Internal Audit, Control and Compliance Materials Ciica-1
CONTENTS PAGES
4.3.1 Specialized Software
4.3.2 Benefits of Audit Software include
4.4 CAATs Education and Professional Development
4.5 Creation of Electronic Work Papers
4.6 Fraud Detection
4.7 Acronyms CAATTs vs CAAT
REFERENCES
CHAPTER ONE
INTERNAL CONTROL SYSTEM
c. They ensure complete and adequate recording of transactions.
d. They ensure that all recorded transactions are real, properly valued, related to the
correct period, properly classified, correctly authorized and posted.
e. They help to ensure reliable financial reporting and compliance with relevant laws,
regulations and standards.
f. They provide management with reasonable assurance that goals and objectives it
believes are important to the company, which are equally important to the auditor,
will be met.
b) Segregation of duties
i) No one person should be responsible for the recording and processing of a complete
transaction.
ii) The involvement of several people reduces the risk of intentional manipulation or
accidental error and increases the element of checking of work.
iii) Functions which for a given transaction should be separated include initiation,
authorization, execution, custody and recording.
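As an added example (not part of the course material), the following Python script applies the segregation-of-duties rule above to a constructed role-assignment table: for each transaction cycle it reports any person holding more than one of the five functions (initiation, authorization, execution, custody, recording) and any function nobody has been assigned. The staff names and cycles are constructed sample data.

```python
"""Segregation-of-duties check: added example, not part of the course text.

For each transaction cycle, the five functions (initiation, authorization,
execution, custody, recording) should be held by different people. This
script takes a constructed role-assignment table and reports
(a) every person holding two or more of those functions in the same cycle,
    the weakness an auditor would raise in the management letter, and
(b) functions no one is assigned to, a gap a walk-through test would expose.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# The functions that should be separated for a given transaction.
FUNCTIONS = ("initiation", "authorization", "execution", "custody", "recording")


@dataclass(frozen=True)
class Assignment:
    cycle: str      # transaction cycle, e.g. "purchases"
    function: str   # one of FUNCTIONS
    person: str     # staff member performing it


@dataclass(frozen=True)
class Conflict:
    cycle: str
    person: str
    functions: tuple[str, ...]   # functions held, in FUNCTIONS order


def find_sod_conflicts(assignments: list[Assignment]) -> list[Conflict]:
    """Return a Conflict for every (cycle, person) holding 2+ of the five functions."""
    held: dict[tuple[str, str], set[str]] = defaultdict(set)
    for a in assignments:
        if a.function not in FUNCTIONS:
            raise ValueError(f"unknown function {a.function!r}")
        held[(a.cycle, a.person)].add(a.function)
    conflicts = []
    for (cycle, person), funcs in sorted(held.items()):
        if len(funcs) > 1:
            ordered = tuple(f for f in FUNCTIONS if f in funcs)
            conflicts.append(Conflict(cycle, person, ordered))
    return conflicts


def unassigned_functions(assignments: list[Assignment], cycle: str) -> list[str]:
    """Functions in FUNCTIONS that nobody performs for the given cycle."""
    covered = {a.function for a in assignments if a.cycle == cycle}
    return [f for f in FUNCTIONS if f not in covered]


def management_letter_points(assignments: list[Assignment]) -> list[str]:
    """One plain-language finding per conflict, in the style of a letter of weakness."""
    points = []
    for c in find_sod_conflicts(assignments):
        joined = " and ".join(c.functions)
        points.append(
            f"{c.cycle}: {c.person} performs {joined}; these functions should be "
            f"separated so that no one person handles a complete transaction."
        )
    return points


# Constructed sample data (hypothetical staff and cycles, not from the text).
SAMPLE = [
    Assignment("purchases", "initiation", "Ama"),
    Assignment("purchases", "authorization", "Kofi"),
    Assignment("purchases", "execution", "Ama"),     # Ama also places the order
    Assignment("purchases", "custody", "Yaw"),
    Assignment("purchases", "recording", "Esi"),
    Assignment("petty cash", "authorization", "Kofi"),
    Assignment("petty cash", "custody", "Esi"),      # Esi keeps the cash...
    Assignment("petty cash", "recording", "Esi"),    # ...and keeps the book
]

if __name__ == "__main__":
    for point in management_letter_points(SAMPLE):
        print(point)
    for cycle in ("purchases", "petty cash"):
        print(cycle, "unassigned:", unassigned_functions(SAMPLE, cycle))
```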
c) Physical
i) This concerns physical custody of assets and invoices and procedures designed to
limit access to authorized personnel only.
ii) Access can be direct, e.g. by being able to enter the warehouse, or indirect, i.e. by
documentation: personnel who know the correct procedures may be able to extract
goods by doing the right paperwork.
iii) These controls are especially important in the case of valuable, portable,
exchangeable or desirable assets, e.g. locking of securities (share certificates) in a
safe with procedures for the custody and use of the keys, use of passes to restrict
access to sensitive places, and use of passwords to restrict access to computer files.
f) Personnel
i) Procedures should be designed to ensure that personnel operating a system are
competent and motivated to carry out the tasks assigned to them, as the proper
functioning of a system depends upon the competence and integrity of the operating
personnel.
ii) Measures include selection of people with appropriate personnel characteristics and
training; assignment to tasks of the right level of staff; appropriate remuneration and
promotion and career development prospects.
g) Supervision
All actions by all levels of staff should be supervised. The responsibility for
supervision should be clearly laid down and communicated to the person being
supervised.
h) Management
i) These are controls exercised by management which are outside and over and
above the day-to-day routine of the system.
i) Acknowledgement of performance
Persons performing data processing operations and other sensitive activities should
acknowledge their activities by means of signatures, initials, rubber stamps, etc. For
example, if invoice calculations have to be checked, the checker should initial each
invoice. This mitigates the following:
b) Risk Assessment
Managers need to assess business risk as part of designing and operating the
internal control system to minimize errors and irregularities. Business risk represents
factors, events and conditions that can prevent an organization from achieving its
business objectives. If management effectively assesses and responds to risk, the
auditor will need to accumulate less evidence than when management fails to,
because control risk is lower. Conditions that may increase business risk include
new personnel, new technology, corporate restructuring and foreign operations.
c) Control procedures
Control procedures, sometimes called control activities, represent the policies,
procedures and specific actions taken by a client's management and employees that
help ensure management's directives are carried out. Control procedures involve
establishing a policy of control and defining procedures to effect the policy. All
control procedures should be analyzed for risk.
e) Monitoring
Internal controls need to be monitored. Management should assess the quality of
control performance on a timely basis. Monitoring involves the process of assessing
the design of controls and their operation on a timely basis and taking necessary
corrective actions. Examples of monitoring controls include: Company Operating
Manager's Report and Published Financial Statement, analysis of customers'
complaints, periodic comparison of recorded amounts to actual assets, and
examining internal auditors' reports on control performance.
However, any instituted internal control system provides management with only
reasonable but not absolute assurance that their objectives are accomplished
because of inherent limitations such as the following:
i) The requirement that the cost of an internal control does not outweigh the potential
loss which may result from its absence.
ii) Most systematic internal controls tend to be directed at routine transactions rather
than non-routine transactions.
iii) The potential for human error in the operation of internal controls due to
carelessness, distraction, mistakes of judgment and the understanding of
instructions.
iv) The possibility that a person responsible for exercising an internal control could
abuse that responsibility by overriding an internal control.
v) The possibility of controls being by-passed because two or more people colluded.
Collusion may be between people inside the organization, but may involve outsiders
as well.
vi) The possibility that procedures may become inadequate due to changes in
conditions or that compliance with procedures may deteriorate over time. This may
particularly apply if a business is expanding.
ii. how such transactions are initiated;
iii. significant accounting records, supporting documents and accounts in the financial
statements; and
iv. the accounting and financial reporting process, from the initiation of significant
transactions and other events to their inclusion in the financial statements.
b. The factors affecting the nature, timing and extent of the procedures performed in
order to understand the systems include:
i. Materiality considerations;
ii. The size and complexity of the entity
iii. Their assessment of inherent risk
iv. The complexity of the entity's computer systems
v. The type of internal controls involved, and
vi. The nature of the entity's documentation of specific transactions
c. The auditor updates previous knowledge of the accounting systems in the following
ways:
i. Enquiries of appropriate supervisory and other personnel at various organizational
levels within the entity, together with references to documentation such as procedure
manuals, job descriptions and systems descriptions.
iii. Observation of the entity's activities and operations, including the information
technology functions, organization, personnel performing control procedures and the
nature of transactions processing.
d. Tracing transactions
Walk-through tests allow auditors to identify any examples of actual procedures that
vary from intended procedures. They also help the understanding of the entire process
as well as the identification of risks.
f. Observation of procedure
It is sometimes useful to watch staff carrying out procedures (such as wages pay-
out, receiving materials into stores, etc.) to be able to ascertain the existing and
practiced control procedures.
a. Narrative Notes
This method is where words are used to describe the systems. Narrative notes are
normally appropriate for simple systems where all paperwork is handled by only
one or a few people. For each system, narrative notes need to describe the following:
i. Functions to be performed and those responsible for performing them
ii. Documents used
iii. Source and destination of documents
iv. Sequence of filing documents
v. Types of accounting books kept
b. Organization Chart
This provides a convenient way of describing the authority, responsibility, approval
and reporting relationships that exist in the organization. It outlines the formal
relationships that exist in the organization. It however does not specify the precise
duties of the individuals concerned.
c. Internal Control Questionnaire (ICQ)
The ICQ remains the longest-used internal control assessment and recording
technique. Its function is to highlight precisely the areas of strength and weakness in
internal control.
The questionnaire is a standardized pre-printed document designed by the audit firm
using it, and comprises a series of questions designed to determine whether
desirable controls are present. They are formulated so that there is one to cover
each of the major transaction cycles. The following points are worth noting about the
use of ICQs.
i) An ICQ will normally be used if the size and complexity of the client organization
justifies it.
ii) A complete ICQ should have an effective life of approximately three years, during
which only updating would be necessary. The completion of a new ICQ would be
necessary if a major change in the system had taken place (e.g. a changeover from
a manual to a computerized system).
iii) The ICQ should be completed by a senior member of the audit staff after putting the
questions to the responsible officers of the client company.
iv) Observation and selected tests will ensure that the ICQ accurately reflects the
strengths and weaknesses within the procedures that operate from day to day.
v) The auditor should not place reliance on controls on the basis of this preliminary
evaluation. He should conduct further compliance tests designed to give
reasonable assurance that the controls are functioning properly.
vi) The questions should be formulated in such a way that the relevant internal control
criteria are implicit, so that no more than a yes/no answer is required to indicate
compliance or non-compliance. This degree of simplicity is not possible for every
question, for example in cases where it is necessary to know the names of the executive
officers authorized to sign cheques, or the limit on the authority of a particular officer
to authorize expenditure.
d. Flowcharts
The auditor, in establishing the nature of the system in operation, may include flow
charts of the system, supplemented by narrative notes in the permanent audit files.
These are updated on the basis of regular periodic reviews.
The auditor's flow charts may be adapted from those already prepared by the client,
or produced from scratch by the auditor himself.
The preparation of the charts will of itself teach the auditor a good deal more about
the detailed functioning of the system at work in each department.
The auditor should not commit the chart to his files until he has, as a result of
questioning and observation, reasonably ascertained that it represents what actually
takes place. This precaution is important because the nature of the audit tests
subsequently carried out will, to a large degree, follow the pattern reflected in the
chart and much time will be wasted if the charts are incomplete or inaccurate.
Generally, there are two methods of flowcharting, namely: Document Flowcharts and
Information Flowcharts.
Document Flowcharts are more commonly used because they are relatively easy to
prepare. They show that:
Information Flowcharts are prepared in the reverse direction from the flow. They
start with the entry into the accounting records and work back to the actual
transaction. They concentrate on significant information flows and ignore any
unimportant documents or copies of documents. They are easy to understand but
require skill and experience to compile.
Rules of Flowcharting
The following rules are generally observed in flowcharting:
i) A flowchart should only be used when the system being reviewed cannot be readily
understood in words.
ii) Flowcharts should be kept simple so that the overall structure or flow is clear at first
sight. This means that:
There must be conformity of symbols, with each symbol representing one and only
one thing.
The direction of the flowchart should be from top to bottom and from left to right.
There must be no loose ends.
The main flow should finish at the bottom right-hand corner, not in the middle of the
page.
Connecting lines should cross only where absolutely necessary to preserve the
chart's simplicity.
iii) Unless BSI symbols are used, a key should always be provided.
iv) Marginal comments should be included in the chart where appropriate, using a
dotted flow line and marginal bracket.
Advantages of Flowcharts
i) The system or any part of it may be presented as a totality without any loss of detail.
ii) The relationship between procedures in different areas can be depicted simply.
iii) Control features (or their absence in cases where they might be expected) may be
highlighted by the use of designated symbols.
iv) References to the other related audit documents may be easily incorporated.
v) Diagrammatic representation facilitates subsequent references to particular features
in the system more readily than pure narrative.
vi) New members of the audit team are able to participate in the audit work after a short
induction period, resulting in a considerable saving of time.
vii) As the information is presented in a standard form, they are fairly easy to follow and
to review.
viii) They generally ensure that the system is recorded in its entirety, as all document
flows have to be traced from beginning to end. Any "loose end" will be apparent from
a quick examination.
ix) They eliminate the need for extensive narrative notes and can be of considerable
help in highlighting the salient points of control and any weakness in the system.
Disadvantages of Flowcharts
i) They are only suitable for describing standard systems. Procedures for dealing with
unusual transactions will normally have to be recorded using narrative notes.
ii) They are useful for recording the flow of documents, but once the records or the
assets to which they relate have become static, they can no longer be used for
describing the control (for example over noncurrent assets).
iv) Time can be wasted by charting areas that are of no audit significance.
That all payments are properly authorized?
That all credits due from suppliers are received?
That all transactions are properly accounted for?
That at the period end liabilities are neither overstated nor understated by the system?
That the balance at the bank is properly recorded at all times?
That unauthorized cash payments could not be made and that the balance of petty
cash is correctly stated at all times?
iv. Stocks
Is there reasonable assurance:
That stock is safeguarded from physical loss (e.g. fire, theft, deterioration)?
That stock records are accurate and up to date?
That the recorded stock exists?
That the recorded stock is owned by the company?
That the cut-off is reliable?
That the costing system is reliable?
That the stock sheets are accurately compiled?
That the stock valuation is fair?
v. Non-current assets
Is there reasonable assurance:
That recorded assets actually exist and belong to the company?
That capital expenditure is authorized and reported?
That disposals of non-current assets are authorized and reported?
That depreciation is realistic?
That non-current assets are correctly accounted for?
That income derived from non-current assets is accounted for?
vi. Investments
Is there reasonable assurance:
That recorded investments belong to the company and are safeguarded from loss?
That all income, rights or bonus issues are properly received and accounted for?
That investment transactions are made only in accordance with company policy and
are appropriately authorized and documented?
That the carrying values of investments are reasonably settled?
c. Advantages of ICEQs
i. ICEQs highlight areas of weakness where extensive substantive testing will be
required.
ii. Answering ICEQs enables auditors to identify the important controls which they are
most likely to test during control testing.
At the conclusion of the internal control assessment stage of the audit, there is the
need for the auditors to communicate any weaknesses discovered in the internal
control systems to the management of the client company.
This report usually takes the form of a Management Letter, Letter of Weakness, or
Internal Control Letter. However other forms of reports are acceptable.
The precise stage of the audit at which the letter should be sent, how far the content
of the report should extend and the action the auditor should take if his observations
on major weaknesses are ignored by the client are matters of professional judgment
and based on the type of audit and the client company.
Where the audit work is performed on more than one visit, the auditors normally
report to management after the interim audit work has been completed as well as
after the final visit, particularly if there are procedures that need to be improved
before the financial year end.
b. Principal purposes of reports to management
A material weakness (within this context), is a condition which may result in a material
misstatement in the financial statements. If the directors or management have
detected a material weakness, and in the view of the auditors, have taken the
appropriate corrective actions, the auditors do not need to report to directors or
management on the matter.
Ordinarily, material weaknesses in the accounting and internal control systems are
communicated to directors or management in a written report issued by the auditors.
However, in some circumstances it may be sufficient for the relevant matters to be
raised orally with directors or management, followed by a file note circulated to those
attending the meeting to provide a record of the auditors' observations and the
responses of the directors or management.
When no material weaknesses are identified during the audit, the auditors may
choose not to issue a report to directors or management. They may however need to
inform them that no report is to be issued.
Ordinarily, the auditors request a reply to the points raised in a report to
management, indicating the actions that the directors or management intend to take
as a result of the comments made in the report.
In any report to directors or management, the auditors need to explain that the report
is not a comprehensive statement of all weaknesses which exist or of all
improvements which may be made, but that it documents only those matters which
have come to their attention as a result of the audit procedures performed. The
auditors may wish to refer to their audit approach in the report to directors or
management, particularly in the work undertaken on the accounting and internal
control system, to help directors or management appreciate the nature, time and
extent of the audit procedures which have resulted in the identification of the matters
included in the report.
The auditors may consider it appropriate to raise these matters orally with
management; under these circumstances, the auditors normally prepare a file
note to provide a record of their observations.
In practice, the auditors have little control over what happens to the report once it
has been dispatched. Occasionally, management may provide third parties with
copies of the report, e.g. their banks or certain regulatory authorities.
It is therefore appropriate to ensure that third parties who see the report understand
that it was not prepared for their benefit. Accordingly, care needs to be taken to
protect the auditor's position from exposure to liability to any third parties who may
seek to rely on a report which was not intended for their use.
We wish to point out, however, that our audit testing was undertaken in accordance
with the scope of our audit engagement, and therefore, will not necessarily identify
all weaknesses that may exist. As you are aware, it is the responsibility of the
directors to ensure that satisfactory internal controls are maintained at all times.
1. Purchase order
Present system
During the audit we found that some departments order goods from
suppliers orally without the support of a purchase requisition or purchase order.
Recommendation
We recommend that the Logistics department be made responsible for all
procurements and that, when orders are made orally, they should be subsequently
confirmed by raising an official purchase order.
Implication
Unexplained differences exist between suppliers' statement balances and purchase
ledger balances. This implies a breakdown of purchase invoice and/or cheque
payment batching and posting procedures.
Recommendation
It is important that this reconciliation is performed regularly by a responsible official
independent of day to day purchase ledger, cashier and nominal ledger functions.
3. Credit Control
Present System
As at 30 October 2016, the total debtors figure approximates 3 months' sales, although the
company's trade terms allow 4 weeks' credit to customers.
Implication
This has resulted in a high overdraft level, with resultant high interest charges and
difficulty in settling the accounts of some key suppliers on time.
Recommendations
We recommend that a more structured system of debt collection be considered,
using standard letters, and that statements be sent out a week earlier than they are
now.
Yours faithfully,
CHAPTER TWO
INTERNAL AUDIT
2.1 Introduction
Internal auditing is an independent, objective assurance and consulting activity
designed to add value to and improve an organization's operations. It helps an
organization accomplish its objectives by bringing a systematic, disciplined approach
to evaluate and improve the effectiveness of risk management, control and
governance processes. Internal auditing achieves this by providing insight and
recommendations based on analyses and assessments of data and business
processes. With commitment to integrity and accountability, internal auditing
provides value to governing bodies and senior management as an objective source
of independent advice. Professionals called internal auditors are employed by
organizations to perform the internal auditing activity.
The scope of internal auditing within an organization is broad and may involve topics
such as an organization's governance, risk management and management controls
over: efficiency/effectiveness of operations (including safeguarding of assets), the
reliability of financial and management reporting, and compliance with laws and
regulations. Internal auditing may also involve conducting proactive fraud audits to
identify potentially fraudulent acts; participating in fraud investigations under the
direction of fraud investigation professionals, and conducting post investigation fraud
audits to identify control breakdowns and establish financial loss.
Internal auditors are not responsible for the execution of company activities; they
advise management and the board of directors (or similar oversight body) regarding
how to better execute their responsibilities. As a result of their broad scope of
involvement, internal auditors may have a variety of higher educational and
professional backgrounds.
Internal auditors work for government agencies (federal, state and local); for publicly
traded companies; and for non-profit companies across all industries. Internal
auditing departments are led by a chief audit executive ("CAE") who generally
reports to the audit committee of the board of directors, with administrative reporting
to the chief executive officer (In the United States this reporting relationship is
required by law for publicly traded companies).
While some of the audit techniques underlying internal auditing are derived from the
management consulting and public accounting professions, the theory of internal auditing
was conceived primarily by Lawrence Sawyer (1911–2002), often referred to as "the
father of modern internal auditing"; and the current philosophy, theory and practice
of modern internal auditing as defined by the International Professional Practices
Framework (IPPF) of the Institute of Internal Auditors owes much to Sawyer's vision.
With the implementation in the United States of the Sarbanes–Oxley Act of 2002, the
profession's exposure and value was enhanced, as many internal auditors
possessed the skills required to help companies meet the requirements of the law.
However, the focus by internal audit departments of publicly traded companies on
SOX related financial policy and procedures derailed progress made by the
profession in the late 20th century toward Larry Sawyer's vision for internal audit.
Beginning in about 2010, the IIA once again began advocating for the broader role
internal auditing should play in the corporate arena, in keeping with the IPPF's
philosophy.
While the external auditor has sole responsibility for the audit opinion expressed and
for determining the nature, timing and extent of external audit procedures, certain
parts of internal auditing work may be useful to the external auditor.
Nevertheless, some of the means of achieving their respective objectives are often
similar, and thus certain aspects of internal auditing may be useful in determining the
nature, timing and extent of external audit procedures.
Internal auditing is part of the entity. Irrespective of the degree of autonomy and
objectives of internal auditing, it cannot achieve the same degree of independence
as required of the external auditor when expressing an opinion on the financial
statements. The external auditor has sole responsibility for the audit opinion
expressed, and that responsibility is not reduced by any use made of internal
auditing. All judgments relating to the audit of the financial statements are those of
the external auditor.
Effective internal auditing will often allow a modification in the nature and timing, and
a reduction in the extent of audit procedures performed by the external auditor but
cannot eliminate them entirely. In some cases, however, having considered the
activities of internal auditing, the external auditor may decide that internal auditing
will have no effect on external audit procedures.
The external auditor should perform an assessment of the internal audit function
when internal auditing is relevant to the external auditor's risk assessment.
The external auditor's assessment of the internal audit function will influence the
external auditor's judgment about the use which may be made of internal auditing in
making risk assessments and thereby modifying the nature, timing and extent of
further external audit procedures.
i) Organizational status: Specific status of internal auditing in the entity and the effect
this has on its ability to be objective. In the ideal situation, internal auditing will report
to the highest level of management and be free of any other operating responsibility.
Any constraints or restrictions placed on internal auditing by management would
need to be carefully considered. In particular, the internal auditors will need to be
free to communicate fully with the external auditor.
ii) Scope of function: The nature and extent of internal auditing assignments
performed. The external auditor would also need to consider whether management
acts on internal audit recommendations and how this is evidenced.
iii) Technical Competence: Whether internal auditing is performed by persons having
adequate technical training and proficiency as internal auditors. The external auditor
may, for example, review the policies for hiring and training the internal auditing staff
and their experience and professional qualifications.
iv) Due professional care: Whether internal auditing is properly planned, supervised,
reviewed and documented. The existence of adequate audit manuals, work
programs and working papers would be considered.
d. Timing for Liaison and Coordination
When planning to use the work of internal auditing, the external auditor will need to
consider the internal auditor's tentative plan for the period and discuss it as early as
possible. Where the work of internal auditing is to be a factor in determining the
nature, timing and extent of the external auditor's procedures, it is desirable to agree
in advance the timing of such work, the extent of audit coverage, materiality levels
and proposed methods of sample selection, documentation of the work performed
and review and reporting procedures.
Liaison with internal auditing is more effective when meetings are held at appropriate
intervals during the period. The external auditor would need to be advised of and
have access to relevant internal reports and be kept informed of any significant
matter that comes to the internal auditor. Similarly, the external auditor would
ordinarily inform the internal auditor of any significant matters which may affect
internal auditing.
The nature, timing and extent of the audit procedures performed on the specific work
of internal auditing will depend on the external auditor's judgment as to the risk of
material misstatement of the area concerned, the assessment of internal auditing
and the evaluation of the specific work by internal auditing. Such audit procedures
may include examination of items already examined by internal auditing,
examination of other similar items and observation of internal auditing procedures.
The external auditor would record conclusions regarding the specific internal
auditing work that has been evaluated and the audit procedures performed on the
internal auditor's work.
In the United States, the internal audit function independently tests management's
control assertions and reports to the company's audit committee of the board of
directors.
2.7 Role in risk management
Internal auditing professional standards require the function to evaluate the
effectiveness of the organization's risk management activities. Risk management is
the process by which an organization identifies, analyzes, responds to, gathers
information about, and monitors strategic risks that could actually or potentially
impact the organization's ability to achieve its mission and objectives.
The internal audit function may help the organization address its risk of fraud via a
fraud risk assessment, using principles of fraud deterrence. Internal auditors may
help companies establish and maintain Enterprise Risk Management processes.
This process is highly valued by many businesses for establishing and implementing
effective management systems and ensuring that quality is maintained and professional
standards are met. Internal auditors also play an important role in helping companies
execute a SOX 404 top-down risk assessment. In these latter two areas, internal
auditors typically are part of the risk assessment team in an advisory role.
It should be adapted to the specific purpose of audit, and the selection of audit
method must be adapted to its specific purpose. Otherwise, it will deviate from the
purpose of the audit.
CHAPTER THREE
INTERNATIONAL AUDITING AND ASSURANCE STANDARDS BOARD
3.1 Introduction
The International Auditing and Assurance Standards Board (IAASB) is an
independent standards body that issues standards, like the International Standards
on Auditing, quality control guidelines, and other services, to support the
international auditing of financial statements. It is a body supported by the
International Federation of Accountants (IFAC). The Public Interest Oversight Board
provides oversight of the IAASB, ensuring that the standards are in the public
interest.
To further ensure that proposed standards are in the public interest, the IAASB consults
its Consultative Advisory Group, which is composed of standard setters, various
international organizations from the private and public sectors, and regulators.
Representatives include a balance of users and preparers of financial statements,
and should, to the extent practicable, be balanced geographically.
IT audits are also known as automated data processing audits (ADP audits) and
computer audits. They were formerly called electronic data processing audits (EDP
audits).
3.3 Purpose
An IT audit is different from a financial statement audit. While a financial audit's
purpose is to evaluate whether the financial statements present fairly, in all material
respects, an entity's financial position, results of operations, and cash flows in
conformity with standard accounting practices, the purpose of an IT audit is to
evaluate the system's internal control design and effectiveness. This includes, but is
not limited to, efficiency and security protocols, development processes, and IT
governance or oversight. Installing controls is necessary but not sufficient to
provide adequate security. People responsible for security must consider whether the
controls are installed as intended, whether they are effective, and whether any breach
in security has occurred and, if so, what actions can be taken to prevent future
breaches. These inquiries must be answered by independent and unbiased observers. These
observers are performing the task of information systems auditing. In an Information
Systems (IS) environment, an audit is an examination of information systems, their
inputs, outputs, and processing.
The primary functions of an IT audit are to evaluate the systems that are in place to
guard an organization's information. Specifically, information technology audits are
used to evaluate the organization's ability to protect its information assets and to
properly dispense information to authorized parties. The IT audit aims to evaluate
the following:
■ Will the organization's computer systems be available for the business at all times
when required? (Known as availability)
■ Will the information in the systems be disclosed only to authorized users? (Known
as security and confidentiality)
■ Will the information provided by the system always be accurate, reliable, and
timely? (Known as integrity)
In this way, the audit hopes to assess the risk to the company's valuable asset (its
information) and establish methods of minimizing those risks.
1. Technological innovation process audit: This audit constructs a risk profile for
existing and new projects. The audit will assess the length and depth of the
company's experience in its chosen technologies, as well as its presence in relevant
markets, the organization of each project, and the structure of the portion of the
industry that deals with this project or product.
2. Innovative comparison audit: This audit is an analysis of the innovative abilities of
the company being audited, in comparison to its competitors. This requires
examination of company's research and development facilities, as well as its track
record in actually producing new products.
3. Technological position audit: This audit reviews the technologies that the business
currently has and that it needs to add. Technologies are characterized as being
either "base", "key", "pacing" or "emerging".
1. Systems and Applications: An audit to verify that systems and applications are
appropriate, are efficient, and are adequately controlled to ensure valid, reliable,
timely, and secure input, processing, and output at all levels of a system's activity.
System and process assurance audits form a subtype, focusing on business process
centric business IT systems. Such audits have the objective to assist financial
auditors.
2. Information Processing Facilities: An audit to verify that the processing facility is
controlled to ensure timely, accurate, and efficient processing of applications under
normal and potentially disruptive conditions.
29
3. Systems Development: An audit to verify that the systems under development meet
the objectives of the organization, and to ensure that the systems are developed in
accordance with generally accepted standards for systems development.
4. Management of IT and Enterprise Architecture: An audit to verify that IT
management has developed an organizational structure and procedures to ensure a
controlled and efficient environment for information processing.
5. Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that
telecommunications controls are in place on the client (computer receiving services),
server, and on the network connecting the clients and servers.
Some lump all IT audits into one of only two types: "general control review"
audits or "application control review" audits.
In an IS, there are two types of auditors and audits: internal and external. IS auditing
is usually a part of accounting internal auditing, and is frequently performed by
corporate internal auditors. An external auditor reviews the findings of the internal
audit as well as the inputs, processing and outputs of information systems. The
external audit of information systems is primarily conducted by certified information
systems auditors, such as a CISA, certified by ISACA (the Information Systems Audit
and Control Association, USA), an Information System Auditor (ISA) certified by ICAI
(the Institute of Chartered Accountants of India), and others certified by reputable
organizations for IS audit.
IS auditing is frequently a part of the overall external audit performed by a Certified
Public Accountant (CPA) firm. IS auditing considers all the potential hazards and controls
in information systems. It focuses on issues like operations, data integrity, software
applications, security, privacy, budgets and expenditures, cost control, and
productivity. Guidelines are available to assist auditors in their jobs, such as those
from the Information Systems Audit and Control Association.
3. Literature inclusion: A reader should not rely solely on the results of one review, but
also judge according to the loop of a management system (e.g. PDCA, see above), to
ensure that the development team or the reviewer was and is prepared to carry out
further analysis, and that the development and review process is open to
learning and to considering the notes of others. A list of references should
accompany each audit.
This list of audit principles for crypto applications describes, beyond the methods of
technical analysis, the particular core values that should be taken into account.
The use of departmental or user developed tools has been a controversial topic in
the past. However, with the widespread availability of data analytics tools,
dashboards, and statistical packages users no longer need to stand in line waiting
for IT resources to fulfill seemingly endless requests for reports. The task of IT is to
work with business groups to make authorized access and reporting as
straightforward as possible. To use a simple example, users should not have to do
their own data matching so that pure relational tables are linked in a meaningful way.
Enterprise communications audits are also called voice audits, but the term is
increasingly deprecated as communications infrastructure increasingly becomes
data oriented and data-dependent. The term "telephony audit" is also deprecated
because modern communications infrastructure, especially when dealing with
customers, is omni-channel, where interaction takes place across multiple channels,
not just over the telephone. One of the key issues that plagues enterprise
communication audits is the lack of industry-defined or government-approved
standards.
IT audits are built on the basis of adherence to standards and policies published by
organizations such as NIST and PCI, but the absence of such standards for
enterprise communications audits means that these audits have to be based on an
organization's internal standards and policies, rather than industry standards. As a
result, enterprise communications audits are still done manually, with random
sampling checks. Policy audit automation tools for enterprise communications have
only recently become available.
CHAPTER FOUR
COMPUTER-AIDED AUDIT TOOLS
4.1 Introduction
Computer-assisted audit tools (CAATs), or computer-assisted audit tools and
techniques (CAATTs), is a growing field within the IT audit profession. CAATs is the
practice of using computers to automate the IT audit processes. CAATs normally
include using basic office productivity software such as spreadsheets, word
processors and text editing programs, and more advanced software packages
involving the use of statistical analysis and business intelligence tools. More
dedicated, specialized software is also available.
CAATs have become synonymous with data analytics in the audit process.
4.2.1 Traditional Auditing vs CAATs
Traditional audit example
The traditional method of auditing allows auditors to build conclusions based upon a
limited sample of a population, rather than an examination of all available or a large
sample of data.
4.2.2 CAATTs Alternative
CAATTs, not CAATs, addresses these problems. CAATTs, as it is commonly used,
is the practice of analyzing large volumes of data looking for anomalies. A well
designed CAATTs audit will not be a sample, but rather a complete review of all
transactions. Using CAATTs the auditor will extract every transaction the business
unit performed during the period reviewed. The auditor will then test that data to
determine if there are any problems in the data.
However, the CAATTs-driven review is limited to the data saved in files in
accordance with a systematic pattern. Much data is never documented this way. In
addition, saved data often contains deficiencies, is poorly classified, is not easy to
get, and it might be hard to become convinced of its integrity. So, for the present,
CAATTs are a complement to an auditor's tools and techniques. In certain audits
CAATTs can't be used at all. But there are also audits which simply can't be made
with due care and efficiently without CAATTs.
CAATs can assist the auditor in detecting fraud by performing and creating the
following:
1. Analytical Tests
Evaluations of financial information made by studying plausible relationships among
both financial and non-financial data to assess whether account balances appear
reasonable (AU 329). Examples include ratio, trend, and Benford's Law tests.
2. Data Analysis Reports
Reports produced using specific audit commands such as filtering records and
joining data files.
3. Continuous monitoring
Continuous monitoring is an ongoing process for acquiring, analyzing, and reporting
on business data to identify and respond to operational business risks. For auditors
to ensure a comprehensive approach to acquire, analyze, and report on business
data, they must make certain the organization continuously monitors user activity on
all computer systems, business transactions and processes, and application
controls.
4. Curb Stoning in Surveys
Curb stoning is the term for instances where a surveyor completes a survey form by
making up data. Because some of the data should conform with Benford's law, this
practice can be detected using CAATTs, which provide the capability of performing
such tests.
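The Benford's Law test referred to under Analytical Tests and under Curb Stoning, as an added example that is not part of the original text: a first-digit test with a chi-square goodness-of-fit check, run over the whole population of amounts rather than a sample, as a CAATTs review would. The function names, the 0.05 critical value and both sample populations are my own assumptions; the populations are constructed, not real transaction data.

```python
import math
from collections import Counter

# Expected first-digit proportions under Benford's law: P(d) = log10(1 + 1/d)
BENFORD_EXPECTED = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value for 8 degrees of freedom (9 digit bins minus 1), alpha = 0.05
CHI2_CRITICAL_8DF_05 = 15.507


def first_digit(amount):
    """Leading non-zero digit (1-9) of an amount, or None for a zero amount."""
    # Scientific notation puts the leading digit first: 123.45 -> '1.234500e+02'
    digit = int(f"{abs(float(amount)):e}"[0])
    return digit or None


def benford_first_digit_test(amounts, critical=CHI2_CRITICAL_8DF_05):
    """Compare observed first-digit counts of a whole population with Benford's law.

    Returns the record count, the chi-square statistic, whether the population
    conforms at the chosen critical value, and a per-digit breakdown. The test
    assumes the amounts span several orders of magnitude; fixed-price or
    bounded figures (invoice numbers, capped claims) do not follow Benford.
    """
    counts = Counter()
    for amount in amounts:
        digit = first_digit(amount)
        if digit is not None:          # zero amounts carry no leading digit
            counts[digit] += 1
    n = sum(counts.values())
    if n == 0:
        raise ValueError("no non-zero amounts to test")

    chi2 = 0.0
    by_digit = []
    for d in range(1, 10):
        observed = counts[d]
        expected = BENFORD_EXPECTED[d] * n
        chi2 += (observed - expected) ** 2 / expected
        by_digit.append({"digit": d, "observed": observed,
                         "expected": round(expected, 1),
                         "ratio": round(observed / expected, 2)})
    return {"n": n, "chi2": round(chi2, 2),
            "conforms": chi2 <= critical, "by_digit": by_digit}


def flagged_digits(result, max_ratio=1.5):
    """Digits that occur more than max_ratio times as often as Benford predicts."""
    return [row["digit"] for row in result["by_digit"] if row["ratio"] > max_ratio]


def records_for_follow_up(records, digits):
    """Select the records whose amount starts with one of the flagged digits,
    so the auditor can trace them back to source documents."""
    return [r for r in records if first_digit(r["amount"]) in digits]


# --- Constructed sample populations (not real transaction data) ---
def constructed_genuine_amounts():
    """300 amounts evenly spaced in log space over three decades (100 to ~97,700).
    A log-uniform spread follows Benford's law, like many real ledgers."""
    return [round(100 * 10 ** (i / 100), 2) for i in range(300)]


def constructed_fabricated_amounts():
    """270 amounts whose leading digits 1-9 each appear 30 times, the flat
    pattern typical of figures invented by hand."""
    return [d * 1000 + k * 17 for d in range(1, 10) for k in range(30)]


if __name__ == "__main__":
    for label, amounts in (("genuine", constructed_genuine_amounts()),
                           ("fabricated", constructed_fabricated_amounts())):
        result = benford_first_digit_test(amounts)
        print(f"{label}: n={result['n']} chi2={result['chi2']} "
              f"conforms={result['conforms']} flagged={flagged_digits(result)}")
    # Pull the fabricated records with over-represented leading digits for review
    records = [{"id": f"TXN-{i:04d}", "amount": a}
               for i, a in enumerate(constructed_fabricated_amounts())]
    suspect = records_for_follow_up(
        records,
        flagged_digits(benford_first_digit_test([r["amount"] for r in records])))
    print(f"{len(suspect)} records selected for follow-up")
```

A non-conforming result is a lead for follow-up against source documents, not proof of fabrication, since legitimate populations with bounded or assigned values also fail the test.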
4.7 Acronyms CAATTs vs CAAT
CAATTs and CAATs are used interchangeably. While CAATs has emerged as the
more common spelling, CAATTs is the more precise acronym. The acronym
CAATTs solves one of the two problems with defining the acronym. CAATs means:
Computer Aided (or Assisted) Audit Techniques (or Tools and Techniques)
The first "A" and the "T" can have two different meanings depending on who uses
the term. By using the term CAATTs, one is clearly incorporating both "Tools" and
"Techniques."
CHAPTER FIVE
CHANGE MANAGEMENT AUDITING
5.1 Introduction
Proper change control auditing can lower the following risks:
1. Security features of the network are turned off.
2. Harmful code is distributed to users.
3. Sensitive data is lost or becomes insecure.
4. Financial report errors occur.
5. Control procedure.
5.2.3 Advantages
1. It makes the business more efficient and profitable in the long run.
2. An operational audit almost always provides a company with some new, fresh
perspectives.
3. It makes executives aware of problems that might not have been found otherwise
and lets them evaluate risks for the future.
4. Managers also can use results to motivate employees, as the company always has
something to work toward at the end of the process.
5.2.4 Disadvantages
1. Reviewing operational processes can be very time consuming and costly.
2. When employees and managers are working with the auditor, they can't do other
activities that might benefit the business, so projects or production might slow
temporarily.
3. Sometimes, the changes that a business makes are hard for workers to get used to,
which can increase conflicts or confusion.
Operational audit is a systematic review of the effectiveness, efficiency and economy of
operations. Operational audit is a future-oriented, systematic, and independent
evaluation of organizational activities.
In Operational audit financial data may be used, but the primary sources of evidence
are the operational policies and achievements related to organizational objectives.
Operational audit is a more comprehensive form of an internal audit.
5.4 Risk Capacity
Risk capacity is the maximum amount of risk that an entity can bear; it is linked to
capital, liquid assets, borrowing capacity, etc.
5.5.1 Risk
Risk is the potential of losing something of value, weighed against the potential to
gain something of value. Risk hinders the achievement of objectives and it has two
attributes:
■ Likelihood: the probability of the risk event (P)
■ Consequences: the impact of the risk event (I)
In risk-based internal auditing two types of risks are considered.
CHAPTER SIX
MAINTAINING A SOUND SYSTEM OF INTERNAL CONTROL
6.1 Responsibility for the system of internal control
The Board is ultimately responsible for the system of internal control. Boards will
normally delegate to management the task of establishing, operating and monitoring
the system, but they cannot delegate their responsibility for it.
The Board should set appropriate policies on internal control and regularly assure
itself that appropriate processes are functioning effectively to monitor the risks to
which the company is exposed and that the system of internal control is effective in
reducing those risks to an acceptable level. It is essential that the right tone is set at
the top of the company - the Board should send out a clear message that control
responsibilities must be taken seriously.
In determining its policies with regard to internal control, and thereby assessing what
constitutes a sound system of internal control in the particular circumstances of the
company, the Board's deliberations should include consideration of the following
factors:
■ The nature and extent of the risks facing the company;
■ The extent and categories of risk which it regards as acceptable for the company to
bear;
■ The likelihood of the risks concerned materializing;
■ The company's ability to reduce the incidence and impact on the business of risks
that do materialize; and
■ The costs of operating particular controls relative to the benefit thereby obtained in
managing the related risks.
The Board, however, does not have sole responsibility for a company's system of
internal control. Ultimately responsibility for the internal control system rests with the
Board, but all employees have some accountability towards implementing the
Board's policies on risk and control. This reflects the 'top-down, bottom-up' nature of
a sound system of internal control.
While the 'tone at the top' is set by the Board, it is the role of management to
implement the policies adopted by the Board. In fulfilling its responsibilities,
management should identify and evaluate the risks faced by the group - for
consideration by the Board - and design, operate and monitor an appropriate system
of internal control.
The operation and monitoring of the system of internal control should be undertaken
by individuals who collectively possess the necessary skills, technical knowledge,
objectivity, and understanding of the company and the industries and markets in
which it operates.
achieving the company's objectives. This includes the safeguarding of assets from
inappropriate use or from loss and fraud, and ensuring that liabilities are identified
and managed;
■ Help ensure the quality of internal and external reporting. This requires the
maintenance of proper records and processes that generate a flow of timely,
relevant and reliable information from within and outside the organization;
■ Help ensure compliance with applicable laws and regulations, and also internal
policies with respect to the conduct of business.
■ Identification and evaluation of risks and control objectives. Every entity faces a
variety of risks from external and internal sources that must be assessed. A
precondition to risk assessment is the establishment of objectives, linked at different
levels and internally consistent. Risk assessment is the identification and analysis of
relevant risks to the achievement of objectives, forming a basis for determining how the
risks should be managed.
■ Control activities. Control activities are the policies and procedures that help ensure
that management directives are carried out. They help ensure that necessary
actions are taken to address risks to the achievement of the entity's objectives. Control
activities occur throughout the organisation, at all levels and in all functions. They
include a range of activities as diverse as approvals, authorisations, verifications,
reconciliations, reviews of operating performance, security of assets and segregation
of duties.
■ Information and communication processes. Pertinent information must be
identified, captured and communicated in a form and timeframe that enables people
to carry out their responsibilities. Information systems produce reports, containing
operational, financial and compliance-related information, that make it possible to
run and control the business. They deal not only with internally generated data, but
also with information about external events, activities and conditions necessary to
informed business decision-making and external reporting. Effective communication
must also occur in a broader sense, flowing down, across and up the organisation.
All personnel must receive a clear message from top management that control
responsibilities must be taken seriously. They must understand their own role in the
internal control system, as well as how individual activities relate to the work of
others. They must have a means of communicating significant information upstream.
There also needs to be effective communication with external parties, such as
customers, suppliers, regulators and shareholders.
■ Processes for monitoring the effectiveness of the system of internal control. Internal
control systems need to be monitored - a process that assesses the quality of the
system's performance over time. This is accomplished through ongoing monitoring
activities, separate evaluations or a combination of the two. Ongoing monitoring
occurs in the course of operations. It includes regular management and supervisory
activities, and other actions personnel take in performing their duties. The scope and
frequency of separate evaluations will depend primarily on an assessment of risks
and the effectiveness of ongoing monitoring procedures. Internal control deficiencies
should be reported upstream, with serious matters reported to top management and
the Board.
Illustration 1
Getting the control as close to the risk as possible
A ship's captain is given absolute responsibility for their vessel whilst it is at sea, so
they can take appropriate and timely action to remedy any problems that may arise
during the course of the voyage.
■ The costs of control must be balanced against the benefits, including the risks it is
designed to manage.
Design decisions involve the acceptance of some degree of risk. The cost of control
must always be balanced against the benefit of controlling the risk. It is possible to
reach a position where the incremental cost of additional control is greater than the
benefit derived from controlling the risk.
Illustration 2 –
Improving performance can mean greater tolerance of risk
When Sony were designing the Walkman which required a significant advance in
manufacturing technology, the CEO stated that in order to achieve the 50%
reduction in the size of cassette player components, he would be willing to accept a
higher level of failure in research and development projects and he had to visibly
demonstrate this acceptance.
■ The system of control must include procedures for reporting immediately to
appropriate levels of management any significant control failings or weaknesses that
are identified, together with details of corrective action being undertaken.
It should not be assumed, without making appropriate enquiries, that breakdowns in
internal control are isolated occurrences. The key is continual learning rather than
attribution of blame. This philosophy should come down from the top of the
company. A blame culture encourages the concealment of breakdowns in control.
Often major disasters are the result of the accumulation of a number of smaller,
seemingly insignificant events, which if analysed collectively would provide the
necessary warnings to enable preventative action.
■ Control can help minimize the occurrence of errors and breakdowns but cannot
provide absolute assurance that they will not occur.
Human fallibility and the risk of unforeseeable occurrences are inherent limitations in
any system of internal control. A control system cannot be designed to provide
protection with certainty against: a company failing to meet its business objectives;
or all material errors, losses, frauds or breaches of laws or regulations.
■ The system of control should be embedded in the operations of the company and
form part of its culture.
Control is effected by people throughout the company, including the Board of
directors, management and all other staff. People who are accountable, as
individuals or teams, for achieving objectives should also be accountable for the
effectiveness of control that supports the achievement of those objectives. It is
important that criteria are in place by which the effectiveness of the system of control
can be judged. By making individuals accountable, the likelihood that controls are
operated properly is increased.
Illustration 3 –
Getting the right management behaviour at the coal face
A photocopy salesman was offered a significant bonus for achieving demanding
annual sales targets. The copiers were normally sold on a standard three-year hire
purchase contract. The salesman could not influence the contract but he was in a
position to provide the purchaser with extended warranty cover beyond the contract
term. This gave him an advantage over and above his competitors and enabled him
to consistently meet his sales targets. The company was unaware that anything was
wrong until year four when significant warranty claims began to be received on
machinery which was no longer generating an income. In this case the individual
had replaced the corporate risk profile with his own individual risk profile - a
behaviour which should have been known to be unacceptable.
Risk, derived from the early Italian risicare or to dare, is an ever present aspect of
the business world. Companies set themselves strategic and business objectives,
then manage risks that threaten the achievement of those objectives. Internal control
and risk management should supplement entrepreneurship, but not replace it.
Increased shareholder value is the reward for successful risk taking and the role of
internal control is to manage risk appropriately rather than to eliminate it.
Risks manifest themselves in a range of ways and the effect of risks crystallizing
may have a positive as well as a negative outcome for the company. It is vital that
those responsible for the stewardship and management of a company be aware of
the best methods for identifying, and subsequently managing such risks.
Risk can be defined as real or potential events which reduce the likelihood of
achieving business objectives. Or, put another way, uncertainty as to the benefits.
The term includes both the potential for gain and exposure to loss.
Internal control is one of the principal means by which risk is managed. Other
devices used to manage risk include the transfer of risk to third parties, sharing risks,
contingency planning and the withdrawal from unacceptably risky activities. Of
course, as discussed above, companies can accept risk too. Getting the balance
right is the essence of successful business - to knowingly take risk, rather than be
unwittingly exposed to it.
The business objective of a nineteenth century coal miner was to maximise coal
output. More tonnage meant more money. Unfortunately, there was always the
danger that the mine workings would collapse, delaying output and injuring, if not
killing, the collier. This is the risk which threatened the achievement of the miner's
objective. Fortunately, the miner could use pit props to control or manage the risk of
collapse.
For our miner, the secret of successful risk management was to maximise his time at
the coal face by utilizing the right number of controls. Too many props (over-
controlled) would leave little time to dig coal. Too few props (under-controlled) would
result in disaster.
In the modern business world, corporate objectives and the environment in which
companies operate are constantly evolving. As a result, the risks facing companies
are continually changing too. A successful system of internal control must therefore
be responsive to such changes - enabling adaptation quicker than its competitors.
Effective risk management and internal control is therefore reliant on a regular
evaluation of the nature and extent of risks. Compliance with the spirit of the Turnbull
guidance, rather than treating it as an additional layer of bureaucracy, will go a long
way to realising the benefits of effective risk management and internal control.
CHAPTER SEVEN
REVIEWING THE EFFECTIVENESS OF INTERNAL CONTROL
7.1 Responsibility for reviewing the effectiveness of internal control
The responsibilities of both directors and management are well defined in the
guidance. Reviewing the effectiveness of internal control is an essential part of the
Board's responsibilities, while management is accountable to the Board for
developing, operating and monitoring the system of internal control and for providing
assurance to the Board that it has done so.
Aspects of the review work may be delegated to the Audit Committee, and other
appropriate committees such as a Risk Committee or Health and Safety Committee.
These committees may be sub-committees of the Board; alternatively they may
include representatives from throughout the company, e.g., a Risk Committee may
include representatives from management, internal audit and other assurance
functions. The Board as a whole, however, should form its own view on the
adequacy of the review after due and careful enquiry.
In order to properly assess the adequacy of the review with a view to approving the
directors' statement on the company's system of internal control, the Board will need
to establish:
■ The terms of reference of the Audit Committee, or other relevant committees, and
their ability to contribute to such a review;
■ How key business risks are identified, evaluated and managed;
■ The rigor and comprehensiveness of the review process;
■ What evidence the Board has gathered to support the statement; and
■ Whether the entire Board can satisfy itself that the proposed statement is factually
correct.
The Board's knowledge must be detailed enough to allow it to concur with what is
said in the proposed statement on internal control in the annual report and accounts.
The role of the Audit Committee, or other relevant committees, in the review process
is for the Board to decide and will depend upon factors such as the size, style and
composition of the Board and the nature of the company's principal risks.
The Audit Committee will normally consider financial controls; however, the Board
may also request that the committee be used to provide a single focal point for some
or all of the wider review of internal control and the proposed statement for inclusion
in the annual report prior to approval by the Board. In this event, it may be necessary
for the Audit Committee to draw together the results of the work of the Risk
Committee and/or other Board committees in reviewing specific risks (e.g. safety
and environmental issues).
The Audit Committee's role is, however, a non-executive one. In enquiring into these
matters it is not seeking to take on an executive function that properly belongs to
management. Instead, its aim is to satisfy itself that management has properly
fulfilled its responsibilities.
7.2 The process for reviewing effectiveness
Put simply, a company's system of internal control has as its principal aim the
management of risks that threaten the achievement of its business objectives.
Therefore, in order to have effective internal control a company needs to:
■ Identify and assess the risks which threaten the achievement of those objectives;
■ Operate the internal controls in accordance with their design specification; and
■ Monitor the controls to ensure they are operating correctly. Turnbull and the
Combined Code add the final two links in the chain:
■ Directors should review the effectiveness of the system of internal control; and
This suggests a defined process for the Board's review of the effectiveness of
internal control - a process starting with the identification of the business objectives
and the identification and assessment of the related risks that would prevent the
company achieving those objectives. By expressly identifying business objectives,
the likelihood of overlooking key business risks will be reduced. It should be
remembered that key risks include not only those that threaten the survival of the
group, or could seriously weaken it, but also the risk of failing to identify significant
opportunities.
Linking the identification of key business risks to the company's strategic business
objectives may already be part of the normal financial calendar supporting the
strategic planning and budgeting process. It will be important to ensure this process
is sufficiently balanced in its appraisal of the financial and non-financial risks.
There are many techniques available for identifying risk. Some are detail-based and
offer quantification, others are scenario-based or qualitative. The process can either
be facilitated by specialists or carried out by questionnaire, or a combination of both.
Techniques for identifying risks include:
PEST analysis
A high-level technique to understand the external environment affecting the industry
and some of the specific external factors that may affect the business. It considers
Political, Economic, Social and Technological factors and the risks to the business
that flow from these.
Five Forces analysis
This technique considers all the forces that influence the company, its industry and
its market place. It helps to analyze why a business is successful or not. The five
forces are the threat of new entrants, threat of substitute products or services, the
bargaining power of suppliers and buyers, the competitors and the intensity of rivalry
in the industry.
SWOT analysis
SWOT is an acronym for Strengths, Weaknesses, Opportunities and Threats to the
business.
Facilitated methods (e.g., brainstorming) have the advantage of drawing upon those
experienced in risk assessment, whilst maximising the input of management who
should know the business best.
For each identified risk a value judgement must be made on the impact, both
financial and reputational, that its crystallisation would have on the business and the
likelihood of the risk occurring.
Once these steps have been performed it may be appropriate to apply more
sophisticated measurement techniques to certain risk scenarios to establish the
expected effect.
Armed with this prioritisation of the risks facing the business, informed choices as to
the most appropriate means to mitigate loss to an acceptable level can be made.
An effective risk assessment process addresses both financial risks (such as credit,
market and liquidity risk) and non-financial risks (such as operational, legal and
environmental risk). Furthermore, the process should include an evaluation of the
risks to determine which are controllable by the company and which are not.
For those risks that are controllable, the company must decide whether to accept
those risks or whether to mitigate the risk through control procedures. For those
risks that cannot be controlled, the Board must decide whether to accept the risks or
to withdraw from, or reduce the level of business activity concerned. Contingency
plans should be considered where the Board elects to accept uncontrollable
significant risks.
The Board may not know the fine detail of how all risks that could lead to a material
loss are controlled but should be satisfied that proper control policies, procedures
and activities have been established to support their control objectives. The design
of controls should be based on generally accepted control criteria which have been
approved by the Board for this purpose and include both preventative and detective
controls.
■ Control self-assessment reviewed and tested (at least to a limited extent) by head
office/internal audit;
Control and risk self-assessment by local operational management is a popular
option but needs to be carefully managed. Management already have an implicit
responsibility for the design and operation of the system of internal controls within
their businesses, and self-certification is a means of formalising this responsibility.
The approach can range from the use of detailed questionnaires (which may be
subsequently validated by internal or external audit) through to a broader
workshop-based approach at which both business risks and related controls are
investigated and assessed by the unit responsible for achieving the business
objective - a bottom-up approach.
Self-certification may not be sufficient on its own as the right amount of independent
challenge may not be built into the process. The results should be independently
reviewed (for example, by internal or external auditors) on behalf of the Board or
Audit Committee. This independent review should independently challenge the:
■ Internal audit visits on a cyclical basis; and
Although internal audit should maintain independence from management, they can
perform more than just a monitoring role. In many companies they also act as
facilitators and internal advisors to management on effective means of controlling
business risks. Internal audit arrangements naturally vary, but they have the
potential to play a central role within the monitoring process.
Several models exist which provide a basis for the design and objective assessment
of the effectiveness of control. By their nature, such models also provide criteria by
which the effectiveness of the system of internal control can be judged. Two models
that are currently accepted internationally are the COSO and CoCo systems. The
COSO criteria are substantially similar to those set out in the ICAEW's earlier
guidance on internal financial control (the Rutteman report).
The effectiveness of control cannot be judged solely on the degree to which each
criterion, taken separately, is met. The criteria are interrelated, as are the control
elements in an organisation. Control elements cannot be designed or evaluated in
isolation from the business objectives and associated threats to the achievement of
those objectives.
In addition, the Board should undertake an annual assessment exercise for the
purposes of making its statement in the annual report to ensure that it has
considered all significant aspects of internal control for the accounting period and the
period up to the date of approval of the annual report and accounts.
The Board should define the process to be adopted for its review of the
effectiveness of internal control and should ensure that it is provided with
appropriately documented support for its statement on internal controls in the annual
report and accounts. The Board needs to consider both the scope and frequency of
the reports it receives during the year, together with the process for its annual
assessment.
■ Assess the effectiveness of the related system of internal control in managing the
significant risks, having regard, in particular, to any significant failings or
weaknesses that have been reported;
When considering the effectiveness of the related system of internal control, the
directors should have regard to the principal characteristics of a sound system of
internal control
■ Consider whether necessary actions are being taken promptly to remedy any
significant failings or weaknesses; and
It is not sufficient for the Board to satisfy itself that weaknesses are being
identified. It must also consider what remedial action is being taken and whether
such steps are appropriate.
■ Consider whether the findings indicate a need for more extensive monitoring of the
system of internal control.
Where a weakness identified in one area of the business may be duplicated in other
areas, it may be appropriate for the Board to commission a more comprehensive
review. Alternatively, the Board may consider that either the degree of risk involved
or the potential for control breakdown warrant further investigation.
Compliance with Turnbull requires that the Board's annual assessment should, in
particular, consider:
■ Changes since the last review in the nature and extent of significant risks and the
company's ability to respond effectively to changes in its business and external
environment;
The Board should review the company's business and operational structure to
identify changes which might alter the risk profile; a typical example might be either
entry to, or withdrawal from, a volatile market.
■ The scope and quality of management's ongoing monitoring of risks and the system
of internal control, and, where applicable, the work of its internal audit function and
other providers of assurance;
The Board will wish to consider whether management's approach to the ongoing
monitoring of the system of internal control covers the key risks to the business in
what they believe to be an appropriate cycle and with a level of diligence that they
deem satisfactory. All directors, including the non-executive directors, will need to
form a view on how well the company is managed.
The internal audit function may provide significant additional comfort, provided it has
sufficient resources and authority to be effective.
■ The extent and frequency of the communication of the results of the monitoring to
the Board - or Board committees - which enables it to build up a cumulative
assessment of the state of control in the company and the effectiveness with which
risk is being managed;
The Board should consider whether it receives the output from the monitoring
process regularly enough for it to be able to form a timely opinion of the ongoing
effectiveness of the process. If the Board does not receive, review and act upon the
results of the monitoring on a timely basis, strategic decision making may be
impaired.
■ The incidence of significant control failings or weaknesses that have been identified
at any time during the period and the extent to which they have resulted in
unforeseen outcomes or contingencies that have had, could have had, or may in the
future have, a material impact on the company's financial performance or condition;
and
The Board will want to reflect on the incidence of control weaknesses which
occurred during the period and the effect which those weaknesses had, or could
have or still may have, on the organisation's results.
■ The effectiveness of the company‘s public reporting process. The efficiency of the
year end reporting process from all areas of the organisation will provide an
indication of the level of management control throughout the organisation.
Should the Board become aware at any time of a significant failing or weakness in internal
control, it should determine how the failing or weakness arose and reassess the
effectiveness of management's ongoing processes for designing, operating and
monitoring the system of internal control.
CHAPTER EIGHT
CHIEF AUDIT EXECUTIVE
8.1 Introduction
The chief audit executive (CAE), director of audit, director of internal audit, auditor
general, or controller general is a high-level independent corporate executive with
overall responsibility for internal audit.
Because the CAE understands risks and controls, company strategy and the
regulatory environment, the CAE may assume additional organizational
responsibilities beyond traditional internal auditing.
All the elements below should be granted to the CAE in the basic rules of the
organisation, or stated in the charter of audit approved by the audit committee and
promulgated in the organization (IIA Standard 1110 Organizational Independence,
and standard 1000C1).
The definition (and regular revision) of the scope of the function should be agreed
between the CAE and the audit committee. The internal audit's annual work plan,
which for practical reasons must be discussed with the auditees, is subject to the
approval of the audit committee alone, the board of directors, or other appropriate
governing authority.
The internal rules and practices of the directorate of internal audit (the audit manual)
are the responsibility of the CAE.
The CAE is liable to disciplinary action, but only with the concurrence of the audit
committee. This could happen if he/she is negligent in the performance of his/her duties.
However, the CAE in the performance of his daily work communicates and liaises
with the director-general and the staff of the organisation.
Develop and maintain a quality assurance and improvement program that covers all
aspects of the internal audit function, and continuously monitor its effectiveness.
In collaboration with the audit committee, ensure that a practice inspection or other
external review of the internal audit function is conducted at least every 3 years, by a
qualified, independent external review team, and that the results of this external
assessment are communicated to the audit committee.
Ensure that professional internal auditing standards are followed (e.g. IIA standards
or local standards).
ISO 9000 was first published in 1987 by ISO (International Organization for
Standardization). It was based on the BS 5750 series of standards from BSI that
were proposed to ISO in 1979. However, its history can be traced back some
twenty years before that, to the publication of government procurement standards,
such as the United States Department of Defense MIL-Q-9858 standard in 1959,
and the UK's Def Stan 05-21 and 05–24. Large organizations that supplied
government procurement agencies often had to comply with a variety of quality
assurance requirements for each contract awarded, which led the defense industry
to adopt mutual recognition of NATO AQAP, MIL-Q, and Def Stan standards.
Eventually, industries adopted ISO 9000 instead of forcing contractors to adopt
multiple—and often similar—requirements.
The global adoption of ISO 9001 may be attributable to a number of factors. In the
early days, the ISO 9001 (9002 and 9003) requirements were intended to be used
by procuring organizations, as the basis of contractual arrangements with their
suppliers. This helped reduce the need for "supplier development" by establishing
basic requirements for a supplier to assure product quality. The ISO 9001
requirements could be tailored to meet specific contractual situations, depending on
the complexity of product, business type (design responsibility, manufacture only,
distribution, servicing etc.) and risk to the procurer. If a chosen supplier was weak on
the controls of their measurement equipment (calibration), and hence QC/inspection
results, that specific requirement would be invoked in the contract. The adoption of a
single quality assurance requirement also leads to cost savings throughout the
supply chain by reducing the administrative burden of maintaining multiple sets of
quality manuals and procedures.
Heras et al. found similarly superior performance and demonstrated that this was
statistically significant and not a function of organization size. Naveha and Marcus
claimed that implementing ISO 9001 led to superior operational performance in the
U.S. automotive industry. Sharma identified similar improvements in operating
performance and linked this to superior financial performance. Chow-Chua et al.
showed better overall financial performance was achieved for companies in
Denmark. Rajan and Tamimi (2003) showed that ISO 9001 certification resulted in
superior stock market performance and suggested that shareholders were richly
rewarded for the investment in an ISO 9001 system.
While the connection between superior financial performance and ISO 9001 may be
seen from the examples cited, there remains no proof of direct causation, though
longitudinal studies, such as those of Corbett et al. (2005), may suggest it. Other
writers, such as Heras et al. (2002), have suggested that while there is some
evidence of this, the improvement is partly driven by the fact that there is a tendency
for better performing companies to seek ISO 9001 certification.
The mechanism for improving results has also been the subject of much research.
Lo et al. (2007) identified operational improvements (e.g., cycle time reduction,
inventory reductions) as following from certification. Internal process improvements
in organizations lead to externally observable improvements. The benefit of
increased international trade and domestic market share, in addition to the internal
benefits such as customer satisfaction, interdepartmental communications, work
processes, and customer/supplier partnerships derived, far exceeds any and all
initial investment.
Principle 2 – Leadership
Leaders establish unity of purpose and direction of the organization. They should
create and maintain the internal environment in which people can become fully
involved in achieving the organization's objectives.
Principle 5 – Improvement
Improvement of the organization's overall performance should be a permanent
objective of the organization.
ISO 9001:2015 Quality management systems — Requirements is a document of
approximately 30 pages available from the national standards organization in each
country. Only ISO 9001 is directly audited against for third-party assessment
purposes.
Essentially, the layout of the standard is similar to the previous ISO 9001:2008
standard in that it follows the Plan, Do, Check, Act cycle in a process-based
approach, but it now also encourages risk-based thinking (section 0.3.3 of the
introduction). The purpose of the quality objectives is to determine conformity with
the requirements (of customers and of the organization), facilitate effective
deployment and improve the quality management system.
Before the certification body can issue or renew a certificate, the auditor must be
satisfied that the company being assessed has implemented the requirements of
sections 4 to 10. Sections 1 to 3 are not directly audited against, but because they
provide context and definitions for the rest of the standard, not that of the
organization, their contents must be taken into account.
The standard no longer specifies that the organization shall issue and maintain
documented procedures, but ISO 9001:2015 requires the organization to document
any other procedures required for its effective operation. The standard also requires
the organization to issue and communicate a documented quality policy, a quality
management system scope, and quality objectives. The standard no longer requires
compliant organizations to issue a formal Quality Manual. The standard does require
retention of numerous records, as specified throughout the standard. New for the
2015 release is a requirement for an organization to assess risks and opportunities
(section 6.1) and to determine internal and external issues relevant to its purpose
and strategic direction (section 4.1).
The organization must demonstrate how the standard's requirements are being met,
while the external auditor's role is to determine the quality management system's
effectiveness. More detailed interpretation and implementation examples are often
sought by organizations seeking more information in what can be a very technical
area.
9.7 Certification
The International Organization for Standardization (ISO) does not certify
organisations itself. Numerous certification bodies exist, which audit organisations
and upon success, issue ISO 9001 compliance certificates. Although commonly
referred to as "ISO 9000" certification, the actual standard to which an organization's
quality management system can be certified is ISO 9001:2015 (ISO 9001:2008
expired around September 2018). Many countries have formed accreditation bodies
to authorize ("accredit") the certification bodies. Both the accreditation bodies and
the certification bodies charge fees for their services. The various accreditation
bodies have mutual agreements with each other to ensure that certificates issued by
one of the accredited certification bodies (CB) are accepted worldwide. Certification
bodies themselves operate under another quality standard, ISO/IEC 17021, while
accreditation bodies operate under ISO/IEC 17011.
ISO 9002:1987 Model for quality assurance in production, installation, and servicing
had basically the same material as ISO 9001 but without covering the creation of
new products.
ISO 9003:1987 Model for quality assurance in final inspection and test covered only
the final inspection of finished product, with no concern for how the product was
produced.
ISO 9000:1987 was also influenced by existing U.S. and other Defense Standards
("MIL SPECS"), and so was well-suited to manufacturing. The emphasis tended to
be placed on conformance with procedures rather than the overall process of
management, which was likely the actual intent.
Other standards, like ISO 19011 and the ISO 10000 series, may also be used for
specific parts of the quality system.
The new ISO 9001:2015 management system standard helps ensure that
consumers get reliable, desired quality goods and services. This further increases
benefits for a business.
The 2015 version is also less prescriptive than its predecessors and focuses on
performance. This was achieved by combining the process approach with risk-based
thinking, and employing the Plan-Do-Check-Act cycle at all levels in the
organization.
9.9 Auditing
Two types of auditing are required to become registered to the standard: auditing by
an external certification body (external audit) and audits by internal staff trained for
this process (internal audits). The aim is a continual process of review and
assessment to verify that the system is working as it is supposed to, to find out
where it can improve, and to correct or prevent identified problems. It is considered
healthier for internal auditors to audit outside their usual management line, so as to
bring a degree of independence to their judgments.
Over time, various industry sectors have wanted to standardize their interpretations
of the guidelines within their own marketplace. This is partly to ensure that their
versions of ISO 9000 have their specific requirements, but also to try and ensure
that more appropriately trained and experienced auditors are sent to assess them.
The TickIT guidelines are an interpretation of ISO 9000 produced by the UK Board
of Trade to suit the processes of the information technology industry, especially
software development.
ISO 13485:2016 is the medical industry's equivalent of ISO 9001. ISO 13485:2016 is
a stand-alone standard. Because ISO 13485 is relevant to medical device
manufacturers (unlike ISO 9001, which is applicable to any industry), and because
of the differences between the two standards relating to continual improvement,
compliance with ISO 13485 does not necessarily mean compliance with ISO 9001
(and vice versa).
ISO/IEC 90003:2014 provides guidelines for the application of ISO 9001 to computer
software.
ISO 17025:2017 is the Quality Management System applicable only to Testing and
Calibration Laboratories.
9.11 Effectiveness
The debate on the effectiveness of ISO 9000 commonly centers on the following
questions:
2. How well the ISO system integrates into current business practices: Many
organizations that implement ISO try to make their system fit into a cookie-cutter
quality manual instead of creating a manual that documents existing practices and
only adds new processes to meet the ISO standard when necessary.
3. How well the ISO system focuses on improving the customer experience: The
broadest definition of quality is "Whatever the customer perceives good quality to
be." This means that a company doesn't necessarily have to make a product that
never fails; some customers have a higher tolerance for product failures if they
always receive shipments on-time or have a positive experience in some other
dimension of customer service. An ISO system should take into account all areas of
the customer experience and the industry expectations, and seek to improve them
on a continual basis. This means taking into account all processes that deal with the
three stakeholders (customers, suppliers, and organization). Only then can a
company sustain improvements in the customer's experience.
4. How well the auditor finds and communicates areas of improvement: While ISO
auditors may not provide consulting to the clients they audit, there is the potential for
auditors to point out areas of improvement. Many auditors simply rely on
submitting reports that indicate compliance or non-compliance with the appropriate
section of the standard; however, to most executives, this is like speaking a foreign
language. Auditors that can clearly identify and communicate areas for improvement
in language and terms executive management understands facilitate action on
improvement initiatives by the companies they audit. When management doesn't
understand why they were non-compliant and the business implications associated
with noncompliance, they simply ignore the reports and focus on what they do
understand.
9.12 Advantages
Proper quality management can improve business, often having a positive effect on
investment, market share, sales growth, sales margins, competitive advantage, and
avoidance of litigation. The quality principles in ISO 9000:2000 are also sound,
according to Wade and Barnes, who say that "ISO 9000 guidelines provide a
comprehensive model for quality management systems that can make any company
competitive". Sroufe and Curkovic, (2008) found benefits ranging from registration
required to remain part of a supply base, better documentation, to cost benefits, and
improved involvement and communication with management. According to ISO the
2015 version of the standard brings the following benefits:
1. By assessing their context, organizations can define who is affected by their work
and what they expect. This enables clearly stated business objectives and the
identification of new business opportunities.
2. Organizations can identify and address the risks associated with their organization.
3. By putting customers first, organizations can make sure they consistently meet
customer needs and enhance customer satisfaction. This can lead to more repeat
customers, new clients and increased business for the organization.
4. Organizations work in a more efficient way as all their processes are aligned and
understood by everyone. This increases productivity and efficiency, bringing internal
costs down.
One study of the reasons for not adopting this standard cites the risks and
uncertainty of not knowing whether there are direct relationships to improved quality,
and what kind and how many resources will be needed. Additional risks include how
much certification will cost, increased bureaucratic processes and the risk of a poor
company image if the certification process fails.
Dalgleish argues that while "quality has a positive effect on return on investment,
market share, sales growth, better sales margins and competitive advantage,"
"taking a quality approach is unrelated to ISO 9000 registration." In fact, ISO itself
advises that ISO 9001 can be implemented without certification, simply for the
quality benefits that can be achieved.
Abrahamson argues that fashionable management discourse such as Quality Circles
tends to follow a lifecycle in the form of a bell curve, possibly indicating a
management fad.
Dytz argues that ISO 9001 certification is based on 7 management principles and
that companies are free to develop their internal tools and working methods;
however, the model adopted to audit and certify companies does not evaluate the
effectiveness of these methods. Even where a superficial analysis of this
effectiveness takes place, mainly constrained by the time available to audit these
companies, the certifications do not distinguish between two companies with the
same business model with regard to their internal capacity and quality of management.
Lastly, the standard itself is proprietary, and not open to inspection by the general
public. It may be purchased from the ISO for 178 Swiss Francs.
CHAPTER TEN
CORPORATE GOVERNANCE
10.1 Introduction
Corporate governance is the collection of mechanisms, processes and relations
used by various parties to control and to operate a corporation. Governance
structures and principles identify the distribution of rights and responsibilities among
different participants in the corporation (such as the board of directors, managers,
shareholders, creditors, auditors, regulators, and other stakeholders) and include the
rules and procedures for making decisions in corporate affairs. Corporate
governance is necessary because of the possibility of conflicts of interests between
stakeholders, primarily between shareholders and upper management or among
shareholders.
Corporate scandals of various forms have maintained public and political interest in
the regulation of corporate governance. In the U.S. these have included scandals
surrounding Enron and MCI Inc. (formerly WorldCom). Their demise led to the
enactment of the Sarbanes–Oxley Act in 2002, a U.S. federal law intended to
improve corporate governance in the United States. Comparable failures in Australia
(HIH, One.Tel) are associated with the eventual passage of the CLERP 9 reforms
there (2004) that similarly aimed to improve corporate governance. Similar corporate
failures in other countries stimulated increased regulatory interest (e.g., Parmalat in
Italy).
Corporate governance has also been more narrowly defined as "a system of law and
sound approaches by which corporations are directed and controlled focusing on the
internal and external corporate structures with the intention of monitoring the actions
of management and directors and thereby, mitigating agency risks which may stem
from the misdeeds of corporate officers."
Corporate governance has also been defined as "the act of externally directing,
controlling and evaluating a corporation" and related to the definition of Governance
as "The act of externally directing, controlling and evaluating an entity, process or
resource." In this sense, governance and corporate governance are different from
management because governance must be EXTERNAL to the object being
governed. Governing agents do not have personal control over, and are not part of
the object that they govern. For example, it is not possible for a CIO to govern the IT
function. They are personally accountable for the strategy and management of the
function. As such, they "manage" the IT function; they do not "govern" it. At the same
time, there may be a number of policies, authorized by the board that the CIO
follows. When the CIO is following these policies, they are performing "governance"
activities because the primary intention of the policy is to serve a governance
purpose. The board is ultimately "governing" the IT function because they stand
outside of the function and are only able to externally direct, control and evaluate the
IT function by virtue of established policies, procedures and indicators. Without
these policies, procedures and indicators, the board has no way of governing, let
alone affecting the IT function in any way.
One source defines corporate governance as "the set of conditions that shapes the
ex post bargaining over the quasi-rents generated by a firm." The firm itself is
modeled as a governance structure acting through the mechanisms of contract.
Here corporate governance may include its relation to corporate finance.
10.2 Background
The need for corporate governance follows the need to mitigate conflicts of interests
between stakeholders in corporations. These conflicts of interests appear as a
consequence of diverging wants between both shareholders and upper
management (principal–agent problems) and among shareholders (principal–principal
problems), although other stakeholder relations are also affected and
coordinated through corporate governance.
10.5 Principles
Contemporary discussions of corporate governance tend to refer to principles raised
in three documents released since 1990: The Cadbury Report (UK, 1992), the
Principles of Corporate Governance (OECD, 1999, 2004 and 2015), and the
Sarbanes–Oxley Act of 2002 (US, 2002). The Cadbury and Organisation for
Economic Co-operation and Development (OECD) reports present general
principles around which businesses are expected to operate to assure proper
governance. The Sarbanes–Oxley Act, informally referred to as Sarbox or Sox, is an
attempt by the federal government in the United States to legislate several of the
principles recommended in the Cadbury and OECD reports.
2. Interests of other stakeholders: Organizations should recognize that they have legal,
contractual, social, and market driven obligations to non-shareholder stakeholders,
including employees, investors, creditors, suppliers, local communities, customers,
and policy makers.
4. Role and responsibilities of the board: The board needs sufficient relevant skills and
understanding to review and challenge management performance. It also needs
adequate size and appropriate levels of independence and commitment.
5. Disclosure and transparency: Organizations should clarify and make publicly known
the roles and responsibilities of board and management to provide stakeholders with
a level of accountability. They should also implement procedures to independently
verify and safeguard the integrity of the company's financial reporting. Disclosure of
material matters concerning the organization should be timely and balanced to
ensure that all investors have access to clear, factual information.
10.6 Models
Different models of corporate governance differ according to the variety of capitalism
in which they are embedded. The Anglo-American "model" tends to emphasize the
interests of shareholders. The coordinated or multistakeholders model associated
with Continental Europe and Japan also recognizes the interests of workers,
managers, suppliers, customers, and the community. A related distinction is
between market oriented and network-oriented models of corporate governance.
In the United States, corporations are directly governed by state laws, while the
exchange (offering and trading) of securities in corporations (including shares) is
governed by federal legislation. Many US states have adopted the Model Business
Corporation Act, but the dominant state law for publicly traded corporations is
Delaware General Corporation Law, which continues to be the place of incorporation
for the majority of publicly traded corporations. Individual rules for corporations are
based upon the corporate charter and, less authoritatively, the corporate bylaws.
Shareholders cannot initiate changes in the corporate charter although they can
initiate changes to the corporate bylaws.
It is sometimes colloquially stated that in the US and the UK "the shareholders own
the company". This is, however, a misconception as argued by Eccles & Youmans
(2015) and Kay (2015).
Founder-run companies, such as Facebook, Netflix and Google are at the forefront
of a new wave of organizational structure better suited to long-term value creation.
Founder centrism, an inclusive concept within CEO theory, integrates the capacity of
founder and non-founder senior leadership to adopt an owner's mindset in
traditionally structured corporations, such as Thomas J. Watson Sr. and Thomas
Watson Jr. with IBM, Steve Jobs and Tim Cook with Apple, Jamie Dimon with
JPMorgan Chase, Lloyd Blankfein with Goldman Sachs, Rick George with Suncor
Energy, and many others. In substance, all fall within the ambit of founder
centrism—leaders with a founder's mindset, an ethical disposition towards the
shareholder collective, and an intense focus on exponential value creation without
enslavement to a quarter-by-quarter upward growth trajectory.
10.9.1 Regulations
Corporations are created as legal persons by the laws and regulations of a particular
jurisdiction. These may vary in many respects between countries, but a corporation's
legal person status is fundamental to all jurisdictions and is conferred by statute.
This allows the entity to hold property in its own right without reference to any
particular real person. It also results in the perpetual existence that characterizes the
modern corporation. The statutory granting of corporate existence may arise from
general purpose legislation (which is the general case) or from a statute to create a
specific corporation, which was the only method prior to the 19th century.
In addition to the statutory laws of the relevant jurisdiction, corporations are subject
to common law in some countries, and various laws and regulations affecting
business practices. In most jurisdictions, corporations also have a constitution that
provides individual rules that govern the corporation and authorize or constrain its
decision makers. This constitution is identified by a variety of terms; in English-
speaking jurisdictions, it is usually known as the Corporate Charter or the
Memorandum and Articles of Association. The capacity of shareholders to modify
the constitution of their corporation can vary substantially.
The U.S. passed the Foreign Corrupt Practices Act (FCPA) in 1977, with subsequent
modifications. This law made it illegal to bribe government officials and required
corporations to maintain adequate accounting controls. It is enforced by the U.S.
Department of Justice and the Securities and Exchange Commission (SEC).
Substantial civil and criminal penalties have been levied on corporations and
executives convicted of bribery.
The UK passed the Bribery Act in 2010. This law made it illegal to bribe either
government or private citizens or make facilitating payments (i.e., payment to a
government official to perform their routine duties more quickly). It also required
corporations to establish controls to prevent bribery.
The chief executive officer (CEO) and chief financial officer (CFO) attest to the
financial statements. Prior to the law, CEOs had claimed in court they hadn't
reviewed the information as part of their defense.
Board audit committees have members that are independent and disclose whether
or not at least one is a financial expert, or reasons why no such expert is on the
audit committee.
External audit firms cannot provide certain types of consulting services and must
rotate their lead partner every 5 years. Further, an audit firm cannot audit a company
if those in specified senior management roles worked for the auditor in the past year.
Prior to the law, there was the real or perceived conflict of interest between providing
an independent opinion on the accuracy and reliability of financial statements when
the same firm was also providing lucrative consulting services.
10.9.3 Codes and Guidelines
Corporate governance principles and codes have been developed in different
countries and issued from stock exchanges, corporations, institutional investors, or
associations (institutes) of directors and managers with the support of governments
and international organizations. As a rule, compliance with these governance
recommendations is not mandated by law, although the codes linked to stock
exchange listing requirements may have a coercive effect.
One of the most influential guidelines on corporate governance is the G20/OECD
Principles of Corporate Governance, first published as the OECD Principles in 1999,
revised in 2004 and revised again and endorsed by the G20 in 2015. The Principles
are often referenced by countries developing local codes or guidelines. Building on
the work of the OECD, other international organizations, private sector associations
and more than 20 national corporate governance codes formed the United Nations
Intergovernmental Working Group of Experts on International Standards of
Accounting and Reporting (ISAR) to produce their Guidance on Good Practices in
Corporate Governance Disclosure. This internationally agreed benchmark consists
of more than fifty distinct disclosure items across five broad categories:
1. Auditing
2. Board and management structure and process
3. Corporate responsibility and compliance in organization
4. Financial transparency and information disclosure
5. Ownership structure and exercise of control rights
Boards organize their members into committees with specific responsibilities per
defined charters. "Listed companies must have a nominating/corporate governance
committee composed entirely of independent directors." This committee is
responsible for nominating new members for the board of directors. Compensation
and Audit Committees are also specified, with the latter subject to a variety of listing
standards as well as outside regulations.
The World Business Council for Sustainable Development (WBCSD) has done work
on corporate governance, particularly on accounting and reporting. In 2009, the
International Finance Corporation and the UN Global Compact released a report,
"Corporate Governance: the Foundation for Corporate Citizenship and Sustainable
Business," linking the environmental, social and governance responsibilities of a
company to its financial performance and long-term sustainability.
Most codes are largely voluntary. An issue raised in the U.S. since the 2005 Disney
decision is the degree to which companies manage their governance
responsibilities; in other words, do they merely try to supersede the legal threshold,
or should they create governance guidelines that ascend to the level of best
practice. For example, the guidelines issued by associations of directors, corporate
managers and individual companies tend to be wholly voluntary, but such
documents may have a wider effect by prompting other companies to adopt similar
practices.
CHAPTER ELEVEN
AUDIT RISK
11.1 Introduction
Audit risk (also referred to as residual risk) refers to the risk that an auditor may
issue an unqualified report due to the auditor's failure to detect material
misstatement either due to error or fraud. This risk is composed of:
1. Inherent Risk (IR): The risk involved in the nature of the business or transaction.
For example, transactions involving the exchange of cash may have a higher IR than
transactions settled by cheque. The term inherent risk may have other definitions in
other contexts;
2. Control Risk (CR): The risk that a misstatement may not be prevented, or detected
and corrected, due to weakness in the entity's internal control mechanism. For
example, the control risk assessment may be higher in an entity where separation of
duties is not well defined; and
3. Detection Risk (DR): The probability that the auditing procedures may fail to detect
the existence of a material error or fraud. Detection risk may be due to sampling error
or non-sampling error.
11.3 ERM Frameworks Defined
There are various important ERM frameworks, each of which describes an approach
for identifying, analyzing, responding to, and monitoring risks and opportunities,
within the internal and external environment facing the enterprise. Management
selects a risk response strategy for specific risks identified and analyzed, which may
include:
Avoidance: exiting the activities giving rise to risk
Reduction: taking action to reduce the likelihood or impact related to the risk
Alternative Actions: deciding and considering other feasible steps to minimize risks
1. Hazard risk
3. Financial risk
5. Operational risk
7. Strategic risks
4. Integrating Risks: This includes the aggregation of all risk distributions, reflecting
correlations and portfolio effects, and the formulation of the results in terms of impact
on the organization's key performance metrics.
7. Monitoring and Reviewing: This includes the continual measurement and monitoring
of the risk environment and the performance of the risk management strategies.
The COSO ERM Framework has eight Components and four objectives categories.
It is an expansion of the COSO Internal Control-Integrated Framework published in
1992 and amended in 1994. The eight components - additional components
highlighted - are:
4. Risk Assessment
5. Risk Response
8. Monitoring
The four objectives categories - additional components highlighted - are:
1. Strategy - high-level goals, aligned with and supporting the organization's mission
1. ERM-based approach
5. Uncovering risks
6. Performance management
The model was developed by Steven Minsky, CEO of Logic Manager, and published
by the Risk and Insurance Management Society in collaboration with the RIMS ERM
Committee. The Risk Maturity Model is based on the Capability Maturity Model,
a methodology founded by the Carnegie Mellon University Software Engineering
Institute (SEI) in the 1980s.
unified picture of risk for stakeholders and improving the organization's ability to
manage the risks effectively.
CHAPTER TWELVE
COMPLIANCE
12.1 Introduction
In general, compliance means conforming to a rule, such as a specification, policy,
standard or law. Regulatory compliance describes the goal that organizations aspire
to achieve in their efforts to ensure that they are aware of and take steps to comply
with relevant laws, policies, and regulations. Due to the increasing number of
regulations and need for operational transparency, organizations are increasingly
adopting the use of consolidated and harmonized sets of compliance controls. This
approach is used to ensure that all necessary governance requirements can be met
without the unnecessary duplication of effort and activity from resources.
Regulations and accrediting organizations vary among fields, with examples such as
PCI-DSS and GLBA in the financial industry, FISMA for U.S. federal agencies,
HACCP for the food and beverage industry, and the Joint Commission and HIPAA in
healthcare. In some cases, other compliance frameworks (such as COBIT) or even
standards (NIST) inform on how to comply with regulations.
Some organizations keep compliance data (all data belonging or pertaining to the
enterprise or included in the law, which can be used for the purpose of implementing
or validating compliance) in a separate store for meeting reporting requirements.
Compliance software is increasingly being implemented to help companies manage
their compliance data more efficiently. This store may include calculations, data
transfers, and audit trails.
12.2 By Nation
Regulatory compliance varies not only by industry but often by location. The
financial, research, and pharmaceutical regulatory structures in one country, for
example, may be similar but with particularly different nuances in another country.
These similarities and differences are often a product of reactions to the changing
objectives and requirements in different countries, industries, and policy contexts.
The Business Motivation Model was initially developed by the Business Rules Group
(BRG). In September 2005, the Object Management Group (OMG) voted to accept the
Business Motivation Model as the subject of a Request for Comment (RFC). This meant
that the OMG was willing to consider the Business Motivation Model as a specification
to be adopted by the OMG, subject to comment from any interested parties. Adoption
as an OMG specification carries the intention that the Business Motivation Model
would, in time, be submitted to the International Organization for Standardization
(ISO) as a standard.
12.3.2 Elements
"BMM captures business requirements across different dimensions to rigorously
capture and justify why the business wants to do something, what it is aiming to
achieve, how it plans to get there, and how it assesses the result."
12.5 Overview
Governance, risk management, and compliance are three related facets that aim to
assure an organization reliably achieves objectives, addresses uncertainty and acts
with integrity. Governance is the combination of processes established and executed
by the directors (or the board of directors) that are reflected in the organization's
structure and how it is managed and led toward achieving goals. Risk management
is predicting and managing risks that could hinder the organization from reliably
achieving its objectives under uncertainty. Compliance refers to adhering to the
mandated boundaries (laws and regulations) and voluntary boundaries (company's
policies, procedures, etc.).
Organizations reach a size where coordinated control over GRC activities is required
to operate effectively. Each of these three disciplines creates information of value to
the other two, and all three impact the same technologies, people, processes and
information.
A fully integrated GRC uses a single core set of control material, mapped to all of the
primary governance factors being monitored. The use of a single framework also
has the benefit of reducing the possibility of duplicated remedial actions.
When reviewed as individual GRC areas, the three most common individual
headings are considered to be Financial GRC, IT GRC, and Legal GRC.
Financial GRC relates to the activities that are intended to ensure the correct
operation of all financial processes, as well as compliance with any finance-related
mandates.
IT GRC relates to the activities intended to ensure that the IT (Information
Technology) organization supports the current and future needs of the business, and
complies with all IT-related mandates.
Legal GRC focuses on tying together all three components via an organization's
legal department and chief compliance officer.
Analysts disagree on how these aspects of GRC are defined as market categories.
Gartner has stated that the broad GRC market includes the following areas:
2. IT GRC management
They further divide the IT GRC management market into these key capabilities.
Although this list relates to IT GRC, a similar list of capabilities would be suitable for
other areas of GRC.
7. IT Asset repository
10. Reporting
Due to the dynamic nature of this market, any vendor analysis is often out of date
relatively soon after its publication.
Point solutions to GRC relate to enterprise-wide governance, enterprise-wide risk or
enterprise-wide compliance, but not to these in combination.
Integrated GRC solutions attempt to unify the management of these areas, rather
than treat them as separate entities. An integrated solution is able to administer one
central library of compliance controls, but manage, monitor and present them
against every governance factor. For example, in a domain specific approach, three
or more findings could be generated against a single broken activity. The integrated
solution recognizes this as one break relating to the mapped governance factors.
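The mapping the paragraph describes, written out as an added example that is not part of the original text: a single control library whose controls are mapped to several governance factors, compared with the per-mandate view that raises one finding per factor. The control ids, remedial actions and factor mappings are constructed placeholders (the factor names are mandates this chapter mentions; the clause mappings are not real).

```python
from collections import defaultdict

# Central control library (constructed): control id -> (remedial action, governance
# factors the control satisfies). The factor names are mandates the chapter mentions;
# the mappings themselves are illustrative placeholders, not real clause references.
CONTROL_LIBRARY = {
    "AC-01": ("Re-run the quarterly user access review", {"PCI-DSS", "HIPAA", "SOX"}),
    "LG-02": ("Restore central audit log retention", {"PCI-DSS", "HIPAA", "FISMA"}),
    "CM-03": ("Enforce change approval before deployment", {"SOX", "FISMA"}),
}


def failed_controls(test_results):
    """test_results maps control id -> True (passed) / False (broken)."""
    return sorted(cid for cid, passed in test_results.items() if not passed)


def point_solution_findings(test_results):
    """Domain-specific approach: each mandate's own tool raises its own finding,
    so one broken control yields one finding (and one remedial ticket) per factor."""
    findings = []
    for cid in failed_controls(test_results):
        action, factors = CONTROL_LIBRARY[cid]
        for factor in sorted(factors):
            findings.append({"factor": factor, "control": cid, "remediation": action})
    return findings


def integrated_findings(test_results):
    """Integrated approach: one break per control, carrying every mapped factor."""
    return [{"control": cid,
             "factors": sorted(CONTROL_LIBRARY[cid][1]),
             "remediation": CONTROL_LIBRARY[cid][0]}
            for cid in failed_controls(test_results)]


def failing_factors(test_results):
    """Present the same breaks against each governance factor being monitored."""
    by_factor = defaultdict(list)
    for finding in integrated_findings(test_results):
        for factor in finding["factors"]:
            by_factor[factor].append(finding["control"])
    return {factor: sorted(controls) for factor, controls in sorted(by_factor.items())}


def duplicated_actions_avoided(test_results):
    """Remedial tickets the integrated view saves compared with per-mandate tooling."""
    return len(point_solution_findings(test_results)) - len(integrated_findings(test_results))
```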
An initial goal of splitting out GRC into a separate market has left some vendors
confused about the lack of movement. It is thought that a lack of deep education
within a domain on the audit side, coupled with a mistrust of audit in general causes
a rift in a corporate environment. However, there are vendors in the marketplace
that, while remaining domain-specific, have begun marketing their product to end
users and departments that, while either tangential or overlapping, have expanded
to include the corporate internal audit (CIA) and external audit teams (tier 1
big four AND tier two and below), information security and operations/production as
the target audience.
This approach provides a more 'open book' view of the process. If the production
team will be audited by CIA using an application that production also has access to,
this is thought to reduce risk more quickly, as the end goal is not to be 'compliant'
but to be 'secure,' or as secure as possible.
Point solutions to GRC are marked by their focus on addressing only one of its
areas. In some cases of limited requirements, these solutions can serve a viable
purpose. However, because they tend to have been designed to solve domain
specific problems in great depth, they generally do not take a unified approach and
are not tolerant of integrated governance requirements. Information systems will
address these matters better if the requirements for GRC management are
incorporated at the design stage, as part of a coherent framework.
12.9 GRC Data Warehousing and Business Intelligence
GRC vendors with an integrated data framework are now able to offer custom built
GRC data warehouse and business intelligence solutions. This allows high value
data from any number of existing GRC applications to be collated and analysed.
The aggregation of GRC data using this approach adds significant benefit in the
early identification of risk and business process (and business control) improvement.
Further benefits to this approach include (i) it allows existing, specialist and high
value applications to continue without impact (ii) organizations can manage an
easier transition into an integrated GRC approach because the initial change is only
adding to the reporting layer and (iii) it provides a real-time ability to compare and
contrast data value across systems that previously had no common data scheme.
CHAPTER THIRTEEN
RECORDS MANAGEMENT
13.1 Introduction
Records management, also known as records and information management, is an
organizational function devoted to the management of information in an organization
throughout its life cycle, from the time of creation or receipt to its eventual
disposition. This includes identifying, classifying, storing, securing, retrieving,
tracking and destroying or permanently preserving records. The ISO 15489-1: 2001
standard ("ISO 15489-1:2001") defines records management as "[the] field of
management responsible for the efficient and systematic control of the creation,
receipt, maintenance, use and disposition of records, including the processes for
capturing and maintaining evidence of and information about business activities and
transactions in the form of records."
Records may be covered by access controls to regulate who can access them and
under what circumstances. Physical controls may be used to keep confidential
records secure – personnel files, for instance, which hold sensitive personal data,
may be held in a locked cabinet with a control log to track access. Digital records
systems may include role-based access controls, allowing permissions (to view,
change and/or delete) to be allocated to staff depending on their role in the
organisation. An audit trail showing all access and changes can be maintained to
ensure the integrity of the records.
Just as the records of the organization come in a variety of formats, the storage of
records can vary throughout the organization. File maintenance may be carried out
by the owner, designee, a records repository, or clerk. Records may be managed in
a centralized location, such as a records center or repository, or the control of
records may be decentralized across various departments and locations within the
entity. Records may be formally and discretely identified by coding and housed in
folders specifically designed for optimum protection and storage capacity, or they
may be casually identified and filed with no apparent indexing. Organizations that
manage records casually find it difficult to access and retrieve information when
needed. The inefficiency of filing maintenance and storage systems can prove to be
costly in terms of wasted space and resources expended searching for records.
A disaster recovery plan is a written and approved course of action to take after a
disaster strikes that details how an organization will restore critical business
functions and reclaim damaged or threatened records.
The format and media of records is generally irrelevant for the purposes of records
management from the perspective that records must be identified and managed,
regardless of their form. The ISO considers management of both physical and
electronic records. Also, section DL1.105 of the United States Department of
Defense standard DoD 5015.02-STD (2007) defines Records Management as "the
planning, controlling, directing, organizing, training, promoting, and other managerial
activities involving the life cycle of information, including creation, maintenance (use,
storage, retrieval), and disposal, regardless of media."
Throughout the records life cycle, issues such as security, privacy, disaster
recovery, emerging technologies, and mergers are addressed by the records and
information management professional responsible for organizational programs.
Records and information management professionals are instrumental in controlling
and safeguarding the information assets of the entity. They understand how to
manage the creation, access, distribution, storage, and disposition of records and
information in an efficient and cost-effective manner using records and information
management methodology, principles, and best practices in compliance with records
and information laws and regulations.
4. Developing a records storage plan; this includes the short- and long-term housing of
physical records and digital information
Executing a retention policy on the disposal of records which are no longer required
for operational reasons; according to organizational policies, statutory requirements,
and other regulations this may involve either their destruction or permanent
preservation in an archive.
While defensibility applies to all aspects of records life cycle, it is considered most
important in the context of records destruction, where it is known as "defensible
disposition" or "defensible destruction," and helps an organization explicitly justify
and prove things like who destroys records, why they destroy them, how they
destroy them, when they destroy them, and where they destroy them.
13.6 Classification
Records managers use classification or categorization of record types as a means of
working with records. Such classifications assist in functions such as creation,
organization, storage, retrieval, movement, and destruction of records.
At the highest level of classification are physical versus electronic records. (This is
disputable; records are defined as such regardless of media. ISO 15489 and other
best practices promulgate a functions based, rather than media based classification,
because the law defines records as certain kinds of information regardless of
media.)
Physical records are those records, such as paper, that can be touched and which
take up physical space.
Electronic records, also often referred to as digital records, are those records that
are generated with and used by information technology devices.
The types of enterprises that produce and work with such records include but are not
limited to for-profit companies, non-profit companies, and government agencies.
Legal hold data traits may include but are not limited to things such as legal hold
flags (e.g. Legal Hold = True or False), the organization driving the legal hold,
descriptions of why records must be legally held, what period of time records must
be held for, and the hold location.
13.10 Records Retention Schedule
A record retention schedule is a document, often developed using archival appraisal
concepts and analysis of business and legal contexts within the intended
jurisdictions that outlines how long certain types of records need to be retained for
before they can be destroyed.
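An added example (not code from the original text) that ties together three controls this chapter describes: the role-based permissions and audit trail of section 13.1, the legal hold flag of the classification section, and the retention schedule just defined. The roles, record types, retention periods and record ids are constructed; the audit trail is made tamper-evident by hash-chaining entries, which is one common way to back the "integrity of the records" the text asks for.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import json

# Role-based permissions (constructed): which actions each role may perform.
ROLE_PERMISSIONS = {
    "hr_clerk": {"view"},
    "hr_manager": {"view", "change"},
    "records_manager": {"view", "change", "delete"},
}

# Retention schedule (constructed): record type -> years to keep from creation.
RETENTION_YEARS = {
    "personnel_file": 7,
    "purchase_receipt": 5,
}


@dataclass
class Record:
    record_id: str
    record_type: str
    created: date
    legal_hold: bool = False   # "Legal Hold = True" blocks disposal regardless of schedule


class RecordsSystem:
    """Holds records plus a hash-chained audit trail of every access attempt."""

    def __init__(self):
        self.records = {}
        self.audit_trail = []

    def add(self, record):
        self.records[record.record_id] = record

    def _log(self, user, role, action, record_id, outcome):
        # Each entry carries the hash of the previous one, so editing or removing
        # an earlier entry breaks the chain and is caught by verify_audit_trail().
        prev = self.audit_trail[-1]["hash"] if self.audit_trail else "0" * 64
        entry = {"user": user, "role": role, "action": action,
                 "record_id": record_id, "outcome": outcome, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.audit_trail.append(entry)

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def retention_expired(self, record, today):
        # Approximates calendar years as 365 days; a real schedule would apply
        # the jurisdiction's own counting rules.
        years = RETENTION_YEARS[record.record_type]
        return today >= record.created + timedelta(days=365 * years)

    def access(self, user, role, action, record_id, today):
        """Apply RBAC, then legal hold and retention checks for disposal; log everything."""
        record = self.records.get(record_id)
        if record is None:
            outcome = "denied: no such record"
        elif action not in ROLE_PERMISSIONS.get(role, set()):
            outcome = "denied: role lacks permission"
        elif action == "delete" and record.legal_hold:
            outcome = "denied: legal hold"
        elif action == "delete" and not self.retention_expired(record, today):
            outcome = "denied: retention period not expired"
        else:
            outcome = "allowed"
            if action == "delete":
                del self.records[record_id]
        self._log(user, role, action, record_id, outcome)
        return outcome == "allowed"

    def disposal_candidates(self, today):
        """Records the schedule allows to be destroyed today (defensible disposition)."""
        return sorted(r.record_id for r in self.records.values()
                      if not r.legal_hold and self.retention_expired(r, today))

    def denied_attempts(self):
        """Periodic review: every access that was refused, for follow-up."""
        return [e for e in self.audit_trail if e["outcome"].startswith("denied")]

    def verify_audit_trail(self):
        """True if no entry has been altered, removed or inserted."""
        prev = "0" * 64
        for entry in self.audit_trail:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True
```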
the records. These can also be used for periodic auditing to identify unauthorized
movement of the record.
Commercially available products can manage records through all processes active,
inactive, archival, retention scheduling and disposal. Some also utilize RFID
technology for the tracking of the physical file.
Functional requirements for computer systems to manage digital records have been
produced by the US Department of Defense, the United Kingdom's National Archives
and the European Commission, whose MoReq (Model Requirements for the
Management of Electronic Records) specification has been translated into at least
twelve languages with funding from the European Commission.
Particular concerns exist about the ability to access and read digital records over
time, since the rapid pace of change in technology can make the software used to
create the records obsolete, leaving the records unreadable. A considerable amount
of research is being undertaken to address this, under the heading of digital
preservation. The Public Record Office Victoria (PROV) located in Melbourne,
Australia published the Victorian Electronic Records Strategy (VERS) which includes
a standard for the preservation, long-term storage and access to permanent
electronic records. The VERS standard has been adopted by all Victorian
Government departments. A digital archive has been established by PROV to
enable the general public to access permanent records. Archives New Zealand is
also setting up a digital archive.
Businesses and individuals wishing to convert their paper records into scanned
copies may be at risk if they do so. For example, it is unclear if an IRS auditor would
accept a JPEG, PNG, or PDF format scanned copy of a purchase receipt for a
deducted expense item.
13.18.2 Security
Privacy, data protection, and identity theft have become issues of increasing
interest. The role of the records manager in the protection of an organization's
records has grown as a result. The need to ensure personal information is not
retained unnecessarily has brought greater focus to retention schedules and records
disposal.
13.18.3 Transparency
The increased importance of transparency and accountability in public
administration, marked by the widespread adoption of Freedom of Information laws,
has led to a focus on the need to manage records so that they can be easily
accessed by the public. For instance, in the United Kingdom, Section 46 of the
Freedom of Information Act 2000 required the government to publish a Code of
Practice on Records Management for public authorities. Similarly, European Union
legislation on Data Protection and
13.18.4 Adoption and Implementation
Implementing required changes to organisational culture is a major challenge, since
records management is often seen as an unnecessary or low priority administrative
task that can be performed at the lowest levels within an organization. Reputational
damage caused by poor records management has demonstrated that records
management is the responsibility of all individuals within an organization.
An issue that has been very controversial among records managers has been the
uncritical adoption of Electronic document and records management systems.
The National Archives in the UK has published two sets of functional requirements to
promote the development of the electronic records management software market
(1999 and 2002). It ran a program to evaluate products against the 2002
requirements. While these requirements were initially formulated in collaboration
with central government, they have been taken up with enthusiasm by many parts of
the wider public sector in the UK and in other parts of the world. The testing program
has now closed; The National Archives is no longer accepting applications for
testing. The National Archives 2002 requirements remain current.
The European Commission has published "MoReq", the Model Requirements for
Electronic Records and Document Management in 2001. Although not a formal
standard, it is widely regarded and referred to as a standard. This was funded by the
Commission's IDA program, and was developed at the instigation of the DLM Forum.
A major update of MoReq, known as MoReq2, was published in February 2008. This
too was initiated by the DLM Forum and funded by the European Commission, on
this occasion by its IDABC program (the successor to IDA). A software testing
framework and an XML schema accompany MoReq2; a software compliance testing
regime was agreed at the DLM Forum conference in Toulouse in December 2008.
The National Archives of Australia (NAA) published the Functional Specifications for
Electronic Records Management Systems Software (ERMS), and the associated
Guidelines for Implementing the Functional Specifications for Electronic Records
Management Systems Software, as exposure drafts in February 2006.