Transcript Auditing Defined

“Current Auditing Hot Button
Issues”
What Are Hot Button Issues
• Hot button issues for business leaders include a range of complex
matters, including ideas, subjects, issues, etc. that evokes strong
feelings
• Hot button Issues are driven by internal and external factors
including:
 new opportunities and challenges,
 emerging areas, global developments,
 effects of new regulations or pronouncements,
 effects of technological or market developments on audit processes
Evolution of Auditing Hot Button Issues
Changing internal-audit roles,
Globalization
Changes in risk management
Shortage of audit talent
Technological advancement
Environmental concerns /climate change
Crime and Forensics
Movement Towards More Risk
Centric Approach to Auditing
Risk Centric vs Control Centric
• Evolution in the primary role of internal audit from control
centric to risk centric
• The Institute of Internal Auditors’ revised definition of internal
audit: providing objective assurance over both controls and
risk management.
• This evolution is a strategic expansion of internal-audit’s role
and one that directly enhances the ability of the audit
committee to oversee the company’s controls and practices.
Globalisation
 Globalization and new technology have a dramatic impact on
how companies structure business processes and operations.
 Changes in regulations, institutional investor demands,
 the complexity of today’s multinational corporations—are influencing
corporate efforts to improve risk management.
 As organizations expand overseas, there is a corresponding increase in the
demand for internal-audit services.
 Expect globalization, outsourcing, and off-shoring to have a profound impact
on the roles and responsibilities of internal audit.
 As companies expand globally, they also need to determine whether to
provide audit coverage from a central location or from a satellite operation
aligned geographically with the business footprint—not a decision to be taken
lightly.
Technological Advancement
• Directors should be aware of the potential impact of technology on the
ability of internal audit to identify and audit risks and to enhance
functional effectiveness and efficiency and the additional risk that it
introduces
• Given the speed of technology development, it is predicted that
technology will affect internal-audit roles and responsibilities more than
any other business trend.
• Technology is important in continuous monitoring and fraud detection.
• Technology can be leveraged to pinpoint Key Risk Indicators in order to
identify changes in organizational risk profiles in advance of internal
control breakdowns and enable CAEs to initiate audits in those areas.
Shortage of Audit Talent
• A broader set of risk-monitoring and analysis capabilities are
needed for a risk-centric auditing environment
• Critical to have sufficient talent to address strategic and business
risks, as well as risks stemming from fraud and technology.
• The traditional internal-audit skill sets is much smaller than
marketplace demand,
• Significant competition exist for well-qualified internal-audit talent
which extends beyond the ranks of IT, finance, and risk
management.
• There is need for a critical mass of auditors who can access, assess,
and analyze risk data as well as help prevent and detect fraud.
Hot Button Issues
 Internal Audit strategic sourcing
 Enterprise risk management
 Regulatory compliance
 IT Growth /Data Safety and Integrity
 Corporate governance
 Global sustainability/environment /climate change
 Continuous Auditing and Monitoring
 Forensics /Personnel Security and safety/ Crime
Internal Audit strategic sourcing
 As companies expand globally, they also need to determine whether to provide audit
coverage from a central location or from a satellite operation aligned geographically
with the business footprint
 If you are a director of a company active in global markets, you should be asking:




Does our internal audit group have what it takes to address the risks of international expansion?
How good is the company at complying with the Foreign Corrupt Practices Act ?
Does management’s existing enterprise-wide risk assessment address political risk?
Does the company possess the the internal talent and expertise to access, assess, and analyze risk
data as well as help prevent and detect fraud ?
 Does the company have the people who can evaluate and test internal controls, audit complex IT
environments, and address both enterprise-wide risk and governance issues ?
 Should the internal audit group provide audit coverage from a central location or from a satellite
operation aligned geographically with its expanded operations?
Internal Audit strategic sourcing
Co sourcing
This involves enhancing a clients existing internal audit capabilities by
complementing in-house functions with specialist skills or geographical
coverage or by providing project-based advisory services.
 The audit consultants selected will have specific experience and
specialized knowledge
 Knowledge and experience across a wide range of industries and
extensive internal auditing knowledge to assist the management in
developing a number of proprietary models of internal audit solution,
which can be used by identify critical areas of risk
 As well as able to perform a more focused, strategically driven risk
assessment to identify other potential risk areas.
Internal Audit Strategic Sourcing
Outsourcing
Similar to the hiring of an external auditor but goes beyond testing
transactions and balances to providing insights that help management
better understand their business.
 It is based on the premise that firms board and management expect
more than traditional internal audit service and seeks to ensure that
the talent and skills required are more easily secured through
outsourcing
 It is a costly but necessary service
 The also require personalized guidance as well as use of the
Consultants knowledge and wisdom to provide value-added
suggestions which will help them achieve financial and operational
success.
Audit Committee Training /Advisory
• Seeking independent advisory services to Audit Committee
on technical accounting issues, corporate governance,
structure and effectiveness of internal audit-related activities,
risk assessment evaluation and advise on other business risks
• Training and remaining up-to-date on issues
Enterprise Wide Risk Management
Internal auditing's core role with regard to ERM is to provide
objective assurance to
the board on the effectiveness of an organization's ERM
activities with the aim of :
 ensuring that key business risks are being managed appropriately
and
 that the system of internal control is operating effectively.
Recommended Roles
•
The main factors CAEs should take into account when determining
internal auditing's role are whether the activity raises any threats to the
internal auditors' independence and objectivity, and whether it is likely to
improve the organization's risk management, control, and governance
processes.
– Facilitating identification and evaluation of risks.
– Coaching management in responding to risks.
– Coordinating ERM activities.
– Consolidating the reporting on risks.
– Maintaining and developing the ERM framework.
– Championing establishment of ERM.
– Developing risk management strategy for board approval.
Roles Internal Auditing Should NOT Undertake.
 Setting the risk appetite
 Imposing risk management processes.
 Management assurance on risks.
 Taking decisions on risk responses.
 Implementing risk responses on management's behalf.

 Accountability for risk management.
Regulatory Compliance
• Pose complex business challenges.
• New laws and regulations are introduced, their
requirements challenge boards to greater levels of
transparency, objectivity and professionalism.
• Increased accountability and potential exposure to
liability means directors need to ensure that corporate
governance standards are adhered to and robust
compliance management systems are in place.
Corporate Governance
• Corporate governance is a system by which organizations are
controlled, directed, and held accountable to its stakeholders.
• The recent declining economy, declining market valuation,
increased unemployment, and increased possible fraudulent
financial schemes have placed increased pressures on
organizations. As a result of these pressures, organizations are
forced to focus on designing sustainable business strategies.
• These strategies seek not only to provide a return on investment or
assets, but to also generate shared value for society and promote
business model sustainability.
• Climate Change , Environmental Sustainability, CSR
Climate change / Environmental risk management
 Climate change / Environmental risk management — the need for
IA to understand, mitigate and manage (i.e. physical, regulatory,
reputational and litigation) in an integrated way using the existing
internal audit and (enterprise) risk management framework.
 Advising on how to grasp the competitive advantage that comes
with fuller and earlier understanding of climate change and
environmental management . These include :
 Sustainable supply chain — Improving the management of carbon ,
and other emissions (and therefore costs) across the supply chain
and performance efficiencies and enhancing brand value and
reputation.
 Sustainable IT (Green IT) —introducing new IT strategies and value chains
through a process of assessment, strategic improvements and verification.
 Clean Development Mechanism
 Corporate climate change /carbon strategy — Understanding the business
implications of climate change and facilitating the company’s strategy
development.
 Emissions trading —making strategic decisions in relation to emissions
trading or investment in emission reduction projects (internal/external).
 Carbon footprint — Calculating the direct carbon-emissions of the
company as well as the emissions caused along the value chain in
accordance with the Greenhouse Gas (GHG) protocol as a baseline for
further action.
 Mitigating all major environmental risk through greater understanding of
environmental impact of products and operations
 CSR
Continuous Auditing & Monitoring
•
Continuous Auditing enables companies to leverage technology to more
efficiently analyze risk data on a frequent basis, while Continuous
Monitoring provides management with information on key performance
metrics in close to real-time.
• Continuous Auditing and Continuous Monitoring are automated feedback
mechanisms used respectively by Internal Audit or Management to
monitor IT systems, transactions and controls on a frequent or continuous
basis, throughout a given period
• To do so organizations must accurately assess risk, design query protocols
and reports; identify the appropriate software tools and create the
capacity to execute continuous audits and monitoring regimes.
Forensics /Personnel Security and Safety/ Crime
• The changing nature of business has created new opportunities, but also
new risks and potential threats.
•
Businesses have to cope with the increasing sophistication of fraud,
organized crime, but also with more complex legislation and regulations
(some with increasing extra-territorial reach).
• Developments in technology and complex cross-border disputes.
• The pitfalls associated with expanding into emerging markets,
dependencies on unfamiliar business partners, and more complex supply
and distribution channels.
•
• Theft and misuse of intellectual property
• Organised crime and the money laundering
• IA’s must use accounting, investigation, intelligence, strategy, criminology,
technology and industry skills to help prevent commercial crime.
• They must also use this know-how to help you manage conflicts involving
commercial disputes, fraud, misconduct or breaches of rules and
regulations, as well as help public sector agencies deal with criminal
issues.
• Challenging in light of greater propensity for criminal backlash
Strategic Responses
 Directors should ensure that their internal-audit groups
adopt a risk-centric mindset. This may require audit
leaders to redefine departmental roles and establish a
unified value proposition so that their departments will be
viewed as strategic players.
 Internal auditors need to adopt a more conceptual
approach to audit, risk assessment, and risk management
that goes beyond a narrow focus on controls. This will
require forging a strong link between the risk-management
initiatives of internal-audit functions and those undertaken
by the rest of the organization.
 Directors need to ensure that internal audit receives the
budget and management support needed to achieve this
transition. If internal audit fails to evolve in this manner, it
could be viewed as a narrow, controls-oriented entity, and
its potential contribution marginalized.
• audit committees should encourage internal audit leaders to
gain more strategic value from internal audit, by :
 Making it a primary objective to provide assurance over risk management.
 Including strategic risks within the risk universe targeted by internal audit.
• Directors should also be inquiring about and encouraging
internal-audit’s career-development programs. To attract and
retain talent, audit needs to be viewed as a function that
offers talented people ample opportunity for career
development
Internal auditors should sharpen their focus on continuous
auditing in an effort to streamline the audit process
As risk assessments and risk monitoring assume a more real-time
dimension, audit timing will become more dynamic. Audits will
have to be conducted on an as-needed basis, triggered more by
changes to organizational risk profiles than by set plans
 Fraud detection, fraud risk-assessments, and fraud
investigations—three key aspects of a comprehensive
antifraud program—must be given more focus
 Increased globalization and advances in technology will
have a significant impact on internal audit and the talent it
needs to meet its objectives. Audit committee members
must ensure they understand these factors and their
implications, so that they will be able to work more
effectively with internal-audit leaders to determine how to
help senior management identify and manage risk
 Directors should ensure that whether internal audit has
people who can evaluate and test internal controls, audit
complex IT environments, and address both enterprise-wide
risk and governance issues. (co-source)
•
Increased globalization and advances in technology will have a significant impact
on internal audit and the talent it needs to meet its objectives. Audit committee
members must ensure they understand these factors and their implications, so
that they will be able to work more effectively with internal-audit leaders to
determine how to help senior management identify and manage risk
•
Directors should ensure that internal audit has people or access to people who can
evaluate and test internal controls, audit complex IT environments, and address
both enterprise-wide risk and governance issues. (co-source)
•
CAEs and Audit Committees should seek support if required from analysts who
understand risks, can provide timely risk-and-control assurances, and can update
organizational risk profiles. Such analysts would also have the capability to focus
on fraud and other areas of significant risk, monitor KRIs, and analyze business
processes to determine which controls, if any, can be removed with little or no
negative impact.
Thank You
