Cia Part I June 2009


Published on

I composed this presentation as to prepare candidates for the Certified Internal Auditor's Part I examination. During the training we use other study aids as well.

Cia Part I June 2009

  1. 1. Part I Internal Audit Role in Governance, Risk & Control CIA exam review course Prepared by Jack Davidsz
  2. 2. Part I Internal Audit’s Role in Governance, Risk, and Control 13 th edition Gleim <ul><li>Standards and Proficiency </li></ul><ul><li>Charter, Independence, & Objectivity </li></ul><ul><li>Internal Audit Roles I </li></ul><ul><li>Internal Audit Roles II </li></ul><ul><li>Control I </li></ul><ul><li>Control II </li></ul><ul><li>Planning & Supervising the Engagement </li></ul><ul><li>Managing the Internal Audit Activity I </li></ul><ul><li>Managing the Internal Audit Acitivity II </li></ul><ul><li>Engagement Procedures, Ethics and Fraud </li></ul>
  3. 3. Internal Auditing is a management-oriented discipline <ul><li>Evolved from a function concerned with financial and accounting matters to one that addresses the entire range of operating activities. </li></ul>
  4. 4. <ul><li>Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. </li></ul><ul><li>It helps an organization accomplish its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s risk management, control, and governance processes. </li></ul><ul><li>IIA Board of Directors, June 1999. </li></ul>
  5. 5. Attribute Standards <ul><li>Purpose, Authority and Responsibility </li></ul><ul><li>1100 Independence and Objectivity </li></ul><ul><li>1200 Proficiency and Due Professional Care </li></ul><ul><li>1300 Quality Assurance and Improvement Program </li></ul>
  6. 6. Performance Standards <ul><li>2000 Managing the Internal Audit Activity </li></ul><ul><li>2100 Nature of Work </li></ul><ul><li>2200 Engagement Planning </li></ul><ul><li>2300 Performing the Engagement </li></ul><ul><li>2400 Communicating Results </li></ul><ul><li>2500 Monitoring Progress </li></ul><ul><li>2600 Management’s Acceptance of Risk </li></ul>
  7. 7. Consulting Services <ul><li>Advisory and related client service activities, the nature and scope of which are agreed upon with the client and which are intended to add value and improve an organization’s operations. </li></ul>
  8. 8. <ul><li>Assurance Services </li></ul><ul><li> > 1 year </li></ul><ul><li>Formal consulting engagement </li></ul><ul><li>Independence and objectivity are strengthened by </li></ul><ul><li>Assigning different auditors </li></ul><ul><li>Independent management and supervision </li></ul><ul><li>Separate accountability for the projects </li></ul><ul><li>Disclosing the presumed impairment </li></ul>
  9. 9. Obtaining Services to Support or complement the Internal Audit Activity <ul><li>CAE should assess the competency, independence and objectivity of the outside service provider. </li></ul><ul><li>When the outside service provider performs Internal Auditing activities the CAE should specify and ensure that the work complies with the SPPIA. </li></ul>
  10. 10. <ul><li>Due Professional care </li></ul><ul><li>Expected of a reasonably prudent and competent internal auditor, who should be alert to the possibility of intentional wrongdoing, errors and omissions, inefficiency, waste, ineffectiveness, and conflicts of interest </li></ul><ul><li>Due care implies </li></ul><ul><li>Reasonable care and competence not infallibility or extraordinary performance. </li></ul>
  11. 11. Charter : <ul><li>Mission and Scope of work </li></ul><ul><li>Accountability </li></ul><ul><li>Independence </li></ul><ul><li>Responsibility </li></ul><ul><li>Authority </li></ul>
  12. 12. Chief Audit Executive Reporting Lines <ul><li>Functional, </li></ul><ul><li>Directly to the Audit Committee or equivalent to ensure independence and communication </li></ul><ul><li>Administrative, </li></ul><ul><li>To the CEO or an other executive to afford support to accomplish day-to-day activities. </li></ul>
  13. 13. The comprehensive scope of work of internal auditing should provide reasonable assurance that management’s <ul><li>Risk management system is effective </li></ul><ul><li>System of internal control is effective and efficient </li></ul><ul><li>Governance process is effective </li></ul>
  14. 14. Primary objectives of the overall management process <ul><li>Relevant, reliable and credible information </li></ul><ul><li>Effective and efficient use of resources </li></ul><ul><li>Safeguarding of assets </li></ul><ul><li>Identification of risk exposures </li></ul><ul><li>Objectives and goals for operations and programs </li></ul><ul><li>Compliance with laws, regulations, ethical and business norms, and contracts. </li></ul>
  15. 15. Governance Processes and structures implemented by the board to inform, direct, manage and monitor activities toward achievement of objectives (Glossary)
  16. 16. Ethical Culture <ul><li>Nature of the governance process </li></ul><ul><li>Link to ethical culture </li></ul><ul><li>Everyone an ethics advocate </li></ul><ul><li>Enhanced ethical culture </li></ul><ul><li>(PA 2130-1) </li></ul>
  17. 17. Governance <ul><li>Meeting the following responsibilities </li></ul><ul><li>Complying with society’s legal and regulatory rules </li></ul><ul><li>Satisfying the generally accepted business norms, ethical precepts </li></ul><ul><li>Providing overall benefits to society </li></ul><ul><li>Reporting fully and truthfully </li></ul>
  18. 18. <ul><li>Internal auditor should take an active role in support of the organization’s ethical culture. </li></ul>
  19. 19. Monitoring Progress A system to monitor the disposition of results communicated to management
  20. 20. Follow up Effective corrective action taken Board/management has assumed the risk of not taken action
  21. 21. Compliance <ul><li>Compliance programs </li></ul><ul><li>Compliance standards and procedures </li></ul><ul><li>Specific high level personnel </li></ul><ul><li>Screening employees </li></ul><ul><li>Communication of standards and procedures </li></ul><ul><li>Systems for detecting illegality </li></ul><ul><li>Adequate and case-specific discipline </li></ul><ul><li>Documentation </li></ul><ul><li>After detection appropriate response </li></ul>
  22. 22. Compliance programs <ul><li>Assist in preventing inadvertent employee violations, detecting illegal activities and discouraging intentional employee violations. </li></ul><ul><li>Help prove insurance claims, determine director liability, create or enhance corporate identity, and decide the appropriateness of punitive damages. </li></ul>
  23. 23. Compliance <ul><li>There should be a monitoring and auditing system to detect criminal conduct and a reporting system whereby employees can report criminal conduct by others without fear of retribution. </li></ul>
  24. 24. <ul><li>CAE should obtain an understanding of management’s and board’s expectations of the internal audit activity in the organization’s risk management process. </li></ul>
  25. 25. <ul><li>Internal auditors can facilitate or enable risk management processes, but they should not “own” or be responsible for the management of the risks identified. </li></ul>
  26. 26. Depending on size and complexity of the organization’s business activities, risk management processes can be <ul><li>Formal ↔ informal </li></ul><ul><li>Quantitative ↔ subjective </li></ul><ul><li>Business unit ↔ at corporate level </li></ul>
  27. 27. The internal audit activity’s role can change overtime <ul><li>No role </li></ul><ul><li>Auditing the risk management process </li></ul><ul><li>Active, continuous support and involvement </li></ul><ul><li>Managing and coordinating </li></ul>
  28. 28. Environment, health and safety risks <ul><li>CAE environmental audit chief </li></ul><ul><li>EH&S audit program </li></ul><ul><li>Compliance - focused </li></ul><ul><li>Management system –focused </li></ul><ul><li>Combination </li></ul>
  29. 29. 5 Key objectives of a riskmanagement process <ul><li>Risks arising from business strategies and activities are identified and prioritized </li></ul><ul><li>Management and board have determined the level of risks acceptable to the organization </li></ul>
  30. 30. - continued <ul><li>Risk mitigation activities are designed and implemented </li></ul><ul><li>Monitoring activities to reassess risk and effectiveness of controls </li></ul><ul><li>Reports of the results of the risk management processes </li></ul>
  31. 31. <ul><li>Internal auditors should evaluate the organization’s readiness to deal with business interruptions. </li></ul>
  32. 32. <ul><li>The organization should be able to prove its best efforts to collect information with regard to an incident and its appropriate action. </li></ul>
  33. 33. Disaster recovery plan <ul><li>Internal auditors can </li></ul><ul><li>Assist with the risk analysis </li></ul><ul><li>Evaluate the design and comprehensiveness of the plan </li></ul><ul><li>Perform periodic assurance engagements </li></ul>
  34. 34. <ul><li>Internal auditors should periodically assess information security practices and recommend, as appropriate, enhancements to, or implementation of new controls and safeguards. </li></ul>
  35. 35. Privacy <ul><li>Laws require privacy controls </li></ul><ul><li>Personal information identifies a specific individual </li></ul><ul><li>The auditor must comply with all laws </li></ul><ul><li>Access to or use of personal information may be inappropriate or illegal in certain engagements </li></ul>
  36. 36. Control <ul><li>Any action taken by management to enhance the likelihood that established objectives and goals will be achieved </li></ul><ul><li>Preventive </li></ul><ul><li>Detective </li></ul><ul><li>Directive </li></ul><ul><li>Mitigating </li></ul>
  37. 37. <ul><li>The CAE reports on the state of the organization’s control processes to senior management and the audit committee. </li></ul>
  38. 38. Challenge for IAA <ul><li>Evaluation of the effectiveness of the system of controls, based on many individual assessments </li></ul><ul><li>Three key considerations </li></ul><ul><li>Significant discrepancies? </li></ul><ul><li>Corrections or improvements? </li></ul><ul><li>Pervasive condition -> unacceptable risk? </li></ul>
  39. 39. CSA <ul><li>Objectives: </li></ul><ul><li>Identifying risks </li></ul><ul><li>Assessing control processes </li></ul><ul><li>Developing action plans </li></ul><ul><li>Determining likelihood of achieving business objectives </li></ul>
  40. 40. Three primary forms of CSA <ul><li>Facilitated team workshops, representing different levels in the business unit </li></ul><ul><li>Survey form utilizes a questionnaire </li></ul><ul><li>Management produced analyses cover most other approaches </li></ul><ul><li>A CSA program should focus internal audit’ work on reviewing high-risk processes and unusual situations. </li></ul>
  41. 41. <ul><li>Quarterly Financial Reporting </li></ul><ul><li>Disclosures </li></ul><ul><li>Management Certifications </li></ul><ul><li>Sarbanes – Oxley Act </li></ul>
  42. 42. The executive officer(s) and financial officer(s) certify in each quarterly and annual report <ul><li>True and fair presentation </li></ul><ul><li>Disclosure controls and procedures </li></ul>
  43. 43. The same officers disclose to the external auditors and to the audit committee <ul><li>All significant deficiencies in internal controls </li></ul><ul><li>Any fraud </li></ul><ul><li>Significant changes in internal controls </li></ul>
  44. 44. Recommended Actions <ul><li>Internal auditor’s role from initial designer to independent assessor </li></ul><ul><li>Clearly defined role and responsibilities </li></ul><ul><li>Organization’s formal policy and procedures </li></ul><ul><li>Disclosure committee </li></ul>
  45. 45. Recommended Actions - continued <ul><li>5. Periodically review and evaluation of quarterly reporting and disclosure processes </li></ul><ul><li>6. Recommendation of best practises </li></ul><ul><li>7. Comparison of processes for complying regarding quarterly financial reporting & disclosures and management annual assessment & public report on internal controls </li></ul>
  46. 46. Systems approach to control Input Process Output Feedback Feed forward System boundary
  47. 47. Classification of controls <ul><li>Feedback </li></ul><ul><li>Concurrent </li></ul><ul><li>Feed forward </li></ul>
  48. 48. Characteristics of an effective control system <ul><li>Economical </li></ul><ul><li>Meaningful </li></ul><ul><li>Appropriate </li></ul><ul><li>Congruent </li></ul><ul><li>Timely </li></ul><ul><li>Simple </li></ul><ul><li>Operational </li></ul>
  49. 49. Internal Control (COSO) A process, effected by an entity’s Board of Directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  50. 50. Internal Control - continued <ul><li>Effectiveness and efficiency of operations; </li></ul><ul><li>Reliability of financial reporting; </li></ul><ul><li>Compliance with applicable laws and regulations; </li></ul><ul><li>Safeguarding of assets against unauthorized acquisition, use or disposition. </li></ul>
  51. 51. Components of the Internal Control System <ul><li>Control Environment CE </li></ul><ul><li>Risk Assessment RA </li></ul><ul><li>Control Activities CA </li></ul><ul><li>Information and Communication IC </li></ul><ul><li>Monitoring MO </li></ul>
  52. 52. Enterprise Risk Management <ul><li>Process .. </li></ul><ul><li>Applied in strategy setting and across.. </li></ul><ul><li>Designed to identify potential events.. </li></ul><ul><li>Manage risks.. </li></ul><ul><li>To provide reasonable assurance.. </li></ul><ul><li>Achievement of entity objectives </li></ul>
  53. 53. CoCo Criteria of Control Board of CICA <ul><li>20 criteria grouped into the following 4 components </li></ul><ul><li>Purpose </li></ul><ul><li>Commitment </li></ul><ul><li>Capability </li></ul><ul><li>Monitoring and Learning </li></ul>
  54. 54. COSO and CoCo models emphasize soft controls e.g. <ul><li>CoCo : ethical values, mutual trust </li></ul><ul><li>COSO : part of the control environment </li></ul>
  55. 55. Organization <ul><li>The way individual work efforts within an entity are assigned and integrated for achievement of objectives and goals. </li></ul>
  56. 56. Organizational Control <ul><li>The means of achieving the most effective possible use of organizational arrangements </li></ul>
  57. 57. Means of control (Sawyer) <ul><li>Organization </li></ul><ul><li>Policies </li></ul><ul><li>Procedures </li></ul><ul><li>Personnel </li></ul><ul><li>Accounting </li></ul><ul><li>Budgeting </li></ul><ul><li>Reporting </li></ul>
  58. 58. <ul><li>No control system is so perfect that it can function without outside review. </li></ul>
  59. 59. <ul><li>Resistance to organizational changes may be overcome by a participative management. </li></ul>
  60. 60. Organizational structure <ul><li>Authority: right to direct and exact performance from others </li></ul><ul><li>Responsibility: obligation to perform </li></ul><ul><li>Accountability: duty to account for the fulfillment of the responsibility </li></ul>
  61. 61. <ul><li>Leadership = directing process </li></ul><ul><li>Process of influencing people so they will strive toward the achievement of group goals. </li></ul>
  62. 62. Styles of leadership <ul><li>Autocratic </li></ul><ul><li>Consultative </li></ul><ul><li>Participative </li></ul><ul><li>Free-rein = laissez faire </li></ul><ul><li>Bureaucratic </li></ul>
  63. 63. Two behavior patterns <ul><li>Initiating structure </li></ul><ul><li>Initiating consideration </li></ul>
  64. 64. Contingency approach <ul><li>The right person at the right time may rise to a position of leadership if his personality and needs of the situation complement each other. </li></ul>
  65. 65. Situational leadership theory <ul><li>The appropriate leadership style depends on followers maturity (= willingness to be responsible for directing their own behavior). </li></ul>
  66. 66. Influence <ul><li>An attempt to change the behavior of others e.g. consultation, persuasion, inspirational appeals. </li></ul>
  67. 67. Conflict may be constructive or destructive <ul><li>Communication, structure and personal variables are conditions that may result in conflict. </li></ul>
  68. 68. <ul><li>Conflict may result in better decision making, a reduction in complacency, more self-criticism, greater creativity, and solutions to problems. </li></ul>
  69. 69. Conflicts may be solved e.g. as follows: <ul><li>Problem solving </li></ul><ul><li>Smoothing </li></ul><ul><li>Forcing </li></ul><ul><li>Subordinate goals </li></ul><ul><li>Compromise </li></ul><ul><li>Avoidance </li></ul>
  70. 70. 4 Phases of an audit engagement <ul><li>Planning </li></ul><ul><li>Performing the engagement </li></ul><ul><li>Communicating results </li></ul><ul><li>Monitoring progress </li></ul>
  71. 71. Engagement Planning <ul><li>Engagement objectives should reflect the results of the risk assessment. </li></ul><ul><li>Engagement procedures are the means to attain engagement objectives </li></ul><ul><li>Taken together they define the scope of the internal auditor’s work </li></ul><ul><li>Background information </li></ul>
  72. 72. Engagement Planning - continued <ul><li>Engagement resource allocation </li></ul><ul><li>Communicating with all who need to know about the audit </li></ul><ul><li>Determining how, when and to whom audit results will be communicated </li></ul><ul><li>Survey to become familiar with the activities, risks and controls to identify areas for audit emphasis. </li></ul>
  73. 73. Engagement Work Program <ul><li>Directions for the examination and evaluation of the information needed to meet audit objectives within the scope of the audit engagement. </li></ul>
  74. 74. <ul><li>Engagement work program should be approved in writing by the CAE prior to the commencement of engagement work. </li></ul><ul><li>Engagements should be properly supervised to ensure objectives are achieved, quality is assured and staff is developed. Appropriate evidence of supervision should be documented and retained. </li></ul><ul><li>Working papers should be reviewed to ensure that they properly support the engagement communications. </li></ul>
  75. 75. Planning for the IAA involves establishing <ul><li>Goals </li></ul><ul><li>Engagement work schedules </li></ul><ul><li>Staffing plans and financial budgets </li></ul><ul><li>Activity reports </li></ul>
  76. 76. <ul><li>The IAA’s plan should be based on a risk assessment, undertaken at least annually. </li></ul>
  77. 77. <ul><li>The CAE should report periodically to the board and senior management on the IAA’s purpose, authority, responsibility, and performance relative to its plan. </li></ul>
  78. 78. Audit Committee Functions <ul><li>Select an external auditor and review the audit fee </li></ul><ul><li>Review the external auditor’s overall audit plan </li></ul><ul><li>Review preliminary annual and interim financial statements </li></ul><ul><li>Review results of engagements performed by external auditors, including the management letter. </li></ul><ul><li>Approve the charter of the IAA </li></ul>
  79. 79. Audit Committee Functions -continued <ul><li>Review and approve the IAA’s plans and resource requirements </li></ul><ul><li>Directly communicate with the CAE </li></ul><ul><li>Review evaluations of risk management, control and governance processes reported by the internal auditors </li></ul><ul><li>Ensure that engagements results are given due consideration </li></ul>
  80. 80. SOX requirements <ul><li>Audit committee </li></ul><ul><li>Consists of independent members of the board of directors </li></ul><ul><li>Includes at least one financial expert </li></ul><ul><li>Is responsible for appointing, compensating and overseeing the work of the public accounting firm. The audit firm must report directly to the audit committee </li></ul><ul><li>Should implement procedures regarding complaints about accounting and auditing matters </li></ul><ul><li>Must be appropriately funded by the issuer </li></ul>
  81. 81. <ul><li>IIA standards require internal auditors to “ share information and coordinate activities with other internal and external providers of relevant assurance and consulting services”. </li></ul>
  82. 82. <ul><li>For that reason it is advisable for internal auditors to have some role or involvement in the selection or retention of the external auditors and in the definition of scope of work. </li></ul>
  83. 83. Coordination of audit efforts involves periodic meetings regarding <ul><li>Audit coverage </li></ul><ul><li>Access to each other’s audit programs and working papers </li></ul><ul><li>Exchange of audit reports and management letter </li></ul><ul><li>Common understanding of audit techniques, methods and terminology </li></ul>
  84. 84. <ul><li>A board or audit committee approved policy can facilitate the periodic request for external audit services and position such exercises as normal business activities. </li></ul>
  85. 85. <ul><li>Quality assurance and Improvement Program covers all aspects of the IAA and continuously monitors its effectiveness. </li></ul><ul><li>Should help the IAA add value and improve the organization’s operations and provide assurance that the IAA is in conformity with the Standards and Code of Ethics </li></ul>
  86. 86. Internal Assessments <ul><li>Ongoing Reviews </li></ul><ul><li>Periodic Reviews </li></ul>
  87. 87. <ul><li>Establishing measures to support reviews of </li></ul><ul><li>Internal Audit Activity Performance </li></ul>
  88. 88. <ul><li>Balanced Scorecard Framework </li></ul><ul><li>For </li></ul><ul><li>Internal Auditing Departments </li></ul><ul><li>(page 354) </li></ul>
  89. 89. External Assessments <ul><li>Should be conducted at least once every five years by a qualified independent reviewer from outside the organization </li></ul>
  90. 90. A reviewer should <ul><li>Be a competent certified audit professional, who possesses current knowledge of the Standards </li></ul><ul><li>Be well versed in the best practices of the profession </li></ul><ul><li>Have at least three years of recent experience in the practice of internal auditing </li></ul>
  91. 91. Benchmarking <ul><li>Entails analysis and measurement of key output against those of the best organizations. </li></ul><ul><li>Own process performance versus performance by the best in the class. </li></ul>
  92. 92. Audit procedures <ul><li>Internal auditors apply engagement (audit) procedures to obtain sufficient, competent, relevant and useful information to achieve the engagement’s objectives. </li></ul>
  93. 93. Sawyer’s six categories of procedures <ul><li>Observing </li></ul><ul><li>Questioning </li></ul><ul><li>Analysis </li></ul><ul><li>Verifying </li></ul><ul><li>Investigating </li></ul><ul><li>Evaluating </li></ul>
  94. 94. <ul><li>In financial audits internal auditors must develop and use engagement procedures to test assertions made by information e.g. in the annual accounts </li></ul>
  95. 95. Assertion model from AICPA <ul><li>C ompleteness </li></ul><ul><li>Rights and O bligations </li></ul><ul><li>V aluation or Allocation </li></ul><ul><li>E xistence or Occurrence </li></ul><ul><li>S tatement Presentation and Disclosure </li></ul>
  96. 96. FS Underlying Accounting Data Corroborating information Economic Transactions Audit evidence in financial audits Completeness Test Existence Test
  97. 97. <ul><li>Code of Ethics </li></ul><ul><li>Principles </li></ul><ul><li>Rules of Conduct </li></ul>
  98. 98. The Rules of Conduct HOW ? <ul><li>Integrity </li></ul><ul><li>Objectivity </li></ul><ul><li>Confidentiality </li></ul><ul><li>Competency </li></ul>
  99. 99. 1. Integrity <ul><li>Work with honesty, diligence and responsibility </li></ul><ul><li>Observe the law and make disclosures </li></ul><ul><li>Be not a party to any illegal activity </li></ul><ul><li>Respect the ethical objectives of the organization </li></ul>
  100. 100. 2. Objectivity <ul><li>Do not participate in any activity that may impair unbiased assessment </li></ul><ul><li>Do not accept anything that may impair professional judgment </li></ul><ul><li>Disclose all material facts </li></ul>
  101. 101. 3. Confidentiality <ul><li>Be prudent in the use and protection of information </li></ul><ul><li>Do not use information for any personal gain </li></ul>
  102. 102. 4. Competency <ul><li>Knowledge, skills, and experience </li></ul><ul><li>Perform in accordance with the Standards </li></ul><ul><li>Continually improve services </li></ul>
  103. 103. Fraud <ul><li>Encompasses an array of irregularities and illegal acts </li></ul><ul><li>characterized by intentional deception. It can be perpetrated for the benefit of or to the detriment of the organization and by persons outside as well inside the organization. </li></ul>
  104. 104. Fraud <ul><li>Deterrence </li></ul><ul><li>Detection </li></ul><ul><li>Investigation </li></ul><ul><li>Reporting </li></ul>
  105. 105. Deterrence of fraud <ul><li>Internal auditors are responsible for assisting in the deterrence of fraud by examining and evaluating the adequacy and the effectiveness of control , commensurate with the extent of the potential exposure/risk in the various segments of the entity’s operations. </li></ul>
  106. 106. Detection of fraud <ul><li>Responsibilities of the internal auditor </li></ul><ul><li>Have sufficient knowledge of fraud to be able to identify indicators </li></ul><ul><li>Be alert to opportunities, such as control weaknesses </li></ul><ul><li>Evaluate the indicators that fraud might have been committed </li></ul><ul><li>Notify the appropriate authorities within the organization if there are sufficient indicators to recommend an investigation. </li></ul>
  107. 107. Investigation of fraud <ul><li>Responsibilities of the internal auditor </li></ul><ul><li>Assess the probable level and the extent of complicity in the fraud within the organization </li></ul><ul><li>Determine the knowledge, skills and disciplines needed to effectively carry out the investigation </li></ul><ul><li>Design procedures to follow in attempting to identify the perpetrators, extent of fraud, techniques used and cause of the fraud </li></ul><ul><li>Coordinate activities with management personnel, legal counsel and other specialists </li></ul><ul><li>Be cognizant of the rights of alleged perpetrators and personnel. </li></ul>
  108. 108. Reporting of fraud <ul><li>Responsibilities of the internal auditor </li></ul><ul><li>A preliminary or final report may be desirable at the conclusion of the detection phase </li></ul><ul><li>When the incidence of significant fraud has been established management or the board should be notified immediately </li></ul><ul><li>If fraud has had a materially adverse effect on the financial position and results of an organization on which financial statements have already been issued, the internal auditor should inform management and the audit committee. </li></ul>
  109. 109. Reporting of fraud -continued <ul><li>Responsibilities of the internal auditor </li></ul><ul><li>A written report should be issued at the conclusion of the investigation phase . It should include findings, conclusions, recommendations, and corrective action taken. </li></ul><ul><li>A draft should be submitted to legal counsel for review. </li></ul>
  110. 110. Resumé