The role of auditors extends beyond providing assurance on companies’ financial information. In light of today’s rapidly evolving business environment and the increasing integration between technology and business processes, assurance services also play a role in ensuring that business processes are effective, efficient, and economical.
Assurance and the 3 E’s: Efficiency, Effectiveness, and Economy
1. Assurance and the Three E’s: Efficiency, Effectiveness, and Economy Ruoyu (Sophia) Cui
2. Agenda
- Role of Assurance Professionals within Assurance Frameworks
- Opportunities within Internal Control Frameworks
- Tools, Methodologies, and Techniques
- Market for Consulting Services
- Impact of SOX and Role of Internal Auditor
3. Role of Assurance Professionals within Assurance Frameworks
- Canadian Auditing Standards (CAS)
  - Understanding of entity, including internal controls
  - Assess adequacy of controls
  - Communicate control deficiencies and other significant matters
- International Auditing and Assurance Standards Board (IAASB)
  - Assertion-based framework facilitates better governance
  - More timely identification and resolution of control deficiencies
4. Role of Assurance Professionals within Assurance Frameworks (cont’d)
- SOX 404
  - Management to report on assessment of internal control
  - Auditor to assess management’s report
- June 2010 Protiviti SOX compliance survey [1]:
  - “70 percent of the 400 executive respondents in year four or beyond of their SOX-compliance programs agreed that improving their internal control environment was highly beneficial to their operations”
  - “SOX compliance…has triggered benefits that include increased efficiency and effectiveness of processes and operations, greater understanding of control design, and operating effectiveness.”
[1] S. Glover, “SOX Compliance Proves Beneficial To Organizations, Fuels Risk Consciousness”, National Underwriter (Nov 2010): 34, 36. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed June 9, 2011).
5. Opportunities within Internal Control Frameworks
- COSO
  - Promotes risk-based approach to designing the internal control system
- COBIT
  - Three integrated dimensions: IT processes, IT resources, business requirements (including effectiveness and efficiency)
  - Four domains in IT governance: planning, acquisition and implementation, delivery and support, and monitoring and evaluation
6. COBIT Framework for IT Process Defined within the Four Domains of IT Governance
Source: COBIT 3rd Edition Implementation Tool Set. COBIT Steering Committee and the IT Governance Institute. (July 2000).
7. Tools, Methodologies, and Techniques
- Enterprise Resource Planning (ERP) and Business Process Management (BPM) systems
- Continuous auditing and business monitoring
- Risk-focused approach to internal audit
8. ERP and BPM Systems
- ERP
  - Eliminates duplicate files and redundant manual data entry
  - Incorporates control features that support SOX and other types of compliance, e.g. establishes security roles, user IDs, passwords, and specific module accesses
  - Unable to retain complete histories in the transaction processes
  - Lack of documentation of policies and procedures
  - Difficult to obtain a consolidated picture of the entity’s operations
- BPM
  - Fills in gaps in the ERP system
  - Integration of information contained in separate business applications
  - Self-documenting and secure audit trails
9. Continuous Auditing and Business Monitoring
- Identify key risk indicators (KRI)
- Enhance controls over current and potential risks
- Software to assist management with regular evaluation
10. Risk-Focused Approach to Internal Audit
- “KMAP” (KPMG’s Management Assurance Process) internal audit methodology
- PwC 2012 Internal Audit Report: “internal audit groups with a risk-centric mind-set will focus on providing assurance over both risk and control by 2012” [1]
[1] R. Cathcart and G. Kapoor, “An Internal Audit Upgrade”, The Internal Auditor, 67, no. 3 (June 2010): 47. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed June 9, 2011).
11. Market for Consulting Services
- ERP and BPM systems design and implementation
- Change management
- Adoption of continuous auditing
- SOX compliance
- Evaluation of control processes
- Internal audit services
12. Impact of SOX
- 9 types of non-audit services prohibited, including:
  - financial information system design and implementation
  - internal auditing outsourcing
  - expert services
- Non-audit services received from external auditors pre-SOX were not replaced by hiring other consulting firms [1]
- Non-audit services were either permanently reduced or absorbed into the workload of companies’ internal auditors [1]
- Increased level of responsibility placed on internal auditors
[1] C. Grant, N. Park, and S. Wheeler, “Non-audit, external audit, and internal audit services in a post-SOX world”, Internal Auditing 1 (Jan 2009): 28-32, 34-35. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed June 9, 2011).
13. Conclusion
- Assurance professionals can assist businesses in improving processes:
  - Under the current assurance and internal control frameworks
  - Through consulting work relating to design and implementation of systems/tools/methodologies
- SOX severely limits external auditors’ ability to perform non-assurance type services
- Increased responsibility for internal auditors
- Need to ensure internal audit staff has the necessary level of expertise and competence
15. List of References
- B. Tsay, “Designing an Internal Control Assessment Program Using COSO's Guidance on Monitoring”, The CPA Journal 80, no. 5, (May 1): 52-57. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed July 3, 2011).
- Canadian Auditing Standards, Knotia.ca, accessed July 2, 2011.
- C. Grant, N. Park, and S. Wheeler, “Non-audit, external audit, and internal audit services in a post-SOX world”, Internal Auditing 1 (Jan 2009): 28-32, 34-35. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed June 9, 2011).
- C. O’Connor, “IT Process and Control Frameworks” (University of Waterloo, Waterloo, ON, Feb 8, 2010).
- COBIT 3rd Edition Implementation Tool Set. COBIT Steering Committee and the IT Governance Institute. (July 2000).
- E. Zimmer, “The Next Wave of Business Monitoring”, The Internal Auditor, 67, no. 4 (Aug 2010): 43. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed June 9, 2011).
- F. Lin, L. Guan, and W. Fang, “Critical Factors Affecting the Evaluation of Information Control Systems with the COBIT Framework”, Emerging Markets, Finance & Trade 46, no. 1, (January 1, 2010): 42. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed July 4, 2011).
16. List of References (cont’d)
- J. Lollar, H. Beheshti, and B. Whitlow, “The role of integrative technology in competitiveness”, Competitiveness Review, 20, no. 5 (Sept 2010): 423-433. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed June 9, 2011).
- J. Oringel and G. R. Aldhizer, “Continuous Auditing and Monitoring: Enhancing the Efficiency and Effectiveness of Auditing and ERM”, Internal Auditing, Vol. 24, Iss. 5 (Oct 2009): 17-26. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed June 9, 2011).
- K. Lumpur, “KPMG offers cost-effective approach to managing risk”, Business Times (Feb 2001): 4. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed June 9, 2011).
- K. Walker, “SOX, ERP, and BPM: A Trifecta That Can Make Your Business Run Better”, Strategic Finance, 90, no. 6 (Dec 2010): 47-53. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed June 9, 2011).
- M. Jones and J. Iwasaki, “Governance Benefits of New Assurance Reports”, International Journal of Disclosure and Governance 8, no. 1 (Feb 2011): 4-15. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed June 9, 2011).
- R. Cathcart and G. Kapoor, “An Internal Audit Upgrade”, The Internal Auditor, 67, no. 3 (June 2010): 47. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed June 9, 2011).
- S. Glover, “SOX Compliance Proves Beneficial To Organizations, Fuels Risk Consciousness”, National Underwriter (Nov 2010): 34, 36. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed June 9, 2011).