Internal Auditing
Umair Ali Shah, CIA, ACCA
Corporate Governance
Corporate governance is a term that refers broadly to the rules, processes, or laws by which businesses and organizations are operated, regulated, and controlled.
The term can refer to internal factors defined by the officers, stockholders or constitution of a corporation, as well as to external forces such as consumer groups, clients, and government regulations.
Internal controls are the fundamental building blocks in developing financial systems that are effective and consider potential risks. Internal controls should be purposeful in addressing risks, but should not unnecessarily restrict activities.
The primary objectives of internal controls are:
Preventive and Detective Controls
Controls can be either preventive or detective. The intent of these controls is different.
Preventive controls attempt to deter or prevent undesirable events from occurring. They are proactive controls that help to prevent a loss. Examples of preventive controls are separation of duties, proper authorization, adequate documentation, and physical control over assets.
Detective controls, on the other hand, attempt to detect undesirable acts. They provide evidence that a loss has occurred but do not prevent a loss from occurring. Examples of detective controls are reviews, analyses, variance analyses, reconciliations, physical inventories, and audits.
Both types of controls are essential to an effective internal control system. From a quality standpoint, preventive controls are essential because they are proactive and emphasize quality. However, detective controls play a critical role by providing evidence that the preventive controls are functioning and preventing losses.
Control activities include approvals, authorizations, verifications, reconciliations, reviews of performance, security of assets, segregation of duties, and controls over information systems.
The following elements define proper internal controls. When developing local controls, a thorough understanding of the process as well as the potential risks is necessary. The documentation and training of policies and procedures are also key follow-up steps.
Information should be clearly and accurately reported and readily available for all that need it to make decisions or to assess organizational or programmatic performance.
Offices can reduce the chance for errors or fraud if procedures are simple, clear, documented and well communicated.
Accountability should be ensured at all levels of authority.
Physical assets should be protected from harm or misuse.
The benefits derived from internal controls should be proportional to their cost as well as the potential risk they are designed to address.
The following concepts and practices comprise a basic list of internal controls that field offices should consider when developing local procedures or assigning roles and responsibilities.
Definition of Internal Auditing
The Definition of Internal Auditing states the fundamental purpose, nature, and scope of internal auditing.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
There are several types of internal audits: financial audit, operational audit, management audit, compliance audit, IS audit and investigation audit. Each audit has a different purpose and characteristics.
Financial Audit
The purpose is to express an opinion on financial condition based on analysis, comparisons and tests of accuracy. Its scope is the financial records. The expected result of this audit is an opinion on the accuracy and reliability of the financial statements.
Operational Audit
The purpose is to analyze and improve methods of operations and performance. Its scope is the operational activities of a unit or department. The expected result of this audit is recommendations to management for the improvement of operations.
Management Audit
The purpose is to review and evaluate business and management issues to enhance profitability. Its scope is the business support activities of a unit or the entire organization. The expected result of this audit is an opinion on strategic issues, with recommendations or solutions.
Compliance Audit
The purpose is to express an opinion as to adherence to internal policies, regulatory rules and requirements, and applicable laws. Its scope is the specific aspects of operations and business. The expected result of this audit is immediate rectification and compliance thereafter.
IS/IT Audit
The purpose is to audit the computer systems and the provision and management of information. Its scope is technical reviews of computer systems and their peripherals. The expected result of this audit is recommendations on computerization and information-systems-related matters.
Investigation Audit
The purpose is to audit in depth into irregularities such as misappropriation of the bank's assets or reported fraud or allegations. Its scope is the area specified, to determine the modus operandi. The expected result of this audit is a conclusion on the findings, with recommendations to prevent recurrence.
Internal auditors are expected to apply and uphold the following principles:
The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
1.1. Shall perform their work with honesty, diligence, and responsibility.
1.2. Shall observe the law and make disclosures expected by the law and the profession.
1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.
1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.
Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgment.
2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.
2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment.
2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.
Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.
3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.
Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.
4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience.
4.2. Shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing.
4.3. Shall continually improve their proficiency and the effectiveness and quality of their
Duties and responsibilities of Internal Auditor
Risk is a concept used by auditors and managers to express concerns about the probable effects of an
Control mitigates risk:
Perform Research on Area under Audit
Research is important for understanding, but we must be able to recognize when “enough is enough”
Research helps us define the historical issues, current issues, marketing issues, pervasive risks, personnel issues, and future issues.
Prepare Your Hypothesis
1. The activity is operating normally
What is = What should be
2. The activity is not operating as it should in some significant way
What is ≠ What should be
3. Some value in between
There are minor differences between What is and What should be
Send Engagement Memo
Automated Work Papers provide
* Background & Scope Document
* Audit Point Sheet
1. Audit Strategy/ Audit Scope & Objective.
2. Creation of Risk Based Work Papers
3. Collection of basic reference materials (flow
4. Determination of tests needed
5. Sample Design
6. Preparation of meeting agendas
7. Follow-up on information gleaned/re-direction
8. Documentation of test results and conclusions.
9. Creation of Audit Point Sheets.
10. Audit Report
Best practices include:
and report writing.
Audit Point Sheet
Reports are important because they:
assessments of operations and corrective action.
The control aspect of auditing is not complete until corrective action is taken (or the risk formally assumed by senior
Effective statements of corrective action