Audit & compliance

Upload: gde-coaching-macaque-jean-noel-michael

Post on 01-Nov-2014


TRANSCRIPT

Page 1: Audit & compliance

Audit & compliance

Page 2: Audit & compliance

Audit & compliance

Internal audit
• Roles
• Need for int audit
• Features
• Types of audit work

Auditor independence
• Importance
• Threats to independence

Audit committee
• Composition
• Role

Reporting to shareholders

Page 3: Audit & compliance

• Review acs & I.C.S
• Assist with identification of significant risks
• Review 3 E’s of operations - VFM audit
• Examine financial & operating information
• Special investigations, e.g. suspected fraud
• Review compliance with laws & external regulations

Role of internal auditor

Page 4: Audit & compliance

• Financial audit
• Operational audit
• Project audit
• VFM audit
• Social & environmental audit
• Mgmt audit
• I.A looks at controls - PAPAMOSS

Types of audit work

Page 5: Audit & compliance

• I.A is a mgmt control - PAPA(M)OSS
• I.A review effectiveness of other controls in the org.
• Ensure controls are working properly
• I.A is also often a statutory requirement
• Good corporate governance may also suggest an I.A dept
• I.A is 100% audit – VFM audit
• Chief internal auditor is in charge of the dept and reports to the audit committee.

Need for I.A

Page 6: Audit & compliance

Factors affecting the need for I.A
• Scale & complex operations
• No of employees
• Cost benefit analysis
• Change in: org structure, reporting process or Mgmt.Info.Sys
• Change in key risks - change in PESTEL factors
• Problems with existing ICS
• Unexplained / doubtful txns

Need for I.A

Page 7: Audit & compliance

Per Turnbull report:
• In absence of I.A function, mgmt needs to find other monitoring process.
• To reassure the BOD that ICS are working properly
• BOD will assess whether procedures provide sufficient & objective assurance.

Need for I.A

Page 8: Audit & compliance

Auditor independence

• Independent objective assurance activity
• Ensure activity is carried out objectively
• I.A must be independent and must be seen as independent
• Independence is achieved by having a structure within which I.A work
• Independence assured by I.A following ethical & work stds

INDEPENDENCE

Page 9: Audit & compliance

Risks if No Independence

• Failure to report control breaches
• Accepting info without checking
• No professional skepticism
• Blind on unethical matters
• Give undeserved positive feedback

INDEPENDENCE

Page 10: Audit & compliance

Threats to independence

• Threat to independence is when the opinion of the auditor is doubted.
• Threats can be either REAL or PERCEIVED
• ACCA code of ethics:
  - Self interest
  - Familiarity
  - Advocacy
  - Self review
  - Intimidation

INDEPENDENCE

Page 11: Audit & compliance

Other measures to protect independence

Attribute standards:
• Deal with characteristics of the org
• Deal with parties performing Int Audit

Performance stds
• Describe nature of Int Audit activities
• Provide quality criteria for evaluating I.A services

INDEPENDENCE

Page 12: Audit & compliance

Attribute stds for internal audit

Independence
• I.A should be independent.
• Head of I.A should be accountable to people who won't undermine his/her independence
• There should be no interference when deciding about scope of work, when performing the work & when reporting findings.

Objectivity
• I.A should be free from bias - objective – rely on facts only.
• Impartial attitude – avoid conflict of interests.

Professional care
• Professional care & competence
• Knowledge of key IT risks & CAATs

Page 13: Audit & compliance

Performance standards for internal audit

Managing internal audit
• Head I.A manages IA activity to add value to the org
• Head IA: establish risk based plans, decide on work priorities, is consistent with org’s objectives.
• Review IA plan annually
• Head I.A submit plans to senior mgmt & BOD for approval
• No interference of senior mgmt in the work of I.A

Risk management
• I.A identify & evaluate significant risk exposure
• I.A contribute to improvement of risk mgmt & ICS
• Evaluate risk exposure relating to: governance, ops, information sys.
• Effectiveness & efficiency of ops
• Safeguard assets
• Comply with law, regulations, contracts.

Page 14: Audit & compliance

Control
• I.A helps to maintain effective internal controls
• Helps evaluate efficiency & effectiveness of controls
• Promotes continuous improvement

Governance
• I.A assess Corporate governance process
• Makes recommendations where possible
• Independence maintained if I.A can report breach of C.G without fear of dismissal or retaliation.

Performance standards for internal audit

Page 15: Audit & compliance

Internal audit work
• Independence achieved when I.A can show that normal stds of I.A work have been followed
• No pressure to “cut corners” from mgmt because of low std work.
• IA work will be to: identify, analyse, evaluate, record sufficient evidence to achieve objectives of the engagement.
• Info should be: reliable, relevant, useful wrt objectives of the engagement
• Auditor conclusion – based on suitable analysis & evaluation
• Evidence should be recorded.

Performance standards for internal audit

Page 16: Audit & compliance

I.A communicates results of engagement
• Communicates conclusions, findings, recommendations.
• Communicate to appropriate officials.
• Independence maintained where IA can communicate to audit committee or Risk committee, or to any person with enough power to act upon recommendations of Int audit report.

Performance standards for internal audit

Page 17: Audit & compliance

Per combined code
• BOD should maintain sound ICS - to safeguard s/h investment & assets
• S/h are owners of the Co. They are entitled to know if ICS are sufficient to protect their Inv & help maximizing value.
• Provide s/h with sufficient assurance – BOD conduct annual review of ICS & report to s/h about effectiveness of controls.
• Review cover all material controls e.g. financial, operational, risk mgmt.
• Review done in line with COSO elements of effective ICS
• Annual report - inform members of the work of IA
• There may be additional reporting under SOX

Audit committee- reporting to s/h

Page 18: Audit & compliance

SOX reporting on ICS- s404

Mgmt must report on ICS

Audit committee

Page 19: Audit & compliance

Audit work:

Audit committee

Stage of work | Explanation
Identify & document controls | Identify & document ICS. 3 levels of controls: 1) Entity level - ctrl on the co; 2) Centralised & processing - ctrl on txn; 3) Activity level - specific activity ctrl
Check documentation | Ensure completeness of documentation of the Co. Perform walkthrough tests
Material weaknesses | Control deficiencies. Report weaknesses to SEC
Test the controls | Test if controls are working properly. Keep documentation of test performed
Written stmt | Mgmt prepare a stmt based on advice of IA & audit comm

Page 20: Audit & compliance

Composition
• Consist of NED’s – at least 3
• At least one NED should have recent financial expertise

Audit committee

Page 21: Audit & compliance

Roles
• Oversight, assessment, review of other functions / systems in the company.
• Board delegates work to audit comm to meet objectives pertaining to ICS
• Review ICS, oversee work of IA, monitor integrity of FS, review work of external audit
• Role of audit comm was considered in combined code & SOX and Kings report contain similar recommendations.

Audit committee

Page 22: Audit & compliance

Factors affecting role of audit comm
• Effectiveness of audit comm depends on how it is constituted and the power vested in that committee.

Factors:
• BOD decide how much power to grant audit comm
• Audit comm should have min 3 annual meetings to coincide with external audit assignment.
• Audit comm should meet once a yr with only internal & external audit – without mgmt, so that the auditors can voice out concern.
• Chairman of audit comm can informally meet mgmt to get more in-depth info about important matters.
• Disagreement between audit comm members will be referred to main BOD for resolution
• Audit comm reviews annually its TOR & effectiveness & recommend changes to the BOD
• To be effective, the audit comm should be kept informed regularly by senior mgmt.

Audit committee

Page 23: Audit & compliance

Primary responsibility under SOX
• Check compliance with external reporting regulations
• Review significant financial reporting issues & judgments in connection with preparation of F/S.
• Audit comm can also drill for more info
• Ensure that FS received from mgmt & auditors are acceptable, i.e. adequate acc policies used, reasonable estimates & judgements, enquire methods used to account for significant / unusual txns, ensure clarity & completeness of FS disclosures.
• Listens to auditors' views on matters above. If not satisfied then the audit comm will inform the BOD.
• Audit comm - review financial related info included in the FS & corporate gov stmts, relative to audit & risk mgmt.

Audit comm & compliance

Page 24: Audit & compliance

1. Audit committee role
- Review financial control
- Supervise major txn
- Receive reports from internal & external auditors iro Control Mechanisms
- Approve Audit report
- Internal control stmt
- Review Fraud Risk Mgmt – ensure awareness promoted & a proper reporting / investigating mechanism exist.
- Receive reports on conclusions of tests of ctrls by I.A & Ext aud and consider their recommendations.
- Review compliance (regulation, legislation, ethics)
- Monitor adequacy of ICS – focus on ctrl environment, mgmt attitude, mgmt control.

Audit committee & internal control