Slide 1

Chapter 18

Internal Auditing andOutsourcing

Define Internal Auditing

Internal auditing is an independent andobjective assurance and consultingactivity that is designed to add value toimprove an organization's operations. Ithelps an organization accomplish itsobjectives by bringing a systematic,discipline approach to evaluate andimprove the effectiveness of riskmanagement, control, and governanceprocesses.

Discuss Internal Auditing

Exists only because it adds value to theorganization

Must change as organizations change

Proves objective assurance to topmanagement and the board

Reports problems, and also offersadvice on needed improvements

Encompasses all the importantoperations of an organization

Assurance & Consulting Activity

Assurance services - objective services that improve the

Quality of information about processes

Effectiveness of controls

Reliability of information

Compliance with company, regulatory, orgovernmental procedures

Effectiveness and efficiency of operations

Consulting services:

Advisory or partnering activities that add value andimprove operations

Both parties must agree on nature and scope ofservices

Identifies problems and potential solutions

Advisory; does not include decision making

Discuss Assurance & ConsultingActivity

Systematic and Disciplined Approach

Internal auditing standards are designed to ensureobjective, relevant, and sufficient evidence isgathered and evaluated

Internal auditors identify risks, gather evidence,evaluate findings, and suggest improvements

Elements of the systematic and disciplinedapproach:

Defined audit objectives

Risk analysis

Audit work plan

Defined audit procedures

Use of technology

Independent review of audit work

Review of conclusions with management

Assurance & Consulting Activity(Continued)

Corporate Governance, Risk Management, andControl

Good governance requires organizationsimplement processes and controls designedto ensure

Decisions are made at the appropriate level of theorganization

Processes comply with organization policies andgovernment regulations

Processes are efficient and effective

Risks are identified and factored into decisions

Controls are properly designed and implemented

Effective whistle-blowing function is implemented

Review Internal Auditing &Corporate Governance

Internal auditors should:

Understand key governance issues, stakeholders,and accountability to those stakeholders

Provide analysis to determine that top managementunderstands risks and have processes in place toaddress such risks

Ensure the organization has controls to addresssuch risks, and that such controls are operatingeffectively

Evaluate organization's processes for determiningoperating efficiency

Determine that operations comply with organizationpolicies as well as contracts, laws, and regulations

Determine that an effective whistle-blowing functionis in place

What is the internal auditcharter?

Statement of the internal audit's role in an organization, thecharter accomplishes two important objectives:

Defines the scope of the internal audit activity including accessto company records

Defines the reporting relationships that exist between the auditactivity and others within the organization such as auditcommittee members, senior management, and operatingmanagement

Important issues that should be noted in the charter:

Statement of the mission of the activity defined in terms ofgovernance, risk, control, and operating efficiency

Identification of audit accountabilities

Defined responsibility to provide periodic reports

Prohibition against performing operational tasks

Identification of standards by which to judge performance ofinternal audit work

Review Internal Auditing & theAudit Committee

Internal auditors assist the audit committee in anumber of ways:

Review the quality of internal controls over financialreporting

Provide an independent viewpoint on majoraccounting issues

Provide feedback on the efficiency of operations andcompliance with company and regulatory policies

Facilitate information flow to the audit committee

Perform special projects or investigations asrequested

Monitor effectiveness of whistle-blowingactivities

Evaluate whether the company has met itsreporting objectives

Assess the "quality" of financial reporting

Evaluate the effectiveness of riskmanagement processes

Provide independent assessments of risk

Provide information to facilitate monitoringof key risks

Review Internal Auditing &the Audit Committee

Discuss Internal AuditOutsourcing

Recent trend for companies to outsource their internal auditfunction to public accounting or other specialize firms

This trend may slow as the SEC prohibits a CPA from providingboth internal and external audit services for the same company

Possible advantages of outsourcing internal audit function.Service provider may:

Have greater expertise or specialized talents

Be able to provide service at lower cost

Have global presence and be able to provide service withoutlanguage or cultural problems

Provide greater flexibility in staffing and budgeting

Possible disadvantages of outsourcing internal audit function:

Employees may have greater knowledge of the company andits operations

Loss of internal audit as a training ground to develop newmanagers

What is value added internalauditing?

Internal audit activities can be classified as:

Risk analysis

Organizations take risks to accomplish their objectives

Organizations need processes to recognize risk andinstitute controls to minimize adverse outcomes

Risk analysis examines whether processes are adequate tomanage risks

Information reliability

Organizations need accurate, reliable, and timelyinformation

Information must also be protected

Internal auditors perform periodic reviews of security andcontrols

Control effectiveness

Controls exist to address risks

Internal auditors provide objective assessment asto whether

Controls are adequate to manage risk

Controls are operating effectively

Operational effectiveness and efficiency

Conformance with company policies andprocedures

Fraud investigations

What is value added internalauditing? (Continued)

What are operational audits?

Evaluate organization's activities, systems, andcontrols

Assess quality and efficiency of performance

Identify opportunities and developrecommendations for improvement

Criteria for evaluation of performance

Past operations

Best practices for similar operations

Stated management objectives

Further Discussion ofOperational Audits

Every operational audit follows the same ten step process:

Understanding the operational area and management'sinterest in having the area audited

Develop background information about the audit area

Develop objective criteria regarding operationalefficiency

Perform preliminary analysis of the audit area

Perform detailed risk analysis

Develop and analyze data that might indicate problems

Perform inquiry and testing to identify source ofproblems

Performed detailed tests of operating activities andcontrols

Summarize findings - prepare report and discuss withmanagement

Develop mechanism to follow-up on recommendations

More Operational Audits

Detailed considerations: Establish criteria

Objective criteria should be established prior to the audit

Criteria should include both performance and controlmeasures

Perform preliminary risk analysis for all operational audit areas

To determine whether organization has effective riskmanagement process

To identify important controls

Perform analytical analysis

To identify existence and source of potential operatingproblems

Test controls and operations

Every operational audit will have compliance testingcomponent

To determine whether operations follow company policiesand meet company standards

Discuss Compliance Audits

Performed to determine whether operations arebeing conducted in compliance withcontracts, management's policies, orapplicable laws and regulations

Add value because they can

Improve operational efficiency

Provide assurance that organization isoperating within applicable laws andregulations

Internal Auditing and Sarbanes-Oxley

Internal auditors are an integral part ofassisting organizations to implementprovisions of the Sarbanes-Oxley Act

Internal audit may assist in facilitatinga control self-assessment bymanagement assisting operatingpersonnel understand controls anddocumentation

Review Internal Audit Standards

Standards for the Professional Practice ofInternal Auditing (IIA):

Attribute Standards

Purpose, Authority, and Responsibility

Independence and Objectivity

Proficiency and Due Professional Care

Quality Assurance and ImprovementProgram

Performance Standards

Managing the Internal Audit Activity

Nature of Work

Performance Standards

Engagement Planning

Performing the Engagement

Communicating Results

Monitoring Progress

Management's Acceptance of Risks

Implementation Standards

There may be multiple implementationstandards derived from the concepts in theattribute and performance standards

Review Internal Audit Standards(Continued)

What is the IIA Code of Ethics?

Focuses on broad-based Principlesand Rules of Conduct regarding:

Integrity

Objectivity

Confidentiality

Competence

Comment on Reporting Fraud

The IIA's Code of Ethics makes it clearthat an internal auditor should

"Observe the law and make disclosuresexpected by the law and theprofession"

"Not knowingly be a party to any illegalactivity, nor engage in acts that arediscreditable to the profession ofinternal auditing or to the organization"

If an internal auditor uncovers evidence offraud, the auditor should:

Document the findings and include them inan audit report

Report findings to the board of directors, theaudit committee, and appropriate membersof top management

Consult with an attorney on actionsappropriate to the particular case

Consider the need for any additional actionto disassociate from the fraud

Comment on Reporting Fraud