8/6/2019 Overview on Internal Audit

1/6

AASCO, ISAGANI S. Internal Auditing 9:00-12:00am/ 1:00-4:00pm /SAT.

OVERVIEW OF INTERNAL AUDITING FUNCTION AND ACTIVITIES

Most large companies, major

institutions, governmental agencies, and federal,state, and local governments have established

internal auditing functions. Job titles other than"internal auditor"such as internal consultants,compliance officers, quality assurance managers,

or operations analystsare sometimes given to

those performing internal audit functions.Regardless of the position title, it is the character

of service that classifies it as internal auditing.From their organization's point of view,

"internal" auditors serve in a self-evaluative or

self-assessing function. They compare existingconditions ("what is") to a standard ("what

should be") and suggest how to achieve the ideal.

A governing body, the Institute of

Internal Auditors (IIA), operates to bringuniformity and consistency to the practice of

internal auditing. The IIA is an internationalassociation with chapters operating inapproximately 120 countries. By 1999, the IIA

had grown to 70,000 individual members. The

IIA provides performance standards for internalaudit professionals and serves as a source for

education, training, research, and referencematerials. The Association also administers aCertified Internal Auditor program, which leadsto an internationally recognized certification

CIA.

In June 1999, the IIA Board of Directors

unanimously approved the following definition

of internal auditing produced by their Guidance

Task Force:

Internal auditing is an independent,

objective assurance and consulting activity

designed to add value and improve anorganization's operations. It helps anorganization accomplish its objectives by

bringing a systematic, disciplined approach to

evaluate and improve the effectiveness of risk

management, control, and governance processes.

There is theoretically no restriction onwhat internal auditors can evaluate and report

about within an organization. But, internal audit

projects tend to vary from one company toanother, reflecting particular objectives of

owners, directors, and senior management.Internal auditors typically operate under aboard-approved charter that defines their role,

objectives, and scope. The following five

directives from the IIA's Statement ofResponsibilities of Internal Auditing are included

in most charters:

y Review the reliability and integrity offinancial and operating information andthe means used to identify, measure,

classify, and report such information;

y Review the systems established toensure compliance with those policies,plans, procedures, laws, regulations, andcontracts which could have a significant

impact on operations and reports, and

determine whether the organization is incompliance;

y Review the means of safeguarding assetsand, as appropriate, verify the existence

of such assets;

y Appraise the economy and efficiencywith which resources are employed; and,

y Review operations or programs toascertain whether results are consistentwith established objectives and goalsand whether the operations or programs

are being carried out as planned.

HISTORY AND BACKGROUND

The double-entry bookkeeping systeminvented in the 13th century provided the means

for those engaged in commerce to controltransactions with suppliers and customers, and

check the work of employees. Historical records

suggest that internal auditors were being utilizedprior to the 15th century. These auditors,

employed by kings or merchants, were chargedwith detecting or preventing theft, fraud, andother improprieties. Control techniques such as

separation of duties, independent verification,

and questioning (i.e. "auditing") to detect and

8/6/2019 Overview on Internal Audit

2/6

prevent irregularities are thought to have

originated during that time. Thus, controlassessment and fraud detection have become

known as the "roots" of internal auditing.

As industry and commerce evolved, so

did control methods and auditing techniques.These methods migrated to the United Statesfrom England during the industrial revolution.

Managerial control through auditing continued to

gain favor up to and through the 20th century.

Many events contributed.

The economy of the United States wasgrowing rapidly after World War I and required

better techniques for planning, directing, and

evaluating business activities. Unfortunately, thegrowth was accompanied by a rise in price-fixing,interlocking directorates, stock manipulations,

and false statements of business performance.Regulatory actions followed and auditing wasused as a means to confirm that laws were being

followed. The Federal Trade Commission(FTC) was created in 1914. The Great Depressionand the 1930s brought more regulatory action

for publicly traded securities. The Securities Actof 1933, the Securities and Exchange Act of1934, the Public Utilities Holding Company Actof 1935, and the Investment Company Act of

1940 were enacted by the United StatesCongress.

As the need for auditing grew,corporations realized that they could no longerrely solely on external auditors from public

accounting firms. Corporations began hiringauditors as their own employees to verify

financial transactions and test compliance with

accounting controls. Many of these internalauditors were hired from external auditing firms.They brought to the companies that hired them

auditing methods used by public accountants

with a financial statementfocus. These internalauditors concentrated on financial auditing.

Management viewed these internal auditors as a

means to reduce external audit fees whilemaintaining the same level of financial auditcoverage. Within some organizations this image

of internal auditing still persists.

Internal auditing started to emerge as a

function distinctly different from externalauditing about the middle of the 20th century.

Then, a significant event brought internal

auditing to the forefrontthe Foreign CorruptPractices Act of 1977. The Act was thegovernment's response to outcries as news of

corporate wrong-doings increased. The Act waspassed to prevent secret funds and bribery. It

specifically prohibited offering of bribes to

foreign officials. It required organizations tomaintain adequate systems of internal control

and maintain complete and accurate financialrecords. While the Act did not specifically call foran internal auditing function, internal auditors

were poised and ready to help managementfulfill the requirements of this Act. Testing and

evaluation of internal controls within companies

increased significantly. The role of internal

auditors was viewed with new importance.

In the mid-to-late 1980s there were anumber of large business failures and financial

statement frauds. On several occasions externalauditing firms failed to detect those frauds. Theissues of fraudulent financial reporting were

examined by a group of private sector

organizations which included the AmericanInstitute of Certified Public Accounts (AICPA),

the American Accounting Association (AAA), the

Financial Executives Institute (FEI), the Instituteof Internal Auditors (IIA), and the NationalAssociation of Accountants (NAA). This group of

organizations, known as the Treadway

Commission, issued its final recommendations in1987. Several recommendations of the Treadway

Commission were of great significance to internalauditors. Among other recommendations, the

Commission's report directs companies tomaintain adequate internal control systems, to

establish effective and objective internal audit

functions staffed with adequate qualifiedpersonnel, and to coordinate internal auditing

with the external audit of the financial reports.The Commission's report also directed internalauditors to consider whether their findings of a

non-financial nature could impact the financial

statements. The Treadway Commission alsodirected its sponsoring organizations to develop

guidance on internal control. That sponsoringgroup did so, issuing its report Internal Control Integrated Framework in 1992, which againemphasized the importance of internal controls

in organizations.

The evolution of internal auditing tracks

changing business practices and concepts of

internal control. At the most basic level, internal

8/6/2019 Overview on Internal Audit

3/6

controls are individual preventive, detective,

corrective, or directive actions that keep theoperations functioning as intended. Basic

controls, when aggregated, create wholenetworks and systems of control procedures,

which are known as the organization's overall

system of internal control. During the 1990s,business process "reengineering" anddownsizing, removed layers of management and

flattened organizational hierarchies. Traditionalcontrols were loosened or dismantled to improve

efficiency and lower costs. In response, internalauditing's control orientation moved away from

evaluating individual process controls toward

assessing the overall control environmentintegrated control frameworks, corporategovernance, and the ethical climatewithin theorganization. Internal auditors increased their

use of risk assessments and aligned their

activities with broader organizational goals todeploy their own scarce audit resources. Internal

auditing's focus shifted to risk prevention and topromoting change. Even so, control assessment

and fraud detection, the "roots" of internalauditing, still retained a place in the internal

audit function.

THE INSTITUTE OF INTERNAL AUDITORS

In 1941, the Institute of InternalAuditors (IIA) was founded in New York by asmall group of practicing internal auditors. The

group recognized that they had manycommonalities in the way they worked despitethe fact that they worked in different businesses

and industries. They agreed that merely applying

external auditing techniques internally was notsufficient. They felt the need for a formal

approach to sharing and organizing their body of

knowledge and their mutual concerns. Theybegan the long process of achieving an identity

for internal auditing as a distinct profession

concerned with providing independentappraisals for all activities within anorganization. The first textbook for the practice,

Brinks Internal Auditing (United States), waspublished in 1941. A technical journal for thefield, Internal Auditor, distributed its first issue in

1943. The Institute developed the first version of

a Statement of Responsibilities in 1947 and hascontinued to revise it (1957,1971, 1976, 1981,1990) as internal auditing practices matured. In

1978 the IIA published the Standards for

Professional Practice to serve as the primary

source of reference for directing an internal audit

function. The Institute has modified or amendedthe Standards by issuing Statements on Internal

Auditing Standards and AdministrativeDirectives. Also, a Guidance Task Force,

chartered by The IIA board of directors in 1997,

has been reviewing the Standards to ensure thatthey reflect the current practices.

In 1974 the Institute began a

certification programCertified Internal Auditor(CIA). The credential requires a combination of

education and work experience with successful

completion of a four-part comprehensive examwhich tests: Internal Audit Process; InternalAudit Skills; Management, Control and

Information Technology; and, Audit

Environment. In 1992 the IIA completed andpublished an in-depth studyA Common Body of

Knowledge for the Practice of Internal Auditing. Itidentified 334 competencies in 20 differentdisciplines needed by practicing internal

auditors. The study lists needed disciplines in the

following order of perceived importance:reasoning, communications, auditing, ethics,

organizations, sociology, fraud, computers,

financial accounting, data gathering, managerialaccounting, government, legal, finance, taxes,quantitative methods, marketing, statistics,

economics, and international business.

The IIA Research Foundation

subsequently planned to update and expand theCommon Body of Knowledge. But, the projectexpanded to study, document, and define internal

auditing and its competencies on a global level.

The research, Competency Framework forInternal Auditing (CFIA), led by William P.

Birkett, was published in six separate modules:

1) Internal Auditing: The Global Landscape; 2)Competency: Best Practices and Competent

Practitioners ; 3) Internal Auditing Knowledge:

Global Perspectives; 4) The Future of InternalAuditing: A Delphi Study; 5) Assessing Competencyin Internal Auditing: Structures and

Methodologies; and, 6) Conceptual Foundations ofInternal Auditing.

The CFIA study found a need for a

universal definition of internal auditing. Thestudy observed that internal auditing had moved

beyond control evaluation and riskmanagement toward risk prevention, eventhough risk issues had become more complex

8/6/2019 Overview on Internal Audit

4/6

with complicated business relationships, new

products and services, rapid advances ininformation and network technology, and global

commerce. "Organizations are moving toward anideal where they will review and seek assurance

for their risk exposures in totality," Birkett said.

"Thus, areas that were previously viewed asseparate in terms of risk managementqualityassurance, environmental management,

occupational health and safety, and internalauditingare likely to be amalgamated." CFIA

predicts internal auditors in the future "willprovide advice, promote understanding, facilitate

change, and sponsor continuous improvement

programs, in addition to the traditional role of

providing assurance."

KEY ASSUMPTIONS ABOUT THE INTERNALAUDIT FUNCTION

There are three important assumptions

implicit in the definition, objectives, and scope

for internal auditing. First, is the assumption thatinternal auditors can evaluate objectively, freefrom conflicts of interest, political, or monetary

pressures that could inhibit their questioning,

bias their reporting, or compromise theirrecommendations. This is called auditor

independence. Independence and objectivity

should exist in appearance and in fact for acredible work product. Related to independenceis the assumption that internal auditors have

unrestricted access to whatever they might needto make an objective assessment. That includesunrestricted access to plans, forecasts, people,

data, products, facilities, and records necessary

to perform their independent evaluations.Second, is the assumption that the internal

auditing function is staffed with people

possessing the necessary education, experience,and proficiency to perform competently. Third, is

the presumption that the evaluations and

conclusions contained in internal auditingreports are directed internally to managementand the board, not to stockholders, regulators, or

the public.

It is presumed that management and the

board can resolve issues that have surfaced

through internal auditing and implementsolutions. After internal auditors present

conclusions, management and the board have

responsibility for subsequent decisionsto actor not to act. If action is taken, management has

responsibility to assure progress is made.

Internal auditors later can determine whetherthe actions had the desired results. If no action is

taken, internal auditors have responsibility todetermine if management and the boardunderstand and have assumed risks of inaction.

Under all circumstances, internal auditors havethe direct responsibility to notify managementand the board of significant matters that the

internal auditors believe need their attention.

INTERNAL AUDITING VS. EXTERNALAUDITING AND INDUSTRIAL ENGINEERING

The industrial engineer studies methods

of performing work, suggests improvements,

designs and installs work systems, and evaluatesresults. Internal auditors do utilize some of theanalytical techniques belonging to industrial

engineers, but do not focus on them. Further,internal auditors do not design and install

systems.

Internal auditors and external auditors

both audit, but have different objectives. Internal

auditors generally consider operations a wholerelative to objectives. External auditors focusprimarily on financial systems that have a direct,

significant effect on the amounts reported in

financial statements. Internal auditors considereven small amounts of fraud, waste, and abuse as

symptoms of underlying issues. The external

auditor considers just what materially affects thefinancial statements since that is the nature of

their engagement. Sawyer's Internal Auditing

summarizes the differences in the following way.

Management controls over financial

activities have been greatly strengthenedthroughout the years. The same cannot always be

said of controls elsewhere in the enterprise.

Embezzlement can hurt a corporation; the poormanagement of resources can bankrupt it.Therein lies the basic difference between

external auditing and modern internal auditing;

the first is narrowly focused and the second iscomprehensive in scope. True, the external

auditor performs services for management and

submits letters to management, whichrecommend improvement in systems andcontrols. By and large, however, these are

financially oriented. Also, the external auditor'soccasional sally into nonfinancial operations may

not benefit from the same depth of

8/6/2019 Overview on Internal Audit

5/6

understanding as does the resident internal

auditor, who is intimately familiar with the

organization's systems, people, and objectives.

"OUTSOURCING" OR "CO-SOURCING" THEINTERNAL AUDIT FUNCTION

The previous comparison of internal

auditing to external auditing considers only the

external auditors' traditional role of attesting tofinancial statements. During the 1990s a numberof the large professional service firms (the "Big

5" public accounting firms) began establishing

divisions offering internal auditing services inadditional to tax, financial planning, actuarial,

external auditing, and management consulting.

New firms also emerged offering internalauditing services but not attestation (externalaudits) of financial statements. Predictably, the

arrival of "outside" consultants ready to do"internal" audits caused a flurry of debate aboutindependence, objectivity, depth of

organizational knowledge, operationaleffectiveness, and long run costs to theorganization. Regardless, the trend continued

throughout the rest of the decade. Initial protests

gave way to acknowledgment that non-employees can indeed perform internal audits.

Orderly analyses of outsourcing's pros and cons

followed. "Co-sourcing" (using outsiders forselected projects) became a useful compromise.That option provided access to an outside firm's

resources while retaining a knowledgeable coreof internal auditors to direct and manage co-

sourced projects.

However, perceptions of impairedindependence continued when public accounting

firms providing opinions on financial statementsalso staffed the internal auditing function. In1998, the American Institute of Certified Public

Accounts (AICPA) decided that professionals

from the same CPA firm could serve as externalauditors of the financial statements and still

perform internal auditing functions (called

"extended services") without impairingindependence if certain conditions were met. TheAICPA required that outside professionals not act

as employees and not assume ongoing control or

other functions. It required management toretain responsibility for internal audit scope,

planning, and risk assessments and to designate

a competent executive to retain responsibility forthe overall internal audit function. In New

Zealand and several European countries, external

auditors of financial statements in public sectorcompanies may not provide internal audit

services to the same company.

TYPES OF AUDITS

Various types of audits are used toachieve particular objectives. The types of auditsbriefly described below illustrate a few

approaches internal auditing may take. The

examples are not all inclusive.

OPERATIONAL AUDIT.An operational audit is a systematic

review and evaluation of an organizational unit

to determine whether it is functioning effectively

and efficiently, whether it is accomplishingestablished objectives and goals, and whether itis utilizing all of its resources appropriately.

Resources in this context include funds,personnel, property, equipment, materials,information, intellectual property, or space.

Operational audits often include evaluations ofthe work flow and propriety of performancemeasurements. These audits are tailored to fit

the nature and objectives of the operations being

reviewed.

PROGRAM AUDIT.A program audit evaluates whether the

stated goals or objectives for a project or

initiative have been achieved. It may include an

appraisal of whether an alternative approach canachieve the desired results at a lower cost. Thesetypes of audits are also called performance audits

or management audits.

FRAUD AUDIT.A fraud audit investigates whether the

organization has suffered through

misappropriation of assets, manipulation of data,

omission of information, or illegal acts. It

assumes that deceptions were intentional.

ETHICAL BUSINESS PRACTICES AUDIT.An ethical business practices audit

determines the extent to which the organization,

management, and employees support established

codes of conduct, policies, and standards ofethical practices. Topics that may fall within the

scope of such audits include procurement

policies, conflicts of interest, gifts and gratuities,entertainment, political lobbying, patents,

8/6/2019 Overview on Internal Audit

6/6

copyrights, and licenses (including software use),

or fair trade practices

COMPLIANCE AUDIT.A compliance audit determines whether

a process or transaction is or is not following

applicable rules. Such rules can originateinternally as corporate bylaws, policies, andprocedures or externally as laws and regulations.

Characteristic of compliance audits are the

yes/no aspects of the evaluation. For eachprocess or transaction examined, the auditor

must ultimately decide whether it complies with

the rule or not. Reaching that conclusion is notnecessarily simple in domains governed bycomplex regulations (e.g. occupational health and

safety, environmental, federal grants and

contracts, employee pensions and benefits, orfederal tax). Compliance auditors and attorneys

specializing in these fields may be engaged toassist with evaluations if such specialists are not

part of the internal audit staff.

SYSTEMS DEVELOPMENT AND LIFE CYCLEREVIEW.

A systems development and life cycle

review is an information systems auditconducted in partnership with operating

personnel who are implementing a new

information system. The objective is to appraiseand independently test the system at variousstages throughout the design, development, and

installation. The approach intends to identifyissues and correct problems early becausemodifications made during developmental stages

are less costly. and some problems can be

avoided altogether. The concern about this typeof audit is that the internal auditor could lose

objectivity through extended participation in the

system design and installation.

CONTROL SELF-ASSESSMENT AUDIT.A control self-assessment audit enlists

management to share audit responsibility by

evaluating and reporting on the state of controls

and levels of risks under their supervision.Internal auditors provide training and act asfacilitators. In effect this become a problem

solving partnership and can be a cost-effective.

Its inherent risk is that management's self-evaluation may be biased. Although, the internal

auditor can retain the right to independently

verify any reported conclusions.

FINANCIAL AUDIT.A financial audit is an examination of the

financial planning and reporting process, the

conduct of financial operations, the reliabilityand integrity of financial records, and the

preparation of financial statements. Such a

review includes an appraisal of the system ofinternal controls related to financial functions.

INTERNAL AUDIT PLANNINGA prerequisite to successful internal

audit planning is a keen understanding of the

organization, its strategic plan, and how it

operates. In that context, the internal auditor candevelop audit priorities and strategies that takeinto account significance of activities, and

relative risk. The planning process is dynamic.

Departures of key people, shifts in markets, newdemographics, or drastic upheavals in the

business environment can totally transform acompany. Organizational processes can become

obsolete with new technology. Laws andregulations may change, as well as attitudes

about the degree of compliance necessary.

Consequently, organizational objectives andrelated audit strategies will change. The person

directing the internal audit function is usually theone responsible for creating a comprehensiveaudit plan. It is customary for senior

management to review the plan and submit it to

the board for approval.