SSA 220 – Quality Control for an Audit of Financial Statements

This SSA concerns the responsibilities of the auditor relating to quality control procedures and also the responsibilities of the EQCR (engagement quality control reviewer). This is necessary in order to comply with SSQC1. EQCR is useful as it gives assurance that the audit complies with professional standards and applicable legal and regulatory requirements.

The engagement partner shall take responsibility for the overall quality on each audit engagement. Quality is essential in performing audit engagements. He needs to remain alert for evidence of non-compliance with ethical requirements (ACRA code). If there is non-compliance, appropriate action must be taken.

The partner also needs to assess and conclude on the independence requirements (eliminate the activity, withdraw the engagement if not-independent). He needs to be satisfied on appropriate procedures in relation to acceptance and continuance of client relationships and audit engagements. He needs to be satisfied that the engagement team has the right competence and capabilities. He is also responsible for the right direction, supervision (track progress of engagement, address significant matters, identify matters for consultation) and performance of the audit engagement.

In addition, they are responsible for consultations that are taken within the engagement team.

For audits that require EQCR, the partner shall discuss significant matters arising during the engagement with the EQCR reviewer. The audit report should only be stated on or after the EQCR review and the EQCR should be conducted in a timely manner.

The EQCR needs to look at discussion of significant matters, review of FS, review of selected audit documentation and evaluation of the conclusions reached. They also might need to examine independence of the audit firm, and whether there is appropriate consultation.

There needs to be a proper monitoring process for EQCR as well, and to ensure that P&P relating to system of quality control are relevant, adequate and operating effectively. Partners can usually rely on the system of quality control and the role of engagement teams.

Reviews by the engagement partner must be timely in nature and they should examine areas like critical areas of judgment, significant risks, other areas etc. The engagement partner need not review all audit documentation, but may do so. However, as required by SSA230, the partner documents the extent and timing of the reviews.

 

IIA Magazine Jun 2016 issue

A toxic culture is present when your work negatively affects your health – physically and emotionally. An example of such could be a change in management or management through fear and intimidation. The two options are to leave or to name the problem and discuss to make it better. Payroll should have continuous checks and balances. It is not good to report risks on an ad-hoc basis. Talent issues and development need to be addressed. There is a strong need to fight corruption. However, whistle-blowing hotlines might be underutilized, as employees fear retaliation after reporting. There are some companies which do not trust enterprise cloud deployments still.

The Fire Drill. Auditors can learn to deliver a focused message that results in management action. Effective planning of our work is the key. For instance, we can look at past audit findings. Next, one should compensate with competence, meaning backing up observation with data and experience. Sell with the passion of a champion. Findings should be sold to address a control weakness that is causing an unacceptable risk. One needs to communicate the big risks well. In the end, we need to deliver a focused message that can result in management action.

The Tech-Savvy Auditor. Effective use of audit technology can enable audit departments to provide valuable insights. Most IA staff are not familiar with IT or have weak IT backgrounds. This is not acceptable. Technology can lead to a more efficient audit and also might cut fraud losses. There is a need to improve the audit software. There should be a data analytics centre in-house. There is a need to review software usage.

Integrating Key Risks and Performance Indicators. IA can leverage its risk knowledge to improve operational performance and reduce risks exposures. IA can provide assurance on the achievement of objectives. IA can encourage the formalization of KPIs and KRIs. KRIs can serve as an early signal of increasing risk exposure. There needs to be a formal project charter. There needs to be a KPI framework with proper planning, reporting, monitoring etc. The key metrics need to be identified and a dashboard can help to present graphically the results. The KRI should be closely linked to the KPI.

Toxic Leaders, Toxic Culture. IA can identify unhealthy behaviors that may undermine the organization. Culture will affect an organization’s success. Therefore, identifying the toxic leader is important. Toxic leaders want power and control. These tend to be autocratic leaders. They could have a strong sense of entitlement and focus on themselves and not the organization. Exerting power through fear can undermine morale. They do not like to be challenged and seek to manipulate others. Closed-minded leaders think of ‘My way or the highway’. There is no need to confront the toxic leader. IA can refer the person to compliance or legal counsel. One can use behavioural psychology to analyse. For a more objective method, one can look at the reasons for turnover and examine turnover rates. One can also look at employee engagement survey results. One needs to use experience and facts as much as possible.

Analytics and the small audit department. No matter the size of an audit function, analytics can be implemented for big gains. How to go about using analytics? Some simple ones to consider are benchmarking, variance analysis, ROA, turnover etc. The analytics must have goals and performance measures. Selecting the right data source is the key and there is a need to verify the accuracy of the source. Brainstorming can help to identify key data. It is crucial to have a plan that will allow IA to continue to improve its analytics capability. It is important to attain small wins in analytics.

Business Risk. Keynote speakers for this year’s IIA International Conference identify emerging risks facing organizations. Cyber risks is at the top of the priority list for many. Ransomware is a big threat to hospitals nowadays. Other threats include politics, the economy and terrorism. Social media risks sometimes aren’t within an organization’s control. Auditors should use corporate culture to work in their favour. An organization must monitor the external environment closely. There should be a common understanding of what the risk appetite and risk cultures are. Audit needs to adjust fast and invest continually in education. IA now also needs to learn to be innovative.

An Anti-corruption Check-up. Capability maturity models can help organizations assess the effectiveness of the anti-corruption programs. This model was developed at Carnegie Mellon University. One can use the model to identify strengths and weaknesses. There are basically 4 levels of maturity. There are 7 components that form the basis of anti-corruption maturity model. There is a need to tally the scorecard too.

Craft Our Role. IA should create the role for themselves that is best for both the organization and their own personal development. IA needs to be ingenious, use creativity and resourcefulness when developing their role. Do not limit the scope to be too small. It is important to be familiar with the business in order to value add properly. The control environment needs to be evaluated properly. One can develop business acumen. It is crucial to ask the right questions. IA should network more with the other departments to build rapport and also to get a feel about the management style in the department. Learn to practise combined assurance. One can work with another dept for a joint review. This is the way to maximize external resources.

Fraud and related-party transactions. IA can identify red flags and reduce the risk and impact of related-party fraud. IA need to be able to recognize related-party fraud risks. Providing loans at below market rates is a red flag. Failing to disclose the related-party nature of the loan is a red flag. IA should try to identify related party transactions. Try to identify whether employees have link to companies that transact with the organization itself. It is also possible to compare cost variations among vendors to see how they differ from the average cost. The organization should not pay costs significantly above market prices.

Communicating Results. Sharing audit observations is one of the most important tasks auditors perform. Communicating properly can help enhance rapport. Make sure the observations are correct and are not challenged by management. Plan the timing of issue dissemination, which is as soon as possible. Try not to surprise management at the end of the audit. Write clearly. Exercise diplomacy.

‘One of the quickest ways to lose management’s respect is to make it clear that IA does not understand what is has been auditing. The answer is to take the time to learn the business, processes, and risk associated with the audited area.’

Care and Feeding of The Company’s Culture. How can IA help to ensure a healthy organizational culture? Auditing culture is certainly work examining. Healthy organizations should have guidance on norms and expectations and a healthy tone at the top. Transparency is important. Management should think long term and have a sound strategy. Ask yourself whether the root cause is behavioural or cultural in nature. The problem with culture is that it is not clear cut and might be hard to evaluate. Those who are toxic in nature might be held accountable and be responsible.

 

IIA Magazine Aug 2016 issue

Cybersecurity is an area where it is lacking among major companies. Companies need to step up to beef this area up. Productivity is a main concern for employees. Ethical pressure is greater during organizational change. The COSO framework is expected to be updated in 2017. It will be updated to include the latest risk management thinking and principles. IoT is going to have a big impact moving forward and there needs to be a comprehensive approach to go about doing it.

Analytics-Driven Audits. Before tackling data analytics, internal auditors need to understand the types of data, how it is stored, and how to apply it. Automated audits are the new trend now. It can be applied to many aspects of the audit too. Understand what are qualitative and quantitative data and their measurements. Understand how data is stored and the various formats. Any outliers should be thoroughly investigated. There are 4 types: descriptive, diagnostic, predictive and prescriptive. Learn to gain insight into the business.

The Mind of a Credit Card Hacker. Smart hackers usually lay low. They can steal credit card details and then sell them. Hackers use a vector to steal data, such as phishing. They also need to collect the data quickly and then cover their tracks. The hacker will verify that the cards are valid and start off with transactions of small amounts. If they go undetected, they may get bolder. IA can encourage the company to encrypt the credit card information and monitor access to networks. Access control needs to be checked too. IA is the third line of defence.

Make the Most of Assurance. Assurance maps can enable internal audit to team with other assurance providers to visually convey how risk is managed. IA can work with other assurance providers and depict the results in an assurance map. The map allows one to spot gaps in risk coverage or any overlaps. Assurance maps can enhance and give value to AC too. The map should not be too complex.

Tough Consequences. Adequate contract administration can save organizations a tremendous amount of grief and money. It is important to monitor vendor contracts properly. The contract administrator should be the liaison party and highlight any non-compliance. There needs to be adequate financial controls over the cash receipts and revenue cycles at the vendor’s end.

A World of Connections. The IoT requires IA to confront risks that are not so neatly contained. The impact of this is growing. IoT is about interacting with the environment for business benefit. Emerging risks from IoT must be monitored closely. There are many benefits from using IoT devices too. Management needs to be aware of the risks too. There needs to be a deployment strategy too. A policy needs to be drawn up.

Cyber Resilience. IA should work collaboratively and proactively to address breaches and build resistance to future attacks. Banks need to protect the SWIFT codes. A cyber breach might definitely occur in future. There is increasing use of software to pick up behavioural anomalies. There needs to be both a protective and detective strategy. A response plan is important. Customer data should be given top priority in a cyberattack response. IA needs to understand IT from a technical and controls perspective.

Auditing the Cloud. IA should delve into the complexities and unique risks of moving to a cloud platform. Many companies are making use of the cloud as compared to traditional data center infrastructure. Less manpower is needed to maintain a cloud as well. Servers can be added on demand too. IA needs to verify the security, reliability and availability of the data. No two clouds are the same but the common ones are infrastructure as a service, software as a service, platform as a service etc. It is good to obtain the SSAE 16 report on the vendor as evidence of its controls. It is difficult to track cloud deployment. Cloud assets can keep varying as well and it is difficult to monitor. The data is now stored on the same physical equipment as other organizations and there is a risk of leakage. A security program is still a must. Penetration testing needs to be done periodically to prevent hackers. Relying on the SSAE 16 report is useful, but not sufficient.

Trust but Verify. Control self-assessments can increase audit efficiency and spread control awareness throughout the organization. This is for process owners to self-evaluate the effectiveness of controls. This could be done via workshops/ questionaires etc. Sometimes, it is not possible to deploy a team to perform audits in every area. When CSAs are used, IA needs to explain the rationale to the management. The process owners must be identified clearly. IA needs to independently verify some of their responses. For example, only key controls or only those rated as ineffective may be selected for further testing. Continuous support is a must and training must be provided. The right level of project sponsorship is important too. It can be implemented gradually. CSA enables IA to allocate resources to focus on areas with significant control weaknesses.

Audit Never Sleeps. IA must keep innovating and improving and focus on the organizations that we love. We need to constantly do the right thing and hone our communication skills. Effective communication is the key and getting to know the auditees well is the key. Listening well is crucial too. Nowadays, IA should adopt an integrated mindset. We need to broaden our IT knowledge to meet stakeholder expectations. Applying soft skills are important too. Our work must be guarded by ethics and transparency. We need our approach our work with a strategic focus too. There is also a need to focus on our future.

Optimizing IA. IA are being continually challenged to improve their effectiveness to better meet growing expectations and workloads. IA staffing levels remain relatively constant. IA must be aware of strategy and ensure that procedures align with that strategy. IA should understand what the external risks are. As for operational efficiency, IA should offer cost effective and sustainable solutions. Quality assurance is important to ensure quality and compliance with regulations. IA should identify cost savings, understand business goals, increase collaboration, optimize technologies and strive for continuous monitoring.

Invest like a Pro in 10 Days

Everyone needs a budget. Personal finance affects every aspect of your life. Everyone should be investing. Many people believe that they will not have enough money to retire. You need to spend money in accordance with your values. It is important to save for a rainy day. A budget can be altered over time. This book doesn’t delve into complicated material or technical terms. Warren Buffett believes in value investing and not active investing.

Why Should You Invest? Do not invest if you want to make a quick buck or your aunt recommends you a stock. You must understand what you are investing in. You must set a clear goal. The main reason is to build wealth. The average wealthy person invests at least 20% of their income. The trick is to give every dollar a job to do. By investing, you are making the money work for you. This is what is meant by ‘leveraging’ your money. Wealth is a boring motivator. However, one can do a lot with more money. For one, one could retire early. You can use the money for your child’s education. Weddings are getting more and more costly. You might also aim to buy a car in future. Your investment goals must be SMART in nature. For instance, a goal could be ‘I will invest $xx each month into my investment account so that I can purchase a new car costing $yy in 5 years time’. To go the distance, you will need goals.

Investment Growth. One invests so that their wealth can grow. Understand the concept of compound growth. Investments boil down to 3 components: a) amount; b) length of time; (c) rate of return. Remember that in investing, time is your best friend. You can use the Rule of 72 to find out how long it takes before your money doubles. Factors like taxes, inflation, transaction fee can affect your rate of return. Taxes can be huge and should be minimized. Brokers will charge you a transaction fee for buying/selling. Hence, it makes sense to buy/sell large quantities .Mutual fund expense ratios can be quite high. Be wary of fees that are pegged to AUM. 401k fees also erode your net returns.

How to Win the Investment Game. There are plenty of books on investing. The key is to start now and set your investments on auto-pilot. The key is to be boring, there is no need to talk a lot about your investments. Understand about risk/reward. The mix of your assets is your asset allocation. Different instruments have different risks associated with them. Depending on what are your goals and at what stage of life you are in, invest appropriately. Diversify your portfolio. Apply dollar-cost averaging on your portfolio so as to in general, ‘buy low sell high’. Timing the market is stupid and unreliable. If you wait too long for the perfect time to enter the market, chances are you will miss out on a lot of potential income.

Become a Control Freak. You can control the following: When you will invest, How you will invest. Focus on your investment goals, before looking at your expenses. Always focus on only what you can truly control. Markets are irrational and it doesn’t make sense trying to analyse market performance. Be lazy and set everything to autopilot.

Since you cannot successfully time the market or select individual stocks, asset allocation should be the major focus of your investment strategy, because it is the only factor affecting your investment risk and return that you can control. – William Bernstein

Investment Types. Stocks are traded on exchanges and it is like owning a small stake in the company. When they are riskier, they provide greater returns. A mutual fund consists of different stocks. One share might represent different stocks, but the fund also has its own expenses. An index fund is a passively managed one. Mutual funds are run by investment professionals. The author believes in the power of index funds. Even Warren Buffett recommends index funds for most people. The fees are also the lowest. ETFs are tough to beat and have very minimal expense ratios. Stocks are valued via discounted cash flow or the dividend growth model.

All About Bonds. Bondholders are paid before stockholders in a liquidation. There is an expiry date on the bond and the principal will be returned to you at the end of the tenure. Bondholders receive interest first and companies are obligated to pay bondholders their coupon interest. However, you must be concerned with default risk, interest rate risk, inflation risk. Federal bonds are safer than municipal bonds. Corporate bonds have credit ratings. If people anticipate interest rates to go up, then bond values will go down and vice versa. They are useful to add if you are more conservative in your investing style. There are also bond ETFs available.

The Essential Guide to Internal Auditing by KH Spencer Pickett

Introduction. Auditors are expected to deliver. They have to present ‘big picture’ risks. They also need to identify risks with the departments. The audit report must add value to the organization. Visit the IIA website and keep up to date with the latest information. It is now a full-blown profession. An IA function can provide good governance. We now need to take into account internal audit standards, and the work of academics etc. This book makes reference to a lot of IIA standards. Please read the IIA standards. Chapter 2 – Corporate Governance; Chapter 3 – Managing Risk; Chapter 4 – Internal Controls; Chapter 5 – The Internal Audit role; Chapter 6 – Professionalism; Chapter 7 – The Audit Approach; Chapter 8 – Setting an Audit Strategy; Chapter 9 – Audit Fieldwork; Chapter 10 – Meeting the Challenge. This guide can improve an auditor’s professionalism. The internal audit function has evolved over the years. It has moved from accounting data in the past to ‘risk management, control and governance processes’. In the past, internal auditors’ job was to try to pick up fraud more quickly than the external auditors. In the past, the focus was more on low-level, detailed checking. Most ACs are required to have non-executive directors as well. Now, audits involves recognizing risks and then seeing how the controls can address the risk. Should the CAE report to the main board and not just the AC? ERM is also increasing in importance. These are exciting times as IA is also taking on a greater consulting role. However, the assurance aspect is still necessary.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. – IIA definition

Corporate Governance Perspectives. An organization should strive for performance, but at the same time adhere to guidelines and regulations. The tone from the top and investor’s expectations do matter as well. Corporate scandals can undermine the trust in the society etc. That is why there are corporate governance codes that are put to practise. Understand the agency model of how the shareholders vote in the directors, the directors oversee the managers and the mangers run the operations. The directors set targets for management and the directors report results to shareholders at the end of the year. Shareholders have a right to dividends. Directors have to protect the business and account for their activities. In reality, directors may not be aware of their role. There are many stakeholders involved in a company. There is a lot more attention on shareholders and how they are treated nowadays. Giving shareholders more information may not work as they might not understand such information. Why do we need business ethics if everyone is honest? Research has shown that people are not fully aware of what an ethical culture entails. External auditors make sure that the accounts can be relied upon. For public sector, the focus on VFM is greater and the owners are the taxpayers. Ethical standards should be made clear to all. There are problems, for example: a CEO which is too powerful; board members which are not independent; incompetent boards; employees who abuse the system; no accountability framework; poor tone from the top etc. Shareholders do not like short-term growth. However, managers want instant results. There can be confusion over levels of authority, and the legislative framework etc. Corporate governance aims to combat inappropriate behaviour. The 5 key principles of governance are 1) Rights of shareholders must be protected; 2) There should be equitable treatment of shareholders; 3) Timely and adequate disclosure; 4) Disclosure and transparency; 5) Responsibility of the board. Countries should adopt international accounting standards. Independent directors should meet at least once a year. Independent directors should ask tough questions to the CEO. Management should optimize shareholder return. Transparency is important. ASX has developed an important set of corporate governance principles. The OECD has global principles of good corporate governance. There should be effective interaction between board, management, external auditor and the internal auditor. IA must report directly to the AC. The AC should select the external auditor and evaluate both external and internal auditor performance. Fraud Risk Assessment must be performed. The internal auditor is more concerned with internal control to determine whether organizational objectives can be met. Sometimes, the EA and IA audit methodologies can appear to be quite similar. IA’s role is to promote suitable organizational controls. The IA should make use of IIA standards in their work. Both EA and IA should communicate with one another. IA is interested in system weaknesses that lead to potential loopholes or fraud. Most of the time, IA staff are employees of the company. EA is usually a legal requirement. IA is mainly in charge of fraud investigations. IA can focus more on operational audits. IA may also cover operational efficiency and VFM initiatives. The IA function is also active the entire year. IA and EA should exchange their audit plans. The ideal situation is where IA and EA sit together and fully integrate their plans. Most ACs meet at least quarterly. The AC is very important in the role of corporate governance. The AC is mandatory for most international stock exchanges. The AC has many governance related responsibilities to fulfil. Where is the link to risk management and internal control? All foreseeable risks must be anticipated. A well governed organization should have good internal controls in place. The annual report should spell out clearly the responsibilities of every committee etc. The codes of corporate governance does change over time. KPIs should be integrated with KRIs.

Managing Risk. There are different types of risk management, including ERM and CSA. The audit should move towards the future, by perceiving risk. There is a move away from compliance. Risk can be controlled. Management needs to take a certain risk appetite. Risk is measured in terms of consequence and likelihood. Risk only has meaning when related to an objective. A mission statement is useful. Risk has both an upside and downside. Excessive controls should also be cut as it affects productivity. Risk management is a dynamic process. Flexibility is important. However, some risks will be unanticipated. The risk owner must be identified. There must be open communication with management on risk-related matters. All risk must be identified. There needs to be strategies to tackle high risk impact areas. The entire process must be reviewed periodically. With a good ERM structure, shareholder value should be enhanced. Risk owners should be the ones implementing controls. After controls, the residual risk can be measured. 1) Terminate – stop the activity; 2) controls – are we doing enough to reduce risk to an acceptable level?; 3) Transfer – this could be through taking an insurance policy; 4) Contingency – BCP in case high risk events occur (high impact, low likelihood); 5) Take more risk; 6) Communicate; 7) Tolerate (esp for low risk areas); 8) Commission research; 9) Tell someone; 10) Check compliance . A company should keep risk registers. The approach for residual risk is to 1) more risk; 2) accept risk; 3) implement more controls. Take note that controls are costly. The tone of the top must be set. However, risk management is sometimes conducted based on gut feel. The risk analysis must be compared with a set criteria (different areas). The organization should prepare a risk appetite statement and define the control environment etc. There needs to be both qualitative and quantitative statements (limits, thresholds, key risk indicators). Risk workshops are good. However, risk workshops could be seen as cumbersome and a waste of time. There must be a board member sponsoring the process. There should be a risk management committee. The board and the audit committee should work together on a risk assessment around corporate strategy. The CE can act as the board sponsor. It is important to get the people on the ground’s buy-in. It is important for the risk policy to be established (It should contain governance, policy scope, policy applicability, risk management process, risk appetite, reporting, roles & accountability, variations and dispensations). COSO defines ERM as ‘A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.’. Look out for cross-functional risks. CSAs could be used to get information. In addition, interviews could be made. The use of CRA workshops are one option as well. Use a properly prioritized risk register to focus on the bigger risk issues. Risk can be classified into ‘strategic, programme, project, financial and operational.’ IA needs to work with the RM team to have streamlined ERM. ERM has a big role to play in strategic planning. There have been some new developments in the ERM space. For banks, it is very important to have a CRO. Even smaller organizations are paying more attention to risk management. Risk management is a good way to improve corporate performance.

Internal Controls. IC is very important to an internal auditor. A good understanding of internal control is important. IC is important and has to put in place. Poor controls can lead to losses. There is no substitute for IC. The control environment is important. Management must determine whether there is a need for controls. Once this has been identified, suitable controls needs to be identified. Next, they need to be implemented. Controls must be applied effectively. They need to be maintained and updated too. Do understand that there are different types of controls. It is all about the people. Beware of burdensome controls. Controls must be reviewed adequately. Controls should be a way of managing risk in the organization. IC must be implemented in the working procedures. The COSO framework is a good guide. The control framework helps drives the control environment. ICs must be communicated and monitored. Purpose à Commitment à Capability à Learning & Monitoring. People must learn to challenge old assumptions. CoBiT is for IT. There is also the Basel Committee on Banking Supervision. IC is closely linked to RM. Control mechanisms should be clearly defined. There are 4 types of controls: 1) directive; 2) preventive; 3) detective; 4) corrective. Some of the types of controls are: 1) authorization; 2) physical access restrictions; 3) supervision; 4) compliance checks; 5) procedural manuals; 6) recruitment and staff development policies; 7) SOD; 8) Sequential numbering of documents and controlled stationery; 9) Reconciliations; 10) Project and procurement management; 11) Financial system controls; 12) IT security; 13) Performance management. Warning signs: 1) Ability of senior management to override accepted control; 2) Lack of staff and vacant posts; 3) Poor control culture; 4) Staff collusion; 5) Reliance on a single KPI; 6) Reliance on memory; 7) Retrospective transaction recording; 8) Uncontrolled delegation of tasks. Understand the importance of soft controls. Control mechanisms must be designed appropriately. Use integrated controls. The fallacy of perfection. Control measures are costly. Management override of control is an issue which needs to be addressed. Ownership of control is very important. New developments are important to follow. SOX was being implemented.

If government organizations are to be effective, we must establish and maintain a system of internal control to protect government resources against fraud, waste, mismanagement or misappropriation. Employees often underestimate the importance of internal controls, or think internal controls amount to merely separating duties. However, internal controls encompass a comprehensive system that is critical to helping an organization achieve its goals and mission. – State of New York, Office of the State Comptroller

The IA role. Learn to define IA. An audit charter is needed. Internal auditing must be objective in nature. IA must attempt to add value to the organization. IA should also improve an organization’s operations. It must be systematic and disciplined. There is a need to continually improve the system. Risk management and control must be executed. The IA function should achieve 1) reliability and integrity of financial and operational information; 2) effectiveness and efficiency of operations; 3) safeguarding of assets; 4) compliance with laws, regulations and contracts. Much expertise is required from internal auditors. Sometimes, IA can provide an advisory role in relation to compliance and let the compliance do the rest of the job. MIS audits are also very important and have to be conducted. VFM is also related to audit work. The use of specialists may also be necessary. An audit charter needs to be written. The audit charter should cover areas recommended by the IIA Attribute Standard 1000. There are many possible types of audits that can be conducted by IA. IA must also appear to be independent when performing their work. IA must be impartial and provide unbiased views. The manager of the department cannot dictate what the auditor should do. Audit Ethics is important. IIA should refer to the ethics code. A code of ethics is necessary. Sometimes, the word ‘audit’ has a negative connotation. The auditor should have a good understanding of what the client is doing. Information must be extracted in an efficient manner. Dealing with people is important in the job. Planning for audits in the AC forum is important. IA should not just simply do work that management expects of them. Useful information should be listed on the IA website. What are some of the competencies required of internal auditors? Certifications help to showcase competency. Example: CIA. What makes good internal auditors? Auditors should be aware of 1) internal audit procedures/guidelines; 2) accounting principles; 3) indicators of fraud; 4) key IT risks; 5) management principles and materiality; 6) Appreciate and fundamentals of business subjects; 7) Soft and hard skills. Professional Development is important for the auditor. A certain number of CPE numbers is needed to retain membership to IIA. Workshops are useful for identifying training gaps. Appoint a training co-ordinator. This person should be able to carry out basic in-house training. The IA team should read journals etc. Work closely with SMM to ensure that risks are identified. Identify skill gaps etc.

The perception that operational management is very busy doing important work while the auditor is simply checking some of the basic accounting data that relates to the area can create a great imbalance. This sets the auditor at a disadvantage from day one of the audit. – KH Spencer Pickett

Professionalism. Internal auditors need to go through a detailed training programme. They must be knowledgeable. IA are professionals. IA is now a professional discipline and this is considered a huge achievement. IIA has issued its professional practice framework. You may read the attribute standards. An auditor needs to exhibit due professional care. All audits must be performed according to certain standards. Disclosure by IA must be made for consulting services etc. Quality assurance is important. IA needs to ensure that it complies with code of conduct and other relevant standards. Appropriate evidence of supervision is documented and retained. ‘The team leader, audit manager, and CAE each have a duty to ensure that they are available to direct staff as that audit is being conducted.’. Supervisors must review each workpaper and sign off. Questions or review notes must be addressed. Internal reviews or on-going monitoring is important. External reviews must be conducted once every 5 years. A pleasant audit image must be created. A feedback questionnaire needs to be conducted. A formal complaint procedure should be voiced out.

The internal auditor’s objectivity is not adversely affected when the audit recommends standards of control for systems or review procedures before they are implemented. The auditor’s objectivity is considered to be impaired if the auditor designs, installs, drafts procedures for, or operates such systems. – KH Spencer Pickett

The Audit Approach. IA can be performed in many different ways. Use a risk based systems approach. It can be more useful to examine the proper functioning of systems. Internal auditing provides a powerful level of review. There are several stages on RBSA. The use of CRSA is also possible. IA must be equipped with the right skills to perform the role. Fraud which have yet to be discovered is very alarming indeed. For fraud to take place, there must be the 4 elements: 1) motive; 2) attraction; 3) opportunity; 4) concealment. It is important to set the tone from the top etc. It is important to plan the investigation. Fraud risk assessment must be built in to the risk assessment workshops. VFM audits also may have to be performed. Management should be able to identify cost saving areas. VFM is concerned with the following: 1) economy; 2) efficiency; 3) effectiveness. IA can now also provide consulting services. Learn to manage change. Management is more concerned with the future than the past. IT governance is important as well.

Setting an Audit Strategy. The CAE must ensure that the audit activity adds value to the organization. Objectives must be present. The main role of audit is to give assurance work. The AC must understand clearly what IA is doing. The scope of services must be defined clearly. Audit objective must be geared to the organization’s objectives as well. The CSA approach has its perks. Sometimes, PESTL and SWOT analysis must be done. Audit plans should be driven based on ERM assessment. An audit universe must be defined. Management must be involved in the risk assessment process at least annually. Weaknesses in staff morale etc must be addressed so that the IA team can perform well. The resources used must be able to execute the audit plan. Auditors must be motivated to do their work. Low to medium risk audits can be performed on a rotation basis. An appraisal scheme must be suitably designed. There must be formal appraisal criteria. An auditor should have a career plan. There are many ways to assess an auditor’s performance. An audit manual needs to be written.

Audit Fieldwork. An auditor needs to perform the fieldwork. For each audit, the following must be defined: 1) engagement’s objectives; 2) scope; 3) timing; 4) resource allocations. Try and read through previous audit files. Every audit needs to have an outstanding matters list. Carry out your background research. Get the basic facts with management. Understand the nature of the audit. Highlight the type of audit skills required. If the audit is too difficult or the resources are not sufficient, the audit should be aborted. The senior staff should lead the preliminary meetings. Next, develop audit procedures. Define the tasks that need to be performed, even for the lead auditors. Define the extent of testing. The audit scope must be sufficient to achieve the objectives. For large audits, break them down into deliverables. A trend is for a move away from teamwork with a single auditor being given an audit to streamline resources.