Internal audit's role in this is essential both in providing assurance on the effectiveness internal audit and undertaking a risk based approach to internal audit. Are internal audit functions required to follow The IIA Standards? must audit at least two separate sets of books (statutory and accounting).” The third edition of EconomicsFinance/departments/Documents/echecs16.info Florida Atlantic. The IIA is the internal audit profession's global voice, chief advocate, rec- ognized authority .. many internal auditors are implementing continuous auditing. This book will help auditors learn what gx/eng/fs/insu/echecs16.info Public Company.
|Language:||English, Spanish, Japanese|
|ePub File Size:||26.66 MB|
|PDF File Size:||8.58 MB|
|Distribution:||Free* [*Register to download]|
PDF Drive is your search engine for PDF files. As of today we have 78,, eBooks for you to download for free. No annoying ads, no download limits, enjoy . for new and better ways of doing things. he Insitute of Internal Auditors (IIA) and this book will make an important contribution to teaching (internal) auditing at. Condensed version of: Internal auditing handbook. 2nd ed. . The second edition of the Internal Auditing Handbook was published in December and.
Main article: Software audit review An information technology audit, or information systems audit, is an examination of the management controls within an Information technology IT infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity , and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit , internal audit , or other form of attestation engagement. Main article: Financial audit Due to strong incentives including taxation , misselling and other forms of fraud to misstate financial information, auditing has become a legal requirement for many entities who have the power to exploit financial information for personal gain. Traditionally, audits were mainly associated with gaining information about financial systems and the financial records of a company or a business. Financial audits are performed to ascertain the validity and reliability of information, as well as to provide an assessment of a system's internal control.
It is important to establish the role of IA at the start of the book to retain this focus throughout the next few chapters that cover corporate perspectives. Note that the IA process appears in some detail from Chapter 5 onwards.
Chapter 2 — Corporate Governance Perspectives Chapter 2 covers corporate governance in general, in that it summarizes the topic from a business standpoint rather than focusing just on the IA provisions. Note that the chapter may be used by anyone interested in corporate governance as an introduction to the subject. The section on internal auditing is very brief and simply sets out the formal role and responsibilities, without going into too much detail.
One topic that stands out in the chapter relates to audit committees as many view this forum as the key to ensuring corporate responsibility and transparency. The corporate governance debate is ongoing and each new code refers to the need to start work on updates almost as soon as they are published. As such, it is never really possible to be up to date at publication and the reader is advised to keep an eye on new developments as and when they arise.
Chapter 3 — Managing Risk Many writers argue that we are entering a new dimension of business, accounting and audit whereby risk-based strategies are essential to the continuing success of all organizations.
Reference is made to various risk standards and policies, and we comment on the need to formulate a risk management cycle as part of the response to threats and opportunities. The corporate aspiration to embed risk management into the way an organization works is touched on. The growing importance of control self-assessment has ensured this appears in the Handbook, although this topic is also featured in the chapter on audit approaches.
The chapter closes with an attempt to work through the audit role in risk management and turns to the published professional guidance to help clarify respective positions.
There is a link from this chapter to risk-based planning in the later chapter on Setting an Audit Strategy. Throughout the Handbook, we try to maintain a link between corporate governance, risk management and internal control as integrated concepts.
Chapter 4 — Internal Controls Some noted writers argue that internal control is a most important concept for internal auditors to get to grips with. Whatever the case, it is important to address this topic before we can get into the detailed material on internal auditing. Chapter 4 takes the reader through the entire spectrum of control concepts from reasoning, control models, procedures, and the link to risk management.
One key section concerns the fallacy of perfection where gaps in control and the reality of imperfection are discussed. This forms the basis for most business ventures where uncertainty is what creates business opportunities and projects.
With the advent of risk management, this does not mean controls take a back seat; it just means controls need to add value to the business equation. Having got through the reasoning behind the audit role governance, risk management and control , we can turn to the actual role.
The basic building blocks of the charter, independence, ethics and so on are all essential aspects of the Handbook. Most auditors agree that there is the set audit role and then there are variations of this role. One feature of the upwards direction of the IA function is the growing importance of professional standards as a third component of the equation we discussed earlier. Some of the published standards are summarized in this chapter, although the main footing for the Handbook revolves around the IPPF.
Moreover, quality is a theme that has run across business for many years. If there are quality systems in place, we are better able to manage the risk of poor performance.
It would be ironic for IA reports to recommend better controls over operations that are reviewed when the audit team has no system in place that ensures it can live up to professional standards. Processes that seek to improve the IA product are covered in this chapter, including the important internal and external reviews that are suggested by audit standards.
Chapter 7 — The Audit Approach The range and variety of audit services that fall under the guise of internal auditing have already been mentioned. A lot depends on the adopted approach and rather than simply fall into one approach, it is much better to assess the possible positions armed with a knowledge of what is out there. Once we know what we will be providing, we can think about a suitable structure for the audit shop.
The growing trend to outsourcing the IA function has meant a separate section on this topic with an illustration. Control risk self-assessment CRSA is also detailed along with tips on facilitation skills. It is possible to integrate the CRSA technique with the audit process and this interesting concept is the feature of this chapter. Other specialist audit work involving management investigations, fraud investigations and information systems auditing is also mentioned.
In itself, this task depends on an intimate understanding of the corporate context, the audit role and competencies and challenges that add value to the business. The chapter includes a section on establishing a new audit shop, by bringing everything together, either in-house or through outsourced arrangements.
One interesting aspect of this chapter is the section on working papers. Formal presentations are becoming increasingly popular and this is dealt with in this chapter. While a great deal of high-level work may be undertaken by the CAE in terms of strategy, budgets and audit plans, the bottom line comes down to the performance of each and every individual auditor. It is this person who must carry the burden of the expectation that IA will be a foundation for governance in the employing organization.
It contains a basic foundation of audit information that should be assimilated by competent internal auditors. The handbook can also be used as an induction tool for new auditors where they work through each chapter and then under the supervision of an appointed coach are encouraged to tackle the relevant assignments and multi-choice questions at the end of most chapters. In this way, new staff members can be monitored as they submit their written response to each set of questions.
For a full appreciation of internal auditing, it is necessary to trace these developments and extend trends into the future. One American text has detailed the history of IA: Prior to , internal auditing was essentially a clerical function. Because much of the record keeping at that time was performed manually, auditors were needed to check the accounting records after it was completed in order to locate errors.
The old concept of internal auditing can be compared to a form of insurance; the major objective was to discover fraud. IA was based on a detailed programme of testing of accounting data. Where this model predominates, there can be little real development in the professionalism of the IA function. These owners needed an independent assessment of the performance of their organizations.
They were at greater risk of error, omissions or fraud in the business activities and in the reporting of the performance of these businesses than owner-managers. External auditors examine the accounting data and give owners an opinion on the accuracy and reliability of this data.
More slowly the need for internal auditing of business activities was recognized. Initially this activity focused on the accounting records. Gradually it has evolved as an assurance and consulting activity focused on risk management, control and governance processes. Both external audit and internal audit exist because owners cannot directly satisfy themselves on the performance and reporting of their business and their managers cannot give an independent view of these.
A large number of transactions were double-checked to provide assurances that they were correct and properly authorized by laid-down procedures. Internal control was seen as internal check and management was presented with audit reports listing the sometimes large number of errors found by IA. The audit function usually consisted of a small team of auditors working under an assistant chief accountant.
Management was presented with a list of errors and queries that were uncovered by the auditors. The auditors either worked as a small team based in accountancy or had dual posts where they had special audit duties in addition to their general accounting role.
Audit consisted mainly of checking, with the probity visits tending to centre on cash income, stocks, downloads, petty cash, stamps, revenue contracts and other minor accounting functions. The main purpose behind these visits was linked to the view that the chief accountant needed to check on all remote sites to ensure that accounting procedures were complied with and that their books were correct. The audit was seen as an inspection on behalf of management.
This militates against good controls, as the auditor is expected to be the main avenue for securing information. The auditors would then follow up these procedures without questioning why they were not working.
This allowed a level of audit management to develop, which in turn raised the status of the audit function away from a complement of junior staff completing standardized audit programmes. It was now possible to widen the scope of audit work and bring to bear a whole variety of disciplines including civil engineering, statistics, management, computing and quality assurance. They could meet with all levels of senior management and represent the audit function. This is as well as employing people who are able to use this audit experience as part of their managerial career development.
When assessing risk for the audit plan, one asks what is crucial to the organization before embarking on a series of planned audits that in the past may have had little relevance to top management.
Professionalism is embodied in the ability to deal with important issues that have a major impact on success. Securing the attention of the board, chief executive, managing director, non-executive directors and senior management also provides an avenue for high-level audit work able to tackle the most sensitive corporate issues. This is far removed from the early role of checking the stock and petty cash.
IA was now poised to enter all key parts of an organization. An important development in the US occurred when the Treadway Commission argued that listed companies should have an audit committee composed of non-executive directors.
Since then, most stock exchange rules around the world require listed companies to have an audit committee. Professionalism The IIA has some history going back over 50 years. A profession was born that has undergone many changes over subsequent years. Internal check procedures IA was seen as an integral component of the internal checking procedures designed to double-check accounting transactions. The idea was to re-check as many items as possible so as to provide this continuous audit. Transaction-based approach The transactions approach came next, where a continuous programme of tests was used to isolate errors or frauds.
This checking function became streamlined so that a detailed programme of tests was built up over time to be applied at each audit visit. This systematic approach is readily controlled so that one might have expected the auditor to complete hundreds of checks over a week-long period during the course of completing this predetermined audit programme.
Statistical sampling Statistical sampling was later applied to reduce the level of testing along with a move away from examining all available documents or book entries. Like the sophisticated computer interrogation now used in audit work, this is an example of how a new technique is limited by a refusal to move away from traditional audit objectives.
Probity-based work Probity-based work developed next, again featuring the transaction approach where anything untoward was investigated. The probity approach is based on audit being the unseen force that sees and hears all that goes on in the organization.
Spot checks It was then possible to reduce the level of probity visits by making unannounced spot checks so that the audit deterrent the possibility of being audited would reduce the risk of irregularity. Larger organizations may have hundreds of decentralized locations that would have been visited each year by the auditor. This service depends on employing large teams of junior auditors who would undertake these regular visits.
As management started to assume more responsibility for its operations, the audit service turned increasingly to selective as opposed to periodic visits. Rather than a guaranteed visit each year, one sought compliance with procedure by threatening the possibility of a visit. Systems-based approach Then came a move away from the regime of management by fear to a more helpful service.
Systems-based audits SBAs are used to advise management on the types of controls they should be using. Testing is directed more at the controls than to highlight errors for their own sake. The problems found during audit visits will ultimately be linked to the way management controls its activities.
This new-found responsibility moves managers away from relying on the programmed audit visit to solve all ills. The application of SBA was originally directed at accounting systems where internal control questionnaires devised by external auditors were adapted and used.
These were applied by internal auditors, although it was still in the shadow of external audit work. The only way to ensure legality and propriety of all payments was to install reliable systems and controls.
It is one thing to recommend a whole series of savings but another to actually achieve them. As a result, many teams were later disbanded. On the other hand, operational audit teams that encouraged management to look for its own VFM savings had more success and this is now an established audit role. Management audit Management audit moves up a level to address control issues arising from managing an activity. The ability to understand and evaluate complicated systems of managerial and operational controls allows audit to assume wide scope.
This is relevant where controls are seen in a wider context as all those measures necessary to ensure that objectives are achieved. Risk-based auditing Many IA shops have now moved into risk-based auditing where the audit service is driven by the way the organization perceives and manages risk. Rather than start with set controls and whether they are being applied throughout the organization properly, the audit process starts with understanding the risks that need to be addressed by these systems of internal control.
Much of the control solution hinges on the control environment in place and whether a suitable control framework has been developed and adopted by the organization. IA can provide formal assurances regarding these controls. Moreover, many IA shops have also adopted a consulting role, where advice and support are provided to management.
This may depend on moving out audit functions currently based in accountancy. It is possible to establish IA as a separate profession so that one would employ internal auditors as opposed to accountants.
This is a moot point in that there are those who feel that the auditor is above all an accountant. Not only is this view short-sighted but it is also steeped in the old version of the internal auditor as a poor cousin of the external auditor.
The auditor is able to comment on non-compliance so long as it does not extend to criticizing the DF. This impairs the basic concept of independence where the auditor may be gagged, notwithstanding the presence of an audit committee.
This is one sure way of extending the potential scope of IA to enable it to tackle the most high-level, sensitive areas. The audit terms of reference will move beyond fraud and accounting errors to take on board all-important issues that impact on organizational controls.
We are not only concerned with the matters affecting the DF but also that which is uppermost in the minds of the corporate management team headed by the chief executive. At this extreme, it becomes possible to audit the whole direction of the organization in terms of its corporate strategy that is a far cry from checking the petty cash and stocks.
The temptation for the DF to treat IA as an additional resource for external audit may decline. External audit may be seen to feed into the all-important IA process. This change in emphasis is important; it is based on viewing the principal controls in any system of internal control as embodied in management itself.
We would not consider the personalities of individual managers.
This allows the scope of internal auditing to move to almost unlimited horizons. The IA department could end up with higher grades than the accountancy department.
However, as we move into the era of the audit committee, and the stronger links with this forum and IA, things are changing.
Again, this move is strengthened by the growing involvement in enterprise-wide risk management. The latest position is that there is normally no longer a clear logic to the CAE to continue to hold a reporting line to the DF. The debate now revoles around whether the CAE should report directly into the main board and not just to the audit committee.
This saw the perceived role of IA as dealing primarily with accounting matters and is in line with the view that it arose as an extension of the external audit function. Although the accounting function was the principal concern, non-accounting matters were also within the audit remit.
Accounting operations have to compete with all others for audit attention with no automatic right to priority. It directs the audit function to the highest levels of management. This impacts on independence in that the welfare of the organization becomes paramount as opposed to the requirements of individual managers.
Some of the more restrictive elements have been removed, which again allows a wider view of the audit role. Interestingly, a return to a previous view can represent development. Basic audit concepts need not be thrown away with time. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. The s Debate When the original SOR was being devised in the s, it involved a debate as to the precise role and scope of internal auditing.
Issues to be resolved before a clear model of audit could be constructed included: 1.
An essential resource for every novice internal auditor, this guide offers practical information that points you in the right direction. Paperback Member Price: Nonmember Price: PDF Member Price: Overview Specifications.
Products specifications. Related products. Collaborative Auditing By: Donate to the Internal Audit Foundation By: Support Internal Audit Research!
Click here to subscribe. My account Customer info Addresses Orders Wishlist.