Internal auditing - adding any values or a burden?

05 Dec, 2004

The Institute of Internal Auditors, USA (IIA) defines internal auditing as "an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes".
IIA believes in and promotes the internal auditor's role in providing advice, counsel, and opinions regarding the organisation's efficiency and effectiveness in risk management, corporate governance, and internal control.
Nowadays in developed countries, executive management is being held more accountable for corporate irresponsibility than ever before. Not only must those at the top of publicly held companies certify their organisation's financial statements, but also their stakeholders are taking a closer look at all aspects of how they conduct business.
This is good. After all, if a company takes investors' money, shouldn't it be required to do all it can to protect them? As such it is now becoming more important that public companies should have in place within the organisation a function that can provide assurance that controls are adequate to mitigate risks; that policies and procedures are being followed throughout the organisations; that processes are efficient, effective, and economical; and that management and the board are meeting organisational goals and objectives.
Considering new legislative and regulatory mandates and the increased emphasis the financial community places on corporate governance, it's not surprising that governance has risen as a driver of a company's overall reputation. Senior executives believe that effective governance, transparent disclosures, and reliable financials are essential elements of their company's reputation.
True sustainable development, a key factor in earning a reputation for corporate accountability and social responsibility, integrates environmental stewardship, economic development, and the well-being of all people - not just for today but for generations to come. In short, it is about "growth with conscious" and an eye on the future. Internal auditors, who monitor and report on their organisation's ethical environment, are well positioned to play a vital role in sustainable development. Now internal auditors are expected to adopt a proactive philosophy to look beyond financial subjects to an operational orientation.
In order to have a useful internal audit function in corporate sector, it is necessary to understand the advantages, limitations and pre-requisites of internal auditing as discussed hereunder.
Q: Is internal auditing cost effective when a company has sufficient systems in place or it is an additional burden on product cost to consumers?
I believe "Internal auditing is in the best interests of an organisation as such cost and effort should not be material enough to justify ignorance of internal auditing".
If we look at the definition of internal auditing, we shall find that it is not a routine vouching adding cost to products. This is in fact a cost saving tool if its definition and utility is properly understood. The management and the board can utilise this function to ensure that all is on the up and up.
Q: Is there need of any special training / qualification for the internal auditors?
Emerging trend in internal auditing demands internal auditors to become more involved in enterprise risk management, forensic accounting and auditing, fraud prevention and investigation and sustainable development activities. The future of internal auditing includes longer-term audit plans, quality assurance reviews, and continuous auditing and monitoring. To get there, internal auditors need to enhance staff qualifications and use audit technology.
The Chief Internal Auditor (CIA) is also expected to help management and the board to meet the organisation's goals and objectives. Again, he or she should provide assurance and value-added service to both management and the board. IIA believes the CIA should serve as an educational resource for management and the board, keeping those at the top of the organisation informed on legislation, trends, and other issues that might affect the organisation's effectiveness, responsibility to stakeholders, and vulnerability to risk.
To enhance the role of internal audit in corporate governance, emphasis should be placed on the capability of internal audit in providing assurance to management and the board on the integrity of information flows, including the monitoring of all internal systems which generate information - internal control, risk identification and assessment, management and communication processes, and the provision of timely advice to management and the board.
The audit committee should play an important role in the hiring and firing of the internal auditor. During the selection process, the audit committee should pay particular attention to how the CIA candidate goes about assessing issues and problems and formulating recommendations, and should ask the candidate to "walk us through your thinking." The audit committee should carefully craft questions to assess the capability of CIA candidate. And, of course, the track record of previous experience, personal character, and professional references of all viable candidates should be meticulously checked and carefully evaluated.
On a day-to-day level, the CIA for operating and managing the internal audit function must have a clear understanding of:
Business risk and effective risk-management techniques.
Internal auditing standards, responsibilities, code of ethics, and certification.
Internal auditor's role in corporate governance and its key relationships with the audit committee, board, and executive and operating management.
New technologies and audit automation tools.
Business process reengineering, outsourcing, and cosourcing. In addition to being analytical, organised, and a strong leader, the CEO and the audit committee should expect the CIA to possess the skills to apply control models such as COSO.
Assessment of relative risk in the global enterprise and electronic world.
Audit of information technology, operations, finance, and all other functions of the organisation.
Audit of contemporary business activities such as mergers, acquisitions, joint ventures, strategic alliances, and investments.
Compliance review and operational evaluation procedures in order to recommend controls for protection of assets to improve the bottom-line.
Serving as consultant by supporting and advancing an ethical tone at the top, educating management on best practices, and helping the organisation maintain a balanced control environment.
Reporting to the audit committee quickly and objectively, and ensuring that the board of directors is up to date on everything that might affect the effectiveness of its oversight.
Deciphering and addressing organisational trends, changes, and risks, both within and outside of the organisation; and making sound recommendations to management and the board relative to changes within the world of business in general, and specifically within the organisation Enterprise risks management, forensic accounting and auditing, fraud prevention and investigation, and sustainable development activities.
CIA should also exemplify well-tuned soft skills. He or she should be artful in accurately evaluating situations and instinctively do the right thing in the face of opposition and conflict; should demonstrate good judgment, strength of character, and an ability to bring forth issues in a balanced way; should be an astute businessperson, an excellent communicator with superb listening skills, a clear and analytical thinker, a strong writer and reporter, a good facilitator and consensus-builder, and a creative problem-solver and idea generator; and should be an ethical professional who can be trusted always to operate from the highest level of integrity and to act on the strength of his or her convictions - regardless of the risks.
Internal auditors and especially CIA should demonstrate their professional competency by attaining appropriate professional certifications. IIA believes internal auditing best addresses management's strategic objectives when internal audits are performed by competent professionals in accordance with professional standards and rules of conduct requiring independence, due professional care, and effective quality assurance mechanisms. In view of growing expectations, current business environment and good corporate governance needs, certification of professional competence to perform internal auditing function is very important. Rigorous education, relevant experience and passing a comprehensive examination should lead to certification of an internal audit professional. They should be bound by a professional code of ethics and standards. Once certified, internal auditors should be required to obtain continuing education to maintain professional certification.
Q: Due to mandatory requirement of code of corporate governance, are particularly local companies in real sense using internal audit function?
I think with enforcement of Code of Corporate Governance (CCG) by Securities and Exchange Commission of Pakistan (SECP) in April 2002, a good beginning has been made but this is not the end, there is always room for improvement if we are open to learning. I firmly believe "present is definitely better than the past and future shall be still better than the present"
Internal auditors, the board of directors, senior management, and external auditors are the cornerstones of the foundation on which effective corporate governance must be built. CCG issued by SECP has enumerated seven key positions that have been vested with major responsibilities for not only good operations of a corporate entity but also made them responsible to ensure compliance of CCG.
CIA is one of those seven key positions. In this corporate world, although these positions (except Audit Committee) have been in existence but a good corporate culture could not develop / flourish. In my view, one of the several reasons is quite distinct and that is the centuries old principle "responsibility and authority go hand in hand" i.e. no authority no responsibility. The authority entails some sort of independent status sufficient enough to take certain actions.
In certain type of entities, these positions are just ceremonially filled to meet the legal formalities as such they can not be expected to do any thing against / beyond often undocumented mandate. Therefore it is imperative that requisite level of independence is ensured for good corporate operations. If greater precision were to be ensured, it would be quite useful if regulatory authorities finally approve appointment and removal of certain key positions. These measures are necessary to curb the practice of "pick and choose" and making the appointment of "pliant and pliable" only. This measure is likely to create a very conducive environment for key positions to discharge their responsibilities. Although internal auditors are positive about their role in corporate governance but are less confident with respect to how to put such a role into practice. Certainly, they regard their effectiveness to be dependent on the caliber and personalities of the members of the board and management.
Q: Does code of corporate governance provide adequate and logical composition for audit committee?
The audit committee should consist solely of outside directors, independent of management and company whose primary focus is to assist the board of directors in carrying out its responsibilities on internal control, financial reporting practices, and accounting policies. The audit committee, with help from the internal auditing department, should fulfil its obligations to the board, the shareholders, and other outside parties who have a stake in the organisation. Oxford English Dictionary (9th edition) defines "independent" as "not depending on another person for one's opinion or livelihood".
The audit committee members should possess relevant industry, company, functional area, and governance expertise and be well informed about financial issues (at least one member needs accounting or financial expertise). The directors should reflect a mix of backgrounds and perspectives. All directors should receive detailed orientation and continuing education to assure they achieve and maintain the necessary level of expertise.
Q: Can internal auditor influence audit committee meetings?
The audit committee is highly dependent on both the internal auditing function and the independent accountant for feedback on risk assessment, management, and internal control systems.
The internal auditor is generally deeply involved in the organisation's processes and practices and constantly observes the control environment. A strong and effective internal auditing function can have a significant impact on improving the effectiveness of audit committee performance. IIA recognises that audit committees and internal auditors have common goals. A good working relationship with internal auditors can assist the audit committee in fulfilling its responsibility to the board of directors, shareholders, and other outside parties.
Internal auditors and audit committees are mutually supportive. Consideration of the work of internal auditors is essential for the audit committee to gain a complete understanding of an organisation's operations, which shall ensure that the audit committee is more involved and proactive in critical corporate issues.
Q: Are the terms of reference of the internal auditors well defined by law? Are the internal auditors sufficiently independent to discharge their functions objectively?
An internal audit charter is a statement of self-governance within the internal audit function. The charter should incorporate all essential matters, which include its accountability structures, responsibilities, quality assurance standards and methodology.
Internal audit should be entrusted by the organisation to ensure that complete, timely and reliable information is provided to the board and key senior management. The board / CEO should be encouraged to promote the functions and status of internal audit, by ensuring that the internal audit function has well defined reporting responsibilities and is provided with sufficient resources. CIA should provide assurance and value-added service to both management and the board to meet the organisation's goals and objectives.
There should be clear guidance for internal auditors to establish a balance between compliance and advisory roles.
The former requires a set of generally accepted and practised benchmarks and standards, while the latter adds value to the organisation through innovative insights and techniques for improvement. Internal audit should have a clear set of published audit objectives to ensure that corporate governance mechanisms such as the internal control systems, the risks management processes, and the financial reporting systems, are monitored at all times.
IIA believes that sound governance is dependent on the synergy generated among the four components of the governance system: the board, management, internal auditors, and external auditors. There should be ongoing communication amongst the CEO, the audit committee, the CFO and the CIA, so that concerns, perceptions and misunderstandings are discussed. This communication is essential to arrive at some congruence in direction in order to achieve good corporate governance.
Independence of Internal Audit
"An internal auditor must be able, and be reasonably expected to be able, to overcome pressures and other factors that would prevent unbiased audit decisions." The auditor must be both independent of mind (the state of mind that permits the provision of an opinion without being affected by the influences that impair professional judgment; when used in conjunction with the independence required of an auditor, it includes the qualities of integrity, objectivity and professional scepticism) and independent in appearance.
IIA's Standards for the Professional Practice of Internal Auditing (Standards) require that the CIA should report to a level within the organisation that allows the internal audit activity to fulfil its responsibilities. To enhance independence, IIA recommends that the following provisions be included in the audit committee charter:
-- The audit committee should ensure that the internal audit function is structured in a manner that achieves organisational independence and permits full and unrestricted access to top management, the audit committee, and the board.
-- The audit committee should review the internal audit function's charter and ensure unrestricted access by internal auditors to records, personnel, and physical properties relevant to the performance of engagements.
-- The audit committee should review and approve the annual internal auditing budget and assess the appropriateness of the resources allocated to internal auditing.
-- Decisions regarding hiring or termination of the CIA should require endorsement by the chairman of the audit committee.
-- The chairman of the audit committee should also be appropriately involved in performance evaluation and compensation decisions related to the CIA.
-- The audit committee should regularly provide the CIA and the external auditor with the opportunity to confer privately with the committee, without the presence of management.
-- The CIA should have direct communication with the audit committee. He / she should attend audit committee meetings and meet privately with the audit committee at least annually. Independence is further enhanced when the audit committee concurs in the appointment or removal of CIA.
Q: Is there a proper co-ordination between the internal and external auditors? If not, how could this process be strengthened?
Financial reporting matters and policies regarding earnings measurement should not be left for the external auditors alone. There should be proper co-ordination and dialogue between the CIA and the external auditor particularly with respect to critical corporate issues affecting the stakeholders. They should work together to help rebuild public trust.
According to IIA Standards for the Professional Practice of Internal Auditing, co-ordinating internal and external audit work falls under the job responsibilities of the CIA. Appropriate coordination should serve to ensure adequate audit coverage and minimise duplicate audit efforts. IIA Research Foundation's report, Co-ordinating Total Audit Coverage: The Relationship between Internal and External Auditors, identifies four relationship levels between internal and external auditors. The key features of each of these levels point to just how closely the two functions might work with each other.
The study labels the first and lowest level of involvement "coexistence." At this level, internal and external auditors pursue separate missions. They independently develop and perform risk analysis, audit planning, and audit-plan execution as distinctly separate and distinct activities. Although those at the "coordination" level also develop analysis independently, they do share information on risk analysis and make some attempts to co-ordinate audit plans. If joint auditing is performed at this level, it is the external auditor who typically tends to determine when and where those activities take place. At the "integration" level, internal and external auditors share risk models and audit plans and perform extensive joint auditing. This is somewhat less collaborative than the fourth level, "partnering," at which internal and external auditors have a shared mission encompassing financial, substantive, compliance, and systems auditing. At this level, the two functions work together to define corporate audit needs and expectations and to meet those requirements through a joint and integrated effort.
Coordination between external and internal auditors is important because it increases the economy, efficiency, and effectiveness of the total audit activity for the enterprise. Neither form of auditing can replace the other. But in many ways, they impinge on each other and if the two audits are uncoordinated, there will be overlaps and duplication that unnecessarily increase audit costs.
The most important element in co-ordinating internal and external auditing is "close and constant communication between the groups". Internal auditors can be particularly helpful to external auditors by exchanging ideas and providing an informed viewpoint on conditions and developments in the organisation, by conducting plant tours and explaining processes and procedures, and by providing briefings on audit activities and findings. The primary objective is not merely economic, but to obtain maximum efficiency and effectiveness of the total audit effort and that efficiency is enhanced when each group's audit results are made available to the other group as needed.
A well-coordinated effort by professional external and internal auditors can provide nervous board members with the assurance that weaknesses in control systems will be detected.
Q: How newly set up internal audits function should proceed and organise its activities?
Once internal audit function is in place, the CEO and the audit committee should expect the new CIA to:
-- Review the definition of internal auditing and the Standards for the Professional Practice of Internal Auditing to become familiar with what is required.
-- Interview senior management and board of directors / audit committee chairman to build rapport, to ensure those at the top has a clear picture of the internal audit function, and to clarify expectations of all. CIA should quickly learn and address what management and the board view as the greatest risks to the organisation, while keeping in mind issues, problems, and opportunities that have already been identified. CIA should develop a system for cataloguing such information, including date and name of person interviewed, for quick reference in the future.
-- Obtain and review a copy of the audit committee charter.
-- Understand "benchmarking" needs and find out which senior management considers to be the leaders and the laggers in the organisation's market niche.
-- Obtain and review written policies and procedures, especially those pertaining to management's responsibility to control the organisation.
-- Discuss with external auditors open and closed internal control issues.
-- Map the major processes / operations within the organisation. Meet with operational managers, including those in information technology, in order to understand their concerns.
-- Develop a risk assessment, including both external and internal risks, for the organisation.
-- Develop a charter, approved by both senior management and the audit committee, for the internal audit department.
-- Build the budget, including personnel and travel; develop the audit plan, based on the risk assessment and requests from management; hire the internal audit staff; and develop a plan for staff training.
-- Ensure that senior management notifies other department of existence of internal audit and calls for complete cooperation.
-- Work with management to establish best-practice reporting relationships, to ensure internal audit is promoted throughout the organisation, and to develop a methodology for following up on audit recommendations and measuring performance.
-- Establish a quality assurance program.
Q: Is internal auditing profession attracting good quality manpower and can internal auditor plan a career in this field?
Senior executives believe that building and maintaining a good corporate reputation is critical to the recruitment and retention of employees. Many view corporate reputations as one of the top three factors that attract new employees, along with compensation and the potential for career growth.
One of the most important things business leaders can do for the organisation is to ensure that the people hired are ethical and honest. This, however, is not an easy task, for sometimes even a person who has previously demonstrated integrity and a strong moral code will stray.
(Shakil Akhtar Qureshi is fellow of Institute of Chartered Accountants of Pakistan (ICAP) and also a member of Accounting and Auditing Standards Committee, Publications Committee and Educational Research Faculty of ICAP. He has over twenty years' diversified experience of working at senior levels in financial institutions. His contact is shakilqureshi@yahoo.com.)

Read Comments