Uploaded byFraterne1
PPT, PDF95 views

vdocuments.mx_cia-part-1-slides.ppt

This document discusses the internal audit activity's role in governance, risk, and control. It covers several topics: - Section A of Part 1 of the CIA exam focuses on complying with the Attribute Standards of the IIA. - The development of internal auditing as a profession began with railroad executives needing assurance about stationmasters handling receipts. - Internal auditors differ from external auditors in that they are employed by the organization and focus on evaluating controls to assure goals, while external auditors are independent contractors focused on financial statements. - An internal audit charter formally defines the internal audit activity's purpose, authority, and responsibilities as approved by the board. The charter establishes the activity's independence,

Embed presentation

Download to read offline
1 / 328
2 / 328
3 / 328
4 / 328
5 / 328
6 / 328
7 / 328
8 / 328
9 / 328
10 / 328
11 / 328
12 / 328
13 / 328
14 / 328
15 / 328
16 / 328
17 / 328
18 / 328
19 / 328
20 / 328
21 / 328
22 / 328
23 / 328
24 / 328
25 / 328
26 / 328
27 / 328
28 / 328
29 / 328
30 / 328
31 / 328
32 / 328
33 / 328
34 / 328
35 / 328
36 / 328
37 / 328
38 / 328
39 / 328
40 / 328
41 / 328
42 / 328
43 / 328
44 / 328
45 / 328
46 / 328
47 / 328
48 / 328
49 / 328
50 / 328
51 / 328
52 / 328
53 / 328
54 / 328
55 / 328
56 / 328
57 / 328
58 / 328
59 / 328
60 / 328
61 / 328
62 / 328
63 / 328
64 / 328
65 / 328
66 / 328
67 / 328
68 / 328
69 / 328
70 / 328
71 / 328
72 / 328
73 / 328
74 / 328
75 / 328
76 / 328
77 / 328
78 / 328
79 / 328
80 / 328
81 / 328
82 / 328
83 / 328
84 / 328
85 / 328
86 / 328
87 / 328
88 / 328
89 / 328
90 / 328
91 / 328
92 / 328
93 / 328
94 / 328
95 / 328
96 / 328
97 / 328
98 / 328
99 / 328
100 / 328
101 / 328
102 / 328
103 / 328
104 / 328
105 / 328
106 / 328
107 / 328
108 / 328
109 / 328
110 / 328
111 / 328
112 / 328
113 / 328
114 / 328
115 / 328
116 / 328
117 / 328
118 / 328
119 / 328
120 / 328
121 / 328
122 / 328
123 / 328
124 / 328
125 / 328
126 / 328
127 / 328
128 / 328
129 / 328
130 / 328
131 / 328
132 / 328
133 / 328
134 / 328
135 / 328
136 / 328
137 / 328
138 / 328
139 / 328
140 / 328
141 / 328
142 / 328
143 / 328
144 / 328
145 / 328
146 / 328
147 / 328
148 / 328
149 / 328
150 / 328
151 / 328
152 / 328
153 / 328
154 / 328
155 / 328
156 / 328
157 / 328
158 / 328
159 / 328
160 / 328
161 / 328
162 / 328
163 / 328
164 / 328
165 / 328
166 / 328
167 / 328
168 / 328
169 / 328
170 / 328
171 / 328
172 / 328
173 / 328
174 / 328
175 / 328
176 / 328
177 / 328
178 / 328
179 / 328
180 / 328
181 / 328
182 / 328
183 / 328
184 / 328
185 / 328
186 / 328
187 / 328
188 / 328
189 / 328
190 / 328
191 / 328
192 / 328
193 / 328
194 / 328
195 / 328
196 / 328
197 / 328
198 / 328
199 / 328
200 / 328
201 / 328
202 / 328
203 / 328
204 / 328
205 / 328
206 / 328
207 / 328
208 / 328
209 / 328
210 / 328
211 / 328
212 / 328
213 / 328
214 / 328
215 / 328
216 / 328
217 / 328
218 / 328
219 / 328
220 / 328
221 / 328
222 / 328
223 / 328
224 / 328
225 / 328
226 / 328
227 / 328
228 / 328
229 / 328
230 / 328
231 / 328
232 / 328
233 / 328
234 / 328
235 / 328
236 / 328
237 / 328
238 / 328
239 / 328
240 / 328
241 / 328
242 / 328
243 / 328
244 / 328
245 / 328
246 / 328
247 / 328
248 / 328
249 / 328
250 / 328
251 / 328
252 / 328
253 / 328
254 / 328
255 / 328
256 / 328
257 / 328
258 / 328
259 / 328
260 / 328
261 / 328
262 / 328
263 / 328
264 / 328
265 / 328
266 / 328
267 / 328
268 / 328
269 / 328
270 / 328
271 / 328
272 / 328
273 / 328
274 / 328
275 / 328
276 / 328
277 / 328
278 / 328
279 / 328
280 / 328
281 / 328
282 / 328
283 / 328
284 / 328
285 / 328
286 / 328
287 / 328
288 / 328
289 / 328
290 / 328
291 / 328
292 / 328
293 / 328
294 / 328
295 / 328
296 / 328
297 / 328
298 / 328
299 / 328
300 / 328
301 / 328
302 / 328
303 / 328
304 / 328
305 / 328
306 / 328
307 / 328
308 / 328
309 / 328
310 / 328
311 / 328
312 / 328
313 / 328
314 / 328
315 / 328
316 / 328
317 / 328
318 / 328
319 / 328
320 / 328
321 / 328
322 / 328
323 / 328
324 / 328
325 / 328
326 / 328
327 / 328
328 / 328
1 1 CIA Part 1 INTERNAL AUDIT ACTIVITY’S ROLE IN GOVERNANCE, RISK AND CONTROL
2 2 SECTION A COMPLY WITH THE IIA’S ATTRIBUTE STANDARDS
3 3 Section A  Section A comprises approximately 15% to 25% (15 to 25 questions) of the Part 1 exam.  There are six primary sections in Section A, including: 1) Purpose, Authority and Responsibility, 2) Organizational Independence & Objectivity, 3) Proficiency and Due Professional Care, 4) Continuing Professional Development, 5) Quality Assurance & Improvement Program, and 6) The IIA’s ‘Code of Ethics’.
4 4 The Development of Internal Auditing  The concept of internal auditing goes back as far as 5,000 years. Early civilizations had to verify what they had, particularly verifying the amount of grain they had.  The formal development of internal auditing as a profession was started by the railroads.  Railroad executives had to have some assurance that their stationmasters in many distant places were properly handling receipts and submitting all of the money that they should.  Railroad executives felt that the external auditors did not adequately address this issue because of a focus on the financial statements.
5 5 DifferencebetweenExternal & Internal Auditors The Internal Auditor…  Is employed by the organization.  Focuses on futureeventsby evaluating controls designed to assure the accomplishment of entity goals and objectives.  Is notindependentof the activities audited but is ready to respond to the needs and desires of management.  Behaves with objectivity even though they are not independent.  Is directlyconcernedwith the prevention of fraud in any form or extent in all aspects of the business.  Reviews activities continually. The External Auditor…  Is an independent contractor.  Serves third parties who need reliable financial information.  Focuses on the accuracy and understandability of historical eventsas expressed in the financial statements.  Is independentof management and the board of directors both in fact and in mental attitude.  Is incidentallyconcernedwith the prevention and detection of fraud in general, but is directly concerned when financial statements may be materially affected.  Reviews records supporting financial statements periodically – usually annually.
6 6 The Definition of Internal Auditing  Over the past few decades, the profession of internal auditing has undergone major changes.  The IIA defines Internal Auditing as: “An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”
7 7 IIA Professional Standards  The Standards are the criteria by which internal auditors perform their work.  The Standards are intended to represent the best practices of internal auditing.  The Standards have the following four purposes: 1) Delineate basic principles that represent the practice of internal auditing as it should be. 2) Provide a framework for performing and promoting a broad range of value-added internal audit activities. 3) Establish the basis for the evaluation of the internal audit performance. 4) Foster (support) improved organizational processes and operations.
8 8 Professional Standards  The professional Standards consist of Attribute Standards, Performance Standards and Implementation Standards.  Attribute Standards are concerned with the characteristics of the organization and the parties who will be performing the auditing activities.  Performance Standards describe the internal audit activities and criteria against which the performance of these services can be evaluated.  Implementation Standards apply to the specific types of engagements, whether assurance or consulting.
9 9 1000: Purpose, Authority and Responsibility  According to the Standards, “the purpose, authority, and responsibility of the internal audit activity (IAA) must be:  Formally defined in a charter,  Consistent with the Definition of Internal Auditing, the Code of Ethics, and Standards, and  Approved by the board.”  The IAA should encompass every part of the organization’s operation, and should have access to the company’s documents, records or properties.  Internal auditing has developed to assist management in carrying out its monitoring responsibilities effectively and efficiently.  The IAA should promote effective control at a reasonable cost.
10 10 Organizational Status of the IAA  In order for the IAA to accomplish its responsibilities it must have the necessary status within the organization.  To have the necessary status the IAA should report to the board of directors through the audit committee.  Along with organizational status the IAA must also have organizational independence.  This means that the IAA should not have relationships with the various departments it will be auditing.  Status and independence can be achieved by having a properly designed Internal Audit Charter.
11 Review Text Questions Q1-3, page 8
12 12 The Internal Audit Charter  It is the Charter that provides the IAA with the formal mandate to do its work.  The Charter should be written by and come from the board of directors and senior management.  The Charter should include:  The scope of the services and work to be performed,  The objectives of the IAA,  The authority that the IAA has to access records, personnel and physical properties in the organization,  The accountability of the IAA, and  The responsibility of the IAA.
13 13 The Charter  The IAA should report to an organizational level that is high enough to be effective, and independent of the functions that will be audited.  This means that the Chief Audit Executive (CAE) should report to the Chief Executive Officer (CEO), or board of directors.  The accounting department, chief accountant or finance director would not normally be a good level to report to.  Ideally the CAE should:  Functionally report to the audit committee or its equivalent and  Administratively to the CEO.
14 14 The Audit Committee  The audit committee is a subcommittee of the board of directors.  The members of the audit committee should be external directors.  The audit committee itself should have its charter approved by the board.
15 15 The Audit Committee, continued  The primary duties and responsibilities of the audit committee are:  To ensure that the external auditors are completely independent.  Discuss with management and external auditor the effects of changes in accounting standards, and the implications of these proposed changes.  Ensure that both internal and external auditors have sufficient resources to carry out their functions.  Act as a mediator between management and the auditors if there is a dispute.  Appoint or replace the external auditor, who shall report directly to the Audit Committee.  Be directly responsible for the compensation and oversight of the work of the external auditor.
16 16 The Audit Committee, continued  Other functions of the Audit Committee include:  Review copies of all external and internal audit reports and communications, and management’s response to them.  Review all financial communications and statements to be publicly issued.  Review the strategy, activity and work plan of the IAA.  Review evaluations of risk management, control and governance reported by the auditors.  Communication as necessary with the CEO.  Review policies to eliminate illegal and unethical practices.
17 Review Text Questions Q4-7, page 10
18 Consulting Services 18
19 19 ConsultingServices  As we have seen in the beginning, internal auditing has expanded to include consulting services.  Consulting services are defined as “advisory and related client services, the nature and scope of which are agreed upon with the client and which are intended to add value and improve an organization's operations.”  Examples include counsel, advice, facilitation, process design and training.
20 20 ConsultingServices, continued  Consulting services undertaken by the IAA may be formal or informal, and they may or may not be connected to an assurance engagement.  There are 12 principles to help guide the internal auditor.  Valueis addedby the IAA when they perform both assurance and consulting services. The IAA is in a very good position to provide consulting services to the company because of its professional standards and its knowledge of the company and its operations.  The fact that the IAA is able to provide consulting services (and any other appropriate services) should be includedin theinternalaudit charter. Additionally, any rules or standards applicable to the consulting services should also be included in the charter.
21 21 ConsultingServices, continued  Principles, continued.  The IAA may also provide other services besides assurance and consulting, i.e., investigating fraud, and due diligence.  Consulting servicesdo not impair the objectivityof either the individual internal auditor or the IAA (objectivity is addressed in more detail separately). However, the auditor needs to remember that his/her first duty is as an auditor and so all actions need to be governed by the applicable internal audit guidelines and standards as applicable. Objectivity is not impaired as long as the internal auditor provides advice and does not take ownership of a specific process.
22 Independence and Objectivity 22
23 23 1100: Independence andObjectivity  Independence is an issue for the internal auditor, as well as the external auditor.  Because internal auditors are auditing the company that employs them, it is impossible for the internal auditors to be independent in the same manner as external auditors.  Therefore, internal auditors use a different term to refer to the way they act in the performance of their work. The term is “objective.”  Internal auditors must be objective in their work, and the IAA needs to be independent with the organization.  Considered independent and objective if they perform their work freely and objectively.
24 24 Independence and Objectivity, continued  Independence is achieved largely through the organizational status of the IAA.  The independence of the IAA is enhanced if it reports directly to the board of directors.  If they report to the chief accountants and it is perceived that they do not add value to the organization, or are not viewed as important by the board, the IAA will have less independence and their work will be less useful to the organization.
25 25 1110: Organizational Independence  The ideal reporting line is for the CAE to report administratively to the CEO of the organization, and functionally to the audit committee, board of directors, or some other appropriate governing authority.  Functional reporting is the ultimate source of independence and authority for the IAA.  Administrative reporting is the reporting relationship within the organization’s management structure that facilitates the day-to-day operation of the IAA.
26 26 1120: Individual Objectivity  In addition to independence, the IAA as a whole has to remain objective.  Remaining objective means  Being impartial,  Having an unbiased attitude, and  Avoiding conflicts of interest.  Conflicts of interest should be minimized.  For example, someone involved in an engagement should not audit an area where that person’s friend works.  In addition, the acceptance of a gift or money from a client will impair the objectivity of the auditor, even if the auditor maintained objectivity.
27 27 1130: Impairments to Independence or Objectivity  Any time that there is a conflict of interest, or objectivity has been impaired, the auditor should inform the CAE and the auditor should be removed from that particular engagement.  If impairment arises during an engagement, it should be reported immediately to the manager of the engagement.  Objectivity is not considered impaired if the auditor recommends standards of control or review procedures before being implemented.  Objectivity is considered to be impaired if the auditor designs, installs, or draft procedures for, or operates such systems.
28 28 Impairment to Objectivity, continued  Objectivity is assumed to be impaired if an auditor performs an assurance review of any activity over which he or she recently had responsibility.  Individuals who are assigned to or transferred to the IAA should not audit areas that worked unit a reasonable period of time has elapsed (at least one year).
29 29 Objectivity in ConsultingEngagements  For a number of reasons it is more common for internal auditors to provide consulting services relating to operations for which they had previous responsibility.  This is not forbidden, but the internal auditor should still act in an independent and objective manner.  To assess objectivity, the internal auditor should consider:  The appropriate requirements of the standards of the profession.  Expectations of the stakeholders, directors, the audit committee and legislative bodies.  Restrictions that are in the charter.  Disclosures that may be required by standards.  Subsequent audit work, its scope and coverage.
30 Review Text Questions Q8-9, page 14
31 Proficiency and Due Professional Care 31
32 32 1200: Proficiency and Due Professional care  The Standards states that “Engagements must be performed with proficiency and with due professional care.”
33 33 1210: Proficiency  Proficiency is when an individual possesses the knowledge, skills and other competencies needed to perform their individual responsibilities.  The skills and knowledge necessary for the internal auditor to perform his or her job will depend on the work needed to be performed. For example, if an internal auditor does a lot of financial statement work, then he or she needs skills related to the appropriate GAAP (IFRS, US GAAP…).  On the other hand, if an internal auditor works in the area of internal controls, then detailed knowledge of GAAP would probably not be necessary.
34 Proficiency, continued  Related to proficiency are two other terms that you have to understand. These terms are understanding and appreciation.  Understanding is the ability to  Apply broad knowledge to situations likely to be encountered,  Recognize material deviations, and  Be able to perform research to arrive at conclusions.  Appreciation is the ability to:  Recognize the existence of problems and potential problems, and  Determine if further work is required. 34
35 35 Proficiency, continued  If the internal auditor does not have the needed skills and competencies to perform the engagement, the CAE has to either decline the engagement or go outside the department to get the skills.  If using the services from an outside service organization, the CAE also needs to consider the independence and objectivity of the outside organizations.  Any work done by an outside organization needs to be reviewed by either the CAE or other internal person with sufficient experience and understanding to review the work.
36 Review Text Questions Q10-14, page 16
37 37 1220: Due Professional Care  Due professional care means that internal auditors need to apply the skill and care expected of a reasonable competent and prudent internal auditor.  This means that an internal auditor is not expected to perform a detailed review of every statement or document they receive, but are expected to examine and verify the documents as appropriate given the information contained in them.  Material items will be examined in more detail than immaterial items.
38 Review Text Questions Q15-17, page 20
39 39 1230: Continuing Professional Development  Certified Internal Auditors (CIA) are required to maintain the skills and knowledge necessary to successfully complete their tasks, which is done through Continued Professional Development, referred to as Continuous Professional Education (CPE).  CPE is a method of helping keep the internal auditor informed about improvements and current developments in internal audit standards, procedures, and techniques.  CIAs must obtain sufficient CPE credits in order to satisfy requirements related to the professional certification held.
40 Quality Assurance and Improvement Program 40
41 41 1300: Quality Assurance and ImprovementProgram  A function of the CAE is to be assured of the quality of the work performed by the internal audit activity.  Based on the Standards, the CAE must develop and maintain a Quality Assurance and Improvement Program (QAIP) that covers all aspects of the IAA and continuously monitors its effectiveness.  The QAIP should include both  Periodic internal and external quality assessments and  Ongoing internal monitoring.  In essence, the IAA is really auditing itself.
42 42 1310: Requirement of QAIP  The CAE is responsible to implement a quality program that monitors and assesses the overall effectiveness of the quality program.  Quality program must include both internal and external assessments.  The purpose of the quality program is for the company’s stakeholders to feel comfortable with the services the IAA is providing to the organization.
43 43 1311: Internal Assessments  Internal reviews should be carried out periodically to assure the CAE that subordinates are complying with the Standards and other applicable criteria.  Internal assessment must include ongoing review of performance of the IAA, as well as a periodic review of the program from an independent person within the organization who is familiar with the internal auditing program.  Ongoing review could include:  Supervising the internal auditor’s work during an engagement,  Feedback from audit customers and other stakeholders,  Analyses of performance metrics (e.g., cycle time and recommendations accepted), and  Project budgets, cost recoveries, etc.
44 Internal Assessments, continued  Periodic internal assessments may:  Be more in-depth interviews and surveys of stakeholder groups,  Be performed by members of the IAA (self-assessment),  Be performed by CIAs, or other competent audit professionals,  Encompass a combination of self-assessment and preparation of materials subsequently reviewed by CIAs, or other competent professionals, and  Include benchmarking of the IAA practices and performance metrics against relevant best practices of the internal audit profession.
45 45 External Assessments  External assessments are performed by an external party.  It is recommended that an external assessment is conducted at least once every five years.  External reviewers must be independent of the organization and of the IAA.  External assessor will tend to focus on:  The adequacy of the IAA charter,  The goals, objectives, policies and procedures of the IAA,  Whether or not the IAA complies with the Definition of Internal Auditing, Code of Ethics, and Standards,  The skills and work performed by the individuals in the IAA, and  Whether or not the IAA adds value and improves operations.
46 46 External Assessments, continued  There are two approaches to conducting an external assessment: 1. Have a full external assessment conducted by an external assessor, or review team, or 2. Have an independent validation of the internal self- assessment and a report completed by the internal audit activity.  You would prefer to have the full external assessment, but might not always be possible, or practical. Examples, might include:  Be in an industry that is subjected to strict regulation and supervision,  Have been subjected to an external review in which there was extensive benchmarking with best practices, and
47 47 1320: Reportingon the QAIP  The results of the external assessment must be reported to the board.  The assessor issues a formal, written report that contains an opinion on the IAA’s compliance with the Standards.  The report should also address compliance with the IAA charter and other applicable standards and include appropriate recommendations for improvement.  Appropriate follow-up is the responsibility of the CAE.
48 48 1321: “Conforms withthe Standards”  Internal auditors are encouraged to report that their activities conforms with the International Standards for the Professional Practice of Internal Auditing.  This statement can be used only if the quality assessments demonstrate that the internal auditors are, in fact, in compliance with the Standards.  In case full compliance is not possible due to lack of skilled and qualified personnel, or for some other reason, disclosure of noncompliance should be made to senior management and the board. Noncompliance might be due to the lack of skill and qualified people, or for some other reason.
49 Review Text Questions Q18-23, page 22
50 The IIA ‘Code of Ethics’ 50
51 51 The IAA‘Codeof Ethics’  The ‘Code of Ethics’ is intended to be an ethical guide of conduct for internal auditors.  The IAA ‘Code of Ethics’ applies to both individuals and entities that provide internal auditing services.  The two essential components of the Code are:  Principles are the values that internal auditors are expected to uphold, and  Rules of Conduct are an aid for interpreting the Principles into practical applications and are intended to guide the ethical behavior of the internal auditors.
52 52 Principles  There are four principles that internal auditors are expected to follow: 1. Integrity – The integrity of the internal auditors establishes trust and thus provides the basis for reliance on their judgment. 2. Objectivity – The internal auditors are expected to exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. 3. Confidentiality – Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so. 4. Competency - Internal auditors apply the knowledge, skills, and experience needed in the performance of internal auditing.
53 53 Rulesof Conduct 1. Integrity - Internal auditors:  1.1. Shall perform their work with honesty, diligence, and responsibility. [In other words, the auditor does the right thing.]  1.2. Shall observe the law and make disclosures expected by the law and the profession.  1.3. Shall not knowingly by a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.  1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.
54 54 Rulesof Conduct 2. Objectivity – Internal auditors:  2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.  2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment. [For example, a material gift (use of beach house) is considered to impair objectivity.]  2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review. [For example, there may be some items that were capitalized instead of expensed. This fact needs to be disclosed to management and the Audit Committee.]
55 55 Rulesof Conduct 3. Confidentiality – Internal auditors:  3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.  3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization. 4. Competency – Internal auditors:  4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience.  4.2. Shall perform internal auditing services in accordance with the International Standards for the Professional Practice of Internal Auditing.  4.3. Shall continually improve their proficiency and the effectiveness and quality of their services.
56 Review Text Questions Q24, page 29
57 57 SECTION B MANAGING THE INTERNAL AUDIT ACTIVITY
58 58 Section B  Section B covers the topics of planning, communications, resource management, policies and procedures, and coordination.  This section will account for approximately 15 – 25% (15 – 25 questions) of the Part 1 Exam.  The main topics within this section are:  Planning and Communication,  Resource Management,  Policies and Procedures, and  Coordination.
59 59 2000: Managingthe IAA  The CAE must manage the IAA to ensure that it adds value to the organization as a whole.  The CAE’s responsibility is to ensure that:  The engagement work fulfills the general purposes and responsibilities described in the charter that was approved by senior management and accepted by the board of directors (or audit committee).  The resources of the IAA are efficiently and effectively employed.  Engagement work that is performed conforms to the Standards for the Professional Practice of Internal Auditing.
60 60 2010: Planning  The CAE must establish risk based plans to determine the priorities of the IAA, and make certain that they are consistent with the organization goals.  Planning includes the establishment of:  Goals,  Engagement work schedules,  Staffing plans and financial budgets, and  Activity reports.  Now we want to discuss next category in more depth.
61 61 Goals  The goals that are set for the IAA should be:  Specific - Goals should be specifically defined.  Measurable - The method of measuring the goals should be defined.  Agreedto – All interested parties should agree on the stated goals. Interested parties include senior management and the board.  Realistic andAchievable– Goals must realistic and they should be attainable. If they’re not, then they are superfluous.  Timely- Goals should be specific as to when they are to be achieved. As we can see, the goals of the IAA should be SMART.
62 62 Engagement WorkSchedule  The engagement work schedule is a critical responsibility and is relevant at both the larger IAA level as well as each individual engagement.  Specific work schedule should include:  What engagements should be performed,  When they will be performed,  The estimated time required to perform the engagements, and  Which engagements should be given higher priority.  Once these questions have been answered, it is then possible for the individual work program for a specific engagement to be developed.
63 63 Engagement WorkSchedule, continued  The CAE makes the final decision regarding which engagements will be performed.  The consideration of risk is one of the most important elements in determining which engagements have the highest priority.  But, risk is not the only factor in prioritizing the engagements. Other important factors are:  The length of time since the last engagement was performed.  Request from senior management, audit committee, etc.  Changing circumstances in the business, programs, etc.  Changes in risk environment.  Potential benefits that could be achieved.  Changes in the skills of the staff.
64 64 Long-termPlanning  The CAE needs to look beyond the short or immediate term.  The CAE needs to establish a longer term strategic plan.  The purpose of this plan is to make sure that all areas of the business are audited at least periodically.  Some areas (based on risk assessment) might need annual auditing, or even more often, while other areas may be addressed once every two or three years.  Without a long-term plan, it could be possible that one area of the business would never be audited because it would never meet the requirements for the short-term audit.
65 Review Questions 25-31, pg. 35
66 66 2030: Resource Management  The CAE has to make sure the internal audit staff are professional. This means the “right people are in the right positions.”  According to the Standards, “the CAE must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.”  The CAE needs to oversee the assignment of individual staff to the engagements (both short and long term).  In the short term, engagements should be staffed by auditors who can get the job done at the highest level.  However, in the long term, staff might be assigned to jobs that will allow them to grow so they can become senior auditors.
67 67 Resource Management, continued  Some of the things to consider when assigning staff to individual engagements.  The complexity of the engagement,  The resources that are available in IAA,  The experience (skill level) of the staff, and  The training and developmental needs of the audit staff.
68 68 Recruitingand Promoting  A big issue for the IAA is its ability to recruit qualified audit staff and keeping them within the organization.  This is something that both the CAE and the HR function will be involved in.  When recruiting, the most important criterion is the education and experience of the candidate.  This does not mean that every candidate needs to be a CIA, but they should be able to provide some indication that they can get the job done.  Not every staff member needs to be a trained accountant.  Candidates should be good communicators (both written and oral).
69 69 Recruitingand Promoting, continued  Once the staff has been hired, the next HR issue relates to staff promotion and filling of higher-level positions in the IAA.  When a higher-level position become available, there are two basic options in filling the position.  Hire someone from inside the organization, or  Hire someone outside the organization.  The advantage of hiring someone from inside the organization are:  It is often done quicker and requires less ‘start-up’ time for the person.  The person knows the company, so there is less risk involved.  It is also a good motivating factor.
70 70 Recruitingand Promoting, continued  Hiring someone from outside the organization is riskier, but it also has its advantages.  The outside person could bring new ideas and new perspective to the job.  It is also possible that management training costs could be lower since it is assumed that the person is already trained.  An important basis for recruitment and promotion of staff is the job description.  The job description lists the necessary skills and requirements for the position.  Having detailed and complete job descriptions makes it easier for the CAE to determine if the IAA is properly staffed.
71 71 Training, Staff Development and Performance Evaluations  The CAE is also responsible for the training, counseling and performance evaluations of the staff.  Training should have the goal of providing the staff with the necessary skills to perform their jobs in the short term, and broaden skills in the long term.  A well-developed training program is an excellent recruiting tool for the company.  Counseling and mentoring program is an excellent way of developing staff.
72 72 Training, Staff Development and Performance Evaluations  Performance appraisals should be conducted at least annually, and more often if needed.  Performance reviews give employees the opportunity to identify their weaknesses and give them an opportunity to improve their performance.  The evaluation should not be based on likes or dislikes, or other non-job related factors.  There should be sufficient time for everyone to prepare for the evaluation.  The evaluation can be a standard form (and will be standard form in large companies).
73 Review Questions 32-33, pg. 40
74 74 2060: Reportingto Senior Management and Board  “The CAE must periodically report to senior management and the board on the IAA’s purpose, authority, responsibility, and performance relative to its plan.”  “Reporting must also include significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by senior management and the board.”
75 75 ActivityReports  The CAE must submit and activity report to senior management and the board at least once a year.  This should be done if the work volume or nature of the work requires closer involvement of the board. This may be the case if there are high-risk areas that are being audited.  Activity reports should:  Be communicated in writing (preferably),  Highlight significant engagement observations,  Identify recommendations that have arisen from the engagement,  Compare actual performance with the IAA’s goals,  Compare expenditures to financial budgets.
76 76 Significant Engagement Observations  Significant observations are those conditions that, in the judgment of the CAE, could adversely affect the organization.  Examples might include: illegal acts, errors, inefficiency, waste, ineffectiveness, conflicts of interest, and others.  After discussion with senior management, the CAE should communicate these significant engagement observations and recommendations with the board, whether or not they have been satisfactorily resolved.
77 77 Management Responsibility for Significant Engagement Observations  Management is responsible to make decisions on the appropriate action to take regarding significant engagement observations and recommendations.  Management may decide to assume the risk of not correcting the reported condition because of cost and other considerations.  Management needs to inform the board of their decision on all significant observations and recommendations.  Internal auditors should only provide the information and alternative courses of action.
78 78 CAE Considerations on ReportingSignificant Engagement Observations  The CAE should consider whether it is appropriate to inform the board regarding previously reported, significant observations and recommendations in those instances where senior management and the board assumed the risk of not correcting the reported condition.  If the board is aware of the risks and has chosen to not address them, the item probably does not need to be reported each year.  However, if there has been significant changes in the organization, board, or senior management, the item should probably be reported again.
79 79 Relationship withAudit Committee  Internal auditors are the “eyes and ears” of the audit committee.  Internal auditors should be the committees’ trusted advisors.  Keys to the relationship are:  Assisting the audit committee to ensure that its charter, activities, and processes are appropriate to fulfill its responsibilities.  Ensuring that the charter, role, and activities of internal audit are clearly understood and responsive to the needs of the audit committee and the board.  Maintaining an open, effective communications with the audit committee and the chairperson.
80 80 Communications withthe Audit Committee  To a great extent, the effectiveness of the CAE will revolve around the communications between the CAE and the audit committee.  Good communications is fostered by:  Meeting regularly with the committee to discuss sensitive issues.  Providing annual summary reports.  Issuing periodic reports summarizing results of the IAA.  Keeping the audit committee informed of emerging trends, etc.  Discussing fulfillment of committee information needs.  Reviewing information submitted to the committee for completeness and accuracy.  Confirming there is an effective and efficient work coordination of activities between internal and external auditors.
81 Review Questions 34-37, pg. 44
82 82 2020: Communication and Approval  CAE needs to ensure that the plans and resources requirements are communicated to senior management and to the board for review and approval.  Communications should include any significant interim changes, and the impact of resources limitations.  Engagement plans and resource requirements must be submitted on an annual basis and should include a summary of the IAA’s work schedule, staffing plan and financial budget.  This type of information will ascertain whether the IAA objectives and plans are congruent with the organization.
83 83 2040: Policies and Procedures  The CAE must also establish policies and procedures to guide the IAA and the individual internal auditors in their work.  The extent, depth and formalization of the policies and procedures will depend upon the size and structure of the IAA and the complexity of the IAA’s work.  A small IAA will be managed much more informally with a lot of personal and daily contact.  A larger IAA will be managed much more formally with a more formal set of policies and procedures.
84 Review Questions 38-39, pg. 46
85 85 2050: Coordination of Activities  The CAE has the responsibility to share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts.  Internal and external participants might include:  External auditors,  Regulatory oversight bodies (e.g., government auditors, etc.), and  Other internal assurance functions (e.g., health and safety dept.)
86 86 Coordination withExternal Auditor  Coordination with external auditor is important because of the potential to increase the efficiency of both audit areas and reduce the cost of the external audit.  Two main reasons why the level of coordination between the external and internal auditors is growing and becoming more of an issue for companies:  The internal auditing profession has become increasingly professional with more internal auditors being former external auditors or professional internal auditors.  The cost of external audit has grown so much in recent years that companies are looking for any way to reduce the costs.
87 87 Assistance Provided by the Internal Auditor  This is the area where the CAE can reduce the cost of the external audit by providing support, direction and do some of the testing for the external auditor.  Before the external auditor will rely on any of the work of the internal auditor, the external auditor needs to assess the competence and objectivity of the internal auditor.  Competence is whether or not the IAA has the needed skills and abilities to perform acceptable work.  Objectivity is whether or not the IAA performs its work without any influence from management or others in the organization.  Even if the the external auditor relies on the work done by the IAA, the external auditor will still need to review the work of the IAA.
88 88 Assistance Provided by the External Auditor  There might be cases where the work of the external auditor will be beneficial and useful to the internal auditor.  In these cases, the internal auditor can rely on some of the work performed by the external auditor, as long as the CAE is comfortable with the work that was done by the external auditor.  Just as the external auditor reviewed the work of the internal auditor, the internal auditor will want to review the work that was done and the conclusions drawn.  Review of the external’s work will require the permission of the external auditor.
89 89 Control andUse of the Auditors’ Working Papers  Working papers contain all of the work and tests that were performed during the engagement and they will be the basis for the conclusions drawn by the internal auditor.  Working papers belong to the party that developed them.  This means that the working papers of the external auditor belong to the external auditor.  Likewise, the working papers of the internal auditor belong to the internal auditor.  The CAE should not provide the external working papers to anyone without the permission of the external auditor.
90 Review Questions 40-42, pg. 48
91 91 Coordination withRegulatoryBodies  Some industries such as banking and insurance are heavily regulated. Thus, they will be audited by a government agency.  In these cases, the CAE should coordinate audits with the regulatory body that is responsible for the oversight of the company.  This coordination should be done with the approval of the board.  A benefit to the organization is that the internal auditor would be given the chance to provide of compliance testing through its internal working papers and other documents.
92 92 Coordination withother Internal Assurance Functions  It is possible that there are other dept within the organization are equally concerned with control.  Even though, their interest might be only on the technical aspect, it is highly probably that these control measures may complement the internal auditor’s interest in the administrative forms of controls. Examples might be:  Security dept is concerned with control over specific irregularities.  Quality control dept is concerned with control over product reliability and conformance to specifications.  Safety and health dept is concerned with control over accidental prevention.  Industrial engineering dept is concerned with control over operating practices and procedures.
93 Review Questions 43-45, pg. 51
94 Sarbanes-Oxley Act
95 95 Sarbanes-Oxley Act  The Public Company Accounting Reform and Investor Protection Act of 2002, or more commonly referred to as the Sarbanes-Oxley Act (SOX) was enacted in response to the accounting scandals of Enron, WorldCom and others.  The primary purpose of SOX is to:  Improve quality and transparency of financial reports.  Enhance the standard setting process for accounting practices.  Strengthen the independence of public accounting firms.  Increase corporate responsibility.  Protect the objectivity and independence of securities analysts.
96 96 SOX provisions  Many of the act’s provisions had to do with the external auditor, but many had to do with internal control issues, particularly in regard to the audit committee and board.  These provisions include:  Audit committees are to be directly responsible for the appointment (subject to shareholder approval), compensation, and supervision of the registered public accounting firm. This overview includes resolution of any disagreements between management and the auditor regarding financial reporting.  Audit committees are to be provided with the proper authority and funding to engage independent counsel and advisors.  Auditors (both internal and external) are required to report to the audit committee.  Members of audit committee have to be independent.
97 97 SOX provisions  The audit committee should have at least one financial expert. If not, then the fact should be disclosed.  Audit committee should adopt written procedures to receive and address complaints regarding accounting, internal controls and auditing issues, including procedures to maintain the confidentiality of the whistle blower.  It is unlawful for any corporate officers or director to knowingly to manipulate or mislead any accountant engaged in preparing an audit for the purpose or rendering the audit report materially misleading.  There should be a statement saying management is responsible the company’s internal controls.  The company is required to disclose whether it has adopted a Code of Ethics.
98 Review Questions 46-47, pg. 53
99 99 SECTION C NATURE of the INTERNAL AUDITOR’S WORK
100 100 Section C  In Section C we start to discuss the nature of the internal auditor’s work, including what it entails and how it contributes to the improvement of an organization’s risk management, control and governance processes.  Control and control processes will be discussed in Section D.  This section will account for approximately 15 – 25% (15 – 25 questions) of the Part 1 Exam.
101 101 2100: Nature of the Internal Auditor’s Work  The work that the internal auditor is going to be doing is diverse and covers all of the different areas of the business.  The function of the IAA is to contribute to the improvement of risk management, control and governance processes.  “The adequacy of risk management, control, and governance processes is present if management has planned and designed for these items in a manner, which provides reasonable assurance that the organization’s objectives and goals will be achieved efficiently and economically.”
102 102 Nature of Work  Management is responsible:  For the sustainability of the whole organization, and  Accountability for the organization’s actions, conduct and performance to the owners, other stakeholders, regulators, and general public.  Primary purpose of the overall management process are to achieve:  Relevant, reliable and credible financial/operating information,  Effective/efficient use of the org. resources,  Safeguarding of assets,  Compliance with laws, regulations, etc.,  Identification of risk exposures and use of strategies to control them, and  Establish objectives and goals for operations or programs.
103 103 Nature of Work, continued  Control is any action taken by management to enhance the likelihood that established objectives and goals will be achieved.  Controls may be:  Preventive – to deter undesirable events from occurring,  Detective – to detect and correct undesirable events which occur, or  Directive – to cause or encourage a desirable event to occur.
104 Review Questions 48-53, pg. 55
105 105 Information Security  It is management’s responsibility to ensure that company information is properly safeguarded.  Internal auditors should also work to ensure that any potential problems related to information security will be reported to management and the board.  The CAE has to make certain that the IAA has the necessary skills and resources to evaluate the information security.  Internal auditors need to assess the effectiveness of the controls in place.  This assessment should be made periodically, including recommendations for improvement.
106 106 The Internal Auditor’s Role in Risk Management  Risk management is the responsibility of management.  The role of the IA is to assist both management and the board, i.e., audit committee by examining, evaluating, reporting and recommending improvements on the adequacy and effectiveness of management’s risk processes.  The role of the IA is likely to be determined by such factors as culture in the organization, ability of the IA staff, and local conditions and customs of the country.  If IA’s come across risk exposures in any engagement, this should be addressed and evaluated further as necessary.
107 107 IA’s Role without a Risk Management Process  Possible that the company does not have an established risk management process.  If this is the case, than the IA needs to bring this to the attention of management.  It is generally acceptable for IA to play a proactive role in the development of such system.  However, caution must be taken to ensure that the IAA is not too closely involved as this might impair their independence for future work regarding risk.
108 108 Compliance Programs  All companies in all countries have to be in compliance with something.  Compliance programs provide guidance for individuals within the organization to prevent inadvertent employee violations, detect illegal activities and discourage intentional employee violations.  In addition, these compliance programs can also help prove insurance claims, determine director and officer liability, create or enhance corporate identity, and decide the appropriateness of punitive damages.  Regarding compliance, organizations should develop a written business code of conduct.
109 109 Compliance Programs, continued  In addition, there should be an organizational chart that outlines who is responsible for compliance issues.  The code of conduct must be communicated to all members of the organization once it is created.  Important that the code is enforced in the same manner for all individuals, regardless of level.  When a violation occurs, it must be documented and kept in the individual’s personal file. This is necessary to support why the individual was fired.  The violation should be documented even if not significant disciplinary action is taken.
110 Review Questions 54-59, pg. 58
111 111 Control & Audit Implications of E-commerce Activities  E-commerce is defined as “conducting commercial activities over the Internet.” E-commerce can be B2B (business to business), B2C (business to consumer), and B2E (business to employee).  Major elements of auditing E-commerce are:  Assess the internal audit structure, including the tone at the top,  Provide reasonable assurance that goals and objectives can be achieved,  Determine if the risks are acceptable,  Understand the information flow,  Review interface issues,  Evaluate the business continuity and disaster recovery plans.
112 112 E-commerce, continued  The CAE needs to assess whether the IAA has the necessary skills and capacity to conduct an E-commerce engagement.  Factors that constrain the IAA are:  Does the IAA have the sufficient skills to conduct the engagement?  Are training or other resources necessary?  Is the staffing level sufficient for the near-term and long-term?  Can the expected audit plan be delivered?
113 113 E-commerce, continued  The difference between auditing a regular business system and an e-commerce system are that  There may not be any hard copies,  Some data may exist for a very short period of time, or  There is no paper trail at all.  The critical risk and control issues that the IA must address are:  General project risk,  Specific security threats, such as denial of service, physical attacks, viruses, identity theft, and unauthorized access or disclosure of data,  Maintenance of transaction integrity under complex network of links to legacy systems and data warehouses,
114 114 E-commerce, continued  Website content review and approval when there are frequent changes and sophisticated customer features and capabilities that offer around-the-clock service,  Rapid technology changes,  Legal issues, such as increasing regulations throughout the world to protect individual privacy; enforceability of contracts outside of the organization’s country; and tax and accounting issues, and  Changes to surrounding business processes and organizational structures.
115 115 Audit Objectives forE-commerce Audit  The audit objectives for an E-commerce engagement may include:  Evidence of E-commerce transactions,  Availability and reliability of security systems,  Effective interface between E-commerce and financial systems,  Security of monetary transactions,  Effectiveness of customer authentication process,  Compliance with common security standards,  Effective use and control of digital signatures,  Adequacy of systems policies and procedures,  Adequacy and timeliness of operating data and information,  Documented evidence of an effective system of internal control.
116 Review Questions 60-62, pg. 63
117 117 Environmental Risks  Internal auditors should include risks in the areas of the environment, health and safety (EH&S).  This is particularly important where there are very high fines and penalties for environmental damages, employees rights lawsuits, and safety liability.  The CAE needs to determine that these risks have been assessed and addressed as needed.  In larger companies, this may be done by a separate environmental audit function.  When there is a separate function, the org. needs to make sure that it does not report to the group or individuals responsible for these areas.
118 118 Privacy  Privacy includes “individuals’ rights to be left alone and for any pertinent information of an individual not to be disclosed by other parties that happen to possess such information. This means that a company must keep control over the personal information it has about its customers and may not release this information to third parties without parties without the individual’s agreement.”  The privacy of information is also maintained and not distributed to unauthorized people, even within the organization. Example, the company’s database should not be disclosed to a third party without the proper consent of the customer.
119 119 Privacy, continued  Implications to the organization for these vulnerabilities are numerous.  To the individual, this could be embarrassment, inconvenience, unfairness, and others.  To the organization, these negative implications could include lawsuits, penalties, fines and of particular importance, negative goodwill and negative publicity.  There are no guarantees, but organizations have the responsibility to ensure that all reasonable measures have been enacted to safeguard data and information.
120 120 2110: Risk Management  The IAA must assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.  Risk is the probability that some future envent or action could adversely impact the organization. Risk is based in terms of impact (in dollars) and likelihood (probability).  Risk assessment is the process of assessing and integrating professional judgment about probable adverse conditions and/or events.  Risk management is the process to identify, assess, manage, and control potential events or situations, to provide reasonable assurance regarding the achievement of the organizations
121 121 Roles in Risk Management Process  The responsibility of assessing the potential risks falls on the shoulders of management.  This is an on-going process and management has the responsibility to review and make necessary changes in order to mitigate potential risks that can hinder the achievement of objectives.  The board of directors (and audit committee) have the responsibility to provide an oversight role, making sure that the proper level of risk management is in place and effective.
122 122 Roles, continued  Internal Auditors assist management, board, and/or committee by examining, evaluating, testing, reporting and recommending improvements in the adequacy of the organization’s risk management system.  The IAA’s role in the risk management process can range from:  No role, to  Auditing the risk management process as part of the internal audit plan, to  Active, continuous support and involvement in the risk management process.  Managing and coordinating the risk management process. In this case, the IA is not taking ownership of the risk, only the process.
123 123 Assessing the Adequacy of Risk Management Process  The IAA should evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding the:  Reliability and integrity of financial and operational information,  Effectiveness and efficiency of operations,  Safeguarding of assets, and  Compliance with laws, regulations, and contracts.  The five key objectives of a risk management process are: 1. Risks that arise are identified and prioritized. 2. Management and the board have determined the level of risk that is acceptable to the organization.
124 124 Risk Management Processes 3. Risk mitigation activities are designed and implemented to reduce risk at levels that are acceptable. 4. Risk is periodically reassessed on an ongoing basis. 5. Reports are given periodically to the board and management on the results of the risk assessment process.  The IAA needs to assess whether or not these five objectives have been met in order to form an opinion on the adequacy of the risk management processes.  Internal auditors need to continuously look for things that may indicate a problem or cause for concern related to risk management.
125 125 Assessing the Adequacy of Risk Management ProcessesforFormal ConsultingServices  Consulting service is defined as advisory and related client service activities, the nature and scope of which are agreed upon with the client, i.e., counsel, advise, facilitation and training.  Internal auditors should address risk consistent with the engagement’s objectives and should be alert to the existence of other significant risks.  With consulting services, the internal auditor should:  Determine the significance of exposures or weaknesses and the actions taken or contemplated to mitigate or correct these exposures or weaknesses; and  Ascertain the expectations of management, the audit committee and board in having these matters reported.
126 Review Questions 63-66, pg. 65
127 127 Business Continuity Process  Business continuity process has to do with the organization’s ability to continue to operate during some sort of crisis or disaster, and its ability to restart operations after having been interrupted.  It is not a matter if a crisis will occur, but when.  Internal auditors can assist in the planning for disasters and other interruptions to the business; evaluate the design and comprehensiveness of the plan after it has been drawn up; and perform periodic assurance engagements to verify that the plan is kept up-to-date.
128 128 Business Continuity Process, continued  Need to be aware that disaster recovery plans can become quickly outdated.  Coping with and responding to changes is an inevitable part of the task of management.  Turnover of managers and executives and changes in system configurations, interfaces, and software can have a major impact on these plans.  The IAA needs to determine whether the recovery plan:  Is structured to incorporate important changes that could take place over time, and  The revised plan will be communicated to the appropriate people, inside and outside the organization.
129 129 Internal Auditor’s Role aftera Disaster  Once there has been a disaster, the internal auditor can play an important role immediately after a disaster occurs.  This is when the company is most vulnerable to lapses in controls and procedures, and could possibly lead to exploitation (internally and externally).  During recovery process the internal auditor should:  Supervise the effectiveness of the recovery and control of operations;  Identify areas where controls and mitigating actions can be improved;  Recommend improvements to the plan; and  Possibly provide support during the recovery activity.
130 Review Questions 67-68, pg. 71
131 131 2130: Governance  The IIA defines governance as the system by which organizations are directed and controlled.  Governance also includes the rules and procedures for making decisions on corporate affairs to ensure success while maintaining the right balance with the stakeholders’ interest.  The four cornerstones of corporate governance are the board, management, internal auditors and external auditors.  Effective governance means making sure that inappropriate and unethical behavior is not tolerated.  Review the 10 basic principles necessary in the development of sound corporate governance (pg. 72).
132 132 Role of the IAA in the Governance Process  The IAA serves as the “eyes and ears” of management, audit committee and external auditors.  As such, the IAA should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:  Promoting appropriate ethics and values within the organization,  Ensuring effective organizational performance management and accountability,  Effectively communicating risk and control information within the organization, and  Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.
133 133 Role of IAA in the Ethical Culture of an Org.  Corporate culture of the organization is very important in the creation of the ethical climate of the organization.  Ethical climate starts at the top, but all people should assume the role of ethics advocates.  Organizations use various forms, structure, strategies, and procedures to ensure that it:  Complies with society’s legal and regulatory rules,  Satisfies the generally accepted business norms, ethical precepts, and social expectations of society,  Provides overall benefit to society and enhances the interest of the specific stakeholders in both long term and short term, and  Reports fully and truthfully to its owners, regulators, other stakeholders, and general public to ensure accountability for its decisions, actions, conduct, and performance.
134 134 IAA as Ethical Advocate  Internal auditors and the IAA should take an active role in support of the organization’s ethical culture.  They possess a high level of trust and integrity within the organization and the skills to the effective advocates of ethical conduct.  They have the competence and capacity to appeal to the enterprise’s leaders, managers, and the other employees to comply with the legal, ethical, and societal responsibilities of the organization.
135 135 Assessment of the Organization’s Ethical Climate  Occasionally, the IAA should assess the state of the ethical climate of the organization and the effectiveness of its strategies, tactics, communications, and other processes in achieving the desired level of legal and ethical compliance.  Having written well-stated code of ethics does not necessarily guarantee that an organization will not have a higher standard of ethical behavior.  Nor does not having a code of conduct prevent the internal auditor from conducting a successful audit of ethical behavior since this behavior may already be documented in the company’s protocols.
136 Review Questions 69-70, pg. 76
137 137 SECTION D CONTROL
138 138 Section D  In Section D we will be covering topic of control, what it is, what are the components of control, and what are the tools used for controlling.  This section will account for approximately 20 – 30% (20 – 30 questions) of the Part 1 Exam.
139 139 2120: Control  It is through control that management is able to accomplish its wishes.  As defined by the IIA, control is “any action taken by management, the board, and other parties to enhance risk management and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.”
140 140 DefiningControl  Control can also be defined as “any action taken by management to enhance the likelihood that established objectives and goals would be achieved. Controls may be preventive (to deter undesirable events from occurring), detective (to detect and correct undesirable events which occurred), or directive (to cause or encourage a desirable event to occur). The concept of a system of control is the integrated collection of control components and activities that are used by an organization to achieve its objectives and goals.”
141 141 Benefits of Control  Controls are meant to provide assurance on the following:  Reliability and integrity of financial and operational information,  Effectiveness and efficiency of operations,  Safeguarding assets, and  Compliance with laws, regulations, and contracts.  Other benefits of control are:  Lower external audit costs,  Better control over and usage of company assets, and  More reliable information that may be used for decision making by managers and others in the company.
142 142 Who Benefits fromHavinga StrongInternal Control System?  There are a number of diverse parties that are interested in the internal control system of a company:  Potential investors rely on the IC system to be able to evaluate management and the performance of the company.  External auditors will base the amount of work that they perform in part on the effectiveness of the IC system.  Legislative and regulatory bodies rely on the IC system to help ensure that the company is operating in compliance with applicable laws and regulations.  Management uses the information that comes out of the internal systems so management needs to make certain that the information that they receive is correct.  Customers benefit with reduced costs.
143 143 Who is Responsible for Internal Controls  The Board of Directors is responsible for overseeing the internal control system.  The CEO is responsible for the “tone at the top.”  Senior management delegates the responsibility for the implementation of the IC system to the appropriate departments and personnel.  Financial and accounting officers and staff are the people with the most close contact with the IC system.  External parties such as independent auditors often provide information useful to effective internal control.
144 144 The Internal Auditor’s Role in the Control Process  Internal auditors is to evaluate the effectiveness of the organization’s systems of controls based on the aggregation of many individual assessments.  These assessments might come from the internal auditors own engagements, or from management’s self-assessment, or from the external auditors.  During the course of the internal auditor’s own engagement, the internal auditor should communicate to the appropriate level of management any, and all control discrepancies and weaknesses.  If discrepancies or weaknesses are found, this does not necessarily mean that it is pervasive and poses an unacceptable risk to the company.
145 145 Internal Auditor’s Role, continued  A report of the CAE on the state of the organization’s control processes should be presented, at least, once a year. More if deemed necessary.  The report should include major recommendations for improvement and information about current control discrepancies or weaknesses.  In addition the report can include information about current control issues and trends, such as technology and information security exposures, patterns of control discrepancies or weaknesses.  This information can add value to the report and minimize potential difficulties in complying with laws or regulations.
146 146 Internal Auditor’s Role, continued  In regards to the internal auditors role, there is a term to be familiar with. This term is “expectancy gap.”  Expectancy gap is where on the one hand management and the board usually have high expectations as to the level of assurance that is provided by the IAA.  But, on the other hand, there is the reality of what the IAA can actually provide assurance on. The IAA can only provide reasonable assurance but not a guarantee.
147 Reviewquestion 71, pg. 81
148 Control Self-Assessment (CSA)
149 149 Control Self-Assessment (CSA)  Control Self-Assessment (CSA) is an examination and assessment process of the effectiveness of the control system within an organization performed by the organization’s personnel with the help of facilitators.  This process is shared among all employees of the organization and responsibility for control is expanded to include all individuals of the organization.  The employees thereby become the process owners.  An important aspect of CSA is when people are able to identify their own problems, they are more committed to resolving them than they are if the same problems are identified for them in an audit.
150 150 CSA, continued  Assessments are performed through a series of workshops or meetings or by means of questionnaires.  Assessments can be applied to any area of the organization: projects, processes, business units, or functions.  Whatever format is used, the goal is to help organizations assess the likelihood of achieving their objectives by using the knowledge of the workers who are responsible for making it happen.
151 151 CSA Procedures  CSA procedures include the following:  Identifying potential risks and exposures,  Assessing the control processes that mitigate or manage those risks,  Developing action plans to reduce risks to acceptable levels, and  Determining the likelihood of achieving the business objectives.
152 152 Advantages of CSA  For an organization the primary advantages of a CSA program are that it:  Enhances employee understanding of the company’s risk and controls.  Enhances employee control consciousness.  Provides a mechanism for early risk detection.  Encourages more open communication, teamwork and continuous improvement.  Empowers the employees and enhances accountability.
153 153 Approachesto CSA  Each CSA program that is implemented by an organization should be customized to fit that organization.  This means that the program should be dynamic and be able to change as the organization changes.  The three primary approaches to CSA are:  Facilitated team workshops,  Surveys / Questionnaires, and  Management-produced, or self-auditing/self certification.  Organizations often combine more than one approach to accommodate their self-assessment.
154 154 Facilitated TeamWorkshop  The facilitated team workshop is the process of gathering information from work teams that represent different levels in the organization.  For a facilitated team workshop, there needs to be a facilitator who brings the team together, and in essence, facilitates the process.  It is crucial for the facilitator to have no hidden agenda.  The team members need to be very truthful about what is working well and what is not working well.
155 155 Facilitated TeamWorkshop formats  There are four basic CSA-facilitated meeting formats:  Control-based. This format reviews how well the control in place are working. The purpose of the workshop is to produce an analysis of the gap between how controls are working and how well management expects those controls to work.  Objective-based. This format focuses on the best way to accomplish the organization’s objectives. The aim of the workshop is to decide whether the necessary controls are in place and working effectively and are resulting in residual risks within an acceptable level.
156 156 Facilitated TeamWorkshop formats, continued  Risk-based. This format focuses on listing the risks to achieving the organization’s objectives. The aim of the workshop is to determine significant residual risk. This workshop starts by listing all possible barriers, obstacles, threats and exposures that might prevent the organization from achieving its objects.  Process-based. This format focuses on selected activities that are elements of the process chain. The general aim of this workshop is to evaluate, update, validate, improve and even streamline the whole process and its component activities.
157 157 Surveysand Questionnaires  Surveys or questionnaires tend to ask simple “Yes-No” or “Have-Have Not” questions.  The questions may be customized for the unit’s regulatory environment or other specific needs.  The questions relate to the primary internal controls and how the controls are monitored.
158 158 Management-produced Analysis  This approach does not use a facilitated meeting or survey.  Through this approach, management produces a staff study of the organizational processes.  The CSA specialist (who is generally an internal auditor) combines the results of the study with information gathered from sources such as other managers and key personnel.  The specialist then synthesizes the information and develops an analysis that process owners can use in their CSA efforts.
159 Internal Auditor’s Role in Quarterly Financial Reporting, Disclosures, and Management Certification
160 160 IA’s Role in QuarterlyFinancial Reporting, Disclosures, and Management Certification  Because of the recent accounting scandals, internal auditors are now playing an even more important role.  The role the internal auditor plays may range from  The initial designer of the process, participant on a disclosure committee, coordinator, or  Liaison between management and its auditors, to  Independent assessor of the process.
161 161 Recommended Actionsfor Internal Auditors  Summary of recommendations of the IA’s role, including:  Be involved in some capacity in the quarterly reporting and disclosure process.  Ensure that the organizations have written policies and procedures that govern the quarterly financial reports.  Encourage the establishment of a disclosure committee. This disclosure committee’s help with transparency.  Periodically review and evaluate the quarterly reporting and disclosure processes.  Recommend appropriate improvement in the policies, etc.  Compare processes for compliance with SOX.
162 The Control Process
163 163 Establishingthe Control Process  The control process is established by management.  Without any control process, the planning process becomes much less valuable and less useful to the organization than it should.  Three main steps in the control process are:  Setting the standards (objectives) that are to be achieved,  Measuring the performance against a standard, and  Evaluating the results and then correcting, or regulating the performance as a result of what was measured.
164 164 Setting the Standards  Setting Standards (Objectives) – When setting standards that are expected to be achieved in terms of something (Quantity – number of units produced, Quality – number of defects, Time – the length of time required, Cost – cost of materials), it is critical to use the item that is most responsible for the incurrence of additional costs.  After the achievable standards are determined, it is important to select the time (or point) in the process at which you will measure performance compared to the standard. These points are called Control Points.
165 165 Setting the Standards, continued  Whatever standards an organization sets, the organization must remember that these are the standards for a moment in time.  The standards need to be reviewed on an ongoing basis and revised (or even eliminated) based on changes in the circumstances or processes.  It is important to get the people involved in the measurement process to also be involved in the process of developing the standards and methods used. By being involved, the employees will feel more ownership of the process and should be more motivated to achieve something that they contributed setting up.
166 166 MeasuringPerformance  Every product or service can be measured in some way against some standard.  It is management’s job to determine what measurement is to be used.  For example, if management is simply trying to increase production, then efficiency measurements might not be appropriate.  Another important part of the measuring process is determining who is going to do the measurement.  Self-measurement is preferable in it builds employee morale and empowerment and it is cheaper.  Second party measurement is more expensive, but may lead to better and more pertinent results.
167 167 MeasuringPerformance, continued  A performance report should be aligned with the objectives of the firm and include a specific time frame. This report should also be limited to items that are controllable by the person responsible. The report should not get into items that are outside the scope of the timeframe or the responsibilities of the person.
168 168 Evaluation and Correction  This is the critical part of the control process. Without this last part the control process is useless.  There are a number of items that you must keep in mind when making the evaluations of results.  Need to make sure you are comparing like items to like items.  If there are significant changes in the process from one period to the next, it is not accurate or effective to compare to prior periods.  It is easier to measure something that is either yes or no. For example, something like defects will be measured and evaluated this way.
169 169 Evaluation and Correction, continued  However, some things are measured in a more subjective manner, for example, “How well does the person complete his or her tasks?”  These are trait-based decisions, and more care must be taken in the evaluation of the results and it may be best to have more than one person involved in the decision process.  Trait-based decisions are more subjective and more easily influenced by the emotions of the people involved.
170 170 Systems of Control  A control system is designed so it will help the company achieve or maintain the desired actions, behaviors or results.  There are three elements to any control system: input, processing, and output.  Systems may be classified as either open or closed.  Open system is impacted by its environment. System may receive uncontrollable input information from the outside and this information will affect the system.  Closed system does not receive any uncontrollable inputs. Example of a closed system is the one to regulate the temperature in your house.
171 171 Feedback Element of the Control System  Feedback plays an important part in any control system.  Feedback ensures that a desired state is attained and maintained.  The five components to a feedback system are:  A control object – this is the element or variable that is being monitored,  The detector – this is what is happening in the control object,  The reference point – this is the standard that the control object is measured against,  The comparator (analyzer) – this is comparing what is happening and what should be happening, and  The activator – this is the decision-maker in respect to the decision.
172 172 The Timingof Controls  It is better to prevent mistakes than to detect them after they have occurred.  There are three types of controls that are classified depending on when in the production process the control identifies the defective unit.  Feedforward controls detect the problem before it occurs.  Concurrent controls operate at the same time as the production process.  Feedback controls identify when something has already gone wrong.
173 Reviewquestion 72, pg. 86
174 174 Characteristics of Effective Controls  An effective control system has the following characteristics.  Economical - there is a positive cost/benefit, meaning that the organization saves more than it costs to implement the control.  Meaningful – it is important to only control important items.  Appropriate – the control system should actually reflect what we are trying to measure and control.  Congruent – the control should be in line with what it is measuring.  Timely – the information must be available in enough time to act upon it.  Simple – the control must be understandable.  Operational – the control should provide benefit to real operations.
175 Reviewquestion 73, pg. 87
176 176 Control andTechnology  Computer technology has made it easier and cheaper to have control systems that cover many areas and that are able to provide real-time feedback.  Has lead to the increased popularity of Total Quality Management (TQM) and Reengineering.
177 177 Total Quality Management (TQM)  The premise of TQM is that quality improvement is a way of increasing revenues and decreasing costs.  It is based on producing a product “right the first time.”  Another feature of TQM is quality circles. Quality circle is a small group of employees who work together and meet regularly to discuss and resolve work-related problems.  With TQM, every person in the organization is responsible for finding errors and correcting problems.
178 178 Reengineering  Reengineering is when a company is determined to find a new way of doing something.  Reengineering is NOT simply improving an existing system, but developing a completely new system or approach.  Because of effort and time involved, reengineering should only be done for the most important processes.
179 Reviewquestions 74-76, startingon pg.89
180 Means of Achieving Control
181 181 Means of Achieving Control  There are a number of different ways that internal controls can be set up. Some of the different means are discussed below:  Organizational methods is where responsibilities are split up so no one individual controls more than one part of a transaction (segregation of duties).  Policies are stated principles that provide guidance in behavior. Policies are directive controls. Policies should be clearly written and communicated to all employees. Policies should be occasionally reviewed to make sure they are still relevant.  Procedures are the actions for carrying out the policies.
182 182 Means of Achieving Control, continued  Pre-numbered forms is another method to control and safeguard documents. Need to remember that no pre-numbered form should be disposed of, even if the form is not correct. In these cases, the pre-numbered form should be kept and stated that it was cancelled.  Personnel is making sure that good people are hired and there is a high standard of supervision. Employees should be trained and reviewed on a periodic basis.  Accounting is a crucial part of the system because this is where the financial information is accumulated and produced.  Budgeting is done so actual results can be compared with anticipated results. People who will be held responsible for the achievement of the budget should be involved in creating it.
183 183 Means of Achieving Control, continued  Reporting has to do with management receiving the reports that are relevant to their responsibilities. Reports should not only include actual results, but compared against the budget. Reports have to be provided in a timely manner so management can act upon the information. This timeliness is control function that helps management identify potential problems.
184 Reviewquestion 77, pg. 93
185 Internal Controls Models
186 186 Internal Control Models  A series of control models were developed during the 1990s. The models we will be looking at are:  Internal Control – Integrated Framework (COSO),  CoCo model, and  The IIA model.  For the most part, these controls have the same goal as to provide management with a better understanding of their control systems so they can make judgment about their effectiveness.
187 187 The COSOModel  During the 1980s there was a private sector initiative, sponsored by five organizations, that attempted to identify the causes of fraudulent financial reporting and to make recommendations to reduce its incidence.  The five sponsoring organizations are:  American Institute of Certified Public Accountants (AICPA),  American Accounting Association (AAA),  Institute of Internal Auditors (IIA),  Institute of Management Accountants (IMA), and  Financial Executives International (FEI).
188 188 Componentsof Internal Control  There are five components that make up internal control  The Control Environment,  Risk assessment,  Control activities,  Information and communication, and  Monitoring.  You can remember these components by the mnemonic CRIME (bolded letters).
189 Control Environment, continued  This is the most important element of internal controls because it is the basis on which the other elements are built.  This element sets the tone for the entire organization.  Control environment factors include:  Integrity, ethical values and the competence of the company’s people.  Management’s commitment to competence.  Human Resource policies and procedures.  Assigning authority and responsibility (assigning decision rights).  Management’s philosophy and operating style.  Board of directors and audit committee oversight.
190 Control Environment, continued  The control environment is set by management by the actions, deeds and behaviors. If management communicates and behaves in such a way to indicate that controls are important, employees are more likely to follow the controls in place.  Management plays the most important role in establishing the control environment.  Management’s commitment to competence is another factor influencing the control environment. All personnel need to be competent enough to accomplish their duties.
191 191 Control Environment,continued  Controls are more likely to work if management believes controls are important and communicate that support to all employees.  Organizations with effective controls set a positive “tone at the top.”  Transmit guidance both verbally and by example.  Foster a “control consciousness” by setting formal and clearly communicated policies and procedures that are followed at all times, without exception.  Making sure employees are in the right positions can be done through training, as well as providing counseling, and performance evaluations.  Board of directors is responsible for setting corporate policy and for seeing that the company is operated in the best interest of shareholders.
192 Control Environment, continued  A company’s organizational structure plays an important role in internal controls.  Factors that need to be properly addressed are:  Defining authority and responsibility, as well as the corresponding delegations,  Matching a structure with the needs of the business, and  Creating an atmosphere of accountability within the company
193 193 Risk Assessment  This is management’s assessment of the risks that the agency faces. Risks may be internal or external.  Internal Risks include employee embezzlement accompanied by falsification of records to conceal theft; lack of compliance with governmental regulations; or other illegal acts by employees, such as taking a bribe. These risks can include disruption in computer systems, poor management decisions, errors, or accidents.  External Risks include changes in technology, changes in federal legislation, natural disasters, economic changes, or being defrauded, or robbed.
194 194 Risk Assessment, continued  A pre-condition of risk assessment is the establishment of objectives.  Once risks have been identified, management needs to analyze their possible effect. Risk analysis includes:  Estimating the likelihood of the risk’s occurrence,  Deciding how to best manage the risk, and  What actions can be taken to mitigate the risk.  If management is unable to identify the risks that the agency faces, they are much less likely to be able to address those risks.
195 195 Control Activities  These are the policies that are developed to address the risks of the agency. These risks may be fraudulent reporting or theft (misappropriation of assets).  Control activities should be designed to mitigate risk, wherever risk exposure is determined to exist, for the purpose of protecting the organization’s ability to achieve its objectives.  Controls that are implemented must have a benefit that is greater than the cost of that control.  Because of this, not all controls are implemented and the control environment cannot provide a guarantee that all risks are eliminated.
196 196 Classifications of Control Activities  Control activities may be classified by their objective  Preventive controls attempt to prevent the mistake from ever occurring in the first place. Examples would include segregation of duties, suitable authorization of transactions, checking the credit worthiness of a customer before goods are shipped.  Directive controls attempt to ensure the occurrence of a desirable event. Examples would include managers of a construction company instruction their project managers to hire local workers in order to create a favorable image in the community in which the company operates.
197 197 Classifications of Control Activities, continued  Detective controls attempt to find the mistake after it has occurred. Examples would include bank reconciliations, check for missing document numbers in pre-numbered documents, performance reporting with variances.  Corrective controls attempt to fix the problem after it has occurred. Examples of corrective control would be finding an error when doing a bank reconciliation, etc.  Compensating controls attempt to address a weakness in controls in one place by setting up additional controls in a related area. We look at compensating controls in more detail a bit later.
198 198 Examples of Control Activities  Top level review of actual performance  Reviews by management at the functional or activity level  Management of human capital  Controls over information processing  Physical controls to protect assets (cash and other assets)  Various performance indicators  Documents and record protection and authorization  Pre-numbered documents  Performance evaluations  Hiring controls to ensure that qualified personnel are hired  Control over system modifications  Segregation of Duties
199 199 Segregation of Duties  By dividing specific duties (listed on the next slide) between different individuals, the likelihood of errors or inappropriate behavior (theft or fraud) is greatly reduced.  The separation of duties can be done in the following steps:  Identify a function that is indispensable, but potentially subject to abuse.  Divide that function into separate steps, each of which is necessary for the function to work, or for the power that enables that function to be abused.  Assign each step (or duty) to a different person or organization.
200 200 Dutiesto be Segregated  The following duties need to be segregated between different people:  The authorization of a transaction,  The recording (record keeping) of the transaction,  Keeping physical custody of the asset, and  The periodic reconciliation of the records of the asset (how much there should be) to the actual amount of the asset (how much there is).
201 201 Dutiesto be Segregated, continued  More examples of Segregation of Duties:  One person has authority to adjust accounts receivable, while a different person posts payments on customer accounts. Without segregation here, one person could divert cash receipts and then falsify the account balances of the customers who paid the cash in order to conceal the diversion.  One person is responsible for preparing the bank deposit, while a different person reconciles the checking account. Without segregation, one person could divert cash receipts and cover the activity by creating “reconciling items” in the account reconciliation.
202 202 Dutiesto be Segregated, continued  Examples of Segregations of Duties:  One person has custody of cash receipts, while a different person has the authority to authorize account write-offs. Without segregation, one person could authorize a false write-off while diverting the collection on the account.  One person authorizes issuance of purchase orders, while a different person is responsible for recording receipt of inventory. Without such segregation, one person could issue a purchase order to a fictitious vendor using a post office box rented for the purpose, then prepare a fictitious receiving record and mail an invoice to the company using a post office box personally rented for the purpose, resulting in the company’s paying for something it never ordered or received.
203 203 Limitationsof Segregation of Duties  No system is perfect and no system can eliminate all of the risks that a company faces.  Some of the reasons that risk can not be completely eliminated are:  Collusion - when two or more people work together to get around the controls in place. If the people whose duties are segregated collude, the benefit of the segregation of duties is lost.  Human judgment - decisions are made by humans, often under pressure and time constraints, based only on information at hand. If this is not enough information, then poor decisions will be made and controls may not be maintained.
204 Reviewquestions 78-83, pg. 97
205 205 Information and Communication  Information needs to be obtained and communicated to people to allow them to perform their duties.  Information needs to be  Relevant,  Reliable, and  Timely.  Information needs to be available before a decision needs to be made.  Duties and responsibilities need to be communicated to all effected parties.  Communication needs to be both internal and external.
206 206 Information and Communication, continued  Communication must be on-going, both within and between the various levels and activities of the organization.  Effective communications flows up, down and across the organization.  Program managers use reports containing operational and financial information in order determine whether they are meeting their objectives.  Operational information is also necessary to determine whether the agency is in compliance with various laws and regulations.  Financial information is needed for periodic external reporting, and, on a day-to-day basis.
207 207 Monitoring  Monitoring is the process of reviewing the controls over time to make sure that they are still relevant and still functioning as they were intended to function.  As technologies change and business operations change, some of the controls that had been relevant may no longer be relevant.  Monitoring needs to be undertaken on a regular (if not relatively constant) basis.
208 Reviewquestion 84, pg. 100
209 209 The CoCo Model  The CoCo model was designed by the Criteria of Control Board of the Canadian Institute of Chartered Accountants.  Model is an adaptation of the COSO model.  Thought to be better than COSO for auditing purposes.  The model has 4 components which are: 1. Purpose, 2. Commitment, 3. Capability, and 4. Monitoring and Learning.  These 4 components are then broken down into 20 criteria, shown on the next few pages.
210 210 Purpose  Objectives should be established and communicated.  Significant internal and external risks should be identified and assessed.  Policies to support the achievement of the organization’s objectives should be designed, communicated and implemented.  Plans should be established and communicated to assist in the achievement of objectives.  There should be measurable performance targets in the objectives and plans.
211 211 Commitment  Ethical values should be established and practiced at all levels in the organization.  Human resources policies should be consistent with the firm’s ethical values.  Authority, responsibility and accountability should be clearly defined and consistent with the organization’s objectives.  An atmosphere of mutual trust should be supported through the flow of information and communication.
212 212 Capability  People should have the needed knowledge, skills and tools to support the achievement of the organization’s objectives.  Communication should support the values and achievement of objectives.  Sufficient and relevant information should be identified and communicated to the appropriate party in a timely manner.  Decision-making in the company should be coordinated between departments.  Control activities should be designed and implemented.
213 213 Monitoringand Learning  External and Internal environments should be monitored for feedback on the achievement of objectives.  Performance should be monitored against targets and goals.  The assumptions used in the development of plans and goals should be reviewed periodically.  Information and communication needs to be periodically reviewed.  Follow-up procedures should be implemented to ensure that the needed changes occur and are effective.  There should be periodic review of the effectiveness of the control system.
214 214 IIA andInternal Control  The IIA came out with their own Internal Control model, referred to as the “Systems Assurance and Controls study.”  SAC defined internal control as: “means established to provide reasonable assurance that the overall objectives and goals of the organization are achieved in an efficient, effective and economical manner.”  The key concepts of internal control are: 1) Reasonable assurance. 2) Objectives as desired accomplishments of the organization. 3) Goals are identifiable, measurable, attainable, and consistent with objectives.
215 Control Techniques
216 216 Control Techniques  The following are the tools and techniques that contribute to the control process.  Budgets are the more common control device used by businesses.  A budget is “a realistic plan for the future expressed in quantitative terms.”  The budget is a way for management to communicate the goals of the company as well as linking the goals of the present with the strategy of the future.  By understanding how much is expected to be made or spent, the company creates a series of ground rules for people within the organization to follow throughout the year.  Comparing actual results with budget gives the company an idea of the efficiency (or lack of) of the company.
217 217 Gantt Charts  In the Gantt chart, the project is divided into parts, activities, or tasks which are plotted on a chart that has tasks listed on the left side and time across the top or bottom.  The tasks are then placed into the time frame during which they need to be completed.  The chart shows when the different steps need to be completed.  However, Gantt charts have two weaknesses:  It does not show the interconnection between the different steps of the project, and  It is does not show the critical path of the project.  Review graph on pg. 104.
218 218 PERT / CPM  Program Evaluation and Results Technique (PERT) takes the Gantt one step further and shows the interconnection between the different steps of the project.  PERT and CPM were developed separately but in fact are very similar.  These methods are very similar and for the purposes of the materials are used interchangeably.
219 219 A PERT/CPMDiagram  A PERT/CPM diagram looks as follows:  The diagram is read from left to right and you do not go backwards on the diagram A B C D E F 4 8 2 5 3 6 2 S 2
220 220 The Critical Path  The critical path is the path through the network that has the longest time of completion.  All of the activities that are along the critical path are part of that path.  If the company needs to reduce the time to complete the project, they should try to shorten (called “crashing”) the activities along the critical path.  The first activity to be crashed should be the one that has the lowest cost per time period to crash.  Once activities have been crashed, another path may become the critical path.
221 221 SlackTime  Slack time is any activity that is not on the critical path has slack time. Slack time means that the completion of this task may be delayed without delaying the completion of the project as a whole.
222 222 Control Charts (Statistical Quality Control Techniques)  A control chart records observations of an operation taken at regular intervals.  In other words, it’s sampling.  It is use to determine whether all the observations fall within the specified range for the operation.  It is said to be in statistical control is no sample observation falls outside the specified limits, if all the samples are randomly distributed with no apparent patterns, and if the number of observations that are above and below the center of the specified range are about equal.
223 223 Histograms  A histogram is a bar graph that represents the frequency of events in a set of data.  Patterns that might not be apparent when looking at a set of numbers can become clear with a histogram.  If one particular production line is experiencing most of the difficulty, a histogram detailing the types of problems and their frequency can help determine what types of problems are causing the problems most often.
224 224 Pareto Diagrams  A Pareto Diagram is a specific type of histogram.  It is based on the 80-20 observation (20% of the population causes 80% of the problems, or 20% of the population is doing 80% of the good things).  This is useful because management can then focus its efforts on improving the areas that are likely to have the greatest overall impact.
225 225 Cause-and-Effect Diagrams  Also known as the Ishikawa Diagram, or fishbone diagram.  This is a method to visually sort out root causes and identify relationships between causes.  The diagram consists of a spine, ribs and bones, therefore looking like a fishbone.  At the end of the horizontal spine is a the problem. Bones pointing to each rib are contributing factors to the cause.  In manufacturing, the typical main causes for problems are “4 Ms”: machines, materials, methods, and manpower.
226 226 Flowcharting  Flowcharting is a useful tool for better understanding internal controls and systems development.  A flowchart is a pictorial diagram which describes operations, data flow, equipment and etc.  Advantages of flowcharts is that it gives the internal auditor the ability to get a visual grasp of the system.  Another advantage is that it can help highlight areas of audit emphasis.  The different flowcharts you need to understand are:  Horizontal flowchart shows the different departments or functions involved in a process.
227 227 Flowcharting, continued  A horizontal identifies specific control points in the system. Control point is a point in a process where an error or irregularity is likely to occur, creating a need for control. For example, in the invoicing department, the supervisor may be required to review the invoices for completeness and accuracy before they are sent.  The horizontal flowchart is good for showing the segregation of duties.  Vertical flowchart depicts the specific steps in a process and how they are executed.  It does not show the system components as clearly as a horizontal flowchart.  A data flow diagram is a graphic illustration (symbolic) of a system’s processes and data flows. It shows data flow instead of control flow.  It includes the data source, data flow transformation processes, data destination, and data storage.
228 228 Correlation Analysis  Correlation analysis is a method used in internal auditing to measure the linear relationship of two or more variables.  Can be shown by plotting their values on a graph (scatter diagram).  A high correlation is indicated if the points tend to form a straight-line.  A random pattern indicates little correlation.  From an internal auditing standpoint, the numbers must stand the “test of reason.”  This means that even though there is a high correlation between numbers, it may be based on coincidence, and the numbers, in fact, may not be related.
229 229 Time Series or Tend Analysis  These are regression models in which the independent variable is time.  In time series analysis, the value of the next time is frequently dependent on the value of the time period before it.  Time series relies on past experience. The four components of time series analysis are:  Trend – This is a long-term change that occurs in a series.  Cyclical – This are variations in the level of activity in business periods.  Seasonal – are short-term variations.  Irregular – This is random happenings.
230 230 Special Control Programs  These programs are used to educate employees about the control requirements.  The problem is defined and communicated.  Employees are then given information about how their actions will impact the number of deviations.  This type of program requires employees to be educated about the program and process. The idea is to stop defects before they occur.  A zero-defect program is one where the goal is zero defects.  Management must play a role in this process. There are two approaches:  Imposed control – This is where the goals are set.  Self-control – This is where the employees are encouraged to take a more active role in prevention of defects.
231 231 Peoplein the Control System  One of the most important factors for the success of a control program is the reaction of the people who are impacted by the control process.  Critical to gain and keep the support of the people who will be monitored.  People resist controls because they are afraid of being criticized and do not to be confronted.  For the system to work, people nee to see the implementation of the system as something positive.  Also, the more people themselves are involved in the control process the more they will support the project.
232 232 Surveillance andMonitoring of Control System  There has to be a control on the control system.  Over time, the nature, individuals and processes in a business will change.  It is critical that the control system change with the business as well.  Because the control system worked in the past, doesn’t mean it will work in the future.  Need to monitor the system to keep it up-to-date.  Because there are people involved in the process, there will always be the possibly of intentional falsifying or hiding information.
233 Reviewquestions 85-86, pg. 109
234 Control Implications of Organizational Structure
235 235 Control Implications of Organizational Structure  Organizational structure will have an impact on the control environment.  No matter the type of organizational structure there must be a unity of objective throughout the company.  This unity of objective means that the objectives of the individuals and departments are in agreement with the larger organizational goals.  The relationship between the individuals, groups and departments needs to be considered.  These relationships are to varying degrees based upon authority, responsibility, and accountability.
236 236 Authority, Responsibility and Accountability  Authority is the right to direct the performance of others.  This includes the right to describe the means and methods by which the work will be performed.  Responsibility is the obligation a person has to perform.  Under the classical approach this comes from the superior and is part of every job.  Accountability is the duty to account for the completion of the responsibility.  Responsibility is delegated downwards, but the person who did the delegating is still ultimately responsible for the task that has been delegated.
237 237 Elementsof Organizational Structure  Structure of the organization can be defined in terms of its  Complexity,  Formalization, and  Centralization.  Complexity – The type of differentiation that exists within the organization will determine how complex the company is.  Vertical differentiation – the more levels there are in the company, the more complex it is and the slower and less effective it will be in adapting to changing conditions. These will be Tall Organizations.  Horizontal differentiation – this relates to the special skills and knowledge required to complete a tasks. These are flat org.  Spatial differentiation – this relates to the geographical separation of the organization’s activities.
238 238 Elementsof OrgStructure, continued  Formalization is the extent to which jobs are standardized and the clarity of the procedures and tasks that need to be performed.  The lower the level of formalization, the more room there is for employee decisions.  A strong corporate culture reduces the need for the formal expression of all corporate standards because these are disseminated and monitored naturally as part of the corporate culture.  Centralization has to with the company’s authority and freedom of decision-making.
239 239 Centralization vs. Decentralization  In a centralized organization, all the decision-making is done by senior management at the top of the organization.  Lower level managers have very little input into the decision- making process but simply carry out top management’s directions.  In a decentralized organization, responsibility for decisions is delegated to lower level managers on the theory that they are closest to what is going on.  This structure permits action to be taken more quickly to solve problems. Furthermore, input used for decision-making comes from a greater number of people, and employees feel less separated from the people who are making the decisions that affect them.
240 240 Advantages of Decentralization  Some of the advantages for a company to have a more decentralized organization are:  Greater speed in making operational decisions.  Encourages better communication and imitative among employees.  Requires the understanding of company goals throughout the organization.  Identifies and trains good decision-making at lower levels.  Gives responsibility and authority to lower level managers.  Frees top management from operations duties and enables them to focus on strategic goals.  Enables the financial measurement of a particular unit.
241 241 Disadvantages of Decentralization  Some of the drawbacks of decentralization are:  Tendency to focus on short-term local issues rather than long- term success of the larger organization.  Increased risk due to the loss of control by top management.  More difficulty in coordinating interdependent units. Lower levels of management may make conflicting decisions.  Greater danger of satisficing decisions by lower management. Satisficing is coming to a decision that is just OK, but it might not be the best decision (this is good enough so we will do it).
242 242 Delegation  A key part to decentralization is make sure there is proper delegation of authority.  Delegation is the process of passing power downward from one individual to his or her subordinate.  Under classical approach, this process of delegation should be avoided because it is a reduction of power of the manager.  The behavioral approach sees this as a useful step because no one has time to make every decision and subordinates like to be involved in the process.  Delegation can help subordinates develop confidence and initiative in situations where there are proper controls in place.
243 243 Delegation, continued  Delegation is part of the process of becoming a manger.  In order to successfully delegate the following must exit:  The necessary skills and a sound knowledge of the organization objectives,  A feedback system that allows assessment of performance,  A faith in the abilities of the subordinate,  A recognition of the need to delegate,  A willingness to accept risk, and  The desire to develop and train subordinates.
244 244 Delegation, continued  The delegation process involves the following steps: 1) Determination of the expected results, 2) Assignment of tasks and responsibilities, 3) Delegation of the necessary authority to complete those tasks, 4) Recruitment of responsible subordinates, 5) Clear communication of what is responsible, and 6) Follow-up on process because ultimate authority still remains with the manger.
245 Reviewquestion 87, pg. 113
246 246 Structure of the Organization  There are two types of structures: mechanistic or organic.  Mechanistic is a very set and detailed system in which there are tight controls, extensive division of labor and high formulation. This type of structure is best for mass production and any time there is concern for operational efficiency.  Organic structure has low complexity, a low amount of formulation and a high participative decision-making structure. Organic structures tend to be more flexible than mechanistic. They are also more adaptive to change and are better in more dynamic (changing) and complex environments. Is better for product development or for high-tech companies.
247 247 Structure andStrategy  Structure that a company chooses will be a function of its strategy.  If strategy is one of innovation than an organic structure will work better.  If strategy is based on cost-minimization than a mechanistic structure will work better.  If strategy is to imitate other than a combination of organic and mechanistic will work better.  Structure will be a function of:  Its organizational size – Larger companies tend to be more mechanistic.  Technology – High-tech companies tend to be organic.  Environment – More stable, the more mechanistic.
248 248 Componentsof an Organization  Henry Mintzberg identified five components to any organization: 1. Strategic Apex – These are the top managers. 2. Middle Line – These are the managers who connect the strategic apex to the operating core. 3. Operating Core – These are the employees who perform the basic production tasks. 4. Technostructure – This is made up of analysts who make certain that there is a level of standardization in the organization. 5. Support Staff – Provide indirect support services.
249 249 Componentsof an Organization, continued  The different types of structures that each of these components creates are:  Operating core creates a professional bureaucracy. This is a complex and formal organization, but also one that is decentralized in which the specialists of production have great amount of independence. Top management gives up a lot of control, but there might be low creativity in the process and there may be low performance because of inflexibility and an impersonal environment.  Strategic Apex creates a simple structure. There is low complexity and authority is centralized. Characteristic of small companies.
250 250 Componentsof an Organization, continued  Middle management creates a divisional structure. Each division essentially operates as its own company.  Technostructure creates a machine bureaucracy. This a complex and formal organization that performs highly routine tasks. There is a strict chain of command and line and staff functions are separated.  Support Staff creates an adhocracy. This is an organization with low complexity and is not very formal. There is low vertical differentiation and high horizontal differentiation. The emphasis is on flexibility and response.
251 Reviewquestions88-94, pg. 113
252 252 Departmentalization  Departmentalization is grouping tasks together in order to coordinate those that have something in common.  It can be accomplished in various ways, and large organizations often use all of the forms:  By function performed, such as engineering, accounting, manufacturing, personnel and marketing.  By geographical territory, such as the sales divided according to sales territory.  By product or service, with all functions for that product or service placed under the authority of a senior manager.  By type of customer served, such as the consumer market, small businesses or large corporate customers.  By project, such as ship building, military contracts, etc.
253 253 MatrixOrganization  The matrix organization actually violates the unity of command principal; but, in certain situations, it is useful.  A typical matrix organization combines product or project departmentalization with functional departmentalization (such as accounting, marketing, etc.).  Each employee has two supervisors: one for the product or project, and one for the function.  A matrix organization is useful under situations of pressure:  When there are multiple factors, both internal and external and all requiring maximum attention;  When information-processing needs are great; and  When there is a need to share resources.
254 254 MatrixOrganization,continued  Members of a matrix structure might work on one project for six months and then be reassigned to another project for another period of time.  Communication is improved between the project unit and the functional unit, and solutions to problems may come from either group.  Problems with the matrix form of organization include conflicts for employees because of the dual reporting system and power struggles among management over who has the last word on various issues.  Sometimes it is difficult in a matrix organization to determine who is in charge and who is accountable. In addition, sometimes group decision-making is done when it is not appropriate.
255 Reviewquestion 95, pg. 117
256 256 Span of Control  Span of control refers to the number of subordinates one manager can effectively supervise. The span of control governs the number of levels and the number of managers an organization will have.  Up to a point, larger spans are more efficient.  A wider span will require fewer managers and will save on managerial salaries.  Beyond a certain point, the span can become too large and supervisors cannot provide the necessary support to employees.
257 257 Span of Control,continued  Narrow spans of control also have drawbacks: 1. They are expensive in terms of increased managerial salaries. 2. Communication within the organization becomes more complex, because the greater number of levels within the organization isolates upper management and slows decision-making. 3. They can lead to too-close supervision of employees, discouraging their individual initiatives.  A manager can handle a wider span of control if his or her employees are all well trained in their jobs. Thus, when organizations have wide spans of control, they need to invest more in employee training.
258 Reviewquestions 96-97, pg. 118
259 259 Leadership  Leadership is the process of influencing others so they are willing to work toward the achievement of goals of the group.  The classical view is holds that even though authority and decision-making may be decentralized, the characteristic of leadership is a characteristic of an individual and cannot be subdivided and transferred to others.  Some of the characteristics of an effective leader are:  Intelligence,  Maturity,  Social participation, and  Socioeconomic status.
260 260 Styles of Leadership  The different styles of leadership that have been identified by behaviorist:  Autocratic – the manager dictates instead of allowing input from the employees.  Consultative – the manger makes the decisions, but does take into account the opinions of the employees.  Participative – the manager makes the decision, but must take into account the opinions of the other members of the team or group.  Free-rein (laissez-faire) – employees make their own decisions.  Bureaucratic – manages by rules and policies.  Transformational – this is a leader who is a supporter and implementer of change.
261 261 Transformational Leader  The transformational leader is able to inspire others in the company in order in the company in order to achieve more than he or she thought possible.  There are many characteristics of a transformational leader, including:  A person who emphasizes vision, is able to articulate a vision, and can challenge traditional assumptions.  Encourages individual development, provides workers with regular feedback, and gives individualized consideration.  Has charisma, is inspirational and able to motive employees.
262 262 LeadershipStudies  Studies have found two behavioral patterns: initiator of structure and initiator of consideration.  Initiator of structure is geared toward the completion of tasks and includes defining duties, establishing procedures and planning and organizing the work.  Initiator of consideration is the establishment of a personal relationship between the manager and the subordinate.  Which pattern is present will depend on situation, but in most cases both patterns will be present.
263 263 Contingency Approach  The contingency approach is focused on finding a better answer to the questions, “What is an effective leader?” “How do we train them?”  Fred Fiedler developed the earliest contingency model, proposing that effective group performance is a function of a good match between the leader’s style and the situation.  This means that the right person at the right time will be a good leader, but the same person in a different situation may be very ineffective.
264 264 Fiedler’s Contingency Theory  There are three dimensions to the contingency theory model:  Position power – this is a function of formal authority.  Task structure – this relates to the clarity of the responsibilities and tasks.  Leader-member relations – this is the extent to the group members like, trust and are willing to follow the leader.  Fielder's research showed two types of leaders:  Task-oriented leadership is more effective when the situation is either very favorable or very unfavorable, e.g., natural disaster.  Relationship-oriented leadership is most effective when the situation is in the middle, or less extreme.
265 265 The Path-Goal Theory of Leadership  The path-goal theory attempts to bring together the work on structure and consideration.  There are two factors that affect the relationship between the behavior of the leader and the outcomes:  Environmental factors, which are items beyond the control of the subordinate, and  Subordinate factors, such as location of control, experience and ability.  Style of leadership should complement, but not duplicate the factors in the environment and should be consistent with the characteristics of the subordinates.
266 266 Path-goal Theory, continued  Path-goal theory identifies four leadership behaviors: 1) A directive leader lets subordinates know what is expected of them, gives specific guidance on accomplishing tasks, schedules the work and sets standards of performance. 2) A supportive leader is friendly and concerned for the needs of subordinates. 3) A participative leader consults with subordinates and considers their suggestions in making a decision. 4) An achievement-oriented leader sets challenging goals for subordinates and expects them to perform at their maximum level.  The theory assumes that the leader can be flexible and need not behave in the same manner at all time but may behave differently in different situations.
267 267 Vroom-Yetton-Jago Model  This model of leadership focuses on helping the leader to determine how best to arrive at, communicate, and execute a decision.  The Vroom-Yetton-Jago model is a decision-making tree that attempts to determine an appropriate leadership style for various situations and assumes a leader may use different leadership styles.  The model identifies five styles, ranging from autocratic to group-based.  By asking oneself a series of questions about the nature of the problem, etc., the leader can decide how much to involve others in the decision and also the style.
268 268 Decision Tree Approach,continued  After choosing which decision tree to use, the leader evaluates a series of seven factors (the factors themselves are outside the scope of the exam) to determine how much participative decision-making is appropriate and decides among five alternatives:  Autocratic (1) - Leader decides alone.  Autocratic (2) - Leader obtains additional information and then decides alone.  Consultative (1) - Leader consults with group members individually but then decides alone.  Consultative (2) - Leader consults with group members collectively but then decide alone.  Group - Leader meets with group to discuss situation, defining the problem and facilitating discussion as the group makes the decision.
269 Reviewquestions98-99, pg. 121
270 270 Influence  Influence is the attempt to change the behavior of someone in the workplace.  The different tactics used to influence someone are:  Consultation – allows the other person to participate in the change.  Rational persuasion – tries to convince others by relying on logic.  Ingratiating tactics – attempts to be nice to the person.  Coalition tactics – getting others to support you in this project.  Pressure tactics – intimidation, threats and demands.  Upward appeals – this uses the formal structure of management.  Exchange tactics – offer a trade of “I do this, now you do that.”
271 Negotiations and Conflict Management
272 272 Negotiations  Negotiating is the process of bargaining an agreement for the exchange of goods or services at an agreed upon rate of exchange.  The two main approaches to negotiating are:  Distributive bargaining occurs when there is a zero-sum situation. It is unlikely that a true win-win situation will come out. Each party will create a desired result and a minimum acceptable result. If the two ranges overlap, then there will be chance of a successful negotiation.  Integrative bargaining occurs when there is a possibility for both sides to win.  There is another type of negotiation called subordination bargaining. This is when the person who is in the position of the subordinate agrees to anything that is reasonable.
273 273 Third Party Negotiator  There may be a situation where parties are unable to come to an agreement.  In these situations, a third party negotiator might be needed. The methods of third party negotiations are:  Mediation is an intervention between parties with the intent of facilitating an agreement.  Arbitration is a situation in which a third party decides the situation.  Consultation occurs when an expert in conflict resolution is engaged in an attempt to improve the communication between the parties.
274 274 Conflict  Conflict can arise from many different situations.  The more common conflict triggers are:  Unclear job boundaries and unclear responsibilities.  Competition for scarce resources.  Differences between people in the their status.  Personality clashes.  Unrealistic expectations.  Communication problems.  The interactionist theory views conflict as possibly beneficial.
275 275 Conflict, continued  Whether conflict is healthy or not depends on how it is handled.  Competition generally does not help the company. With competition one person must win.  Collaboration is generally helpful. This is the process of all of the people in the conflict trying to find a satisfactory solution for all.  Avoidance of the conflict does not help.  Compromise may help at times.  Accommodation may be helpful in the short-run, but in the long-run it may cause greater problems.  Conflicts may be resolved in a number of ways:  Problem solving is a process of confronting the problem and removing its causes.
276 276 Conflict, continued  Smoothing is a short-term avoidance process whereby the parties are asked to forget their differences for the short-term.  Forcing occurs when the superior position uses its position to solve the conflict.  Superordinate goals are those goals that are above the goals of the individual.  Compromise is where both parties have to give up something.  Expanding resources is a possible solution but only if the conflict was the result of insufficient resources.  Changing the human element attempts to change the behavior of the individual involved.
277 277 Conflict, continued  Diffusion is the process of trying to solve the smaller, less critical issues in order to build a feeling of success and cooperation before dealing with the larger issue.  The public media at times can become the venue in which the conflict is played out. This is risky thing because public opinion may not always be as expected, but the pressure of the media attention may force people to solve their differences.
278 Reviewquestions 100-104, pg. 123
279 Change Management
280 280 Change Management  Organizational change is the process of changing the organization structure of the company.  All organizations at some time go through change as the business changes, the environment changes and as the people in the business change.  Individuals may resist these changes for many reasons.  The main reason may be fear – fear of the unknown and fear that the change is simply the first part of larger changes that will lead to an individual’s termination.  Another cause of fear may be an apparent disregard by management about the way management treats employees, and possible disruption to the way that things were.
281 281 Change Management, continued  In order to minimize disruption the following can be done:  Communicate the nature, extent and reasons for the changes to all affected by the change.  Make sure that there is sufficient notice before the change is made.  Allow the participation of those who will be affected by the change in the process of implementation.  Have formal and informal conferences about the change.  Anticipate the perceived impact of the change on the economic, social and psychological needs of employees.
282 282 Nadlerand Tushman Model  Nadler and Tushman developed a model of the different types of change that a company may undertake.  The comparatives of the change are anticipatory vs. reactive and incremental vs. strategic.  Anticipatory changes: planned changes based on expected situation.  Reactive changes: changes made in response to unexpected situations.  Incremental changes: subsystem adjustments required to keep the organization on track.  Strategic changes: altering the overall shape or direction of the organization.
283 283 Nadlerand Tushman Model, continued  When the change is Anticipatory and Incremental in scope, it is called Tuning. You are anticipating problems before something goes wrong.  When the change is Anticipatory and Strategic in scope, it is called Reorientation. Causes the organization to be significantly redirected.  When the change is Reactive and Incremental in scope, it is called Adaptation. Changes are made in reaction to external problems, events, or pressures.  When the change is Reactive and Strategic in scope, it is called Re-creation. This is an intense and risky decisive change that reinvents the organization.
284 284 SECTION E ENGAGEMENT PLANNING
285 285 Section E  Section E covers the topics of engagement planning, engagement supervision, audit procedures and fraud.  This section will account for approximately 15 – 25% (15 – 25 questions) of the Part 1 Exam.  An engagement has to do with the planning, performing, communicating and monitoring the results of the engagement. This section describes the planning process and provides criteria for evaluating the process.
286 286 2200: Engagement Planning  Internal auditors should develop and record a plan for each engagement, including the scope, objectives, timing and resource allocations.  Four stages to any internal audit engagement:  Planning the engagement,  Performing the engagement,  Communicating results, and  Monitoring progress.  These steps are similar to external auditing, except external auditors do not monitor progress.
287 287 Planningthe Engagement  During the process of planning the audit, the internal auditor must consider:  The objectives of the activity being audited.  Significant risks to the activity.  Adequacy and effectiveness of the activity’s risk management and control systems.  Opportunities to make significant improvements in the activities risk management and control systems.  After the above is done, the internal auditor is able to establish:  The objectives,  The scope of the engagement,  The necessary resources, and  The work program.
288 Reviewquestions 105-106, pg. 129
289 Engagement Objectives
290 290 2210: Engagement Objectives  Should address risks, controls and governance processes associated with the activities that are being reviewed.  Engagement objectives are broad statements that define what the engagement is supposed to accomplish.  Risk is one of the main elements that should be addressed when an activity is being audited.  Risk is the uncertainty of an event occurring that could have an impact on the achievement of objectives.  Auditor is looking for the events that could impact the activity that being audited.
291 291 Risk Assessment in Engagement Planning  Internal auditors should always consider risk when planning an audit. In the consideration of risk, the auditor should review the following:  Objectives and goals of the activity.  Policies, plans and procedures, laws, contracts that may impact the activity.  Organizational information about the activity, i.e., key employees, job descriptions, details of recent changes in org., etc.  Budget information.  Prior working papers.  Results of other engagements (from external auditors).  Correspondence files to determine significant issues.  Authoritative and tech literature if relevant.
292 292 Surveys  Sometimes surveys are used to become familiar with activities.  They are particularly useful in the first engagement when little information is known about activity.  Surveys can assist in:  Understanding the activity.  Identifying areas requiring special attention.  Obtaining information for use in the performance of the engagement.  Determining where further work is necessary.  Developing a good relationship with the staff of the activity being audited.  We discuss surveys in more detail later.
293 Reviewquestions 107-108, pg. 130
294 Engagement Scope
295 295 2220: Engagement Scope  The engagement scope tells you what needs to be done in order to satisfy the engagement objectives.  Scope of an assurance engagement should include considerations of relevant systems, records, personnel, and physical properties.  In performing consulting engagements, internal auditors should ensure that the scope of the engagement is sufficient to address the agreed-upon objectives.  If the auditor has reservations about the scope, the auditor should discuss the reservations with the client to determine whether to continue with engagement or not.
296 Engagement Resources
297 297 2230: Engagement Resource Allocation  Internal auditors should determine appropriate resources to achieve engagement objectives.  Staffing should be based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.  When determining necessary resources, the auditor should consider the following:  Number and experience of the auditing staff.  Knowledge and skills and other competencies of the auditing staff.  Future training needs of the auditors.  Consideration of the use of external resources.
298 Engagement Work Program
299 299 2240: Engagement Work Program  Work program should be written and developed for each engagement.  The work program details the work that is to be done.  The work program should include:  Information about the objectives of the area that is being audited.  Description of the controls that are in place as well as those that need to be in place.  Procedures that are necessary in order to carry out the audit.  Work programs may be pro forma or individualized.  Approval of the work program should come from the CAE, and in writing.  Any adjustments made to the work program should be approved in a timely manner.
300 Preliminary Survey
301 301 The Preliminary Survey  The preliminary survey is also referred to an “on-site” survey.  This is the first step in the audit process.  Purpose is to give the auditor the opportunity to become familiar with the preliminary information about the activity to be audited.  The preliminary survey allows the auditor to become:  Become familiar with the clients: Objectives and goals. Organizational structure. Operations, facilities, key customers and suppliers. Risk management, control and goverance. Information systems.
302 302 Preliminary Survey, continued  Concentrate the work program on matters of significance.  Identify areas of lower risk and then reduce the audit time spent in these low-risk areas.  Create a cooperative tone for the engagement.  To maximize the benefit of the preliminary survey, the auditor should:  Read all relevant background information.  Prepare the questionnaire based on this information.  Know whom to see to obtain additional and needed information.  Document the information received in this process.  Understand the objectives and goals.  Identify the risks implicit in the areas under review.
303 303 Preparation for the Preliminary Meeting  The auditor needs to be prepared when meeting the engagement client for the first time.  The survey should be sent to the client in advance to give the client the chance to complete it before the meeting.  The questions should highlight the key risk areas, and the methods and extent to which management is controlling those risks.
304 304 The Preliminary Meeting  The first meeting with the client should:  Set the cooperative tone of the engagement;  Explain the engagement in detail; and  Stress that all observations and recommendations will be discussed with the client before being reported to the board.  In addition, the auditor should explain that any corrective action taken by the client prior to circulation would be acknowledged by the auditor.  Another result of the meeting is to collect as much relevant documentation as possible.  Conduct a walk-through of the premises.
305 305 Further Meetings  If the client wishes, a further meeting can be arranged to discuss initial impressions and the general thrust of the engagement work program.  The cost of further meetings should be a consideration in planning the additional meetings.
306 306 Documentation of the Preliminary Survey  A comprehensive report of the preliminary survey should be documented.  Using the documents obtained from the meeting, the auditor will produce, or update the permanent file.  Permanent file provides relevant information about the client that each engagement will use.  Includes such items as client objectives and goals, organization structure, unit addresses, flowcharts, bank accounts, etc.
307 Reviewquestions109-113, pg. 134
308 Engagement Supervision
309 309 2340: Engagement Supervision  This is obvious, but all engagements should be properly supervised.  Proper supervision ensures that objectives are achieved, quality is assured and the staff is developed.  Proper supervision starts at the planning stages and continues all of the way through until the issuance of the report.  Ultimate responsibility for supervision lies with the CAE.  The CAE should periodically review each job in respect to budget and actual time spent and expected completion time as well as a review of any control or technical issues that have arisen and not yet been resolved.
310 310 Engagement Supervision, continued  The extent and amount of supervision required for an engagement will be determined by the skills and experience of the internal auditors and the complexity of the engagement.  Proper supervision includes:  Ensuring the assigned auditors have the necessary knowledge, skills and other competencies.  Determining that working papers adequately support observations, conclusions and recommendations.  Ensuring that communications are accurate, clear and concise.  Ensuring budgetary controls.  Resolving differences of judgment between CAE and auditors.
311 Reviewquestions114-116, pg. 138
312 Engagement Procedures
313 313 Engagement Procedures  The engagement work is made up of a series of procedures that are to be performed by the auditor.  Procedures may be as simple as checking to see if a particular document was signed, or something more complex as the valuation of a derivative.  Procedures that are to be performed are written in the work program.  For any engagement, the auditor will need to perform procedures to gather evidence. This evidence will provide the support for the opinion that the auditor concludes.  Auditors must collect information until they have collected sufficient and competent evidence.
314 314 Sufficiency of Evidence  The question of how much evidence is enough evidence cannot be answered definitively or quantitatively.  The question has be answered using the professional judgment of the auditor and it depends on many factors.  Main factor depends on the effectiveness of the client’s internal controls.  If controls are working, then the amount of evidence required by the auditor will be less than if controls are not working.  Though, need to remember that no matter how well controls are working, the auditor must always obtain some amount of direct evidence to confirm the numbers by the client.
315 315 Sufficiency of Evidence, continued  In the determination of sufficiency, the auditor will also consider the item’s materiality and inherent risk.  The less material or less risky the item, the less evidence the auditor will require in order to reach a sufficient amount of evidence.
316 316 Competence of Evidence  For evidence to be competent, the evidence must be both valid and relevant.  Relevance of data is related to how closely related the evidence is to what the auditor is testing.  The validity of evidence relates to the extent to which the auditor can believe and trust the evidence. The most valid evidence is evidence that is obtained directly by the auditor. The auditor obtains this evidence may times through observations. The next best source is from a 3rd party that does not have a direct interest in the client, e.g., bank statements, account receivable confirmations. The least valid evidence is any information obtained by the client.
317 317 Sourcesof Evidence  There are two main types of auditing evidence:  Underlying accounting data – this is the information that is part of the accounting system. It includes the original documents, journals, ledgers, supporting information and the output from the accounting systems.  Corroborative evidence – this is essentially all other evidence. This is evidence that is obtained from somewhere else or is a document that can be verified with a third party, such as an invoice, a check, contracts or similar type of document.
318 318 Selected Engagement Procedures  There are six major categories of procedures outlined by Sawyer. 1) Observing. This is a visual examination by the auditor. 2) Questioning. The auditor may accomplish this either orally or in written form, such as a questionnaire. 3) Analyzing. This is a process of understanding something larger by looking at the individual components that make it up. 4) Verifying. This is a process of checking one source of information against another. 5) Investigating. This is the search for evidence or facts that are not openly available. 6) Evaluating. This is the process of taking all of the available information, putting it together and coming up with a conclusion.
319 319 Tracing andVouching  This is mostly related to financial statements.  These can be performed anytime there is an original source document and place where the event is ultimately recorded.  Tracing is the process of starting with the original source document, and following it through the accounting records to the final ledger. Tracing is testing for completeness. This makes sure that every event or transaction that occurred is actually recorded.  Vouching is the opposite of tracing. Start with an amount in a ledger and find the supporting documentation for it. Vouching is testing for existence. This makes sure that every event or transaction that has been recorded in the records has actually occurred.
320 Reviewquestions 117-122, pg. 142
321 Understanding Fraud
322 322 Fraud  The IIA defines fraud as “any illegal acts characterized by deceit, concealment or violation of trust. These acts are not dependent upon the application of threat of violence or of physical force. Frauds are perpetrated by parties and organizations to obtain money, property or service; to avoid payment or loss of service; or to secure personal or business advantage.”
323 323 Consideration of Fraud in the Planningof a Financial Statement Audit  Internal auditor should develop and plan the audit with a reasonable assurance of detecting material fraud or misstatements.  Due to the fact that perpetrators of fraud will try to hide the fact, it is not possible to guarantee discovery of material frauds.  Fraud is different from an error in that fraud is an intentional misstatement while an error is unintentional.
324 324 Types of Fraud  There are two main classifications of fraud: 1) Misstatements from fraudulent financial reporting.  These are intentional misstatements in the financial statements that are made to mislead users. This includes omission of information from the financial statements and a misapplication of accounting principles. 2) Misappropriation of company assets.  This includes theft, embezzlement and any action that causes the company to expend cash for things that will not benefit the company. 3) Corruption.  Corruption includes illegal gratuities, brides and kickbacks, conflict of interest, economic extortion.
325 325 Consideration of Fraud, continued  The auditor is supposed to find material misstatements, the risk of misstatement due to fraud needs to be specifically considered in the planning of the audit.  A major risk that could indicate possible fraudulent financial reporting is the occurrence of management override of controls.  When fraud is suspected, the internal auditor should determine the possible effects and discuss the matter with the appropriate level of management.  It is generally not the internal auditor’s place to report the matter outside the organization, although they may in some cases report the event to the SEC, a predecessor auditor, a court, or to a governmental agency.
326 326 Detection and Prevention of Fraud  The internal auditor is responsible fo examining the controls that are in place to determine if they are adequate to prevent or detect fraud.  It is preferable (and usually cheaper) to prevent fraud than it is to discover it after the fact.  When fraud is detected, the auditor should immediately contact the appropriate level of management.
327 327 Detection and Prevention of Fraud, continued  The following items do not indicate that fraud is occurring, but rather that conditions exist in which fraud may occur more easily.  No segregation of duties,  Not limiting the access to assets,  Failing to compare existing assets with recorded assets,  Executing transactions without proper authorization,  Lack of personnel or qualified personnel,  Collusion among employees,  The existence of high-value, small, liquid assets, and  Management override of controls that are in place.
328 Reviewquestions 123-124, pg. 146

More Related Content

PDF
International Professional Practices Framework (IPPF)pdf
byAavyaSidhu
 
PPT
PART II INTERNAL AUDITING in local government.ppt
byCamellaCandon
 
PPTX
The Internal Audit Framework
byAhmad Tariq Bhatti
 
PDF
Auditing activities of microfinance institutions
byFrank Kabuye, CPA
 
PPTX
Recently Updated International Professional Practices Framework
byAziz Fataliyev, Internal Audit Practitioner
 
PPTX
Internal Auditor Roles
byIyad Mourtada, CMA, CIA, CFE, CCSA, CRMA, CPLP
 
PPTX
Effective oversight role of audit committees
byKabelo Mabokela
 
PPTX
Unit 1
byabedreziq
 
International Professional Practices Framework (IPPF)pdf
byAavyaSidhu
 
PART II INTERNAL AUDITING in local government.ppt
byCamellaCandon
 
The Internal Audit Framework
byAhmad Tariq Bhatti
 
Auditing activities of microfinance institutions
byFrank Kabuye, CPA
 
Recently Updated International Professional Practices Framework
byAziz Fataliyev, Internal Audit Practitioner
 
Internal Auditor Roles
byIyad Mourtada, CMA, CIA, CFE, CCSA, CRMA, CPLP
 
Effective oversight role of audit committees
byKabelo Mabokela
 
Unit 1
byabedreziq
 

Similar to vdocuments.mx_cia-part-1-slides.ppt

PPTX
CIA part 1 essentials of internal auditing
byariundalai1
 
PPTX
Chapter 1 auditing and internal control
byTommy Zul Hidayat
 
PPTX
Chapter 1 auditing and internal control
byjayussuryawan
 
PDF
Full download Solution Manual For AUDITING ASSURANCE SERVICES by William F. M...
bydawonnosce86
 
PPTX
International Professional Practices Framework Mandatory Guidance
byAziz Fataliyev, Internal Audit Practitioner
 
PDF
The Internal Auditing Handbook.pdf
byRNHolder
 
PPTX
Performance audit adding value
byicgfmconference
 
PDF
Solution Manual for Internal Auditing Assurance and Consulting Services 2nd E...
bybraiggladipc
 
PDF
The iia s 2017 international professional practices framework
byDr. Zar RDJ
 
PPTX
Basics of internal audit
bycomplianceonline123
 
PPTX
internal audit and its characteristic and features .pptx
byAnshuman Parashar
 
PDF
Chapter 9 PPT 4th edition.pdf internal audit
byNhtLNguyn9
 
PPT
3a 2 Internal Audit A Bane Or Boon
byRajeswaran Muthu Venkatachalam
 
PPT
Technology Auditing, Assurance, Internal Control
byZefren Edior
 
PPT
Internal_audit
byVishal Joshi
 
PDF
CIA Part I review course 2017
byJack Davidsz
 
PDF
Iias Certified Internal Auditor Cia Learning System Individual Part 1 Book Th...
bymawenaxoxa
 
PPT
Understanding Internal Auditing Presentation
byDanielFrancis68
 
PPT
Be Independent & Objective
bySalih Islam
 
PDF
LTE_IIA Prof Stds 2009
byLee T. Emmenderfer, Jr., MBA, CPA
 
CIA part 1 essentials of internal auditing
byariundalai1
 
Chapter 1 auditing and internal control
byTommy Zul Hidayat
 
Chapter 1 auditing and internal control
byjayussuryawan
 
Full download Solution Manual For AUDITING ASSURANCE SERVICES by William F. M...
bydawonnosce86
 
International Professional Practices Framework Mandatory Guidance
byAziz Fataliyev, Internal Audit Practitioner
 
The Internal Auditing Handbook.pdf
byRNHolder
 
Performance audit adding value
byicgfmconference
 
Solution Manual for Internal Auditing Assurance and Consulting Services 2nd E...
bybraiggladipc
 
The iia s 2017 international professional practices framework
byDr. Zar RDJ
 
Basics of internal audit
bycomplianceonline123
 
internal audit and its characteristic and features .pptx
byAnshuman Parashar
 
Chapter 9 PPT 4th edition.pdf internal audit
byNhtLNguyn9
 
3a 2 Internal Audit A Bane Or Boon
byRajeswaran Muthu Venkatachalam
 
Technology Auditing, Assurance, Internal Control
byZefren Edior
 
Internal_audit
byVishal Joshi
 
CIA Part I review course 2017
byJack Davidsz
 
Iias Certified Internal Auditor Cia Learning System Individual Part 1 Book Th...
bymawenaxoxa
 
Understanding Internal Auditing Presentation
byDanielFrancis68
 
Be Independent & Objective
bySalih Islam
 
LTE_IIA Prof Stds 2009
byLee T. Emmenderfer, Jr., MBA, CPA
 

Recently uploaded

PPTX
Top Inventory Financing Mistakes Small Businesses Must Avoid
byAvon River Ventures
 
PDF
Buy LinkedIn Accounts_Best Step-by-Step Guide for 2025.pdf
bymarketing
 
PDF
_How to Buy////// TikTok Seller Account.pdf
byhi1885171
 
PDF
_how to buy Buy/// Self Bank Account.pdf
bymarketing
 
PPTX
Reinventing Procurement Through Big Data (1).pptx
byamitshovon2
 
PPTX
Income_Tax_Master_Presentation_All_Modules.pptx
byRohitGupta920212
 
PDF
The $410.7 Billion Question Every CFO Needs to Answer
byPrima Consulting
 
PDF
New Monthly Enterprises Survey. Issue 40. (08.2025) Ukrainian Business in War...
byІнститут економічних досліджень та політичних консультацій
 
PDF
New Monthly Enterprises Survey. Issue 41. (09.2025) Ukrainian Business in War...
byІнститут економічних досліджень та політичних консультацій
 
PPTX
Structure of Office of the dad PCDA O.pptx
bysasdad209601
 
PDF
7 Trading Themes for 2026 - Special report for Deriv traders by veteran trade...
byVince Stanzione
 
PDF
20251203_A. Stotz All Weather Strategy - Weights update & Performance review ...
bybeamploynaphat
 
DOCX
How to buy LinkedIn accounts from us A new of it_.docx
byhi1885171
 
DOCX
How to register and verify your profile on the Western Union ....docx
bymarketing
 
PDF
TriStar Gold Corporate Presentation - 2025-12.pdf
byAdnet Communications
 
PPTX
4_Housing for Animals and resources.pptx
bybishnugup999
 
PDF
Anatomy of a Capture: How One Foreclosure Exposes a National Equity Machine
byJeremy Bass
 
DOCX
Best Platforms to Buy Verified Wise Accounts in the US.docx
by#SEO, #usaallhub, #socialmedia, #USAaccounts, #seoservice, #Digitalmarketer
 
PDF
How To Convert Sidra Tokens To SDA - New Method
byTRADERS / CRYPTO SPACE 💱
 
DOCX
CNCPW Market Report: Silk Road Bitcoin Transfers and Liquidity Analysis
byCNCPW Sobrenome
 
Top Inventory Financing Mistakes Small Businesses Must Avoid
byAvon River Ventures
 
Buy LinkedIn Accounts_Best Step-by-Step Guide for 2025.pdf
bymarketing
 
_How to Buy////// TikTok Seller Account.pdf
byhi1885171
 
_how to buy Buy/// Self Bank Account.pdf
bymarketing
 
Reinventing Procurement Through Big Data (1).pptx
byamitshovon2
 
Income_Tax_Master_Presentation_All_Modules.pptx
byRohitGupta920212
 
The $410.7 Billion Question Every CFO Needs to Answer
byPrima Consulting
 
New Monthly Enterprises Survey. Issue 40. (08.2025) Ukrainian Business in War...
byІнститут економічних досліджень та політичних консультацій
 
New Monthly Enterprises Survey. Issue 41. (09.2025) Ukrainian Business in War...
byІнститут економічних досліджень та політичних консультацій
 
Structure of Office of the dad PCDA O.pptx
bysasdad209601
 
7 Trading Themes for 2026 - Special report for Deriv traders by veteran trade...
byVince Stanzione
 
20251203_A. Stotz All Weather Strategy - Weights update & Performance review ...
bybeamploynaphat
 
How to buy LinkedIn accounts from us A new of it_.docx
byhi1885171
 
How to register and verify your profile on the Western Union ....docx
bymarketing
 
TriStar Gold Corporate Presentation - 2025-12.pdf
byAdnet Communications
 
4_Housing for Animals and resources.pptx
bybishnugup999
 
Anatomy of a Capture: How One Foreclosure Exposes a National Equity Machine
byJeremy Bass
 
Best Platforms to Buy Verified Wise Accounts in the US.docx
by#SEO, #usaallhub, #socialmedia, #USAaccounts, #seoservice, #Digitalmarketer
 
How To Convert Sidra Tokens To SDA - New Method
byTRADERS / CRYPTO SPACE 💱
 
CNCPW Market Report: Silk Road Bitcoin Transfers and Liquidity Analysis
byCNCPW Sobrenome
 

vdocuments.mx_cia-part-1-slides.ppt

  • 1.
    1 1 CIA Part 1 INTERNALAUDIT ACTIVITY’S ROLE IN GOVERNANCE, RISK AND CONTROL
  • 2.
    2 2 SECTION A COMPLY WITHTHE IIA’S ATTRIBUTE STANDARDS
  • 3.
    3 3 Section A  SectionA comprises approximately 15% to 25% (15 to 25 questions) of the Part 1 exam.  There are six primary sections in Section A, including: 1) Purpose, Authority and Responsibility, 2) Organizational Independence & Objectivity, 3) Proficiency and Due Professional Care, 4) Continuing Professional Development, 5) Quality Assurance & Improvement Program, and 6) The IIA’s ‘Code of Ethics’.
  • 4.
    4 4 The Development ofInternal Auditing  The concept of internal auditing goes back as far as 5,000 years. Early civilizations had to verify what they had, particularly verifying the amount of grain they had.  The formal development of internal auditing as a profession was started by the railroads.  Railroad executives had to have some assurance that their stationmasters in many distant places were properly handling receipts and submitting all of the money that they should.  Railroad executives felt that the external auditors did not adequately address this issue because of a focus on the financial statements.
  • 5.
    5 5 DifferencebetweenExternal & InternalAuditors The Internal Auditor…  Is employed by the organization.  Focuses on futureeventsby evaluating controls designed to assure the accomplishment of entity goals and objectives.  Is notindependentof the activities audited but is ready to respond to the needs and desires of management.  Behaves with objectivity even though they are not independent.  Is directlyconcernedwith the prevention of fraud in any form or extent in all aspects of the business.  Reviews activities continually. The External Auditor…  Is an independent contractor.  Serves third parties who need reliable financial information.  Focuses on the accuracy and understandability of historical eventsas expressed in the financial statements.  Is independentof management and the board of directors both in fact and in mental attitude.  Is incidentallyconcernedwith the prevention and detection of fraud in general, but is directly concerned when financial statements may be materially affected.  Reviews records supporting financial statements periodically – usually annually.
  • 6.
    6 6 The Definition ofInternal Auditing  Over the past few decades, the profession of internal auditing has undergone major changes.  The IIA defines Internal Auditing as: “An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”
  • 7.
    7 7 IIA Professional Standards The Standards are the criteria by which internal auditors perform their work.  The Standards are intended to represent the best practices of internal auditing.  The Standards have the following four purposes: 1) Delineate basic principles that represent the practice of internal auditing as it should be. 2) Provide a framework for performing and promoting a broad range of value-added internal audit activities. 3) Establish the basis for the evaluation of the internal audit performance. 4) Foster (support) improved organizational processes and operations.
  • 8.
    8 8 Professional Standards  Theprofessional Standards consist of Attribute Standards, Performance Standards and Implementation Standards.  Attribute Standards are concerned with the characteristics of the organization and the parties who will be performing the auditing activities.  Performance Standards describe the internal audit activities and criteria against which the performance of these services can be evaluated.  Implementation Standards apply to the specific types of engagements, whether assurance or consulting.
  • 9.
    9 9 1000: Purpose, Authorityand Responsibility  According to the Standards, “the purpose, authority, and responsibility of the internal audit activity (IAA) must be:  Formally defined in a charter,  Consistent with the Definition of Internal Auditing, the Code of Ethics, and Standards, and  Approved by the board.”  The IAA should encompass every part of the organization’s operation, and should have access to the company’s documents, records or properties.  Internal auditing has developed to assist management in carrying out its monitoring responsibilities effectively and efficiently.  The IAA should promote effective control at a reasonable cost.
  • 10.
    10 10 Organizational Status ofthe IAA  In order for the IAA to accomplish its responsibilities it must have the necessary status within the organization.  To have the necessary status the IAA should report to the board of directors through the audit committee.  Along with organizational status the IAA must also have organizational independence.  This means that the IAA should not have relationships with the various departments it will be auditing.  Status and independence can be achieved by having a properly designed Internal Audit Charter.
  • 11.
  • 12.
    12 12 The Internal AuditCharter  It is the Charter that provides the IAA with the formal mandate to do its work.  The Charter should be written by and come from the board of directors and senior management.  The Charter should include:  The scope of the services and work to be performed,  The objectives of the IAA,  The authority that the IAA has to access records, personnel and physical properties in the organization,  The accountability of the IAA, and  The responsibility of the IAA.
  • 13.
    13 13 The Charter  TheIAA should report to an organizational level that is high enough to be effective, and independent of the functions that will be audited.  This means that the Chief Audit Executive (CAE) should report to the Chief Executive Officer (CEO), or board of directors.  The accounting department, chief accountant or finance director would not normally be a good level to report to.  Ideally the CAE should:  Functionally report to the audit committee or its equivalent and  Administratively to the CEO.
  • 14.
    14 14 The Audit Committee The audit committee is a subcommittee of the board of directors.  The members of the audit committee should be external directors.  The audit committee itself should have its charter approved by the board.
  • 15.
    15 15 The Audit Committee,continued  The primary duties and responsibilities of the audit committee are:  To ensure that the external auditors are completely independent.  Discuss with management and external auditor the effects of changes in accounting standards, and the implications of these proposed changes.  Ensure that both internal and external auditors have sufficient resources to carry out their functions.  Act as a mediator between management and the auditors if there is a dispute.  Appoint or replace the external auditor, who shall report directly to the Audit Committee.  Be directly responsible for the compensation and oversight of the work of the external auditor.
  • 16.
    16 16 The Audit Committee,continued  Other functions of the Audit Committee include:  Review copies of all external and internal audit reports and communications, and management’s response to them.  Review all financial communications and statements to be publicly issued.  Review the strategy, activity and work plan of the IAA.  Review evaluations of risk management, control and governance reported by the auditors.  Communication as necessary with the CEO.  Review policies to eliminate illegal and unethical practices.
  • 17.
  • 18.
  • 19.
    19 19 ConsultingServices  As wehave seen in the beginning, internal auditing has expanded to include consulting services.  Consulting services are defined as “advisory and related client services, the nature and scope of which are agreed upon with the client and which are intended to add value and improve an organization's operations.”  Examples include counsel, advice, facilitation, process design and training.
  • 20.
    20 20 ConsultingServices, continued  Consultingservices undertaken by the IAA may be formal or informal, and they may or may not be connected to an assurance engagement.  There are 12 principles to help guide the internal auditor.  Valueis addedby the IAA when they perform both assurance and consulting services. The IAA is in a very good position to provide consulting services to the company because of its professional standards and its knowledge of the company and its operations.  The fact that the IAA is able to provide consulting services (and any other appropriate services) should be includedin theinternalaudit charter. Additionally, any rules or standards applicable to the consulting services should also be included in the charter.
  • 21.
    21 21 ConsultingServices, continued  Principles,continued.  The IAA may also provide other services besides assurance and consulting, i.e., investigating fraud, and due diligence.  Consulting servicesdo not impair the objectivityof either the individual internal auditor or the IAA (objectivity is addressed in more detail separately). However, the auditor needs to remember that his/her first duty is as an auditor and so all actions need to be governed by the applicable internal audit guidelines and standards as applicable. Objectivity is not impaired as long as the internal auditor provides advice and does not take ownership of a specific process.
  • 22.
  • 23.
    23 23 1100: Independence andObjectivity Independence is an issue for the internal auditor, as well as the external auditor.  Because internal auditors are auditing the company that employs them, it is impossible for the internal auditors to be independent in the same manner as external auditors.  Therefore, internal auditors use a different term to refer to the way they act in the performance of their work. The term is “objective.”  Internal auditors must be objective in their work, and the IAA needs to be independent with the organization.  Considered independent and objective if they perform their work freely and objectively.
  • 24.
    24 24 Independence and Objectivity,continued  Independence is achieved largely through the organizational status of the IAA.  The independence of the IAA is enhanced if it reports directly to the board of directors.  If they report to the chief accountants and it is perceived that they do not add value to the organization, or are not viewed as important by the board, the IAA will have less independence and their work will be less useful to the organization.
  • 25.
    25 25 1110: Organizational Independence The ideal reporting line is for the CAE to report administratively to the CEO of the organization, and functionally to the audit committee, board of directors, or some other appropriate governing authority.  Functional reporting is the ultimate source of independence and authority for the IAA.  Administrative reporting is the reporting relationship within the organization’s management structure that facilitates the day-to-day operation of the IAA.
  • 26.
    26 26 1120: Individual Objectivity In addition to independence, the IAA as a whole has to remain objective.  Remaining objective means  Being impartial,  Having an unbiased attitude, and  Avoiding conflicts of interest.  Conflicts of interest should be minimized.  For example, someone involved in an engagement should not audit an area where that person’s friend works.  In addition, the acceptance of a gift or money from a client will impair the objectivity of the auditor, even if the auditor maintained objectivity.
  • 27.
    27 27 1130: Impairments toIndependence or Objectivity  Any time that there is a conflict of interest, or objectivity has been impaired, the auditor should inform the CAE and the auditor should be removed from that particular engagement.  If impairment arises during an engagement, it should be reported immediately to the manager of the engagement.  Objectivity is not considered impaired if the auditor recommends standards of control or review procedures before being implemented.  Objectivity is considered to be impaired if the auditor designs, installs, or draft procedures for, or operates such systems.
  • 28.
    28 28 Impairment to Objectivity,continued  Objectivity is assumed to be impaired if an auditor performs an assurance review of any activity over which he or she recently had responsibility.  Individuals who are assigned to or transferred to the IAA should not audit areas that worked unit a reasonable period of time has elapsed (at least one year).
  • 29.
    29 29 Objectivity in ConsultingEngagements For a number of reasons it is more common for internal auditors to provide consulting services relating to operations for which they had previous responsibility.  This is not forbidden, but the internal auditor should still act in an independent and objective manner.  To assess objectivity, the internal auditor should consider:  The appropriate requirements of the standards of the profession.  Expectations of the stakeholders, directors, the audit committee and legislative bodies.  Restrictions that are in the charter.  Disclosures that may be required by standards.  Subsequent audit work, its scope and coverage.
  • 30.
  • 31.
    31 Proficiency and DueProfessional Care 31
  • 32.
    32 32 1200: Proficiency andDue Professional care  The Standards states that “Engagements must be performed with proficiency and with due professional care.”
  • 33.
    33 33 1210: Proficiency  Proficiencyis when an individual possesses the knowledge, skills and other competencies needed to perform their individual responsibilities.  The skills and knowledge necessary for the internal auditor to perform his or her job will depend on the work needed to be performed. For example, if an internal auditor does a lot of financial statement work, then he or she needs skills related to the appropriate GAAP (IFRS, US GAAP…).  On the other hand, if an internal auditor works in the area of internal controls, then detailed knowledge of GAAP would probably not be necessary.
  • 34.
    34 Proficiency, continued  Relatedto proficiency are two other terms that you have to understand. These terms are understanding and appreciation.  Understanding is the ability to  Apply broad knowledge to situations likely to be encountered,  Recognize material deviations, and  Be able to perform research to arrive at conclusions.  Appreciation is the ability to:  Recognize the existence of problems and potential problems, and  Determine if further work is required. 34
  • 35.
    35 35 Proficiency, continued  Ifthe internal auditor does not have the needed skills and competencies to perform the engagement, the CAE has to either decline the engagement or go outside the department to get the skills.  If using the services from an outside service organization, the CAE also needs to consider the independence and objectivity of the outside organizations.  Any work done by an outside organization needs to be reviewed by either the CAE or other internal person with sufficient experience and understanding to review the work.
  • 36.
  • 37.
    37 37 1220: Due ProfessionalCare  Due professional care means that internal auditors need to apply the skill and care expected of a reasonable competent and prudent internal auditor.  This means that an internal auditor is not expected to perform a detailed review of every statement or document they receive, but are expected to examine and verify the documents as appropriate given the information contained in them.  Material items will be examined in more detail than immaterial items.
  • 38.
  • 39.
    39 39 1230: Continuing ProfessionalDevelopment  Certified Internal Auditors (CIA) are required to maintain the skills and knowledge necessary to successfully complete their tasks, which is done through Continued Professional Development, referred to as Continuous Professional Education (CPE).  CPE is a method of helping keep the internal auditor informed about improvements and current developments in internal audit standards, procedures, and techniques.  CIAs must obtain sufficient CPE credits in order to satisfy requirements related to the professional certification held.
  • 40.
    40 Quality Assurance andImprovement Program 40
  • 41.
    41 41 1300: Quality Assuranceand ImprovementProgram  A function of the CAE is to be assured of the quality of the work performed by the internal audit activity.  Based on the Standards, the CAE must develop and maintain a Quality Assurance and Improvement Program (QAIP) that covers all aspects of the IAA and continuously monitors its effectiveness.  The QAIP should include both  Periodic internal and external quality assessments and  Ongoing internal monitoring.  In essence, the IAA is really auditing itself.
  • 42.
    42 42 1310: Requirement ofQAIP  The CAE is responsible to implement a quality program that monitors and assesses the overall effectiveness of the quality program.  Quality program must include both internal and external assessments.  The purpose of the quality program is for the company’s stakeholders to feel comfortable with the services the IAA is providing to the organization.
  • 43.
    43 43 1311: Internal Assessments Internal reviews should be carried out periodically to assure the CAE that subordinates are complying with the Standards and other applicable criteria.  Internal assessment must include ongoing review of performance of the IAA, as well as a periodic review of the program from an independent person within the organization who is familiar with the internal auditing program.  Ongoing review could include:  Supervising the internal auditor’s work during an engagement,  Feedback from audit customers and other stakeholders,  Analyses of performance metrics (e.g., cycle time and recommendations accepted), and  Project budgets, cost recoveries, etc.
  • 44.
    44 Internal Assessments, continued Periodic internal assessments may:  Be more in-depth interviews and surveys of stakeholder groups,  Be performed by members of the IAA (self-assessment),  Be performed by CIAs, or other competent audit professionals,  Encompass a combination of self-assessment and preparation of materials subsequently reviewed by CIAs, or other competent professionals, and  Include benchmarking of the IAA practices and performance metrics against relevant best practices of the internal audit profession.
  • 45.
    45 45 External Assessments  Externalassessments are performed by an external party.  It is recommended that an external assessment is conducted at least once every five years.  External reviewers must be independent of the organization and of the IAA.  External assessor will tend to focus on:  The adequacy of the IAA charter,  The goals, objectives, policies and procedures of the IAA,  Whether or not the IAA complies with the Definition of Internal Auditing, Code of Ethics, and Standards,  The skills and work performed by the individuals in the IAA, and  Whether or not the IAA adds value and improves operations.
  • 46.
    46 46 External Assessments, continued There are two approaches to conducting an external assessment: 1. Have a full external assessment conducted by an external assessor, or review team, or 2. Have an independent validation of the internal self- assessment and a report completed by the internal audit activity.  You would prefer to have the full external assessment, but might not always be possible, or practical. Examples, might include:  Be in an industry that is subjected to strict regulation and supervision,  Have been subjected to an external review in which there was extensive benchmarking with best practices, and
  • 47.
    47 47 1320: Reportingon theQAIP  The results of the external assessment must be reported to the board.  The assessor issues a formal, written report that contains an opinion on the IAA’s compliance with the Standards.  The report should also address compliance with the IAA charter and other applicable standards and include appropriate recommendations for improvement.  Appropriate follow-up is the responsibility of the CAE.
  • 48.
    48 48 1321: “Conforms withtheStandards”  Internal auditors are encouraged to report that their activities conforms with the International Standards for the Professional Practice of Internal Auditing.  This statement can be used only if the quality assessments demonstrate that the internal auditors are, in fact, in compliance with the Standards.  In case full compliance is not possible due to lack of skilled and qualified personnel, or for some other reason, disclosure of noncompliance should be made to senior management and the board. Noncompliance might be due to the lack of skill and qualified people, or for some other reason.
  • 49.
  • 50.
    50 The IIA ‘Codeof Ethics’ 50
  • 51.
    51 51 The IAA‘Codeof Ethics’ The ‘Code of Ethics’ is intended to be an ethical guide of conduct for internal auditors.  The IAA ‘Code of Ethics’ applies to both individuals and entities that provide internal auditing services.  The two essential components of the Code are:  Principles are the values that internal auditors are expected to uphold, and  Rules of Conduct are an aid for interpreting the Principles into practical applications and are intended to guide the ethical behavior of the internal auditors.
  • 52.
    52 52 Principles  There arefour principles that internal auditors are expected to follow: 1. Integrity – The integrity of the internal auditors establishes trust and thus provides the basis for reliance on their judgment. 2. Objectivity – The internal auditors are expected to exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. 3. Confidentiality – Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so. 4. Competency - Internal auditors apply the knowledge, skills, and experience needed in the performance of internal auditing.
  • 53.
    53 53 Rulesof Conduct 1. Integrity- Internal auditors:  1.1. Shall perform their work with honesty, diligence, and responsibility. [In other words, the auditor does the right thing.]  1.2. Shall observe the law and make disclosures expected by the law and the profession.  1.3. Shall not knowingly by a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.  1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.
  • 54.
    54 54 Rulesof Conduct 2. Objectivity– Internal auditors:  2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.  2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment. [For example, a material gift (use of beach house) is considered to impair objectivity.]  2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review. [For example, there may be some items that were capitalized instead of expensed. This fact needs to be disclosed to management and the Audit Committee.]
  • 55.
    55 55 Rulesof Conduct 3. Confidentiality– Internal auditors:  3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.  3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization. 4. Competency – Internal auditors:  4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience.  4.2. Shall perform internal auditing services in accordance with the International Standards for the Professional Practice of Internal Auditing.  4.3. Shall continually improve their proficiency and the effectiveness and quality of their services.
  • 56.
  • 57.
    57 57 SECTION B MANAGING THEINTERNAL AUDIT ACTIVITY
  • 58.
    58 58 Section B  SectionB covers the topics of planning, communications, resource management, policies and procedures, and coordination.  This section will account for approximately 15 – 25% (15 – 25 questions) of the Part 1 Exam.  The main topics within this section are:  Planning and Communication,  Resource Management,  Policies and Procedures, and  Coordination.
  • 59.
    59 59 2000: Managingthe IAA The CAE must manage the IAA to ensure that it adds value to the organization as a whole.  The CAE’s responsibility is to ensure that:  The engagement work fulfills the general purposes and responsibilities described in the charter that was approved by senior management and accepted by the board of directors (or audit committee).  The resources of the IAA are efficiently and effectively employed.  Engagement work that is performed conforms to the Standards for the Professional Practice of Internal Auditing.
  • 60.
    60 60 2010: Planning  TheCAE must establish risk based plans to determine the priorities of the IAA, and make certain that they are consistent with the organization goals.  Planning includes the establishment of:  Goals,  Engagement work schedules,  Staffing plans and financial budgets, and  Activity reports.  Now we want to discuss next category in more depth.
  • 61.
    61 61 Goals  The goalsthat are set for the IAA should be:  Specific - Goals should be specifically defined.  Measurable - The method of measuring the goals should be defined.  Agreedto – All interested parties should agree on the stated goals. Interested parties include senior management and the board.  Realistic andAchievable– Goals must realistic and they should be attainable. If they’re not, then they are superfluous.  Timely- Goals should be specific as to when they are to be achieved. As we can see, the goals of the IAA should be SMART.
  • 62.
    62 62 Engagement WorkSchedule  Theengagement work schedule is a critical responsibility and is relevant at both the larger IAA level as well as each individual engagement.  Specific work schedule should include:  What engagements should be performed,  When they will be performed,  The estimated time required to perform the engagements, and  Which engagements should be given higher priority.  Once these questions have been answered, it is then possible for the individual work program for a specific engagement to be developed.
  • 63.
    63 63 Engagement WorkSchedule, continued The CAE makes the final decision regarding which engagements will be performed.  The consideration of risk is one of the most important elements in determining which engagements have the highest priority.  But, risk is not the only factor in prioritizing the engagements. Other important factors are:  The length of time since the last engagement was performed.  Request from senior management, audit committee, etc.  Changing circumstances in the business, programs, etc.  Changes in risk environment.  Potential benefits that could be achieved.  Changes in the skills of the staff.
  • 64.
    64 64 Long-termPlanning  The CAEneeds to look beyond the short or immediate term.  The CAE needs to establish a longer term strategic plan.  The purpose of this plan is to make sure that all areas of the business are audited at least periodically.  Some areas (based on risk assessment) might need annual auditing, or even more often, while other areas may be addressed once every two or three years.  Without a long-term plan, it could be possible that one area of the business would never be audited because it would never meet the requirements for the short-term audit.
  • 65.
  • 66.
    66 66 2030: Resource Management The CAE has to make sure the internal audit staff are professional. This means the “right people are in the right positions.”  According to the Standards, “the CAE must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.”  The CAE needs to oversee the assignment of individual staff to the engagements (both short and long term).  In the short term, engagements should be staffed by auditors who can get the job done at the highest level.  However, in the long term, staff might be assigned to jobs that will allow them to grow so they can become senior auditors.
  • 67.
    67 67 Resource Management, continued Some of the things to consider when assigning staff to individual engagements.  The complexity of the engagement,  The resources that are available in IAA,  The experience (skill level) of the staff, and  The training and developmental needs of the audit staff.
  • 68.
    68 68 Recruitingand Promoting  Abig issue for the IAA is its ability to recruit qualified audit staff and keeping them within the organization.  This is something that both the CAE and the HR function will be involved in.  When recruiting, the most important criterion is the education and experience of the candidate.  This does not mean that every candidate needs to be a CIA, but they should be able to provide some indication that they can get the job done.  Not every staff member needs to be a trained accountant.  Candidates should be good communicators (both written and oral).
  • 69.
    69 69 Recruitingand Promoting, continued Once the staff has been hired, the next HR issue relates to staff promotion and filling of higher-level positions in the IAA.  When a higher-level position become available, there are two basic options in filling the position.  Hire someone from inside the organization, or  Hire someone outside the organization.  The advantage of hiring someone from inside the organization are:  It is often done quicker and requires less ‘start-up’ time for the person.  The person knows the company, so there is less risk involved.  It is also a good motivating factor.
  • 70.
    70 70 Recruitingand Promoting, continued Hiring someone from outside the organization is riskier, but it also has its advantages.  The outside person could bring new ideas and new perspective to the job.  It is also possible that management training costs could be lower since it is assumed that the person is already trained.  An important basis for recruitment and promotion of staff is the job description.  The job description lists the necessary skills and requirements for the position.  Having detailed and complete job descriptions makes it easier for the CAE to determine if the IAA is properly staffed.
  • 71.
    71 71 Training, Staff Developmentand Performance Evaluations  The CAE is also responsible for the training, counseling and performance evaluations of the staff.  Training should have the goal of providing the staff with the necessary skills to perform their jobs in the short term, and broaden skills in the long term.  A well-developed training program is an excellent recruiting tool for the company.  Counseling and mentoring program is an excellent way of developing staff.
  • 72.
    72 72 Training, Staff Developmentand Performance Evaluations  Performance appraisals should be conducted at least annually, and more often if needed.  Performance reviews give employees the opportunity to identify their weaknesses and give them an opportunity to improve their performance.  The evaluation should not be based on likes or dislikes, or other non-job related factors.  There should be sufficient time for everyone to prepare for the evaluation.  The evaluation can be a standard form (and will be standard form in large companies).
  • 73.
  • 74.
    74 74 2060: Reportingto SeniorManagement and Board  “The CAE must periodically report to senior management and the board on the IAA’s purpose, authority, responsibility, and performance relative to its plan.”  “Reporting must also include significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by senior management and the board.”
  • 75.
    75 75 ActivityReports  The CAEmust submit and activity report to senior management and the board at least once a year.  This should be done if the work volume or nature of the work requires closer involvement of the board. This may be the case if there are high-risk areas that are being audited.  Activity reports should:  Be communicated in writing (preferably),  Highlight significant engagement observations,  Identify recommendations that have arisen from the engagement,  Compare actual performance with the IAA’s goals,  Compare expenditures to financial budgets.
  • 76.
    76 76 Significant Engagement Observations Significant observations are those conditions that, in the judgment of the CAE, could adversely affect the organization.  Examples might include: illegal acts, errors, inefficiency, waste, ineffectiveness, conflicts of interest, and others.  After discussion with senior management, the CAE should communicate these significant engagement observations and recommendations with the board, whether or not they have been satisfactorily resolved.
  • 77.
    77 77 Management Responsibility forSignificant Engagement Observations  Management is responsible to make decisions on the appropriate action to take regarding significant engagement observations and recommendations.  Management may decide to assume the risk of not correcting the reported condition because of cost and other considerations.  Management needs to inform the board of their decision on all significant observations and recommendations.  Internal auditors should only provide the information and alternative courses of action.
  • 78.
    78 78 CAE Considerations onReportingSignificant Engagement Observations  The CAE should consider whether it is appropriate to inform the board regarding previously reported, significant observations and recommendations in those instances where senior management and the board assumed the risk of not correcting the reported condition.  If the board is aware of the risks and has chosen to not address them, the item probably does not need to be reported each year.  However, if there has been significant changes in the organization, board, or senior management, the item should probably be reported again.
  • 79.
    79 79 Relationship withAudit Committee Internal auditors are the “eyes and ears” of the audit committee.  Internal auditors should be the committees’ trusted advisors.  Keys to the relationship are:  Assisting the audit committee to ensure that its charter, activities, and processes are appropriate to fulfill its responsibilities.  Ensuring that the charter, role, and activities of internal audit are clearly understood and responsive to the needs of the audit committee and the board.  Maintaining an open, effective communications with the audit committee and the chairperson.
  • 80.
    80 80 Communications withthe AuditCommittee  To a great extent, the effectiveness of the CAE will revolve around the communications between the CAE and the audit committee.  Good communications is fostered by:  Meeting regularly with the committee to discuss sensitive issues.  Providing annual summary reports.  Issuing periodic reports summarizing results of the IAA.  Keeping the audit committee informed of emerging trends, etc.  Discussing fulfillment of committee information needs.  Reviewing information submitted to the committee for completeness and accuracy.  Confirming there is an effective and efficient work coordination of activities between internal and external auditors.
  • 81.
  • 82.
    82 82 2020: Communication andApproval  CAE needs to ensure that the plans and resources requirements are communicated to senior management and to the board for review and approval.  Communications should include any significant interim changes, and the impact of resources limitations.  Engagement plans and resource requirements must be submitted on an annual basis and should include a summary of the IAA’s work schedule, staffing plan and financial budget.  This type of information will ascertain whether the IAA objectives and plans are congruent with the organization.
  • 83.
    83 83 2040: Policies andProcedures  The CAE must also establish policies and procedures to guide the IAA and the individual internal auditors in their work.  The extent, depth and formalization of the policies and procedures will depend upon the size and structure of the IAA and the complexity of the IAA’s work.  A small IAA will be managed much more informally with a lot of personal and daily contact.  A larger IAA will be managed much more formally with a more formal set of policies and procedures.
  • 84.
  • 85.
    85 85 2050: Coordination ofActivities  The CAE has the responsibility to share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts.  Internal and external participants might include:  External auditors,  Regulatory oversight bodies (e.g., government auditors, etc.), and  Other internal assurance functions (e.g., health and safety dept.)
  • 86.
    86 86 Coordination withExternal Auditor Coordination with external auditor is important because of the potential to increase the efficiency of both audit areas and reduce the cost of the external audit.  Two main reasons why the level of coordination between the external and internal auditors is growing and becoming more of an issue for companies:  The internal auditing profession has become increasingly professional with more internal auditors being former external auditors or professional internal auditors.  The cost of external audit has grown so much in recent years that companies are looking for any way to reduce the costs.
  • 87.
    87 87 Assistance Provided bythe Internal Auditor  This is the area where the CAE can reduce the cost of the external audit by providing support, direction and do some of the testing for the external auditor.  Before the external auditor will rely on any of the work of the internal auditor, the external auditor needs to assess the competence and objectivity of the internal auditor.  Competence is whether or not the IAA has the needed skills and abilities to perform acceptable work.  Objectivity is whether or not the IAA performs its work without any influence from management or others in the organization.  Even if the the external auditor relies on the work done by the IAA, the external auditor will still need to review the work of the IAA.
  • 88.
    88 88 Assistance Provided bythe External Auditor  There might be cases where the work of the external auditor will be beneficial and useful to the internal auditor.  In these cases, the internal auditor can rely on some of the work performed by the external auditor, as long as the CAE is comfortable with the work that was done by the external auditor.  Just as the external auditor reviewed the work of the internal auditor, the internal auditor will want to review the work that was done and the conclusions drawn.  Review of the external’s work will require the permission of the external auditor.
  • 89.
    89 89 Control andUse ofthe Auditors’ Working Papers  Working papers contain all of the work and tests that were performed during the engagement and they will be the basis for the conclusions drawn by the internal auditor.  Working papers belong to the party that developed them.  This means that the working papers of the external auditor belong to the external auditor.  Likewise, the working papers of the internal auditor belong to the internal auditor.  The CAE should not provide the external working papers to anyone without the permission of the external auditor.
  • 90.
  • 91.
    91 91 Coordination withRegulatoryBodies  Someindustries such as banking and insurance are heavily regulated. Thus, they will be audited by a government agency.  In these cases, the CAE should coordinate audits with the regulatory body that is responsible for the oversight of the company.  This coordination should be done with the approval of the board.  A benefit to the organization is that the internal auditor would be given the chance to provide of compliance testing through its internal working papers and other documents.
  • 92.
    92 92 Coordination withother InternalAssurance Functions  It is possible that there are other dept within the organization are equally concerned with control.  Even though, their interest might be only on the technical aspect, it is highly probably that these control measures may complement the internal auditor’s interest in the administrative forms of controls. Examples might be:  Security dept is concerned with control over specific irregularities.  Quality control dept is concerned with control over product reliability and conformance to specifications.  Safety and health dept is concerned with control over accidental prevention.  Industrial engineering dept is concerned with control over operating practices and procedures.
  • 93.
  • 94.
  • 95.
    95 95 Sarbanes-Oxley Act  ThePublic Company Accounting Reform and Investor Protection Act of 2002, or more commonly referred to as the Sarbanes-Oxley Act (SOX) was enacted in response to the accounting scandals of Enron, WorldCom and others.  The primary purpose of SOX is to:  Improve quality and transparency of financial reports.  Enhance the standard setting process for accounting practices.  Strengthen the independence of public accounting firms.  Increase corporate responsibility.  Protect the objectivity and independence of securities analysts.
  • 96.
    96 96 SOX provisions  Manyof the act’s provisions had to do with the external auditor, but many had to do with internal control issues, particularly in regard to the audit committee and board.  These provisions include:  Audit committees are to be directly responsible for the appointment (subject to shareholder approval), compensation, and supervision of the registered public accounting firm. This overview includes resolution of any disagreements between management and the auditor regarding financial reporting.  Audit committees are to be provided with the proper authority and funding to engage independent counsel and advisors.  Auditors (both internal and external) are required to report to the audit committee.  Members of audit committee have to be independent.
  • 97.
    97 97 SOX provisions  Theaudit committee should have at least one financial expert. If not, then the fact should be disclosed.  Audit committee should adopt written procedures to receive and address complaints regarding accounting, internal controls and auditing issues, including procedures to maintain the confidentiality of the whistle blower.  It is unlawful for any corporate officers or director to knowingly to manipulate or mislead any accountant engaged in preparing an audit for the purpose or rendering the audit report materially misleading.  There should be a statement saying management is responsible the company’s internal controls.  The company is required to disclose whether it has adopted a Code of Ethics.
  • 98.
  • 99.
    99 99 SECTION C NATURE ofthe INTERNAL AUDITOR’S WORK
  • 100.
    100 100 Section C  InSection C we start to discuss the nature of the internal auditor’s work, including what it entails and how it contributes to the improvement of an organization’s risk management, control and governance processes.  Control and control processes will be discussed in Section D.  This section will account for approximately 15 – 25% (15 – 25 questions) of the Part 1 Exam.
  • 101.
    101 101 2100: Nature ofthe Internal Auditor’s Work  The work that the internal auditor is going to be doing is diverse and covers all of the different areas of the business.  The function of the IAA is to contribute to the improvement of risk management, control and governance processes.  “The adequacy of risk management, control, and governance processes is present if management has planned and designed for these items in a manner, which provides reasonable assurance that the organization’s objectives and goals will be achieved efficiently and economically.”
  • 102.
    102 102 Nature of Work Management is responsible:  For the sustainability of the whole organization, and  Accountability for the organization’s actions, conduct and performance to the owners, other stakeholders, regulators, and general public.  Primary purpose of the overall management process are to achieve:  Relevant, reliable and credible financial/operating information,  Effective/efficient use of the org. resources,  Safeguarding of assets,  Compliance with laws, regulations, etc.,  Identification of risk exposures and use of strategies to control them, and  Establish objectives and goals for operations or programs.
  • 103.
    103 103 Nature of Work,continued  Control is any action taken by management to enhance the likelihood that established objectives and goals will be achieved.  Controls may be:  Preventive – to deter undesirable events from occurring,  Detective – to detect and correct undesirable events which occur, or  Directive – to cause or encourage a desirable event to occur.
  • 104.
  • 105.
    105 105 Information Security  Itis management’s responsibility to ensure that company information is properly safeguarded.  Internal auditors should also work to ensure that any potential problems related to information security will be reported to management and the board.  The CAE has to make certain that the IAA has the necessary skills and resources to evaluate the information security.  Internal auditors need to assess the effectiveness of the controls in place.  This assessment should be made periodically, including recommendations for improvement.
  • 106.
    106 106 The Internal Auditor’sRole in Risk Management  Risk management is the responsibility of management.  The role of the IA is to assist both management and the board, i.e., audit committee by examining, evaluating, reporting and recommending improvements on the adequacy and effectiveness of management’s risk processes.  The role of the IA is likely to be determined by such factors as culture in the organization, ability of the IA staff, and local conditions and customs of the country.  If IA’s come across risk exposures in any engagement, this should be addressed and evaluated further as necessary.
  • 107.
    107 107 IA’s Role withouta Risk Management Process  Possible that the company does not have an established risk management process.  If this is the case, than the IA needs to bring this to the attention of management.  It is generally acceptable for IA to play a proactive role in the development of such system.  However, caution must be taken to ensure that the IAA is not too closely involved as this might impair their independence for future work regarding risk.
  • 108.
    108 108 Compliance Programs  Allcompanies in all countries have to be in compliance with something.  Compliance programs provide guidance for individuals within the organization to prevent inadvertent employee violations, detect illegal activities and discourage intentional employee violations.  In addition, these compliance programs can also help prove insurance claims, determine director and officer liability, create or enhance corporate identity, and decide the appropriateness of punitive damages.  Regarding compliance, organizations should develop a written business code of conduct.
  • 109.
    109 109 Compliance Programs, continued In addition, there should be an organizational chart that outlines who is responsible for compliance issues.  The code of conduct must be communicated to all members of the organization once it is created.  Important that the code is enforced in the same manner for all individuals, regardless of level.  When a violation occurs, it must be documented and kept in the individual’s personal file. This is necessary to support why the individual was fired.  The violation should be documented even if not significant disciplinary action is taken.
  • 110.
  • 111.
    111 111 Control & AuditImplications of E-commerce Activities  E-commerce is defined as “conducting commercial activities over the Internet.” E-commerce can be B2B (business to business), B2C (business to consumer), and B2E (business to employee).  Major elements of auditing E-commerce are:  Assess the internal audit structure, including the tone at the top,  Provide reasonable assurance that goals and objectives can be achieved,  Determine if the risks are acceptable,  Understand the information flow,  Review interface issues,  Evaluate the business continuity and disaster recovery plans.
  • 112.
    112 112 E-commerce, continued  TheCAE needs to assess whether the IAA has the necessary skills and capacity to conduct an E-commerce engagement.  Factors that constrain the IAA are:  Does the IAA have the sufficient skills to conduct the engagement?  Are training or other resources necessary?  Is the staffing level sufficient for the near-term and long-term?  Can the expected audit plan be delivered?
  • 113.
    113 113 E-commerce, continued  Thedifference between auditing a regular business system and an e-commerce system are that  There may not be any hard copies,  Some data may exist for a very short period of time, or  There is no paper trail at all.  The critical risk and control issues that the IA must address are:  General project risk,  Specific security threats, such as denial of service, physical attacks, viruses, identity theft, and unauthorized access or disclosure of data,  Maintenance of transaction integrity under complex network of links to legacy systems and data warehouses,
  • 114.
    114 114 E-commerce, continued  Websitecontent review and approval when there are frequent changes and sophisticated customer features and capabilities that offer around-the-clock service,  Rapid technology changes,  Legal issues, such as increasing regulations throughout the world to protect individual privacy; enforceability of contracts outside of the organization’s country; and tax and accounting issues, and  Changes to surrounding business processes and organizational structures.
  • 115.
    115 115 Audit Objectives forE-commerceAudit  The audit objectives for an E-commerce engagement may include:  Evidence of E-commerce transactions,  Availability and reliability of security systems,  Effective interface between E-commerce and financial systems,  Security of monetary transactions,  Effectiveness of customer authentication process,  Compliance with common security standards,  Effective use and control of digital signatures,  Adequacy of systems policies and procedures,  Adequacy and timeliness of operating data and information,  Documented evidence of an effective system of internal control.
  • 116.
  • 117.
    117 117 Environmental Risks  Internalauditors should include risks in the areas of the environment, health and safety (EH&S).  This is particularly important where there are very high fines and penalties for environmental damages, employees rights lawsuits, and safety liability.  The CAE needs to determine that these risks have been assessed and addressed as needed.  In larger companies, this may be done by a separate environmental audit function.  When there is a separate function, the org. needs to make sure that it does not report to the group or individuals responsible for these areas.
  • 118.
    118 118 Privacy  Privacy includes“individuals’ rights to be left alone and for any pertinent information of an individual not to be disclosed by other parties that happen to possess such information. This means that a company must keep control over the personal information it has about its customers and may not release this information to third parties without parties without the individual’s agreement.”  The privacy of information is also maintained and not distributed to unauthorized people, even within the organization. Example, the company’s database should not be disclosed to a third party without the proper consent of the customer.
  • 119.
    119 119 Privacy, continued  Implicationsto the organization for these vulnerabilities are numerous.  To the individual, this could be embarrassment, inconvenience, unfairness, and others.  To the organization, these negative implications could include lawsuits, penalties, fines and of particular importance, negative goodwill and negative publicity.  There are no guarantees, but organizations have the responsibility to ensure that all reasonable measures have been enacted to safeguard data and information.
  • 120.
    120 120 2110: Risk Management The IAA must assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.  Risk is the probability that some future envent or action could adversely impact the organization. Risk is based in terms of impact (in dollars) and likelihood (probability).  Risk assessment is the process of assessing and integrating professional judgment about probable adverse conditions and/or events.  Risk management is the process to identify, assess, manage, and control potential events or situations, to provide reasonable assurance regarding the achievement of the organizations
  • 121.
    121 121 Roles in RiskManagement Process  The responsibility of assessing the potential risks falls on the shoulders of management.  This is an on-going process and management has the responsibility to review and make necessary changes in order to mitigate potential risks that can hinder the achievement of objectives.  The board of directors (and audit committee) have the responsibility to provide an oversight role, making sure that the proper level of risk management is in place and effective.
  • 122.
    122 122 Roles, continued  InternalAuditors assist management, board, and/or committee by examining, evaluating, testing, reporting and recommending improvements in the adequacy of the organization’s risk management system.  The IAA’s role in the risk management process can range from:  No role, to  Auditing the risk management process as part of the internal audit plan, to  Active, continuous support and involvement in the risk management process.  Managing and coordinating the risk management process. In this case, the IA is not taking ownership of the risk, only the process.
  • 123.
    123 123 Assessing the Adequacyof Risk Management Process  The IAA should evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding the:  Reliability and integrity of financial and operational information,  Effectiveness and efficiency of operations,  Safeguarding of assets, and  Compliance with laws, regulations, and contracts.  The five key objectives of a risk management process are: 1. Risks that arise are identified and prioritized. 2. Management and the board have determined the level of risk that is acceptable to the organization.
  • 124.
    124 124 Risk Management Processes 3.Risk mitigation activities are designed and implemented to reduce risk at levels that are acceptable. 4. Risk is periodically reassessed on an ongoing basis. 5. Reports are given periodically to the board and management on the results of the risk assessment process.  The IAA needs to assess whether or not these five objectives have been met in order to form an opinion on the adequacy of the risk management processes.  Internal auditors need to continuously look for things that may indicate a problem or cause for concern related to risk management.
  • 125.
    125 125 Assessing the Adequacyof Risk Management ProcessesforFormal ConsultingServices  Consulting service is defined as advisory and related client service activities, the nature and scope of which are agreed upon with the client, i.e., counsel, advise, facilitation and training.  Internal auditors should address risk consistent with the engagement’s objectives and should be alert to the existence of other significant risks.  With consulting services, the internal auditor should:  Determine the significance of exposures or weaknesses and the actions taken or contemplated to mitigate or correct these exposures or weaknesses; and  Ascertain the expectations of management, the audit committee and board in having these matters reported.
  • 126.
  • 127.
    127 127 Business Continuity Process Business continuity process has to do with the organization’s ability to continue to operate during some sort of crisis or disaster, and its ability to restart operations after having been interrupted.  It is not a matter if a crisis will occur, but when.  Internal auditors can assist in the planning for disasters and other interruptions to the business; evaluate the design and comprehensiveness of the plan after it has been drawn up; and perform periodic assurance engagements to verify that the plan is kept up-to-date.
  • 128.
    128 128 Business Continuity Process,continued  Need to be aware that disaster recovery plans can become quickly outdated.  Coping with and responding to changes is an inevitable part of the task of management.  Turnover of managers and executives and changes in system configurations, interfaces, and software can have a major impact on these plans.  The IAA needs to determine whether the recovery plan:  Is structured to incorporate important changes that could take place over time, and  The revised plan will be communicated to the appropriate people, inside and outside the organization.
  • 129.
    129 129 Internal Auditor’s Roleaftera Disaster  Once there has been a disaster, the internal auditor can play an important role immediately after a disaster occurs.  This is when the company is most vulnerable to lapses in controls and procedures, and could possibly lead to exploitation (internally and externally).  During recovery process the internal auditor should:  Supervise the effectiveness of the recovery and control of operations;  Identify areas where controls and mitigating actions can be improved;  Recommend improvements to the plan; and  Possibly provide support during the recovery activity.
  • 130.
  • 131.
    131 131 2130: Governance  TheIIA defines governance as the system by which organizations are directed and controlled.  Governance also includes the rules and procedures for making decisions on corporate affairs to ensure success while maintaining the right balance with the stakeholders’ interest.  The four cornerstones of corporate governance are the board, management, internal auditors and external auditors.  Effective governance means making sure that inappropriate and unethical behavior is not tolerated.  Review the 10 basic principles necessary in the development of sound corporate governance (pg. 72).
  • 132.
    132 132 Role of theIAA in the Governance Process  The IAA serves as the “eyes and ears” of management, audit committee and external auditors.  As such, the IAA should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:  Promoting appropriate ethics and values within the organization,  Ensuring effective organizational performance management and accountability,  Effectively communicating risk and control information within the organization, and  Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.
  • 133.
    133 133 Role of IAAin the Ethical Culture of an Org.  Corporate culture of the organization is very important in the creation of the ethical climate of the organization.  Ethical climate starts at the top, but all people should assume the role of ethics advocates.  Organizations use various forms, structure, strategies, and procedures to ensure that it:  Complies with society’s legal and regulatory rules,  Satisfies the generally accepted business norms, ethical precepts, and social expectations of society,  Provides overall benefit to society and enhances the interest of the specific stakeholders in both long term and short term, and  Reports fully and truthfully to its owners, regulators, other stakeholders, and general public to ensure accountability for its decisions, actions, conduct, and performance.
  • 134.
    134 134 IAA as EthicalAdvocate  Internal auditors and the IAA should take an active role in support of the organization’s ethical culture.  They possess a high level of trust and integrity within the organization and the skills to the effective advocates of ethical conduct.  They have the competence and capacity to appeal to the enterprise’s leaders, managers, and the other employees to comply with the legal, ethical, and societal responsibilities of the organization.
  • 135.
    135 135 Assessment of theOrganization’s Ethical Climate  Occasionally, the IAA should assess the state of the ethical climate of the organization and the effectiveness of its strategies, tactics, communications, and other processes in achieving the desired level of legal and ethical compliance.  Having written well-stated code of ethics does not necessarily guarantee that an organization will not have a higher standard of ethical behavior.  Nor does not having a code of conduct prevent the internal auditor from conducting a successful audit of ethical behavior since this behavior may already be documented in the company’s protocols.
  • 136.
  • 137.
  • 138.
    138 138 Section D  InSection D we will be covering topic of control, what it is, what are the components of control, and what are the tools used for controlling.  This section will account for approximately 20 – 30% (20 – 30 questions) of the Part 1 Exam.
  • 139.
    139 139 2120: Control  Itis through control that management is able to accomplish its wishes.  As defined by the IIA, control is “any action taken by management, the board, and other parties to enhance risk management and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.”
  • 140.
    140 140 DefiningControl  Control canalso be defined as “any action taken by management to enhance the likelihood that established objectives and goals would be achieved. Controls may be preventive (to deter undesirable events from occurring), detective (to detect and correct undesirable events which occurred), or directive (to cause or encourage a desirable event to occur). The concept of a system of control is the integrated collection of control components and activities that are used by an organization to achieve its objectives and goals.”
  • 141.
    141 141 Benefits of Control Controls are meant to provide assurance on the following:  Reliability and integrity of financial and operational information,  Effectiveness and efficiency of operations,  Safeguarding assets, and  Compliance with laws, regulations, and contracts.  Other benefits of control are:  Lower external audit costs,  Better control over and usage of company assets, and  More reliable information that may be used for decision making by managers and others in the company.
  • 142.
    142 142 Who Benefits fromHavingaStrongInternal Control System?  There are a number of diverse parties that are interested in the internal control system of a company:  Potential investors rely on the IC system to be able to evaluate management and the performance of the company.  External auditors will base the amount of work that they perform in part on the effectiveness of the IC system.  Legislative and regulatory bodies rely on the IC system to help ensure that the company is operating in compliance with applicable laws and regulations.  Management uses the information that comes out of the internal systems so management needs to make certain that the information that they receive is correct.  Customers benefit with reduced costs.
  • 143.
    143 143 Who is Responsiblefor Internal Controls  The Board of Directors is responsible for overseeing the internal control system.  The CEO is responsible for the “tone at the top.”  Senior management delegates the responsibility for the implementation of the IC system to the appropriate departments and personnel.  Financial and accounting officers and staff are the people with the most close contact with the IC system.  External parties such as independent auditors often provide information useful to effective internal control.
  • 144.
    144 144 The Internal Auditor’sRole in the Control Process  Internal auditors is to evaluate the effectiveness of the organization’s systems of controls based on the aggregation of many individual assessments.  These assessments might come from the internal auditors own engagements, or from management’s self-assessment, or from the external auditors.  During the course of the internal auditor’s own engagement, the internal auditor should communicate to the appropriate level of management any, and all control discrepancies and weaknesses.  If discrepancies or weaknesses are found, this does not necessarily mean that it is pervasive and poses an unacceptable risk to the company.
  • 145.
    145 145 Internal Auditor’s Role,continued  A report of the CAE on the state of the organization’s control processes should be presented, at least, once a year. More if deemed necessary.  The report should include major recommendations for improvement and information about current control discrepancies or weaknesses.  In addition the report can include information about current control issues and trends, such as technology and information security exposures, patterns of control discrepancies or weaknesses.  This information can add value to the report and minimize potential difficulties in complying with laws or regulations.
  • 146.
    146 146 Internal Auditor’s Role,continued  In regards to the internal auditors role, there is a term to be familiar with. This term is “expectancy gap.”  Expectancy gap is where on the one hand management and the board usually have high expectations as to the level of assurance that is provided by the IAA.  But, on the other hand, there is the reality of what the IAA can actually provide assurance on. The IAA can only provide reasonable assurance but not a guarantee.
  • 147.
  • 148.
  • 149.
    149 149 Control Self-Assessment (CSA) Control Self-Assessment (CSA) is an examination and assessment process of the effectiveness of the control system within an organization performed by the organization’s personnel with the help of facilitators.  This process is shared among all employees of the organization and responsibility for control is expanded to include all individuals of the organization.  The employees thereby become the process owners.  An important aspect of CSA is when people are able to identify their own problems, they are more committed to resolving them than they are if the same problems are identified for them in an audit.
  • 150.
    150 150 CSA, continued  Assessmentsare performed through a series of workshops or meetings or by means of questionnaires.  Assessments can be applied to any area of the organization: projects, processes, business units, or functions.  Whatever format is used, the goal is to help organizations assess the likelihood of achieving their objectives by using the knowledge of the workers who are responsible for making it happen.
  • 151.
    151 151 CSA Procedures  CSAprocedures include the following:  Identifying potential risks and exposures,  Assessing the control processes that mitigate or manage those risks,  Developing action plans to reduce risks to acceptable levels, and  Determining the likelihood of achieving the business objectives.
  • 152.
    152 152 Advantages of CSA For an organization the primary advantages of a CSA program are that it:  Enhances employee understanding of the company’s risk and controls.  Enhances employee control consciousness.  Provides a mechanism for early risk detection.  Encourages more open communication, teamwork and continuous improvement.  Empowers the employees and enhances accountability.
  • 153.
    153 153 Approachesto CSA  EachCSA program that is implemented by an organization should be customized to fit that organization.  This means that the program should be dynamic and be able to change as the organization changes.  The three primary approaches to CSA are:  Facilitated team workshops,  Surveys / Questionnaires, and  Management-produced, or self-auditing/self certification.  Organizations often combine more than one approach to accommodate their self-assessment.
  • 154.
    154 154 Facilitated TeamWorkshop  Thefacilitated team workshop is the process of gathering information from work teams that represent different levels in the organization.  For a facilitated team workshop, there needs to be a facilitator who brings the team together, and in essence, facilitates the process.  It is crucial for the facilitator to have no hidden agenda.  The team members need to be very truthful about what is working well and what is not working well.
  • 155.
    155 155 Facilitated TeamWorkshop formats There are four basic CSA-facilitated meeting formats:  Control-based. This format reviews how well the control in place are working. The purpose of the workshop is to produce an analysis of the gap between how controls are working and how well management expects those controls to work.  Objective-based. This format focuses on the best way to accomplish the organization’s objectives. The aim of the workshop is to decide whether the necessary controls are in place and working effectively and are resulting in residual risks within an acceptable level.
  • 156.
    156 156 Facilitated TeamWorkshop formats,continued  Risk-based. This format focuses on listing the risks to achieving the organization’s objectives. The aim of the workshop is to determine significant residual risk. This workshop starts by listing all possible barriers, obstacles, threats and exposures that might prevent the organization from achieving its objects.  Process-based. This format focuses on selected activities that are elements of the process chain. The general aim of this workshop is to evaluate, update, validate, improve and even streamline the whole process and its component activities.
  • 157.
    157 157 Surveysand Questionnaires  Surveysor questionnaires tend to ask simple “Yes-No” or “Have-Have Not” questions.  The questions may be customized for the unit’s regulatory environment or other specific needs.  The questions relate to the primary internal controls and how the controls are monitored.
  • 158.
    158 158 Management-produced Analysis  Thisapproach does not use a facilitated meeting or survey.  Through this approach, management produces a staff study of the organizational processes.  The CSA specialist (who is generally an internal auditor) combines the results of the study with information gathered from sources such as other managers and key personnel.  The specialist then synthesizes the information and develops an analysis that process owners can use in their CSA efforts.
  • 159.
    159 Internal Auditor’s Rolein Quarterly Financial Reporting, Disclosures, and Management Certification
  • 160.
    160 160 IA’s Role inQuarterlyFinancial Reporting, Disclosures, and Management Certification  Because of the recent accounting scandals, internal auditors are now playing an even more important role.  The role the internal auditor plays may range from  The initial designer of the process, participant on a disclosure committee, coordinator, or  Liaison between management and its auditors, to  Independent assessor of the process.
  • 161.
    161 161 Recommended Actionsfor InternalAuditors  Summary of recommendations of the IA’s role, including:  Be involved in some capacity in the quarterly reporting and disclosure process.  Ensure that the organizations have written policies and procedures that govern the quarterly financial reports.  Encourage the establishment of a disclosure committee. This disclosure committee’s help with transparency.  Periodically review and evaluate the quarterly reporting and disclosure processes.  Recommend appropriate improvement in the policies, etc.  Compare processes for compliance with SOX.
  • 162.
  • 163.
    163 163 Establishingthe Control Process The control process is established by management.  Without any control process, the planning process becomes much less valuable and less useful to the organization than it should.  Three main steps in the control process are:  Setting the standards (objectives) that are to be achieved,  Measuring the performance against a standard, and  Evaluating the results and then correcting, or regulating the performance as a result of what was measured.
  • 164.
    164 164 Setting the Standards Setting Standards (Objectives) – When setting standards that are expected to be achieved in terms of something (Quantity – number of units produced, Quality – number of defects, Time – the length of time required, Cost – cost of materials), it is critical to use the item that is most responsible for the incurrence of additional costs.  After the achievable standards are determined, it is important to select the time (or point) in the process at which you will measure performance compared to the standard. These points are called Control Points.
  • 165.
    165 165 Setting the Standards,continued  Whatever standards an organization sets, the organization must remember that these are the standards for a moment in time.  The standards need to be reviewed on an ongoing basis and revised (or even eliminated) based on changes in the circumstances or processes.  It is important to get the people involved in the measurement process to also be involved in the process of developing the standards and methods used. By being involved, the employees will feel more ownership of the process and should be more motivated to achieve something that they contributed setting up.
  • 166.
    166 166 MeasuringPerformance  Every productor service can be measured in some way against some standard.  It is management’s job to determine what measurement is to be used.  For example, if management is simply trying to increase production, then efficiency measurements might not be appropriate.  Another important part of the measuring process is determining who is going to do the measurement.  Self-measurement is preferable in it builds employee morale and empowerment and it is cheaper.  Second party measurement is more expensive, but may lead to better and more pertinent results.
  • 167.
    167 167 MeasuringPerformance, continued  Aperformance report should be aligned with the objectives of the firm and include a specific time frame. This report should also be limited to items that are controllable by the person responsible. The report should not get into items that are outside the scope of the timeframe or the responsibilities of the person.
  • 168.
    168 168 Evaluation and Correction This is the critical part of the control process. Without this last part the control process is useless.  There are a number of items that you must keep in mind when making the evaluations of results.  Need to make sure you are comparing like items to like items.  If there are significant changes in the process from one period to the next, it is not accurate or effective to compare to prior periods.  It is easier to measure something that is either yes or no. For example, something like defects will be measured and evaluated this way.
  • 169.
    169 169 Evaluation and Correction,continued  However, some things are measured in a more subjective manner, for example, “How well does the person complete his or her tasks?”  These are trait-based decisions, and more care must be taken in the evaluation of the results and it may be best to have more than one person involved in the decision process.  Trait-based decisions are more subjective and more easily influenced by the emotions of the people involved.
  • 170.
    170 170 Systems of Control A control system is designed so it will help the company achieve or maintain the desired actions, behaviors or results.  There are three elements to any control system: input, processing, and output.  Systems may be classified as either open or closed.  Open system is impacted by its environment. System may receive uncontrollable input information from the outside and this information will affect the system.  Closed system does not receive any uncontrollable inputs. Example of a closed system is the one to regulate the temperature in your house.
  • 171.
    171 171 Feedback Element ofthe Control System  Feedback plays an important part in any control system.  Feedback ensures that a desired state is attained and maintained.  The five components to a feedback system are:  A control object – this is the element or variable that is being monitored,  The detector – this is what is happening in the control object,  The reference point – this is the standard that the control object is measured against,  The comparator (analyzer) – this is comparing what is happening and what should be happening, and  The activator – this is the decision-maker in respect to the decision.
  • 172.
    172 172 The Timingof Controls It is better to prevent mistakes than to detect them after they have occurred.  There are three types of controls that are classified depending on when in the production process the control identifies the defective unit.  Feedforward controls detect the problem before it occurs.  Concurrent controls operate at the same time as the production process.  Feedback controls identify when something has already gone wrong.
  • 173.
  • 174.
    174 174 Characteristics of EffectiveControls  An effective control system has the following characteristics.  Economical - there is a positive cost/benefit, meaning that the organization saves more than it costs to implement the control.  Meaningful – it is important to only control important items.  Appropriate – the control system should actually reflect what we are trying to measure and control.  Congruent – the control should be in line with what it is measuring.  Timely – the information must be available in enough time to act upon it.  Simple – the control must be understandable.  Operational – the control should provide benefit to real operations.
  • 175.
  • 176.
    176 176 Control andTechnology  Computertechnology has made it easier and cheaper to have control systems that cover many areas and that are able to provide real-time feedback.  Has lead to the increased popularity of Total Quality Management (TQM) and Reengineering.
  • 177.
    177 177 Total Quality Management(TQM)  The premise of TQM is that quality improvement is a way of increasing revenues and decreasing costs.  It is based on producing a product “right the first time.”  Another feature of TQM is quality circles. Quality circle is a small group of employees who work together and meet regularly to discuss and resolve work-related problems.  With TQM, every person in the organization is responsible for finding errors and correcting problems.
  • 178.
    178 178 Reengineering  Reengineering iswhen a company is determined to find a new way of doing something.  Reengineering is NOT simply improving an existing system, but developing a completely new system or approach.  Because of effort and time involved, reengineering should only be done for the most important processes.
  • 179.
  • 180.
  • 181.
    181 181 Means of AchievingControl  There are a number of different ways that internal controls can be set up. Some of the different means are discussed below:  Organizational methods is where responsibilities are split up so no one individual controls more than one part of a transaction (segregation of duties).  Policies are stated principles that provide guidance in behavior. Policies are directive controls. Policies should be clearly written and communicated to all employees. Policies should be occasionally reviewed to make sure they are still relevant.  Procedures are the actions for carrying out the policies.
  • 182.
    182 182 Means of AchievingControl, continued  Pre-numbered forms is another method to control and safeguard documents. Need to remember that no pre-numbered form should be disposed of, even if the form is not correct. In these cases, the pre-numbered form should be kept and stated that it was cancelled.  Personnel is making sure that good people are hired and there is a high standard of supervision. Employees should be trained and reviewed on a periodic basis.  Accounting is a crucial part of the system because this is where the financial information is accumulated and produced.  Budgeting is done so actual results can be compared with anticipated results. People who will be held responsible for the achievement of the budget should be involved in creating it.
  • 183.
    183 183 Means of AchievingControl, continued  Reporting has to do with management receiving the reports that are relevant to their responsibilities. Reports should not only include actual results, but compared against the budget. Reports have to be provided in a timely manner so management can act upon the information. This timeliness is control function that helps management identify potential problems.
  • 184.
  • 185.
  • 186.
    186 186 Internal Control Models A series of control models were developed during the 1990s. The models we will be looking at are:  Internal Control – Integrated Framework (COSO),  CoCo model, and  The IIA model.  For the most part, these controls have the same goal as to provide management with a better understanding of their control systems so they can make judgment about their effectiveness.
  • 187.
    187 187 The COSOModel  Duringthe 1980s there was a private sector initiative, sponsored by five organizations, that attempted to identify the causes of fraudulent financial reporting and to make recommendations to reduce its incidence.  The five sponsoring organizations are:  American Institute of Certified Public Accountants (AICPA),  American Accounting Association (AAA),  Institute of Internal Auditors (IIA),  Institute of Management Accountants (IMA), and  Financial Executives International (FEI).
  • 188.
    188 188 Componentsof Internal Control There are five components that make up internal control  The Control Environment,  Risk assessment,  Control activities,  Information and communication, and  Monitoring.  You can remember these components by the mnemonic CRIME (bolded letters).
  • 189.
    189 Control Environment, continued This is the most important element of internal controls because it is the basis on which the other elements are built.  This element sets the tone for the entire organization.  Control environment factors include:  Integrity, ethical values and the competence of the company’s people.  Management’s commitment to competence.  Human Resource policies and procedures.  Assigning authority and responsibility (assigning decision rights).  Management’s philosophy and operating style.  Board of directors and audit committee oversight.
  • 190.
    190 Control Environment, continued The control environment is set by management by the actions, deeds and behaviors. If management communicates and behaves in such a way to indicate that controls are important, employees are more likely to follow the controls in place.  Management plays the most important role in establishing the control environment.  Management’s commitment to competence is another factor influencing the control environment. All personnel need to be competent enough to accomplish their duties.
  • 191.
    191 191 Control Environment,continued  Controlsare more likely to work if management believes controls are important and communicate that support to all employees.  Organizations with effective controls set a positive “tone at the top.”  Transmit guidance both verbally and by example.  Foster a “control consciousness” by setting formal and clearly communicated policies and procedures that are followed at all times, without exception.  Making sure employees are in the right positions can be done through training, as well as providing counseling, and performance evaluations.  Board of directors is responsible for setting corporate policy and for seeing that the company is operated in the best interest of shareholders.
  • 192.
    192 Control Environment, continued A company’s organizational structure plays an important role in internal controls.  Factors that need to be properly addressed are:  Defining authority and responsibility, as well as the corresponding delegations,  Matching a structure with the needs of the business, and  Creating an atmosphere of accountability within the company
  • 193.
    193 193 Risk Assessment  Thisis management’s assessment of the risks that the agency faces. Risks may be internal or external.  Internal Risks include employee embezzlement accompanied by falsification of records to conceal theft; lack of compliance with governmental regulations; or other illegal acts by employees, such as taking a bribe. These risks can include disruption in computer systems, poor management decisions, errors, or accidents.  External Risks include changes in technology, changes in federal legislation, natural disasters, economic changes, or being defrauded, or robbed.
  • 194.
    194 194 Risk Assessment, continued A pre-condition of risk assessment is the establishment of objectives.  Once risks have been identified, management needs to analyze their possible effect. Risk analysis includes:  Estimating the likelihood of the risk’s occurrence,  Deciding how to best manage the risk, and  What actions can be taken to mitigate the risk.  If management is unable to identify the risks that the agency faces, they are much less likely to be able to address those risks.
  • 195.
    195 195 Control Activities  Theseare the policies that are developed to address the risks of the agency. These risks may be fraudulent reporting or theft (misappropriation of assets).  Control activities should be designed to mitigate risk, wherever risk exposure is determined to exist, for the purpose of protecting the organization’s ability to achieve its objectives.  Controls that are implemented must have a benefit that is greater than the cost of that control.  Because of this, not all controls are implemented and the control environment cannot provide a guarantee that all risks are eliminated.
  • 196.
    196 196 Classifications of ControlActivities  Control activities may be classified by their objective  Preventive controls attempt to prevent the mistake from ever occurring in the first place. Examples would include segregation of duties, suitable authorization of transactions, checking the credit worthiness of a customer before goods are shipped.  Directive controls attempt to ensure the occurrence of a desirable event. Examples would include managers of a construction company instruction their project managers to hire local workers in order to create a favorable image in the community in which the company operates.
  • 197.
    197 197 Classifications of ControlActivities, continued  Detective controls attempt to find the mistake after it has occurred. Examples would include bank reconciliations, check for missing document numbers in pre-numbered documents, performance reporting with variances.  Corrective controls attempt to fix the problem after it has occurred. Examples of corrective control would be finding an error when doing a bank reconciliation, etc.  Compensating controls attempt to address a weakness in controls in one place by setting up additional controls in a related area. We look at compensating controls in more detail a bit later.
  • 198.
    198 198 Examples of ControlActivities  Top level review of actual performance  Reviews by management at the functional or activity level  Management of human capital  Controls over information processing  Physical controls to protect assets (cash and other assets)  Various performance indicators  Documents and record protection and authorization  Pre-numbered documents  Performance evaluations  Hiring controls to ensure that qualified personnel are hired  Control over system modifications  Segregation of Duties
  • 199.
    199 199 Segregation of Duties By dividing specific duties (listed on the next slide) between different individuals, the likelihood of errors or inappropriate behavior (theft or fraud) is greatly reduced.  The separation of duties can be done in the following steps:  Identify a function that is indispensable, but potentially subject to abuse.  Divide that function into separate steps, each of which is necessary for the function to work, or for the power that enables that function to be abused.  Assign each step (or duty) to a different person or organization.
  • 200.
    200 200 Dutiesto be Segregated The following duties need to be segregated between different people:  The authorization of a transaction,  The recording (record keeping) of the transaction,  Keeping physical custody of the asset, and  The periodic reconciliation of the records of the asset (how much there should be) to the actual amount of the asset (how much there is).
  • 201.
    201 201 Dutiesto be Segregated,continued  More examples of Segregation of Duties:  One person has authority to adjust accounts receivable, while a different person posts payments on customer accounts. Without segregation here, one person could divert cash receipts and then falsify the account balances of the customers who paid the cash in order to conceal the diversion.  One person is responsible for preparing the bank deposit, while a different person reconciles the checking account. Without segregation, one person could divert cash receipts and cover the activity by creating “reconciling items” in the account reconciliation.
  • 202.
    202 202 Dutiesto be Segregated,continued  Examples of Segregations of Duties:  One person has custody of cash receipts, while a different person has the authority to authorize account write-offs. Without segregation, one person could authorize a false write-off while diverting the collection on the account.  One person authorizes issuance of purchase orders, while a different person is responsible for recording receipt of inventory. Without such segregation, one person could issue a purchase order to a fictitious vendor using a post office box rented for the purpose, then prepare a fictitious receiving record and mail an invoice to the company using a post office box personally rented for the purpose, resulting in the company’s paying for something it never ordered or received.
  • 203.
    203 203 Limitationsof Segregation ofDuties  No system is perfect and no system can eliminate all of the risks that a company faces.  Some of the reasons that risk can not be completely eliminated are:  Collusion - when two or more people work together to get around the controls in place. If the people whose duties are segregated collude, the benefit of the segregation of duties is lost.  Human judgment - decisions are made by humans, often under pressure and time constraints, based only on information at hand. If this is not enough information, then poor decisions will be made and controls may not be maintained.
  • 204.
  • 205.
    205 205 Information and Communication Information needs to be obtained and communicated to people to allow them to perform their duties.  Information needs to be  Relevant,  Reliable, and  Timely.  Information needs to be available before a decision needs to be made.  Duties and responsibilities need to be communicated to all effected parties.  Communication needs to be both internal and external.
  • 206.
    206 206 Information and Communication,continued  Communication must be on-going, both within and between the various levels and activities of the organization.  Effective communications flows up, down and across the organization.  Program managers use reports containing operational and financial information in order determine whether they are meeting their objectives.  Operational information is also necessary to determine whether the agency is in compliance with various laws and regulations.  Financial information is needed for periodic external reporting, and, on a day-to-day basis.
  • 207.
    207 207 Monitoring  Monitoring isthe process of reviewing the controls over time to make sure that they are still relevant and still functioning as they were intended to function.  As technologies change and business operations change, some of the controls that had been relevant may no longer be relevant.  Monitoring needs to be undertaken on a regular (if not relatively constant) basis.
  • 208.
  • 209.
    209 209 The CoCo Model The CoCo model was designed by the Criteria of Control Board of the Canadian Institute of Chartered Accountants.  Model is an adaptation of the COSO model.  Thought to be better than COSO for auditing purposes.  The model has 4 components which are: 1. Purpose, 2. Commitment, 3. Capability, and 4. Monitoring and Learning.  These 4 components are then broken down into 20 criteria, shown on the next few pages.
  • 210.
    210 210 Purpose  Objectives shouldbe established and communicated.  Significant internal and external risks should be identified and assessed.  Policies to support the achievement of the organization’s objectives should be designed, communicated and implemented.  Plans should be established and communicated to assist in the achievement of objectives.  There should be measurable performance targets in the objectives and plans.
  • 211.
    211 211 Commitment  Ethical valuesshould be established and practiced at all levels in the organization.  Human resources policies should be consistent with the firm’s ethical values.  Authority, responsibility and accountability should be clearly defined and consistent with the organization’s objectives.  An atmosphere of mutual trust should be supported through the flow of information and communication.
  • 212.
    212 212 Capability  People shouldhave the needed knowledge, skills and tools to support the achievement of the organization’s objectives.  Communication should support the values and achievement of objectives.  Sufficient and relevant information should be identified and communicated to the appropriate party in a timely manner.  Decision-making in the company should be coordinated between departments.  Control activities should be designed and implemented.
  • 213.
    213 213 Monitoringand Learning  Externaland Internal environments should be monitored for feedback on the achievement of objectives.  Performance should be monitored against targets and goals.  The assumptions used in the development of plans and goals should be reviewed periodically.  Information and communication needs to be periodically reviewed.  Follow-up procedures should be implemented to ensure that the needed changes occur and are effective.  There should be periodic review of the effectiveness of the control system.
  • 214.
    214 214 IIA andInternal Control The IIA came out with their own Internal Control model, referred to as the “Systems Assurance and Controls study.”  SAC defined internal control as: “means established to provide reasonable assurance that the overall objectives and goals of the organization are achieved in an efficient, effective and economical manner.”  The key concepts of internal control are: 1) Reasonable assurance. 2) Objectives as desired accomplishments of the organization. 3) Goals are identifiable, measurable, attainable, and consistent with objectives.
  • 215.
  • 216.
    216 216 Control Techniques  Thefollowing are the tools and techniques that contribute to the control process.  Budgets are the more common control device used by businesses.  A budget is “a realistic plan for the future expressed in quantitative terms.”  The budget is a way for management to communicate the goals of the company as well as linking the goals of the present with the strategy of the future.  By understanding how much is expected to be made or spent, the company creates a series of ground rules for people within the organization to follow throughout the year.  Comparing actual results with budget gives the company an idea of the efficiency (or lack of) of the company.
  • 217.
    217 217 Gantt Charts  Inthe Gantt chart, the project is divided into parts, activities, or tasks which are plotted on a chart that has tasks listed on the left side and time across the top or bottom.  The tasks are then placed into the time frame during which they need to be completed.  The chart shows when the different steps need to be completed.  However, Gantt charts have two weaknesses:  It does not show the interconnection between the different steps of the project, and  It is does not show the critical path of the project.  Review graph on pg. 104.
  • 218.
    218 218 PERT / CPM Program Evaluation and Results Technique (PERT) takes the Gantt one step further and shows the interconnection between the different steps of the project.  PERT and CPM were developed separately but in fact are very similar.  These methods are very similar and for the purposes of the materials are used interchangeably.
  • 219.
    219 219 A PERT/CPMDiagram  APERT/CPM diagram looks as follows:  The diagram is read from left to right and you do not go backwards on the diagram A B C D E F 4 8 2 5 3 6 2 S 2
  • 220.
    220 220 The Critical Path The critical path is the path through the network that has the longest time of completion.  All of the activities that are along the critical path are part of that path.  If the company needs to reduce the time to complete the project, they should try to shorten (called “crashing”) the activities along the critical path.  The first activity to be crashed should be the one that has the lowest cost per time period to crash.  Once activities have been crashed, another path may become the critical path.
  • 221.
    221 221 SlackTime  Slack timeis any activity that is not on the critical path has slack time. Slack time means that the completion of this task may be delayed without delaying the completion of the project as a whole.
  • 222.
    222 222 Control Charts (StatisticalQuality Control Techniques)  A control chart records observations of an operation taken at regular intervals.  In other words, it’s sampling.  It is use to determine whether all the observations fall within the specified range for the operation.  It is said to be in statistical control is no sample observation falls outside the specified limits, if all the samples are randomly distributed with no apparent patterns, and if the number of observations that are above and below the center of the specified range are about equal.
  • 223.
    223 223 Histograms  A histogramis a bar graph that represents the frequency of events in a set of data.  Patterns that might not be apparent when looking at a set of numbers can become clear with a histogram.  If one particular production line is experiencing most of the difficulty, a histogram detailing the types of problems and their frequency can help determine what types of problems are causing the problems most often.
  • 224.
    224 224 Pareto Diagrams  APareto Diagram is a specific type of histogram.  It is based on the 80-20 observation (20% of the population causes 80% of the problems, or 20% of the population is doing 80% of the good things).  This is useful because management can then focus its efforts on improving the areas that are likely to have the greatest overall impact.
  • 225.
    225 225 Cause-and-Effect Diagrams  Alsoknown as the Ishikawa Diagram, or fishbone diagram.  This is a method to visually sort out root causes and identify relationships between causes.  The diagram consists of a spine, ribs and bones, therefore looking like a fishbone.  At the end of the horizontal spine is a the problem. Bones pointing to each rib are contributing factors to the cause.  In manufacturing, the typical main causes for problems are “4 Ms”: machines, materials, methods, and manpower.
  • 226.
    226 226 Flowcharting  Flowcharting isa useful tool for better understanding internal controls and systems development.  A flowchart is a pictorial diagram which describes operations, data flow, equipment and etc.  Advantages of flowcharts is that it gives the internal auditor the ability to get a visual grasp of the system.  Another advantage is that it can help highlight areas of audit emphasis.  The different flowcharts you need to understand are:  Horizontal flowchart shows the different departments or functions involved in a process.
  • 227.
    227 227 Flowcharting, continued  Ahorizontal identifies specific control points in the system. Control point is a point in a process where an error or irregularity is likely to occur, creating a need for control. For example, in the invoicing department, the supervisor may be required to review the invoices for completeness and accuracy before they are sent.  The horizontal flowchart is good for showing the segregation of duties.  Vertical flowchart depicts the specific steps in a process and how they are executed.  It does not show the system components as clearly as a horizontal flowchart.  A data flow diagram is a graphic illustration (symbolic) of a system’s processes and data flows. It shows data flow instead of control flow.  It includes the data source, data flow transformation processes, data destination, and data storage.
  • 228.
    228 228 Correlation Analysis  Correlationanalysis is a method used in internal auditing to measure the linear relationship of two or more variables.  Can be shown by plotting their values on a graph (scatter diagram).  A high correlation is indicated if the points tend to form a straight-line.  A random pattern indicates little correlation.  From an internal auditing standpoint, the numbers must stand the “test of reason.”  This means that even though there is a high correlation between numbers, it may be based on coincidence, and the numbers, in fact, may not be related.
  • 229.
    229 229 Time Series orTend Analysis  These are regression models in which the independent variable is time.  In time series analysis, the value of the next time is frequently dependent on the value of the time period before it.  Time series relies on past experience. The four components of time series analysis are:  Trend – This is a long-term change that occurs in a series.  Cyclical – This are variations in the level of activity in business periods.  Seasonal – are short-term variations.  Irregular – This is random happenings.
  • 230.
    230 230 Special Control Programs These programs are used to educate employees about the control requirements.  The problem is defined and communicated.  Employees are then given information about how their actions will impact the number of deviations.  This type of program requires employees to be educated about the program and process. The idea is to stop defects before they occur.  A zero-defect program is one where the goal is zero defects.  Management must play a role in this process. There are two approaches:  Imposed control – This is where the goals are set.  Self-control – This is where the employees are encouraged to take a more active role in prevention of defects.
  • 231.
    231 231 Peoplein the ControlSystem  One of the most important factors for the success of a control program is the reaction of the people who are impacted by the control process.  Critical to gain and keep the support of the people who will be monitored.  People resist controls because they are afraid of being criticized and do not to be confronted.  For the system to work, people nee to see the implementation of the system as something positive.  Also, the more people themselves are involved in the control process the more they will support the project.
  • 232.
    232 232 Surveillance andMonitoring ofControl System  There has to be a control on the control system.  Over time, the nature, individuals and processes in a business will change.  It is critical that the control system change with the business as well.  Because the control system worked in the past, doesn’t mean it will work in the future.  Need to monitor the system to keep it up-to-date.  Because there are people involved in the process, there will always be the possibly of intentional falsifying or hiding information.
  • 233.
  • 234.
    234 Control Implications ofOrganizational Structure
  • 235.
    235 235 Control Implications ofOrganizational Structure  Organizational structure will have an impact on the control environment.  No matter the type of organizational structure there must be a unity of objective throughout the company.  This unity of objective means that the objectives of the individuals and departments are in agreement with the larger organizational goals.  The relationship between the individuals, groups and departments needs to be considered.  These relationships are to varying degrees based upon authority, responsibility, and accountability.
  • 236.
    236 236 Authority, Responsibility andAccountability  Authority is the right to direct the performance of others.  This includes the right to describe the means and methods by which the work will be performed.  Responsibility is the obligation a person has to perform.  Under the classical approach this comes from the superior and is part of every job.  Accountability is the duty to account for the completion of the responsibility.  Responsibility is delegated downwards, but the person who did the delegating is still ultimately responsible for the task that has been delegated.
  • 237.
    237 237 Elementsof Organizational Structure Structure of the organization can be defined in terms of its  Complexity,  Formalization, and  Centralization.  Complexity – The type of differentiation that exists within the organization will determine how complex the company is.  Vertical differentiation – the more levels there are in the company, the more complex it is and the slower and less effective it will be in adapting to changing conditions. These will be Tall Organizations.  Horizontal differentiation – this relates to the special skills and knowledge required to complete a tasks. These are flat org.  Spatial differentiation – this relates to the geographical separation of the organization’s activities.
  • 238.
    238 238 Elementsof OrgStructure, continued Formalization is the extent to which jobs are standardized and the clarity of the procedures and tasks that need to be performed.  The lower the level of formalization, the more room there is for employee decisions.  A strong corporate culture reduces the need for the formal expression of all corporate standards because these are disseminated and monitored naturally as part of the corporate culture.  Centralization has to with the company’s authority and freedom of decision-making.
  • 239.
    239 239 Centralization vs. Decentralization In a centralized organization, all the decision-making is done by senior management at the top of the organization.  Lower level managers have very little input into the decision- making process but simply carry out top management’s directions.  In a decentralized organization, responsibility for decisions is delegated to lower level managers on the theory that they are closest to what is going on.  This structure permits action to be taken more quickly to solve problems. Furthermore, input used for decision-making comes from a greater number of people, and employees feel less separated from the people who are making the decisions that affect them.
  • 240.
    240 240 Advantages of Decentralization Some of the advantages for a company to have a more decentralized organization are:  Greater speed in making operational decisions.  Encourages better communication and imitative among employees.  Requires the understanding of company goals throughout the organization.  Identifies and trains good decision-making at lower levels.  Gives responsibility and authority to lower level managers.  Frees top management from operations duties and enables them to focus on strategic goals.  Enables the financial measurement of a particular unit.
  • 241.
    241 241 Disadvantages of Decentralization Some of the drawbacks of decentralization are:  Tendency to focus on short-term local issues rather than long- term success of the larger organization.  Increased risk due to the loss of control by top management.  More difficulty in coordinating interdependent units. Lower levels of management may make conflicting decisions.  Greater danger of satisficing decisions by lower management. Satisficing is coming to a decision that is just OK, but it might not be the best decision (this is good enough so we will do it).
  • 242.
    242 242 Delegation  A keypart to decentralization is make sure there is proper delegation of authority.  Delegation is the process of passing power downward from one individual to his or her subordinate.  Under classical approach, this process of delegation should be avoided because it is a reduction of power of the manager.  The behavioral approach sees this as a useful step because no one has time to make every decision and subordinates like to be involved in the process.  Delegation can help subordinates develop confidence and initiative in situations where there are proper controls in place.
  • 243.
    243 243 Delegation, continued  Delegationis part of the process of becoming a manger.  In order to successfully delegate the following must exit:  The necessary skills and a sound knowledge of the organization objectives,  A feedback system that allows assessment of performance,  A faith in the abilities of the subordinate,  A recognition of the need to delegate,  A willingness to accept risk, and  The desire to develop and train subordinates.
  • 244.
    244 244 Delegation, continued  Thedelegation process involves the following steps: 1) Determination of the expected results, 2) Assignment of tasks and responsibilities, 3) Delegation of the necessary authority to complete those tasks, 4) Recruitment of responsible subordinates, 5) Clear communication of what is responsible, and 6) Follow-up on process because ultimate authority still remains with the manger.
  • 245.
  • 246.
    246 246 Structure of theOrganization  There are two types of structures: mechanistic or organic.  Mechanistic is a very set and detailed system in which there are tight controls, extensive division of labor and high formulation. This type of structure is best for mass production and any time there is concern for operational efficiency.  Organic structure has low complexity, a low amount of formulation and a high participative decision-making structure. Organic structures tend to be more flexible than mechanistic. They are also more adaptive to change and are better in more dynamic (changing) and complex environments. Is better for product development or for high-tech companies.
  • 247.
    247 247 Structure andStrategy  Structurethat a company chooses will be a function of its strategy.  If strategy is one of innovation than an organic structure will work better.  If strategy is based on cost-minimization than a mechanistic structure will work better.  If strategy is to imitate other than a combination of organic and mechanistic will work better.  Structure will be a function of:  Its organizational size – Larger companies tend to be more mechanistic.  Technology – High-tech companies tend to be organic.  Environment – More stable, the more mechanistic.
  • 248.
    248 248 Componentsof an Organization Henry Mintzberg identified five components to any organization: 1. Strategic Apex – These are the top managers. 2. Middle Line – These are the managers who connect the strategic apex to the operating core. 3. Operating Core – These are the employees who perform the basic production tasks. 4. Technostructure – This is made up of analysts who make certain that there is a level of standardization in the organization. 5. Support Staff – Provide indirect support services.
  • 249.
    249 249 Componentsof an Organization,continued  The different types of structures that each of these components creates are:  Operating core creates a professional bureaucracy. This is a complex and formal organization, but also one that is decentralized in which the specialists of production have great amount of independence. Top management gives up a lot of control, but there might be low creativity in the process and there may be low performance because of inflexibility and an impersonal environment.  Strategic Apex creates a simple structure. There is low complexity and authority is centralized. Characteristic of small companies.
  • 250.
    250 250 Componentsof an Organization,continued  Middle management creates a divisional structure. Each division essentially operates as its own company.  Technostructure creates a machine bureaucracy. This a complex and formal organization that performs highly routine tasks. There is a strict chain of command and line and staff functions are separated.  Support Staff creates an adhocracy. This is an organization with low complexity and is not very formal. There is low vertical differentiation and high horizontal differentiation. The emphasis is on flexibility and response.
  • 251.
  • 252.
    252 252 Departmentalization  Departmentalization isgrouping tasks together in order to coordinate those that have something in common.  It can be accomplished in various ways, and large organizations often use all of the forms:  By function performed, such as engineering, accounting, manufacturing, personnel and marketing.  By geographical territory, such as the sales divided according to sales territory.  By product or service, with all functions for that product or service placed under the authority of a senior manager.  By type of customer served, such as the consumer market, small businesses or large corporate customers.  By project, such as ship building, military contracts, etc.
  • 253.
    253 253 MatrixOrganization  The matrixorganization actually violates the unity of command principal; but, in certain situations, it is useful.  A typical matrix organization combines product or project departmentalization with functional departmentalization (such as accounting, marketing, etc.).  Each employee has two supervisors: one for the product or project, and one for the function.  A matrix organization is useful under situations of pressure:  When there are multiple factors, both internal and external and all requiring maximum attention;  When information-processing needs are great; and  When there is a need to share resources.
  • 254.
    254 254 MatrixOrganization,continued  Members ofa matrix structure might work on one project for six months and then be reassigned to another project for another period of time.  Communication is improved between the project unit and the functional unit, and solutions to problems may come from either group.  Problems with the matrix form of organization include conflicts for employees because of the dual reporting system and power struggles among management over who has the last word on various issues.  Sometimes it is difficult in a matrix organization to determine who is in charge and who is accountable. In addition, sometimes group decision-making is done when it is not appropriate.
  • 255.
  • 256.
    256 256 Span of Control Span of control refers to the number of subordinates one manager can effectively supervise. The span of control governs the number of levels and the number of managers an organization will have.  Up to a point, larger spans are more efficient.  A wider span will require fewer managers and will save on managerial salaries.  Beyond a certain point, the span can become too large and supervisors cannot provide the necessary support to employees.
  • 257.
    257 257 Span of Control,continued Narrow spans of control also have drawbacks: 1. They are expensive in terms of increased managerial salaries. 2. Communication within the organization becomes more complex, because the greater number of levels within the organization isolates upper management and slows decision-making. 3. They can lead to too-close supervision of employees, discouraging their individual initiatives.  A manager can handle a wider span of control if his or her employees are all well trained in their jobs. Thus, when organizations have wide spans of control, they need to invest more in employee training.
  • 258.
  • 259.
    259 259 Leadership  Leadership isthe process of influencing others so they are willing to work toward the achievement of goals of the group.  The classical view is holds that even though authority and decision-making may be decentralized, the characteristic of leadership is a characteristic of an individual and cannot be subdivided and transferred to others.  Some of the characteristics of an effective leader are:  Intelligence,  Maturity,  Social participation, and  Socioeconomic status.
  • 260.
    260 260 Styles of Leadership The different styles of leadership that have been identified by behaviorist:  Autocratic – the manager dictates instead of allowing input from the employees.  Consultative – the manger makes the decisions, but does take into account the opinions of the employees.  Participative – the manager makes the decision, but must take into account the opinions of the other members of the team or group.  Free-rein (laissez-faire) – employees make their own decisions.  Bureaucratic – manages by rules and policies.  Transformational – this is a leader who is a supporter and implementer of change.
  • 261.
    261 261 Transformational Leader  Thetransformational leader is able to inspire others in the company in order in the company in order to achieve more than he or she thought possible.  There are many characteristics of a transformational leader, including:  A person who emphasizes vision, is able to articulate a vision, and can challenge traditional assumptions.  Encourages individual development, provides workers with regular feedback, and gives individualized consideration.  Has charisma, is inspirational and able to motive employees.
  • 262.
    262 262 LeadershipStudies  Studies havefound two behavioral patterns: initiator of structure and initiator of consideration.  Initiator of structure is geared toward the completion of tasks and includes defining duties, establishing procedures and planning and organizing the work.  Initiator of consideration is the establishment of a personal relationship between the manager and the subordinate.  Which pattern is present will depend on situation, but in most cases both patterns will be present.
  • 263.
    263 263 Contingency Approach  Thecontingency approach is focused on finding a better answer to the questions, “What is an effective leader?” “How do we train them?”  Fred Fiedler developed the earliest contingency model, proposing that effective group performance is a function of a good match between the leader’s style and the situation.  This means that the right person at the right time will be a good leader, but the same person in a different situation may be very ineffective.
  • 264.
    264 264 Fiedler’s Contingency Theory There are three dimensions to the contingency theory model:  Position power – this is a function of formal authority.  Task structure – this relates to the clarity of the responsibilities and tasks.  Leader-member relations – this is the extent to the group members like, trust and are willing to follow the leader.  Fielder's research showed two types of leaders:  Task-oriented leadership is more effective when the situation is either very favorable or very unfavorable, e.g., natural disaster.  Relationship-oriented leadership is most effective when the situation is in the middle, or less extreme.
  • 265.
    265 265 The Path-Goal Theoryof Leadership  The path-goal theory attempts to bring together the work on structure and consideration.  There are two factors that affect the relationship between the behavior of the leader and the outcomes:  Environmental factors, which are items beyond the control of the subordinate, and  Subordinate factors, such as location of control, experience and ability.  Style of leadership should complement, but not duplicate the factors in the environment and should be consistent with the characteristics of the subordinates.
  • 266.
    266 266 Path-goal Theory, continued Path-goal theory identifies four leadership behaviors: 1) A directive leader lets subordinates know what is expected of them, gives specific guidance on accomplishing tasks, schedules the work and sets standards of performance. 2) A supportive leader is friendly and concerned for the needs of subordinates. 3) A participative leader consults with subordinates and considers their suggestions in making a decision. 4) An achievement-oriented leader sets challenging goals for subordinates and expects them to perform at their maximum level.  The theory assumes that the leader can be flexible and need not behave in the same manner at all time but may behave differently in different situations.
  • 267.
    267 267 Vroom-Yetton-Jago Model  Thismodel of leadership focuses on helping the leader to determine how best to arrive at, communicate, and execute a decision.  The Vroom-Yetton-Jago model is a decision-making tree that attempts to determine an appropriate leadership style for various situations and assumes a leader may use different leadership styles.  The model identifies five styles, ranging from autocratic to group-based.  By asking oneself a series of questions about the nature of the problem, etc., the leader can decide how much to involve others in the decision and also the style.
  • 268.
    268 268 Decision Tree Approach,continued After choosing which decision tree to use, the leader evaluates a series of seven factors (the factors themselves are outside the scope of the exam) to determine how much participative decision-making is appropriate and decides among five alternatives:  Autocratic (1) - Leader decides alone.  Autocratic (2) - Leader obtains additional information and then decides alone.  Consultative (1) - Leader consults with group members individually but then decides alone.  Consultative (2) - Leader consults with group members collectively but then decide alone.  Group - Leader meets with group to discuss situation, defining the problem and facilitating discussion as the group makes the decision.
  • 269.
  • 270.
    270 270 Influence  Influence isthe attempt to change the behavior of someone in the workplace.  The different tactics used to influence someone are:  Consultation – allows the other person to participate in the change.  Rational persuasion – tries to convince others by relying on logic.  Ingratiating tactics – attempts to be nice to the person.  Coalition tactics – getting others to support you in this project.  Pressure tactics – intimidation, threats and demands.  Upward appeals – this uses the formal structure of management.  Exchange tactics – offer a trade of “I do this, now you do that.”
  • 271.
  • 272.
    272 272 Negotiations  Negotiating isthe process of bargaining an agreement for the exchange of goods or services at an agreed upon rate of exchange.  The two main approaches to negotiating are:  Distributive bargaining occurs when there is a zero-sum situation. It is unlikely that a true win-win situation will come out. Each party will create a desired result and a minimum acceptable result. If the two ranges overlap, then there will be chance of a successful negotiation.  Integrative bargaining occurs when there is a possibility for both sides to win.  There is another type of negotiation called subordination bargaining. This is when the person who is in the position of the subordinate agrees to anything that is reasonable.
  • 273.
    273 273 Third Party Negotiator There may be a situation where parties are unable to come to an agreement.  In these situations, a third party negotiator might be needed. The methods of third party negotiations are:  Mediation is an intervention between parties with the intent of facilitating an agreement.  Arbitration is a situation in which a third party decides the situation.  Consultation occurs when an expert in conflict resolution is engaged in an attempt to improve the communication between the parties.
  • 274.
    274 274 Conflict  Conflict canarise from many different situations.  The more common conflict triggers are:  Unclear job boundaries and unclear responsibilities.  Competition for scarce resources.  Differences between people in the their status.  Personality clashes.  Unrealistic expectations.  Communication problems.  The interactionist theory views conflict as possibly beneficial.
  • 275.
    275 275 Conflict, continued  Whetherconflict is healthy or not depends on how it is handled.  Competition generally does not help the company. With competition one person must win.  Collaboration is generally helpful. This is the process of all of the people in the conflict trying to find a satisfactory solution for all.  Avoidance of the conflict does not help.  Compromise may help at times.  Accommodation may be helpful in the short-run, but in the long-run it may cause greater problems.  Conflicts may be resolved in a number of ways:  Problem solving is a process of confronting the problem and removing its causes.
  • 276.
    276 276 Conflict, continued  Smoothingis a short-term avoidance process whereby the parties are asked to forget their differences for the short-term.  Forcing occurs when the superior position uses its position to solve the conflict.  Superordinate goals are those goals that are above the goals of the individual.  Compromise is where both parties have to give up something.  Expanding resources is a possible solution but only if the conflict was the result of insufficient resources.  Changing the human element attempts to change the behavior of the individual involved.
  • 277.
    277 277 Conflict, continued  Diffusionis the process of trying to solve the smaller, less critical issues in order to build a feeling of success and cooperation before dealing with the larger issue.  The public media at times can become the venue in which the conflict is played out. This is risky thing because public opinion may not always be as expected, but the pressure of the media attention may force people to solve their differences.
  • 278.
  • 279.
  • 280.
    280 280 Change Management  Organizationalchange is the process of changing the organization structure of the company.  All organizations at some time go through change as the business changes, the environment changes and as the people in the business change.  Individuals may resist these changes for many reasons.  The main reason may be fear – fear of the unknown and fear that the change is simply the first part of larger changes that will lead to an individual’s termination.  Another cause of fear may be an apparent disregard by management about the way management treats employees, and possible disruption to the way that things were.
  • 281.
    281 281 Change Management, continued In order to minimize disruption the following can be done:  Communicate the nature, extent and reasons for the changes to all affected by the change.  Make sure that there is sufficient notice before the change is made.  Allow the participation of those who will be affected by the change in the process of implementation.  Have formal and informal conferences about the change.  Anticipate the perceived impact of the change on the economic, social and psychological needs of employees.
  • 282.
    282 282 Nadlerand Tushman Model Nadler and Tushman developed a model of the different types of change that a company may undertake.  The comparatives of the change are anticipatory vs. reactive and incremental vs. strategic.  Anticipatory changes: planned changes based on expected situation.  Reactive changes: changes made in response to unexpected situations.  Incremental changes: subsystem adjustments required to keep the organization on track.  Strategic changes: altering the overall shape or direction of the organization.
  • 283.
    283 283 Nadlerand Tushman Model,continued  When the change is Anticipatory and Incremental in scope, it is called Tuning. You are anticipating problems before something goes wrong.  When the change is Anticipatory and Strategic in scope, it is called Reorientation. Causes the organization to be significantly redirected.  When the change is Reactive and Incremental in scope, it is called Adaptation. Changes are made in reaction to external problems, events, or pressures.  When the change is Reactive and Strategic in scope, it is called Re-creation. This is an intense and risky decisive change that reinvents the organization.
  • 284.
  • 285.
    285 285 Section E  SectionE covers the topics of engagement planning, engagement supervision, audit procedures and fraud.  This section will account for approximately 15 – 25% (15 – 25 questions) of the Part 1 Exam.  An engagement has to do with the planning, performing, communicating and monitoring the results of the engagement. This section describes the planning process and provides criteria for evaluating the process.
  • 286.
    286 286 2200: Engagement Planning Internal auditors should develop and record a plan for each engagement, including the scope, objectives, timing and resource allocations.  Four stages to any internal audit engagement:  Planning the engagement,  Performing the engagement,  Communicating results, and  Monitoring progress.  These steps are similar to external auditing, except external auditors do not monitor progress.
  • 287.
    287 287 Planningthe Engagement  Duringthe process of planning the audit, the internal auditor must consider:  The objectives of the activity being audited.  Significant risks to the activity.  Adequacy and effectiveness of the activity’s risk management and control systems.  Opportunities to make significant improvements in the activities risk management and control systems.  After the above is done, the internal auditor is able to establish:  The objectives,  The scope of the engagement,  The necessary resources, and  The work program.
  • 288.
  • 289.
  • 290.
    290 290 2210: Engagement Objectives Should address risks, controls and governance processes associated with the activities that are being reviewed.  Engagement objectives are broad statements that define what the engagement is supposed to accomplish.  Risk is one of the main elements that should be addressed when an activity is being audited.  Risk is the uncertainty of an event occurring that could have an impact on the achievement of objectives.  Auditor is looking for the events that could impact the activity that being audited.
  • 291.
    291 291 Risk Assessment inEngagement Planning  Internal auditors should always consider risk when planning an audit. In the consideration of risk, the auditor should review the following:  Objectives and goals of the activity.  Policies, plans and procedures, laws, contracts that may impact the activity.  Organizational information about the activity, i.e., key employees, job descriptions, details of recent changes in org., etc.  Budget information.  Prior working papers.  Results of other engagements (from external auditors).  Correspondence files to determine significant issues.  Authoritative and tech literature if relevant.
  • 292.
    292 292 Surveys  Sometimes surveysare used to become familiar with activities.  They are particularly useful in the first engagement when little information is known about activity.  Surveys can assist in:  Understanding the activity.  Identifying areas requiring special attention.  Obtaining information for use in the performance of the engagement.  Determining where further work is necessary.  Developing a good relationship with the staff of the activity being audited.  We discuss surveys in more detail later.
  • 293.
  • 294.
  • 295.
    295 295 2220: Engagement Scope The engagement scope tells you what needs to be done in order to satisfy the engagement objectives.  Scope of an assurance engagement should include considerations of relevant systems, records, personnel, and physical properties.  In performing consulting engagements, internal auditors should ensure that the scope of the engagement is sufficient to address the agreed-upon objectives.  If the auditor has reservations about the scope, the auditor should discuss the reservations with the client to determine whether to continue with engagement or not.
  • 296.
  • 297.
    297 297 2230: Engagement ResourceAllocation  Internal auditors should determine appropriate resources to achieve engagement objectives.  Staffing should be based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.  When determining necessary resources, the auditor should consider the following:  Number and experience of the auditing staff.  Knowledge and skills and other competencies of the auditing staff.  Future training needs of the auditors.  Consideration of the use of external resources.
  • 298.
  • 299.
    299 299 2240: Engagement WorkProgram  Work program should be written and developed for each engagement.  The work program details the work that is to be done.  The work program should include:  Information about the objectives of the area that is being audited.  Description of the controls that are in place as well as those that need to be in place.  Procedures that are necessary in order to carry out the audit.  Work programs may be pro forma or individualized.  Approval of the work program should come from the CAE, and in writing.  Any adjustments made to the work program should be approved in a timely manner.
  • 300.
  • 301.
    301 301 The Preliminary Survey The preliminary survey is also referred to an “on-site” survey.  This is the first step in the audit process.  Purpose is to give the auditor the opportunity to become familiar with the preliminary information about the activity to be audited.  The preliminary survey allows the auditor to become:  Become familiar with the clients: Objectives and goals. Organizational structure. Operations, facilities, key customers and suppliers. Risk management, control and goverance. Information systems.
  • 302.
    302 302 Preliminary Survey, continued Concentrate the work program on matters of significance.  Identify areas of lower risk and then reduce the audit time spent in these low-risk areas.  Create a cooperative tone for the engagement.  To maximize the benefit of the preliminary survey, the auditor should:  Read all relevant background information.  Prepare the questionnaire based on this information.  Know whom to see to obtain additional and needed information.  Document the information received in this process.  Understand the objectives and goals.  Identify the risks implicit in the areas under review.
  • 303.
    303 303 Preparation for thePreliminary Meeting  The auditor needs to be prepared when meeting the engagement client for the first time.  The survey should be sent to the client in advance to give the client the chance to complete it before the meeting.  The questions should highlight the key risk areas, and the methods and extent to which management is controlling those risks.
  • 304.
    304 304 The Preliminary Meeting The first meeting with the client should:  Set the cooperative tone of the engagement;  Explain the engagement in detail; and  Stress that all observations and recommendations will be discussed with the client before being reported to the board.  In addition, the auditor should explain that any corrective action taken by the client prior to circulation would be acknowledged by the auditor.  Another result of the meeting is to collect as much relevant documentation as possible.  Conduct a walk-through of the premises.
  • 305.
    305 305 Further Meetings  Ifthe client wishes, a further meeting can be arranged to discuss initial impressions and the general thrust of the engagement work program.  The cost of further meetings should be a consideration in planning the additional meetings.
  • 306.
    306 306 Documentation of thePreliminary Survey  A comprehensive report of the preliminary survey should be documented.  Using the documents obtained from the meeting, the auditor will produce, or update the permanent file.  Permanent file provides relevant information about the client that each engagement will use.  Includes such items as client objectives and goals, organization structure, unit addresses, flowcharts, bank accounts, etc.
  • 307.
  • 308.
  • 309.
    309 309 2340: Engagement Supervision This is obvious, but all engagements should be properly supervised.  Proper supervision ensures that objectives are achieved, quality is assured and the staff is developed.  Proper supervision starts at the planning stages and continues all of the way through until the issuance of the report.  Ultimate responsibility for supervision lies with the CAE.  The CAE should periodically review each job in respect to budget and actual time spent and expected completion time as well as a review of any control or technical issues that have arisen and not yet been resolved.
  • 310.
    310 310 Engagement Supervision, continued The extent and amount of supervision required for an engagement will be determined by the skills and experience of the internal auditors and the complexity of the engagement.  Proper supervision includes:  Ensuring the assigned auditors have the necessary knowledge, skills and other competencies.  Determining that working papers adequately support observations, conclusions and recommendations.  Ensuring that communications are accurate, clear and concise.  Ensuring budgetary controls.  Resolving differences of judgment between CAE and auditors.
  • 311.
  • 312.
  • 313.
    313 313 Engagement Procedures  Theengagement work is made up of a series of procedures that are to be performed by the auditor.  Procedures may be as simple as checking to see if a particular document was signed, or something more complex as the valuation of a derivative.  Procedures that are to be performed are written in the work program.  For any engagement, the auditor will need to perform procedures to gather evidence. This evidence will provide the support for the opinion that the auditor concludes.  Auditors must collect information until they have collected sufficient and competent evidence.
  • 314.
    314 314 Sufficiency of Evidence The question of how much evidence is enough evidence cannot be answered definitively or quantitatively.  The question has be answered using the professional judgment of the auditor and it depends on many factors.  Main factor depends on the effectiveness of the client’s internal controls.  If controls are working, then the amount of evidence required by the auditor will be less than if controls are not working.  Though, need to remember that no matter how well controls are working, the auditor must always obtain some amount of direct evidence to confirm the numbers by the client.
  • 315.
    315 315 Sufficiency of Evidence,continued  In the determination of sufficiency, the auditor will also consider the item’s materiality and inherent risk.  The less material or less risky the item, the less evidence the auditor will require in order to reach a sufficient amount of evidence.
  • 316.
    316 316 Competence of Evidence For evidence to be competent, the evidence must be both valid and relevant.  Relevance of data is related to how closely related the evidence is to what the auditor is testing.  The validity of evidence relates to the extent to which the auditor can believe and trust the evidence. The most valid evidence is evidence that is obtained directly by the auditor. The auditor obtains this evidence may times through observations. The next best source is from a 3rd party that does not have a direct interest in the client, e.g., bank statements, account receivable confirmations. The least valid evidence is any information obtained by the client.
  • 317.
    317 317 Sourcesof Evidence  Thereare two main types of auditing evidence:  Underlying accounting data – this is the information that is part of the accounting system. It includes the original documents, journals, ledgers, supporting information and the output from the accounting systems.  Corroborative evidence – this is essentially all other evidence. This is evidence that is obtained from somewhere else or is a document that can be verified with a third party, such as an invoice, a check, contracts or similar type of document.
  • 318.
    318 318 Selected Engagement Procedures There are six major categories of procedures outlined by Sawyer. 1) Observing. This is a visual examination by the auditor. 2) Questioning. The auditor may accomplish this either orally or in written form, such as a questionnaire. 3) Analyzing. This is a process of understanding something larger by looking at the individual components that make it up. 4) Verifying. This is a process of checking one source of information against another. 5) Investigating. This is the search for evidence or facts that are not openly available. 6) Evaluating. This is the process of taking all of the available information, putting it together and coming up with a conclusion.
  • 319.
    319 319 Tracing andVouching  Thisis mostly related to financial statements.  These can be performed anytime there is an original source document and place where the event is ultimately recorded.  Tracing is the process of starting with the original source document, and following it through the accounting records to the final ledger. Tracing is testing for completeness. This makes sure that every event or transaction that occurred is actually recorded.  Vouching is the opposite of tracing. Start with an amount in a ledger and find the supporting documentation for it. Vouching is testing for existence. This makes sure that every event or transaction that has been recorded in the records has actually occurred.
  • 320.
  • 321.
  • 322.
    322 322 Fraud  The IIAdefines fraud as “any illegal acts characterized by deceit, concealment or violation of trust. These acts are not dependent upon the application of threat of violence or of physical force. Frauds are perpetrated by parties and organizations to obtain money, property or service; to avoid payment or loss of service; or to secure personal or business advantage.”
  • 323.
    323 323 Consideration of Fraudin the Planningof a Financial Statement Audit  Internal auditor should develop and plan the audit with a reasonable assurance of detecting material fraud or misstatements.  Due to the fact that perpetrators of fraud will try to hide the fact, it is not possible to guarantee discovery of material frauds.  Fraud is different from an error in that fraud is an intentional misstatement while an error is unintentional.
  • 324.
    324 324 Types of Fraud There are two main classifications of fraud: 1) Misstatements from fraudulent financial reporting.  These are intentional misstatements in the financial statements that are made to mislead users. This includes omission of information from the financial statements and a misapplication of accounting principles. 2) Misappropriation of company assets.  This includes theft, embezzlement and any action that causes the company to expend cash for things that will not benefit the company. 3) Corruption.  Corruption includes illegal gratuities, brides and kickbacks, conflict of interest, economic extortion.
  • 325.
    325 325 Consideration of Fraud,continued  The auditor is supposed to find material misstatements, the risk of misstatement due to fraud needs to be specifically considered in the planning of the audit.  A major risk that could indicate possible fraudulent financial reporting is the occurrence of management override of controls.  When fraud is suspected, the internal auditor should determine the possible effects and discuss the matter with the appropriate level of management.  It is generally not the internal auditor’s place to report the matter outside the organization, although they may in some cases report the event to the SEC, a predecessor auditor, a court, or to a governmental agency.
  • 326.
    326 326 Detection and Preventionof Fraud  The internal auditor is responsible fo examining the controls that are in place to determine if they are adequate to prevent or detect fraud.  It is preferable (and usually cheaper) to prevent fraud than it is to discover it after the fact.  When fraud is detected, the auditor should immediately contact the appropriate level of management.
  • 327.
    327 327 Detection and Preventionof Fraud, continued  The following items do not indicate that fraud is occurring, but rather that conditions exist in which fraud may occur more easily.  No segregation of duties,  Not limiting the access to assets,  Failing to compare existing assets with recorded assets,  Executing transactions without proper authorization,  Lack of personnel or qualified personnel,  Collusion among employees,  The existence of high-value, small, liquid assets, and  Management override of controls that are in place.
  • 328.