AUI3703 SUMMARY AND EXAM PREP.

AUI3703 SUMMARY AND EXAM PREP. The Internal Audit Process: Specific Engagements And Reporting. The Definition of Internal Auditing: Internal auditing is an independent, objective assurance and consulting activity designed to add value to and improve an organisation's operations. It helps an organisation to accomplish its objectives by bringing a systematic, disciplined approach, to evaluate and improve the effectiveness of risk management, control and governance processes. Assurance services Traditional auditing services at various levels such as compliance, investigating & testing, performance evaluation Assurance services involve the internal auditor's objective assessment of evidence to provide an independent opinion or conclusions regarding an entity, operation, function, process, system, or other subject matter. The nature and scope of the assurance engagement are determined by the internal auditor. There are generally three parties involved in assurance services: (1) the person or group directly involved with the entity, operation, function, process, system, or other subject matter – the process owner, (2) the person or group making the assessment – the internal auditor, and (3) the person or group using the assessment – the user. EXAMPLES: • The assessment that management's policies and procedures are adhered to. • Examining whether control procedures are mitigating the risks identified. Consulting services: Objective is to support management in achieving their objectives Consulting services are advisory in nature, and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties: (1) the person or group offering the advice – the internal auditor, and (2) the person or group seeking and receiving the advice – the engagement client. When performing consulting services the internal auditor should maintain objectivity and not assume management responsibility. EXAMPLES:  Conducting control self-assessment training.  Providing advice to management on risk management, control and governance issues.  Assisting in developing and drafting policies.  Process development  Training  Provision of advice 1 AUI3703 The Internal Audit Process: Specific Audit Assignments and reporting Principles – Code Of Ethics Internal auditors are expected to apply and uphold the following four principles: 1. Integrity The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment. 2. Objectivity Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments. 3. Confidentiality Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so. 4. Competency Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services. Rules of Conduct – Code of ethics 1. Integrity Internal auditors: 1.1. Shall perform their work with honesty, diligence, and responsibility. 1.2. Shall observe the law and make disclosures expected by the law and the profession. 1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organisation. 1.4. Shall respect and contribute to the legitimate and ethical objectives of the organisation. 2. Objectivity Internal auditors: 2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organisation. 2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment. 2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review. 3. Confidentiality Internal auditors: 3.1. Shall be prudent in the use and protection of information acquired in the course of their duties. 3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organisation. 4. Competency Internal auditors: 4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience. 4.2. Shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing (Standards). 4.3. Shall continually improve their proficiency and the effectiveness and quality of their services. 2 AUI3703 The Internal Audit Process: Specific Audit Assignments and reporting Purpose of the standards  to outline basic principles that represent the practice of internal auditing as it should be performed  to provide a framework for performing and promoting a broad range of value-added internal auditing activities  to establish the basis for measuring internal auditing performance  to promote improved organisational processes and operations The standards consist of the following  Attribute standards  Performance standards  Implementation Standards.  Attribute Standards o Attribute standards (the 1000 series) address the characteristics (attributes) of organisations and individuals performing internal audit activities. Attribute standards describe the attributes or characteristics needed for the effective administration of any internal audit activity.The 1000 Series o 1000:Purpose, Authority, and Responsibility o 1100:Independence and objectivity o 1200:Proficiency and due professional care o 1300:Quality assurance and improvement programme  Performance Standards o Performance standards (the 2000 series) describe the nature of internal audit activities and provide quality criteria against which the performance of these services can be measured. Performance standards deal with the actual execution (performance) of internal audits, o The 2000 Series o 2000: Managing the internal audit activity o 2100: Nature of the work o 2200: Engagement planning o 2300: Performing the engagement o 2400: Communicating results o 2500: Monitoring progress o 2600: Resolution of management’s acceptance of risks.  The Implementation Standards expand upon the Attribute and Performance Standards, by providing guidance applicable to assurance or consulting activities and specific types of engagements Three pillars of effective Internal Audit Services  Independence and objectivity  Proficiency  Due professional care 3 AUI3703 The Internal Audit Process: Specific Audit Assignments and reporting Topic 2: Nature of and legislature pertaining to specific audit assignments Forms of Internal Auditing (purpose & nature)  Compliance audits Compliance can be defined as conformity and adherence to applicable laws and regulations as well as policies, plans, procedures, contracts or other requirements. Compliance tests. Example The focus of compliance auditing is on compliance with laws and regulations, statutes and internal policies. A compliance audit therefore sets out to discover how well a unit or organisation complies with an established set of “rules”. Clearly, the level of compliance with formal rules is an aspect of performance. Although it is an important aspect, it is not the only one an auditor is concerned with.  Financial audits During a financial audit, an internal auditor looks for evidence relating to the reliability and integrity of financial information. Auditing of financial statements is directed at assessing the accuracy of financial reports relating to financial conditions and operating performance. Associated with an external audit Substantive tests.  Performance audits Performance auditing involves firstly determining management’s objectives, then establishing whether the management controls that exist lead to effectiveness, efficiency and economy. An internal auditor must determine • which key performance indicators are in use • whether they are appropriate • whether control objectives have been achieved  Environmental Audits Compliance with environmental laws and regulations  Fraud Audits Fraud auditing involves assisting management in creating an environment that encourages the detection and prevention of fraud in commercial transactions. A fraud auditor must know • the realm of fraud possibilities (How can it happen?) • the sources of information and evidence (Where do I look?) • whether the environment is conducive to fraud (Is fraud likely?) • the areas of fraud opportunity (Where can it happen?) • the laws of evidence (How can I prove it?) An internal auditor must be alert for red flags and indicators, such as personal behaviour pattern changes or substantial departmental growth or decline behind the norms  Quality Audits systematic and independent examination to determine whether quality-related activities are implemented effectively and comply with the quality systems and/or quality standards. performed at predefined time intervals and ensure that the institution has clearly defined internal system monitoring procedures linked to effective action. Quality audits can be an integral part of compliance or regulatory requirements.  Programme results Audits Auditing the accomplishment of established goals and objectives for operations and programmes. Are the desired results being achieved? Has management considered alternatives to achieve the same results at a lower cost?  IT/IS Audits IT audits come in a variety of forms. Any of the above types of internal audit could involve the use of computers or, for that matter, the audit of computer systems.  Application Audits Application audits such as the auditing of inventory, payrolls, procurement, sales, treasury and other specific business functions have their own specific characteristics and the audit programme will typically involve a certain degree of standard audit tests. 4 AUI3703 The Internal Audit Process: Specific Audit Assignments and reporting 5 AUI3703 The Internal Audit Process: Specific Audit Assignments and reporting Qualities and abilities of an internal auditor Curiosity. The internal auditor should not take anything for granted. By asking questions and discovering the reasons for particular policies and procedures, the auditor gets to know the audit environment and acquires information that is of value in the operational auditing process. Analytical qualities. The ability to identify problem areas by rapidly examining a given situation and the ability to identify critical problem areas by distinguishing between material and nonmaterial aspects are important here. Qualities of persuasion. The success of an internal audit is measured by the extent to which the auditor's recommendations are implemented and implementation is directly proportional to the qualities of persuasion the auditor displays when conveying recommendations to management. Good business judgment. This quality depends on the knowledge and experience acquired by the auditor and includes the ability to view a problem from a manager's point of view and to ask appropriate questions. Internal auditors should be able to put themselves in the position of management, which may be difficult because the auditor is not likely to have personal experience of an operational management position. Logical thinking. Analysing an activity, identifying risks and weaknesses and making recommendations that could lead to the improvement of existing systems requires not only knowledge but also logical thinking. Only logical thinking can enable the auditor to make meaningful and practical recommendations. Objectivity. In the performance of any audit assignment objectivity is a basic requirement. Even if, for instance, the auditor was previously involved in an advisory capacity in the development and implementation of systems within an activity and irrespective of any personal relationships with any of the people working within an activity, the audit assignment should be approached objectively. Communication skills. The ability to communicate the results of an internal audit effectively is extremely important in ensuring that the shortcomings shown up by an operational audit are understood and effectively addressed by the auditee. Good human relations. Auditors must remain independent and cannot allow their opinions to be influenced by feelings of sympathy or of dislike or fear. The auditees are frequently unable to see any purpose in the audit. There is a greater degree of subjectivity involved in operational auditing than in other forms of auditing, which also increases the potential for conflict between the auditors and the staff. Auditors need to understand human relations issues and be able to deal with them effectively. Independence. The internal auditor should be independent of the activity being audited. The auditor should therefore be able to carry out his or her task objectively and without restrictions. This enables the auditor to make impartial and unprejudiced decisions during the conduct of an audit. Self-confidence. Internal auditors should have sufficient self-confidence to counter the challenges posed by every operational audit. They should also carry out their task and present their opinions with the necessary self-confidence so that management will feel obliged to respond positively. Initiative in developing techniques. The unique nature of every internal audit requires the internal auditor to display initiative and creativity in the development of audit programmes, performance measurement techniques and better working methods that will achieve better results. Flexibility Ability to adapt quickly to new situations and challenges. Work Ethic Get the right things done the right way at the right time. Integrity The stakeholders must have confidence that internal auditors are trustworthy 6 AUI3703 The Internal Audit Process: Specific Audit Assignments and reporting Topic 3: Performance Auditing Synonyms = Management, operational, value for money and functional auditing Concentrates on evaluation of policy, procedures, division of authority, quality of management, effectiveness of methods, special problems and other aspects of an organisation's operations. Purpose: Performance auditing aims at improving an organisation's future performance and it focuses mainly on management’s policy, planning, control and decisions. Independence: internal auditors:  must not be involved in or be responsible for any operational matters within an activity which is being audited  must be able to develop auditing programmes without being influenced  must have full access to all evidence and members of staff wherever this is required for the purposes of the audit  must be objective in collecting and evaluating information and evidence  must be able to prepare audit reports on any matters which they consider necessary to report . Reider’s definition Operational or performance auditing is an audit of operations performed from a management viewpoint to evaluate the economy, efficiency, and effectiveness of any and all operations, limited only by management's desires. The elements of Reider’s definition definition are as follows 1. An audit of operations Performance auditing can be carried out in all functional areas of an organisation, such as marketing, sales, production and human resources. Performance auditing concentrates on the evaluation of policy, procedures, division of authority, quality of management, effectiveness of methods, special problems and other aspects of an organisation’s operations. 2. From a management point of view The principal focus of performance auditing is the achievement of management’s objectives in the most economical, efficient and effective manner. For this reason it is important that a performance auditor should understand the way of thinking, objectives and concerns of top management in particular and focus on the aspects that are important to top management. 3. Evaluation of economy, efficiency and effectiveness During an audit of economy and efficiency, the auditor looks at the optimum balance between costs and results. In an audit of effectiveness, the auditor determines whether an operation is fulfilling the purpose for which it was established. 4. Any and all operating systems within an organisation A performance audit can focus on any component of an organisation, whether it is an operating unit, a functional area, a department or an activity within a department, where the audit objective amounts to reviewing the economy, efficiency and effectiveness with which management is achieving its goals. 5. Only the needs of management restrict the scope of operational auditing As previously mentioned, performance auditing should focus on the aspects that are important to management. The freedom of the internal audit function to evaluate all the activities of an organisation should be incorporated in the internal audit mandate. The aim of Performance Auditing  Performance appraisal  Identification of opportunities to make improvements  Recommendations for the improvement of existing procedures and future action 7 AUI3703 The Internal Audit Process: Specific Audit Assignments and reporting The components of Performance Auditing  financial  compliance  economy and efficiency The following aspects are included: o the purchasing policy of the organisation o material prices and service costs o staffing in relation to the functions that have to be performed o surplus stock on hand o use of more expensive equipment than necessary o prevention of losses and wastage of resources o division of projects into logically manageable tasks o efficiency and application of operating systems and procedures o efficiency of documentation flow o performance of unnecessary tasks or duplication of tasks o allocation of responsibilities and authority within an organisation o speed of production and completion time for projects  effectiveness The following procedures would, for example, form part of an investigation into effectiveness: o evaluating the organisation's approach to the development of realistic targets and objectives and procedures for attaining those targets and objectives o evaluating the adequacy of management's method of measuring effectiveness o establishing the extent to which results are being achieved o identifying the factors that impede satisfactory performance or the achievement of results Effectiveness is the extent to which an activity achieves its stated performance objectives. Effectiveness amounts to doing the right things. Doing the right things is about performing the right activities to achieve a performance objective. If you perform the right activities, you will achieve the performance objective and be effective. Improving effectiveness, will improve organisational performance. Effectiveness – the relationship between actual outputs and planned outputs Results of operation. Efficiency is the extent to which a process or activity has been optimised such that, all other things remaining constant, • its output has been maximised for a given amount of input, or • its input has been minimised for a given amount of output Efficiency – the relationship between actual inputs and actual outputs At least cost without sacrificing results. Method of operation. Economy is the extent to which an organisation, unit or activity gets the right quantity and quality of a resource at the right time and best possible price. Economy – the relationship between planned inputs and actual inputs in terms of unit costs Without sacrificing efficiency and results. Aspects of the performance objectives Audit objective: To determine ....  quality (how well)  quantity (how many)  time (how soon)  cost (how much) Performance objectives – aspects of the business  growing and developing the business  producing and delivering services and/or products  managing the relationships with stakeholders 8 AUI3703 The Internal Audit Process: Specific Audit Assignments and reporting  managing the organisation’s resources, for example finance, information, materials, equipment, people or technology Measuring achievement of performance objectives  A performance measure is a yardstick against which the achievement of a performance objective can be determined. Identifying good or bad performance through performance standards  A performance standard is the minimum required level of performance. By comparing actual performance with the required performance (standard), you can decide whether performance is good (above standard), bad (below standard) or acceptable (same as the standard). The hierarchy of performance objectives The decomposition of activities creates a hierarchy of performance objectives. You can define different types of performance objective according to their level in the hierarchy. For example, you could define four types:  mission – the highest-level performance objective the mission is the ultimate performance objective of an organisation or unit. It conveys the reason for the organisation’s or unit’s existence and what it is trying to achieve.  unit performance objectives A unit performance objective (UPO in diagram 1.2.4) is a clear statement of what a high-level activity within a unit is trying to achieve or what it is marketing or producing. Unit performance objectives must be supportive of and subordinate to the unit’s mission.  key performance objectives A key performance objective contributes to the achievement of its parent unit performance objective.  specific performance objectives A specific performance objective contributes to the achievement of its parent key performance objective. Good performance objectives are  measurable (quantitative)  specific  results (output) centred  realistic and attainable  time-bound Internal auditing standards applicable to Performance Auditing  promoting appropriate ethics and values within the organisation  ensuring effective organisational performance management and accountability  communicating risk and control information to appropriate areas of the organisation  coordinating activities of, and communicating information among, the board, external and internal auditors and management  reliability and integrity of financial and operational information  effectiveness and efficiency of operations and programmes  safeguarding of assets  compliance with laws, regulations, policies, procedures and contracts 9 AUI3703 The Internal Audit Process: Specific Audit Assignments and reporting The advantages of Performance Auditing  Identification of problem areas, the factors that cause the problems and alternatives that could improve the situation  Reducing costs by identifying opportunities to reduce wastage and inefficiency  Identifying opportunities to increase income  Identifying undefined goals, objectives, policy and procedures  Identifying criteria for evaluating the achievement of the organisation’s objectives and goals  Recommendation of improvements to an organisation's policy, procedures and structure  Evaluating the performance of individuals and sections within an organisation  Inquiry into compliance with legal requirements and the organisation's policy, objectives and procedures  Testing for the existence of unauthorised, fraudulent or otherwise irregular actions  Evaluation of management information systems and control systems  Identification of possible problem areas in future activities  Provision of an additional communication channel between people at the operational level and top management  Provision of an independent, objective evaluation of the organisation as a whole Problems associated with Performance Auditing  Performance auditing makes high demands on human relations  Performance auditing requires special proficiency and skills  High cost of performance auditing  Management involvement in and support for performance auditing Steps in the choice of the audit field  Identify and describe the problem  Collecting information and evidence  Evaluating conditions within the organisation  Obtaining the approval of management for the performance of the performance audit Evaluate mission statement  First, that the mission statement has been formally defined.  Secondly, that the mission statement conveys the organisation’s or unit’s reason for existence.  Thirdly, that the mission has been translated correctly into performance objectives.  Fourthly, that managers are keeping their mission statements in line with the changing needs and wants of their customers.  Fifthly, in publicly funded organisations, that the organisation’s reason for existence is still valid and that customers still have a genuine need for the service provided