Major Questions in Internal Auditing - Essay Example

INTERNAL AUDITING Question Control environment: The attitude and actions of the board and management regarding the significance of control with in the organization. The control environment provides the discipline a structure for the achievement of the primarily objectives of the system of internal control. The control environment includes the following integrity and ethical values Management 's philosophy Organizational structure Assignment of authority and responsibility Human resource policies and practices Competence of personnel. List and discuss the methods that management might use to encourage and develop effective control environment. Answer: Background-- When one reads History, there was a quote stating that Sun never sets over British Empire. It was history. But in today's Global village economies, and multinational companies, having offices and organizations in different continents, and outsourcing their business activities, work for more than twenty four hours in the day, and through out the year. The complex activities are to be controlled by managements of the organizations, and in the case of companies, naturally the first target is the Board of Directors of such organization made responsible to formulate proper policies, to control the various activities, the organization carries our in different countries, with cross cultures , different moral values, and different customer loyalties. One can see Nescafe, Cadbury product, Lux , Colgate ,cocoa cola, Pepsi, Philips, Sony, Motorola, Toyota and a host of consumer products available through out the world, where customers vary, their cultures vary, but they are bound by these products, which speaks of their qualityThese products made their own language.. For making such universal names, just like the saying that behind every successful man there is a successful woman, behind every successful organization, definitely there is a sound, solid, successful management structure with reliable management principles and policies, to operate their businesses across globe. These managements are successful, because of their management policies, which involve various control systems. Managements strength lies in the policies, they frame, and implementation of those policies, by establishing, various controls, at different levels of management. Organisation structure --Controlenvironment basically includes the organization structure it self. Management's processes involve planning, organising, and directing the business activities, with the assistance of sound management structure. Different levels of management means-- Management by Board and its subcommittees, top management teams, middle and or functional management teams, operating or supervisory management teams. Boardand StrategicTop Management Middle or Functional Management Operating or Supervisory Management. The first in the management hierarchy, namely the board and top strategic management , formulate (i) the vision, (ii) mission, (iii) objectives of the organization,(iv) long term strategic plans ( ranging from 2 to 5 years period)and approve the plans and strategies prepared by other management structures. Functional management prepares strategiesandshort term plans ranging for six months to a two -year period. Operating management prepares operating plans and operating strategies that will range from one week to six months period. All these plans and strategies should be falling with in the top management plans and strategies. Once they are implemented in true spirit, the organization gives excellent results in all directions. But it is not so simple in the present day organisations. Organisation should have proper control systems in place, and internal audit activity exists to give reasonable assurance to the management that the control environment exists, andcontrol systems established by the management are efficient, effective and economical. Assignment of Authority and responsibility-- Managements function throughby fixing responsibilities on the individual mangers, and delegating the necessaryauthority for the successful achievement of those responsibilities, which if carried out with due diligence, honesty, will result in positive and fantastic growth to the organization and achievement of Organisational Goals and objectives, with least cost . Delegation of authority involves determining, how much to delegate, to whom to delegate, when to delegate. The responsibility and authority delegations should be like the one that of a champion horse rider, to control the horse, motivate it, and in the races and achieve the object of winning the race. Horse has the capacity, and it is the horse rider, who can make it achieve. Similarly, Board and top management can set the objectives; communicate them to the other management levels, in clear, concise, unambiguous terms, for implementation, with the delegated authority from time to time. If board management sets the target of optimum sales in the current year as the objective, operational staff does not know what the meaning of optimum sales is. If a target is set in quantities terms and the time period with in which it is to be achieved, it will give clarity for implementation. Hence if the sales objective is to increase the turnover by 100% over the previous year, When Banks start their branches outside the countries, they will be given full autonomy subject to controls that can be imposed from their Headquarters. Management in this global village concept should have such remote controls, from their headquarters, so that those with delegated powers act in the best interest of the organization. Thanks to the current day's technological advancement, computerization and automated systems, on line record keeping and updating them which show at any time the transactions entered in to the systems, on line teleconferencing systems, etc, remote control management is becoming the order of the day. Integrity and ethical values: An organization, should ensure that 1. it complies with ethical percepts and social expectations of the society: . For example Media industries, comprising, news, films, advertisement , etc operate through out the world, but when they are to be exhibited in different countries, they should comply with the local media rules, regulations, legal frame works for censorship, etc. The same Hollywood film will be censored as per the censorship Acts in different countries, which will depict the local customs and cultures. It complies with the generally accepted business principles like The accounting standards fixed by different accounting bodies in the respective countries where their business entities exist, as well as with International accounting standards, etc. Similarly, any quality standards prescribed in the respective countries should be complied with like British standards, Indian standards, South African standards, American Standards, for the products, to be sold in such countries. 3. Comply with social obligations like providing benefits to the society, 4. It makes disclosures truthfully to the owners, regulators, and other stakeholders and general publicand is accountable for its actions. In India, few decades, back, Union Carbide, caused Bhopal gas tragedy, which resulted in deaths of public, due to its negligence of not following the industry safety norms prescribed .This incident even led to the extent of arrest of the top management officials, stationed outside India, who control the unit, even though the unit is in India. This shows the insensibility of the organisation to the society at large. These basic principles are termed as corporate Governance and ethic culture of the organisation. An organisation will be judged by its ethical values, as mentioned above like compliance with business ethics, it social responsibilities, compliance with disclosure norms in financial and accounting statements, conducting business with in the four corners of laws. Integrity and ethical valuesno doubt, can be broadly formulated by the Board and top management, but it is every employee in the organization, who contribute to enhance the integrity and ethical values. Every one in the organisation should be vigilant, and should not be afraid of bringing in public or to the notice of concerned, any wrong doings of the others in the organization. Each and every staff member is a ethics inspector and should himself comply withthem. The delegated executives should be trust worthy, honest, men of integrity, etc, or else they will siphon off the goodies of the organization to their personal coffers. If the top management has no moral and ethical values, it can not survive in the long run. For example Ford has made a name because of the integrity and ethical values of their team. In the present Global village concept, the executives and other staff need to screened according the values that will set by the parent organizations, so that they will carry universal brands. Management's style and operating Philosophy Managements until now followed different management styles, like autocratic, thumb rule, scientific management, and to the modern day management styles of management by Objective, learning organization, participative managements.With the increase inautomation, at all levels through out the world and the concept of outsourcing the business activities to any part of the world, has now made the managements to look for new concepts. But as one can see from history of management styles and philosophies, there are no uniform styles. Each and every one can have his own style of management, with Corporate Governance in the forefront. Corporate Governance, encompasses, the interests of all the stakeholders. Corporate Giants can make or break economies of the countries and even world at large. To achieve Corporate Governance, apart from compliance with ethical and social aspects, management should evolve propercontrol environment which involves: i) well documented policies , procedures, the functions of departments, their interdepartmental relations, which are like guide posts on the traffic highways. Policy indicates direction, and procedures the path for implementation. ii) the policies regarding a host of other factors outside to its business environment, like labor laws, taxation laws, import and export duties, provisions to be made in books as per the statues like in the case of banking, and insurance sectors, etc. Control environment has to take in to account the present day automated systems, involving, soft ware, application systems for core and operational activities, and last but not the least the systems that should be in place for end users. Automated system replaces, manual processes, on line transactions, paperless offices, electronic communication coupled with high risk for electronic transfer of funds, hacking in to the systems by fraudulent outsiders, either with or without the assistance of insiders. Managements should develop flaw less procedures for general information's systems, for changes in the programmers, controls for on line authorizations, physical securities, including the entry of staff to the computer server offices, backup systems, etc. Proper audit trails need to be established. For processing the on line transactions, built in automatic systems like verifications of passwords, change of passwords at periodic intervals, integrity and honesty of programmers, and computer technical staff, etc, are some of the aspects that deserve the management attention. Management Philosophies and controls-- Broadly there are three types of controls:i) Preventive controls ii) Defective controls iii) Corrective controls. Preventive controls: For good health prevention is better than cure.The same principle applies in the management circles also. Hence the efforts are to have built in control systems which will prevent, errors, frauds. It should be noted that they can not eliminate the errors or frauds. Employment of trust worthy people, segregation of duties especially in financial matters, checking of work done by another superior officer, and or authorization of work done by subordinates,etc, are some of the polices which managementshould implement.In the case of automated systems these are built in to the systemsas the records are created as soon as the transaction takes place, and deletions in the systems are recorded permanently and even if they are erased, system will show the mischief committed by the employee. Physical control over cash in the case of banks, fixing the limits for holding physical cash balanceat any time, and the records of cash transactions, double locking systems of safe, electronic deviceswith password to strong rooms, security alarm systems, presence of armed guards, surprise inspections of cash and cash records by inspecting staff from Headquarters etc are some of the controls that management can implement. In short, preventive controls are a barrier for temptations for those who want to break rules etc for their benefit. Detective controls: These are the controls which involve the detection of errors, mistakes, frauds etc, which can be detected with extra functions. For example, debtors and creditors control accounts will reveal any mischief by the staff supposed to collect debts, and not accounted, and making payments to fictitious creditors or suppliers, etc. Similarly periodical bank reconciliations will enable the management to know that cash at bank, is tallying with bank balance in the books, and those outstanding in the reconciliation statements are genuine business transactions. In the case of automated systems, usage of passwords, is an important detective control. Preventive control aim to prevent the mistakes, and detective controlstry to detect the mistakes committed and passed through the systems. Corrective controls: Preventive and detective controls can be effective only when corrective measures are taken. Controls can not eliminate the mistakes and frauds, but help the management to prevent and reduce the risks against which they are exposed. Cost Vs Benefit-control systems-- Controls should not too costly. They should be least cost. They should be flexible. Otherwise staff will be stifled and their originality and talents for innovation in the work place will not be displayed. Controls should not be a barrier to the progress of company. Controls aim to achieve the objectives and goals of the organization with least cost possibilities.Controls should be with automatic flexibility. For example in the transatlantic flights, when the flight is put to auto , it takes care of oil mixtures, temperature controls, and various other factors, for hours together, with least intervention from the pilot, management controls should be have automatic flexibility for changes in the organization, unless such changes are drastic. The efficacy of control should have feedback in time for any appropriate steps for changes. Controls are important tools especially when businesses are outsourced, and established in various parts of the world. Controls should have standards for success, which can be like the historical standards, industry standards, etc. Human resource polices and practices -- What ever is the extent of automation, and scientific and technological improvements that an organization or project installs, they alone can not function with out human resources, in what ever numbers that might be. It is a wrong notion, that automation will replace human element. Thus, human resources are an important organ of management and they can not and should not overlook them. Unless sound HR policies are framed, and adhered to by the managements, organization can not improve. Policies should be documented, in clear terms, with out technical jargon. Sound Human resources polices involve: --- determining the number of staff, type of technical skills, education back ground, experience, communication skills, etc required in such staff -----recruitment procedures, and recruitment channels ----Clearly defined employment benefits -----establishing career growth opportunities --- Defining job descriptions --- Clearly establishing linkage of individual goals with organization goals, annual plans, performance agreements, with targets of performance in measurable quantities and standards of performance, ---Review of performances at periodical interviews, and taking corrective actions, ---Rewarding the performers and taking appropriate steps against non performers ----Trainingplans, imparting necessary skills training commensurate with job descriptions. All welfare measures pronounced in the policies like, housing, transport,medical benefits, terminal benefits, leave travel concessions, leave entitlements for sick leave maternity leave, sabbatical leaves, children education allowances , etc should be implemented Provision of canteens, crches, first aid health and safety measures as per labour laws Establishing grievances channels. Motivational plans if any. Establishment of committees at various levels, and developing free fair, and fearless communication channels from top to bottom, in other words open door polices as far as human resources are concerned. Developing human bonds relationship bonds between management and work force at various levels instead impersonal attitude to the personal problems. Question 2 The chief audit executive should effectively mange the internal audit activity to ensure it adds value to the organization.(Standard 2000)Critically discuss the potential benefits that internal auditing might bring to an organization. You should consider both financial and non-financial in your answer. Answer In Kingston Mill case, during 1860, the observation made by the Learned judge that "an auditor is a watch dog and not blood hound" even though made in the context of external audit equally applies to internal audit also. From the Kingston cotton Mill case, both external audit activities had undergone lot of metamorphosis, but the basic characteristic of audit activity still remains, and thus the observation f the Learned judge even to day stands, Prior to the Standard 2000 of the Institute of Internal auditors, internal auditors role mainly consisted that of checking the strengths and weaknesses of internal controls, internal procedures, making periodical report the management with recommendations for rectification. This might perhaps due to the fact that internal audit is considered as a burden to the management, and some necessary evil, to find out the mistakes, andreport. Their reports were considered as constant criticisms of even good work. Internal auditors, Internal audit profession, through Institute of Internal Auditors, over number of years, by building expertise in the profession, through the awarding of professional qualifications, conducting work shops, and convincing managements at various forums, finally recently, changed the image of internal auditors. The result is the Standard 2000 bringing in new terminology of "Internal audit activity" which is used in place of internal audit department, and Chief Audit Executive(CEA), which covers the head of Internal Audit activity, who are normally referred to as Director of Internal Audit. Internal Audit activity and CEA are now required to add value to the organization to which they belong.Add value means, justification for the existence of internal audit activity in the organization. Any department should add value to the organization. Otherwise it becomes redundant, and there is no justification for it to stay for name sake, at the cost of other profit making centers. Value is added through the development of new products and services to the organization. Present day internal audit activity, in fact has developed such new products for its justification. Internal audit activity adds value by evaluating and improving the operations risk management, control and governance process. (Standard2000) Standard 2110 mentions as to how this function is to be carried out by Internal audit activity. It should identify and evaluate the risk exposure of management, contribute to improve the risk management capacities and control systems. Internal auditors are experts in accounting, and internal auditing functions, by virtue oftheir professional qualifications and training background. They come across various internal control procedures put in place by management, while assessing the strengths and weaknesses of those controls. Until now, they are reporting defects or drawback of such controls. But it is established that this expertise can be extended to more advisory function of risk analysis to which the management is exposed. Management is exposed to risks, knowingly and unknowingly. Conducting business is risk management, as it involves spending initially in the hope of making profits. Management establishes vision, mission, objectives and plans of the organization. It establishes management structures, lays down policies, procedures, forcarrying out its activities, establishes control systems etc. These are carried out by middle management and operating level staff. While doing so the management has accepted the risks of governance, finance, production, sales, automation, human resources etc. Internal audit activity, by virtue of its study of control procedures, can establish, whether the objectives are achieved by individuals concerned. While doing so it will not criticize the performance of individual mangers, but will reveal the breakdown of any controls established, or the efficacy and economy of such controls. He is not there to judge the performance of individuals, in comparison to their performance agreements. That will be the management function. What all he will do is that he will examine the procedures followed by the department to achieve the objectives and their individual performance goals. For example, the Sales department is given a target of achievement of 100% increase in turnover for the current year, over its previous year performance. This target was further broken down on the individual marketing managers. At the end of third quarter it was observed that stocks are piling up, and sales are not increasing and it was sure that the target may not be achieved. This created fear complex in the minds of the sales and marketing managers. When the internal audit activitywas assigned the task offinding out the causes and report, it was noticed, that at the end of first quarter, Head of Marketing Division, recommended a discount policy for cash and credit sales, and special advertisement campaigns over TV etc. as visual ads will attract more customers. This was not approved by top management due to the cost factors. However the competitors overtook this origination by aggressive advertisement campaigns, discount policies, and this resulted in loss of market for this organization. Thus it is management policy which led to the failure of marketing division According to Standard 2130, Internal audit activity can add its value in the governance process. Internal audit activity is considered as the ethics inspector, by virtue of their independent role in the organization, their integrity, honesty, and communication skills. Internal audit activity can add its value, not only by merely reporting, but by timely reporting, with recommendations. While examiningthe specialized activities like technical aspects, computerized programmers, valuations of special items like diamonds, etc, they can draft in those specialised staff services or can requestconcerned outside expertsreports. Internal audit activity value is enhanced, by virtue of reporting to the top management in the organization, andthrough audit committees in the organization for attending to the rectification of reportswith out loss oftime to various executives Question 3. The internal audit activity should assist the organization by identifying and evaluating significant exposure to risk and contributing to the improvement of risk management and control systems (standard 2110) List and describe the key risk areas in the typical financial and non-financial systems. Answer: Conducting business means accepting risks. Risks are accepted by managements, in the present day economic world. The simple reason is that the share holders, and various other stakeholders are located far from the board rooms, and top managements, and practically with out any knowledge about the operational managements. Hence there should be a watch dog to continuously examine, identifyand evaluate the significant exposures to risk by managements and improving the risk managements and control systems in the organization. This role is now taken up by the internal audit activity, due to the professionalism and expertise in their study and evaluation of control systems in the organization. Internal auditors assist both the management while, audit committees to examine, evaluate report and recommend improvements on the adequacy and effectiveness of management risk process. Risks are uncertain future events which could influence an organization's objectives including, strategic, operational, financial and compliance objectives.Risk management is practiced through out the organization, but the ultimate responsibility is that of the Board. It is the Board which should decide as to the level of risk they are willing to take in pursuance of growth and maximizing opportunities for the organization, shareholders, and stakeholders. Risks are not always negative. They are opportunities for growth. Intel is today one of the most successful memory chip- maker organisations in the world. It was in a highly competitive market that seemed to have reached saturation point. But the organization got changed because of Andy Grove, who made it from memory chip to processor developer, and the result is the Pentium Chip. This meant total reinventing it, or what is in Americans terminology as "betting the farm" Had Intel remained with memory chip, it would have been closed. But because of the risk its management took in developing Pentium Chip, it could give fantastic dividends to its shareholders, and quality products to its customers, and huge wealth to the world at large. Thus these are some ofthe risks the manage takes while carrying pout the business activities. But it is the internal audit activity which can evaluate the risks and assist the management at right times. Management risks involve efficiency of operations, expansion of markets, consolidation of organizations, acquisitions, mergers, divestures, research and development expenditure for new products and innovations, problem sharing. Risks in the organization structure are like informal organization, centralized functioning, decentralized functions and geographical locations, line staff and product groups. Risks associated with Human resources management are, ownership, salary and merit increases, individual bonuses, profit sharingand stock options, team bonus decisions etc. Risk associated with Accounting will be like the decision taken for automation. Automation of accounting and financial records, is not risk free, but it has got inherent risks. The first and foremost risk is the employees sharing their passwords with other staff or outsiders.This will lead to opportunities to commit frauds, and sharing information with unscrupulous elements for ones' own benefit instead of the organization benefit. Similarly electronic transfer of funds, in the automated systems involves risks. Hence the internal audit activity, should constantly assess the existence of automated checks, with in the systems, and inherent risks, and external risks, and then asses their impact, and make reports with recommendations to the board and audit committees for appropriate actions. If needed internal audit activity can take the assistance of outside experts for programme associated risk analysis. Risks associated with marketing will depend upon the policies for developing new markets, new products, and change in the top management, competitors' policies. Some times aggressive marketing policy decision are taken to overcome competitors, and internal audit activity should examine such risks and management capacity for such risk, and the cost benefit analysis to the organisation and to all the stake holders. Question 4. Based on the results of risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organisation's governance, operations and information systems, /this should include: Reliability and integrity of financial and operational information Effectiveness and efficiency of operations Safeguarding of assets Compliance with laws, regulations, and contracts.(standard 2120-1A) For each risk identified in question 3, identify the potential impact of control weakness and recommend appropriate controls that might reduce the impact of the threat. Give reasons for your recommendations. Answer: One of the tasks of board management is to establish and maintain the organization's governance process and obtain assurances concerning the effectiveness of risk management and control processes. Top management or Senior Management will oversee the administration of such risk management policies. Various control processesinstalledare expected to see that the organization runs with minimum risksand: 1. Financial and operational informationis reliable and effective. Corporate Governance process involves that the managements provide reliable financial and operational information , to its shareholders and stakeholders.Information provided by management can be reliable, when they are prepared as per the approved accounting practices, policies, laws, regulations, etc. All the controls installed are working with efficiency and they are reliable. In the automated and on line accounting systems, it should be ensured the passwords allotted to staff are not divulged to others, and they are being changed periodically, entry in to the computer server room, is strictly monitored, changes in programmes are allowed by only authorised personnel. Approved Accounting principles, especially regarding disclosure polices are followed while preparing the financial statement, and management has followed prudent accounting policies while making provisions for bad debts, valuation of inventories, valuation of investments, andfor consolidationgroup company accounts, any variation in accounting policies, abnormal incidents are disclosed as required by law etc. Compliance with tax laws, customs, etc are followed. Internal audit activity can of immense help in this area in assisting the management, unless the management it self is the culprit in non disclosures, and hides control weaknesses. If they are not honest, it will become like the story of fence eating the produce it self. Internal audit reports on financial statements should be in simple terms, easily understandable, and bring out the reasons for non compliance with any business laws, control weaknesses in automated accounting systems etc, as the financial statements will be read by non finance executives. 2. Operations are performed efficiently and achieve effective results: Operations are carried out by the staff at lower levels, which will bring economic value to the whole organization. The policies framed by top and functional management might not be understood easily by the floor level staff, and thus they try to overlook them and not follow them at all.Some times they may misunderstand themand misinterpret them, which will lead to collapse of the control systems. Controls will be seen as penalties for performance, andthus they try not to follow them. Internal audit activity should examine such loopholes and then make adequate recommendation the audit committees for rectification. Monitoring the practical results with the plans, variance analysis, and rectification mechanisms are more valuable than ignoring the deficiencies. 3. Safeguarding physical assets: Management will approve the budgets for fixedassets acquisition, disposals. It is the senior management and other staff at various levels should ensure that assets are acquired as per management policies,and recorded in books, with identification marks, and complete details of physical location of such assets. Maintenance of assets is also of utmost importance. For inventory controls, internal audit activity should ensure that management policies are strictly followed, so that inventories are not accumulated at the cost of bank finances, and at the same time production is not hampered due to less inventories. Control systems should be flexible, not too costly, and throw automatic signals when not implemented, for immediate monitoring purpose. Hence when the systems are installed, along with the objectives and levels of performance expected, if the management can make inherent risks of such polices, it would be of great help at the time of assessment of performances. 4. Corporate Governance and risks: Corporate Governance systems have evolved over centuries, often in response to corporate failures or systems failures. The first documented failure of governance was the South Sea Bubble in the 17oos, which revolutionized the business laws and practices in England. Similarly much of the securities law in the United States was put in place following the stock market crash of 1929. There were other crises, such as the secondary banking crisis of the 1970s, in UK and US savings and loan debacle of the 1980s. There were a number of corporate failures like, Bank of Credit and Commerce International, Maxwell Group raid on the pension fund of Mirror Group of news papers. Hence internal audit activity, has been entrusted with separate standard for the examining of corporate governance process of organisations, and submittingtheir reports to the board and audit committees. It is hoped with honest, professionals in the internal audit field, corporate bungling will become history. Since they are ethics inspectors, they should be brave and bold enough to quit their assignments, in the event of managements not adhering to their recommendations which they believe are as per their observations on the weaknesses of Corporate Governance. Bibliography Sayer, L.B. Dittenhofer, M.A. & Scheiner, J.H. The practice of Modern Internal Auditing, 5th edition: The Institute of Internal Auditors Read More