Internal Auditors’ Roles and Responsibilities
Chapter VIII
Chapter Objectives:
• Understand the importance and value-added nature of the internal audit function.
• Review the qualities of an effective internal audit department.
• Discuss the role of internal auditors as assurance providers and consultants.
• Review the trends of the internal auditing profession.
• Discuss the relationship of internal audits and the audit committee.
• Analyze the determinants of an effective internal audit.
• Discuss the professional practices framework (PPF) adopted by The Institute of Internal Auditors (IIA).
• Promote the best practices and internal audit framework.
Key Terms
Chief audit executive (CAE)
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Foreign Corrupt Practices Act (FCPA) of 1977
Institute of Internal Auditors (IIA)
Standards for the Professional Practice of Internal Auditing (SPPIA)
Changing Definitions of Internal Auditing
• Internal auditors have made impressive progress during the past several decades. To gain an appreciation of this progress, let’s compare the definitions of internal auditing provided by the IIA initially in 1947, and subsequently in 1981 and 1999.
Changing Definitions of Internal Auditing (cont.)
1947: Independent appraisal activity within an organization for the review of accounting, financial and other operations as a basis for protective and constructive service to management [emphasis added].
1981: An independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization [emphasis added].
1999: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes [emphasis added].
Important Improvements in the Definition of Internal Auditing
1. The term “service” implies that internal auditing is a staff rather than a line activity within the organization.
2. There is a shift from “serving management” to “serving the organization” to finally “an integral component of corporate governance as a separate value-added function”.
3. The focus of internal auditing has shifted away from appraisal and compliance activity toward objective assurance and consulting activities.
4. The role of internal auditors has changed from providing management with input and objective feedback to directly participating in decision-making.
5. These definitions view internal auditing as an “activity,” which implies it can be performed either within the organization or outsourced to external auditors.
Reasons for Change
I suggest the IIA revise the latest definition and now view internal auditing as a function for several reasons:
1. The Sarbanes-Oxley Act prohibited outside auditors from performing internal auditing services simultaneously with audit service.
2. Listing standards (e.g., NYSE) require listed companies to establish an in-house internal audit function.
3. Corporate governance reforms of other countries (e.g., Singapore) require companies to establish an independent audit function.
4. As a service activity, internal auditors would have limited authority, resources, and independence, and would be viewed as assistants to management (eyes and ears of management).
5. As a separate internal audit function, internal auditors would have more authority and resources, and be viewed as the eyes and ears of the audit committee.
6. The PCAOB, in its Auditing Standard No. 2, indirectly encourages a separate internal audit function to assist outside auditors with Section 404 compliance.
Internal Auditors as Assurance Providers
Assurance reports on these measures are currently voluntary, except for the audit report on economic measures (four basic financial statements), but internal auditors are well-trained and positioned to provide numerous assurance services.
Internal auditors, in addition to these voluntary assurance services, can assist external auditors in their integrated audit of internal controls and financial statements (PCAOB Auditing Standard (AS) No. 2, superseded by AS No. 5).
Internal auditors may assist management in complying with Section 302 and 404 requirements of SOX by reviewing management’s certifications on internal controls and financial statements or providing some type of assurance on the accuracy of those certifications.
Internal Auditors as Consultants
Internal auditors can provide a variety of consulting services to the company’s board of directors, the audit committee, management, and other personnel at all levels.
1) Consulting services to the board of directors and audit committee
2) Consulting services to management
3) Internal auditor training services
Trend and Relevance of Internal Auditors
1. The Foreign Corrupt Practices Act (FCPA) 1977
2. COSO Report of the National Commission on Fraudulent Financial Reporting (1987)
3. The IIA redefined internal auditing in 1999
4. SOX Sections 302 and 404 (Keep in mind that SOX does not directly address internal auditor responsibilities or internal audit function.)
5. The PCAOB in its AS No. 2
Authorities and Responsibilities of Internal Auditors
The internal audit function should have (1) full and free access to the company’s audit committee; (2) unrestricted access to the company’s records, documents, property, and personnel; and (3) authority to discuss initiatives, policies, and procedures regarding risk assessment, internal controls, compliance, financial reporting, and governance processes with management and other corporate governance participants.
Internal Auditing Function and Corporate Governance
Comparison of Internal Audit (Pre- and Postcorporate Governance Reforms)
Internal Audit Department at
WorldCom
Director reported to the company’s CFO rather than to the audit
committee.
No executive sessions between audit committee and internal
auditors
Internal audit’s budgets, staffing, compensation, and bonuses were
controlled by Ebbers.
Internal audit department failed to review and monitor ICFR.
Focused primarily on operation and efficiency audits of cost savings
and finding additional revenues to gain management acceptance.
Video
http://video.google.com/videosearch?hl=en&source=hp&q=worldcom%20video&um=1&ie=UTF-8&sa=N&tab=wv#
To achieve the effectiveness of internal and
oversight function, the audit committee should:
• Hire, compensate, evaluate performance, and fire the company’s chief audit executive (CAE, the director of the internal audit department) and oversee the appointment, performance, and termination of other key internal audit personnel.
• Review and approve the company’s internal audit charter including its role, responsibilities, resources, independence, and competence to ensure the charter is in compliance with the guidance and standards of the Institute of Internal Auditors (IIA).
• Review and approve the budget and staffing for the company’s internal audit department.
• Oversee the cooperation and coordination of audit work between the internal auditor and the independent auditor, particularly in the area of internal control and risk assessment as suggested in the PCAOB Auditing Standard Nos. 2 and 5.
• Review the annual evaluation of the company’s internal audit function including its reports, assessment, promotion, and rewards.
AUDIT COMMITTEE RELATIONSHIP WITH INTERNAL AUDIT
The audit committee can contribute to the success of internal auditors and the achievement of their value-added activities by ensuring that they have:
1. Sufficient independence from management by reporting to and being held accountable to the audit committee
2. Adequate resources, competence, and focus to assess the company’s operational efficiency, internal control effectiveness, ERM, and reliability of financial reports
3. Proper knowledge of the company’s corporate governance, internal control, financial reporting, and audit activities
4. The mechanisms and confidence to bring forward controversial financial reporting issues
5. A process for communicating directly with the company’s audit committee on a regular and timely basis
6. Access to the audit committee to discuss concerns related to management activities, financial reporting risk, and fraudulent financial reporting
7. Audit committee approval of the budget and staffing of the internal audit function
Internal auditors’ close working relationship with the audit committee enables them to:
1. Gain a better recognition and greater cooperation from management;
2. Safeguard their independence; and
3. Receive adequate authority and resources to fulfill their assigned responsibilities.
This relationship assists the audit committee to assess:
1. The company’s enterprise risk management pertaining to internal controls, financial reporting, and operations;
2. Cooperation and coordination of audit activities between internal auditors and external auditors; and
3. Unusual and risky transactions and events.
PWC Survey Findings
| Outsourced Financial Functions (Used/Plan) | All Multinational | U.S. | Europe |
|---|---|---|---|
| Payroll, billing or accounts payable services | 63% | 74% | 48% |
| IT/Systems support | 56% | 45% | 70% |
| Tax services | 56% | 54% | 59% |
| Benefits & claims administration | 52% | 70% | 29% |
| Legal services (related to finance) | 43% | 43% | 42% |
| Advisory compliance services | 37% | 39% | 34% |
| Accounting services (non-basic) | 29% | 22% | 38% |
| Risk management | 26% | 32% | 18% |
| Internal auditing | 26% | 34% | 16% |
| Human resources/hiring | 24% | 19% | 30% |
| Asset management | 19% | 17% | 22% |
| Other financial functions (volunteered) | 3% | 3% | 3% |
Source: http://www.pwc.com/outsourcing/
INTERNAL AUDIT OUTSOURCING
The decision of whether to establish and maintain an internal audit function or outsource the function should be made by the company’s board of directors and its representatives.
The SEC rule permits internal audit outsourcing to the client’s independent auditor in the following areas:
1. Operational internal audits that are not related to internal accounting controls, financial systems, or financial statements
2. Nonrecurring assessment of discrete items or other programs unrelated to outsourcing of the internal audit function
Internal Auditor’s Role in
Internal Control
Section 404 Compliance
Institute of Internal Auditors
IIA’s Attribute Standard
Institute of Internal Auditors
IIA’s Performance Standards
Internal Audit Performance
Four-phase plan suggested by PWC:
Phase 1: Project planning consisting of establishing specific internal audit objectives in line with stakeholder expectations
Phase 2: Value-driver identification, including gathering information about value drivers of internal audit
Phase 3: Current state assessment consisting of reviews and analysis of internal audit core processes, benchmarks, and best practices
Phase 4: Solution development of preparing report findings, observations, and recommendations for improvement in performance
Institute of Internal Auditors
Code of Ethics
Institute of Internal Auditors
Determinants of the Effective
Internal Auditor
Internal Auditors are striving to fulfill their responsibilities by using the best practices. PricewaterhouseCoopers suggests that internal auditors’ best practices should include the following:
• Build an adequate internal audit staff to support the needs of business.
• Structure the internal audit function on a fluid and flexible framework.
• Design an enterprise wide risk-based audit program.
• Broaden audit scope to address third-party and vendor risk.
• Combat fraud by advocating ethical conduct throughout the organization.
• Manage information systems risk proactively.
Internal Audit Framework
Step 1: Reevaluate the risk assessment.
Step 2: Pre-validate stakeholder expectations.
Step 3: Align the internal audit plan.
Step 4: Align resources, budget, and staff skills.
Step 5: Rearticulate the internal audit charter.
Step 6: Measure results.
Internal Auditing Education
The Institute of Internal Auditors Research Foundation (IIARF) is in the process of establishing the Common Body of Knowledge (CBOK) for internal auditors.
The IIA has established the Internal Auditing Education Partnership (IAEP) program to promote internal auditing in colleges and universities in educating the next generation of auditors.
Form an opinion (IIA April 2009)
• Relevance
• Planning
• Evidence gathering
• Reporting
Relevance
• Good guidance for internal auditors, boards of directors, executive and operating management, regulatory bodies, and other assurance providers who have an obligation to form, review, or assess the opinion on an organization’s governance, risk management and internal control systems.
• Internal audit opinions are very important, because they are aimed at addressing stakeholders’ concerns (if there are any). Those opinions are likely to be disclosed to the public, making them a crucial channel of communication.
• Applicable criteria used in expressing an opinion would be a good example of the opinion expression that has to be communicated to the stakeholders.
Planning
• There are certain factors that need to be considered when planning for the opinion:
- Assess whether it will be a macro-level opinion (based on the results of multiple audit projects) or a micro-level opinion (a single or a series of short-term audit projects).
- If the opinion is positive, then more evidence and a broader scope of work are required.
- Figure out what kind of evidence will be needed to prove that the opinion is correct.
- Agreement on the criteria that will be used in forming the opinion is very important.
- Time issues and the scope of the coverage should be carefully considered.
- Ensure that proper support from management for the internal audit plan is received.
Evidence Gathering
• When expressing macro-level opinions it is crucial to:
- specify the purpose for which the opinion will be used
- denote whether opinion will be used
- determine how risk averse the particular organization is
- identify the criteria for satisfactory performance
• A limited macro opinion is possible if auditors were unable to collect sufficient evidence; however, the potential for a limited opinion should be recognized in advance during the planning process. All the appropriate methodologies should be established in advance.
• When expressing micro-level opinions, the following things are crucial:
- audit organizations have to establish a clear criteria framework against which to draw conclusions
• Using a grading scale on any level requires a well-defined evaluation structure and consistency of the grading scales over the course of the years the audit was conducted.
Reporting
• The chief assurance executive is the best individual to provide assurance on a macro level.
- Positive assurance implies a lot of responsibility and should be used with caution and consideration.
- Grading or color coding is used in an appropriate way.
- Grades used in expressing the opinion should be agreed upon.
- Ideally, prior recommendations should also be included.
- The opinion may be qualified, which means that it is satisfactory overall, but there are some red flags to watch for.
• When the results are ready for evaluation, the following elements should be considered:
- Materiality (residual risk that the business objective will not be achieved should be assessed)
- Impact (It is very important to understand what kind of impact the internal auditors’ opinion will have on the business. The scope of the issues is also important.)
Internal auditors should comply with the local laws and regulations.
Conclusion
• The internal audit function of corporate governance provides objective and independent assurance and consulting services designed to add value and improve the company’s sustainable performance in the areas of operations, risk management, internal controls, financial reporting, and government processes.
• Internal auditors are well trained and positioned to provide numerous assurance services to their organization. The emerging trend toward more emphasis on MBL of governance, economic, ethical, social, and environmental performance requires organizations to provide assurance on a variety of their performance measures and achievements.
• SOX does not directly address internal auditor responsibilities or internal audit function.
• The internal audit function should have (1) full and free access to the company’s audit committee; (2) unrestricted access to the company’s records, documents, property, and personnel; and (3) authority to discuss initiatives, policies, and procedures regarding risk assessment, internal controls, compliance, financial reporting, and governance processes with management and other corporate governance participants.
Conclusion
• A close working relationship between the audit committee and internal auditors can improve the effectiveness of corporate governance.
• Internal auditors, as an integral component of the organization’s governance, should continue to improve their internal audit quality and effectiveness to secure their position in the corporate governance continuum.
• The IIA has promoted the role of internal auditors in corporate governance as providing objective and independent assurance and consulting services to their organizations.
• The IIA has established a PPF, which provides a definition of internal audits, its code of ethics, SPPIA, and development and practice aids.