
INTERNAL AUDITING

ACCT 465

History, Evolution, and Prospects

1
Types of Auditing

Two types of auditing:


External Auditing - focuses on assuring
stockholders on the fair presentation of an
organization's financial statements.
Internal Auditing - focuses on appraising the
management on various facets of the
organization and its activities.

2
Internal Auditing
A definition
Internal auditing is an independent
appraisal function established within an
organization to examine and evaluate its
activities as a service to the organization.

What are the essential words in this definition?

It is an independent function.
It is an appraisal function.
It is initiated by the organization.
Its purpose is to examine and evaluate organizational activities and
report to management as a service to the organization.

Internal auditing is nothing more than an organizational control function to ensure
that things are taking place as they should be and are not taking place as they
are not intended.
It is also an evaluation of the controls that management has established and the
effectiveness of those controls.

3
Internal Auditing
The basic role
At the most basic level, when one person assesses
another person's work, internal auditing has taken
place.
It can be done by anyone: a manager, a supervisor
or even a third party.
As an organization grows, such simple monitoring
(auditing) will not be sufficient.
In a larger organization, separate and
independent individuals or units will perform the
monitoring and assessment (the internal auditors).

4
Internal Auditing
The History
Early days, book-keeping was simple.
As organizations grew, complexity also
grew.
With separation of ownership from
management, need for control became
essential.
Result: Evaluation of internal controls by an
independent body became necessary.

In the early days, accounting was mostly book-keeping. An owner, in most
circumstances a single individual, maintained his/her financial records. There
was no obligation to report the performance to third parties. Over and above,
technology hardly existed and there was no need for wide area networks
and inter-connected organizational systems that made information security a
nightmare. Under these conditions, checking the veracity of information and
verifying the process of record-keeping, the accounting system, and the people
who maintain them was not difficult.

However, with the growth of technology and the even more important growth
of organizational structures and the formation of large and medium-sized
firms, evaluating the information system processes within an organization would
be an extremely difficult process.
Consequently, managers, owners, as well as stockholders have to depend on an
independent group of people to review, evaluate and report on the operations,
the controls, and the processes that govern the accounting and finance system
within an organization.

5
The Internal Auditor
Early days
Had a very limited role and limited
responsibility.
More of a verifier of records or
Reconciler of bank records and statements.
Over the years, the internal auditor moved
from being a mere checker to an auditor -
an independent appraiser.

Over the years, the internal auditor moved from being a mere checker of
records to an investigator and questioner of exceptions and deviations from the
norm.

6
The Internal Audit-related
organizations and regulations
1942, the IIA was formed
Foreign Corrupt Practices Act, 1970
COSO (Committee of Sponsoring
Organizations)
ISACA (Information System Audit and
Control Association)

7
The complexity is growing
Globalization of businesses has introduced
new control issues.
Quality control and risk management and
accountability take on new dimensions.
Business process outsourcing and
distributed manufacturing and services
introduce new business issues.

8
The new definition of
Internal Auditing
Internal auditing is an independent,
objective assurance and consulting activity
designed to add value and improve an
organization's operations. It helps an
organization accomplish its objectives by
bringing a systematic, disciplined approach
to evaluate and improve the effectiveness of
risk management, control, and governance
processes.

An objective activity - that is, it is not necessarily established within an
organization and can be offered by outsiders.
Assurance and consulting services - the focus is proactive and customer-focused,
and deals with risk management and corporate governance.
Designed to add value - the usefulness of internal audit.

9
The objective of Internal Audit
Assist members of the organization
Furnish analyses, appraisals,
recommendations, counsel, and information
concerning the activities reviewed.
IA should promote effective control at
reasonable cost.

10
Scope of Internal Audit

Please read the scope on page 8 of Research
Opportunities in Internal Auditing

11
Internal Audit functions performed
Today
Financial reviews and audits
Operational reviews (program audits,
performance audits)
Management audits
Compliance audits

Today, internal auditors perform various roles. They report at a much higher level
of their organizations and derive wide powers because they report to audit
committees of independent boards of directors.

12
Financial Reviews and Audits
Financial auditing is an external reporting
function.
Usually performed by external auditors or
public accountants
Internal auditors play a significant role in
supporting the external auditors' functions.

You must remember that, as it relates to internal financial reports generated by
management for management control purposes or as a basis for later
preparation of external financial statements, the internal auditor has a limited
role to perform.

The internal auditor helps the external auditor in verification of balances etc.
for financial statements. However, the proper compliance with reporting
regulations or procedures rests with the external auditors, and not the internal
auditors. Similarly, an internal auditor, under normal circumstances, does not
match expenditure or revenue items with actual or authorized expenditures and
revenues. Such a job rests primarily with the external auditors as part of their
audit routine. Unless specifically authorized to perform the task of
authorizations or verifications, an internal auditor does not perform these tasks
as part of auditing the internal financial reports. The internal auditor's role is
primarily to verify the internal controls surrounding the preparation of the
statements.

13
Areas where internal auditors can
help external auditors
Verification of account balances and
accounting records.
Analytical procedures.
Report preparation (not the external audit
report but supporting reports).
Note: Therefore, it will improve audit
efficiency if both external and internal
auditors coordinate their activities.

14
Operational/Performance Audit
All financial records eventually result from
operational activities (transaction documents,
record-keeping, data entry, etc.).
Verification of product quality
inspections/procedures.
Customer service relationship issues.
Examining input, processing and output controls.

15
Management Audit
Audit of capital budget decisions
Project implementation audits
Employee training/recruiting policies

16
Compliance audits
Compliance with regulatory policies.
SEC reporting
IRS documents and filings
Compliance with GAAP

17
The Internal Auditing Standards
SIAS
Adopted by the IIA in 1978.
Internal auditing is an independent appraisal
activity
Established within an organization.
It is a control function that examines and
evaluates the adequacy and effectiveness of
other controls.

18
Why do IAs need standards?
Standards provide a benchmark for
management to evaluate IA performance
and for IAs to evaluate themselves.
Provides comprehensive direction or
guidelines for IAs to deal with various
conditions that arise during the course of an
internal audit.

The Standards for the Professional Practice of Internal Auditing issued in 1979
take precedence over other standards that an IA may follow (AICPA, CFE,
etc.).

The standards provide guidance to the Internal auditors on how to deal with
various situations and what to do and what not to do under specific conditions.
For example, if the internal auditors detect management fraud, how should the
IA deal with the situation? They are responsible for detecting, investigating,
and reporting the act to the audit committee, and also for making sure that
sufficient follow-up actions are taken to mitigate the situation.

The standards also provide technical guidance.

19
A few important standards
Internal auditors assist management and the
BOD. They are responsible to both and
provide them with information about:
Adequacy and effectiveness of the
organization's system of internal control and
quality of performance.
IA department is an integral part of the
organization and the policies established by
senior management.

20
Standards related to IA skills
The Standards require that internal auditors
possess the following skills:
Internal auditors should understand human
relations and be skilled in dealing with people.
Internal auditors should be able to recognize and
evaluate the materiality and significance of
deviations from good business practices.
Internal auditors should be skilled in oral and
written communication.

However, internal auditors need not be experts on subjects such as economics,
commercial law, taxation, finance, and information technology.

21
IA independence
Internal auditors should be independent of
the activities they audit. Such independence
permits internal auditors to perform their
work freely and objectively. Without
independence, the desired results of internal
auditing cannot be realized.

For example, internal auditors should not be involved in audits of departments
that they have recently been working in or are likely to be moving into.
However, it is perfectly OK for internal auditors to be involved in a special
committee to examine the controls for a new supply chain system being
implemented or make recommendations on employee contracts being drafted
by the management. These are part of the responsibilities and duties of an
internal auditor.

There are situations where an internal auditor would have a conflict on
whether to go forward or not to go forward. For example, if an internal auditor
participates in a company-sponsored gift scheme and wins a sizeable gift,
should he/she accept it or reject it? If he/she is offered a promotion and then asked to
overlook certain control weaknesses, should he/she go forward with
management's request? These are questions that are answered not only by the
professional standards and auditor independence concepts but also the code of
ethics.

Similarly, there are other conflicting situations. The IA's brother-in-law is the
sales agent for another company that is negotiating a huge sale with the firm.
Should the IA examine this contract for validity and proper cost negotiations?
How should the internal auditor go about this responsibility? Again, these are
not only issues of professional standards but also professional ethics.

22
Professional care
IAs should exhibit professional care in their
duties.
Organizational status of the internal
auditing department should be sufficient to
permit accomplishment of audit
responsibilities.

What is professional care under a certain circumstance depends on the circumstance. For
example, auditors may conduct sample audit tests. Some of them are serious tests because of
materiality, context, etc. and must be documented in the audit report. Others may be less
severe or small tests and need not be documented. Because the auditor did not document a
certain audit procedure or test does not automatically imply that he did not exercise
professional care. It depends on the circumstances. Similarly, not all audit work involves
examining financial reports or compliance with regulations. Because an auditor did not
examine compliance with regulations or financial data does not automatically imply lack of
professional care. However, an auditor is bound to report non-compliance with regulations or
financial policies (materiality) or even more seriously, irregularities on the part of employees
or management to the audit committee. If the auditor fails to report an irregularity or a serious
non-compliance of management policy, he would be failing in due professional care.

Similarly, there are other circumstances that would not only be a violation of the general IIA
standards but also the specific standard of professional care. For example, an auditor may be
asked by the management to audit a specific issue for which the auditor lacks qualified staff or
that requires technical expertise that goes far beyond what is available within the internal audit
department. For example, internal audit of a complex computing system may be beyond the
knowledge of the internal auditing staff. The management may pressurize the auditors to start
the work soon. However, the auditor has the right to not start the audit right away and inform
the management that he and his staff do not have the skills or resources to do the work and
they need to hire an outside consultant or expert to help them. This would not be considered a
violation of professional care even though the task that the auditor was asked to audit may be
of high risk.

23
Code of Ethics
Management must trust the internal auditors
implicitly.
When internal auditors report something,
management must have the secure feeling
that it is just, valid, and objective and also
without bias.

Professional codes of ethics evolved as a result of the special relationship between members of
the learned professions and their clients. Professional practitioners do not keep those they
serve at arm's length. At the same time, a client must place their trust in the ethical behavior
of the professional. This trust is enhanced when the professional is required to take an oath to
serve the public honestly and diligently and so be governed by strict rules of ethical behavior.

The IIA Code of Ethics applies to all internal auditing professionals and applies to all
individuals and organizations performing internal auditing, regardless of location or
relationship to the organization.

For example, internal auditors should not perform personal work for employees or managers;
they should not be connected with suppliers or competing firms; they should not put their
knowledge of the enterprise to personal use; and they should not accept gifts of any material
value from entity employees. The prohibitions are many and impossible to catalog, but
internal auditors should take steps to avoid even a hint that objectivity is being compromised.
In such cases the perception is as important as the reality. Also, internal auditors must exhibit
loyalty to their employers. They must not knowingly be party to any illegal or improper
activity. Where such activity is encountered, it should be reported to the proper authorities
within the enterprise. Under the code of ethics internal auditors have no responsibility to
report to agencies outside the enterprise unless they are specifically compelled to do so by law.

24
Training IA staff

The IIA standards require the Director of IA
to keep organizational objectives in mind
when educating and training the IA staff.

The organizational objectives are the primary issue that must direct the
education of IA staff; other constraints, such as what should be taught and
budget constraints, are secondary issues.

25
IAs' role in Corporate Governance

IAs must be absolutely independent from
the operating staff.
IAs report to the board of directors, the
audit committee and to the external
auditors.
IAs work with external auditors.
IAs advise managers.

26
BOD, Audit Committee
and the Internal Auditors
The SEC now requires that a certain number of BOD
members are external members.
BODs are expected to assume greater
responsibility for corporate governance.
A corporate scandal or failure during their watch
is detrimental to their own reputation.
BODs are supported in their role by audit
committees.
The IAs are a liaison for both these groups.

27
Audit Committee
Is established by the BOD.
Consists of outside directors to understand,
monitor, coordinate, and interpret internal controls
and reports of an organization.
Internal auditors help audit committee by:
Assessing controls
Reliability of financial reports
Effectiveness and efficiency of operations and
Compliance with applicable laws and regulations.

28
The functions of the Audit
Committee include:
Preventing organizational problems and
making constructive suggestions for
improving them.
Defining internal audit roles and
responsibilities.
Nominating the Director of IA
Approving internal audit plans and budgets

29
IAs' duties to Audit Committee
The director of audit must attend meetings
of Audit committees.
Submit periodic reports to the audit
committee
Provide support for the selection and
retention of external auditors
Perform special audits at the behest of the
audit committee.

30
External Auditors
and the Internal Auditors
Internal auditing is often considered an
extension of external auditing.
Since many IAs are from public accounting,
they are conversant with public accounting
standards and ethical codes.
While their missions differ, they also have
quite a lot in common.

31
IAs and Corporate Management
Although IAs are employees of an
organization, they should not interfere in line
functions.
Their role is information-providing and
advisory and not implementation.

32
CORPORATE GOVERNANCE

33
Corporate Governance
... the link between a company's management,
directors, and its financial reporting
system. Arthur Levitt, former SEC
Chairman.
Governance that does not promote a
culture of strong independent oversight
risks stability and future health.

Corporate governance is a broad concept. What is effective corporate
governance depends on organizational structures, culture, and environment.

34
Key attributes of
corporate governance
Procedures used to monitor risk and control
processes.
Monitoring of organizational risks.
Assurance that controls exist and are
capable of mitigating risks.
Accountability to stakeholders
Effective stewardship.

35
Corporate governance
the participants
Beneficiaries: stockholders, employees,
investors, suppliers, creditors.
Participants in the governing process
Management, Board of Directors, Audit
Committees, Internal Auditors, Regulators,
External Auditors

36
Internal Auditors' Role in Corporate Governance

Management Requests of IA Function


Independent evaluation of controls
Assistance in preparing report on controls
Evaluation of efficiency of processes
Assistance in designing controls
Risk Analysis
Risk assurance
Facilitation of risk and control self-assessment

Internal Audit Function

Audit Committee Requests of IA Function


Assurance re: controls
Independent evaluation of accounting practices and processes
Risk analysis of internal accounting control and financial reporting.
Fraud analysis and special investigation

From the above slide you can recognize that all organizational governance
begins with the central role of management as the drivers of organizational
governance. By setting the tone at the top (Treadway Commission, 1987) and
handling the day-to-day operations of the entity, management's influence on
the quality of governance is significant. Management is responsible for
monitoring organizational risks and implementing controls to mitigate such
risks.

37
Role of Internal Auditors in
Corporate Governance
IAF defines internal auditing as an independent, objective
assurance and consulting activity designed to add value
and improve an organization's operations. It helps an
organization to accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve
the effectiveness of risk management, control, and
governance processes.
What is common between this definition and the corporate
governance slide you just saw:
Assurance
Risk
Controls

38
