Table of Contents
LIST OF ABBREVIATIONS
Chapter 1 - INTRODUCTION
1.1 Reasoning behind the Book
1.2 The IIA Standards and Links to the Book
1.3 How to Navigate around the Book
1.4 The Handbook as a Development Tool
1.5 The Development of Internal Auditing
Summary and Conclusions
Chapter 1: Multi-choice Questions
Chapter 2 - CORPORATE GOVERNANCE PERSPECTIVES
2.1 The Agency Concept
2.2 Corporate Ethics and Accountability
2.3 International Scandals and their Impact
2.4 Models of Corporate Governance
2.5 Putting Governance into Practice
2.6 The External Audit
2.7 The Audit Committee
2.8 Internal Audit
2.9 The Link to Risk Management and Internal Control
2.10 Reporting on Internal Controls
2.11 New Developments
Summary and Conclusions
Chapter 2: Assignment Questions
Chapter 2: Multi-choice Questions
Chapter 3 - MANAGING RISK
3.1 What Is Risk?
3.2 The Risk Challenge
3.3 Risk Management and Residual Risk
3.4 Mitigation through Controls
3.5 Risk Registers and Appetites
3.6 The Risk Policy
3.7 Enterprise-wide Risk Management
3.8 Control Self-assessment
3.9 Embedded Risk Management
3.10 The Internal Audit Role in Risk Management
3.11 New Developments
Summary and Conclusions
Chapter 3: Assignment Questions
Chapter 3: Multi-choice Questions
Chapter 4 - INTERNAL CONTROLS
4.1 Why Controls?
4.2 Control Framework - COSO
4.3 Control Framework - CoCo
4.4 Other Control Models
4.5 Links to Risk Management
4.6 Control Mechanisms
4.7 Importance of Procedures
4.8 Integrating Controls
4.9 The Fallacy of Perfection
4.10 Internal Control Awareness Training
4.11 New Developments
Summary and Conclusions
Chapter 4: Assignment Questions
Chapter 4: Multi-choice Questions
Chapter 5 - THE INTERNAL AUDIT ROLE
5.1 Why Auditing?
5.2 Defining Internal Audit
5.3 The Audit Charter
5.4 Audit Services
5.6 Audit Ethics
5.7 Police Officer versus Consultant
5.8 Managing Expectations through Web Design
5.9 Audit Competencies
5.10 Training and Development
5.11 New Developments
Summary and Conclusions
Chapter 5: Assignment Questions
Chapter 5: Multi-choice Questions
Chapter 6 - PROFESSIONALISM
6.1 Audit Professionalism
6.2 Internal Auditing Standards
6.3 Due Professional Care
6.4 Professional Consulting Services
6.5 The Quality Concept
6.6 Defining the Client
6.7 Internal Review and External Review
6.8 Tools and Techniques
6.9 Marketing the Audit Role
6.10 Continuous Improvement
6.11 New Developments
Summary and Conclusions
Chapter 6: Assignment Questions
Chapter 6: Multi-choice Questions
Chapter 7 - THE AUDIT APPROACH
7.1 The Systems Approach
7.2 Control Risk Self-assessment (CRSA)
7.3 Facilitation Skills
7.4 Integrating Self-assessment and Audit
7.5 Fraud Investigations
7.6 Information Systems Auditing
7.8 VFM, Social and Financial Audits
7.9 The Consulting Approach
7.10 The ‘Right’ Structure
7.11 New Developments
Summary and Conclusions
Chapter 7: Assignment Questions
Chapter 7: Multi-choice Questions
Chapter 8 - SETTING AN AUDIT STRATEGY
8.1 Risk-based Strategic Planning
8.2 Resourcing the Strategy
8.3 Managing Performance
8.4 Dealing with Typical Problems
8.5 The Audit Manual
8.6 Delegating Audit Work
8.7 Audit Information Systems
8.8 Establishing a New Internal Audit Shop
8.9 The Outsourcing Approach
8.10 The Audit Planning Process
8.11 New Developments
Summary and Conclusions
Chapter 8: Assignment Questions
Chapter 8: Multi-choice Questions
Chapter 9 - AUDIT FIELD WORK
9.1 Planning the Audit
9.2 Interviewing Skills
9.3 Ascertaining the System
9.5 Testing Strategies
9.6 Evidence and Working Papers
9.7 Statistical Sampling
9.8 Reporting Results of the Audit
9.9 Formal Presentations
9.10 Audit Committee Reporting
9.11 New Developments
Summary and Conclusions
Chapter 9: Assignment Questions
Chapter 9: Multi-choice Questions
Chapter 10 - MEETING THE CHALLENGE
10.1 The New Dimensions of Internal Auditing
10.2 The Audit Reputation
10.5 Meeting the Challenge
Summary and Conclusions
Chapter 10: Multi-choice Questions
Appendix A - INDUCTION/ORIENTATION PROGRAMME
Appendix B - CRSA BEST PRACTICE GUIDE
Appendix C - A POEM BY PROFESSOR GERALD VINTEN
Appendix D - ANALYTICAL TECHNIQUES BY SUE SEAMOUR
Appendix E - MULTI-CHOICE QUESTIONS: ANSWER GUIDE
Copyright © 2010 K.H. Spencer Pickett
John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, United Kingdom
For details of our global editorial offices, for customer services and for information about how to apply for permission to reuse the copyright material in this book please see our website at www.wiley.com
The right of the author to be identified as the author of this work has been asserted in accordance with the Copyright, Designs and Patents Act 1988.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by the UK Copyright, Designs and Patents Act 1988, without the prior permission of the publisher.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.
Designations used by companies to distinguish their products are often claimed as trademarks. All brand names and product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective owners. The publisher is not associated with any product or vendor mentioned in this book. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold on the understanding that the publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional should be sought.
Library of Congress Cataloging-in-Publication Data
Pickett, K. H. Spencer.
Includes bibliographical references and index.
1. Auditing, Internal. I. Title.
657’.458 - dc22
A catalogue record for this book is available from the British Library.
Typeset in 9.5/12 Gill Sans Light by Laserwords Private Limited, Chennai, India.
This handbook is dedicated to the memory of my mother, Joycelyn, who passed away in August 2002
LIST OF ABBREVIATIONS
AC - Audit Committee
ACCA - Association of Chartered Certified Accountants
ACR - Assurance, Control and Risk
AIB - Allied Irish Bank
AICPA - American Institute of Certified Public Accountants
AIRMIC - Association of Insurance and Risk Managers
ALARM - Association of Local Authority Risk Managers
AO - Accounting Officer
APB - Auditing Practices Board
BA - Business Area
BBC - British Broadcasting Corporation
BCCI - Bank of Credit and Commerce International
BCP - Business Continuity Program
BFS - Baring Futures Singapore
BV - Book Value
C&AG - Comptroller and Auditor General
CAAT - Computer Assisted Audit Techniques
CAE - Chief Audit Executive
CBI - Confederation of British Industry
CBOK - Common Body of Knowledge
CCAB - Consultative Committee of Accountancy Bodies
CEO - Chief Executive Officer
CFIA - Competency Framework for Internal Auditors
CFO - Chief Financial Officer
CG - Corporate Governance
CIA - Chief Internal Auditor
CICA - Canadian Institute of Chartered Accountants
CIMA - Chartered Institute of Management Accountants
CIO - Chief Information Officer
CIPFA - Chartered Institute of Public Finance and Accountancy
CISO - Chief Information Security Officer
COSO - Committee of Sponsoring Organizations of the Treadway Commission
CPA - Certified Public Accountant
CPD - Continuing Professional Development
CPE - Continuing Professional Education
CRO - Chief Risk Officer
CRSA - Control and Risk Self-Assessment
CSA - Control Self-Assessment
CSFB - Credit Suisse First Boston
CSI - Computer Security Institute
CSR - Corporate Social Responsibility
DA - District Auditor
DF - Director of Finance
DGIA - Directorate General for Internal Audit
DP - Data Protection
DR - Disaster Recovery
DRP - Disaster-Recovery Program
DTI - Department of Trade and Industry
EA - External Audit
EC - European Commission
ECIIA - European Confederation of Institutes of Internal Auditing
EFQM - European Foundation Quality Model
ERM - Enterprise Risk Management
ERM - Effective Risk Management
EU - European Union
FCO - Foreign and Commonwealth Office
FD - Finance Director
FEI - Financial Executives International
FRC - Financial Reporting Council
FRRP - Financial Reporting Review Panel
FSA - Financial Services Authority
GAAP - Generally Accepted Accounting Policies
GAIN - Global Audit Information Network
GAO - Government Accountability Office
GAP - Generally Accepted Accounting Principles
GAR - Guaranteed Annuity Rate
GRC - Governance, Risk, and Control
GSE - Government-Sponsored Enterprises
HM - Her Majesty’s
HoP - Head of Personnel
HR - Human Resource
HRM - Human Resource Management
IA - Internal Audit
IC - Input Control
ICAEW - Institute of Chartered Accountants in England and Wales
ICE - Internal Control Evaluation
ICGN - International Corporate Governance Network
ICQ - Internal Control Questionnaire
IFRS - International Financial Reporting Standards
IIA - Institute of Internal Auditors
IiP - Investors in People
IMC - Institute of Management Consultants
IoD - Institute of Directors
IPPF - International Professional Practices Framework
IPSAS - International Public Sector Accounting Standards
IRC - INFOSEC Research Council
IS - Information Systems
ISO - International Standards Organization
ISS - Institutional Shareholder Services
IT - Information Technology
JDS - Joint Disciplinary Scheme
KPIs - Key Performance Indicators
KPMG - Klynveld, Peat, Main and Goerdeler
KRCM - Key Risk and Control Matrix
MIIA - Advanced Diploma in Internal Audit Management
MIS - Management Information System
MO - Main Office
MUS - Monetary Unit Sampling
NAO - National Audit Office
NDPBs - Non-Departmental Public Bodies
NED - Non-Executive Director
NHS - National Health Service
NII - Nuclear Installations Inspectorate
NYSE - New York Stock Exchange
OC - Output Control
OECD - Organization for Economic Cooperation and Development
PA - Performance Appraisal
PAC - Public Accounts Committee
PAF - Public Audit Forum
PC - Processing Control
PC - Personal Computer
PC - Plans and Control
PESTL - Political, Economical, Social, Technical and Legal
PI - Performance Indicator
PIIA - Diploma in Internal Audit Practice
PIPEDA - Personal Information Protection and Electronic Documents Act
PM - Project Manager
PPF - Professional Practices Framework
PSR - Preliminary Survey Report
PwC - PricewaterhouseCoopers
QA - Quality Assurance
QRP - Quality Review Process
RaCE - Risk and Control Evaluation
RBSA - Risk-Based Systems Auditing
SBA - Systems-Based Auditing
SBA - Systems-Based Approach
SD - Systems Development
SD - Standard Deviation
SEC - Securities and Exchange Commission
SEC - Stock Exchange Commission
SEE - Social Ethical and Environmental
SIC - Statement on Internal Control
SIMEX - Singapore International Money Exchange
SLAs - Service Level Agreements
SWOT - Strengths, Weaknesses, Opportunities and Threats
TBA - Transactions Based Approach
TEC - Training & Enterprise Council
TI - Transparency International
TQM - Total Quality Management
UK - United Kingdom
USA - United States of America
VFM - Value for Money
FOREWORD TO SECOND EDITION
Internal auditing is a profession which has always prided itself on being a service to management. That service was founded on the ability of internal auditors to influence the way in which managers controlled their organization’s operations in order to achieve objectives. Internal auditors have never attempted to take over the management task - rather they have tried to support the manager’s endeavours by reviewing and advising in order to give an assurance that control is as effective as it can be.
The function of internal auditing can be undertaken in a variety of ways and it is for each organization to discover the best way for itself. In-house teams know the business; outsource providers and partnerships bring other strengths. Boards of directors must decide from all the options open to them which type of service is most likely to work for them, is the most cost-effective and adds the most value.
It is clear, however, that at the start of the third millennium, internal auditing has a significant role to play in every type of organization and in every economic centre. The late twentieth century saw virtually every type of organization suffer to some extent from poor management decisions, unethical corporate behaviour, fraud and other unacceptable business practices. Thus, corporate governance - the way in which organizations are directed and controlled - and a worldwide interest in the wider stakeholder community has meant that boards of directors have come under more scrutiny than ever before.
Accountability, transparency of operations and the integrity of boards and their individual members have resulted in global pressure on organizations to fully understand their corporate objectives and the impact, both socially and environmentally, which these objectives may have. Additionally, organizations must assess and manage the risks which may prevent attainment of objectives and convince their stakeholders that outputs of product or service have been achieved as economically, efficiently and effectively as is practicable.
All of this allows the internal auditor to move centre-stage. The skills in which internal auditors have always excelled - understanding strategic planning and objective setting; assessing and prioritizing risks; recommending control and mitigation strategies; communication ability - mean that more than ever before boards and senior managers are seeking the help of well-qualified, professional internal auditors to assist them in this increasingly complex technological world.
Internal auditors have not been slow to take up the challenge and this Handbook exemplifies the approach of continuous improvement which all professionals need in order to provide the service which managers need. Calling upon modern approaches and the use of technology to achieve greater productivity and understanding, the Handbook draws upon global best practice together with illustrations and examples from experienced practitioners. For both the new-entrant to internal auditing and the more experienced professional, Spencer Pickett has ensured that this updated version of the Handbook provides the material which will add to everyone’s store of knowledge.
In times of fast change, technological innovation and pressure to deliver in virtually all sectors of activity, the Handbook provides the right guidance to achieve greater learning. More than this, it gives the stimulus for each of us to continue to improve our professional approach to providing an effective internal audit service.
Neil Cowan
Past President, IIA.UK&Ireland
IIA Global Ambassador
A very special thanks to my wife, Jennifer, for all her help and support in preparing the new edition and a big hug to our children Dexter and Laurel-Jade; just for being there.
For their past, present and continuing support, a thank you to Nigel Freeman, Neil Cowan, Richard Todd, Andy Wynne, Professor Andrew Chambers, Dan Swanson, Vernon Bailey, Paul Moxey, John Watts, Marian Lower, Eric Hall, Keith Wade, Graham Westwood, Steve Hardman, Mr and Mrs Livermore, Mr and Mrs Newman, Master Lajos Jakab, Mohammed Khan, Horace Edwards, Hock-Chye Ong, Don Daniels, Jack Stephens, Sue Seamour, Adrian Hogg, Mike Mintrum, Alan Davies, Tony Otokito, and staff at the Institute of Internal Auditors (UK&Ireland). Also a thank you to my large family including Aunt Edith, Aunt Joyce, Uncle Tony, and also: Tony, Graham, Kathy, Ellen, James, Lenny, Marianne (Maza), Lucie, Stella, Adrian, Maria, Irvine, Nigel, Nichole, Trevor, Barbara, Michael, Elaine and Karron.
A very special acknowledgement to Professor Gerald Vinten, Editor of the Managerial Auditing Journal, who introduced me to the previously mysterious world of the author.
The third edition of the Internal Auditing Handbook reflects the significant changes in the field of internal auditing over the last few years. Since the last edition, there have been many developments that impact the very heart of the audit role. There really are ‘new look’ internal auditors who carry the weight of a heightened expectation from society on their shoulders. Auditors no longer spend their time looking down at detailed working schedules in cramped offices before preparing a comprehensive report on low-level problems that they have found for junior operational managers. They now spend much more time presenting ‘big picture’ assurances to top executives after having considered high-level risks that need to be managed properly. Moreover, the internal auditor also works with and alongside busy managers to help them understand the task of identifying and managing risks to their operations. At the same time, the internal auditor has to retain a degree of independence so as to ensure the all-important professional scepticism that is essential to the audit role. The auditor’s report to the board via the Audit Committee must have a resilience and dependability that is unquestionable. These new themes have put the internal auditor at the forefront of business and public services as one cornerstone of corporate governance - and the new Internal Auditing Handbook has been updated to take this on board. The third edition of the Internal Auditing Handbook contains all the detailed material that formed the basis of the second edition and has been expanded in the following manner:
1. The new edition has been updated to reflect the Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of Internal Auditing that were released during 2009.
2. Each chapter has a new section on new developments to reflect changes that have occurred since the second edition was published.
3. A series of multi-choice questions has been developed and included at the end of each chapter.
4. A number of important contributions from Dan Swanson on Information Systems auditing and other topics have been included throughout the book.
Change is now a constant and we have tried not to focus too much on specific events such as the 2007/2008 Credit Crunch, the resulting recession and the Madoff fraud, since it is the principles of internal auditing that remain constant, regardless of the latest scandal to impact the economy. Please have a look at the IIA’s web site at www.theiia.org to keep up to date with latest developments.
Back in 1997, the first edition of the Handbook described internal auditing as a growing quasi-profession. The quantum leap that occurred between the old and the new millennium is that internal auditing has now achieved the important status of being a full-blown profession. Note that the term chief audit executive (CAE) is used throughout the handbook and this person is described by the IIA:
The chief audit executive is a senior position within the organization responsible for internal audit activities. Normally, this would be the internal audit director. In the case where internal audit activities are obtained from external service providers, the chief audit executive is the person responsible for overseeing the service contract and the overall quality assurance of these activities, reporting to senior management and the board regarding internal audit activities, and follow-up of engagement results. The term also includes titles such as general auditor, head of internal audit, chief internal auditor, and inspector general.
The areas that are included in this chapter are:
1.1 Reasoning behind this Book
1.2 The IIA Standards and Links to the Book
1.3 How to Navigate around the Book
1.4 The Handbook as a Development Tool
1.5 The Development of Internal Auditing
Summary and Conclusions
Assignments and Multi-choice Questions
1.1 Reasoning behind the Book
The original Internal Auditing Handbook focused on the practical aspects of performing the audit task. It contained basic material on managing, planning, performing and reporting the audit, recognizing the underlying need to get the job done well. The new edition has a different focus. Now, we first and foremost need to understand the audit context and how we fit into the wider corporate agenda. It is only after having done this that we can go on to address the response to changing expectations. In fact, we could argue that we need to provide an appropriate response rather than think of the audit position as being fixed and straightforward. It is no longer possible to simply write about an audit programme and how this is the best way to perform the audit task.
To do justice to the wealth of material on internal auditing, we must acknowledge the work of writers, thought leaders, academics, journalists and noted speakers at internal audit (IA) conferences. The first and second editions of the Internal Auditing Handbook set out the author’s views and understanding of the audit role. The new Handbook contains a whole range of different views and extracts of writings from a variety of representatives from the audit community. There are also special contributions from Richard Todd and Andy Wynne who have provided several examples, written specially for the Handbook, taken from their many years of professional internal auditing work. Gerald Vinten, Paul Moxey, Mohammed Khan, John Watts and Neil Cowan have likewise shared their experiences with the reader. Dan Swanson has provided many important contributions to the new handbook. Dan is an IA veteran who is also a former director of professional practices at the IIA. He has completed audit projects for more than 30 different organizations and has almost 25 years of auditing experience in government at federal, provincial and municipal levels, as well as in the private sector. Dan Swanson has also been a long-time columnist for Compliance Week, a leading US governance, risk and compliance publication.
The new context for internal auditing is set firmly within the corporate governance arena. The IIA definition of internal auditing was not changed when the standards were revised in January 2009 and remains as follows:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
The Internal Auditing Handbook has early chapters on Corporate Governance Perspectives, Managing Risk and Internal Controls. It is only after having addressed these three inter-related topics that we can really appreciate the IA role. There are chapters on quality, professional standards, audit approaches, managing IA, planning, performance and reporting audit work and specialist areas such as fraud and IS auditing. The final chapter attempts to look at our future and changes that may well be on the way. The new Handbook includes several new references and quotes from a wide variety of sources, since all views are important, even where they conflict. This variety can only help move the profession onwards and upwards. The Handbook rests firmly on the platform provided by the International Standards for the Professional Practice of Internal Auditing as part of the International Professional Practices Framework (IPPF). Internal auditing is a specialist career and it is important that we note the efforts of a professional body that is dedicated to our chosen field. Note that despite the recent changes in the field of internal auditing, much of the first book is retained in the new edition. Change means we build on what we, as internal auditors, have developed over the years rather than throw away anything that is more than a few years old. That is why the original material from the second edition has not been discarded; as the saying goes, it is important not to throw away the baby with the bath water. Note that all references to IIA definitions, code of ethics, IIA attribute and performance standards, practice advisories and practice guides relate to the IPPF prepared by the IIA in 2009.
1.2 The IIA Standards and Links to the Book
The Handbook addresses most aspects of internal auditing that are documented in the IIA International Standards for the Professional Practice of Internal Auditing. In late 2005, the IIA’s Executive Committee commissioned an international Steering Committee and Task Force to review the Professional Practices Framework (PPF), the IIA’s guidance structure and related processes. The Task Force’s efforts were focused on reviewing the scope of the framework and increasing the transparency and flexibility of the guidance’s development, review and issuance processes. The results culminated in a new IPPF and a reengineered Professional Practices Council, the body that supports the IPPF. The Attribute Standards outline what a good IA setup should look like, while the Performance Standards set a benchmark for the audit task. Together with the Practice Advisories, Position Statements and Practice Guides and other reference material (as at October 2009), they constitute a professional framework for internal auditing. The IIA’s main Attribute and Performance Standards are listed below:
1000 - Purpose, Authority, and Responsibility
The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.
1100 - Independence and Objectivity
The internal audit activity must be independent, and internal auditors must be objective in performing their work.
1200 - Proficiency and Due Professional Care
Engagements must be performed with proficiency and due professional care.
1300 - Quality Assurance and Improvement Program
The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.
2000 - Managing the Internal Audit Activity
The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization.
2100 - Nature of Work
The internal audit activity must evaluate and contribute to the improvement of governance, risk management and control processes using a systematic and disciplined approach.
2200 - Engagement Planning
Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing and resource allocations.
2300 - Performing the Engagement
Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement’s objectives.
2400 - Communicating Results
Internal auditors must communicate the engagement results.
2500 - Monitoring Progress
The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.
2600 - Resolution of Senior Management’s Acceptance of Risks
When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive must report the matter to the board for resolution.
1.3 How to Navigate around the Book
A brief synopsis of the Handbook should help the reader work through the material. It is clear that the Handbook is not really designed to be read from front to back but used more as a reference resource. Having said that, there should be some logic in the ordering of the material so that it fits together if the reader wishes to work through each chapter in order. One important point to make is that although most chapters contain 10 main sections, they are each of variable length. Some readers find different chapter lengths inconvenient, but there is little point trying to fit set material into standard boxes when some chapters naturally consume more material than others. In fact, some sections are quite long because they need to cover so much ground. Apologies in advance if this policy proves bothersome at all.
Chapter 1 - Introduction
This first chapter deals with the content of the handbook and lists the International Standards for the Professional Practice of Internal Auditing. It also covers the way the handbook can be used as a development tool for the IA staff, linked to website material that can be used to form the basis of learning workshops and resources. The way internal auditing has developed over the years is an important aspect of the chapter, whereby the progress of the profession is tracked in summary form from its roots to date. It is important to establish the role of IA at the start of the book to retain this focus throughout the next few chapters that cover corporate perspectives. Note that the IA process appears in some detail from Chapter 5 onwards. Likewise our first encounter with the IPPF appears in this chapter based on the ‘Platform’ theory to underpin the entire Handbook.
Chapter 2 - Corporate Governance Perspectives
Chapter 2 covers corporate governance in general, in that it summarizes the topic from a business standpoint rather than focusing just on the IA provisions. A main driver for ‘getting things right’ is the constant series of scandals that have appeared in every developed (as well as developing) economy. The governance equation is quickly established, and then profiles of some of the well-known scandals are used to demonstrate how fragile the accountability frameworks are. New look models of corporate governance are detailed using extracts from various codes and guidance to form a challenge to business, government and not-for-profit sectors. Note that the chapter may be used by anyone interested in corporate governance as an introduction to the subject. The section on internal auditing is very brief and simply sets out the formal role and responsibilities, without going into too much detail. One topic that stands out in the chapter relates to audit committees as many view this forum as the key to ensuring corporate responsibility and transparency. The corporate governance debate is ongoing and each new code refers to the need to start work on updates almost as soon as they are published. As such, it is never really possible to be up to date at publication and the reader is advised to keep an eye on new developments as and when they arise.
Chapter 3 - Managing Risk
Many writers argue that we are entering a new dimension of business, accounting and audit whereby risk-based strategies are essential to the continuing success of all organizations. Reference is made to various risk standards and policies, and we comment on the need to formulate a risk management cycle as part of the response to threats and opportunities. The corporate aspiration to embed risk management into the way an organization works is touched on. The growing importance of control self-assessment has ensured this appears in the Handbook, although this topic is also featured in the chapter on audit approaches. The chapter closes with an attempt to work through the audit role in risk management and turns to the published professional guidance to help clarify respective positions. There is a link from this chapter to risk-based planning in the later chapter on Setting an Audit Strategy. Throughout the Handbook, we try to maintain a link between corporate governance, risk management and internal control as integrated concepts.
Chapter 4 - Internal Controls
Some noted writers argue that internal control is a most important concept for internal auditors to get to grips with. Others simply suggest that we need to understand where controls fit into the risk management equation. Whatever the case, it is important to address this topic before we can get into the detailed material on internal auditing. An auditor armed with a good control model is more convincing than one who sees controls only as isolated mechanisms. Chapter 4 takes the reader through the entire spectrum of control concepts from reasoning, control models, procedures, and the link to risk management. One key section concerns the fallacy of perfection, where gaps in control and the reality of imperfection are discussed. This forms the basis for most business ventures, where uncertainty is what creates business opportunities and projects. With the advent of risk management, this does not mean controls take a back seat; it just means controls need to add value to the business equation.
Chapter 5 - The Internal Audit Role
This chapter moves into the front line of IA material. Having got through the reasoning behind the audit role (governance, risk management and control), we can turn to the actual role. The basic building blocks of the charter, independence, ethics and so on are all essential aspects of the Handbook. Much of the material builds on the original first edition of the Handbook and is updated to reflect new dimensions of auditing. One key component is the section on audit competencies, which forms the balancing factor in the equation - ‘the challenges’ and ‘meeting the challenges’. Most auditors agree that there is the set audit role and then there are variations of this role. Those who have assumed one particular variation of the audit role need to appreciate where it fits into the whole.
Chapter 6 - Professionalism
The auditors’ work will be determined by the needs of the organization and the experiences of senior auditors, and most audit shops arrive at a workable compromise. One feature of the upwards direction of the IA function is the growing importance of professional standards as a third component of the equation we discussed earlier. Some of the published standards are summarized in this chapter, although the main footing for the Handbook revolves around the IPPF. Moreover, quality is a theme that has run across business for many years. If there are quality systems in place, we are better able to manage the risk of poor performance. It would be ironic for IA reports to recommend better controls over operations that are reviewed when the audit team has no system in place that ensures it can live up to professional standards. Processes that seek to improve the IA product are covered in this chapter, including the important internal and external reviews that are suggested by audit standards.
Chapter 7 - The Audit Approach
The range and variety of audit services that fall under the guise of internal auditing have already been mentioned. A lot depends on the adopted approach and, rather than simply fall into one approach, it is much better to assess the possible positions armed with a knowledge of what is out there. Once we know what we will be providing, we can think about a suitable structure for the audit shop. The growing trend to outsourcing the IA function has meant a separate section on this topic with an illustration. Control risk self-assessment (CRSA) is also detailed along with tips on facilitation skills. It is possible to integrate the CRSA technique with the audit process and this interesting concept is the feature of this chapter. Other specialist audit work involving management investigations, fraud investigations and information systems auditing is also mentioned. The IPPF acknowledges the linked trend towards more consulting work by IA outfits and the consulting approach has its own section.
Chapter 8 - Setting an Audit Strategy
One view is that formulating an IA strategy is one of the most important tasks for the CAEs. In itself, this task depends on an intimate understanding of the corporate context, the audit role and competencies and challenges that add value to the business. The CAE needs to define a strategy, set standards, motivate staff and then measure what is done to have a half chance at delivering a successful audit service. The chapter includes a section on establishing a new audit shop, by bringing everything together, either in-house or through outsourced arrangements.
Chapter 9 - Audit Field Work
Audit field work covers the entire audit process from planning the assignment to reporting the results, while interviewing is the primary means of obtaining information for the audit. One interesting aspect of this chapter is the section on working papers, which establishes that good working papers can help develop findings and the draft report. Formal presentations are becoming increasingly popular and this is dealt with in this chapter.
Chapter 10 - Meeting the Challenge
This final short chapter attempts to track key developments that impact on internal auditing and includes comments from various sources on its future direction.
1.4 The Handbook as a Development Tool
All internal auditors need to be professionally competent and all IA shops need likewise to demonstrate that they add value to the risk management, control and governance processes. While a great deal of high-level work may be undertaken by the CAE in terms of strategy, budgets and audit plans, the bottom line comes down to the performance of each and every individual auditor. It is this person who must carry the burden of the expectation that IA will be a foundation for governance in the employing organization. The Internal Auditing Handbook is a collection of reference material that can be used to help support the internal auditor’s constant drive to professionalism. It contains a basic foundation of audit information that should be assimilated by competent internal auditors. The handbook can also be used as an induction tool for new auditors where they work through each chapter and then under the supervision of an appointed coach are encouraged to tackle the relevant assignments and multi-choice questions at the end of most chapters. In this way, new staff members can be monitored as they submit their written response to each set of questions. It should take around two weeks to work through the handbook and prepare formal responses to each chapter’s set questions (see Appendix A).
1.5 The Development of Internal Auditing
IA is now a fully developed profession. An individual employed in IA 10 years ago would find an unrecognizable situation in terms of the audit role, services provided and approach. For a full appreciation of internal auditing, it is necessary to trace these developments and extend trends into the future. It is a good idea to start with the late Lawrence Sawyer, known as the Godfather of IA, to open the debate on the audit role. Sawyer has said that audit has a long and noble history: ‘Ancient Rome “hearing of accounts” one official compares records with another - oral verification gave rise to the term “audit” from the Latin “auditus” - a hearing’.1
The Evolution of the Audit Function
It is important to understand the roots of internal auditing and the way it has developed over the years. One American text has detailed the history of IA:
Prior to 1941, internal auditing was essentially a clerical function . . . Because much of the record keeping at that time was performed manually, auditors were needed to check the accounting records after it was completed in order to locate errors . . . railroad companies are usually credited with being the first modern employers of internal auditors . . . and their duty was to visit the railroads’ ticket agents and determine that all monies were properly accounted for. The old concept of internal auditing can be compared to a form of insurance; the major objective was to discover fraud . . . .2
It is clear that the IA function has moved through a number of stages in its development.
Extension of external audit IA developed as an extension of the external audit role in testing the reliability of accounting records that contribute to published financial statements. IA was based on a detailed programme of testing of accounting data. Where this model predominates, there can be little real development in the professionalism of the IA function. It would be possible to disband IA by simply increasing the level of testing in the external auditor’s plans. Unfortunately, there are still organizations whose main justification for resourcing an IA service is to reduce the external audit fee. The Institute of Internal Auditors in the United Kingdom and Ireland (IIA.UK&Ireland) has suggested this link between external and IA:
The nineteenth century saw the proliferation of owners who delegated the day-to-day management of their businesses to others. These owners needed an independent assessment of the performance of their organizations. They were at greater risk of error, omissions or fraud in the business activities and in the reporting of the performance of these businesses than owner-managers. This first gave rise to the profession of external auditing. External auditors examine the accounting data and give owners an opinion on the accuracy and reliability of this data. More slowly the need for internal auditing of business activities was recognized. Initially this activity focused on the accounting records. Gradually it has evolved as an assurance and consulting activity focused on risk management, control and governance processes. Both external audit and internal audit exist because owners cannot directly satisfy themselves on the performance and reporting of their business and their managers cannot give an independent view of these.3
Internal check The testing role progressed to cover non-financial areas, and this equated the IA function to a form of internal check. A large number of transactions were double-checked to provide assurances that they were correct and properly authorized by laid-down procedures. The infamous ‘audit stamp’ reigned supreme indicating that a document was deemed correct and above board. Internal control was seen as internal check and management was presented with audit reports listing the sometimes large number of errors found by IA. The audit function usually consisted of a small team of auditors working under an assistant chief accountant. This actually encouraged management to neglect control systems on the grounds that errors would be picked up by auditors on the next visit. It locked the audit role tightly into the system of control, making it difficult to secure real independence. If existence within an organization depends on fulfilling a service need, then this need must be retained if it is to survive. The temptation is to encourage failings in the systems of control so that each visit by the internal auditor could result in a respectable number of audit findings. Wide-ranging recommendations for solving these control gaps (which cause these errors in the first place) may, therefore, not be made by the auditor.
Probity work Probity work arrived next as an adaptation of checking accounting records where the auditors would arrive unannounced at various locations and local offices, and perform a detailed series of tests according to a preconceived audit programme. Management was presented with a list of errors and queries that were uncovered by the auditors. The auditors either worked as a small team based in accountancy or had dual posts where they had special audit duties in addition to their general accounting role. Audit consisted mainly of checking, with the probity visits tending to centre on cash income, stocks, purchases, petty cash, stamps, revenue contracts and other minor accounting functions. The main purpose behind these visits was linked to the view that the chief accountant needed to check on all remote sites to ensure that accounting procedures were complied with and that their books were correct. The audit was seen as an inspection on behalf of management. This militates against good controls, as the auditor is expected to be the main avenue for securing information. Insecure management may then feel that their responsibility stops at issuing a batch of detailed procedures to local offices and nothing more. The auditors would then follow up these procedures without questioning why they were not working. The fundamental components of the control systems above local-office level fell outside the scope of audit work that was centred on low-level, detailed checking.
Non-financial systems The shift in low-level checking arose when audit acquired a degree of separation from the accounting function with IA sections being purposely established. This allowed a level of audit management to develop, which in turn raised the status of the audit function away from a complement of junior staff completing standardized audit programmes. The ability to define an audit’s terms of reference stimulated the move towards greater professionalism, giving rise to the model of audit as a separate entity. Likewise, the ability to stand outside basic financial procedures allowed freedom to tackle more significant problems. It was now possible to widen the scope of audit work and bring to bear a whole variety of disciplines including civil engineering, statistics, management, computing and quality assurance.
Chief auditors Another thrust towards a high-profile, professional audit department was provided through employing chief internal auditors (or CAEs) with high organizational status. They could meet with all levels of senior management and represent the audit function. This tended to coincide with the removal of audit from the finance function. The audit department as a separate high-profile entity encourages career auditors, able to develop within the function. This is as well as employing people who are able to use this audit experience as part of their managerial career development. The current position in many large organizations establishes a firm framework from which the audit function may continue to develop the professional status that is the mark of an accepted discipline. When assessing risk for the audit plan, one asks what is crucial to the organization before embarking on a series of planned audits that in the past may have had little relevance to top management. Professionalism is embodied in the ability to deal with important issues that have a major impact on success. The recent rise in the profile of internal auditing confirms this potential for significant development.
Audit committees Audit committees brought about the concept of the audit function reporting to the highest levels, and this had a positive impact on perceived status. Securing the attention of the board, chief executive, managing director, non-executive directors and senior management also provides an avenue for high-level audit work able to tackle the most sensitive corporate issues. This is far removed from the early role of checking the stock and petty cash. IA was now poised to enter all key parts of an organization. An important development in the US occurred when the Treadway Commission argued that listed companies should have an audit committee composed of non-executive directors. Since then, most stock exchange rules around the world require listed companies to have an audit committee.
Professionalism The IIA has some history going back over 50 years. Brink’s Modern Internal Auditing has outlined the development of the IIA:
In 1942, IIA was launched. Its first membership was started in New York City, with Chicago soon to follow. The IIA was formed by people who were given the title internal auditor by their organizations and wanted to both share experiences and gain knowledge with others in this new professional field. A profession was born that has undergone many changes over subsequent years.4
The Development of Internal Audit Services
The developmental process outlined above highlights the way the function has progressed in assuming a higher profile and a greater degree of professionalism. The type of audit service has changed to reflect these new expectations and these developments over the last 20 years may likewise be traced:
1. Internal check procedures IA was seen as an integral component of the internal checking procedures designed to double-check accounting transactions. The idea was to re-check as many items as possible so as to provide this continuous audit. One might imagine an audit manager giving staff an instruction that ‘your job is to check all the book entries’ on an ongoing basis.
2. Transaction-based approach The transactions approach came next, where a continuous programme of tests was used to isolate errors or frauds. This checking function became streamlined so that a detailed programme of tests was built up over time to be applied at each audit visit. This systematic approach is readily controlled so that one might have expected the auditor to complete hundreds of checks over a week-long period during the course of completing this predetermined audit programme.
3. Statistical sampling Statistical sampling was later applied to reduce the level of testing along with a move away from examining all available documents or book entries. A scientific approach was used, whereby the results from a sample could be extrapolated to the entire population in a defensible manner. The problem is that one is still adopting the external audit stance that seeks to give an accept or reject decision as the final product. Like the sophisticated computer interrogation now used in audit work, this is an example of how a new technique is limited by a refusal to move away from traditional audit objectives. The downfall of many an information systems auditor has been failure to understand the full impact of the audit role. Computerized investigations now allow 100% checks, although much depends on whether we perceive this as a valid audit task or a managerial responsibility.
4. Probity-based work Probity-based work developed next, again featuring the transaction approach where anything untoward was investigated. The probity approach is based on audit being the unseen force that sees and hears all that goes on in the organization. Instead of double-checking accounting records and indicating those that should be corrected, the probity approach allowed the chief accountant to check on financial propriety across the organization. The auditor would represent the director of finance (DF) by visiting all major units and carrying out these audit test programmes.
5. Spot checks It was then possible to reduce the level of probity visits by making unannounced spot checks so that the audit deterrent (the possibility of being audited) would reduce the risk of irregularity. Larger organizations may have hundreds of decentralized locations that would have been visited each year by the auditor. This service depends on employing large teams of junior auditors who would undertake these regular visits. As management started to assume more responsibility for its operations, the audit service turned increasingly to selective as opposed to periodic visits. Rather than a guaranteed visit each year, one sought compliance with procedure by threatening the possibility of a visit. It has been suggested that: ‘combining the need for uncovering errors and the need to catch misappropriations resulted in the internal auditor being little more than a verifier.’5
Moreover, most internal auditors assumed a ‘Got-Ya’ mentality where their greatest achievements resided in the task of finding errors, abuse and/or neglect by managers and their staff. One writer has said: ‘The old concept of internal auditing can be compared to a form of insurance; the major objective was to discover fraud more quickly than it could be discovered by the public accountant during an annual audit.’6
6. Risk analysis The transaction/probity approach could be restricted by applying a form of risk analysis to the defined audit areas so that only high risk ones would be visited. There are many well-known risk formulae that are designed to target audit resources to specific areas based around relevant factors. Each unit might then be ranked so that the high risk ones would be visited first and/or using greater resources. Risk analysis used in conjunction with statistical sampling and automated interrogation gives the impression that internal auditing is carried out wholly scientifically, although this approach is steeped in the dated version of internal auditing.
7. Systems-based approach Then came a move away from the regime of management by fear to a more helpful service. Systems-based audits (SBAs) are used to advise management on the types of controls they should be using. Testing is directed more at the controls than to highlight errors for their own sake. The problems found during audit visits will ultimately be linked to the way management controls its activities. This new-found responsibility moves managers away from relying on the programmed audit visit to solve all ills. Systems of control become the keywords that management adopts when seeking efficiency and effectiveness, and formed the focus of the audit service. The application of SBA was originally directed at accounting systems where internal control questionnaires devised by external auditors were adapted and used. Basic financial systems were covered by tailoring ready-made audit programmes that looked for a series of predetermined controls. These were applied by internal auditors, although it was still in the shadow of external audit work. The importance of sound organizational systems came to the fore in the US where the Foreign Corrupt Practices Act passed in 1997 stated that an organization’s management was culpable for any illegal payments made by the organization even where they claimed they had no knowledge of the payments. The only way to ensure legality and propriety of all payments was to install reliable systems and controls.
8. Operational audit Attention to operational areas outside the financial arena provided an opportunity to perform work not done by the external auditor. The concepts of economy, efficiency and effectiveness were built into models that evaluated the value-for-money (VFM) implications of an area under review. Looking for savings based on greater efficiencies became a clear part of the audit role. Purpose-built VFM teams were set up to seek out all identifiable savings. The worst-case scenario came true in many organizations where these teams had to be resourced from the savings they identified. It is one thing to recommend a whole series of savings but another to actually achieve them. As a result, many teams were later disbanded. On the other hand, operational audit teams that encouraged management to look for its own VFM savings had more success and this is now an established audit role.
9. Management audit Management audit moves up a level to address control issues arising from managing an activity. It involves an appreciation of the finer points relating to the various managerial processes that move the organization towards its objectives. This comes closer to the final goal of IA where it is deemed capable of reviewing all-important areas within the organization by adopting a wide interpretation of systems of control. The ability to understand and evaluate complicated systems of managerial and operational controls allows audit to assume wide scope. This is relevant where controls are seen in a wider context as all those measures necessary to ensure that objectives are achieved. The systems-based approach offers great potential with the flexibility in applying this approach to a multitude of activities and developing a clear audit methodology at corporate, managerial and operational levels.
The late Gerald Vinten has argued that social auditing is the highest plane that IA may reach and defines this as: ‘A review to ensure that an organisation gives due regard to its wider social responsibilities to those both directly and indirectly affected by its decisions and that a balance is achieved between those aspects and the more traditional business or service-related objectives.’7
10. Risk-based auditing Many IA shops have now moved into risk-based auditing where the audit service is driven by the way the organization perceives and manages risk. Rather than start with set controls and whether they are being applied throughout the organization properly, the audit process starts with understanding the risks that need to be addressed by these systems of internal control. Much of the control solution hinges on the control environment in place and whether a suitable control framework has been developed and adopted by the organization. IA can provide formal assurances regarding these controls. Moreover, many IA shops have also adopted a consulting role, where advice and support are provided to management.
This is not a linear progression in audit services, as many forces are working to take the profession back to more traditional models of the audit role where compliance and fraud work (financial propriety) are the key services in demand.
Moving Internal Audit out of Accountancy
Many of the trends behind the development of IA point to the ultimate position where the audit function becomes a high-profile autonomous department reporting at the highest level. This may depend on moving out audit functions currently based in accountancy. It is possible to establish IA as a separate profession so that one would employ internal auditors as opposed to accountants. This is a moot point in that there are those who feel that the auditor is above all an accountant. Not only is this view short-sighted but it is also steeped in the old version of the internal auditor as a poor cousin of the external auditor. The true audit professional is called upon to review complicated and varied systems even if the more complicated and sensitive ones may sometimes be financially based. A multidisciplined approach provides the flexibility required to deal with operational areas. Many organizations require internal auditors to hold an accounting qualification or have accountancy experience. A move outside the finance function allows staff to be employed without an accounting background. There are clear benefits in this move in terms of securing a firmer level of independence from the finance function:
• The traditional reporting line to the DF may have in the past created a potential barrier to audit objectivity. It may be said that there is little real audit independence where the CAE works for the DF. There are many models of internal auditing that see this function as a compliance role, representing the DF’s interest in financial propriety. The auditor is able to comment on non-compliance so long as it does not extend to criticizing the DF. The corporate view of financial management relies on the DF taking responsibility for establishing sound financial systems, which are then devolved across an organization. The heart of any financial system will be based in the DF’s department and this creates a problem for an auditor who may have found inadequacies in the way the DF has managed these systems. A defensive DF may ensure that the auditor does not produce material that forms a criticism of his/her financial services. This impairs the basic concept of independence where the auditor may be gagged, notwithstanding the presence of an audit committee.
• One might, therefore, give greater attention to the managerial aspects of providing financial systems and move away from merely checking the resulting transactions. This is one sure way of extending the potential scope of IA to enable it to tackle the most high-level, sensitive areas. The audit terms of reference will move beyond fraud and accounting errors to take on board all-important issues that impact on organizational controls. We are not only concerned with the matters affecting the DF but also that which is uppermost in the minds of the corporate management team headed by the chief executive. At this extreme, it becomes possible to audit the whole direction of the organization in terms of its corporate strategy that is a far cry from checking the petty cash and stocks.
• The relationship with external audit may become better defined where the differing objectives are clarified. The temptation for the DF to treat IA as an additional resource for external audit may decline. It may be possible to encourage external auditors to cover the main financial systems, with IA turning its attention more towards operational matters. If IA assumes a high profile and reviews the major activities, then the relationship between IA and external audit may be reversed. External audit may be seen to feed into the all-important IA process.
• The audit approach may move from an emphasis on financial audits to the exciting prospect of reviewing the entire risk management process itself. This change in emphasis is important; it is based on viewing the principal controls in any system of internal control as embodied in management itself. We would not consider the personalities of individual managers. We are more concerned with the formal managerial processes that have been established and how well they contribute to the efficient and effective application of resources. This allows the scope of internal auditing to move to almost unlimited horizons.
• The potential for establishing a powerful CAE may arise, which might be compared to the previous position where the CAE merely acted as a go-between for the DF and the audit staff, giving them batches of projects that the DF wanted done. In an ideal world, the CAE will have the ear of the chief executive officer (CEO) who may turn to audit for advice on major organizational issues that impact on underlying control systems. This has a knock-on effect with the CAE assuming a senior grade commensurate with his/her role in the organization. Likewise, audit managers and other staff will benefit. The IA department could end up with higher grades than the accountancy department.
In short, we would need to be close to, but at the same time be some distance from, the DF. However, as we move into the era of the audit committee, and the stronger links between this forum and IA, things are changing. The trend is for more of a break from the finance link as IA gets more and more involved in the actual business side of the organization. Again, this move is strengthened by the growing involvement in enterprise-wide risk management. The latest position is that there is normally no longer a clear logic for the CAE to continue to hold a reporting line to the DF. The debate now revolves around whether the CAE should report directly into the main board and not just to the audit committee.
The Role of the Statement of Responsibility
The IIA has issued various statements of responsibilities (SORs), each new one providing a revision to the previous. It is possible to trace much of the development of IA through these SORs from 1947 onwards:
1947 Original SOR setting out the first formal definition of IA. This saw the perceived role of IA as dealing primarily with accounting matters and is in line with the view that it arose as an extension of the external audit function.
1957 IA dealt with both accounting and other operations. Although the accounting function was the principal concern, non-accounting matters were also within the audit remit.
1971 The breakthrough came in viewing the audit field as consisting simply of operations. Accounting operations have to compete with all others for audit attention with no automatic right to priority.
1976 This is the same as in 1971 but is made gender-neutral so as not to assume that all auditors are male.