
needed to excel as an internal auditor and the various internal audit opportunities that interested, competent individuals can pursue.

1-4 INTERNAL AUDITING: ASSURANCE & ADVISORY SERVICES

What an organization wants to achieve.

Evaluating and Improving the Effectiveness of Risk Management, Control, and Governance Processes

An organization cannot achieve its objectives and sustain success without effective risk management, control, and governance processes. These processes are complex and interrelated; an in-depth discussion of them at this point would be premature. They are covered extensively in later chapters.

Objectives

Understandable and measurable business objectives represent achievement targets and, accordingly, establish parameters for evaluating actual achievements over time. From an internal auditor's perspective, business objectives provide a foundation for defining engagement objectives (in other words, what the internal auditor wants to achieve). The direct link between business objectives and internal audit engagement objectives sets the stage for internal auditors to help the organization achieve its objectives. This is an important concept that will be emphasized throughout the text. Exhibit 1-2 illustrates a set of business objectives and corresponding internal audit engagement objectives.

| Category | Business Objectives | Audit Engagement Objectives |
|---|---|---|
| Strategic | Grow the organization's market share by acquiring complementary businesses. | Ensure that the information management uses to decide whether to acquire Company X is accurate, complete, and valid. |
| Operations | Ship all orders no later than 48 hours after receiving the orders. | Determine whether orders are, in fact, being shipped within 48 hours of receipt. |
| Reporting | Record only valid sales transactions. | Verify the design adequacy and operating effectiveness of control activities put in place to ensure that recorded sales actually occurred (in other words, recorded sales reflect the transfer of ownership of goods shipped to customers). |
| Compliance | Comply with Occupational Safety and Health Administration (OSHA) regulations. | Determine that policies and procedures established to ensure compliance with OSHA regulations are well understood, documented, and communicated. |

EXHIBIT 1-2: ILLUSTRATIVE BUSINESS AND AUDIT ENGAGEMENT OBJECTIVES

INTRODUCTION TO INTERNAL AUDITING

The primary purpose of internal consulting services is to provide advice and other assistance, generally at the specific request of engagement customers.

The primary purpose of internal assurance services is to assess evidence relevant to subject matter of interest to someone and provide conclusions regarding the subject matter. The internal audit function determines the nature and scope of assurance engagements, which generally involve three parties: the auditee directly involved with the subject matter of interest, the internal auditor making the assessment and providing the conclusion, and the user relying on the internal auditor's assessment of evidence and conclusion.

Assurance and Consulting Activity Designed to Add Value and Improve Operations

Assurance and consulting engagements differ in three respects: the primary purpose of the engagement, who determines the nature and scope of the engagement, and the parties involved. The terms used to refer to these parties vary widely. Hereafter, auditee is used to denote the people subject to assessment in an assurance engagement and customer is used to denote the people seeking services in a consulting engagement.

All three processes focus on the achievement of the organization's objectives. Whereas the board of directors is responsible for conducting the governance process, management is responsible for conducting the risk management and control processes. The term conducting here means guiding or leading the process as opposed to unilaterally performing or completing the steps in the process. The board and management need each other to effectively implement governance, risk management, and control. They also need the internal audit function, which plays a prominent role in evaluating and improving these processes. However, the internal audit function's responsibility stops well short of actually guiding or leading governance, risk management, and control. Chapter 3, "Governance," chapter 4, "Risk Management," and chapter 6, "Internal Control," discuss in detail the internal audit function's responsibilities in these areas.

Control, which is embedded in risk management, is the process conducted by management to mitigate risks to acceptable levels.

Risk management, which is closely interlinked with governance, is the process conducted by management to understand and deal with uncertainties (risks and opportunities) that could affect the organization's ability to achieve its objectives.

Hereafter, risk is used when referring to the possibility that an event will occur and negatively affect the achievement of objectives (for example, employee fraud) and opportunity is used when referring to the possibility that an event will occur and positively affect the achievement of objectives (for example, introducing a new product).

Simple definitions are provided here to facilitate thinking about the various roles internal auditors might play in evaluating and improving these processes. Governance provides a good starting point because it is generally viewed as the broadest of the three. Governance is the process conducted by the board of directors to authorize, direct, and oversee management toward the achievement of the organization's objectives.


Planning the engagement involves, among other activities:

• Obtaining an understanding of the auditee or customer. An internal auditor cannot provide value-adding assurance or consulting services to an auditee or customer that is not well understood.

A Systematic and Disciplined Approach: The Engagement Process

To truly add value and improve operations, internal assurance and consulting engagements must be performed in a systematic and disciplined manner. The three fundamental phases in the internal audit engagement process are planning the engagement, performing the engagement, and communicating engagement outcomes. These three phases are introduced in chapter 12, "Introduction to the Engagement Process," and covered in depth in chapter 13, "Conducting the Assurance Engagement," chapter 14, "Communicating Assurance Engagement Outcomes and Performing Follow-Up Procedures," and chapter 15, "The Consulting Engagement." However, a brief overview is provided here.

Objectivity means that an auditor is able to make impartial, unbiased judgments. To ensure objectivity, internal auditors should not involve themselves in day-to-day operations, make management decisions, or otherwise put themselves in situations that result in actual or potential conflicts of interest. For example, if an individual moves into the internal audit function from another area of the organization, the internal auditor may not provide assurance services to that area for one year (Standard 1130.A1-1). The reasoning behind this policy is that the internal auditor would be put in a position of auditing his or her own work. Chapter 2 goes into greater depth on the subjects of independence and objectivity.

For the internal audit function to be independent, the CAE must report to a level within the organization that has sufficient authority to ensure broad engagement coverage, due consideration of engagement outcomes, and appropriate responses to those outcomes. While the CAE often reports administratively to the organization's CEO, The IIA recommends that the CAE report functionally to the organization's board of directors (Implementation Guide 1110).

Independence and Objectivity

The IIA's Code of Ethics and International Standards for the Professional Practice of Internal Auditing, both of which will be discussed in greater detail later in this chapter and in chapter 2, "The International Professional Practices Framework: Authoritative Guidance for the Internal Audit Profession," emphasize the criticality of independence and objectivity to the practice of internal auditing. Independence refers to the organizational status of the internal audit function. Objectivity refers to the mental attitude of individual internal auditors. Core principle number 3 of the Core Principles for the Professional Practice of Internal Auditing underscores this, stating that the internal audit function "is objective and free from undue influence (independent)."6

The customer and the internal audit function mutually agree on the nature and scope of consulting engagements, which generally involve only two parties: the customer seeking and receiving the advice, and the internal auditor offering and providing the advice.

Objectivity: An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others.

Independence: The freedom from conditions that threaten objectivity or the appearance of objectivity. Such threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels.

Engagement: A specific internal audit assignment or project that includes multiple tasks or activities designed to accomplish a specific set of objectives. See also Assurance Services and Consulting Services.

Although the context of this quote is the audit of financial statements conducted by an independent outside auditor, the ideas expressed are just as relevant to internal assurance and consulting services. Internal assurance and consulting services are analytical and investigative; they are based on logic, which involves reasoning and drawing inferences. Internal auditors use logic when they reach conclusions or formulate advice based on evidence they gather and evaluate. The quality of internal auditors' conclusions or advice depends on their ability to gather and evaluate sufficient appropriate evidence.

Students beginning their first auditing course have a tendency to assume that auditing is a subset of accounting. Although such an assumption is understandable, it is not correct. Exhibit 1-3 contains a quote from The Philosophy of Auditing that explains the difference between auditing and accounting.

THE RELATIONSHIP BETWEEN AUDITING AND ACCOUNTING

Communicating outcomes is a critical component of all internal assurance and consulting engagements. Regardless of the content or form of the communications, which may vary, communications of engagement outcomes "must be accurate, objective, clear, concise, constructive, complete, and timely" (Standard 2420: Quality of Communications).

Evaluating the evidence gathered during an assurance engagement involves reaching logical conclusions based on the evidence. For example, an internal auditor might reach the conclusion that controls over sales transactions are effective. Evaluating the evidence gathered during a consulting engagement involves formulating practical advice based on the evidence. For example, an internal auditor might advise the customer that specific application controls need to be built into a new computerized information system.

Performing the engagement involves the application of specific audit procedures. Procedures include, for example, making inquiries, observing operations, inspecting documents, and analyzing the reasonableness of information. A second important aspect of gathering evidence is documenting the procedures performed and the results of performing the procedures.

• Setting the engagement objectives. Because the overall purpose of internal assurance and consulting services is to help the organization achieve its objectives, the internal auditor will use the auditee's or customer's business objectives as a foundation for defining the desired outcomes of a specific engagement.

• Determining the required evidence. The internal auditor must design the engagement to obtain sufficient appropriate evidence to achieve the engagement objectives.

• Deciding the nature, timing, and extent of the audit tests. These decisions will influence the internal auditor's testing approach that is necessary to gather the required evidence.

The internal auditor needs to understand the auditee's or customer's business objectives and the risks that threaten the achievement of those objectives. Other aspects of the auditee or customer that the internal auditor must understand include, for example, the auditee's or customer's personnel, resources, and operations.


The U.S. Sarbanes-Oxley Act of 2002 requires a U.S. public company's independent outside auditor (frequently referred to as the external auditor) to also attest to the effectiveness of the company's internal control over financial reporting as of the balance sheet date. The CPA firm's opinion on internal control over financial reporting must be based on a recognized framework such as Internal Control - Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The COSO framework, as it is often called, and other internal control frameworks are discussed in detail in chapter 6. Both the CPA firm's financial statement audit report and the firm's report on the effectiveness of internal control over financial reporting are public documents; they are included in the company's annual report and submitted to the U.S. Securities and Exchange Commission (SEC). This requirement is not restricted to the United States. Many other countries have similar financial reporting laws with similar requirements.

The Committee of Sponsoring Organizations of the Treadway Commission.

Publicly traded companies in many countries are required by law or the requirements of the stock exchange on which they trade to have their annual financial statements audited by an independent outside auditor, for example, a chartered accounting (CA) or certified public accounting (CPA) firm. A financial statement audit is a form of assurance service in which the firm issues a written attestation report that expresses an opinion about whether the financial statements are fairly stated in accordance with Generally Accepted Accounting Principles (GAAP). Many privately held companies, government organizations, and not-for-profit organizations also have annual financial statement audits.