Chapter 5 The Nature of Internal Audit Work (5.4 The Committe Of…
Chapter 5 The Nature of Internal Audit Work
5.2 '' Governance-Risk-Control "
The International Standards for the Professional Practice of Internal Auditing include the performance standards. The performance standards describe the nature of internal audit services and provide quality criteria against which the perfomance of these services can be measured
2100 Nature of work
The Internal Audit Activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach
The internal audit activity must assess and make appropriate recommendations to improve the organization's processes for:
Making strategic and operational decisions
Overseeing risk management and control
Prompting appropriate ethics and values within the organization
Internal Audit Activity must evaluate the design, implementation, and the effectiveness of the organisations ethics-related objectives, programmes, and activities .
The internal Audit Activity must assess wether the IT governance of the organisation sustains and supports the organisation's strategies and objectives
2120 Risk Management
The Internal Audit Activity must evaluate the effectiveness and contribute to the improvement of risk management processes
The Internal Audit Activity must evaluate the adequacy and the effectiveness of controls in responding to risks within the organisation's governance, operations, and information sysytems, regarding the:
Achievement of the organization's strategic objectives.
Realiability and intergrity of financial and operational information
Safeguarding of assets etc
The Internal Audit Activity must evaluate the potential for the occurrence of fraud and how the organisation manages fraud risk.
During consulting engagements, internal auditors must adress the risk consistent with the engagement objective's and be alert to the existence of other significant risks
When asssisting management in establishing or imroving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.
The Internal Audit Activity must assist the organisation in maintaining effective controls by evaluating their effectiveness and by prompting continuous improvement.
The Internal Audit Activity must evaluate the adequacy and effectiness of controls on responding to risks within the organisation's governance, operations, and information systems regarding the:
Achievement of the organisation's strategic objectives.
Reliability and integrity of financial and opretional information
Safeguarding of assets
Internal auditors must incorporate knowledge of controls gained from consulting engagements into the evaluation of the organisation's control processes
As an Internal Auditor it is important to understand where management is coming from and where they are going.
This is reflected in the strategic plan of the organisation
Internal Auditors need a sound understanding of these terms and application within the engagement clients's enviroment
5.6 Advantages and Limitations of Internal Control
5.6.1The Advantages of Internal Control
internal control can assist an organisation to:
achieve its goals fro profitability and outputs
prevent resource losses
promote reliable financial reporting
5.6.2 The Limitations of Internal Control
Ensure an organisation's succes
Internal control can assist an organisation to be successful, but cannot ensure success
Ensure the reliability of financial reporting and compliance with legislation and regulations
A system of internal control, no matter how well it has been designed, can only give reasonable, but not absolute,assurance corncerning the attainment of goals.
5.4 The Committe Of Sponsiring Organisation (COSO) Framework and the internal control process
5.4.1 The Control Environment
184.108.40.206 The philosophy and syle of senior management
Planning : All the activities of the organisation must be properly planned to ensure the avery individual understand his/her specific role in achieving the objectives of thr organisation.
Organising : This implies the co-ordination of people and plans in order to execute the planning.
Directing : This is a process of allocating resources to ensure objectives are met, and includes elements of leadership, motivation and communication.
Controlling : This is a process of ensuring thath thr directed actions have been executed as planned to ensure tha objectives are achieved .
220.127.116.11 The organisational structure
The organisational structure should be suitable for the type of organisation
Some organisations have centralised and others are decentralised.
Grouping of activities
Perhaps the most important decision that must be made in developing organisational arrangements is the way in which, and to what extent, the activities should be grouped
18.104.22.168 Methods used to communicate tasks and responsibilities to personnel
an organisational code of conduct
an organisational chart
clear boundaries of authority
22.214.171.124 Human Resource management
Human resource management affects the organisations ability to appoint adequate competent personnel in order for the organisation to achieves its objectives.
The appointment and evaluation of personnel
when appointing personnel, a formal evaluation process should be followed
Regular scheduling of personnel in respect of tasks should take place.
Regular rotations of duties, within limits
In order to afford personnel exposure, and allow for an alternation in tasks to be promoted, rotation of duties should be implemented.
Carrer path possibilities
Clear carrer path possibilities should be made known to personnel in order to create promotion possiblities.
The formalisation of personnel practices
Personnel practices should be contained in a formal document so that personnel are made aware of intolerable practices.
Exercise psychological control by striving to maintain a high morale amongst personnel
Although management cannot be responsible for the pschological well-being of every individual, aspects such as the overall atmosphere at the workplace, the example that management sets, and the way personnel are treated , can play an important role in the morale amongst personnel
5.4.2 Risk Assessment
As every organisation faces a variety of risks that threaten the reaching of its objectives. These risks must be identified, measured, analysed and controlled. Risk assessement is managements responsibility
5.4.3 The Control Activities
Internal control activities are the policies and procedures tha management has put in place, to ensure that necessary actions taken to adress risks and achieve managements objectives for the organisation
126.96.36.199 Classification of internal control activities
Internal controls can be designed for different outcomes
These are more cost effective controls. When built into the system, preventitive controls forestall erros and thereby avoid the cost of correction.
These are usually more expensive than preventive controls, they too are essential. First, they meausure the effectiveness of the preventive controls. Second , some errors cannot be effectively controlled through a system of prevention; they must be detected when they occur.
These control take over when improper outcomes occur and are detected.
188.8.131.52 Types of internal controls
Segregation of duties
The principle purpose of segregation of duties is to reduce the opportunities foe an individual to make and then concealerros or irregularities while performing a task.
Proper authorisation of transactions and activities
It is vitally important that the transaction be authorised by the appropriate level of personnel.
Adequate documents and records
Documents perform the function of transmitting information throughout the organisation and between different organisations.
Safeguarding of asstes and information
Assets, accounting records and other information and documentation must be physically protected and ther should be limited access to these.
This control activity is the careful and continuous review of the above four control activities by independent senior management and internal auditors.
5.4.4 Information and Communication
The fourth element namely information and communication, identifies the need for petinent information to be identified, captured and communication in a form and time-frame that enables people to carry out their responsibilities
The last component, that is, monitoring, adresses the fact that most organisations function in a changing enviroment.
5.7 Control in an Information Technology Enviroment
Most organisations use IT in the processing of financial, operational and other information. Internal control objectives ad principles do not change from a manual enviroment to an IT enviroment, merely take on different forms.
5.7.1 General Controls
General controls relate to the IT enviroment as a whole.General controls a defined as pervasive effects,which means if they are weak or absent, they may negate the effect of application controls.Examples of controls include:
organisational controls related to IT personnel
standard operating procedures for systems
system documentation controls
5.7.2 The Application Controls
Application controls relate to specific software programs and systems in the organisation. These controls sre designed to ensure completeness, accuracy, authorisation and validity of data captured and processed.
5.3 The Importance of Internal Control
5.3.1 What is Internal Control ?
Control is eithr a process or an action taken
Management is responsible for implementing internal control, but other parties may also be involved
Controls are iplemented to minimise risks, thus ensuring that an organisation's objectives are met. However only reasonable assurance in the minimisation of risks and achievement of objectives can be provided by effective internal controls
5.3.2 The objectives of Internal Control
reliabilty and intergrity of financial and operational information
effectiveness and efficiency of operations
Safeguarding of assets
reliabilty, timeliness, transparency of;
Internal and external reporting;and
financial and non-finacial reporting
compliance with laws, regulations and contracts
5.5 Responsibility of Internal Control
5.5.1 The responsibility of Management
The overall responsibility for internal control resides with the board of directors of an organisation.The board delegates this responsibility to management in the organisation. In turn, management designs and implement control activities and is accountable to the board in this regard.
5.5.2 The Function of the External Auditor
The objectives of an external auditor is to express an opinion on the reasonableness of financial stamements
5.5.3 The Function of the Internal Auditor
According to the definition of internal auditing, control represents one of the three major elements that an internal audit activity should focus on.