Role of internal auditor
Review acs & I.C.S
Assist with identification of significant risks
Review 3 E’s of operations - VFM audit
Examine financial & operating information
Special investigations, e.g. suspected fraud
Review compliance with laws & external regulations
Types of audit work
Financial audit
Operational audit
Project audit
VFM audit
Social & environmental audit
Mgmt audit
I.A looks at controls - PAPAMOSS
Need for I.A
I.A is a mgmt control - PAPA(M)OSS
I.A review effectiveness of other controls in the org.
Ensure controls are working properly
I.A is also often a statutory requirement
Good corporate governance may also suggest an I.A dept
I.A is 100% audit – VFM audit
Chief internal auditor is in charge of the dept and reports to the audit committee.
Need for I.A
Factors affecting the need for I.A
Scale & complex operations
No of employees
Cost benefit analysis
Change in: org structure, reporting process or Mgmt.Info.Sys
Change in key risks - change in PESTEL factors
Problems with existing ICS
Unexplained / doubtful txns
Need for I.A
Per Turnbull report:
In absence of I.A function, mgmt needs to find other monitoring process.
To reassure the BOD that ICS are working properly
BOD will assess whether procedures provide sufficient & objective assurance.
INDEPENDENCE
Auditor independence
Independent objective assurance activity
Ensure activity is carried out objectively
I.A must be independent and must be seen as independent
Independence is achieved by having a structure within which I.A work
Independence assured by I.A following ethical & work stds
INDEPENDENCE
Risks if No Independence
Failure to report control breaches
Accepting info without checking
No professional skepticism
Blind on unethical matters
Give undeserved positive feedback
INDEPENDENCE
Threats to independence
Threat to independence is when the opinion of the auditor is doubted.
Threats can be either REAL or PERCEIVED
ACCA code of ethics:
Self interest
Familiarity
Advocacy
Self review
Intimidation
INDEPENDENCE
Other measures to protect independence
Attribute standards:
Deal with characteristics of the org
Deal with parties performing Int Audit
Describe nature of Int Audit activities
Provide quality criteria for evaluating I.A services
Attribute stds for internal audit
Independence
I.A should be independent.
Head of I.A should be accountable to people who won't undermine his/her independence
There should be no interference when deciding about scope of work, when performing the work & when reporting findings.
Objectivity
I.A should be free from bias - objective – rely on facts only.
Impartial attitude – avoid conflict of interests.
Professional care
Professional care & competence
Knowledge of key IT risks & CAATs
Performance standards for internal audit
Managing internal audit
Head I.A manages IA activity to add value to the org
Head IA : establish risk based plans, decide on work priorities, is consistent with org’s objectives.
Review IA plan annually
Head I.A submit plans to senior mgmt & BOD for approval
No interference of senior mgmt in the work of I.A
I.A identify & evaluate significant risk exposure
I.A contribute to improvement of risk mgmt & ICS
Evaluate risk exposure relating to: governance, ops, information sys.
Effectiveness & efficiency of ops
Comply with law, regulations, contracts.
Performance standards for internal audit
Control
I.A helps to maintain effective internal controls
Helps evaluate efficiency & effectiveness of controls
Promotes continuous improvement
I.A assess Corporate governance process
Makes recommendations where possible
Independence maintained if I.A can report breach of C.G without fear of dismissal or retaliation.
Performance standards for internal audit
Internal audit work
Independence achieved when I.A can show that normal stds of I.A work have been followed
No pressure to “cut-corners” from mgmt because of low std work.
IA work will be to: identify, analyse, evaluate, record sufficient evidence to achieve objectives of the engagement.
Info should be: reliable, relevant, useful wrt objectives of the engagement
Auditor conclusion – based on suitable analysis & evaluation
Evidence should be recorded.
Performance standards for internal audit
I.A communicates results of engagement
Communicates conclusions, findings, recommendations.
Communicate to appropriate officials.
Independence maintained where IA can communicate to audit committee or Risk committee, or to any person with enough power to act upon recommendations of Int audit report.
Audit committee - reporting to s/h
Per combined code
BOD should maintain sound ICS- to safeguard s/h investment & assets
S/h are owners of the Co. They are entitled to know if ICS are sufficient to protect their Inv & help maximizing value.
Provide s/h with sufficient assurance – BOD conduct annual review of ICS & report to s/h about effectiveness of controls.
Review cover all material controls, e.g. financial, operational, risk mgmt.
Review done in line with COSO elements of effective ICS
Annual report- inform members of the work of IA
There may be additional reporting under SOX
SOX reporting on ICS - s404
Mgmt must report on ICS
Audit committee Audit work:
Audit committee
Composition
Consist of NEDs – at least 3
At least one NED should have recent financial expertise
Audit committee
Roles
Oversight, assessment, review of other functions / systems in the company.
Board delegates work to audit comm to meet objectives pertaining to ICS
Review ICS, oversee work of IA, monitor integrity of FS, review work of external audit
Role of audit comm was considered in combined code & SOX and King report contain similar recommendations.
Audit committee
Factors affecting role of audit comm
Effectiveness of audit comm depends on how it is constituted and the power vested in that committee.
Factors:
BOD decide how much power to grant audit comm
Audit comm should have min 3 annual meetings to coincide with external audit assignment.
Audit comm should meet once a yr with only internal & external audit – without mgmt – so that the auditors can voice their concerns.
Chairman of audit comm can informally meet mgmt to get more in-depth info about important matters.
Disagreement between audit comm members will be referred to main BOD for resolution
Audit comm reviews annually its TOR & effectiveness & recommend changes to the BOD
To be effective, the audit comm should be kept informed regularly by senior mgmt.
Audit comm & compliance
Primary responsibility under SOX
Check compliance with external reporting regulations
Review significant financial reporting issues & judgments in connection with preparation of F/S.
Audit comm can also drill for more info
Ensure that FS received from mgmt & auditors are acceptable, i.e. adequate acc policies used, reasonable estimates & judgements, enquire methods used to account for significant / unusual txns, ensure clarity & completeness of FS disclosures.
Listens to auditors' views on matters above.
If not satisfied then the audit comm will inform the BOD.
Audit comm - review financial related info included in the FS & corporate gov stmts, relative to audit & risk mgmt.
Audit committee & internal control
Audit committee role
Review financial control
Supervise major txn
Receive reports from internal & external auditors iro Control Mechanisms
Approve Audit report - Internal control stmt
Review Fraud Risk Mgmt – ensure awareness promoted & a proper reporting / investigating mechanism exist.
Receive reports on conclusions of tests of ctrls by I.A & Ext aud and consider their recommendations.