
AUI4861/203/0/2012

Tutorial Letter 203/0/2012


Practice of Internal Auditing

AUI4861 Semester 2
Department of Auditing
This tutorial letter contains important information about your module.



CONTENTS
1 BRIEFING
2 KEY TO ASSIGNMENT 03/2012 (SECOND SEMESTER)
3 GENERAL COMMENTS


BRIEFING
The key to the assignment serves only as a guideline concerning the structure and content of your assignment answers, and should not be regarded as a model answer to the questions. You should always remember that internal auditors provide value-added services to others in a dynamic, complex, expanding and constantly changing business environment. You need to develop the ability to acquire lifelong learning skills, to think critically (i.e. to grasp the meaning of complex concepts and principles), and to evaluate these concepts and principles and apply them to specific issues.

Please note: As postgraduate students in Internal Auditing, you are expected to be familiar with the content of the Internal Auditing course material you received at undergraduate level. In order to do well in the assignments and examinations, you will need to consult the study material and textbooks that were prescribed for your undergraduate studies. However, given the dynamic nature of internal auditing, textbooks frequently become outdated. We therefore encourage you to read widely on the subject and to refer to internet sources to supplement your studies.

We expect your answers at postgraduate level to be well planned and logically presented. Depending on the nature of the question, your answers should consist of an introduction, content and a summary or conclusion. The content should be well structured, with headings and subheadings to facilitate effective communication. Please ensure that you present the information gathered from your prescribed material and other research material, together with your own comments and conclusions, systematically. We require you to demonstrate that you have studied the relevant literature independently. The content dealt with in the body of your answer must focus on the essence of the question, and the scientific and academic quality of your answer should be at an advanced level.

In this regard, please note that an effective assignment answer requires more than a mere reproduction of information sourced elsewhere. You are required to demonstrate that you are able to apply the information sourced in the context of the question posed by interpreting it and commenting on its applicability. We require you to include source references in your assignment answers and to supply a bibliography. You will earn NO MARKS for work simply reproduced from other sources without due acknowledgement. Although this is not a specific requirement in the examination, conforming to academic standards as far as content and presentation are concerned is of the utmost importance.

Regards
AUI 4861 Lecturer


KEY TO ASSIGNMENT 03/2012 (SECOND SEMESTER)


28 marks

QUESTION 1

1.1 Two most important requirements for auditor independence and the checklist to test the independence of the internal audit activity (12)

Reference: Learning Units 1 and 4.2
Attribute Standards 1100, 1110 and 1120

The internal audit activity should be able to perform their work free from any interference from within the organisation. The Chief Audit Executive (CAE) should have a direct reporting line to the board of directors and to the Chief Executive Officer (CEO) for administrative issues in order to facilitate organisational independence. (1)

The internal audit activity should have an unbiased mental attitude that allows them to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. (1)

Checklist for independence of internal audit activity (Yes/No)

Independence
Does the Chief Audit Executive (CAE) have direct and unrestricted access to the senior management and the board? (1)
Does the CAE report functionally to the board? (1) This is to ensure organisational independence. For example:
Was the board responsible for the approval of the internal audit charter? (1)
Was the board responsible for the approval of the risk-based internal audit plan? (1)
Was there sufficient communication from the CAE on the internal audit activity's performance relative to its plan and other matters? (1)
Was the board responsible for the approval of the current CAE? (1)
Did the CAE report to the board on the IAA's organisational independence for this year? (1)

Objectivity
Were any internal auditors involved in operational functions of the organisation? (1)
Were any internal auditors involved in the drafting of procedures for systems, or in the design, installation or operation of systems? (1)
Were any internal auditors involved in assurance services of activities for which they were responsible within the previous year? (1)
Is staff assignment rotated periodically? This is to ensure that potential and actual conflicts of interest and bias are avoided. (1)
Have any internal audit staff members reported situations indicating a possible conflict of interest? If so, was proper follow up taken and if needed, was the relevant staff member removed from the particular assignment? (1)

(Marks as indicated - maximum 12 marks)

Comments on question 1.1
The question requires a checklist to assess the independence and objectivity of the IAA. Therefore compliance with the IPPF Standards relating to independence should be documented. Since a checklist format was also required, the answer (IPPF Standards requirements) should have been documented in a question type format.

1.2 Memorandum to the board of directors regarding the King Report recommendation on corporate governance (11)

Reference: Learning Unit 2.2
King III Principles 2.16, 2.18 and 3.3

To: The Board of Directors
From: The Internal Audit Manager
Date: 02 March 20XX (1)

THE KING REPORT ON CORPORATE GOVERNANCE RECOMMENDATIONS ()

a) Composition requirement of board of directors as per King III Report on Corporate Governance (3)
The board should elect a chairman of the board who is an independent non-executive director. (1)
The Chief Executive Officer (CEO) of the company should not also fulfill the role of chairman of the board. (1)
The board should comprise a balance of power, with a majority of non-executive directors. (1)
The majority of non-executive directors should be independent. (1)

b) The current board's deviation from the King recommendations (6)
1. Jurie Meyer is both the CEO and the chairperson of the board of directors. This will influence the independence of the board. (1) The King report states that where the roles of the chairperson and the chief executive officer are combined, a lead independent director should be appointed. (1)
2. Four of the six members of the board are involved in the day-to-day running of the business and are also family members. (1) Therefore they are not independent or non-executive. (1) Two external members (i.e. the only external members) are close friends of the management of the company. (1) This will influence the independence of the board. (1) The King report recommends a balance of power, preferably with a majority of non-executive directors, the majority of whom should be independent from management so that the shareholders' interests can be protected. (1)

________________________________
Signed: Internal Auditor ()

Comments on question 1.2
This question tests your knowledge of board composition requirements according to King III Report specifically. It is important that you study the King III Report to be able to explain concepts and apply them to practical scenarios.

1.3 Responsibility for risk management and disclosure requirements thereof (5)

Reference: Learning Unit 2.2
King III Report Principle 4.1

Risk management is the responsibility of the board of directors. (1)
The board should delegate to management the responsibility to design, implement and monitor the risk management plan (management is accountable for integrating risk in the day-to-day activities of the company). (1)

Risk management matters that should be disclosed by the board include the following:
The board should disclose how it has satisfied itself that risk assessments, responses and interventions are effective. (1)
The board's responsibility for risk governance should be documented in its board charter and supported by induction and training processes for all board members. (1)
The roles and responsibilities of risk management should be disclosed in the company risk management policy. (1)
The board should ensure that there are processes in place enabling complete, timely, relevant, accurate and accessible risk disclosure to stakeholders. (1)
Undue, unexpected or unusual risks should be disclosed in the integrated report. The board should disclose its view on the effectiveness of the risk management process in the integrated report. (1)

(1 mark each - maximum of 5 marks)

Comments on question 1.3
This question tests your knowledge of risk management according to King III specifically. It is theoretical, but it is important that you study the King III Report on Corporate Governance (2009) and are able to explain concepts and factors accordingly.

QUESTION 2

Reference: Learning Unit 3.1
How to Employ an Internal Auditor: A Guide to Resourcing For Internal Audit
Internal Auditing Handbook. KH Spencer Pickett pp 780-788

15 marks


2.1 Outsourcing and in-sourcing of the internal audit function (9)

Arguments in favour of outsourcing the internal audit activity (IAA)
1. Outsourced service providers frequently have access to advanced technologies, leading-edge methodologies and comprehensive knowledge bases, which may be beyond the financial or technical reach of an in-house department. (1)
2. External service providers can add a fresh perspective to internal auditing processes; they often see improvement opportunities not seen by insiders. (1)
3. Outsourced internal auditors may be more independent and unaffected by office politics and, therefore, may discharge their responsibilities more effectively. (1)
4. By outsourcing the IAA the organisation will pay only for the services they utilised. Therefore, costs become a variable instead of a constant (that is the company pays for what it needs and uses). (1)
5. Using outside contractors (especially multinational service providers) can provide greater flexibility, especially for a company that is geographically dispersed. (1)

Arguments in favour of an in-house internal audit activity (IAA)
1. In-house staff is always available in case of ad-hoc, urgent requests from management. By having an in-house IAA, the company's accountability is enhanced as issues are attended to on a regular basis. (1)
2. In-house IAAs provide an extremely good training ground for future senior management. This is because internal auditors gain a broad understanding of all the entity's operations and risk exposures. This makes for very effective management succession planning. (1)
3. In the case of an in-house IAA, the audit documentation is kept on-site. This minimises the risk of losing valuable company information. (1)
4. In-house IAA also allows for the flexibility to change audit focus within a changing risk environment. (1)
5. Internal audit staff are paid salaries instead of being paid an hourly rate (as in the case with outsourced internal auditors); therefore, staff costs can be forecasted. (1)

(1 mark per valid argument, with a maximum of 9 marks. There should be a balance of at least 3 arguments for each option.) Comments on question 2.1 This question focused on the different types of internal audit activity. You were expected to evaluate the advantages of each option.


2.2 Recommendation to Mr Sebola (6)

The company is relatively new and can benefit significantly from established outsourced internal audit providers, as they can bring in the best practice experiences learnt elsewhere. Owing to the size of the company, it will be compelled to establish a one-person or two-person internal audit activity, and it will therefore be difficult to build internal audit expertise. The company can save money, as it will not incur the cost of training internal auditors. The cost of outsourced internal audit service is variable and not constant. The external service providers will be able to cover a broader scope of work, such as operational audits, information system audits and forensic audits, whereas a small in-house activity may not. Top management will be released to focus on key business activities while they are growing the business. Management will not have to deal with internal audit staff issues such as payroll administration. The independence and administration of the internal audit activity may be compromised in a small organisation, as there are no proper governance structures in place. Outsourced internal audit providers may be more independent and not be affected by office politics.

(1 mark per valid point - maximum 6 marks)

Comments on question 2.2
This question asked you to evaluate which internal audit activity type will be suitable for the relevant case study. Using the guidance offered in the study guide and the IIA article you should be able to consider the issues (for example the phase in the business life cycle, size and complexity), and determine which IAA type is the best option for Kgosi (Pty) Ltd.

QUESTION 3

15 marks

References: Learning Unit 5
Sawyer pp 156-157
Internal Auditing Handbook. KH Spencer Pickett pp 838 - 858

3.1 Steps to ensure a successful interview

a) Preparing ()
Learn as much as you can about the auditee before the interview. Whatever the interview, it is always useful to do some background work related to the particular topic. (1)
Determine the objective of the interview and prepare questions that are calculated to achieve those objectives. (1)
Prepare a checklist of areas to cover; it is a way of thinking through the information gathering process beforehand. (1)

b) Scheduling ()
Set convenient dates and times. (1)
Do not drop in uninvited unless it is a legitimate surprise audit of cash, securities, suspected fraud or the like. Call the interviewee to arrange for a mutually acceptable time and place. (1)


c) Opening ()
Tell the interviewee honestly what the purpose of the interview is and how the results will be used. (1)
Set the tone of the interview, which should normally be open, friendly and positive. (1)
Make sure the interviewee understands that conversations alone rarely result in reportable findings; those will be the product of audit fieldwork. Invite feedback on the audit objective and explain how the interview fits into the audit process. (1)

d) Conducting ()
If the auditor has a know-it-all attitude, the auditee will see no reason to provide information. If the auditee perceives the auditor as one who will twist his/her words, he/she may be reluctant to speak and therefore not create a supportive atmosphere. (1)
Learn about the interviewee's background. This step will help avoid presenting information in a way that won't be understood or will appear to be patronising. Avoid prejudicial or biased statements, as intemperate or insensitive remarks can abruptly block the communication channel. (1)
Ask the questions and direct the interviewee to the key issues without restricting the responses. (1)

e) Closing ()
Don't drag out the interview. Look for non-verbal signs that the interviewee has had enough. ()
Run through matters dealt with during the interview and clear up any uncertainty. (1)
Try to end the interview on a positive note by summarising agreements or recognising laudable actions. If not all significant questions have been asked, schedule another meeting. (1)
Ask for any questions; there should be a stage where the interviewee is allowed to reflect on what has been said and ask general questions. ()
In concluding the interview, the interviewer should explain what will happen from that point onwards. ()

f) Recording ()
An unrecorded interview is a waste of time. Auditors will have to use techniques to capture, as soon as possible, what was said and what they learnt in an interview. (1)

(Maximum 9 marks)

Comments on question 3.1
This is a purely theoretical question and as an internal auditor, you should practise these steps to ensure successful interviews in your career.

3.2 Interview steps contravened

a) Recording ()
The auditors keep requesting information that they should already have on record. An unrecorded interview is a waste of time. Research tells us that, within 24 hours, we will forget 50% of what we have heard. In two weeks we will forget another 25%. (1)

b) Scheduling ()


Piet does not make appointments with the client. Courtesy and common sense require him to call the interviewee, ordinarily to arrange for a mutually acceptable time and place. (1)

c) Conducting ()
Ephraim interrupts the interview process by answering his cellphone in the middle of the interview. Physical noise or distraction can ruin an interview. (1)

d) Preparation ()
Ephraim and Piet demonstrated to the client that they don't know her department well. Piet and Ephraim should have learnt as much as possible about the auditee before the interview. (1)

(Marks as allocated - maximum 6 marks)

Comments on question 3.2
In this practical question, you need to explain how the steps were contravened. By just stating the relevant step contravened, you cannot expect full marks.

QUESTION 4
4. CAE's responsibilities

40 marks

Reference: Learning Unit 4
IPPF Standards as listed below

IIA Standard 2000 (Managing the Internal Audit Activity) and Practice Advisory 2010-1 require the CAE to develop a charter for the internal audit activity; to set goals, work schedules, staffing plans, financial budgets and activity reports; (1) to draft written policies and procedures; to develop the internal auditing activity's human resources; (1) and to maintain a quality assurance programme. It is suggested that the CAE should draft a statement of authority and responsibility for his/her role and have it approved by the board and the audit committee. (1)

The CAE's statement of authority and responsibility should include the following:

1. Authority ()
The CAE is authorised to direct a broad, comprehensive programme of internal auditing within the organisation. Internal auditing examines and evaluates the adequacy and effectiveness of the systems of management control supplied by the organisation to direct its activities toward the accomplishment of its objectives in accordance with organisational policies and plans. In accomplishing these activities, the CAE and members of the audit staff are authorised to have full, free and unrestricted access to all organisation functions, records, property and personnel. (2)

2. Responsibility ()
The CAE is responsible for:
establishing policies for the auditing activity and directing its technical and administrative functions. (1)
developing and executing a comprehensive audit programme for the evaluation of management controls over all organisational activities. (1)
examining the effectiveness of all levels of management in their stewardship of organisational resources and their compliance with established policies and procedures. (1)
recommending improvement of management controls designed to safeguard organisational resources, promote organisational growth and ensure compliance with government laws and regulations. (1)
reviewing procedures and records for their adequacy to accomplish intended objectives and appraising policies and plans relating to the activity or function under audit review. (1)
authorising the publication of reports on audits, including recommendations for improvement. (1)
appraising the adequacy of operating management's actions to correct reported deficient conditions; accepting adequate corrective action; continuing reviews with appropriate management personnel on action the chief audit executive considers inadequate until there has been a satisfactory resolution of the matter. (1)
conducting special audits as requested by management, including the reviews of representations made by persons outside the organisation, and acting in a consulting capacity relative to the above areas of responsibility. (1)

Bearing in mind that the IIA Standards are mandatory, specific responsibilities of the CAE with regard to the IIA Standards are as follows:

1000 (Purpose, Authority, and Responsibility) The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval. (1)
1010 (Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter) The chief audit executive should discuss the Definition of Internal Auditing, the Code of Ethics, and the Standards with senior management and the board. (1)
1100 (Independence and Objectivity) The chief audit executive should carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board. (1)
1110 (Organisational Independence) The chief audit executive must report to a level within the organisation that allows the internal audit activity to fulfil its responsibilities. The chief audit executive must confirm to the board, at least annually, the organisational independence of the internal audit activity. (1)
1111 (Direct Interaction with the Board) The chief audit executive must communicate and interact directly with the board. (1)
1210 (Proficiency)
1210.A1: The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement. (1)
1210.C1: The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement. (1)
1300 (Quality Assurance and Improvement Programme) The chief audit executive must develop and maintain a quality assurance and improvement programme that covers all aspects of the internal audit activity. (1)
1312 (External Assessments) The chief audit executive must discuss with the board:
o the need for more frequent external assessments; and (1)

o the qualifications and independence of the external reviewer or review team, including any potential conflict of interest. (1)
1320 (Reporting on the Quality Assurance and Improvement Programme) The chief audit executive must communicate the results of the quality assurance and improvement programme to senior management and the board. (1)
1321 (Conforms with the International Standards for the Professional Practice of Internal Auditing) The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement programme support this statement. (1)
1322 (Disclosure of Non-conformance) When non-conformance with the Definition of Internal Auditing, the Code of Ethics or the Standards affects the overall scope or operation of the internal audit activity, the chief audit executive must disclose the non-conformance and its effect to senior management and the board. (1)
2000 (Managing the Internal Audit Activity) The chief audit executive must effectively manage the internal audit activity to ensure that it adds value to the organisation. (1)
2010 (Planning) The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organisation's goals. (1)
2010.C1: The chief audit executive should consider accepting proposed consulting engagements based on the potential of the engagement to improve management of risks, add value, and improve the organisation's operations. Accepted engagements must be included in the plan. (1)
2020 (Communication and Approval) The chief audit executive must communicate the internal audit activity's plans and resource requirements, including significant interim changes, to senior management and the board for review and approval. The chief audit executive must also communicate the impact of resource limitations. (1)
2030 (Resource Management) The chief audit executive must ensure that internal audit resources are appropriate, sufficient and effectively deployed to achieve the approved plan. (1)
2040 (Policies and Procedures) The chief audit executive must establish policies and procedures to guide the internal audit activity. (1)
2050 (Coordination) The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimise duplication of efforts. (1)
2060 (Reporting to Senior Management and the Board) The chief audit executive must report periodically to senior management and the board on the purpose, authority, responsibility, and performance of the internal audit activity relative to its plan. (1)
2330 (Documenting Information)
2330.A1: The chief audit executive must control access to engagement records. He/She must obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate. (1)
2330.A2: The chief audit executive must develop retention requirements for engagement records, regardless of the medium in which each record is stored. (1) These retention requirements must be consistent with the organisation's guidelines and any pertinent regulatory or other requirements. (1)
2330.C1: The chief audit executive must develop policies governing the custody and retention of consulting engagement records, as well as their release to internal and external parties. (1) These policies must be consistent with the organisation's guidelines and any pertinent regulatory or other requirements. (1)
2340 (Engagement Supervision) The chief audit executive has the overall responsibility of supervising the engagement, whether performed by or for the internal audit activity, but may designate appropriately experienced members of the internal audit activity to perform the review. (1)
2421 (Errors and Omissions) If a final communication contains a significant error or omission, the chief audit executive must communicate corrected information to all parties who received the original communication. (1)
2440 (Disseminating Results) The chief audit executive must communicate results to the appropriate parties. (1)
2440.A1: The chief audit executive is responsible for communicating the final results to parties who can ensure that the results are given due consideration. (1)
2440.A2: If not otherwise mandated by legal, statutory, or regulatory requirements, prior to releasing results to parties outside the organisation the chief audit executive must assess the potential risk to the organisation; consult with senior management and/or legal counsel as appropriate; and control dissemination by restricting the use of the results.
2440.C1: The chief audit executive is responsible for communicating the final results of consulting engagements to clients. (1)
2500 (Monitoring Progress) The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management. (1)
2500.A1: The chief audit executive must establish a follow-up process to monitor whether and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action. (1)
2500.C1: The internal audit activity must monitor the disposition of results of consulting engagements to the extent agreed upon with the client. (1)
2600 (Resolution of Senior Management's Acceptance of Risks) When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organisation, the chief audit executive must discuss the matter with senior management. (1) If the decision regarding residual risk is not resolved, the chief audit executive must report the matter to the board for resolution. (1)

(1 mark per valid point - maximum of 40 marks)

Comments on question 4
This is a theory-based question on the responsibilities of the CAE. Therefore knowledge of the IPPF Standards is required here.

QUESTION 5

25 marks

5. Actions to promote consistency, quality and competencies in internal audit work

Reference: Learning Unit 4
Spencer Pickett (2000), "Developing internal audit competencies", Managerial Auditing Journal, Vol. 15 Issue 6, pp. 265-278

Actions the management of the internal audit department can take to promote consistency and quality in the work of its professional employees, in addition to providing a uniform technical audit manual:

Develop and secure top management approval of a charter which delineates duties, responsibilities, and authority of the internal audit (IA) department. (1)



Develop a formal training and development (T&D) strategy that is designed to develop highly skilled auditors and tackle all defined weaknesses in the internal audit staff. (1)
Employ only persons who have the technical, educational, and professional qualifications required for the company's long term audit plan. (1)
Utilise the audit review process to develop the auditors and isolate and identify training needs. (1)
Utilise the performance appraisal system to help isolate training gaps. (1)
Ensure that each auditor has a documented personal development plan that involves exposure and training to different aspects and areas of audit work. (1)
Regular reviews of these individual development plans should be performed to ensure that the required exposure and training has taken place and any further training needs have been included. (1)
Implement regular in-house workshops in which new developments, for example changes in any required legislation or International Professional Practices Framework (IPPF), can be presented to the staff. (1)
Conduct workshops where some of the senior auditors present the workshop session. (1)
Some useful topics such as audit techniques used during audits, the knowledge and attitudes that support the way these techniques may be mastered should be presented. Also consider presenting workshops on soft skills. (1)
Insist that internal auditors be aware of, understand, and work in compliance with the Standards for the Professional Practice of Internal Auditing and Code of Ethics as promulgated by The Institute of Internal Auditors. (1)
Develop an orientation/induction program for new employees. (1)
Encourage and support staff to participate in continuing development programmes and to pursue advanced degrees. (1)
Encourage and support staff to participate in IIA chapter activities and seminars. (1)
Encourage and support staff to participate in gaining appropriate certification as a means of demonstrating professional competence. (1)
Install a quality assurance programme including both internal and external independent reviews and evaluations. (1)
Ensure consideration of the control models such as COSO and CoCo, which provide useful frameworks of internal control that have been internationally accepted. (1)
An important development for internal auditors is their role in three main areas, which are to help managers assess business risk; to help managers to respond to results of this risk assessment and to then provide assurances to the audit committee on where the organisation stands in respect of risk management. (1)
To assist internal auditors to effectively perform these roles, training in the following skills should be encouraged:
o Encourage facilitation skills to assist managers assess business risk. (1)
o Encourage creative problem solving skills to assist management respond to and decide on the result of the risk assessment and decide on appropriate actions to follow. (1)
o Encourage presentation skills in providing assurance to the audit committee on where the organisation stands in respect of risk assessment. (1)

- Ensure that staff is adaptable and creative so as to be able to operate in dynamically changing environments, which require real time responses to real time issues. (1)
- Develop an in-house training program. (1)
- Implement a training room that is equipped with suitable facilities for successful in-house training events. (1)

- Invest in relevant CDs, publications and journals to promote continuing research and development. Management should encourage the staff to regularly utilise these materials. (1)

(1 mark per valid action - maximum of 25 marks)

Comments on question 5

The scenario states that a uniform audit manual has been implemented; therefore no marks will be awarded for recommendations on implementation of an audit manual. You have to do some research on further actions management can take to ensure the consistency, quality and competencies of the internal audit staff.

QUESTION 6

6. Performance measures to evaluate the quality of the Internal Audit Activity

25 marks

Reference: Learning Unit 4
Ziegenfuss, DE. 2000. Developing an internal auditing department balanced scorecard. Managerial Auditing Journal 15(1):12-19.
Chen JF, Lin WY. 2011. IIA's Global Internal Audit Survey: A Component of the CBOK Study - Measuring Internal Auditing's Value

Please note: Students are required to provide the answer in a PowerPoint template and marks will be awarded for use of proper layout. However, for marking purposes, the solution was made as detailed as possible. A PowerPoint presentation will usually have bullet points as opposed to paragraphs.

The value of an internal audit activity is determined by its usefulness to the organisation. (1)
The usefulness of internal audit (IA) services is reflected by the activity's perceived contribution, which is affected by many factors, including organisational characteristics, the internal audit activity's characteristics, performance measurement of the internal audit activity and the internal audit services performed. (1)
With regard to quality assurance, Douglas E. Ziegenfuss (2000: 12 - 19) states that the Chief Auditing Executive (CAE) is responsible for establishing and monitoring a quality assurance program to ensure his or her department meets its mission and complies with the Institute of Internal Auditors' professional standards. (1)
Alongside such traditional elements as supervision, internal reviews, and external reviews, monitoring and benchmarking key performance measures have come to be recognised in recent years as the fourth element of quality assurance. (1)
The key issue facing the CAE is to select performance measures that accurately reflect the IA department's performance and the department's progress in meeting its mission and objectives. (1)
The case deals with applying a Total Quality Management (TQM) approach to the Internal Audit function. The key element of TQM was the use of performance measures to track quality and benchmark with other IA departments. (1)

The balanced scorecard methodology can be used to help IA departments measure their performance. The Balanced Scorecard supplements the traditional financial measures with three new perspectives: those of customers, internal business processes and learning and growth. (1)

1. In terms of the financial perspective, the question should be posed, "To succeed financially, how do we appear to our stakeholders?" For the IA department, the stakeholders are ultimately the organisation's owners, audit committee and senior management. Therefore performance measures for this perspective should relate to the quality of the relationship between the audit committee, senior management and the IA department. In addition, measures relating to the IA department's use of resources should be reviewed. (2)

Possible performance measures:
- CAE reporting relationship functional ()
- CAE meets privately with audit committee ()
- Role of internal auditing as viewed by the audit committee or auditee ()
- Customer/auditee survey results ()
- Management expectations of internal auditing ()
- Number of management requests ()
- Number of complaints about the audit ()

The concern here is that auditors will eliminate negative findings or weaken the findings in exchange for favourable ratings. If used properly, however, this could be a very effective measure of audit quality. (1)

2. The customer perspective asks the question, "To achieve our vision, how should we appear to our customers?" For internal auditors, the customers are essentially the managers of the departments being audited. Consequently, performance measures for this perspective should relate to auditee managers' evaluations of audits performed in their area. (2)

Possible performance measures:
- Customer satisfaction survey results ()
- Role of IA, as viewed by the auditee ()
- Management expectations of IA ()
- Number of management results ()
- Number of complaints about audit ()

3. The learning and growth perspective asks the question, "To achieve our vision, how will we sustain our ability to change and improve?" Does the IA department have the knowledge, skills and abilities to constantly reinvent itself in the constantly changing business environment? Performance measures should relate to knowledge, skills and abilities of the audit staff. (2)

Possible performance measures:
- Auditor education levels ()
- Staff turnover rate ()
- Percent of certified staff ()

- Average years of audit experience ()
- Training hours per internal auditor ()

4. The last perspective is the internal business review perspective. It asks the question, "To satisfy our stakeholders and customers, what types of audits should the IA department perform and what results should be forthcoming from those audits?" (1)

Possible performance measures:
- Types of audit reviews ()
- External quality assurance reviews ()
- Actual hours versus budgeted hours ()
- Completed versus planned audits ()
- Number of major audit findings/recommendations ()
- Number of process improvements ()
- Percent of audit recommendations implemented ()
- Amount of audit savings ()
- Average response time to management requests ()
- Cost savings as a percent of total budget ()
- Days from end of fieldwork to report issuance ()

The concern here is that easy audit findings may be proposed. ()

The IA department should use these performance measures to assess its usefulness to the organisation. With favourable results, it can present them to the organisation as evidence of its success. However, it would be preferable to provide management with the results of the unfavourable performance measures and show management how it plans to improve on those performance measures. (2)

In conclusion, adopting the Balanced Scorecard methodology has provided some key lessons concerning performance issues. Firstly, performance measures should not be selected and evaluated individually; rather they should be tied to the IA department's mission and goals. Secondly, the IA department's performance should be evaluated based on the financial, customer, learning and growth, and internal business process perspectives. Lastly, key parties both outside and inside the IA department should participate in the process of selecting performance measures. (2)

Marks allocation
Layout                                         2
Introduction - TQM concepts                    4
Performance measures of quality and concerns  16
Reference                                      3
Total                                         25

Comments on question 6

In this discussion question, proper research should be done on suitable performance measures that the IA department can utilise to assess its usefulness to the organisation.

GENERAL COMMENTS

The important principle in answering an examination paper is to ensure that you read and understand the questions properly. Do not think you recognise the question from an assignment or a previous examination paper and then quickly jot down an answer. Read the question carefully, think about it and then start writing your answer. Make sure you know the Standards and King III. As a postgraduate student, your experience in internal auditing and additional research on these study topics will assist you in passing the examination.
