Need for I.A<br />I.A is a mgmt control- PAPA(M)OSS<br />I.A reviews effectiveness of other controls in the org.<br />Ensure controls are working properly<br />I.A is also often a statutory requirement<br />Good corporate governance may also suggest an I.A dept<br />I.A is 100% audit – VFM audit<br />Chief internal auditor is in charge of the dept and reports to the audit committee.<br />
Need for I.A<br />Factors affecting the need for I.A<br />Scale & complex operations<br />No of employees<br />Cost benefit analysis<br />Change in: org structure, reporting process or Mgmt.Info.Sys<br />Change in key risks- change in PESTEL factors<br />Problems with existing ICS<br />Unexplained / doubtful txns<br />
Need for I.A<br />Per Turnbull report:<br /><ul><li>In absence of I.A function, mgmt needs to find other monitoring processes.
To reassure the BOD that ICS are working properly
BOD will assess whether procedures provide sufficient & objective assurance.</li></li></ul><li>INDEPENDENCE<br />Auditor independence<br />Independent objective assurance activity<br />Ensure activity is carried out objectively<br />I.A must be independent and must be seen as independent <br />Independence is achieved by having a structure within which I.A work<br />Independence assured by I.A following ethical & work stds<br />
INDEPENDENCE<br />Risks if No Independence<br />Failure to report control breaches<br />Accepting info without checking<br />No professional skepticism<br />Blind on unethical matters<br />Give undeserved positive feedback<br />
INDEPENDENCE<br />Threats to independence<br />Threat to independence is when the opinion of the auditor is doubted.<br />Threats can be either REAL or PERCEIVED<br />ACCA code of ethics : Self interest <br /> Familiarity<br /> Advocacy<br /> Self review<br /> Intimidation<br />
INDEPENDENCE<br />Other measures to protect independence<br /><ul><li>Attribute standards :
Provide quality criteria for evaluating I.A services</li></li></ul><li>Attribute stds for internal audit<br />Independence<br />I.A should be independent.<br />Head of I.A should be accountable to people who won't undermine his/her independence<br />There should be no interference when deciding about scope of work, when performing the work & when reporting findings.<br />Objectivity<br />I.A should be free from bias- objective – rely on facts only.<br />Impartial attitude – avoid conflicts of interest.<br />Professional care<br />Professional care & competence<br />Knowledge of key IT risks & CAATs<br />
Performance standards for internal audit<br />Managing internal audit<br /><ul><li>Head I.A manages IA activity to add value to the org
Head IA : establish risk based plans, decide on work priorities, is consistent with org’s objectives.
Independence maintained if I.A can report breach of C.G without fear of dismissal or retaliation.</li></li></ul><li>Performance standards for internal audit<br /><ul><li>Internal audit work
Independence achieved when I.A can show that normal stds of I.A work have been followed
No pressure to “cut corners” from mgmt because of low std work.
IA work will be to: identify, analyse, evaluate, record sufficient evidence to achieve objectives of the engagement.
Info should be: reliable, relevant, useful wrt objectives of the engagement
Auditor conclusion – based on suitable analysis & evaluation
Evidence should be recorded.</li></li></ul><li>Performance standards for internal audit<br />I.A communicates results of engagement <br />Communicates conclusions, findings , recommendations.<br />Communicate to appropriate officials.<br />Independence maintained where IA can communicate to audit committee or Risk committee <br />Or to any person with enough power to act upon recommendations of Int audit report.<br />
Audit committee- reporting to s/h<br />Per combined code<br /><ul><li>BOD should maintain sound ICS- to safeguard s/h investment & assets
S/h are owners of the Co. They are entitled to know if ICS are sufficient to protect their Inv & help maximizing value.
Provide s/h with sufficient assurance – BOD conduct annual review of ICS & report to s/h about effectiveness of controls.
Review cover all material controls eg. Financial , operational , risk mgmt.
Review done in line with COSO elements of effective ICS
Annual report- inform members of the work of IA
There may be additional reporting under SOX</li></li></ul><li>SOX reporting on ICS- s404<br /><ul><li>Mgmt must report on ICS</li></ul>Audit committee<br />
Audit committee<br />Composition<br />Consist of NED’s – at least 3<br />At least one NED should have recent financial expertise<br />
Audit committee<br />Roles<br />Oversight, assessment, review of other functions / systems in the company.<br />Board delegates work to audit comm to meet objectives pertaining to ICS<br />Review ICS, oversee work of IA, monitor integrity of FS, review work of external audit<br />Role of audit comm was considered in combined code & SOX and King Report contain similar recommendations.<br />
Audit committee<br />Factors affecting role of audit comm<br />Effectiveness of audit comm depends on how it is constituted and the power vested in that committee.<br />Factors:<br /><ul><li>BOD decide how much power to grant audit comm
Audit comm should have min 3 annual meetings to coincide with external audit assignment.
Audit comm should meet once a yr with only internal & external audit, without mgmt, so that the auditors can voice concerns.
Chairman of audit comm can informally meet mgmt to get more in-depth info about important matters.
Disagreement between audit comm members will be referred to main BOD for resolution
Audit comm reviews annually its TOR & effectiveness & recommend changes to the BOD
To be effective, the audit comm should be kept informed regularly by senior mgmt.</li></li></ul><li>Audit comm & compliance<br />Primary responsibility under SOX<br />Check compliance with external reporting regulations<br />Review significant financial reporting issues & judgments in connection with preparation of F/S.<br />Audit comm can also drill for more info<br />Ensure that FS received from mgmt & auditors are acceptable<br />i.e. adequate acc policies used, reasonable estimates & judgements, enquire methods used to account for significant / unusual txns, ensure clarity & completeness of FS disclosures.<br />Listens to auditors' views on matters above. If not satisfied then the audit comm will inform the BOD.<br />Audit comm- review financial related info included in the FS & corporate gov stmts, relative to audit & risk mgmt.<br />
Review Fraud Risk Mgmt – ensure awareness promoted & a proper reporting/investigating mechanism exists. Receive reports on conclusions of tests of ctrls by I.A & Ext aud and consider their recommendations.