Operational and Financial Activity in Internal Audit

Internal auditing today involves a broad spectrum of types of operational

and financial activity and levels of coverage. In organizations today, internal

auditing has moved beyond being a staff activity roughly tied to the controller’s

organization, although internal audit’s role is constantly being redefined. SOA

has been a major driver of change for internal auditors. While they once only

had a nominal reporting relationship to the audit committee of the board, SOA

has strengthened and formalized that reporting relationship. However, in some

other organizations, internal audit continues to function at just a routine compliance

level. In other situations, internal audit still suffers from being integrated

too closely with regular accounting activities and limits virtually all of its audit

work to strictly financial areas. These are all exceptions that do not reflect the

potential capabilities of the modern internal audit organization. They may also

reflect the lack of progressive attitudes in the overall organization.

Today, modern internal auditors have expanded their activities to all operational

areas of the organization and have established themselves as valued and

respected parts of the senior management effort. With renewed emphasis from

SOA, the modern internal auditor today is formally and actively serving the

board of director’s audit committee. While internal audit organizations once had

an almost nonexistent, dotted line reporting relationship to their audit committee—

with little direct communication—the chief audit executive (CAE) today

has direct and active level of communication with that same audit committee.

This overall situation reflects major progress in the scope of internal audit’s coverage

and level of service to all areas of the organization. The internal auditing

profession itself, through its own self development and dedication, has contributed

to this progress and has set the stage for a continuing upward trend.

Internal Audit History and Background

INTERNAL AUDITING HISTORY AND BACKGROUND
It is normal for any activity—including a control activity such as internal auditing—
to come into being as a result of emerging needs. The business organization
of 1942, when modern internal auditing was just getting started, was very different
from our twenty-first century organization of today. For example, aside from
some electromechanical devices and activities in research laboratories, computer
systems did not exist. Organizations had no need for computer programmers
until these machines started to become useful for various record keeping and
other computational functions. Similarly, organizations had very rudimentary
telephone connections where switchboard operators routed all incoming calls to
a limited number of desktop telephones. Today, we are all connected through a
vast, automated worldwide web of telecommunications and the Internet. The
increasing complexity of modern business and other organizations has created
the need for a similar specialist in various business controls: the internal auditor.
We can better understand the nature of internal auditing today if we know something
about the changing conditions in the past and the different needs these
1.2 INTERNAL AUDITING HISTORY AND BACKGROUND
5
changes created. What is the simplest or most primitive form of internal auditing
and how did it come into existence? How has internal auditing responded to
changing needs?
At its most primitive level, a self-assessment or internal auditing function can
exist when any single person sits back and surveys something that he or she has
done. At that point, the individual asks him- or herself how well a particular task
has been accomplished and, perhaps, how it might be done better if it were to be
done again. If a second person is involved in this activity, the assessment function
would be expanded to include an evaluation of the second person’s participation in
the endeavor. In a small business, the owner or manager will be doing this review
to some extent for all enterprise employees. In all of these situations, the assessment
or internal audit function is being carried out directly as a part of a basic management
role. However, as the operations of an organization become more
voluminous and complex, it is no longer practicable for the owner or top manager
to have enough contact with every aspect of operations to satisfactorily review
their effectiveness. These operations review responsibilities need to be delegated.
Although this hypothetical senior manager could build a supervisory system
to try to provide a personal overview of operations, that same manager will
find it increasingly difficult to know whether all of the interests of the organization
are being properly served as it grows larger and more complex. Are established
procedures being complied with? Are assets being properly safeguarded?
Are the various employees functioning efficiently? Are the current approaches
still effective in the light of changing conditions?
The ultimate response to these questions is that the manager must obtain
further help by assigning one or more individuals to be directly responsible for
reviewing activities and reporting on the previously mentioned types of questions.
It is here that the internal auditing activity comes into being in a formal
and explicit sense. The first internal auditing assignments usually originated to
satisfy very basic and sharply defined operational needs. The earliest special
concern of management was whether the assets of the organization were being
properly protected, whether company procedures and policies were being complied
with, and whether financial records were being accurately maintained.
There was also considerable emphasis on maintenance of the status quo. To a
great extent, this internal auditing effort was initially viewed as a closely related
extension of the work of external auditors.
The result of all of these factors was that these early internal auditors were
viewed as playing a relatively narrow role in their organizations, with limited
responsibility in the total managerial spectrum. An early internal auditor often
was viewed as a financially oriented checker of records and more of a police
officer than a coworker. In some organizations, internal auditors had major
responsibilities for reconciling canceled payroll checks with bank statements or
checking their mathematics in regular business documents. In retail organizations,
internal auditors often were responsible for reconciling daily cash sales to
recorded sales receipts.
Understanding the history of internal auditing is important because this old
image still persists, to some extent, for today’s modern internal auditors. This is so
even though the character of the internal auditing function is now very different.
FOUNDATIONS OF INTERNAL AUDITING
6
Over time, the operations of various organizations increased in volume and complexity,
creating managerial problems and new pressures on senior management. In
response to these pressures, management recognized the possibilities for better utilization
of their internal auditors. Here were individuals already set up in an audit
function, and there seemed to be every good reason for getting greater value from
these individuals with relatively little increase in cost.
At the same time, internal auditors perceived these opportunities and initiated
new types of services themselves. Thus, internal auditors gradually took on
broader and more management-oriented responsibilities in their work efforts.
Because internal auditing was initially largely accounting-oriented, this upward
trend was felt first in the accounting and financial-control areas. Rather than just
report the same accounting-related exceptions—such as some documentation lacking
a supervisor’s initials—internal auditors began to question the overall control
processes they were reviewing. Subsequently, internal audit valuation work began
to be extended to include many nonfinancial areas in the organization.
In 1942, the Institute of Internal Auditors (IIA) was launched. Its first membership
chapter was started in New York City, with Chicago soon to follow. The
IIA was formed by people who had been given the title internal auditor by their
organizations and who wanted to both share experiences and gain knowledge
with others in this new professional field. A profession was born that has undergone
many changes over subsequent years and has resulted in the type of modern
internal auditor discussed in this book.

What is Internal Auditing??

WHAT IS INTERNAL AUDITING?
An effective way to begin this book about modern internal auditing is to refer to
the professional standards of the Institute of Internal Auditors (IIA). This internal
auditor professional organization defines the practice of internal auditing as
follows: Internal auditing is an independent appraisal function established within an
organization to examine and evaluate its activities as a service to the organization.
This statement becomes more meaningful when one focuses on its key
terms. Auditing suggests a variety of ideas. It can be viewed very narrowly, such
as the checking of arithmetical accuracy or physical existence of accounting or
other business records, or more broadly, as a thoughtful review and appraisal at
the highest organizational level. In this book, we use the term auditing to include
this total range of levels of service, from detailed checking of accounting balances
to higher-level operational appraisals.
The term internal defines work carried on within the organization by its own
employees. Internal auditing work is distinguished from such audit-related
work carried on by outside public accountants or other parties (such as government
regulators) who are not directly a part of an organization.
The remainder of the IIA’s definition of internal auditing covers a number of
important terms that apply to the profession:
• Independent means auditing that is free of restrictions that could significantly
limit the scope and effectiveness of the review or the later reporting
of resultant findings and conclusions.
• Appraisal confirms the need for an evaluation that is the thrust of internal
auditors as they develop their conclusions.
• Established confirms that internal audit is a formal, definitive function in
the modern organization.
• Examine and evaluate describe the active roles of internal auditors, first for
fact-finding inquiries and then for judgmental evaluations.
FOUNDATIONS OF INTERNAL AUDITING
4
• Its activities confirm the broad jurisdictional scope of internal audit work
that applies to all of the activities of the modern organization.
• Service reveals that help and assistance to management and other members
of the organization are the end products of all internal auditing work.
• To the organization confirms that internal audit’s total service scope pertains
to the entire organization, including all personnel, the board of directors
and its audit committee, stockholders, and other interested stakeholders.
Internal auditing can also be recognized as an organizational control that
functions by measuring and evaluating the effectiveness of other controls. When
an organization establishes its planning and then proceeds to implement its
plans in terms of operations, it must do something to monitor the operations to
ensure the achievement of its established objectives. These further efforts can be
thought of as controls. While the internal audit function is itself one of the types
of controls used, there is a wide range of other controls. The special role of internal
audit is to help measure and evaluate those other controls. Thus, internal
auditors must understand both their own role as a control function and the
nature and scope of other types of controls in the organization.
Internal auditors who do their job effectively become experts in what makes
for the best possible design and implementation of all types of controls. This
expertise includes understanding the interrelationships of various controls and
their best possible integration in the total system of internal control. It is thus
through the control door that internal auditors come to examine and evaluate all
organizational activities to provide maximum service to the organization. Internal
auditors cannot be expected to equal—let alone exceed—the technical and
operational expertise pertaining to the many activities of the organization. However,
internal auditors can help the responsible individuals achieve more effective
results by appraising existing controls and providing a basis for helping to
improve those controls.

Assurance Auditing

assurance auditing provides an assessment of the reliability and/or relevance of data and operations in specific areas of business functions. The scope of assurance engagements includes fraud investigation, risk and control self-assessment, third-party and contract audit, quality audit, due diligence audit, security audit, privacy audit, performance audit, operational audit, financial audit, information technology audit, and compliance audit. With these engagements, internal auditors provide reasonable assurance whether organizational goals are being accomplished.

Management Process

The primary objectives of the overall management process are to achieve: relevant, reliable, and credible financial and operating information; effective and efficient use of the organization’s resources; safeguarding of the organization’s assets; compliance with laws, regulations, ethical and business norms, and contracts; identification of risk exposures and use of effective strategies to control them; established objectives and goals for operations or programs.

Holiday maker

As the holiday season approaches, most people start thinking about a couple of weeks in the sun. But, as Kevin Goulding, group head of internal audit at Dublin Airport Authority, explains,the season brings more complicated challenges
for those running airports.

9 July 2013 @ 11:14 in Features.

The airline industry has been one of the hardest hit since the global economic crisis gained momentum. While passenger numbers are moving back up to pre-2008 levels globally, profit margins have narrowed for most, and the environment is set to remain challenging for some time, according to the International Air Transport Association, the major industry body. 

Yet there are always some that buck the trend and succeed where others struggle. Dublin Airport Authority (DAA), which is state owned, but operates on a stand-alone commercial basis, runs Dublin and Cork airports and delivered a solid performance last year. Turnover increased by three per cent to €575m, while profits (excluding exceptional items) grew by 66 per cent to €43m. Group operating costs fell, while passenger numbers rose – 8.8 million passengers used the recently opened Terminal 2, which is driving the airport’s long-haul growth. 

So far this year, the positive upturn looks set to continue and there are signs that even more people will be jetting to and from the Irish capital over the summer.

Kevin Goulding, DAA’s group head of internal audit, is confident that the airports can cope with the projected surge in demand, and that the necessary controls are in place to ensure that passengers have a smooth journey and that internal audit is not run ragged. “Increased capacity and larger passenger numbers are always a risk issue, but the opening of Terminal 2 a couple of years ago reduced those capacity risks,” he says.

Care of duty

But Goulding’s internal audit team is working in a business that is far more complex than that of many airports. DAA has three strands to its operations. The most important and resource-intensive of these is running Dublin and Cork airports. In the past few years it has also developed a consulting arm that provides advice to airports that are, for example, planning to develop new terminals, facilities and business opportunities. Third, over the past 50 years, it has developed an enviable sideline in duty-free/duty-paid shopping with its retail business Aer Rianta International (ARI), one of the world’s largest airport duty-free and duty-paid retailing companies with an interest in 24 airports in 14 countries.

During 2012 ARI generated profits of just over€€27m. It saw strong sales growth in the Middle East and in India, where annual sales at its Delhi Duty Free passed US$100m for the first time. ARI also opened its first Chinese stores in 2012 and has recently been selected as the preferred bidder for the duty- free business at Mumbai’s new Terminal 2, which means that ARI will be operating the key duty free outlets at India’s two main international gateways. This will give DAA a very strong position in one of the world’s most important growth markets.

As a result, Goulding says that internal audit’s work is increasingly involved with the way that the business is expanding internationally. “Bidding for duty-free contracts is big business for DAA and the organisation keeps an ear to the ground to find out when a new opportunity might become available. Our work involves providing assurance on financial statements. In order to win these contracts, the organisation has to give guarantees and provide sound financial forecasts on the amount of revenue and customers it can bring in. We need to check the information behind those figures,” he says.

His team will audit the activities of each ARI subsidiary every two to three years. “This process is complex for a number of reasons. First, it is a question of resources. We have a small team so we need to ensure that resources are deployed in the most effective way possible. The other issue is that many of the ARI operations are joint ventures, and we may need to agree a ‘right to audit’ with the other party. Added to that, joint venture partners may have their own internal audit teams and external auditors, so sometimes we can leverage off their work,” he explains.

Fully automatic

Another area of financial risk for internal audit relates to loss of revenue or “revenue leakage”. “The financial controls we have in place are robust and the business model we use has been established for a long time, so we are aware of the risk profile,” says Goulding. “However, some of our invoicing involves a degree of manual input and that is a concern. The business is trying to automate more of these processes, and internal audit is monitoring progress,” he says.

IT risk is already at the heart of his team’s work. “Our business is very IT-driven,” he says. “There are around 180 different types of IT system across the organisation; everything from the usual desktops to check-in terminals, CCTV, security scanners and arrival and departure monitors. We have identified about 25 of these as critical. We have to make sure that these systems will work and that there is a back-up process we can switch to very quickly if anything goes wrong. Business continuity is a major focus for us.” 

To ensure that the risk of IT disruption remains low, internal audit has a policy of communicating the importance of “patch management” throughout the organisation. “It is hugely important that everyone is using the latest – and safest – versions of software on their systems, so the IT department sends out communications notices to remind people to install the latest patches made available by software providers to get rid of any vulnerabilities,” he explains.

Developing high flyers

Goulding believes that it is important for internal auditors to move into other departments in the organisation after two or three years. He also likes to “mix and match” his staff so that members of his team get to experience all aspects of internal audit work. “I don’t want people to be stuck looking at one area of work all the time, such as regulatory compliance. I want my team to be flexible and to experience the whole range of work that internal audit does so that they get variety, enhance their skills and can benefit the wider business if they move into another department in the organisation,” he says.

Goulding’s first dedicated internal audit role after qualifying was at paper and packaging company Jefferson Smurfit Group (now Smurfit Kappa), where he was mentored by a head of internal audit who constantly stove to make the function “best in class”. “That experience shaped the way that I think about internal audit a lot. My then boss always looked at what value internal audit could add to the business and he put a strong emphasis on having different skill-sets, and I share exactly the same view,” he says.

He took up the role of group head of internal audit at Dublin Airport Authority (DAA) in January 2012. Before this he spent over seven years at Kingspan Group, which provides environmental, construction and renewable energy products. He enjoyed
this job, which included setting up the internal audit and risk-management functions, but a seven-week spell in hospital after a routine appendix operation went wrong and nearly killed him put the constant travelling into perspective. 

“Around 96 per cent of Kingspan’s business was outside Ireland, so my work involved a lot of air travel. I felt like George Clooney’s character in the film Up in the Air – I always seemed to have a bag packed and I was constantly living out of a suitcase, collecting air miles and hotel booking points. My near-death experience put my lifestyle into perspective, and I thought I’d look for a new challenge that kept me close to home,” he says.

One of Goulding’s first tasks when he took charge of the internal audit function at DAA was to make personnel changes within the existing staff. “Over the previous three to five years some of the more experienced internal auditors had left the organisation to take up opportunities outside DAA. They had been replaced by personnel from other parts of the business with less traditional auditing experience, but with a great knowledge of the operation,” he says. 

“While their technical knowledge of the business was a huge asset, some of the team did not have all the requisite formal audit training and qualifications. Some of them had also been moved into the audit function temporarily and had stayed in the team longer than originally planned, so it was time to find new roles for them in the business. 

My approach is that the internal auditing department should be a springboard for new talent whereby recently trained and qualified auditors are brought into the organisation, and then move out into the business after about two years in audit,” he explains.

The redeployment took longer than expected, but Goulding says that he now has a team of five, including four qualified internal auditors. He is currently looking for an IT audit manager plus another internal auditor to focus on the international side of the business. This will make the team “about the right size for the organisation and quantity of work that we are doing”, he says.

His longer term plans could also involve internal audit working more closely with external teams. While he does not have a co-sourcing arrangement in place with any third-party provider at present, he concedes that he may look more closely at this option as the international side of the business grows. This could be particularly useful where the team needs local language skills, he points out. He also wants to build up the relationship internal audit has with external audit for “their shared mutual benefit”. 

“In my last role at Kingspan we carried out a number of joint audit assignments across the US business with the external auditor so that skills and experience were pooled and costs were reduced. In effect, for certain locations I ensured that the requirements of the external audit programme were fully covered by the internal audit programme and that work papers were robust enough to be relied on by external audit,” he says.

“It is more difficult to create that relationship here because external audit is statutory, there are issues surrounding independence and safeguards would need to be established. However, there can be real benefits from sharing certain work to minimise duplication of effort and to ensure there is sufficient leverage off internal audit work,” he adds.

Kevin Goulding in numbers

• 1998 to 2004 – senior internal auditor at Jefferson Smurfit Group plc (including secondments to the SAP implementation).
• 2004 to 2011 – head of internal audit and risk management at Kingspan Group plc.
• Jan 2012 to present – head of internal audit at DAA.
• He is a qualified accountant with the Chartered Association of Certified Accountants and part of the IIA’s heads of internal audit service

Black box: the business figures

Dublin Airport Authority (DAA) runs Dublin and Cork airports (Shannon Airport was ceded in December). In 2012 turnover increased by three per cent to €575m, while profits (excluding exceptional items) grew by 66 per cent to €43m. Group operating costs were slashed, running at eight per cent below 2008 levels when Dublin Airport was operating with only one terminal.Passenger numbers at Dublin and Cork airports were up by 1.6 per cent – equating to 340,000 extra passengers – while the number of long-haul passengers travelling through Dublin Airport grew by 16 per cent, owing to new capacity on routes to the Middle East and to North America. About 10.3 million passengers used Terminal 1 at Dublin Airport in 2012, while 8.8 million passengers used the recently opened Terminal 2, which is driving the airport’s long-haul growth. 

In the first three months of 2013 passenger numbers at Dublin were up four per cent and eight new services have started flying since the start of the year. The airport has secured new transatlantic capacity so that 224 flights a week will operate during the peak holiday season.

How to take a Financial Pulse

How to Take a Financial Pulse

Is That Deadbeat Really Broke?

ROBERT TIE

September 2011

 
John "Mick" Elliott, CFE, has a new client. She is in a family court battle — one of the arenas in which Elliott provides litigation support. Although no children are involved, the stakes are high.

The client, a financially strapped divorcée, came to Elliott for help when her ex-husband stopped paying alimony. The former spouse says he is broke. Perhaps believing that the best defense is a good offense, he is trying to turn the tables by making his own demand for alimony.

But Elliott's client thinks her ex is lying. As a high-end professional, she says, he has always been a big earner.

ALL IN THE FAMILY 

Elliott's practice and the former couple's now-separate residences are in California, which is one of ninecommunity property states; the others are Arizona, Idaho, Louisiana, Nevada, New Mexico, Texas, Washington and Wisconsin.

Under state law in these jurisdictions, couples have equal shares in all possessions they acquire during their marriage. If they divorce, those assets are divided between them. Each state's law provides its own criteria for determining what is an "equal" distribution of the couple's property and whether alimony to either party is warranted.

For example, to divide community property in California, the court would consider, among other things, a quantitative criterion — the provision in section 2550 of the California Family Code, which states that "… the court shall …divide the community estate of the parties equally."

Similarly, to determine whether spousal support is justified and, if so, who should pay it and how much, the court would consider, among other things, the qualitative criteria cited in section 4320 of the California Family Code. These include the "needs of each party based on the standard of living established during the marriage," and the "age and health of the parties."

As in all legal matters, relevant and factual evidence from reliable sources is essential to the effective administration of justice. Thus, the client engaged Elliott to obtain verifiable proof of her ex-husband's current income and other assets. If her suspicions prove correct, and his earnings are high and hidden assets are discovered, her attorney will be better able to persuade the family court judge to rule in her favor, mandating the resumption of alimony payments to her and denying them to her former spouse.

AN UNEXPECTED NICHE

After serving 26 years in federal law enforcement, Elliott retired as an FBI special agent, earned his CFE credential and became a licensed private investigator. His firm, Elliott Investigative Services, in Westlake Village, Calif., serves private and business clients in matters relating to family law and other civil litigation involving fraud.

"Family law turned out to be interesting work, and there's plenty of it," he said.

When Elliott opened his firm's doors in 1999, one of his first clients was a woman who was getting a divorce and suspected her spouse was hiding money from her. In building a financial profile of the client's husband, Elliott uncovered proof that she was right. Armed with that evidence, her attorney successfully argued for a better settlement than she would have gotten otherwise.

"Divorce is about money and emotions," Elliott said. "My job is to level the playing field. In the majority of my cases, the husband hides assets, and the wife engages me to find them. In fact, I can't recall a case in which a woman hid community property assets."

CRACKING THE CODE
During the 1940s, innovative private sector leaders and legal scholars believed that greater uniformity among the states' business laws would simplify and facilitate interstate commerce. To achieve this goal, they jointly developed a collection of standardized legislative models they hoped each state would implement with little, if any, modification. This body of recommendations was the first version of theUniform Commercial Code (UCC), and since then most of it has been widely adopted.

As a result, each state maintains an enormous store of UCC data that its financial institutions report on their transactions, such as business loans. While the information in these filings is sparse — perhaps only the name and address of the borrower — it is a strong lead that an experienced investigator can track to specific data, such as the amount of the loan and details on the collateral used to secure it.

The information in these records is in the public domain, and for a nominal fee, anyone can gain online access to it. Small wonder, then, that Elliott and many other experienced investigators consider UCC filings one of their most valuable sources of information for compiling a financial profile on the subject of an asset-related investigation.

UNCOVERING DIRTY TRICKS 

"A husband secretly planning a divorce will begin hiding assets about six months before taking any legal action," Elliott said. "Unfortunately, there is always a wife who has no idea what her husband has been doing with their community assets."

To take the pulse of a spouse's finances, Elliott sounds out sources that serve as his investigative "stethoscope." In this way, he constructs a profile of the subject — address history; properties owned; businesses associated with, owned or managed; professional licenses; bankruptcies, liens and judgments; and UCC filings. When building such profiles, he almost always encounters something that doesn't seem quite right.

"The financials of 97 percent of the people I've investigated were untruthful in some respect," he said.

Choosing the right source for each search requires care. Once, when combing through property records in what at first seemed like a comprehensive database, Elliott discovered that it contained only the current ownership information. It did not list sales and re-purchases of properties over time — a serious deficiency that left chronological gaps in the profile he was constructing. He then began using a database that contained properties' full ownership history.

Whenever Elliott finds that his target owns several properties, he searches further to determine how many loans the person took out on each property and to review its deed history.

"I look for signs of equity-stripping, where someone has repeatedly re-financed a property without the spouse's knowledge," he said. "If that's been happening, I find out where the proceeds went. Often, they'll wind up in a shell account or false business set up solely to hide that money from the spouse. It's very important to understand the structure of such ‘hidden' businesses. The assets they hold could be inaccessible to a deceived spouse."

Elliott also searches for bankruptcy judgments and liens, which can legally encumber the community property assets his clients seek.

"If my client's ex-husband has a lien against him, it's important that she understand and prepare for the fact that she won't get her share until the lien is cleared," Elliott said.

TIME FOR A CHECK-UP
Using the above search methods, Elliott soon hit pay dirt in his current case.

"I discovered that my client's husband was the subject of three UCC filings in the last five years, including one a few months ago," Elliott said. "If he really is experiencing financial hardship, how was he able to qualify for a loan?"

Although the UCC filings did not provide much detail, they did reveal the loan's existence.

"This will enable my client's attorney to appear before the judge and obtain a subpoena," Elliott said. "That will require the lender to produce the loan application, revealing the husband's bank account information, including the assets he listed as collateral for the loan. I expect the resulting asset profile will demonstrate he is able to make those alimony payments to my client. The court might even order him to provide her with additional community property monies she is entitled to."
Elliott expects the case will be resolved by the end of the year.

PERSERVERANCE PAYS

"If a search doesn't turn up what you need, think it over and look elsewhere," Elliott said. "All it takes is one nugget of information to get to the next question and answer. But you won't find it unless you're thorough and persistent."

Robert Tie is a New York business writer.

The Association of Certified Fraud Examiners assumes sole copyright of any article published onwww.fraud-magazine.com or www.ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be emailed to FraudMagazine@ACFE.com.