IIA April 2010.pdf - UAE IAA

Control: Internal audit should assist the organisation in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

Governance: Internal audit should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
• Promoting appropriate ethics and values within the organisation.
• Ensuring effective organisational performance management and accountability.
• Effectively communicating risk and control information to appropriate areas of the organisation.
• Effectively coordinating the activities and communicating information among the board, external and internal auditors and management.

What type of work?

So, what should be the range and type of work carried out by internal audit for an organisation? The IIA believes that the work and methods of internal audit should encompass:
• Conducting enterprise risk assessment.
• Utilizing risk and control self-assessment.
• Using internal control processes based on COSO (Committee of Sponsoring Organisations) guidelines.
• Partnering with management.
• Integrating corporate governance into practice.
• Increasing staff performance.
• Communicating more effectively.
• Developing staff, both personally and professionally.
• Using technology to increase staff efficiency.
• Establishing an assurance function.
• Providing consulting services.
• Conducting audits in emerging areas.
• Utilizing performance measures.

This leads to the types of internal audit provided by the internal audit function, which may include some or all of the following:

Compliance audit: The review of both financial and operating controls and transactions to see how they conform to established laws, standards, regulations and procedures.

Financial audit: The examination of the financial records and reports of a company to verify that the figures in the financial reports are relevant, accurate and complete. The general focus is on making sure that all assets and liabilities are properly recorded on the balance sheet and that the statement of income and expenses is correct.

Information technology (IT) audit: A review of the controls within an entity’s technology infrastructure. These reviews are typically performed in conjunction with a financial statement audit, internal audit review, or other form of attestation engagement.

On-demand audit: A request for an internal audit initiated by the board, audit committee, or management in response to their particular concerns, and which has not been scheduled in the internal audit plan of work. It may also be known as a management-initiated review.

Operational audit: Sometimes called program or performance audits, these examine the use of resources to evaluate whether those resources are being used in the most efficient and effective way to fulfil an organisation’s objectives. An operational audit may include elements of a compliance audit, a financial audit and an information systems audit. This term is mainly used in the private sector.

Performance audit: The independent and systematic examination of the management of an organisation, program, or function for the purpose of identifying whether the management is being carried out in an efficient and effective manner, and whether management practices promote improvement. This term is mainly used in the public sector, and a performance audit may be the same as or similar to an operational audit.

Quality audit: The systematic examination and evaluation of all activities related to the quality of a product or service, to determine the suitability and effectiveness of the activities to meet quality goals.

Value for money (VFM) audit: An examination of how resources are allocated and utilized. The audit is concerned with interrelated concepts of efficiency, effectiveness, economy, and organisational outcomes. VFM audits are more common in the public sector than the private sector since the profit criterion is lacking in the public sector, and they may be the same as or similar to a performance audit.

What influences the type of work?

The range and type of the internal auditor’s work depend on a number of factors:

The mandate for internal audit contained in the internal audit charter: This is what the audit committee and the organisation want internal audit to do. Although ideally this should include both assurance services and consulting services, it is true to say that some audit committees and management believe that internal audit should not stray from its roots of providing assurance, so in some organisations the internal audit charter has focused only on the provision of assurance services. This attitude peaked following the corporate collapses of the 1990s. However, more enlightened audit committees and management of today seek a more comprehensive internal auditing service for the organisation. This has the potential to add a lot of value, rather than just reporting what is wrong in compliance and financial areas.

To whom the chief audit executive reports: The chief audit executive should report to the audit committee functionally and for operations, and to the chief executive officer for administration. Where a chief audit executive may have other reporting arrangements - for example to a chief executive officer for operations and administration, or worse, to a chief financial officer - there is a risk that internal audit may lose a measure of its independence. This has a potential to impact negatively on the range and type of work to be performed by internal audit.

The capability and skills of the internal auditors: As the work of internal audit moves toward more difficult methods of operating, the complexity of internal audit work increases. This means that the capability and skills of the internal auditor need to be greater, and many internal auditors see this as a quantum leap so great that they prefer to remain comfortable where they are.

Any legislative or regulatory requirements of internal audit: The work of internal audit will nearly always have a role to provide assurance of legislative and regulatory compliance; this is an important role that should never be forgotten.

Case Study

Designing a Comprehensive Internal Audit Plan

A large public sector organisation with

Table 4: The chief audit executive’s risk-based annual internal audit plan

| Audit Type | Cyclical 12 months scheduled hours | Rolling 6 months scheduled hours | Rolling 3 months reserve hours | Rolling 3 months unassigned hours | Annual total hours |
| --- | --- | --- | --- | --- | --- |
| Compliance: Assurance | 6,000 | 0 | 0 | 0 | 6,000 |
| Compliance: Consulting | 0 | 0 | 0 | 0 | 0 |
| Financial: Assurance | 750 | 2,500 | 1,000 | 500 | 4,750 |
| Financial: Consulting | 250 | 0 | 0 | 0 | 250 |
| IT: Assurance | 3,000 | 0 | 0 | 0 | 3,000 |
| IT: Consulting | 3,000 | 0 | 0 | 0 | 3,000 |
| Operational / Performance: Assurance / Consulting | 500 | 2,500 | 1,000 | 1,000 | 5,000 |
| Internal audit planning | 500 | 0 | 0 | 0 | 500 |
| Audit monitor and follow-up | 500 | 0 | 0 | 0 | 500 |
| Audit committee | 500 | 0 | 0 | 0 | 500 |
| External audit co-ordination | 1,500 | 0 | 0 | 0 | 1,500 |
| Total | | | | | 25,000 |

April 2010, pages 18-19