(a) the examination and evaluation of the adequacy and effectiveness of the Agency’s systems of internal control, risk management and governance;
(b) the examination of the Agency’s compliance with policies, procedures, plans, legislation and Treasurer’s Instructions;
(c) assessment of the reliability and integrity of financial management information;
(d) assessment of the safeguarding of assets;
(e) any special investigations as directed by the Head of Agency or audit committee;
(f) provision of advisory services to management.
The internal auditing profession evolved steadily with the progress of management science after World War II. It is conceptually similar in many ways to financial auditing by public accounting firms, quality assurance and banking compliance activities. Much of the theory underlying internal auditing is derived from the management consulting and public accounting professions. With the implementation in the United States of the Sarbanes-Oxley Act of 2002, which is being widely adopted by various countries, the profession's growth accelerated, as many internal auditors possess the skills required to help companies meet the requirements of the law.
INTERNAL AUDIT AND MANAGEMENT
Essentially, internal control is management's responsibility. Management is responsible for designing, developing, implementing and monitoring internal control systems.
It is here that the influence of the internal auditor can be most significant. In many respects, an internal auditor is known to be an internal control specialist. It is thus the auditor's responsibility to stay abreast of new laws and to flag any evidence of legal non-compliance. The internal auditor is then responsible for recommending remedial controls to management.
When talking about responsibilities for controls, the very contentious issues of “fraud” and “detection of fraud” come to mind. Fraud, together with corruption, gives any company a bad reputation. Certainly, it is management's responsibility to prevent fraud from happening. However, an incidence of fraud is indicative of a weakness in internal controls. Here the internal auditor has the opportunity to contribute substantially to reducing the incidence of fraud by virtue of the control systems recommended for introduction in the employer's business operations.
Unfortunately, the very group responsible for internal controls, namely senior management, is frequently best placed to commit fraud through management override of control procedures. Therefore, it may be safely assumed that auditors have a role to play in this regard. From the side of internal audit, a good system of internal control and internal checks, supported by a strong, involved investigative attitude, is essential. Strong independent auditors must review the emphasis they place on providing value-added, business-oriented audit services at the expense of the time required to be spent on the more traditional areas of internal controls and systems.
Internal audit must also ensure that management challenge the ethos of their corporate culture to ensure it conveys the message that dishonesty, lack of integrity and dubious activities will not be tolerated.
ROLE IN RISK MANAGEMENT
Internal auditing professional standards require the function to monitor and evaluate the effectiveness of the organization's risk management processes. Risk management relates to how an organization sets objectives, then identifies, analyzes, and responds to those risks that could potentially impact its ability to realize its objectives. The internal auditing activity evaluates and contributes to the improvement of risk management, control, and governance, regarding:
i) Compliance with laws, regulations and contracts
ii) Effectiveness and efficiency of operations
iii) Reliability and integrity of financial and operational information
iv) Safeguarding of assets
Risk implies uncertainty. Avoiding negative surprises requires the deployment of certain strategies. Independent research has indicated that the majority of companies do not carry out a risk assessment to identify and evaluate the potential impact of an unplanned event on their business. Under the COSO enterprise risk management (ERM) framework, risks fall under strategic, operational, financial reporting, and legal/regulatory categories.
Internal audit can make a difference by considering the risk that fraud, incompetence and errors may exist that may not be detected. By taking the following factors into account, possible fraud and errors might be detected:
• Weaknesses in the design of the accounting and internal control system;
• Non-compliance with internal controls;
• Questions with respect to management's integrity and competence;
• Unusual external or internal pressure on entities;
• Unusual transactions;
• Difficulty in obtaining sufficient appropriate audit evidence.
Management performs risk assessment activities as part of the ordinary course of business in each of these categories. Examples include: strategic planning, marketing planning, capital planning, budgeting, hedging, incentive payout structure, and credit/lending practices. Corporate legal counsel often prepares comprehensive assessments of the current and potential litigation a company faces. Internal auditors may evaluate each of these activities, or focus on the processes used by management to report and monitor the risks identified. For example, internal auditors can advise management regarding the reporting of forward-looking operating measures to the Board, to help identify emerging risks.
In larger organizations, major strategic initiatives are implemented to achieve objectives and drive changes. As a member of senior management, the Chief Audit Executive (CAE) may participate in status updates on these major initiatives. This places the CAE in the position to report on many of the major risks the organization faces to the Audit Committee, or ensure management's reporting is effective for that purpose.
ROLE IN INTERNAL CONTROL
Control is defined in the IIA's Standards for the Professional Practice of Internal Auditing as:
“Any action taken by management to enhance the likelihood that established objectives and goals will be achieved. Management plans, organizes and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.”
The primary objectives of internal controls are to ensure:
• The reliability and integrity of information
• Compliance with policies, plans, procedures, laws, regulations and contracts
• The safeguarding of assets
• The economical and efficient use of resources
• The accomplishment of established objectives and goals for operations or programs
This can be summarized as the safeguarding of resources (assets) from inappropriate use or loss and ensuring that liabilities are identified and managed.
Internal auditing activity is primarily directed at improving internal control. Management is responsible for internal control. Managers establish policies and processes to help the organization achieve specific objectives in each of these categories. Internal auditors perform audits to evaluate whether the policies and processes are designed and operating effectively and provide recommendations for improvement.
ROLE IN CORPORATE GOVERNANCE
Internal auditing activity as it relates to corporate governance is generally informal, accomplished primarily through participation in meetings and discussions with members of the Board of Directors. Corporate governance is a combination of processes and organizational structures implemented by the Board of Directors to inform, direct, manage, and monitor the organization's resources, strategies and policies towards the achievement of the organization's objectives. The internal auditor is often considered one of the "four pillars" of corporate governance, the other pillars being the Board of Directors, management, and the external auditor.
A primary focus area of internal auditing as it relates to corporate governance is helping the Audit Committee of the Board of Directors (or equivalent) perform its responsibilities effectively. This may include reporting critical internal control problems, informing the Committee privately on the capabilities of key managers, suggesting questions or topics for the Audit Committee's meeting agendas, and coordinating carefully with the external auditor and management to ensure the Committee receives accurate information.
The role of internal auditor in corporate governance can thus be summarized as follows:
• Review of general control environment
• Process evaluation and performance auditing
• Risk assessment, risk based audits and business monitoring
• Performance auditing
• Due diligence on internal and external reporting
• Financial control, health, performance auditing and self-assessment
As part of good corporate governance, internal audit will bring all significant findings arising from audit activities to the attention of the audit committee and the board. This will include issues affecting the governance of the company and ethics.
CONCLUSION
In essence, therefore, Internal Audit should be seen as “the eye of the Board”, confirming to that Board that:
• The systems and procedures of internal control are adequate, well designed and work in practice to safeguard and secure the assets and resources of the organization
• The board is informed about, and has considered, all relevant risks
• The board receives all the information relevant to its role and that the information is accurate, reliable and complete.