Question

Assignment:

You are appointed as an internal auditor in a mid-size company of 3000 employees and turrnover of SR 500 million. You are asked to report to the CEO, and develop your job description which defines your job responsibilities towards the company, the board of directors, government requirement, and other stakeholders. They are using an AIS. Tell us how will you approach to set up different kind of controls in the organization? Your report should not be more than 5 pages and can be divided into different parts.

Answer 1

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

In simplest terms, the duties of an internal auditor are to:

Objectively review an organization’s business processes

Evaluate the efficacy of risk management procedures that are currently in place

Protect against fraud and theft of the organization’s assets

Ensure that the organization is complying with relevant laws and statutes

Make recommendations on how to improve internal controls and governance processes

Internal auditing has historically been synonymous with the performance of financial audits, which seek to ensure an organization is using generally accepted accounting procedures (GAAP) to create and manage financial information through the review of financial statements. Businesses also recognize the need for other types of auditing that look beyond ledgers and balance sheets with respect to legal compliance, IT security, environmental, operational and performance oversight objectives:

Compliance Audits are used to evaluate an organization’s compliance with applicable laws, regulations, policies and procedures. Legal and policy requirements may be created by federal or state statute. An organization’s management or board of directors can also create compliance requirements internally.

Internal Auditors and Other Segments of the Organization

Most business organizations are set up with a three-tiered oversight structure:

The board of directors is responsible for making major decisions on behalf of the business such as establishing corporate policies and procedures, enacting mergers and taking steps to expand business operations.

The internal auditing department consisting of financial controllers led by a chief audit executive (CAE), acts as the bridge between the board and the managers. They essentially assess whether the Board’s directives and policies are compliant with the law and whether they increase the overall efficiency and productivity of the business. If the board’s directives are inefficient or are not being implemented by the management staff, the internal auditor has a duty to report back to the board with his findings and recommendations.

Various levels of management are responsible for carrying out the directions and policies that are determined by the board of directors, as well as making day-to-day decisions regarding how the business is run.

Internal Auditor’s Job description>

The main goal of the internal auditing department of any organization is to gather information that can be analyzed and converted into valuable insights into how the company can be run more efficiently. There are four common techniques that are used in the practice of internal auditing to achieve this end:

Observing the target business environment

Inspecting the specific risk management, financial reporting and productivity strategies that are currently in place

Inquiring or asking questions of management personnel related to the effectiveness of the current internal controls

Confirming whether the goals and objectives of the business are being met

Collectively, the four techniques that make up the internal auditing process allow auditors to collect information and evidence, analyze the collected data and report back to the board of directors with suggestions for improvement if necessary.

In the course of bridging the gap between the board of directors and the corporate management team, internal auditors are called upon to use their professional judgment to determine the standards by which business activities are measured. This involves:

Conducting special studies

Analyzing business policies, processes and procedures

Defining audit objectives

Deciding the nature and extent of the audit procedure

Stating final opinions and conclusions

Reporting and distributing findings to the board and management

Arguably, one of the most important aspects of an internal auditor’s job is the ability to perform an objective evaluation of a company’s activities. If company politics prevent the internal auditing department from performing its job as intended, the company will not receive the benefits that are associated with an honest internal audit such as increased efficiency and productivity, decreased waste, financial savings and legal compliance.

Corporations can promote objective auditing by employing auditors that do not serve in any other capacity within the organization. The Institute of Internal Auditors recommends in Section 1100 of the IIA “Guidance and Standards” manual that internal auditors report to a single committee or board member who has oversight authority over the internal auditing department in order to maintain independence and objectivity. Auditors who fill other roles within the organization may have a harder time performing objective audits since their findings may impact other groups, individuals or managers who have seniority or authority over them.

>>Internal Audit control steps

1. Initial Audit Planning

All internal audit projects should begin with the team clearly understanding why the project was put on the audit plan. The following questions should be answered and approved before fieldwork begins:

Why was the audit project approved to be on the internal audit plan?

How does the process support the organization in achieving its goals and objectives?

What enterprise risk(s) does the audit address?

Was this process audited in the past, and if so, what were the results of the previous audit(s)?

Have there been significant changes in the process recently or since the previous audit?

2. Risk and Process Subject Matter Expertise

Performing an audit based on internal company information is helpful to assess the operating effectiveness of the process’s controls. However, for internal audit to keep pace with the business’s changing landscape and to ensure key processes and controls are also designed correctly, seeking out external expertise is increasingly becoming a best practice.

At least one of the following should be used to evaluate the design of the process audited:

Subject Matter Expert (SME) from a Big 4 or other consulting firm

Recent articles from WSJ.com, HBR.org, or other leading business periodicals

Relevant blog posts from The Protiviti View, RSM’s Blog, or the IIA’s blogs

Once you have leveraged internal and external resources to identify relevant risks, you will want to build an audit program that tests for these risks.

3. COSO’S 2013 Internal Control – Integrated Framework

While used extensively for Sarbanes-Oxley (SOX) compliance purposes, internal auditors can also leverage COSO’s 2013 Internal Control – Integrated Framework to create a more comprehensive audit program. In addition to identifying and testing control activities, Internal audit should seek to identify and test the other components of a well controlled process.

Review COSO’s 2013 Internal Control components, principles, and points of focus here.

4. Initial Document Request List

Requesting and obtaining documentation on how the process works is an obvious next step in preparing for an audit. The following requests should be made before the start of audit planning in order to gain an understanding of the process, relevant applications, and key reports:

All policies, procedure documents, and organization charts

Key reports used to manage the effectiveness, efficiency, and process success

Access to key applications used in the process

Description and listing of master data for the processes being audited, including all data fields and attributes

After gaining an understanding of the process to be audited through the initial document request, you should request access to master data for the processes being audited to analyze for trends and to aid in making detailed sampling selections.

5. Preparing for a Planning Meeting with Business Stakeholders

Before meeting with business stakeholders, internal audit should hold an internal meeting in order to confirm the high-level understanding of the objectives of the process or department and the key steps to the process. The following steps should be performed to prepare for a planning meeting with business stakeholders:

Outline key process steps by narrative, flowchart, or both, highlighting information inflows, outflows, and internal control components

Validate draft narratives and flowcharts with subject matter experts (if any)

Create an initial pre-planning questionnaire to facilitate a pre-planning meeting with key audit customers

Preparing the questionnaire after performing the initial research sets a positive tone for the audit, and illustrates that internal audit is informed and prepared. Once this research is completed, internal audit should meet with their business stakeholders to confirm their understanding of the process.

6. Preparing the Audit Program

Once internal audit has confirmed their understanding of the process and risks within the process, they will be prepared to create an audit program. An audit program should detail the following information:

Process Objectives

Process Risks

Controls Mitigating Process Risks

Control Attributes, including:

Is the control preventing or detecting a risk event?

Control frequency (e.g. daily, weekly, monthly, quarterly, etc.)

Does the control mitigate a fraud risk?

Is the control manually performed, performed by an application, or both?

An initial assessment of the risk event (e.g. high, medium, or low)

Testing Procedures for Controls to be Tested During the Audit, including:

Inquiry, or asking how the control is performed

Observation, or physically seeing the control be performed

Inspection, or reviewing documentation evidencing the control was performed

Re-performance, or independently performing the control to validate outcomes

7. Audit Program and Planning Review

Audit programs, especially those for processes that have never been audited before, should have multiple levels of review and buy-in before being finalized and allowing fieldwork to begin. The following individuals should review and approve the initial audit program and internal audit planning procedures before the start of fieldwork:

Internal Audit Manager or Senior Manager

Chief Audit Executive

Subject Matter Expert

Management’s Main Point of Contact for the Audit (i.e. Audit Customer)

Internal auditors who can create and document audit programs from scratch — and do not rely on template audit programs — will be more capable and equipped to perform audits over areas not routinely audited. When internal audit can spend more of their time and resources aligned to their organization’s key objectives, internal auditor job satisfaction will increase because they’ll be taking on more interesting projects. The Audit Committee and C-suite may become more engaged with internal audit’s work in strategic areas. Perhaps most importantly, recommendations made by internal audit will have a more dramatic impact to enable positive change in their organizations.

***Reference: auditboard, The Institute of Internal Auditors (IIA).