INTRODUCTION TO INTERNAL AUDITING (4 - 7%) MODULE 1 INTRODUCTION TO INTERNAL AUDITING (4 - 7%) Lecturer: Dale Neuls, BA, CGA DN 14/15
MU1 OVERVIEW Module 1: Introduction to IA Module 2: Internal auditing standards Module 3: Risk management, control frameworks and governance Module 4: Planning the internal audit Module 5: Examination phase of IA Module 6: Internal audit communications and reporting Module 7: IT auditing Module 8: Marketing, purchasing and production Module 9: Human resources management, treasury and strategic planning Module 10: Internal auditing in the public and not-for-profit sectors
MANITOBA IN CLASS LECTURE NOTES 1. Log into MyCGA Web Services (https://www.mycgawebservices.org) 2. Go to the Student Centre > Course Info/History & Marks 3. Select the CGA Manitoba In-Class Lecture Schedules and Notes 4. Select MU1 from left hand navigation
INTERNAL AUDITING FAQs Internal Auditing What is internal auditing? Why should an organization have IA? What should be reporting lines for IA? How does internal auditing maintain independence and objectivity? How do internal and external auditors differ and how should they relate? What is Enterprise Risk Management and internal auditing role? Is it mandatory to have an IA activity?
Audit Committees/Governance What is appropriate relationship between IA and audit committee? What services can the internal auditors provide for audit committee? Why should an organization have an audit committee? Fraud What is role of internal auditing in preventing, detecting and investigating fraud?
Guidance What standards guide work of internal audit professionals? Staffing/Resources What are skill sets and staffing needs of IA activity? How does IA prioritize its resources? How should an organization go about sourcing its IA activity?
INTERNAL AUDITING an independent, objective assurance and consulting activity designed to add value and improve an organization operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes
independence - freedom from conditions that threaten the ability of IA to carry out responsibilities in an unbiased manner objectivity - unbiased mental attitude in performing audits with no subordination of judgment on audit matters assurance - objective examination to provide an independent assessment on risk management, control and governance processes three party reporting - IA reports to board about management
consulting - advisory services to client to improve risk management, control and governance processes two party reporting - IA reports to management adding value - in performing assurance and consulting activities IA identify opportunities for improvement and to reduce risks helping the organization - how IA can help management/board achieve organization objectives i.e. “think like management”
risk management processes - put in place by management to identify, assess, manage and control potential events that may impact achievement of goals control processes - policies and procedures designed to ensure that risks are within the tolerances established by risk management processes governance processes - the processes and structures implemented by board to direct, manage and monitor activities of organization toward achievement of objectives
Board Governance Accountability Framework Assessing Board Effectiveness The Board should have a process in place to assess how well it discharges its roles and responsibilities as part of the organization’s overall effectiveness. Approving and Monitoring Mission, Vision and Strategy The Board should approve and monitor the mission, vision and strategy of the agency, ensuring a plan of action is set for the future, thereby ensuring its continuing relevance in a changing environment and ensuring the organization’s chances of viability and success. Approving and Monitoring the Agency’s Ethical Values The Board should act as guardian of the agency’s values, promoting public confidence in how it is being operated from an ethical perspective.
Approving and Monitoring By-laws, Policies and Practices The Board should be approving and monitoring both governance and key operational policies. Monitoring Management Control The Board should have an appropriate understanding of the systems and controls that allow agency management to manage its resources efficiently and effectively. Ensuring Financial Stability The Board should be ensuring the agency could meet its current and future financial responsibilities.
Evaluating Senior Management The Board should be evaluating the chief executive officer on a regular basis. Overseeing External Communications The Board should be overseeing the agency’s communication to and from external parties. Advocacy The Board should be communicating to the public and its stakeholders, the mission and purpose of the agency, and should be advocating both public involvement and financial support for the program.
SCOPE OF IA IIA Performance Standards 2100 to 2130 describe nature of work for IA - evaluate risk exposures and adequacy/effectiveness of controls in responding to risks relating to governance, operations and information systems IA assess ACHIEVEMENT of organization strategic objectives INTEGRITY and RELIABILITY of financial/operating information COMPLIANCE with laws, policies and contracts SAFEGUARDING of assets 3 E’s - economy, efficiency, effectiveness of operations and programs
ECONOMY (acquisition) 3 E's ECONOMY (acquisition) terms and conditions where human and physical resources acquired appropriate quality and quantity at lowest cost EFFICIENCY (utilization) relationship between goods and services produced and resources used to produce them maximize output for resource input desire to increase productivity and profitability EFFECTIVENESS achievement of goals/objectives
FUNCTIONS OF MANAGEMENT IA must understand and support management functions Planning develops clear purpose of organization long term and short term plans policies, procedures, code of ethics Organizing and Staffing internal structure (centralization vs decentralization, line and staff) delegation of authority and responsibilities (job descriptions) human resource management recruitment, labour relations
Directing Controlling inducing members of organization to perform roles - communication and motivation Controlling comparing actual performance with predetermined standards/plans management control systems should be cost effective, focus on exceptions and be flexible - 6 steps set standard measure performance compare performance vs standard evaluate differences determine corrective action follow up corrective action
IIA Standards define risk ENTERPRISE RISK IIA Standards define risk possibility of an event occurring that will have an impact on the achievement of objectives risk measured in terms of impact and likelihood internal controls are designed and implemented to address business risks e.g. bad debts, security violations, fraud
Enterprise Risk Management (ERM) is process put in place by board and management, applied in strategy setting across the entire enterprise designed to identify potential events that may affect the entity manage risks to be within its risk appetite provide reasonable assurance regarding the achievement of entity objectives Consists of 1. risk identification 2. establishing acceptable tolerance limits for risks 3. putting controls in place to ensure risks remain within established tolerances
ROLE OF INTERNAL AUDITOR business consultant proficient in controls familiar principles of management cooperation between auditor and client (people skills) assist management identifying risks, evaluating design and implementation of control systems and making recommendations for improvement assist board corporate governance and accountability to shareholders
objective and scope of IA wider than financial audit (EA) IA more concerned with efficiency and effectiveness of wide range of activities defined under scope of IA IA more concerned with design and implementation of management processes EA concerned with opinion on f/s and completeness, accuracy and authorization of financial transactions EA obtain audit evidence to support opinion and may not test internal controls and rely on substantive testing of transactions/balances EA primary responsibilities to s/h, creditors, general public
TYPES OF INTERNAL AUDITS compliance audits review both controls and transactions to assess compliance with internal policies/procedures and external laws/regulations internal financial audits review processes used to generate financial information for management SOX 2002 requires CEO, CFO to attest to integrity of financial reports filed with regulatory agencies (IA conduct assurance reviews of reports)
comprehensive audits (public sector) operational audits review/evaluate performance of client operations (3E's) comprehensive audits (public sector) combination of compliance, internal financial and operational audits (value-for-money audits) information technology audits review design, implementation, operation (controls) and security of systems
fraud audits environmental audits special investigation which relies on company policies, procedures and controls to determine fraud (Corporate Code of Ethics) environmental audits assess compliance with internal policies/procedures and external environmental laws/regulations
INTERNAL AUDITING AND PERFORMANCE MEASUREMENT based on identifying measures critical to organizational success and setting measurable targets measurements form basis to assess performance and for managers to plan and structure organization and to control results measures should be SMART specific measurable attainable realistic trackable
e.g. Balanced Scorecard framework for developing set of performance measures (KPIs - key performance indicators) which links measures from 4 perspectives financial perspective “How do we look to shareholders?” business perspective “What must we excel at?” learning and growth perspective “Can we continue to improve and create value?” customer perspective “How do customers see us?”
KPIs developed using selection team which evaluates each measure against following set of criteria Does the measure support strategies? Does the measure support business processes? Is the measure easy to understand? Can the measure be calculated from obtainable data? Overall is the measure a good indicator of company performance? reported to senior management on monthly or quarterly basis
IA not generally involved with determination of KPIs but involved with continuous monitoring of indicators using computerized analytic tools to monitor business processes (changes in pattern) examples KPIs % staff attending training courses performance to budget inventory turnover # staff complaints per month % overall revenue generated from new products and services % customer orders processed incorrectly
# staff recognized for improvement suggestions gross margin per service/product # customer complaints per month % staff surveyed who view working environment as good or excellent # sick days per staff return on investment by product # customer improvement suggestions implemented per year processing cost per service actual versus planned processing volume
IA PERFORMANCE MEASUREMENT Client Feedback post audit client surveys Benchmarking audit processes and practices with other professionals counterparts audit budget number and average salaries of auditors Setting performance targets and measuring actual performance to targets annual audit plan
Monitoring career progression of IA staff within organization Measuring employee satisfaction annual performance appraisal PD/training/project rotation
ETHICAL CLIMATE AND CONSIDERATIONS ethical standards - IIA and CGA Code of Ethics provide code of behaviour to guide professional conduct provide public with reasonable expectation of behaviour from members of profession ethical situations monitoring compliance with conflict of interest guidelines carrying out fraud investigations which involved unethical actions respecting confidentiality of financial, operational and personal information obtained during audits aware of unethical business practices which could harm corporate environment and business reputation e.g. changing accounting principles, employee gifts, personal use property