Chapter 14 Internal auditing Internal audit has recently been in a state of transition, with a general move away from a traditional view of service to management (primarily on the basis of controls review) to a view of adding value to the client. This shift has given internal audit much more of a business risk assessment focus (which we call the new internal audit), consistent with the move that we have seen with external audit. We first examine traditional views of internal auditing, and then look at how internal auditing has evolved, and what is involved in the new internal auditing. Copyright © 2012 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett

Learning objectives 14.1 Understand the evolving nature of internal auditing. 14.2 Appreciate the professional standards developed for internal auditing. 14.3 Understand what internal auditors do in practice. 14.4 Gain an appreciation of the issues that may face the internal audit profession in the future. 14.5 Appreciate the approaches to assessing risk management, control and governance processes. Copyright © 2012 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett

Learning objective 14.1 The evolving nature of internal auditing (IA) The traditional view of internal auditing is that it is an independent appraisal function evaluating the adequacy and effectiveness of other controls within an organisation (controls orientation). (Refer AUASB Glossary). This view is evolving in many organisations so that internal audit is now seen as a service that promotes understanding and provides confidence to an organisation about risk exposures and control strategies (risk orientation). The traditional view of internal auditing is that it is an independent appraisal function, established within an entity as a service to the organisation. This view, however, is evolving. This section helps students contrast the traditional view of internal auditing with the more current or ‘new’ view as defined by the Institute of Internal Auditors (IIA). The ‘new’ definition of internal auditing is provided on slide 14-4. Terms to emphasise in this new definition are assurance and consulting, and adding value.   Students can also be guided through a brief history of the IIA, while gaining some insights into its current roles. They can also be stepped through what needs to be done to gain the CIA qualification. Copyright © 2012 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett

IIA definition of internal auditing Definition of internal auditing on the Institute of Internal Auditors (IIA) website www.theiia.org: ‘Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.’ Copyright © 2012 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett

Institute of Internal Auditors (IIA) Professional organisation, representing more than 170 000 members in more than 165 countries. Aim is to represent, promote and develop professional practice of internal auditing. First established in Australia in 1952. Copyright © 2012 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett

Certified Internal Auditor (CIA) The IIA professional recognition is its Certified Internal Auditor (CIA) qualification. To be able to sit the CIA exam, a candidate must: be a member of IIA hold a bachelor’s degree or equivalent exhibit high moral and professional character complete 24 months of internal audit experience keep the contents of the exam confidential. The CIA examination covers: internal audit’s role in governance, risk and control conducting the internal audit engagement business analysis and information technology, and business management skills. Copyright © 2012 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett

Learning objective 14.2 Current standards for internal auditor (issued by IIA) The IIA is the global standard setter for internal auditing. The International Professional Practices Framework (IPPF) is issued by IIA. Purposes: delineate basic principles provide a framework for performing and promoting IA activities establish the basis for the measurement of IA performance foster improved organisational processes and operations. The first slide provided for this section outlines the purposes of the IIA standards, while slide 14.8 outlines the recently developed International Professional Practices Framework (IPPF).  It is advisable for instructors to elaborate using subsequent slides, which distinguish between Attribute Standards and Performance Standards.   The four categories of attribute standards are outlined in the textbook. The slides, however, only cover two categories; independence and proficiency and due professional care. Copyright © 2012 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett

International Professional Practices Framework (IPPF) Copyright © 2012 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett

Attribute and performance standards The International IIA Standards consist of: Attribute standards (the 1000 Series): address characteristics of organisations and individuals performing IA activities. Performance standards (the 2000 Series): describe the nature of IA activities and provide criteria against which performance of these services can be measured. Copyright © 2012 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett

Current attribute and performance standards of the IIA Attribute standards Performance standards 1000 Purpose, authority, and responsibility 2000 Managing the internal audit activity 1100 Independence and objectivity 2100 Nature of work 1200 Proficiency and due professional care 2200 Engagement planning 1300 Requirements of the quality assurance and improvement program 2300 Performing the engagement 2400 Communicating results 2500 Monitoring process 2600 Resolution of senior management’s acceptance of risks Copyright © 2012 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett

Internal audit charter Attribute standard 1000 outlines that the purpose, authority and responsibility of the internal audit activity should be formally defined and set out in an internal audit charter. The internal audit charter should: establish IA’s position within the organisation establish access to records, personnel and physical properties relevant to the performance of engagements, and define the scope of internal audit activities. This charter should be approved by the board of directors. Copyright © 2012 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett

Independence and objectivity (IIA standard 1100) Essential that IA is, and is seen to be, independent of the area being audited. IA department should report to board of directors or audit committee. Head of IA should have direct access to board of directors. Board should approve appointment or removal of head of IA. Management and Board should be aware of work schedules, staff requirements and budgets of IA department. Copyright © 2012 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett

Independence and objectivity (cont.) Organisational independence is aided by: reporting to a level that allows IA to fulfill its responsibilities head of IA having direct access to the board the board concurring with appointment or removal of head of IA management and the board being kept informed. Individual objectivity is aided by: audit staff assignments should be made to prevent possible bias IAs immediately reporting any conflicts of interest staff assignments being periodically rotated IAs not assuming operating responsibilities persons should not audit those activities they previously carried out until a reasonable period of time has elapsed. Copyright © 2012 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett

Proficiency and due professional care IIA Standard 1220 outlines that it is the internal audit department’s responsibility to assign staff to each audit who collectively possess the knowledge, skills and other competencies needed to conduct the audit. The audit planning process should include a strategic audit plan and a tactical audit plan. In undertaking their planning, the auditor should consider the audit universe, which is an inventory of audit areas that is compiled and maintained to identify areas for audit during the audit planning process. Copyright © 2012 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett

Performance standards Require IAs to plan each audit; collect, analyse, interpret and document information to support results; report results; and take appropriate follow up action. Should also be a periodic report to the board on IA’s purpose, authority, responsibility and performance relative to its plan. Require IA to consider: 2000: Management of the IA department 2100: Evolving nature of IA work 2200: Engagement planning 2300: Performing the engagement 2400: Communicating results 2500-2600: Monitoring progress and management’s acceptance of risks. Copyright © 2012 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett

Learning objective 14.3 The practice of internal audit The responses to the 2011 PricewaterhouseCoopers survey of the current scope of IA work being undertaken in the US, showed the most common practices (in order) were traditional IA practices: financial audit operational audit compliance audit IT audit While 92% of Western European CEOs expect to expand their businesses in Asia, the 2011 survey shows that most IA is only marginally involved in assessing risks associated with cross-border acquisitions, and new joint ventures and strategic alliances. This covers the scope of internal audit work as determined by a survey undertaken in 2009, showing that most current practices are traditional functions. Copyright © 2012 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett

The practice of internal audit (cont.) Business risk assessment as a part of IA is slowly growing. The Leung, Cooper and Perera (2011) Australian survey found that IA’s spend their time as follows: internal control evaluation (21%) management and operations audit (15%) systems assurance (10%) business strategic risk assessment (9%) and internal consultancy (8%) It was however notable that corporate governance, social and environmental issues did not rank highly as internal audit objectives Copyright © 2012 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett

Learning objective 15.4 The future of internal audit Major issues confronting IA include: outsourcing of IA, especially to Big Four (Note that a client cannot outsource IA to their external auditor in the USA under the Sarbanes-Oxley Act) difficulty in changing profile of the IIA, so that members are seen to be more value adding than checking expectations gap between chief executive officers and internal audit managers development of specialised IA groups; e.g. quality and environmental auditors, and whether IIA can adequately cater for these groups. As individuals potentially entering the internal audit profession, students need to be made aware of key issues that are likely to arise. These slides provide a list of major issues, which can be expanded on by the instructor.   The section also identifies the driving factors of change. Slides detail risk-related tasks and control-related tasks that are considered important in internal auditing. Finally, the slides look at the future of the internal and external auditor relationships. Copyright © 2012 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett

Factors driving change Ability of IA to show that it adds value. Benchmarking of IA departments as a means of assessing quality. Greater emphasis on corporate governance and risk management in current environment and IA’s increasing role in these areas: IA becoming more heavily involved in business strategic risk assessment but corporate governance and social and environmental issues still not ranking highly as IA objectives.   Copyright © 2012 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett

Expected future relationship with external auditors As both groups of auditors move to the risk analysis approach, greater co-ordination between IA and EA can be expected. Co-ordination aided by recent developments in corporate governance, with audit committee playing key co-ordination role. Copyright © 2012 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett

Learning objective 14.5 Approaches to assessing risk management, control and governance processes IA assesses the effectiveness of risk management process by examining whether: an appropriate risk management framework exists; appropriate risk responses are selected by management and the board; and relevant risk information is communicated across the entity. IA focuses on how controls ensure: the effectiveness and efficiency of operations; the reliability and integrity of financial/operational information; the safeguarding of assets; and compliance with laws, regulations, and contracts. IA is a critical part of the corporate governance process. These slides gives an overview of the Australian risk management standard and the COSO Enterprise Risk Management (ERM) framework that are both commonly used in practice. Copyright © 2012 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett

Approaches to assessing risk management, control and governance processes IA is expected to use similar approaches to assessing risk management, control and governance processes to those used by EA in evaluating business risk. There are two major frameworks that are used in practice to guide this analysis: in Australia and New Zealand, the framework outlined under the standard AS/NZS ISO 31000 Risk Management, and internationally, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management (ERM) framework. Copyright © 2012 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett

AS/NZS ISO 31000 Risk Management The emphasis in AS/NZS ISO 31000 is on business risk management. The main elements of the risk-management process are as follows: establishing the context identity risk analyse risk evaluate risk treat risks monitor and review record For each stage of the process adequate records should be kept, sufficient to satisfy independent audit. Copyright © 2012 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett

COSO Enterprise Risk Management (ERM) framework Another framework for assessing risk and quality control is the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management (ERM) framework. Enterprise risk management (ERM) is a process designed to identify potential events that may affect the entity, to manage risks within the entity’s risk ‘appetite’ and to provide reasonable assurance regarding the achievement of the entity’s objectives. There is a direct relationship between the entity’s objectives and the ERM components, which represent what is required in order to achieve those objectives. Copyright © 2012 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett

The relationship of objectives and components of COSO ERM framework Copyright © 2012 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett

Summary IA is a significant part of the auditing profession. The IIA has an important role to play in its promotion and development. Performance standards for IA include the auditing standards of the AUASB/IAASB (for CPA, ICAA, IPA) and the International Standards of the IIA. IA has traditionally been an important part of the monitoring mechanism of internal control, but it can also be used to improve managerial performance. Today IA is increasingly being used to evaluate and improve the effectiveness of risk management, control and governance processes. Copyright © 2012 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett