
Internal audit article


Published in: Business, Technology

Internal Audit - Best Practices
Sonali Singh

The Cambridge dictionary defines best practice as a working method (or set of working methods), which is officially accepted as being the best to use in a particular business or industry. These methods or best practices are usually described formally or in detail. Therefore, best practices are those generally understood operational characteristics of organizations, or procedures that have proved to be successful in practice.

The concept of best practice belongs to the field of management and is described by management ‘gurus’ as the most efficient and effective way of accomplishing a task, based on repeatable procedures that have proven themselves over time for large numbers of people. About a hundred years ago Frederick Taylor stated that “among the various methods and implements used in each element of each trade there is always one method and one implement which is quicker and better than any of the rest”. However, by its very definition, best practice is a dynamic concept, an approach based around continuous learning and improvement, rather than a static, inflexible, unchanging method of doing things. Best practices also change and/or improve as times change and things evolve. What is critical is the adoption of good processes and proper planning, even following a standard way of doing things that other successful organizations are doing, but at the same time, the adaptation and molding of these best practices to suit the particular needs and to balance the uniqueness of an organization with practices it has in common with other organizations. Therefore while best practices do not have one template or form for everyone to follow, it can certainly be the idea that with the proper processes and planning, the organization can achieve the desired result with fewer problems and unforeseen complications. What is needed is the commitment to using all the knowledge and technology at one’s disposal to ensure success of the organization.

Internal Audit and Good Governance

“An effective internal audit function is a fundamental component of good governance” - Canada Office of the Auditor General.

The terms governance and good governance are widely used today. Traditionally governance refers to forms of political systems and the manner in which power is exercised in utilizing a country’s economic and social resources for development. It has also been described as a process of decision making and the process by which decisions are implemented or not implemented. It involves public institutions in the conduct of public affairs and the management of public resources, which should be utilized most efficiently and effectively. Good governance has been described as an ideal which can be understood as a set of eight characteristics i.e. participation, rule of law, transparency, responsiveness, consensus orientation, equity and inclusiveness, effectiveness and efficiency, and accountability. It involves transparency which means that the decisions taken and their enforcement are done in a manner that follows rules and regulations. Good governance means responsiveness. It means effectiveness and efficiency in ensuring that processes and institutions produce results that meet the needs of society while making the best use of resources at their disposal. It necessitates accountability which means that government institutions will be accountable to the public, and to all those who are affected by their decisions.

The 1992 World Bank report entitled “Governance and Development” identified seven specific aspects of ‘good governance’, which became a concern in considering projects for assistance and these included public sector management, accountability, transparency etc. Good governance therefore became very much a part of the reforms agenda and entered the lexicon of governments of developing countries. India was no exception.
The process however had started somewhat earlier worldwide, with governments embarking on an ambitious journey to improve government performance - the New Public Management, under which reformers have sought to radically change the manner in which the public business is conducted. All the initiatives, whether under the banner of ‘New Public Management’ in New Zealand and the United Kingdom or “reinventing government” in the United States, seek to improve governmental performance by emphasizing customer service, decentralization, market mechanisms, cross functional collaboration and accountability for results.

While public sector reforms are pervasive in the developing countries, what is required is a citizen centric governance framework which combines participatory decentralization with results oriented management and evaluation. Traditionally evaluations have tended to be uni-dimensional, concentrating only on fiscal probity and rule adherence. These trends are in evidence in India as well since the government has embarked upon reforms. The Fiscal Responsibility and Budget Management (FRBM) Act seeks to put in place stringent fiscal controls in government; the Right to Information Act seeks to bring about transparency and accountability in government’s functioning. With the introduction of the Outcome Budget the Government has addressed the need to track not just the intermediate physical outputs of schemes/programmes but also the outcomes which are the end objectives of State interventions. In this scenario internal audit can act as a powerful tool to improve accountability; it can give the required inputs which can be fed into the planning process, inputs that can be utilized to monitor implementation.

The audit function has traditionally been seen as being part of the government’s financial management function, and increasingly as a way for improving the performance of the government sector.
It has provided assurance that public funds received and spent are in compliance with appropriations and other relevant laws, and that the reported use of funds is a fair and accurate representation of the financial position of the government. Beyond this, audit in many countries has evolved to take a more comprehensive view of the economic and social implications of government’s operations or value-for-money or performance audit. In recent years the demand for greater transparency and accountability in governments has resulted in a move by managers within government organizations to improve internal audit procedures in a way that would ensure some protection from adverse reports of external audit and also so that internal audit gives them some minimal level of assurance.

Against the background of the plethora of reforms in monetary and fiscal management and the complex challenges being thrown up by the second generation of reforms within the country, the Government felt the need to have a re-look at some of the institutionalized financial management systems. Acknowledging the need for change and perhaps the potential of the Internal Audit Wing (IAW) within the ministries/departments, the Ministry of Finance (MoF) recently reviewed the scheme of ‘Integrated Financial Advisor (IFA)’ and issued a Revised Scheme of IFA on June 1, 2006 which envisages a larger role for the Chief Controller of Accounts (CCA)/Controller of Accounts (CA). In so far as internal audit is concerned, the new guidelines mandate that the Internal Audit Wings working under the control and supervision of the CCAs/CAs shall assist the Financial Advisers in the appraisal, monitoring and evaluation of individual schemes. It specifies that internal audit would focus on:

  • Assessment of adequacy and effectiveness of internal controls in general, and soundness of financial systems and reliability of financial and accounting reports in particular;
  • Identification and monitoring of risk factors (including those contained in the Outcome Budget);
  • Critical assessment of economy, efficiency and effectiveness of service delivery mechanism to ensure value for money; and
  • Providing an effective monitoring system to facilitate and course corrections.

What the IA can do

With the enlarged mandate and given the scope, objectives and functions of IAW under the CGA’s organization, internal audit in Government today is of critical value for several reasons, all of which are well known to us:

  • It is potentially of major importance as an effective internal audit system leads to improved accountability, ethical and professional practices.
  • It can improve the quality of output, support decision making and performance tracking.
  • It has the potential to act as an independent and objective appraisal mechanism within the organization whose findings and recommendations can act as a tool enabling the ministry or department within which it functions to take suitable corrective action with respect to service delivery and also procedures.
  • It can be used to examine and evaluate activities, as a service to the organization promoting effective control at a reasonable cost.
  • If internal audit can become an inherent part of management reporting by suggesting remedies for the problem areas identified, it can truly fit into the fundamental and critical area of financial reform which focuses on outcomes, of objectives being achieved at a reasonable cost. It will integrate internal auditing with the ongoing public financial management reforms.

What sets Government Audit Apart?

It is necessary to bring out the differences that exist between auditing in the government sector and auditing in the private sector.

  • The environment of the audited government organization is vastly different from what exists in the private sector, and is a significant reason for the difference between the two. The government audit is carried out in an environment determined by legal rules, and a great deal of importance is attached to lawful and rightful conduct within the government, flowing from the need for governments to act in accordance with laws and regulations laid down by the government itself.
  • In the public sector moreover, the auditor’s opinion serves the interest of the public in general and is not confined to only providing a full and fair view to the stakeholders as is the case with the private sector audit.
  • By extension therefore, the primary purpose of an auditor’s opinion is to serve in the formal discharging procedure in the democratic process.
    Effectively then, the stakeholders are many in case of the government audit.
  • It is also a fact that the decision making process in government is much more complex when compared to the private sector where decisions are predominantly determined by technical and scientific factors concerning the primary processes of the entity and the economically limiting conditions.
  • In the government arena, success cannot be translated in terms of the bottom line of income and expenditure account but rather needs other criteria as a measure of performance.
  • The auditing of the accounting system of a government organization is important not only as a track to the financial report but also because the accounts contain important information which is vital for the process of decision making which in the government sector, by its very nature, has wider implications.
  • Auditing in the government sector therefore has a substantive importance. Attention is given to processes like acquisition of resources (economy), use of resources (efficiency) and satisfaction of needs of society (effectiveness), which implies that audit of financial management as such, including compliance with laws and regulations in the rightfulness audit, is often defined as a substantive object of audit in the audit assignment.
  • Financial reporting in the public sector is also different from that in the private sector because the laws and regulations regarding financial reporting in the public sector are different on account of the need for transparency on the part of the government regarding the government’s plans and the resource allocations. Therefore the laws and regulations on financial reporting in the public sector start with regulating the procedure of the budgeting process and the structure of the presentation of information in the budget documents.
  • Furthermore, as far as the government is concerned, its primary goal is not to earn a profit over and above the cost of production as is the case with private entities.
    Rather the goal of government is to realize the maximal possible usefulness for society from a limited amount of resources, and the performance indicators are also different since the success of government entities is not expressed only in financial terms.

For a government organization, a system of internal controls is of key importance as a precondition for better government performance because the system of internal control is often the only instrument available, unlike in the private sector where the market signals act as warning signals. Furthermore the principle in the new governance model in the modernization of governments which stresses on integrity and objectivity for services and the stewardship of funds requires more effective internal controls. With a shift from the traditional centralized controls to a greater delegation and a more distributive control where the management is responsible for the checking and monitoring, effective internal controls are necessary.

Best Practices

With the expanded and extended role of internal audit now stretching beyond its traditional focus on compliance and financial audit, to encompass an assessment of the organization’s efficiency and effectiveness in achievement of its objectives, internal audit has become a management tool. In the overall scheme of financial reform aimed at better financial management, best practices in internal control and internal audit will generate key benefits. The overall design of the internal audit system, including best practices, should be geared towards the specific priorities of the organizations, taking into account each organization’s own circumstances and requirements. But an overall Best Practices Framework is necessary to evaluate the adequacy of internal controls and the performance of the organization as well as of the internal audit. Best practices could include those relating to roles, responsibilities and authorities and oversight of internal audit, resourcing the internal audit function, planning internal audit’s activities, audit processes, and evaluating internal audit’s performance.

Internal Audit practitioners talk about an appropriate “tone at the top” as being a key component of the internal control structure of the organization.
Best practice emphasizes the responsibility of the Board/CEO to establish an appropriate ‘corporate’ culture, including codes of ethics and standards of conduct to enhance the organization’s reputation for fair and responsible dealings and to help maintain high standards of behaviour throughout the organization (TPP). These attributes include: acting with honesty and good faith; exercising due care and diligence; using information and position properly; employing discretion; avoiding conflict of interest; meeting public obligations; managing financial obligation prudently and maintaining confidentiality. Since internal controls and internal audit is a process rather than an end in itself, and more importantly, it is a process driven or effected by people at every level of the organization, the key attributes and attitudes of the most senior level within the organization are critical not only to the effectiveness of the audit but also to the achievement of the organization’s goals. Documenting and implementing a code of conduct or a code of ethics would serve to address the importance of maintaining confidentiality, avoiding conflict of interest, and explain the nature and significance of illegal or other improper acts.

Best practices now encourage the organization to establish effective audit committees which would help preserve the independence of the internal audit function and ensure appropriate and timely action is taken on audit findings. “The Audit Committee serves in a special capacity as an important communication link between external and internal auditors and operating management, and as a means of reducing the risk that management will override key elements of an agency’s internal control structure”.

Designing effective internal control procedures which provide reasonable assurance regarding the achievement of the organization’s objectives is important to a Best Practice Framework. The identification of the functions performed by the organization in the achievement of its strategic objectives, and the breaking down into individual tasks and related risks and the control procedures built in to mitigate these risks are important. Best Practice therefore requires the preparation of a Risk Management Plan which will provide the framework for monitoring the risk management activities. Once the whole array of risks has been identified, the next step is to rank the risks and draw up an audit plan accordingly.
One way to effectively prioritize the processes for audit purposes is to look at the matrix of probability of occurrence versus severity of loss for each of the processes and develop a risk based audit plan according to this classification (Moody). It is also desirable if the audit plan is devised with a holistic view as to the nature and significance of the risks facing the organization/activity rather than focusing only on the financial reporting risks. While in the process of identifying these risks the audit team may use intelligence gathered by other functions within the organization, in devising the audit plan the internal auditors should have an independent view on risks. Best practices also demand timely and comprehensive coverage by audit across a spectrum of risks. While we grade risks using simple ranking of high, medium and low risk, timeliness of the audit as per this categorization is important, with high risk areas being covered annually and so on. This does not imply that there should be slippage in covering the low risk areas because even these can create problems. In fact internal audit practitioners consider it advisable to re-assess the organization’s risk profile annually. Given that the risks to the organization/activity would change over time, with new risks emerging, revisiting the risk based plan is imperative to an effective audit function.

The effectiveness of audit is dependent on its ability to not only spot problem areas or areas where improvements can be suggested, but also on its ability to ensure speedy remedial action after audit has been completed. This in turn is dependent on timely completion and submission of the audit report. Any delay in this would defeat the very purpose and function of internal audit. It is considered a best practice if audit professionals rank or grade their reports, using a simple system, to enable the clients to distinguish problematic audit reports from others. There could for instance be one category of reports that are highly critical where significant remedial actions are recommended; others that list out deficiencies that need to be corrected but where the lapses are not too significant; and a third category of those reports that are by and large a ‘clean bill of health’ though some improvement opportunities are identified. Effective and timely follow up to reports is essential, particularly the speedy implementation of remedial actions recommended in highly critical reports.
Best practices call for such units that receive highly critical reports, or those units that have significantly delayed implementation of recommendations of audit, to report the reasons for the problems and proposed corrective actions to the highest level overseeing the internal audit function within the organization. An effective tracking system for audit reports would ensure an effective and timely follow up to audit. A rigorous audit follow up process could for instance include a Follow up Action Report form to be attached for the audited department to use for reporting when the audit recommendations are implemented. The follow up by internal audit to verify the implementation could be done within six months and if necessary a second follow up could be done within one year, depending on various factors. The follow up process however ensures the timely and effective implementation of audit recommendations in addition to ensuring management’s responsibility and accountability and is therefore a critical element.

Upgrades to the internal audit function capabilities in terms of increased manpower and resources available as well as capacity building will contribute to a more effective control environment. Best practices support greater independence for the internal audit function and this can be achieved through a significant audit committee role in setting and approving the audit function’s staffing and budget; periodic benchmarking of audit functions with peers and industry best practices; clarity in internal audit’s role in operational risk and pre-implementation control development matters; reporting by the audit head to the audit committee (functionally) and to the CEO (administratively); empowerment of the audit function by communicating the importance of internal audit throughout the organization; adopting a balanced staffing model and maintaining an effective working relationship between internal and external audit.

According to the IIA, appropriate reporting relationships are critical if internal audit is to achieve independence, objectivity and organizational stature necessary to fulfill its obligations and mandate. On the reporting lines for the chief audit executive, the IIA states that best practice indicates that the internal audit activity should have a dual reporting relationship. The IIA International Standards for the Professional Practice of Internal Auditing (Standards) require that the chief audit executive (CAE) report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.
To achieve necessary independence, best practices suggest the CAE should report directly to the audit committee or its equivalent. For day to day administrative purposes, the CAE should report to the most senior executive (i.e., the chief executive officer [CEO]) of the organization. This reporting line is stated to be the ultimate source of its independence and authority.

Internal audit practitioners point to the need for independence of the internal audit function by citing the lesson learnt from the challenges faced by the internal audit function at the now defunct WorldCom. Here, since the internal audit function was not fully accepted and supported by top management, the function diverted from its role and focused on finding ways to assist the company to maximize revenues, reduce costs and improve efficiencies. The internal auditors did not fulfill their role as the company’s “internal audit police” but rather sought to gain acceptance as team players by focusing on operational audits and projects that would be seen to be adding value to the company. In the end the function failed to detect the accounting improprieties that were reported at an earlier stage by WorldCom. Other cases cited are of Enron and Global Crossing, where the accounting misrepresentations and dealings of the top executives cost stockholders tens of billions of dollars, and could have been avoided had the internal auditors performed their traditional roles as “watchdogs” instead of succumbing to pressure to de-emphasise audits of sensitive and high risk areas and focus instead on advising management on ways to increase the bottom line. IIA standards which guide the professional practice of internal auditing list independence of the internal audit function as the first standard, and on this is dependent the success of any internal audit function, its effectiveness and its organizational status. The higher the level within the organization to which the auditor reports, the more effective the auditor is in selecting areas to audit and reporting the findings without fear of retaliation or peer pressure.

Best practices also require that the right internal audit methodology is designed and used to facilitate effective and efficient delivery of high quality services.
This can be done once the expectations of the organization are understood so that the right audits are executed at the right time with the right resources. According to the methodology prescribed by the Committee of Sponsoring Organisations (COSO) there should be three components namely, risk assessment, control evaluation and reporting. Risk assessment is done at the organizational level and from this emerges the internal audit plan. Since effective reporting is a key element in the methodology and since significant delays can undermine the organization’s perception of internal audit’s value and efficiency as well as impact the completion of planned work, it is best practice to agree on reporting protocols beforehand so that communication and agreements of audit results can take place in a timely manner.

The IIA standards and the GAO Government Accounting Standards require an external quality assessment to assess internal audit compliance with standards and appraisal of the quality of operations of internal audit. While a periodic external quality assessment or peer review of the internal audit function is essential for a comprehensive quality assurance programme, a self assessment can also contribute to quality assurance, provided the self assessment addresses all attribute and performance standards, duly supported with relevant documentation. Best practices require that the indicators used for measuring internal audit performance should be linked to the organization’s objectives. Internal audit should therefore develop and implement a system of performance indicators to measure its own performance. The Statement of Best Practice Internal Control and Internal Audit developed by the New South Wales Treasury Department includes as performance indicators service delivery benchmarks such as percentage of internal audits actually completed as per the original plan for the period, the future dollar costs saved or revenues earned as a result of implementation of audit recommendations, or the number of internal audit findings implemented as a percentage of the numbers raised in their reports etc. Cost control benchmarks include the actual costs of internal audit as a percentage of internal audit’s budgeted costs for the period. A survey of management expectations or a “customer survey” sent to key managers after each audit or after issue of report can be used to measure audit performance.
It will help focus internal audit effort, and for this purpose the key performance measures suggested in the Statement include effectiveness of the audit in covering key areas, feedback on the findings of audit, duration of audit, timeliness of audit, accuracy of findings and value of audit recommendations, clarity of the audit report, professionalism of the auditors and value added by the audit. The list could be expanded depending on the requirements. The point is to develop a concise structured list of performance indicators to review performance, the results of the review being reported to the audit committee at regular intervals.

The IIA has identified key elements of an effective public sector audit activity which can serve as a starting point to developing best practices for internal audit in the public sector. The importance of the internal audit activity in the public sector has been highlighted in the foregoing section. IIA’s professional guidance document on the Role of Auditing in Public Sector Governance states that “Auditors perform an especially important function in those aspects of governance that are crucial in the public sector for promoting credibility, equity, and appropriate behavior of government officials, while reducing the risk of public corruption.” The key elements listed by IIA as the minimum for Government audit activity to achieve its mandate and to act with integrity and produce reliable services are:

  • Organizational independence.
  • A formal mandate.
  • Unrestricted access.
  • Sufficient funding.
  • Competent leadership.
  • Competent staff.
  • Stakeholder support.
  • Professional audit standards.

While the need for improving processes over time is necessary, as is the need to adopt or develop those processes which are the most efficient and effective way of accomplishing a task, it is equally important to take into account individual need or circumstances. Due care needs to be exercised to ensure that best practices do not result in practice that is in fact not the best, when the results of the best practice are in fact contrary to the real ideal situation or when best practice is used to prevent challenges to rules and systems that are in reality not best practice. A Wikipedia article cites the case of Dick Fosbury, who revolutionized high jumping technique; we have all heard of the Fosbury Flop. He challenged the existing best practice by going over the bar back first instead of head first and in the process, by ignoring best practice, he not only raised the performance bar but also created the new best practice.

Best practice can be exchanged, adopted, adapted and developed. The key issue is ‘what is possible?’ and not merely ‘what is somebody else doing?’