Internal Auditors’ Roles and Responsibilities Chapter VIII
Chapter Objectives: • Understand the importance and value-added nature of the internal audit function. • Review the qualities of an effective internal audit department. • Discuss the role of internal auditors as assurance providers and consultants. • Review the trends of the internal auditing profession. • Discuss the relationship of internal audits and the audit committee. • Analyze the determinants of an effective internal audit. • Discuss the professional practices framework (PPF) adopted by The Institute of Internal Auditors (IIA). • Promote the best practices and internal audit framework.
Key Terms Chief audit executive (CAE) Committee of Sponsoring Organizations of the Treadway Commission (COSO) Foreign Corrupt Practices Act (FCPA) of 1977 Institute of Internal Auditors (IIA) Standards for the Professional Practice of Internal Auditing (SPPIA)
Internal Auditing Function and Corporate Governance Comparison of Internal Audit (Pre- and Postcorporate Governance Reforms)
Internal Auditors as Assurance Providers Assurance reports on these measures are currently voluntary, except for the audit report on economic measures (four basis financial statements), but internal auditors are well-trained and positioned to provide numerous assurance services. Internal auditors, in addition to these voluntary assurance services, can assist external auditors in their integrated audit of internal controls and financial statements. (PCAOB Auditing Standard (AS) No. 2, superseded by AS No. 5) Internal auditors may assist management in complying with Section 302 and 404 requirements of SOX by reviewing management’s certifications on internal controls and financial statements or providing some type of assurance on the accuracy of those certifications.
Internal Auditors as Consultants Internal auditors can provide a variety of consulting services to the company’s board of directors, the audit committee, management, and other personnel at all levels. Consulting services to the board of directors and audit committee. Consulting services to management. Internal auditor training services.
Trend and Relevance of Internal Auditors The Foreign Corrupt Practices Act (FCPA) 1977 COSO Report of the National Commission on Fraudulent Financial Reporting (1987) The IIA redefined internal auditing in 1999 SOX Sections 302 and 404(keep in mind that SOX does not directly address internal auditor responsibilities or internal audit function.) The PCAOB in its AS No. 2
Authorities and Responsibilities of Internal Auditors The internal audit function should have (1) full and free access to the company’s audit committee; (2) unrestricted access to the company’s records, documents, property, and personnel; and (3) authority to discuss initiatives, policies, and procedures regarding risk assessment, internal controls, compliance, financial reporting, and governance processes with management and other corporate governance participants.
Internal Audit Outsourcing The decision of whether to establish and maintain an internal audit function or outsource the function should be made by the company’s board of directors and its representatives. The SEC rule permits internal audit outsourcing to the client’s independent auditor in the following areas: 1. Operational internal audits that are not related to internal accounting controls, financial systems, or financial statements. 2. Nonrecurring assessment of discrete items or other programs unrelated to outsourcing of the internal audit function.
Audit Committee Relationship with Internal Audit The audit committee can contribute to the success of internal auditors and the achievement of their value-added activities by ensuring that they have 1. Sufficient independence from management by reporting to and being held accountable to the audit committee 2. Adequate resources, competence, and focus to assess the company’s operational efficiency, internal control effectiveness, ERM, and reliability of financial reports 3. Proper knowledge of the company’s corporate governance, internal control, financial reporting, and audit activities 4. The mechanisms and confidence to bring forward controversial financial reporting issues 5. A process for communicating directly with the company’s audit committee on a regular and timely basis 6. Access to the audit committee to discuss concerns related to management activities, financial reporting risk, and fraudulent financial reporting 7. Audit committee approval of the budget and staffing of the internal audit function.
Internal Auditor’s Role in Internal Control Section 404 Compliance
Institute of Internal Auditors IIA’s Attribute Standard
Institute of Internal Auditors IIA’s Performance Standards
Institute of Internal Auditors Code of Ethics
Determinants of the Effective Internal Auditor Internal Auditors are striving to fulfill their responsibilities by using the best practices. PricewaterhouseCoopers suggests that internal auditors’ best practices should include the following: Build an adequate internal audit staff to support the needs of business Structure the internal audit function on a fluid and flexible framework Design an enterprise wide risk-based audit program. Broaden audit scope to address third-party and vendor risk. Combat fraud by advocating ethical conduct throughout the organization. Manage information systems risk proactively.
Internal Audit Performance Four-phase plan suggested by PCW: Phase 1: Project planning consisting of establishing specific internal audit objectives in line with stakeholder expectations. Phase 2: Value-driver identification, including gathering information about value drivers of internal audit. Phase 3: Current state assessment consisting of reviews and analysis of internal audit core processes, benchmarks, and best practices. Phase 4: Solution development of preparing report findings, observations, and recommendations for improvement in performance
Internal Auditing Education The Institute of Internal Auditors Research Foundation (IIARF) is in the process of establishing the Common Body of Knowledge (CBOK) for internal auditors. The IIA has established the Internal Auditing Education Partnership (IAEP) program to promote internal auditing in colleges and universities in educating the next generation of auditors.
Conclusion The internal audit function of corporate governance provides objective and independent assurance and consulting services designed to add value and improve the company’s sustainable performance in the areas of operations, risk management, internal controls, financial reporting, and government processes. Internal auditors are well trained and positioned to provide numerous assurance services to their organization. The emerging trend toward more emphasis on MBL of governance, economic, ethical, social, and environmental performance requires organizations to provide assurance on a variety of their performance measures and achievements. SOX does not directly address internal auditor responsibilities or internal audit function. The internal audit function should have (1) full and free access to the company’s audit committee; (2) unrestricted access to the company’s records, documents, property, and personnel; and (3) authority to discuss initiatives, policies, and procedures regarding risk assessment, internal controls, compliance, financial reporting, and governance processes with management and other corporate governance participants.
Conclusion A close working relationship between the audit committee and internal auditors can improve the effectiveness of corporate governance. Internal auditors, as an integral component of the organization’s governance, should continue to improve their internal audit quality and effectiveness to secure their position in the corporate governance continuum. The IIA has promoted the role of internal auditors in corporate governance as providing objective and independent assurance and consulting services to their organizations. The IIA has established a PPF, which provides a definition of internal audits, its code of ethics, SPPIA, and development and practice aids.