Audit & compliance


Published in: Education, Business, Technology

  1. Audit & compliance
  2. Role of internal auditor
       • Review acs & I.C.S
       • Assist with identification of significant risks
       • Review 3 E’s of operations - VFM audit
       • Examine financial & operating information
       • Special investigations, e.g. suspected fraud
       • Review compliance with laws & external regulations
  3. Types of audit work
       • Financial audit
       • Operational audit
       • Project audit
       • VFM audit
       • Social & environmental audit
       • Mgmt audit
       • I.A looks at controls - PAPAMOSS
  4. Need for I.A
       • I.A is a mgmt control - PAPA(M)OSS
       • I.A reviews effectiveness of other controls in the org.
       • Ensure controls are working properly
       • I.A is also often a statutory requirement
       • Good corporate governance may also suggest an I.A dept
       • I.A is 100% audit – VFM audit
       • Chief internal auditor is in charge of the dept and reports to the audit committee.
  5. Need for I.A: Factors affecting the need for I.A
       • Scale & complex operations
       • No. of employees
       • Cost benefit analysis
       • Change in: org structure, reporting process or Mgmt.Info.Sys
       • Change in key risks - change in PESTEL factors
       • Problems with existing ICS
       • Unexplained / doubtful txns
  6. Need for I.A: Per Turnbull report
       • In absence of I.A function, mgmt needs to find other monitoring process.
       • To reassure the BOD that ICS are working properly
       • BOD will assess whether procedures provide sufficient & objective assurance.
  7. INDEPENDENCE: Auditor independence
       • Independent objective assurance activity
       • Ensure activity is carried out objectively
       • I.A must be independent and must be seen as independent
       • Independence is achieved by having a structure within which I.A work
       • Independence assured by I.A following ethical & work stds
  8. INDEPENDENCE: Risks if No Independence
       • Failure to report control breaches
       • Accepting info without checking
       • No professional skepticism
       • Blind on unethical matters
       • Give undeserved positive feedback
  9. INDEPENDENCE: Threats to independence
       • Threat to independence is when the opinion of the auditor is doubted.
       • Threats can be either REAL or PERCEIVED
       • ACCA code of ethics: Self interest, Familiarity, Advocacy, Self review, Intimidation
  10. INDEPENDENCE: Other measures to protect independence
       • Attribute standards:
           • Deal with characteristics of the org
           • Deal with parties performing Int Audit
       • Performance stds
           • Describe nature of Int Audit activities
           • Provide quality criteria for evaluating I.A services
  11. Attribute stds for internal audit
       • Independence
           • I.A should be independent.
           • Head of I.A should be accountable to people who won't undermine his/her independence
           • There should be no interference when deciding about scope of work, when performing the work & when reporting findings.
       • Objectivity
           • I.A should be free from bias - objective – rely on facts only.
           • Impartial attitude – avoid conflict of interests.
       • Professional care
           • Professional care & competence
           • Knowledge of key IT risks & CAATs
  12. Performance standards for internal audit
       • Managing internal audit
           • Head I.A manages IA activity to add value to the org
           • Head IA: establish risk based plans, decide on work priorities, is consistent with org’s objectives.
           • Review IA plan annually
           • Head I.A submit plans to senior mgmt & BOD for approval
           • No interference of senior mgmt in the work of I.A
       • Risk management
           • I.A identify & evaluate significant risk exposure
           • I.A contribute to improvement of risk mgmt & ICS
           • Evaluate risk exposure relating to: governance, ops, information sys.
           • Effectiveness & efficiency of ops
           • Safeguard assets
           • Comply with law, regulations, contracts.
  13. Performance standards for internal audit
       • Control
           • I.A helps to maintain effective internal controls
           • Helps evaluate efficiency & effectiveness of controls
           • Promotes continuous improvement
       • Governance
           • I.A assess Corporate governance process
           • Makes recommendations where possible
           • Independence maintained if I.A can report breach of C.G without fear of dismissal or retaliation.
  14. Performance standards for internal audit
       • Internal audit work
       • Independence achieved when I.A can show that normal stds of I.A work have been followed
       • No pressure to “cut-corners” from mgmt because of low std work.
       • IA work will be to: identify, analyse, evaluate, record sufficient evidence to achieve objectives of the engagement.
       • Info should be: reliable, relevant, useful wrt objectives of the engagement
       • Auditor conclusion – based on suitable analysis & evaluation
       • Evidence should be recorded.
  15. Performance standards for internal audit
       • I.A communicates results of engagement
       • Communicates conclusions, findings, recommendations.
       • Communicate to appropriate officials.
       • Independence maintained where IA can communicate to audit committee or Risk committee, or to any person with enough power to act upon recommendations of Int audit report.
  16. Audit committee - reporting to s/h: Per combined code
       • BOD should maintain sound ICS - to safeguard s/h investment & assets
       • S/h are owners of the Co. They are entitled to know if ICS are sufficient to protect their Inv & help maximizing value.
       • Provide s/h with sufficient assurance – BOD conduct annual review of ICS & report to s/h about effectiveness of controls.
       • Review cover all material controls, e.g. financial, operational, risk mgmt.
       • Review done in line with COSO elements of effective ICS
       • Annual report - inform members of the work of IA
       • There may be additional reporting under SOX
  17. SOX reporting on ICS - s404
       • Mgmt must report on ICS
       • Audit committee
  18. Audit committee: Audit work:
  19. Audit committee: Composition
       • Consist of NED’s – at least 3
       • At least one NED should have recent financial expertise
  20. Audit committee: Roles
       • Oversight, assessment, review of other functions / systems in the company.
       • Board delegates work to audit comm to meet objectives pertaining to ICS
       • Review ICS, oversee work of IA, monitor integrity of FS, review work of external audit
       • Role of audit comm was considered in combined code & SOX and King report contain similar recommendations.
  21. Audit committee: Factors affecting role of audit comm
       • Effectiveness of audit comm depends on how it is constituted and the power vested in that committee.
       • Factors:
           • BOD decide how much power to grant audit comm
           • Audit comm should have min 3 annual meetings to coincide with external audit assignment.
           • Audit comm should meet once a yr with only internal & external audit, without mgmt, so that the auditors can voice concerns.
           • Chairman of audit comm can informally meet mgmt to get more in-depth info about important matters.
           • Disagreement between audit comm members will be referred to main BOD for resolution
           • Audit comm reviews annually its TOR & effectiveness & recommends changes to the BOD
           • To be effective, the audit comm should be kept informed regularly by senior mgmt.
  22. Audit comm & compliance
       • Primary responsibility under SOX
       • Check compliance with external reporting regulations
       • Review significant financial reporting issues & judgments in connection with preparation of F/S.
       • Audit comm can also drill for more info
       • Ensure that FS received from mgmt & auditors are acceptable, i.e. adequate acc policies used, reasonable estimates & judgements, enquire methods used to account for significant / unusual txns, ensure clarity & completeness of FS disclosures.
       • Listens to auditors' views on matters above. If not satisfied then the audit comm will inform the BOD.
       • Audit comm - review financial related info included in the FS & corporate gov stmts, relative to audit & risk mgmt.
  23. Audit committee & internal control: Audit committee role
       • Review financial control
       • Supervise major txn
       • Receive reports from internal & external auditors iro Control Mechanisms
       • Approve Audit report - Internal control stmt
       • Review Fraud Risk Mgmt – ensure awareness promoted & a proper reporting / investigating mechanism exists. Receive reports on conclusions of tests of ctrls by I.A & Ext aud and consider their recommendations.
       • Review compliance (regulation, legislation, ethics)
       • Monitor adequacy of ICS – focus on ctrl environment, mgmt attitude, mgmt control.