Wiley Cia Exam Review Edited


MANAGING AN INTERNAL AUDIT FUNCTION

Internal Audit Director
The internal audit director needs to comply with the IIA's Attribute Standards, which say that the chief audit executive (CAE) is responsible for properly managing the department so that:
(1) audit work fulfills the general purposes and responsibilities approved by senior management and accepted by the board,
(2) resources of the internal auditing (IA) department are efficiently and effectively employed, and
(3) audit work conforms to the Standards.

Internal Audit Charter
• Basic policy statement under which the internal auditing (IA) department operates.
• Establishes the IA department's position in the organization's hierarchy.
• The IA department operates independently of all other departments in the organization.
• Describes the organizational status: the director of internal auditing should report to the chief executive officer (CEO) but have access to the board of directors. A dual reporting relationship exists here: reporting administratively to the president or CEO, and reporting functionally to the audit committee of the board of directors.
• Describes the purpose, authority, and responsibility of the IA department.

Mission or Purpose of the IA Department
• Review the organization's activities to determine whether it is efficiently and effectively carrying out its function of controlling in accordance with management's instructions, policies, and procedures.
• Determine the adequacy and effectiveness of the system of internal controls in all areas of activity.
• Review the reliability and integrity of financial information and the means used to identify, measure, classify, and report such information.
• Review the means of safeguarding assets and, as appropriate, verify the existence of such assets.
• Appraise the economy and efficiency with which resources are employed, identify opportunities to improve operating performance, and recommend solutions to problems where appropriate.
• Review operations and plans to ascertain whether results are consistent with established objectives and goals, and whether the operations and plans are being carried out as intended.
• Coordinate audit efforts, where appropriate, with those of the external auditors.
• Review the planning, design, development, implementation, and operation of relevant computer-based systems to determine whether a) adequate controls are incorporated in the systems; b) thorough system testing is performed at appropriate stages; c) system documentation is complete and accurate; and d) needs of the users are met.
• Conduct periodic audits of computer centers and make post-installation evaluations of relevant data processing systems to determine whether those systems meet their intended purposes and objectives.
• Participate in the planning and performance of audits of acquisitions. Follow up to ensure the proper accomplishment of the audit objective.
• Report to those members of management who should be informed, or who should take corrective action, the results of audit examinations, the audit opinions formed, and the recommendations made.
• Evaluate the plans or actions taken to correct reported conditions for satisfactory disposition of audit findings. If corrective action is considered unsatisfactory, hold further discussions to achieve acceptable disposition.
• Provide adequate follow-up to ensure that proper corrective action is taken and that it is effective.

Authority
• The IA department will have full, free, and unrestricted access to records, personnel, and physical properties relevant to the performance of an audit.
• Internal auditors have neither authority over nor responsibility for the activities they audit.
• The audit director should have direct access to the audit committee since it tends to enhance IA's independence and objectivity.

Responsibility
The IA department accomplishes its purpose of assisting management by reviewing, examining, and evaluating activities, furnishing analyses and appraisals, and reporting findings and recommendations. This audit responsibility cannot relieve any operating manager of the requirement for ensuring proper control within his or her area of concern. The IA department also has the responsibility to perform audit work with due professional care and with appropriate education, experience, certification, professional image and attitude, and personal integrity.

Planning
The director of internal auditing should establish plans to carry out the responsibilities of the internal auditing department. These plans should be consistent with the charter and with the goals for the organization. The planning process involves establishing goals, audit work schedules, staffing plans and financial budgets, and activity reports.
During audit planning, internal auditors should review all relevant information such as risk models/risk analysis, audit plans, audit assignments, and activity reports.

Risk Models/Risk Analysis
• Used in conjunction with development of long-range audit schedules.
• Judgment of the internal auditor and the results of quantitative risk assessment are the basis for audit planning work.
• Factors to be considered during risk analysis include:
  • Financial exposure
  • Potential loss of assets
  • Results of prior audits
  • Major operating changes
  • Damage to assets
  • Failure to comply with laws and regulations
• Skills available on the audit staff are not a risk factor since missing skills can be obtained elsewhere.
The CAE should allocate the audit work schedule to managers based on risk analysis performed by auditors and skill analysis of the audit managers.

Audit Plan
The audit plan should include:
• A detailed schedule of areas to be audited during the coming year
• An estimate of the time required for each audit
• Risk
• Exposure
• Potential loss to the organization
• The approximate starting date for each audit.

Audit Assignment
Documentation needed to plan an audit assignment should include evidence that resources needed to complete the audit were considered. When the audit director makes audit assignments for inclusion in the work schedule, those assignments should be based on the relative risk of the auditable areas.
Criteria should be established when audit resources are limited and a decision has to be made to choose between two operating departments for scheduling an audit. The most important criteria are: major changes in operations in one of the departments, more opportunities to achieve operating benefits in one of the departments than in the other, and a potential loss that is significantly greater in one department than in the other. The least important criterion is whether the audit staff has recently added an individual with experience in one of the auditable areas.

Activity Reports
Activity reports submitted periodically by the audit director to management and to the board should compare performance with audit work schedules. This requires comparing audits completed with audits planned.

Policies and Procedures
The CAE should provide written policies and procedures to guide the audit staff. An audit policies and procedures manual is most essential for guiding the audit staff in maintaining daily compliance with the department's standards of performance, and least important to audit quality control reviews, auditor position/job descriptions, and auditor performance appraisals.

Audit Manual
The need to issue formal manuals will largely depend on the size of the department. Any department with five or more staff members, or whose auditors work alone, should probably have one. The manual should address such things as administrative matters (e.g., progress reports, time and attendance, travel), adherence to the department's guidelines, relationships with auditees, auditing techniques, reporting audit results, and working paper standards (whether paper media, electronic media, or a combination).

Staff Meetings
• Staff meetings are conducted periodically to improve communications.
• Audit staff are afforded a venue where problems are discussed and receive updates regarding departmental policies.
• The CAE can address rumors affecting the audit department and the company.

Audit Reports
Audit reports issued by an internal auditor should contain an expression of opinion when an opinion will improve communications with the reader of the report. Due professional care requires that the auditor's opinions be based on sufficient factual evidence that warrants the expression of the opinions. Due care does not require the performance of extensive audit examination. It calls for reasonable work.

Type of audit report: final, interim, or a combination.
Form of communication: oral, written, or a combination.
Type of audience to receive the audit report: internal management, external auditors, or a combination.

The type of participants (by job title in the audit and auditee departments) to attend the entrance conference and the exit audit conference should be spelled out in the audit department's policies and procedures manual.

An audit policy should require that final audit reports not be issued without a management response. However, when an audit with significant findings is complete except for management's response, the best alternative is to issue an interim report regarding the important issues noted. This is because time is of the essence here.
The final audit report should be reviewed, approved, and signed by the director of internal auditing or his designee.
When illegal acts are being performed by several of the highest-ranking officers of the company, the audit report should be addressed to the audit committee of the board of directors.

Follow-up
The CAE should ensure follow-up of prior audit findings and recommendations to determine whether corrective action was taken and is achieving the desired results. If the auditor finds that no corrective action has been taken on a prior audit finding that is still valid, the auditor should determine whether management or the board has assumed the risk of not taking corrective action.

Personnel Management and Development
The CAE should establish a program for selecting and developing the human resources of the internal auditing department. A well-developed set of selection criteria is a key factor in the success of an audit department's human resource program.

Hiring
The audit staff should include members proficient in applying internal auditing standards, procedures, and techniques. When hiring entry-level audit staff, the most likely predictor of an applicant's success as an auditor would be the ability to organize and express thoughts well; the least likely predictors would be: grade point average on college accounting courses; ability to fit well socially into a group; and the level of detail of knowledge of the company. When hiring an auditor, reasonable assurance should be obtained as to each prospective auditor's qualifications and proficiency. This should include obtaining college transcript(s), checking an applicant's references, and determining previous job experience.

Selection Criteria
The CAE should establish the evaluation criteria for the selection of new internal audit staff members. Criteria would be an appreciation of the fundamentals of accounting, an understanding of management principles, and the ability to recognize deviations from good business practices. Criteria would not include proficiency in computerized operations and the use of computers in auditing.

Performance Criteria
The CAE should establish guidelines for evaluating the performance of audit staff members: the evaluator should justify very high and very low evaluations because of their impact on the employee; evaluations should be made annually or more frequently to provide the employee with feedback about competence; and the first evaluation should be made shortly after commencing work to serve as an early guide to the new employee. But the evaluator should not use standard evaluation comments, because there are so many employees whose performance is completely satisfactory. The performance appraisal system for evaluating an auditor should include specific accomplishments directly related to the performance of the audit program.

Continuing Education
The CAE is responsible for establishing continuing education and training opportunities to develop the human resources of the audit department. The main purpose of audit department training is to achieve both individual and departmental goals in training.

External Auditors
The CAE should coordinate internal and external audit efforts to minimize duplication of audit work and to increase the effectiveness of audit work.

Quality Assurance
The CAE should establish and maintain a quality assurance program to evaluate the operations of the internal auditing department. The standard calls for three elements for the quality assurance program: supervision, internal reviews, and external reviews. The audit department should have periodic quality assurance reviews. Accomplishing the intended results and demonstrating consistent quality are also part of the quality assurance task.

Post-audit Quality Review
A post-audit quality review provides top managers with an independent assessment of the extent to which the audit organization complies with professional standards and its own policies and procedures.

Reviewing Individual Assignments
Reviewing individual assignments provides valuable feedback to managers on how well selected auditable units consistently achieve the expected quality. The number and type of assignments selected for testing should provide a reasonable basis for making this assessment.

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

Internal audit activities are performed in diverse legal and cultural environments; within organizations that vary in purpose, size, complexity, and structure; and by persons within or outside the organization. While differences may affect the practice of internal auditing in each environment, compliance with the International Standards for the Professional Practice of Internal Auditing is essential if the responsibilities of internal auditors are to be met. If internal auditors are prohibited by laws or regulations from complying with certain parts of the Standards, they should comply with all other parts of the Standards and make appropriate disclosures.

The four purposes of the Standards are to:
1. Delineate basic principles that represent the practice of internal auditing as it should be.
2. Provide a framework for performing and promoting a broad range of value-added internal audit activities.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organizational processes and operations.

The Standards consist of:
1. Attribute Standards
2. Performance Standards
3. Implementation Standards

Attribute Standards address the characteristics of organizations and parties performing internal audit activities.
Performance Standards describe the nature of internal audit activities and provide quality criteria against which the performance of these services can be evaluated.
Attribute and Performance Standards apply to all internal audit services.
Implementation Standards apply to specific types of engagements.
There is one set of Attribute and Performance Standards; however, there are multiple sets of Implementation Standards: a set for each of the major types of internal audit activity. The Implementation Standards have been established for assurance (A) and consulting (C) activities.

The Standards
The Standards are part of the Professional Practices Framework.
The Professional Practices Framework includes:
• Definition of Internal Auditing
• Code of Ethics
• Standards
• Other guidance

Guidance
Guidance regarding how the Standards might be applied is included in Practice Advisories that are issued by the Professional Issues Committee.

IIA'S ATTRIBUTE STANDARDS

Purpose, Authority, and Responsibility
• Formally defined in a charter, consistent with the Standards, and approved by the board (IIA Standard 1000).
• The nature of assurance services provided to the organization should be defined in the audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances should also be defined in the charter (IIA Standard 1000.A1).
• The nature of consulting services should be defined in the audit charter (IIA Standard 1000.C1).

Organizational Independence
• The CAE should report to a level within the organization that allows the internal audit activity to fulfill its responsibilities (IIA Standard 1110).
• The internal audit activity should be free from interference in determining the scope of internal auditing, performing work, and communicating results (IIA Standard 1110.A1).

Individual Objectivity
• Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest (IIA Standard 1120).

Impairments to Independence or Objectivity
• If independence or objectivity is impaired in fact or appearance, the details of the impairment should be disclosed to appropriate parties. The nature of the disclosure will depend on the impairment (IIA Standard 1130).
• Internal auditors should refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year (IIA Standard 1130.A1).
• Assurance engagements for functions over which the CAE has responsibility should be overseen by a party outside the internal audit activity (IIA Standard 1130.A2).
• Internal auditors may provide consulting services relating to operations for which they had previous responsibilities (IIA Standard 1130.C1).
• If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure should be made to the engagement client prior to accepting the engagement (IIA Standard 1130.C2).

Proficiency and Due Professional Care

Proficiency
Internal auditors should possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities (IIA Standard 1210).
The CAE should obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement (IIA Standard 1210.A1).
The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud (IIA Standard 1210.A2).
Internal auditors should have knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing (IIA Standard 1210.A3).
The CAE should decline the consulting engagement or obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement (IIA Standard 1210.C1).

Due Professional Care
Internal auditors should apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility (IIA Standard 1220).
The internal auditor should exercise due professional care (IIA Standard 1220.A1) by considering the:
• Extent of work needed to achieve the engagement's objectives
• Relative complexity, materiality, or significance of matters to which assurance procedures are applied
• Adequacy and effectiveness of risk management, control, and governance processes
• Probability of significant errors, irregularities, or noncompliance
• Cost of assurance in relation to potential benefits
In exercising due professional care, the internal auditor should consider the use of computer-assisted audit tools and other data analysis techniques (IIA Standard 1220.A2).
The internal auditor should be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified (IIA Standard 1220.A3).
The internal auditor should exercise due professional care during a consulting engagement (IIA Standard 1220.C1) by considering the:
• Needs and expectations of clients, including the nature, timing, and communication of engagement results
• Relative complexity and extent of work needed to achieve the engagement's objectives
• Cost of the consulting engagement in relation to potential benefits

Continuing Professional Development
Internal auditors should enhance their knowledge, skills, and other competencies through continuing professional development (IIA Standard 1230).

Quality Assurance and Improvement Program
The CAE should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. Each part of the program should be designed to help the internal auditing activity add value and improve the organization's operations and to provide assurance that the internal audit activity is in conformity with the Standards and the Code of Ethics:
• Quality Program Assessments (IIA Standard 1310)
• Internal Assessments (IIA Standard 1311)
• External Assessments (IIA Standard 1312)
• Reporting on the Quality Program (IIA Standard 1320)
• Use of "Conducted in Accordance with the Standards" (IIA Standard 1330)
• Disclosure of Noncompliance (IIA Standard 1340)

IIA'S CODE OF ETHICS

The IIA's Code of Ethics promotes an ethical culture in the profession of internal auditing.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
The IIA's Code of Ethics extends beyond the definition of internal auditing to include two essential components:
(1) Principles
(2) Rules of Conduct.
The Code of Ethics together with the IIA's Professional Practices Framework and other relevant Institute pronouncements provide guidance to internal auditors serving others.

Internal auditors
"Internal auditors" refers to Institute members, recipients of or candidates for IIA professional certifications, and those who provide internal auditing services within the definition of internal auditing.

Applicability and Enforcement
This Code of Ethics applies to both individuals and entities that provide internal auditing services. For Institute members and recipients of or candidates for IIA professional certifications, breaches of the Code of Ethics will be evaluated and administered according to the Institute's Bylaws and Administrative Guidelines. The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it from being unacceptable or discreditable, and therefore the member, certification holder, or candidate engaging in such conduct can be liable for disciplinary action.

Principles and Rules of Conduct
• Integrity
• Objectivity
• Confidentiality
• Competency

MANAGING THE INTERNAL AUDIT ACTIVITY

CAE
The CAE is responsible for properly managing the internal audit activity so that:
• Audit work fulfills the general purposes and responsibilities described in the charter and approved by the board and senior management as appropriate.
• Resources of the internal audit activity are efficiently and effectively employed.
• Audit work conforms to the International Standards for the Professional Practice of Internal Auditing (Standards).

PLANNING
The CAE should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals (IIA Standard 2010).
The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process (IIA Standard 2010.A1).
The CAE should consider accepting proposed consulting engagements based on the engagement's potential to improve management of risks, add value, and improve the organization's operations. Those engagements that have been accepted should be included in the plan.

Linking the Audit Plan to Risk and Exposures
• Any organization faces a number of uncertainties and risks that can both negatively and positively affect the organization.
• The internal audit activity's audit plan should be designed based on an assessment of risk and exposures that may affect the organization.
• The audit universe can include components from the organization's strategic plan.
• Changes in management direction, objectives, emphasis, and focus should be reflected in updates to the audit universe and related audit plan.
• Audit work schedules should be based on, among other factors, an assessment of risk priority and exposure.
• Management reporting and communication should convey risk management conclusions and recommendations to reduce exposures. For management to fully understand the degree of exposure, it is critical that audit reporting identify the criticality and consequence of the risk exposure to achieving objectives.

COMMUNICATION AND APPROVAL
• The CAE should submit annually to the board for approval, and to senior management as appropriate, a summary of the internal audit activity's work schedule, staffing plan, and financial budget. The CAE should also submit all significant interim changes for approval and information. Engagement work schedules, staffing plans, and financial budgets should inform senior management and the board of the scope of internal auditing work and of any limitations placed on that scope.
• The approved engagement work schedule, staffing plan, and financial budget, along with all significant interim changes, should contain sufficient information to enable the board to ascertain whether the internal audit activity's objectives and plans support those of the organization and the board.

RESOURCE MANAGEMENT
• Staffing plans and financial budgets, including the number of auditors and the knowledge, skills, and other competencies required to perform their work, should be determined from engagement work schedules, administrative activities, education and training requirements, and audit research and development efforts.
• The CAE should establish a program for selecting and developing the human resources of the internal audit activity.
• The CAE should consider using persons from cosourcing arrangements, other consultants, or company employees from other departments to provide specialized or additional skills where needed.

POLICIES AND PROCEDURES
The form and content of written policies and procedures should be appropriate to the size and structure of the internal audit activity and the complexity of its work. Formal administrative and technical audit manuals may not be needed by all internal auditing entities. A small internal audit activity may be managed informally. Its audit staff may be directed and controlled through daily, close supervision and written memoranda. In a large internal audit activity, more formal and comprehensive policies and procedures are essential to guide the audit staff in consistent compliance with the internal audit activity's standards of performance.

COORDINATION
• Internal and external auditing work should be coordinated to ensure adequate audit coverage and to minimize duplicate efforts.
• Oversight of the work of external auditors, including coordination with the internal audit activity, is the responsibility of the board. Actual coordination should be the responsibility of the CAE.
• In coordinating the work of internal auditors with the work of external auditors, the CAE should ensure that work to be performed by internal auditors in fulfillment of Section 2100 of the Standards does not duplicate the work of external auditors, which can be relied on for purposes of internal auditing coverage.
• The CAE may agree to perform work for external auditors in connection with their annual audit of the financial statements. Work performed by internal auditors to assist external auditors in fulfilling their responsibility is subject to all relevant provisions of the Standards.
• The CAE should make regular evaluations of the coordination between internal and external auditors.
• In exercising its oversight role, the board may request the CAE to assess the performance of external auditors.

Audit Coverage
Planned audit activities of internal and external auditors should be discussed to ensure that audit coverage is coordinated and duplicate efforts are minimized. Sufficient meetings should be scheduled during the audit process to ensure coordination of audit work and efficient and timely completion of audit activities, and to determine whether observations and recommendations from work performed to date require that the scope of planned work be adjusted.

Access to Each Other's Audit Programs and Working Papers
Access to the external auditors' programs and working papers may be important in order for internal auditors to be satisfied as to the acceptability, for internal audit purposes, of relying on the external auditors' work. Such access carries with it the responsibility for internal auditors to respect the confidentiality of those programs and working papers. Similarly, access to the internal auditors' programs and working papers should be given to external auditors in order for external auditors to be satisfied as to the acceptability, for external audit purposes, of relying on the internal auditors' work.

Exchange of Audit Reports and Management Letters
Internal audit final communications, management's responses to those communications, and subsequent internal audit activity follow-up reviews should be made available to external auditors. These communications assist external auditors in determining and adjusting the scope of work. In addition, the internal auditors need access to the external auditors' management letters. Matters discussed in management letters assist internal auditors in planning the areas to emphasize in future internal audit work.

Common Understanding of Audit Techniques, Methods, and Terminology
• The CAE should understand the scope of work planned by external auditors and should be satisfied that the external auditors' planned work, in conjunction with the internal auditors' planned work, satisfies the requirements of Section 2100 of the Standards.
• The CAE should ensure that the external auditors' techniques, methods, and terminology are sufficiently understood by internal auditors. The CAE should also ensure that the reverse situation is taking place.

Acquisition of External Audit Services
• The internal auditor's participation in the selection, evaluation, and retention of the organization's external auditors may vary from no role in the process, to advising management or the audit committee, assistance or participation in the process, management of the process, or auditing the process. Since the IIA Standards require internal auditors to "share information and coordinate activities with other internal and external providers of relevant assurance and consulting services," it is advisable for internal auditors to have some role or involvement in the selection or retention of the external auditors and in the definition of the scope of work.
• A board- or audit committee-approved policy can facilitate the periodic request for external audit services and position such exercises as normal business activities, so that the current service providers do not view a decision to request proposals as a signal that the organization is dissatisfied with current services.

REPORTING TO THE BOARD AND SENIOR MANAGEMENT

Internal auditors should consider the following suggestions when reporting to the board and senior management:
• Significant engagement observations may include conditions dealing with irregularities, illegal acts, errors, inefficiency, waste, ineffectiveness, conflicts of interest, and control weaknesses.
• Management's responsibility is to make decisions on the appropriate action to be taken regarding

Communications with the Audit Committee
Audit committees should:
• Meet privately with the CAE on a regular basis to discuss sensitive issues.
• Provide an annual summary report or assessment on the results of the audit activities relating to the defined mission and scope of audit work.
• Issue periodic reports to the audit committee and management summarizing results of audit activities.
• Keep the audit committee informed of emerging trends and successful practices in internal auditing.
• Discuss with the external auditor and the CAE the fulfillment of the committee's information needs.
• Review information submitted to the audit committee for completeness and accuracy.
• Confirm there is effective and efficient coordination of activities between internal and external auditors. The committee also should determine whether there is any duplication between the work of the internal and external auditors and give the reasons for such duplication.

NATURE OF WORK

• The scope of internal auditing work encompasses a systematic, disciplined approach to evaluating and improving the adequacy and effectiveness of risk management, control, and governance processes and the quality of performance in carrying out assigned responsibilities.
• Adequacy of risk management, control, and governance processes is present if management
significant engagement observations and has planned and designed processes in a
recommendations. The CAE should consider manner that provides reasonable assurance that
whether it is appropriate to inform the board the organization’s objectives and goals will be
regarding previously reported significant achieved efficiently and economically.
observations and recommendations in those • Effectiveness of risk management, control, and
instances where senior management and the governance processes is present if management
board assumed the risk of not correcting the directs processes in such a manner as to provide
reported condition. This may be particularly reasonable assurance that the organization’s
necessary where there have been changes in objectives and goals will be achieved.
organization, board, senior manage- ment, or • The primary objectives of the overall
other changes. management process are to achieve: relevant,
• Activity reports should also compare (a) actual reliable, and credible financial and operating
performance with the internal audit activity’s information; effective and efficient use of the
goals and audit work schedules, and (b) organization’s resources; safeguarding of the
expenditures with financial budgets. Reports organization’s assets; compliance with laws,
should explain the reason for major variances regulations, ethical and business norms, and
and indicate any action taken or needed. contracts; identification of risk exposures and use
of effective strategies to control them; established
Relationship with the Audit Committee objectives and goals for operations or programs.
Three areas of activities are key to an effective • Control is any action taken by management to
relationship between the audit committee and the internal enhance the likelihood that established objectives
audit function, mainly through the CAE: and goals will be achieved.
1. Assisting the audit committee to ensure that its • All business systems, processes, operations,
charter, activities, and processes are appropriate functions, and activities within the organization
to fulfill its responsibilities are subject to the internal auditors’ evaluations.
2. Ensuring that the charter, role, and activities of The comprehensive scope of work of internal
internal audit are clearly understood and auditing should provide reasonable assurance
responsive to the needs of the audit committee that management’s risk management system is
and the board effective; system of internal control is adequate,
3. Maintaining open and effective communications effective, and efficient; and governance process
with the audit committee and the chairperson is effective by establishing and preserving values,
setting goals, monitoring activities and
Internal Audit Activity’s Role performance, and defining the measures of
The CAE’s relationship to the audit committee should accountability.
revolve around a core role of the CAE ensuring that the
audit committee understands, supports, and receives all RISK MANAGEMENT
assistance needed from the internal audit function. The
IIA supports the concept that sound governance is The internal audit activity should:
dependent on the synergy generated among the four • Assist the organization by identifying and
principal components of effective corporate governance evaluating significant exposures to risk and
systems: boards of directors, management, internal contributing to the improvement of risk
auditors, and external auditors. In that structure, internal management and control systems (IIA Standard
auditors and audit committees are mutually supportive. 2110). Monitor and evaluate the effectiveness of
the organization’s risk management system (IIA
Standard 2110.A1).
• Evaluate risk exposures relating to the
organization’s governance, operations, and Auditor’s Role in Identifying and Reporting
information systems regarding the (IIA Standard Environmental Risks
2110.A2) reliability and integrity of financial and Internal auditors should be alert to the potential risks that
operational information; effectiveness and may result from the organizational placement and
efficiency of operations; safeguarding of assets; reporting relationships of environmental auditors. The
compliance with laws, regulations, and contracts. risks related to environmental noncompliance, fines and
• During consulting engagements, internal auditors penalties, and other mismanagement may result in
should address risk consistent with the significant losses for the organization.
engagement’s objectives and be alert to the
existence of other significant risks (IIA Standard Potential Risks
2110.C1). • The CAE should include the environmental,
• Internal auditors should incorporate knowledge of health, and safety (EH&S) risks in any entity-wide
risks gained from consulting engagements into risk management assessment and assess the
the process of identifying and evaluating activities in a balanced manner relative to other
significant risk exposures of the organization (IIA types of risk associated with an entity’s
Standard 2110.C2). operations.
• Where the CAE finds that the management of the
Assessing the Adequacy of Risk Management EH&S risks largely depends on an environmental
Processes audit function, the CAE needs to consider the
Internal auditors may be charged with the responsibility implications of that organizational structure and
for providing assurance to management and the audit its effects on operations and the reporting
committee on the adequacy of the organization’s risk mechanisms. If the CAE finds that the exposures
management processes. This responsibility would require are not adequately managed and residual risks
the auditor to formulate an opinion on whether the exist, that conclusion would normally result in
organization’s risk management process is sufficient to changes to the internal audit activity’s plan of
protect the assets, reputation, and ongoing operations of engagements and further investigations.
the organization. • The majority of environmental audit functions
• Risk management is a key responsibility of report to their organization’s environmental
management. However, internal auditors acting component or general counsel, not to the CAE.
in a consulting role can assist the organization in
identifying, evaluating, and implementing risk CONTROL
management methodologies and controls to
address those risks. The internal audit activity should assist the organization in
• Developing assessments and reports on the maintaining effective controls by evaluating their
organization’s risk management processes is effectiveness and efficiency and by promoting continuous
normally a high audit priority. improvement (IIA Standard 2120).
• Each organization may choose a particular
methodology to implement its risk management • Based on the results of the risk assessment, the
process. internal audit activity should evaluate the
adequacy and effectiveness of controls
5 key objectives of a risk management process are: encompassing the organization’s governance,
operations, and information systems (IIA
1. Risks arising from business strategies and activities Standard 2120.A1).
are identified and prioritized. • Internal auditors should ascertain the extent to
2. Management and the board have determined the which operating and program goals and
level of risks acceptable to the organization, including objectives have been established and conform to
the acceptance of risks designed to accomplish the those of the organization (IIA Standard 2120.A2).
organization’s strategic plans. • Internal auditors should review operations and
3. Risk mitigation activities are designed and programs to ascertain the extent to which results
implemented to reduce, or otherwise manage, risk at are consistent with established goals and
levels that were determined to be acceptable to objectives to determine whether operations and
management and the board. programs are being implemented or performed as
4. Ongoing monitoring activities are conducted to intended (IIA Standard 2120.A3).
periodically reassess risk and the effectiveness of • Adequate criteria are needed to evaluate
controls to manage risk. controls. Internal auditors should ascertain the
5. The board and management receive periodic reports extent to which management has established
of the results of the risk management processes. The adequate criteria to determine whether objectives
corporate governance processes of the organization and goals have been accomplished. If adequate,
should provide periodic communication of risks, risk internal auditors should use such criteria in their
strategies, and controls to stakeholders. evaluation. If inadequate, internal auditors should
work with management to develop appropriate
• Internal auditors should recognize that there evaluation criteria (IIA Standard 2120.A4).
could be significant variations in the techniques • During consulting engagements, internal auditors
used by various organizations for their risk should address controls consistent with the
management practices. Risk management engagement’s objectives and be alert to the
processes should be designed for the nature of existence of any significant control weaknesses
an organization’s activities. Depending on the (IIA Standard 2120.C1).
size and complexity of the organization’s • Internal auditors should incorporate knowledge of
business activities, risk management processes controls gained from consulting engagements
can be: into the process of identifying and evaluating
• Formal or informal significant risk exposures of the organization (IIA
• Quantitative or subjective Standard 2120.C2).
• Embedded in the business units or
centralized at a corporate level Assessing and Reporting on Control Processes
• Internal auditors should obtain sufficient • One of the tasks of a board of directors is to
evidence to satisfy themselves that the five establish and maintain the organization’s
key objectives of the risk management governance processes and obtain assurances
processes are being met in order to form an concerning the effectiveness of the risk
opinion on the adequacy of risk management management and control processes. Senior
processes. management’s role is to oversee the
establishment, administration, and assessment of are more easily identified and evaluated; people
that system of risk management and control are motivated to take ownership of the control
processes. processes in their units, and corrective actions
• Among the responsibilities of the organization’s taken by the work teams are often more effective
managers is the assessment of the control and timely; the entire organization is subject to
processes in their respective areas. Internal and greater monitoring and continuous improvement;
external auditors provide varying degrees of internal auditors become involved in and
assurance about the state of effectiveness of the knowledgeable about the self-assessment
risk management and control processes in select process; internal audit activity acquires more
activities and functions of the organization. information about the control processes within the
• Senior management and the board normally organization; managers will be less tempted to
expect that the CAE will perform sufficient audit abdicate those activities to specialists; primary
work and gather other available information role of the internal audit activity will continue to
during the year so as to form a judgment about include the validation of the evaluation process by
the adequacy and effectiveness of the risk performing tests and the expression of its
management and control processes. professional judgment on the adequacy and
• The CAE should develop a proposed audit plan effectiveness of the whole risk management and
normally for the coming year that ensures control systems.
sufficient evidence will be obtained to evaluate • The wide variety of approaches used for CSA
the effectiveness of the risk management and processes in organizations reflects the
control processes. differences in industry, geography, structure,
• In determining the proposed audit plan, the CAE organizational culture, degree of employee
should consider relevant work that will be empowerment, dominant management style, and
performed by others in order to minimize the manner of formulating strategies and policies.
duplication and inefficiencies. • The three primary forms of CSA programs are
• The CAE should evaluate the coverage of the facilitated team workshops, surveys, and
proposed plan from two viewpoints: adequacy management- produced analysis. Organizations
across organizational entities and inclusion of a often combine more than one approach.
variety of transaction and business-process • Facilitated team workshops gather information
types. from work teams representing different levels in
• The challenge for internal audit is to evaluate the the business unit or function. The format of the
effectiveness of the organization’s system of risk workshop may be based on objectives, risks,
management and controls based on the controls, or processes. A report is created during
aggregation of many individual assessments. the deliberations session and the team reviews
Those assessments are largely gained from the report before the end of the final session.
internal audit engagements, management’s self- • The survey form of CSA utilizes a questionnaire
assessments, and external auditors’ work. that tends to ask mostly simple “Yes–No” or
• Three key considerations in reaching an “Have–Have Not” questions.
evaluation of the overall effectiveness of the • The management-produced analysis form of CSA
organization’s risk management and control covers most other approaches by management
processes are: (1) Were significant discrepancies groups to produce information about selected
or weaknesses discovered from the audit work business processes, risk management activities,
performed and other assessment information and control procedures.
gathered?; (2) If so, were corrections or
improvements made after the discoveries?; and • All self-assessment programs are based on
(3) Do the discoveries and their consequences managers and members of the work teams
lead to the conclusion that a pervasive condition possessing an understanding of risks and
exists resulting in an unacceptable level of controls concepts and using those concepts in
business risk? communications.
• The CAE’s report on the state of the • Internal audit’s investment in some CSA
organization’s risk management and control programs is fairly significant. It may sponsor,
processes should be presented, usually once a design, implement, and, in effect, own the
year, to senior management and the board. process, conducting the training, supplying the
• Ample evidence exists of an “expectation gap” facilitators, scribes, and reporters, and
surrounding the internal audit activity’s work in orchestrating the participation of management
evaluating and providing assurance about the and work teams. In other CSA programs, internal
state of risk management and control processes. audit’s involvement is minimal, serving as
interested party and consultant of the whole
Processes process and as ultimate verifier of the evaluations
• Senior management is charged with overseeing produced by the teams. In most programs,
the establishment, administration, and evaluation internal audit’s investment in the organization’s
of the processes of risk management and control. CSA efforts is somewhere between the two
Operating managers’ responsibilities include extremes just described.
assessment of the risks and controls in their units. • A CSA program augments the traditional role of
Internal and external auditors provide varying internal audit activity by assisting management in
degrees of assurance about the state of fulfilling its responsibilities to establish and
effectiveness of the risk management and control maintain risk management and control processes
processes of the organization. and to evaluate the adequacy of that system.
• A methodology encompassing self-assessment • Although providing staff support for the CSA
surveys and facilitated workshops called control program as facilitator, scriber, reporter, trainer,
self- assessment (CSA) is a useful and efficient and specialist, the internal audit activity often
approach for managers and internal auditors to finds that it may reduce the effort spent in
collaborate in assessing and evaluating control gathering information about control procedures
procedures. In its purest form, CSA integrates and eliminate some testing.
business objectives and risks with control
processes. Control self-assessment is also • Auditor’s Role in Quarterly Financial Reporting,
referred to as control/risk self-assessment Disclosures, and Management Certifications
(CRSA). • Internal auditors should consider the following
• Outcomes that may be derived from self- guidance regarding quarterly financial reports,
assessment methodologies are: People are disclosures, and management certifications
trained and experienced; informal, “soft” controls related to requirements of the Securities and
Exchange Commission (SEC) applicable to both compatible will contribute to operational
U.S. registrants and foreign registrants. efficiencies and reduce the likelihood or risk for
• The strength of all financial markets depends on problems and errors to occur or go undetected.
investor confidence. Events involving allegations
of misdeeds by corporate executives, Auditing the Financial Reporting Process
independent auditors, and other market
participants have undermined that confidence. In • Executive management
response to this threat, U.S. legislative bodies the owner of the control environment and
and regulatory agencies in other countries financial information, including the notes
passed legislation and regulations affecting accompanying the financial statements and the
corporate disclosures and financial reporting accompanying disclosures in the financial report.
(e.g., in the United States, the Sarbanes-Oxley
Act of 2002 required additional disclosures and • External Auditor
certifications of financial statements by principal assures the financial report user that the
executive and financial officers). reported information fairly presents the financial
• The new law challenges companies to devise condition and result of operations of the
processes that will permit senior officers to organization in accordance with generally
acquire the necessary assurances on which to accepted accounting principles.
base their personal certification. A key
component of the certification process is the • Internal Auditor
management of risk and internal controls over the performs procedures to provide a level of
recording and summarizing of financial assurance to senior management and the audit
information. or other committee of the governing board that
controls surrounding the processes supporting
New Statutory Requirements the development of financial reports are effective.
Section 302 of the Sarbanes-Oxley Act outlines the
corporate responsibility for financial reports, and the Reporting on Internal Control
Securities and Exchange Commission (SEC) has issued • An organization’s audit or other board committee
guidance to implement the Act. As adopted, SEC Rules and internal auditing activity have interlocking
13a-14 and 15d-14 require an issuer’s principal executive goals.
officer(s) and the principal financial officer(s), or persons • Core Role of the CAE
performing similar functions, to certify in each quarterly to ensure that the audit committee receives
and annual report, including transition reports, filed or the support and assurance services it needs and
submitted by the issuer under Section 13(a) or 15(d) of requests.
the Exchange Act, that they have complied with the Act. • Internal audit activity’s work plans and specific
assurance engagements begin with a careful
identification of the exposures facing the
Recommended Actions organization, and internal audit’s work plan is
• The internal auditor’s role in such processes may based on the risks and the assessment of the risk
range from initial designer of the process, management and controls processes maintained
participant on a disclosure committee, or by management to mitigate those risks.
coordinator or liaison between management and
its auditors, to independent assessor of the
process. A Framework for Internal Control
• All internal auditors involved in quarterly reporting Several widely accepted control models exist to
and disclosure processes should have a clearly assess the internal control system of an organization
defined role and evaluate responsibilities with (e.g., COSO and CoCo). Any other recognized and
appropriate IIA Consulting and Assurance credible model is appropriate to use.
Standards and with guid- ance contained in The COSO model states:
related Practice Advisories. • Internal control is not limited to accounting
• Internal auditors should ensure that organizations controls and is not narrowly restricted to financial
have a formal policy and documented procedures reporting.
to govern processes for quarterly financial • While accounting and financial reports are
reports, related disclosures, and regulatory important issues, there are other important
reporting requirements. factors such as resource protection, operational
• Internal auditors should encourage organizations efficiency and effectiveness, and compliance with
to establish a “disclosure committee” to rules, regulations, and organization policies that
coordinate the process and provide oversight to impact the financial reporting.
participants. Representatives from key areas of • Internal control is management’s responsibility
the organization should be represented on the and requires the participation of all persons within
committee. an organization, if it is to be effective.
• Internal auditors should periodically review and • The control framework is tied to the business
evaluate quarterly reporting and disclosure objectives and is flexible enough to be adaptable.
processes, disclosure committee activities, and
related documentation, and provide management Reporting on the Effectiveness of Internal Control
and the audit com- mittee with an assessment of • The CAE should provide to the audit committee
the process and assurance concerning overall the internal audit’s assessment of the
operations and compliance with policies and effectiveness of the organization’s system of
procedures. controls, including its judgment on the adequacy
• Internal auditors should recommend appropriate of the control model or design. A governing board
improvements to the policies, procedures, and must rely on management to maintain an
process for quarterly reporting and related adequate and effective internal control system. It
disclosures based on the results of an will reinforce that reliance with independent
assessment of related activities. oversight.
• Internal auditors should compare processes for
complying with Section 302 of the Sarbanes- • Internal controls cannot ensure success. Bad
Oxley Act (quarterly financial reporting and decisions, poor managers, or environmental
disclosures) to procedures developed to comply factors can negate controls. Also, dishonest
with Section 404 concerning management’s management may override controls and ignore or
annual assessment and public report on internal stifle communications from subordinates.
controls. Processes designed to be similar or
Roles for the Internal Auditor performance is commonly referred to as its governance
• The CAE needs to review internal audit’s risk process. The organization’s governing body and its
assessment and audit plans for the year, if senior management are accountable for the
adequate resources have not been committed to effectiveness of the governance process.
helping senior management, the audit committee,
and the external auditor with their responsibilities Shared Responsibility for the Organization’s Ethical
in the upcoming year’s financial reporting Culture
regimentation. All people associated with the organization share some
• The CAE should allocate the internal audit’s responsibility for the state of its ethical culture. Because
resources to the financial reporting, governance, of the complexity and dispersion of decision-making
and control processes consistent with the processes in most enterprises, each individual should be
organization’s risk assessment. The CAE should encouraged to be an ethics advocate, whether the role is
perform procedures that provide a level of delegated officially or merely conveyed informally.
assurance to senior management and the audit
committee that controls surrounding the Codes of conduct and statements of vision and policy
processes supporting the development of important declarations of the organization’s
financial reports are adequately designed and values and goals, the behavior expected of its people, and
effectively executed. the strategies for maintaining a culture that aligns with its
• Topics that the CAE may consider in supporting legal, ethical, and societal responsibilities.
the organization’s governance process and the
oversight responsibilities of the governing board Internal Audit Activity as Ethics Advocate
and its audit committee (or other designated • Internal auditors and the internal audit activity
committee) to ensure the reliability and integrity should take an active role in support of the
of financial reports should include financial organization’s ethical culture.
reporting, corporate governance, and corporate • The internal audit activity may assume one of
control. several different roles as an ethics advocate.
Those roles include chief ethics officer
Control Criteria (ombudsman, compliance officer, management
• Before controls can be evaluated, management ethics counselor, or ethics expert), member of an
should determine the level of risk they want to internal ethics council, or assessor of the
take in the area to be reviewed. Internal auditors organization’s ethical climate. In some circum-
should identify what that level of risk is. stances, the role of chief ethics officer may
• If management has not identified the key risks conflict with the independence attribute of the
and the level of risk they want to take, the internal internal audit activity.
audit may be able to help them through the
facilitation of risk identification workshops or other Assessment of the Organization’s Ethical Climate
techniques used by the organization. At a minimum, the internal audit activity should
• Once the risk level is determined, the controls periodically assess the state of the ethical climate of the
currently in place can be assessed to determine organization and the effectiveness of its strategies,
how successful they are expected to be in tactics, communications, and other processes in
reducing the risk to the desired level. achieving the desired level of legal and ethical
compliance.
GOVERNANCE
ETHICS/COMPLIANCE
The internal audit activity should assess and make
appropriate recommendations for improving the Role of Corporate Code of Ethics
governance process in its accomplishment of the
following objectives (IIA Standard 2130): Ethics
• Promoting appropriate ethics and values within knowing what is right or wrong, proper or
the organization improper.
• Ensuring effective organizational performance forms basic ground rules for individuals
management and accountability to follow.
• Effectively communicating risk and control
information to appropriate areas of the Conflict of Interest
organization conflict-of-interest policy often is considered a
• Effectively coordinating the activities of and part of the overall ethics policies.
communicating information among the board, Conflict-of-interest concerns sometimes
external and internal auditors, and management constitute the main part of ethics standards.
• The internal audit activity should evaluate the
design, implementation, and effectiveness of the Options for Facilitating Ethical Behavior
organization’s ethics-related objectives, • Distributing the code in a training program with
programs, and activities (IIA Standard 2130.A1). top management attendance
• Consulting engagement objectives should be • Transmitting the code with the chief executive
consistent with the overall values and goals of the officer’s personal letter (tone-from-the-top)
organization (IIA Standard 2130.C1). • Showing ethics examples in a workshop (role-
playing)
Role of the Internal Audit Activity and Internal Auditor • Showing videotapes with top management
in the Ethical Culture of an Organization supportive comments
Governance and Organizational Culture
Monitoring Compliance with the Code of Conduct
The way in which an organization chooses to conduct its
affairs to meet the following 4 responsibilities: Compliance with the code of conduct
(1) Complies with society’s legal and regulatory rules an ongoing responsibility of each
(2) Satisfies the generally accepted business norms, employee and is primarily based on the honor
ethical precepts, and social expectations of society system. Employees should be asked to certify or
(3) Provides overall benefit to society and enhances the sign a form asserting that they have complied with
interests of the specific stakeholders in both the long term the code or to list exceptions to such compliance.
and the short term
(4) Reports fully and truthfully to its owners, regulators,
other stakeholders, and general public to ensure
accountability for its decisions, actions, conduct, and
Fraud in Financial Reporting
The Treadway Commission in 1987 made specific recommendations on the Code of Corporate Conduct, as follows: The public company should develop and enforce written codes of corporate conduct. Codes of conduct should foster a strong ethical climate and open channels of communication to help protect against fraudulent financial reporting. As a part of its ongoing oversight of the effectiveness of internal controls, a company’s audit committee should annually review the program that management establishes to monitor compliance with the code.

EXAMPLE OF THE CONTENT OF A CODE OF CONDUCT
Although each organization is different in some respects, certain types of employee behavior can be expected in all organizations. The contents of a code of conduct are divided into 3 groups:
(1) mandatory (those items that should always appear in a code-of-conduct document),
(2) strongly suggested, and
(3) desirable.
Factors that determine what is appropriate for each specific code are based on a complete understanding of the business and corporate culture.

IIA’S PERFORMANCE STANDARDS
Nature of Work
The internal audit activity should evaluate and contribute to the improvement of risk management, control, and governance processes using a systematic and disciplined approach (IIA Standard 2100).

Risk Management
• The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems (IIA Standard 2110).
• The internal audit activity should monitor and evaluate the effectiveness of the organization’s risk management system (IIA Standard 2110.A1).
• The internal audit activity should evaluate risk exposures relating to the organization’s governance, operations, and information systems (IIA Standard 2110.A2).
• During consulting engagements, internal auditors should address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks (IIA Standard 2110.C1).
• Internal auditors should incorporate knowledge of risks gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization (IIA Standard 2110.C2).

CORPORATE GOVERNANCE
Corporate governance refers to the method by which a firm is being governed, directed, administered, or controlled and to the goals for which it is being governed. It is concerned with the relative roles, rights, and accountability of such stakeholder groups as owners, boards of directors, managers, employees, and others who assert to be stakeholders.

Corporate Governance Principles and Issues
• Components of corporate governance.
• Roles of four major groups.
• Separation of ownership from control.
• Role of the board of directors.
• Need for board independence.
• Issues surrounding compensation. Major issues include CEO compensation and outside director compensation.
• Consequences of merger, acquisition, and takeover wave.
• Insider trading scandals.
• Board member liability.
• Improving corporate governance: (1) changes in boards of directors, (2) increased role of shareholders.

ALTERNATIVE CONTROL FRAMEWORKS OR MODELS

Committee of Sponsoring Organizations (COSO)—United States

Definition of Internal Control
Internal controls have objectives, concepts, and components. Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.

5 Internal Control Interrelated Components
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring.

Tiered Approach to Audits
When there is a conflict between the choices, the COSO-based approach should not override the risk-based approach to audits. Self-assessment questionnaires, which are soft controls, can be applied at any organizational level (first tier). The second tier is the activity level (e.g., process, subprocess, function, or department). Hard controls, such as documenting and testing control activities, are evaluated during the second tier. The best approach is analytical, starting from objectives, and then identifying risks and controls, evaluating the design of the controls, and testing control effectiveness.

Relationship of Internal Control Objectives and Components
There is a direct relationship between objectives, which are what an entity strives to achieve, and the components, which represent what is needed to achieve the objectives. Information is needed for all three objective categories—to effectively manage business operations, to prepare financial statements reliably, and to determine compliance. All five components are applicable and important to achievement of operations objectives. Each component cuts across and applies to all three objectives categories.

Responsibility for Internal Control
Who is responsible for establishing and ensuring an adequate and effective internal control environment within the organization? It is the management, the audit committee, and the board of directors—not the auditors. Auditors are responsible for ensuring an adequate and effective system of internal control in the organization. According to the COSO study, everyone in an organization has responsibility for internal control: management, board of directors, internal auditors, and other personnel.

COSO’s Internal Control Standards Summary

Standard 1: Control Environment
1. Integrity and ethical values
2. Commitment to competence
3. Management’s philosophy and operating style
4. Organizational structure
5. Assignment of authority and responsibility
6. Human resources policies and practices
7. Oversight groups

Standard 2: Risk Assessment
1. Risk identification
2. Risk analysis
3. Managing risk during change
Standard 3: Control Activities
1. Types of control activities
2. Integration with risk assessment
3. Control over information systems
4. Entity-specific control activities

Standard 4: Information and Communication
1. Information
2. Communications
3. Means of communicating

Standard 5: Monitoring
1. Ongoing monitoring activities
2. Separate evaluations
3. Internal reporting of deficiencies

Limitations of Internal Control
• Internal control—even effective internal control—operates at different levels with respect to different objectives. For objectives related to the effectiveness and efficiency of an entity’s operations—achievement of its basic mission, profitability goals, and the like—internal control can help to ensure that management is aware of the entity’s progress, or lack of it. But it cannot provide even reasonable assurance that the objectives themselves will be achieved. The first set of limitations acknowledges that certain events or conditions are simply outside management’s control.
• Internal control cannot provide absolute assurance with respect to any of the three objectives categories. The second set of limitations has to do with the reality that no system will always do what it is intended to do. The best that can be expected in any internal control system is that reasonable assurance is obtained.

Criteria of Control (CoCo)—Canada
The Canadian Institute of Chartered Accountants (CICA) has issued 20 “criteria of control” (CoCo) as a framework for making judgments about control. The term “control” has a broader meaning than internal control over financial reporting. CoCo defines control as “those elements of an organization (including its resources, systems, processes, culture, structure, and tasks) that, taken together, support people in the achievement of the organization’s objectives.” It defines three categories of objectives: effectiveness and efficiency of operations; reliability of internal and external reporting; and compliance with applicable laws, regulations, and internal policies.

CoCo Defines Four Types of Criteria: Purpose, Commitment, Capability, and Monitoring and Learning
The purpose type groups criteria that provide a sense of the organization’s direction and address objectives (including mission, vision, and strategy); risks (and opportunities); policies; planning; and performance targets and indicators. The commitment type groups criteria that provide a sense of the organization’s identity and values and address ethical values, including integrity, human resource policies, authority, responsibility, accountability, and mutual trust. The capability type groups criteria that provide a sense of the organization’s competence and address knowledge, skills, and tools; communication processes; information; coordination; and control activities. The monitoring and learning type groups criteria that provide a sense of the organization’s evolution and address monitoring the internal and external environment, monitoring performance, challenging assumptions, reassessing information needs and information systems, follow-up procedures, and assessing the effectiveness of controls.

Control Self-Assessment (CSA)—United States
CSA deals with evaluating the system of internal control in any organization. CSA is a shared responsibility among all employees in the organization, not just internal auditing or senior management.

Elements of CSA
• Up-front planning and preliminary audit work
• Gathering of process owners with a meeting facilitator
• Structured agenda to examine the process’s risks and controls
• Note-taker and electronic voting technology to input comments and opinions
• Reporting the results and the development of corrective action plans

Scope of CSA
CSA can be done either as a standalone project or as a supplement to traditional audit work. CSA is not suitable for situations such as finding fraud or compliance reviews (e.g., regulatory audits), or when participants have conflicting objectives, as in third-party contracts. CSA can be applied to numerous situations, business issues, and industries, regardless of size. It is a management tool that has equal application to horizontal (organization-wide), vertical (single department), or diagonal (process inquiries) issues.

Effect on Auditors
CSA can be used to assess business and financial statement risks, control activities, ethical values, and control effectiveness; the controls that mitigate those risks; and overall compliance with policies and procedures.

Interrelationships between CSA, CoCo, and COSO
CSA can be an effective tool for accomplishing the objectives of both CoCo and COSO. CSA acts as a link to CoCo and COSO.

Cadbury Report—United Kingdom
The Cadbury Report of the committee on the financial aspects of corporate governance consists of internal controls, fraud, audit (internal and external), financial reporting practices, audit committees, shareholders, corporate governance, the board of directors, and the code of best practice.
The external auditors’ role is to report whether the financial statements give a true and fair view, and the audit is designed to provide reasonable assurance that the financial statements are free of material misstatements. The auditors’ role is not (to cite a few of the misunderstandings) to prepare the financial statements, or to provide absolute assurance that the figures in the financial statements are correct, or to provide a guarantee that the company will continue to exist.

Turnbull Model—United Kingdom
The London Stock Exchange has developed a Combined Code for corporate governance that requires company directors to (at least annually) conduct a review of the effectiveness of the system of internal control and report to shareholders that they have reviewed the effectiveness of all three types of controls, including financial, operational, and compliance control.

King Model—South Africa
The Institute of Directors in South Africa has established the King Committee on Corporate Governance. The committee has developed a Code of Corporate Practices and Conduct, and compliance with the code is a requirement to be listed on the Johannesburg Stock Exchange (JSE Securities Exchange) in South Africa.

KonTraG Model—Germany
The KonTraG model affects control and transparency in business, as part of reforming corporate governance. Specifically, it impacts the board of directors, supervisory board, corporate capitalization principles, authorization of no-par-value shares, small nonlisted stock corporations, banks investing in industrial companies, and the acceptance of internationally recognized accounting standards.
ENTERPRISE RISK MANAGEMENT VOCABULARY, CONCEPTS, AND TECHNIQUES

Enterprise risk management (ERM)
ERM is defined as a rigorous and coordinated approach to assessing and responding to all risks that affect the achievement of an organization’s strategic and financial objectives. This includes both upside and downside risks.

ERM risks are classified as follows:
• Financial Risk
• Hazard Risk
• Strategic Risk
• Operational Risk.

ERM Vocabulary

Hazard
A condition that creates or increases the probability of a loss.

Three types of hazards exist:
1. Physical Hazard
2. Moral Hazard
3. Morale Hazard.

Hedging
Taking a position opposite to the exposure or risk.

Insurance
An economic device whereby an individual or a corporation substitutes a small certain cost (the premium) for a large uncertain financial loss (the claim, or contingency insured against) that would exist if it were not for the insurance policy (contract).

Insurable interest
An interest that might be damaged if the peril insured against occurs; the possibility of a financial loss to an individual or a corporation that can be protected against through insurance.

Natural hedges
Created from the relationship between revenues and costs of a business unit or a subsidiary.

Peril
The cause of possible loss, the event insured against.

Open peril
Term used to describe a broad form of property insurance in which coverage applies to loss arising from any fortuitous cause other than those perils or causes specifically excluded.

Portfolio effect
Considers risk and return of a firm when it is investing in acquisition or expansion projects.

Risk
Possibility of loss.

Pure risk
Condition in which there is the possibility of loss or no loss.

Speculative risk
Exists when there is uncertainty about an event that could produce either a profit or a loss.

Static risks
Static risks, which can be either pure or speculative, stem from an unchanging society that is in stable equilibrium.

Pure static risk
Pure static risks include the uncertainties due to such random events as lightning, windstorms, and death. In contrast, dynamic risks are produced because of changes in society.

Dynamic risks
Dynamic risks also can be either pure or speculative. Examples of sources of dynamic risk include urban unrest, increasingly complex technology, and changing attitude of legislatures and courts about a variety of issues.

Subjective risk
Refers to the mental state of an individual who experiences doubt or worry as to the outcome of a given event. In addition to being subjective, a particular risk may be either pure or speculative and either static or dynamic.

Objective risk
Differs from subjective risk primarily in the sense that it is more precisely observable and therefore measurable. In general, objective risk is the probable variation of actual from expected experience.

Risk assessment (risk analysis)
The process of identifying the risks and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact. It includes risk measurement and prioritization.

Risk financing
Includes internal funding for risks (self-insurance and residual risk) and external transfer of risks, such as insurance and hedging.

Risk management
The total process of identifying, controlling, and mitigating risks as it deals with uncertainty.

Risk mitigation
Includes designing and implementing controls and control-related procedures to minimize risks.

Risk monitoring
Includes internal and external reporting and feedback into risk assessment, continuing the loop.

Risk transfer
Involves payment by one party (the transferor) to another party (the transferee, or risk bearer). Five forms of risk transfer are:
(1) hold-harmless agreements
(2) incorporation
(3) diversification
(4) hedging
(5) insurance.

Self-insurance
Risk-retention program that incorporates elements of the insurance mechanism where the self-insured organization pays the claims rather than an insurance company.

Approaches to ERM
An ERM approach can be viewed in three dimensions:
1. The range of organization operations. This includes business units or locations, starting small as pilot projects and eventually rolling out to the entire enterprise (i.e., institutionalization).
2. The sources of risk (hazard, financial, operational, and strategic). This may include property catastrophe risk and currency risk.
3. The types of risk management activities or processes (risk identification, risk measurement, risk mitigation, and risk monitoring).

5 Alternative Risk-Transfer Tools, other than traditional insurance, include:
(1) Financial Insurance
(2) Multiline/Multiyear Insurance
(3) Multiple-Trigger Policies
(4) Securitization.
Multiple-trigger policies and securitization tools are more commonly used.
Implementation of ERM
Senior management support and commitment is needed to properly implement the ERM program in the organization. A dedicated group of cross-functional staff is needed to push it through the organization. Most organizations are implementing the ERM program incrementally. Some are beginning by layering additional sources of risk, one at a time, into their existing processes for risk assessment and risk mitigation. Some are embracing all sources of risk at the outset, but are tackling the processes one at a time, with most starting with risk assessment. Others are taking on all risk sources and all processes, but on a small, manageable subset of their operations as a pilot project.

Internal Auditing in ERM Implementation

CAE
The CAE is an ERM champion and should use risk-based audit plans that are consistent with the organization’s goals.

Internal auditing
Internal auditing is the implementation arm of an ERM program. Internal auditors act as facilitators in cross-functional risk assessment workshops conducted in the business units.

RISK/CONTROL IMPLICATIONS OF DIFFERENT ORGANIZATIONAL STRUCTURES

Organization
An organization is “a system of consciously coordinated activities or forces of two or more persons.” In other words, when people gather together and formally agree to combine their efforts for a common purpose or goal, an organization is the result.

Organizations share four characteristics:
1. Coordination of effort
2. Common goal or purpose
3. Division of labor
4. Hierarchy of authority

Four categories of organizations exist, although some large and complex organizations have overlapping categories:
(1) Business organizations
(2) Nonprofit service organizations
(3) Mutual-benefit organizations
(4) Commonwealth organizations.

Theories of Organization
1. Traditional View: has closed-system thinking.
2. Modern View: incorporates open-system thinking.

Theories of Organizing
• Bureaucracy
• Administrative theory
• Scientific management theory
• Human relations theory
• Contingency design theory.

Types of Departmentalization

2 common forms of integration:
1. Hierarchical Chain of Command
2. Departmentalization.

Some integration is needed to offset the negative effects of differentiation. It is through departmentalization that related jobs, activities, or processes are grouped into major organizational subunits such as departments, divisions, groups, or units.

4 basic types of departmentalization include:
• Functional departments
• Product-service departments
• Geographic location departments
• Customer classification departments.

RISK/CONTROL IMPLICATIONS OF DIFFERENT LEADERSHIP STYLES

Control environment
The control environment has a pervasive influence on the way business activities are structured, objectives are established, and risks are assessed. It also influences control activities, information and communication systems, and monitoring activities.

Control Environment Factors
• Integrity and ethical values
• Commitment to competence
• Board of directors or audit committee
• Management’s philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Human resource policies and practices

CHANGE MANAGEMENT

Agents of Change
Organizations must change to survive in a competitive environment. This requires everyone in the organization believing in and accepting the change. Ideally, managers need to be architects or agents of change rather than the victims of change. When managers are acting as agents of change, their company will be much more responsive, flexible, and competitive. In addition to managers, internal auditors can act as change agents due to the nature of their work. Auditors facilitate change through their recommendations to management. Each recommendation auditors make requires some change in the existing policies, procedures, and practices or the creation of new ones.

How to Change
A corporation can change by reengineering business policies, processes, jobs, and procedures; outsourcing nonstrategic activities; partnering with major suppliers and customers; implementing total quality management programs; redesigning the organizational structure to fit the business strategy; renovating physical plants and facilities; installing computer-based systems and technologies; understanding one’s own products, services, markets, and customers as well as those of competitors; and installing performance measurement methods and reward systems.

Types of Organizational Change
• Anticipatory change
• Reactive change
• Incremental change
• Strategic change

Resistance to Change
Organizational change comes in all forms, sizes, and shapes, and with varying degrees of impact and consequences for employees. Among the most common reasons for resistance to change are: surprise, inertia, misunderstanding, emotional side effects, lack of trust, fear of failure, personality conflicts, lack of tact, threat to job status or security, and breakup of work groups. Management faces the challenge of foreseeing and neutralizing resistance to change, as the resistance is both rational and irrational.

Factors in the Change Process
Internal auditors should consider the following factors of the change process during their audit work:
• Paradigm shift
• Motivating stakeholders
• Grapevine
• Employee empowerment
• Barriers to change
• Departmental border-crossing
• Performance measurement system
• Cultural differences at workplace.

Organizational Development (OD)
OD is a systematic approach to planned change programs intended to help employees and organizations function more effectively. OD combines the knowledge from various disciplines, such as behavioral science, psychology, sociology, education, and management. OD is a process of fundamental change in an organization’s culture. For OD programs to be effective, not only must they be tailored to unique situations, but they also must meet the 7 common objectives in order to develop trust:
1. Deepen the sense of organizational purpose and align individuals with that purpose.
2. Strengthen interpersonal trust, communication, cooperation, and support.
3. Encourage a problem-solving rather than a problem-avoiding approach to organizational problems.
4. Develop a satisfying work experience capable of building enthusiasm.
5. Supplement formal authority with authority based on personal knowledge and skill.
6. Increase personal responsibility for planning and implementing.
7. Encourage personal willingness to change.

CONFLICT MANAGEMENT
Conflict management involves accepting or even encouraging constructive conflict as necessary. The key point is to minimize the destructive form of conflict.

Personal Conflict Prevention and Control Methods
Although it is impossible to totally eradicate conflict, personal conflict prevention and control can avert much needless strife (unrealistic conflict). Both individuals and institutions need to develop prevention and control methods.

Group or Organizational Conflict Prevention and Control Methods
Individual actions alone are not enough. Group and/or organizational actions are needed to prevent and control the conflict that occurs in the workplace. The way an organization is structured has a bearing on the amount of conflict generated in it. The potential for conflict tends to be greater in centralized, bureaucratic organizations than in decentralized organizations. The more rigid institutions have less effective communication and are less adept at managing conflict constructively than are the organizations at the other end of the continuum.

MANAGEMENT CONTROL TECHNIQUES
Management controls, in the broadest sense, include the plan of organization, methods, and procedures adopted by management to ensure that its goals and objectives are met. Management controls, also known as internal controls, include accounting and administrative controls.

Traditional Management Controls
Management controls include the process for planning, organizing, directing, and controlling the entity’s operations. They include the management control systems for measuring, reporting, and monitoring operations.
Managerial control can be divided into feedforward and feedback controls.

Feedforward Control
Feedforward control is a proactive control such as defect prevention, inspection, training, and budgeting.

Feedback Control
Feedback control is used to evaluate past activity to improve future performance. It measures actual performance against a standard to ensure that a defined result is achieved.

Contemporary Management Controls
Many new management controls have evolved over the years, including
• Economic-value-added (EVA)
• Market-value-added (MVA)
• Activity-based costing (ABC)
• Open-book management
• Balanced scorecard system.

TYPES OF CONTROL

Control Characteristics

Control
Control is any positive and negative action taken by management that would result in accomplishment of the organization’s goals, objectives, and mission. Controls should not lead to compulsion or become a constraint on employees. Controls should be natural and should be embedded in the organizational functions and operations. Controls should be accepted by the employees using or affected by them. Use and implementation of controls should be inviting, not inhibiting. Controls should be seen as beneficial from the employee’s personal and professional viewpoints.

Control Requirements
The auditor needs to understand the control requirements of an application system or a business operation before assessing control strengths and weaknesses. In other words, there should be a basis or baseline in place (i.e., standards, guidelines, and benchmarks) prior to control measurement and assessment. In the absence of a baseline of standards, the auditor’s findings, conclusions, and recommendations will be questioned and will not be accepted by the auditee.

Combination, Complementary, and Compensating Controls

Combination Controls
Rarely would a single control suffice to meet control objectives. Rather, a combination of controls or complementary controls is needed to make up a whole and to provide a synergistic effect.

Complementary Controls (hand-in-hand controls)
Complementary controls have an important place in both the manual and the automated control environment. They are different from compensating controls in that, in the latter category, weak controls in one area or function are balanced by strong controls in other areas or functions, and vice versa. A function or an area need not be weak to use complementary controls. Complementary controls can enhance the effectiveness of two or more controls when applied to a function, program, or operation.

Compensating Controls
Normally the auditor will find more control-related problems if it is a first-time audit of an area. Generally, the more frequently an area is audited, the lower the probability of many control weaknesses. Therefore, determining the nature of efficient and effective operations needs both audit instinct and business judgment. During the control evaluation process, the auditor should consider the possible availability of compensating controls as a way to mitigate or minimize the impact of inadequate or incomplete controls. In essence, the concept of compensating controls deals with the balancing of weak internal controls in one area with strong internal controls in other areas of the organization. Here the word “area” can include a section within a user or IS department.
Control Assessment Inventory of Controls in Business Application
During an assessment of control strengths and Systems
weaknesses, the auditor might run into situations where a
business function, system, or manual/automated Application controls
procedure is overcontrolled or undercontrolled. This designed to control computerized application
means that there may be too many controls in one area systems, helping to ensure the completeness and
and not enough controls in other areas. Also, there may accuracy of transaction processing, authorization, and
be duplication or overlapping of controls between two or validity.
more areas. Under these conditions, the auditor should
recommend to eliminate either some user controls, some Nature of each control
IS controls, some manual controls, some automated (preventive, detective, and corrective)
controls, or a combination of them.
Brevity codes Accuracy Control
Cost-Benefit Analysis Data attribute checks Accuracy Control
advised during the process of designing each Accuracy Control is Both a
type of control into an application system during its Preventive Control and a
development and maintenance as well as during its Validity checks Detective Control
operation. Compatibility tests Security Control.
Ideally, costs should never exceed the benefits Processing parameters Continuity Control
to be derived from installing controls. However, costs Prenumbered forms Completeness Control
should not always be the sole determining factor, because System-assigned
it may be difficult or impractical to quantify benefits such numbers Accuracy Control
as timeliness, improved quality and relevance of data and Precoded
information, and improved customer service and system response time.

Costs versus Controls versus Convenience
Costs of controls vary with their implementation time and the complexity of the system or operation. Control implementation time is important to realize benefits from installing appropriate controls. There are tradeoffs among costs, controls, and convenience factors. The same is true among system usability, maintainability, auditability, controllability, and securability attributes of systems.

Control by Dimension
Control can be viewed through three different dimensions of timing: precontrol, concurrent control, and postcontrol. Control can also be viewed through two different dimensions of action: feedback control and feedforward control.

Specific Types of Controls
Controls prevent the adverse effects of risks. Specific types of controls include
• Controls by function
• Controls by objectives

Controls by function
• Directive Controls
• Preventive Controls
• Detective Controls
• Corrective Controls
• Manual Controls
• Computer Controls
• Management Controls.

Controls by objectives
• Data Completeness
• Data Timeliness
• Data Accuracy
• Data Authorization
• Data Consistency.

Controls in Business Application Systems
• Data origination, preparation, and data input
• Data processing
• System-related file maintenance
• Data output
• Application system documentation
• Spreadsheet work
• Data integrity
• User satisfaction assessment.

Type of control (completeness, accuracy, continuity, authorization, consistency, and security) is indicated where necessary in the tables that follow.

Preventive Controls
Control: Type of control
forms/screens: Accuracy Control
Turnaround documents: Accuracy Control
Reference values or codes kept outside the program: Continuity Control
Transaction cancellation: Completeness Control
Management approvals: Authorization Control
Concurrent access controls: Security Control
Two-person controls: Accuracy Control
Overrides: Both a Security Control and an Authorization Control

Corrective Controls
Control: Type of control
Program comments: Consistency Control
Job control comments: Consistency Control
Automatic error correction: Continuity Control
Overrides by supervisors: Continuity Control and an Authorization Control
Audit trail report: Accuracy Control
Control report: Accuracy Control
Exception report: Accuracy Control
Error report: Accuracy Control
Before/after image record reporting for file maintenance: Accuracy Control
Clear and complete error messages: Continuity Control
Error total: Accuracy Control
Documentation: Continuity Control
Automatic backup and recovery: Continuity Control
Journaling: Continuity Control
Checkpoint control: Continuity Control
Transaction back-out: Continuity Control
Recovery logging: Continuity Control
Fallback procedure: Continuity Control
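Several of the edit checks tabulated in this section (check digit, sign test, limit check, date check, discrete value check, cross-field editing, sequence and duplicate checks, record count, batch and hash totals, header and trailer record verification) implemented over a constructed batch file, as an added Python example that is not part of the Wiley review material. The file layout, the field names, the 2000.00 transaction limit, the list of valid transaction types, and the mod-10 (Luhn) check digit algorithm are assumptions for the illustration.

```python
"""Application edit checks over a batch file, as listed in the control tables.

Constructed sample data (not a real feed): a header record, detail transaction
records, and a trailer carrying the control totals the sender computed.
Record-level checks (check digit, sign, limit, date, discrete value,
cross-field) and batch-level checks (header/trailer record count, batch total,
hash total, sequence, duplicate) each contribute lines to an exception report.
"""
from collections import Counter
from datetime import date
from decimal import Decimal

# Detail fields: seq, account, amount, txn_date, txn_type, reference.
# Several deliberate defects are planted for the checks to find.
SAMPLE_BATCH = """\
H,BATCH-0001,2024-03-31
D,1,123455,150.00,2024-03-30,PAYMENT,
D,2,987651,2500.00,2024-03-30,PAYMENT,
D,3,123456,75.50,2024-03-31,REFUND,
D,3,555557,75.50,2024-03-31,REFUND,INV-1001
D,5,123455,-40.00,2024-04-02,PAYMENT,
T,5,2761.00,1913574
"""

AMOUNT_LIMIT = Decimal("2000.00")    # assumed per-transaction limit
VALID_TYPES = {"PAYMENT", "REFUND"}  # assumed discrete value list


def luhn_valid(number: str) -> bool:
    """Mod-10 (Luhn) check digit test: catches single-digit and most adjacent
    transposition keying errors in an identifier."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_batch(text: str):
    """Split the file into header, detail records, and trailer."""
    header = trailer = None
    records = []
    for line in text.splitlines():
        f = line.split(",")
        if f[0] == "H":
            header = {"batch_id": f[1], "batch_date": date.fromisoformat(f[2])}
        elif f[0] == "D":
            records.append({"seq": int(f[1]), "account": f[2], "amount": Decimal(f[3]),
                            "txn_date": date.fromisoformat(f[4]), "type": f[5], "ref": f[6]})
        elif f[0] == "T":
            trailer = {"count": int(f[1]), "total": Decimal(f[2]), "hash": int(f[3])}
    return header, records, trailer


def record_edits(rec, batch_date):
    """Per-record checks; each failure becomes one exception line."""
    tag = f"seq {rec['seq']}"
    ex = []
    if not luhn_valid(rec["account"]):
        ex.append(f"{tag}: check digit failed for account {rec['account']}")
    if rec["amount"] <= 0:
        ex.append(f"{tag}: sign test failed ({rec['amount']})")
    if abs(rec["amount"]) > AMOUNT_LIMIT:
        ex.append(f"{tag}: limit check failed ({rec['amount']} exceeds {AMOUNT_LIMIT})")
    if rec["txn_date"] > batch_date:
        ex.append(f"{tag}: date check failed ({rec['txn_date']} is after batch date)")
    if rec["type"] not in VALID_TYPES:
        ex.append(f"{tag}: discrete value check failed ({rec['type']})")
    if rec["type"] == "REFUND" and not rec["ref"]:
        ex.append(f"{tag}: cross-field edit failed (REFUND without original reference)")
    return ex


def batch_edits(records, trailer):
    """Batch-level checks: header/trailer verification, sequence, duplicates."""
    ex = []
    if len(records) != trailer["count"]:
        ex.append(f"record count failed ({len(records)} records, trailer says {trailer['count']})")
    if sum(r["amount"] for r in records) != trailer["total"]:
        ex.append("batch total failed (sum of amounts differs from trailer)")
    # Hash total: arithmetic sum of a non-financial field, meaningful only as a control.
    if sum(int(r["account"]) for r in records if r["account"].isdigit()) != trailer["hash"]:
        ex.append("hash total failed (sum of account numbers differs from trailer)")
    seqs = [r["seq"] for r in records]
    for a, b in zip(seqs, seqs[1:]):
        if b != a + 1:
            ex.append(f"sequence check failed between seq {a} and seq {b}")
    for s, n in Counter(seqs).items():
        if n > 1:
            ex.append(f"duplicate check failed: seq {s} appears {n} times")
    return ex


def exception_report(text: str):
    """Run every edit and return the exception report as a list of lines."""
    header, records, trailer = parse_batch(text)
    report = []
    for rec in records:
        report.extend(record_edits(rec, header["batch_date"]))
    report.extend(batch_edits(records, trailer))
    return report


if __name__ == "__main__":
    for line in exception_report(SAMPLE_BATCH):
        print(line)
```

Each failed edit produces one line of the exception report, itself one of the corrective controls tabulated above. The trailer checks pass here because the constructed trailer agrees with the detail records; a record dropped or altered between sender and receiver would surface as a record count, batch total, or hash total exception, while the keying and authorization defects planted in the detail records are caught by the per-record edits.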
Detective Controls
Control: Type of control
Summary integrity check: Both an Accuracy Control and a Completeness Control, similar to a batch-control technique
Batch totals: Accuracy Control and a Completeness Control
Hash totals: Accuracy Control
Limit check: Accuracy Control
Reasonableness test: Accuracy Control
Check digit: Accuracy Control
Overflow check: Accuracy Control
Format checks: Accuracy Control
Date checks: Accuracy Control and a Continuity Control
Label check: Continuity Control
Completeness test: Completeness Control
Range test: Accuracy Control
Range check: Accuracy Control
Discrete value check: Consistency Control
Record count: Accuracy Control and a Continuity Control
Sign test: Accuracy Control
Size test: Completeness Control
Sequence check: Completeness Control
Duplicate checks: Completeness Control
Cross-field editing: Consistency Control
Cross-record editing: Consistency Control
System matching: Completeness Control
Field combination tests: Accuracy Control
Run-to-run totals: Accuracy Control and a Continuity Control
Suspense file: Completeness Control
Header and trailer record verification: Accuracy Control
Balance controls: Accuracy Control
System logging of transactions: Security Control
Comparison controls: Consistency Control
Computation controls: Accuracy Control
Ratio test: Consistency Control
Rounding technique: Accuracy Control
Relationship test: Consistency Control
Descriptive read-back: Accuracy Control
Data checks: Accuracy Control
Key verification: Accuracy Control
One-for-one checking: Accuracy Control and a Completeness Control
Cross footing: Accuracy Control

AUDIT PROCESS
Conducting an audit is a process with a series of activities to be reviewed and a series of procedures to be followed. A structured methodology, consisting of audit phases or stages, can be used during the audit process to ensure quality and to ensure that all required activities are accomplished, starting from the beginning of an audit to the completion of the audit. Each phase has defined tasks to be completed. Five such phases include
(1) the preliminary survey,
(2) the audit program,
(3) fieldwork,
(4) reporting, and
(5) monitoring and follow-up.
The audit report is the end product of the audit process.

2 KINDS OF AUDIT PLANNING
(1) Staff Plans
(2) Audit Plans

Staff Plans
Staff planning should include assigning staff with the appropriate skills and knowledge for the job, assigning an adequate number of experienced staff and supervisors to the audit (consultants should be used when necessary), and providing for on-the-job training of staff.

Audit Plans
A written audit plan should be prepared for each audit and is essential to conducting audits efficiently and effectively. The form and content of the written audit plan will vary among audits. The plan generally should include an audit program and a memorandum or other appropriate documentation of key decisions about the objectives, scope, and methodology of the audit and of the auditors’ basis for those decisions.

ANALYTICAL REVIEWS
As a part of fieldwork, the internal auditor should perform analytical reviews to understand the relationships between various data. The focus is on determining the reasonableness of data. Techniques such as regression analysis, simple ratio analysis, and trend analysis can be used to provide insights into the financial and operational data. The outcome of the review is to provide a “red flag” to the auditor so that he or she can adjust the audit scope and the audit procedures accordingly.

PLANNING MATERIALITY
Material errors, irregularities, and illegal acts will have a direct and material effect on financial statement amounts.

Materiality
Materiality is the magnitude of a misstatement that would influence the judgment of a reasonable user of financial statements. Audit procedures must be designed to provide reasonable assurance of detecting material financial statement misstatements (i.e., material errors and irregularities). Materiality also refers to the level of precision (or accuracy) of the financial statements; the lower the materiality, the greater the precision and vice versa. From an internal audit viewpoint, materiality refers not only to the financial statements but also to the business operations and computer systems.

3 Types of Errors
1. Known Errors (Detected Errors)
2. Likely Errors (Estimated Errors)
3. Possible Errors (errors implicit in sampling work).
Errors are defined as financial statement misstatements that are either intentional or unintentional.

Who Should Set the Materiality Level?
The auditor and the auditee should arrive at an understanding about the levels of materiality and the assurance level to be applied in an audit. This understanding should be based on cost-benefit considerations.

What Is Material and Immaterial?
Due professional care requires that the auditor consider the relative materiality or significance of matters to which audit procedures are applied. Various studies suggest that the magnitude of an error as a percentage of income is the most important factor in determining its materiality; items that have a more than 10% effect on income would normally be considered material, while items constituting less than 5% of income would normally be considered immaterial.

Qualitative versus Quantitative Materiality
Sometimes the nature of disclosure (sensitive or not) and the evidence of a desire to mislead (accidental or deliberate) are more important than quantitative factors. The auditor should weigh more toward human behavior.
Quantitative materiality is applicable during the planning stage of an audit. Qualitative materiality is applicable during the evaluation stage of an audit since it is not practical to plan the audit to detect qualitative misstatements.

How to Compute Materiality
Materiality is computed by taking a base and multiplying that by a percentage. The base, in declining order of importance, includes total revenues, total expenditures, total assets, retained earnings, and income. The percentage used can be a flat percentage or one obtained from a sliding scale. A flat percentage is based on the notion that materiality is completely relative; a sliding scale is based on the notion that some amounts are large enough to be always material.

DETAILED RISK ASSESSMENT
Audit resources are limited and expensive, and hence they should be properly allocated and scheduled for maximum utilization. Risk models or risk analysis is often used in conjunction with development of long-range audit schedules. Performing risk analysis and risk assessment is a major step in audit planning work. A risk is defined as the probability that an unfavorable event occurs that could lead to a financial or other form of loss. The potential occurrence of such an event is called exposure. Risks are caused by exposures. Controls can reduce or eliminate risks and exposures.

Audit Risk Factors
High-risk areas should receive high priority while low-risk areas should be given low priority. A systematic risk assessment approach is better than a haphazard, trial-and-error approach. Potentially important audit risk factors include:
• Quality of internal control system (most important factor)
• Competence of management
• Integrity of management
• Size of unit
• Recent change in accounting system
• Complexity of operations
• Liquidity of assets
• Recent change in key personnel
• Economic condition of unit
• Rapid growth
• Extent of computerized data processing
• Time since last audit
• Pressure on management to meet objectives
• Extent of government regulation
• Level of employee morale
• Audit plans of independent auditors
• Political exposure
• Need to maintain appearance of independence by internal auditor
• Distance of unit from home office (least important factor)

Approaches to Risk Assessment
The purposes of risk analysis and assessment are to identify risks and exposures, calculate the damage or loss, and make cost-effective control recommendations. Several risk assessment techniques and approaches are available to quantify risks. Some of them, used in combination, are judgment and intuition, scoring approach, Delphi technique, and quantitative methods.

DETERMINING AUDIT OBJECTIVES AND SCOPE
Audit Objectives
Audit objectives are what the audit project is going to accomplish. Clearly defining the audit assignment objective(s) is a must at the beginning of each audit since it guides the extensiveness of internal control assessment, as well as the scope and methodology of the audit work. Audit assignments with broad objectives are generally more difficult to accomplish and require more staff resources and time than do assignments with specific objectives. Therefore, to the extent possible, audit objective(s) should be defined as precisely as possible to preclude unnecessary work, while concomitantly meeting the assignment’s purpose.

Audit Scope
The scope of an internal audit is initially defined by the audit objectives. Preliminary survey, audit programs, audit project scheduling, and time estimates are driven by audit objectives. An example of an audit objective is evaluating whether cash receipts are adequately safeguarded. Scope is the boundary of the audit. Determining the scope of the audit is part of audit planning. It addresses such things as the period and number of locations to be covered. The audit scope should include financial, operational, and compliance audits.

Considerations for Audit Scope
Determining the audit scope normally involves matters such as the number of locations to be visited, time frames to be covered, and the type and depth of work needed to ensure that assignment objectives are accomplished and that all applicable audit standards are met.

Audit Scope Impairments
During the audit engagement, auditors may find scope impairments. When factors external to the audit organization and the auditor restrict the audit scope or interfere with the auditor’s ability to form objective opinions and conclusions, the auditor should attempt to remove the limitation or, failing that, report the limitation.

AUDIT WORK PROGRAM
Preparing an audit program is the next step after completing the preliminary survey work. An audit program serves as a roadmap for the auditor. The audit program provides the auditor the necessary guidance to proceed with the detailed audit work in terms of audit procedures to be conducted and required audit evidence to be collected during the audit. The audit program should focus on major activities and key controls within and around such activities. Two types of audit programs exist: (1) standard audit program, and (2) customized audit program.

PLANNING THE AUDIT WORK
Planning and managing an audit assignment starts from developing work plans to completing the audit engagement. The majority of the audit work takes place in the fieldwork phase. In planning, auditors define the audit’s objectives, scope, and methodology. Planning continues throughout the audit, and auditors should document their plan and changes to it. The most important task is to make sure that sufficient staff and other resources are available to do the audit work. The audit work can be done either at the headquarters (home office) and/or at the field offices.

IIA’S PERFORMANCE STANDARDS
Engagement Planning
• Internal auditors should develop and record a plan for each engagement, including the scope, objectives, timing, and resource allocations (IIA Standard 2200).
• Internal auditors should consider the objectives of the activity being reviewed and the means by which the activity controls its performance (IIA Standard 2201).
• Internal auditors should consider the significant risks to the activity, its objectives, resources, and operations, and the means by which the potential impact of risk is kept to an acceptable level (IIA Standard 2201).
• Internal auditors should consider the adequacy and effectiveness of the activity’s risk management and control systems compared to a relevant control framework or model (IIA Standard 2201).
• Internal auditors should consider the opportunities for making significant improvements to the activity’s risk management and control systems (IIA Standard 2201).
• When planning an engagement for parties outside the organization, internal auditors should establish a written understanding with them about objectives, scope, respective responsibilities, and other expectations, including restrictions on distribution of the results of the engagement and access to engagement records (IIA Standard 2201.A1).
• Internal auditors should establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding should be documented (IIA Standard 2201.C1).

Engagement Objectives
• Audit objectives should be established for each engagement (IIA Standard 2210).
• Internal auditors should conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives should reflect the results of this assessment (IIA Standard 2210.A1).
• The internal auditor should consider the probability of significant errors, irregularities, noncompliance, and other exposures when developing the engagement objectives (IIA Standard 2210.A2).
• Consulting engagement objectives should address risks, controls, and governance processes to the extent agreed on with the client (IIA Standard 2210.C1).

Engagement Scope
• The established scope should be sufficient to satisfy the objectives of the engagement (IIA Standard 2220).
• The scope of the engagement should include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties (IIA Standard 2220.A1).
• If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities, and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards (IIA Standard 2220.A2).
• In performing consulting engagements, internal auditors should ensure that the scope of the engagement is sufficient to address the agreed-on objectives. If internal auditors develop reservations about the scope during the engagement, these reservations should be discussed with the client to determine whether to continue with the engagement (IIA Standard 2220.C1).

Engagement Resource Allocation
Internal auditors should determine appropriate resources to achieve engagement objectives. Staffing should be based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources (IIA Standard 2230).

Engagement Work Program
• Internal auditors should develop work programs that achieve the engagement objectives. These work programs should be recorded (IIA Standard 2240).
• Work programs should establish the procedures for identifying, analyzing, evaluating, and recording information during the engagement. The work program should be approved prior to its implementation, and any adjustments should be approved promptly (IIA Standard 2240.A1).
• Work programs for consulting engagements may vary in form and content depending on the nature of the engagement (IIA Standard 2240.C1).

Appendix: Sarbanes-Oxley Act of 2002
The Sarbanes-Oxley Act of 2002 (SOX) contains provisions affecting the corporate governance, auditing, and financial reporting of public companies, including provisions intended to deter and punish corporate accounting fraud and corruption. The SOX act generally applies to those companies required to file reports with the SEC under the Securities Act of 1933 and the Securities Exchange Act of 1934.

Title 1—Public Company Accounting Oversight Board (PCAOB)
Section 101: PCAOB establishment
Section 102: Registration with the PCAOB
Section 103: Auditing, quality control, and independence standards and rules
Section 104: Inspections of registered public accounting firms
Section 105: Investigations and disciplinary proceedings

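The scoring approach named under Approaches to Risk Assessment above, applied to the audit risk factors listed there to rank auditable units for a long-range audit schedule, as an added Python example that is not from the Wiley review text. The factor weights, the 1 to 5 scoring scale, the schedule thresholds, and the four auditable units with their scores are constructed assumptions; the only thing taken from the text is the ordering that makes quality of the internal control system the heaviest factor and distance from the home office the lightest.

```python
"""Scoring-approach risk assessment for ranking auditable units.

Each unit is scored 1 to 5 on a set of risk factors, 5 meaning the riskier end
(weak controls, highly liquid assets, long time since last audit), and each
factor carries a weight for its relative importance.  The weights, the factor
subset, the thresholds, and the unit scores are constructed for the
illustration; they are not values prescribed by the IIA or the review text.
"""

# Assumed weights: internal control quality heaviest, distance from the home
# office lightest, matching the order of importance given in the review text.
FACTOR_WEIGHTS = {
    "internal_control_quality": 5,
    "management_competence": 4,
    "management_integrity": 4,
    "unit_size": 3,
    "recent_accounting_change": 3,
    "operational_complexity": 3,
    "asset_liquidity": 3,
    "recent_key_personnel_change": 2,
    "time_since_last_audit": 2,
    "distance_from_home_office": 1,
}
FACTORS = list(FACTOR_WEIGHTS)


def unit(*vals):
    """Build a factor-score dict in FACTOR_WEIGHTS order."""
    return dict(zip(FACTORS, vals))


# Constructed auditable units. The remote branch scores highest on distance
# yet lowest overall, which is the point of weighting the factors.
SAMPLE_UNITS = {
    "Treasury":      unit(5, 2, 2, 4, 4, 4, 5, 3, 4, 1),
    "Payroll":       unit(2, 2, 1, 4, 1, 3, 3, 4, 2, 1),
    "Warehouse":     unit(3, 3, 2, 3, 2, 2, 2, 2, 5, 3),
    "Remote branch": unit(2, 2, 1, 1, 1, 1, 2, 1, 3, 5),
}


def composite_score(scores, weights=FACTOR_WEIGHTS):
    """Weighted mean on the 1 to 5 scale.

    A unit scored on fewer factors is rejected rather than silently treated as
    low risk on the factors nobody assessed; out-of-range scores are rejected too.
    """
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"unscored factors: {sorted(missing)}")
    for f in weights:
        if not 1 <= scores[f] <= 5:
            raise ValueError(f"{f}: score {scores[f]} outside 1..5")
    return sum(weights[f] * scores[f] for f in weights) / sum(weights.values())


def rank_units(units, weights=FACTOR_WEIGHTS):
    """Return (name, rounded score) pairs, highest composite risk first."""
    scored = [(name, round(composite_score(s, weights), 2)) for name, s in units.items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def schedule(units, weights=FACTOR_WEIGHTS, high=3.5, low=2.0):
    """Bucket ranked units: high-risk units are audited this cycle, medium-risk
    units go into rotation, low-risk units are deferred (thresholds assumed)."""
    buckets = {"audit this cycle": [], "rotation": [], "defer": []}
    for name, score in rank_units(units, weights):
        if score >= high:
            buckets["audit this cycle"].append(name)
        elif score >= low:
            buckets["rotation"].append(name)
        else:
            buckets["defer"].append(name)
    return buckets


if __name__ == "__main__":
    for name, score in rank_units(SAMPLE_UNITS):
        print(f"{name:14s} {score:.2f}")
    print(schedule(SAMPLE_UNITS))
```

The scoring approach is usually combined with judgment and a Delphi-style consensus on the weights, as the text notes; the code makes the weights explicit so that the ranking can be reproduced and challenged, and it refuses to score a unit on which any factor was left unassessed, since a missing score would otherwise read as low risk.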