Internal Auditors' Roles and Responsibilities - UMdrive

penredheadManagement

Nov 18, 2013 (3 years and 11 months ago)

68 views

Internal Auditors’ Roles and
Responsibilities

Chapter VIII



Chapter Objectives:



Understand

the

importance

and

value
-
added

nature

of

the

internal

audit

function
.



Review

the

qualities

of

an

effective

internal

audit

department
.



Discuss

the

role

of

internal

auditors

as

assurance

providers

and

consultants
.



Review

the

trends

of

the

internal

auditing

profession
.



Discuss

the

relationship

of

internal

audits

and

the

audit

committee
.



Analyze

the

determinants

of

an

effective

internal

audit
.



Discuss

the

professional

practices

framework

(PPF)

adopted

by

The

Institute

of

Internal

Auditors

(IIA)
.



Promote

the

best

practices

and

internal

audit

framework
.

Key Terms

Chief

audit

executive

(CAE)

Committee

of

Sponsoring

Organizations

of

the

Treadway

Commission

(COSO)

Foreign

Corrupt

Practices

Act

(FCPA)

of

1977

Institute

of

Internal

Auditors

(IIA)

Standards

for

the

Professional

Practice

of

Internal

Auditing

(SPPIA)


Video

( VIDEO)

Changing Definitions of Internal
Auditing


Internal auditors have made an impressive
progress during the past several decades. To
gain an appreciation of this progress, let’s
compare definitions of internal auditing as
provided by the IIA initially in 1947, and
subsequently in 1981 and 1999.

4

Changing Definitions of Internal
Auditing (cont.)

1947

1981

1999

Independent
appraisal activity

within an
organization for the
review of
accounting,
financial and other
operations as a
basis for protective
and constructive

service to
management

[emphasis added].

An independent
appraisal function

established within
an organization to
examine and
evaluate its
activities as a
service to the
organization

[emphasis added].

Internal auditing is an
independent, objective
assurance and consulting
activity

designed to add value
and improve an organization's
operations.


It helps an
organization accomplish its
objectives by bringing a
systematic, disciplined
approach to evaluate and
improve the effectiveness of
risk management, control,
and governance processes
[emphasis added].

5

Important Improvements in the

Definition of Internal Auditing

1.
The term “service” implies that internal auditing is a staff
rather than a line activity within the organization.

2.
There is a shift from “serving management” to “serving the
organization” to finally “an integral component of corporate
governance as a separate value
-
added
function”.

3.
The focus of internal auditing has shifted away from
appraisal and compliance activity toward objective
assurance and consulting
activities.

4.
The role of internal auditors has changed from providing
management with input and objective feedback to directly
participating in decision
-
making.

5.
These definitions view internal auditing as an “activity,”
which implies it can be performed either within the
organization or outsourced to external
auditors.

6

Reasons for Change

I suggest the IIA
revise
the latest definition and now view internal
auditing as a function for several reasons:

1.
The Sarbanes
-
Oxley Act prohibited outside auditors to perform
internal auditing services simultaneously with audit service.

2.
Listing standards (e.g., NYSE) require listed companies to
establish in
-
house internal audit function.

3.
Corporate governance reforms of other countries (e.g.,
Singapore) require companies to establish an independent audit
function.

4.
As a service activity, internal auditors would have limited
authority, resources, independence, and would be viewed as
assistants to management (eyes and ears of management).

5.
As a separate internal audit function, internal auditors would have
more authority, resources, and be viewed as the eyes and ears of
the audit committee.

6.
The PCAOB, in its Auditing Standards No. 2, indirectly
encourages a separate internal audit function to assist outside
auditors with Section 404
compliance.

7

Internal Auditors as Assurance
Providers

Assurance

reports

on

these

measures

are

currently

voluntary,

except

for

the

audit

report

on

economic

measures

(four

basis

financial

statements),

but

internal

auditors

are

well
-
trained

and

positioned

to

provide

numerous

assurance

services
.



Internal

auditors,

in

addition

to

these

voluntary

assurance

services,

can

assist

external

auditors

in

their

integrated

audit

of

internal

controls

and

financial

statements

(PCAOB

Auditing

Standard

(AS)

No
.

2
,

superseded

by

AS

No
.

5
)
.



Internal

auditors

may

assist

management

in

complying

with

Section

302

and

404

requirements

of

SOX

by

reviewing

management’s

certifications

on

internal

controls

and

financial

statements

or

providing

some

type

of

assurance

on

the

accuracy

of

those

certifications
.

Internal Auditors as Consultants

Internal

auditors

can

provide

a

variety

of

consulting

services

to

the

company’s

board

of

directors,

the

audit

committee,

management,

and

other

personnel

at

all

levels
.


1)
Consulting

services

to

the

board

of

directors

and

audit

committee

2)
Consulting

services

to

management

3)
Internal

auditor

training

services

Trend and Relevance of
Internal Auditors

1.
The

Foreign

Corrupt

Practices

Act

(FCPA)

1977

2.
COSO

Report

of

the

National

Commission

on

Fraudulent

Financial

Reporting

(
1987
)


3.
The

IIA

redefined

internal

auditing

in

1999

4.
SOX

Sections

302

and

404

(Keep

in

mind

that

SOX

does

not

directly

address

internal

auditor

responsibilities

or

internal

audit

function
.
)


5.
The

PCAOB

in

its

AS

No
.

2


Authorities and Responsibilities of
Internal Auditors

The

internal

audit

function

should

have

(
1
)

full

and

free

access

to

the

company’s

audit

committee
;

(
2
)

unrestricted

access

to

the

company’s

records,

documents,

property,

and

personnel
;

and

(
3
)

authority

to

discuss

initiatives,

policies,

and

procedures

regarding

risk

assessment,

internal

controls,

compliance,

financial

reporting,

and

governance

processes

with

management

and

other

corporate

governance

participants
.

Internal Auditing Function and
Corporate Governance


Comparison of Internal Audit (Pre
-

and Postcorporate
Governance Reforms)

Internal Audit Department at
WorldCom


Director reported to the company’s CFO rather than to the audit
committee.


No executive sessions between audit committee and internal
auditors


Internal audit’s budgets, staffing, compensation, and bonuses were
controlled by Ebbers.


Internal audit department failed to review and monitor ICFR.


Focused primarily on operation and efficiency audits of cost savings
and finding additional revenues to gain management acceptance.

Video

http://video.google.com/videosearch?hl=en&so
urce=hp&q=worldcom%20video&um=1&ie=U
TF
-
8&sa=N&tab=wv#



To achieve the effectiveness of internal and
oversight function, the audit committee should:


Hire, compensate, evaluate performance, and fire the company’s
chief audit executive (CAE, the director of the internal audit
department) and oversee the appointment, performance, and
termination of other key internal audit personnel.


Review and approve the company’s internal audit charter including
its role, responsibilities, resources, independence, and competence
to ensure the charter is in compliance with the guidance and
standards of the Institute of Internal Auditors (IIA).


Review and approve the budget and staffing for the company’s
internal audit department.


Oversee the cooperation and coordination of audit work between the
internal auditor and the independent auditor, particularly in the area
of internal control and risk assessment as suggested in the PCAOB
Auditing Standard
Nos. 2and 5.


Review the annual evaluation of the company’s internal audit
function including its reports, assessment, promotion, and rewards.


15

AUDIT COMMITTEE RELATIONSHIP
WITH INTERNAL AUDIT



The

audit

committee

can

contribute

to

the

success

of

internal

auditors

and

the

achievement

of

their

value
-
added

activities

by

ensuring

that

they

have
:

1
.

Sufficient

independence

from

management

by

reporting

to

and

being

held

accountable

to

the

audit

committee

2
.

Adequate

resources,

competence,

and

focus

to

assess

the

company’s

operational

efficiency,

internal

control

effectiveness,

ERM,

and

reliability

of

financial

reports

3
.

Proper

knowledge

of

the

company’s

corporate

governance,

internal

control,

financial

reporting,

and

audit

activities

4
.

The

mechanisms

and

confidence

to

bring

forward

controversial

financial

reporting

issues

5
.

A

process

for

communicating

directly

with

the

company’s

audit

committee

on

a

regular

and

timely

basis

6
.

Access

to

the

audit

committee

to

discuss

concerns

related

to

management

activities,

financial

reporting

risk,

and

fraudulent

financial

reporting

7
.

Audit

committee

approval

of

the

budget

and

staffing

of

the

internal

audit

function

Internal auditors’ close working relationship
with the audit committee enables them to:

1.
Gain a better recognition and greater cooperation from
management;

2.
Safeguard their independence; and

3.
Receive adequate authority and resources to fulfill their
assigned responsibilities.


This relationship assists the audit
committee to
assess:

1.
The company’s enterprise risk management pertaining
to internal controls, financial reporting, and operations;

2.
Cooperation and coordination of audit activities
between internal auditors and external auditors; and

3.
Unusual and risky transactions and events.


17

PWC Survey Findings

Outsourced Financial Functions

Used/Plan

Used/Plan

All
Multinational

U.S.

Europe

Payroll, billing or accounts payable services

63%

74%

48%

IT/Systems support

56%

45%

70%

Tax services

56%

54%

59%

Benefits & claims administration

52%

70%

29%

Legal services (related to finance)

43%

43%

42%

Advisory compliance services

37%

39%

34%

Accounting services (non
-
basic)

29%

22%

38%

Risk management

26%

32%

18%

Internal auditing

26%

34%

16%

Human resources/ hiring

24%

19%

30%

Asset management

19%

17%

22%

Other financial functions (volunteered)

3%

3%

3%

18

Source: http://www.pwc.com/outsourcing/

INTERNAL AUDIT
OUTSOURCING

The

decision

of

whether

to

establish

and

maintain

an

internal

audit

function

or

outsource

the

function

should

be

made

by

the

company’s

board

of

directors

and

its

representatives
.



The

SEC

rule

permits

internal

audit

outsourcing

to

the

client’s

independent

auditor

in

the

following

areas
:


1
.

Operational

internal

audits

that

are

not

related

to

internal

accounting

controls,

financial

systems,

or

financial

statements

2
.

Nonrecurring

assessment

of

discrete

items

or

other

programs

unrelated

to

outsourcing

of

the

internal

audit

function

Internal Auditor’s Role in
Internal Control

Section 404 Compliance



Institute of Internal Auditors


IIA’s Attribute Standard



Institute of Internal Auditors

IIA’s Performance Standards



Internal Audit Performance

Four
-
phase plan suggested by PCW:


Phase

1
:

Project

planning

consisting

of

establishing

specific

internal

audit

objectives

in

line

with

stakeholder

expectations


Phase

2
:

Value
-
driver

identification,

including

gathering

information

about

value

drivers

of

internal

audit


Phase

3
:

Current

state

assessment

consisting

of

reviews

and

analysis

of

internal

audit

core

processes,

benchmarks,

and

best

practices


Phase

4
:

Solution

development

of

preparing

report

findings,

observations,

and

recommendations

for

improvement

in

performance

Institute of Internal Auditors

Code of Ethics



Institute of Internal Auditors

Determinants of the Effective
Internal Auditor

Internal

Auditors

are

striving

to

fulfill

their

responsibilities

by

using

the

best

practices
.

PricewaterhouseCoopers

suggests

that

internal

auditors’

best

practices

should

include

the

following
:




Build

an

adequate

internal

audit

staff

to

support

the

needs

of

business
.



Structure

the

internal

audit

function

on

a

fluid

and

flexible

framework
.



Design

an

enterprise

wide

risk
-
based

audit

program
.



Broaden

audit

scope

to

address

third
-
party

and

vendor

risk
.



Combat

fraud

by

advocating

ethical

conduct

throughout

the

organization
.



Manage

information

systems

risk

proactively
.

Internal Audit Framework

Step

1

Reevaluate the risk assessment.

Step 2

Pre
-
validate stakeholder
expectations.

Step 3

Align the internal audit plan.

Step 4

Align resources, budget, and staff
skills.

Step 5

Rearticulate the internal audit
charter.

Step 6

Measure results.

Internal Auditing Education

The

Institute

of

Internal

Auditors

Research

Foundation

(IIARF)

is

in

the

process

of

establishing

the

Common

Body

of

Knowledge

(CBOK)

for

internal

auditors
.



The

IIA

has

established

the

Internal

Auditing

Education

Partnership

(IAEP)

program

to

promote

internal

auditing

in

colleges

and

universities

in

educating

the

next

generation

of

auditors
.


Form an opinion (IIA April 2009)



Relevance


Planning


Evidence gathering


Reporting

Relevance



A good guidance for internal auditors, board of directors,
executive and operating management, regulatory bodies
and other assurance provider whoever has an obligation to
form, review, or assess the opinion on an organization’s
governance, risk management and internal control systems.


Internal Audit opinions are very important, because they are
aimed to address stakeholders’ concerns (if there are any).
Those opinions are likely to be disclosed to the public
making those opinions a crucial channel of the
communication.


Applicable criteria used in expressing an opinion would be a
good example of the opinion expression which has to be
communicated to the stakeholders.


Planning



There are certain factors that need to be considered when planning for
the opinion:


-
Assess whether it will be a macro
-
level opinion (based on the results of
the multiple audit projects) or micro
-
level opinion (single or series of
short
-
term audit projects).


-

If the opinion is positive, then more evidence and a broader scope of
work is required.


-

Figure out what kind of evidence will be needed to prove that the
opinion is correct.


-

Agreement on the criteria that will be used in forming the opinion is
very important.


-

Time issue and the scope of the coverage should be carefully
considered.


-

Ensure that the proper support from management on the internal audit
plan is received.

Evidence Gathering


When expressing macro level opinions it is crucial to:


-

specify the purpose for which opinion will be used


-

denote whether opinion will be used


-

determine how risk averse particular organization is


-

identify the criteria for satisfactory performance


Limited macro opinion is possible if auditors were unable to collect
sufficient evidence; however, the potential of limited opinion should be
recognized in advance during the planning process. All the appropriate
methodologies should be established in advance.


When expressing micro level opinions, the following things are crucial:


-
audit
-
organizations have to establish clear criteria framework against
which to draw conclusions


Using a grading

scale on any level requires a well
-
defined evaluation
structure and the consistency of the grading scales over the course of
years the audit was conducted


Reporting


The chief assurance executive is the best individual who can provide assurance
on a macro
-
level.


-
Positive assurance implies a lot of responsibility and should be used with
caution and consideration.


-
Grading or color coding is used in an appropriate way.


-
Grades used in expressing opinion should be agreed upon.


-
Ideally, prior recommendations should also be included.


-

The opinion may be qualified, which means that it is overall satisfying, but there
are some red flags to watch for.




When the results are ready for the evaluation the following elements should be
considered:


-
Materiality
(residual risk that the business objective will not be achieved should
be assessed)


-

Impact
(It is very important to understand what kind of impact on the business
the internal auditors’ opinion will have. The scope of the issues is also
important.)

Internal auditors should comply with the local laws and regulations.

Conclusion




The

internal

audit

function

of

corporate

governance

provides

objective

and

independent

assurance

and

consulting

services

designed

to

add

value

and

improve

the

company’s

sustainable

performance

in

the

areas

of

operations,

risk

management,

internal

controls,

financial

reporting,

and

government

processes
.



Internal

auditors

are

well

trained

and

positioned

to

provide

numerous

assurance

services

to

their

organization
.

The

emerging

trend

toward

more

emphasis

on

MBL

of

governance,

economic,

ethical,

social,

and

environmental

performance

requires

organizations

to

provide

assurance

on

a

variety

of

their

performance

measures

and

achievements
.



SOX

does

not

directly

address

internal

auditor

responsibilities

or

internal

audit

function
.



The

internal

audit

function

should

have

(
1
)

full

and

free

access

to

the

company’s

audit

committee
;

(
2
)

unrestricted

access

to

the

company’s

records,

documents,

property,

and

personnel
;

and

(
3
)

authority

to

discuss

initiatives,

policies,

and

procedures

regarding

risk

assessment,

internal

controls,

compliance,

financial

reporting,

and

governance

processes

with

management

and

other

corporate

governance

participants
.

Conclusion




A

close

working

relationship

between

the

audit

committee

and

internal

auditors

can

improve

the

effectiveness

of

corporate

governance
.



Internal

auditors,

as

an

integral

component

of

the

organization’s

governance,

should

continue

to

improve

their

internal

audit

quality

and

effectiveness

to

secure

their

position

in

the

corporate

governance

continuum
.



The

IIA

has

promoted

the

role

of

internal

auditors

in

corporate

governance

as

providing

objective

and

independent

assurance

and

consulting

services

to

their

organizations
.



The

IIA

has

established

a

PPF,

which

provides

a

definition

of

internal

audits,

its

code

of

ethics,

SPPIA,

and

development

and

practice

aids
.