Internal Auditing

Internal Auditing. Umair Ali Shah CIA, ACCA. Corporate Governance. Corporate governance is a term that refers broadly to the rules, processes, or laws by which businesses and organizations are operated, regulated, and controlled.

Presentation Transcript


  1. Internal Auditing. Umair Ali Shah CIA, ACCA

  2. Corporate Governance Corporate governance is a term that refers broadly to the rules, processes, or laws by which businesses and organizations are operated, regulated, and controlled. The term can refer to internal factors defined by the officers, stockholders or constitution of a corporation, as well as to external forces such as consumer groups, clients, and government regulations.

  3. Control environment • Control environment is the control consciousness of an organization; it is the atmosphere in which people conduct their activities and carry out their control responsibilities. • Control activities are actions, supported by policies and procedures that, when carried out properly and in a timely manner, manage or reduce risks.

  4. Internal control Internal controls are the fundamental building blocks in developing financial systems that are effective and consider potential risks. Internal controls should be purposeful in addressing risks, but should not unnecessarily restrict activities. The primary objectives of internal controls are: • To verify the efficiency and effectiveness of operations. • To ensure the reliability and completeness of financial and management information. • To comply with applicable laws, regulations, policies and agreement provisions. • To document and support the validity and authorization of financial transactions. • To safeguard resources.

  5. Internal control Preventive and Detective Controls. Controls can be either preventive or detective. The intent of these controls is different. Preventive controls attempt to deter or prevent undesirable events from occurring. They are proactive controls that help to prevent a loss. Examples of preventive controls are separation of duties, proper authorization, adequate documentation, and physical control over assets. Detective controls, on the other hand, attempt to detect undesirable acts. They provide evidence that a loss has occurred but do not prevent a loss from occurring. Examples of detective controls are reviews, analyses, variance analyses, reconciliations, physical inventories, and audits. Both types of controls are essential to an effective internal control system. From a quality standpoint, preventive controls are essential because they are proactive and emphasize quality. However, detective controls play a critical role in providing evidence that the preventive controls are functioning and preventing losses. Control activities include approvals, authorizations, verifications, reconciliations, reviews of performance, security of assets, segregation of duties, and controls over information systems.

  6. Key elements of internal control The following elements define proper internal controls. When developing local controls, a thorough understanding of the process as well as the potential risks is necessary. The documentation and training of policies and procedures are also key follow-up steps. 1. Transparency: Information should be clearly and accurately reported and readily available to all who need it to make decisions or to assess organizational or programmatic performance. 2. Simplicity: Offices can reduce the chance for errors or fraud if procedures are simple, clear, documented and well communicated.

  7. Key elements of internal control 3. Accountability: Accountability should be ensured at all levels of authority. 4. Security: Physical assets should be protected from harm or misuse. 5. Cost-effectiveness: The benefits derived from internal controls should be proportional to their cost as well as the potential risk they are designed to address.

  8. Basic Internal Controls The following concepts and practices comprise a basic list of internal controls that field offices should consider when developing local procedures or assigning roles and responsibilities. • Segregation of duties - Responsibilities in a process should be separated and delegated to several employees, with the goal of providing a system of checks and balances to prevent errors or dishonest behavior. For example, an accountant who is responsible for record keeping should not also be responsible for selecting vendors since the opportunity exists to hide fraudulent transactions. • Signature requirements - By requiring signatures, unauthorized transactions are prevented and accountability is established. For example, a purchase request signed by the manager ensures that he or she is aware of the purchase and accepts the subsequent charge to the Department.

  9. Basic Internal Controls • Physical controls - Measures should be taken to verify the existence of assets reported on the office’s books and records, such as an annual equipment inventory. • Monitoring and independent checks - Cross-checks and management spot checks should be made to ensure that policies and procedures are followed. Some examples would be a monitoring visit to a program site, an internal audit of a field office or a surprise cash count. • Dual controls - Double-checks or reviews should be performed to ensure that critical decisions, high-value transactions or external reports are substantially correct. For example, bank transactions should be made only upon the authorization of two parties and external financial reports should always be reviewed by a second person for accuracy. • Computer-related controls - Access to computer records should be restricted and the backup of key information should be performed. Access to financial system files, for example, should be restricted to prevent intentional or unintentional changes to data.

  10. Basic Internal Controls • Fixed responsibility for resources - Access to resources should be restricted to specific individuals and those individuals should have authority over those resources. For example, only a limited number of employees should have keys to the cash box. The cashier should have exclusive access during the work day to ensure accountability. • Regular and timely reporting - Accounting and reporting functions should be specifically assigned to staff members and employees should be held accountable for timely and accurate reporting. Completion of functions should be documented with appropriate working papers that are available for inspection and are verifiable through signatures and dates. • Independent confirmations - Internally generated reports and documents should be reconciled to independent sources of information and proofs of accuracy should be performed on work at various stages of completion. An example would be reconciling the bank journal balance to an account statement obtained from the bank. • Manuals - Policies and procedures should be written to provide a clear understanding of functions and authorities.

  11. Internal auditing Definition of Internal Auditing The Definition of Internal Auditing states the fundamental purpose, nature, and scope of internal auditing. Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

  12. The Purpose of Internal Auditing? • “Eyes and Ears” • “Policeman” • “Watchdog” • “Consultant” • “Catalyst”

  13. IIA Statement of Responsibilities Purpose: • Internal auditing is an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization. • The objective of internal auditing is to assist members of the organization in the effective discharge of their responsibilities. • The audit objective includes promoting control at a reasonable cost.

  14. Types of Internal Audit There are several types of internal audit: financial audit, operational audit, management audit, compliance audit, IS audit and investigation audit. Each audit has a different purpose and characteristics. • Financial Audit: The purpose is to express an opinion on financial condition based on analysis, comparisons and tests of accuracy. Its scope is the financial records. The expected result of this audit is an opinion on the accuracy and reliability of the financial statements. • Operational Audit: The purpose is to analyze and improve methods of operations and performance. Its scope is the operational activities of a unit or department. The expected result of this audit is recommendations to management for the improvement of operations.

  15. Types of Internal Audit • Management Audit: The purpose is to review and evaluate business and management issues to enhance profitability. Its scope is the business support activities of a unit or the entire organization. The expected result of this audit is an opinion on strategic issues, with recommendations or solutions. • Compliance Audit: The purpose is to express an opinion as to adherence to internal policies, regulatory rules and requirements, and applicable laws. Its scope is the specific aspects of operations and business. The expected result of this audit is immediate rectification and compliance thereafter. • IS/IT Audit: The purpose is to audit the computer systems and the provision and management of information. Its scope is technical reviews of computer systems and their peripherals. The expected result of this audit is recommendations related to computerization and information systems. • Investigation Audit: The purpose is to audit in depth into irregularities such as misappropriation of the bank’s assets or reported fraud or allegations. Its scope is the area specified, to determine modus operandi. The expected result of this audit is a conclusion on the findings, with recommendations to prevent recurrence.

  16. Code of Ethics - Integrity Internal auditors are expected to apply and uphold the following principles: • Integrity The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment. Internal auditors: 1.1. Shall perform their work with honesty, diligence, and responsibility. 1.2. Shall observe the law and make disclosures expected by the law and the profession. 1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization. 1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.

  17. Code of Ethics - Objectivity • Objectivity Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgment. Internal auditors: 2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization. 2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment. 2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

  18. Code of Ethics - Confidentiality • Confidentiality Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so. Internal auditors: 3.1. Shall be prudent in the use and protection of information acquired in the course of their duties. 3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.

  19. Code of Ethics - Competency • Competency Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services. Internal auditors: 4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience. 4.2. Shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing. 4.3. Shall continually improve their proficiency and the effectiveness and quality of their

  20. Responsibilities of IA Duties and responsibilities of Internal Auditor • Evaluates and provides reasonable assurance that risk management, control, and governance systems are functioning as intended and will enable the organization's objectives and goals to be met • Reports risk management issues and internal controls deficiencies identified directly to the audit committee and provides recommendations for improving the organization's operations, in terms of both efficient and effective performance • Evaluates information security and associated risk exposures. • Evaluates regulatory compliance program with consultation from legal counsel • Evaluates the organization's readiness in case of business interruption • Maintains open communication with management and the audit committee teams with other internal and external resources as appropriate • Engages in continuous education and staff development • Provides support to the company's anti-fraud programs.

  21. The Audit Process Model

  22. The Nature of Business Risk Risk is a concept used by auditors and managers to express concerns about the probable effects of an uncertain environment.

  23. Control and Risk Control mitigates risk:

  24. Internal Audit Framework • Planning • Performing • Reporting. Phase I, Planning the Audit: audit assignment and objective, research, preliminary survey, risk assessment, develop audit program. Phase II, Performing the Audit: fieldwork (testing), discuss conclusions. Phase III, Documenting the Audit: draft audit report.

  25. Establishing Audit Objective and Scope • Ensure a positive link between the audit objective and the entity’s goals. • Ensure the audit program will produce the evidence as required. • Ensure that each test will provide the evidence required by the audit program.

  26. Planning the Audit • Research • Risk Assessment • Audit Strategy • Preliminary Survey • Policies and Procedures • Inputs and Outputs • Control Steps • People

  27. Planning Step #1 Perform Research on Area under Audit Research is important for understanding, but we must be able to recognize when “enough is enough”. Research helps us define the historical issues, current issues, marketing issues, pervasive risks, personnel issues, and future issues.

  28. Planning Step #2 Prepare Your Hypothesis 1. The activity is operating normally: What is = What should be. 2. The activity is not operating as it should in some significant way: What is does not = What should be. 3. Some value in between: There are minor differences between What is and What should be.

  29. Planning Step #3 Send Engagement Memo • To executive management • Include the name of the audit effort and the initiation date • Request the name of a contact person

  30. Designing Audit Tests • Evidence is created from tests or questions. • The creation of the right test or question to ask is a process of working backwards from the audit objective.

  31. Documenting the Audit Automated Work Papers provide • A framework to guide the audit process. • Support for the conclusions reached by the audit. • A record of the audit process and its conformance to standards.

  32. Work Papers – Good Practices • Use electronic templates to capture data: * Background & Scope Document * Risk * Control * Test * Audit Point Sheet • Structure your work paper documents as carefully as you would the final audit report.

  33. A Framework for the Audit 1. Audit Strategy/ Audit Scope & Objective. 2. Creation of Risk Based Work Papers 3. Collection of basic reference materials (flow charts, etc.) 4. Determination of tests needed 5. Sample Design 6. Preparation of meeting agendas 7. Follow-up on information gleaned/re-direction 8. Documentation of test results and conclusions. 9. Creation of Audit Point Sheets. 10. Audit Report

  34. Writing Up Conclusions Best practices include: • Test description or question. • Results (clearly stated). • Conclusion reached as a result of that test.

  35. Best Practices (cont) • Discussion of the conclusion with management. • To avoid misunderstandings. • To give management a ‘heads-up’ about issues. • To encourage corrective action as soon as possible. • Cross-reference the audit point sheets to the conclusions in the audit work papers (and back-reference the conclusions to the report).

  36. Summarizing and Evaluating Results • The audit process creates evidence. • Evidence is summarized into conclusions. • Evidence (facts) + Context (impact) = Finding

  37. The Audit Point Sheet • Ensures all aspects of problems (findings) are captured. • Useful as ready documentation. • Serves as a basis for discussion. • Aids the summarization and report writing. Audit Point Sheet

  38. Writing Effective Audit Reports Reports are important because they: • Provide documented communication and assurance to senior management. • Provide operating management with assessments of operations and corrective action. • Provide the auditor with records for follow-up of audit results. • Provide the audit group with marketing opportunities to demonstrate added value.

  39. Following Up – Corrective Actions The control aspect of auditing is not complete until corrective action is taken (or the risk formally assumed by senior management). Effective statements of corrective action include: • The specific steps to be taken, • The completion date and • The person responsible for completion.

  40. Audit Interaction with Auditee

  41. Building Trust with Auditee • The slow way - Making and keeping commitments • The faster way - Collaboration.
