2. An introduction to internal auditing
• This slide is not to be shown
• The slide show aims to provide an introduction to internal auditing.
• The notes give more information on each slide.
• The slides and the notes will need changing for your organization.
• The slide presentation is not automatic, you will need to click through it.
• There are 25 slides, which should take around 25 minutes to show
(excluding questions).
• Some slides have animations.
• For more details about the internal audit processes see the free books
available from www.internal audit.biz.
23/08/2015 2
4. Contents
• The organization
• The objectives and risks
• The responses to risks
• The purpose of internal auditing
• Internal audit’s opinions
• Audit planning
• The individual audit
• The periodic summary report
23/08/2015 4
6. The organization
It has ‘stakeholders’ – people who
are interested in what it
delivers.
They may be investors, owners, suppliers,
customers, employees.
23/08/2015 6
7. The organization
It has a governing board – people
who are responsible for
delivering what the stakeholders
want.
They may be directors, trustees, partners.
23/08/2015 7
8. The organization
So stakeholders have objectives
which they expect the governing
board to deliver.
These objectives may be to increase profits,
deliver food to famine areas or recruit more
students.
23/08/2015 8
9. The objectives
Unfortunately the achievement of
these objectives is threatened by
circumstances called risks.
These risks may be: competitors launching new
products, floods destroying roads or poor exam
results.
23/08/2015 9
10. The objectives
These risks require responses to
mitigate them to a level which
should enable the objectives to
be achieved.
This risk level is known as the ‘risk appetite’ of
the organization.
23/08/2015 10
11. The responses
The responses (controls) to mitigate risks are:
• Terminate the operation causing the risk (stop
manufacturing a dangerous product).
• Transfer the risk (insure against the risk, such as a fire).
• Treat the risk by having processes to reduce them (known as
‘internal controls’)
• Tolerate the risk if it is too expensive to use one of the
above responses - but have a contingency plan.
23/08/2015 11
12. The responsibilities
Who has the responsibility for:
• Objectives? The stakeholders and governing board specify
the objectives.
• Risks? The governing board and management identify the
risks hindering the achievement of the objectives.
• Responses? The governing board and management decide on
the responses to be taken to reduce the risks to a level they
consider acceptable.
We can refer to the above processes as the internal control
framework.
23/08/2015 12
13. The worries
How do the stakeholders and
governing board know that their
objectives will be achieved
because the responses are
sufficient and operating?
23/08/2015 13
15. Internal auditing
So what is the purpose of internal auditing?
Internal auditing provides an
independent and objective opinion
to an organization's management as
to whether its risks are being
managed to acceptable levels.
23/08/2015 15
16. Internal auditing
The main aim of internal auditing is to
assist the organization to achieve its
objectives
The management
of an organization
have
Objectives
An internal control
is a process which
manages a risk
Internal auditing
provides an independent and objective opinion
to an organization’s management as to whether
its risks are being managed to acceptable levels.
A risk is a set of circumstances that
hinder the achievement of an objective
23/08/2015 16
17. The opinion
What opinion does the internal audit department provide?
It provides an answer to the question:
Are the risks to the organization's
objectives being managed to
acceptable levels?
What does it need to answer this question?...
23/08/2015 17
18. The opinion
In order to come to its opinion about the
management of risks, internal audit needs to be
sure that management:
– Have implemented controls to bring the risks to below
the risk appetite.
– Have therefore identified the risks which require
controls.
– Have specified the objectives which are threatened by
the risks.
23/08/2015 18
19. The opinions
• Internal audit has therefore to assess the organization’s internal
control framework:
– Has the governing body and management established clear objectives?
– Have managers been trained to identify and assess risks?
– Have controls been implemented to reduce these risks to a level considered acceptable by
the governing body?
• Based on the answers to these, and other, questions internal audit can
decide on whether to plan audits based on the organization’s risk
assessment.
• If it can’t plan audits because risks have not been identified and assessed,
it needs to consult the governing body for guidance.
23/08/2015 19
20. The audit plan
• If internal audit can plan, it will identify audits required based on
the assessed risks and discuss this plan with management.
• This plan will be updated when management identify emerging
risks.
• The audits in the plan should provide the governing body with the
overall opinion they need to report on the adequacy of risk
management to their stakeholders.
• The internal audit plan will therefore cover all functions within an
organization.
23/08/2015 20
21. The individual audit
• The plan consists of individual audits which will:
– Deliver an opinion on whether particular objectives are likely to be achieved.
– Be based on work to examine whether
• Management has established a proper internal control framework in the functions delivering the
objectives.
• Controls mitigating the risks which threaten the objective(s) are sufficient and operating.
– Check that action is being taken to ensure the objectives will be achieved.
• Audit work will:
– Check that objectives have been specified and risks identified and assessed.
– Check that controls are sufficient and operating to bring these risks to within
the organization’s risk appetite.
23/08/2015 21
22. The individual audit
• The stages of the audit will be:
– Planning the audit.
– Obtaining information about the functions/departments involved.
– Agreeing the scope of the audit with management.
– Introducing the audit to all the staff likely to be involved.
– Checking the internal control framework established by management.
– Documenting the objectives, risks and controls, using the internal control framework as a basis.
– Testing that the internal controls are sufficient and operating.
– Discussing the findings with management.
– Issuing a draft report for discussion which gives an opinion as to whether the objective(s) of the
functions/departments being audited are likely to be achieved. (if the objectives are not likely to be
achieved because some risks are above the risk appetite, the opinions on the next slide will be given).
– Issuing the final report to management and senior management, as appropriate.
23/08/2015 22
23. The individual audit
If the objectives are not likely to be achieved
because some risks are above the risk appetite the
individual audit opinion will answer the questions:
• Has management established a proper internal control framework? That is:
– specified their objectives?
– identified the risks threatening these objectives?
– established controls which should reduce the risks to acceptable levels?
• Are these controls sufficient and operating to bring the risks to below the
risk appetite and ensure the achievement of the related objective?
• Where necessary, is action being taken which will bring the risks to below
the risk appetite and ensure the achievement of the objective?
23/08/2015 23
24. Periodic summary report
The internal audit department will issue summary reports
from individual audits giving opinions on whether:
• Objectives are being achieved.
• The risks above the board's risk appetite (‘significant’ risks) have been identified,
evaluated and managed.
• The internal control framework has been effective in managing the significant
risks, having regard, in particular, to any major deficiencies in internal control that
have been reported.
• Necessary actions are being taken promptly to remedy any major deficiencies.
• Whether the audit plan, agreed with the audit committee at the start of the year,
has been achieved. If it has not, why not. (If the report is an interim one, the
progress towards achieving the plan).
23/08/2015 24
View towards Hayling Island from Emsworth shore, Hampshire, UK at sunset.
This slide is to make the presenter aware of what is available on these slides.
These slides aim to provide an introduction to the process of internal auditing and how the internal audit department carries out its work.
The slides are based on the free books available from www.internalaudit.biz
Hello and thanks for coming!
The introduction begins by looking at the organization which has/needs internal auditing.
Next, the presentation describes how internal auditing can be a business advantage to an organization.
It then considers what methods the internal audit department uses to provide this advantage.
So let’s start by looking at your organization...
Your organization has groups of people interested in how it performs – the stakeholders.
They may have a direct financial stake (investors, owners), indirect financial stake (suppliers, employees, students, tax authorities) or potential financial stake (customers)
Your organization has a governing board, such as directors, trustees (for a charity), senate (for a University) or partners (accountants, lawyers). This governing board is ultimately responsible to the stakeholders for delivering their objectives.
In many organizations, an audit committee will carry out some of the responsibilities of the governing board.
These responsibilities may involve monitoring the establishment of the risk framework and receiving internal audit reports.
Internal audit should have a reporting line to the audit committee.
The governing board will have to deliver the stakeholders’ objectives, and will therefore have to understand and clearly specify them.
The governing board may also add their own objectives or make the stakeholders’ objectives more specific, for example specifying by how much profits should increase.
A risk is a set of circumstances which hinders the achievement of an objective.
Responses are actions which reduce the impact and/or probability of a risk. They may be generally referred to as ‘controls’.
Ideally the impact and probability of the risk should be reduced to a level below that considered acceptable by the governing board – the ‘risk appetite’.
Thus the board needs to define how the magnitude of any risk is to be measured, and specify what is acceptable in terms of the measurement system adopted.
There are generally considered to be four types of possible responses to risks. Responses may generally be referred to as ‘controls’.
Terminating the operation giving rise to the risk removes the risk.
Transferring or treating the risk should make it acceptable (but may not do so).
If the above options are not cost effective, the risk may have to be tolerated. The governing board should be made aware of these risks and contingency plans drawn up and tested in case the risk happens.
Management, at the appropriate levels, have the responsibility for specifying objectives, identifying and assessing risks and implementing controls to reduce their impact/likelihood. When complete this work establishes the internal control framework
Why management? Because they know their part of the business. Internal Audit may be able to help them, by running risk workshops for example and maintaining the Objectives, Risks and Controls Register, but management own the risks and are responsible for the controls managing them.
Internal audit may also be available to provide specialist help, for example with financial and IT controls, as part of a consultancy role.
So, at this stage we should know the
Objectives
Risks threatening these objectives
Responses bringing these risks to an acceptable level
So how do the stakeholders and board sleep well at night, knowing the responses (controls) are sufficient and are actually being operated properly?
That’s the responsibility of an internal audit department!
This is my ‘mission statement’ for internal auditing.
The Institute of Internal Auditors has a slightly different statement: To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight
I dislike the word ‘assurance’ in this statement. Although an ‘opinion’ can be positive or negative, assurance has to be positive. This gives an expectation that internal audit will not criticise – not a good idea!
Giving a opinion is completely consistent with the IIA standards (2410.A1 - Final communication of engagement results must, where appropriate, contain the internal auditors’ opinion and/or conclusions...) .
So to sum up so far:
The management of an organization have objectives
The achievement of these objectives is hindered by risks
Internal controls manage these risks
The main aim of internal audit is the same as any function – to assist the organization in achieving its objectives
It does this by providing an opinion about the effectiveness of controls managing risks to acceptable levels
The opinion internal audit provides reflects its mission statement. ‘Managing’ risks is a short way of expressing, ‘reducing risks by applying one of the four responses’.
Internal audit cannot start planning if it does not have confidence in the internal control framework established by management, since it will not know that the controls it is to test are complete.
Therefore the first task of internal audit is to assess the quality of the organization’s internal control framework.
This framework can only be complete if:
All objectives have been specified
All risks have been identified and assessed
All controls have been implemented
In practice there are many questions to answer in order to assess the organization’s risk maturity.
If the answers show that the controls implemented are likely to be complete, planning of audits can commence.
If the answers show that controls may be missing, this opinion must be reported to the governing body/audit committee. It is possible (probable) that internal audit will be asked to facilitate the establishment of a proper internal control framework.
‘Management’ includes the audit committee and governing body.
So the plan is driven out of management’s identification and assessment of risks, probably recorded in some sort of objective and risk register.
IA may identify emerging risks and these should be discussed with the appropriate management and the plan changed accordingly.
Local requirements might include COSO and stock exchange regulations.
Internal audit will not be restricted to financial audits but will cover the entire organization. It may need specialized resources to do this and will be involved with management at all levels. It will need to be constantly aware of the organization’s development and the new objectives and risks resulting from this. It will become an essential participant in the running of the running of the organization.
The individual audit provides opinions consistent with the overall opinion given to the governing board (see slide 17)
Has management established a proper internal control framework? That is, has management: specified their objectives, identified the risks threatening these objectives and established controls which should reduce the risks to acceptable levels?
Are these controls sufficient and operating to bring the risks to below the risk appetite and ensure the achievement of the related objective?
Is action being taken which will bring the risks to below the risk appetite and ensure the achievement of the objective?
The initial audit work will check that the management of the departments concerned have established a proper risk framework. Even if a good risk framework has been established by the organization, it may not have been implemented properly by all managers.
If there is no proper risk framework , internal audit may have to assist management with establishing one.
Once a risk framework is in place, the controls designed to mitigate the risks can be checked to ensure they are sufficient and are working.
Each stage of the audit should require close cooperation with management and staff, so that they are kept informed at all times.
Where risks are above the risk appetite it is likely that a ‘major deficiency’ exists. In this case further questions have to be answered - see the next slide.
These questions will each have an answer:
YES
NO
YES WITH EXCEPTIONS – this opinion means that the objective should be achieved but that cost-effective improvements could be made to the control framework.
Regulations often require an ‘annual report to the board (or Board Audit Committee)' from management on the effectiveness of internal controls. The frequency and contents of the report to the audit committee will depend on internal audit's charter but will normally include the contents of the slide.
This summary is very important, since it is one of the main methods that the audit committee will use to judge the competence and worth of internal audit. The CAE should ensure that the audit committee have been consulted on its format and should obtain feedback from each meeting that he/she attends.
That’s the end of the presentation, which is only an introduction to internal auditing. There is much more, which can be found in the four free books on www.internalaudit.biz
Time for the audience to ask any questions.
Any feedback from the audience?
Do they feel they have learnt something?
Has their view towards internal changed? Do they considerer it more of a partner and less of a subsidiary function?
Goodbye and thanks for your time!
