They compare existingconditions ("what is") to a standard ("what
should be") and suggest how to achieve the ideal.
A governing body, the Institute of
Internal Auditors (IIA), operates to bringuniformity and consistency to the practice of
internal auditing. The IIA is an internationalassociation with chapters operating inapproximately 120 countries. By 1999, the IIA
had grown to 70,000 individual members. The
IIA provides performance standards for internalaudit professionals and serves as a source for
education, training, research, and referencematerials. The Association also administers aCertified Internal Auditor program, which leadsto an internationally recognized certification
CIA.
In June 1999, the IIA Board of Directors
unanimously approved the following definition
of internal auditing produced by their Guidance
Task Force:
Internal auditing is an independent,
objective assurance and consulting activity
designed to add value and improve anorganization's operations. It helps anorganization accomplish its objectives by
bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk
management, control, and governance processes.
There is theoretically no restriction onwhat internal auditors can evaluate and report
about within an organization. But, internal audit
projects tend to vary from one company toanother, reflecting particular objectives of
owners, directors, and senior management.Internal auditors typically operate under aboard-approved charter that defines their role,
objectives, and scope. The following five
directives from the IIA's Statement ofResponsibilities of Internal Auditing are included
in most charters:
y Review the reliability and integrity offinancial and operating information andthe means used to identify, measure,
classify, and report such information;
y Review the systems established toensure compliance with those policies,plans, procedures, laws, regulations, andcontracts which could have a significant
impact on operations and reports, and
determine whether the organization is incompliance;
y Review the means of safeguarding assetsand, as appropriate, verify the existence
of such assets;
y Appraise the economy and efficiencywith which resources are employed; and,
y Review operations or programs toascertain whether results are consistentwith established objectives and goalsand whether the operations or programs
are being carried out as planned.
HISTORY AND BACKGROUND
The double-entry bookkeeping systeminvented in the 13th century provided the means
for those engaged in commerce to controltransactions with suppliers and customers, and
check the work of employees. Historical records
suggest that internal auditors were being utilizedprior to the 15th century. These auditors,
employed by kings or merchants, were chargedwith detecting or preventing theft, fraud, andother improprieties. Control techniques such as
separation of duties, independent verification,
and questioning (i.e. "auditing") to detect and
-
8/6/2019 Overview on Internal Audit
2/6
prevent irregularities are thought to have
originated during that time. Thus, controlassessment and fraud detection have become
known as the "roots" of internal auditing.
As industry and commerce evolved, so
did control methods and auditing techniques.These methods migrated to the United Statesfrom England during the industrial revolution.
Managerial control through auditing continued to
gain favor up to and through the 20th century.
Many events contributed.
The economy of the United States wasgrowing rapidly after World War I and required
better techniques for planning, directing, and
evaluating business activities. Unfortunately, thegrowth was accompanied by a rise in price-fixing,interlocking directorates, stock manipulations,
and false statements of business performance.Regulatory actions followed and auditing wasused as a means to confirm that laws were being
followed. The Federal Trade Commission(FTC) was created in 1914. The Great Depressionand the 1930s brought more regulatory action
for publicly traded securities. The Securities Actof 1933, the Securities and Exchange Act of1934, the Public Utilities Holding Company Actof 1935, and the Investment Company Act of
1940 were enacted by the United StatesCongress.
As the need for auditing grew,corporations realized that they could no longerrely solely on external auditors from public
accounting firms. Corporations began hiringauditors as their own employees to verify
financial transactions and test compliance with
accounting controls. Many of these internalauditors were hired from external auditing firms.They brought to the companies that hired them
auditing methods used by public accountants
with a financial statementfocus. These internalauditors concentrated on financial auditing.
Management viewed these internal auditors as a
means to reduce external audit fees whilemaintaining the same level of financial auditcoverage. Within some organizations this image
of internal auditing still persists.
Internal auditing started to emerge as a
function distinctly different from externalauditing about the middle of the 20th century.
Then, a significant event brought internal
auditing to the forefrontthe Foreign CorruptPractices Act of 1977. The Act was thegovernment's response to outcries as news of
corporate wrong-doings increased. The Act waspassed to prevent secret funds and bribery. It
specifically prohibited offering of bribes to
foreign officials. It required organizations tomaintain adequate systems of internal control
and maintain complete and accurate financialrecords. While the Act did not specifically call foran internal auditing function, internal auditors
were poised and ready to help managementfulfill the requirements of this Act. Testing and
evaluation of internal controls within companies
increased significantly. The role of internal
auditors was viewed with new importance.
In the mid-to-late 1980s there were anumber of large business failures and financial
statement frauds. On several occasions externalauditing firms failed to detect those frauds. Theissues of fraudulent financial reporting were
examined by a group of private sector
organizations which included the AmericanInstitute of Certified Public Accounts (AICPA),
the American Accounting Association (AAA), the
Financial Executives Institute (FEI), the Instituteof Internal Auditors (IIA), and the NationalAssociation of Accountants (NAA). This group of
organizations, known as the Treadway
Commission, issued its final recommendations in1987. Several recommendations of the Treadway
Commission were of great significance to internalauditors. Among other recommendations, the
Commission's report directs companies tomaintain adequate internal control systems, to
establish effective and objective internal audit
functions staffed with adequate qualifiedpersonnel, and to coordinate internal auditing
with the external audit of the financial reports.The Commission's report also directed internalauditors to consider whether their findings of a
non-financial nature could impact the financial
statements. The Treadway Commission alsodirected its sponsoring organizations to develop
guidance on internal control. That sponsoringgroup did so, issuing its report Internal Control Integrated Framework in 1992, which againemphasized the importance of internal controls
in organizations.
The evolution of internal auditing tracks
changing business practices and concepts of
internal control. At the most basic level, internal
-
8/6/2019 Overview on Internal Audit
3/6
controls are individual preventive, detective,
corrective, or directive actions that keep theoperations functioning as intended. Basic
controls, when aggregated, create wholenetworks and systems of control procedures,
which are known as the organization's overall
system of internal control. During the 1990s,business process "reengineering" anddownsizing, removed layers of management and
flattened organizational hierarchies. Traditionalcontrols were loosened or dismantled to improve
efficiency and lower costs. In response, internalauditing's control orientation moved away from
evaluating individual process controls toward
assessing the overall control environmentintegrated control frameworks, corporategovernance, and the ethical climatewithin theorganization. Internal auditors increased their
use of risk assessments and aligned their
activities with broader organizational goals todeploy their own scarce audit resources. Internal
auditing's focus shifted to risk prevention and topromoting change. Even so, control assessment
and fraud detection, the "roots" of internalauditing, still retained a place in the internal
audit function.
THE INSTITUTE OF INTERNAL AUDITORS
In 1941, the Institute of InternalAuditors (IIA) was founded in New York by asmall group of practicing internal auditors. The
group recognized that they had manycommonalities in the way they worked despitethe fact that they worked in different businesses
and industries. They agreed that merely applying
external auditing techniques internally was notsufficient. They felt the need for a formal
approach to sharing and organizing their body of
knowledge and their mutual concerns. Theybegan the long process of achieving an identity
for internal auditing as a distinct profession
concerned with providing independentappraisals for all activities within anorganization. The first textbook for the practice,
Brinks Internal Auditing (United States), waspublished in 1941. A technical journal for thefield, Internal Auditor, distributed its first issue in
1943. The Institute developed the first version of
a Statement of Responsibilities in 1947 and hascontinued to revise it (1957,1971, 1976, 1981,1990) as internal auditing practices matured. In
1978 the IIA published the Standards for
Professional Practice to serve as the primary
source of reference for directing an internal audit
function. The Institute has modified or amendedthe Standards by issuing Statements on Internal
Auditing Standards and AdministrativeDirectives. Also, a Guidance Task Force,
chartered by The IIA board of directors in 1997,
has been reviewing the Standards to ensure thatthey reflect the current practices.
In 1974 the Institute began a
certification programCertified Internal Auditor(CIA). The credential requires a combination of
education and work experience with successful
completion of a four-part comprehensive examwhich tests: Internal Audit Process; InternalAudit Skills; Management, Control and
Information Technology; and, Audit
Environment. In 1992 the IIA completed andpublished an in-depth studyA Common Body of
Knowledge for the Practice of Internal Auditing. Itidentified 334 competencies in 20 differentdisciplines needed by practicing internal
auditors. The study lists needed disciplines in the
following order of perceived importance:reasoning, communications, auditing, ethics,
organizations, sociology, fraud, computers,
financial accounting, data gathering, managerialaccounting, government, legal, finance, taxes,quantitative methods, marketing, statistics,
economics, and international business.
The IIA Research Foundation
subsequently planned to update and expand theCommon Body of Knowledge. But, the projectexpanded to study, document, and define internal
auditing and its competencies on a global level.
The research, Competency Framework forInternal Auditing (CFIA), led by William P.
Birkett, was published in six separate modules:
1) Internal Auditing: The Global Landscape; 2)Competency: Best Practices and Competent
Practitioners ; 3) Internal Auditing Knowledge:
Global Perspectives; 4) The Future of InternalAuditing: A Delphi Study; 5) Assessing Competencyin Internal Auditing: Structures and
Methodologies; and, 6) Conceptual Foundations ofInternal Auditing.
The CFIA study found a need for a
universal definition of internal auditing. Thestudy observed that internal auditing had moved
beyond control evaluation and riskmanagement toward risk prevention, eventhough risk issues had become more complex
-
8/6/2019 Overview on Internal Audit
4/6
with complicated business relationships, new
products and services, rapid advances ininformation and network technology, and global
commerce. "Organizations are moving toward anideal where they will review and seek assurance
for their risk exposures in totality," Birkett said.
"Thus, areas that were previously viewed asseparate in terms of risk managementqualityassurance, environmental management,
occupational health and safety, and internalauditingare likely to be amalgamated." CFIA
predicts internal auditors in the future "willprovide advice, promote understanding, facilitate
change, and sponsor continuous improvement
programs, in addition to the traditional role of
providing assurance."
KEY ASSUMPTIONS ABOUT THE INTERNALAUDIT FUNCTION
There are three important assumptions
implicit in the definition, objectives, and scope
for internal auditing. First, is the assumption thatinternal auditors can evaluate objectively, freefrom conflicts of interest, political, or monetary
pressures that could inhibit their questioning,
bias their reporting, or compromise theirrecommendations. This is called auditor
independence. Independence and objectivity
should exist in appearance and in fact for acredible work product. Related to independenceis the assumption that internal auditors have
unrestricted access to whatever they might needto make an objective assessment. That includesunrestricted access to plans, forecasts, people,
data, products, facilities, and records necessary
to perform their independent evaluations.Second, is the assumption that the internal
auditing function is staffed with people
possessing the necessary education, experience,and proficiency to perform competently. Third, is
the presumption that the evaluations and
conclusions contained in internal auditingreports are directed internally to managementand the board, not to stockholders, regulators, or
the public.
It is presumed that management and the
board can resolve issues that have surfaced
through internal auditing and implementsolutions. After internal auditors present
conclusions, management and the board have
responsibility for subsequent decisionsto actor not to act. If action is taken, management has
responsibility to assure progress is made.
Internal auditors later can determine whetherthe actions had the desired results. If no action is
taken, internal auditors have responsibility todetermine if management and the boardunderstand and have assumed risks of inaction.
Under all circumstances, internal auditors havethe direct responsibility to notify managementand the board of significant matters that the
internal auditors believe need their attention.
INTERNAL AUDITING VS. EXTERNALAUDITING AND INDUSTRIAL ENGINEERING
The industrial engineer studies methods
of performing work, suggests improvements,
designs and installs work systems, and evaluatesresults. Internal auditors do utilize some of theanalytical techniques belonging to industrial
engineers, but do not focus on them. Further,internal auditors do not design and install
systems.
Internal auditors and external auditors
both audit, but have different objectives. Internal
auditors generally consider operations a wholerelative to objectives. External auditors focusprimarily on financial systems that have a direct,
significant effect on the amounts reported in
financial statements. Internal auditors considereven small amounts of fraud, waste, and abuse as
symptoms of underlying issues. The external
auditor considers just what materially affects thefinancial statements since that is the nature of
their engagement. Sawyer's Internal Auditing
summarizes the differences in the following way.
Management controls over financial
activities have been greatly strengthenedthroughout the years. The same cannot always be
said of controls elsewhere in the enterprise.
Embezzlement can hurt a corporation; the poormanagement of resources can bankrupt it.Therein lies the basic difference between
external auditing and modern internal auditing;
the first is narrowly focused and the second iscomprehensive in scope. True, the external
auditor performs services for management and
submits letters to management, whichrecommend improvement in systems andcontrols. By and large, however, these are
financially oriented. Also, the external auditor'soccasional sally into nonfinancial operations may
not benefit from the same depth of
-
8/6/2019 Overview on Internal Audit
5/6
understanding as does the resident internal
auditor, who is intimately familiar with the
organization's systems, people, and objectives.
"OUTSOURCING" OR "CO-SOURCING" THEINTERNAL AUDIT FUNCTION
The previous comparison of internal
auditing to external auditing considers only the
external auditors' traditional role of attesting tofinancial statements. During the 1990s a numberof the large professional service firms (the "Big
5" public accounting firms) began establishing
divisions offering internal auditing services inadditional to tax, financial planning, actuarial,
external auditing, and management consulting.
New firms also emerged offering internalauditing services but not attestation (externalaudits) of financial statements. Predictably, the
arrival of "outside" consultants ready to do"internal" audits caused a flurry of debate aboutindependence, objectivity, depth of
organizational knowledge, operationaleffectiveness, and long run costs to theorganization. Regardless, the trend continued
throughout the rest of the decade. Initial protests
gave way to acknowledgment that non-employees can indeed perform internal audits.
Orderly analyses of outsourcing's pros and cons
followed. "Co-sourcing" (using outsiders forselected projects) became a useful compromise.That option provided access to an outside firm's
resources while retaining a knowledgeable coreof internal auditors to direct and manage co-
sourced projects.
However, perceptions of impairedindependence continued when public accounting
firms providing opinions on financial statementsalso staffed the internal auditing function. In1998, the American Institute of Certified Public
Accounts (AICPA) decided that professionals
from the same CPA firm could serve as externalauditors of the financial statements and still
perform internal auditing functions (called
"extended services") without impairingindependence if certain conditions were met. TheAICPA required that outside professionals not act
as employees and not assume ongoing control or
other functions. It required management toretain responsibility for internal audit scope,
planning, and risk assessments and to designate
a competent executive to retain responsibility forthe overall internal audit function. In New
Zealand and several European countries, external
auditors of financial statements in public sectorcompanies may not provide internal audit
services to the same company.
TYPES OF AUDITS
Various types of audits are used toachieve particular objectives. The types of auditsbriefly described below illustrate a few
approaches internal auditing may take. The
examples are not all inclusive.
OPERATIONAL AUDIT.An operational audit is a systematic
review and evaluation of an organizational unit
to determine whether it is functioning effectively
and efficiently, whether it is accomplishingestablished objectives and goals, and whether itis utilizing all of its resources appropriately.
Resources in this context include funds,personnel, property, equipment, materials,information, intellectual property, or space.
Operational audits often include evaluations ofthe work flow and propriety of performancemeasurements. These audits are tailored to fit
the nature and objectives of the operations being
reviewed.
PROGRAM AUDIT.A program audit evaluates whether the
stated goals or objectives for a project or
initiative have been achieved. It may include an
appraisal of whether an alternative approach canachieve the desired results at a lower cost. Thesetypes of audits are also called performance audits
or management audits.
FRAUD AUDIT.A fraud audit investigates whether the
organization has suffered through
misappropriation of assets, manipulation of data,
omission of information, or illegal acts. It
assumes that deceptions were intentional.
ETHICAL BUSINESS PRACTICES AUDIT.An ethical business practices audit
determines the extent to which the organization,
management, and employees support established
codes of conduct, policies, and standards ofethical practices. Topics that may fall within the
scope of such audits include procurement
policies, conflicts of interest, gifts and gratuities,entertainment, political lobbying, patents,
-
8/6/2019 Overview on Internal Audit
6/6
copyrights, and licenses (including software use),
or fair trade practices
COMPLIANCE AUDIT.A compliance audit determines whether
a process or transaction is or is not following
applicable rules. Such rules can originateinternally as corporate bylaws, policies, andprocedures or externally as laws and regulations.
Characteristic of compliance audits are the
yes/no aspects of the evaluation. For eachprocess or transaction examined, the auditor
must ultimately decide whether it complies with
the rule or not. Reaching that conclusion is notnecessarily simple in domains governed bycomplex regulations (e.g. occupational health and
safety, environmental, federal grants and
contracts, employee pensions and benefits, orfederal tax). Compliance auditors and attorneys
specializing in these fields may be engaged toassist with evaluations if such specialists are not
part of the internal audit staff.
SYSTEMS DEVELOPMENT AND LIFE CYCLEREVIEW.
A systems development and life cycle
review is an information systems auditconducted in partnership with operating
personnel who are implementing a new
information system. The objective is to appraiseand independently test the system at variousstages throughout the design, development, and
installation. The approach intends to identifyissues and correct problems early becausemodifications made during developmental stages
are less costly. and some problems can be
avoided altogether. The concern about this typeof audit is that the internal auditor could lose
objectivity through extended participation in the
system design and installation.
CONTROL SELF-ASSESSMENT AUDIT.A control self-assessment audit enlists
management to share audit responsibility by
evaluating and reporting on the state of controls
and levels of risks under their supervision.Internal auditors provide training and act asfacilitators. In effect this become a problem
solving partnership and can be a cost-effective.
Its inherent risk is that management's self-evaluation may be biased. Although, the internal
auditor can retain the right to independently
verify any reported conclusions.
FINANCIAL AUDIT.A financial audit is an examination of the
financial planning and reporting process, the
conduct of financial operations, the reliabilityand integrity of financial records, and the
preparation of financial statements. Such a
review includes an appraisal of the system ofinternal controls related to financial functions.
INTERNAL AUDIT PLANNINGA prerequisite to successful internal
audit planning is a keen understanding of the
organization, its strategic plan, and how it
operates. In that context, the internal auditor candevelop audit priorities and strategies that takeinto account significance of activities, and
relative risk. The planning process is dynamic.
Departures of key people, shifts in markets, newdemographics, or drastic upheavals in the
business environment can totally transform acompany. Organizational processes can become
obsolete with new technology. Laws andregulations may change, as well as attitudes
about the degree of compliance necessary.
Consequently, organizational objectives andrelated audit strategies will change. The person
directing the internal audit function is usually theone responsible for creating a comprehensiveaudit plan. It is customary for senior
management to review the plan and submit it to
the board for approval.