SSA 315 – Identifying and Assessing ROMM through Understanding Entity and the Environment

Auditor needs to perform risk assessment procedures (includes inquiries of management (those charged with governance, employees etc), analytical procedures, observation and inspection of documents and reports) for the identification and assessment of ROMM at the FS and assertion levels.

Audit partner needs to discuss the susceptibility of the entity’s FS to MM and communicate with the team members not involved in the discussion.

Understanding the entity includes operations, governance structures, type of investments and how the entity is structured. For relevant controls relating to financial reporting, the auditor needs to evaluate the design and effectiveness of these controls. For the control environment, determine whether management has a culture of honest and ethical behaviour. If possible, auditor should obtain management assessment of business risks etc.

Basically, matters relating to financial reporting must be examined. In addition, it is important to understand risks relating to IT.

The auditor needs to understand the nature of IA function’s responsibilities, organisational status and the activities performed. If necessary, audit reports relating to findings on financial reporting should be read and understood. However, some IA do not focus on controls over financial reporting and hence, their reports may not be directly relevant. If IA looks at financial reporting areas, the auditor may want to modify the nature and timing and extent of their testing. If so, please apply SSA 610.

The auditor needs to identify risks and evaluate whether they concern the FS level or affect many assertions. The auditor needs to assess which are significant risks as well. There is a need to include planning matters as audit documentation.

The auditor might want to perform substantive procedures or test of controls to assess ROMM.

Analytical procedures can also be performed to examine trends between financial and non-financial information. However, such broad evidence may be inconclusive and the auditor might need to collaborate with other information.

Auditor needs to understand the information from prior audit periods and see whether it’s still applicable in the current period. By performing walkthroughs, one can get a better sense of whether there are any changes.

It Is necessary to understand industry factors like suppliers, the competitive environment, suppliers and customer relationships etc. The auditor can understand regulatory factors as well.

Understanding the entity includes understanding the business operations, investment activities, financing activities, financial reporting practices etc, entity’s selection and application of accounting policies.

Not all business risks give rise to material misstatements, but business risks might have financial consequences and increase the likelihood of identifying ROMM. This FRS covers issues and events that may indicate ROMM. Understanding the financial performance indicators can help the auditor understand the pressure management faces. Industry related information might also serve as useful trends.

There are limitations to internal control, which the auditor needs to understand. Controls can be override by management as well. The SSA divides internal control into 5 components: control environment (influence the effectiveness of internal controls and the auditor’s assessment of ROMM); risk assessment process; information system and related business process; control activities and monitoring of controls.

There are both manual and automated controls. However, the use of IT automated controls present risks such as inaccurate processing of data, unauthorised access to data, changes to master files, failure to make changes. Manuals controls are more suitable when judgment is involved. They are less suitable for voluminous transactions etc.

Some information required in the FS may not be stored in IT systems. Non-standard journal entries must be examined by the auditor. The auditor should understand how transactions are originated.

It is possible for the auditor to test the operating effectiveness of the control in determining the extent of substantive testing required. The auditor could focus activities for areas with higher ROMM. Main transaction cycle could include things like revenue, purchases and employment expenses.

Auditors need to understand both general and application controls in relation to financial systems for financial reporting. They also need to question the source of information from control monitoring activities and whether they are accurate.

SSA 705 talks about the issuance of a qualified opinion.

Some assertions for transactions could be occurrence, completeness, accuracy, cut-off, classification, presentation etc.

Some assertions for balances are existence, rights and obligations, completeness, accuracy valuation and allocation, classification, and presentation.

 

SSA 260 – Communication with Those Charged with Governance

SSA 260 – Communication with Those Charged with Governance

This SSA 260 concerns auditor’s responsibility to communicate with those charged with governance (CWG) in an audit of Financial Statements.

SSA 265 talks about the requirements to communicate (in writing), in a timely manner, significant deficiencies to those CWG.

There is a need for two-way communication between the auditor and those CWG.

Management also needs to communicate important matters to those CWG.

Some of the things to be communicated by the auditor are auditor’s responsibilities (express opinion on the FS, significant risks etc), scope and timing of the audit. In additions, matters like accounting policies, accounting estimates and financial statement disclosures should be communicated. Other things include whether the firm has complied with relevant ethical requirements regarding independence, safeguards to eliminate threats of independence. Significant difficulties faced in the audit should also be highlighted.

A subgroup of those CWG could be the audit committee. Auditor must assess whether this must also be highlighted to the Board.

Good governance principles highlight that (i) Auditor will be invited to attend meetings of the AC; (ii) Chair of the AC and other members will liaise with the auditor periodically; (iii) AC will meet the auditor without management’s presence.

Often, critical accounting estimates and critical accounting policies or practices are required to be disclosed in the FS.

IIA Magazine Feb 2017 issue

IIA Feb 2017 Issue

Internal Auditors need to provide maximum return on investment and audit the right things. They need to understand the company’s strategic mission, objectives and KPIs. More auditors need to base their work on the International Standards for the Professional Practice of Internal Auditing.

The 5 emerging threats are (i) global economic uncertainty; (ii) increased regulatory burden; (iii) significant industry changes; (iv) business model disruption; (v) cybersecurity threats. Global economic uncertainty seems to a bigger risk in 2017 as compared to previous years. In the compliance space, with the new US administration, enforcement areas could see some change. Trump could change the legislative, regulatory and executive actions under Obama’s reign.

Although most companies feel that they could detect a sophisticated cyberattack, many of them do not have an adequate communication strategy in the event of a significant attack. Also, some of the BCP might be lacking. The continuous monitoring of cyberattacks is also a challenge.

Data Mining. By leveraging data, internal auditors can address issues beyond the reach of traditional analysis techniques. It involves making use of data which had previously no formulated relationships, patterns. Artificial intelligence, machine learning, statistics and database systems all come into play. Some of the techniques auditors can use are predictive modeling (IF), data segmentation (data clustering), neural networks (artificial intelligence), link analysis (links between records), deviation detection (red flags). The use of email mining can identify red flags in fraud etc. Social network analysis is also possible. IA should continue to look for ways to innovate their audit testing.

Intelligent Assessments. Use cognitive technology to help identify high-risk areas. These are intelligent computer systems that can aid in the performance of risk assessments. For instance, this tool can extract and analyze text from audit reports and analyze trends and high-risk areas. Natural language processing (NLP) has the power to tap into every sentence of every report to churn out more information. The machine will convert text to a certain structure and add meaning to the text and teach the computer to understand audit concepts. Words like ‘fraud’, ‘finding’, ‘auditee’ can be flagged out.

Turning Up the Heat on Fraud. A fraud risk assessment can help auditors take the organization’s ethical temperature. There are many ways to do it, example, through surveys, focus groups, workshops etc. The focus is mainly on fraud risk. It works best in small brainstorming sessions with operational management. Using the ACFE’s Fraud Risk Assessment Tool can be useful as it provides a structured approach. Risk assessment is about identifying where fraud might occur and the potential perpetrators. IA can do surveys to measure the ethical climate and voting can be anonymous. The results of the survey can be discussed with management. If there are high risk areas with fraud risks, IA can pay more attention to them.

The Accidental Discovery. Small or remote locations can be more susceptible to embezzlement, especially when they are not audited regularly. Confront someone after the facts have been reviewed. Look at the big picture. Controls that aren’t operating effectively are as good as them not being there.

Auditing what matters. Add value by selecting audits that contribute to achievement of strategic objectives. Auditors now should start looking at this area. Look at where the company spends the most money, what their main programmes are etc. Find out who is responsible for the strategy and make them IA’s stakeholders. Traditional audit activities can move towards strategy too. IA should use the COSO ERM framework in its entirety. The aim is for IA to a strategic partner to management. Don’t fear failure and find out more from the auditee by talking to them. The trick is to engage with processor owners easy and evaluate control design. IA should do the following: (i) Identify and define the risks; (ii) rate the risks; (iii) address risks in detail. Getting management buy-in is also important. The CAE must convince the AC to highlight the need for a strategic approach. Most IA wants to be a trusted advisor.

Core Principles and the QAIP. The new IPPF in 2015 can be incorporated into the QAIP to show that the IA is aligned with the mandatory IPPF elements. Learn to develop a concept and approach that is easy to understand. Core principles are a mandatory element of the IPPF. IA need to have general conformance with the Code of Ethics and Standards. The 5 steps are (i) establish a maturity framework (ineffective, partially effective, effective, sustainable, world class); (ii) map core principles with the standards and code of ethics; (iii) Define characteristics of maturity in 3 aspects of standards and QAIP characteristics, infrastructure and process characteristics, core principles and specific characteristics; (iv) perform internal and external assessment consistent with requirements of QAIP; (v) Evaluate and report maturity levels for core principles.

Champion of Trust. By modelling high standards of ethical behaviour, IA can help shore up faith in the organizations they serve. How can IA be a trusted advisor that is well respected? One way is via ethical commitment. IA needs to model ethical conduct in everything they do. IA must have the courage to sound off before things get in trouble. Ethical commitment is the key to a well-functioning IA. Ethics should come naturally to all. We also need to build ethical resilience (integrity, courage, honesty, accountability, trustworthiness).

Infusing IT Auditing into Engagements via a three-phase approach. The tech sector is growing at a rapid rate. Internal auditors also need to develop IT-related capabilities. IA needs to think about the future of integrated auditing. For a start, IA can incorporate IT perspectives into current audit engagements. This can involve documenting down what are the IT automated controls. One can also read IT policies or those on change management. One should also identify resources and pinpoint where they are stored (example: servers). Map core IT resources and data to key business objectives. Respond to IT risks and identify audit objectives that can add value. An integrated audit can help in this. In the middle term, IA can build an IT audit team, understand the IT framework like COBIT, perform IT audits and also foster relationships with IT and management. In the long term, IA can leverage on data analytics and obtain professional certifications (like IIA and CISA).

Breaking Down The Standards. With the right strategy, practitioners can divide conformance into bite-size, easily digested portions. The standards consist of attribute standards (series 1000 to 1322) and performance standards (series 2000 to 2600). Some IA may neglect the attribute standards and focus on the performance standards instead. However, both are very important. IA should perform an assessment of how well they are conforming to the Standards. An external assessment must be conducted once every 5 years. The audit work program needs to be reviewed and approved by the CAE before engagement commencement. Ultimately, conforming and understanding the principles behind the Standards are important.

Auditing Organizational Governance. IA has an integral role to play in improving the organization’s strategic performance. This area is becoming increasingly important in recent years. Governance reviews can help prevent governance failures. Less than 1 in 6 IAs conduct reviews for their organization’s strategy. Sometimes, it might be difficult to conduct a separate governance review. Rather, it might be easier to incorporate it as part of routine audits. One can focus on both the governance structures as well as the organizational culture. Some of the soft controls can include management competence/style; mutual trust and openness; strong leadership; high performance and quality expectations; shared values and understanding; high ethical standards. However, for some of these measures, there are no hard data to analyse. Hence, it is important for IA to read the signs. IA can also provide a more advisory role, which is educating board about developments and trends in the industry and governance best practices. In terms of strategic reviews, IA has much to work on. There is a tendency to focus on weaknesses in financial reporting etc.

Good Governance is All About Quality. The 5 quality rules are (i) customer focus; (ii) management leadership; (iii) Teamwork; (iv) Measurement; (v) Total commitment to continuous improvement.

 

Audit Analytics by Sean Elrington

Data analytics is useful for good governance as it provides better assurance as compared to manual sampling. Is the need to hire consultants necessary for straight-forward audit tests? It can help recover unnecessary spending. There may be resistance from the other departments if audit wants to perform 100% checks. There are still auditors which do not use data analytics.

Common Objections to Using Audit Analytics. Some auditors are too busy to learn and to change. The data may not be readily available. In addition, the cost has to be justified. Some are too intimidated by change. You need an understanding of ERP, database structures, views, tables etc. The benefit is that you might save time for data analysis. How will analytics help audit productivity? As it requires less man-hours, analytics can be useful. Although in the short-run, probably more work will be required. If the error is systematic, testing 100% of the population might not be very useful. In such cases, it will be better just to test a few samples and fix the control first. Analytics is here to stay.

Questions that the IT manager will ask you. Why can’t the auditors use Excel? Excel has its limitations on data size. Random sampling is not a good way to detect fraud. Data can be amended easily in excel and it does not have much data security. Sorting can be slow and Excel lacks functions like Benford’s Analysis. Modern audit software have data logs too. It is good to host the data on a server especially when there are multiple users. If you rely on the IT department to generate data for you, there is a risk that the data could be manipulated before being provided to you. There is an issue of how much access that an audit should be given. Data should be obtained from production and not the data warehouse. In the data warehouse, bad data might have been removed already. Application controls rely on passwords and roles to work. Relying on the controls in the ERP system might not be useful when there is collusion. Data might be present from different systems and auditors can’t simply draw the data from one ERP system.

Considerations when choosing audit software. Some of the functions that are heavily used are extract, join, relate, summarize, stratify, classify and age. Continuous monitoring is a lot more expensive and complicated. Is training a big consideration? Do you need to write your own scripts? Or can you buy scripts? What is your required return on investment? Will learning the software help the auditors in their career development? How much technical support is needed? What are the server requirements?

Analytic Software Tools. Picalo is a free tool that can be downloaded online. Some of the other software besides Excel are TopCATTs, Arbutus Software, IDEA, Monarch, Picalo, ACL. ACL usually requires a lot of training before users will know how to use.

Testing for Duplicate Payments. One can test both exact and fuzzy matches. There are multiple reasons why this might occur. First, you have to ensure that there are no duplicate vendors by scrutinizing the vendor’s details. For exact match testing, you can use ‘Substring’; ‘Include’; ‘Exclude’; ‘Alltrim’ formulae to remove dashes, hyphens etc. Testing should be performed on fields like Invoice Number, Vendor Number, PO Number, Date, Amount etc. Deconstruction techniques are used for Fuzzy matches. They use techniques like Soundex, Soundslike, HEX etc. Some of the algorithms are Levenshtein distance, Metaphone etc.

P2P Vendor Analytics. Some of the objectives are 1) vendor master file is correct; 2) employees are not vendors; 3) no duplicate or unused vendors. Match vendor information with employee information. Check out vendor addresses to ensure that they are not mail drop addresses used by delivery services. Sort the number of vendors by payments per year. Use a vendor name fuzzy match. Find vendors with missing fields to check whether the vendor master is well-kept or not.

Purchase Card Analytics. Objectives are 1) only authorized employees are using cards; 2) card purchases are acceptable. Try and detect transactions by authorized card-holders. Find cardholders not in employee master file. List top spenders by department. Find transactions in excess of authorization limits. Identify weekend and holiday purchases.

FCPA analytics. Objectives are 1) test that there are no suspicious payments made to individuals or entities; 2) verify that gifts received are permitted. Identify payments made to high risk countries. Identify cash payments. Identify unusual gifts. Identify credit card spending with unusual Merchant Category Codes. Find unusual vendors, like PEPs etc. Flag out payments with the words ‘facilitate’. Match to watch-lists, world-check etc.

P2P Payment Analytics. Objectives: 1) POs are unique and properly filled; 2) SODs are working; 3) controls to match invoice and PO amounts are accurate. Detect split purchases. Find duplicate payments. Find POs that were raised late. Look out for people who can create and approve their own POs. Look out for unauthorized purchasers. Ensure that there is approval for all POs. Compare a list of payments to prohibited vendor lists.

GL Analytics. Objectives: 1) Only authorized employees are making GL entries; 2) GL entries are acceptable. Detect duplicate GL entries. Look for suspicious wordings like ‘park’; ‘temp’; ‘reverse’; ‘suspense’. Detect GLs made at odd timings. Detect payment voucher and look out for approvals etc. Look out for frequently changed or reversed accounts. Find temporary accounts.

Healthcare Analytics. Objectives: 1) procedures billed to the correct code; 2) appropriate charges are billed to correct account; 3) reasonable timeline of patient activities.

Fraud Facts. Whistle-blower hotlines are a great way to detect fraud. Some level of fraud might be acceptable. It depends on the organizational culture. It is not the auditor’s responsibility to detect fraud. Look out for transactions with fraud symptoms. In general, there are two types of fraud: 1) Fraudulent financial reporting and 2) misappropriation of assets. It is hard to distinguish whether it was an honest mistake or fraudulent. The top from the top must be correct.

Common Business Frauds. You might need the help of a skilful financial auditor to deconstruct fraudulent financial reporting. Financial fraud is a very serious matter. Misappropriation of assets often involve kickbacks. Multiple payees could be an issue. Duplicate payments are a potential source of fraud too. A shell company could be used to deliver fictitious services. Detect maintenance which has been performed too frequently. Physical inspection of works/goods can help. Look out for defective delivery of goods/services by having good IC over the receipting of goods and services. See how often different employees reject or accept goods based on their quality. Inaccurate pricing is one of the type of risks too. Contract rigging means awarding to the lowest bid, but later subsequently changing the product specs so that the contractor will have to deliver more and thus can earn more money. Check contracted projects over their original budgets. Contract rigging is difficult to detect if you are not familiar with the goods. Bid rigging is very difficult to detect. Ensure that there are no phantom employees or contractors. Look out for invalid employees’ wages.

Interesting Fraud Stories. The fraud triangle occurs when there is 1) opportunity; 2) motivation; 3) rationalization. Don’t let non-trained employees do the accounts. Do not let the salespeople collect the cash. Be wary of bribery to win contracts etc.

The Essential Guide to Internal Auditing by KH Spencer Pickett

Introduction. Auditors are expected to deliver. They have to present ‘big picture’ risks. They also need to identify risks with the departments. The audit report must add value to the organization. Visit the IIA website and keep up to date with the latest information. It is now a full-blown profession. An IA function can provide good governance. We now need to take into account internal audit standards, and the work of academics etc. This book makes reference to a lot of IIA standards. Please read the IIA standards. Chapter 2 – Corporate Governance; Chapter 3 – Managing Risk; Chapter 4 – Internal Controls; Chapter 5 – The Internal Audit role; Chapter 6 – Professionalism; Chapter 7 – The Audit Approach; Chapter 8 – Setting an Audit Strategy; Chapter 9 – Audit Fieldwork; Chapter 10 – Meeting the Challenge. This guide can improve an auditor’s professionalism. The internal audit function has evolved over the years. It has moved from accounting data in the past to ‘risk management, control and governance processes’. In the past, internal auditors’ job was to try to pick up fraud more quickly than the external auditors. In the past, the focus was more on low-level, detailed checking. Most ACs are required to have non-executive directors as well. Now, audits involves recognizing risks and then seeing how the controls can address the risk. Should the CAE report to the main board and not just the AC? ERM is also increasing in importance. These are exciting times as IA is also taking on a greater consulting role. However, the assurance aspect is still necessary.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. – IIA definition

Corporate Governance Perspectives. An organization should strive for performance, but at the same time adhere to guidelines and regulations. The tone from the top and investor’s expectations do matter as well. Corporate scandals can undermine the trust in the society etc. That is why there are corporate governance codes that are put to practise. Understand the agency model of how the shareholders vote in the directors, the directors oversee the managers and the mangers run the operations. The directors set targets for management and the directors report results to shareholders at the end of the year. Shareholders have a right to dividends. Directors have to protect the business and account for their activities. In reality, directors may not be aware of their role. There are many stakeholders involved in a company. There is a lot more attention on shareholders and how they are treated nowadays. Giving shareholders more information may not work as they might not understand such information. Why do we need business ethics if everyone is honest? Research has shown that people are not fully aware of what an ethical culture entails. External auditors make sure that the accounts can be relied upon. For public sector, the focus on VFM is greater and the owners are the taxpayers. Ethical standards should be made clear to all. There are problems, for example: a CEO which is too powerful; board members which are not independent; incompetent boards; employees who abuse the system; no accountability framework; poor tone from the top etc. Shareholders do not like short-term growth. However, managers want instant results. There can be confusion over levels of authority, and the legislative framework etc. Corporate governance aims to combat inappropriate behaviour. The 5 key principles of governance are 1) Rights of shareholders must be protected; 2) There should be equitable treatment of shareholders; 3) Timely and adequate disclosure; 4) Disclosure and transparency; 5) Responsibility of the board. Countries should adopt international accounting standards. Independent directors should meet at least once a year. Independent directors should ask tough questions to the CEO. Management should optimize shareholder return. Transparency is important. ASX has developed an important set of corporate governance principles. The OECD has global principles of good corporate governance. There should be effective interaction between board, management, external auditor and the internal auditor. IA must report directly to the AC. The AC should select the external auditor and evaluate both external and internal auditor performance. Fraud Risk Assessment must be performed. The internal auditor is more concerned with internal control to determine whether organizational objectives can be met. Sometimes, the EA and IA audit methodologies can appear to be quite similar. IA’s role is to promote suitable organizational controls. The IA should make use of IIA standards in their work. Both EA and IA should communicate with one another. IA is interested in system weaknesses that lead to potential loopholes or fraud. Most of the time, IA staff are employees of the company. EA is usually a legal requirement. IA is mainly in charge of fraud investigations. IA can focus more on operational audits. IA may also cover operational efficiency and VFM initiatives. The IA function is also active the entire year. IA and EA should exchange their audit plans. The ideal situation is where IA and EA sit together and fully integrate their plans. Most ACs meet at least quarterly. The AC is very important in the role of corporate governance. The AC is mandatory for most international stock exchanges. The AC has many governance related responsibilities to fulfil. Where is the link to risk management and internal control? All foreseeable risks must be anticipated. A well governed organization should have good internal controls in place. The annual report should spell out clearly the responsibilities of every committee etc. The codes of corporate governance does change over time. KPIs should be integrated with KRIs.

Managing Risk. There are different types of risk management, including ERM and CSA. The audit should move towards the future, by perceiving risk. There is a move away from compliance. Risk can be controlled. Management needs to take a certain risk appetite. Risk is measured in terms of consequence and likelihood. Risk only has meaning when related to an objective. A mission statement is useful. Risk has both an upside and downside. Excessive controls should also be cut as it affects productivity. Risk management is a dynamic process. Flexibility is important. However, some risks will be unanticipated. The risk owner must be identified. There must be open communication with management on risk-related matters. All risk must be identified. There needs to be strategies to tackle high risk impact areas. The entire process must be reviewed periodically. With a good ERM structure, shareholder value should be enhanced. Risk owners should be the ones implementing controls. After controls, the residual risk can be measured. 1) Terminate – stop the activity; 2) controls – are we doing enough to reduce risk to an acceptable level?; 3) Transfer – this could be through taking an insurance policy; 4) Contingency – BCP in case high risk events occur (high impact, low likelihood); 5) Take more risk; 6) Communicate; 7) Tolerate (esp for low risk areas); 8) Commission research; 9) Tell someone; 10) Check compliance . A company should keep risk registers. The approach for residual risk is to 1) more risk; 2) accept risk; 3) implement more controls. Take note that controls are costly. The tone of the top must be set. However, risk management is sometimes conducted based on gut feel. The risk analysis must be compared with a set criteria (different areas). The organization should prepare a risk appetite statement and define the control environment etc. There needs to be both qualitative and quantitative statements (limits, thresholds, key risk indicators). Risk workshops are good. However, risk workshops could be seen as cumbersome and a waste of time. There must be a board member sponsoring the process. There should be a risk management committee. The board and the audit committee should work together on a risk assessment around corporate strategy. The CE can act as the board sponsor. It is important to get the people on the ground’s buy-in. It is important for the risk policy to be established (It should contain governance, policy scope, policy applicability, risk management process, risk appetite, reporting, roles & accountability, variations and dispensations). COSO defines ERM as ‘A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.’. Look out for cross-functional risks. CSAs could be used to get information. In addition, interviews could be made. The use of CRA workshops are one option as well. Use a properly prioritized risk register to focus on the bigger risk issues. Risk can be classified into ‘strategic, programme, project, financial and operational.’ IA needs to work with the RM team to have streamlined ERM. ERM has a big role to play in strategic planning. There have been some new developments in the ERM space. For banks, it is very important to have a CRO. Even smaller organizations are paying more attention to risk management. Risk management is a good way to improve corporate performance.

Internal Controls. IC is very important to an internal auditor. A good understanding of internal control is important. IC is important and has to put in place. Poor controls can lead to losses. There is no substitute for IC. The control environment is important. Management must determine whether there is a need for controls. Once this has been identified, suitable controls needs to be identified. Next, they need to be implemented. Controls must be applied effectively. They need to be maintained and updated too. Do understand that there are different types of controls. It is all about the people. Beware of burdensome controls. Controls must be reviewed adequately. Controls should be a way of managing risk in the organization. IC must be implemented in the working procedures. The COSO framework is a good guide. The control framework helps drives the control environment. ICs must be communicated and monitored. Purpose à Commitment à Capability à Learning & Monitoring. People must learn to challenge old assumptions. CoBiT is for IT. There is also the Basel Committee on Banking Supervision. IC is closely linked to RM. Control mechanisms should be clearly defined. There are 4 types of controls: 1) directive; 2) preventive; 3) detective; 4) corrective. Some of the types of controls are: 1) authorization; 2) physical access restrictions; 3) supervision; 4) compliance checks; 5) procedural manuals; 6) recruitment and staff development policies; 7) SOD; 8) Sequential numbering of documents and controlled stationery; 9) Reconciliations; 10) Project and procurement management; 11) Financial system controls; 12) IT security; 13) Performance management. Warning signs: 1) Ability of senior management to override accepted control; 2) Lack of staff and vacant posts; 3) Poor control culture; 4) Staff collusion; 5) Reliance on a single KPI; 6) Reliance on memory; 7) Retrospective transaction recording; 8) Uncontrolled delegation of tasks. Understand the importance of soft controls. Control mechanisms must be designed appropriately. Use integrated controls. The fallacy of perfection. Control measures are costly. Management override of control is an issue which needs to be addressed. Ownership of control is very important. New developments are important to follow. SOX was being implemented.

If government organizations are to be effective, we must establish and maintain a system of internal control to protect government resources against fraud, waste, mismanagement or misappropriation. Employees often underestimate the importance of internal controls, or think internal controls amount to merely separating duties. However, internal controls encompass a comprehensive system that is critical to helping an organization achieve its goals and mission. – State of New York, Office of the State Comptroller

The IA role. Learn to define IA. An audit charter is needed. Internal auditing must be objective in nature. IA must attempt to add value to the organization. IA should also improve an organization’s operations. It must be systematic and disciplined. There is a need to continually improve the system. Risk management and control must be executed. The IA function should achieve 1) reliability and integrity of financial and operational information; 2) effectiveness and efficiency of operations; 3) safeguarding of assets; 4) compliance with laws, regulations and contracts. Much expertise is required from internal auditors. Sometimes, IA can provide an advisory role in relation to compliance and let the compliance do the rest of the job. MIS audits are also very important and have to be conducted. VFM is also related to audit work. The use of specialists may also be necessary. An audit charter needs to be written. The audit charter should cover areas recommended by the IIA Attribute Standard 1000. There are many possible types of audits that can be conducted by IA. IA must also appear to be independent when performing their work. IA must be impartial and provide unbiased views. The manager of the department cannot dictate what the auditor should do. Audit Ethics is important. IIA should refer to the ethics code. A code of ethics is necessary. Sometimes, the word ‘audit’ has a negative connotation. The auditor should have a good understanding of what the client is doing. Information must be extracted in an efficient manner. Dealing with people is important in the job. Planning for audits in the AC forum is important. IA should not just simply do work that management expects of them. Useful information should be listed on the IA website. What are some of the competencies required of internal auditors? Certifications help to showcase competency. Example: CIA. What makes good internal auditors? Auditors should be aware of 1) internal audit procedures/guidelines; 2) accounting principles; 3) indicators of fraud; 4) key IT risks; 5) management principles and materiality; 6) Appreciate and fundamentals of business subjects; 7) Soft and hard skills. Professional Development is important for the auditor. A certain number of CPE numbers is needed to retain membership to IIA. Workshops are useful for identifying training gaps. Appoint a training co-ordinator. This person should be able to carry out basic in-house training. The IA team should read journals etc. Work closely with SMM to ensure that risks are identified. Identify skill gaps etc.

The perception that operational management is very busy doing important work while the auditor is simply checking some of the basic accounting data that relates to the area can create a great imbalance. This sets the auditor at a disadvantage from day one of the audit. – KH Spencer Pickett

Professionalism. Internal auditors need to go through a detailed training programme. They must be knowledgeable. IA are professionals. IA is now a professional discipline and this is considered a huge achievement. IIA has issued its professional practice framework. You may read the attribute standards. An auditor needs to exhibit due professional care. All audits must be performed according to certain standards. Disclosure by IA must be made for consulting services etc. Quality assurance is important. IA needs to ensure that it complies with code of conduct and other relevant standards. Appropriate evidence of supervision is documented and retained. ‘The team leader, audit manager, and CAE each have a duty to ensure that they are available to direct staff as that audit is being conducted.’. Supervisors must review each workpaper and sign off. Questions or review notes must be addressed. Internal reviews or on-going monitoring is important. External reviews must be conducted once every 5 years. A pleasant audit image must be created. A feedback questionnaire needs to be conducted. A formal complaint procedure should be voiced out.

The internal auditor’s objectivity is not adversely affected when the audit recommends standards of control for systems or review procedures before they are implemented. The auditor’s objectivity is considered to be impaired if the auditor designs, installs, drafts procedures for, or operates such systems. – KH Spencer Pickett

The Audit Approach. IA can be performed in many different ways. Use a risk based systems approach. It can be more useful to examine the proper functioning of systems. Internal auditing provides a powerful level of review. There are several stages on RBSA. The use of CRSA is also possible. IA must be equipped with the right skills to perform the role. Fraud which have yet to be discovered is very alarming indeed. For fraud to take place, there must be the 4 elements: 1) motive; 2) attraction; 3) opportunity; 4) concealment. It is important to set the tone from the top etc. It is important to plan the investigation. Fraud risk assessment must be built in to the risk assessment workshops. VFM audits also may have to be performed. Management should be able to identify cost saving areas. VFM is concerned with the following: 1) economy; 2) efficiency; 3) effectiveness. IA can now also provide consulting services. Learn to manage change. Management is more concerned with the future than the past. IT governance is important as well.

Setting an Audit Strategy. The CAE must ensure that the audit activity adds value to the organization. Objectives must be present. The main role of audit is to give assurance work. The AC must understand clearly what IA is doing. The scope of services must be defined clearly. Audit objective must be geared to the organization’s objectives as well. The CSA approach has its perks. Sometimes, PESTL and SWOT analysis must be done. Audit plans should be driven based on ERM assessment. An audit universe must be defined. Management must be involved in the risk assessment process at least annually. Weaknesses in staff morale etc must be addressed so that the IA team can perform well. The resources used must be able to execute the audit plan. Auditors must be motivated to do their work. Low to medium risk audits can be performed on a rotation basis. An appraisal scheme must be suitably designed. There must be formal appraisal criteria. An auditor should have a career plan. There are many ways to assess an auditor’s performance. An audit manual needs to be written.

Audit Fieldwork. An auditor needs to perform the fieldwork. For each audit, the following must be defined: 1) engagement’s objectives; 2) scope; 3) timing; 4) resource allocations. Try and read through previous audit files. Every audit needs to have an outstanding matters list. Carry out your background research. Get the basic facts with management. Understand the nature of the audit. Highlight the type of audit skills required. If the audit is too difficult or the resources are not sufficient, the audit should be aborted. The senior staff should lead the preliminary meetings. Next, develop audit procedures. Define the tasks that need to be performed, even for the lead auditors. Define the extent of testing. The audit scope must be sufficient to achieve the objectives. For large audits, break them down into deliverables. A trend is for a move away from teamwork with a single auditor being given an audit to streamline resources.