IIA Standard 2110.A1 – The internal audit activity must evaluate the design, implementation and effectiveness of the organization's ethics-related objectives, programs and activities. IIA Standard 2110.A2 – The internal audit activity must assess whether the organization's information technology governance sustains and supports the organization's strategies and objectives. The CIA should ensure that documentation of existing governance processes is kept up to date.
In such situations, the CIA should discuss with the unit's Chief Executive their responsibility regarding risk management. The Chief Internal Audit Officer must create risk-based plans to prioritize internal audit activity, consistent with the organization's goals. The Head of Internal Audit considers the organization's risk management framework, including the use of risk appetite levels set by management for different activities or parts of the organization.
Internal Control
- Meaning and purpose of Internal Control
- Management responsibility for Internal Control Framework
- Role of Internal Audit in Internal Control
- Internal Controls and Annual Audit Planning
- Internal Controls and Audit Engagements
 
Chief executives also have a responsibility to ensure that systems are in place to regularly monitor the proper operation of controls. It is the prerogative of Management to determine whether the COSO Integrated Control Framework should be adopted and implemented in full or in any suitably modified form in the RGoB as a whole or in any of the Ministries, Dzongkhags and other budget entities. As in the case of Risk Management, it should be emphasized that when relying on the elements of the COSO Integrated Control Framework, care must be taken to determine the suitability of particular processes in the context of the particular needs of RGoB units.
Because many of these concepts must be applied in the audit process, CIAs and internal auditors must carefully review and understand these components of internal control. Additional guidance is available in the “Guidelines on Internal Audit Standards for the Public Sector” (http://www.intosai.org/en/portal/documents/intosai/audit_related/documentsgoal1/). Internal auditors should review this document to obtain additional and useful guidance on internal control.
As enshrined in the Audit Charter and Standards, internal auditors are required to examine internal controls to ensure, first, that the controls are properly designed to achieve the specific control objective of managing identified risks and, second, that the controls are operating effectively as designed by Management. The effectiveness of the organization's risk management system is largely dependent on the effectiveness of the control systems implemented to manage the key risks. Consequently, the effectiveness or otherwise of the internal control system is in itself a key risk factor to be considered when planning audit work for the year.
Internal auditors should plan the audit task by establishing clear audit objectives and determining criteria for measuring the audit objective. Detailed guidance on review and assessment of internal controls can be found in Chapter IV - Engagement Planning and Execution.
Fraud Management
- Nature of Fraud
- Factors underlying the occurrence of Fraud
- Types of Frauds
- Fraud Indicators (Red flags)
- Role of Internal Audit in Fraud Management
- Role of Internal Audit in Fraud Investigations
- Analysis of Lessons Learnt from Fraud Incidents
 
Auditors periodically test the effectiveness of control systems designed to address key risks faced by the organization. Managers generally have access to confidential information, which allows them to override or circumvent internal controls and cause more damage to the organization than lower-level employees. Managers and internal auditors must therefore have sufficient knowledge and insight into the entity's operations, the individual vulnerabilities of organizations, and always act with appropriate professional care when performing their tasks.
Both management and internal auditors, while carrying out their respective roles and activities within these three areas, must be aware of the organization's vulnerability to fraud that can be committed both internally by staff and externally by others. This may include the involvement of the Anti-Corruption Commission, legal officers and the internal auditors at all stages of the process.
ii) Take appropriate measures to recover the financial and other losses from the illegal beneficiaries of the fraud and take appropriate action against all involved in the fraud in accordance with the rules of the relevant public authorities and other laws. This may also include staff whose negligence allowed the fraud to take place.
iii) Communicate the results of the investigations to the relevant authorities.
iv) Based on lessons learned, reassess risks to the organization and take corrective actions to strengthen appropriate internal controls to prevent recurrence of fraud.
Therefore, internal auditors must be alert to control weaknesses as well as signs and possibilities of fraud in an organization, especially given their constant presence in the organization, which gives them a good understanding of the organization and its control systems. The role of the internal audit activity in investigations should be clearly defined, preferably in the internal audit charter or in a separate and well-known document issued by the CEO or a higher authority.
Care must be taken to ensure that involvement in investigations does not undermine the independence of the CIA and the IAD. When an IAD plays an active role in investigations, the CIA must ensure that there is sufficient skill among the internal auditors within the IAD to assume the assigned role.
Evaluating the cause of the fraud.
viii) Form and periodicity of reporting on the findings of the investigations.
Which controls were overridden.
iv) Why the fraud was not detected earlier.
v) What red flags were overlooked by management and internal auditors.
vi)
Periodic Reporting to Chief Executive on Governance, Risk Management, Internal Control and Fraud Issues
Introduction
Basis for preparing the Annual Report
This will assist the CIA in the systematic preparation of the report and ensure that it is supported by adequate and relevant evidence. Therefore, it will be a challenge for the CIA to issue an opinion or assurance along with a report on the overall risk management and control processes as a whole. Sufficient evidence may not be obtained to provide assurance as required by auditing standards.
Nevertheless, CIAs should prepare the reports and provide limited assurance based on the scope of the work performed. If relevant and necessary, the limitation of the scope of the work carried out, especially due to lack of sufficient resources, should also be mentioned in the report. Such reports will serve to increase management's awareness of risks and the importance of managing risks through appropriate measures and controls and the impact on the organization.
The identified deficiencies or weaknesses exposed the organization as a whole to an unacceptable level of risk. This leaves the onus on the reader to interpret the significance of the matters being reported, and the reader may not gain a holistic perspective on the state of risk management and the effectiveness of internal controls or ask the question “so what?”.
- Satisfactory – all key risks have been identified and controls have been properly designed and implemented;
- Not satisfactory – key risks have not been identified and/or associated controls have not been implemented or are not functioning in accordance with the plan.
INTERNAL CONTROL FRAMEWORK
- Control Environment
- Risk Assessment
- Control Activities
- Communication
- Monitoring
 
The following provide some simple guidelines regarding costs:
i) The cost of the control activity must not exceed the cost that would be incurred by the organization if the undesirable event were to occur.
ii) Management should build control activities into business processes and systems as the processes and systems are designed. Adding control activities after developing a process or system is generally more expensive.
iii) The allocation of resources between control activities should be based on the importance and likelihood of the risk they prevent or reduce.
In some situations, a combination of control activities may be required, and in others, one control activity may replace another. Management should decide what to verify based on the risk to the organization if there was no verification. Management should protect the organization's equipment, information, documents and other resources that may be misused, damaged or stolen.
It affects every aspect of an organization's operations and helps support its internal control system. Management should educate staff about control activities and encourage them to be vigilant and report any irregularities. Because of their involvement with the details of the organization's day-to-day operations, staff have the best vantage point for detecting any problems with existing control activities.
Because of this broader focus, executive managers should place even greater emphasis on monitoring the achievement of organizational goals. Executive managers should also monitor the existence of risks and opportunities in the internal or external environment that could indicate the need to change the organization's plans. Control activities can fail if controls are overridden or if there is collusion for fraudulent purposes.
Therefore, management should establish procedures to monitor the performance of control activities and the use of control overrides.
SAMPLE INTERNAL CONTROL QUESTIONNAIRE
- Integrity &
- Commitment to Competence
- Management’s Operating Style
- Organizational Structure
- Assignment of Authority and Re-
- HR Policies and Procedures
- Entity-wide Objectives
- Risk Identification
- Managing Risk During Change
- General Application
- Common Categories
- General Controls
- Monitoring
- On-going Monitoring
- Separate
- Audit Resolution
- Information &
- Information
- Form & Means of Communication
 
Does the entity assign authority to the unit and delegate responsibility to appropriate personnel to address organizational goals and objectives? Does the entity have an integrated management strategy and risk assessment plan that takes into account the entity's goals and relevant sources of risk from internal management factors and external sources? Are there objectives at activity (programme) level that arise from and are connected to the entity-wide objectives and strategic plans?
Does the entity have mechanisms in place to anticipate, identify and respond to risks arising from changes in economic, industry, regulatory, operational or other conditions that may affect the achievement of organizational objectives or the level of activity? Does the entity give special attention to risks associated with changes that may have a more dramatic and far-reaching effect on the entity and may require the attention of senior officials? Are control activities evaluated regularly to ensure they are still appropriate and working as intended?
Does the entity use various control activities appropriate to its information processing systems to ensure accuracy and completeness? Does the entity regularly perform a comprehensive, high-level risk assessment for its information systems? Has the entity developed a plan that clearly describes the entity-wide security program and the policies and procedures that support it?
Does the entity have a mechanism to ensure prompt resolution of findings from audits and other reviews? Is management responsive to results and recommendations from audits and other reviews aimed at strengthening internal control?