
Internal Audit

CA. Rajkumar S Adukia, B.Com (Hons.), FCA, ACS, MBA, AICWA, LLB, Dip in IFRS (UK)
rajkumarfca@gmail.com | www.caaa.in | 9820061049 / 9323061049

1. Introduction

Internal Audit is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

2. History of internal auditing

The Internal Auditing profession evolved steadily with the progress of management science after World War II. It is conceptually similar in many ways to financial auditing by public accounting firms, quality assurance and banking compliance activities. Much of the theory underlying internal auditing is derived from the management consulting and public accounting professions. With the implementation in the United States of the Sarbanes-Oxley Act of 2002, the profession's growth accelerated, as many internal auditors possess the skills required to help companies meet the requirements of the law.

3. Purpose

The purpose of an internal audit is to:

- provide comfort to management that operations are well-managed, efficient, and within the bounds of applicable laws, regulations and policies;
- identify weaknesses in business practices and management systems and recommend improvements; and
- identify opportunities to reduce expenditures, increase revenues and better protect enterprise assets.

4. The Role of the Internal Auditor

The internal auditor is involved with:

- evaluating emerging technologies;
- analyzing opportunities;
- examining global issues;
- assessing risks, controls, ethics, quality, economy, and efficiency;
- assuring that the controls in place are adequate to mitigate the risks; and
- communicating information and opinions with clarity and accuracy.

Such diversity gives internal auditors a broad perspective on the organization.

Internal auditors are well disciplined in their skills and subscribe to a professional code of ethics. They are diverse and innovative; committed to growing and enhancing their skills; continually on the lookout for emerging risks and trends in the profession; and good thinkers. To fulfill all their roles effectively, internal auditors must be excellent communicators who listen attentively, speak effectively and write clearly. Sitting at the right hand of management, today's internal auditors are consulted on all aspects of the organization and must be prepared for just about anything. They are coaches, advocates for internal and external stakeholders, facilitators of risk management, control experts, efficiency specialists and problem-solving partners. It's certainly not easy, but for these skilled and competent professionals, it's all in a day's work.

5. The Audit Phases

An internal audit involves four essential and interrelated phases: planning, fieldwork, reporting and follow-up.

5.1 Phase 1: Planning

The planning stage answers three basic questions:

What will be looked at during the audit (the scope). The scope of an audit is the 'things' (activities, systems, business processes, financial affairs, documents, people, and locations) that will be looked at during the course of the internal audit.

What questions will be answered (the objectives). The objectives identify 'what' is to be accomplished by looking at the scope items. More often than not, objectives are prefaced with the terms:

- To determine whether
- To assess whether
- To provide assurance that

It is the job of the internal auditor to conclude on the objectives.

How the objectives will be answered (the criteria). Criteria are the 'measuring sticks' that an internal auditor will consider in concluding on performance relative to an audit objective. By responding to all the criteria underlying an objective, an internal auditor is able to reach an objective, factual, and fair conclusion to the question posed by the audit objective.

To ensure the success of the internal audit, it is important that the organization being audited participate in the planning process. In particular, organizational input into the development of the audit criteria is key. At the conclusion of the planning process, terms of reference should be developed. The terms of reference are an agreement setting out the overall purpose, scope and objectives for the audit to be undertaken. They are signed by Internal Audit & Advisory Services and the appropriate person within the organization being audited.

5.2 Phase 2: Fieldwork

During the fieldwork phase, sufficient, relevant and reliable evidence of actual performance is gathered and compared against expected performance. Rather than finding fault, the intent of internal auditing is to identify gaps between actual and expected performance. While all differences are noted, only significant differences are identified in the reporting phase. For example, if the expected performance is that sensitive documents are kept in a locked safe, and the actual performance, based upon fieldwork, shows that sensitive documents are kept in an unlocked desk drawer, the auditor would note this difference. In determining the significance of the difference between actual and expected performance, the internal auditor will consider a number of factors. In drawing a conclusion, the internal auditor will rely upon their independence from the process being audited, their objectivity as a person disinterested in the outcome of the audit, and their professional judgment gained through training and experience.

Internal auditors may conduct interviews, surveys, run focus groups, review documentation, analyze reports, prepare calculations, consult experts, and employ any number of other techniques that help them to obtain sufficient, relevant and reliable information. The conclusions reached by Internal Audit & Advisory Services are their professional opinions, based on the evidence collected and the analysis performed, as to how closely actual performance compares to expected performance. Internal audit recommendations are intended to assist management in bringing actual performance closer to expected performance.

5.3 Phase 3: Reporting

Although an end product of any internal audit is the report to management, the management reporting process starts at the beginning of the internal audit, and continues throughout the course of the audit. The contents and structure of the report are considered during the planning phase and modified as necessary during fieldwork. Like the planning and fieldwork phases, the internal audit report continues to evolve and change over the course of the audit as new information and new perspectives are revealed. Progress reports are provided to management throughout the internal audit. By working closely with the management and staff of the organization being audited, all significant issues and the related recommendations should be fully discussed with the organization prior to the issuance of the final draft report. Generally, a first draft of the report is issued to management in order to achieve agreement on the accuracy of the information contained in the report, the suitability of the recommendations and the validity of the conclusions. Thereafter, a second draft of the report is issued to management, at which time an action plan is developed by management that addresses the audit issues. The recommendations contained in an audit report suggest what needs to be done. How the recommendation is implemented, however, remains the responsibility of management. Finally, the final report is issued to the concerned authority.

5.4 Phase 4: Follow-up

With the release of the final internal audit report, there is an expectation that management will follow up and report on the actions set out in the action plan. To encourage that outcome, Internal Audit & Advisory Services follows up on the status of the recommendations and may decide to conduct a follow-up audit. During the follow-up audit, internal auditors assess the extent to which management actions have been implemented.

6. Internal Audit Standards

Internal audit activities are performed in diverse legal and cultural environments; within organizations that vary in purpose, size, complexity, and structure; and by persons within or outside the organization. While differences may affect the practice of internal auditing in each environment, compliance with the International Standards for the Professional Practice of Internal Auditing (the Standards) is essential if the responsibilities of internal auditors are to be met. If internal auditors are prohibited by laws or regulations from complying with certain parts of the Standards, they should comply with all other parts of the Standards and make appropriate disclosures.

The purpose of the Standards is to:

1. Delineate basic principles that represent the practice of internal auditing as it should be.
2. Provide a framework for performing and promoting a broad range of value-added internal audit activities.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organizational processes and operations.

The Standards consist of Attribute, Performance, and Implementation Standards. Attribute Standards address the attributes of organizations and individuals performing internal audit services. The Performance Standards describe the nature of internal audit services and provide quality criteria against which the performance of these services can be measured. The Attribute and Performance Standards apply to all internal audit services. The Implementation Standards expand upon the Attribute and Performance Standards, providing guidance applicable in specific types of engagements. These standards ultimately may deal with industry-specific, regional, or specialty types of audit services. There is one set of Attribute and Performance Standards; however, there are multiple sets of Implementation Standards, one for each of the major types of internal audit activity. The Implementation Standards have been established for assurance (A) and consulting (C) activities.

Assurance services involve the internal auditor's objective assessment of evidence to provide an independent opinion or conclusions regarding a process, system, or other subject matter. The nature and scope of the assurance engagement are determined by the internal auditor. There are generally three parties involved in assurance services:

1. the person or group directly involved with the process, system, or other subject matter (the process owner);
2. the person or group making the assessment (the internal auditor); and
3. the person or group using the assessment (the user).

Consulting services are advisory in nature, and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties:

1. the person or group offering the advice (the internal auditor); and
2. the person or group seeking and receiving the advice (the engagement client).

When performing consulting services the internal auditor should maintain objectivity and not assume management responsibility.

Methodologies

Entity Level Internal Audit Methodology

How does it work?

An entity level internal audit project flows through the following phases:

1. Determine Client Expectations.
2. Understand and Analyze the Business. This phase has four components, tied together by an Entity Level Business Risk Analysis.
3. Identify Target Processes and Risks.
4. Communicate Results, once the target processes and risks have been analyzed.
5. Next Steps, which includes suggestions for following up and measuring quality.

Communication with clients and management is crucial at all phases. Each phase has an overview and several corresponding tools to help carry out a successful entity level internal audit.

Overview of Entity Level Methodology


Companies are under constant competitive pressure to identify and manage business risks and improve the performance of their business processes. They are demanding higher levels of assurance about:

- the reliability of information and performance measures;
- the effectiveness of business controls; and
- the efficiency of processes.

Internal audit can respond to these demands through the use of Business Process Auditing (BPA). The BPA approach allows internal auditors to combine their existing skills and competence with new tools and knowledge bases to provide high-value assurance and improvement services to their companies. These services include:

- process analysis;
- assurance about process controls;
- measures of compliance with company policies or other standards (best practices); and
- process improvement.

Financial statement audits focus on financial measures of business performance and usually involve only those business processes associated with processing accounting transactions and reporting financial information. Generally Accepted Accounting Principles (GAAP) are the assurance standard against which financial auditors compare the financial statements. The BPA approach also takes into account over 70 business risks found in the Protiviti Risk Model (SM). The assurance standard can be best practices, peer performance within the industry (based on financial or non-financial measures), or operating policies and performance expectations set by the company itself.

The objectives of BPA are to:

- understand and evaluate business processes and related business controls;
- validate process performance measures and business controls;
- identify the root causes of process deficiencies and propose solutions;
- provide audit assurance regarding process effectiveness and efficiency; and
- make recommendations to improve business process performance.

Business Process Auditing is designed to analyze and respond to important questions such as:

- What are the significant business risks, both external and internal, that impact the process?
- How, and how well, are those risks being managed and controlled?
- What key measures are used to monitor the process? Are they the right ones (i.e., aligned with customer needs and key business objectives)?
- How reliable are the key measures and other management information?
- How efficient is the process in operation?
- How can the process be improved to bring its performance closer to world-class standards?

Using the BPA Approach

The BPA approach is designed to be adaptable and creative. While all the "phases" and "steps" of the BPA are generally needed to complete an effective audit, the BPA tools and specific methods can be used in a very flexible manner. The BPA can be used to audit sub-processes, to perform compliance audits or to audit a function. Many of the tools are alternatives, not required approaches. The tools range from guidelines and checklists to templates and problem-solving methods. The flexibility of the BPA allows for great variety in:

- management desires;
- targeted processes;
- objectives;
- the depth of process review; and
- the definition and design of a process.

The Entity Level BPA methodology focuses on understanding and analyzing the business. Its phases are intended to provide an understanding of company strategies, metrics, processes, and high-level risks and controls. This understanding is primarily used to identify the target processes and risks during the audit planning process.

IIA Standards

The BPA approach meets the Institute of Internal Auditors (IIA) standards for the professional practice of internal auditing.

Hints

1. Communicate with management not just at the start of the audit but throughout the audit. Communication should cover the objectives, the audit process, reporting format and protocols, where to spend resources, and assistance required.
2. Concentrate on the information to be included in the audit report throughout the entire audit, from beginning to end.
3. Empower the in-charge auditor to discuss findings with management throughout the audit.
4. Focus on the entire business process rather than a specific function or department.
5. Focus on business risks and on improving process performance.

Information Technology

Companies are placing increasing reliance on information technology in almost every aspect of their business. The internal auditor cannot gain a satisfactory understanding of a company's business, business processes, and risks without an understanding of how information technology (IT) is used. The internal audit team must answer the following questions regarding IT:

- What is the role of IT in the company's business operations and business strategies?
- What are the specific business risks, both enterprise-wide and at the process level, related to the generic IT risks of access, integrity, availability and relevance?
- What processes and controls are needed to bring IT-related business risks to an acceptable level?

The internal audit team should assess the level of the company's IT complexity and the level and nature of IT skills that will be needed in the engagement. IT skills can be used in the following Business Process Audit phases:

1. Determine Client Expectations: Identify the auditee's expectations with regard to IT and identify ways in which the audit team can meet and exceed these expectations.
2. Understand and Analyze the Business: Document how the company's diverse technology platforms at all locations interconnect to support the business. Identify the processes by which these technologies are managed and monitored, and the applicable performance measures. Identify and understand relevant business risks related to IT access, integrity, availability and relevance.
3. Identify Target Processes/Risks: Assess and prioritize IT-related processes and business risks.
4. Analyze Target Processes/Risks: Understand and map the target business processes, ensuring that both manual and computer/network processes are understood and documented. Assess the IT-related business risks in the processes. Assess IT performance and control gaps. Validate IT process performance measures and controls. Apply computer-assisted audit tools and techniques (CAATs) to the validation of process performance measures and controls in all processes, as needed. CAATs can be used to reconcile databases, identify data integrity problems, test data entry validation, transaction approvals and run-to-run balancing, and perform regression analysis. Identify the root causes of IT-related process performance and control gaps.
5. Communicate Results: The audit team should communicate to the auditee its findings and recommendations regarding the functioning of IT processes as well as IT-related business risks in other processes.

Reviewing Information Technology

A review of the use and management of IT should be included in the audit to identify information technology risks and controls. Information processing/technology risks can be defined as follows:

Access risk: The risk that access to information (data or programs) will be inappropriately granted or refused. IT access risks include risks of improper segregation of duties in IT processes and in application systems use, risks associated with the integrity of data and databases, and risks associated with information confidentiality.

Integrity risk: The risks associated with the processes used to develop, maintain and operate the information processing environment and the application systems that support the organization's business systems; and the risks associated with the authorization, accuracy and completeness of transactions that are entered, flow through, are summarized by and reported by application systems throughout the organization.

Relevance risk: The risk that information is not relevant to the purposes for which it is collected, maintained or distributed; and the risks related to the usability and timeliness of information that is either created or summarized by an application system.

Availability risk: The risk that information will not be available when needed, for reasons including loss of communications, loss of basic processing capability, operational difficulties, natural disasters, vandalism, sabotage, and accidents.

The potential business impacts associated with IT-related risks include the following:

- erroneous accounting or management reporting;
- business interruption;
- excessive costs;
- loss of competitive advantage;
- fraud;
- loss or destruction of assets; and
- statutory sanction or legal action.

Prioritizing IT Risks

The techniques used in prioritizing IT audits follow the same basic techniques as for other types of audits:

1. Identify all the relevant auditable IT functions, installations, applications, and systems under development.
2. Determine risk analysis criteria.
3. Perform the analysis (rank the auditable areas).
4. Establish audit frequencies.

Determining the auditable information systems activities requires that the audit team survey all known data processing centers, distributed processing applications and end-user computing applications to obtain an inventory of hardware, software, policies and procedures, and existing applications, including those in current development. Other useful information includes budgetary data and long-range plans. The objective in gathering this information is to define the overall information systems audit universe. Criteria that may be used to prioritize the IT audit universe include:

- impact on decision making;
- complexity of the system;
- volume of transactions;
- impact on financial position and operating results;
- source or use of cash; and
- regulatory environment.
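The four prioritization steps above (inventory, criteria, analysis, frequency) are straightforward to script once the criteria have been agreed. The following is an added example and not code from the original document: it scores a constructed inventory of auditable areas against the six criteria just listed, normalises the weighted score, ranks the audit universe and maps each score to an audit frequency. The weights, the 1-5 scale, the frequency bands and the inventory itself are assumptions made for illustration; a real audit team would agree those values with management and the audit committee during planning.

```python
"""Risk-ranking an IT audit universe (added example, not from the source document)."""
from dataclasses import dataclass, field

# Criteria named in the text, each scored 1 (low) to 5 (high). The weights are an
# assumption; an audit team would agree them with management during planning.
CRITERIA_WEIGHTS = {
    "decision_impact": 3,   # impact on decision making
    "complexity": 2,        # complexity of the system
    "volume": 2,            # volume of transactions
    "financial_impact": 3,  # impact on financial position and operating results
    "cash": 2,              # source or use of cash
    "regulatory": 3,        # regulatory environment
}
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class AuditableArea:
    name: str
    kind: str  # function, installation, application, or system under development
    scores: dict = field(default_factory=dict)


def validate_scores(area):
    """Reject missing or unknown criteria and scores outside the agreed scale."""
    missing = set(CRITERIA_WEIGHTS) - set(area.scores)
    if missing:
        raise ValueError(f"{area.name}: missing criteria {sorted(missing)}")
    for crit, val in area.scores.items():
        if crit not in CRITERIA_WEIGHTS:
            raise ValueError(f"{area.name}: unknown criterion {crit!r}")
        if not SCALE_MIN <= val <= SCALE_MAX:
            raise ValueError(f"{area.name}: {crit} score {val} outside {SCALE_MIN}-{SCALE_MAX}")


def risk_score(area):
    """Weighted sum normalised to 0-100 so that areas are comparable."""
    validate_scores(area)
    raw = sum(CRITERIA_WEIGHTS[c] * area.scores[c] for c in CRITERIA_WEIGHTS)
    max_raw = sum(CRITERIA_WEIGHTS.values()) * SCALE_MAX
    return round(100 * raw / max_raw, 1)


def audit_frequency(score):
    """Assumed frequency bands; the thresholds would be set by the audit committee."""
    if score >= 75:
        return "annual"
    if score >= 50:
        return "every 2 years"
    return "every 3 years"


def rank_universe(areas):
    """Return (name, score, frequency) tuples from highest to lowest risk."""
    ranked = sorted(areas, key=lambda a: (-risk_score(a), a.name))
    return [(a.name, risk_score(a), audit_frequency(risk_score(a))) for a in ranked]


# Constructed inventory standing in for the survey of data centres, distributed
# applications and end-user computing; these are not real systems.
UNIVERSE = [
    AuditableArea("General ledger", "application",
                  dict(decision_impact=5, complexity=4, volume=5, financial_impact=5, cash=4, regulatory=5)),
    AuditableArea("Payroll", "application",
                  dict(decision_impact=3, complexity=3, volume=4, financial_impact=4, cash=5, regulatory=4)),
    AuditableArea("Warehouse spreadsheet (end-user computing)", "application",
                  dict(decision_impact=2, complexity=1, volume=3, financial_impact=2, cash=1, regulatory=1)),
    AuditableArea("New CRM (under development)", "system under development",
                  dict(decision_impact=3, complexity=5, volume=2, financial_impact=2, cash=1, regulatory=3)),
]

if __name__ == "__main__":
    for name, score, freq in rank_universe(UNIVERSE):
        print(f"{score:5.1f}  {freq:<14} {name}")
```

The validation step matters more than the arithmetic: an area with a criterion left unscored would otherwise silently sink to the bottom of the ranking and drop out of the audit plan, which is exactly the kind of gap a later fraud or control failure exploits.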

Information Technology Controls

IT controls are sometimes categorized as either general controls or application controls. This is not always a useful distinction. In older information systems environments, where there was a separate IT function responsible for all computer resources, this function performed all aspects of developing and maintaining the operating environment and all application systems used in business processes. The controls over the risks in these activities were "general controls" because they applied generally to all IT resources. Many businesses today have a variety of IT environments, typically run by the individual divisions, departments or locations of the business. If there is a central IT function, it is likely to have little or no control over these environments. While the same IT risks may exist in each environment, it is not possible to assess one set of "general controls" and assume that they will mitigate IT risks throughout the organization. The audit team needs to identify and understand each technology platform related to key business processes, and assess the risks and controls relevant to each important application and its technology environment, to the extent that the environment is dedicated to a process or business unit.

To the extent that they are applicable in an auditee environment, general controls and application controls can be described as follows:

General controls:

1. Relate to IT organization, management, and operations processes and help to ensure a controlled environment within which applications can be developed, maintained, and used.
2. May relate to communications systems and networks as well as the computer itself.
3. Are general only to the extent that they are pervasive over all or most applications in both the data processing and user environments.
4. Affect the strengths and weaknesses of individual applications.
5. May include:
   - data and program security administration;
   - program change control;
   - system development controls;
   - computer operations controls;
   - network administration controls; and
   - segregation of duties in the functional responsibilities of IT personnel.

Application controls:

1. Are specific to each application. Each application has its own inherent risks. The developers of the application build in controls, and the users establish additional controls around the application, in order to address these risks. Therefore, risks and controls need to be considered for each application separately. The input, processing and output processes related to the application need to be evaluated.
2. Are designed for the flow of transactions for a particular process and application, to meet the following general control objectives:
   - ensure authorized, accurate, and complete processing of a transaction;
   - prevent, detect, and correct errors and irregularities flowing through the transaction process; and
   - protect the security and confidentiality of information processed by the application system, appropriate to the value and sensitivity of the information.

When an application control is identified as critical, the related general controls must also be effective to ensure the consistent and continuous operation of the application control over time. Additional details regarding general and application controls can be found in the Systems Auditability and Control (SAC) Report, Module 2, Audit & Control Environment, pages 2-5 to 2-17.

Using Information Technology During the Audit

Information technology systems provide the internal auditor with the opportunity to use the computer to enhance the efficiency of the audit. Information technology can be used to support the conduct of more complete, efficient and effective audit engagements in the following ways:

- reviewing application and business system data through the use of information retrieval and analysis programs and procedures;
- testing transactions with test-transaction techniques and other computerized tools;
- reviewing system-level activity through the use of various computer-assisted techniques; and
- using knowledge-based systems to direct or conduct an audit.
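The CAATs described under the Analyze Target Processes/Risks phase (reconciling databases, finding data integrity problems, testing transaction approvals and run-to-run balancing) and the data-retrieval and transaction-testing uses of IT listed just above come down to scripted tests over system extracts. The following is an added example and not code from the original document or the SAC Report: it loads a constructed accounts-payable extract, performs a run-to-run balancing check of the subledger against general-ledger batch totals, tests data integrity (duplicate invoice numbers, non-numeric or non-positive amounts, missing approvers), and tests transaction approvals for segregation of duties and approval limits. The CSV layout, the GL totals, the approval matrix and every record in it are constructed for the example.

```python
"""CAATs over a constructed AP extract (added example, not from the source document)."""
import csv
import io
from collections import defaultdict
from decimal import Decimal, InvalidOperation

# Constructed subledger extract (AP invoices) as it might be exported to CSV.
# INV-1003 appears twice, INV-1004 is negative, INV-1006 has a bad amount and
# no approver, INV-1005 exceeds its approver's limit; none of this is real data.
AP_CSV = """invoice,vendor,amount,batch,entered_by,approved_by
INV-1001,Acme Ltd,1250.00,B1,jsmith,mlee
INV-1002,Beta Co,8400.00,B1,jsmith,mlee
INV-1003,Acme Ltd,1250.00,B1,jsmith,jsmith
INV-1003,Acme Ltd,1250.00,B2,akhan,mlee
INV-1004,Gamma Inc,-300.00,B2,akhan,mlee
INV-1005,Delta LLC,26000.00,B2,akhan,mlee
INV-1006,Beta Co,abc,B2,akhan,
"""

# Constructed GL batch totals the subledger is supposed to agree with (B2 deliberately differs).
GL_BATCH_TOTALS = {"B1": Decimal("10900.00"), "B2": Decimal("27250.00")}

# Assumed approval matrix: each approver's single-transaction limit.
APPROVAL_LIMITS = {"mlee": Decimal("10000.00"), "rpatel": Decimal("50000.00")}


def load_ap(text):
    """Parse the extract; amount stays text so bad values are reported, not lost."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_amount(raw):
    try:
        return Decimal(raw)
    except InvalidOperation:
        return None


def integrity_exceptions(rows):
    """Duplicate invoice numbers, unparseable or non-positive amounts, missing approver."""
    seen, out = set(), []
    for r in rows:
        if r["invoice"] in seen:
            out.append((r["invoice"], "duplicate invoice number"))
        seen.add(r["invoice"])
        amt = parse_amount(r["amount"])
        if amt is None:
            out.append((r["invoice"], "amount not numeric"))
        elif amt <= 0:
            out.append((r["invoice"], "amount not positive"))
        if not r["approved_by"]:
            out.append((r["invoice"], "no approver recorded"))
    return out


def approval_exceptions(rows, limits):
    """Segregation of duties (enterer != approver) and approval-limit tests."""
    out = []
    for r in rows:
        approver = r["approved_by"]
        amt = parse_amount(r["amount"])
        if approver and approver == r["entered_by"]:
            out.append((r["invoice"], "entered and approved by same user"))
        if approver and amt is not None:
            limit = limits.get(approver)
            if limit is None:
                out.append((r["invoice"], f"approver {approver} not in approval matrix"))
            elif amt > limit:
                out.append((r["invoice"], f"amount exceeds {approver}'s limit of {limit}"))
    return out


def run_to_run_balance(rows, gl_totals):
    """Compare subledger batch sums with GL batch totals; return batches that differ."""
    sums = defaultdict(Decimal)
    for r in rows:
        amt = parse_amount(r["amount"])
        if amt is not None:  # unparseable rows are already an integrity exception
            sums[r["batch"]] += amt
    diffs = {}
    for batch in set(sums) | set(gl_totals):
        delta = sums.get(batch, Decimal(0)) - gl_totals.get(batch, Decimal(0))
        if delta != 0:
            diffs[batch] = delta
    return diffs


def run_caats(text=AP_CSV, gl_totals=GL_BATCH_TOTALS, limits=APPROVAL_LIMITS):
    """Run all three tests and return the exceptions an auditor would follow up."""
    rows = load_ap(text)
    return {
        "integrity": integrity_exceptions(rows),
        "approvals": approval_exceptions(rows, limits),
        "unbalanced_batches": run_to_run_balance(rows, gl_totals),
    }


if __name__ == "__main__":
    for test, findings in run_caats().items():
        print(test, findings)
```

Two design choices are worth noting. Amounts are handled as Decimal rather than float so that a reconciliation difference of zero really is zero; floating-point rounding would produce spurious unbalanced batches. And a row whose amount cannot be parsed is reported as an integrity exception rather than silently dropped, because a row that vanishes from the batch total is itself a way of hiding a posting.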

Fraud

Fraud is intentional deception, commonly described as lying, cheating, or stealing. Fraud can be perpetrated against customers, creditors, investors, suppliers, insurers, or governmental authorities and can be seen in the form of tax fraud, stock fraud, and short weights and counts. The risk of fraudulent activities and ethical violations must be taken seriously. No organization or institution appears to be exempt from fraud.

How much fraud is there? Estimates of fraud include:

- Fraud costs $60 - $200 billion annually.
- 0.5% - 2% of sales are fraudulent.
- $20 - $40 billion is embezzled annually.
- 60% of all S&L thrifts experienced fraud.
- 30% of all business failures are related to fraud.
- 70% of retail losses are due to fraud.
- 45 out of 100 defense contractors are fraudulent.

A survey involving over 3,000 large and mid-size companies indicated that:

- Over 75% reported at least one incident of fraud.
- The total cost of reported fraud was almost $250 million.
- Over 50 companies reported fraud in excess of one million dollars.
- The most expensive types of fraud were false financial statements and false insurance claims.
- The most frequently reported frauds are credit card fraud, check fraud (forgery and counterfeiting), and inventory theft.
- The most commonly cited reasons for fraud are poor controls, management override of controls, high industry risk, and collusion between employees and third parties.

Fraud schemes are becoming more complex and, therefore, more difficult to detect. While some internal auditors are already fraud sensitive, using fraud assessment tools can improve the likelihood that complex frauds will be detected. The Institute of Internal Auditors (IIA) professional standards state that the internal auditor is responsible for:

- ensuring the existence of controls with systems designed to prevent or deter forms of fraud;
- identifying areas where theft or manipulation are likely to occur;
- ensuring the effectiveness of controls in financial accounting and other areas subject to theft, fraud, or embezzlement; and
- exercising the care and skill of a reasonably prudent and competent professional.

IIA standards also state that the internal auditor is not responsible for:

- absolute assurance against the existence of fraud (although there may be increased performance expectations from management); or
- extraordinary prudence.

Foreign Corrupt Practices Act (FCPA)

The issue of fraudulent financial reporting has been examined by the National Commission on Fraudulent Financial Reporting (the Treadway Commission). The report of the Commission emphasized the importance of an ethical "tone at the top," effective controls, written codes of conduct, internal auditors, and audit committees as deterrents to fraudulent reporting. The FCPA mandates that controls be established which are adequate to either prevent or detect illegal payments, with a reasonable degree of probability. Given the primary role of management in establishing and monitoring the control system, a key concern is whether a high likelihood exists that management could override the control system. A higher probability of management override is associated with:

- decentralized operations;
- incentive compensation tied to reported accounting numbers; and
- the lack of independence of parties with whom business is transacted.

The Fraud Environment

The environment within a company is generally developed and maintained by senior management and the board of directors. To deter fraud, the environment should be a demanding one. Management should clearly set forth written policies demonstrating its commitment to fair dealing, its position on conflicts of interest, its requirement that only honest employees be hired, its insistence on strong internal controls that are well policed, and its resolve to prosecute the guilty. There are three conditions that, when combined, move people to commit fraudulent acts:

- situational pressures experienced by employees;
- uncontrolled access to assets, coupled with management's indifference; and
- personality traits undermining personal integrity.

Neither managers nor internal auditors can do much about an individual's situational pressures. Managers can reduce the perceived opportunities by installing appropriate controls, and internal auditors can evaluate the adequacy and effectiveness of these controls. One of the most effective ways to deter dishonest conduct is by not hiring dishonest employees. Management should at least verify the backgrounds of employees. Senior management should insist on proper hiring practices; internal auditors should see that those practices are carried out as intended.
The possibility of detecting fraud increases with auditor awareness of where fraud may occur, with the use of modern techniques, and with an inquisitive audit approach that pursues suspicious conditions.

The Narrow Objective of Fraud Audits

A fraud audit has the narrow objective of uncovering the presence, scope, and means of intentional misstatement of records or misappropriation of assets. A fraud audit tends to be more detailed in approach, since it must uncover that which has been intentionally hidden. Flows of accounting numbers, as well as assets, may have to be reconstructed without an audit trail. The term fraud indicates some sort of deceptive act which harms another party. It is this deception which makes the discovery of fraud far more difficult than the discovery of errors.

The Impetus for Fraud Audits

An auditor must be alert to clues which suggest possible irregularities. Alertness and healthy skepticism may well be two of the auditor's most important skills. Critical inquiry as to what irregularities are possible should be followed by an assessment of their likelihood, given the controls, supervisory practices, and the overall control environment. Anything detected as questionable should be resolved. Most often, the impetus for a fraud audit is some sign of an unusual transaction or missing record. Although the dollar magnitude may be relatively small, a fraud is considered to be qualitatively material. The reasons for this definition are that:

1. frauds, by their very nature, can balloon quickly if not deterred;
2. the existence of fraud in and of itself indicates a weakness in controls; and
3. frauds imply integrity issues that may have far-reaching consequences. For example, if management made illegal payments, the company and the individual executives involved could face legal consequences and highly adverse publicity.

A key indicator of the more likely types of exposure faced by an auditee is the auditee's past experience. Past occurrences of fraud have implications about management's attitudes and integrity. In addition, such occurrences can serve as a signal to employees as to what type of reaction can be expected if they are discovered to be involved in an impropriety. A lack of corrective and/or disciplinary actions in the past can encourage future problems.

Usually, it is less expensive to prevent fraud than to detect it. Therefore, fraud prevention should take precedence over detection. Internal controls alone do not prevent fraud; they merely facilitate its detection. Fraud prevention measures include:

- hiring honest people;
- paying them competitively;
- treating them fairly;
- providing a safe and secure workplace;
- offering real-time feedback on their performance and positive reinforcement when their performance meets standards;
- providing adequate tools and training to do their jobs right;
- role-modeling honesty; and
- codes of ethics.

Fraud prevention requires creating a work environment that values honesty. Senior managers who are role models for integrity and fairness in their daily interactions with their peers and subordinates can create such an environment.

Prevention also means regularly monitored and enforced internal controls. Therefore, prevention strategies include tight controls, ethical codes, fair treatment, awareness training, applicant screening, and honest role models. Detection strategies include monitoring variance reporting systems, internal auditing, compliance auditing, and intelligence gathering. Fraud auditing is creating an environment that encourages the detection and prevention of frauds in commercial transactions. Fraud auditing cannot be reduced to a simple checklist. It is an awareness, in the broadest sense, of many components, such as the human element, organizational behavior, knowledge of fraud, evidence and standards of proof, an awareness of the potentiality of fraud, and an appreciation of so-called red flags.

Fraud prevention within a company would include having in place, and communicating to all employees, an effective corporate code of conduct that should also include conflict-of-interest policy guidelines signed by employees. This will provide a clear understanding of the intent of management and the level of expectations. The company's agreements, especially with its vendors, should contain a clause that allows the company to inspect the vendors' records in the normal course of business.
