Internal Audit
FIVE COMPONENTS Quality Assurance and Improvement Program
(1) internal assessments (2) external assessments (3) communication of QAIP results (4) proper use of a conformance statement (5) disclosure of nonconformance.
Legal Elements of Fraud
- A materially false statement - Knowledge that the statement was false when it was made - Reliance on the false statement by the victim - Damages resulting from the victim's reliance on the false statement
When assessing these objectives, internal auditors should:
- Adhere to the IPPF Standards (design) - Engage in effective audit procedures - Execute those procedures efficiently
Attribute Standard: Direct interaction with the board
- The board assumes responsibility for approving the internal audit charter, internal audit plan, internal audit budget and resource plan, the evaluation and compensation of the CAE, and the appointment and removal of the CAE - The board monitors the ability of internal audit to operate independently and fulfill its charter - At least annually, a private meeting with the board or audit committee - The CAE participates in one-on-one meetings with the board
Passive approaches: Advisory
- Defining process improvement opportunities when observed - A by-product of the internal control assessment, but not focused on internal controls - Moving away from strict compliance auditing
Passive approach: detective
- Focus on examination of past transactions - Report past problems and recommend solutions - Maintain rigid independence (no consulting function)
Planning Audit Engagement (most important to least important)
- High inherent risk - Unusual happenings and circumstances - High-risk area based on the last audit - Changes in the business - Request by management - Part of the annual internal audit plan
Attribute standard 1130: Impairment to independence or objectivity
- If impaired, the details of the impairment must be disclosed - Examples: personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations such as funding - Determine the appropriate parties to which the details of an impairment to independence or objectivity must be disclosed (documented in the internal audit charter)
Fraud interviewing strategies
- If you are a bully, you will not get a confession - Interview from those least likely to those most likely to have committed the fraud - Do your homework beforehand; one-third of your time should be planning - Learn as much as you can about the subject beforehand, within what is ethical - Before interviewing, make sure you understand company policy regarding privacy concerns - Before interviewing, establish rapport - You must be able to empathize with the suspect - Think, then talk; don't talk, then think - The interviewer has an enormous advantage over the interviewee: they don't know exactly what lie they need to tell you because they don't know what you know. This is one of the reasons you need to have a closed manila folder full of material on the table - Subjects who answer questions quickly are mostly telling the truth - Listen attentively and do not interrupt; after the suspect answers, do not fill the silence - One interviewer takes notes, the other does not (watching body language)
Interpretation of Standard 1120 Conflict of Interest
- The internal auditor has a competing professional or personal interest - Exists even if no unethical or improper act results - Can create an appearance of impropriety
Low-level versus executive fraud
- Low level (most incidents): Fraud committed by staff or line employees most often consists of theft of property or embezzlement of cash. Incentives: relief of economic hardship; material gain. This type of fraud is intended to benefit individuals. - Executive (most dollar value): Fraud at the executive level is very different. Incentives: manipulation of stock price; large bonus. This type of fraud is intended to benefit the organization and the fraudster.
Interview room
- No windows - Small - Make sure your chair (not the suspect's) is closest to the door - Two chairs with no table (see the whole body) - Nothing on the walls, nothing that distracts - The suspect should not have anything in their hands, no phones - No interruptions - Be mindful that if recording equipment is present it may be difficult to obtain a confession - Never in the suspect's office; use an environment that is not theirs
Internal assessments must include....
- Ongoing monitoring of the performance of the internal audit activity - Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices
Assurance Communication
- Perform the observation evaluation and escalation process - Conduct interim and preliminary engagement communications - Develop final engagement communications - Distribute formal and informal final communications - Perform monitoring and follow-up procedures
Characteristic of fraud (The Fraud Triangle)
- Pressure or incentive: the need the person tries to satisfy by committing the fraud (best chance to pick up on) - Opportunity: the ability to commit the fraud (STRONGEST VARIABLE) - Rationalization: the person attributes his or her actions to rational and credible motives without analyzing the true, unconscious motive
Best Active Approach: Solution Oriented - THIS IS WHAT YOU WANT
- Target process improvements as a key goal - Focus on assessing risk and management's mitigation of risk - Work toward implementation of cost-beneficial internal controls and compliance - Teamwork approach while maintaining objectivity and an independent perspective
Core principles of the profession (individual internal auditor and collectively)
- Integrity - Competence and due professional care - Objectivity and independence
Attribute Standard 1200 - Proficiency and due professional care
- Knowledge - Internal audit standards - Technology risks - Understanding of management - Ability to deal with people - Competence
Key component of plan: Assurance planning
- Objectives and scope - Understand the auditee - Identify and assess key risks (likelihood/impact matrix) - Control activities - Control design - Test plan - Audit program - Resources
Core principles of the profession ( outcomes or results)
- Risk-based assurance - Insightful, proactive, and future-focused - Promotes organizational improvement
Core principles of the profession ( activity and its processes)
- Aligns with the strategies, objectives, and risks of the organization - Is appropriately positioned and adequately resourced - Demonstrates quality and continuous improvement - Communicates effectively
NEW internal audit skill sets
- Technical skills - Business and operational audit - Guest auditor program - Rotate auditors - Analytics background - Cybersecurity
Objectives of the internal audit manual
- Uniform criteria - Standardized activities - Continuous improvement - Efficiency and productivity
Assurance Performance
- Conduct audit tests to gather evidence - Evaluate gathered evidence and reach conclusions - Develop observations and formulate recommendations
Items in the detailed internal audit charter
- IA objectives and responsibilities - The expectations of stakeholders - Functional and administrative reporting lines - Level of authority, including access to records, physical property, and personnel - Independence and objectivity
How Internal Audit plays a role
1) Anticipating the needs of stakeholders 2) Developing forward-looking risk management practices 3) Continually advising the board and audit committee 4) Being courageous (the vast majority of the time people understand that you cannot be pressured) 5) Supporting the business objectives 6) Identifying, monitoring, and dealing with emerging technology 7) Enhancing audit findings through data analytics 8) Establishing the IIA's Standards as the framework for quality assessment 9) Investing in yourself 10) Recruiting and motivating talented auditors (most important)
Major Categories of Fraud
1. Asset misappropriation 2. Corruption 3. Financial statement fraud
Internal audit is charged with delivering...
1. Assurance 2. Advice 3. Insight
Mandatory Guidance
1. Attribute Standards: guidance related to the characteristics (qualities) of organizations and parties performing internal audit activities (independence, objectivity, quality) 2. Performance Standards: guidance related to the nature of internal audit activities, providing criteria for performance evaluation (nature, planning, monitoring)
Standards
1. Attribute Standards (1000s): what every internal audit activity should have 2. Performance Standards (2000s): what is expected of the auditor when performing the work
Steps of Performance standard 2100 internal control
1. Controls proportionate to risks 2. Where risk is high, more focus on controls 3. Controls in line with risk tolerance (note: not risk appetite) and risk acceptance 4. Reasonable assurance of achieving the objectives
Scope of the engagement
1. Determined by a range of factors: high-risk areas, assessed risk of non-compliance, nature of the business 2. Intended focus of the audit: samples, following each one through the entire process (tracing) 3. Establish which regulations and standards form the basis for the audit 4. Clearly document the scope and methodology: communicate to all parties once the audit is scheduled
Performance Standard 2240: Engagement Work Program
1. Direction (scope, objective, resource allocation) 2. Execution (test strategies, evidence gathering, working papers) 3. Supervision (oversight, performance, quality)
Recommended guidance
1. Implementation Guidance: addresses approach, methodology, and considerations, but NOT detailed processes and procedures (in applying the Code of Ethics and the Standards and promoting good practices) 2. Supplemental Guidance: detailed guidance for conducting internal audit activities
Types of fraudulent processes
1. Lapping Receivables: a person with access to both customer payments and accounts receivable records steals a customer's payment. The shortage in that customer's account is then covered with a subsequent payment from another customer, and so on, so the scheme must keep running to stay hidden. 2. Check Kiting: intentionally writing a check from an account at bank 1 for more than its balance, then covering it by writing a second check from an account at another bank (bank 2), also with non-sufficient funds, exploiting the float between deposit and clearing.
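Lapping only works because one person controls both the cash receipts and the subledger, so the detective test is to reconcile the subledger against a source the fraudster cannot edit (the bank's remittance data) and look for payments credited to an account other than the remitter's, chained over time. The script below is an added example, not material from the original deck: it runs that reconciliation over a small constructed ledger (the customer names, dates and amounts are invented) and links misapplied postings into the chain a lapping scheme produces.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Payment:
    posted: date
    remitter: str     # customer named on the bank remittance advice (independent source)
    applied_to: str   # customer account credited in the AR subledger (fraudster-controlled)
    amount: float


# Constructed sample data, not a real ledger. Acme's 1/3 payment was stolen;
# each later customer's payment is posted to the previous victim's account.
LEDGER = [
    Payment(date(2024, 1, 3), "Acme", "Acme", 1000.0),
    Payment(date(2024, 1, 10), "Beta", "Acme", 1200.0),    # Beta's money covers Acme
    Payment(date(2024, 1, 18), "Gamma", "Beta", 1200.0),   # Gamma's money covers Beta
    Payment(date(2024, 1, 25), "Delta", "Gamma", 1250.0),  # Delta's money covers Gamma
    Payment(date(2024, 2, 1), "Epsilon", "Epsilon", 500.0),
]


def misapplied(ledger):
    """Payments whose subledger credit does not match the bank's remitter."""
    return [p for p in ledger if p.remitter != p.applied_to]


def lapping_chains(ledger):
    """Link misapplied payments into chains.

    Payment q continues payment p when q was posted later and was credited to
    p's remitter, i.e. q's money plugs the hole that taking p's money opened.
    Returns a list of chains, each ordered by posting date.
    """
    mis = sorted(misapplied(ledger), key=lambda p: p.posted)
    used = set()
    chains = []
    for i, start in enumerate(mis):
        if i in used:
            continue
        chain = [start]
        used.add(i)
        current = start
        while True:
            follower = next(
                ((j, q) for j, q in enumerate(mis)
                 if j not in used and q.applied_to == current.remitter
                 and q.posted > current.posted),
                None,
            )
            if follower is None:
                break
            j, q = follower
            used.add(j)
            chain.append(q)
            current = q
        chains.append(chain)
    return chains


def unrecovered_shortfall(chain):
    """The account at the head of the chain is the one still short at period end."""
    return chain[-1].remitter, chain[-1].amount


if __name__ == "__main__":
    for chain in lapping_chains(LEDGER):
        print("chain:", " -> ".join(f"{p.remitter}=>{p.applied_to}" for p in chain))
        print("currently uncovered:", unrecovered_shortfall(chain))
```

The comparison key is the remitter field because it comes from outside the subledger; a test that only inspects postings against invoices would see every account eventually credited and miss the scheme. A real run would pull remitter names from the bank's lockbox or remittance file and the applied_to field from the AR system, then review any chain longer than one.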
The framework for internal audit effectiveness (The New IPPF)
1. Mandatory Guidance 2. Recommended Guidance
3 lines of defense
1st: Management controls and internal control measures 2nd: Financial control, security, risk management, quality, inspection, compliance 3rd: Internal audit (Beyond the model, this deck adds a 4th line: external audit, and a 5th line: regulators/government)
Order of signatures of audit charter
The CAE signs, then senior management signs, then the audit committee signs
Risk Management process
A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives
Competency
Ability to perform a task or job properly. Set of defined knowledge, skills, and behavior
Engagement scope (achieving engagement aims)
Access to relevant - systems - records - personnel - physical/virtual locations
The ______ must periodically review the internal audit charter at least _______ and present it to senior management and the board for ______
CAE; annually; approval (sign-off)
assurance procedures alone, even when performed with due professional care, _______ that all significant risks will be identified.
Do not guarantee
Code of Ethics 2. Objectivity
Exhibit the highest level of professional objectivity (individuals are objective). Make a balanced assessment and are not unduly influenced by their own interests or by others. 7 - No operational responsibilities (if you had them, a year must pass before you can audit that area; usually you never audit it again) 8 - Avoid any pressures 9 - Disclose any conflict of interest
Analytical procedures are reviewing and evaluating ______________, which may be ______ or _________.
Existing information; financial or non-financial
Internal auditor must exercise due professional care by considering....
Extent of work needed to achieve the engagement's objectives. Relative complexity, materiality, or significance of matters to which assurance procedures are applied. Adequacy and effectiveness of governance, risk management, and control processes. Probability of significant errors, fraud, or noncompliance. Cost of assurance in relation to potential benefits.
Diversion
Falsely creating or diverting something of value toward the fraudster
What is the gift policy?
Gifts cannot be worth more than $50
Internal Audit Definition
Independent, objective assurance and consulting (consulting is where most of the value is); adds value and improves the organization's operations; systematic, disciplined approach to GRC (governance, risk management, internal controls)
NYSE says companies must have an
Internal Audit Function in place
Code of Ethics 4. Competency
Internal auditors apply the knowledge, skills, and experience needed to perform their work. 12 - Knowledge, skills, and experience in compliance with the IPPF and QAIP (peer reviews)
Performance Standard 2400: Communication Results
Internal auditors must communicate the results of engagements
Code of ethics: 3. Confidentiality
Internal auditors respect the value and ownership of information and do not disclose information without appropriate authority 10 - Prudency (DO NOT TALK) 11 - Proper use of info
What governs internal audit, and what are the guiding principles that comprise the profession?
The International Professional Practices Framework (IPPF) of the IIA: trusted, global guidance; the only authoritative guidance is that which has followed appropriate due process
Test of Control
Is there a relevant control? Is the control adequately designed? Is the control effective?
Interview those you think are guilty ______.
LAST
the chief audit executive must establish and maintain a system to _______ the ______________. (PS 2500 monitoring)
Monitor; disposition of results communicated to management
The Deming Cycle
Plan - Establish standards and expectations for operating a process to meet goals. Do - Execute the process and collect data. Check - Compare actual results with expected results and analyze the difference. Act - Identify and implement improvements to the process.
Internal auditor must apply the care and skill expected of a _______ prudent and competent internal auditor. (Attribute standard Due Care in Practice)
Reasonably
What is the certification of internal audit?
Statement of conformity with the International Standards for the Professional Practice of Internal Auditing
Periodic assessments evaluate
The quality and supervision of work performed. The adequacy and appropriateness of internal audit policies and procedures. The ways in which the internal audit activity adds value. The achievement of key performance indicators. The degree to which stakeholder expectations are met.
The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board. Disclosure should include:
The scope and frequency of both the internal and external assessments. The qualifications and independence of the assessor(s) or assessment team, including potential conflicts of interest. Conclusions of assessors. Corrective action plans.
What is the mission of internal audit?
To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.
How does internal audit organizationally report?
To the audit committee, which then reports to the board of directors. Internal audit can also talk to management so issues can be fixed.
Assurance strategy
Align the internal audit plan with the organization's business objectives and strategic plan; the CAE should have a seat at the strategic table and address critical strategic risk management
The QAIP should encompass _____ of operating and managing the internal audit activity
all aspects
Perform effective _____ and ______. Performance Standard 2300: Performing the Engagement
analysis and evaluations
_______ are the most common way fraud is found.
Anonymous employee tips
External assessments must be conducted....
at least once every five years by a qualified, independent assessor or assessment team from outside the organization.
A small internal audit activity may....
be managed informally.
A large internal audit activity may...
be more formal and cohesive
Who affects the risk management process?
board, management and other personnel
The combination of processes and structures implemented by the _____ to ______, ______, ______, and ____ the activities of the organization (Performance Standard: Governance)
board; inform; direct; manage; monitor
Significant component of governance
business ethics
The ______ must develop and maintain a _________________ that covers ___ aspects of the internal audit actvitiy.
chief audit executive; quality assurance and improvement program (QAIP); all
If the chief audit executive determines that the matter has not been resolved, the chief audit executive must....
communicate the matter to the board
Opportunities for professional development include participating in.......
conferences, seminars, training programs, online courses and webinars, self-study programs, or classroom courses;
COSO Internal Control Framework (five components)
Control environment, risk assessment, control activities, information and communication, monitoring
Internal auditors must _____ and ____ work programs that achieve the engagement objectives (PS 2240 engagement work program)
develop and document
The Chief Audit executive has...
direct and unrestricted access to senior management and the board
When nonconformance with the Code of Ethics or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must....
disclose the nonconformance and the impact to senior management and the board.
When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must....
discuss the matter with senior management
Main value of IA (monitoring)
does not derive from the deficiencies reported or the recommendations made, but from their resolution and implementation
Added value, effectiveness, and reputation should be measured ________
dynamically (not statically)
CAE must ________ the internal audit activity to ensure it adds value.
effectively manage
Chief audit executive is responsible for... (Attribute Standard 1200: Auditor Proficiency and due professional care)
ensuring conformance of proficiency and due professional care
Most of the time there is no recovery _______.
from fraud
The internal auditor should guide the conversation from ____ to ____
general to specific
External assessors must.....
have no real or apparent conflict of interest
Internal auditors are not expected to... (AS 1210: Proficiency)
have the expertise of a person whose primary responsibility is detecting and investigating fraud
CAE must have a thorough understanding of _______________.
the mandatory elements of the IPPF
When you are the auditee, and they present you with the findings ask about....
items they found but did not report because there was not enough evidence
Risk appetite
how much risk you are willing to take as an organization
The main failure of IA lies in the ______ and ______ of management with respect to corrective action and the persistence of detected risks
indifference; inaction
Threats to independence must be managed at the....
individual auditor, engagement, functional, and organizational levels.
Code of Ethics: 1. Integrity
The integrity of internal auditors establishes trust and provides the basis for reliance on their judgment (trust and reliance). 1 - Honesty 2 - Diligence 3 - Responsibility 4 - Compliance with the law 5 - No illegal acts 6 - Respect for the organization's ethical values
Ongoing monitoring is incorporated.......
into the routine policies and practices used to manage the internal audit activity, to evaluate conformance with the Code of Ethics and the Standards
A well-developed QAIP ensures that the concept of quality _____ in the internal audit activity and all of its operations."
is embedded
Internal auditors must have sufficient knowledge of... (AS 1210: Proficiency)
key information technology risks and controls and available technology-based audit techniques to perform their assigned work.
Risk Based Assurance
A methodology that links internal auditing to an organization's overall risk management framework in relation to its risk appetite.
Internal auditors must be alert to the significant risks that....
might affect objectives, operations, or resources.
Defalcation
Misappropriation of money or funds held by an official, trustee, or other fiduciary (MOVING OUTSIDE GUARDRAILS)
Asset misappropriation
Misuse of any company asset for personal gain (EMAIL). AM schemes usually involve: digital devices, automobiles/trucks, phones/communication equipment
Senior management and the board _______ when an assessment discovers a significant degree of nonconformance.
must be informed
The chief audit executive __________________________ to ensure it adds value to the organization. (Performance standard 2000)
must effectively manage the internal audit activity
What are internal control processes?
Policies, procedures (both manual and automated), and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level that an organization is willing to accept.
Engagements must be performed with _______ and ________
proficiency; due professional care
Attribute Standard 1000: Purpose, Authority, and Responsibility
The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards
Care and skill expected of a __________ and __________ internal auditor (Proficiency and due professional care)
reasonably prudent; competent internal auditor
Ongoing monitoring
Reviews at the engagement level, on an engagement-by-engagement basis; continuous activities
An individual auditor may use a __________ as a basis for creating a _______.
self-assessment tool, professional development plan
Illegal gratuities
something of value given to an individual to reward a decision after it has been made
Robbery
taking or attempting to take anything of value by force, threat of force, or by use of fear
In exercising due professional care internal auditors must consider the use of.....
technology-based audit and other data analysis techniques.
Attribute Standard: Independence
the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.
the CAE meets with the board to gain an understanding of the expectations for the internal audit activity to discuss ________________ and to encourage _______.
the importance of the Standards and the QAIP; the board's support of these.
Human resource management is .....
the most important item the internal audit manual should contain
Bribery and kickbacks
The offering, giving, receiving, or soliciting of anything of value to influence an official act or business decision; occurs before the decision is made
IT IS NOT THE RESPONSIBILITY OF THE CHIEF AUDIT EXECUTIVE TO RESOLVE.....
the unacceptable residual risk
Internal auditors must identify, analyze, evaluate, and document evidence...... (Performance Standard 2300: Performing the Engagement)
to achieve the engagement objectives
Embezzlement
To fraudulently convert property entrusted to one's care to one's own use (OWN USE)
Larceny
The unlawful taking or theft of the personal property of another person or business
Economic extortion
The use of actual or threatened force to demand money or other consideration
Risk Tolerance
What an individual unit is willing to absorb
Corruption
The wrongful use of influence to procure a benefit for the actor or another person, contrary to the duty or the rights of others