Mubarak for Accounting, Auditing & Financial Consultancy

Size: px

Start display at page:

Download "Mubarak for Accounting, Auditing & Financial Consultancy"

Nathan Harrington
5 years ago
Views:

2 Internal Auditing: The Definition of Internal Auditing 3 Add Value 5 Value-Added Internal Audit Survey - Introduction 7 Value-Added Internal Audit Survey - Responses to our questionnaire 8 IAA in SMEs Sudan 21 Best practices in value-added internal audit 22 References 37 2

3 Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance process. 3

4 The Definition highlights the following responsibilities of internal auditing: Objective assurance and consulting activity Independently managed within an organization Adds value to improve the operations of the organization Assists an organization in accomplishing its objectives Uses a systematic and disciplined approach Evaluates an improves the effectiveness of the organization's risk management, control and governance processes. 4

5 The concept of value added has been embedded in definition of internal auditing, as noted in the glossary to the Standards; Value is provided by: improving opportunities to achieve organizational objectives, identifying operational improvements, reducing risk exposure through both assurance and consulting services. 5

6 The first Performance Standards* (Standard 2000) states: The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization. * International Standards for the Professional Practice of Internal Auditing. 6

7 Recognizing the importance of the subject, we have conducted a survey covering 24 large organizations. Survey target respondents were: Banks Telecom companies Diversified groups Government entities Rate of response was 45.8%. 7

8 1. Availability of an internal audit department: 9% 91% of respondents have an internal audit department, while the rest have outsourced the service. 91% Yes No 8

9 2. Number of internal audit staff 67% of responding organizations employ more than 10 internal auditors. 70% 60% 67% 50% 40% 30% 20% 22% 10% 0% 11% less than 5 5 to 10 more than 10 9

10 3. Availability of an IT auditor 82% of responding organizations do not have the services of an IT auditor. Yes, 18% No, 82% 10

11 4. Perceptions towards Internal audit costs All said: Costs related to running a full-fledged IAA are justified and beneficial to the organization. They should neither be eliminated nor reduced. 11

12 5. Availability of a charter 91% of responding organizations possess an approved Internal Audit Charter. No, 9% Yes, 91% 12

13 6. Availability of a manual 18% indicated the unavailability of a formal Internal Audit Manual. No, 18% Yes, 82% 13

14 7. Perceptions towards value-adding roles From the point of view of senior management and based on perceived actual performance, IAA helps in: Achieving organizational objectives Strongly Agree Agree Somewhat Agree Disagree 64% 27% 0% 9% 14

15 7. Perceptions towards value-adding roles From the point of view of senior management and based on perceived actual performance, IAA helps in: Improving operations/performance Strongly Agree Agree Somewhat Agree Disagree 73% 9% 9% 9% 15

16 7. Perceptions towards value-adding roles From the point of view of senior management and based on perceived actual performance, IAA helps in: Strongly Agree Agree Somewhat Agree Disagree Prevention of fraud 64% 18% 9% 9% 16

17 7. Perceptions towards value-adding roles From the point of view of senior management and based on perceived actual performance, IAA helps in: Strongly Agree Agree Somewhat Agree Disagree Cost reduction 45% 45% 0% 9% 17

18 8. Reporting lines Over 45% of internal audit departments in the surveyed organizations report to the general manager or the CEO. GM/CEO 45% BOD/ Audit Committee 55% 18

19 9. Ranking of value-added internal auditing measures: assurance of internal control efficiency dealing with financial risks dealing with compliance risks fraud prevention and detection reporting quality and efficiency finalization of the approved annual audit plan assuring the efficiency of risk management dealing with operational risks provide consultancy services/contribute to special committees reduce external audit fees 19

9. Some incidents/reports where Senior Management noticed a value addition by the IAA to the organization Improvement of some programs and processes resulting in an improved service provision and

20 9. Some incidents/reports where Senior Management noticed a value addition by the IAA to the organization Improvement of some programs and processes resulting in an improved service provision and customer satisfaction Alignment of authority matrix and avoidance of conflicting responsibilities/duplication of efforts Evaluation and recommendations related to IT contingency plan. Recommendations resulted in a faster receivables collection. Frequently repeated errors report Recommendations lead to avoidance of very likely losses and compliance with regulations. Reduced operational and compliance risks 20

21 From our experience, we have noted the following about the IAA in Sudan SMEs. Small and understaffed departments, compared to the size of operations Vouching rather than risk-based audits Limited resources, lack of training and professionally qualified staff Reporting to executive management and not the BOD No audit committees No approved charters or documented manuals. Hence, the vast majority of SMEs in Sudan do not run value-adding internal audit departments. 21

22 1- Align the Audit Department Structure with the Structure of the Organization. Organizational units, processes, or product lines however the organization categorizes itself are assigned to each audit manager. For example, consider the following structure used at a major retail company: Audit Managers for: Audit Manager for: Audit Manager for: Audit Manager for: Dept. stores (2) Catalog Business Process Review team Merchandising & Marketing Separate Vitamin and Health Products Subsidiary Accounting Center Credit Direct Marketing Finance International IS Audit Technology 22

23 1- Align the Audit Department Structure with the Structure of the Organization (continued) For this tactic to work, the audit department must be large enough to require and support several audit managers. 23

24 2- Use Relationship Managers. An experienced auditor is assigned to each organizational unit/process/product line. Purpose: To stay in touch with unit/process/product line managers. To provide real time risk assessment. To find opportunities to help: talk about changes taking place and the resulting risks; suggest procedures for managing risk; share best practices and common control weakness being found throughout the organization, etc. 24

25 2- Use Relationship Managers (continued). Activities: A formal call program of once a month or at least once a quarter. Frequent, informal stopping by. Attendance at staff meetings, planning sessions, conference calls, etc. Variations: If the organization is geographically disbursed, an auditors is assigned in each region for each process. The lead auditor fills this role until another auditor leads an audit in the area. 25

26 3- Base the Audit Plan on Risk Minimize or eliminate repetitive, cycle audits. Use qualitative, participative risk assessment. An automated risk model is of secondary importance. If you use one, emphasize qualitative factors. If you use one, use it as the starting point only. Management participation is primary. 26

27 4- Identify Tomorrow s Risks, Not Yesterday s. Once a year is not enough. Use real time risk assessment. Focus on change, business strategy. Build flexibility into the annual plan to address risks as they arise. 27

28 5- Select the best Assurance Service for Each Risk. Offer a menu of products/services, including: Risk based process audits. Pre-implementation reviews. Use of self-assessment. For soft controls (workshops, surveys, questionnaires, structured interviews). 28

29 5- Select the best Assurance Service for Each Risk (continued). For hard controls (operating personnel independent of the area tested perform detailed tests of internal control procedures on a defined schedule and with internal reporting of results, internal audit reviews documentation and sub-tests to verify integrity of the process). Internal control education (formal training programs and ad-hoc training during audits). 29

30 6- Ensure Audit Are: Risk based. and/or Process based Meaning # 1: audit the entire business process, not organizational units. Meaning # 2: focus on process improvement, not just control. 30

31 7- Ensure Audit Are Participative. Plan the audit with your audit customer. Work through the audit with your customer; discover weaknesses together. Develop solutions together. 31

32 8. Ensure Audit Include CAATS. 9. Ensure Audit Are Integrated. Consider technology, operation, control, etc. together in the audit. One person ideally should be looking at the composite picture that results. 32

33 10- Employ Stop and Go Auditing. Stop when comfort is acquired, not when the audit plan or program states. Go where weakness are indicated until comfort is achieved. Avoid spending 99% of audit time reviewing things that are 99% okay. 33

34 11- Staff with Experts More Than Trainees. High average experience level. Multidisciplinary. Experienced in the business. Skilled in data analysis. Integrated IT/business audit skills. High professional (certification, advanced degrees, ). Enhanced with selective outsourcing. 34

35 12. Create Positive Work Environment. Challenging work assignments. Creativity encouraged and rewarded. Employee involvement in decision-making. Fun place to work. 35

36 13. Promote a Value-adding Culture. Emphasize partnership more than independence. Serve as an internal control trainer, coach, consultant ; not just an evaluator Make sure everyone always look for opportunities to improve the business. 36

International Professional Practices Framework (IPPF) The Definition. International Standards for the Professional Practice of Internal Auditing.

37 International Professional Practices Framework (IPPF) The Definition. International Standards for the Professional Practice of Internal Auditing. MAAFC survey on value-added internal auditing, January Implementing the IPPF (IIA) 3 rd Edition. A global summary of the common Body of knowledge (CBOK 2006). How internal auditors Add Value? By James Roth, Internal Auditor, 18 March Internal Auditing as a consulting activity that evaluates and improves the control process, University of Pretoria Coetzee, GP (2004). Guidance for audit committees, The internal audit function, ICAEW, March Targeting Key Threats and changing expectations to deliver greater value, PWC Global internal audit survey, Ernst & Young,

38 38