2. “Internal Audit Standards” in my opinion are
Values & Beliefs /
Way of life in Internal Audit
and
not just Rules / Prescriptions!
IIA Madras
M Rajeshwaron
Dec 2005
3. “Effectiveness of Implementation”
Role of…..
Internal Auditor
CEO / CFO
Audit Committee
IIA Leaders
…… is
vital
IIA Madras
M Rajeshwaron
Dec 2005
4. Application – Different Scenario!
Corporates
A. Senior level Professional responsible for Internal Audit
Status
No / Little awareness !
Prescription
Self conviction / Determination / Thorough understanding
Presentations to Audit Stake Holders
Gaining Acceptance
Drafting an “Audit Charter”
Implementation & Monitoring
IIA Madras
M Rajeshwaron
Dec 2005
5. Application – Different Scenario!
Corporates
B. Internal Audit co-ordinated by a by Junior level Auditors
Status
No / little awareness
Interested in PPF implementation – Require guidance!
Organisation not informed of the importance of PPF, New
Definition etc.
Prescription
Seek IIA – Leaders’ support & do all the activities as in ‘A’
IIA Madras
M Rajeshwaron
Dec 2005
6. Application – Different Scenario!
Corporates
C. Group of Companies
Status
Different companies with different status!
Different Audit Committees / CEOs
With or without a Group level Internal Audit co-ordinator!
IIA Madras
M Rajeshwaron
Dec 2005
7. Application – Different Scenario!
Corporates
C. Group of Companies….
Prescription
Group level Head should be a seasoned career internal
auditor
He / She should convince ACs / CEOs of different
Companies
Gain acceptance / put a system in place with Negotiables /
Non-negotiables
Create a strong ‘Group Audit Forum’ / Develop Activities
relating to ‘Standards’
IIA Madras
M Rajeshwaron
Dec 2005
8. Application – Different Scenario!
D. SMEs
Status
No Internal Audit
Blissfully unaware of IIA / PPF etc. !
Prescription
IIA leaders to identify such SMEs & have programs for
educating, guiding and making things happen!
SMEs could seek the help of IA Practitioners for installing
the system.
IIA Madras
M Rajeshwaron
Dec 2005
9. Top 10! Standards that require attention!
• Independence & Objectivity
• Competent Advice / Assistance
• Continuing Professional Education
• Quality Assurance & Improvement
• Establishing Measures
• Planning
• Reporting to Board & Senior Management
• Relationship with Audit Committee
• Role in Risk Management
• Ethical culture
IIA Madras
M Rajeshwaron
Dec 2005
11. 1110 – Independence & Objectivity
Focus:
Organisational Status / Objectivity
The Internal audit activity should be independent and internal
auditors should be objective in performing their work
The Chief Audit Executive should report to a level within the
organisation that allows the internal audit activity to
accomplish its responsibilities
The CAE administratively reports to the CEO of the company
and functionally to the Chairman of Audit Committee
IIA Madras
M Rajeshwaron
Dec 2005
12. 1110 – Independence & Objectivity
Issues
Present level of Internal Auditor in our organisations ?
Responsible for two functions (Resource Utilisation Objective!)
Conflict of interest?
Priority shift between those functions?
Budget constraints coming in the way?
CEO’s time for supervision a constraint? – Delegation to CFOs?
Audit Committee’s time allocation for Internal Audit?
Why does the status of Internal Audit often seem to be a direct
consequence of organisational ledership attitudes? (Long standing IA
functions : JC Penny & Ford Motor)
IIA Madras
M Rajeshwaron
Dec 2005
13. 1130 A2 – Impairments to Independence or Objectivity
Focus
Assurance engagements for functions over which the Chief
Audit Executive has responsibility should be overseen by a
party outside the internal audit activity.
Issues
Who will be the party outside the Internal Audit Activity?
Level of his intervention?
If Field Auditors who report to the CAE were to do the audit?
Escalation of issues to Audit Committee from his (CAE) own
areas?
IIA Madras
M Rajeshwaron
Dec 2005
14. 1210 A1 – Competent Advice / Assistance
Focus
CAE should obtain competent advice and assistance if
the internal audit staff lacks the knowledge, skills, or
other competencies needed to perform all or part of the
engagement
CAE should assess the competency, independence &
objectivity of the outside providers.
IIA Madras
M Rajeshwaron
Dec 2005
15. 1210 A1 – Competent Advice / Assistance
Issues
Normal approach to ‘oursourcing’ Internal Audit vs the
above approach
External Auditors doing internal audit assignments
Internal processes for effective evaluation of outside service
providers
GAP – Guest Audit Pool as a strong Resource!
Strong Business Knowledge
IIA Madras
M Rajeshwaron
Dec 2005
16. 1230 - 1- Continuing Professional Development
Focus
Internal Auditors should enhance their knowledge, skills
and other competencies through continuing professional
development
IIA Madras
M Rajeshwaron
Dec 2005
17. 1230 - 1- Continuing Professional Development
Issues
Normal Training Plan in an organisation vis-à-vis – IA!
Training in Internal Audit:
* Continuous Involvement in Professional Associations
* Knowledge on Standards / its interpretation /
Application
* Technology Adoption (Audit Tools, Risk Assessment
Models)
* Research Projects on various aspects of IA
* Certification for Audit Staff (CIA / CISA etc)
IIA Madras
M Rajeshwaron
Dec 2005
18. 1300 - Quality Assurance and Improvement
Programme (QA & IP)
Focus
The Chief Audit Executive should develop and maintain a
quality assurance and improvement program that covers
all aspects of the internal audit activity and continuously
monitor its effectiveness
IIA Madras
M Rajeshwaron
Dec 2005
19. 1310 -1 – Quality Programme Assessment
Focus
This programme includes periodic internal and external
quality assessments (once in 5 years) and on-going internal
monitoring. Each part of the programme should be designed
to help the internal auditing activity add value and improve
the organisation’s operations and to provide assurance that
the internal audit activity is confirming with the standards.
IIA Madras
M Rajeshwaron
Dec 2005
20. 1300 -1 – Quality Assurance and Improvement
Programme (QA & IP)
1310 – 1 – Quality Programme Assessment
Issues
Do we have a structured system?
What is the system? ISO – 9000?
How are we evidencing the continuous improvement
in the Internal Audit Division? (Kaizen etc)
How do we communicate the results of such Quality
System to Top Management?
Who will do the review (Internal / External)?
Do we have a manual on this?
IIA Madras
M Rajeshwaron
Dec 2005
21. 1311 -2 – Establishing Measures
Quantitative Metrics and Qualitative Assessments to support
reviews of Internal Audit Activity performance
Focus
Identifying critical performance categories:
* Audit stake holders satisfaction
* Audit Processes
* Innovation & capabilities of internal audit
(See chart in next slide)
IIA Madras
M Rajeshwaron
Dec 2005
22. Performance Categories
Internal Customers
• Board / Audit Committee
•Senior Management
•Operating Management
External Customers
•Regulators
Professional Practices
Framework
•Community
Corporate and
Internal Audit
Strategies
•Corporate Customer
Laws and Regulations
•External Audit
Internal Audit Process
•Risk Assessment / Audit
Planning
•Planning & Performing
the Audit Engagement
•Reporting
Innovation and Capabilities
•Training
•Technology
•Industry Knowledge
IIA Madras
M Rajeshwaron
Dec 2005
23. 1311 -2 – Establishing Measures…
Issues
Are we trying to use GAIN – Parameters?
Level of contribution to the improvement of Risk
Management and controls & Governance processes
factored?
Customer Feed back obtained? Matrix prepared?
Achievement of key goals and objectives depicted?
Evaluation of progress against Audit Activity Plan done?
Improved staff productivity substantiated?
A Balance Score Card Frame Work in place? (See chart
next slide)
IIA Madras
M Rajeshwaron
Dec 2005
24. Balance Score Card for Internal Audit
Board / Audit Committee
• Audit Committee satisfaction survey
• Role of internal auditing viewed by
audit committee
• Audit committee risk concerns
Internal Audit Process
Management and Auditees
•Auditee satisfaction survey
results
•Percent of audit
recommendations
implemented
•Number of management
requests
•Management expectations of
internal auditing
Professional Practices
Framework
Corporate and
Internal Audit
Strategies
Laws and Regulations
• Importance of audit issue
• Completed vs. planned audits
• Number of major audit findings
• Amount of audit savings
• Quality assurance techniques
developed
• Number of repeat findings
• Days from end of field work to
report issurance
•Number of complaints about
audit
Innovation and Capabilities
•Staff experience
•Training hours per internal auditor
•CAE reporting relationship – functional
•Percent of certified staff
IIA Madras
M Rajeshwaron
Dec 2005
25. 1311 -2 – Establishing Measures…
Issues…
Increased cost efficiency of the audit process
highlighted?
Increased number of action plans for process (IA)
improvements captured?
Adequacy of engagement planning / supervision
documented?
Effectiveness in meeting the needs of stake holders
measured?
(Next year by this time IAs have to report these to ACs –
Clause 49)
IIA Madras
M Rajeshwaron
Dec 2005
26. 2010 –A1 – Planning
Focus
The Chief Audit Executive should establish risk based
plans to determine the priorities of the internal audit activity
consistent with the organisation’s goals.
Issues
Have we adopted the required Technology to do this Risk
Ranking?
Do we have access to the organisation’s strategy, Goals,
Business Plan etc.,?
Does the organisation have a risk management system in
place or not? Has it been factored in our risk prioritation?
Do we consider Auditee Management, a partner in this
exercise?
IIA Madras
M Rajeshwaron
Dec 2005
27. 2060 – Reporting to Board & Senior Management
Focus
The Chief Audit Executive should report periodically to the
Board and Senior Management on the Internal Audit
activity’s purpose, authority, responsibility & performance
relaltive to its plan.
Reporting should also include significant risk exposures
and control issues, Corporate Governance issues, and
other matters needed or requested by the Board / Senior
Management
IIA Madras
M Rajeshwaron
Dec 2005
28. 2060 – Reporting to Board & Senior Management..
Issues
AC’s dual role – IA oversight responsibility & Internal
Control System
Isolated ‘control’ issues reported often? (Risks vs.
Risk Management Process)
Overall assurance statements not made (data
inadequacy with audit)?
‘Materiality concept’ defined, discussed & agreed?
IIA Madras
M Rajeshwaron
Dec 2005
29. 2060 – Reporting to Board & Senior Management..
Issues…
Significant Material issues
* Conditions dealing with irregularities
* Illegal Acts
* Errors
* Inefficiency
* Waste
* Ineffectiveness
* Conflicts of interest
* Control weaknesses
IIA Madras
M Rajeshwaron
Dec 2005
30. 2060 -2 – Relationship with Audit Committee
Focus
Inter-locking goals of Internal Auditor & Audit Committee
Effective & strong working relationship only will achieve this
* Internal Auditor as an ‘Advisor’ to Audit committee
* Audit Committee who has an ‘oversight responsibility’ for
internal Audit
Issues
20 Questions Directors should ask about Internal Audit (IIA
Research) - click
This should form part of the ‘Internal Auditor’s initial
presentation to the Board / Audit committee / Senior
Management in the organisation
Belief is that when IA Stds. are followed , AC can discharge its
responsibility more effectively.
IIA Madras
M Rajeshwaron
Dec 2005
31. 2100 -3 – Internal Auditors’ role in
Risk Management Process
Focus
The Internal Audit activity should evaluate and contribute
to the improvement of risk management, control and
governance processes using a systematic and disciplined
approach
Issues
Primary responsibility – Management
Support / Facilitating Role – Internal Audit
Risks
- Strategic direction – Board
-
Ownership – Senior Management
Residual Risk Acceptance – Executive Management
Monitoring Activities – operating management
Periodical Assessment / Assurance – Internal Audit
IIA Madras
M Rajeshwaron
Dec 2005
32. 2100 -3 – Internal Auditors’ role in
Risk Management Process…
Issues….
Factors to be considered while adopting the standard
* Culture of organisation / Entity’s size
* Ability of Internal Audit
* Local Conditions / Customs of the Country
IIA Madras
M Rajeshwaron
Dec 2005
33. 2100 -4 – Role in Organisation without a Risk
Management Process
Focus
Consulting Role – Internal Audit
Improving fundamental processes
Issues
What adds value to ‘Risk Services’ by IA?
- Measurement
- Completeness
- Process Assurance
- Second look
- Objectivity
IIA Madras
M Rajeshwaron
Dec 2005
34. 2100 -7 – Environmental Risks
Focus
SHE Audits
Issues
Do we have a Technical Audit system?
Normally Safety Audits are with the Safety Department
No reports placed at the Board by them
Should be an integral part of Internal Audit to effectively
communicate risks to Top Management / Board
Competency building efforts within Internal Audit?
IIA Madras
M Rajeshwaron
Dec 2005
35. Other Risk related Standards
2100 – 5 - Regulatory Compliance
2100 – 6 - e-commerce activities
2100 – 8 - Privacy Framework
2100 - 9 - Application System Reviews
2100 - 10 – Audit Sampling
2100 - 1,2, 11-- Risk Elements
(Definition, Information Security, IT Controls etc.)
IIA Madras
M Rajeshwaron
Dec 2005
36. 2130 – Ethical Culture
Focus
Governance Related
Internal Audit as an “Ethics Advocate”
Issues
Do we look at this at present?
Do we see the connectivity & shift in focus?
* Fraud – Investigation role
* Ethics – Advocacy role
IIA Madras
M Rajeshwaron
Dec 2005
37. 2130 – Ethical Culture
Key Organisational Ethics Activities
IA’s effective Role
-
Set an ethical tone at the top
Promote strong and effective internal controls
Establish a whistle blower policy
Prevent reprisals
Provide ethics & fraud training for staff
Implement a confidential tips hotline
-
Create a culture of doing the right thing
IIA Madras
M Rajeshwaron
Dec 2005
38. 2130 – Ethical Culture
IA can play a ‘Change Agent’ role :
- Establishing a ‘whistle-friendly’ accountable Corporate
Culture?
- Educating the Corporation about the ‘risk of not
knowing what is going wrong!’
Have we built the required credibility and got the
competency to address this area?
IIA Madras
M Rajeshwaron
Dec 2005
39. 2600 – Management’s Acceptance of Risks
Focus
When the Chief Audit Executive believes that senior
management has accepted a level of residual risk that is
unacceptable to the organisation, the Chief Audit Executive
should discuss the matter with Senior Management
If the decisions regarding residual risk is not resolved, the
Chief Audit Executive and senior management should
report the matter to the board for resolution.
IIA Madras
M Rajeshwaron
Dec 2005
40. 2600 – Management’s Acceptance of Risks…
Issues
Are we doing this?
Are issues getting dropped at the Executive Management
level?
Level of Support / Freedom provided by Audit Committee
in this regard?
Residual Risk – Assessment – How scientific is it ?
IIA Madras
M Rajeshwaron
Dec 2005
41. All these mean……
Passion and thirst for excellence!
Strong belief in IIA Standards
High level of Professionalism
Effectiveness in energising,educating, convincing
and gaining acceptance from all stake holders
Ruthless Execution of a robust audit system
Sustaining the Best Practices adopted
- A WILL TO DO !
IIA Madras
M Rajeshwaron
Dec 2005
42. “Will to do”
±ñ½¢Â ±ñ½¢Â¡íÌ ±öÐÀ ±ñ½¢Â¡÷
¾¢ñ½¢Â÷ ¬¸ô ¦ÀÈ¢ý
-¾¢ÕìÌÈû
The will to do achieves the deed
When mind that wills is strong in deed
-Thirukkural
IIA Madras
M Rajeshwaron
Dec 2005
44. 20 Questions
Directors ask about Internal Audit
1.
2.
3.
4.
5.
6.
7.
8.
Should we have an Internal Audit Function?
What should our Internal Audit function do?
What should be the mandate of the Internal Audit
Function?
What is the relationship between Internal Audit and the
Audit Committee?
To whom does Internal Audit report administratively?
How is the Internal Audit function staffed?
How does Internal Audit get and maintain the
expertise it needs to conduct its assignments?
Are the activities of Internal Audit appropriately coordinated with those of external auditors?
IIA Madras
M Rajeshwaron
Dec 2005
45. 20 Questions
Directors ask about Internal Audit
9. How is the Internal Audit Plan developed?
10. What does the Internal Audit Plan not cover?
11. How are internal audit findings reported?
12.How are Corporate Managers required to respond to
Internal Audit findings and recommendations?
13. What services does Internal Audit provide in connection
with fraud?
14. How do you assess the effectiveness of your internal
audit function?
15. Does Internal Audit have sufficient resources?
16. Does Internal Audit function get appropriate support
from the CEO and Senior Management Team?
IIA Madras
M Rajeshwaron
Dec 2005
46. 20 Questions
Directors ask about Internal Audit
17. Are you satisfied that this organisation has adequate
internal controls over its major risks?
18. Are there any other matters that you wish to bring to
the Audit Committee’s attention?
19. Are there other ways in which internal audit and the
audit committee could support each other?
20. Are we (the Audit Committee) satisfied with our Internal
Audit Function?
back
IIA Madras
M Rajeshwaron
Dec 2005