Internal Audit-Best Practices

Sonali Singh

The Cambridge dictionary defines best practice as a working method (or set of working methods), which is officially accepted as being the best to use in a particular business or industry. These methods or best practices are usually described formally or in detail. Therefore, best practices are those generally understood operational characteristics of organizations, or procedures that have proved to be successful in practice.

The concept of best practice belongs to the field of management and is described by management gurus as the most efficient and effective way of accomplishing a task, based on repeatable procedures that have proven themselves over time for large numbers of people. About a hundred years ago Fredrick Taylor stated that among the various methods and implements used in each element of each trade there is always one method and one implement which is quicker and better than any of the rest. However, by its very definition, best practice is a dynamic concept, an approach based around continuous learning and improvement, rather than a static, inflexible, unchanging method of doing things. Best practices also change and/or improve as times change and things evolve. What is critical is the adoption of good processes and proper planning, even following a standard way of doing things that other successful organizations are doing, but at the same time, the adaptation and molding of these best practices to suit the particular needs and to balance the uniqueness of an organization with practices it has in common with other organizations. Therefore while best practices do not have one template or form for everyone to follow, it can certainly be the idea that with the proper processes and planning, the organization can achieve the desired result with fewer problems and unforeseen complications. What is needed is the commitment to using all the knowledge and technology at ones disposal to ensure success of the organization.

Internal Audit and Good Governance An effective internal audit function is a fundamental component of good governanceCanada Office of the Auditor General. The terms governance and good governance are widely used today. Traditionally governance refers to forms of political systems and the manner in which power is exercised in utilizing a countrys economic and social resources for development. It has also been described as a process of decision making and the process by which decisions are implemented or not implemented. It involves public institutions in the conduct of public affairs and the management of public resources, which should be utilized most efficiently and effectively. Good governance has been described as an ideal which can be understood as a set of eight characteristics i.e. participation, rule of law, transparency, responsiveness, consensus orientation, equity and inclusiveness, effectiveness and efficiency, and accountability. It involves transparency which means that the decisions taken and their enforcement done in a manner that follows rules and regulations. Good governance means responsiveness. It means effectiveness and efficiency in ensuring that processes and institutions produce results that meet the needs of society while making the best use of resources at their disposal. It necessitates accountability which means that government institutions will be accountable to the public, and to all those who are affected by their decisions.

The 1992 World Bank report entitled Governance and Development identified seven specific aspects of good governance, which became a concern in considering projects for assistance and these included public sector management, accountability, transparency etc. Good governance therefore became very much a part of the reforms agenda and entered the lexicon of governments of developing countries. India was no exception. The process however had started somewhat earlier worldwide, with governments embarking on an ambitious journey to improve government performance- the New Public Management, under which reformers have sought to radically change the manner in which the public business is conducted. All the initiatives whether under the banner of

New Public Management in New Zealand and the United Kingdom or reinventing government in the United States, seek to improve governmental performance by emphasizing customer service, decentralization, market mechanisms, cross functional collaboration and accountability for results.

While public sector reforms are pervasive in the developing countries, what is required is a citizen centric governance framework which combines participatory decentralization, with results oriented management and evaluation. Traditionally evaluations have tended to be uni- dimensional, concentrating only on fiscal probity and rule adherence. These trends are in evidence in India as well since the government has embarked upon reforms. The Fiscal Responsibility and Budget Management (FRBM) Act seeks to put in place stringent fiscal controls in government, the Right to Information Act seeks to bring about transparency and accountability in governments functioning. With the introduction of the Outcome Budget the Government has addressed the need to track not just the intermediate physical outputs of schemes/programmes but also the outcomes which are the end objectives of State interventions. In this scenario internal audit can act as a powerful tool to improve accountability, it can give the required inputs which can be fed into the planning process, inputs that can be utilized to monitor implementation.

The audit function has traditionally been seen as being part of the governments financial management function, and increasingly as a way for improving the performance of the government sector. It has provided assurance that public funds received and spent are in compliance with appropriations and other relevant laws, and that the reported use of funds is a fair and accurate representation of the financial position of the government. Beyond this, audit in many countries has evolved to take a more comprehensive view of the economic and social implications of governments operations or value-for-money or performance audit. In recent years the demand for greater transparency and accountability in governments, has resulted in a move by managers within government organizations, to improve internal audit procedures in a way that would ensure some protection from adverse reports of external audit and also so that internal audit gives them so minimal level of assurances.

Against the background of the plethora of reforms in monetary and fiscal management and the complex challenges being thrown up by the second generation of reforms within the country, the Government felt the need to have a re look at some of the institutionalized financial management systems. Acknowledging the need for change and perhaps the potential of the Internal Audit Wing (IAW) within the ministries/

departments the Ministry of Finance (MoF) recently reviewed the scheme of Integrated Financial Advisor(IFA) and issued a Revised Scheme of IFA on June 1, 2006 which envisages a larger role for the Chief Controller of Accounts( CCA)/ Controller of Accounts(CA) In so far as internal audit is concerned the new guidelines mandate that the Internal Audit Wings working under the control and supervision of the CCAs/CAs shall assist the Financial Advisers in the appraisal, monitoring and evaluation of individual schemes. It specifies that internal audit would focus on: v Assessment of adequacy and effectiveness of internal controls in general, and soundness of financial systems and reliability of financial and accounting reports in particular; v Identification and monitoring of risk factors (including those contained in the Outcome Budget); v Critical assessment of economy, efficiency and effectiveness of service delivery mechanism to ensure value for money; and v Providing an effective monitoring system to facilitate and course corrections.

What the IA can do

With the enlarged mandate and given the scope, objectives and functions of IAW under the CGAs organization internal audit in Government today is of critical value for several reasons all of which are well known to us: v It is potentially of major importance as an effective internal audit system leads to improved accountability, ethical and professional practices. v It can improve the quality of output, support decision making and performance tracking.

v It has the potential to act as an independent and objective appraisal mechanism within the organization whose findings and recommendations can act as a tool enabling the ministry or department within which it functions, to take suitable corrective action with respect to service delivery and also procedures. v It can be used to examine and evaluate activities, as a service to the organization promoting effective control at a reasonable cost. v If internal audit can become an inherent part of management reporting by suggesting remedies for the problem areas identified, it can truly fit into the fundamental and critical area of financial reform which focuses on outcomes, of objectives being achieved at a reasonable cost. It will integrate internal auditing with the ongoing public financial management reforms.

What sets Government Audit Apart?

It is necessary to bring out the differences that exist between auditing in the government sector, and auditing in the private sector. v The environment of the audited government organization is vastly different from what exists in the private sector, and is a significant reason for the difference between the two. The government audit is carried out in an environment determined by legal rules and a great deal of importance is attached to lawful and rightful conduct within the governments flowing from the need for governments to act in accordance with laws and regulations laid down by the government itself v In the public sector moreover, the auditors opinion serves the interest of the public in general and is not confined to only providing a full and fair view to the stakeholders as is the case with the private sector audit. v By extension therefore, the primary purpose of an auditors opinion is to serve in the formal discharging procedure in the democratic process. Effectively then, the stakeholders are many in case of the government audit v It is also a fact that the decision making process in government is much more complex when compared to the private sector where decisions are predominantly

determined by technical and scientific factors concerning the primary processes of the entity and the economically limiting conditions . v In the government arena, success cannot be translated in terms of the bottom line of income and expenditure account but rather needs other criteria as a measure of performance. v The auditing of the accounting system of a government organization is important not only as a track to the financial report but also because the accounts contain important information which is vital for the process of decision making which in the government sector, by its very nature, has wider implications. v Auditing in the government sector therefore has a substantive importance. Attention for the processes like acquisition of resources (economy), use of resources (efficiency), satisfaction of needs of society (effectiveness) which implies that audit of financial management as such, including compliance of laws and regulations in the rightfulness audit, is often defined as a substantive object of audit in the audit assignment. v Financial reporting in the public sector is also different from that in the private sector because the laws and regulations regarding financial reporting in the public sector are different on account of the need for transparency on part of the government regarding the governments plans and the resource allocations. Therefore the laws and regulations on financial reporting in the public sector start with regulating the procedure of the budgeting process and the structure of the presentation of information in the budget documents. v Furthermore, as far as the government is concerned, its primary goal is not to earn a profit over and above the cost of production as is the case with private entities. Rather the goal of government is to realize the maximal possible usefulness for society from a limited amount of resources and the performance indicators are also different since the success of government entities is not expressed only in financial terms.

For a government organization, a system of internal controls is of key importance as a precondition for better government performance because the system of internal control is

often the only instrument available, unlike in the private sector where the market signals act as warning signals. Furthermore the principle in the new governance model in the modernization of governments which stresses on integrity and objectivity for services and the stewardship of funds requires more effective internal controls. With a shift from the traditional centralized controls to a greater delegation and a more distributive control where the management is responsible for the checking and monitoring, effective internal controls are necessary.

Best Practices

With the expanded and extended role of internal audit now stretching beyond its traditional focus on compliance and financial audit, to encompass an assessment of the organizations efficiency and effectiveness in achievement of its objectives, internal audit has become a management tool. In the over all scheme of financial reform aimed at better financial management, best practices in internal control and internal audit, will generate key benefits. The overall design of the internal audit system, including best practices, should be geared towards the specific priorities of the organizations taking into account each organizations own circumstances and requirements. But an overall Best Practices Framework is necessary to evaluate the adequacy of internal controls and the performance of the organization as well as of the internal audit. Best practices could include those relating to roles, responsibilities and authorities and oversight of internal audit, resourcing the internal audit function, planning internal audits activities, audit processes, and evaluating internal audits performance

Internal Audit practitioners talk about an appropriate tone at the top as being a key component of the internal control structure of the organization. Best practice emphasizes the responsibility of the Board/CEO to establish an appropriate corporate culture, including codes of ethics and standards of conduct to enhance the organizations reputation for fair and responsible dealings and to help maintain high standards of behaviour throughout the organization. (TPP). These attributes include: acting with honesty and good faith; exercising due care and diligence; using information and position

properly; employing discretion; avoiding conflict of interest; meeting public obligations; managing financial obligation prudently and maintaining confidentiality. Since internal controls and internal audit is a process rather than an end in itself, and more importantly, it is a process driven or effected by people at every level of the organization, the key attributes and attitudes of the most senior level within the organization, are critical not only to the effectiveness of the audit but also to the achievement of the organizations goals. Documenting and implementing a code of conduct or a code of ethics would serve to address the importance of maintaining confidentiality, avoiding conflict of interest, explain the nature and significance of illegal or other improper acts.

Best practices now encourage the organization to establish effective audit committees which would help preserve the independence of the internal audit function and ensure appropriate and timely action is taken on audit findings. The Audit Committee serves in a special capacity as an important communication link between external and internal auditors and operating management, and as a means of reducing the risk that management will override key elements of an agencys internal control structure.

Designing effective internal control procedures which provide reasonable assurance regarding the achievement of the organizations objectives is important to a Best Practice Framework. The identification of the functions performed by the organization in the achievement of its strategic objectives, and the breaking down into individual tasks and related risks and the control procedures built in to mitigate these risks are important. Best Practice therefore requires the preparation of a Risk Management Plan which will provide the framework for monitoring the risk management activities. Once the whole array of risks has been identified, the next step is to rank the risks and draw up an audit plan accordingly. One way to effectively prioritize the processes for audit purposes is to look at the matrix of probability of occurrence versus severity of loss for each of the processes and develop a risk based audit plan according to this classification (Moody). It is also desirable if the audit plan is devised with a holistic view as to the nature and significance of the risks facing the organization/activity rather than focusing only on the financial reporting risks. While in the process of identifying these risks the audit team may use

intelligence gathered by other functions within the organization, in devising the audit plan the internal auditors should have an independent view on risks. Best practices also demand timely and comprehensive coverage by audit across a spectrum of risks While we grade risks using simple ranking of high, medium and low risk, timeliness of the audit as per this categorization is important, with high risk areas being covered annually and so on. This does not imply that there should be slippage in covering the low risk areas because even these can create problems. In fact internal audit practitioners consider it advisable to annually re assess the organizations risk profile annually. Given that the risks to the organization/activity would change over time, with new risks emerging, revisiting the risk based plan is imperative to an effective audit function.

The effectiveness of audit is dependent on its ability to not only spot problem areas or areas where improvements can be suggested, but also on its ability to ensure speedy remedial action after audit has been completed. This in turn is dependent on timely completion and submission of the audit report. Any delay in this would defeat the very purpose and function of internal audit. It is considered a best practice if audit professionals rank or grade their reports, using a simple system, to enable the clients distinguish problematic audit reports from others. There could for instance be one category of reports that are highly critical where significant remedial actions are recommended; others that list out deficiencies that need to be corrected but where the lapses are not too significant; and a third category of those reports that are by and large a clean bill of health though some improvement opportunities are identified. Effective and timely follow up to reports is essential particularly the speedy implementation of remedial actions recommended in highly critical reports. Best practices calls for such units that receive highly critical reports or those units that have significantly delayed implementation of recommendations of audit, to report the reasons for the problems and proposed corrective actions, to the highest level over seeing the internal audit function within the organization. An effective tracking system for audit reports would ensure an effective and timely follow up to audit. A rigorous audit follow up process could for instance include a Follow up Action Report form to be attached for the audited department to use for reporting when the audit recommendations are implemented. The

follow up by internal audit to verify the implementation could be done within six months and if necessary a second follow up could be done within one year, depending on various factors. The follow up process however ensures the timely and effective implementation of audit recommendations in addition to ensuring managements responsibility and accountability and is therefore a critical element.

Upgrades to the internal audit function capabilities in terms of increased manpower and resources available as well as capacity building, will contribute to a more effective control environment. Best practices support greater independence for the internal audit function and this can be achieved though a significant audit committee role in setting and approving the audit functions staffing and budget; periodic benchmarking of audit functions with peers and industry best practices; clarity in internal audits role in operational risk and pre-implementation control development matters; reporting by the audit head to the audit committee(functionally) and to the CEO( administratively); empowerment of the audit function by communicating the importance of internal audit throughout the organization; adopting a balanced staffing model and maintaining an effective working relationship between internal and external audit.

According to the IIA, appropriate reporting relationships are critical if internal audit is to achieve independence, objectivity and organizational stature necessary to fulfill its obligations and mandate. On the reporting lines for the chief audit executive, the IIA states that best practice indicates that the internal audit activity should have a dual reporting relationship The IIA International Standards for the Professional Practice of Internal Auditing (Standards) require that the chief audit executive (CAE) report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. To achieve necessary independence, best practices suggest the CAE should report directly to the audit committee or its equivalent. For day to day administrative purposes, the CAE should report to the most senior executive (i.e., the chief executive officer [CEO]) of the organization. This reporting line is stated to be the ultimate source of its independence and authority.

10

Internal audit practitioners point to the need for independence of the internal audit function by citing the lesson learnt from the challenges faced by the internal audit function at the now defunct WorldCom .Here since the internal audit function was not fully accepted and supported by top management, the function diverted from its role and focused on finding ways to assist the company to maximize revenues, reduce costs and improve efficiencies. The internal auditors did not fulfill their role as the companys internal audit police but rather sought to gain acceptance as team players by focusing on operational audits and projects that would be seen to be adding value to the company. In the end the function failed to detect the accounting improprieties that were reported at an earlier stage by WorldCom. Other cases cited are of Enron and Global Crossing, where the accounting misrepresentations and dealings of the top executives cost stockholders tens of billions of dollars, and could have been avoided had the internal auditors performed their traditional roles as watchdogs instead of succumbing to pressure to de emphasise audits of sensitive and high risk areas and focus instead on advising management on ways to increase the bottom line. IIA standards which guide the professional practice of internal auditing list independence of the internal audit function as the first standard and on this is dependent the success of any internal audit function its effectiveness and its organizational status. The higher the level within the organization to which the auditor reports, the more effective the auditor is in selecting areas to audit and reporting the findings without fear of retaliation or peer pressure.

Best practices also require that the right internal audit methodology is designed and used to facilitate effective and efficient delivery of high quality services. This can be done once the expectations of the organization are understood so that the right audits are executed at the right time with the right resources. According to the methodology prescribed by the Committee of Sponsoring Organisations (COSO) there should be three components namely, risk assessment, control evaluation and reporting. Risk assessment is done at the organizational level and from this emerges the internal audit plan. Since effective reporting is a key element in the methodology and since significant delays can undermine the organizations perception of the internal audits values and efficiency as well as impact the completion of planned work, it is best practice to agree on reporting

11

protocols before hand so that communication and agreements of audit results can take place in a timely manner.

The IIA standards and the GAO Government Accounting Standards require an external quality assessment to assess internal audit compliance with standards and appraisal of the quality of operations of internal audit While a periodic external quality assessment or peer review of the internal audit function is essential for a comprehensive quality assurance programme, a self assessment can also contribute to quality assurance. This provided the self assessment addresses all attribute and performance standards, duly supported with relevant documentation. Best practices require that the indicators used for measuring internal audit performance should be linked to the organizations objectives. Internal audit should therefore develop and implement a system of performance indicators to measure its own performance. The Statement of Best Practice Internal Control and Internal Audit developed by the New South Wales treasury Department includes as performance indicator service delivery benchmarks such as percentage of internal audits actually completed as per the original plan for the period, the future dollar costs saved or revenues earned as a result of implementation of audit recommendations or the number of internal audit findings implemented as a percentage of the numbers raised in their reports etc. Costs control benchmarks include the actual costs of internal audit as a percentage of internal audits budgeted costs for the period. A survey of management expectations or a customer survey sent to key managers after each audit or after issue of report can be used to measure audit performance. It will help focus internal audit effort and for this purpose the key performance measures suggested in the Statement include effectiveness of the audit in covering key areas, feedback on the findings of audit, duration of audit, timeliness of audit, accuracy of findings and value of audit recommendations, clarity of the audit report, professionalism of the auditors and value added by the audit. The list could be expanded depending on the requirements. The point is to develop a concise structured list of performance indicators to review performance, the results of the review being reported to the audit committee, at regular intervals.

12

The IIA has identified key elements of an effective public sector audit activity which can serve as a starting point to developing best practices for internal audit in the public sector. The importance of the internal audit activity in the public sector has been highlighted in the foregoing section. IIAs professional guidance document on the Role of Auditing in Public Sector Governance, states that Auditors perform an especially important function in those aspects of governance that are crucial in the public sector for promoting credibility, equity, and appropriate behavior of government officials, while reducing the risk of public corruption. The key elements listed by IIA as the minimum for Government audit activity to achieve its mandate and to act with integrity and produce reliable services, are: v Organizational independence. v A formal mandate. v Unrestricted access. v Sufficient funding. v Competent leadership. . v Competent staff. v Stakeholder support. v Professional audit standards

While the need for improving processes over time is necessary as is the need to adopt or develop those processes which are the most efficient and effective way of accomplishing a task, it is equally important to take into account individual need or circumstances. Due care needs to be exercised to ensure that best practices do not result in practice that is in fact not the best when the results of the best practice are in fact contrary to the real ideal situation or when best practice is used to prevent challenges to rules and systems that are in reality not best practice. A Wikipedia article cites the case of Dick Fosbury, who revolutionized high jumping technique-we have all heard of the Fosbury Flop. He challenged the existing best practice by going over the bar back first instead of head first

13

and in the process, by ignoring best practice, he not only raised the performance bar but also created the new best practice.

Best practice can be exchanged, adopted, adapted and developed. The key issue is what is possible? and not merely what is somebody else doing?

14

References:

15