Tuesday, July 16, 2013

SARBANES-OXLEY OVERVIEW: KEY INTERNAL AUDIT CONCERNS

INTERNAL AUDIT IN THE TWENTY-FIRST CENTURY: SARBANES-OXLEY AND BEYOND

The official name for this U.S. federal legislative act to regulate the accounting
and auditing practices of publicly traded companies is the “Public Accounting
Reform and Investor Protection Act.” It became law in August 2002 with some
detailed rules and regulations still being released, some over two years later as
this book went to press. The law’s title being a bit long, business professionals
generally refer to it as the Sarbanes-Oxley Act from the names of its congressional
principal sponsors, and it is referred to as SOA throughout this book.
Others refer to the law with the name SOX.

SOA has introduced a totally changed process of issuing external auditing
standards, reviewing external auditor performance, and giving new governance
responsibilities to senior executives and board members. Among other matters,
the SEC has taken over the process for establishing auditing standards from the
AICPA through the Public Company Accounting Oversight Board (PCAOB).
This board also monitors external auditor professional ethics and performance.
As happens with all comprehensive federal laws, an extensive set of specific regulations
and administrative rules is being developed from the broad guidelines
in the SOA text, and the SEC has been given that responsibility.

The provisions of the SOA also have a major impact on internal auditors, particularly
in U.S. publicly traded organizations. Internal audit now must act somewhat
differently in their dealings with audit committees, senior—and in particular
financial—management, and external auditors. Because of the breadth of U.S.
business throughout the world, SOA has an impact on virtually all internal auditors.
The effective modern internal auditor should develop a general understanding
of SOA’s provisions as well as its specific provisions affecting internal audit.

U.S. federal laws are organized and issued as separate sections of legislation
called Titles with numbered sections and subsections under each. Much of the
actual SOA text only mandates that rules be issued by the responsible agency, which for
SOA is the SEC. These upcoming specific SOA rules to be developed by the SEC
may or may not be significant to most internal auditors. For example, Section 602(d)
of Title I states that the SEC “shall establish” minimum professional conduct
standards or rules for SEC practicing attorneys. While perhaps good to know, an
internal auditor will typically not be that concerned about these specific rules yet
to be promulgated. Others may be of more interest to internal auditors. Section
407 of Title I again says that the SEC will set rules requiring the disclosure that at
least one audit committee member must be a “financial expert.” While this definition
of a “financial expert” is subject to ongoing interpretation, this is important
information for a chief audit executive (CAE) who will be dealing with both members
of the audit committee and senior management. That “financial expert” will
or should have some understanding of an effective internal controls review process
as well as audit committee and internal audit interactions. Since this “financial
expert” may very well be new to the organization’s audit committee, this may
be a key liaison contact for internal audit.

“WHERE WERE THE AUDITORS?” STANDARDS FAILURE


Source: Brink, Sawyer modern auditing.

The corporate accounting scandals and bankruptcies that surfaced in the early
days of this twenty-first century, including Enron, WorldCom, and others, all happened
in the same general time frame. Although these scandals did not raise
questions about the quality and integrity of internal auditors, CPA certified external
auditors were faced with multiple questions along the theme of “where were
the auditors?” These external auditors were responsible for auditing the books
and certifying that the financial statements were fairly stated. It is easy to suggest
that the once highly regarded but now gone Arthur Andersen represented what
had gone wrong with the major public accounting firms. Andersen had promised
to improve its processes as part of a settlement with the SEC regarding botched
audit procedures at Waste Management several years earlier. Andersen, however,
evidently shrugged off that settlement the way a driver shrugs off the ticket for
being caught in a speed trap. When they were implicated with Enron, regulators
at the SEC soon homed in on Andersen’s procedures. Enron’s internal audit function
had been outsourced to Andersen, with the two audit groups essentially
speaking in one voice; Andersen seemed to be more interested in providing consulting
services to Enron than auditing its financial statements; and many Andersen
auditors were quickly rewarded with senior management positions at Enron
after brief periods on the financial internal audit staff.

Although Andersen was the center of attention for Enron, other external audit
practices soon faced questioning. Based on off-the-books accounts, corporate
executive greed, and other matters, it soon became apparent that some audited
financial statements were not all fairly stated, per the traditional CPA/auditing
terminology. Many situations were soon highlighted where the external auditors
had missed some massive errors and frauds in their reviews of organization
financial statements. Too often, the major public accounting firms were accused of
selling their auditing services as a “loss leader” with the objective of using that
audit work to gain assignments in more lucrative areas such as consulting or tax
advisory. To many observers, the whole concept of “independent outside auditors”
was seriously questioned. How could a team of outside auditors be independent,
the critics asked, if key members of the financial staff had just recently
been serving as auditors and then had accepted positions on the “other side”?
There were too many close ties, making independent, objective decisions difficult.

With a very few exceptions, there also was little evidence of internal auditors
raising issues at these accounting-scandal-implicated corporations. Many of
the internal audit departments at these corporations accused of accounting fraud
had been “outsourced” to their responsible external audit firms. Prior to Enron’s
fall, there were published reports describing the “great partnership” that existed
between the Arthur Andersen managed internal audit function at Enron and the
Andersen external auditors. They shared offices, shared resources, and spoke
essentially in one voice. This was really in contrast to the somewhat uneasy alliances
that independent internal audit functions sometimes had had with their
external auditors in the past. Although these internal audit outsourcing arrangements
had been in place for many corporations over some years, the Enron situation
raised many questions about the independence and objectivity of these
outsourced internal auditors.

BACKGROUND: CHANGES IN FINANCIAL AUDITING STANDARDS

Some internal auditors often avoided financial auditing issues in past years. They
took pride in their skills as operational auditors and reserved financial auditing
tasks to their external audit firm. Those external auditors reviewed financial controls
and records leading up to the issuance of annual financial statements along
with their auditor’s reports on the fairness of those financial statements. Given
their operational audit and internal controls skills, many internal auditors supported
their external auditors over the years. This arrangement began to change
somewhat during the 1990s. The major public accounting firms up through about
the year 2002—then called “the Big 5”—began to take responsibility for organizational
internal audit functions through what was called outsourcing. Through an
arrangement with the audit committee, many internal auditors at that time found
themselves to be employees of their external audit firms continuing to perform
internal audits but under the management of their external auditors.

These outsourcing arrangements offered advantages to some internal auditors.
Reporting to a large external audit firm, many outsourced internal auditors
found greater opportunities for access to continuing education or the possibility to
make promotional career transfers to other organizations. Outsourcing somewhat
changed the tone of many of these internal audit functions. The public accounting
firms managing an internal audit group tended to focus the attention of their
internal audit resources more on audits in support of financial controls rather than
operational issues. Although not every internal audit function was outsourced,
this trend continued through the late 1990s in many major corporations.

As the 1990s ended, businesses were faced with predictions of computer
systems and other process-related disasters as part of the Y2K millennium
change to the year 2000. Although the millennium arrived with no major problems,
the following year, 2001, brought with it some real disasters for U.S.
accountants, auditors, and business in general. The long-running stock market
boom, fueled by “dot-com” Internet businesses, was shutting down with many
companies failing and with growing ranks of unemployed professionals. Those
same boom years spawned some businesses following new or very different
models or approaches. One that received considerable attention and investor
interest at that same time was Enron, an energy trading company. Starting as a
gas pipeline company, Enron developed a business model based on buying and
selling excess capacity first over its own and competitors’ pipelines and then moving
on to excess capacity trading in many other areas. For example, an electrical
utility might have a power plant generating several millions of excess kilowatt
hours of power during a period. Enron would arrange to buy the rights to that
power and then sell it to a different power company that needed to get out of a
capacity crunch. Enron would earn a commission on the transaction.

Enron’s trading concept was applied in many other markets, such as telephone
message capacity, oil tankers, and water purification.
Enron quickly became a very large corporation and really got the attention
of investors. Its business approach was aggressive, but it appeared to be profitable.
Then, in late 2001, it was discovered that Enron was not telling investors the
true story about its financial condition. Enron was found to be using off-balance
sheet accounting to hide some major debt balances. It had been transferring significant
financial transactions to the books of unaffiliated partnership organizations
that did not have to be consolidated in Enron’s financial statements. Even
worse, the off-balance sheet entities were paper-shuffling transactions orchestrated
by Enron’s chief financial officer (CFO) who made massive personal profits
from these bogus transactions. Such personal transactions had been
prohibited by Enron’s Code of Conduct, but the CFO requested the board to formally
exempt him from related code violations. Blessed by the external auditors,
the board then approved these dicey off-balance sheet transactions. Once they were
publicly discovered, Enron was forced to roll these side transactions back into
its consolidated financial statements, forcing a restatement of earnings.
Certain key lines of credit and other banking transactions were based on its
pledge to maintain certain financial health ratios. The restated earnings put
Enron in violation of these agreements. Enron, which once had looked like a strong,
healthy corporation, was soon forced to declare bankruptcy.

Because Enron was a prominent company, there were many “how could this
have happened?” questions raised in the press and by government authorities.
Another troubling question was, “where were the auditors?” Commentators felt
that someone would have seen this catastrophe coming if they had only looked
harder. The press at the time was filled with articles about Enron’s fraudulent
accounting, the poor governance practices of Enron’s board, and the failure of its
external auditors. The firm Arthur Andersen had served as Enron’s external auditors
and had also assumed responsibility for its internal audit function through
outsourcing. With rumors that the SEC would soon be on the way to investigate
the evolving mess, Andersen directed its offices responsible for the Enron audit to
“clean up” all records from that audit. The result was a massive paper shredding
exercise, giving the appearance of pure evidence destruction. The federal government
moved quickly to indict Andersen for obstruction of justice because of this
document shredding, and in June 2002, Andersen was convicted by a Texas jury
of a felony, fined $500,000 and sentenced to five years’ probation. With the conviction,
Andersen lost all public and professional trust and soon ceased to exist.

At about the same time, the telecommunications firm WorldCom disclosed
that it had inflated its reported profits by at least $9 billion during the previous
three years, forcing WorldCom to declare bankruptcy. Another telecommunications
company, Global Crossing, also failed during this same time period when
its shaky accounting became public. The cable television company Adelphia
failed when it was revealed that its top management, the founding family, was
using company funds as a personal piggy bank, and the CEO of the major conglomerate
Tyco was both indicted and fired because of major questionable financial
transactions and personal greed. Only a few examples are mentioned here;
in late 2001 and through the following year, 2002, many large corporations were
accused of fraud, poor corporate governance policies, or very sloppy accounting
procedures. Exhibit 3.1 highlights some of these financial failures. The press, the
SEC, and members of Congress all declared that auditing and corporate governance
practices needed to be fixed.

These financial failures helped to introduce some major changes to what had
been well-established financial auditing standards and practices. They caused
government regulators as well as the investment community to question and then
reform the financial auditing standards setting process and a wide range of public
accounting firm practices. Many organizations’ CEOs and CFOs were characterized
as being more interested in personal gain than in serving shareholders, audit
committees were often characterized as not being sufficiently involved in organizational
transactions, and external auditors and their professional organization,
the American Institute of Certified Public Accountants (AICPA), received major
criticism. Outsourced internal auditors caught this criticism as well; they were
viewed as being tied too closely to their external audit firm owners. Many other
previously accepted practices, such as the self-regulation of public accounting
firms, were seriously questioned. By self-regulation, we refer to the AICPA’s peer
review process, where public accounting firm A would be given the responsibility
to review standards and practices for firm B. Knowing that firm B might be
assigned to come back and review A a few years into the future, few firms ever
found that much critical to say about their peers.

These financial scandals caused many changes, with the passage in 2002 of the
Sarbanes-Oxley Act (SOA) as the most significant event. SOA establishes regulatory
rules for public accounting firms, financial auditing standards, and corporate
governance. Through SOA, the public accounting profession has been transformed,
the AICPA’s Auditing Standards Board (ASB) has lost its authority for
setting auditing standards, and the rules have changed for corporate senior executives,
boards of directors, and their audit committees. A new entity, the Public
Corporation Accounting Overview Board (PCAOB), has been established as part
of SOA and under the SEC to set public accounting auditing standards and to
oversee individual public accounting firms. Although internal auditors are not
directly covered in the legislation, SOA has very much affected them as well.

This chapter discusses this very significant public accounting standards setting
and corporate governance legislation, the Sarbanes-Oxley Act (SOA), with an
emphasis on its aspects that are most important to internal auditors. SOA and the
PCAOB represent the most significant change to public accounting, financial reporting,
and corporate governance rules since the SEC was launched in the 1930s.
SOA represents the most important set of new rules for auditing and internal
auditing today. The effective internal auditor should have a good understanding
of these new rules and how they apply to today’s practice of internal auditing.

Sunday, July 14, 2013

The relation between Management and Internal Auditor


Source: Brink - Modern Internal Auditing Magazine


2.5 MANAGEMENT AND THE INTERNAL AUDITOR
will not be directly involved when final outcomes become evident. There
are many published accounts of this practice, where a manager achieves
short-term results at a unit and because of those results either is promoted
or leaves to join a different organization. The successors must deal
with the long-term results of these short-term decisions. Auditors can
often play an important role in this short-term versus long-term results
decision process. An internal auditor frequently identifies operational
issues that may have long-term negative implications even though the
short-term results are not nearly as obvious.

A central truth of management is that conditions are always changing. A valued
employee leaves the organization, a new invention makes existing practices
obsolete, consumer preferences shift, or something else unforeseen develops. As a
result, many dimensions of the management process must be reappraised or redirected.
An organization’s capacity to foresee such possibilities and to adapt to
them is a measure of its ability to survive and prosper. This adaptive approach
often takes a rather unstructured management style. At the same time, however,
there are needs for standardization and regularity, including effective internal
control processes

Attribute of Management

Source: Brink - Modern Internal Auditing

ATTRIBUTES OF MANAGEMENT

While many organizations in the past were often isolated, with their markets
local or restrained by limitations in communications and transportation, the typical
organization today operates in a more complicated and often global environment.
However, those organizations in the past “good old days” were affected
by many similar attributes even though things traveled at a much slower pace.
For example, as early as the 1880s, the price of grain in Kansas was influenced by
grain prices in the Ukraine and in Argentina. It took a few days for that price
information to travel to the market in Kansas and much longer for grain to actually
be transported to these other markets, but they each were influencing factors.
Similar examples can be found going at least back to Roman times. Today,
speed of communications and such factors as the Internet have just increased
this environmental complexity.

Modern environmental factors include economic, competitive, technological,
political, and social matters. They should be in the mind of an internal auditor
when attempting to understand why management does or does not take
some action. For example, economic factors, including dimensions of the state of
world, national, and regional economies, can have a major influence on an organization.
When thinking about an organization and its business processes, an
internal auditor might raise a series of questions such as: Who uses these products
and why? How strong is that demand in terms of other needs? Where are
the users of the product? Are there other, competitive products or services?
There are also factors relating to the supply of the product or service. Where do
the materials come from that are needed to produce the aforementioned products,
and what is their availability? What kinds of facilities are needed and what
kind of production processes are involved? What are the requirements in terms
of capital, specialized knowledge, and marketing? Finally, factors relating to
demand and supply must be considered in terms of whether there are acceptable
profit potentials.

Economic factors have an impact on all organizations, whether a private-sector
industrial corporation, a not-for-profit service organization, or a governmental
unit. For example, United Parcel Service (UPS) in the United States has
largely taken over small parcel delivery from the U.S. Postal Service due to
UPS’s ability to provide better service at a lower cost structure. The U.S. Postal
Service, once a virtual monopoly, could not effectively compete when faced with
these economic factors. An internal auditor should always consider the role of
economic, competitive, technical, and even political factors when performing
internal audits in an organization. That understanding will be valuable for a better
understanding of management needs.

This discussion of environmental factors has been from the standpoint of the
entire organization. However, management entities also exist at lower levels,
including subsidiaries, divisions, departments, and the like. The environmental
factors previously discussed also include the authority and controls of the
higher organizational levels, to which lower-level management entities are
accountable. Also included are the resources available from upper-level management
that augment and better define the environmental factors as well as constraints
of various kinds that may be imposed by the senior-level management.

In addition to these environmental factors, an internal auditor also needs to
understand other key attributes that help to define the overall process of management.
Some of the more important of these include:
• Dependence on People. People are the most important resources the effective
manager must utilize. They are important in terms of their knowledge,
skills, and experience, and have a unique importance that goes far
beyond those considerations. An effective manager is directly dependent
on people to implement plans through their definitive actions. Thus, an
internal auditor must understand how people, or the human resources of
an organization, can operate in an effective manner to provide a maximum
contribution toward the achievement of managerial goals and
objectives. As part of understanding an organization’s human resources,
management has a continuing challenge to find the best possible fit and
integration of individuals within overall organizational goals. These
human resources range from senior management to the support staff in
an organization. Each has its own general interests, motivations, and
needs; management needs to understand these factors to best utilize
human resources.
• Focus on Decision Making. Managerial action is based on various types of
decisions with some at a very high level, such as a major new line of business,
while others are at relatively lower levels. All have common elements
in their decision-making process with respect to decision principles
and methodology. The problem must be identified, alternatives explored
using all information available, and a decision made on the action to be
taken. This decision-making process is similar for managers at all levels,
and only differs due to the magnitude of the problem, the extent to which
information is available, the available decision alternatives, and the
potential risks associated with the decision outcomes. The factors of time,
risk levels, and costs all affect this management process. The effective
manager should survey these issues, identify the most significant issues,
and then attempt to make the best decisions. Internal auditors should follow
this decision-making process to help assemble the correct supporting
data when making a recommendation. This will also help the internal
auditor to better understand how management reacts to audit report findings
and recommendations.
• Effect of Risk Level. There are risks associated with every management
decision. If a wrong decision is made, there may be the risk of increased
costs associated with that wrong decision, including wasted resources,
diminished future performance, or even legal liability for the organization
or the responsible manager. To a considerable extent, risk can be
reduced by better management information about operational and environmental
factors. Of course, every decision would be risk-free if the
manager had what is hypothetically called perfect information. There are
costs associated with obtaining the various types and levels of information
desired, and probability factors will affect the desired results. As a
result, total certainty is impossible because of both practical and absolute
limitations. This means that management decisions reflect the levels of
risk deemed to be acceptable to the particular responsible manager. Managers
and their overall organization have varying appetites for risk, and
each manager must make evaluations within the parameters of decision
authority and risk preferences. The effective internal auditor should have
a good understanding of this risk assessment process. Chapter 5, “Understanding
and Assessing Risks: Enterprise Risk Management,” discusses
the entire process of evaluating risk in the context of the COSO Enterprise
Risk Management (ERM) framework. In order to understand management’s
needs, an internal auditor also needs to understand management’s
willingness to accept or avoid risks.
• Management Is Judged by Results. Virtually everything a manager does is
judged by how those actions further the achievement of established organization
goals and objectives. Managers should be primarily interested in
results as opposed to letting an intermediate process be an end in itself.
This attribute of judging overall management effectiveness has been a
rationale for some hostile management takeovers. Corporate raiders have
taken over many otherwise successful companies with the argument that
they could achieve better short-term financial results by selling off underperforming
assets and undertaking other restructuring actions. Although
an organization might have been considered otherwise successful, these
raiders promised better results and often took over the organization and
then reported improved short-term results. There are always decision
variables that cannot be fully predicted or adequately evaluated. As a
result, the merits of some managerial decisions may be controversial, and
managerial excellence is measured by the quality of its results. Internal
auditors should be aware of these issues when attempting to understand
management’s needs. If management wishes to achieve the best results
for the overall organization, the auditor should attempt to support and
corroborate those decisions.
• Time Span for Appraising Results. Judging management by its results
raises questions as to the time frame in which those results are to be evaluated.
A manager often can achieve short-term results such as improved
profitability even though those decisions will undermine longer-run
profits. For example, quality can be temporarily sacrificed with resulting
short-term profits, but this action can be so damaging to customer satisfaction
that future products are no longer purchased. Good managers
should think in terms of the longer term and resist the often-tempting
shortcuts that endanger longer-term potentials. When management
understands this, the correct decision should be clear. However, the evaluation
may be complicated by how long a time span should be allowed
for decisions made today and how willing stockholders are to
wait for longer-run rewards. A further complicating factor is the difficulty
of measuring long-term effects. Managers often innocently make
bad estimates in these areas or are victims of wishful thinking. In other
cases, lower-level managers ignore long-term consequences because they


Understanding and working with managers and management

UNDERSTANDING AND WORKING WITH MANAGERS AND MANAGEMENT

but will primarily focus on organizational processes and operations. Many of
these operational areas will be discussed in greater detail in other chapters of
this book.

Internal auditors should regularly take an operational approach in their
audits and appraisals of management performance. For example, today they
often will be helping to complete the SOA internal controls assessment requirements,
called Section 404 and discussed in Chapter 6, “Evaluating Internal Controls:
Section 404 Assessments.” By doing this work, they will improve the
overall internal controls environment and will help to satisfy a corporate legal
requirement. However, line or operational management may not see much additional
value in these reports unless internal audit serves management through
appraisals of operations and suggestions for improvement when appropriate.
Managers of business operations will be more interested in such areas as:
• Suggestions to improve operations at all levels to help managers achieve
their objectives
• The manner in which the results of operations, including audit recalculations
of performance, are reported back to senior management levels
• The impact of overall organizational policies, instructions, and allocations
on the operation being reviewed

In many larger organizations where many employees have little direct contact
with senior management, internal auditors may be one of the few groups
with regular, face-to-face links with senior corporate management beyond periodic
financial performance reports or other high-level meetings. Managers at all
levels look to internal auditors to appraise their operations and to make constructive
suggestions. While it may sometimes be necessary, management is not
looking to an internal auditor to make a series of minor, nit-picking recommendations.
Internal audit has the high-level objective of serving management’s
needs through constructive operational auditing recommendations.

Internal Auditing Operational Approach (2)

Source: Brink - Modern Internal Auditing Approach

OPERATIONAL AUDITING CONCEPTS
A basic theme and message in this chapter and throughout this book is that an
internal auditor is primarily an operational auditor, no matter whether reviewing
a cash management process, information systems service delivery, or Sarbanes-
Oxley Act (SOA) Section 404 internal controls. The expression “operational auditor”
can cause some confusion with noninternal auditors who often tend to think
that all auditors, whether internal or external, do about the same tasks. That is certainly
not true. Internal auditors, with their strong operational approach, have a
unique and important role in service organization management at all levels.

The objective of operational auditing is, as defined in the IIA’s “Statement
of Responsibilities” standards, “to assist members of the organization in the
effective discharge of their responsibilities.” To accomplish this, internal auditors
must place themselves in the position of both general and departmental
management to see things from both perspectives and to provide constructive
service and recommendations to the overall organization. This starts with an
internal auditor gaining a clear understanding of management’s objectives in
some areas as well as a good knowledge of the operations that will be reviewed.
This places an internal auditor in a much different role than the public accountant
external auditor who primarily focuses on the organization’s published
financial statements and the supporting financial auditing standards. An internal
auditor may become involved in some of these financial accounting issues,


Management Needs: Internal Audit’s Operational Approach(1)

Source: Brink, Modern Internal Auditing

INTERNAL AUDIT’S MANAGEMENT FOCUS
Starting with the first edition in 1942, this book has continually emphasized that
service to management should be the major mission of internal audit. In the earlier
days, this internal audit mission objective was fairly narrow and emphasized
more the needs of middle to senior management, such as a financial controller
interested in the controls covering accounting processes. Over time, this internal
audit mission has been broadened to cover the board of directors, stockholders,
all levels of employees, government, and society. The controlling mission of internal
audit today is service to the overall organization, including those responsible
for its governance. However, that mission still must have a strong internal management
focus. While the recipients of internal auditing services have special
needs, management effectiveness is often the most major concern. If an organizational
unit is not well managed, everyone associated with it suffers. At the same
time, management’s tasks are becoming more complex because of a rapidly
changing worldwide environment with regard to changing technology, markets,
regulatory factors, and societal values. These factors make it important for internal
audit to take a broad approach to the concept of service and assistance to the
organization at every level and in every way. In order to properly assist management,
an internal auditor must continuously strive to understand management
needs, in terms of both general concepts and the unique characteristics of a particular
organization. Auditors need to understand some general concepts of management
theory and processes, how managers set their objectives, and how they
identify and solve problems to achieve those objectives. All internal auditors
must learn to think like organization management in order to form partnership
relationships and communication links.
Another important reason to understand management theory and practice is
that internal auditors themselves are managers. Their roles include supervising
audit projects and directing overall internal audit tasks. Internal auditors must
be able to develop objectives and strategies to achieve those objectives, working
through people and with other resources, just like other managers. Auditors
cannot be qualified counselors to management if they cannot effectively manage
their own operations. Internal auditors should provide a model that can be
observed and followed by others in the organization. In this way, internal auditors
will also be viewed as likely candidates for other management-level positions
in their organizations.
This chapter considers some of the more general concepts of management
and also discusses communication techniques that will help an auditor gain a
better understanding of management needs. This chapter should be read in conjunction
with other audit management chapters such as Chapter 4, “Internal
Controls Fundamentals: COSO Framework,” and Chapter 14, “Directing and Performing
Internal Audits,” among others. Effective internal auditing involves
understanding management needs and working with management to serve
those needs. That understanding is an essential ingredient for establishing internal
audit credibility such that management will respect and listen to internal
audit’s counsel. Working together, managers and internal auditors can achieve
increased effectiveness and promote overall organizational welfare.

Saturday, July 13, 2013

Being a lifelong bookworm may keep you sharp in old age

This piece originally appeared on smithsonianmag.com.
To keep their bodies running at peak performance, people often hit the gym, pounding away at the treadmill to strengthen muscles and build endurance. This dedication has enormous benefits: being in shape now means warding off a host of diseases when you get older. But does the brain work in the same way? That is, can doing mental exercises help your mind stay just as sharp in old age?
Experts say it’s possible. As a corollary to working out, people have begun joining brain gyms to flex their mental muscles. For a monthly fee of around $15, websites like Lumosity.com and MyBrainTrainer.com promise to enhance memory, attention and other mental processes through a series of games and brain teasers. Such ready-made mind exercises are an alluring route for people who worry about their ticking clock. But there’s no need to slap down the money right away—new research suggests the secret to preserving mental agility may lie in simply cracking open a book.
The findings, published online today in Neurology, suggest that reading books, writing and engaging in other similar brain-stimulating activities slows down cognitive decline in old age, independent of common age-related neurodegenerative diseases. In particular, people who participated in mentally stimulating activities over their lifetimes, both in young, middle and old age, had a slower rate of decline in memory and other mental capacities than those who did not.
Researchers used an array of tests to measure 294 people’s memory and thinking every year for six years. Participants also answered a questionnaire about their reading and writing habits, from childhood to adulthood to advanced age. Following the participants’ deaths at an average age of 89, researchers examined their brains for evidence of the physical signs of dementia, such as lesions, plaques and tangles. Such brain abnormalities are most common in older people, causing them to experience memory lapses. They proliferate in the brains of people with Alzheimer’s disease, leading to memory and thinking impairments that can severely affect victims’ daily lives.
Using information from the questionnaire and autopsy results, the researchers found that any reading and writing is better than none at all. Remaining a bookworm into old age reduced the rate of memory decline by 32 percent compared to engaging in average mental activity. Those who didn’t read or write often later in life did even worse: their memory decline was 48 percent faster than people who spent an average amount of time on these activities.
The researchers found that mental activity accounted for nearly 15 percent of the difference in memory decline, beyond what could be explained by the presence of plaque buildup. “Based on this, we shouldn’t underestimate the effects of everyday activities, such as reading and writing, on our children, ourselves and our parents or grandparents,” says study author Robert S. Wilson, a neuropsychologist at the Rush University Medical Center in Chicago, in a statement.
Reading gives our brains a workout because comprehending text requires more mental energy than, for example, processing an image on a television screen. Reading exercises our working memory, which actively processes and stores new information as it comes. Eventually, that information gets transferred into long-term memory, where our understanding of any given material deepens. Writing can be likened to practice: the more we rehearse the perfect squat, the better our form becomes, tightening all the right muscles. Writing helps us consolidate new information for the times we may need to recall it, which boosts our memory skills.
So the key to keeping our brains sharp for the long haul does have something in common with physical exercise: we have to stick with it. And it’s best to start early. In 2009, a seven-year study of 2,000 healthy individuals aged 18 to 60 found that mental agility peaks at 22. By 27, mental processes like reasoning, spatial visualization and speed of thought began to decline.

Friday, July 12, 2013

What is the difference between Reliable, Relevant, and Sufficient Information???

Reliable information is the best attainable information through the use of appropriate engagement techniques (Inter. Std. 2310). An original document is the prime example of such information.

Relevant information supports engagement observations and is consistent with engagement objectives.

Sufficient information is factual, adequate, and convincing to a prudent person.

Thursday, July 11, 2013

Flow Charting

Flow charting is a pictorial method of analyzing and understanding the processes and procedures involved in operations, whether manual or computerized.

 Flow charting is therefore useful in the preliminary survey and in obtaining an understanding of internal control. It is also helpful in systems development.

 Consequently, by indicating control weaknesses, flowcharts show where fraud may occur.

What is Control????

Control is any action taken by management to enhance the likelihood that established objectives and goals will be achieved.

Wednesday, July 10, 2013

Conflict resolution


While it might seem obvious that an MP should not accept cash from lobbyists to ask questions in Parliament, some conflicts of interest can be hard to spot and depend on an individual’s role as well as the sector they work in. So how can internal audit help firms to be on guard?
When the Financial Services Authority (FSA) fined fund manager Martin Currie £3.5m in 2012 for failing to manage a conflict of interest between clients, it was a sign of heightened regulatory scrutiny of asset managers’ approach to managing such issues.
In November last year, the FSA sent the chief executives of every UK asset manager a letter asking them to confirm that their firms had adequate conflict procedures in place. And, under the guise of the new Financial Conduct Authority (FCA), it is now said to be considering multi-million-pound fines for fund managers that use investors’ money to pay investment banks for access to the CEOs of their corporate clients (reportedly up to $20,000 an hour).
But conflicts of interest can occur in all types of organisation. For example, the Financial Reporting Council (FRC) recently announced two investigations into the audit arm of KPMG over possible conflicts. And last October the European Court of Auditors found that a number of EU agencies, including the European Food Safety Agency and the European Medicines Agency, had failed to manage conflict of interest situations adequately.

Sources of conflict

Conflicts of interest can occur in a wide range of situations. They might involve a clash between an employee’s personal interests and those of their employer’s customer or stakeholder. Gifts and entertainment are obvious examples, whether it is a case of a head of procurement being paid to fly around the world to attend a prestigious sporting event by a supplier trying to sell them services, or a local councillor accepting a bottle of champagne from a company and subsequently sitting on a panel deciding whether to award them work. Or it could be an individual holding shares or having another financial interest in a client, supplier or competitor.
Other types of conflict occur between the interests of different clients. This is a particular problem for law firms, which are prohibited by the Solicitors Regulation Authority from acting for a client whose interests clash with those of another client or of the firm itself. As a result, many now have teams dedicated to detecting potential issues.
Concerns over a lack of independence can also be a problem for external auditors. In May, the FRC – which sets ethical standards to ensure their objectivity and impartiality – published its annual report into audit quality inspections. While it highlighted an improvement in the overall quality of external audit work, it also found that firms should reassess the adequacy of their independence and ethics procedures and the training they provide to staff at all levels. In one case, a former executive of an audited organisation rejoined its audit firm as a partner, but failed to dispose of a shareholding in the organisation for several months, in breach of ethical standards.
Whatever the nature of conflicts, there can be regulatory consequences for failing to manage them appropriately. Company boards have a statutory duty under the Companies Act 2006 to avoid conflicts of interest, while the UK corporate governance and stewardship codes (overseen by the FRC) place a range of requirements on boards and investors for handling independence and potential conflicts on a “comply-or-explain basis”. The Bribery Act 2010 has increased scrutiny over employees accepting gifts and entertainment. The professions also have their own ethical codes and systems of regulatory oversight.
But legal problems are not the only danger from conflicts of interest – there’s also the risk of reputational damage. Angela Robertson, general counsel at Eversheds, notes: “If a law firm takes on a piece of work for a client and a conflict of interest is subsequently identified, it could severely damage or even kill that client relationship. In some sectors – particularly those where clients are sensitive around conflict issues – it could have repercussions across the industry, because word would get out to others. Obviously there’s a risk of adverse publicity, particularly in the legal press.”

Reducing the risks

How can organisations reduce the risk of conflicts of interest occurring? The starting point is for all conflicts or potential conflicts to be declared or identified so they can be managed appropriately. At Wokingham Borough Council all councillors and senior managers are asked to complete a declaration of any known conflicts of interest annually.
“But this is only as effective as the training and understanding that goes with it,” explains Muir Laurie CMIIA, director of business assurance and democratic services and head of internal audit at the council. “I think some internal audit teams think that getting 100 per cent completion of those forms is all you need to do. But that doesn’t mean there aren’t conflicts of interest – managers may be unaware of them or knowingly leave them off forms because it might ruin relationships they have with contractors.”
Issues for councils in general are typically around property and procurement for officers and planning for council members. Laurie says that Wokingham runs governance training sessions for newly elected councillors. “If a council member is sitting on the planning committee hearing a planning application from one of their neighbours wanting to build a conservatory in their back garden, should they declare it? They should – and that’s the kind of practical example we try to give.”
In the legal sector, a lot of conflict management relies on processes and technology, explains Robertson. As well as being responsible for conflict management at Eversheds, she previously set up the global conflicts team at Clifford Chance after it had undergone two mergers. “Every single piece of new work for a client, whether new or existing, had to go through the central conflicts team to identify whether there were any legal or commercial conflicts of interest,” she explains.
A law firm needs a good conflicts database containing details of all its current and historic clients and cases, she adds. “You need to be able to identify what work you’ve done for which client over a period of time. You’ve also got to have a good, clear process that everybody is aware of, so that you don’t start acting on a piece of work for a client until you’ve checked with the conflicts team, assuming you have one.” But lawyers must also be trained to understand the importance of giving the correct information to the conflicts team, she adds. “A conflicts system relies on people using it properly and inputting the right information.”
Getting the right culture and governance framework is also an important issue for asset managers – and reflects the FCA’s focus on consumer protection, believes Amanda Rowland, the partner who heads up PwC’s asset management regulation team. “If senior management are getting the right information and are fully engaged, and the culture is right within the firm, all of these issues – whether conflicts or anything else that affects consumers and products – will be handled better,” she says.
While she believes that “most firms would say that they were managing conflicts of interest in a way that they felt was appropriate”, the regulatory expectation has shifted and “the level of attention from the regulator has clearly concentrated minds”. Since then, firms have been looking at their written policies and procedures and ensuring they have appropriate control mechanisms for declaring, registering or managing conflicts. 
But there are still grey areas – particularly relating to concerns raised by the FCA over the way asset managers buy research and trade execution services on behalf of clients. “Clearly there’s the potential for conflicts. The question is what’s the best way to deal with that, while at the same time leaving asset managers with access to the best quality research that enables them to make the best decision for their funds and provide the best service for their customers.” The matter is the subject of an ongoing discussion between the regulator and the industry, she adds.
So what’s the role for IAs in terms of managing conflicts of interest? “As part of our internal audit plan, we’ll carry out a review of declarations of interest for officers and members,” says Laurie. “We don’t look just at the completion rate, but whether they are consistent with our cumulative audit knowledge and experience. If they aren’t, we can flag it up.” It’s also important for a head of internal audit to lead by example and be very transparent about any perceived or actual conflicts of interest that they face themselves, he adds.

An end to direct assistance

IAs need to be aware of a recent change to Financial Reporting Council standards for external auditors that will affect how the two sets of auditors can work together. “Direct assistance” – where external auditors take IAs into their audit team for a period of time – will now be prohibited. 
It’s a move that has been taken precisely to avoid “conflicts of interest and a lack of independence”, explains Melanie McLaren, executive director of codes and standards at the FRC. “Clearly an internal auditor who is employed by a company has a financial interest in it.”
External auditors will still be able to rely on the work of IAs provided that it has been scoped and managed by the internal audit function and that the external auditor is satisfied that it has been approached objectively and appropriately reviewed. 
There is, of course, an ongoing debate at European level over the possible compulsory rotation of external auditors and restrictions on the consultancy services that they can provide. In the UK, the FRC doesn’t support mandatory rotation, but changed the corporate governance code last autumn to stipulate (on a “comply-or-explain” basis) mandatory retendering of external audit contracts every ten years by FTSE 350 companies. “Our view is that investors deserve the best quality audit,” says McLaren. “In some parts of the market there isn’t a large number of firms capable of carrying out a sufficiently high-quality external audit, largely because of the global reach or sectoral expertise needed.”
In terms of firms’ consultancy work, McLaren says the FRC isn’t in favour of a cap on so-called audit-related services. “We think it would be better to say that there are certain services that can’t be provided (such as advocacy) and then place a requirement on audit committees to satisfy themselves in terms of independence, objectivity threats and safeguards on the other work.”
SOURCE: Chartered Institute of Internal Auditors

FOUNDATIONS OF INTERNAL AUDITING


 
Traditionally, internal auditors had been concerned with both accounting and
financial processes, and some expertise in these areas had generally been considered
to be essential. Coverage of accounting and financial controls and processes
also provided an opportunity for expanding the range of internal audit services
into the broader operational areas. Since accounting and financial records directly
or indirectly reflect all operational activities, financially oriented internal audit
reviews often open doors to the other activities. This combination of operational
and financial internal audit practices as well as information systems auditing will
be considered throughout this book. In terms of strategy, an internal audit abandonment
of accounting and financial areas can create a vacuum that would invite
the emergence of other audit-type functions. 

“Internal Audit Quality
Assurance and ASQ Quality Audits” for example, will discuss how many traditional
internal auditors in the past ignored the International Organization for
Standardization (ISO) “quality” movement in its early days, leading to an almost
separate profession of quality auditors.

An internal audit function today needs to have an adequate coverage of key
accounting and financial areas, and the responsibilities of whoever does that
will inevitably spill over into an overview of broader operational areas. The failure
to cover key financial areas was one of the arguments external audit firms
made to senior management when they offered to provide internal audit outsourcing
services. For some years leading up to the enactment of SOA, it almost
appeared that the public accounting firms were taking over internal auditing
through their outsourcing arrangements. Now, an organization’s external auditors
are prohibited from also performing internal audits for the same organization.

In the wake of SOA and the internal control assessment requirements of the
Act’s Section 404, requirements about internal audit’s roles
and responsibilities are changing again as we move through the first decade of
the twenty-first century. Internal auditors today are a much more important element
in an organization’s overall internal control framework than they were not
that many years in the past. To be effective here, an internal auditor must gain a
strong understanding of internal controls, and any internal audit involvement
with SOA Section 404 reviews requires some understanding of generally accepted
accounting principles (GAAP) and their related financial controls. Therefore,
internal auditors today need to understand financial and operational as well as
information systems controls. An objective of this book is to cover all three of
these areas, but to cover them in a manner whereby they are not considered separate
internal audit practices, but represent skills and knowledge that should be
used by all internal auditors.

RELATIONSHIPS OF OPERATIONAL, FINANCIAL, AND INFORMATION SYSTEMS AUDITING


During the 1960s, there was a strong tendency for many to use the term operational
auditing in place of the traditional internal auditing. The rationale was that internal
auditing was a term tied too closely with basic financial auditing, including the external
auditor’s review of both financial control activities and financial statements.
Internal auditors called themselves operational auditors because of their desire to
focus more of their efforts on the other operational activities in the organization that
could potentially point to areas for increased profit and overall management service.
In its most extreme form, the so-called operational auditing function would disassociate
itself entirely from the so-called financial areas. They would claim, for example,
to have no expertise on the financial controls surrounding an accounts receivable
operation. Rather, they might look at process controls and ignore the issue of
whether the cash received was properly recorded and tied to financial accounts,
including the general ledger. Management often became confused and dismayed
when their internal auditors all but ignored these important accounting or financial-related
issues. This separation of responsibility created issues of both substance and
self-interest for the operational audit–oriented internal auditors.

Operational and Financial Activity in Internal Audit

Internal auditing today involves a broad spectrum of types of operational
and financial activity and levels of coverage. In organizations today, internal
auditing has moved beyond being a staff activity roughly tied to the controller’s
organization, although internal audit’s role is constantly being redefined. SOA
has been a major driver of change for internal auditors. While they once only
had a nominal reporting relationship to the audit committee of the board, SOA
has strengthened and formalized that reporting relationship. However, in some
other organizations, internal audit continues to function at just a routine compliance
level. In other situations, internal audit still suffers from being integrated
too closely with regular accounting activities and limits virtually all of its audit
work to strictly financial areas. These are all exceptions that do not reflect the
potential capabilities of the modern internal audit organization. They may also
reflect the lack of progressive attitudes in the overall organization.
Today, modern internal auditors have expanded their activities to all operational
areas of the organization and have established themselves as valued and
respected parts of the senior management effort. With renewed emphasis from
SOA, the modern internal auditor today is formally and actively serving the
board of directors’ audit committee. While internal audit organizations once had
an almost nonexistent, dotted line reporting relationship to their audit committee—
with little direct communication—the chief audit executive (CAE) today
has a direct and active level of communication with that same audit committee.
This overall situation reflects major progress in the scope of internal audit’s coverage
and level of service to all areas of the organization. The internal auditing
profession itself, through its own self development and dedication, has contributed
to this progress and has set the stage for a continuing upward trend.



Internal Audit History and Background

INTERNAL AUDITING HISTORY AND BACKGROUND
It is normal for any activity—including a control activity such as internal auditing—
to come into being as a result of emerging needs. The business organization
of 1942, when modern internal auditing was just getting started, was very different
from our twenty-first century organization of today. For example, aside from
some electromechanical devices and activities in research laboratories, computer
systems did not exist. Organizations had no need for computer programmers
until these machines started to become useful for various record keeping and
other computational functions. Similarly, organizations had very rudimentary
telephone connections where switchboard operators routed all incoming calls to
a limited number of desktop telephones. Today, we are all connected through a
vast, automated worldwide web of telecommunications and the Internet. The
increasing complexity of modern business and other organizations has created
the need for a similar specialist in various business controls: the internal auditor.
We can better understand the nature of internal auditing today if we know something
about the changing conditions in the past and the different needs these
changes created. What is the simplest or most primitive form of internal auditing
and how did it come into existence? How has internal auditing responded to
changing needs?
At its most primitive level, a self-assessment or internal auditing function can
exist when any single person sits back and surveys something that he or she has
done. At that point, the individual asks him- or herself how well a particular task
has been accomplished and, perhaps, how it might be done better if it were to be
done again. If a second person is involved in this activity, the assessment function
would be expanded to include an evaluation of the second person’s participation in
the endeavor. In a small business, the owner or manager will be doing this review
to some extent for all enterprise employees. In all of these situations, the assessment
or internal audit function is being carried out directly as a part of a basic management
role. However, as the operations of an organization become more
voluminous and complex, it is no longer practicable for the owner or top manager
to have enough contact with every aspect of operations to satisfactorily review
their effectiveness. These operations review responsibilities need to be delegated.
Although this hypothetical senior manager could build a supervisory system
to try to provide a personal overview of operations, that same manager will
find it increasingly difficult to know whether all of the interests of the organization
are being properly served as it grows larger and more complex. Are established
procedures being complied with? Are assets being properly safeguarded?
Are the various employees functioning efficiently? Are the current approaches
still effective in the light of changing conditions?
The ultimate response to these questions is that the manager must obtain
further help by assigning one or more individuals to be directly responsible for
reviewing activities and reporting on the previously mentioned types of questions.
It is here that the internal auditing activity comes into being in a formal
and explicit sense. The first internal auditing assignments usually originated to
satisfy very basic and sharply defined operational needs. The earliest special
concern of management was whether the assets of the organization were being
properly protected, whether company procedures and policies were being complied
with, and whether financial records were being accurately maintained.
There was also considerable emphasis on maintenance of the status quo. To a
great extent, this internal auditing effort was initially viewed as a closely related
extension of the work of external auditors.
The result of all of these factors was that these early internal auditors were
viewed as playing a relatively narrow role in their organizations, with limited
responsibility in the total managerial spectrum. An early internal auditor often
was viewed as a financially oriented checker of records and more of a police
officer than a coworker. In some organizations, internal auditors had major
responsibilities for reconciling canceled payroll checks with bank statements or
checking their mathematics in regular business documents. In retail organizations,
internal auditors often were responsible for reconciling daily cash sales to
recorded sales receipts.
Understanding the history of internal auditing is important because this old
image still persists, to some extent, for today’s modern internal auditors. This is so
even though the character of the internal auditing function is now very different.
Over time, the operations of various organizations increased in volume and complexity,
creating managerial problems and new pressures on senior management. In
response to these pressures, management recognized the possibilities for better utilization
of their internal auditors. Here were individuals already set up in an audit
function, and there seemed to be every good reason for getting greater value from
these individuals with relatively little increase in cost.
At the same time, internal auditors perceived these opportunities and initiated
new types of services themselves. Thus, internal auditors gradually took on
broader and more management-oriented responsibilities in their work efforts.
Because internal auditing was initially largely accounting-oriented, this upward
trend was felt first in the accounting and financial-control areas. Rather than just
report the same accounting-related exceptions—such as some documentation lacking
a supervisor’s initials—internal auditors began to question the overall control
processes they were reviewing. Subsequently, internal audit valuation work began
to be extended to include many nonfinancial areas in the organization.
In 1942, the Institute of Internal Auditors (IIA) was launched. Its first membership
chapter was started in New York City, with Chicago soon to follow. The
IIA was formed by people who had been given the title internal auditor by their
organizations and who wanted to both share experiences and gain knowledge
with others in this new professional field. A profession was born that has undergone
many changes over subsequent years and has resulted in the type of modern
internal auditor discussed in this book.