REPORTS TO THE BOARD AND CEO
EVALUATION OF QUALITY
AND
PERFORMANCE /
BOARD LEVEL CORRECTIVE
ACTION / ASSESSMENT
OF STRATEGIC ISSUES
INTERNAL AUDIT
FUNCTION INTELLIGENCE FOR MIDDLE-LEVEL MANAGEMENT
^
MEDIUM-AND \ LOWER-LEVEL
CORRECTIVE ACTION PATTERN OF
OPERATIONS NOT IN CONTROL
ASSESSMENT OF NECESSARY
\ MEASURES
DATABASE MINING HANDS-ON
EXAMINATIONS
Figure 1.5 The bifurcation in self-assessment through internal control and auditing
18 Why Internal Control Systems Must be Audited
how management is planning, directing, and controlling its operations.
Attention paid to internal control by regulators considers such matters as:
• Form, nature, and, reporting relationships of an entity's organizational units and management positions and
• Assignment of authority and responsibility to these positions, including constraints established over their functioning.
For reasons of efficiency, policies established by the board should clarify the understanding of, and improve compliance with, the organization's objectives. Systems should be in place to alert auditors to deviations so that these are immediately investigated and brought to management's attention.
As the discussion has already pointed out, methods of communicating and enforcing the delegation of authority would be much more effective if they were supported through high technology.
While the need for value-added auditing services is more pronounced than ever, few internal audit groups today have real-time tools to monitor the effectiveness of the controls they exercise, or use agents to audit all accounts and ensure that resources are allocated where they are most needed. This lack of appropriate support was a reason why internal audit was criticized in 1987 by the Treadway Commission, and again in 1999 by the Basle Committee, for ineffective approaches (see below).
Part of the reason for this deficiency lies in the fact that most auditors have been trained in reporting accounting reconciliation deficiencies not in analyzing the significant risks being taken across the entity, and in prognosticating their most likely aftermath. It is therefore not surprising that some surveys indicate major differences between what boards think is being audited and what is actually being done.
In my experience, auditing is much more effective if it sees to it that all service-related activities, even if not specifically manifested in general ledger accounts, are subject to adequate periodic reviews. This is equally true of appraisals of administrative control for each function and for the company as a whole. The examiners should produce auditing comments and suggestions for improvements of operational efficiency.
On these premises rest the development of value-added services by the auditing department. The board of directors and the Audit Committee should be the first to disallow reactive, tired, dull audit reports and recommendations that too often fail to address the real issues. Top management should be increasingly demanding far more value and insight from internal auditors, and ensuring that this is forthcoming. It should also emphasize the need for value-added services:
77?^ Role of Auditing 19
• Traditional-type internal audit involves after-the-fact inspection, but offers little by way of inciting continuous improvement
• Continuous improvement can be assisted through a new auditing culture supported through an entity-wide monitoring and control system.
This system should benefit from input from all work units and target quality assurance, with activities under control monitored throughout the company and interactively reported. All documentation must be databased for further analysis when necessary, and knowledge artefacts used to derive intelligence from this information.
A battery of critical queries can help in guiding the chief auditors' hand.
Does the frequency and scope of management control action comply with statutory requirements of internal audits? How sophisticated are our auditing standards? Is each auditor preparing a time budget? Are plan versus actual time analyzes used as a guide in forward planning? Does the depth of coverage appear to be sufficient? Is each auditor periodically reporting his or her progress in completing the frequency and scope schedule? Does the board's auditing committee approve significant deviations, if any, from the original programme?
In order to improve overall efficiency, and add value to auditing work, the audit methodology should itself come under scrutiny. Are different entry dates and time periods between reviews scheduled so as to frustrate anticipation of entry dates by auditees? Are controls on opening and closing general ledger and other accounts adequate? Is auditing formally advised of any changes? Is the company's possession of all assets owned or managed in fiduciary capacities subjected to verification?
Other queries, too, are important. Given that the auditing function itself is - or at least should be - subject to administrative controls, does the audit manual contain the scope and objective of each audit function? Does it provide for certain deviations from audit procedures, done for the sake of adaptability to changing conditions? Are these procedures approved by the Audit Committee? Do audit procedures provide for the follow-up of exceptions noted in previous audits?
The use of statistical and other tools should also be investigated. Do audit procedures employ statistical sampling techniques with acceptable reliability and precision? Is there available a method for resolution of exceptions and deficiencies? Are statistical quality control charts available to show trends in demerits and help ascertain whether the audited processes are in control? Are there provisions for an expression of the opinion of the auditor regarding the adequacy and efficiency of internal controls?
20 Why Internal Control Systems Must be Audited
Some of the queries pertaining to the efficiency of the auditing function necessarily relate to the personality of the chief auditor, their status in the organization and the definition of their duties. The director of internal auditing should be given by the board a statement of purpose which clearly defines the authority and responsibility for the job to be done. The planning process which he or she establishes must include:
• Goals
• Work schedules
• Staffing and financing plans
• The use of technology
• A steady improvements schedule and
• Activity reports.
In my postgraduate studies at the University of California, I had a professor who taught his students that the goals of the internal auditing department should not only be spelled out but should also be measurable. Therefore, they should be accompanied by measurement criteria, yardsticks, quality assurance standards, and targeted dates of accomplishment.
Whether or not value-added functions are included, work schedules must outline what activities are to be audited; when they will be audited; and what are the time and cost estimates. Auditing programmes should take into account the scope of the work planned as well as the nature and extent of previous audit work. Work schedules should be sufficiently flexible to cover unanticipated demands for a more rigorous internal auditing job.
Staffing plans and financial budgets must include specifications which help in computing the number of auditors, the technology to be put at their disposal, and the knowledge, skills, and disciplines required to perform assigned work. This leads to the definition of education and training requirements, as well as auditing research and development efforts and the sophistication of technological supports:
• Today, research and development is the necessary supplement to any business activity worth its salt, and auditing is no exception.
• Every function can be done better if we pay enough attention to improving it, as well as to shortening the timetables of deliverables by bettering the means used in its execution.
The discussion above mentioned the use of expert systems as an example.
This is a mid-to-late 1980s' solution, which has itself been subject to steady
The Role of Auditing 21 improvement. For instance, instead of expert systems resident at a workstation we are now using agents, or interactive knowledge artefacts which are mobile and proactive - flushing out inconsistencies, violations of compliance, inordinate risks, and other weak points, and therefore alerting their master to take the required action. But while technology is a welcome supplement to the auditor's functions, the No. 1 criterion is organizational:
to where exactly does the auditing department report?