Part 1: Essentials of Internal Auditing

Welcome to Part 1 of The IIA’s CIA Learning System®. The self-study text for the learning system includes the content addressed in The IIA’s CIA syllabus. (You can download the syllabus from the online Resource Center or from The IIA’s website.) However, in some cases, the content has been reorganized to facilitate instruction and understanding. Refer to the Table of Contents for an outline of the content.

To get the most out of the course materials, complete the course in this order:
1. Begin by accessing the course at www.learncia.com.
2. Read the overview and return to the menu. Select Part 1 from the menu.
3. Complete the pre-test and view the report to help focus your study efforts.
4. Read each section and follow the Next Steps directions included at the end of the section.
5. Complete Part 1 as outlined in the online overview.

Note that Part 1 of the CIA exam will consist of 125 multiple-choice questions and test takers are given 150 minutes to complete this portion of the exam. You can go to https://na.theiia.org/certification/CIACertification/Pages/CIA-Certification.aspx to register for the exam separately.
Study Support
The IIA’s CIA Learning System includes online tools to support your study. These tools may be accessed from the menu at any time.
• Glossary—Refer to the glossary for definitions of terms used in all three parts of The IIA’s CIA syllabus.
• Reports—Refer to the reports to review your most recent test scores and progress through the learning system.
• Resource Center—Refer to the Resource Center to access information about The IIA’s International Professional Practices Framework, updates, test-taking tips, printable flashcards, related links, and reference material and to provide feedback to The IIA regarding the learning system.
The IIA’s CIA Learning System®

The IIA’s CIA Learning System® is based on the Certified Internal Auditor® (CIA®) syllabus developed by The IIA. However, program developers do not have access to the exam questions. Therefore, while the learning system is a good tool for study, reading the text does not guarantee a passing score on the CIA exam. Every effort has been made to ensure that all information is current and correct. However, laws and regulations change, and these materials are not intended to offer legal or professional services or advice. This material is consistent with the revised Standards of the International Professional Practices Framework (IPPF) introduced in July 2015, effective in 2017.

Copyright

These materials are copyrighted; it is unlawful to copy all or any portion. Sharing your materials with someone else will limit the program’s usefulness. The IIA invests significant resources to create quality professional opportunities for its members. Please do not violate the copyright.
Acknowledgments

The IIA would like to thank the following dedicated subject matter experts who shared their time, experience, and insights during the development and subsequent updates of The IIA’s CIA Learning System.

Pat Adams, CIA
Al Marcella, PhD, CISA, CCSA
Terry Bingham, CIA, CISA, CCSA
Markus Mayer, CIA
Raven Catlin, CIA, CPA, CFSA
Vicki A. McIntyre, CIA, CFSA, CRMA, CPA
Patrick Copeland, CIA, CRMA, CISA, CPA
Gary Mitten, CIA, CCSA
Don Espersen, CIA
Michael J. Fucilli, CIA, QIAL, CRMA, CGAP, CFE
Lynn Morley, CIA, CGA
James D. Hallinan, CIA, CPA, CFSA, CBA
James Roth, PhD, CIA, CCSA
Larry Hubbard, CIA, CCSA, CPA, CISA
Brad Schwieger, CPA, DBA
Jim Key, CIA
Doug Ziegenfuss, PhD, CIA, CCSA, CPA, CMA, CFE, CISA, CGFM, CR.FA., CITP
David Mancina, CIA, CPA
Lyndon Remias, CIA
Part 1 Overview

Internal auditing is a discipline that works on behalf of management, the board of directors, and other stakeholders of public and private entities to improve and add value to governance, risk management, and control procedures. This is in contrast to external auditing, which serves third parties who require reliable financial information based on reliable supporting records. Instead, internal auditors typically have a broader focus (based on their approved internal audit activity charter) that requires them to examine and appraise controls, financial performance, compliance with laws and regulations, and operational performance for their effectiveness. Rather than primarily focusing on historical events as external auditors do, internal auditors also help the board and management make current as well as future-oriented decisions. For example, internal auditors may be asked to assess whether planned operations have the proper controls in place to be likely to achieve organizational goals and objectives.

Drawing further distinctions between internal and external auditors as well as other related review functions can help clarify what internal auditing is and what it is not. These distinctions are described below:

• External auditors/financial auditors. These auditors provide an attestation solely based on the financial reports and statements generated by an organization. While these auditors focus on the accuracy of reported information, they also review the records supporting the statements and the related controls over the financial information. The work of external and financial auditors is historical in nature and is critical to allowing investors and other third parties to make informed decisions (e.g., investing, approving debt issuance) about an organization based on its financial statements when taken as a whole. In the U.S., audits of private companies are governed by the Generally Accepted Auditing Standards (GAAS) of the American Institute of Certified Public Accountants (AICPA) and audits of public companies are governed by the Auditing Standards (AS) of the U.S. Public Company Accounting Oversight Board (PCAOB). The International Federation of Accountants (through its International Auditing and Assurance Standards Board) also promulgates International Auditing Standards (IAS), and these may be in use or adapted for use in various jurisdictions. For example, the U.K. uses a derivative of IAS.

• Compliance. Compliance reviews typically serve to determine whether or not an organization is adhering to a specified law, regulation, standard, policy, or procedure, and the results are reported as such. Compliance audits do not necessarily consider the effectiveness and efficiency of business processes but rather primarily whether the process is—or is not—in compliance. Typically, specialized individuals, some with legal or compliance backgrounds, conduct these reviews.

• Regulators. These auditors work for regulating bodies (in the U.S., for example, the Financial Industry Regulatory Authority [FINRA], the Securities and Exchange Commission [SEC], and the Office of the Comptroller of the Currency [OCC]), and they review compliance with specific regulations as well as the overall safety and soundness of the organizations being examined. These auditors perform compliance reviews of corporations or agencies that are regulated by the specified regulating body.

• Government auditors. Government auditors typically work for departments, ministries, or agencies of a government and provide assurance regarding program requirements, performance audits, budget reviews, and management audits.

A few more contrasting points between the internal and external auditing professions will round out this overview of internal auditing:

• First, individuals employed in an internal audit activity are typically employees of an organization. However, there are alternative arrangements to staff an internal audit department through outsourcing, co-sourcing, and secondment arrangements. By contrast, external auditors are always independent contractors.

• Second, internal auditors provide assurance, compliance, and consulting services and are also concerned with detecting patterns of errors, inefficiencies, and irregularities, including fraud, that impact an organization’s ability to accomplish its objectives, with limited regard for financial materiality. Internal auditors are primarily future-focused, and they play a strong role in helping management improve the organization’s control structure. External auditors are primarily concerned with preventing or detecting fraud when it may have a material effect on the financial statements, though they are still concerned with the potential indicators of fraud overall.

• Third, internal auditors must be independent from the internal organizational functions that they audit, meaning that they exercise no management duties over the areas being audited. Internal audit activities also achieve organizational independence through their direct functional reporting to the board of directors (or a designated audit committee of the board). In general, they remain ready to respond to requests from the board and all management constituents. In contrast, external auditors are independent of both the board and management in fact and in mental attitude.

Part 1 of The IIA’s CIA Learning System looks at a number of the essentials of internal auditing.

• Section I covers the foundations of internal auditing—The IIA’s International Professional Practices Framework; the purpose, authority, and responsibility of the internal audit activity; the requirements of the audit charter; the difference between assurance and consulting services.
• Section II looks at the concepts of independence and objectivity.
• Section III looks at the concepts of proficiency and due professional care.
• Section IV describes aspects of a quality assurance and improvement program.
• Section V covers organizational governance, risk, and controls and corporate social responsibility, and it looks at risk management within an audit activity charter.
• Section VI focuses on fraud risks—the types of these risks, the potential for such risks occurring, and controls to prevent and detect fraud.
Section I: Foundations of Internal Auditing

This section is designed to help you:
• Identify and apply relevant ethical, practical, and legal standards to audit practice, including The IIA’s Code of Ethics, International Standards, and Practice Advisories and relevant laws.
• Explain the International Professional Practices Framework categories of guidance.
• Explain the Mission of Internal Audit.
• List the Core Principles for the Professional Practice of Internal Auditing.
• Define internal auditing.
• Describe compliance with The IIA’s Code of Ethics.
• Explain how the purpose, authority, and responsibility for an internal audit activity are documented, communicated, and approved.
• Understand the importance of securing the board’s approval of the internal audit activity charter and audit plan.
The Certified Internal Auditor (CIA) exam questions based on content from this section make up approximately 15% of the total number of questions for Part 1. One of the topics is covered at the “B—Basic” level, meaning that you are responsible for comprehension and recall of information. (Note that this refers to the difficulty level of questions you may see on the exam; the content in these areas may still be complex.) The other topics are covered at the “P—Proficient” level, meaning that you are responsible not only for comprehension and recall of information but also for higher-level mastery, including application, analysis, synthesis, and evaluation.
Section Introduction

The profession of auditing has a rich and storied past. The earliest accounts of auditing date back to Mesopotamia, where marks were used to record ship cargos and verify financial transactions. In ancient Rome, the Latin word auditus (the precursor to our term audit) referred to the hearing of oral evidence as one official would verify records with those of another.

Internal auditing has evolved through the years, gaining recognition from executives and organization leaders and altering the focus of audit efforts to respond to the changing needs of the global environment. Today, it focuses heavily on integrated audits, where auditors provide assurance related to any combination of the following engagement types:

• Controls assurance. Providing assurance related to the design and operating effectiveness of key control activities; controls may be operations-, reporting-, or compliance-related.
• Information technology (IT). Providing assurance related to the design and operating effectiveness of general IT or specific application control activities.
• Compliance. Providing assurance related to the design and operating effectiveness of control activities and procedures in place to assure compliance with laws, regulations, policies, etc.
• Operations. Providing assurance related to the effectiveness and efficiency of an organization’s operations, including performance and profitability goals and safeguarding resources against loss.
• Financial assurance. Providing assurance related to the achievement of one or more financial statement assertions (also called management assertions):
  • Existence or occurrence
  • Completeness
  • Valuation and allocation
  • Rights and obligations
  • Presentation and disclosure

Throughout the centuries, auditors have continued to pursue the truth, control transactions, and prevent or detect fraudulent acts. Today, internal audits are independent, unbiased fact-finding exercises that provide verifiable information to a board of directors (especially its audit committee), management, or outside interests. Note that, according to The IIA, a board is:

The highest level of governing body charged with the responsibility to direct and/or oversee the activities and management of the organization. Typically, this includes an independent group of directors (e.g., a board of directors, a supervisory board, or a board of governors or trustees). If such a group does not exist, the “board” may refer to the head of the organization. “Board” may refer to an audit committee to which the governing body has delegated certain functions (e.g., an audit committee).
Topic A: The IIA’s International Professional Practices Framework/Purpose, Authority, and Responsibility of the Internal Audit Activity (Level P)

The Framework

The Institute of Internal Auditors (The IIA) provides internal audit practitioners with an International Professional Practices Framework (IPPF). This framework contains many components, as described below, but one key component is referred to as “the Standards.” The IPPF exists to guide internal auditors’ professional practice and ensure the highest-quality internal audit results. In The IIA’s own words, “The purpose of the . . . IPPF is to organize The Institute of Internal Auditor’s . . . authoritative guidance in a manner that is readily accessible on a timely basis while strengthening the position of The IIA as the standard-setting body for the internal audit profession globally.” Furthermore, by reflecting the evolution of current practice, the framework aims “to assist practitioners and stakeholders throughout the world in being responsive to the expanding market for high quality internal auditing.”

In general, a framework like the IPPF provides a structural blueprint of how a body of knowledge and its related guidance fit together. As a coherent system, a framework facilitates consistent development, interpretation, and application of concepts, methodologies, and techniques useful to a discipline or profession. Throughout the world, internal auditing is performed in diverse environments and within organizations that vary in purpose, size, and structure (e.g., publicly traded, privately owned, not-for-profit, governmental, etc.). In addition, the laws and customs of various countries differ. These differences may affect the practice of internal auditing in each environment. The implementation of the IPPF, therefore, will be governed by the environment in which the internal audit activity carries out its assigned responsibilities. No information contained within the IPPF should be construed in a manner that conflicts with applicable laws or regulations. If a situation arises where information contained in the IPPF is in conflict with legislation or regulation, internal auditors are encouraged to contact The IIA or legal counsel for further guidance.

The IPPF is the compass that provides internal auditors with direction to keep up with the rate of business change. The framework is regularly updated by the International Internal Auditing Standards Board and related IIA international committees. The current IPPF was introduced in July 2015 and became effective in 2017. The International Professional Practices Framework is shown in Exhibit I-1.

Exhibit I-1: International Professional Practices Framework
The IPPF consists of:
• The Mission of Internal Audit.
• The Core Principles for the Professional Practice of Internal Auditing.
• The Definition of Internal Auditing.
• The Code of Ethics.
• The International Standards for the Professional Practice of Internal Auditing (the Standards).
• Implementation Guidance.
• Supplemental Guidance.

The Mission of Internal Audit, the Core Principles, the Definition of Internal Auditing, the Code of Ethics, and the Standards are available to be read or downloaded from The IIA’s website (www.theiia.org), along with a great deal of other material relevant to internal auditors, whether or not they are IIA members. (Other materials that may be available to the public for reading or downloading from the website include the monthly newsletters, IIA Global SmartBrief and Tone at the Top, and the Internal Auditor magazine, all of which will be cited as authoritative sources in these study materials.) These materials enhance the knowledge and skills of internal auditors. The Implementation Guidance and the Supplemental Guidance are intended for the use of IIA members and are password-protected.

The full International Professional Practices Framework is available, however, in printed and e-book versions, known familiarly, and for reasons obvious to those who have seen it, as the “Red Book.” It can be ordered online. While the book includes all aspects of the framework, it is not necessarily as up-to-date as the online version, which is subject to continuous review, revision, and addition. Internal auditors should be sure they are familiar with the most current version of the framework available at The IIA’s website. As the auditing environment evolves, so will the recommended guidance materials and, at a more deliberate pace, the Standards. For example, the 2017 edition of the Standards includes two new standards, alignment of the Standards to the Core Principles, and updates to existing standards. Note that this learning system is consistent with the revision of the Standards effective January 1, 2017, which can be viewed at global.theiia.org/standards-guidance/mandatoryguidance/Pages/Standards.aspx.
Authoritative Guidance in the IPPF

As shown above in Exhibit I-1, the authoritative guidance in the IPPF comprises two categories: mandatory and recommended. The Mission of Internal Audit, the Core Principles, the Definition of Internal Auditing, the Code of Ethics, and the Standards make up the core of the IPPF, and abiding by them is mandatory for IIA members, practicing internal audit professionals, and Certified Internal Auditors. Mandatory guidance is denoted within the Standards by the use of the terms must and should. The IPPF Standards Glossary (in the IPPF “Red Book”) defines these words in the following manner:
• The word must specifies an unconditional requirement.
• The word should is used where conformance is expected unless, when applying professional judgment, circumstances justify deviation.

The introduction to the Standards goes on to clarify what is meant by mandatory guidance:

The Standards apply to individual internal auditors and internal audit activities. All internal auditors are accountable for conforming with the Standards related to individual objectivity, proficiency, and due professional care. In addition, internal auditors are accountable for conforming with the Standards, which are relevant to the performance of their job responsibilities. Chief audit executives [CAEs] are accountable for overall conformance with the Standards.

(Note: Adherence to the Standards is required even for those who are not IIA members or CIAs if the statement “conformance with the standards” is used in their work.)

The IPPF’s recommended forms of guidance support the mandatory components. Each standard, for example, is supported by a corresponding Implementation Guide. There are also links, in some cases, to the growing collection of Practice Guides, including the Global Technology Audit Guides (GTAGs) and other supplemental guidance documents. The Implementation Guidance and the Supplemental Guidance are optional, not mandatory. They are The IIA’s version of “best practices.” They provide detailed guidance for conducting internal audit activities, including topical areas, sector-specific issues, processes and procedures, tools and techniques, programs, step-by-step approaches, and examples of deliverables. Recommended guidance is endorsed by The IIA and was developed using due process by an IIA international guidance committee and/or institute. Rather than providing definitive answers, supplemental guidance contains a wide range of possible solutions and methods of implementing the mandatory guidance.

A description of each of the IPPF components is included next. Note, however, that The IIA’s Code of Ethics is not covered in this topic. It is covered later, in Topic D of this section.
The Mission of Internal Audit

The Mission of Internal Audit in the IIA’s International Professional Practices Framework articulates what internal audit aspires to accomplish in an organization:

To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

Its place in the IPPF is deliberate, demonstrating how practitioners should leverage the entire framework to facilitate their ability to achieve the mission.
The Core Principles

The IIA describes its Core Principles for the Professional Practice of Internal Auditing, which are included in the IPPF, as follows:

The Core Principles, taken as a whole, articulate internal audit effectiveness. For an internal audit function to be considered effective, all Principles should be present and operating effectively. How an internal auditor, as well as an internal audit activity, demonstrates achievement of the Core Principles may be quite different from organization to organization, but failure to achieve any of the Principles would imply that an internal audit activity was not as effective as it could be in achieving internal audit’s mission.

The Core Principles include:
• Demonstrates integrity.
• Demonstrates competence and due professional care.
• Is objective and free from undue influence (independent).
• Aligns with the strategies, objectives, and risks of the organization.
• Is appropriately positioned and adequately resourced.
• Demonstrates quality and continuous improvement.
• Communicates effectively.
• Provides risk-based assurance.
• Is insightful, proactive, and future-focused.
• Promotes organizational improvement.
The Definition of Internal Auditing

According to The IIA’s Definition of Internal Auditing:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
As defined in the Standards Glossary, an internal audit activity is “a department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations.” Internal auditing activities are often referred to in relation to the acronym GRC (governance, risk, and control) due to the value-adding services internal auditing provides in assurance and consulting engagements to evaluate and help improve GRC effectiveness. Internal auditing is performed by professionals with an in-depth understanding of the culture, systems, and processes of the business. Internal audit activities may be performed by people from within the organization and/or outside the organization (i.e., co-sourced or outsourced). Effective internal auditors serve as an organization’s corporate conscience and advisors for governance, risk, and control operational efficiency and effectiveness. They also educate and make recommendations to management and the board of directors (and/or other governance oversight bodies) to support the organization in meeting its goals and objectives. In fulfilling these responsibilities, internal auditors must demonstrate professionalism, objectivity, knowledge, integrity, and leadership.
Key Terms in the Definition

The following text defines and breaks down some key terms from the Definition of Internal Auditing.

Independent and Objective

The first part of the definition is that internal auditing is an “. . . independent, objective assurance and consulting activity . . .” Organizational independence and individual objectivity form the foundation of internal auditing; all stakeholder confidence in auditors’ work rests on this foundation.

IIA Standard 1110 states that the chief audit executive (CAE) “must confirm to the board, at least annually, the organizational independence of the internal audit activity.” (The Standards Glossary defines the chief audit executive as “a person in a senior position responsible for effectively managing the internal audit activity in accordance with the internal audit charter and the Definition of Internal Auditing, the Code of Ethics, and the Standards.”) What does organizational independence look like for an internal auditor, who is, after all, usually an employee of that organization? Organizational independence exists if the CAE:
• Reports functionally to the board.
• Has direct and unrestricted access to the board.
• Reports administratively to the chief executive officer (CEO) or a similar head of the organization or to some other organizational level so long as the internal audit activity controls the scope of work, the performance of the work, and the reporting of results without interference.

Stakeholders need to know that internal auditors can review any area of the organization without being biased themselves or unduly influenced by others. Internal auditors must have access to any and all records and all employees (including management and persons represented by unions or works councils) as deemed necessary to fulfill their duties. Objectivity requires internal auditors to avoid a conflict of interest or the appearance thereof, meaning that a situation that could be perceived as a conflict of interest could harm the internal auditor’s credibility. Independence and objectivity are discussed more in Section II.

Consulting

Consulting has been part of the Definition of Internal Auditing since 1999. Consulting expands the role of internal auditing into the areas of other value-added services and suggestions related to future-oriented decisions. Auditors can provide insight to decision makers as processes are being developed so that the proper controls are built into a new project or process from the start. So long as internal auditors make it clear that they are not making any decisions themselves, it does not compromise independence when they perform such work and/or provide advice or suggestions. Management should formally acknowledge or confirm that internal auditors will not play a decision-making role on such engagements.

Risk Management, Control, and Governance

The last part of the Definition of Internal Auditing addresses evaluating and improving the effectiveness of governance, risk management, and control. While the original definition of internal auditing referred only to control, if senior management and the board are so willing (through approval of the annual audit plan including its priorities and resource constraints), internal auditing can, and should, provide a more comprehensive evaluation of the organization’s risk management and governance processes. Internal auditors were and often are the first champions of a comprehensive enterprise risk management process, and many have helped build up this function in the organization. To prevent a loss of independence and objectivity, some organizations have created a chief risk officer position.

The Standards Glossary defines governance as the “combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.” Organizations that get involved in financial scandals often have sophisticated and mature risk management processes, but a common pattern is that they also have governance structures that ignore the risk assessments in favor of high profits. Internal auditors can help ensure that the organization has the proper “tone at the top,” management and operating methodology, and ethics and integrity.
Internal auditors can also provide assurance that risk taking is truly within the organization’s risk appetite both in terms of the organization’s ability to take risk (e.g., worthwhile strategic initiatives such as new products or new goals, plus sufficient financial health) and the board’s stated willingness to assume risks in specific areas.

Governance, risk, and control are defining activities for an enterprise. Successful organizations don’t champion one over another; rather, they recognize the powerful interplay and benefits of all three. Collectively, governance, risk, and control largely determine an organization’s ability to succeed in its marketplace. Well-conceived and well-executed, these three activities also support healthy interactions with the organization’s stakeholders. Internal auditors must be proficient in each of the three activities. In discussing the requirements of Standard 2100, “Nature of Work,” Implementing the Professional Practices Framework, second edition, succinctly summarizes how internal auditors must evaluate and contribute to the improvement of governance, risk management, and control systems. These points are shown in Exhibit I-2.

Exhibit I-2: Nature of Work for Internal Audit Activity

Governance
Help an organization assess and make recommendations for improving governance in its accomplishment of the following objectives:
• Promoting appropriate ethics and values in the organization
• Ensuring effective organizational performance management and accountability
• Effectively communicating risk and control information to appropriate areas of the organization
• Effectively coordinating the activities of and communicating information among the board, management, and external and internal auditors
• Clearly establishing, communicating, and monitoring organizational objectives

Risk
Help an organization manage risk by:
• Identifying and evaluating significant exposures to risk.
• Contributing to the improvement of risk management and control systems.
• Monitoring and evaluating the risk management system.

Control
Help an organization maintain effective controls by:
• Evaluating the effectiveness and efficiency of controls.
• Promoting the continuous improvement of the control environment and related control activities.

Source: Implementing the Professional Practices Framework, second edition, by Urton Anderson and Andrew J. Dahle.
The internal audit activity must determine the best way to accomplish the activities in these three areas. Factors such as the organizational culture, the role of the internal audit group in the organization, and stakeholder expectations will shape specific internal auditing practices. Section V of this part examines exactly what constitutes effective governance, risk management and control, in accordance with The IIA’s Part 1 exam syllabus.
The IIA’s View of “Modern Internal Auditing” The IIA’s framework contains—and implicitly incorporates—the Institute’s definition of the profession of internal auditing. The definition makes clear The IIA’s commitment to a broad view of internal auditing that includes assurance as well as consulting and that focuses on helping management meet organizational objectives rather than solely focusing on traditional matters such as attesting to the accuracy of financial statements and compliance with laws and regulations. As Sawyer, et al., write in their definitive Sawyer’s Internal Auditing (published by The IIA Research Foundation): “Financial matters represent only one aspect of internal auditing’s purview. Once perceived as the client’s adversary, internal auditors now pursue cooperative,
productive working relationships with clients through value-adding activities.” Sawyer accurately names this view of the profession as “modern internal auditing.”
The IIA’s International Standards The IIA recognizes that defining a set of global standards for a profession practiced in a wide variety of environments poses challenges. As the Introduction to the Standards states, “Internal auditing is conducted in diverse legal and cultural environments; within organizations that vary in purpose, size, complexity, and structure; and by persons within or outside the organization.” Nevertheless, the Introduction continues, “Compliance with The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) is essential.” The purpose of the Standards can be broken down as follows:
• To guide adherence to the mandatory elements of the International Professional Practices Framework
• To provide a framework for performing and promoting a broad range of value-added internal auditing
• To establish the basis for the evaluation of internal audit performance
• To foster improved organizational processes and operations
Many internal audit functions—of private, nonprofit, and government organizations as well as public companies—have adopted the Standards into their charters (consistent with the language in Attribute Standard 1000, described below). The Standards have also received the imprimatur of the Treadway Commission, which states, in the Treadway Commission Report:
The professionalism of internal auditors has been enhanced in recent years by the efforts of The Institute of Internal Auditors (IIA), the professional organization for internal auditors. Standards of The IIA offer excellent guidance for effective internal auditing and reflect some of the most advanced thinking on fraud prevention and detection. The Commission encourages public companies that have not done so to consider adopting The IIA Standards.
The Standards are principles-based mandatory guidance rather than a detailed set of rules and regulations. Some Standards include “interpretation” text to further explain the guidance description. This italicized text should not be overlooked, as it is part of the standard. The Standards employ terms that have been given specific meanings; these are defined in the Standards Glossary. Whenever these terms are defined in this learning system, they are identified as being from the Standards Glossary.
Types of Standards There are three types of Standards: Attribute Standards, Performance Standards, and Implementation Standards. Attribute Standards The Attribute Standards address the characteristics of organizations and parties performing internal audit activities. Attribute Standards apply to all internal audit services and internal auditors individually. Attribute Standards are numbered in the 1000s range. The major sections of Attribute Standards are as follows:
The following are examples of two of the Attribute Standards.
• Attribute Standard 1000—“Purpose, Authority, and Responsibility” The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework (the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing). The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.
• Attribute Standard 1100—“Independence and Objectivity” The internal audit activity must be independent, and internal auditors must be objective in performing their work.
Each of the sections of Attribute Standards can have multiple subsections. For example, Standard 1100’s subsections (1110, 1120, etc.) all deal with some aspect of independence and objectivity. Similarly, Standard 1300 on quality assurance and improvement contains a subsection 1310, “Requirements of the Quality Assurance and Improvement Program,” which in turn contains two subsections, 1311, “Internal Assessments,” and 1312, “External Assessments.” The numbering system leaves room for additions in the future, recognizing that the standards will continue to evolve. Performance Standards Performance Standards describe the nature of internal auditing and provide quality criteria for evaluating audit performance. Similar to Attribute Standards, Performance Standards apply to all internal audit services as well as internal auditors. Performance Standards are numbered in the 2000s range. The major sections of the Performance Standards are as follows:
The following are examples of two of the Performance Standards. • Performance Standard 2000—“Managing the Internal Audit Activity” The chief audit executive must effectively manage the internal audit activity to ensure that it adds value to the organization.
• Performance Standard 2100—“Nature of Work” The internal audit activity must evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes using a systematic, disciplined, and risk-based approach. Internal audit credibility and value are enhanced when auditors are proactive and their evaluations offer new insights and consider future impact.
As you can see, the Performance Standards at this highest level address topics of general applicability; from 2200 through 2600, they trace the course of the well-constructed audit. Performance Standards also have more detailed subsections. As the framework evolves over time, these standards and subsections are also updated. Implementation Standards Implementation Standards expand upon Attribute and Performance Standards; they provide separate mandatory instructions for implementing the Attribute and Performance Standards depending on whether the engagement is to be for assurance or consulting. (The Standards Glossary defines an engagement as “a specific internal audit
assignment, task, or review activity, such as an internal audit, control self-assessment review, fraud examination, or consultancy.”) Assurance and consulting services are described further in Topic C of this section.
Exceptions to Mandatory Guidance of Standards If laws or regulations prohibit internal auditors from complying with certain parts of the Standards, appropriate disclosures should be made. Internal auditors should comply with all other parts of the Standards.
The IIA’s IIASB The Standards, as we have seen, are continuously evolving. The IIA’s International Internal Auditing Standards Board (IIASB), the party responsible for the issuance and publication of the Standards, bases each new standard on consultations with authorities around the world, including select members of the global IIA board of directors and persons representing major global organizations or regulators external to the IIA. The International Professional Practices Framework, in all its parts, incorporates the idea that internal auditing is, truly, a global profession. The intent of the IIASB is to propose changes to the Standards when they will substantively improve the practice of internal auditing. The IIASB is a group of practicing professionals, independent of The IIA’s certification group and of The IIA’s CIA Learning System.
Recommended Guidance As noted at the beginning of this topic, the IPPF’s recommended forms of guidance support the mandatory components (the Mission, the Core Principles, the Definition, the Code of Ethics, and the Standards). Recommended guidance includes Implementation Guides and Practice Guides.
Implementation Guides Implementation Guides provide concise and timely guidance to assist internal auditors in interpreting and applying the Code of Ethics and the Standards and promoting best practices. They include practices relating to international or country- or industry-specific issues; specific types of engagements; and legal or regulatory issues. Some Implementation Guides are applicable to all internal auditors; others have a more specific focus. Implementation Guides address approach, methodology, and considerations but not detailed processes and procedures. All internal auditors and other interested parties are welcome to submit suggestions to The IIA’s Standards Board to help in the continued development of the guides. Implementation Guides are updated on an ongoing basis so that the practices they describe continue to conform with the requirements of the Standards. All Implementation Guides are submitted to a formal review process by the Standards Board or other group designated by the Professional Practices Advisory Council. The most up-to-date versions of these and other parts of the framework appear at The IIA’s website (www.theiia.org). The Implementation Guides are intended for the use of IIA members and are therefore password-protected on the website. Implementation Guides will form the background of the presentation of many topics in this course. As an example of how the Implementation Guides function, recall Standard 1110, “Organizational Independence,” which contains this mandate: The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.
How to put that into practice may not be immediately obvious to an organization’s CAE. To get clarification, the CAE can bring up the Contents section of the online framework (assuming that he or she is an IIA member), go to the section listing Implementation Guides, find the entry for Implementation Guide 1110, “Organizational Independence,” and read the further guidance provided there. Even with the guidance of the Implementation Guides, the auditor will inevitably encounter challenging situations that aren’t specifically covered. When this happens, the auditor is still responsible for making decisions that are guided by the principles underlying the specific Standards and the Rules of Conduct in the Code of Ethics. For The IIA’s members, these principles—and their animating spirit—cannot be overruled by a manager’s instructions or an organization’s contrary practices, policies, or culture. Only the law overrides the Code and the Standards. However, CAE and/or internal auditor judgment and experience are crucial to applying the standards, rules, and ethics in the best way possible, and there can be differences of opinion on the best way to apply them. Practice Guides Practice Guides are another form of guidance provided by The IIA to help internal auditors incorporate the Standards into their practice. According to the Preface to the IPPF, the Practice Guides provide “detailed guidance for conducting internal audit activities” and include “detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, including examples of deliverables.” Like the Implementation Guides, these materials are listed only in the sections of The IIA’s website that require a password for access.
Purpose, Authority, and Responsibility of the Internal Audit Activity The IIA asserts that an effective internal audit activity is a valuable resource for management and the board (or its equivalent) and the audit committee due to the activity’s understanding of the organization and its culture, operations, and risk profile. The objectivity, skills, and knowledge of competent internal auditors can significantly add value to an organization’s governance, risk management, and internal control processes. Similarly, an effective internal audit activity can provide assurance to other stakeholders such as regulators, employees, providers of finance, and shareholders.
Purpose, Authority, Responsibility Characteristics Internal auditors need a clear mandate that provides the authority they need and supports their independence and objectivity if they are to deliver this level of value in an organization. For an internal audit activity to best support executive management and boards of directors in accomplishing overall organizational goals and objectives and strengthen internal controls and corporate governance, the purpose, authority, and responsibility of the internal audit activity must be understood. Exhibit I-3 reviews the key elements characterizing internal audit activity purpose, authority, and responsibility.

Exhibit I-3: Purpose, Authority, and Responsibility Characteristics for Internal Audit Activity

Purpose
• Provide an independent, objective assurance and consulting activity.
• Support organizational objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.
• Determine if organizational governance, risk management, and control processes are in place and functioning properly.
• Communicate any opportunities for improvement or risk exposures to the appropriate management level (and the board/audit committee as appropriate).
• Add value and improve an organization’s operations.

Authority
• Provide appropriate unfettered access to records, personnel, and physical properties.
• Maintain full and open access with the audit committee, board of directors, or other appropriate governing authority.
• Secure necessary internal and external resources to accomplish audit activity objectives as planned.

Responsibility
• Document the objectives and scope of the engagement as well as the methodology to be used.
• Ensure that internal audit activity staff have sufficient knowledge, skills, experience, and/or professional certifications to fulfill the engagement charter.
• Communicate the results of the internal audit activity or other matters that the CAE determines necessary to senior management, the audit committee, the board, or other governing body of the organization.
• Consider the coordination of internal and external audit work to increase economy, efficiency, and effectiveness of the overall audit process.
• Do not perform management activities.
Supporting Endeavors Internal auditors perform ongoing internal quality assessments of the function’s activities and are required to undergo independent external quality assessments to validate conformance to the Standards. These processes answer the question “Who audits the auditors?” The answer cannot be that nobody does. Individuals may also receive auditor certifications. There are many reasons to obtain an official IIA certification designation such as the Certified Internal Auditor® (CIA®) certification. Obtaining a certification such as this is professionalism defined. The IIA’s CIA Learning System, which you are now reading, is an example of IIA certification preparation materials. Used in combination, all of these professional endeavors help individual auditors and the organizations they serve to succeed together.
Topic B: Requirements of the Internal Audit Charter (Level B) An internal auditing activity will be of the highest value when clients view engagements positively and are open to accepting results. An organization’s audit committee, chief executive officer, and senior-level management team need to establish a “tone at the top” that supports the credibility of the internal audit function. Without this critical top-down support, the internal audit activity becomes vulnerable to client biases, defensiveness, and other human shortcomings. A primary way to do this is to formally document and secure approval by the board and acceptance by management for an internal audit charter. The charter and several other documents should be in place to support the purpose, authority, and responsibility of the internal audit department and internal audit activities.
Related Standards and Implementation Guides The Standards and Implementation Guides related to the internal audit charter’s role in defining the purpose, authority, and responsibility of the internal audit activity are listed in Exhibit I-4.

Exhibit I-4: Internal Audit Charter Standards and Related Guidance

Standard: Attribute Standard 1000, “Purpose, Authority, and Responsibility”
The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework (the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing). The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.
Implementation Standard 1000.A1 (Assurance Engagements): The nature of assurance services provided to the organization must be defined in the internal audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances must also be defined in the internal audit charter.
Implementation Standard 1000.C1 (Consulting Engagements): The nature of consulting services must be defined in the internal audit charter.
Related Guidance: Implementation Guide 1000, “Purpose, Authority, and Responsibility”

Standard: Performance Standard 2060, “Reporting to Senior Management and the Board”
The chief audit executive must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan and on its conformance with the Code of Ethics and the Standards. Reporting must also include significant risk and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management and/or the board.
Related Guidance: Implementation Guide 2060, “Reporting to Senior Management and the Board”
The Internal Audit Charter According to the Standards Glossary, the internal audit charter is: A formal document that defines the internal audit activity’s purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity’s position within the organization; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities.
The internal audit charter provides a road map for the internal audit activity and provides the vehicle for the internal audit activity to carry out its mission. It defines what the board and senior management can expect from the internal audit activity and directs the efforts of internal audit staff. It also defines the nature of services for assurance and consulting engagements. A written charter may be distributed to other stakeholders, such as process owners and outside parties (suppliers and joint venture partners), to make others aware of the kinds of work internal auditors are performing. To create the internal audit charter, the CAE must understand the Mission of Internal Audit and the mandatory elements of the IPPF. Implementation Guide 1000, “Purpose, Authority, and Responsibility,” states: This understanding provides the foundation for a discussion among the CAE, senior management, and the board to mutually agree upon:
• Internal audit objectives and responsibilities.
• The expectations for the internal audit activity.
• The CAE’s functional and administrative reporting lines.
• The level of authority (including access to records, physical property, and personnel) required for the internal audit activity to perform engagements and fulfill its agreed-upon objectives and responsibilities.
The charter must be consistent with the Standards. Implementation Guide 1000 tells us that providing a formal, written internal audit charter is critical in managing the internal audit activity. The internal audit charter provides a recognized statement for review and acceptance by management and for approval, as documented in the minutes, by the board. It also facilitates a periodic assessment of the adequacy of the internal audit activity’s purpose, authority, and responsibility, which establishes the role of the internal audit activity. If a question should arise, the internal audit charter provides a formal, written agreement with management and the board about the organization’s internal audit activity.
Elements of the Internal Audit Charter Although internal audit charters may vary by organization, they typically include the following sections, some of which may include aspects of the IPPF:
• Introduction. This section explains the overall role and professionalism of the internal audit activity. Relevant elements of the IPPF are often cited in the introduction.
• Authority. This section affirms the internal audit activity’s full access to the records, physical property, and personnel required to perform engagements and declares internal auditors’ accountability for safeguarding assets and confidentiality.
• Organization and reporting structure. This part of the charter documents the reporting structure for the CAE position. The CAE should report functionally to the board and administratively to a level in the organization that allows the internal audit activity to fulfill its responsibilities. This section may delve into specific functional responsibilities, such as approving the charter and internal audit plan and hiring, compensating, and terminating the CAE. It may also describe administrative responsibilities, such as supporting information flow in the organization or approving the internal audit activity’s human resource administration and budgets.
• Independence and objectivity. This section describes the importance of internal audit independence and objectivity and how these will be maintained, such as prohibiting internal auditors from having operational responsibility or authority over areas audited.
• Responsibilities. This section lays out major areas of ongoing responsibility, such as defining the scope of assessments, conducting an organization-wide risk assessment at least annually, writing an internal audit plan, submitting the plan to the board for approval, performing engagements, communicating results of engagements, and monitoring corrective actions taken by management.
• Quality assurance and improvement. This part of the charter describes the expectations for developing, maintaining, evaluating, and communicating the results of a quality assurance and improvement program that covers all aspects of the internal audit activity.
• Signatures. The signatures document agreement between the CAE, a designated board representative (for example, the audit committee chair), and the individual to whom the CAE reports. This section includes the date, names, and titles of signatories.
A sample internal audit charter is shown below. Keep in mind that no sample is all-encompassing for every internal audit organization. Likewise, all items shown in this sample charter may not be relevant to every engagement. A charter must be tailored to each internal audit activity and the governing rules of the organization.

Exhibit I-5: Sample Internal Audit Charter
Source: “Model Internal Audit Activity Charter,” The Institute of Internal Auditors, https://na.theiia.org/standards-guidance/Public Documents/Model Internal Audit Activity Charter.pdf.
The IIA has another internal audit charter template that may be used as a guide. It is available to IIA members for download and can be found under “Other Supplemental Guidance” on the IIA website.
Communications of the Charter Significant deviations from the internal audit charter must be communicated. The CAE cannot change the nature of the audit function without consulting the audit committee or modifying the internal audit charter.
Other Key Documents Other key documents related to the audit charter include the following:
• Function and responsibility (F and R) statement. This statement establishes the authority and responsibility of the audit staff and delineates appropriate types of auditing activities and access necessary to execute the functions outlined in the charter. The F and R statement may be included in the form of a matrix, where staff roles and assigned activities are identified.
• Statement of policy (also referred to as corporate audit policy or policy statement missions). This policy statement identifies the different missions of the audit activity and assists management and the board in the effective discharge of their responsibilities. The scope and status of internal auditing in the organization is covered, along with its objective to add value and contribute to improved risk management and governance. A policy statement also describes the internal audit department’s authority to carry out audits, issue reports, make recommendations, and evaluate corrective actions.
• Audit manual (policies and procedures). This document includes written policies and procedures intended to provide guidance to the audit staff as they perform their duties. Policies and procedures should be appropriate for the size of the organization and the structure and complexity of the activity. Generally, a larger enterprise would have more formal and detailed communications, while written memos might be sufficient in a small organization.
• Staff job descriptions. Job descriptions should identify the requirements of exceptional performance, that is, the knowledge and skills necessary to effectively and efficiently complete a wide range of audit assignments, for positions such as staff auditor, auditor-in-charge, audit manager, and unique audit positions.
Topic C: Assurance and Consulting Services (Level P) Internal auditors no longer only perform compliance-oriented audit engagements; they also provide a variety of assurance and consulting (advisory) services. The Standards Glossary defines assurance services as follows: An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.
The Glossary defines consulting services as: Advisory and related client services activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.
Implementation Standards and Assurance/Consulting Services Guidance for assurance and consulting services is provided in the IPPF’s Implementation Standards. These expand upon the Attribute and Performance Standards by providing the requirements applicable to assurance or consulting services, as noted by the use of A or C in the standard’s number. For example, 1000.A1 and 1000.C1 are the Implementation Standards related to Attribute Standard 1000, “Purpose, Authority, and Responsibility.” Implementation Standard 1000.A1, an assurance engagement standard, tells us: The nature of assurance services provided to the organization must be defined in the internal audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances must also be defined in the internal audit charter.
Implementation Standard 1000.C1, a consulting engagement standard, states, in similar language: The nature of consulting services must be defined in the internal audit charter.
The Standards also state that when performing assurance or consulting services, the internal auditor should maintain objectivity and not assume management responsibility. Now we’ll look at the key differences between assurance and consulting and some examples of the different types of services internal auditors may provide.
Assurance Services Assurance services involve the internal auditor’s objective assessment of evidence to provide an independent opinion or conclusion regarding an entity, operation, function, process, system, or other subject matter. Three parties are generally involved in assurance services:
• The person or group directly involved with the entity, operation, function, process, system, or other subject matter—the process owner
• The person or group making the assessment—the internal auditor
• The person or group using the assessment—the user
The nature and the scope of the assurance engagement are determined by the internal auditor. Assurance services are at the core of internal auditing. While others can provide consulting services, internal audit has the knowledge of the organization and the independence to provide the board with the information, facts, and conclusions they need to make appropriate decisions. Assurance work makes up the majority of internal audit activities and is most frequently one or a combination of the following services:
• Operational. Reviewing a process or function to determine effectiveness and efficiency to achieve organizational objectives.
• Compliance. Reviewing financial and operating controls to assess conformance to laws, regulations, standards, policies, and processes.
• Reporting. Reviewing internal controls to provide assurance around the integrity, completeness, and timeliness of internal and/or external financial and non-financial reporting and testing the effectiveness of internal controls over financial reporting (ICFR). Testing ICFR is an important aspect of assurance services for publicly traded companies subject to U.S. Sarbanes-Oxley Act (SOX) requirements.
• IT. Reviewing technology infrastructure to assure integrity of information.
The internal audit activity could also provide assurance services in these areas:
• Due diligence for potential acquisition
• Contract reviews
• Third-party provider audits
• Joint-venture audits
• Performance audits
• Construction projects
• Entity-level reviews
• System implementations
• Continuous auditing (versus periodic audit engagements)
Consulting Services
Consulting services are advisory in nature and are generally performed at the specific request of an engagement client. They generally involve two parties:
• The person or group offering the advice—the internal auditor
• The person or group seeking and receiving the advice—the engagement client
The nature and the scope of a consulting engagement are subject to agreement with the engagement client. Such agreements should be formalized in writing. Consulting services can include any advisory activity that improves the organization’s governance, risk management, controls, and compliance. The following are examples of different types of consulting services.
• Advisory consulting engagements. These engagements are designed to offer advice and might include:
  • Advising on control design.
  • Advising during development of policies and procedures.
  • Participating in an advisory role for high-risk projects.
  • Advising on certain enterprise risk management activities.
  • Recommending solutions to key issues or challenges facing the organization.
• Training consulting engagements. These engagements are educational in nature and might include:
  • Training on governance, risk management, and internal control.
  • Benchmarking internal areas with comparable areas of similar organizations to identify best practices.
  • Post mortem analysis—that is, determining lessons learned from a project after it is completed.
• Facilitative consulting engagements. These engagements might include:
  • Facilitating an organization’s risk assessment process.
  • Facilitating management’s control self-assessment.
  • Facilitating a task force charged with redesigning controls and procedures for a new or changed area.
  • Acting as a liaison between management and independent outside auditors, government agencies, vendors, and contractors on control issues.
Consulting may range from formal engagements, defined by written agreements, to informal activities, such as participating in standing or temporary management committees or project teams. Internal auditors may be requested to help in special consulting engagements, such as participation in a merger or acquisition project or in an emergency engagement (for example, a review of disaster recovery activities). These may require departure from normal or established procedures for conducting consulting engagements. The following are common examples of consulting activities:
• Business process improvement
• Risk and control self-assessment
• Continuous monitoring of controls
• Internal control review
• Forensic audits
• Operational readiness (product launch, new service or system)
• Governance principles and practices
• Ethics training
• Internal control training
• Participation on committees
In all situations, a consulting engagement should not be conducted in an attempt to circumvent assurance engagement requirements such as the need to provide an opinion at the end of an engagement. This is consistent with The IIA’s Code of Ethics. On the flip side, services once conducted as an assurance engagement may be performed as a consulting engagement—if deemed appropriate. However, such consulting activities should be coordinated with other internal audit assurance activities as well as external audit activities to minimize redundancy. (See Standard 2050, “Coordination and Reliance.”)
“Blended” Engagements
Assurance and consulting services are not mutually exclusive, so an audit activity can have both assurance and consulting components. A “blended” engagement may consolidate elements of assurance and consulting activities. In other instances, individual components of an engagement may be specified as assurance or consulting. This blending of the two types of services can add value and create efficiencies. However, if assurance and consulting services are blended, it must be ensured that there are no conflicts of independence, objectivity, or otherwise with regard to roles and responsibilities. And it is often necessary to communicate the outcomes separately, since the purpose and the scope will differ between the assurance and consulting components of an engagement.
Topic D: The IIA’s Code of Ethics (Level P)
It is improbable that professionals in any field or organization would dispute the aspirations set forth in a code of ethics. Well-developed codes of ethics help to foster ethical behavior, affirm core values, deter unethical actions, and cope with ethical dilemmas. For internal auditors, a formal code of ethics provides a window into generally accepted standards of conduct useful to an organization and its customers. It sets forth a uniform approach to guide conduct.
Ethical conduct depends upon a commitment to “do the right thing,” of course, but it also requires a clear vision of what the right thing is. Seeing clearly in ethical matters can be challenging. The conflicts of interest that arise almost inevitably in any profession that has multiple responsibilities—to the profession itself, to colleagues, to customers, to employers, and to the community—sometimes cast a shadow across the line that separates the right thing from the usual thing or the easy thing or the profitable thing to do. A well-founded code of ethics should spell out the standards for acceptable and expected behavior or conduct as well as what constitutes unacceptable behavior or conduct.
The IIA maintains its Code of Ethics “to promote an ethical culture in the profession of internal auditing.” The Code:
States the principles and expectations governing behavior of individuals and organizations in the conduct of internal auditing. It describes the minimum requirements for conduct, and behavioral expectations rather than specific activities.
The Standards Glossary defines The IIA’s Code of Ethics as follows:
Principles relevant to the profession and practice of internal auditing, and Rules of Conduct that describe behavior expected of internal auditors. The Code of Ethics applies to both parties and entities that provide internal audit services.
The IIA bases its Code of Ethics on four fundamental principles of professional conduct: integrity, objectivity, confidentiality, and competency. The Code interprets each of these four principles by describing what each means and by specifying related Rules of Conduct that provide guidance in how to put the principles into practice. The Code does more than simply demand ethical conduct; it defines that conduct in detail. All CIAs (regardless of whether they are currently practicing or are working in different functional areas) must abide by the IIA’s Code of Ethics, which is shown in Exhibit I-6.
Exhibit I-6: The IIA’s Code of Ethics
Conflicts of Interest
It isn’t difficult to spot places in the Code of Ethics that identify potential conflicts of interest. For example, under the first principle, integrity, the auditor is required to make disclosures expected by the law and the profession. Under confidentiality, the auditor is mandated to respect the confidentiality of the information unless legally or professionally required to disclose it.
Objectivity may be compromised if the internal auditor is assigned to audit an area in which he or she has worked in the preceding 12 months or plans to work in the near future. Standard 1130.A1, “Impairment to Independence and Objectivity,” provides specific guidance on such conflicts, stating:
Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.
A perhaps more subtle conflict arises under competency. Determining at the outset of an engagement whether one is or is not competent to complete it may not be so simple—especially when one’s professional pride or the possibility of a promotion seems to be at stake. There is generally very little support for saying “I can’t do that.” Nevertheless, the principles of the Code and the Rules of Conduct are mandatory in all instances that don’t conflict with legal principles. It is situations of conflict of interest that make ethical conduct a challenge—and that make codes of conduct necessary. In any situation not directly covered by the Rules of Conduct, the auditor should apply the principles to determine the ethical course of action. Seeking advice from those who may have greater objectivity or more experience is also helpful.
Practical Applications
Exhibit I-7 describes some practical applications of the four principles in The IIA’s Code of Ethics.
Exhibit I-7: Examples of The IIA’s Code of Ethics Principles
Integrity: The internal auditor should have knowledge of the requirements for the Code of Ethics and perform all activities according to the Code. Integrity includes honesty, diligence, and responsibility; observance of laws; not performing illegal activity; and contributing to the legitimate and ethical objectives of the organization.
Objectivity: The internal auditor should not perform audits where the assessment would be biased or professional judgment may be impaired. All facts must be disclosed. If an auditor does not feel comfortable in doing an audit, he or she should ask to be removed from the team.
Confidentiality: Information obtained while performing an audit must be protected and used only as appropriate in the engagement. Information should be used only in conformance to laws or regulations and never used for personal gain.
Competency: The necessary knowledge, skills, and experience are important requirements for providing internal auditing services. Each internal auditor should have a plan to receive knowledge or training to enhance future performance.
Next Steps
You have completed Part 1, Section I, of The IIA’s CIA Learning System®. Next, check your understanding by completing the online section-specific test(s) to help you identify any content that needs additional study. Once you have completed the section-specific test(s), a best practice is to reread content in areas you feel you need to understand better. Then you should advance to studying Section II. You may want to return to earlier section-specific tests periodically as you progress through your studies; this practice will help you absorb the content more effectively than taking a single test multiple times in a row.
Section II: Independence and Objectivity
This section is designed to help you:
• Define independence and objectivity in terms of internal audit.
• Interpret organizational independence of the internal audit activity.
• Explain the importance of independence in an internal audit activity.
• Explain the reporting relationships for internal auditors.
• Identify whether the internal audit activity has any impairments to its independence.
• Assess and maintain an individual internal auditor’s objectivity, including determining whether an individual internal auditor has any impairments to his/her objectivity.
• Analyze policies that promote objectivity.
The Certified Internal Auditor (CIA) exam questions based on content from this section make up approximately 15% of the total number of questions for Part 1. Two of the topics are covered at the “B—Basic” level, meaning that you are responsible for comprehension and recall of information. (Note that this refers to the difficulty level of questions you may see on the exam; the content in these areas may still be complex.) The other topics are covered at the “P—Proficient” level, meaning that you are responsible not only for comprehension and recall of information but also for higher-level mastery, including application, analysis, synthesis, and evaluation.
Section Introduction
Internal auditors are more than compliance reviewers and financial analysts. Broadened responsibilities range from assessing a gamut of risks, controls, ethics, and quality initiatives to evaluating emerging technologies, analyzing opportunities, and examining global issues. Internal auditors are responsible for assuring that the controls in place are adequate and effective in mitigating the risks to achieve the organization’s objectives.
In providing such assurance and consulting activities, internal audit organizations must maintain independence and objectivity. These are the cornerstones of effective internal auditing. The Standards Glossary defines independence as:
The freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.
The Glossary defines objectivity as:
An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no significant quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others.
Related Standards and Practice Guides
The Standards and Implementation Guides related to independence and objectivity are listed in Exhibit II-1. Additional recommended guidance includes The IIA’s Practice Guide “Independence and Objectivity.”
Exhibit II-1: Independence and Objectivity Standards and Related Guidance
Attribute Standard 1100, “Independence and Objectivity”: The internal audit activity must be independent, and internal auditors must be objective in performing their work.
Related guidance: Implementation Guide 1100, “Independence and Objectivity”
Attribute Standard 1110, “Organizational Independence”: The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.
Implementation Standard 1110.A1 (Assurance Engagements): The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results. The chief audit executive must disclose such interference to the board and discuss the implications.
Related guidance: Implementation Guide 1110, “Organizational Independence”
Attribute Standard 1111, “Direct Interaction With the Board”: The chief audit executive must communicate and interact directly with the board.
Related guidance: Implementation Guide 1111, “Direct Interaction With the Board”; Practice Guide, “Chief Audit Executives—Appointment, Performance Evaluation, and Termination”
Attribute Standard 1112, “Chief Audit Executive Roles Beyond Internal Auditing”: Where the chief audit executive has or is expected to have roles and/or responsibilities that fall outside of internal auditing, safeguards must be in place to limit impairments to independence or objectivity.
Related guidance: Implementation Guide 1112, “Chief Audit Executive Roles Beyond Internal Auditing”
Attribute Standard 1120, “Individual Objectivity”: Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.
Related guidance: Implementation Guide 1120, “Individual Objectivity”
Attribute Standard 1130, “Impairment to Independence or Objectivity”: If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.
Implementation Standard 1130.A1 (Assurance Engagements): Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.
Implementation Standard 1130.A2 (Assurance Engagements): Assurance engagements for functions over which the chief audit executive has responsibility must be overseen by a party outside the internal audit activity.
Implementation Standard 1130.A3 (Assurance Engagements): The internal audit activity may provide assurance services where it had previously performed consulting services, provided the nature of the consulting did not impair objectivity and provided individual objectivity is managed when assigning resources to the engagement.
Implementation Standard 1130.C1 (Consulting Engagements): Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.
Implementation Standard 1130.C2 (Consulting Engagements): If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement.
Related guidance: Implementation Guide 1130, “Impairment to Independence or Objectivity”
Topic A: Organizational Independence of the Internal Audit Activity (Level B)
Internal auditors provide organizations’ stakeholders with information the stakeholders need to effectively fulfill their responsibilities. The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results. Stakeholders must also have confidence that internal audit can review all activities and do so in an unbiased manner. As stated in the introduction to this section, independence allows for the freedom from conditions of interference. Often, such conditions stem from the organizational placement and assigned responsibilities of internal audit. For example, when internal audit reports within other functions in an organization, it is not considered independent of that function, which is subject to audit. Similarly, if the CAE has functional responsibilities broader than internal audit, such as risk management or compliance, internal audit is not independent of these additional functions, which are also subject to audit. However, the CAE cannot solely determine the organizational independence and placement for internal audit. He or she needs help from the board and senior management to address independence effectively. Typically, the CAE, the board, and senior management reach a shared understanding of internal audit’s responsibility, authority, and expectations, which lays the groundwork for a discussion of independence and organizational placement.
Independence and Reporting Relationships
Independence is established by the organizational reporting structure. Best practice suggests that the CAE (and, hence, the internal audit activity) should have dual reporting lines: administratively to the senior management level (CEO, etc.) and functionally to the audit committee. Exhibit II-2 visualizes this reporting structure.
Exhibit II-2: Internal Audit Dual Activity Reporting Structure
The internal audit activity charter should establish this dual reporting relationship as well as the principal activities directed up each line. Ideally, the CAE should report:
• Functionally to the board.
• Administratively (directly) to organizational senior management.
• Functionally to the audit committee or its equivalent.
Functional Reporting
Functional reporting provides the ultimate source of independence and authority. Organizational independence is effectively achieved when the CAE reports functionally to the board. Examples of functional reporting to the board involve the board:
• Approving the internal audit charter.
• Approving the risk-based internal audit plan.
• Approving the internal audit budget and resource plan.
• Receiving communications from the CAE on the internal audit activity’s performance relative to its plan and other matters.
• Approving decisions regarding the appointment or removal of the CAE.
• Approving the remuneration of the CAE.
• Making appropriate inquiries of management and the CAE to determine whether there are inappropriate scope or resource limitations (interpretation of Standard 1110).
Administrative Reporting
Administrative reporting facilitates the day-to-day operations of the internal audit function. Examples characterizing the administrative reporting relationship include:
• Budgeting and management accounting.
• Human resource administration, including personnel hiring and compensation.
• Internal communications and information flows.
• Administration of the internal audit activity’s policies and procedures.
The Importance of Independence
The dual reporting relationships support internal audit activity independence and allow internal auditors to carry out their work freely and objectively and to render impartial and unbiased judgments. These reporting relationships also help to ensure:
• The appropriate flow of information across the organization.
• Access to key executives and managers.
• Appropriate reporting of internal audit activity results.
The CAE should monitor the reporting relationships. Any situation that impedes the independence and effective operations of the internal audit function should be brought to the attention of the audit committee (or its equivalent).
Proper Alignment to Achieve Independence
The Standards are designed to apply to all internal audit organizations regardless of size, nature of the organization, or other factors. As such, they are intentionally somewhat generic about reporting relationships; there is no one-size-fits-all approach. The following are ways the CAE can ensure that the internal audit activity is properly aligned to achieve organizational independence.
• Have regular and direct communication with the board. Regular communication with the board helps assure independence and facilitates an open, two-way dialogue on matters of mutual interest. Direct communication occurs when the CAE regularly attends and participates in board meetings related to auditing, financial reporting, organizational governance, risk management, and control. The CAE’s attendance and participation at these meetings (i.e., having a “seat at the table”) provides an opportunity for the CAE to learn about strategic business and operational issues as well as share information concerning the plans and activities of the internal auditing function. The CAE should meet privately with the board at least annually. Attribute Standard 1111, “Direct Interaction With the Board,” and Implementation Guide 1111 provide specific guidance for this communication.
• Report to an individual at the senior management level with sufficient authority to promote independence and to ensure broad audit coverage. The individual the CAE reports to should have sufficient authority and stature to ensure the effectiveness of the audit function. Further, this individual should have an appropriate control and governance mindset to assist the CAE in his or her role and the time and interest to actively support the CAE on audit issues. Lastly, this person should understand the nature of the functional reporting relationship and support it.
• Report directly to the audit committee (or its equivalent). The internal audit function provides information and assurance to the audit committee on internal controls, risk management activities, and governance processes. Best practices for the CAE to maintain an effective relationship between the audit committee and the internal auditing function are to:
  • Send periodic communications on risks faced by the organization to the audit committee (consistent with CAE communications sent to senior management).
  • Help the audit committee ensure that the committee’s charter, activities, and processes are appropriate.
  • Ensure that the charter, role, and activities of internal auditing are clearly understood and responsive to the needs of the audit committee and the board.
  • Maintain open and effective communications with the audit committee and the chairperson.
  • Provide training, when appropriate, to the audit committee on risk and internal control.
Another essential component is a direct channel of communication with the audit committee. Provisions should be in place for the CAE to:
• Have open and direct access to both the audit committee chair and committee members.
• Attend audit committee meetings to present the audit plan, report on the results of major audits and key audit findings or other matters, and discuss internal auditing’s observations on risk and internal controls in the organization.
• Have out-of-session communications with the audit committee chairperson, particularly in the case of critical circumstances such as serious fraud and other material risk events (emerging risks, safety).
To further reinforce the independence and nature of this reporting relationship, the CAE should be allowed to meet privately with the audit committee or its equivalent without management present and circulate confidential memos or reports only to the audit committee. Ultimately, the CAE and the internal auditors, the audit committee, and the board of directors are all interdependent. They should be mutually accessible and supportive. With this reciprocity in place, the internal auditors can provide objective opinions, information, support, and education to the audit committee and the audit committee can provide appropriate oversight and validate internal auditing activities.
Topic B: Impairments to Independence (Level B)
Many factors, intentional or not, can be impairments to independence and/or objectivity. According to the Standards Glossary:
Impairment to organizational independence and individual objectivity may include personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations (funding).
As stated in Standard 1130, if independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to the appropriate parties. Who is deemed as “appropriate parties” is dependent on the expectations of the internal audit activity as described in the charter, the CAE’s reporting responsibilities, and the nature of the impairment itself.
Recognizing Impairments
To fully understand and appreciate independence, internal auditors need to consider the perspectives of their various stakeholders and the conditions that could be perceived as undermining independence. Often, the CAE will develop an internal audit policy manual or handbook that includes a discussion of organizational independence and internal auditor objectivity, the nature of impairments, and how internal auditors should handle potential impairments. It may also describe the types of situations that could create, or appear to create, impairments and may specify the actions the internal auditor should undertake if faced with a potential impairment. Recommended guidance found in Implementation Guide 1130, “Impairment to Independence or Objectivity,” states:
Impairment situations generally include self-interest, self-review, familiarity, bias, or undue influence.
Internal audit examples of organizational independence impairments include the following:
• The CAE has broader functional responsibility than internal audit and executes an audit of a functional area that is also under the CAE’s oversight.
• The CAE’s supervisor has broader responsibility than internal audit, and the CAE executes an audit within his or her supervisor’s functional responsibility.
• The CAE does not have direct communication or interaction with the board.
• The budget for the internal audit activity is reduced to the point that internal audit cannot fulfill its responsibilities as outlined in the charter.
Mitigating Efforts
Certain actions can help to keep impairments from undermining auditor independence or resulting in compromised interests that influence an auditor’s judgment or opinions. Internal auditors are to report to the CAE any situations in which an actual or potential impairment to independence may reasonably be inferred or if they have questions about whether a situation constitutes an impairment to independence. They should report any offers of material fees or gifts immediately to their supervisors. If the CAE determines that impairment exists or may be inferred, he or she needs to reassign the auditor(s).
Another impairment situation that could occur and that should be mitigated is a scope limitation, which is a restriction placed on the internal audit activity that precludes the activity from accomplishing its objectives and plans. Among other things, a scope limitation may restrict the:
• Scope defined in the internal audit charter.
• Internal audit activity’s access to records, personnel, and physical properties relevant to the performance of engagements.
• Approved engagement work schedule.
• Performance of necessary engagement procedures.
• Approved staffing plan and financial budget.
A scope limitation, along with its potential effect, needs to be communicated, preferably in writing, to the board. The CAE needs to consider whether it is appropriate to inform the board regarding scope limitations that were previously communicated to and accepted by the board. This may be necessary particularly when there have been organization, board, senior management, or other changes.
Topic C: Auditor Objectivity (Level P)
Objectivity refers to an internal auditor’s impartial and unbiased mindset, which is facilitated by avoiding conflicts of interest. The interpretation of Standard 1120, “Individual Objectivity,” states:
Conflict of interest is a situation in which an internal auditor, who is in a position of trust, has a competing professional or personal interest. Such competing interests can make it difficult to fulfill his or her duties impartially. A conflict of interest exists even if no unethical or improper act results. A conflict of interest can create an appearance of impropriety that can undermine confidence in the internal auditor, the internal audit activity, and the profession. A conflict of interest could impair an individual’s ability to perform his or her duties and responsibilities objectively.
To implement this standard, the CAE will first want to understand policies or activities in the organization and in internal audit that could enhance or hinder an objective mindset. The internal auditing activity has different constituencies for its services. Organizational executives, the board, operations management, and the audit committee are just some of the prospective customers (clients) in a single enterprise. Despite an organization’s best intentions for strategic synergies across functions, different clients may have different interests. For example, senior-level executives may have bonuses tied to bottom-line performance. Operations may be focused on audit results that can help improve operational performance. The audit committee’s principal focus may be on control activities and risk management. Further complicating the situation is the fact that the CAE (and by extension, the internal audit activity) reports administratively to senior management but must also review management. Despite these potentially conflicting interests, an internal auditor must maintain objectivity—an independent mental attitude—in performing engagements.
Recognizing Impairments
As noted previously in this section, the CAE should document expectations and requirements around maintaining objectivity. Many policy manuals or handbooks will include descriptions of the types of situations that could create impairments. Recommended guidance found in Implementation Guide 1130, “Impairment to Independence or Objectivity,” provides examples of objectivity impairments, including situations in which:
• An internal auditor audits an area in which he or she recently worked, such as when an employee transfers into internal audit from a different functional area of the organization and then is assigned to an audit of that function.
• An internal auditor audits an area where a relative or close friend is employed.
• An internal auditor assumes, without evidence, that an area being audited has effectively mitigated risks based solely on a prior positive audit or personal experience.
• An internal auditor modifies the planned approach or the results based on the undue influence of another person, often someone senior to the internal auditor, without appropriate justification.
Often, the internal audit policy manual describes the appropriate actions for an internal auditor to take should he or she become aware of, or concerned about, such impairments. Typically, the first step is to discuss the concern with an internal audit manager or the CAE to determine whether the situation is truly an impairment and how best to proceed.
Maintaining Individual Objectivity
Policies and ongoing assessment of individual objectivity set the stage for an internal auditor to perform his or her duties objectively. Additional best practices for perpetuating individual objectivity include the following actions:
• The CAE should periodically query the internal auditing staff about potential conflicts of interest and bias.
• Internal auditor staff assignments should be rotated periodically whenever it is practical to do so.
• An internal auditor should not accept a fee, gift, or entertainment from an employee, client, customer, supplier, or business associate. Objectivity must be maintained in fact and in appearance. Promotional items (such as pens, calendars, or samples) that are available to employees and the general public and that have minimal value should not hinder internal auditors’ professional judgments. Likewise, accepting a lunch invitation or allowing someone to buy lunch should not compromise an internal auditor’s objectivity. In assessing objectivity, consider what is “reasonable” versus what could be perceived as a conflict of interest.
Topic D: Promoting Objectivity (Level P)
To manage internal audit objectivity effectively, the CAE should establish expectations and requirements for every internal auditor, including:
• Understanding of the critical importance of objectivity to the internal audit profession.
• Typical situations that could undermine objectivity.
• Actions the internal auditor should take if he or she becomes aware of a current or potential objectivity concern.
• Reporting requirements (for example, requiring each internal auditor to periodically consider and disclose conflicts of interest).
Policies That Promote Objectivity
Many organizations have employee conflict-of-interest policies. Internal audit will often customize such policies to address internal audit roles specifically and may have other relevant departmental policies. The CAE will want to understand the nature of relevant policies and consider their potential impact on internal audit objectivity. Internal auditors should have no personal or professional involvement with or allegiance to the area being audited and should maintain an unbiased and impartial mindset in regard to all engagements. Establishing the following policies can help to promote such objectivity:
• Standard 1130.A1 states that “internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.” Creating a policy that restricts these assignments can eliminate situations that could influence auditors’ judgment or opinion.
• A policy should be in place that endorses the internal auditor’s commitment to abiding by the Code of Ethics, avoiding conflicts of interest, and disclosing any activity that could result in a possible conflict of interest.
• Internal auditors should not subordinate their judgment on audit matters to that of others.
• Internal auditors should perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made.
• Internal auditors should not be placed in situations in which they feel unable to make objective professional judgments.
• Staff assignments should be made so that potential and actual conflicts of interest and bias are avoided.
Reinforcing Policies Through Training
To reinforce the importance of these policies and help ensure that all internal auditors internalize this importance, many CAEs hold routine workshops or training on these fundamental concepts. Such training sessions will often allow internal auditors to better understand objectivity by considering objectivity-impairing scenarios and how best to address them. For example, more-senior auditors and managers may share personal experiences where objectivity was called into question or where they self-disclosed a relationship or experience that was a conflict. Another common training topic is professional skepticism. Such training reinforces the nature of skepticism and the criticality of avoiding bias and maintaining an open and curious mindset. Maintaining professional skepticism ensures that internal auditors don’t make undue assumptions about the validity of “support” such as verbal explanations from management or other information received without an appropriate level of objective verification of such support.
Ongoing Assessment of Individual Objectivity
However well-intended, policies and training cannot provide total assurance of objectivity. Ongoing assessment can help to ensure that objectivity has not been compromised during an engagement. A best practice is for the CAE, or another individual in a supervisory capacity for the internal audit activity, to review the results of the internal audit work before the related engagement communications are released. For example, consider the appropriate action for an auditor who has been promoted within an operating department, soon thereafter moves to the internal audit activity, and is then asked to complete an internal audit of that department. Where timing and logistics allow, or where a conflict of interest or bias may reasonably be inferred, the recommended guidance in Implementation Guide 1130 is that the auditor should not continue on an audit of that department and the CAE should reassign the auditor.
Next Steps You have completed Part 1, Section II, of The IIA’s CIA Learning System®. Next, check your understanding by completing the online section-specific test(s) to help you identify any content that needs additional study. Once you have completed the section-specific test(s), a best practice is to reread content in areas you feel you need to understand better. Then you should advance to studying Section III. You may want to return to earlier section-specific tests periodically as you progress through your studies; this practice will help you absorb the content more effectively than taking a single test multiple times in a row.
Build 08/24/2018 15:39 p.m.
Section III: Proficiency and Due Professional Care
This section is designed to help you:
• Identify and describe the required knowledge, skills, and competencies for an internal audit activity and how an organization develops and/or procures them.
• Identify and describe the required knowledge, skills, and competencies that an internal auditor needs to possess to perform his/her individual responsibilities.
• Explain how to exercise due professional care in an internal audit activity.
• Describe the importance of professional development and formal certification for internal auditors.
• Explain how an individual internal auditor’s competency is demonstrated through continuing professional development.
The Certified Internal Auditor (CIA) exam questions based on content from this section make up approximately 18% of the total number of questions for Part 1. One of the topics is covered at the “B—Basic” level, meaning that you are responsible for comprehension and recall of information. (Note that this refers to the difficulty level of questions you may see on the exam; the content in these areas may still be complex.) The other topics are covered at the “P—Proficient” level, meaning that you are responsible not only for comprehension and recall of information but also for higher-level mastery, including application, analysis, synthesis, and evaluation.
Section Introduction
Standard 1200, “Proficiency and Due Professional Care,” states that performing engagements with proficiency and due professional care is the responsibility of every internal auditor. Proficiency is a collective term that refers to the knowledge, skills, and other competencies required of internal auditors in order for them to effectively carry out their professional responsibilities. Proficiency encompasses consideration of current activities, trends, and emerging issues to enable auditors to provide relevant advice and recommendations. Internal auditors usually develop proficiency via education, experience, professional development opportunities, and qualifications such as earning this certification, the Certified Internal Auditor® (CIA®). It is important to note that attaining this level of proficiency is not a one-time event; often there are continuing education requirements for keeping professional certifications current. Due professional care involves comprehending the objectives and scope of audit engagements as well as the competencies that will be required to execute the audit work and any policies and procedures specific to the internal audit activity and the organization. It requires an understanding of the IPPF’s systematic and disciplined approach to internal auditing, which is supplemented by organization-specific policies and procedures established by the CAE. The CAE is responsible for ensuring conformance with this standard by the internal audit activity as a whole. As part of managing the internal audit activity, the CAE establishes policies and procedures that enable internal auditors to perform engagements with proficiency and due professional care. This involves the CAE’s recruitment and training of internal auditors as well as the proper planning, staffing, and supervising of engagements.
Topic A: Required Knowledge, Skills, and Competencies for the Internal Audit Activity (Level B)
Ultimately, the collective skills, knowledge, and competencies of the internal audit activity are critical components in completing the audit plan, achieving the overall mission of the activity, and delivering value-added services to the organization.
Related Standards and Implementation Guides
The Standards and Implementation Guides related to the required knowledge, skills, and competencies (proficiency) for the internal audit activity and the development or procurement of that proficiency are listed in Exhibit III-1.
Exhibit III-1: Proficiency Standards and Related Guidance
Standard: Attribute Standard 1200, “Proficiency and Due Professional Care.” Engagements must be performed with proficiency and due professional care.
Related guidance: Implementation Guide 1200, “Proficiency and Due Professional Care.”
Standard: Attribute Standard 1210, “Proficiency.” Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.
Standard: Implementation Standard 1210.A1 (Assurance Engagements). The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.
Standard: Implementation Standard 1210.A2 (Assurance Engagements). Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
Standard: Implementation Standard 1210.A3 (Assurance Engagements). Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.
Standard: Implementation Standard 1210.C1 (Consulting Engagements). The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.
Related guidance (Standard 1210 and its implementation standards): Implementation Guide 1210, “Proficiency.”
Required Internal Audit Activity Knowledge, Skills, and Competencies A successful internal auditing activity manages the audit process with the same commitment to standards, consistency, and control that other business processes practice. As such, internal audit must identify the specific knowledge, skills, and competencies that are required to enable auditors to fulfill the activity’s defined mission and responsibilities. • Knowledge is the body of information necessary to perform the internal audit activity.
Examples: The knowledge required to perform technical audits of an organization’s core business, conduct fraud investigations, or participate in systems development life cycle (SDLC) activities; the knowledge of internal audit elements.
• Skills are the levels of proficiency needed to perform the internal audit activity. Examples: Language or communication skills, audit extraction, data analytics system configuration and use.
• Competencies are the collective knowledge, skills, abilities, and personal attributes that can lead to exceptional performance. Examples: Using your professional knowledge of a business process or of risks and red flags of fraud along with your interviewing and interpersonal skills to assess if someone is lying to you.
Competencies are more than basic job knowledge, skills, and abilities. Job competencies are behaviors that are usually developed over time and represent the compilation of multiple abilities, traits, and knowledge required for success. Competencies are personal to the employee and can be taken from one audit engagement to another, from one position to another, and even from employer to employer. The ongoing success of an internal audit activity depends on the performance of the internal auditors. The CAE is responsible for determining the appropriate levels of education and experience for internal audit positions based upon the scope of work and the level of responsibility. Staffing is the general term used to describe the process of identifying human capital needs for the internal audit function—recruiting, selecting, developing, and deploying talent resources to meet those needs. In large organizations, the CAE may have the help of human resource management in staffing the internal audit function. In smaller organizations, the CAE may have more direct staffing responsibilities.
Staffing, sourcing, recruitment, selection (hiring), development, and retention are interrelated processes that often overlap and complement one another. Various people will be at various points in the process. When these processes are performed adroitly, the internal audit staff should collectively possess the knowledge, skills, and competencies essential to the practice of the profession in the organization. An annual analysis of an audit department’s knowledge and skill sets should be performed to help identify areas of opportunity that can be addressed by continuing professional development, recruiting, and/or cosourcing. Exhibit III-2 shows a tool for evaluating staff professional proficiency. The tool is aligned with the Standards. Exhibit III-2: Evaluating Staff Professional Proficiency
Source: Adapted from Quality Assessment Manual, fifth edition.
Availability of Required Knowledge, Skills, and Competencies
Internal audit engagements may be staffed in different ways to help ensure that audits are performed by persons with the necessary knowledge, skills, and competencies:
• In-house auditing. Establishing a dedicated audit team with the requisite resources.
• Co-sourcing. A combination of internal staffing and external outsourcing in which an external provider supports the CAE and the dedicated audit team with supplementary specialist skills that might be too costly or complex to maintain in-house; this is considered a joint engagement and may be ongoing or used to fulfill specific terms.
• Total out-sourcing. Out-sourcing all of the internal audit activity to an external provider, usually on an ongoing basis. It should be noted that while many external providers of internal audit services bring in their own CAEs and many of these providers have satisfied customers, The IIA believes that the internal audit activity should never be fully outsourced but should be managed from within the organization, preferably by a CAE who is an employee. The organization cannot defer responsibility for the quality of the internal audit function, even if the function is fully out-sourced. The audit committee or other designated body needs functional oversight, and senior management needs to administer the function to ensure the ongoing quality and effectiveness of the out-sourced function.
• Subcontracting (also known as staff augmentation). Securing a specific individual to perform a specific engagement or part of some engagement, typically for a limited period of time; in-house audit staff typically provide management oversight for the engagement.
• Secondment. Borrowing an employee from another part of the organization to work in the audit activity for a specified period of time, generally from one to 24 months; commonly referred to as “guest auditors.” In such situations, it is important to pay close attention to guest auditor independence and objectivity, especially if audits include areas where the borrowed employee has been working.
Whichever staffing method is used, the high standards for audit performance cannot be compromised. The CAE must ensure that auditors assigned to an internal audit activity have the requisite ability to proficiently execute an independent, objective assurance or consulting activity. The CAE should request assistance or even consider turning down an engagement if the staff or skills required for the engagement are not available.
Procuring Additional Resources for the Internal Audit Activity
Co-sourcing and out-sourcing are necessary when unique competencies and specialty skills are not available in-house to fulfill an internal audit activity or when key risks need to be addressed and the internal audit activity does not have the necessary resources at present. Implementation Guide 2030, “Resource Management,” states that to fill gaps related to the internal audit staff’s knowledge, skills, and competencies, the CAE may hire an external service provider. This is a person or firm, independent of the organization, who has special knowledge, skill, and experience in a particular discipline. External service providers include actuaries, accountants, appraisers, culture or language experts, environmental specialists, fraud investigators, lawyers, engineers, geologists, security specialists, statisticians, information technology specialists, the organization’s external auditors, and other audit organizations. An external service provider may be engaged by the board, senior management, or the CAE. Planning or accepting assignments that cannot be staffed competently can potentially expose the organization to inadequate evaluation of the effectiveness of governance, risk management, and control processes. Additionally, accepting such assignments does not adhere to the Code of Ethics and Attribute Standard 1210, “Proficiency.” Providing such false assurance can also weaken the internal audit function’s reputation and credibility, both of which are vital to enable the function to provide the highest level of quality and best value to the organization and its stakeholders.
Why Co-Source or Out-Source?
Generally speaking, co-sourcing and out-sourcing allow an organization to capitalize on the expertise of other individuals or firms. In internal auditing, the distinction between the two is the degree to which the internal audit is contracted out. Co-sourcing is an arrangement where an external provider supplements the primarily in-house based internal audit function; out-sourcing pays an outside firm to perform the internal audit function. Several general advantages and disadvantages of co-sourcing and outsourcing an internal audit activity are shown in Exhibit III-3.
Exhibit III-3: Advantages and Disadvantages of Co-Sourcing and Out-Sourcing
Advantages
• Frees internal resources for other activities
• Provides flexibility (by allowing internal resources to complete other projects)
• Can improve efficiency and effectiveness (by gaining outside expertise)
• Can reduce expenses (extends staff capabilities without incurring fixed staffing/benefit costs)
• Can provide coverage of remote locations
• May improve the quality and/or timeliness of the internal audit activity
• Can provide additional skill sets not currently within the department
Disadvantages
• Can be costly to go outside for specific expertise
• Can represent a potential lost opportunity for developing in-house capabilities and expertise such as process control
• Has potential to undermine staff morale in co-sourcing situations
• Requires heightened awareness of the responsibility and need for active, ongoing oversight and coordination to manage the relationship
• Can entail additional potential privacy and confidentiality issues and considerations
• Can create a lost opportunity for internal auditing activities as a training ground for internal promotions
CAE’s Responsibilities for Outside Service Providers
The CAE has an important role when an outside service provider is retained. The CAE determines that the external service provider possesses the necessary knowledge, skills, and other competencies to perform the engagement by considering:
• Professional certification, license, or other recognition of the external service provider’s competence in the relevant discipline.
• Membership of the external service provider in an appropriate professional organization and adherence to that organization’s code of ethics.
• The reputation of the external service provider. This may include contacting others familiar with the external service provider’s work.
• The external service provider’s experience in the type of work being considered.
• The extent of education and training received by the external service provider in disciplines that pertain to the particular engagement.
• The external service provider’s knowledge and experience in the industry in which the organization operates.
The CAE needs to assess the relationship of the external service provider to the organization and to the internal audit activity to ensure that independence and objectivity are maintained throughout the engagement. In performing the assessment, the CAE verifies that there are no financial, organizational, or personal relationships that will prevent the external service provider from rendering impartial and unbiased judgments and opinions when performing or reporting on the engagement. To ascertain that the scope of work is adequate for the purposes of the internal audit activity, the CAE obtains sufficient information regarding the scope of the external service provider’s work. It may be prudent to document these and other matters in an engagement letter or contract. To accomplish this, the CAE reviews the following with the outside service provider:
• Objectives and scope of work, including deliverables and time frames.
• Specific matters expected to be covered in the engagement communications.
• Access to relevant records, personnel, and physical properties.
• Information regarding assumptions and procedures to be employed.
• Ownership and custody of engagement working papers, if applicable.
• Confidentiality and restrictions on information obtained during the engagement.
• Where applicable, conformance with The IIA’s Standards and the internal audit activity’s standards for working practices; this conformance requirement should be referenced in the engagement letter or contract.
Special Considerations for Detecting/Investigating Fraud
Fraud is an area where the services of outside experts are often retained. As noted in Implementation Standard 1210.A2 (Assurance Engagements): Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
Internal auditors should look for the key indicators of fraud within each business function or process. Fraud is defined and discussed further in Section VI. More detailed information is available in “Managing the Business Risk of Fraud, A Practical Guide,” available from the IIA website.
Special Considerations for Information Technology Information technology is another area where the services of outside experts are often retained. However, all internal auditors are required to have an understanding of information technology. The IIA provides IT guidance through the Guide to the Assessment of IT Risk (GAIT) and the Global Technology Audit Guide® (GTAG®) series of Practice Guides. As noted in Implementation Standard 1210.A3 (Assurance Engagements): Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.
Topic B: Required Knowledge, Skills, and Competencies for the Internal Auditor (Level P)
Requisite knowledge, skills, and other competencies for an internal auditor include:
• Proficiency in internal audit standards, procedures, and techniques required in performing engagements.
• Proficiency in accounting principles and techniques (for those auditors working extensively with financial records and reports).
• An understanding of management principles and good business practices so deviations can be recognized and evaluated.
• An appreciation of subjects such as accounting, economics, commercial law, taxation, finance, quantitative methods, and information technology, depending on the nature of the organization.
Internal auditors should also have an understanding of human relations and possess the ability to effectively communicate and deal with engagement clients. Oral and written communications skills are necessary so that the internal auditor can clearly and effectively convey items such as engagement objectives, evaluations, conclusions, and recommendations. Performance Standard 2420, “Quality of Communications,” states, “Communications must be accurate, objective, clear, concise, constructive, complete, and timely.” The interpretation tells us:
Accurate communications are free from errors and distortions and are faithful to the underlying facts. Objective communications are fair, impartial, and unbiased and are the result of a fair-minded and balanced assessment of all relevant facts and circumstances. Clear communications are easily understood and logical, avoiding unnecessary technical language and providing all significant and relevant information. Concise communications are to the point and avoid unnecessary elaboration, superfluous detail, redundancy, and wordiness. Constructive communications are helpful to the engagement client and the organization and lead to improvements where needed. Complete communications lack nothing that is essential to the target audience and include all significant and relevant information and observations to support recommendations and conclusions. Timely communications are opportune and expedient, depending on the significance of the issue, allowing management to take appropriate corrective action.
Other essential skill sets include an in-depth knowledge of the organization’s industry and internal audit standards and best practices, technical understanding and expertise, and knowledge and skills for implementing and improving processes in both financial and operational areas.
The IIA Global Internal Audit Competency Framework
The IIA Global Internal Audit Competency Framework (the Framework) defines the competencies needed to meet the requirements of the International Professional Practices Framework. Compiled by a task force of IIA volunteers and subject matter experts, the Framework provides a detailed view of the expertise required by internal auditors. The current Framework is a working model that will change and grow over time. It is posted online at https://na.theiia.org/about-us/aboutia/Pages/Competency-Framework.aspx. In the Framework, each of ten core competency areas is supported by a list of more detailed competencies. Each competency statement is categorized by internal auditing role: staff, manager, or CAE. While the competencies have been defined individually, it should be understood that there are connections and interdependencies among them. The ten core competencies include the following:
• Professional ethics. Trust is enhanced when professionals are governed by rules for ethical behavior. As we learned earlier, The IIA’s Code of Ethics provides specific guidance around the principles of integrity, objectivity, confidentiality, and competency, and internal auditors must abide by this guidance in order to promote and uphold an ethical culture within the profession.
• Internal audit management. Internal auditors develop and manage all aspects of the internal audit function, coordinating all engagement activities to achieve the defined objectives.
• International Professional Practices Framework. The nature of internal auditing, its role in the organization, and the requirements for professional practice are contained in the International Professional Practices Framework. Internal auditors apply the IPPF to work within a globally agreed set of core principles and standards. This exemplifies quality and continuous improvement of the internal audit activity.
• Governance, risk, and control. The profession of internal audit is fundamentally concerned with evaluating an organization’s management of risk. To do this, internal auditors assess the quality of risk management processes and systems and internal control and corporate governance processes. Auditors must have a thorough understanding of governance, risk, and control appropriate to the organization.
• Business acumen. Internal audit practitioners must understand the organization and its employees, processes, and culture. The successful internal auditor maintains expertise regarding the business environment, industry practices, and specific organizational factors.
• Communication. Successful auditors are effective communicators, clearly conveying thoughts, ideas, and suggestions during meetings, presentations, interviews, and negotiations with audit customers and executives. Internal auditors must understand criteria for communicating, implement quality communications, and follow the communication process.
• Persuasion and collaboration. Internal auditors persuade and motivate others through collaboration, teamwork, and cooperation.
• Critical thinking. In order to create value for the organization, internal auditors must apply a critical thinking approach to internal audit, a level beyond basic operational audits. This involves analyzing a situation or task for the development of supportable conclusions (applying process analysis, business intelligence, and problem-solving techniques) and conveying the assessed results in a logical manner.
• Internal audit delivery. Effective management of internal audit engagements includes the use of strategies, tactics, and tools throughout the process.
• Improvement and innovation. Innovation in internal auditing is both crucial for its growth and necessary in meeting the ever-changing needs of stakeholders. Internal audit should find ways to be more forward-looking by embracing change and driving improvement and innovation.
Exhibit III-4 depicts the structure of the Framework and how the core competencies relate to each other.
Exhibit III-4: Competency Framework Structure
Professional ethics and internal audit management provide a firm foundation for the delivery of internal audit. In order to provide an effective audit service, internal auditors need to operate according to high ethical standards and coordinate the resources and activities of the internal audit function.
The principal points of focus of an internal auditor’s expertise are the IPPF; governance, risk, and control; and business acumen. The IPPF is the primary source of the Standards for internal audit that the IIA provides to all internal auditors around the world. Additionally, internal auditors require technical expertise in governance, risk, and control to inform their work and help organizations accomplish their objectives. Business acumen—in the form of understanding the client organization, its culture, the way it works, the sector it operates in, and the local and global factors that act upon it—is another essential prerequisite that enables internal auditors to provide effective assurance and advisory services and so add value to the organization. Internal auditors need to be competent in communication, persuasion and collaboration, and critical thinking in order to deliver internal audit engagements, and they need to drive improvement and innovation in an organization. It is important to note that the Framework is intended to form a foundation that can be adapted and applied by practitioners, line managers, HR professionals, trainers, and others. Given the diversity of professional practice globally, there are practical difficulties in devising a framework that can be regarded as both fully comprehensive and universally applicable. As such, this Framework should be used as a guide.
Topic C: Due Professional Care (Level P)

Due professional care calls for the application of the care and skill that would be expected of a reasonably prudent and competent internal auditor in the same or similar circumstances. Internal auditors are expected to act responsibly in all professional situations. This includes taking the appropriate actions when confronted with challenges, such as investigating suspicious activities rather than ignoring them.
Related Standards and Implementation Guides

The Standards and Implementation Guides related to due professional care are listed in Exhibit III-5.

Exhibit III-5: Due Professional Care Standards and Related Guidance

Standard: Attribute Standard 1200, “Proficiency and Due Professional Care”
Engagements must be performed with proficiency and due professional care.
Related Guidance: Implementation Guide 1200, “Proficiency and Due Professional Care”

Standard: Attribute Standard 1220, “Due Professional Care”
Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

Implementation Standard 1220.A1 (Assurance Engagements)
Internal auditors must exercise due professional care by considering the:
• Extent of work needed to achieve the engagement’s objectives.
• Relative complexity, materiality, or significance of matters to which assurance procedures are applied.
• Adequacy and effectiveness of governance, risk management, and control processes.
• Probability of significant errors, fraud, or noncompliance.
• Cost of assurance in relation to potential benefits.

Implementation Standard 1220.A2 (Assurance Engagements)
In exercising due professional care, internal auditors must consider the use of technology-based audit and other data analysis techniques.

Implementation Standard 1220.A3 (Assurance Engagements)
Internal auditors must be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.

Implementation Standard 1220.C1 (Consulting Engagements)
Internal auditors must exercise due professional care during a consulting engagement by considering the:
• Needs and expectations of clients, including the nature, timing, and communication of engagement results.
• Relative complexity and extent of work needed to achieve the engagement’s objectives.
• Cost of the consulting engagement in relation to potential benefits.
Related Guidance: Implementation Guide 1220, “Due Professional Care”
Exercising Due Professional Care

Due professional care is exercised when internal audits are performed in accordance with the Standards. Exercising due professional care during an internal audit requires that:

• Internal auditors be independent of the activities they audit.
• Internal audits be performed by those persons who collectively possess the necessary knowledge, skills, and disciplines to conduct the audit properly and objectively.
• Audit work be planned and supervised properly.
• Audit reports be objective, clear, concise, constructive, and timely.
• Internal auditors follow up on reported audit findings to ascertain that appropriate action was taken.

Implementation Guide 1220, “Due Professional Care,” tells us that due professional care implies reasonable care and competence, not infallibility or extraordinary performance. As such, due professional care requires the internal auditor to conduct examinations and verifications to a reasonable extent. Internal auditors cannot give absolute assurance that noncompliance or irregularities do not exist. Nevertheless, the possibility of material irregularities or noncompliance needs to be considered whenever an internal auditor undertakes an internal audit assignment. In exercising due professional care, an internal auditor should:

• Apply the care and skill appropriate to the complexities of the engagement being performed.
• Be alert to the possibility of intentional wrongdoing, errors and omissions, inefficiency, waste, ineffectiveness, and conflicts of interest.
• Be alert to those conditions and activities where irregularities are most likely to occur.
• Identify inadequate controls and recommend improvements to promote compliance with acceptable procedures and practices.
Due Professional Care in Assurance Engagements

What constitutes due professional care in assurance engagements? One principal factor is the extent of work needed to achieve the engagement objectives. (Engagement objectives are “broad statements developed by internal auditors that define intended engagement accomplishments” [Standards Glossary].)

The nature of the processes being evaluated is also important. For example, evaluating the adequacy and effectiveness of governance, risk management, and control processes shapes due professional care for an engagement. In exercising due professional care during assurance engagements, auditors need to consider the probability of significant errors, irregularities, or noncompliance as well as the cost of assurance in relation to potential benefits. Two Implementation Standards that specifically address this concept—1220.A2 and 1220.A3—are described in the introduction to this topic.

Examples of due professional care principles for assurance engagements include a(n):

• Working knowledge of The IIA’s Standards.
• Understanding of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework of internal control. (This is discussed in Section V.)
• Awareness of organizational objectives, goals, and strategies.
• Knowledge of the internal audit activity’s systematic and disciplined approach to evaluating organizational governance, risk management, and control processes.

Examples of not exercising appropriate due professional care include:

• The failure to recognize an indicator—or red flag—of fraud (within reason), such as an employee never taking a vacation.
• Performing an internal audit of each department in an organization every three years without regard to the risks or importance of the department.
• Not performing stated work or properly documenting conclusions.
Due Professional Care in Consulting Engagements

Some of the same considerations shaping due professional care in assurance engagements apply to consulting engagements (the relative complexity and the extent of the work needed to achieve the engagement’s objectives and the costs in relation to potential benefits). The needs and expectations of clients have increased significance. Regarding due professional care in consulting engagements, the internal auditor should understand the:

• Needs of management officials, including the nature, timing, and communication of engagement results.
• Possible motivations and reasons of those requesting the service.
• Skills and resources needed to conduct the engagement.
• Effect on the scope of the audit plan previously approved by the audit committee.
• Potential impact on future audit assignments and engagements.
• Potential organizational benefits to be derived from the engagement.

Examples of due professional care principles for consulting engagements include:

• A working knowledge of The IIA’s Standards.
• An understanding of the organizational objective(s) for the consulting engagement.
• Providing objective comments about the proposed process or activity.

Performing an engagement without any knowledge or experience in the consulting subject and without supervision exemplifies a lack of due professional care.
Topic D: Continuing Professional Development (Level P)

Continuing professional development is the means by which members of a profession maintain, improve, and broaden the knowledge, skills, and competence required in their professional lives.

Related Standard and Implementation Guide

The Standard and the Implementation Guide related to continuing professional development for internal auditors are listed in Exhibit III-6.

Exhibit III-6: Continuing Professional Development Standard and Related Guidance

Standard: Attribute Standard 1230, “Continuing Professional Development”
Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development.
Related Guidance: Implementation Guide 1230, “Continuing Professional Development”
Promoting Continuing Professional Development

Best practices indicate that organizations should promote professional development and formal certification of internal auditing staff. Implementation Guide 1230, “Continuing Professional Development,” takes this to the next level and states:

The individual internal auditor is responsible for conforming with Standard 1230. This includes continuing their education to enhance and maintain their proficiency. Internal auditors need to stay informed about improvements and current developments in internal audit standards, procedures, and techniques, including The IIA’s International Professional Practices Framework (IPPF) guidance.

Any topics that develop or enhance an auditor’s proficiency contribute to continuing education. This may include specialized training in business processes, audit techniques, interpersonal skills, communication skills, and related topics. Development may be accomplished through a variety of actions, such as:

• Occupational assignments.
• Mentoring.
• Networking.
• Training (knowledge and skill acquisition and development through in-house or external sources).
• Participation in research projects.
• Collective wisdom derived from analyzing or synthesizing information, etc.
• Formal education (such as college courses).
• Attendance at conferences.
• Membership and participation in professional societies.
• Certification and recertification.

A large organization may have the resources, facilities, and budget to conduct in-house training. Some organizations may reimburse employees for participation in external offerings. Individuals may have specific learning style preferences (e.g., self-study, seminar, or online). The one constant is the need for ongoing learning in internal auditing.
Training Resources from The IIA

The IIA is known as the profession’s chief educator and a global leader in professional development. Extensive educational offerings (such as the materials you are now reading) make it easy for internal auditing professionals to meet the value expectations of their employers and exceed performance standards. Opportunities exist for individuals new to internal auditing, experienced auditors, and individuals in related professions. Exhibit III-7 summarizes these training and education offerings.

Exhibit III-7: The IIA’s Training and Education Offerings

Offering: Seminars
Description: The IIA offers a variety of seminar topics and format options to meet individual and organizational training needs. Public seminars are scheduled throughout the year in hotels and other conference spaces. Attendees are from many different organizations. On-site seminars are held at chapter or organizational locations. They are scheduled for specific training purposes and organizations.

Offering: Conferences
Description: Industry-specific conferences provide the opportunity to learn the latest audit trends, tools, and techniques; to network with peers; and to gain valuable knowledge from exhibitors.

Offering: Web-based training
Description: The IIA’s web-based training programs allow individuals to learn any place they have access to a computer—at work, at home, or on the road—all available on demand.

Offering: Vision University
Description: This IIA executive development training program is designed exclusively for CAEs who want to take their organization to a new level of excellence.
For specific information on The IIA’s training and education opportunities, visit The IIA’s website at www.theiia.org.
Certification and Recertification

Internal auditors can greatly enhance their professional development by obtaining appropriate professional certification. Certification is the systematic measurement of characteristics such as education and experience that results in recognition of an individual as one who meets the suggested knowledge and other minimum requirements for a position or a profession. Certification may result from one or more of the following achievements:

• Graduation from an accredited or approved training program
• Completion of a specified amount or type of work experience
• Acceptable performance on a qualifying examination

Earning The IIA’s Certified Internal Auditor® (CIA®) certification symbolizes competency and achievement in and commitment to the internal auditing profession. Most certification programs require that holders of a certification credential demonstrate continuing competence. Recertification is the term used to describe policies requiring demonstration of ongoing compliance with certain criteria. To keep a credential valid, certified individuals must submit to certain evaluative processes to demonstrate continuing competence. Typically, recertification requires a level of continuing professional education (CPE) received every one to five years. CIAs are required to obtain at least 40 hours annually to meet the CPE requirements for maintaining certification.

Why should internal auditors consider certification and the recertification process? The primary benefits are to:

• Demonstrate mastery of a defined body of knowledge.
• Enhance professional credibility and prestige.
• Demonstrate mastery of professional practice standards.
• Facilitate professional development.
• Stay current in a practice area.
Next Steps

You have completed Part 1, Section III, of The IIA’s CIA Learning System®. Next, check your understanding by completing the online section-specific test(s) to help you identify any content that needs additional study. Once you have completed the section-specific test(s), a best practice is to reread content in areas you feel you need to understand better. Then you should advance to studying Section IV. You may want to return to earlier section-specific tests periodically as you progress through your studies; this practice will help you absorb the content more effectively than taking a single test multiple times in a row.
Section IV: Quality Assurance and Improvement Program

This section is designed to help you:

• Describe the required elements of a quality assurance and improvement program.
• Describe the requirement of reporting the results of the quality assurance and improvement program to the board or other governing body.
• Identify appropriate disclosure of conformance versus nonconformance with The IIA’s International Standards for the Professional Practice of Internal Auditing.
The Certified Internal Auditor (CIA) exam questions based on content from this section make up approximately 7% of the total number of questions for Part 1. All of the topics are covered at the “B—Basic” level, meaning that you are responsible for comprehension and recall of information. (Note that this refers to the difficulty level of questions you may see on the exam; the content in these areas may still be complex.)
Section Introduction

Organizations are continually changing. Operations undergo refinement, and internal processes change and evolve. As an organization changes, auditing services must keep pace. How can the internal auditor meet ever-changing management needs for auditing services and still ensure the highest-quality audit activity results? To ensure the consistent quality of internal audit activities, the internal audit function is required to have a quality assurance and improvement program (QAIP) in place. Attribute Standard 1300, “Quality Assurance and Improvement Program,” outlines the requirements for a QAIP. It requires the CAE to “develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.” The interpretation of this standard explains that:
A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity’s conformance with the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement. The chief audit executive should encourage board oversight in the quality assurance and improvement program.
Implementation Guide 1300 states that a QAIP should have the “ultimate goal of developing an internal audit activity with a scope and quality of work that includes conformance with the Standards and application of the Code of Ethics.” It states that the CAE is accountable for implementing processes designed to provide reasonable assurance to the various stakeholders that the internal audit activity:

• Performs in accordance with the internal audit charter, which is consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards.
• Operates in an effective and efficient manner.
• Is perceived by those stakeholders as adding value and improving the organization’s operations.

These processes include appropriate supervision, periodic internal assessments and ongoing monitoring of quality assurance, and periodic external assessments.

An internal audit department that is fully out-sourced is still required to have a QAIP, even if the out-sourcing provider has completed one for its own overall activities. For example, an audit firm that provides internal audit services to multiple clients completes a QAIP for its activities annually, but each of its internal audit clients needs one as well. Standard 2070, “External Service Provider and Organizational Responsibility for Internal Auditing,” states, “When an external service provider serves as the internal audit activity, the provider must make the organization aware that the organization has the responsibility for maintaining an effective internal audit activity.” According to interpretation, “This responsibility is demonstrated through the quality assurance and improvement program, which assesses conformance with the Code of Ethics and the Standards.”

To implement Standard 1300, the CAE must consider requirements related to its five essential components:

• Internal assessments
• External assessments
• Communication of QAIP results
• Proper use of a conformance statement
• Disclosure of nonconformance

Each of these components is described in this section.
Related Standards and Recommended Guidance

The Standards, Implementation Guides, and Practice Guides related to quality assurance and improvement of the internal audit activity are listed in Exhibit IV-1.

Exhibit IV-1: QAIP Standards and Related Recommended Guidance

Standard: Attribute Standard 1300, “Quality Assurance and Improvement Program”
The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.
Related Guidance: Implementation Guide 1300, “Quality Assurance and Improvement Program”; Practice Guide, “QAIP to Help IA Functions Achieve and Maintain Quality”

Standard: Attribute Standard 1310, “Requirements of the Quality Assurance and Improvement Program”
The quality assurance and improvement program must include both internal and external assessments.
Related Guidance: Implementation Guide 1310, “Requirements of the Quality Assurance and Improvement Program”

Standard: Attribute Standard 1311, “Internal Assessments”
Internal assessments must include:
• Ongoing monitoring of the performance of the internal audit activity.
• Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices.
Related Guidance: Implementation Guide 1311, “Internal Assessments”

Standard: Attribute Standard 1312, “External Assessments”
External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The chief audit executive must discuss with the board:
• The form and frequency of external assessment.
• The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest.
Related Guidance: Implementation Guide 1312, “External Assessments”

Standard: Attribute Standard 1320, “Reporting on the Quality Assurance and Improvement Program”
The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board.
Related Guidance: Implementation Guide 1320, “Reporting on the Quality Assurance and Improvement Program”

Standard: Attribute Standard 1321, “Use of ‘Conforms with the International Standards for the Professional Practice of Internal Auditing’ ”
Indicating that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing is appropriate only if supported by the results of the quality assurance and improvement program.
Related Guidance: Implementation Guide 1321, “Use of ‘Conforms with the International Standards for the Professional Practice of Internal Auditing’ ”

Standard: Attribute Standard 1322, “Disclosure of Nonconformance”
When nonconformance with the Code of Ethics or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the nonconformance and the impact to senior management and the board.
Related Guidance: Implementation Guide 1322, “Disclosure of Nonconformance”
Topic A: Key Elements of a QAIP (Level B)

Internal and External Assessments

QAIP elements include internal and external assessments. Care must be taken to identify appropriate performance measures for these assessments—measures that are aligned to the organization’s objectives and the internal audit charter and that target performance necessary to meet activity objectives. Exhibit IV-2 provides an overview of internal and external quality assessments.

Exhibit IV-2: QAIP Internal and External Assessments

Internal Quality Assessment
Description: Ongoing internal evaluations of the internal audit activity coupled with periodic self-assessments and/or reviews.
Purpose: To obtain objective evidence through ongoing internal reviews as well as through separate periodic self-assessments or reviews to support an assessment of the internal audit activity charter.
Performance: Conducted by persons in the organization’s internal audit activity. Supervised under the direction of the CAE. (Note: CAE involvement precludes total objectivity.)
Timing: Usually incorporated into the routine policies and practices used to manage the internal audit activity. May include ad hoc, special purpose reviews and compliance testing.

External Quality Assessment
Description: Evaluation of internal audit activity conformance to the Definition of Internal Auditing, the Code of Ethics, the Standards, the use of best practices, and internal audit activity efficiency and effectiveness.
Purpose: To assess the effectiveness of an internal audit activity in providing assurance and consulting services to stakeholders. To assess conformance to the mandatory guidance and provide an opinion as to whether the internal auditing activity generally conforms to all of the Standards. To identify opportunities and offer recommendations to the CAE and staff for improving performance and services and promoting the image and credibility of the internal audit function.
Performance: Conducted by qualified independent reviewer or review team from outside the organization.
Timing: At least once every five years.
Internal auditors should consult the related Standards and Implementation Guides for these types of QAIP assessments.
Internal Assessments

According to Attribute Standard 1311, “Internal Assessments,” internal assessments must include:

• Ongoing monitoring of the performance of the internal audit activity.
• Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices.

Interpretation of Standard 1311 tells us:

Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement of the internal audit activity. Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit activity and uses processes, tools, and information considered necessary to evaluate conformance with the Code of Ethics and the Standards. Periodic assessments are conducted to evaluate conformance with the Code of Ethics and the Standards. Sufficient knowledge of internal audit practices requires at least an understanding of all elements of the International Professional Practices Framework.
Ongoing internal assessments are practices put into place by the CAE to do routine evaluations of the practices and policies of performing individual audits. The type and amount of these assessments will vary depending on the nature of the organization. Specific processes and tools should be developed for each organization. Conclusions should be developed on an ongoing basis, and appropriate actions should be taken to improve the quality of the ongoing audit activities.

Periodic reviews are another important aspect of the internal assessment process. This is a scheduled self-assessment approach to determine whether the right activities are being performed and whether changes should be made to the internal audit practices and procedures in order to enhance the quality of the programs. This periodic self-assessment process is also used by many organizations to perform their own evaluation of conformance to the Standards. Many organizations use this type of review to perform their own evaluation before an external quality assessment is to be performed. Internal assessments should include:

• Routine and continuous supervision and testing of the performance of audit and consulting work.
• Ongoing measurements and analyses of performance metrics (e.g., audit plan accomplishment, cycle time, recommendations accepted, customer satisfaction).
• Periodic validations of compliance with applicable laws, regulations, and government or industry standards.
• Periodic validations of compliance with the Standards and Code of Ethics, including timely corrective actions to remedy any significant instances of noncompliance.
• Evaluation of the adequacy of the internal audit activity’s charter, goals, objectives, policies, and procedures.
• Assessment of contribution to the organization’s governance, risk management, and control processes.
• Evaluation of the effectiveness of continuous improvement activities and adoption of best practices.
• Whether the auditing activity adds value, improves operations, and helps the organization achieve its objectives.

It is the CAE’s responsibility to establish a structure for reporting results of periodic reviews that maintains appropriate credibility and objectivity. Typically, those individuals conducting ongoing and periodic reviews should report to the CAE while performing the reviews and should communicate their results directly to the CAE. If internal assessment results determine that there are areas for improvement, the improvements should be implemented by the CAE through the QAIP. For additional information about performing ongoing internal reviews, consult Implementation Guide 1311, “Internal Assessments.”
External Assessments

External assessments must also be conducted. Attribute Standard 1312, “External Assessments,” states that:

External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The chief audit executive must discuss with the board:
• The form and frequency of external assessment.
• The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest.
Interpretation of Standard 1312 tells us:
External assessments may be accomplished through a full external assessment, or a self-assessment with independent external validation. The external assessor must conclude as to conformance with the Code of Ethics and the Standards; the external assessment may also include operational or strategic comments. A qualified assessor or assessment team demonstrates competence in two areas: the professional practice of internal auditing and the external assessment process. Competence can be demonstrated through a mixture of experience and theoretical learning. Experience gained in organizations of similar size, complexity, sector or industry, and technical issues is more valuable than less relevant experience. In the case of an assessment team, not all members of the team need to have all the competencies; it is the team as a whole that is qualified. The chief audit executive uses professional judgment when assessing whether an assessor or assessment team demonstrates sufficient competence to be qualified. An independent assessor or assessment team means not having either an actual or a perceived conflict of interest and not being a part of, or under the control of, the organization to which the internal audit activity belongs. The chief audit executive should encourage board oversight in the external assessment to reduce perceived or potential conflicts of interest.
External quality assessment reviews may be performed by:
• A team that is totally independent of the organization being reviewed. Such teams are available from The IIA or from consulting organizations that know the requirements of the Standards for audit performance.
• A peer review team formed from members of one or more outside organizations. Note that a reciprocal arrangement (peer A assessing peer B and then peer B assessing peer A) would compromise independence, whereas a round-robin arrangement (A assessing B, B assessing C, and C assessing A) is acceptable.
• Self-assessment with independent validation (SAIV). This is an external quality assessment in which an independent, qualified reviewer or team validates the internal audit activity's own self-assessment. It might be used when the resources available for one of the above options are limited.

The required qualifications are the same for all three of these types of assessment teams. An external review team should also include members with information technology expertise, relevant industry experience, and expertise in other specialized disciplines (such as accounting, taxation, or environmental affairs), as necessary. Integrity and objectivity are critical considerations in the selection process. The CAE should involve senior management and the board in the selection of an external reviewer and obtain their approval.

Implementation Guide 1312 recommends that an external assessment's scope of coverage typically include three core components:
• The level of conformance with the Standards and the Code of Ethics. This may be evaluated via a review of the internal audit activity's charter, plans, policies, procedures, and practices. In some cases, the review may also include applicable legislative and regulatory requirements.
• The efficiency and effectiveness of the internal audit activity. This may be measured through an assessment of the internal audit activity's processes and infrastructure, including the QAIP, and an evaluation of the internal audit staff's knowledge, experience, and expertise.
• The extent to which the internal audit activity meets the expectations of the board, senior management, and operations management and adds value to the organization.

Additional information about external assessments is found in the Quality Assessment Manual and in Implementation Guide 1312.
Quality Measures Implementation Guide 1311 provides extensive guidance in establishing performance measures for reviews of audit activity. This guidance is recommended in conjunction with consideration of the Standards and other common measurement practices.
Although this guidance provides examples of several specific measurements considered to be critical, it is important to understand that there is no single set of measurements that is universally effective for all audit activities. Both quantitative metrics and qualitative assessments are important to demonstrate audit activity performance to key stakeholders. Exhibit IV-3 provides a point-in-time snapshot of performance measurements that were considered important to a limited number of CAEs. Exhibit IV-3: QAIP Performance Measurements
Source: Adapted from A Balanced Scorecard Framework for Internal Auditing Departments by Mark L. Frigo.
The IPPF Practice Guide "Measuring Internal Audit Effectiveness and Efficiency" describes a four-step process for establishing an effective performance measurement process.

• Step 1: Define internal audit effectiveness. This definition will be based on the Core Principles for the Professional Practice of Internal Auditing, the Definition of Internal Auditing, the Code of Ethics, the Standards, existing charters, agreed internal audit deliverables, and internal consensus on what constitutes an efficient and effective internal audit activity.
• Step 2: Identify key internal and external stakeholders. Internal stakeholders may include the board or audit committee, senior management, operations and support management, and internal auditors. External stakeholders may include regulators and standards-setting bodies, external auditors, third-party vendors, and customers. In-depth interviews and surveys can be conducted to develop a clearer understanding of the needs and expectations of each of these stakeholders.
• Step 3: Develop measures, or key performance indicators, of internal audit effectiveness and efficiency. Key performance indicators (KPIs) focus on accomplishments or behaviors that are valued by the organization. They are valid indicators of performance (i.e., they measure the right target) and are understandable to the internal audit staff who use them to guide and improve their performance. KPIs are valuable to the internal audit activity because they allow the CAE to detect shortcomings in the activity and plan remedial action. They also allow the CAE to demonstrate the value of internal auditing to customers, and they can be used to support requests for the resources needed to sustain the desired level of performance. Because of the close relationship between the internal audit activity's KPIs and the expectations of the board and senior management, the CAE should establish KPIs together with these stakeholders. In this way the CAE can ensure that the activity's KPIs focus on meaningful performance that is aligned with the organization's strategic goals.

Whether internal auditors are evaluating KPIs during an audit project or are looking at organization-wide KPIs, they need to answer two questions:
• Are these the right measures? (Do they cover all the objectives? Do they reflect changes in actual performance? Can users understand them? Are they timely?)
• Are they operating effectively? (Are the numbers accurate? Are the information sources reliable?)

Usually, KPIs measure outcomes (e.g., sales, production). Sometimes they measure process characteristics (e.g., timeliness, accuracy). KPIs may be quantitative (e.g., the percentage of planned audits that have been completed) or qualitative (e.g., internal customer satisfaction with audit performance). A balanced scorecard approach can be used to develop specific KPIs. A balanced scorecard examines performance from four different perspectives: financial needs, customer satisfaction, the business processes required to accomplish the activity's mission, and learning and growth to ensure continuous improvement. Exhibit IV-4 lists sample KPIs from these different perspectives.

Exhibit IV-4: Stakeholders/KPIs Alignment
• Step 4: Monitor and report results. The CAE must ensure that performance against agreed KPIs is monitored, considered as the basis for quality improvement, and reported at a frequency agreed to by the board and senior management (for example, quarterly) and in the manner desired by stakeholders (e.g., presentations, automated dashboard, emails).

Implementation Guide 1311 recommends the following ongoing assessment processes and tools:
• Engagement planning and supervision
• Checklists or automated tools and written procedures (e.g., auditing manual)
• Feedback from audit customers and other stakeholders
• Staff and engagement KPIs
• Selective peer reviews of workpapers by staff not involved in the affected audits
• Project budgets, timekeeping systems, audit schedules, projected cost recoveries (budget-to-actual variances)
• Periodic self-assessments

Occasionally, in-depth interviews and surveys should be conducted with stakeholders. The CAE should also consider periodically benchmarking the activity's KPIs against those of similar peer organizations.
Other Types of KPIs
Sometimes KPIs measure risk and are then referred to as key risk indicators, or KRIs (e.g., delinquency rates, the trend in error rates). KRIs are often used as leading indicators of risk: if a KRI trends dangerously upward or crosses a predefined threshold, management can identify and correct the root cause before actual damage occurs. In an internal audit context, a KRI might track audit risk (the risk of failing to detect a material audit observation) or the audit function's own error rates over time, such as the trend in error rates in cyclical audits.

Another kind of KPI has become necessary as organizations focus on what is usually called sustainability or corporate social responsibility (CSR). The basic concept is that organizations are not responsible for just short-term financial results; they are also responsible to the communities in which they operate and to the environment that sustains all humankind. As organizations implement formal sustainability programs and practices, they are developing related performance measures. Increasingly, organizations are reporting their CSR performance measures to external stakeholders. Internal auditors are starting to play a role in auditing sustainability programs and the design and reliability of the measures.
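The threshold-and-trend logic described above for KRIs, as an added example that is not part of the IIA text: a small monitor that flags an indicator either when it crosses a predefined threshold or, earlier, when its recent upward trend projected a few periods ahead would cross that threshold. The quarterly error-rate series, the 10% tolerance, the four-period window, and the three-period projection horizon are all constructed assumptions for illustration.

```python
"""Added example (not from the IIA text): monitoring a key risk indicator (KRI).

A KRI is useful as a leading indicator only if someone watches both its level
and its trend. This monitor raises an alert when the indicator crosses a
predefined threshold, and, earlier, when the slope over the most recent
observations, extended a few periods forward, would reach that threshold.

All numbers below (the error-rate series, the threshold, the window and the
projection horizon) are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Sequence


@dataclass
class KriAlert:
    period: int      # index of the observation that triggered the alert
    value: float     # KRI value at that period
    reason: str      # "threshold" (already breached) or "trend" (projected breach)


def slope(values: Sequence[float]) -> float:
    """Least-squares slope of `values` against their position (change per period)."""
    n = len(values)
    if n < 2:
        return 0.0
    mean_x = (n - 1) / 2
    mean_y = sum(values) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(values))
    den = sum((x - mean_x) ** 2 for x in range(n))
    return num / den


def evaluate_kri(series: Sequence[float], threshold: float,
                 window: int = 4, horizon: int = 3) -> List[KriAlert]:
    """Walk the series in order and return the alerts a monitor would have raised.

    - "threshold": the current value is at or above `threshold`.
    - "trend": the value is still below threshold, but the slope over the last
      `window` observations, extended `horizon` periods forward, reaches it.
    At most one alert is raised per period; a real breach takes precedence.
    """
    alerts: List[KriAlert] = []
    for i, value in enumerate(series):
        if value >= threshold:
            alerts.append(KriAlert(i, value, "threshold"))
            continue
        if i + 1 >= window:
            recent = series[i + 1 - window: i + 1]
            s = slope(recent)
            if s > 0 and value + s * horizon >= threshold:
                alerts.append(KriAlert(i, value, "trend"))
    return alerts


# Constructed sample: share of sampled workpapers with a review finding, per
# quarter, for one cyclical audit area. The assumed tolerance is 10%.
ERROR_RATES = [0.02, 0.02, 0.03, 0.03, 0.045, 0.06, 0.07, 0.10]
TOLERANCE = 0.10


def sample_alerts() -> List[KriAlert]:
    """Alerts for the constructed series with the default window and horizon."""
    return evaluate_kri(ERROR_RATES, TOLERANCE)


if __name__ == "__main__":
    for a in sample_alerts():
        print(f"period {a.period}: {a.reason} alert at {a.value:.3f}")
```

Run as a script, it reports a trend alert at period 6, one quarter before the threshold alert at period 7. That gap is the point of a KRI: the trend alert is the leading signal that gives management time to act, while the threshold alert only confirms that the tolerance has been reached. The window and horizon are tuning knobs; a shorter horizon reduces false alarms at the cost of less warning.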
Topic B: QAIP Reporting Requirements (Level B) In order to perform its assurance role in the areas of governance, risk management, and operational effectiveness and efficiency, the internal audit activity must assure its own efficiency and effectiveness and report its performance to senior management and the board at agreed intervals. The Standards and various Implementation Guides identify specific reporting requirements for both internal and external assessments. For internal assessments, the CAE may share the results, necessary action plans, and their successful implementation with stakeholders such as senior management and the board. For external assessments, the preliminary results of the review should be discussed with the CAE during and at the conclusion of the assessment process. Final results should be communicated in a formal report to the CAE or other official who authorized the review for the organization, preferably with copies sent directly to appropriate members of senior management and the board.
Assessment Reports As specified in Performance Standard 2060, “Reporting to Senior Management and the Board”: The chief audit executive must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan and on its conformance with the Code of Ethics and the Standards. Reporting must also include significant risk and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management and/or the board.
Interpretation states that the reporting responsibility is demonstrated through the QAIP.
Standard 1320 and its interpretation indicate that communication to senior management and the board regarding the results of the QAIP should include:
• The scope and frequency of both internal and external assessments.
• The qualifications and independence of the assessor(s) or assessment team.
• The conclusions of the assessors.
• Any corrective action plans created from the assessments to address areas that are not in conformance with the Standards, along with opportunities for improvement.

The IIA Quality Assessment Manual provides specific guidelines for internal assessment reporting and follow-up, including the following:
• To reinforce the independence and objectivity of the assessment team, the team and the CAE should agree on the reporting medium and format at the beginning of the assessment.
• The CAE should document in writing a response/action plan and implementation timetable for each recommendation in the final written report.
• Copies of final reports sent outside the internal audit activity should include a copy of the internal audit activity's response and implementation plan.

External assessment reporting involves a systematic process of conferences, a report draft, and a final formal report. The formal report should:
• Contain an opinion on the internal audit activity's conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards, based on a structured rating process.
• Assess and evaluate best practice usage, both practices observed during the assessment and others potentially applicable to the activity.
• Provide appropriate recommendations from the external assessor and management action plans to improve internal audit quality, efficiency, and effectiveness, which may provide new ideas or ways for the internal audit activity to better serve the organization's stakeholders and add value.

In most organizations, the external assessment reporting process typically unfolds in the following manner:
• External assessment results are reported to senior management and the audit committee and documented in the report.
• The lead person from the external assessment team may be asked to make presentations to executive management and the audit committee to ensure an understanding of the identified opportunities for an enhanced internal audit activity.
• The CAE's planned actions to improve the internal audit activity are included in the report.
• The CAE reports to the audit committee on progress in enhancing the internal audit activity.

The board is required to receive a copy of the external quality assessment report. It is the CAE's responsibility to respond to the recommendations and provide an action plan for remediation.
Topic C: Conformance/Nonconformance (Level B)
Both internal and external assessments of the internal audit activity are performed to evaluate and express an opinion on the activity's conformance with the International Professional Practices Framework and The IIA's Code of Ethics. Conformance means that the practices of the internal audit activity, taken as a whole, satisfy the requirements of the Definition of Internal Auditing, the Code of Ethics, and the Standards. Nonconformance means that the impact and severity of the deficiencies in the activity's practices are so significant that they impair its ability to discharge its responsibilities.
Conformance to the Standards According to The IIA’s Quality Assessment Manual, the most important aspect of an assessment is the evaluation of the internal audit activity’s conformance with the Standards and its charter along with the extent of its use of current best practices and its program of continuous improvement. These evaluations should also include recommendations to enhance conformance to the Standards. Results of QAIP assessments, which indicate the internal audit activity’s level of conformance, must be communicated to the board, as required by Standard 1320. Interpretation of Standard 1320 states: To demonstrate conformance with the Code of Ethics and the Standards, the results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually. The results include the assessor’s or assessment team’s evaluation with respect to the degree of conformance.
Implementation Guide 1320 also clarifies that the report on the independent assessment may include, if relevant to the overall opinion or conclusion, an assessment of the degree of conformance for each standard as well as the impact of the results.

Interpretation of Standard 1321 tells us:
The internal audit activity conforms with the Code of Ethics and the Standards when it achieves the outcomes described therein. The results of the quality assurance and improvement program include the results of both internal and external assessments. All internal audit activities will have the results of internal assessments. Internal audit activities in existence for at least five years will also have the results of external assessments.
Use of the Conformance Statement
Internal auditors may assert that the internal audit activity conforms with the Standards only if the results of the QAIP, including both internal and external assessment results, support such a statement. External assessment reports often include a rating scale that may be used to show the degree of conformance for each standard and/or standard series:
• "Generally conforms." This is the top rating, meaning that the internal audit activity has a charter, policies, and processes and that the execution and results of these are judged to be in conformance with the Standards.
• "Partially conforms." Deficiencies in practice are judged to deviate from the Standards, but these deficiencies do not preclude the internal audit activity from performing its responsibilities.
• "Does not conform." Deficiencies in practice are judged to be so significant that they seriously impair or preclude the internal audit activity from performing adequately in all or in significant areas of its responsibilities.

The use of a conformance statement requires an external assessment at least once during each five-year period, along with ongoing monitoring and periodic internal assessments that have concluded that the internal audit activity is in conformance. Per the interpretation of Standard 1321, a documented periodic self-assessment that supports a conclusion of conformance will suffice for internal audit activities that have been in existence for fewer than five years.

Smaller internal audit activities (such as those with five or fewer people) might break internal assessments into manageable portions per year, such as assessing conformance with the Code of Ethics in one year, the Attribute Standards the next year, and part of the Performance Standards in each of the next two years, and then having the external assessment in the fifth year. Such an arrangement, plus ongoing monitoring, would fulfill the objectives of continuously improving the audit activity and adding value to the organization without placing an undue burden on a small staff.

According to Standard 1322, "Disclosure of Nonconformance":
When nonconformance with the Code of Ethics or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the nonconformance and the impact to senior management and the board.
Any instances of nonconformance that have been disclosed by a quality assessment that impair the internal audit activity’s ability to discharge its responsibilities should be adequately remedied, and remedial actions should be appropriately documented and reported to the relevant assessor(s), senior management, and the board.
Next Steps You have completed Part 1, Section IV, of The IIA’s CIA Learning System®. Next, check your understanding by completing the online section-specific test(s) to help you identify any content that needs additional study. Once you have completed the section-specific test(s), a best practice is to reread content in areas you feel you need to understand better. Then you should advance to studying Section V. You may want to return to earlier section-specific tests periodically as you progress through your studies; this practice will help you absorb the content more effectively than taking a single test multiple times in a row.
Section V: Governance, Risk Management, and Control
This section is designed to help you:
• Demonstrate proficiency with corporate/organizational governance principles.
• Explain the internal audit activity's required assessment role in governance.
• Explain how the internal audit activity can promote appropriate values in the organization.
• Recognize the impact of organizational culture on the overall control environment and individual engagement risks and controls.
• Explain the internal auditor's role in monitoring ethics compliance and organizational codes of conduct.
• Describe environmental and social safeguards an organization may support by policy, such as sustainability/green initiatives, environmental regulation compliance, privacy, and equitable and compliant human resources policies.
• Recognize how the internal audit activity can support appropriate privacy policies and practices.
• Define and describe corporate social responsibility.
• Assess organizational governance when auditing an organization's corporate social responsibility policies and actions.
• Learn risk and control terminology.
• Understand risk management frameworks, elements, and concepts.
• Examine the objectives, components, roles, and responsibilities of the COSO enterprise risk management (ERM) framework.
• Compare the COSO risk management approach with ISO 31000, "Risk Management," and the Turnbull guidance.
• Identify and assess risks in terms of impact and likelihood.
• Explain how the internal audit activity supports management in risk identification and assessment.
• Differentiate among risk management techniques such as avoidance, reduction, sharing, and acceptance.
• Define and describe control and different types of controls.
• Evaluate the design of controls.
• Explain various management control techniques.
• Describe The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control—Integrated Framework.
• Describe alternative internal control frameworks used internationally such as the Cadbury model, the Criteria of Control (CoCo) model, the King Report, and the COBIT model.
• Examine the effectiveness and efficiency of internal controls.
The Certified Internal Auditor (CIA) exam questions based on content from this section make up approximately 35% of the total number of questions for Part 1. Some topics are covered at the “B—Basic” level, meaning that you are responsible for comprehension and recall of information. (Note that this refers to the difficulty level of questions you may see on the exam; the content in these areas may still be complex.) Other topics are covered at the “P—Proficient” level, meaning that you are responsible not only for comprehension and recall of information but also for higher-level mastery of the content, including application, analysis, synthesis, and evaluation.
Section Introduction The nature of internal auditing work has evolved well beyond the traditional areas of internal control assurance and compliance to include risk management and governance. Performance Standard 2100, “Nature of Work,” succinctly describes the broadened scope: The internal audit activity must evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes using a systematic, disciplined, and risk-based approach. Internal audit credibility and value are enhanced when auditors are proactive and their evaluations offer new insights and consider future impact.
Of the three functional areas, governance is the hardest to grasp, because it is intangible and because practicing it well is challenging. Topics A through D in this section focus on governance and business ethics and on the actions by boards of directors and/or senior management that set an overall tone for the organization from the top down. The intent is to promote appropriate values within the organization and ensure that these values are not only enforced by effective controls but also reinforced by the "tone at the top," the organizational culture, and policies and procedures. Proper governance and consistent business ethics have become a business imperative in a global economy. Good corporate citizenship improves the organization's environmental and social impact, reduces the risk of litigation or noncompliance citations, and protects the reputation on which the organization's financial sustainability depends.

The internal audit activity's knowledge of and involvement with risk management varies across industries and organizations. Financial services entities, for example, have a reasonable level of maturity in dealing with risk management. But many other types of organizations are relatively new to this discipline. Topic E provides a basic introduction to risk vocabulary, elements, and management. Topic F describes globally accepted risk management frameworks commonly used in organizations. The foundations introduced here are applied to the development of risk-based internal audit plans, as discussed in Topics G and H.

Internal auditors have experience with controls. The last three topics in this section address internal control. Topic I defines types of controls, Topic J explores various internal control frameworks, and Topic K discusses the effectiveness of internal controls.

These three areas of internal auditing work are closely interconnected. In Implementing the Professional Practices Framework, second edition, authors Urton Anderson and Andrew J. Dahle point out that evaluating and improving one area typically improves the other two at the same time. Several Standards and related Practice Advisories further elucidate the expanded scope of internal audit work and the nature of governance, risk management, and internal control. We will examine these Standards and The IIA guidance in subsequent content.
Note that Topics F and J introduce two different frameworks developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Since risk management is discussed before internal control, Enterprise Risk Management—Integrating with Strategy and Performance (June 2017) is the first framework that will be introduced, and the Internal Control—Integrated Framework (May 2013) is discussed later in the section. While the topics will delve into the details, Exhibit V-1 shows some highlights of these frameworks to help distinguish one from the other.

Exhibit V-1: COSO ERM—Integrating with Strategy and Performance versus COSO Internal Control—Integrated Framework

COSO ERM—Integrating with Strategy and Performance
A focused framework intended to ensure that enterprise risk management (ERM) is used in strategic planning and is embedded throughout the organization. Risk is relevant to strategy selection because a strategy may otherwise not align with the organization's mission, vision, and core values. The chosen strategy will have implications such as trade-offs and a profile of risks that relate to achieving objectives and whether enhanced performance can be achieved.
The framework consists of 20 principles that are subdivided into five component areas:
• Governance and culture
• Strategy and objective setting
• Performance
• Review and revision
• Information, communication, and reporting

COSO Internal Control—Integrated Framework
A framework to help a board of directors, management, and staff design and implement an effective system of internal control: a system that can provide reasonable assurance regarding achievement of operations, reporting, and compliance objectives. The framework is a principles-based, dynamic, and integrated process. It allows for judgment, is adaptable to different entity sizes and types, and promotes considering how components interact with one another. It also helps identify and analyze risks to these objectives and includes anti-fraud measures.
The framework has three categories of objectives:
• Operations objectives
• Reporting objectives
• Compliance objectives
Internal control has five integrated components:
• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring activities
These objectives and integrated components will later be shown as a cube, with various organizational levels (from entity level down to functional area level) to indicate their multidimensional interrelationship. The framework has 17 principles that are subdivided among the five integrated components.
Note that COSO intends these two frameworks to be complementary. Neither supersedes the other, and they avoid redundant content.
Topic A: Organizational Governance (Level B)
We learned earlier that governance is the "combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives." There are numerous other definitions and descriptions that provide insights into governance. They collectively reinforce that effective governance:
• Starts at the top with the board of directors and cascades throughout the organization to all employees.
• Involves critical relationships among the board, senior management, and shareholders.
• Encompasses organizational structure as well as the related legal and regulatory environment.
• Balances economic and social goals.
• Extends to all organizational stakeholders, including but not necessarily limited to customers, suppliers, partners, creditors, and the general community.
Related Standards and Implementation Guides
Internal auditors must understand governance roles, responsibilities, structures, processes, risks, and objectives to effectively carry out The IIA's Standards. The Standards and guidance related to the activity's role in governance are listed in Exhibit V-2.

Exhibit V-2: Internal Audit Governance-Related Standards and Related Recommended Guidance

Standard: Performance Standard 2110, "Governance"
The internal audit activity must assess and make appropriate recommendations to improve the organization's governance processes for:
• Making strategic and operational decisions.
• Overseeing risk management and control.
• Promoting appropriate ethics and values within the organization.
• Ensuring effective organizational performance management and accountability.
• Communicating risk and control information to appropriate areas of the organization.
• Coordinating the activities of, and communicating information among, the board, external and internal auditors, other assurance providers, and management.
Related guidance:
• Implementation Guide 2110, "Governance"
• Practice Guide, "Auditing Executive Compensation and Benefits"
• Practice Guide, "Evaluating Corporate Social Responsibility/Sustainable Development"
• Practice Guide, "Management of IT Auditing" (previously GTAG 4)
• Practice Guide, "Information Security Governance" (previously GTAG 15)

Standard: Standard 2110.A1
The internal audit activity must evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.
Related guidance: Implementation Guide 2110, "Governance"

Standard: Standard 2110.A2
The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization's strategies and objectives.
Related guidance: Implementation Guide 2110, "Governance"
Governance Initiatives and Activities
Governance (often referred to as organizational governance or corporate governance) has assumed increasing importance for all organizations worldwide. By its nature, governance is a complex activity. As shown in Exhibit V-3, many organizational initiatives overlap. The center of the diagram illustrates those aspects of an organization that are common across many, if not all, initiatives and activities.
Exhibit V-3: Overlap of Common Organizational Initiatives in Governance
Source: “Assessing Organizational Governance in the Private Sector” (IPPF Practice Guide), The Institute of Internal Auditors, 2012.
These particular activities and initiatives interact with governance in the following ways:
• Compliance with legal or regulatory requirements. Responses to various requirements imposed by stock exchanges, industry regulators, legislative bodies, and the like typically involve implementing certain structures and processes to ensure compliance. Often, these responses define the key elements of an organization’s governance structure (e.g., composition of the board and the role of internal and external auditors).
• Internal control assessment and reporting. Internal controls help to ensure that management strategies and directions are carried out. Many organizations use established control frameworks (such as COSO, CoCo, Cadbury, Turnbull, or COBIT). Elements of these frameworks clearly overlap with elements of governance.
• Enterprise risk management (ERM). Adequate understanding and assessment of organizational risks and the effective implementation and functioning of appropriate risk mitigation strategies (such as COSO, ISO 31000:2018 [from the International Organization for Standardization], and Turnbull) are key elements of governance processes. A crucial governance aspect of ERM is setting and monitoring risk appetite, which consists of both the ability of the organization to take on risk (e.g., strength of financial position and cash reserves) and willingness to take risks in specific areas. To be effective, this risk appetite should be not only a set of policies for each risk area but also a set of key performance indicators that can measure and balance willingness to take a risk against ability to absorb the risk.
• Quality initiatives. The methods that various quality initiatives (such as ISO 9001 certification, the European Foundation for Quality Management award, Six Sigma, and the Baldrige award) use to measure organizational effectiveness overlap with many structural elements of governance.
• Transparency and disclosure. Organizations are commonly reporting more than financial results. Social responsibility, environmental stewardship, management practices, employee relations, and other social issues are becoming commonplace. The transparency of such financial and nonfinancial disclosures to stakeholders is a key element of governance.
• Governance structure and processes. Unique aspects of organizational governance (such as management structure, organizational oversight, or disciplinary actions taken by the board or management against those who violate organizational values) and other senior management and board processes will overlap with other activities and initiatives. Oversight is of particular importance to proper governance. It is critical that even the highest level of executive management have effective checks and balances.
This is not a definitive list of initiatives and activities that support governance. Governance reflects an organization’s policies, processes, and structures. Thus, every organization will be unique and will face its own challenges. Note also that ISO is an international confederation of national standards-setting bodies from multiple countries, such as the National Institute of Standards and Technology (NIST) in the U.S. ISO uses member consensus to generate voluntary standards that are widely accepted as international standards. Some standards have an associated organizational certification available that requires assertion by an independent third party. (ISO does not directly provide assurance.)
Corporate Governance Principles
It has been written that corporate governance is like motherhood. No one can argue against it, because governance codes and policies help to ensure integrity, openness, and accountability. Exhibit V-4 lists several specific principles typically used in describing effective governance.
Exhibit V-4: Effective Governance Principles
1. Ensure a properly organized and functioning board that has the right number of members; an appropriate board committee structure; established meeting protocols; sound, independent judgment about affairs of the organization; and periodically reaffirmed membership.
2. Make sure board members possess appropriate qualifications and experience, with a clear understanding of their role in the governance activities, a sound knowledge of the organization’s operations, and an independent/objective mindset.
3. Assure that the board has sufficient authority, funding, and resources to conduct independent inquiries.
4. Maintain an understanding by executive management and the board of the organization’s operating structure, including structures that impede transparency.
5. Articulate an organizational strategy (including mission, vision, objectives, goals, and plans) against which the success of the overall enterprise and the contribution of individuals are measured.
6. Create an organizational structure that supports the enterprise in achieving its strategy.
7. Establish a governing policy for the operation of key activities of the organization.
8. Set and enforce clear lines of responsibility and accountability throughout the organization.
9. Ensure effective interaction among the board, management, external and internal auditors, and any other assurance providers.
10. Ensure appropriate oversight of and by management, including establishment and maintenance of a strong set of internal controls.
11. Make sure that compensation policies and practices, especially related to senior management, are consistent with the organization’s ethical values, objectives, strategy, and control environment and encourage appropriate behavior.
12. Throughout the organization, communicate and reinforce an ethical culture, organizational values, and an appropriate “tone at the top,” which include an environment that allows employees to raise concerns without fear of retaliation and in which potential conflicts of interest are monitored and investigated.
13. Effectively use internal auditors, ensuring the adequacy of their independence, resources, scope of activities, and effectiveness of operations.
14. Clearly define and implement risk management policies, processes, and accountabilities at the board level and throughout the organization.
15. Effectively use external auditors, ensuring their independence, adequate resources, and scope of activities.
16. Provide appropriate disclosure of key information, in a transparent manner, to stakeholders.
17. Provide disclosure of the organization’s governance processes, comparing those processes with recognized national codes or best practices.
18. Ensure proper oversight of related-party transactions and conflict-of-interest situations.
Source: “Assessing Organizational Governance in the Private Sector” (IPPF Practice Guide), The Institute of Internal Auditors, 2012.
There are other best practices and principles of effective governance than those shown here. The fact is, there is no single model of effective governance.
Roles and Responsibilities
An organization’s governing body (the board, trustees, or managing board) and its senior management are accountable for effective governance. But, in the end, effective governance is the result of robust synergies among the board, management, internal auditors, and external auditors. Exhibit V-5 reviews the key responsibilities and activities for each of the parties.
Exhibit V-5: Key Organizational Governance Roles, Responsibilities, and Activities

Board
• Bears the primary responsibility for governance and serves as the focal point for all governance activities.
• Establishes, implements, and monitors organization-wide ethics, business practice, and compliance policies and standards.
• Oversees the CEO and senior management, typically delegating significant authority for day-to-day operations to them.
• Directs and provides oversight to the CEO and senior management in setting strategic objectives, establishing risk appetite, establishing effective control systems, monitoring performance, and providing transparent and timely stakeholder communications.

Chief executive officer (CEO)
• Sets the “tone at the top” and “walks the walk.”
• Bears ultimate responsibility for implementing the organization’s governance system.
• Acts as the leader and primary member of senior management (i.e., also has the duties listed for senior management below).

Senior management
• Sets strategic direction (under the oversight of the board) and establishes an entity’s value system.
• Provides assurance that risks are managed as part of a risk management process, operations are monitored, results are measured, and corrective actions are implemented in a timely manner.

Operations management
• Deploys strategy, enforces internal control, and provides direct supervision for areas under its control.
• Is accountable to senior management, and ultimately to the board, for implementing and monitoring the risk management process and establishing effective and appropriate internal control systems.

Internal auditors
• Perform independent and objective assessments to provide assurance that governance, risk management, and internal control (GRC) structures and processes are designed properly and are operating effectively.
• Identify and offer recommendations for GRC structures and processes.
• Coordinate their work with that of external auditors to minimize gaps in coverage, maximize efficiencies, and avoid duplication of efforts.

External auditors
• Provide independent assurance on financial statement preparation and reporting activities, in accordance with applicable regulations and accounting principles.
• Coordinate their work with that of internal auditors to minimize gaps in coverage, maximize efficiencies, and avoid duplication of efforts.

Source: “Assessing Organizational Governance in the Private Sector” (IPPF Practice Guide), The Institute of Internal Auditors, 2012.
Each of these parties has separate and distinct roles in governance. Collective efforts facilitate effective governance. However, if role boundaries are not respected, effective governance is diminished. Internal auditing should provide reasonable assurance that management’s governance process “is effective by establishing and preserving values, setting goals, monitoring activities and performance, and defining the measures of accountability.” We will consider what internal auditors must understand to provide such assurance. As we will see, the internal audit activity has a major role in ensuring success.
Internal Audit’s Required Role
Once the internal audit activity secures approval of its charter, internal auditors have the authority to plan and perform a variety of engagements. These audit engagements and related activities provide assurance to management that GRC structures and processes are properly designed and operating effectively. The internal audit activity also identifies any deficiencies and advises management on potential improvements.
Factors Influencing Governance and Internal Audit’s Role
The maturity level of the organization’s governance processes and structure and the organizational role and qualifications of internal auditors all influence the capacity in which auditing serves. When less maturity prevails, the internal audit function tends to focus more on:
• Performing discrete audits.
• Providing advice regarding optimal structure and practices.
• Comparing the current governance structure and practices against regulations and other compliance requirements.
An organization that has more structured and mature governance practices allows internal auditors to focus on:
• Evaluating the efficiency and effectiveness of company-wide governance components and whether they work together as expected.
• Analyzing the transparency and disclosure (reporting) practices among parts of the governance structure.
• Comparing governance best practices.
• Identifying compliance with applicable regulations and governance codes.
A governance maturity model is an assessment tool that can help in evaluating an organization’s governance practices. We do not provide an example of such a model here because the governance attributes and criteria will vary depending on the organization’s context. To develop an organization-specific maturity model, the CAE should review any available models for the organization’s country and industry and take into consideration the governance documents and issues specific to the organization.
Internal auditors are agents of management and the board and provide independent objective assessments of the appropriateness of the organization’s governance structure and the operating effectiveness of specific governance activities. Although internal auditors do not directly evaluate management decisions, they can serve as catalysts for change and advise or advocate for improvements to decision-making processes and enhance the organization’s governance structure and practices.
Internal Audit’s Value Factor
Corporate values are generally defined as an organization’s standards of behavior. Value statements (often referred to as the corporate credo) put into words the organization’s essential and enduring tenets. They are a set of general guiding principles that are not to be compromised for financial gain or short-term expediency. Organizations worldwide have adopted formal statements of corporate values. Senior executives articulate a set of core values and attempt to embed them in management practices. The expectation is that these values will promote and reinforce behaviors that benefit the organization as well as communities inside and outside the entity. Value preferences often include statements about ethical behavior, honesty, integrity, and other social concerns. The statement “People should be treated with honesty, respect, and dignity” is representative of a value statement.
Strong corporate values are an effective element of the control system and are considered key directive controls that promote and affirm the highest values, conduct, and behavior to be expected of employees, management, boards of directors, and other stakeholders. Clearly stated, communicated, and affirmed core values can play a vital and complementary role in supporting an organization’s code of conduct/ethics. According to Implementing the International Professional Practices Framework, “If they permeate the organization to the point that they are internalized by workers and are inherently considered in all business processes, corporate values essentially become the guiding force behind all decisions and activities.”
The language of the Standards makes it clear that internal auditors are to promote appropriate ethics and values within the organization. This is accomplished through various assurance and consulting activities.
Internal Audit Assurance Activities
Standard 2110 specifies that the internal audit activity incorporate the organization’s values into its audit work. Corporate values are not typically assessed during routine risk and control evaluations. Instead, self-assessment methods and appropriate audit programs are generally used to measure the comprehension and preservation of corporate values.
• Self-assessment methods. Practitioners use self-assessment exercises, surveys, and questionnaires to evaluate:
• How well employees understand organizational values.
• How well individual goals and objectives are aligned to corporate values.
• Whether employees feel they uphold those values in their jobs or if work requirements compel them to compromise them.
• Whether they perceive others (e.g., senior managers, operational managers, and other employees) as exemplifying those values.
An important part of administering self-assessments is to ensure that a representative sample of employees (beyond the board and senior managers) is used to determine if the “tone at the top” and the espoused values are more than words and platitudes. The self-assessment needs to identify if the values are actively practiced. An emerging practice is the use of self-assessment methods to determine how well the organization’s values are reflected in the practices of joint venture, alliance, and outsourcing partners as well as in potential mergers and acquisitions. The internal audit activity can help with the inclusion of appropriate language about core values in contracts and agreements and can perform audits of vendor/partner compliance.
• Audit programs. Implementing the International Professional Practices Framework describes how some organizations create audit programs to ensure that values are understood and upheld. For example, a core value might state, “We respect all individuals and we will seek, value, and promote diversity internally and externally.” To assess this value, the audit program might focus on human resources practices and relevant behavior in the organization and employee attitudes toward customers. Or, in another scenario, when an internal ethics function exists, the internal auditor could specifically review the program and assess whether it provides effective control mechanisms.
Internal Audit Consulting Activities
Internal auditors are prohibited from accepting any consulting assignment that does not support the organization’s values. Implementation Standard 2210.C2 specifies that: “Consulting engagement objectives must be consistent with the organization’s values, strategies, and objectives.” The point of the internal audit’s activities is to ensure that organizational values are not just words. The internal audit activity can help to determine if the values are:
• Clearly communicated.
• Understood by employees and other stakeholders.
• Integrated in normal activities and communications as well as critical decisions.
• Practiced from the top down.
• Supported and reinforced by organizational systems and structures.
Further Information
More information on organizational governance is available through the following resources.
The Institute of Internal Auditors
• Corporate Governance and the Board—What Works Best. Altamonte Springs, Florida: The Institute of Internal Auditors, 2000.
• Audit Committee Effectiveness—What Works Best, third edition. Altamonte Springs, Florida: The Institute of Internal Auditors, 2005.
Government and stock exchange guidance/regulations
• “Revised Guidance for Directors on the Combined Code.” Financial Reporting Council, www.ecgi.org/codes/documents/frc_ic.pdf.
• “Corporate Governance Principles and Recommendations with 2010 Amendments.” ASX Corporate Governance Council, www.asxgroup.com.au/media/PDFs/cg_principles_recommendations_with_2010_amen
• “The Laws That Govern the Securities Industry—Sarbanes-Oxley Act of 2002.” Securities and Exchange Commission, www.sec.gov/answers/about-lawsshtml.html#sox2002.
• “Corporate Governance: A Practical Guide.” London Stock Exchange, www.ecgi.org/codes/documents/rsmi_lse_guide2004.pdf.
Topic B: The Impact of Organizational Culture on the Overall Control Environment and Individual Engagement Risks and Controls (Level B)
Organizational culture can be defined as the values that influence everyday behavior in an organization. It is not an organization’s desired values, but the actual values that staff live by in the workplace. Culture is the set of assumptions and norms that determine how things are done and what shapes behaviors across the organization. It is not a set of prescribed standards, regulations, or practices that apply equally to every organization. Culture is a unique component for every organization; what works for one company may not work in another. An organization’s culture is reflective of the ethical climate, atmosphere, standards, and core values underlying all behavioral aspects and activities of the organization.
The Impact of Culture on the Control Environment
Much can be learned about an organization’s culture by examining its attitude toward governance, its relationships with customers, what is important to the organization, how it treats employees, how it reacts to negative events, and how it behaves toward its competitors and in its community. Examining culture could be a part of every engagement, as it helps to proactively manage risk and serve as a critical early warning function. Without an ethical and compliant culture, organizations put themselves at undue risk.
The Control Environment
The Standards Glossary defines the control environment as:
The attitude and actions of the board and management regarding the importance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements:
• Integrity and ethical values
• Management’s philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Human resource policies and practices
• Competence of personnel
The control environment is influenced by management style and how leadership fulfills its oversight duty. As it focuses on integrity, ethical values, and competence in daily business activities, it is often associated with organizational culture. The control environment provides the background against which the various other controls are operated. It is communicated by leadership and encompasses the ethics, values, and beliefs that are incorporated into the work environment to achieve the organization’s business objectives.
• Leadership. Organizational culture is defined by the board and senior management. They set the “tone at the top” and are the starting point for setting the organization’s core values and expectations, and their behavior must reflect the values being espoused. They communicate the mission, vision, and strategy that provide direction for all in the organization. Is the organization focused on financial gain, customer satisfaction, and/or rapid expansion? The answer could impact the type of training staff receive, the expectations for staff capabilities, demands on employees, the way they offer service, and how progress is rewarded. It can also influence the delegation of power and lines of authority. Tone at the top is not just about what is said; it is about actions or lack of actions. How leaders conduct themselves will significantly impact organizational behavior and culture. Lack of clear direction, frequent changes, and arbitrary decisions contribute to negativity in the organizational culture. This can result in various departments having different work cultures and working in a counterproductive manner, and this directly impacts the efficiency and effectiveness of business operations. Clarity, alignment, and integration are vital, both from the top down and across the organization.
• Ethics. Business ethics goes beyond legal and compliance requirements. It shows whether the organization is conducted on values of integrity, honesty, and fairness. If the culture of the organization does not support principled performance, then the people, processes, and technologies that are put in place to mitigate ethics and compliance risks are unlikely to be effective. A clearly defined and implemented code of conduct can improve the organizational culture; a lack of a code of conduct may contribute to a negative organizational culture. The ethical, principles-based, and centered organization recognizes and consistently affirms that the “means” mean everything. In other words, how the organization conducts itself to achieve its objectives and goals is as important as achieving those objectives and goals themselves.
• Values and beliefs. The behavior and competence shown by employees in day-to-day operations reflects the organizational culture. Values and beliefs form the foundation of the control environment. Unhealthy values and beliefs are a red flag for unhealthy and corrupt business practices.
These aspects of the control environment clearly indicate how culture is a key contributor to organizational performance, both positive and negative. Internal audit reports might address a deficiency in one or more of the five principles of a control environment (i.e., the COSO frameworks), for example, if the board of directors is failing to properly oversee the development and performance of internal control or if individuals are not consistently being held accountable for their internal control responsibilities in pursuit of objectives. Recommendations should be given to improve and build a healthy organizational culture. An organization’s risk appetite, philosophy, and exposures can be determined in part by analyzing the organizational culture. Is the culture risk-averse, risk-neutral, or risk-aggressive (or somewhere in between on a spectrum)?
Culture and Governance
What constitutes good corporate governance varies depending on the circumstances of the organization. An organization uses various legal forms, structures, strategies, and procedures to ensure that it:
• Complies with society’s (and specific industry’s) legal and regulatory rules.
• Satisfies the generally accepted business norms, ethical precepts, and social expectations of society.
• Provides overall benefit to society and enhances the interests of the specific stakeholders in both the long and short term.
• Promotes full and truthful reporting transparency to its owners, regulators, other stakeholders, and the general public to ensure accountability for its decisions, actions, conduct, and performance.
The way in which an organization chooses to conduct its affairs to meet these four responsibilities is commonly referred to as its governance process. As an organization changes, governance practices must evolve to meet those circumstances. An organization’s governance practices reflect a unique and ever-changing culture that affects roles, specifies behavior, sets goals and strategies, measures performance, and defines the terms of accountability. The culture impacts the values, roles, and behavior that will be articulated and tolerated by the organization and determines how sensitive, thoughtful, or indifferent the enterprise is in meeting its responsibilities to society. Thus, how effective the overall governance process is in performing its expected function largely depends on the organization’s culture.
The Impact of Culture on Individual Engagement Risks and Controls
It is important for internal auditors to incorporate consideration of culture in audit engagements from the earliest stages of audit planning to the consideration of specific risks and controls on an assurance or consulting engagement. Culture can include the level of autonomy given to staff, how people interact with one another at the same and other hierarchical levels, how explicit the rules and expected behaviors are, and what reward systems exist. These factors can influence individual engagements in many ways, from who an internal auditor needs to talk to (or submit a form to) to get access to a given record or computer system, to who needs to be interviewed to get a well-rounded perspective on an area (e.g., both sales professionals and regulatory compliance professionals related to new sales).
A risk-based audit program should be developed keeping the organizational culture in mind. When internal auditors develop an annual audit plan, they consider what functional areas or business processes can be audited, called the risk universe. The organization’s culture can impact how the internal audit activity may want to organize the risk universe to ensure that engagements are value-added and critical risk areas are given sufficient attention. If the culture reinforces formal functional area authority, then a best practice is to define the risk universe by these functional areas. In this way, audits will be easier to comprehend and accept. If the culture is more collegial and people work more toward the objectives of cross-functional business processes, then the audit universe is best defined by business processes. Since any organizational culture will have its strengths and weaknesses, considering the weaknesses of a given culture when defining the audit universe is also important, such as looking for risks that occur in the interface between two functional areas (for our first example) or looking for unclear definitions of accountability (for our second example). Audits that involve multiple functional areas due to a business process focus may also need to find ways to compartmentalize report results so that one area’s weaknesses are not published to every other functional area manager participating in the given process.
When it comes to individual audit engagements, culture can impact the quality of risk assessments performed as part of enterprise risk management and used as an input to audit planning. For example, cultures that emphasize a formal and consistent risk assessment methodology will be good at identifying quantitative risks and being thorough at identifying risks, but they may miss some qualitative or emerging risks. If the process is less formalized and much of it involves interviews with management and process owners, the risks that are these people’s primary concerns will be captured, and often this does include qualitative or emerging risks, but the result may lack completeness and could suffer from some forms of bias. For example, a manager’s minor issues might get more weight than they deserve, or a manager’s sense of optimism may minimize certain risks. Internal auditors can work with the risk information inputs the organization provides to ensure that any weaknesses in these management risk assessments are covered by their own risk assessment work. This might mean creating a few new risk categories or modifying the impact of risks based on how they trace back to key business objectives.
Organizational culture impacts how controls are developed and whether and how issues are reported or enforced. Establishment of policies and procedures related to control activities might be sparing or extensive, informal or formal. Internal audit’s role in either case is to evaluate whether these policies effectively contribute to the mitigation of key risks and achievement of objectives.
In cultures with few policies and procedures or less formality, influencing management to put critical new policies and procedures into place (and/or formalizing them in writing) may be more of a challenge than in ones that are more bureaucratic. In organizations with many formal policies and procedures, the challenge may relate more to ensuring that critical policies and procedures are promoted and communicated as such.
A culture can impact information and communication and monitoring activities related to internal controls. Some cultures may be better than others at ensuring that the objectives and responsibilities for internal control are internally communicated to the right persons, for example. Other cultures may downplay or avoid discussions related to negative information, and internal auditors may need to make recommendations if such tendencies are impacting the effectiveness of internal controls. Similarly, some cultures are better than others at identifying whether controls are operating effectively or at taking corrective action when monitoring reveals control deficiencies. In such cultures, internal audit needs to not only be vigilant as a line of defense but to work to change the culture through education on the consequences of lax monitoring or corrective action, such as a downward spiral of the control environment and culture itself into one that treats controls with disregard.
Topic C: Ethics and Compliance Issues and Violations (Level B)
Environmental and social safeguards are a broad category of external laws and regulations and internal policies, risk management strategies, and programs of management, control, and assurance. Compliance and ethics programs are used to provide incentives for compliance, disciplinary measures for noncompliance, and assurance that these external laws and regulations and internal policies are being followed. Compliance audits can help assess whether the organization is or is not in compliance with each relevant law, regulation, or policy.
Companies come to terms with values and ethics in different ways. History has shown that a strategy of simply hoping that people will behave ethically and relying on periodic admonitions to “always act ethically” does not typically produce success. But a carefully planned approach that starts at the top and cascades throughout the organization can create a culture in which people are committed to core organizational values and ethics. Visible and vocal commitment from the board and management is a prerequisite for organizational ethics compliance. The board and management must model this commitment in their public and private actions, in the values they espouse, and in the decisions they make for the organization.
Organizational Compliance
According to the Open Compliance and Ethics Group (OCEG), a nonprofit organization devoted to GRC standards, compliance is:
The act of adhering to, and the ability to demonstrate adherence to, mandated requirements as defined by laws and regulations as well as voluntary requirements resulting from contractual obligations and internal policies.
Typically, compliance audits are conducted by compliance professionals, although internal auditors perform compliance audits in areas where they have expertise. Large organizations, especially those in heavily regulated industries, often have a chief compliance officer. Examples of compliance frameworks include:
• ISO 19600:2014, “Compliance management systems—Guidelines.” The ISO 19600 standard provides guidance to establish, develop, implement, evaluate, maintain, and improve a compliance management program and can be combined with other management program standards like ISO 9001, “Quality management.” Rather than targeting a specific risk area, ISO 19600 helps ensure that compliance programs are more comprehensive, in part by using the plan-do-check-act continuous improvement methodology:
  • Plan involves identifying issues and stakeholders, establishing good governance principles, setting scope, establishing compliance policy, and identifying compliance obligations and risks.
  • Do involves establishing leadership and support functions, performing operational planning and compliance risk control, and reporting on compliance and performance.
  • Check involves determining areas of noncompliance using independent compliance functions.
  • Act involves continuous improvement.
  (Note that this standard supersedes Australian Standard AS 3806, a widely accepted compliance framework.)
• U.S. Federal Sentencing Guidelines for Organizations. This is a principles-based framework, originally intended to guide U.S. federal judges when imposing sentences on organizational defendants, but it has become a de facto standard for compliance. Its seven principles (shown in Exhibit V-6) are intended to guide human behavior toward clear accountability and ethical conduct. It also promotes compliance training and leadership.
Exhibit V-6: Guidelines for Effective Compliance Programs
• Compliance standards and procedures that are reasonably capable of reducing the prospect of criminal activity
• High-level personnel assigned overall responsibility to oversee compliance with such standards and procedures
• Due care in delegating substantial discretionary authority to individuals whom the organization knew, or should have known, had a propensity to engage in illegal activities
• Effective communication to all levels of employees
• Reasonable steps to achieve compliance, which includes systems for monitoring, auditing, and reporting suspected wrongdoing without fear of reprisal
• Consistent enforcement of compliance standards, including disciplinary mechanisms
• Taking all reasonable steps to respond appropriately to the offense and prevent further similar offenses upon detection of a violation
Source: “Organizational Guidelines,” www.ussc.gov/Guidelines/Organizational Guidelines/index.cfm.
The role of internal auditing in compliance is to provide assurance that compliance professionals, policies, processes, and systems are effective. To audit the effectiveness of these people, processes, and technologies, internal auditors should start by gaining a basic knowledge of the roles and responsibilities of compliance professionals and the frameworks and systems they use, and then determine how well these professionals are using these tools and techniques to ensure compliance with the specific laws, regulations, and policies that they are responsible for assessing.
Environmental and Social Compliance
Since laws and regulations differ by country, at a minimum, the organization must comply with the environmental and social laws and requirements of the countries in which it operates. Often an organization will adopt a more stringent set of guidelines or policies and require that the stricter of either the country’s laws and regulations or the organization’s guidelines be used. An example of such guidelines is described later under the discussion of environmental health and safety. Organizations can also adopt voluntary international standards to serve as their environmental policy, such as adopting the ISO 14000 family of standards. ISO 14001:2015, “Environmental management systems,” helps organizations to measure and document their environmental impact. Documentation that helps prove compliance and reporting is a prerequisite for many potential investors and can provide a reputation boost. It can also reduce costs by cutting material use or the cost of waste management.
Two examples (among many others) of agencies that enforce laws and set regulations related to environmental and social safeguards are:
• U.S. Environmental Protection Agency. The U.S. Clean Water Act, Clean Air Act, and Toxic Substances Control Act grant the U.S. Environmental Protection Agency (EPA) the authority to write regulations and provide incentives for organizations to exercise voluntary compliance. The EPA’s significant guidance documents help organizations determine how to be compliant on specific environmental issues such as pesticide use.
• U.S. Occupational Safety and Health Administration. The U.S. Occupational Safety and Health Administration (OSHA) sets and enforces regulations to ensure that employers provide their employees with a safe and healthful workplace that is free from serious recognized hazards. Compliance professionals will be responsible for ensuring that all relevant and industry-specific standards are followed. The U.K.’s counterpart is called the Health and Safety Executive. Internal auditors may audit the work of health and safety compliance professionals and should be aware of relevant industry/organization standards.
Organizational Programs
Some examples of organizational programs or functional areas that provide environmental and social safeguards follow.
Environmental Health and Safety
Environmental health and safety (EH&S or EHS) may be a functional area or just a set of guidelines mandated by organizational policy. The International Finance Corporation (IFC) of the World Bank Group has published a widely recognized set of EH&S guidelines for investment in the private sector in developing countries. The IFC’s EHS Guidelines contain specific direction in the following areas:
• Environmental, which includes categories such as air and water emissions and quality, waste management, hazardous materials management, and contaminated land
• Occupational health and safety, which includes facility design, identification of hazards in many areas, and personal protective equipment
• Community health and safety, which includes water quality; structural, fire, traffic, and transportation safety; disease prevention; and emergency preparedness
• Construction and decommissioning, which includes environmental, occupational, and community health and safety standards for the life cycle of facilities
• Specific industry-sector guidelines, which help tailor each project to the hazards and risks that are identified in an environmental assessment
Organizations that adopt EH&S guidelines usually make them mandatory for all organizational divisions when conducting normal operations or embarking on new projects. The IFC requires that all projects meet either its guidelines or the host country’s regulations, whichever are more stringent. Use of such guidelines rather than following just the minimum laws and regulations in each host country can reduce a number of risks, such as risks to the organization’s reputation and the ability to attract investors. The increased level of investment necessary to meet more stringent standards need not be excessive. The IFC’s EHS Guidelines are set so that they should be achievable by new facilities using existing technologies at reasonable costs. There is also a process to justify proposed project alternatives that still protect human health and the environment.
Environmental Monitoring and Reporting
Environmental monitoring and reporting is an organizational group responsible for monitoring the environmental impact of activities on ground, water, and air; this includes monitoring greenhouse gas emissions. The environmental monitoring and reporting group’s outputs are typically included in the organization’s corporate social responsibility report or as part of an integrated report published along with the organization’s financial statements. Environmental reporting is discussed further in the next topic, on corporate social responsibility.
Supply Chain Management
Supply chain management is a cross-departmental and often cross-organizational function that works to create efficiency and effectiveness in the design, sourcing, production, and delivery of products and services. Often, organizations use supply chain management to find ways for their economic and environmental/social interests to be complementary, such as designing products that are lighter, require less packaging, or are produced and sold in the same local area. For example, many car companies now have plants in each of their major sales regions around the world. Each plant assembles vehicles just for that region, which reduces shipping costs while providing a social benefit of jobs in each community. Such initiatives are often called “design for the environment” or “design for the supply chain” to reflect that the full life cycle of a product and its production methods and locations will be considered from a total-cost-of-ownership perspective. Additional benefits include reduced risks of litigation and reputation damage and increased quality and/or health and safety of workers and consumers while simultaneously lowering production and shipping costs.
Ensuring that outsourced overseas business processes avoid child labor and conform to other generally accepted international labor practices is a critical social safeguard for organizations doing business in countries with fewer or unenforced labor laws and regulations. Organizations have learned that the environmental or social failures of their supply chain partners (and the partners of those partners) can still harm the organization’s reputation. Auditing contracts, recommending incentives for environmental and social policy compliance, or requiring certain contractual obligations are examples of possible internal auditor involvement.
Facility Management
Facility management is an organizational group in charge of an organization’s buildings, plants, and grounds. Facility management can help organizations make wise long-term decisions regarding facilities, such as investing in better insulation or more efficient or reliable heating, cooling, and lighting. Buildings can also be designed to promote aesthetics and create beautiful outdoor spaces for the benefit of the public. Such initiatives can offer economic, environmental, and social advantages, with a lower total cost in the long run due to lower energy costs and reduced maintenance costs.
Human Resources Management
In terms of social safeguards, human resources (HR) laws, regulations, and related organizational policies include numerous protections such as equal employment opportunity, protection from harassment, fair wages and compensation, and a safe and healthy working environment. Compliance with HR laws and regulations in the U.S. is enforced by multiple federal and state agencies. (OSHA is a federal example, while Cal-OSHA is its state counterpart in California.) Individuals may bring lawsuits that can be quite costly to an organization, whether or not it is ruled against. Again, the role of internal auditors in this area may be to audit the effectiveness of HR compliance processes.
Privacy Management
Privacy is a broad concept—and one that is difficult to define succinctly. It means different things to different people. Privacy definitions vary widely depending upon country, culture, political environment, and legal framework. The term can encompass personal privacy (physical and psychological), privacy of space (freedom from surveillance), privacy of communication (freedom from monitoring), and privacy of information (collection, use, and disclosure of personal information by others).
Privacy management is often part of risk management at an organization, and the ultimate responsibility for it rests with the board and senior management. Given the fact that privacy issues can damage the reputation of individuals and the organization, lead to legal action and liability issues, and contribute to consumer and employee mistrust, privacy must be handled judiciously. The second edition of the Practice Guide “Auditing Privacy Risks” states:
For businesses, the benefits of good privacy controls include:
• Protecting the organization’s public image and brand.
• Protecting valuable data on the organization’s customers and employees.
• Achieving a competitive advantage in the marketplace.
• Complying with applicable privacy laws and regulations.
• Enhancing credibility and promoting confidence and goodwill.
For public-sector and non-profit organizations, the benefits of good privacy controls include:
• Maintaining trust with citizens and noncitizens.
• Sustaining relationships with donors of non-profit organizations by respecting the privacy of their activities.
Privacy Vulnerabilities
The failure to protect privacy and personal information with the appropriate controls can have significant consequences for an organization. Potential vulnerabilities are pervasive because privacy cuts across numerous facets of an organization’s infrastructure. An organization’s website, web-enabled services, information technology systems, databases, applications, and network connections with outside service providers and third parties all pose privacy concerns.
Personal information generally refers to data associated with a specific individual or data that has identifying characteristics that may be combined with other information. It goes beyond just name and other specific identifiers to include other sensitive information such as disciplinary actions, credit records, or medical records.
Accessing any personal information may require that the internal auditor comply with applicable laws. Such laws often differ by jurisdiction, and legal counsel should be sought as needed to ensure proper compliance. Because some laws require the purpose for collection to be disclosed at the time of collection, it may not be possible to use the information for a different purpose without the direct consent of the individual or as required by law. Internal auditors may be able to help their organizations avoid some personal information privacy risks by designing audit procedures to detect when information is not adequately safeguarded. Implementation Guide 2310, “Identifying Information,” provides advice related to data collected when performing an engagement:
It may be helpful for internal auditors to review the organization’s policies and jurisdictional laws related to data privacy before beginning engagement work. They may also consult with the organization’s legal counsel or other applicable subject matter experts to address any questions or concerns that may arise about access to personal information.
Privacy Laws, Regulations, and Guidance
There are numerous laws and regulations as well as generally accepted policies and practices developing worldwide that are related to privacy. Exhibit V-7 summarizes key privacy legislation that internal auditors in organizations operating in the U.S. should understand.
Exhibit V-7: Key U.S. Privacy Legislation and Regulations
Financial Modernization Act of 1999
• Commonly referred to as the Gramm-Leach-Bliley Act. Includes provisions to protect consumers’ personal financial information held by financial institutions. Includes these principal privacy requirements:
  • The Financial Privacy Rule governs collection and disclosure of customers’ personal financial information by financial institutions. It also applies to companies, whether or not they are financial institutions, that receive such information.
  • The Safeguards Rule requires all financial institutions to design, implement, and maintain safeguards to protect customer information. The rule applies to financial institutions that collect information from their own customers and to financial institutions (such as credit reporting agencies) that receive customer information from other financial institutions.
  • Other provisions protect consumers from individuals and companies that obtain their personal financial information under false pretenses, a practice known as “pretexting.”
Health Insurance Portability and Accountability Act (HIPAA)
• Addresses security and privacy of health data. Provides consumers with rights over disclosure of their medical records.
• Contains provisions for secure transmission of electronic patient and medical records as well as medical information.
• Allows patients to easily obtain and correct medical records.
• Restricts how employers use health-related information during job interviews.
Freedom of Information Act (FOIA)
• Establishes the public’s right to obtain information from federal government agencies. (It does not create a right of access to records held by Congress, the courts, or state or local government agencies.)
• Allows any person the right to file a FOIA request, including U.S. citizens, foreign nationals, organizations, associations, and universities.
• Allows agencies to withhold information pursuant to nine exemptions and three exclusions.
• Enacted in 1966 and has had a number of amendments (Privacy Act of 1974, Government in the Sunshine Act in 1976, Anti-Drug Abuse Act of 1986, Electronic Freedom of Information Act of 1996, Intelligence Authorization Act of 2002, Open Government Act of 2007, and Wall Street Reform Act of 2010).
Children’s Online Privacy Protection Act of 1998 (COPPA)
• Gives parents control over what information is collected from their children by operators of commercial websites, general audience sites, and online services and how such information may be used.
• Requires websites that knowingly collect data on children under age 13 to first obtain verifiable parental consent.
• Requires operators to post a privacy policy on the homepage of the website and link to the privacy policy on every page where personal information is collected.
Privacy is, of course, a global issue. Many nations and economic regions have privacy laws, such as the European Union’s General Data Protection Regulation (GDPR), which became effective on May 25, 2018. (This is a binding regulation that does not require national governments to pass any enabling legislation.) The GDPR includes a right to be informed of an organization’s privacy policy, a right of access to one’s personal data, a right to correct errors in that data, the right to be forgotten (i.e., to request deletion of personal information), the right to data portability (i.e., to request a copy of personal information), and the right to object to or opt out of future data collection. Because of country-by-country differences, organizations such as the Organisation for Economic Co-operation and Development (OECD) are working to create consistency in transborder flows of personal data. The OECD’s “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data” include the eight core principles summarized in Exhibit V-8.
Exhibit V-8: OECD Core Principles for the Protection of Privacy and Transborder Flows of Personal Data (core principle, followed by its intent)
Collection limitation
• Recommends limits to the amount of personal data collected.
• Promotes that data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
Data quality
• Recommends that personal data should be relevant to the purposes for which it is to be used.
• Promotes that data should be accurate and complete and kept up-to-date.
Purpose specification
• Advocates that the purposes for which personal data is collected should be specified no later than at the time of data collection.
• Recommends that subsequent use be limited to fulfillment of those purposes or other compatible purposes.
Use limitation
• Advocates that disclosures of personal data (other than those specified in the purpose specification) be made only with the consent of the data subject or by authority of law.
Security safeguards
• Promotes that personal data be protected by reasonable security safeguards from risks (such as loss or unauthorized access, destruction, use, modification, or disclosure).
Openness
• Advocates that there should be a general policy of openness about developments, practices, and policies with respect to personal data.
Individual participation
• Promotes that the data subject have easy and reasonable access to personal data at a charge, if any, that is not excessive and in a form that is readily intelligible.
• Advocates that any denial of information be explained and challengeable.
• Promotes that the data subject be able to challenge personal data and, if the challenge is successful, to have the data erased, rectified, completed, or amended.
Accountability
• Recommends that the data controller be accountable for complying with measures that give effect to the principles.
Internal Auditors and Privacy Compliance
As we have learned, the board and senior management have overall accountability for ensuring that the principal risks of the organization have been identified and the appropriate systems have been implemented to mitigate those risks. “Auditing Privacy Risks” recommends establishing a privacy framework for the organization and monitoring its implementation. The internal auditor can evaluate the privacy framework and identify any significant risks along with appropriate recommendations for their mitigation. He or she should consider:
• The laws, regulations, and other standards and practices relating to privacy that are applicable to the organization and the country/countries in which it operates. (In-house legal counsel can help with this.)
• Whether information security and data protection controls are in place and are regularly reviewed and assessed for appropriateness. (Information technology specialists can help here.)
• The level or maturity of the organization’s privacy practices.
Depending upon this level or maturity, the internal auditor may have differing roles. The auditor may facilitate the development and implementation of the privacy program, evaluate management’s privacy risk assessment to determine the needs and risk exposures of the organization, or provide assurance on the effectiveness of the privacy policies, practices, and controls across the organization. If the internal auditor assumes any responsibility for developing and implementing a privacy program, the auditor’s objectivity will be impaired. It is reasonable that the internal auditor could be expected to:
• Identify the types and appropriateness of information the organization gathers as well as the collection methodology used.
• Evaluate whether the organization’s use of the information collected is in accordance with its intended use and the applicable laws.
Due to the highly technical and legal nature of privacy, it may be necessary to secure the services of third-party experts when evaluating an organization’s privacy framework, especially in global organizations.
Assessing the Organization’s Ethical Climate
The first element of control in the IPPF definition of the control environment is integrity and ethical values. Performance Standard 2100, “The Nature of Work,” notes the role of ethics and values in the governance process and underscores the inextricable relationship between governance, risk management, and control processes. The level and nature of risks related to an organization’s ethical climate will vary by type of business, internal and external pressures, and culture (both organizational and societal). An organization’s culture may determine the extent to which ethical values and policies are followed, ignored, or modified for the purpose of convenience. It is the responsibility of internal auditing to develop a clear picture of the current ethical climate and propose controls designed to sustain or improve it.
Evaluating Ethics
The internal audit activity should periodically assess the state of the ethical climate of the organization and the effectiveness of its strategies, tactics, communications, and other processes in achieving the desired level of legal and ethical compliance. Information about the adequacy of ethics controls must be gathered. This information must be analyzed to determine the potential risk-related impact on the ethical environment and on the organization. Recommended new controls or changes to existing controls should be practical and aligned with local practices. The CAE must gain the support and buy-in of the board and senior management to ensure required access and the receptivity of the board and senior management to findings. The CAE must also communicate the results of the engagement with sensitivity and awareness of the need for confidentiality.
Internal auditors can assess the ethical climate of an organization through several actions, including:
• Evaluating the completeness of ethics policies and codes—whether the organization’s policies and codes include appropriate subjects and guidance.
• Reviewing the adequacy of positive personnel practices in supporting an ethical climate.
• Determining whether appropriate communications are occurring and if employees and other stakeholders understand the information.
• Evaluating how well employees truly embrace the message.
• Determining if there are explicit strategies to support and enhance the ethical culture (e.g., regular programs to update and renew the organization’s commitment to ethics).
• Evaluating the effectiveness of the processes established to enable employees to communicate concerns regarding inappropriate behavior to management or the board (e.g., a whistleblower process).
• Determining if the appropriate process exists to ensure that allegations of misconduct are investigated and resolved, findings are properly reported, and corrective action is taken to improve controls.
• Evaluating board oversight responsibilities and monitoring activities.
This list is not all-inclusive. The internal auditor’s involvement in ethics will vary. In some organizations, internal auditors may even be at the level of serving as the primary driver behind all ethics-related initiatives. Nontraditional assessment tools and auditing techniques not used in traditional engagements may be required to evaluate the ethical environment. These tools can include:
• Employee surveys and compliance forms (e.g., annual reports of financial dealings that might constitute conflicts of interest). Internal auditing can perhaps work with human resources to include questions related to ethics and governance in annual employee surveys.
• Informal and continual networking of the CAE and staff throughout the organization, which allows observation of behaviors and attitudes.
Use of Surveys
Internal auditors can use surveys as a tool to help assess the effectiveness of the communication process and the ethical climate of the organization. Any survey will generate data, but, in order to improve the reliability and validity of the data, an auditor should:
• Have the support of top management and position the survey as a feedback tool.
• Design the questions carefully to ensure ease of response, by using, for example, yes/no responses or Likert agreement/disagreement or satisfied/dissatisfied rating scales. (A Likert scale might range from strongly disagree, to disagree, to strongly agree, for example, to help capture qualitative information such as the intensity of the response.)
• Include space for comments and invite people to explain why they chose a rating, especially when the rating points to a weakness.
• Keep the survey at a reasonable length.
• Field-test the survey.
• If feasible, have surveys returned to an independent market research firm and the statistical analysis and typed comments returned to internal audit.
If survey participants have any fear of retribution, survey results will be jeopardized. Ensuring confidentiality lowers this fear. On the other hand, the ability to follow up can be powerful and may warrant consideration. Another key point is that survey participants need to feel that management considers the survey as meaningful and is committed to acting on the results. Participants will need to see that their input has led to positive changes.
Identifying Root Causes
Additional sources of ethics violations are organizational factors that directly or indirectly promote dishonest or unethical acts. Consider a few examples:
• Emphasis on results, especially short-term
• Excessive focus on the bottom line (such as sales revenues and profit goals)
• High-pressure sales tactics
• Ruthless negotiations
• Aggressive incentives or rewards that are tied to reported financial and nonfinancial information
Internal Auditor’s Role in Assessing Codes of Conduct

Organizational codes of conduct that govern acceptable employee behavior are another important consideration for the internal audit activity. These codes are intended to clearly communicate the kind of conduct that the organization expects in various situations. Codes reinforce the need to promote ethics in business decisions. Specific codes of conduct vary across organizations, but most include sections addressing:
• Conflicts of interest.
• Confidentiality.
• Fair dealing.
• Proper use of organizational assets.
• Gifts and gratuities.
• Compliance with laws, rules, and regulations.
• Reporting of illegal or unethical behavior.

For example, a written statement about conflicts of interest should:
• Generally define conflicts of interest.
• Address the expected behavior for employees, other corporate agents, and suppliers.
• Include provisions for activities, investments, or other interests that reflect on the entity’s integrity or reputation.

Codes of conduct are intended to provide a proactive statement on the organization’s position on ethics and compliance issues. They are not intended to have the force of law.
Investigation and Disposition of Ethics Violations

Just as management is responsible for the governance process, it is also responsible for investigating alleged violations of ethics, compliance, or business conduct practices and making recommendations for resolution of misconduct, including disciplinary action. Many corporate ethics programs have a chief ethics officer. An ethics officer is the logical management representative to lead an investigation. When violations are found, they should be investigated no matter what the rank of the perpetrator in the organization. Actions taken in response to ethics violations should be handled in a consistent manner. No one is immune from penalties. If a senior manager and a mailroom clerk both commit the same illegal act, their penalties should be consistent.

The disposition of an ethics violation will depend on the specific nature and seriousness of the act. Possible disposition scenarios include:
• An internal progressive disciplinary process that may start with verbal counseling or probation for a first offense, escalating to more formal warnings and/or potential termination for repeated offenses or for serious first-time violations.
• Reporting any violations of rules to the appropriate regulatory agencies.
• Reporting any illegal acts such as theft or workplace violence to legal authorities.

Violations should be appropriately documented and records retained as required. Of course, the overall goal is to have processes and policies in place that encourage all employees to behave in an ethical manner.
Fostering a Healthy Ethical Climate

There are many things an organization can do to promote ethical behavior. Best practices include:
• Setting the “tone at the top” for honesty and integrity and reinforcing that every manager, director, and employee needs to maintain these values.
• Incorporating and emphasizing organizational core values and ethics as part of recruiting and hiring and new employee on-boarding and orientation.
• Developing a written code of ethics and ensuring that it reflects current business conditions.
• Delivering the ethics message via multiple communication media (e.g., email, fax, bulletin board postings, company communications, in person).
• Conducting employee ethics interviews.
• Designing and administering employee and stakeholder ethics attitude surveys.
• Designing and delivering ethics training.
• Supporting open communications.
• Promoting employee involvement.
• Valuing diversity and institutional fairness.
• Providing whistleblower hotlines for reporting incidents.
• Promoting a compliance-supporting culture.

Values, ethics, and codes of conduct can be the essential glue that holds an organization together. To be effective, they need to be bedrock beliefs that everyone in the organization actually feels deep down to their toes, not mere platitudes. Values, ethics policies, and codes of conduct must be developed through employee participation (to generate buy-in) and then clearly and repeatedly communicated so they can be understood and accepted by all employees. Successful organizations are still human institutions.
Internal Auditor’s Role in Assessing the Ethical Climate of the Board The board is the focal point for an organization’s governance practices. Although the board does not have any direct management responsibility, it does set the big-picture perspective for the organization and oversee all governance activities. Ultimately, the board has the accountability for all organizational affairs and performance.
Stakeholders trust that the board will practice honest and ethical conduct. Effective governance is diminished if stakeholders have any distrust of the board or if any board violations of codes of conduct and ethics occur. The internal audit activity can play an important role in supporting the ethical aspects of the board’s governance by assessing the areas identified in Exhibit V-9 and—as warranted—assisting in and/or making recommendations for improvements.

Exhibit V-9: Assessing the Board’s Ethical Climate

Area: Board structure, objectives, and dynamics
To assess: Whether the board and its committees are appropriately structured and chartered to operate effectively to ensure:
• Healthy board and management interaction.
• Adequate board meeting time devoted to open discussion.
• Full range of issues considered at board meetings.
• Appropriate board composition (e.g., number of board members, absence of conflicts of interest, and capabilities of board members).

Area: Board committee functions
To assess:
• Sufficient frequency and duration of meetings.
• Board meeting schedules, establishment of agendas, dissemination of advance information, and adherence to committee charters.
• Whether board committees maintain a calendar of responsibilities and regularly monitor performance in regard to published responsibilities.

Area: Board policy manual
To assess:
• Evaluation of CEO performance, including ethical culture metrics.
• Care in development of incentive programs to ensure that improper behavior is not rewarded.
• Board member compliance with laws and codes of conduct.
• Process for developing and maintaining board governance policies or a policy manual.
• Board self-assessment of performance.
• Meetings in private executive sessions.
• Compliance procedures.

Area: Processes for maintaining awareness of governance requirements
To assess: Organization’s processes for maintaining awareness of relevant, evolving governance codes, best practices, and compliance requirements.

Area: Board education and training
To assess:
• Provisions for ongoing education on significant issues facing the organization, changing technology, and emerging risk areas.
• Provisions to train and educate new board members to prepare them properly for their new responsibilities.
• Adequacy of education provided to board members compared to best practices from other organizations.
A few caveats apply here.
• Board structure, objectives, and dynamics. A board may want to consider whether internal audit involvement would be beneficial and acceptable, with appropriate safeguards to preserve internal auditor objectivity and independence.
• Awareness of governance requirements. Internal auditors could also take a proactive role in assisting the board with current governance obligations and practices. This could be accomplished by developing networks and processes to maintain awareness of these requirements and working with business round tables, professional trade associations, internal and external subject matter experts, and internal compliance or risk assessment committees. Auditors would then be prepared to assess:
  • Whether the organization is in compliance.
  • The ramifications of noncompliance.
  • The adequacy of the disclosures relating to the organization’s governance system in its annual report.
• Board education and training. Internal auditors can assist the board in these efforts by developing and delivering training and providing related administrative support.
Topic D: Corporate Social Responsibility (Level B)

Corporate social responsibility (CSR), sometimes also called social responsibility (SR) or sustainable development (SD), is defined by Sawyer’s as “the term commonly associated with the movement to define and articulate the responsibility of private enterprise for nonfinancial performance.” The impetus for CSR owes much to another term, triple bottom line, which was popularized in 1994 by author and sustainability advocate John Elkington in his book Cannibals with Forks: Triple Bottom Line of 21st Century Business. The triple bottom line refers to the concept that corporate success should be measured in three dimensions—economic, social, and environmental—not just by the traditional economic bottom line of profitability. Exhibit V-10 illustrates how these dimensions overlap to create an organization that is sustainable over the long term.

Exhibit V-10: The Triple Bottom Line and Sustainability
Elkington wrote that these three areas must be fully integrated into the organization’s business model and strategy to create organizational sustainability over the long term. Economic sustainability requires reinvestment of profits toward the growth of customer markets as well as investing in and tracking the impact of investments in environmental and social programs. This tracking and reporting process allows the social bottom line and the environmental bottom line to be measurable. Measurable results allow the long-term benefits of the programs to be measured against their costs so that better decisions can be made regarding which programs are truly contributing to the organization’s sustainability. Such a tracking process can also allow the organization to market its successes. Corporate social responsibility incorporates these concepts and ideals.
Understanding Corporate Social Responsibility

CSR has some alternate definitions in addition to the one provided above. The IIA Practice Guide “Evaluating Corporate Responsibility/Sustainable Development” states that:

Generally, CSR is understood to be the way firms integrate social, environmental, and economic concerns into their values, culture, decision making, strategy and operations in a transparent and accountable manner and thereby establish better practices within the firm, create wealth, and improve society.
This definition underscores the importance of integrating CSR into the very fabric of the organization if it is to be successful, as was mentioned previously for the triple bottom line. CSR is a philosophy that must be championed from the top down. In fact, the board of directors is responsible for the effectiveness of CSR governance, risk management, and associated internal control processes. Senior management is responsible for establishing the objectives of CSR, managing related risks, measuring performance, and monitoring and reporting on CSR issues. However, one tenet of CSR is that, like TQM (total quality management), everyone at an organization has a role to play in ensuring the fulfillment of CSR objectives. Therefore, thorough change management is needed to ensure that these objectives are reinforced and brought into the culture and incentive structures of the organization.

Some organizations, such as those that have little direct impact on the environment, will define the objectives of CSR a little differently, making the environment just one element of CSR and emphasizing other social objectives more, such as ethics and transparency, donations and political contributions, corporate/organizational governance, human rights, human resources and employment, supply chain management, shareholder relations, health and safety, and community investment.
Stakeholders to CSR and Their Needs

Exhibit V-11 lists a number of stakeholders to the CSR process, reprinted from The IIA’s course “Corporate Social Responsibility: Opportunities for Internal Audit,” although the “environment” stakeholder might be better termed as “supporters of the environment,” since the environment cannot speak for itself.

Exhibit V-11: Stakeholders to CSR and Their Needs

Stakeholder: Employees (and their families)
Needs:
• Fair pay, living wage
• Respect (freedom from discrimination and harassment; equity)
• Support systems (education, social benefits)
• Safety and security

Stakeholder: Environment
Needs:
• Clean air, water, land
• Recycle, reuse, reduce waste
• Respect for ecosystems and animals

Stakeholder: Neighboring community
Needs:
• Philanthropy
• Capacity building
• Social welfare
• Economic opportunities

Stakeholder: Shareholders
Needs:
• Transparency and honesty
• Longevity (sustainable)
• Reputation and legal compliance
• Optimization of return
• Governance
• Pursuit of strategy in ethical/legal fashion

Stakeholder: Customers
Needs:
• Safety
• Transparency and honesty
• Optimization of price

Stakeholder: Suppliers
Needs:
• Fair negotiations
• Relationships
• Contractual compliance
Each stakeholder has certain needs that, if met, will reduce the risks to the organization (provided the need can be met without undue hardship or expense).
Risks That CSR Is Intended to Address

The results of a risk management assessment will help identify a variety of risks, some of which can be managed using a CSR program and some of which will be created by the CSR program itself.
• Strategic risks. Strategic risks include having an inadequate or ineffective strategic decision-making process or control development process related to a CSR program. This could lead to poor results from approved projects or other initiatives, which could then result in less ability to get future CSR projects or initiatives approved.
• Reputation risks. An organization that fails to address the needs of its stakeholders (as defined previously) may earn a negative reputation. The saying that it takes years to build a reputation but just moments to destroy it is as true for organizations as it is for individuals. Damage to organizational reputation is hard to measure, but many organizations have lost market share or investor confidence or suffered other real effects from a poor reputation. Another risk to reputation is from the CSR program itself. The program usually involves publishing voluntary reports, which can be used to attract new investors and advertise the organization’s successes, but they could also be used by environmental or social activists to level attacks on the organization. Even an effort in the right direction may not be seen as enough by some groups. The CSR program could also fail to be enacted or run properly, or breakdowns in controls could occur. Internal audits of CSR programs could objectively assess information provided in reports or determine the efficiency and effectiveness of CSR.
• Compliance risks. There are myriad laws and regulations under the purview of a CSR program, and, because of this, there are risks of noncompliance due to ignorance (which is not an allowed excuse) or deliberate actions. Organizations operating in multiple countries will experience a higher level of compliance risk.
• Liability risks. Liability risks can occur because an organization has not provided adequate controls to address a risk or because a risk event occurs, perhaps due to a control weakness or failure. Often, if an organization can prove that it had the proper controls in place, it can limit the damages even if there has been a control failure. For example, if an employee sues for sexual harassment but the organization can prove that it has a program in place to require managers to be trained on sexual harassment, in certain jurisdictions the organization may be able to show that it has established a “zero tolerance” atmosphere toward sexual harassment and reduce some of the damages (such as preventing the case from becoming a class action lawsuit). Liability risk can also exist as part of the CSR program. If an organization’s business partners are contractually required to follow certain CSR standards or policies, there is a risk of noncompliance and legal liability. Even if a supplier assumes all liability, it could create a supply chain disruption or worse. Independent or internal audits can help address this risk.
• Operational risks. An organization’s operations may create air, water, or noise pollution, workplace hazards, or products that cause unintended harm to consumers. An organization can face these risks even if it is in full compliance with the laws and regulations of a country, especially if the country has relatively lenient laws or cannot or will not enforce its laws and regulations. This is because an organization’s business practices in such countries could be brought to light and harm the organization’s reputation or create direct liability risk. Operational risks can also be created by a CSR program. The CSR program may fail to meet its operational goals. The goals could be unrealistic, not address the highest priority risks, or be more expensive to implement than originally expected. The program could also fail because it is not integrated into business strategy or business processes or because adequate controls over CSR processes fail to be developed or implemented. Organizations adopting CSR standards or policies may face difficulty when attempting to apply them in different countries.
• Reporting risks. Improper or inaccurate financial or nonfinancial reporting about an organization’s CSR program or its impact/results could lead to many other types of risks, such as reputation risk, compliance risk, or liability risk.
• Staffing risks. Employees and potential employees have expectations for their place of work such as fair pay and respect. Having a great CSR program may become one of these expectations if it is the industry norm. The organization may have difficulty attracting and retaining talent if it lacks such a program.
• Marketing risks. Closely associated with reputation risk, marketing risks can arise if the organization is not proactive in implementing or advertising a CSR program. This could include boycotts, missing out on a socially active customer segment, or simply losing market share to an organization that is actively engaged in CSR.
• Supply chain partner risks. Suppliers, business partners, and downstream customers in the supply chain, such as wholesalers, could act unethically (even if legally) if no contractual obligations exist, or they could violate CSR contractual terms and conditions and the organization could suffer from guilt by association. Monitoring controls may be difficult, especially for long distance relationships.
CSR Process

CSR starts with the board and senior management determining their priorities and high-level objectives. The next step is to identify and prioritize significant risks related to CSR. Management may adopt an external CSR framework such as ISO 26000 or the Global Reporting Initiative and/or translate these objectives into high-level policies. Once a framework and policies are in place, the next step is to set detailed objectives, performance targets, and implementation strategies. Examples of objectives include reducing safety incidents, encouraging volunteerism, creating a culture of transparency, or reducing waste or carbon emissions.

A best practice is for organizations to embed CSR principles into their business processes to ensure that they occur, such as by engaging employees from the bottom up in crafting mission and vision statements that reflect CSR values, requiring a life-cycle value assessment of projects or product designs with the environment and social impact in mind, or requiring that CSR risks be assessed and addressed prior to allowing project approvals.

Once processes are developed, they must be managed and measured against performance targets or other benchmarks. Results are analyzed and recommendations are made to complete the cycle of continual improvement. For example, the organization’s emissions could be tracked and compared to industry benchmarks or internal goals. Product hazards could be verified and quantified using laboratory testing. Employee satisfaction could be measured using self-assessment tools. Commitments made to stakeholders could be reviewed to ensure that they were honored. Internal auditors may play a role at this point of the process.

One ongoing process throughout the CSR development life cycle is to regularly communicate with stakeholders. This may include involving stakeholders in policy development, distributing surveys and collecting feedback, forming focus groups, or managing the complaints process.

Another ongoing activity is internal and external auditing and compliance. Internal auditors test internal controls and CSR management systems. Compliance professionals may determine whether the organization and its supply chain partners are in compliance with laws, regulations, contracts, and policies, but internal auditors may be called upon to determine how effectively these processes are being conducted.

The final element in the CSR process is CSR reporting. CSR reporting is addressed later, but examples include voluntarily supplying information on carbon emissions, issuing safety data sheets for hazardous products, and making other required public disclosures and reports.
CSR Frameworks

Organizations may wish to adopt a CSR framework of policies and standards rather than developing them on their own. The use of a framework has many advantages, from providing a common vocabulary to easier adoption in various countries, especially when international standards are used. Common CSR frameworks include ISO 26000 and the Global Reporting Initiative.
ISO 26000:2010, “Social Responsibility”

ISO 26000:2010, “Social responsibility,” provides guidance on:
• Terms, definitions, and concepts related to social responsibility.
• The characteristics of social responsibility, its background, and trends.
• Principles and practices related to social responsibility.
• The core issues and subjects of social responsibility.
• Integrating, implementing, and promoting socially responsible behavior throughout the organization and, through its policies and practices, within each area’s sphere of influence (i.e., internal auditing for internal auditors).
• Identifying and engaging with stakeholders.
• Communicating commitments, performance, and other information.

ISO 26000 is intended to promote a common understanding of social responsibility among employees and encourage them to go beyond legal compliance. Motivated and empowered employees add value to programs and provide valuable word-of-mouth marketing within and outside the organization. This can help with CSR adoption and contribute to sustainable development.
Global Reporting Initiative

The Global Reporting Initiative (GRI) is a network-based organization that produces a reporting framework for sustainability actions and results. This reporting framework is subject to continuous improvement and has been widely adopted globally. GRI reports can be easily benchmarked against reports from other organizations using this framework. GRI also provides advice and standards on how to measure performance against key performance indicators.
CSR Reporting

CSR reports can be stand-alone or part of an organization’s annual report. Selected CSR information could also be included in marketing releases such as brochures for shareholder meetings, web pages, commercials, or press releases. Regulators may also require that certain filings be made.

Reporting on CSR is important because these disclosures allow potential investors to determine if the organization qualifies as a socially responsible investment, open the organization to additional investor classes, or may provide information on whether the organization is sustainable in the long term per the triple bottom line discussion earlier. However, organizations need to carefully consider what to include and omit from such reports, not only because the information has a liability risk (e.g., being used by unfriendly activists) but also because the potential benefits of gathering that information must outweigh the costs of producing the information in the first place. An organization that embarks on CSR reporting must also recognize that it will sometimes need to share bad news as well as good. However, organizations that consistently report both positive and negative information will be considered more trustworthy.

Some countries such as France have laws requiring organizations to report on their environmental and social impact. Canada has a similar law requiring banks and federally incorporated trusts with more than $1 billion in equity to report their contributions to the economy and society. Similarly, the United Kingdom has rules for pension funds to report on the ethics and social and environmental policies of organizations in which they invest.

In addition to the challenge of determining what to include in a report, the report format and terminology used also pose challenges for the comparability of information reported. Unlike external financial reporting, which has been standardized to make statements fairly comparable, CSR does not yet have a generally accepted format for reporting. ISO 26000 or GRI could provide this common framework, but a critical mass of voluntary adopters will be required to make comparability a reality.

Another issue with CSR reporting is that reports may not be considered trustworthy unless they have been independently verified by third parties or have been subject to some other type of assurance process. Internal auditors are one possible resource that could provide this assurance. To complement such assurance processes, auditors or other assurance providers can use CSR assurance standards, such as those produced by AccountAbility, an international not-for-profit organization. Its AA1000 standard is a principles-based standard that provides methods of continually improving sustainability performance. An organization could also receive a certification that it is compliant with ISO 26000 or other relevant ISO standards. This requires submitting the organization to a review from an accredited third-party testing organization.
Auditing CSR

Corporate social responsibility encompasses a very broad range of organizational activities and related controls. Therefore, various elements of CSR will likely be audited on a cyclical basis. Some elements of CSR may require extended time to obtain sufficient audit evidence and can therefore only be audited after that point. Exhibit V-12 provides some possible methods of selecting CSR elements to audit.

Exhibit V-12: Methods of Auditing CSR

Audit Method: Audit by element
Description: Perform separate audit engagements for each CSR element, such as governance; environment; ethics; community involvement; health, safety, and security; transparency; and working conditions and human rights. Engagements can subdivide elements by business location or external partner.

Audit Method: Audit by stakeholder
Description: Perform separate audit engagements to assess effectiveness of delivering value to each stakeholder group such as employees and their families, customers, the environment, and so on. The basis for determining effectiveness is fulfillment of each group’s needs. Each engagement could be subdivided by location or external partner.

Audit Method: Audit by common subject
Description: Perform audits by common subject area, such as workplace, marketplace, community, and environment. Auditing by workplace could bundle issues together such as employer of choice, health and safety, diversity and equality, environmental management practices, training and development, ethics, governance, and human rights. In another example, bundling by community could include assessing local economic support, charity, capacity building, volunteerism, and stakeholder engagement.

Audit Method: Audit by internal control
Description: Perform audits using internal controls over risk management, data gathering, measuring, and CSR reporting activities for each department or organizational group to be audited in the audit plan. The same audit tests would be performed for each area so the results would be comparable. At the end of the year, an overall report on CSR could be made based on all areas audited.

Audit Method: Audit by risk-management-based priority
Description: Perform audits using a risk-management-based approach, selecting the areas of a CSR program identified as being most significant in terms of risk impact and likelihood, with direction provided by board and senior management. This method can be combined with any of the prior methods.
There are other related audit topics in which the CAE could serve as a project manager or an internal auditor could be used as a resource if managed by another area:
• Auditing public disclosures about the organization’s CSR approach and results to provide assurance that the results are reliable
• Auditing third parties for contractual compliance with CSR terms and conditions or reviewing prospective suppliers to prequalify them

The CAE must assess his or her audit team’s capabilities to perform CSR audits and consider adding external subject matter expertise when needed. For example, internal auditing may need to use a management self-assessment process to audit some CSR controls or results. It is essential that internal auditors possess good facilitation skills when explaining how to perform self-assessments and when providing feedback on results. Internal auditors also need adequate communication skills to carefully address sensitive issues such as ethics or working conditions. The IIA’s Certification in Control Self-Assessment is one way to ensure that audit staff have the proper skill set for this activity.

There may also be situations in which the internal auditor is responsible for some aspect of a CSR program’s operations. When this is the case, that portion of the program could be audited by an independent third-party service provider. CSR auditing engagements could also be performed as consulting engagements, in which case the internal auditor could provide input during the design phase of CSR programs to ensure that proper controls are developed and integrated seamlessly into processes.
Topic E: Risk Management Fundamentals (Level P)

What Is Risk Management?

The Standards Glossary defines risk management as “a process to identify, assess, manage, and control potential events or situations, to provide reasonable assurance regarding the achievement of the organization’s objectives.”

On one level, all employees—including internal auditors—are risk managers, whether they know it or not. They manage risks every day to help them achieve their goals and objectives. But they become better risk managers when they do it consciously, in a disciplined and consistent way. From the organization’s standpoint, great benefits can be derived if managers do not just manage their own risks within their own organizational “silos.” If the same disciplined risk assessment process is applied throughout the organization and the results are rolled up to higher levels, executive management can see the total picture of risk for the organization. With this “portfolio view” of risk in mind, executives can make better strategic decisions and allocate resources more effectively. Organizations around the world are developing enterprise risk management (ERM) programs to realize these benefits. Our discussion of risk management will focus on ERM, which encompasses all risk management concepts.

In addition to the Standards Glossary definition, we can learn additional information from other discussions of risk management:
• Enterprise Risk Management—Integrating with Strategy and Performance. COSO’s ERM framework defines enterprise risk management as:

The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.

This definition recognizes that each person’s unique world view and the organization’s culture influence how people identify, assess, and respond to risk. Capabilities refer to things like competitive advantages and relative capacity for change or adaptation. Practices refer to ensuring that ERM is continually applied to the entire scope of regular and unique activities and decision making at strategic, tactical, and operational levels. Integration with strategy setting and performance refers to ensuring that there is a flow from a strategy (that aligns with the organization’s mission and vision) down to all business units and functional areas. The definition also indicates how ERM is integral to achieving strategy, goals, and objectives, such as providing management and the board with reasonable expectations regarding both risk and reward. Finally, the definition links ERM to value creation (or destruction) in the level of risk the organization is willing to accept in the pursuit of value (called risk appetite).
• Enterprise Risk Management: Trends and Emerging Practices. This publication was prepared by Tillinghast-Towers Perrin and sponsored by The IIA Research Foundation in cooperation with the Conference Board of Canada. Based on information gathered from extensive literature reviews, the principal authors define enterprise risk management as “a rigorous and coordinated approach to assessing and responding to all risks that affect the achievement of an organization’s strategic and financial objectives.” This publication notes that enterprise risk management:
  • Incorporates risks from all sources (financial, operational, strategic, etc.).
  • Makes use of the natural hedges and portfolio effects from treating those risks with a collective approach.
  • Coordinates risk management strategies that span risk assessment, mitigation, financing, and monitoring.
  • Focuses on the impact to the organization’s overall financial and strategic objectives.
  • Recognizes the upside opportunity and downside nature of risk.
• “The Role of Internal Auditing in Enterprise-Wide Risk Management.” The IIA Position Paper “The Role of Internal Auditing in Enterprise-Wide Risk Management” was prepared by The Institute of Internal Auditors in coordination with its IIA U.K. and Ireland affiliate. The Position Paper defines enterprise-wide risk management as:

A structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.

The Position Paper further notes that ERM takes a broader portfolio approach than traditional risk management and deals with risks and opportunities affecting the creation or preservation of organizational value.

The different definitions of risk management/enterprise risk management all emphasize the same points:
• The scope of risk management transcends the traditional organizational hazard management mentality and encompasses both strategic and bottom-line objectives.
• The risk management process is broad and ongoing and involves management and employees at all levels of an entity.
Related Standards, Implementation Guides, and Practice Guides
Exhibit V-13 lists the IIA Standards specifying the scope of internal auditing in risk management as well as the related guidance.
Exhibit V-13: Risk Management Standards and Recommended Guidance
Standard
Performance Standard 2100, “Nature of Work”
The internal audit activity must evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes using a systematic, disciplined, and risk-based approach. Internal audit credibility and value are enhanced when auditors are proactive and their evaluations offer new insights and consider future impact.
Performance Standard 2120, “Risk Management”
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
Implementation Standard 2120.A1 (Assurance Engagements)
The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding the:
• Achievement of the organization’s strategic objectives.
• Reliability and integrity of financial and operational information.
• Effectiveness and efficiency of operations and programs.
• Safeguarding of assets.
• Compliance with laws, regulations, policies, procedures, and contracts.
Implementation Standard 2120.A2
The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
Implementation Standard 2120.C1 (Consulting Engagements)
During consulting engagements, internal auditors must address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks.
Implementation Standard 2120.C2 (Consulting Engagements)
Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization’s risk management processes.
Implementation Standard 2120.C3 (Consulting Engagements)
When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.
Related Guidance
Implementation Guide 2100, “Nature of Work”
Implementation Guide 2120, “Risk Management”
Practice Guide, “Assessing the Adequacy of Risk Management Using ISO 31000”
Practice Guide, “Coordinating Risk Management and Assurance”
Practice Guide, “Auditing External Business Relationships”
Related guidance is also available in the Position Paper “Role of Internal Auditing in Enterprise-Wide Risk Management” and the Practice Guides “GAIT for Business and IT Risk,” “Business Continuity Management” (previously GTAG 10), and GTAG 6—“Managing and Auditing IT Vulnerabilities.”
Risk Terminology
Internal auditors need to understand the myriad terms associated with risk and control. Let’s start with the Standards Glossary definition of risk: “the possibility of an event occurring that will have an impact on the achievement of objectives; . . . measured in terms of impact and likelihood.” The text Internal Auditing: Assurance and Consulting Services makes the following additional points about risk:
• Risk begins with strategy formulation and objective setting. Because no two organizations are identical, individual enterprises have unique strategies and objectives and face different types of risk.
• Risk does not present a single point estimate; it represents a range of possibilities. Without a single outcome, the range is what creates uncertainty when understanding and evaluating risk.
• Risk may relate to preventing bad things from happening or to failing to ensure that good things happen. Risks may present threats to an organization or be the failure to achieve positive outcomes.
• Risks are inherent in all aspects of life; risks associated with conducting a form of business are considered business risks. Business risks are uncertainties related to the achievement of business objectives.
It is also important to understand that an organization has to take some level of risk if it wants to achieve its business objectives. More ambitious objectives may require that more risk be accepted, but, if the effort is successful, the reward should also be greater. A company that does not take enough risk can fail by being surpassed by a company that does take the necessary risks. While some risks should be avoided, others need to be accepted as a cost of doing business (and some of these risks can be mitigated by a system of internal controls). With no risk, there can be no reward.
Every organization should have a clear definition of risk. While working definitions may vary from that in the Standards Glossary, the language should be understood by everyone involved in an organization’s risk assessment activities. The following list of terms related to risk and control is not all-inclusive but rather provides a good vocabulary primer. The terms, which are presented in alphabetical order, are likely to be similar to those used in your organization. Collectively, the list of terms in Exhibit V-14 provides a common language to use with the board, management, and others in all communications.
Exhibit V-14: Risk and Control Terms (each term is followed by its definition)
Acceptable risk
A type of risk that revolves around the business impact that would be experienced if certain risks became realized. The loss is deemed to be acceptable; no additional controls are warranted.
Acceptable risk level
A level of risk deemed to be acceptable as derived from an organization’s legal and regulatory compliance responsibilities, its threat profile, and its business drivers and impacts.
Adequate and effective control
A level of control that is present if management has planned and organized (designed) in a manner that provides reasonable assurance that the organization’s risks have been managed effectively and that the organization’s goals and objectives will be achieved efficiently and economically (Standards Glossary).
Audit risk
The risk that internal auditors may arrive at the wrong conclusions and opinions of the work that they have undertaken.
Compliance
Conformity and adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements (Standards Glossary).
Control deficiency
A control-related condition that warrants attention as a potential or real shortcoming that could leave an organization at risk if not addressed. A significant control deficiency (material weakness) would have the potential to put the organization in a position of excessive risk if not addressed.
Control environment
The attitude and actions of the board and management regarding the significance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. It includes the following elements:
• Integrity and ethical values
• Management’s philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Human resource policies and practices
• Competence of personnel (Standards Glossary)
Control processes
The policies, procedures (both manual and automated), and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level that an organization is willing to accept (Standards Glossary). Note: “to ensure” can be interpreted as “to provide reasonable assurance.”
Control risk
The potential that control activities will fail to reduce controllable risks to an acceptable level.
Enterprise risk management (ERM)
A structured, consistent, and continuous process across the whole organization for identifying, assessing, deciding on responses to, and reporting on opportunities and threats that affect the achievement of its objectives.
Event
An incident or occurrence resulting from internal or external sources that affects (or could potentially affect) the implementation of strategy or achievement of objectives.
Impact
The actual or potential result, effect, or consequences of an event.
Inherent limitations
Limitations of risk management, control, and governance related to human judgment, resource limitations, and the need to balance the costs of controls in relation to expected benefits; considers the reality of breakdowns occurring and the possibility of management override and collusion.
Inherent risk (also called absolute risk)
The risk derived from the environment, strategy, tactics, and operations without the mitigating effects of internal controls.
Likelihood
The probability that a given event will occur.
Opportunity
As related to risk, an uncertain event that if it occurs could positively impact the achievement of objectives.
Pervasive risk
The nature of risk found throughout the environment.
Residual risk
The projected risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to a risk.
Risk
The possibility of an event occurring that will have an impact on the achievement of objectives; it is measured in terms of impact and likelihood (Standards Glossary). A risk that has the potential to negatively impact achievement of objectives is sometimes called a threat; a risk that has positive potential toward achievement of objectives is sometimes called an opportunity. Both types are uncertain.
Risk appetite
The level of risk an organization is willing to accept (Standards Glossary).
Risk assessment (also known as risk analysis)
The identification and measurement of risk and the process of prioritizing risk.
Risk classification
The assignment of risk into categories, such as financial risk, operational risk, strategic risk, or reputation risk.
Risk identification
The method of recognizing possible threats and opportunities that have the potential to impact the achievement of objectives.
Risk management
A process to identify, assess, manage, and control potential events or situations, to provide reasonable assurance regarding the achievement of the organization’s objectives (Standards Glossary).
Risk measurement
The evaluation of the potential magnitude of risk.
Risk prioritization
Ranking risks, formally or informally, from the highest to the lowest.
Risk response
The actions taken to manage risk.
Risk tolerance
The acceptable levels of risk variation relative to the achievement of objectives.
Uncertainty
A condition where the outcome can only be estimated.
Risk Assessment Process
Risk assessment is a process, as Exhibit V-15 illustrates.
Exhibit V-15: Risk Assessment Process
Source: “Enterprise Risk Management: What’s New? What’s Next” seminar, The Institute of Internal Auditors.
Let’s use the simple example of taking an examination to demonstrate how the risk assessment process works.
• Possible objectives. Possible objectives could be to pass the test or to get the highest test score.
• Risk events. Examples include overanalyzing answers, running out of time during the exam, not being prepared for the exam, or not understanding parts of the core content.
• Inherent risk. Based on the collective impact and inherent likelihood of the events, the risk of not passing the exam is high.
• Responses. Examples include budgeting your time, keeping a steady pace during the exam, being careful that you do not read too much into an answer, completing a self-study review, or joining a study group.
• Residual risk. After the responses are factored in, the residual risk should be lower than the inherent risk. The more effective the responses, the lower the level of residual risk. Effective responses can provide reasonable assurance that you will pass the test but cannot provide the same level of assurance that you will get the highest score.
Conceptually, the risk assessment process is simple. The challenge is putting it into appropriate practice. It should be a top-down process and start at a high level.
Assessing Risk Impact and Likelihood
Management measures events in terms of likelihood and impact. Exhibit V-14 described likelihood in terms of the probability that a given event will occur and impact as its result or effect. Examples of some common likelihood and impact factors are shown in Exhibit V-16.
Exhibit V-16: Common Likelihood and Impact Factors
Likelihood Factors
• Probability estimates based on history or cycles
• Complexity of activities
• Change or stability (e.g., employee turnover or new laws)
• Control environment (e.g., integrity and ethics)
• Control process effectiveness
Impact Factors
• Materiality (e.g., dollar loss)
• Potential reputation or brand damage
• Importance of the related objective to the organization’s mission
• Velocity of occurrence, duration, and/or pervasiveness of the event
• Recovery costs
Organizations rate the likelihood and impact of risk events. Qualitative terms—such as high, medium, and low—or quantitative measures—such as numerical scales of 1 to 5, percentages, frequency of occurrence, or other metrics—may be used. Some organizations may even combine words and numbers in a risk rating (1 = low, 5 = high). Many organizations portray the factors in a graphical representation such as the four-quadrant matrix shown in Exhibit V-17. Variations of this matrix are possible.
Exhibit V-17: Risk Map for Likelihood and Impact
Estimating likelihood and impact can be difficult and challenging. These estimates or ratings rely heavily on professional judgment and a consistent application of rating factors. Here is an example based on our test-taking activity:
• High impact/high likelihood event. “Not understanding parts of the core content” would probably have the highest potential impact. The likelihood of this event could be low, moderate, or high, depending on the individual’s experience and background.
• Low impact/high likelihood event. “Overanalyzing answers” on several individual questions is very likely but may not have much overall impact.
• High impact/low likelihood event. “Overanalyzing answers” on a large number of questions is probably less likely but could also result in running out of time and have a high impact on passing the test.
• Low impact/low likelihood event. Completing a self-study review could reduce the “not being prepared for the exam” risk to this level.
If risks are instead grouped into low, medium, and high impact and low, medium, and high likelihood, a three-by-three matrix (nine possible boxes) is created instead. Some organizations use terminology other than likelihood and impact (e.g., probability, severity, seriousness, or consequence). The specific terminology is not as important as developing an effective risk assessment process that meets the organization’s needs.
When addressing risks, many organizations start by correcting those risks with a lower impact to the organization and a lower probability because these are easier to fix—and fixing a greater number of open issues in a short amount of time looks better on paper. However, auditors should recommend that organizations start by addressing those risks that have the highest likelihood of occurring and the highest impact. By focusing on the low-impact risks first, the company remains vulnerable to the high-impact risks that can cause irreparable damage. While high-impact/high-likelihood risks should be a high priority within an organization, low-impact/high-likelihood risks and high-impact/low-likelihood risks also may require immediate attention. Therefore, each risk should be carefully evaluated before determining which needs to be addressed first.
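As an added illustration (not part of the IIA text), the following Python scores the test-taking register above on a 1 to 5 scale, reports inherent and residual ratings, places each event on the two-band (four-quadrant) or three-band (nine-box) map, and ranks the register both the recommended way and the “easy fixes first” way the text warns against. All ratings and the reduction each response is credited with are constructed for illustration and are not figures from the text.

```python
"""Score a likelihood/impact risk register and prioritize it (illustrative, constructed data)."""
from dataclasses import dataclass, field

SCALE_MIN, SCALE_MAX = 1, 5  # combined word/number rating: 1 = low, 5 = high

# Band tables: (inclusive upper bound on the 1-5 scale, label).
TWO_BANDS = [(2, "low"), (5, "high")]                   # four-quadrant map
THREE_BANDS = [(2, "low"), (3, "medium"), (5, "high")]  # three-by-three map (nine boxes)


def clamp(value: int) -> int:
    """Keep a rating on the 1-5 scale after responses are subtracted."""
    return max(SCALE_MIN, min(SCALE_MAX, value))


@dataclass
class Response:
    """A risk response and the rating points it is judged to remove (hypothetical figures)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    event: str
    likelihood: int  # inherent likelihood rating, 1-5
    impact: int      # inherent impact rating, 1-5
    responses: list[Response] = field(default_factory=list)

    def inherent(self) -> tuple[int, int]:
        return self.likelihood, self.impact

    def residual(self) -> tuple[int, int]:
        """Rating that remains after every response is factored in."""
        like = self.likelihood - sum(r.likelihood_reduction for r in self.responses)
        imp = self.impact - sum(r.impact_reduction for r in self.responses)
        return clamp(like), clamp(imp)

    def score(self, residual: bool = True) -> int:
        like, imp = self.residual() if residual else self.inherent()
        return like * imp


def band(value: int, bands=TWO_BANDS) -> str:
    """Map a 1-5 rating to the first band whose upper bound it does not exceed."""
    for upper, label in bands:
        if value <= upper:
            return label
    raise ValueError(f"rating {value} is outside the {SCALE_MIN}-{SCALE_MAX} scale")


def quadrant(risk: Risk, bands=TWO_BANDS, residual: bool = True) -> str:
    """Place a risk on the map, e.g. 'high impact/low likelihood'."""
    like, imp = risk.residual() if residual else risk.inherent()
    return f"{band(imp, bands)} impact/{band(like, bands)} likelihood"


def prioritize(register: list[Risk], residual: bool = True) -> list[Risk]:
    """Highest likelihood x impact first; ties go to the higher impact, because a rare
    event that causes irreparable damage outranks a frequent nuisance."""
    def key(r: Risk):
        like, imp = r.residual() if residual else r.inherent()
        return (like * imp, imp)
    return sorted(register, key=key, reverse=True)


def easy_fixes_first(register: list[Risk]) -> list[Risk]:
    """The ordering the text warns against: lowest-scoring (easiest) risks first."""
    return sorted(register, key=lambda r: r.score())


def unaddressed_high_impact(register: list[Risk], bands=TWO_BANDS) -> list[str]:
    """Events whose inherent impact sits in the top band and that have no response at all."""
    top = bands[-1][1]
    return [r.event for r in register if band(r.impact, bands) == top and not r.responses]


# Constructed register for the text's exam example; every rating is illustrative.
EXAM_REGISTER = [
    Risk("Not understanding parts of the core content", likelihood=3, impact=5),
    Risk("Overanalyzing answers on several questions", likelihood=5, impact=2),
    Risk("Overanalyzing answers on many questions and running out of time", likelihood=2, impact=5,
         responses=[Response("Budget time and keep a steady pace", likelihood_reduction=1)]),
    Risk("Not being prepared for the exam", likelihood=4, impact=4,
         responses=[Response("Complete a self-study review", likelihood_reduction=3, impact_reduction=2)]),
]

if __name__ == "__main__":
    print("inherent -> residual  quadrant (residual)          event")
    for r in prioritize(EXAM_REGISTER):
        print(f"{r.score(residual=False):>8} -> {r.score():>8}  {quadrant(r):<28} {r.event}")
    print("high-impact events with no response:", unaddressed_high_impact(EXAM_REGISTER))
```

Switching `prioritize` to `residual=False` ranks by inherent rating, which is the view to use when deciding where responses are still missing rather than what is left after them.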
Establishing a Framework for Assessing Risk
Internal auditors cannot evaluate every possible risk facing an organization. The multiple sources of potential engagements coupled with the related scope of work require the efficient use of limited internal audit resources. A risk assessment framework provides a systematic way for the CAE and the internal audit function to assess internal and external risk factors and develop an annual audit plan. The risk assessment framework is a tool used to comply with Performance Standard 2010, “Planning,” which tells us: “The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.” The Standard’s Interpretation helps us understand how to develop the framework:
The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consideration of input from senior management and the board. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.
To some extent, frameworks for assessing and developing risk-based plans will vary from enterprise to enterprise. An organization’s size, formality, management team dynamics, industry, regulatory requirements, and other demographics are just some of the potential influencing factors. But, in general, most risk-based frameworks for internal audit planning encompass the steps listed in Exhibit V-18.
Exhibit V-18: Risk-Based Assessment Framework for Internal Auditing
Step 1: Determine the audit universe.
• Identifies all organizational sources of potential engagements and all potential auditable units (or auditable activities); not limited to functional areas but also considers specific activities within a functional area that pose potential risks. Auditable units may vary depending on the industry or nature of the organization; for example, locations, processes, products, or divisions may be considered.
Example: A listing of all units and processes in the organization (which may well be hundreds of items).
Step 2: Examine organizational risk factors.
• Develops and applies standardized risk assessment methodology to allow for qualitative and quantitative measurement(s) of risk within and across all auditable units.
• Assesses internal and external organizational risks from the perspective of their impact on organizational goals and objectives more than on the extent of change within specific functions.
• Considers potential engagement sources.
• Involves discussing the audit universe with organizational senior managers to identify levels of risk, planned new activities, and/or process changes.
• Incorporates ERM results—if the organization has an ERM process.
• Considers other internal and external assurance activities.
Example: Consideration of size of revenue or assets, visibility of areas, liquidity or cash flow, results of other reviews, and reported problems.
Step 3: Prioritize audits.
• Evaluates proposed engagements.
• Establishes criteria and ranks the risks based on their significance to organizational success and the organization’s risk appetite (tolerance for risk).
• Considers if the internal audit staff is sufficient to cover all the primary risks and whether some can be delayed and/or handled by other assurance providers.
• Leads to the annual audit plan.
Example: Identification of the most important areas to audit during the upcoming year based on high-level risk evaluations, planned process changes, and requests from management coupled with the internal audit resources available.
Standard 2010.A1, “Planning,” further states: “The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.” Internal audit activities can leverage their organization’s ERM framework—if one exists—and apply it to the selection of audit engagements, engagement criteria, and audit tools. In the next topic, we will look at a few well-accepted risk management frameworks.
Topic F: Globally Accepted Risk Management Frameworks (Level B)
Risk management is a core competency for most internal audit departments. Internal auditors contribute to risk management through numerous assurance and consulting activities. As noted earlier, risk is sometimes managed from an enterprise-wide perspective. There are a variety of approaches to enterprise risk management, and organizations may choose to implement ERM in different ways. Best practice has shown that using a framework can improve the efficiency and effectiveness of enterprise risk management. By formally organizing risk management responsibilities and activities in a framework, an organization is much better positioned to achieve its strategic objectives. Use of a framework helps to ensure that risk management activities are truly focused on ERM (rather than on risk management at the functional level) and that risk is being proactively managed (not just reduced).
There are numerous ERM models. They generally vary in their focus and complexity. Some are highly specialized frameworks applicable to specific situations (e.g., IT security, insurance). Here we will look at three major frameworks that are widely used by risk management practitioners around the world. These are included not because they are the only frameworks in use or necessarily the best but because they represent distinct types of frameworks that try to accomplish the same things.
COSO’s ERM Framework
COSO (The Committee of Sponsoring Organizations of the Treadway Commission) published an ERM framework in 2004 and updated it in 2017. As of 2017, the title of the framework is Enterprise Risk Management—Integrating with Strategy and Performance. This framework is intended to help organizations design and implement effective enterprise-wide approaches to risk management. It introduces key ERM concepts and a common ERM language and provides principles-based guidance. It has gained broad acceptance by many organizations in their efforts to manage risk.
The 2017 update addresses the evolution of ERM as integral to developing a sound strategy and promoting achievement of that strategy through effective organizational performance and value creation. It addresses the need for organizations to improve their approach to managing risk to meet the growing demands in business. The COSO ERM framework is applicable to all industries and all types of risk. Starting at the top and supporting an organization’s mission, vision, and core values is what differentiates COSO from most other risk models. The model describes the connection between strategy, business objectives, and performance (what the organization strives to achieve) and the ERM components (what is needed to achieve the objectives).
Components of COSO’s ERM Framework
COSO’s ERM framework consists of five interrelated components, shown in Exhibit V-19.
Exhibit V-19: Components of COSO’s ERM Framework (each component is followed by its description)
Governance and culture
Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.
Strategy and objective setting
Enterprise risk management, strategy, and objective setting work together in the strategic planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.
Performance
Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.
Review and revision
By reviewing entity performance, an organization can consider how well the enterprise risk management components are functioning over time and in light of substantial changes and what revisions are needed.
Information, communication, and reporting
Enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.
Source: Enterprise Risk Management—Integrating with Strategy and Performance, © 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.
The three components of strategy and objective setting, performance, and review and revision represent common processes that flow through an organization. The other two components—governance and culture and information, communication, and reporting— represent supporting aspects of ERM.
Principles of COSO’s ERM Framework
These five components are supported by a set of 20 principles—the things the organization would do as part of the enterprise risk management process. The principles provide senior management and the board with a reasonable expectation that the organization understands and strives to manage the risks associated with its strategy and business objectives. The principles are listed in Exhibit V-20.
Exhibit V-20: Principles of COSO’s ERM Framework
Governance and culture
1. Exercises board risk oversight—The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives.
2. Establishes operating structures—The organization establishes operating structures in the pursuit of strategy and business objectives.
3. Defines desired culture—The organization defines the desired behaviors that characterize the entity’s desired culture.
4. Demonstrates commitment to core values—The organization demonstrates a commitment to the entity’s core values.
5. Attracts, develops, and retains capable individuals—The organization is committed to building human capital in alignment with the strategy and business objectives.
Strategy and objective setting
6. Analyzes business context—The organization considers potential effects of business context on risk profile.
7. Defines risk appetite—The organization defines risk appetite in the context of creating, preserving, and realizing value.
8. Evaluates alternative strategies—The organization evaluates alternative strategies and potential impact on risk profile.
9. Formulates business objectives—The organization considers risk while establishing the business objectives at various levels that align and support strategy.
Performance
10. Identifies risk—The organization identifies risk that impacts the performance of strategy and business objectives.
11. Assesses severity of risk—The organization assesses the severity of risk.
12. Prioritizes risks—The organization prioritizes risks as a basis for selecting responses to risks.
13. Implements risk responses—The organization identifies and selects risk responses.
14. Develops portfolio view—The organization develops and evaluates a portfolio view of risk.
Review and revision
15. Assesses substantial change—The organization identifies and assesses changes that may substantially affect strategy and business objectives.
16. Reviews risk and performance—The organization reviews entity performance and considers risk.
17. Pursues improvement in enterprise risk management—The organization pursues improvement of enterprise risk management.
Information, communication, and reporting
18. Leverages information and technology—The organization leverages the entity’s information and technology systems to support enterprise risk management.
19. Communicates risk information—The organization uses communication channels to support enterprise risk management.
20. Reports on risk, culture, and performance—The organization reports on risk, culture, and performance at multiple levels and across the entity.
Source: Enterprise Risk Management—Integrating with Strategy and Performance, © 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.
The components and principles of the framework do not represent isolated, stand-alone concepts. COSO states that enterprise risk management is not static. It is integrated into the development of strategy, the formulation of business objectives, and the implementation of those objectives through day-to-day decision making.
Roles and Responsibilities
Traditionally, risk management responsibilities were assigned to individual business units and/or parts of business units. In theory, risk management was considered an organizational initiative; in practice, risk management activities rarely extended across the whole organization. As we have learned, effective risk management requires everyone in the organization—at all levels—to participate in the process. Producing information used to identify risks, taking necessary actions to support risk management, and facilitating information and communication flows are implicit and explicit in everyone’s job descriptions. However, COSO notes that the board, management, risk officers, financial executives, internal auditors, and certain external parties have special roles and responsibilities.
The Board
The board, or its equivalent, serves several functions. The board is responsible for providing risk oversight of the ERM culture, capabilities, and practices. Often the board delegates the monitoring and assurance responsibilities to management, reserving authority for key decisions. COSO describes the board’s oversight of enterprise risk management as:
• Knowing the extent to which management has established effective enterprise risk management in the organization.
• Being aware of and concurring with the entity’s risk appetite.
• Reviewing the entity’s portfolio view of risk and considering it against the entity’s risk appetite.
• Being apprised of the most significant risks and whether management is responding appropriately.
The board is part of the governance and culture component in the COSO model. Through its actions, the board sets precedents for integrity and ethical values. The board may employ resources to conduct special investigations and use board committees to carry out certain duties. A compensation committee, for example, would assume the responsibilities for various aspects of the rewards system, or the audit committee would oversee the reliability of external reporting. Ultimately, the board’s makeup, commitment, focus, and activities largely influence whether risks are managed at an acceptable level.
Management
Management assumes the primary responsibility for identifying, assessing, and managing risk and for implementing ERM with a structured, consistent, and coordinated approach. The specific responsibilities of managers at the different levels vary from organization to organization. If several layers of management exist, subunit managers or lower-level supervisory personnel may be directly involved in executing policies and procedures at a detailed level.
The management hierarchy could be structured using what is called the “three lines of defense,” which have a prerequisite of risk management oversight and strategy setting provided by the board and senior management. (Neither the board nor senior management is part of the three lines of defense per se.) The three lines of defense are:
• First line—operational management. Operational managers who are responsible for identifying and managing performance and risks inherent to the strategy and achievement of business objectives and for the selection and management of management controls and internal control measures. These are the operational functions that own and manage risks.
• Second line—risk management and compliance functions. Functional areas or individuals who are responsible for providing guidance on performance and ERM requirements and for evaluating adherence to defined regulations and standards. This includes financial controller positions for financial risks. These functions exist to ensure that the first line of defense is in place and operating correctly; therefore, they need a measure of independence from the first line. However, because they are managers or they work under the direction of management, they cannot have true independence. Second line management has an active role in evaluating and implementing ERM and internal control frameworks, identifying emerging risks, reporting, helping guide changes in risk appetite, and modifying and continuously improving risk management and internal control systems.
• Third line—internal audit (or other assurance functions). Works in accordance with the Standards and maintains the highest level of independence and objectivity within the organization. This line of defense provides accountability by performing assurance related to governance, ERM, and internal controls, including frameworks and practices, identifying issues and improvement opportunities, making recommendations, and keeping the board and executive management up-to-date on matters requiring resolution.
See the IIA Position Paper “The Three Lines of Defense in Effective Risk Management and Control” (January 2013) for more information. Management and the board work together during the strategy-setting process to determine an organization’s risk appetite.
COSO defines risk appetite as “the amount of risk, on a broad level, an entity is willing to accept in pursuit of value.” Risk appetite is partially determined by an organization’s operating environment. For example, pharmaceutical
companies work in an operating environment that requires protecting the brand value and minimizing risks by investing in early research and testing. However, even such an organization can choose to follow a strategy that exposes it to more or less risk, such as a decision to enter a new market or to remain in more stable, mature markets. Internal auditors play a role in providing assurance that the organization's risk tolerances (the acceptable variation from its objectives) and its capacity to absorb that variation are sufficient for the resource allocations and strategic choices it has made in pursuit of its risk appetite. A fairly universal truth is that the chief executive officer has ultimate ownership of the enterprise risk management process, setting the "tone at the top" and ensuring a positive internal environment. COSO outlines the CEO's responsibilities as:
• Providing leadership and direction to senior management.
• Evaluating and choosing a strategy and setting business objectives, considering the risk appetite of the organization.
• Maintaining oversight of the risks facing the organization.
• Guiding the development and performance of the ERM processes across the organization and delegating to management.
• Communicating expectations and information requirements.
Senior managers convert the risk management strategies into operations. Managers in specific processes, functions, or departments provide the tactical, hands-on role in devising and executing specific risk management procedures. They also report on status and recommend improvements to upper-level managers. Management authority and accountability are imperative in enterprise risk management. Each manager should be accountable to the next higher level, with the CEO being accountable to the board.
Risk Officer In some organizations, a risk officer (also referred to as a chief risk officer or risk manager) provides central coordination for enterprise risk management across the organization. Empowered by the CEO, a risk officer has the resources to work with other managers in establishing effective risk management practices, monitoring progress, and assisting those managers in reporting. COSO lists a risk officer’s specific ERM responsibilities as: • Assisting the board and management in fulfilling their risk oversight responsibilities. • Establishing relevant policies and ongoing practices. • Building and maintaining relationships with those managing organizational risks. • Framing related authority and accountability in business units. • Reviewing the operation of ERM in each business unit. • Communicating with management the status of enterprise risk management, including severe and emerging risks. • Promoting integration of ERM practices into business planning and reporting to business unit leaders. • Evolving organizational capabilities in line with the suitability and maturity of ERM. • Reporting status to executive management, including recommended actions. Some organizations appoint an individual to serve exclusively in the capacity of risk manager. Others assign the related enterprise risk management responsibilities to the chief financial officer, general counsel, or another senior officer. A risk officer may also coordinate
with the internal audit activity. Financial Executives Finance and controller activities cut across all operating and business units. Budgeting and financial planning as well as tracking and analyzing performance and reporting are all in the domain of the chief financial officer, the chief accounting officer, the controller, or others in the financial function. These individuals and their respective activities are central to how management executes risk management. External Parties Several external parties contribute to an entity’s ERM activities: • External auditors. External auditors provide an independent and objective view that can contribute to an organization’s achievement of external financial reporting objectives as well as other entity objectives. While most financial statement audits do not have a significant focus on enterprise risk management, COSO points out that the information provided can be helpful to management in carrying out its risk management responsibilities. Audit findings, analytical information, and recommended actions are pertinent to the achievement of established objectives. If an external audit uncovers any deficiencies in risk management and control, the auditor may report those findings along with recommendations for improvement. Should the external audit be required by law or regulation to assess an entity’s internal control over financial reporting (e.g., the Sarbanes-Oxley Act), the audit scope in those areas will be more rigorous. • Legislators and regulators. Many laws and regulations affect the enterprise risk management of particular entities. Legislators and regulators establish rules that require an entity’s risk management and control systems to meet minimum statutory and regulatory requirements. When regulatory agencies examine an entity (such as federal and state bank examiners examining a bank’s operations), the organization typically receives useful information in applying enterprise
risk management and recommendations and/or directives regarding needed improvements. • Business associates. Other parties who conduct business with an entity (customers, vendors, creditors, and the like) can be useful information channels for risk management activities. Items such as demand for new products and services, quality control issues, ethical concerns, and shipping or billing discrepancies can be valuable inputs toward the achievement of strategic, operations, reporting, or compliance objectives. • Out-sourcing providers. Many organizations choose to out-source day-to-day activities (such as payroll, finance, or information technology) in order to concentrate activities and resources on core business competencies. Out-sourcing generally allows an organization to capitalize on the expertise of other firms that may be more efficient, effective, or knowledgeable at specialized tasks that are peripheral to those core businesses. COSO makes the point that management cannot delegate the associated risk management responsibilities or activities to these external providers; the organization retains accountability for the risks of the outsourced activity. Programs must be devised and implemented to monitor those activities. • Financial analysts, bond rating agencies, and news media. Financial analysts and bond rating agencies evaluate a variety of factors to formulate an opinion about the soundness of an organization and its worthiness as an investment. The financial media often undertake similar analyses. The observations and insights these groups garner may be helpful to management in improving risk management activities. More information on COSO's Enterprise Risk Management—Integrating with Strategy and Performance can be found on the COSO website, at www.coso.org.
ISO 31000 Framework ISO 31000:2018, “Risk management—Guidelines,” is an international
standard for risk management that is simple and concise. ISO 31000 is a framework for the systematic development of enterprise risk management that can be used successfully by any size or type of organization because the organization can adapt the framework to the proper scope and environmental context. As the organization’s risk management activities become more mature, the framework can likewise be augmented. ISO has also published two complementary resources, ISO Guide 73:2009, “Risk management—Vocabulary,” which helps organizations discuss risks using a common set of risk management terms, and ISO 31010:2009, “Risk management—Risk assessment techniques,” which focuses on risk assessment concepts, processes, and the selection of risk assessment techniques. ISO 31000 is gaining popularity, in part because it is an international standard and also because many organizations find it to be more intuitive and easier to explain to management and the board. This is especially true for non–U.S. organizations and those organizations just adopting a risk management framework. For example, in 2009 ISO 31000 was adopted as a joint Australian/New Zealand standard (AS/NZS ISO 31000), replacing AS/NZS 4360, in an effort to support use of an international standard. The purpose of ISO 31000 is to help organizations manage uncertainty. An organization that can manage uncertainty and adapt quickly to change will not only be better able to achieve its objectives but will be more attractive to investors. ISO 31000 also helps organizations benchmark their own risk management practices against those of other organizations adopting ISO 31000. It provides a guide for managing risk based on key principles, a framework, and a process.
ISO 31000 Principles ISO 31000 is a principles-based standard intended to generate transparency and credibility within the risk management function. The principles describe characteristics of effective and efficient risk
management and should be used as a foundation for establishing an organization’s ERM processes. These principles state that risk management: • Is an integral part of all activities in an organization. • Should follow a structured and comprehensive approach to provide consistent results. • Is customized to the organization’s operating environment, culture, and objectives. • Is transparent, auditable, and inclusive of all stakeholders, providing improved communications and awareness. • Addresses uncertainty in a structured, orderly, unambiguous, and timely fashion. • Makes use of the best information available. • Is influenced by organizational culture and staff behavior. • Uses an iterative cycle to generate continual improvement, organizational learning, and the ability to quickly respond to changing environments.
ISO 31000 Framework Components The ISO 31000 framework components assist in integrating risk management into all organizational activities and functions. These components, which should work together and be customized as needed to achieve the organization’s own objectives, include: • Leadership and commitment. Oversight by top management ensures that a risk management approach is integrated into all activities, promoting the value to the organization and stakeholders. • Integration. Risk management should be a key aspect of governance.
It should be aligned to the organizational purpose, strategy, objectives, and operations.
• Design. The framework should be designed to fit the context of the organization and demonstrate the commitment to risk management.
• Implementation. Success requires stakeholder engagement and awareness. The framework ensures that a risk management process is included in all activities.
• Evaluation. To evaluate the effectiveness of the framework, the organization should periodically measure framework performance against its purpose, implementation plans, indicators, and expected behavior.
• Improvement. Organizations should continually monitor and adapt the framework to address identified gaps and incorporate enhancements.
ISO 31000 Cycles At a high level, the ISO 31000 framework is a cyclical process that begins with top executives expressing a strong commitment to risk management and mandating its adoption based upon the principles described above. The framework is then designed and customized. Once implemented, it is monitored and reviewed to enable continual improvement and further customization. The implementation phase has its own cycle, as shown in Exhibit V-21. Exhibit V-21: ISO 31000 Implementation Phase Process Framework
For more information on ISO 31000:2018, visit the ISO website at www.iso.org/iso-31000-risk-management.html.
How the ISO 31000 and COSO ERM Frameworks Compare The objectives of the ISO 31000 and COSO ERM frameworks are very similar. Both approaches: • Attempt to help organizations achieve their business objectives through the effective management of internal and external risks. • Recognize the importance of embedding a risk management mentality in the culture of the organization. • Recognize the importance of the “tone at the top” in risk management. • Are deliberately broad in focus yet allow for more detail-level integration throughout an organization. • Recognize that risk management is a complex iterative process requiring multidisciplinary skills to implement and manage properly. While the risk management processes are parallel in nature, there are some subtle differences. One difference is in terminology. ISO
31000:2018 uses "risk treatment," where COSO employs "risk response." Another difference is that the components of COSO ERM and ISO 31000 do not align precisely, as is shown in Exhibit V-22. (Note that some components are repeated to show where they apply to more than one component of the other process.)
Exhibit V-22: Differences Between COSO ERM and ISO 31000 Components
COSO ERM component: Governance and culture
ISO 31000 component: Leadership and commitment (Process: communication and consultation)
COSO ERM component: Strategy and objective setting
ISO 31000 components: Integration; Design (Process: scope, context, criteria)
COSO ERM component: Performance
• Identifies risk (Process: risk identification)
• Assesses severity of risk (Process: risk assessment)
• Prioritizes risks (Process: risk analysis)
• Implements risk responses (Process: risk treatment)
• Develops portfolio view
ISO 31000 component: Implementation
COSO ERM component: Review and revision
ISO 31000 components: Evaluation; Improvement (Process: monitoring and review)
COSO ERM component: Information, communication, and reporting
ISO 31000 components: (Process: communication and consultation); (Process: recording and reporting)
The Turnbull Guidance The term “Turnbull Guidance” is a colloquial reference to a report now titled “Guidance on Risk Management, Internal Control and Related Financial and Business Reporting.” Nigel Turnbull was the chairman of
the working party that developed the risk management guidance in 1999 for the U.K. It was updated in 2005 and again in 2014. The Turnbull guidance discusses the adoption of a risk-based approach to internal control and the assessment of its effectiveness. It is linked to disclosure requirements of the London Stock Exchange. Turnbull calls for all companies listed on the London Stock Exchange to have implemented a risk management plan for their businesses. While specific implementation details are left to the discretion of a company, the guidance requires that a plan be put in place and actively managed. Similar to requirements imposed by the Sarbanes-Oxley Act of 2002, related U.S. Securities and Exchange Commission (SEC) rules, and American stock exchange rules, noncompliance with Turnbull results in a disclosure in the annual report. In fact, the SEC has identified the Turnbull guidance as a suitable framework for complying with U.S. requirements to report on internal control over financial reporting (ICFR) as set out in Section 404 of Sarbanes-Oxley and related SEC rules. The Turnbull guidance is a broad set of principles to manage risk effectively and embed internal control in business processes that make sound business sense for any entity. Organizations may selectively choose principles appropriate to their circumstances. Listed below are some of the key tenets of the Turnbull guidance:
• Focus on significant risks. If too many risks are identified, it becomes difficult to identify and manage the significant ones. Turnbull recommends that risk identification focus on those risks that have been identified by senior management as being potentially damaging to the achievement of the organization's objectives.
• Emphasis on risk management. Turnbull positions risk management as essential in reducing the probability that organizational objectives will be jeopardized by unforeseen events. It promotes proactively managing risk exposures.
• Ongoing, continuous monitoring of risk and control. An organization's risk management and internal control strategies and policies must be continuously monitored and fine-tuned in response to changing exposures. A feedback process should be in place to learn from mistakes and to harness potential improvements and risk reductions.
• Engaging all employees. Turnbull maintains that all employees have some responsibility for internal control and accountability for achieving organizational objectives. Employees must have the necessary knowledge, skills, information, and authority to establish, operate, and monitor the system of internal control within their sphere of responsibility. They must understand organizational objectives and the industries and markets in which the entity operates as well as the risks it faces.
• Streamlining risk management databases. Control should be embedded in the organizational processes. Rather than developing separate risk reporting systems, Turnbull recommends building early warning mechanisms into existing management information systems.
The Turnbull guidance has many similarities with the risk management approaches presented above, and many of the benefits will also be the same. Some of the key benefits include the improved ability to:
• Provide objective assurance to the board and management as to the adequacy and effectiveness of organizational risk management and internal control processes.
• Provide advice on effective risk management, especially on issues surrounding the design, implementation, and operation of internal control systems.
• Identify opportunities to save on control costs and avoid operational and similar losses.
• Reduce the possibility of unwelcome events occurring.
For additional information, visit www.frc.org.uk/.
Topic G: The Effectiveness of Risk Management (Level P) The Practice Guide “Assessing the Adequacy of Risk Management Using ISO 31000” cites the following characteristics of an effective risk management process: • The risk management process is applied appropriately, and each element in the process is suitable and sufficient. • The process is aligned with the strategic needs and objectives of the organization. • All significant risks are identified and treated. • Controls are designed in keeping with objectives. • Critical controls are adequate and effective. • Line management reviews controls to maintain and continuously improve their effectiveness. • The process’s value improves with time, as the organization becomes more effective in applying it. Using best practice techniques from the ERM frameworks just introduced allows internal auditors to look for these characteristics in assessing the effectiveness of the risk management process. This topic provides additional details around risk management processes and functions, including how organizational structure, risk identification and assessment, risk responses, and monitoring should be used to identify deficiencies and evaluate effectiveness.
Risk and Control Implications of Structure Organizational structure generally refers to the way in which the
functional groups of an entity are designed and organized. For many years, the traditional structure in large organizations was a hierarchy where, as the name implies, authority and duties were clearly separated by hierarchical rank. In today’s workplace, however, there are numerous departures from the traditional hierarchy structure. Inverted pyramids, horizontal (flattened) structures, matrix structures, networked (team) structures, and virtual organizations are increasingly commonplace. There are even designs that simulate shamrocks, starbursts, and pizza shapes in an attempt to show that everyone is equal and collaborative interactions are paramount. A critical consideration in organizational design is how to best facilitate effective communication and coordination to achieve business goals and objectives. Regardless of what an organizational structure looks like on paper, an effective design will: • Reflect the entity’s size and nature of activities. • Establish formal lines of authority. • Define key areas of responsibility. • Establish lines of reporting. • Establish relationships among individuals, groups, and departments. • Coordinate diverse organizational tasks. • Assign responsibilities to specific jobs and departments. • Allocate and deploy organizational resources. Overall, an organization’s structure provides the framework to plan, execute, control, and monitor activities. COSO’s Enterprise Risk Management—Integrating with Strategy and Performance explains how an entity’s structure will specifically impact the following areas. (Note that in some cases the ISO 31000 equivalent terminology is provided in parentheses.)
Development of Goals and Objectives Organizations first set strategic objectives aligned to organizational goals. More specific objectives (sub-objectives) applicable to departments, functions, and individuals can then be developed. No matter what the organizational structure, the critical aspect in developing these cascading objectives is that they are aligned and integrated with and support the strategic perspectives. Further, all objectives should be clearly communicated and measurable. Everyone in the organization must understand the objectives related to their sphere of influence—what needs to be accomplished and how performance will be measured.
Risk Identification As COSO points out, events can have a positive or negative impact—or both—on the implementation of organizational strategy and the achievement of objectives. Management must understand how one event can lead to or relate to others across the organization so that risk management efforts are appropriately coordinated.
Risk Response (or Risk Treatment) Organizational structure is an important consideration when an organization evaluates how to best manage risk. Risk response or treatment should be an iterative process that considers not just the enterprise level but departments and functions as well. For example, the risk tolerance for specific departments may be individually appropriate but may collectively exceed the risk appetite of the organization as a whole. Or some functions may incur higher risks than others, but the collective risk responses end up balancing the organizational risk appetite. Control activities are generally established to ensure that risk responses are appropriately carried out in support of related objectives. Specific risk response techniques are covered later in this topic.
Review and Revision (Monitoring and Review, Improvement)
Risk management is hardly static. Over time, changes in organizational personnel, processes, business objectives, the competitive environment, and other areas can make current risk responses irrelevant. Control activities may also lose effectiveness. Reviewing performance confirms whether previously identified risks are still relevant and whether new or emerging risks have appeared. Management must have reasonable assurance that risk management remains effective. The specifics of how this is accomplished will depend on the organization. Typically this involves two monitoring actions:
• Ongoing monitoring—built into normal, recurring activities and performed on a real-time basis.
• Separate evaluations—conducted after the fact and intended to take a "fresh look" at risk management effectiveness.
More detail about both monitoring actions is found in the discussion of risk monitoring later in this topic.
Information, Communication, and Reporting (Communication and Consultation) Every organization captures a wide array of information related to internal and external events and activities. In turn, personnel throughout the organization must receive the respective information they need to efficiently carry out their responsibilities. An information infrastructure must capture data in a timely manner and at a level of detail appropriate to the organization’s need to identify events and respond to risks. The design of the system architecture and the acquisition of technology are critical. Data integrity and reliability cannot be compromised. Consideration must be given as to how to accommodate challenges such as: • Conflicting functional needs. • System constraints.
• Nonintegrated processes. To gain a better understanding of information technology and related risks and controls, review the Practice Guide “Information Technology Risks and Controls,” second edition (previously GTAG 1). To complement the information infrastructure, internal and external communications should support the organization’s risk management philosophy and approach. For example, all internal personnel should understand the importance of risk management, the organization’s objectives, and the roles and responsibilities to support initiatives. Personnel need to understand how their individual activities relate to the work of others. This implies that there must be open channels of communication across an organization as well as a cooperative spirit and a willingness to listen. Communication with external parties (customers, suppliers, stakeholders, regulators, and others) also needs to be pertinent and timely. For example, meaningful related risk appetite and risk tolerance communication with suppliers can serve to prevent an organization from inadvertently accepting excessive risk from a supplier who has different values.
Risk Identification and Assessment Next we will look at two areas of enterprise risk management—risk (event) identification and assessment techniques—in more detail. The content draws largely on the COSO ERM framework, but the ISO 31000 framework has very similar themes and concepts, and terminology differences are identified as appropriate. The COSO ERM and ISO 31000 principles are intended to be readily usable by a wide variety of organizations, stakeholders, and other interested parties desiring to implement a full risk management process.
Risk Identification
COSO includes "identifies risk" as a principle under performance. (ISO 31000 has a risk identification subcomponent as part of its risk assessment component.) COSO describes risk identification as encompassing the following key management actions:
• Identify potential factors that could affect the organization's ability to achieve its strategy and business objectives.
• Determine if potential events represent opportunities or might have an adverse impact.
Many external and internal factors must be considered when identifying risks. Exhibit V-23 lists several examples.
Exhibit V-23: External and Internal Factors That Drive Risks
External factors
• Economic. Examples: price movements, capital availability, inflation, lower barriers to competitive entry. Potential implications: higher or lower cost of capital and new competitors.
• Environmental. Examples: natural or human-caused catastrophes (e.g., fire, flood, earthquakes, tornadoes, terrorism). Potential implications: property damage, restricted access to raw materials, loss of human capital.
• Political. Examples: turnover in government officials, new political agendas and labor laws, trade restrictions, tariffs, political instability. Potential implications: either newly opened or restricted access to foreign markets, higher or lower taxes.
• Social. Examples: changing demographics, social mores, work/life priorities, customer expectations or needs. Potential implications: changing demand for products and services, new buying venues and human resource issues, production interruptions.
• Legal. Examples: laws, regulations, and/or standards. Potential implications: changing environmental, health, and safety compliance requirements.
• Technological. Examples: new electronic commerce methods, automation, technology incentives. Potential implications: expanded availability of data, reductions in infrastructure costs, increased demand for technology-based services.
Internal factors
• Infrastructure. Examples: increasing capital allocation for preventive maintenance and call center support. Potential implications: reduced equipment downtime and improved customer satisfaction.
• Personnel. Examples: workplace accidents, fraudulent activities, and expiration of labor agreements. Potential implications: loss of available personnel, monetary damage, loss of reputation, production stoppages.
• Process. Examples: process modification without adequate change management protocols, process execution errors, out-sourcing customer delivery with inadequate oversight. Potential implications: loss of market share, inefficiency, customer dissatisfaction, defections.
• Technological. Examples: increasing resources to handle volume volatility, security breaches, potential system downtime. Potential implications: backlog reduction, fraudulent transactions, disruptions of business operations.
Source: Adapted from Enterprise Risk Management—Integrating with Strategy and Performance, © 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.
COSO reinforces that risk identification should examine: • Strategy and business objectives. • Risk appetite and tolerance. • Business context (events at the entity and activity levels as well as past events [e.g., accounts receivable default histories or lost-time accidents] and future exposures [e.g., shifting demographics or customer preferences]). • Portfolio view of risk.
Risk Identification Techniques
Organizations typically use a combination of techniques and tools to identify risks. The identification approaches often differ in sophistication, whether they examine historical data and/or factual sources of observable events or feed data into some type of projection model to identify probable future events. Some techniques examine data from the top down; others create a detailed analysis from the bottom up. Different approaches can be used to identify existing, new, or emerging risks. Exhibit V-24 summarizes common risk identification approaches.
Exhibit V-24: Common Risk Identification Approaches
Event inventories
• Description: Detailed listings of potential events common to companies within a particular industry or to a particular process or activity common across industries
• Example: Software products that generate lists of generic potential events that are typically encountered in a custom software development project
Internal analysis
• Description: Detailed analysis of information; may be part of routine operations or may use information from other stakeholders (e.g., other business units, customers, or suppliers), internal sources, and external sources
• Example: New product launch analysis that examines internal historical data as well as events affecting the success of competitors’ products
Escalation or threshold triggers
• Description: Triggers alerting management to areas of concern that may require further assessment or immediate response; comparison of current transactions or events with predefined criteria
• Example: Tracking of competitors’ prices and review of the organization’s pricing structure when a competitor reaches a specific threshold
Facilitated workshops and interviews
• Description: Facilitator-led structured discussions to draw on the collective knowledge and experience of management, staff, and other stakeholders about events that may impact the achievement of entity or unit objectives
• Example: Focus group with members of the accounting team led by a financial controller to identify events that have an impact on the organization’s external financial reporting
Process flow analysis
• Description: Examines the combination of inputs, tasks, and responsibilities in a process; considers internal and external factors that affect inputs to or activities within a process; identifies events that could impact the achievement of process objectives
• Example: Medical lab constructing process maps for the receipt and testing of samples and then evaluating the process maps to identify potential risks
Leading key indicators
• Description: Monitoring of qualitative or quantitative measures that help identify changes to existing risks
• Example: Financial institution monitoring loan payment patterns to identify late payments and mitigate the potential for default through timely action
Loss event data methodologies
• Description: Examination of data on past individual loss events to identify trends and root causes of events; helps to assess whether it is better to treat the root cause than to address individual events
• Example: Insurance company examining a historical database of accident claims to identify the root cause of the accidents
Source: Adapted from Enterprise Risk Management—Integrated Framework and Enterprise Risk Management—Integrating with Strategy and Performance, © 2004 and 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.
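The escalation/threshold triggers and leading key indicators in Exhibit V-24 can be expressed as a small rule set evaluated over incoming events: each event is compared with predefined criteria, and a rolling indicator flags a change in an existing risk before any single event breaches a hard threshold. The following Python is an added example written for this text, not COSO or IIA material; the event fields, the numeric thresholds, and the sample events are constructed for illustration.

```python
"""Escalation/threshold triggers and a leading key indicator.

Added example for this section; it is not COSO or IIA code. Event
fields, thresholds and the sample events are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Event:
    event_id: str
    category: str          # "competitor_price" or "payment" in this example
    value: float           # observed price, or payment amount
    late_days: int = 0     # days past due (payments only)


@dataclass(frozen=True)
class Trigger:
    name: str
    criterion: Callable[[Event], bool]   # predefined criterion the event is compared with
    action: str                          # "assess" (further assessment) or "respond" (immediate response)


# Predefined criteria; the numeric thresholds are hypothetical.
TRIGGERS: List[Trigger] = [
    Trigger("competitor_price_floor",
            lambda e: e.category == "competitor_price" and e.value < 90.0, "assess"),
    Trigger("large_payment",
            lambda e: e.category == "payment" and e.value >= 10_000.0, "assess"),
    Trigger("severely_late_payment",
            lambda e: e.category == "payment" and e.late_days > 60, "respond"),
]


def evaluate_triggers(events: List[Event],
                      triggers: List[Trigger] = TRIGGERS) -> List[Tuple[str, str, str]]:
    """Compare each event with every predefined criterion; return (event, trigger, action) per hit."""
    alerts = []
    for event in events:
        for trigger in triggers:
            if trigger.criterion(event):
                alerts.append((event.event_id, trigger.name, trigger.action))
    return alerts


def payments_only(events: List[Event]) -> List[Event]:
    """Select the payment events, preserving chronological order."""
    return [e for e in events if e.category == "payment"]


def late_payment_rate(payments: List[Event], window: int) -> float:
    """Leading indicator: share of the most recent `window` payments that arrived late."""
    recent = payments[-window:]
    if not recent:
        return 0.0
    return sum(1 for p in recent if p.late_days > 0) / len(recent)


def indicator_trend(payments: List[Event], window: int, limit: float) -> str:
    """Flag a change to an existing risk: the late-payment rate is above its
    limit and worse than in the preceding window of the same size."""
    current = late_payment_rate(payments, window)
    previous = late_payment_rate(payments[:-window], window)
    return "deteriorating" if current > limit and current > previous else "stable"


# Constructed sample events, in chronological order.
SAMPLE_EVENTS = [
    Event("e1", "competitor_price", 95.0),
    Event("e2", "competitor_price", 88.5),
    Event("e3", "payment", 2_500.0),
    Event("e4", "payment", 12_000.0, late_days=75),
    Event("e5", "payment", 800.0),
    Event("e6", "payment", 3_200.0),
    Event("e7", "payment", 950.0, late_days=20),
    Event("e8", "payment", 1_100.0, late_days=35),
]

if __name__ == "__main__":
    for alert in evaluate_triggers(SAMPLE_EVENTS):
        print(alert)
    pays = payments_only(SAMPLE_EVENTS)
    print("late-payment rate:", round(late_payment_rate(pays, 3), 2),
          indicator_trend(pays, 3, 0.5))
```

Two of the three alerts come from a single payment that meets two criteria at once, which is why each trigger carries its own escalation action rather than a single severity for the event. The trend check compares adjacent windows so that a rising late-payment rate is surfaced while the individual payments are still far from the "immediate response" threshold.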
Keep in mind that no one approach suits every situation or is relevant for every organization. COSO tells us:
• Depth, breadth, timing, and discipline in risk identification vary across organizations.
• Management selects approaches that are appropriate to its risk management philosophy and ensure adequate risk identification capabilities.
Risk Categories
New, emerging, and changing risks arise when business context changes. Emerging risks are sometimes grouped into categories or major enterprise risk types using a risk inventory. For example, risks may be aggregated horizontally across an entity and vertically within operating units. There are distinct benefits to categorizing risks. The categorization process:
• Enhances information gathered as a basis for risk assessment.
• Facilitates management efforts to determine opportunities and risks.
• Allows management to consider the completeness of its risk identification efforts.
Organizations establish categories based on relevance. An organization could develop categories based on its objectives, starting with high-level strategy objectives and cascading down to objectives at the unit, function, or process levels. Categories could be grouped by similarities, such as financial risks, customer risks, or compliance risks. Another approach might establish risk categories within the context of internal and external factors. Organizations may want to group risks that are likely to disrupt operations and affect the achievement of strategy and business objectives. The following are some examples that may be considered:
• Emerging technology
• Expanding role of data analytics
• Depletion of natural resources
• Rise of virtual entities
• Mobility of workforces
• Labor shortages
• Shifts in lifestyle, health care, and demographics
• Political environment
Risk Interdependencies
During risk identification, management needs to consider how risks relate to one another. Risks are rarely isolated. For example, incentives tied to performance may increase productivity but may also result in fraudulent reporting practices.
Framing Risk
Once major contributing factors and risks are identified, management can determine the impact—either positive (a potential gain) or negative (a potential loss). In some cases, a risk may be both. Positive opportunities are channeled back into the strategy and objectives-setting process; risks with negative impact are slated for further assessment and response. When organizations become prepared and are proactive in effectively addressing risks, they set themselves up to be able to take strategic advantage of opportunities as they arise.
Risk Assessment
Risk assessment is a process of identifying, measuring, and prioritizing risk. Risk assessments may be micro or macro in their overall scope. Those at the micro engagement level are intended to identify and evaluate risk exposures in operations and ensure that the risks relevant to the area under review are addressed. As described in Implementing the International Professional Practices Framework by Anderson and Dahle, organization-wide macro assessments are intended to provide a top-down look at all the key risks affecting the organization. Two possibilities exist with organization-wide assessments:
• Management may have a process for identifying and evaluating high-level risk. In this situation, internal auditing should consider the effectiveness of management’s process when determining how much to rely on it in its own independent risk assessment(s). The internal audit activity can then potentially leverage the results of the organization-wide assessment.
• In situations where an organization does not have an established risk management process, the internal auditor should advise management, suggesting how to establish such a process. If an organization lacks dedicated resources for enterprise risk management, the internal audit activity can help facilitate the initial establishment of a generic framework (such as COSO or ISO 31000) at management’s request.
In organizations without a risk management process, there are boundaries and cautions for the internal audit activity. Although internal auditors can facilitate or enable risk management processes, they should not own or be responsible for the management of the risks identified. However, the interpretation of Standard 2010, “Planning,” states as part of establishing a risk-based internal audit plan:
If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consideration of input from senior management and the board. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.
Therefore, in some cases it may be necessary to proceed without a formalized risk management framework or assessment.
Assessment Techniques
Risk assessment techniques include qualitative and quantitative assessments. Organizations should consider using both. Interviews and workshops are two widely used qualitative assessment techniques. Such techniques are used when:
• Risks do not lend themselves to quantification.
• Sufficient credible data required for quantitative assessments is not readily available.
• It is not cost-effective to obtain or analyze quantitative data.
Qualitative techniques generally estimate the likelihood and impact of potential events by applying nominal or ordinal measures. Nominal measures group events in categories (such as economic or political) but do not rank them in any way. Ordinal measures list events in order of importance using scales (such as high, medium, or low in order along a scale). Quantitative assessment techniques yield objective and comparable measures. Quantitative techniques are more complex than qualitative measures and usually require greater effort and rigor; they are often used to supplement qualitative techniques. Mathematical models are sometimes used in quantitative techniques. Exhibit V-25 summarizes common quantitative assessment techniques.
Exhibit V-25: Examples of Quantitative Risk Assessment Techniques
Benchmarking
Description: A collaborative process that uses common metrics to compare performance measures and results for specific events or processes and identify improvement opportunities. May also be used to assess likelihood and impact of potential events across an industry. The following are examples of benchmarking techniques.
• Internal: Compares measures of one department or division with others in the same organization.
• Competitive/industry: Compares measures among direct competitors or similar companies.
• Best-in-class: Looks at like measures among companies across different industries.
Probabilistic models
Description: Associate a range of events and the resulting impact with the likelihood of those events based on certain assumptions. Likelihood and impact are assessed based on historical data or simulated outcomes reflecting assumptions of future behavior. May use different time horizons to estimate outcomes and may also be used to assess expected or average outcomes versus extreme or unexpected impacts. The following are examples of probabilistic models.
• Value at risk (VAR): Models based on distributional assumptions about change in the value of an item or group of items not expected to exceed a given confidence level over a defined time period. Used to estimate extreme ranges of value change expected to occur infrequently (such as an estimated loss with 95% confidence). The desired confidence level and time horizon are chosen by management and reflect the organization’s established risk tolerance. Example: Estimating the capital required for a business unit (with 99% confidence) to cover potential losses for a specified time period.
• Cash flow at risk: Estimates a change in cash flows relative to projected cash flows with a given confidence level over a defined time period. Based on distributional assumptions about the behavior of changes in cash flows. May be done at the entity or business unit level. Example: A manufacturer measuring foreign currency risks in relation to net cash flows.
• Earnings at risk: Estimates a change in the accounting earnings of an organization or business unit not expected to be exceeded with a given confidence over a defined time period. Based on distributional assumptions about the behavior of accounting earnings. Example: A computer-generated Monte Carlo simulation of sales revenues that will ensure a given earnings per share.
• Operational loss distributions: Use statistical techniques to estimate maximum operational or credit loss distributions with a given confidence level. Example: Collecting operational loss data categorized by root cause (e.g., sales practices), relating data to insurance costs and proceeds, developing a preliminary loss distribution, and making refinements to reflect the organization’s risk responses.
• Back-testing: Periodic comparison of an entity’s at-risk measures with subsequent profit or loss to gauge the quality and accuracy of risk assessment systems. Example: A bank routinely comparing daily profits and losses with outputs generated by risk models.
Nonprobabilistic models
Description: Use subjective assumptions in estimating the impact of events without quantifying an associated likelihood. Base assessments on historical or simulated data and assumptions of future behavior. The following are examples of nonprobabilistic models.
• Sensitivity analysis: Assesses the impact of normal or routine changes in potential events. Measures the change in one variable as a result of a change in another variable. Used with operational measures and equity securities, using beta. Examples: Effect of sales volume fluctuations on call center response time, or the ratio of movements of an individual stock relative to the movements of an overall market portfolio.
• Scenario analysis: Assesses the effect on an objective of one or more events. Examines what happens to profitability estimates under several different sets of assumptions. Can be used to estimate optimistic, pessimistic, and most likely or base-case scenarios, or custom scenarios. Example: Estimating the impact of a network failure across a business or net cash flow from a capital investment.
• Stress tests: Assess the effect of events having extreme impact. Focus on the direct impact of change in only one event or activity under extreme circumstances in order to avoid big surprises and losses. Examples: Estimating the effect of a rapid and large movement in the foreign exchange rate or an increase in product manufacturing defects.
Source: Adapted from Enterprise Risk Management—Integrating with Strategy and Performance, © 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.
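To make the value at risk and back-testing rows of Exhibit V-25 concrete, the following Python is an added example (not COSO or IIA code). It estimates one-period VaR from a constructed daily profit-and-loss history by two standard methods, historical simulation and a parametric normal model, and then back-tests the estimate by counting the days on which the realized loss exceeded it and comparing that count with the (1 - confidence) share of days the model implies. The P&L figures are constructed for the example.

```python
"""Value at risk and back-testing over a constructed daily P&L history.

Added example for this section; it is not COSO or IIA code. The P&L
figures are constructed. Historical-simulation and parametric (normal)
VaR are standard textbook formulations."""
import math
import statistics
from typing import Dict, List

# Constructed daily profit (+) and loss (-) history, 20 observations.
SAMPLE_PNL: List[float] = [120, -45, 60, -210, 35, 80, -15, -320, 50, 10,
                           -90, 140, -60, 25, -180, 70, -30, 95, -400, 15]


def historical_var(pnl: List[float], confidence: float) -> float:
    """Historical-simulation VaR: the loss not expected to be exceeded at the
    given confidence level over the horizon of one observation.
    The empirical quantile used is the ceil(confidence * n)-th smallest loss."""
    losses = sorted(-x for x in pnl)                # positive values are losses
    n = len(losses)
    idx = math.ceil(round(confidence * n, 9)) - 1   # round() guards against float noise
    return max(losses[idx], 0.0)


def parametric_var(pnl: List[float], confidence: float) -> float:
    """Parametric VaR under a normal distributional assumption for losses:
    mean loss plus the normal quantile at the chosen confidence level."""
    losses = [-x for x in pnl]
    dist = statistics.NormalDist(statistics.mean(losses), statistics.stdev(losses))
    return max(dist.inv_cdf(confidence), 0.0)


def back_test(pnl: List[float], var: float, confidence: float) -> Dict[str, object]:
    """Compare realized losses with the at-risk measure: count the days on which
    the loss exceeded VaR and compare with the (1 - confidence) share expected.
    More exceedances than expected is a signal to revisit the model."""
    exceedances = sum(1 for x in pnl if -x > var)
    expected = (1.0 - confidence) * len(pnl)
    return {"exceedances": exceedances,
            "expected": expected,
            "more_than_expected": exceedances > expected}


def stressed_loss(pnl: List[float], shock_multiplier: float) -> float:
    """Stress test on one factor: the worst observed day scaled by an extreme shock,
    reported as a loss regardless of any likelihood."""
    worst = min(pnl)
    return max(-worst * shock_multiplier, 0.0)


if __name__ == "__main__":
    for c in (0.95, 0.99):
        h, p = historical_var(SAMPLE_PNL, c), parametric_var(SAMPLE_PNL, c)
        print(f"{int(c * 100)}% VaR  historical={h:.1f}  parametric={p:.1f}  "
              f"back-test={back_test(SAMPLE_PNL, h, c)}")
    print("stressed loss (3x worst day):", stressed_loss(SAMPLE_PNL, 3.0))
```

With 20 observations the 95% historical VaR is the second-largest loss and the 99% VaR is the largest, which illustrates why small samples give coarse tail estimates and why the back-test count matters: a single exceedance at 95% is exactly what the confidence level implies, so it does not by itself call the model into question. The stress function deliberately quantifies no likelihood, which is the distinction the exhibit draws between probabilistic and nonprobabilistic models.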
Risk Assessment Pitfalls
Implementing the International Professional Practices Framework mentions the following common risk assessment pitfalls:
• Limiting risk assessments to financial hazards. Rather than the traditional financial hazards, less tangible soft issues (such as human resources, social responsibility, or reputation) are of increasing importance in risk assessments. They should be part of the risk assessments, as they often prove to be more advantageous or detrimental.
• Blindly selecting risks from a generic risk framework. Such matrices should be considered more as a brainstorming tool to identify risk exposures.
• Internal auditors developing risks in a vacuum. Collaborative approaches such as top-down organization-wide assessments and bottom-up engagement-level risk assessments that are aligned and linked are much more effective.
• Identifying too many risks. Long lists of risks increase the chances that significant risks will receive inadequate attention. The COSO framework includes risk categories that organizations have successfully used. Some guidelines recommend limiting significant risks to 15 to 20.
• Overcomplicating risk quantification. Unless complex risk quantification is merited (for example, in dealing with derivatives or other complex financial instruments), it’s best to keep the quantification and prioritization of risks simple. Precise, detailed quantification can needlessly complicate a risk assessment when simple rating tactics of significance and likelihood (such as high likelihood/high significance or low likelihood/low significance) could suffice.
The Dynamic Nature of Risk As we have learned, risk identification and risk assessment will vary among entities based on organizational specifics. But the processes should be robust. Organizations, their markets, and their business environments are not static. Change is constant. Risk events shift as well. Therefore, risk identification and assessment cannot be limited to a once-a-year strategic exercise. Implementing the International Professional Practices Framework suggests that provisions be made for the ongoing acquisition of new risk information through practices such as frequent management call programs, quarterly risk committee involvement, and automated tools to capture and understand risk indicators.
Risk Responses
Once management has assessed relevant risks, it must determine how to respond. In addition to controls, management has other risk response techniques. COSO describes five courses of action to manage assessed risks, as shown in Exhibit V-26.
Exhibit V-26: COSO Risk Management Responses
Accept
Description: No action is taken to affect likelihood or impact.
Examples:
• Accepting risk that conforms to risk tolerances
• Deciding to self-insure against loss because insurance costs and deductibles exceed the cost of replacement
Avoid
Description: Action is taken to exit the activities giving rise to risk. Risk avoidance may involve exiting a product line, declining expansion to a new geographical market, or selling a division.
Examples:
• Eliminating a third-world plant because of political instability and the potential for operation interruptions
• Deciding not to undertake a project because of the high probability of unstable cash flows
Pursue
Description: Action is taken that accepts increased risk to achieve improved performance. Management understands the nature and extent of changes required to achieve improvements.
Examples:
• Adopting more aggressive growth strategies
• Expanding operations
• Developing new products and services
Reduce
Description: Action is taken to reduce the risk likelihood or impact or both. This may involve myriad everyday business decisions.
Examples:
• Diversifying product offerings
• Maintaining large cash reserves
• Investing in technology upgrades that reduce the likelihood of system failures
• Reallocating funds among operating units
Share
Description: Action is taken to reduce risk likelihood or impact by transferring or otherwise sharing a portion of the risk.
Examples:
• Entering into joint ventures or partnerships
• Sharing risk through contractual agreements with clients or suppliers
• Purchasing insurance to protect against significant unexpected loss
Source: Adapted from Enterprise Risk Management—Integrating with Strategy and Performance, © 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.
Risk Response for Different Risk Types The following looks at responses to different types of risks.
Inherent Risk
Inherent risk (also called absolute or intrinsic risk) is the risk derived from the environment, strategy, tactics, and operations without the mitigating effects of internal controls. In other words, it is the combination of internal and external risk factors in their pure, uncontrolled state, or the gross risk present assuming that no internal control activities are in place. Risk assessment should first be applied to inherent risks. Once risk responses have been developed, management then considers residual risk (relative to the organization’s risk appetite).
Residual Risk
As the five risk responses in Exhibit V-26 indicate, it is impossible to eliminate all risk. Some degree of residual risk—the risk that remains after the risk response (e.g., after the controls are designed and effectively executed)—is inevitable. The target residual risk is the amount of risk an organization prefers to assume in its pursuit of its strategy and business objectives, knowing that management will implement actions to alter the severity of the risk. The actual residual risk is the risk remaining after management has taken steps to alter a risk’s severity—to accept, avoid, pursue, reduce, or share the risk. The actual residual risk should be equal to or less than the target residual risk. If it exceeds the target risk, additional actions should be identified for management to alter the risk severity further. Exhibit V-27 shows the two choices management faces when considering residual risk.
Exhibit V-27: Residual Risk Considerations
If the residual risk is reasonable (not too high), then management should consider accepting the residual risk in order to achieve organizational business objectives.
If the residual risk is excessive, then management should consider not undertaking the associated task or initiative, or considering the benefit/cost implications if risk responses were to be increased to bring residual risk down to an acceptable level.
Residual risk cannot be ignored. General considerations in determining the appropriate response are:
• Alignment of the response with the organization’s risk tolerance.
• The effects of a potential response on the likelihood and impact of risk occurrence.
• Analysis of costs versus benefits of different responses.
• The potential impact of different responses on achieving organizational objectives.
Control Risk
In addition to residual risk, there are control risks in management’s response process. Control risk refers to the tendency of the internal control system to lose effectiveness and expose the assets under control. Stated another way, control risks are the risks associated with a control procedure that fails to accomplish its task.
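The inherent, actual residual, and target residual comparisons described above can be written down as a register check. The following Python is an added example (not COSO or IIA code): each risk is rated on a constructed ordinal likelihood-by-impact scale of the kind the pitfalls discussion recommends, the actual residual score is compared with the target so that any excess is flagged for further action, the chosen response is checked against the five COSO responses, and the register is ranked so that the list of significant risks stays short. The register entries and target values are constructed for illustration.

```python
"""Risk register: inherent, actual residual and target residual risk on an ordinal scale.

Added example for this section; it is not COSO or IIA code. The scale
values, the register entries and the target figures are constructed."""
from dataclasses import dataclass
from typing import Dict, List

ORDINAL: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}
RESPONSES = {"accept", "avoid", "pursue", "reduce", "share"}   # the five COSO responses


@dataclass(frozen=True)
class RiskEntry:
    name: str
    inherent_likelihood: str
    inherent_impact: str
    response: str
    residual_likelihood: str     # rated with the response in place
    residual_impact: str
    target_residual: int         # target residual risk, on the same 1..9 scale


def score(likelihood: str, impact: str) -> int:
    """Ordinal likelihood x impact rating (1 = low/low ... 9 = high/high)."""
    return ORDINAL[likelihood] * ORDINAL[impact]


def evaluate(entry: RiskEntry) -> Dict[str, object]:
    """Score one register entry and decide whether further action is needed."""
    if entry.response not in RESPONSES:
        raise ValueError(f"unknown risk response: {entry.response}")
    inherent = score(entry.inherent_likelihood, entry.inherent_impact)
    residual = score(entry.residual_likelihood, entry.residual_impact)
    return {
        "name": entry.name,
        "inherent": inherent,
        "actual_residual": residual,
        "target_residual": entry.target_residual,
        # Actual residual must be equal to or less than target; otherwise more action.
        "further_action_needed": residual > entry.target_residual,
        # "accept" means no action is taken, so the residual should equal the inherent.
        "response_consistent": entry.response != "accept" or residual == inherent,
    }


def evaluate_register(register: List[RiskEntry]) -> List[Dict[str, object]]:
    return [evaluate(e) for e in register]


def top_residual_risks(register: List[RiskEntry], limit: int) -> List[str]:
    """Keep the list of significant risks short: highest actual residual first,
    ties broken by name so the ranking is stable."""
    ranked = sorted(evaluate_register(register),
                    key=lambda r: (-int(r["actual_residual"]), str(r["name"])))
    return [str(r["name"]) for r in ranked[:limit]]


# Constructed register entries.
SAMPLE_REGISTER = [
    RiskEntry("Fraudulent transactions", "high", "high", "reduce", "medium", "high", 4),
    RiskEntry("System downtime", "medium", "high", "reduce", "low", "high", 4),
    RiskEntry("Foreign currency exposure", "medium", "medium", "share", "low", "medium", 2),
    RiskEntry("New market entry", "medium", "medium", "pursue", "high", "medium", 6),
    RiskEntry("Unstable project cash flows", "high", "medium", "avoid", "low", "low", 1),
    RiskEntry("Minor stationery shrinkage", "low", "low", "accept", "low", "low", 1),
]

if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_REGISTER):
        print(row)
    print("top residual risks:", top_residual_risks(SAMPLE_REGISTER, 2))
```

Note that "New market entry" carries a higher residual than inherent score: the pursue response accepts increased risk for improved performance, and the check still passes because management set the target accordingly. Only the fraud entry is flagged, because its reduce response left the actual residual above the target.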
Risk Monitoring
Risk monitoring takes into account the fact that an organization’s enterprise risk management processes change over time. Substantial change may lead to new or changed risks, so practices for identifying such changes should be built into business activities and performed continually. Also, by monitoring activities, management can determine if enterprise risk management continues to be effective. COSO discusses review and revision activities, which include organizational reviews of performance and evaluations of business practices, as ways to assess the presence and functioning of enterprise risk management components over time.
Ongoing Monitoring of Performance
Enterprise risk management activities typically have built-in provisions for self-monitoring. Most ongoing monitoring activities are performed on a real-time basis during the regular course of business activities. Ongoing monitoring activities are:
• Typically performed by line or functional support managers based on the information they receive.
• Focused on relationships, inconsistencies, or other relevant implications.
• Differentiated from activities performed in response to policy (e.g., transaction approvals or account balance reconciliations).
An example of an ongoing monitoring activity is a conversation between a manager and a group of operations personnel regarding how they identify risks relevant to the individual tasks they perform and whether they understand the purpose of the controls and can appropriately identify any issues in control activities. This normal, ongoing dialogue helps to confirm that employees understand codes of conduct and possess good knowledge of risk management and internal control. Any concerns identified that require attention could be addressed.
Using Evaluations for Improvements
By embedding evaluations into business practices (continual evaluations or separate evaluations), organizations can focus directly on enterprise risk management effectiveness and identify potential improvements. According to COSO:
• Scope and frequency vary, depending on the significance of risks and the importance of the risk responses in managing the risks.
• Higher-priority areas tend to require more frequent evaluations.
• Evaluation of the entire ERM system is generally needed less frequently than more focused evaluations.
• Evaluation of the entire system may be warranted by factors such as major strategy or management changes, acquisitions or dispositions, changes in economic or political conditions, or changes in operations or methods of processing information.
Separate evaluations are often conducted as self-assessments. The individuals responsible for a particular unit or function determine the effectiveness of activities within the sphere of their responsibilities. For example, line managers would examine operations and compliance objectives and a controller would focus on reporting objectives. Internal auditors routinely perform evaluations as part of their regular duties or at the specific request of management, the board, or other executives. Management may also consider input from external auditors. Management will use judgment to decide if separate management-led evaluations are needed (note that the internal audit activity will separately use its own judgment on whether or not to perform its own independent, separate evaluations). The management decision-making process may take into account factors such as:
• The nature and degree of changes in the business environment and associated risks.
• The competence of personnel responsible for implementing risk responses and related controls.
• The results of ongoing monitoring.
Typically, ongoing monitoring combined with some level of separate evaluations helps to ensure that ERM functions effectively over time. Frequent separate evaluations may indicate the need for improvements in ongoing monitoring.
Reporting Deficiencies Reporting deficiencies is another part of monitoring. COSO describes a deficiency as: A condition within enterprise risk management worthy of attention that may represent a perceived, potential, or real shortcoming or an opportunity to strengthen enterprise risk management to increase the likelihood that the entity’s objectives will be achieved.
Insights gained from monitoring performance can identify deficiencies. Management evaluations, internal audit activity results, and other self-assessments can highlight areas that need improvement as well as areas that show strength and should receive positive reinforcement. External sources such as regulatory body and external audit reports may have deficiency findings, much like internal audit reports. A part of internal audit’s role is helping the audit committee by following up with management to see whether they have responded to these other reports by implementing action plans to correct the deficiencies. This is usually a list of deficiencies identified in each report, with the action plan, target date, accountability, and status of implementation presented at each audit committee meeting.
Topic H: The Internal Audit Activity’s Role in the Risk Management Process (Level B)
This topic traces the role of the internal audit activity in using the organization’s ERM framework in forming a risk-based internal audit plan or assessing management’s risk assessment processes. It emphasizes the role of the chief audit executive in:
• Interacting with senior management and the board.
• Understanding what the organization does and its risk exposure and attitude.
• Assessing the adequacy of the organization’s ERM framework.
• Managing the internal auditing activity in a strategic manner, which includes measuring and reporting internal audit performance and ensuring that resources are adequate for achieving performance objectives.
• Ensuring that the annual audit plan and individual assurance and consulting audits are aligned with risk management objectives.
Risk Management Roles and Responsibilities
Internal auditors are expected to identify and evaluate significant risk exposures in the normal course of their duties. The internal audit activity’s role in the risk management process of an organization can change over time and may be found at some point along a continuum that ranges from:
• No role, to
• Auditing the risk management process as part of the internal audit plan, to
• Providing insight and historical data on risk events identified by internal audit findings, to
• Consulting on the establishment or improvement of risk management processes.
Implementation Guide 2100, “Nature of Work,” notes that typically the board is responsible for guiding the governance process and senior management is accountable for leading risk management and control processes. Standard 2120, “Risk Management,” states, “The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.” This can be part of an assurance engagement, or management may request a consulting engagement. The CAE discusses the role of internal audit related to risk management with senior management and the board and considers the risk appetite, risk tolerances, and risk culture of the organization. The internal audit activity’s roles and responsibilities are codified in the internal audit charter. In most organizations, internal auditors have a key role in evaluating the effectiveness of enterprise risk management and recommending improvements by examining, evaluating, reporting, and/or recommending improvements to the adequacy and effectiveness of management’s risk processes. As a function within the organization, the internal audit activity must comply with the organization’s policies and procedures, including risk management processes, and must use risk management methodologies in the design and implementation of internal auditing practices. Even when consulting, it is important to use the risk knowledge gained as part of overall evaluations of the organization’s risk management process. Note that when consulting, according to Standard 2120.C3, “internal auditors must refrain from assuming any management responsibility by actually managing risks.”
Implementation Guide 2120 also reminds us that the internal audit activity is not immune to risks. In its risk assessment, the internal audit activity would consider the organization’s size, complexity, life cycle, maturity, stakeholder structure, and legal and competitive environment. Risks to internal audit activities tend to fall into three broad categories: audit failure, false assurance, and reputation risks. Through planned engagements, internal audit may provide assurance on a macro level, by assessing the organization’s design and implementation of the risk management process, and on a micro level, by assessing management assertions about the effectiveness of risk identification and treatment in separate areas of the organization.
Assurance Roles
An organization’s board needs to have assurance that risk management processes are functioning as expected and key risks are being managed at an acceptable level. In most organizations, this assurance comes from different sources and at different levels. For example, operational areas in an organization that have assigned functional risk management responsibilities report to the board on their performance levels. These functional reports are augmented by the objective assurance of external audits, specialist reviews, and internal audits. Providing assurance is the core contribution of the internal audit activity to risk management. Internal audit provides assurance for the entire risk management process by examining:
• Risk management’s role in the organization. Does it have adequate management support? Have adequate resources been budgeted for the process? Is risk management part of the decision-making process, especially at higher levels within the organization?
• The risk management framework and the criteria used to assess risks. Are the framework and criteria appropriate for the organization’s structure and external environment?
• Ability to implement the risk management processes. Have objectives and criteria for evaluating risks been clearly communicated? Are employees trained for their roles? Are employees held accountable for their parts in the process?
• Communication. Does the process allow feedback about the outcomes of risk management throughout the organization? Does the process include its risk management practices when communicating with external stakeholders? Does the process support compliance with external reporting requirements?
• Monitoring and reporting. Are risk identification and treatment activities monitored and reported regularly to senior management and the board? Can the process itself be measured against key performance indicators so that it can be improved continually?
• Consistency of implementation. Are definitions, criteria, and activities consistently applied across the organization?
• Responsiveness to change. Does the process recognize the need for reevaluating the organization’s risk environment? Are risks reevaluated with a frequency appropriate to the organization’s business and environment?
Providing assurance requires the internal auditor to formulate an opinion on whether risk management processes are effective and sufficient to protect the assets, reputation, and ongoing operations of the organization. The interpretation of Standard 2120 tells us:
Determining whether risk management processes are effective is a judgment resulting from the internal auditor’s assessment that:
• Organizational objectives support and align with the organization’s mission;
• Significant risks are identified and assessed;
• Appropriate risk responses are selected that align risks with the organization’s risk appetite; and
• Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.
The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization’s risk management processes and their effectiveness. Risk management processes are monitored through ongoing management activities, separate evaluations, or both.
Implementation Guide 2120 guidance indicates: To fulfill this standard, the CAE and internal auditors start by attaining a clear understanding of risk appetite, as well as the organization’s business missions and objectives. It is also important to attain a complete understanding of the organization’s business strategies and the risks identified by management. Risks may be financial, operational, legal/regulatory, or strategic in nature… Internal auditors will generally attain an understanding of the organization’s current risk management environment and the corrective actions in place to address prior risks. It is important to know how the organization identifies, assesses, and provides oversight for risks before internal auditors start to implement Standard 2120.
The techniques used by various organizations for their risk management practices can vary significantly. Depending on the size and complexity of the organization’s business activities, risk management processes can be: • Formal or informal. • Quantitative and/or qualitative. • Embedded in the business units or centralized at a corporate level. The organization designs processes based on its culture, management style, and business objectives. The internal auditor determines that the methodology chosen is sufficiently comprehensive and appropriate for the nature of the organization’s activities. When assessing the adequacy and effectiveness of any system, including governance, risk management, and internal control, there are distinctions
between the terms that an internal auditor should understand. Adequacy of governance, risk management, and control (GRC) processes: Is present if management has planned, designed, followed, and ensured compliance with GRC processes in a manner that provides reasonable assurance that the organization’s objectives and goals will be achieved efficiently and economically. This assumes GRC processes are followed as designed. Efficient performance accomplishes objectives and goals in an accurate, timely, and economical fashion. Economical performance accomplishes objectives and goals with minimal use of resources (i.e., cost) commensurate with the risk exposure. Reasonable assurance is provided if the most cost-effective measures are taken in the design and implementation stages to reduce risks and restrict expected deviations to a tolerable level. Thus, the design process begins with the establishment of objectives and goals. This is followed by connecting or interrelating concepts, parts, activities, and people in such a manner as to operate together to achieve the established objectives and goals.
Effectiveness of GRC processes: Is present if management directs processes in such a manner as to provide reasonable assurance that the organization’s objectives and goals will be achieved. In addition to accomplishing the objectives and planned activities, management directs by authorizing activities and transactions, monitoring resulting performance, and verifying that the organization’s processes are operating as designed.
Coordinating with Other Assurance Providers The Practice Guide “Coordinating Risk Management and Assurance” notes that internal audit may be only one part of the organization’s assurance provider framework, which may also include, in some organizations, external audit, governance, risk management, and other internal assurance providers, such as quality assurance or compliance. Given the fact that multiple assurance providers may be involved in identifying organizational risks and evaluating the effectiveness of the organization’s risk management processes, it is critical that these different groups coordinate their responsibilities. Internal audit may coordinate assessments of the effectiveness of the risk management processes with these various groups.
The CAE can help the board and senior management understand the different roles in the organization’s assurance framework and any gaps in assurance coverage that have been identified. To this end, the CAE may develop an annual report on the state of the organization’s risk management processes or may “coordinate the development and distribution of this report through the organization’s governance or risk management function.” Implementation Guide 2050, “Coordination and Reliance,” notes the usefulness of assurance mapping exercises in communicating this information to the board and senior management—especially in organizations in which the CAE must deliver an overall opinion of risk management processes. An assurance map would include, for each business unit in an organization: • Significant risk categories. • Risk owner (management responsible for coordinating assurance activities for that risk) and controls in place to manage the risk. • Inherent risk rating (risk level before mitigation/control). • Residual risk rating (risk level after mitigation/control). • External audit coverage. • Internal audit coverage. Internal audit can identify the steps it is taking to assess and provide assurance regarding risk(s)—for example, through the annual audit plan. It can also point out significant risks with gaps in or inadequate assurance coverage or areas of duplication in assurance coverage.
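The assurance map described above, worked through as an added example that is not code from Implementation Guide 2050 or the Practice Guide the text cites: each entry carries the fields the text lists (significant risk category, risk owner and controls, inherent and residual rating, external and internal audit coverage) and the functions report what the text says internal audit can point out, namely significant risks with no assurance coverage, coverage that looks thin for the residual rating, and areas of duplication. The sample entries, the three-point rating scale and the "thin coverage" rule are constructed assumptions.

```python
"""Assurance map with gap, thin-coverage and duplication checks.

Added illustration, not code from any IIA guide. Entries, the rating
scale and the thin-coverage rule are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field

RATING = {"low": 1, "medium": 2, "high": 3}   # assumed three-point scale


@dataclass
class RiskEntry:
    business_unit: str
    risk_category: str
    risk_owner: str            # management responsible for coordinating assurance
    controls: list[str]        # controls in place to manage the risk
    inherent: str              # rating before mitigation/control
    residual: str              # rating after mitigation/control
    external_audit: bool = False
    internal_audit: bool = False
    other_providers: list[str] = field(default_factory=list)  # e.g. compliance, QA

    def providers(self) -> list[str]:
        """Every assurance provider that covers this risk."""
        names = []
        if self.external_audit:
            names.append("external audit")
        if self.internal_audit:
            names.append("internal audit")
        names.extend(self.other_providers)
        return names


# Constructed sample map: six business units, one significant risk each.
SAMPLE_MAP = [
    RiskEntry("Treasury", "Liquidity", "CFO", ["cash forecasting", "credit lines"],
              "high", "medium", external_audit=True, internal_audit=True),
    RiskEntry("IT", "Unauthorized access", "CIO", ["quarterly access reviews"],
              "high", "high"),
    RiskEntry("Sales", "Revenue recognition", "Controller", ["contract review"],
              "high", "low", external_audit=True),
    RiskEntry("Finance", "Disbursement fraud", "Controller", ["dual approval"],
              "high", "high", other_providers=["compliance"]),
    RiskEntry("HR", "Payroll error", "HR Director", ["payroll reconciliation"],
              "medium", "low", other_providers=["compliance"]),
    RiskEntry("Operations", "Supplier failure", "COO", [], "medium", "medium"),
]


def assurance_gaps(entries: list[RiskEntry], min_residual: str = "medium") -> list[tuple]:
    """Significant risks (residual at or above the threshold) with no provider at all."""
    return [(e.business_unit, e.risk_category) for e in entries
            if RATING[e.residual] >= RATING[min_residual] and not e.providers()]


def thin_coverage(entries: list[RiskEntry]) -> list[tuple]:
    """High residual risks relying on a single provider that is not an audit function
    (assumed rule for 'inadequate assurance coverage')."""
    return [(e.business_unit, e.risk_category, e.providers()[0]) for e in entries
            if e.residual == "high" and len(e.providers()) == 1
            and not (e.internal_audit or e.external_audit)]


def duplicated_coverage(entries: list[RiskEntry]) -> list[tuple]:
    """Risks covered by more than one provider: candidates for coordination or reliance."""
    return [(e.business_unit, e.risk_category, e.providers())
            for e in entries if len(e.providers()) > 1]


def coverage_by_unit(entries: list[RiskEntry]) -> dict[str, dict[str, int]]:
    """Per-business-unit view for the board: risks mapped versus risks with any coverage."""
    summary: dict[str, dict[str, int]] = {}
    for e in entries:
        unit = summary.setdefault(e.business_unit, {"risks": 0, "covered": 0})
        unit["risks"] += 1
        unit["covered"] += 1 if e.providers() else 0
    return summary


if __name__ == "__main__":
    print("gaps:", assurance_gaps(SAMPLE_MAP))
    print("thin:", thin_coverage(SAMPLE_MAP))
    print("duplicated:", duplicated_coverage(SAMPLE_MAP))
    print("by unit:", coverage_by_unit(SAMPLE_MAP))
```

The threshold in `assurance_gaps` is the lever the CAE would tune to the organization's risk appetite: raising it to "high" narrows the gap list to the access-control risk alone, which is the kind of prioritized view the annual report on risk management processes would carry.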
Consulting Roles Internal audit may also provide consulting services that improve organizational risk management and control processes. The IIA Position Paper “The Role of Internal Auditing in Enterprise-Wide Risk
Management” mentions the following topics as possibilities for consulting engagements: • Educating management about the risk and control tools and techniques used by the internal audit activity and sharing those tools • Being a champion for introducing ERM into the organization and sharing the internal audit activity’s expertise • Providing advice, workshops, and training to the organization on risk and control • Acting as the central point for coordinating, monitoring, and reporting on risks • Supporting managers as they work to identify the best way to mitigate a risk The extent to which the internal audit activity actually provides risk management consulting services is a function of various factors: • Resource availability—the internal and external resources available to the board • Risk maturity of the organization—the maturity level of organizational risk management processes and structure and the organizational role and qualifications of the internal auditors (Risk maturity levels are discussed a little later in this topic.) • Independence/objectivity of the internal auditor—whether the internal auditor is assuming a role in managing the risk When the internal audit activity extends its services to include consulting engagements, safeguards should be in place to preserve its independence and objectivity. As we have seen, the internal audit activity can be a valuable contributor in ensuring success through assurance and consulting activities and
supporting management and board responsibilities. But it must be clear that management remains responsible for risk management. To preserve the integrity of the internal audit function within the organization’s risk management framework, the IIA Position Paper recommends that:
• Internal auditors should provide advice and challenge or support management’s decisions on risk, as opposed to making risk management decisions.
• The nature of internal auditing’s responsibilities should be documented in the audit charter and approved by the audit committee.
“The Role of Internal Auditing in Enterprise-Wide Risk Management” identifies the following roles the internal audit function should not undertake:
• Setting the risk appetite
• Imposing risk management processes
• Management assurance on risks
• Making decisions on risk responses
• Implementing risk responses on management’s behalf
• Accountability for risk management
Approaches to Auditing Risk Management Processes The Practice Guide “Assessing the Adequacy of Risk Management Using ISO 31000” describes three approaches to auditing the risk management process. An approach should be selected based on an organization’s needs, but approaches can also be combined.
Process Element Approach In a process element approach, internal audit checks whether each
element of the risk management process is in place. ISO 31000:2018 identifies eight components of the risk management process, as shown in Exhibit V-28. Exhibit V-28: ISO 31000 Risk Management Process Elements
Key Principles Approach In a key principles approach, the organization’s risk management process is assessed according to how well it incorporates nine principles of risk management: • Risk management creates and protects value. • It is an integral part of all organizational activities. • It is a structured and comprehensive approach to provide consistent results. • It is customized to the organization’s operating environment, culture, and objectives. • It is transparent, auditable, and inclusive of all stakeholders, providing improved communications and awareness. • It addresses uncertainty in a structured, orderly, unambiguous, and timely fashion.
• It makes use of the best information available. • It is influenced by organizational culture and staff behavior. • It uses an iterative cycle to generate continual improvement, organizational learning, and the ability to quickly respond to changing environments.
Maturity Model Approach A maturity model approach emphasizes the value that the risk management process delivers to the organization and the gradual evolution of the process from one focused primarily on compliance to one focused on effective treatment of risks. It measures growth against defined and evolving objectives. This approach provides an assessment of where an organization’s risk management process is on the maturity curve, so that the board and management can determine if it is meeting the current needs of the organization and is maturing as expected. Progress is linked to the risk management plan and the performance management system. The maturity level of an organization’s ERM processes affects how much weight the CAE should give to a selected risk response. An organization may have the intent—but not the ability—to effectively address a risk. The enabling processes to address risks include people, processes, and technology. • People. People include the leaders of the organization and whether they are developing and communicating strategies and risk appetite clearly and effectively. They also include all persons directly responsible for managing and owning specific risks. The organization must have the proper accountability structures in place, diligent hiring procedures, and training. • Processes. Processes include policies, procedures, and tasks that must be performed as intended and must be audited to ensure that they are
executed, efficient, and effective. • Technology. Technology includes information timeliness, availability, completeness, and relevance as well as the security and level of integration of the technology itself. This includes not only information systems but also production line technology and so on. The organization’s relative maturity level in each of these areas for its ERM capabilities will result in an overall organizational maturity level for ERM, as shown in Exhibit V-29. (Different sources may use different names for the stages.) Exhibit V-29: Assessing the Organization’s ERM Maturity Level
Lack of organizational maturity for the ERM function may result in making ERM processes one of the areas to audit in the upcoming audit cycle. The organization’s relative level of ERM maturity should be taken into account when assessing the likelihood that a risk response will be adequate. More precisely, CAEs assess the degree of residual risk that they consider to be remaining for each significant risk given the organization’s ERM maturity in this area.
Gathering Evidence Implementation Guide 2120 notes that the internal audit activity should obtain sufficient information (evidence) to evaluate the effectiveness of the organization’s risk management processes. This evidence needs to support the soundness of risk management processes and their ability to meet risk management objectives. The guide recommends the following audit procedures: • Research internal and external new developments and trends related to the organization’s industry that may affect the organization’s risk picture. This might include the emergence of new competitors, changes in tax codes, or pending regulations. • Review the organization’s strategic plan, business plan, and policies and have discussions with the board and senior management to gain insight to assess whether the organization’s strategic objectives support and align with its mission, vision, and risk appetite. • Review previous risk assessments and related evaluation reports from management, internal and external auditors, regulators, and other sources. The presence of unremediated risks may indicate a change in the organization’s risk appetite. • Interview mid-level management to understand alignment of the organization’s mission, objectives, and risk appetite at the business unit level. • Evaluate the effectiveness of mitigation, monitoring, and communication related to risks and controls. • Assess the appropriateness of reporting lines for risk monitoring activities. • Review the adequacy and timeliness of reporting on risk management results.
• Review the completeness of management’s risk analysis and steps taken to respond to findings. • Determine the effectiveness of management’s self-assessment process through observation and direct tests. • Discuss weaknesses in risk management processes and practices with senior management and the board. • Conduct risk assessment and independently perform a gap analysis to determine whether significant risks are being identified and assessed adequately. Auditing tools can include observation, interviews, document review, analysis (e.g., risk model, control self-assessment, root cause, statistical, “near miss”), process mapping, and surveys.
Documentation Although documentation of risk management processes may be lacking in some organizations, documentation of the evaluation of risk management processes is important—especially when an organization is reporting on the effectiveness of its ERM to external parties. “Assessing the Adequacy of Risk Management Using ISO 31000” recommends documentation of key characteristics of risk management processes, such as: • An overall strategy for risk management. • Risk communication structures. • Allocation of resources. • Analysis of cost-effectiveness of controls using technology. • Performance of monitoring. • Inclusion of risk management as a principle in decision making and
performance management decisions.
Audit Challenges There may be multiple groups involved in evaluating risk management processes. In addition, while internal audits of risk management processes may occur at one time, they may also occur in phases. Coordinating these perspectives and aggregating data from separate audits can be a challenge, but it is critical to avoid missing important observations and patterns or trends. Staffing audits with the same teams over dedicated periods of time can have its advantages, including, but not necessarily limited to, bringing greater continuity to audit activities. It is also important that CAEs consider the activity’s risk management responsibility when managing human resources. Staff development should support understanding of risk management processes and their elements, but it should also support staff’s ability to communicate risk management principles and process elements to their engagement clients.
Management’s Acceptance of Risk The internal audit activity assesses the effectiveness of the organizational risk management processes through its assurance engagements and recommends improvements to the board and the audit committee. In evaluating internal processes, the internal audit activity provides reasonable assurance as to whether the processes in place should enable the organization to mitigate risk and fulfill goals and objectives efficiently and economically. Performance Standard 2600, “Communicating the Acceptance of Risks,” states: When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must
communicate the matter to the board.
Interpretation of Standard 2600 clarifies how risks can be identified and who is responsible for managing that risk: The identification of risk accepted by management may be observed through an assurance or consulting engagement, monitoring progress on actions taken by management as a result of prior engagements, or other means. It is not the responsibility of the chief audit executive to resolve the risk.
Risk acceptance responsibility is also discussed in Implementation Guide 2060, “Reporting to Senior Management and the Board”: A primary purpose of CAE reporting is to provide assurance and advice to senior management and the board regarding the organization’s governance (Standard 2110), risk management (Standard 2120), and controls (Standard 2130) …If the CAE believes that senior management has accepted a level of risk that the organization would consider unacceptable, the CAE should first discuss the matter with senior management. If the CAE and senior management cannot resolve the matter, Standard 2600 directs the CAE to communicate the matter to the board. If such issues are too urgent to wait until a scheduled board meeting, the CAE would be well advised to make arrangements to communicate sooner.
Unforeseen Risks Audit engagement plans prioritize engagements based on several factors, including effective resource utilization, risk priorities, and the significance of risks and exposure. Final audit activity reports include conclusions/opinions, observations, findings, and recommendations as appropriate (based on the scope of the engagements). However, unforeseen risks—beyond those considered in the risk-based planning phase for engagements—can and often do arise. Consider some of the myriad possibilities: • Legal actions • Product/service liability issues • Employee wrongdoing
• Accidents • Vandalism • Sabotage • Employee errors • Supplier errors • Delinquent accounts payable • Unacceptable yield from financial investments • Unacceptable project paybacks • Natural disasters • Unexpected departure, death, or disability of key personnel • Inadequate controls • Fraud The reality is that even the most efficient and effective risk management processes cannot forecast all potential risks. As unforeseen risks arise that in the CAE’s judgment are significant, the CAE should discuss the risk exposures with the board and audit committee.
Topic I: Types of Controls and Management Control Techniques (Level P) What Is Internal Control? Multiple definitions provide insight about control, the control environment, and internal control. The Standards Glossary defines control as: Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The Internal Control—Integrated Framework published by COSO includes the following definition of internal control: Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
Fundamental concepts are inherent in this definition: • Internal control is an ongoing process, and it is effected by people at all organizational levels. • Management and the board receive reasonable assurance, not absolute assurance. • Internal control transcends policy manuals and forms and is geared toward the achievement of organizational objectives (in operations, reporting, and compliance).
• Internal control is flexible and adaptable to the organization’s structure. As these multiple definitions point out, internal controls provide reasonable assurance regarding the achievement of objectives.
Types of Controls As we can see from the examples in Exhibit V-30, there is a tremendous variety of controls available to management. Which control or combination of controls is best depends on the objective and the business environment.
Exhibit V-30: Examples of Control Tools
• Ethical “tone at the top,” communicated in words and actions
• Organizational structure that promotes the flow of information
• Clear definition of responsibilities
• Delegation of authority commensurate with responsibility
• Mechanisms to hold people accountable for results
• Reward mechanisms
• Qualified and well-trained personnel, particularly in key positions
• Positive, motivating work environment
• Effective empowerment of employees
• An atmosphere of mutual trust
• Frequent interaction between senior and operating management
• Appropriate policies and procedures for hiring, training, promoting, and compensating employees
• Written policies and procedures
• Performance standards
• Procedures for authorizing and processing transactions
• Formal compliance program, including a designated compliance officer
• Checklists
• Forms control (e.g., prenumbered documents, maintaining integrity of numerical sequence, limited access to key forms)
• Exception reports (e.g., receivables past due, overtime, duplicate payments, discounts not taken)
• Reviews: budget-to-actual comparison, current-to-prior period comparison, performance indicators, project management reports, etc.
• Independent verification of performance
• Reconciliations
• Security for assets and records
• Supervisory review
• Segregation of duties (e.g., separation of initiation, authorization, recording, and custody; at least two sets of eyes involved in every transaction)
• Information systems controls:
  • Input controls—authorization, validation, error notification and correction (e.g., blocked transactions, transaction limits, error listings, field checks, self-checking digits, sequence checks, validity checks, completeness checks)
  • Processing controls (e.g., edit checks, control totals and other programmed steps within application software, audit trails)
  • Output controls (e.g., output review, exception reports, master file change reports)
  • Data security system
  • Backup and recovery policies and procedures
  • Environmental controls (e.g., heat, humidity, fire extinguishers)
  • Disaster recovery or business continuity plans (tested periodically)
  • Software license compliance controls
Source: Control Model Implementation: Best Practices by James Roth.
Control types can be classified in a number of ways.
Entity-, Process-, and Transaction-Level Controls Some controls are designed to operate at a high, overarching level, while others apply to specific processes or transactions. Entity-Level Controls Entity-level controls apply to the entire organization and are designed both to ensure that organizational objectives are achieved and to mitigate risks that threaten the organization as a whole. Major subtypes of entity-level controls include the following: • Governance controls. Governance controls are often directive in nature and establish the control culture, clarify organizational expectations, and include organization-wide policies and procedures. Examples of establishing the culture and clarifying expectations include instituting audit committee oversight over controls or communicating the board and top management’s risk appetite or attitude toward
financial reporting; examples of policies and procedures include a code of ethics, compliance policies, IT policies, and management procedures such as conducting enterprise risk management. • Management oversight controls. These controls are set at the business unit or line management level to address achievement of business unit objectives and mitigation of business unit risks. Examples include risk committees, some period-end controls, and IT general controls. Process-Level Controls Process-level controls are established by a process owner to ensure that the objectives of the process are achieved and that process-level risks are addressed. Examples include supervision, monitoring, oversight, process-level risk assessments, performance evaluations, key account reconciliation, and inventory counts. Transaction-Level Controls Transaction-level controls are specific to individual transactions. They exist to ensure that the objectives of the transaction are achieved and transaction-specific risks are addressed. Examples include documentation requirements, segregation of duties or authorizations, and IT application controls (input, processing, output).
Key Controls versus Secondary Controls Controls can also be classified based on their relative importance. Sawyer’s provides the following definitions: • Key controls. “Controls that must operate effectively to reduce a significant risk to an acceptable level.” • Secondary controls. “Controls that help the process run smoothly but are not essential.” Key controls are those controls that, if omitted, would make it very difficult to achieve the desired outcome or business objective. Secondary
controls exist either to mitigate risks that are not considered significant or as an added/redundant control already addressed by a key control. The clear intent behind identifying key controls is to ensure that management supervision and controls testing and other audit procedures are efficient, do not waste time and resources, and focus on key risks and achievement of organizational objectives. Each risk at the entity, process, or transaction level that has been identified as a significant risk in a risk assessment process will have one or more key controls associated with it. Secondary controls are the remaining controls in a system. Ensuring that the “tone at the top” reinforces rather than undermines process-level controls is an example of a key governance control at the entity level. A related secondary control might be ensuring that mission and vision statements are revisited and recommunicated. At the management oversight level of entity controls, some key controls exist that can monitor the effectiveness of several other secondary controls and indicate when breakdowns in the lower-level controls are occurring, thus providing an early indicator of a control failure and reducing the amount of testing needed for the secondary controls. At the process level, reconciliations of key accounts rather than all accounts (secondary controls) could provide sufficient evidence of whether the entire process is likely to achieve its objectives. At the transaction level, a check sum for an accounting entry could provide evidence that other transaction-level controls are operating effectively. Controls allowing only a certain range of numeric data in a field might be secondary.
Controls by Function Many terms commonly used to describe types of controls are based on their functions. • Preventive controls. These are proactive controls that deter undesirable events from occurring. An example is a reward mechanism based on a relevant key performance indicator for an area rather than on achieving an arbitrary budget number. Preventive controls are generally
considered the strongest type of control, as they are established for the purpose of stopping a risk event from occurring in the first place. • Detective controls. Detective controls are reactive and detect undesirable events that have occurred. Examples are account reconciliations or exception reports. • Corrective controls. Corrective controls are reactive controls designed to allow manual or automated correction of errors or irregularities discovered by detective controls, including resolution of duplicate payments in a cash disbursement system, audit trails, or backup and recovery procedures. • Directive controls. Directive controls are proactive controls that cause or encourage a desirable event to occur. Guidelines, training programs, and incentive plans are examples of directive controls. • Mitigating controls. Mitigating controls reduce the potential impact should a risk event occur. Insurance is a prime example of a mitigating control. • Compensating controls. These controls compensate for the lack of an expected control. For example, close supervisory review may compensate for a lack of segregation of duties where a small staff size makes proper segregation impractical. • Redundant controls. Redundant or backup controls duplicate a control objective or a secondary control that operates only if a key control fails, for example, a spillover pool below a toxic substance holding tank.
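Two of the detective controls named above, account-level exception reports for duplicate payments and for receivables past due, as an added example that is not code from the learning system. It runs over a constructed payments ledger and a constructed receivables list; the vendor, invoice and amount values are samples, and the invoice-normalization rule and ageing buckets are assumptions. The duplicate report hands the later payment of each pair to a review queue, which is the point where a corrective control takes over.

```python
"""Detective controls as exception reports over constructed ledger data.

Added illustration, not code from the learning system. Ledger values,
the invoice-normalization rule and the ageing buckets are assumptions.
"""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed payments ledger. P2 repeats P1 exactly; P5 repeats P4 with a
# re-keyed invoice reference ("inv-0091" versus "INV-91").
SAMPLE_PAYMENTS = [
    {"id": "P1", "vendor": "V100", "invoice": "INV-77", "amount": Decimal("1250.00"), "date": date(2024, 3, 4)},
    {"id": "P2", "vendor": "V100", "invoice": "INV-77", "amount": Decimal("1250.00"), "date": date(2024, 3, 18)},
    {"id": "P3", "vendor": "V200", "invoice": "INV-12", "amount": Decimal("480.00"), "date": date(2024, 3, 5)},
    {"id": "P4", "vendor": "V300", "invoice": "inv-0091", "amount": Decimal("99.50"), "date": date(2024, 3, 6)},
    {"id": "P5", "vendor": "V300", "invoice": "INV-91", "amount": Decimal("99.50"), "date": date(2024, 3, 20)},
]

# Constructed open receivables; AR-504 is settled and must not appear.
SAMPLE_RECEIVABLES = [
    {"invoice": "AR-501", "customer": "C1", "amount": Decimal("2500.00"), "due": date(2024, 2, 15), "paid": False},
    {"invoice": "AR-502", "customer": "C2", "amount": Decimal("800.00"), "due": date(2024, 3, 10), "paid": False},
    {"invoice": "AR-503", "customer": "C1", "amount": Decimal("150.00"), "due": date(2024, 3, 25), "paid": False},
    {"invoice": "AR-504", "customer": "C3", "amount": Decimal("600.00"), "due": date(2024, 1, 5), "paid": True},
    {"invoice": "AR-505", "customer": "C3", "amount": Decimal("4200.00"), "due": date(2023, 11, 30), "paid": False},
]
REPORT_DATE = date(2024, 3, 31)   # assumed "as of" date for the ageing report


def normalize_invoice(ref: str) -> str:
    """Collapse case, punctuation and leading zeros so a re-keyed reference
    does not slip past an exact-match duplicate check (assumed rule)."""
    ref = re.sub(r"[^A-Za-z0-9]", "", ref).upper()
    return re.sub(r"(?<!\d)0+(?=\d)", "", ref)   # "INV0091" -> "INV91", "INV100" unchanged


def duplicate_payments(payments: list[dict]) -> list[dict]:
    """Exception report: payments sharing vendor, normalized invoice and amount.
    The earliest is treated as the original; later ones are held for review."""
    groups: dict[tuple, list[dict]] = defaultdict(list)
    for p in payments:
        groups[(p["vendor"], normalize_invoice(p["invoice"]), p["amount"])].append(p)
    report = []
    for (vendor, inv, amount), items in groups.items():
        if len(items) > 1:
            items.sort(key=lambda p: p["date"])
            report.append({"vendor": vendor, "invoice": inv, "amount": amount,
                           "original": items[0]["id"],
                           "hold_for_review": [p["id"] for p in items[1:]]})
    return report


AGEING_BUCKETS = ((30, "1-30"), (60, "31-60"), (90, "61-90"))   # assumed buckets


def ageing_bucket(days: int) -> str:
    for limit, label in AGEING_BUCKETS:
        if days <= limit:
            return label
    return "90+"


def past_due_receivables(receivables: list[dict], as_of: date) -> list[dict]:
    """Exception report: unpaid invoices past their due date, oldest first."""
    report = []
    for r in receivables:
        days = (as_of - r["due"]).days
        if r["paid"] or days <= 0:
            continue
        report.append({"invoice": r["invoice"], "customer": r["customer"], "amount": r["amount"],
                       "days_past_due": days, "bucket": ageing_bucket(days)})
    report.sort(key=lambda x: -x["days_past_due"])
    return report


def past_due_total(report: list[dict]) -> Decimal:
    return sum((r["amount"] for r in report), Decimal("0"))


if __name__ == "__main__":
    for line in duplicate_payments(SAMPLE_PAYMENTS):
        print("duplicate:", line)
    aged = past_due_receivables(SAMPLE_RECEIVABLES, REPORT_DATE)
    for line in aged:
        print("past due:", line)
    print("total past due:", past_due_total(aged))
```

Matching on a normalized invoice reference rather than the raw string is what makes the report detective rather than decorative: the second pair differs only in case and a leading zero, which an exact-match query would miss.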
Active/Manual versus Passive/Automated Controls Controls may be categorized as active (manual) or passive (automated): • An active control (or manual control) implies a task that prevents or detects a deviation from the approved procedure. We can think of it as
a control that works by some type of conscious intervention. An example is a manager’s review of transactions. • A passive control (or automated control) operates without human intervention. An example may be controls built into the computer system or a relationship or process that possesses control implications. We can think of it as a control that works by just being there. An example is a thermostat set to maintain the temperature of a room.
Hard versus Soft Controls The term “soft controls” was first used in a 1980 publication entitled Internal Control in U.S. Corporations: The State of the Art by Robert K. Mautz. It has since become a major influence on internal auditors. Generally speaking, hard controls are more scientific in nature and soft controls are more humanistic. These terms can be defined as follows: • Hard controls. These controls tend to be quantitative and objective, meaning that traditional audit tests can be used to test compliance. Inspecting meeting minutes or performing a monthly budget-to-actual analysis are examples. • Soft controls. These controls tend to be qualitative and subjective and are intended to be indicative of the culture of an organization, such as states of mind or perceptions. For example, soft controls may include policies to determine whether a body of knowledge is sufficient to corroborate results or support conclusions. While soft controls can put a company at risk due to their intangible nature, they are as critical as hard controls for promoting effective GRC. Exhibit V-31 lists common examples of both types.
Exhibit V-31: Hard and Soft Internal Controls
Hard Control Examples
• Policy/procedure
• Organizational structure
• Bureaucracy
• Restrictive formal processes
• Centralized decision making
Soft Control Examples
• Competence
• Trust
• Shared values
• Strong leadership
• High expectations
• Openness
• High ethical standards
The assessment of control efficiency and effectiveness is a foundational aspect of the internal audit activity. Yet to focus on only hard controls (e.g., documented policies and procedures) at the process level yields an incomplete assessment. To evaluate internal control and provide reasonable assurance to senior management and the board, the internal audit activity must include the intangible, inherently subjective soft controls.
IT Controls

Similar to the concept of entity-level versus process- and transaction-level controls, information technology also has levels of control to address risks associated with IT systems:
• IT general controls. IT general controls (ITGC) are entity-level controls that apply to general IT processes such as change management, deployment, access security, and operations and that can be applied to most if not all information systems in general. IT general controls consist of governance controls such as a privacy policy as well as management oversight controls such as testing standards or segregation of IT duties.
• Application controls or technical controls. Application or technical controls are process- or transaction-level controls that are usually specific to a given application but may also control larger technical processes such as system access rights. Application controls are sometimes grouped by common function:
  • Input controls. Input controls verify the integrity of data as it is manually or automatically entered into a system. For example, a control total might verify that the proper number of records is entered.
  • Processing controls. Processing controls check that data processing tasks are accurate, complete, and valid. For example, a control total might be compared at various processing points.
  • Output controls. Output controls verify that the data outputs are accurate, complete, and valid. An example is a control to ensure that output is being sent to and received by the intended recipients and no other person or system.
IT control tools such as audit trails are discussed in Part 3 of this learning system and are addressed primarily in Part 3 of the CIA exam.
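The three application-control groups above, as an added example that is not from the IIA text: input, processing, and output controls implemented as batch control totals (record count, amount total, and a hash total) over a constructed payroll batch. All employee ids, amounts, the deduction rate, and the recipient name are hypothetical.

```python
"""Added example, not from the IIA text: the three application-control groups
(input, processing, output) implemented as batch control totals over a
constructed payroll batch. All names, ids and amounts are hypothetical."""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

@dataclass(frozen=True)
class GrossRecord:
    employee_id: str
    gross: Decimal

@dataclass(frozen=True)
class NetRecord:
    employee_id: str
    net: Decimal
    deduction: Decimal

@dataclass(frozen=True)
class ControlTotals:
    record_count: int       # number of records in the batch
    amount_total: Decimal   # financial total of the batch
    hash_total: int         # sum of employee ids: a meaningless figure whose only
                            # job is to expose a dropped, duplicated or swapped record

# Constructed batch and the header totals the submitting department declared for it.
BATCH = [
    GrossRecord("1001", Decimal("2500.00")),
    GrossRecord("1002", Decimal("3100.50")),
    GrossRecord("1003", Decimal("1875.25")),
]
HEADER = ControlTotals(record_count=3, amount_total=Decimal("7475.75"), hash_total=3006)
BAD_HEADER = ControlTotals(record_count=4, amount_total=Decimal("7475.75"), hash_total=3006)
DEDUCTION_RATE = Decimal("0.10")          # hypothetical withholding rate
AUTHORIZED_RECIPIENT = "payroll-bank-gateway"  # hypothetical intended recipient

def gross_totals(records):
    """Recompute control totals from the records actually present."""
    return ControlTotals(
        record_count=len(records),
        amount_total=sum((r.gross for r in records), Decimal("0.00")),
        hash_total=sum(int(r.employee_id) for r in records),
    )

def input_control(records, declared):
    """Input control: the header's declared totals must match what was entered.
    Returns a list of discrepancies; an empty list means the batch is accepted."""
    actual = gross_totals(records)
    issues = []
    for name in ("record_count", "amount_total", "hash_total"):
        got, want = getattr(actual, name), getattr(declared, name)
        if got != want:
            issues.append(f"{name}: entered {got}, declared {want}")
    return issues

def apply_deduction(records, rate):
    """Processing step: withhold `rate` of each gross amount, rounded to cents."""
    out = []
    for r in records:
        deduction = (r.gross * rate).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
        out.append(NetRecord(r.employee_id, r.gross - deduction, deduction))
    return out

def net_total(processed):
    return sum((r.net for r in processed), Decimal("0.00"))

def processing_control(before, processed):
    """Processing control: compare totals taken before the step with totals
    re-derived after it. Count and hash total must be unchanged, and net pay
    plus deductions must still add up to the original gross total."""
    issues = []
    if len(processed) != before.record_count:
        issues.append(f"record_count: {len(processed)} after, {before.record_count} before")
    hash_after = sum(int(r.employee_id) for r in processed)
    if hash_after != before.hash_total:
        issues.append(f"hash_total: {hash_after} after, {before.hash_total} before")
    reconciled = net_total(processed) + sum((r.deduction for r in processed), Decimal("0.00"))
    if reconciled != before.amount_total:
        issues.append(f"amount_total: net + deductions {reconciled}, gross {before.amount_total}")
    return issues

def output_control(processed, before, requested_by):
    """Output control: release the file only to the intended recipient, and only
    if what is about to leave still reconciles to the batch that came in."""
    if requested_by != AUTHORIZED_RECIPIENT:
        return False, f"refused: {requested_by!r} is not the intended recipient"
    if processing_control(before, processed):
        return False, "refused: output does not reconcile to the input batch"
    return True, f"released {len(processed)} records to {requested_by}"

if __name__ == "__main__":
    totals = gross_totals(BATCH)
    processed = apply_deduction(BATCH, DEDUCTION_RATE)
    print("input control:", input_control(BATCH, HEADER) or "pass")
    print("input control, bad header:", input_control(BATCH, BAD_HEADER))
    print("processing control:", processing_control(totals, processed) or "pass")
    print("processing control, record dropped:", processing_control(totals, processed[:2]))
    print("output control, wrong recipient:", output_control(processed, totals, "unknown-mailbox"))
```

The hash total is deliberately a sum of identifiers with no business meaning; that is what lets it catch a substituted record that a count or amount check alone would miss.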
Benefits/Limitations of Internal Control

Organizations should not have unrealistic expectations about internal control. Internal control has both distinct benefits and distinct limitations, as indicated in Exhibit V-32.

Exhibit V-32: Benefits and Limitations of Internal Control

Internal Control Can Help . . .
• Achieve organizational performance and profitability targets.
• Prevent loss of resources.
• Support reliable financial reporting.
• Support compliance with laws, regulations, and internal policies and procedures to avoid damage to reputation and other consequences.

Internal Control Cannot . . .
• Ensure organizational success or even survival.
• Ensure the reliability of financial reporting.
• Ensure absolute compliance with laws, regulations, and policies and procedures.
Judgment, management override, and other like factors allow for only reasonable assurance that controls will mitigate risk. Other factors may limit the benefits of controls:
• Excessive and/or redundant controls can lead to confusion and frustration.
• Overreliance on controls may cost more than the exposure the controls are intended to guard against.
• Overemphasis on controls can lead people to focus on merely satisfying the controls and cause them to lose sight of business objectives.
• Changes and time may make controls obsolete.
• Unless personnel buy in to the controls, or if they do not understand the objectives to be met, people may resist the controls and their creativity and initiative may be thwarted.
Topic J: Internal Control Frameworks (Level P)

Organizations establish goals and objectives and then assess the risks of achieving those objectives. A control strategy and internal controls help to ensure that operations are successful, protect resources, and enhance the probability of the objectives being met. Controls may be tangible policies, procedures, and activities, or they may be embodied in less tangible behavioral aspects such as ethical values. They are designed by management and put into place with the intent of containing risks within the risk tolerances established by the organizational risk management process so that business objectives can be achieved at the lowest costs. But effective internal control is more than implementing a range of procedures. Internal control is a dynamic process that cuts across all levels in an organization.

A control framework is a recognized system of concepts encompassing all elements of internal control. Increasingly, organizations are using control frameworks to establish effective internal control systems. Authoritative agencies around the world have developed different control models as a way to provide guidance on the components of internal control that should be evaluated. Although most control frameworks have a similar structure, individual frameworks might have a unique focus or purpose. Some of the more common frameworks include:
• COSO’s Internal Control—Integrated Framework.
• The U.K. Code of Corporate Governance (commonly referred to as the Cadbury report).
• The Criteria of Control framework (CoCo), introduced by the Canadian Institute of Chartered Accountants (now CPA Canada).
• The King Report on Corporate Governance, introduced by the King Committee for South Africa.
• The Control Objectives for Information and Related Technology (COBIT) model, used for IT governance and management.
• The Basel Committee framework, used by many banking institutions.
These all define control in terms of managing risk to objectives and outline specific elements that help to do so. Incorporating and adopting various elements from these models into a control system helps management and oversight bodies achieve strategic objectives. Whichever control framework an organization uses, it facilitates the ability to document and report on the adequacy of internal controls. The internal audit activity evaluates control efficiency and effectiveness against framework criteria and determines whether the controls in place are adequate to mitigate the risks that threaten the organization. This topic explores these common frameworks and provides details on their individual approach to internal control.
COSO’s Internal Control—Integrated Framework COSO’s Internal Control—Integrated Framework provides guidance to management on how to establish better controls so organizations can achieve their objectives through effective operations. Internal auditors can also use the framework to evaluate an organization’s system of internal controls. The original framework was introduced in 1992. In 2013, the framework was updated to incorporate business and operating environment changes and to provide better interpretation of its components. The COSO framework has been widely adopted by corporate businesses around the world.
COSO Objectives

According to the COSO model, internal control provides reasonable assurance to an organization regarding the achievement of objectives in the following areas:
• Operations objectives (effectiveness and efficiency of operations). This category is related to an organization’s basic business objectives, including performance, profitability, and the safeguarding of resources.
• Reporting objectives (reliability of reporting). This category pertains to internal and external financial and nonfinancial reporting and may include terms set up by the organization’s policies or recognized standard setters, such as reliability, timeliness, and transparency.
• Compliance objectives (compliance with applicable laws and regulations). This category includes all laws and regulations that apply to the organization.
COSO Components

The five interrelated components of COSO’s internal control framework are summarized in Exhibit V-33.

Exhibit V-33: COSO Internal Control Components

Control environment: According to COSO, the control environment “is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.” It sets the tone of an organization by influencing the control consciousness and attitudes of its employees, contractors, vendors, and business partners. It is the foundation for all other components of internal control, providing discipline and structure. It is considered the most critical component, because the control environment has a tremendous impact on the other four components.

Risk assessment: According to COSO, “Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity’s objectives.” Risk assessment forms the basis for determining how the risks should be managed.

Control activities: According to COSO, “Control activities are the actions established by policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out.” Control activities include policies and procedures that set expectations as well as more directive controls such as selecting and developing IT general controls.

Information and communication: Pertinent information must be identified, captured, and communicated internally and externally in a form and time frame that enable internal and external persons to carry out their responsibilities. Effective communication must also occur in a broader sense, flowing down, across, and up the organization.

Monitoring: Internal control systems need to be monitored by management—a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two.

Source: Internal Control—Integrated Framework, COSO.
Relationship of Objectives and Components in the COSO Framework

Similar to the COSO enterprise risk management model (which was discussed earlier), the COSO internal control framework establishes a direct relationship between organizational objectives (what the entity strives to achieve) and the components (which represent what is needed to achieve the objectives). The relationship is depicted as the three-dimensional cube-shaped matrix shown in Exhibit V-34.

Exhibit V-34: COSO Internal Control Matrix
Source: Internal Control—Integrated Framework, COSO.
Note the following characteristics about the COSO matrix:
• The top of the cube depicts the three categories of organizational objectives.
• The horizontal rows represent the five components.
• The entity organizational structure is depicted by the four vertical columns along the side of the cube.
The objectives and the components cut across each other, and an organization must follow the entire matrix to be considered COSO-compliant. For example, financial and nonfinancial information generated from internal and external sources is part of the information and communication component. The information relates to all three objectives categories as it helps to:
• Effectively and efficiently manage business operations.
• Develop reliable financial and nonfinancial reports.
• Determine that an entity is complying with applicable laws and regulations.
The COSO Framework Principles

The COSO framework identifies 17 principles representing the fundamental concepts associated with each component. Because these principles are drawn directly from the components, an entity can achieve effective internal control by ensuring all 17 principles are present and functioning in an integrated manner. All principles apply to operations, reporting, and compliance objectives. The principles supporting the components of internal control are listed in Exhibit V-35.

Exhibit V-35: COSO’s 17 Principles of Internal Control

Control environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information and communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Source: Internal Control—Integrated Framework, © 2013 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.
Note that, for each of these principles, the Internal Control—Integrated Framework provides what COSO calls “points of focus.” These are important characteristics of each principle. For example, for the first principle, one point of focus relates to setting the tone at the top, and there is a discussion of how the board of directors and management demonstrate this tone. COSO notes that management can decide which points are suitable and relevant and which are not. These points can be helpful in designing, implementing, or executing internal control and in providing assessments of internal control, but the COSO framework “does not require that management assess separately whether points of focus are in place.”
Effective Internal Control The Internal Control—Integrated Framework provides the requirements for an effective system of control, one that will provide reasonable assurance of the achievement of the organization’s strategy and objectives. Such a system reduces the risk of not achieving the business objectives to an acceptable level. This requires that all five components and relevant principles are present and functioning in an integrated manner. Experienced practitioners have learned that there is no “one size fits all” solution. The framework requires judgment in designing, implementing, and assessing internal control for effectiveness. It should be tailored using management’s best judgment within the entity’s risk tolerances and the boundaries of laws, rules, regulations, and standards. The COSO control framework is relevant for all industries. For more information on the framework, consult the Internal Control—Integrated Framework publication or visit the COSO website at www.coso.org.
Alternative Control Frameworks

The Cadbury Model

The Cadbury model was published by The Institute of Chartered Accountants in England and Wales (ICAEW). The elements of the Cadbury model are quite similar to the COSO components:
• Control environment. The attitude and actions of the directors, management, and employees that set the tone for control in the organization.
• Identification and evaluation of risks and control objectives. The identification and analysis of relevant business risks in a timely manner.
• Information and communication. The performance indicators, information systems, and other systems that communicate the right information to the right people and enable them to carry out their responsibilities.
• Control procedures. The policies and procedures or control activities that facilitate the execution of management directives and ensure compliance.
• Monitoring and corrective action. The monitoring process that assesses the quality of the internal control system’s performance and reports on required changes and weaknesses necessitating corrective action.
While the Cadbury model acknowledged that the board has responsibility for the full spectrum of internal control, it dealt primarily with the reliability of financial reporting. Subsequently, in 1999, the ICAEW issued the Turnbull guidance (detailed earlier in this section, in Topic F), which expanded the concept beyond financial controls. For more information on the Cadbury model, visit the ICAEW website at www.icaew.co.uk.
Criteria of Control (CoCo)

The CPA Canada report “Guidance on Control” includes a control model referred to as Criteria of Control (CoCo). The CoCo model generally describes internal control as actions that foster the best result for an organization. According to CoCo, control involves “those elements of an organization (including its resources, systems, processes, culture, structure, and tasks) that, taken together, support people in the achievement of the organization’s objectives.” The framework outlines criteria broken down into four interrelated components:
• Purpose. The mission, vision, strategy, risks and opportunities, policies, planning, and performance targets and indicators that provide a clear driver for control criteria that people can understand.
• Commitment. The ethical values, integrity, human resource policies, authority, accountability, and mutual trust that get people to commit to the control philosophy.
• Capability. The knowledge, skills, tools, communication processes, information, coordination, and control activities that provide people with the resources and competence to participate in designing and installing good controls and being able to assess risks.
• Monitoring and learning. The monitoring of internal and external environments and performance as well as challenging assumptions, reassessing information needs and information systems, conducting follow-up procedures, and assessing the effectiveness of control.
The CoCo model presents 20 specific control criteria within these control components. It states that all 20 must be in place for internal control to be effective.
The King Report on Corporate Governance

The King Report on Corporate Governance is the output of South Africa’s King Committee on Corporate Governance. There have been four reports; the latest is King IV (2016). These reports have been adopted by many organizations globally as best-practices models for developing a framework for corporate governance. The reports provide a model for good governance that requires an integrated approach inclusive of stakeholder interests and a focus on environmental and social bottom lines in addition to the economic bottom line. (In other words, corporate social responsibility, as discussed in Topic D of this section.) The reports contain a Code of Corporate Practices and Conduct:
• Discipline. Organizations commit to disciplined behavior that is universally accepted as proper and correct.
• Transparency. Organizations commit to make it easy for outsiders to analyze the organization’s activities.
• Independence. Organizations are self-reliant and can manage or avoid conflict.
• Accountability. Organizations develop ways to accept and acknowledge the positive and negative consequences of their actions.
• Responsibility. Organizations design corrective action into all processes and consider the needs of all stakeholders in decision making.
• Fairness. Organizations balance competing interests.
• Social responsibility. Organizations embed corporate social responsibility programs into their core business model.
The reports address the role and function of internal auditing as well as specific reporting requirements such as the need for audit committees to approve all appointments and dismissals of the CAE. They also call for audit plans to be based on a risk assessment and on issues called out for scrutiny by the audit committee and senior management. The later reports emphasize effective leadership based on an ethical foundation and the need to fundamentally redesign the organization around sustainability. Innovation, fairness, and collaboration are described as key tools to achieve sustainability. Internal auditors are also placed as central to maintaining proper governance and developing organizational strategy. King III highlighted the imperative to use risk-based auditing, stating:

    A compliance-based approach to internal audit adds little value to the governance of a company as it merely assesses compliance with existing procedures and processes without an evaluation of whether or not the procedure or process is an adequate control. A risk-based approach is more effective as it allows internal audit to determine whether controls are effective in managing the risks which arise from the strategic direction that a company, through its board, has decided to adopt.
It went on to recommend that internal auditors assess the general effectiveness of the system of internal controls (control environment) and risk management processes. The current version of the report is principle- and outcomes-based rather than rules-based, focusing on transparency and targeted, well-considered disclosures that require entities to explain how the principles are applied. For more information on the King IV Report, visit The Institute of Directors in Southern Africa (IoDSA) website at www.iodsa.co.za/page/KingIVReport.
The COBIT Framework

COBIT, formerly known as Control Objectives for Information and Related Technology, is an internationally accepted framework created by ISACA that helps enterprises to achieve their objectives for the governance and management of IT. The current version of the framework, COBIT 5, is a family of products that helps management understand the role of IT and its place in organizational strategy, helps users be more satisfied with IT security and outcomes, and sets clear lines of responsibility. It also helps managers create more value from IT resources, meet regulatory compliance, and control IT risks by providing better risk awareness so that informed risk decisions can be made. In addition to the framework document, the COBIT 5 family of products includes published guidance related to enabling processes (these are defined later) and other types of professional guidance such as an implementation guide. There is also an online collaborative environment.

The COBIT 5 framework is built on a generic set of five key principles and seven enabling processes that can be adapted for use by any size or type of organization to set and achieve separate governance and management objectives for its information systems. Since the enabling processes are referred to in each of the key principles, they are listed here first and then described later:
1. Principles, policies, and frameworks
2. Processes
3. Organizational structures
4. Culture, ethics, and behavior
5. Information
6. Services, infrastructure, and applications
7. People, skills, and competencies
Exhibit V-36 illustrates the five key principles that form the COBIT 5 framework. Each key principle is explained next.

Exhibit V-36: COBIT’s Five Principles
Source: “COBIT 5: A Business Framework for the Governance and Management of Enterprise IT,” © 2012 ISACA. All rights reserved. Used with permission.
• Principle 1: Meeting stakeholder needs. Stakeholder needs drive value creation in an organization. Since the objective of governance is the creation of value in an organization, governance must define value creation as the realization of the benefits expected by stakeholders while optimizing the use of resources and the management of risks. The needs of stakeholders often conflict, such as shareholders’ need for profit versus regulators’ or society’s need for environmental sustainability. Therefore, the COBIT 5 framework promotes governance as a process of negotiating among stakeholders’ value interests and then deciding how best to create optimum value for stakeholders overall. Also, since this is a generic framework, what constitutes value for stakeholders may differ considerably, such as between for-profit and not-for-profit organizations. To help organizations define value, the COBIT 5 framework includes a values cascade, which is basically a set of tables that start with a set of 17 generic goals, for example, financial transparency. Organizations select from among these generic goals, which cascade down to 17 IT-related goals, for example, transparency of IT costs, benefits and risk, which in turn cascade down to a set of enabler goals. Enabler goals are the goals for COBIT 5’s enabling processes, such as people, skills, and competencies. The point is to translate stakeholder needs and the derived governance goals into priority-weighted IT goals and from there to easily implementable processes, policies, and procedures.
• Principle 2: Covering the enterprise end-to-end. The second principle is that IT governance must be wholly and completely part of the organization’s overall governance and internal control framework. The COBIT 5 framework integrates the most current governance models and concepts. It also applies to processes that have been outsourced or are part of an extended enterprise of partners in a supply chain. Because the seven enabling principles listed earlier are organization-wide in scope, focusing on each of these enablers allows governance to be end-to-end. The last part of this principle involves defining governance roles as well as their relationships and activities. Owners or shareholders delegate to a governing body such as the board, which sets the direction for management, which provides instructions to operations so that it remains aligned to stakeholder goals. Each relationship also includes a feedback process of reporting, monitoring, and accountability.
• Principle 3: Applying a single integrated framework. The COBIT 5 framework is designed to integrate seamlessly into other governance frameworks to provide a single source of organizational guidance. It avoids getting into technical details and integrates all guidance from prior ISACA publications and is designed to integrate with other governance frameworks, such as ISO/IEC 38500.
• Principle 4: Enabling a holistic approach. The seven enablers listed previously are used to implement each goal determined using the goals cascade. The first enabler—principles, policies, and frameworks—is central, because these provide practical guidance on how to shape desired behavior by doing specific management activities. The processes, organizational structures, and culture, ethics, and behavior principles are governance-directed management organizing activities that help ensure successful adoption of the principles, policies, and frameworks. Governance direction over culture, ethics, and behavior is critical to achieving goals, although the influence of these three factors is often underestimated. The remaining principles of information; services, infrastructure, and applications; and people, skills, and competencies are resource management enablers of the basic principles and framework. These enablers are interconnected and rely on one another to succeed. For example, processes need proper information, skills, and behavior to make them effective and efficient. For each enabler, the COBIT 5 framework has a set of enabler dimensions that ensure that each of the following is considered for each enabler:
  • Does measurement of leading indicators (predictive metrics) show that the proper inputs, practices, and outputs are being followed?
  • Does measurement of leading indicators show that the proper system development life cycle is being used (e.g., feedback is incorporated)?
  • Does measurement of lagging indicators (historical metrics) show that internal and external stakeholder requirements were met?
  • Does measurement of lagging indicators show achievement of enabler goals (e.g., quality, efficiency, effectiveness, security, accessibility)?
• Principle 5: Separating governance from management. The governance body of an organization, typically its board of directors, needs to see itself as a discipline separate from the management of an organization. The COBIT 5 framework outlines five governance processes and 32 management processes that are developed in detail in a supporting document, “COBIT 5: Enabling Processes.” For each governance process, the key roles are to evaluate, direct, and monitor. Governance processes include ensuring that the governance framework is in place and maintained, stakeholder benefits are delivered, risk responses are optimized, resource use is optimized, and transparency exists. The management processes are divided into the following categories that reflect a cyclical set of management roles:
  • Align, plan, and organize. Processes include managing strategy, systems infrastructure, risk, security, human resources, and relationships.
  • Build, acquire, and implement. Processes include project and change management, defining requirements, identifying and building solutions, and managing configuration, changes, knowledge, and assets.
  • Deliver, service, and support. Processes include managing operations, incidents and problems, continuity, security, and process controls.
  • Monitor, evaluate, and assess. Processes include monitoring, evaluating, and assessing performance and conformance, the control infrastructure, and compliance with external requirements.
The Basel III Standards

Basel III is a set of voluntary reform measures designed to strengthen the regulation, supervision, and risk management of the banking sector. These standards are a result of the global financial crisis in the late 2000s. Developed by the Basel Committee on Banking Supervision (BCBS), the goal of the framework is to protect banks against the possibility of future crises by regulating their relationships with other institutions. The standards include minimum requirements that apply to internationally active banks. They require banks to maintain a cushion of capital in order to continue lending money to credit-worthy institutions, even during periods of stress and economic uncertainty. The Basel III reform measures aim to:
• Improve the banking sector’s ability to absorb shocks arising from financial and economic stress, whatever the source.
• Improve risk management and governance.
• Strengthen banks’ transparency and disclosures.
The Basel III framework consists of three pillars:
• Pillar 1 sets calculations of regulatory capital requirements for credit, market, and operational risk.
• Pillar 2 outlines the process by which a bank should review its overall capital adequacy and the process under which the supervisors evaluate how well financial institutions are assessing their risks as well as the appropriate actions to take in response to those assessments.
• Pillar 3 sets the disclosure requirements for banks to publish certain details of their capital and risk management, with the aim of strengthening market discipline. It is intended to improve effective risk management by allowing comparison of performance across different sectors.
For more information on Basel III, visit the BCBS website at www.bis.org.
Topic K: The Effectiveness and Efficiency of Internal Controls (Level P) Performance Standard 2130, “Control,” states that “the internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.” As with the responsibility for evaluating risk exposure, internal auditing must apply knowledge concerning the adequacy of controls from consulting engagements to the evaluation of the effectiveness of the organization’s control processes. Evaluation of control effectiveness—especially for soft controls such as management values and ethics—often requires having a basic understanding of organizational needs and structure implications.
Related Standards and Implementation Guides
The Standards and Implementation Guides related to evaluating the effectiveness and efficiency of internal control are listed in Exhibit V-37.
Exhibit V-37: Internal Control Standards and Related Recommended Guidance
Standard: Performance Standard 2130, “Control”
The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
Related guidance: Implementation Guide 2130, “Control”
Standard: Implementation Standard 2130.A1 (Assurance Engagements)
The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to the risks within the organization’s governance, operations, and information systems regarding the:
• Achievement of the organization’s strategic objectives;
• Reliability and integrity of financial and operational information;
• Effectiveness and efficiency of operations and programs;
• Safeguarding of assets; and
• Compliance with laws, regulations, policies, procedures and contracts.
Related guidance: Implementation Guide 2130, “Control”; Practice Guide, “Auditing Privacy Risks,” second edition (replaces GTAG 5); Practice Guide, “Coordinating Risk Management and Assurance”
Standard: Implementation Standard 2210.A3 (Assurance Engagements)
Adequate criteria are needed to evaluate governance, risk management, and controls. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board.
Standard: Implementation Standard 2130.C1 (Consulting Engagements)
Internal auditors must incorporate knowledge of controls gained from consulting engagements into their evaluation of the organization’s control processes.
Other guidance for specific subjects can be found in the GTAG series of Practice Guides.
Evaluating Controls A useful concept when consulting with management on the evaluation of controls is the control loop. A control loop functions by measuring the state of the control at a given point and comparing it to the desired state for the system. The deviation from the desired state (the error) is used to determine corrective action. As shown in Exhibit V-38, the path forms a loop when diagrammed, hence the term “control loop.”
Exhibit V-38: The Control Loop
The process in a control loop is:
1. Determine the objective that management has established for the function and the company as a whole.
2. Establish the acceptable standard prior to beginning the evaluation of the controls.
3. Compare actual findings against the standards that were previously established.
4. Determine appropriate corrective action.
Objectives and reasons for controls need to be communicated to employees. If this is not done, employees may see controls as unnecessary, irrelevant, or a waste of time. Standards establish the performance expected. They provide a basis for measuring the objectives to be achieved. Whenever possible, standards should be quantitative. For example, a specific unit of time such as five days should be specified rather than “a reasonable time interval,” as qualitative measures can lead to wildly different subjective interpretations. Management needs assurance that controls are effective, and operating management should get this assurance for themselves through ongoing monitoring. Separate evaluations by independent parties (e.g., internal auditors) provide additional assurance, especially for management and the audit committee.
Internal auditors generally evaluate the effectiveness of a control by selecting a sample of instances when the control should have been applied and testing to determine whether it was applied correctly in each instance. Organizations may implement a variety of different techniques to document, assess, and report on the adequacy of internal controls. Regardless of the techniques used, some universal characteristics distinguish effective systems:
• Timely identification of potential or actual deviations so as to limit costly exposures
• Reasonable assurance of achieving intended objectives at a minimum cost with the fewest undesirable side effects
• Clear accountability that helps personnel to meet their assigned responsibilities
• Effective placement (e.g., where measurement is most convenient or time is left for corrective action)
• Root cause identification so corrective action is appropriate
• Alignment to management strategies and business objectives
As shown in Exhibit V-39, for a control system to be effective, every person in an organization has a role in internal control.
Exhibit V-39: Organizational Responsibilities for Internal Control
Area/Individual: Board of directors
Task: Establish and maintain the organization’s governance processes; provide oversight of the organization’s risk management and control processes; and obtain assurances concerning the effectiveness of the risk management and control processes.
Area/Individual: Senior managers
Task: Oversee the establishment, administration, and assessment of the system of risk management and control processes.
Area/Individual: Operational managers
Task: Design, apply, and provide ongoing monitoring of the control processes in their respective areas.
Area/Individual: Chief audit executive
Tasks:
• Develop an audit plan (typically annually) that ensures that sufficient evidence will be obtained to evaluate the effectiveness of the risk management and control processes.
• Guide the internal audit activity in its mission and in its efforts to perform sufficient audit work and gather other available information during the year so as to form a judgment about the adequacy and effectiveness of the risk management and control processes.
• Communicate the overall judgment about the organization’s risk management process and system of controls to senior management and the audit committee.
• Apply risk management processes to the internal audit activity.
Area/Individual: Audit committee
Tasks:
• Oversee the evaluation of the organization’s internal control system, including information technology security and control.
• Understand, review, and approve the scope of internal and external auditors’ review of internal control and obtain reports on significant findings and recommendations, together with management’s responses.
Area/Individual: Internal and external auditors
Task: Provide varying degrees of assurance about the state of effectiveness of the risk management and control processes in select activities and functions of the organization. Note: The external auditors’ focus is primarily on internal control over financial reporting; internal auditing encompasses all of internal control.
Area/Individual: Employees
Task: Perform job responsibilities to the level of identified standards.
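The control loop (objective, quantitative standard, comparison, corrective action) and the sample-based control test described in this topic, worked as an added example that is not part of the CIA Learning System text. The control under test (revocation of a terminated employee’s system access), the five-day standard, the tolerable deviation rate, and every record are constructed assumptions.

```python
"""Control-loop test of an access-deprovisioning control.

Added example, not part of the CIA Learning System text.  The control,
the five-day standard, the tolerable deviation rate, and every record
below are constructed assumptions for illustration.
"""
import random
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Sequence

# Step 1: the objective management has established for the function.
OBJECTIVE = "System access of terminated employees is removed promptly."

# Step 2: a quantitative standard fixed before testing begins (assumed:
# access must be revoked within 5 calendar days of termination).
STANDARD_MAX_DAYS = 5
# Assumed tolerable rate of exceptions before corrective action escalates.
TOLERABLE_DEVIATION_RATE = 0.05


@dataclass(frozen=True)
class Instance:
    """One instance when the control should have been applied (constructed)."""
    employee_id: str
    termination_date: date
    access_revoked_on: Optional[date]  # None: access still active


@dataclass
class ControlResult:
    tested: int
    exceptions: int
    deviation_rate: float
    corrective_action: str
    exception_details: List[str] = field(default_factory=list)


def select_sample(population: Sequence[Instance], size: int, seed: int) -> List[Instance]:
    """Pick a reproducible random sample of instances to test."""
    return random.Random(seed).sample(list(population), min(size, len(population)))


def days_to_revoke(inst: Instance, as_of: date) -> int:
    """Elapsed days from termination to revocation, or to the test date
    when access is still active."""
    end = inst.access_revoked_on if inst.access_revoked_on is not None else as_of
    return (end - inst.termination_date).days


def is_exception(inst: Instance, as_of: date) -> bool:
    """Step 3 for one instance: compare the actual state with the standard.
    Access still active but inside the 5-day window is not yet a deviation."""
    return days_to_revoke(inst, as_of) > STANDARD_MAX_DAYS


def corrective_action(exceptions: int, rate: float) -> str:
    """Step 4: the size of the error (deviation from the standard) drives the action."""
    if exceptions == 0:
        return "None: control operating as intended"
    if rate <= TOLERABLE_DEVIATION_RATE:
        return "Monitor: isolated exceptions; confirm root cause with process owner"
    return "Remediate: deviation exceeds tolerance; redesign or re-enforce control"


def evaluate_control(sample: Sequence[Instance], as_of: date) -> ControlResult:
    """Run the control loop over the sample and return the measured result."""
    details = []
    for inst in sample:
        if is_exception(inst, as_of):
            state = ("still active" if inst.access_revoked_on is None
                     else f"revoked after {days_to_revoke(inst, as_of)} days")
            details.append(f"{inst.employee_id}: {state}")
    exceptions = len(details)
    rate = exceptions / len(sample) if sample else 0.0
    return ControlResult(len(sample), exceptions, rate,
                         corrective_action(exceptions, rate), details)


# Constructed population of terminations for a test dated 2018-08-31.
POPULATION = [
    Instance("E001", date(2018, 7, 2), date(2018, 7, 4)),    # 2 days: within standard
    Instance("E002", date(2018, 7, 6), date(2018, 7, 11)),   # 5 days: at the limit
    Instance("E003", date(2018, 7, 9), date(2018, 7, 16)),   # 7 days: exception
    Instance("E004", date(2018, 7, 13), date(2018, 7, 13)),  # same day
    Instance("E005", date(2018, 7, 20), None),               # never revoked: exception
    Instance("E006", date(2018, 7, 23), date(2018, 7, 27)),  # 4 days
    Instance("E007", date(2018, 8, 1), date(2018, 8, 3)),    # 2 days
    Instance("E008", date(2018, 8, 29), None),               # open 2 days: not yet a deviation
]
TEST_DATE = date(2018, 8, 31)

if __name__ == "__main__":
    result = evaluate_control(POPULATION, TEST_DATE)
    print(OBJECTIVE)
    print(f"Tested {result.tested}, exceptions {result.exceptions}, "
          f"deviation rate {result.deviation_rate:.0%}")
    for line in result.exception_details:
        print("  " + line)
    print("Corrective action:", result.corrective_action)
```

The per-exception detail lines are what the auditor takes to root cause analysis; the rate alone only sizes the error.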
Evaluating Soft Control Effectiveness Internal auditors sometimes need to move beyond traditional audit techniques when evaluating the effectiveness of soft controls such as ethics and values.
Control Self-Assessment (CSA)
One particularly useful method for management to use in their evaluation of soft controls is control self-assessment (CSA). CSA refers to a variety of assessment techniques, including facilitated workshops and surveys in which the assessment is performed by staff involved in the area or process being assessed rather than an independent party. Although the lack of independence reduces the reliability of the results (because management is evaluating their own area), experience shows that a well-designed, disciplined CSA technique produces results that are still quite reliable. And these results are often far more powerful than that which can be attained by an independent party examining objective evidence. If CSA participants feel safe in being honest about the evaluation of internal controls in their functional areas, the technique can guide them to identify control weaknesses they might not think of or choose to reveal to an independent evaluator. This is especially true of soft control weaknesses. The CSA approach is conducted in a structured environment in which a repetitive process is thoroughly documented. The CSA process allows management and/or work teams directly responsible for a business function to:
• Participate in the assessment of internal control.
• Evaluate risk.
• Develop action plans to address identified weaknesses.
• Assess the likelihood of achieving business objectives.
Certainly the specific benefits an organization will gain from CSA will vary. But organizations can realistically expect the following two important improvements.
• Valuable information on internal control. The CSA process generates information that is useful to management and internal auditors in judging the quality of control. It effectively augments internal auditing. Through control self-assessment, internal auditing and operating staff collaborate to produce an assessment of an operation. This synergy helps internal auditing assist in management’s oversight function by improving the quantity and quality of available information.
• A positive influence on the control environment. Because of its participatory nature, CSA establishes buy-in from operating staff. Participants learn more about controls and their own responsibility regarding risk management. Control consciousness increases. Operating staff become involved in executing controls and maintaining an effective control environment that contributes to meeting the organization’s goals and objectives.
The IIA offers a Certification in Control Self-Assessment (CCSA).
Examples of Soft Control Issues Internal Auditors Need to Deal With
Examples of the kind of soft control issues internal auditors need to be able to deal with when examining the effectiveness and efficiency of internal controls include:
• The implications of different organizational needs. A top-down philosophy often shapes employee behavior. For example, consider the situation that arises if management’s philosophy for a salesperson is to make money without regard to the tactics used. This salesperson may ignore policies, procedures, ethics, and integrity that are normally part of the process to make a sale.
• The implications of different organizational structures. Control measures are not transportable across different organizations. COSO makes the point that even if two organizations have identical objectives and similar strategies on how to achieve the objectives, the control activities will be different based on organizational specifics such as environment and industry, size and complexity, nature and scope of operations, history and culture, and individual judgments of people affecting control.
Next Steps You have completed Part 1, Section V, of The IIA’s CIA Learning System®. Next, check your understanding by completing the online section-specific test(s) to help you identify any content that needs additional study. Once you have completed the section-specific test(s), a best practice is to reread content in areas you feel you need to understand better. Then you should advance to studying Section VI. You may want to return to earlier section-specific tests periodically as you progress through your studies; this practice will help you absorb the content more effectively than taking a single test multiple times in a row.
Contents
Section V: Governance, Risk Management, and Control
Topic A: Organizational Governance (Level B)
Topic B: The Impact of Organizational Culture on the Overall Control Environment and Individual
Topic C: Ethics and Compliance Issues and Violations (Level B)
Topic D: Corporate Social Responsibility (Level B)
Topic E: Risk Management Fundamentals (Level P)
Topic F: Globally Accepted Risk Management Frameworks (Level B)
Topic G: The Effectiveness of Risk Management (Level P)
Topic H: The Internal Audit Activity’s Role in the Risk Management Process (Level B)
Topic I: Types of Controls and Management Control Techniques (Level P)
Topic J: Internal Control Frameworks (Level P)
Topic K: The Effectiveness and Efficiency of Internal Controls (Level P)
Index
Section VI: Fraud Risks
This section is designed to help you:
• Define fraud and the conditions that must exist for fraud to occur.
• Discriminate among the major types of fraud.
• Recognize red flags and their role in fraud.
• Identify common types of fraud associated with the engagement area during the engagement planning process.
• Consider the potential for fraud risks in the engagement area during the engagement planning process.
• Determine if fraud risks require special consideration when conducting an engagement.
• Determine if any suspected fraud merits investigation.
• Demonstrate an understanding of fraud investigations.
• Ensure that the organization and internal audit learn from fraud investigations.
• Complete a process review to improve controls to prevent fraud and recommend changes.
• Provide examples of fraud risk management controls.
• Employ audit tests to detect fraud.
• Use computer data analysis, including continuous online monitoring, to detect fraud.
• Support a culture of fraud awareness, and encourage the reporting of improprieties.
• Describe the features of an effective whistleblower hotline.
• Demonstrate an understanding of forensic auditing techniques.
• Demonstrate an understanding of fraud interrogation/investigative techniques.
The Certified Internal Auditor (CIA) exam questions based on content from this section make up approximately 10% of the total number of questions for Part 1. One of the topics is covered at the “B—Basic” level, meaning that you are responsible for comprehension and recall of information. (Note that this refers to the difficulty level of questions you may see on the exam; the content in these areas may still be complex.) The other topics are covered at the “P—Proficient” level, meaning that you are responsible not only for comprehension and recall of information but also for higher-level mastery, including application, analysis, synthesis, and evaluation.
Section Introduction
In its “Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse,” the Association of Certified Fraud Examiners reported that the average organization loses 5% of its revenues to fraud per year and that a large portion of those incidents—22%—represent losses of over U.S. $1,000,000. As disturbing as the size of the loss is the fact that reported fraudulent activities usually continue for 16 months before they are uncovered. Only 3% of reported incidents are uncovered by external audits, 13% by management review, 15% by internal audit, and approximately 40% through investigation of tips. Nearly half of all frauds occurred due to internal control weaknesses, and 85% of all fraudsters displayed at least one red flag (potential indicator) of fraud. These facts suggest that fraud represents a serious risk for most organizations around the world. An internal auditor’s responsibilities include assessing the adequacy and effectiveness of the system of internal controls, because many controls are designed with the purpose of preventing and/or detecting fraud. Another key responsibility is to design the audit program to look for red flags of fraud. The internal auditing function can play a major role in managing the organization’s fraud risk by assuring the effectiveness of the organization’s fraud risk management framework and by considering the potential for fraud and the effectiveness of controls during specific assurance engagements. The topics in this section address the areas of knowledge concerning fraud and fraud audits:
• The types of fraud and fraud risks an internal auditor might encounter in different engagements
• Assessing fraud risks when conducting an engagement
• Determining the need for initiating a fraud investigation
• Interrogation/investigative tools for fraud investigations
• Analyzing processes to improve fraud controls
• Tools to detect fraud
• Creating a culture of fraud awareness
• Forensic auditing to compile legal evidence
Topic A: Fraud Risks and Types of Fraud (Level P) Several fraud-related requirements are mentioned specifically in the outline for the CIA exam. This topic covers the definition of fraud, the types of fraud, and assessing fraud risks.
Related Standards The supporting role of the internal auditor in detecting fraud is reflected in Attribute Standard 1210.A2, which reads: Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
Implementation Standard 1210.A2 provides guidance on how to conduct assurance engagements in line with Standards 1200 and 1210:
• Standard 1200, “Proficiency and Due Professional Care”: “Engagements must be performed with proficiency and due professional care.”
• Standard 1210, “Proficiency”: “Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.”
The ability of the internal auditor to detect fraud and assess controls is a necessary component of other standards as well:
• Attribute Standard 1220, “Due Professional Care,” requires internal auditors to exercise prudence and competence. Attribute Standard 1220.A1 applies to preparing for engagements by considering the probability of fraud and Attribute Standard 1220.A2 to using technology and data analysis tools to detect fraud.
• Performance Standard 2120, “Risk Management,” requires internal auditors to “evaluate the effectiveness and contribute to the improvement of risk management processes.” Standard 2120.A2 states: “The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.”
• Performance Standard 2210, “Engagement Objectives,” requires internal auditors to set objectives for each engagement and, in Standard 2210.A2, to “consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.”
The IIA provides educational materials to help the auditor fulfill the requirement to become, and remain, proficient at the level required by these Standards. These materials include related Implementation Guides, Practice Guides and Position Papers, seminars, publications, and links to additional resources.
Definition of Fraud The Standards Glossary defines fraud as: Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the application of threat of violence or of physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.
“Managing the Business Risk of Fraud, A Practical Guide,” published by The IIA in conjunction with the American Institute of Certified Public Accountants and the Association of Certified Fraud Examiners, defines fraud as “any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain.”
The specific legal definition of fraud may vary by jurisdiction. Fraud risk is the probability that fraud will occur and the potential severity or consequences to the organization when it occurs. Fraud is an area where the services of outside experts are often retained. The internal auditor’s responsibilities for detecting fraud during engagements include:
• Considering fraud risks in the assessment of control design and determination of audit steps to perform.
• Having sufficient knowledge of fraud to identify red flags indicating that fraud may have been committed.
• Being alert to opportunities that could be considered conducive for fraud to occur, such as control weaknesses.
• Evaluating the indicators of fraud and deciding whether any further action is necessary or whether an investigation should be recommended.
• Notifying the appropriate authorities within the organization if a determination is made that fraud has occurred to recommend an investigation.
While internal auditors are not expected to be experts in fraud, they are expected to understand enough about internal controls to identify opportunities for fraud. They also should understand fraud schemes and scenarios as well as be aware of the signs that point to fraud and how to prevent it. More detailed information is available in “Managing the Business Risk of Fraud, A Practical Guide,” available from the IIA website.
Types of Fraud
There are two general types of fraudulent acts: those intended to injure an organization (such as embezzlement) and those perpetrated on behalf of an organization (such as deceptive financial reporting designed to artificially elevate the stock price). Alternate ways to classify fraud include whether it is committed by someone inside (i.e., occupational fraud) or outside the organization, how it is concealed (on-book or off-book), or where it occurs in the business cycle (sales and collection, acquisition and payment, payroll and personnel, inventory and warehousing, capital acquisition and repayment). Internal auditors should choose a system of classification most appropriate for their own organization and then become familiar with fraud scenarios that are common to those classes.
Fraud That Injures the Organization
Fraud perpetrated to the detriment of the organization is conducted generally for the direct or indirect benefit of an employee, an outside individual, or another organization. Common fraud schemes that injure the organization include the following:
• Asset misappropriation involves stealing cash or assets (supplies, inventory, equipment, information) from the organization. In many cases, the perpetrator tries to conceal the theft, usually by adjusting the records. The “Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse” lists asset misappropriation schemes as the most common (89% of cases) but the least costly (median loss of $114,000) type of fraud.
• Skimming occurs when cash is stolen from an organization before it is recorded on the organization’s books and records. For example, an employee accepts payment from a customer but does not record the sale.
• Disbursement fraud occurs when a person causes the organization to issue a payment for fictitious goods or services, inflated invoices, or invoices for personal purchases. For example, an employee can create a shell company and then bill the employer for nonexistent services. Other examples include fraudulent health-care claims (billings for services not performed, unbundled billings instead of bundled billings), unemployment insurance claims by people who are working, or pension or social security claims for people who have died.
• Expense reimbursement fraud occurs when an employee is paid for fictitious or inflated expenses. For example, an employee submits a fraudulent expense report claiming reimbursement for personal travel, nonexistent meals, extra mileage, etc.
• Payroll fraud occurs when a person causes the organization to issue a payment by making false claims for compensation. For example, an employee claims overtime for hours not worked or adds ghost employees to the payroll and receives the paychecks.
• A conflict of interest occurs where an employee, manager, or executive of an organization has an undisclosed personal economic interest in a transaction that adversely affects the organization or the shareholders’ interests.
• A diversion is an act to divert a potentially profitable transaction to an employee or outsider.
Other examples include:
• Acceptance of bribes or kickbacks.
• Intentional concealment or misrepresentation of events, transactions, or data.
• Intentional failure to act in circumstances where action is required by the company or by law.
• Unauthorized or illegal use of confidential or proprietary information.
• Unauthorized or illegal manipulation of information technology networks or operating systems.
People defraud organizations in myriad ways, from petty theft to embezzlement. At the petty end of the scale, defrauding an organization may involve nothing more than stealing petty cash or inventory shrinkage (inventory theft, misappropriation, etc.). Internal controls must pass a cost-benefit test, and so not all controls can be designed with a literal zero tolerance for fraud. (For example, a retail industry standard is 1% for inventory shrinkage; above this level is considered material.) However, policies can still be communicated to employees as “zero tolerance” for fraud, since any level of fraud can foster an unethical environment. Management can appropriately discipline (e.g., terminate) any employee caught perpetrating any level of fraud and turn the case over to the appropriate authorities. It’s the “deceit” mentioned in the Standards Glossary definition that generally brings fraud into the purview of the internal auditor. The auditor is looking for red flags that indicate the possibility that someone —an employee, manager, or outsider—is diverting assets from the organization for his or her use or for sale and is hiding the disappearance of those assets.
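The payroll and ghost-employee schemes described above are a common target of data-analytic audit tests. The Python script below is an added example, not part of the CIA Learning System text or The IIA’s materials: it reconciles a payroll register to the HR master file (payees who are not active employees) and looks for one bank account receiving pay for more than one employee, the usual sign that a ghost employee’s paychecks are being diverted to an account the perpetrator controls. The record layout, field names, and every sample row are constructed for illustration.

```python
"""Added example: two audit tests for ghost employees on a payroll register.

Test 1: every payee on the payroll register should be an active employee in
        the HR master file.
Test 2: no two payees should share a bank account.

All records and field names below are constructed sample data (assumptions),
not output from any real payroll system.
"""
from collections import defaultdict

# Constructed HR master file: the employees HR knows about.
HR_MASTER = [
    {"emp_id": "E100", "name": "A. Alvarez", "status": "active"},
    {"emp_id": "E101", "name": "B. Brown", "status": "active"},
    {"emp_id": "E102", "name": "C. Chen", "status": "terminated"},
    {"emp_id": "E103", "name": "D. Diaz", "status": "active"},
]

# Constructed payroll register for one pay period.
PAYROLL = [
    {"emp_id": "E100", "name": "A. Alvarez", "bank_acct": "ACCT-0001", "net_pay": 2150.00},
    {"emp_id": "E101", "name": "B. Brown", "bank_acct": "ACCT-0002", "net_pay": 2310.00},
    {"emp_id": "E102", "name": "C. Chen", "bank_acct": "ACCT-0003", "net_pay": 1980.00},  # terminated, still paid
    {"emp_id": "E103", "name": "D. Diaz", "bank_acct": "ACCT-0004", "net_pay": 2045.00},
    {"emp_id": "E199", "name": "Z. Zed", "bank_acct": "ACCT-0004", "net_pay": 2200.00},  # unknown to HR
]


def payees_not_in_hr(payroll, hr_master):
    """Payroll lines whose emp_id is missing from HR or is not active."""
    active = {r["emp_id"] for r in hr_master if r["status"] == "active"}
    return [p for p in payroll if p["emp_id"] not in active]


def shared_bank_accounts(payroll):
    """Map bank account -> emp_ids, keeping only accounts used by several payees."""
    by_acct = defaultdict(list)
    for p in payroll:
        by_acct[p["bank_acct"]].append(p["emp_id"])
    return {acct: ids for acct, ids in by_acct.items() if len(ids) > 1}


def ghost_employee_exceptions(payroll, hr_master):
    """Combine both tests into a sorted list of (emp_id, reason) exceptions."""
    exceptions = set()
    for p in payees_not_in_hr(payroll, hr_master):
        exceptions.add((p["emp_id"], "payee not an active employee in HR master"))
    for acct, ids in shared_bank_accounts(payroll).items():
        for emp in ids:
            others = sorted(set(ids) - {emp})
            exceptions.add((emp, f"bank account {acct} shared with {others}"))
    return sorted(exceptions)


if __name__ == "__main__":
    for emp, reason in ghost_employee_exceptions(PAYROLL, HR_MASTER):
        print(f"{emp}: {reason}")
```

The exceptions are leads for inquiry, not findings: a terminated employee still on the register may be a timing issue, and a shared account may be a legitimate joint account, so each item needs follow-up with HR before any conclusion is drawn.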
Fraud Intended to Benefit the Organization

The second type of fraud is that perpetrated supposedly on behalf of the organization. Fraud designed to benefit the organization generally produces such benefit by exploiting an unfair or dishonest advantage that may also deceive an outside party. Perpetrators of such acts usually accrue an indirect personal benefit, such as keeping their jobs or getting management bonus payments or promotions. Some common fraud schemes intended to benefit the organization include the following:

• Financial statement fraud involves misrepresenting the organization’s financial statements, often by overstating assets or revenue or understating liabilities or expenses. Such fraud is typically perpetrated by organization managers who seek to enhance the economic appearance of the organization. Members of management may benefit directly from the fraud by selling stock, receiving performance bonuses, or using the false report to conceal another fraud. The “Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse” indicates that financial statement fraud schemes are the least common (10% of cases) but the most costly (median loss of $800,000) type of fraud.
• Information misrepresentation involves providing false information, usually to those outside the organization. Most often this involves fraudulent financial statements, although falsifying information used as performance measures can also occur.
• Corruption is the misuse of entrusted power for private gain. Corruption includes bribery and other improper uses of power. It is often an off-book fraud, meaning that there is little financial statement evidence available to prove that the crime occurred. Corrupt employees do not have to fraudulently change financial statements to cover up their crimes; they simply receive cash payments under the table. In most cases, these crimes are uncovered through tips or complaints from third parties, often via a fraud hotline. Corruption often involves the purchasing function. Any employee authorized to spend an organization’s money is a possible candidate for corruption.
• Bribery is the offering, giving, receiving, or soliciting of anything of value to influence an outcome. Bribes may be offered to key employees or managers such as purchasing agents who have discretion in awarding business to vendors. In the typical case, a purchasing agent accepts kickbacks to favor an outside vendor in buying goods or services. The flip side of offering or receiving anything of value is demanding it as a condition of awarding business, termed economic extortion. Another example is a corrupt lending officer who demands a kickback in exchange for approving a loan. Those paying bribes tend to be commissioned salespeople or intermediaries for outside vendors.
• Related-party activity is a situation where one party receives some benefit not obtainable in a normal arm’s-length transaction.
• Tax evasion is intentional reporting of false information on a tax return to reduce taxes owed. One example is selling waste and scrap materials without reporting the earnings. Intentional and improper transfer pricing (e.g., valuation of goods exchanged between related organizations) can also be used for tax evasion. By purposely structuring pricing techniques improperly, management can improve their operating results to the detriment of other organizations and one or more countries’ taxation systems.

Additional examples include:

• Sale or assignment of fictitious or misrepresented assets.
• Prohibited business activities, such as those that violate government statutes, rules, regulations, or contracts.
• Illegal political contributions and payoffs to government officials or intermediaries of government officials.

Illegal contributions, bribes, etc., are the sort of acts that triggered passage of the U.S. Foreign Corrupt Practices Act of 1977. Any act that involves deception with intent to benefit the organization (and in the process injure another party) qualifies for inclusion here.

Exhibit VI-1 summarizes examples of some of the fraud categories.

Exhibit VI-1: Fraud Categories

Financial statement fraud
• Claiming fictitious revenues (including premature revenue recognition)
• Improperly valuing assets
• Intentional and improper transfer pricing (improving indicators of performance by manipulating pricing of goods transferred between related organizations)
• Recording expenses in the wrong period
• Improper use of off-balance-sheet accounting to conceal information such as actual asset or liability levels on financial reports
• Concealing potential or actual liabilities (e.g., debts, lawsuits)
• Failure to disclose required or significant information (e.g., acts of malfeasance by management, conflicts of interests, events that occurred subsequent to the close of the reporting period but that may affect the financial statements)

Cash theft
• Skimming cash from registers (through a variety of schemes, including destroying receipts, altering or falsifying receipts, charging customer accounts, not recording transactions and pocketing cash, falsifying credits)
• Lapping payments (diverting payments from a customer to personal use and using payments from other customers to cover missing payments)
• Pocketing all or part of daily deposits
• Selling waste and scrap materials, keeping the proceeds, and failing to report it

Disbursement fraud
• Creating “ghost employees” and diverting their paychecks to one’s own account
• Creating fictitious vendors or invoicing schemes and diverting payments to one’s own account
• False refunds
• Falsifying bills of lading and sharing proceeds with shippers
• Altering time cards
• Falsifying expense reports or misusing advances
• Colluding with suppliers to increase invoices and sharing the excess

Misuse or theft of assets (embezzlement)
• Sale or assignment of fictitious or misrepresented assets (e.g., incorrectly valued properties)
• Personal use of company property (e.g., postage stamps and stationery)
• Theft of furniture, tools, computers, supplies
• Falsifying financial records (e.g., inventory reports) to conceal theft
• Intentionally concealing or misrepresenting events, transactions, or data
• Selling access to company assets (e.g., key codes, account numbers, credit card numbers)
• Theft of company intellectual property or competitive information
• Intentional and improper related-party activities (receiving benefit greater than what could be obtained through an arm’s-length transaction)
• Business activities prohibited by law
• Alteration of computer programs or data for personal gain
• Intentional errors to reduce tax liabilities
• Intentional failure to act in circumstances where action is required by company policy or by law (e.g., reporting an environmental accident)

Bribery and corruption
• Granting special prices or privileges in exchange for kickbacks in the form of cash payments, gifts, loans, hidden interests (e.g., shares of stock)
• Bid rigging (limited bidders colluding to all bid high; the bid winner may provide subcontracts to the other bidders; the bid evaluator may also be in on the collusion)
Common Types of Fraud Associated with Engagements

The specific nature of the engagement can help in identifying the relevant types of fraud and potential indicators for inquiry. Let’s consider an example of a routine internal audit of the purchasing function that Glover and Flag describe in Effective Fraud Detection and Prevention Techniques Practice Set for an overview of fraud applied to a specific engagement.

• Background and risks. Purchasing represents an activity where liabilities and commitments to expend cash are incurred. Fraud risks include unauthorized expenditures, illegal or corrupt procurement activities, and inefficient operations.
• Engagement objectives. In considering these risks, the audit objectives are to:
  • Ensure that vendors are authorized in accordance with management’s criteria.
  • Determine if purchases eligible for competitive bids are reviewed and authorized.
  • Ensure that goods received are properly reflected in purchasing and shipping records and that receiving reports are independently verified.
  • Verify that liabilities incurred are properly recorded and updated upon cash disbursement and purchasing-related adjustment.
• Audit scope. The audit of the purchasing function will primarily focus on the duties performed by the purchasing function. However, the internal auditor will have to interface with other functions such as receiving or accounts payable as deemed appropriate to verify the existence of controls.
• Potential indicators of fraud. Examples of indicators of fraud in this case could include the following:
  • Turnover among purchasing department buyers that significantly exceeds attrition rates in other areas of the organization
  • Purchase order proficiency rates that fluctuate significantly among buyers with comparable workloads
  • Dramatic increases in purchase volumes for certain vendors that are not justified by competitive bidding or changes in production specifications
  • Unaccounted-for purchase order numbers or physical loss of purchase orders
  • A rise in the cost of routine purchases that exceeds the inflation rate
  • Unusual purchases not consistent with the categories identified by prior trends or the operating budget
Assessment of Fraud Risk

Awareness of fraud schemes is developed through periodic assessment by management and internal auditors, training of employees, and frequent communication between management and employees. To assess fraud risk, internal auditors should use the organization’s enterprise risk management model, if one is available. A risk model maps and assesses the organization’s vulnerability to fraud schemes, covering all inherent risks to the organization. The model should use consistent categories (i.e., there should be no overlap between risk areas) and should be detailed enough to identify and cover anticipated high-risk areas.

As introduced in Section V, COSO’s ERM framework provides a useful framework to assess fraud risk that includes five interrelated components:

• Governance and culture
• Strategy and objective setting
• Performance
• Review and revision
• Information, communication, and reporting

The evaluation should consider whether fraud could be committed by an individual or requires collusion. Consideration also should be given to the negative effects of unjustly suspecting employees or giving the appearance that employees are not trusted.

If an ERM model is not available, auditors should try to understand the specific fraud schemes that could threaten the organization. COSO’s Fraud Risk Management Guide (2016) is a framework intended for management use in identifying, assessing, and testing potential fraud misconduct schemes and scenarios. As with other frameworks, internal auditors can also use it to assess the completeness and adequacy of management’s fraud risk assessments. This guide includes five principles that map to the five components of COSO’s Internal Control—Integrated Framework:

• For the control environment, principle 1 relates to establishing and communicating a fraud risk management program demonstrating the expectations of the board and senior management regarding their integrity and ethics related to managing fraud risk.
• For risk assessment, principle 2 is about performing comprehensive fraud risk assessments to identify fraud schemes and risks, assess likelihood and impact, and assess existing fraud controls, addressing gaps and residual risk.
• For control activities, principle 3 is about selecting, developing, and implementing preventive and detective fraud controls as timely mitigating tools.
• For information and communication, principle 4 is about ensuring that there is a communication process for reporting potential fraud and making sure investigation and corrective action follow a coordinated, timely approach.
• For monitoring activities, principle 5 is about ongoing evaluation of the fraud risk management program and communication of deficiencies to senior management and the board.

A fraud risk assessment process (whether or not it uses the above framework) is a critical activity in establishing a basis for the design and implementation of anti-fraud programs and risk control activities. Internal Auditing: Assurance and Consulting Services lists the following characteristics of effective fraud risk assessment:

• It is performed on a systematic and recurring basis.
• It considers possible fraud schemes and scenarios, including consideration of internal and external factors.
• It assesses risk at the company-wide, significant business unit, and significant account levels.
• It evaluates the likelihood, significance, and pervasiveness of each risk.
• It assesses exposure arising from each category of fraud risk by identifying mitigating control activities and considering their effectiveness.
• It is performed with the involvement of appropriate personnel.
• It considers management override of controls (e.g., nonroutine transactions and journal entries or temporary suspension of controls).
• It is updated when special circumstances arise (e.g., mergers and acquisitions and new systems).

The final determination of whether or not the risk of fraud warrants special consideration when conducting an engagement involves the internal auditor’s experience, knowledge, and judgment skills. This mental attitude or judgment combines the internal auditor’s analytical skills with all information related to the organization to determine if internal control weaknesses exist that signal the potential for fraud activity. Armed with this information, the internal auditor can respond accordingly in planning the engagement.
Topic B: Potential for Fraud Occurrence (Level P)

All organizations are exposed to a degree of fraud risk in any process where human input is required. The degree to which an organization is exposed relates to the fraud risks inherent in the business, the extent to which effective internal controls are present either to prevent or detect fraud, and the honesty and integrity of those involved in the process. It is the task of the internal auditor to serve as a potential “early warning system” for the organization and detect the indicators of fraud—signs that indicate both the inadequacy of controls in place to deter fraud and the possibility that some perpetrator has already overcome these weak or absent controls to commit fraud. Such indicators are referred to as red flags.

Fraud red flags may surface at any stage of the internal audit. Red flags are only warning signs; they are not proof that fraud has been committed. However, they serve an important function during planning to direct the internal auditor’s attention to questionable areas and/or activities. Identification of red flags directs the scope of current and subsequent audit steps until sufficient evidence is gathered to form an objective conclusion regarding the existence of fraud.

Internal auditors play an important role in how an organization manages fraud risks. They assist other members of the organization in the effective discharge of their responsibilities by furnishing them with analyses, appraisals, recommendations, counsel, and information concerning the activities reviewed. To be better prepared to support fraud investigations, internal auditors should be aware of how investigations are conducted. Once potential fraud is identified, it is best to refer the case to those parties trained in fraud investigation. An internal audit is not a fraud investigation.
Conditions That Indicate Potential Fraud (Red Flags)

Combating fraud begins with strong anti-fraud programs and controls that management should have in place to prevent and deter fraud. Fraud standards applicable to the jurisdiction and type of organization (such as AICPA AU-C 240 [formerly SAS No. 99]/PCAOB AS 2401 in the U.S.) may outline types of controls and programs that an auditor should look for and may provide information on characteristics of fraud or include examples.

Fraud thrives in a particular kind of environment. The internal auditor should be able to recognize the environmental conditions for fraud. However, it is important to remember that it isn’t failures in systems, policies, procedures, or controls that cause fraud—it’s people. People may take advantage of these failures, but it is still a human activity, so much of the discussion regarding detecting fraud relates to understanding the motivations and rationalizations of people. Sawyer provides the following list of examples of conditions that might indicate fraud:

• Loose internal controls
• Poor management philosophy
• Poor financial position
• Low employee morale
• Ethics confusion
• Lack of background checks on new hires
• Lack of employee support programs
• General conditions, such as high employee turnover, pending mergers, excess trust in key employees, etc.

Each of these conditions suggests particular temptations. Poor financial position provides a motive for fraud committed on behalf of the organization against lenders and investors, for instance. Lack of background checks on new hires suggests the need for engagement steps designed to pinpoint employees with suspect backgrounds as well as motive and opportunity. (Obviously, it also suggests recommendations to be made to management about human resource practices.) Low employee morale suggests the potential for fraud committed against the company by employees who are prone to larceny and are especially disenchanted with the employer.

There is a set of three conditions that, if present in the right proportions, suggest the possibility of fraud. They are opportunity, motive, and rationalization, as shown in Exhibit VI-2.

Exhibit VI-2: The Fraud Triangle

These three conditions can be described as follows:

Opportunity
• A process may be designed properly for typical conditions. However, a window of opportunity may arise for something to go wrong or that creates circumstances for the control to fail.
• An opportunity for fraud may exist due to poor control design or lack of controls. For example, a system can be developed that appears to protect assets, but which is missing an important control. Anyone aware of the gap may be able to take advantage of it without much effort.
• Persons in positions of authority can create opportunities to override existing controls (i.e., management override), because subordinates or weak controls allow them to circumvent the rules.

Motive (also called incentive or pressure)
• While people can rationalize their acts, there needs to be an incentive that entices them to behave that way.
• Power is a great motivator. Power can be simply gaining esteem in the eyes of family or coworkers. For instance, many computer frauds are done to show the hacker has the power to do it rather than to cause intentional harm.
• Another motivator is the gratification of a desire, such as greed, or an addiction.
• The third motivator is pressure, either from physical stresses or from outside parties.

Rationalization
• Most individuals consider themselves good persons, even if they occasionally do something bad. To convince themselves they are still good persons, they may rationalize or deny their acts. For example, these individuals might consider that they were entitled to the stolen item or that if executives break the rules, it must be alright for others to do so as well.
• Some people will do things that are defined as unacceptable behavior by the organization, yet are commonplace in their culture or were accepted by previous employers. As a result, these individuals will not comply with rules that don’t make sense to them.
• Some people may have periods of financial difficulty in their lives, have succumbed to a costly addiction, or are facing other pressures. Consequently, they will rationalize that they are just borrowing the money and, when their lives improve, they will pay it back.
• Others may feel that stealing from a company is not bad, thereby depersonalizing the act.
Although internal auditors may not be able to know the exact motive or rationalization leading to fraud, they are expected to understand enough about internal controls to identify opportunities for fraud. Auditors also should understand fraud schemes and scenarios and be aware of the signs that point to fraud and how to prevent such schemes or scenarios. Information available from The IIA and other professional associations or organizations should be reviewed to ensure that the auditor’s knowledge is current.
Categorizing Red Flags

Red flags may relate to time, frequency, place, amount, or personality. They include overrides of controls by management or officers, irregular or poorly explained management activities, consistently exceeding goals/objectives regardless of changing business conditions and/or competition, a preponderance of nonroutine transactions or journal entries, problems or delays in providing requested information, and significant or unusual changes in customers or suppliers. Red flags also include transactions that lack documentation or normal approval, employees or management hand-delivering checks, customer complaints about delivery, and poor IT access controls such as poor password controls.

People committing fraud often display certain behaviors or characteristics that may serve as warning signs or red flags. Personal red flags include living beyond one’s means; conveying dissatisfaction with the job to fellow employees; unusually close association with suppliers; severe personal financial losses; addiction to drugs, alcohol, or gambling; change in personal circumstances; and developing outside business interests. In addition, there are those who consistently rationalize poor performance, perceive beating the system to be an intellectual challenge, provide unreliable communications and reports, and rarely take vacations or sick time (and when they are absent, no one performs their work). These red flags are often indicators of misconduct, and an organization’s management and internal auditors need to be trained to understand and identify the potential warning signs of fraudulent conduct. While none of these mean an employee is actually committing fraud, a combination of these factors could indicate a need for inquiries and heightened audit attention.

In Effective Fraud Detection and Prevention Techniques Practice Set, Glover and Flag suggest various ways of categorizing red flags and list many specific examples. In general, types of red flags include:

• Audit cycle red flags. These are characterized by the point in the audit cycle in which they are observed.
• Environmental red flags. These are characterized by the environments in which they occur.
• Industry-specific red flags. The nature of certain industries creates the opportunity for certain types of fraudulent activity that have their own red flags.
• Perpetrator red flags. These are tied to the individuals perpetrating the fraud—whether they are employees or managers.

We’ll look at each of these types, and we will also discuss briefly red flags associated with financial statements, even though auditing financial statements is generally considered the responsibility of an external rather than internal auditor.
Audit Cycle Red Flags

Internal audit reviews activity in four general areas or cycles:

• Revenue, which includes both the recording of receivables and the receipt of payments
• Expenditures, which includes those liabilities associated with the administrative cost of running the business
• Production, which focuses on costs specifically associated with the goods or services produced or sold
• Financing, which includes both incurring and retiring debt and issuing and buying back stock

Exhibit VI-3 illustrates some red flags associated with each of these cycles and described by Glover, Flag, and others. These lists of red flags are by no means complete.

Exhibit VI-3: Audit Cycle Red Flags
Environmental Red Flags

Environment may be viewed on a macro or micro level. The macro level refers to conditions that affect an entire industry, a country, or a global region, while the micro level refers to specific organizations. Examples of macro-level red flags include:

• Stiff competition in which some corporate players may be hindered by unfair trade practices or economic downturns that put pressure on companies to perform and create layoffs that in turn place economic pressures on individuals. These conditions may generate the motive to commit fraud.
• Recently deregulated or poorly regulated industries, in which absence or laxity of controls creates opportunity for fraud. As described below, certain types of industries by their nature offer opportunities for fraud—through, for example, the importance and ease of accessing cash in the business or the complexity and resulting opacity of transactions.
• An industry or cultural trend toward dishonesty and disregard of law and regulation (e.g., a history of corrupt practices by certain types of government contractors, a pattern of bribe taking by government officials). Perpetrators may point to a history or climate of acceptance as rationalization for fraud.

The same types of red flags may be seen on the micro or organizational level:

• Financial motive can be created by events like the loss of a lucrative contract, the pressure to improve financial performance to obtain a loan or before issuing stock, or a research and development failure that threatens the health of the organization’s product pipeline.
• Reorganizations can mean disruptions in control policies that create the opportunity to commit fraud. Failure to screen new hires may lead to the hiring of people with the motive to commit fraud. Failure of managers and supervisors to implement, enforce, and monitor control policies can create a culture of opportunity.
• Failure to train all personnel in the organization’s ethical code can contribute to a culture that easily rationalizes small and large acts of fraud, including theft, bid rigging, kickbacks, and conflicts of interest.

Two particular types of micro environments offer special opportunities for fraud and challenges for internal auditing: international organizations and organizations that rely heavily on technology.

• International organizations. Internal audits of corporations that operate internationally may uncover many types of red flags that result from the difficulty of maintaining controls in a decentralized and multicultural organization. Bribery may be occurring in both directions: Employees may be receiving kickbacks, and large, poorly described expenditures may mask bribes to foreign officials. Managers may carry ghost employees on the payroll. Records can be lost. Differences in exchange rates can be exploited. Myriad and legitimate international transfers of funds can conceal fraudulent wire transfers to numbered accounts. Practices such as those involving travel and entertainment expenses can vary significantly between countries. What may be culturally acceptable or expected behavior in one country may be deemed unacceptable or unethical in another.
• Organizations dependent on computer technology. Corporations that rely heavily on computer technology face challenges of security of controls. The system can be used to steal assets, including data that may facilitate identity theft, and to hide the fraud. System access can allow tampering with controls and records. Intellectual property may be readily accessed in highly portable formats. Internal auditors must be alert to red flags that may signal ineffective security controls (e.g., poor network administration that fails to define and enforce appropriate levels of access, the lack of reports showing unauthorized access to the system, the use of passwords by unauthorized users, users’ failure to secure their own computers through passwords or even physical control of tools such as personal computers, lack of firewalls to detect intruders, or users inviting intruders into a corporate system through careless Internet use). Auditors must also take note of red flags like a pattern of system disruption or lost data, unusual patterns of system use (e.g., processing and transaction activity in one area of the system at an unexpected time of day), individuals who work more than or outside their normal hours so that they can maintain access to the system, or personal computers that are reported as stolen.
Industry-Specific Red Flags
It has been estimated that four industries alone account for more than 70% of white-collar fraud: financial services, insurance, manufacturing, and energy. Organizations in such industries therefore may see a significant return on investment from assurance that controls related to fraud prevention and detection are adequate and operating correctly.

The financial services sector—which includes banks, savings and loan institutions, credit card companies, investment firms, and finance companies—may often already satisfy at least two of the components of fraud: motive and opportunity. The industry tends to be highly competitive and there may be high sales incentives, so both organizations and individuals may be motivated to take unacceptable risks or misstate sales and earnings. There is also access to cash—through systematic diversions from customer accounts, interception of customer payments, issuing of loans to fictitious entities, and so on—and complicated electronic transaction systems that can be used to hide transgressions.

Similarly, the insurance sector offers ready access to cash through fraudulent claims or payouts to nonexistent clients or mis-evaluation of underwritten properties. Opportunity abounds as well in manufacturing businesses, where complicated procurement processes and lax oversight have produced highly reported cost overruns and discrepancies. Closely held technology companies offer opportunity for fraud to the handful of decision makers who know and understand the product and business. In the energy industry, a decentralized structure, often international, allows greater opportunity for fraudulent activity and bribery to cover it up. It may be difficult to evaluate assets or track profits. Customers may not be able to verify what and how much they are actually receiving.
Perpetrator Red Flags Perpetrators may be organizations or individuals. Fraud committed by
entire organizations is reported extensively in the media and can have broad economic, regulatory, and social impacts. The environmental red flags discussed previously address many of the indicators of fraud risk. In addition, as Tracy Coenen has reported in the Wisconsin Law Journal, there are indirect economic costs (e.g., lost management productivity, investigation and prosecution, development and implementation of new controls) and noneconomic costs (e.g., damage to employee morale) as well. Perpetrator red flags speak to the three conditions of fraud: • Opportunity. Employees who refuse to take breaks, promotions, or vacations; employees who voluntarily take on certain tasks that provide access to cash, information systems, records, or assets; a tendency of employees or managers to cultivate close associations with certain customers; an atmosphere of constant crisis; failure to reconcile or investigate unreconciled cases; frequent use of management override of a process; a manager in a particular job for an excessive number of years. • Motive. Possessions or lifestyle inconsistent with family income, boasting about possessions, high level of debt or pattern of borrowing, liens on paychecks or calls at work from creditors, pressure to meet company or family goals, strong ambition to make more money, strong involvement in money-making schemes (e.g., stock market, real estate). • Rationalization. Poor sense of ethics, history of breaking rules or taking advantage of situations, attributing irregularities to bad habits or harmless personal weaknesses (e.g., paperwork delayed because of a personal dislike for the task), grievances against the employer and supervisors. Auditors should also be alert to behavioral signals, like a pattern of complaints against an employee, a decline in employee morale or attendance, abrupt resignations or evasiveness in answering questions, and a lack of cooperation or an adversarial attitude during the audit.
Other red flags may signal the techniques used to commit the fraud. These include:
• Unexplained variances (e.g., abnormally high expenses when compared with previous periods).
• Unusual shortages in cash or inventories.
• Missing or altered documents.
• Invoice items inconsistent with the charge code or business function.
• Circumventions of approval processes (e.g., splitting orders to stay below thresholds for approval).
• Vendors with generic names or only post office box addresses.
• Manual transactions in an environment characterized by automated transactions.
• Even amounts in an environment characterized by irregular amounts.
• Duplicate payments.
• A sudden increase in “middle man” activity (using a fictitious middle man to divert company cash or assets).

Managerial Fraud

The Association of Certified Fraud Examiners has found that the size of a fraudulent activity relates to the position of the perpetrator. Frauds committed by owners or executives were relatively uncommon, only 19% of cases in the “Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse,” but these caused a median loss of $850,000, so they are very significant.

Managers who are committing fraud against their companies (to be distinguished from those committing fraud on behalf of their companies, such as managers who authorize and cover up environmental or employment violations) exhibit many of the same red flags as their employees. They may have additional needs that stem from company expectations. For example, a sales manager may falsify sales records so that he or she can meet quarterly goals and stay on a promotion track. The leader of a division may misstate performance to avoid layoffs. And managers may have significantly more opportunities for fraud. For example, a manager may falsify expense records or manipulate bonuses by falsifying performance data.

Managers who commit fraud may be very poor managers in one or more ways. They may be chronically late with reports, play favorites with employees, and demand loyalty from employees without showing loyalty to them or the company. Some bad managers are simply that—bad managers. Internal auditors, however, should consider these management areas as high risk for fraud and be alert to further red flags.
Financial Statement Red Flags

Although external auditors are responsible for reviewing financial statements and identifying financial statement fraud, internal auditors may be asked to consult on the preparation of the financial statement in order to avoid problems during the external audit. The CAE may also need to form an overall opinion on the internal controls over financial reporting (ICFR) based on all assurance and consulting activity performed during the period, such as to satisfy the requirements of the U.S. Sarbanes-Oxley Act (SOX). Internal auditors may be in a position to detect irregularities before they become a public, costly embarrassment to the organization. Some red flags that may be associated with financial statements follow.
• Fictitious revenues. Unusual growth in income or profitability, earnings growth despite recurring negative cash flows in some parts of the organization, highly complex transactions (like those used by the Enron Corporation, which board members and many financial experts said they could not follow), transactions occurring just before the end of the reporting period (one such practice is called channel loading, in which the corporation builds sales through special incentives, which builds sales in one period at the cost of sales in the following periods), sales or income attributed to unknown companies or areas, absence of documentation for posted sales.
• Improper asset valuation. Changes made to inventory counts, fictitious sales accounts, unacknowledged and uncollected liabilities, fictitious assets supported by fictitious documents.
• Concealed liabilities. Unposted invoices from vendors, calling an expense an asset (which can be depreciated or amortized), debts assumed by shell companies (off-balance-sheet accounting), reliance on subjective valuations, unusually low expenses or purchases, level of loss (e.g., returns or warranty) lower than that experienced by similar organizations, irregular accounting entries that reduce tax liabilities.
• Improper disclosures. Poor communication of standards about disclosure, ineffective boards of directors.

In general, a heavy concentration of authority in one individual or area (usually combined with poor controls), evasiveness, a history of dishonesty or disrespect for laws and regulations, the potential for significant financial reward for certain individuals—these can all be general red flags for financial statement fraud.
Determining if Suspected Fraud Merits Investigation

Organizations investigate possible fraud when there is a concern or suspicion of wrongdoing in the organization. Suspicion can result from a formal complaint process, an informal complaint process such as a tip, or an audit, including an audit designed to test for fraud. Investigating a fraud is not the same as auditing for fraud, which is an audit designed to proactively detect indications of fraud in those processes or transactions where analysis indicates the risk of fraud to be significant.

If significant control weaknesses are detected, additional tests conducted by internal auditors should be directed at identifying other fraud indicators. The internal auditor should:
• Recognize that the presence of more than one indicator at any one time increases the probability that fraud has occurred.
• Evaluate the indicators of fraud and decide whether any further action is necessary or whether an investigation should be recommended.
• Notify the appropriate authorities in the organization if a determination is made that fraud has occurred to recommend an investigation.

In addition, it is the responsibility of the internal auditor to support further investigation by providing sound data and by ensuring that the suspected perpetrators are not prematurely alerted to the investigation.
Maintaining Continuity

When fraud is suspected, a best practice is for the internal auditor to refer the case to the CAE, who will secure appropriate resources for further investigation—for example, a certified fraud examiner or an IT security specialist. The internal auditor plays an important role in transitioning to a fraud investigation. The succeeding auditor/investigator should be briefed on fraud risks in the engagement, red flags noticed, fraud tests implemented to date, and preliminary findings. Internal auditors assigned to an engagement should be similarly prepared to discuss specific concerns about suspected fraud with a successor in the event that the audit must be handed off to a colleague before definite conclusions can be reached.
Fraud Investigations

Investigations attempt to discover the full nature and extent of fraudulent activity, not just the event that may have initiated the investigation. Investigation work includes preparing, documenting, and preserving evidence sufficient for potential legal proceedings. Internal auditors, lawyers, investigators, security personnel, and other specialists from inside or outside the organization usually conduct or participate in fraud investigations.

Investigations and the related resolution activities need to be carefully managed in accordance with laws. Local laws may direct how and where investigations are conducted, disciplinary and recovery practices, and investigative communications. It is in the best interest of the company, both professionally and legally, to work effectively with the organization’s legal counsel and to become familiar with the relevant laws in the country in which the fraud investigation occurs.

According to Sawyer’s Internal Auditing, the objectives of a fraud investigation are:
• First and foremost, to protect the innocent (to clear them from suspicion), to establish the facts, to resolve the matter, and to clear the air.
• To determine the basic circumstances quickly to stop the loss as soon as possible.
• To establish the essential elements of the crime to support successful prosecution.
• To identify, gather, and protect evidence.
• To identify and interview witnesses.
• To identify patterns of actions and behavior.
• To determine probable motives (which often will identify potential suspects).
• To provide accurate and objective facts upon which judgments concerning discipline, termination, or prosecution may be based.
• To account for and recover assets.
• To identify weaknesses in control and counter them by revising existing procedures or recommending new ones and by applying security equipment when justified.
Investigation Policies and Procedures

Management is responsible for developing controls for the investigation process, including policies and procedures for effective investigations, preserving evidence, handling the results of investigations, reporting, and communications. Such standards are often documented in a fraud policy; internal auditors may assist in the evaluation of the policy.

Such policies and procedures need to consider the rights of individuals, the qualifications of those authorized to conduct investigations, and the relevant laws where the frauds occurred. The policies should also consider the extent to which management will discipline employees, suppliers, or customers, including taking legal measures to recover losses or civil or criminal prosecution. (Note, however, that the “Report to the Nations” indicates that most of the victims did not recover anything.)

It is important for management to clearly define the authority and responsibilities of those involved in the investigation, especially the relationship between the investigator and legal counsel. It is also important for management to design and comply with procedures that minimize internal communications about an ongoing investigation, especially in the initial phases.

The policy needs to specify the investigator’s role in determining whether a fraud has been committed. Either the investigator or management will decide if fraud has occurred, and management will decide whether the organization will notify outside authorities. A judgment that fraud has occurred may in some jurisdictions be made only by law enforcement or judicial authorities. The investigation may simply result in a conclusion that organization policy was violated or that fraud is likely to have occurred.
The Role of Internal Audit

The role of the internal audit activity in investigations needs to be defined in the internal audit charter as well as in the fraud policies and procedures. For example, internal auditing may have the primary responsibility for fraud investigations or may act as a resource for investigations. Internal auditing may also refrain from involvement in investigations because it is responsible for assessing the effectiveness of investigations or because it lacks the appropriate resources. Any of these roles can be acceptable as long as the impact on internal auditing’s independence is recognized and handled appropriately.

To maintain proficiency, fraud investigation teams have a responsibility to obtain sufficient knowledge of fraudulent schemes, investigation techniques, and applicable laws. There are national and international programs that provide training and certification for investigators and forensic specialists.

If the internal audit activity is responsible for the investigation, it may conduct an investigation using in-house staff, outside service providers, or a combination of both. In some cases, internal audit may also use non-audit employees of the organization to assist. It is often important to assemble the investigation team without delay. If the organization is likely to need external experts, the CAE may prequalify the service provider(s) so external resources are quickly available when needed.

In organizations where primary responsibility for the investigation function is not assigned to the internal audit activity, internal audit may still be asked to help gather information and make recommendations for internal control improvements, such as:
• Monitoring the investigation process to help the organization follow relevant policies and procedures and applicable laws and statutes.
• Locating and/or securing misappropriated or related assets.
• Supporting the organization’s legal proceedings, insurance claims, or other recovery actions.
• Evaluating and monitoring the organization’s internal and external postinvestigation reporting and communication plans and practices.
• Monitoring the implementation of recommended control enhancements.
Conducting the Investigation

A fraud investigation consists of gathering sufficient information about specific details and performing the procedures necessary to determine whether fraud has occurred, the loss or exposures associated with the fraud, who was involved, and how it happened. The following activities can occur in an investigation.

Creating an Investigation Plan

An investigation plan is developed for each investigation, following the organization’s investigation procedures or protocols. The lead investigator determines the knowledge, skills, and other competencies needed to carry out the investigation effectively and assigns competent, appropriate people to the team who have no potential conflict of interest with those being investigated or with any of the employees in the organization. The plan should consider the following investigative activities:
• Gathering evidence through surveillance, interviews, or written statements
• Documenting and preserving evidence, considering legal rules of evidence and the business uses of the evidence
• Determining the extent of the fraud
• Determining the techniques used to perpetrate the fraud
• Evaluating the cause of the fraud
• Identifying the perpetrators

The investigator may conclude at any point that the complaint or suspicion is unfounded. The investigator then follows the organization’s process to close the case.

Obtaining Evidence

The collection and preparation of evidence is critical to understanding the fraud or misconduct, and it is needed to support the conclusions reached by the investigation team. The investigation team may use computer forensic procedures or computer-assisted data analysis based on the nature of the allegations, the results of the procedures performed, and the goals of the investigation. All reports, documents, and evidence obtained should be recorded chronologically in an inventory or log. Some examples of evidence include:
• Letters, memos, and correspondence, both in hard copy and electronic form (such as emails or information stored on personal computers).
• Computer files, general ledger postings, or other financial or electronic records.
• IT or system access records.
• Security and timekeeping logs, such as security camera videos or access badge records.
• Internal phone records.
• Customer or vendor information, both in the public domain and maintained by the organization, such as contracts, invoices, and payment information.
• Public records, such as business registrations with government agencies or property records.
• News articles and internal and external websites such as social networking sites.

Interviewing and Interrogating

In some cases an investigation unit is a subunit of internal audit, and some internal auditors are also qualified investigators; when this is not the case, it is important that internal auditors not conduct themselves as investigators. The two roles should be separate and distinct. The investigator will interview individuals, such as witnesses and facilitating personnel, with the goal of gathering evidence to support a suspicion that fraud may be occurring and/or establish the scope of fraud activity and the degree of complicity in the fraud. Many investigators prefer to approach the accused with sufficient evidence that will support the goal to secure a confession. Generally the accused is interrogated by two people: 1) an experienced investigator and 2) another individual who takes notes during the interrogation and later functions as a witness if needed. It is essential that all information obtained from the interrogation is rendered correctly. The differences between interviews and interrogations and the techniques appropriate to each are discussed in Topic D later in this section.

Investigative activities need to be coordinated with management, legal counsel, and other specialists such as human resources and insurance risk management as appropriate throughout the investigation. Investigators need to be knowledgeable and cognizant of the rights of persons within the scope of the investigation and the reputation of the organization itself. The investigator has the responsibility to ensure that the investigation process is handled in a consistent and prudent manner. The level and extent of complicity in the fraud throughout the organization needs to be assessed. This assessment can be critical to avoid destroying or tainting crucial evidence and to avoid obtaining misleading information from persons who may be involved.
The investigation needs to adequately secure evidence collected, maintaining chain-of-custody procedures appropriate for the situation.

Reporting Investigation Results

Reporting consists of the various oral, written, interim, or final communications to senior management and/or the board regarding the status and results of fraud investigations. Reports can be preliminary and ongoing throughout the investigation. A written report or other formal communication may be issued at the conclusion of the investigation phase. It may include the reason for beginning the investigation, time frames, observations, conclusions, resolution, and corrective action taken (or recommendations) to improve controls. Depending on how the investigation has been resolved, the report may need to be written in a manner that provides confidentiality for some of the people involved. In writing the report, the investigator should consider the needs of the board and management while complying with legal requirements and restrictions and the organization’s policies and procedures.

Some additional considerations concerning fraud reporting are:
• Submitting a draft of the proposed final communications to legal counsel for review. In cases where the organization is able to invoke attorney-client privilege and has chosen to do so, the report is addressed to legal counsel.
• Notifying senior management and the board in a timely manner when significant fraud or erosion of trust occurs.
• Considering the effect on financial statements. The results of a fraud investigation may indicate that fraud had a previously undiscovered adverse effect on the organization’s financial position and its operational results for one or more years for which financial statements have already been issued. Senior management and the board need to be informed of such a discovery so they can decide on the appropriate reporting, usually after consulting with the external auditors.

Standards 2400, “Communicating Results,” and 2410, “Criteria for Communicating,” provide information applicable to necessary communications in cases in which the internal audit activity conducts the investigation. As specified in these standards, distribution of investigation results should be appropriately limited and information should be treated in a confidential manner. Implementation Guide 2600 notes that information regarding fraud comes under the category of “highly significant risks that the CAE judges to be beyond the organization’s tolerance level.” These are characterized as matters that may adversely impact the organization’s reputation, image, competitiveness, success, viability, market values, investments and intangible assets, or earnings.

In addition, communication of results should take care to protect internal whistleblowers. Whistleblower protection(s) should be clearly outlined in an organization’s approved whistleblower (or related) policy. This will help create an atmosphere in which future whistleblowers feel less vulnerable to pressures and repercussions from within the organization. Without these protections, whistleblowers may feel that it is safer to take sensitive information to outside bodies first. This hinders the organization’s ability to conduct its own investigations and take corrective actions.

In the case of fraud, local laws may accelerate communication of investigation reports to the board and may require reporting to local authorities as well.

Resolving Fraud Incidents

Resolution consists of determining what actions will be taken by the organization once a fraud scheme and perpetrator(s) have been fully investigated and evidence has been reviewed. Management and the board are responsible for resolving fraud incidents, not the internal audit activity or the investigator. An important decision at this stage is whether to prosecute the wrongdoer. This decision is made by management and the board, based on the input of legal counsel. While internal auditors do not make these decisions, they may indicate to management and the board that prosecutions discourage future fraud by reinforcing the repercussions of fraudulent behavior and thus serve as a fraud deterrent.

Resolution may include all or some of the following:
• Providing closure to persons who were initially under suspicion but were found to be innocent
• Providing closure to those who reported a concern
• Disciplining an employee in accordance with the organization’s policies, employment regulations, or employment contracts
• Requesting voluntary financial restitution from the fraud perpetrator(s)
• Terminating contracts with suppliers
• Reporting the incident to law enforcement, regulatory bodies, or similar authorities; encouraging them to prosecute the persons involved; cooperating with their investigation and prosecution
• Entering into civil litigation or similar legal processes to recover losses
• Filing an insurance claim
• Filing a complaint with the perpetrator’s professional association
• Recommending control enhancements

Communicating Results

Management or the board determines whether to inform entities outside the organization after consultation with individuals such as legal counsel, human resources personnel, and the CAE. The organization may have a responsibility to notify government agencies of certain types of fraudulent acts. These agencies include law enforcement, regulatory agencies, or oversight bodies. Additionally, the organization may be required to notify the organization’s insurers, bankers, and external auditors of instances of fraud. Any comments made by management to the press, law enforcement, or other external parties may be coordinated through legal counsel; these communications should be made in accordance with organizational policies. Typically, only authorized spokespersons make external announcements and comments.

Internal communications are used by management to reinforce its position relating to integrity, to demonstrate that it takes appropriate action (including prosecution, if appropriate) when organizational policy is violated, and to show why internal controls are important. This is part of how management serves as a line of defense to reduce fraud risk. Such communications may take the form of an intranet posting or email from management, or the situation may be used as an example in the organization’s fraud training program. These communications generally take place after the case has been resolved internally, and they do not specify the names of alleged perpetrators or other specific investigation details that are not necessary and appropriate to divulge.

An investigation and its results may cause significant stress or morale issues that may disrupt the organization, especially when the fraud becomes public. Management may plan employee sessions and/or team-building strategies to rebuild trust and camaraderie among employees.

Evaluating Lessons Learned

After the fraud has been investigated and communicated, it is important for management and the internal audit activity to step back and consider the lessons learned. For example:
• How did the fraud occur?
• What controls failed?
• What controls were overridden?
• Why wasn’t the fraud detected earlier?
• What red flags were missed by management?
• What red flags did internal audit miss?
• How can future fraud be prevented or more easily detected?
• What controls need strengthening?
• What internal audit plans and audit steps need to be enhanced?
• What additional training is needed?

The dynamic feedback from these sessions needs to stress the importance of acquiring up-to-date information on perpetrators and fraud schemes that can help internal auditors and the anti-fraud community engage in best practices to prevent losses. Internal auditors typically assess the facts of investigations and advise management relating to remediation of the control weaknesses that led to the fraud. Internal auditors may design steps in audit programs or develop “auditing for fraud” programs to help disclose the existence of similar frauds in the future.
Topic C: Controls to Prevent/Detect Fraud and Education to Improve Fraud Awareness (Level P)

A program to detect fraud results from the realization that, in most cases, fraud cannot be entirely prevented. Fraud detection controls, which aim at uncovering actions or events that could be symptomatic of fraud, include activities such as reconciling vendor payments with purchase orders, invoices, vendor information (e.g., address on file), and employee personal national identification numbers (e.g., a Social Security number in the U.S. or a resident identity card in China). Detection controls can be passive or active. A passive fraud detection example would be a whistleblower program that facilitates reporting of suspected fraud by employees, while an active detection control would be an analytic test performed during an audit. These controls can be performed periodically, during an assurance audit engagement, or continually, which may provide a much shorter time frame for detection. The “Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse” stated that the median length of time for a fraudulent activity was 16 months. For significant fraud risks, detecting fraud sooner rather than later can be especially important.

A whistleblower hotline is an important and effective tool for detection. While the report cited that 40% of fraud was discovered from tips, it also noted that 46% of these cases were detected by tips at organizations with a hotline, while only 30% of cases were detected by tips at organizations with no hotline. The existence of a hotline increases tips significantly.

This topic focuses on different controls that can be implemented to prevent and detect fraud. It starts with describing how to complete a process review to assess whether controls are in place, recommends additional tools to detect fraud, and concludes with information to set up a culture of fraud awareness through programs and education.
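The following is an added example, not part of the CIA Learning System text, of what an active analytic detection control can look like in practice. It runs four of the transaction-level red flags listed under "Other red flags may signal the techniques used to commit the fraud" (duplicate payments, vendors with only a post office box address, even amounts among irregular amounts, split orders below an approval threshold, manual entries among automated ones) over a constructed sample of vendor payments; the record layout, the approval threshold, the time window, and the sample rows are all assumptions.

```python
"""Analytic tests for transaction-level fraud red flags (added example).

Each test returns the flagged records rather than a verdict: an analytic
test produces leads for follow-up, not a conclusion that fraud occurred.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

APPROVAL_THRESHOLD = 5000.00  # assumed single-signature approval limit
SPLIT_WINDOW_DAYS = 7         # assumed window in which split orders cluster


@dataclass(frozen=True)
class Payment:            # assumed record layout of a vendor payment extract
    pay_id: str
    vendor: str
    vendor_address: str
    invoice: str
    amount: float
    paid_on: date
    entry: str            # "auto" (system-generated) or "manual"


PO_BOX = re.compile(r"^\s*p\.?\s*o\.?\s*box\b", re.IGNORECASE)


def duplicate_payments(payments):
    """Same vendor and invoice number paid more than once."""
    seen = defaultdict(list)
    for p in payments:
        seen[(p.vendor, p.invoice)].append(p.pay_id)
    return {key: ids for key, ids in seen.items() if len(ids) > 1}


def po_box_only_vendors(payments):
    """Vendors whose address on file is nothing but a post office box."""
    return sorted({p.vendor for p in payments if PO_BOX.match(p.vendor_address)})


def round_amounts(payments):
    """Whole multiples of 100 in a population where most amounts carry cents.
    Returns [] when the population itself is mostly round (no anomaly)."""
    rounded = [p for p in payments if round(p.amount * 100) % 10000 == 0]
    if 2 * len(rounded) >= len(payments):
        return []
    return [p.pay_id for p in rounded]


def manual_entries(payments):
    """Manual entries in a population that is mostly automated; [] otherwise."""
    manual = [p for p in payments if p.entry == "manual"]
    if 2 * len(manual) >= len(payments):
        return []
    return [p.pay_id for p in manual]


def split_orders(payments, threshold=APPROVAL_THRESHOLD, window=SPLIT_WINDOW_DAYS):
    """Sub-threshold payments to one vendor inside a short window whose total
    exceeds the threshold: consistent with splitting to stay under approval."""
    by_vendor = defaultdict(list)
    for p in payments:
        if p.amount < threshold:
            by_vendor[p.vendor].append(p)
    flagged = {}
    for vendor, rows in by_vendor.items():
        rows.sort(key=lambda p: p.paid_on)
        for i, first in enumerate(rows):
            run = [q for q in rows[i:] if (q.paid_on - first.paid_on).days <= window]
            if len(run) > 1 and sum(q.amount for q in run) >= threshold:
                flagged[vendor] = [q.pay_id for q in run]
                break
    return flagged


def run_red_flag_tests(payments):
    """Run every test and return the leads by red flag name."""
    return {
        "duplicate_payments": duplicate_payments(payments),
        "po_box_only_vendors": po_box_only_vendors(payments),
        "round_amounts": round_amounts(payments),
        "manual_entries": manual_entries(payments),
        "split_orders": split_orders(payments),
    }


# Constructed sample data; vendor names, addresses and amounts are invented.
SAMPLE = [
    Payment("P1", "Acme Supplies Inc", "12 Mill Rd, Dayton", "A-1001", 1237.45, date(2024, 3, 1), "auto"),
    Payment("P2", "Acme Supplies Inc", "12 Mill Rd, Dayton", "A-1001", 1237.45, date(2024, 3, 8), "auto"),
    Payment("P3", "General Services LLC", "P.O. Box 4411", "GS-7", 4900.00, date(2024, 3, 2), "manual"),
    Payment("P4", "General Services LLC", "P.O. Box 4411", "GS-8", 4800.00, date(2024, 3, 4), "manual"),
    Payment("P5", "Northwind Freight", "40 Harbor St", "NW-55", 816.12, date(2024, 3, 5), "auto"),
    Payment("P6", "Northwind Freight", "40 Harbor St", "NW-56", 2991.30, date(2024, 3, 20), "auto"),
    Payment("P7", "Northwind Freight", "40 Harbor St", "NW-57", 3499.99, date(2024, 3, 30), "auto"),
]

if __name__ == "__main__":
    for flag, leads in run_red_flag_tests(SAMPLE).items():
        print(f"{flag}: {leads}")
```

On the sample, P1/P2 surface as a duplicate payment and P3/P4 trip the post office box, round-amount, manual-entry and split-order tests at once, which mirrors the point made above that more than one indicator at a time raises the probability that fraud has occurred.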
Process Review for Fraud Controls

The goal of the process review is to ensure that existing controls are achieving their objectives—that all risks have been identified and controlled to the level required by the organization’s risk appetite—and to identify opportunities for improving fraud controls. The process review may occur as the focus of one engagement within the audit plan—an individual engagement within the annual audit plan designed to review, analyze, and improve the current fraud risk management framework. It may also be included as one objective of an individual engagement, if the audited area or process is considered vulnerable to some manner of fraud.

Applied to the area of auditing for fraud controls, process review implies that, in the course of an assurance engagement, the internal auditor will:
• Review the risk assessment to identify risks that have not been identified.
• Assess whether controls are in place—according to an analysis of the degree of likelihood and impact of a fraud scenario and according to the organization’s risk attitude—to prevent or mitigate fraud.
• Gather evidence to establish whether fraud controls are operating as defined.
• Propose ways to improve fraud controls in the program, audited area, or process.
Auditing the Fraud Risk Management Program

The audit plan may include an engagement to audit the risk management, internal control, and governance activities in regard to fraud—the fraud risk management program. The components of a fraud risk management program are described in “Managing the Business Risk of Fraud, A Practical Guide,” which states:

Only through diligent and ongoing effort can an organization protect itself against significant acts of fraud. Key principles for proactively establishing an environment to effectively manage an organization’s fraud risk include:
Principle 1: As part of an organization’s governance structure, a fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.
Principle 2: Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.
Principle 3: Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.
Principle 4: Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.
Principle 5: A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely.

Internal auditors usually consider fraud risks and controls during audit engagements, covering issues in Principles 2, 3, and 4. An audit of the organization’s fraud risk management program takes a macro approach and ensures coverage of activities named in Principles 1 through 5. Additional areas to evaluate may include:
• Board roles, responsibilities, and oversight activities.
• Fraud statistics and performance measures.
• The ethics culture and opinions of stakeholders.
• Compliance reporting functions.
• The effectiveness of corrective action (recovery of losses, disciplinary action, identification and improvement of control weaknesses).
Fraud Risk Management Framework Controls
Fraud prevention and mitigation encompasses those actions taken to discourage fraud and limit fraud exposure when it occurs. Strong safeguarding controls and an anti-fraud program are proven fraud deterrents. As with other internal controls, management has the primary responsibility for establishing and maintaining fraud controls. A fraud risk management framework might include the following core tenets:
• Create a control environment that strongly promotes ethics and honesty.
• Establish anti-fraud controls.
• Provide independent assurance that anti-fraud controls and fraud risk management processes are effectively overseen by operational management and any relevant compliance functions.
Creating a culture of fraud awareness is discussed later in this topic. In addition to cultural controls, specific controls can be designed to meet the fraud risks in different types of functions and processes. Exhibit VI-4 shows how COSO’s Fraud Risk Management Guide principles integrate with other internal control principles to form an effective fraud risk management system of internal controls. For each control element, the exhibit also shows how these elements relate to internal auditing responsibilities.

Exhibit VI-4: COSO Fraud Risk Management Guide and the Internal Audit Activity

Control element: Control environment
Companies must establish and communicate an appropriate control environment, which should include:
• A code of conduct, ethics policy, or fraud policy to set the appropriate “tone at the top.”
• A fraud risk management program demonstrating senior management and the board’s commitment to managing fraud risk with high integrity and ethical values. This might include:
  • Ethics programs.
  • Hiring and promotion guidelines and practices.
  • Oversight by the audit committee, board, or other oversight body.
  • Investigation of reported issues and remediation of confirmed violations.
Internal auditing responsibilities:
• Assess aspects of the control environment.
• Conduct proactive fraud audits and investigations.
• Communicate results of fraud audits.
• Provide support for remediation efforts.

Control element: Risk assessment
Organizations should identify and assess fraud-related risks, including assessing the likelihood and potential impact of specific fraud schemes or risks, such as fraudulent financial reporting, asset misappropriations, improper receipts and expenditures, or financial misconduct by management and others. Companies also should assess existing fraud control activities and determine how to close any gaps. For example, this might include evaluation of whether adequate segregation of duties exists and establishing new processes for areas that need this control.
Internal auditing responsibilities:
• Evaluate management’s fraud risk assessment, in particular their processes for identifying, assessing, and testing potential fraud and misconduct schemes and scenarios, including those that could involve suppliers, contractors, and other parties.

Control element: Control activities
Organizations should establish and implement effective fraud control practices, including actions taken by management to prevent, detect, and mitigate fraud activities such as fraudulent financial reporting, misuse of the organization’s assets, or override of controls by management. Organizations should establish an affirmation or certification process to confirm that employees have read and understood corporate policies and are in compliance with them.
Internal auditing responsibilities:
• Assess the design and operating effectiveness of fraud-related controls.
• Ensure that audit plans and programs address fraud risk.
• Evaluate the design of facilities from a fraud or theft perspective.
• Review proposed changes to laws, regulations, or systems and their impacts on controls.

Control element: Information and communication
Organizations should establish effective fraud-related information and communication practices with timely investigation of information received, including:
• Documentation and dissemination of policies, guidance, and results.
• Opportunities to discuss ethical dilemmas.
• Communication channels, including whistleblower hotlines that allow anonymous tips.
• Training for personnel.
• Considerations of the impact and use of technology for fraud deterrence, such as the use of continuous monitoring software.
Internal auditing responsibilities:
• Assess the operating effectiveness of information and communication systems and practices, such as the independence of a whistleblower hotline from management (e.g., a third-party service) and whether the information is addressed in a timely fashion. Internal auditors may also evaluate fraud-related training initiatives.

Control element: Monitoring activities
Organizations should select, develop, and perform evaluations in an ongoing manner to ensure that the fraud risk management program is operating as intended. If deficiencies are detected, there should be a process to report and resolve them in a timely fashion. Organizations should conduct ongoing and periodic performance assessments and identify the impact and use of computer technology for fraud deterrence.
Internal auditing responsibilities:
• Assess monitoring activities and related computer software.
• Ensure that investigations are conducted in a timely manner. (In some cases, internal audit may conduct investigations, if qualified.)
• Assess whether deficiencies in the fraud risk management program are communicated effectively and to the appropriate parties, including senior management and the board, as appropriate.
• Support the audit committee’s oversight related to control and fraud matters.
• Support the development of fraud indicators.
• Hire and train employees so they can have the appropriate fraud audit or investigative experience.
Whether an organization uses the COSO control framework or another framework, the key components in creating a culture of fraud awareness are setting a tone of honesty and integrity, developing a strong code of conduct and ethics policy, and clearly communicating it to all employees. Then the risks must be identified and quantified according to the probability of occurrence and their potential impact. With these elements in place, internal auditors can examine and evaluate the adequacy and effectiveness of their internal controls system commensurate with the extent of a potential exposure within the organization.
Audit Tests to Detect Fraud
When the internal auditor discovers an indication that fraud might have occurred or that control systems are weak in some particular area, he or she should design further tests to uncover other indicators of fraud. Computer-based data analysis can be used to detect fraud, as can other analytical procedures such as trend analysis and proportional analysis.
Trend Analysis/Proportional Analysis
Trend and proportional analysis require that the internal auditor have an adequate understanding of the business being audited, both in terms of activity levels and in the relationships between activities. These techniques can help an internal auditor to focus on areas of potential concern.

Trend Analysis
Reasoning that related activities will show consistent trends unless some factor disrupts the relationship, an auditor may analyze trend data to see if any such disruptions have occurred. After finding a disruption, the auditor will do further research to identify a cause. The root cause of an unexpected anomaly in a trend analysis may be fraud. For example, a study of trends in sales and freight costs could reveal a much faster rate of increase in freight costs than in sales. Since the costs of shipping materials and goods should be directly related to the quantity of goods produced and sold, the auditor initiates an investigation, uncovering a pattern of false shipments recorded. The auditor also discovers that the accounts payable supervisor has a close personal relationship with the mail room manager of a shipping company frequently used by the organization. Ultimately, it is determined that two fraud perpetrators are colluding: the accounts payable supervisor and the company mail room manager. They are sharing the proceeds of payments for shipments of goods that never actually occurred.

Proportional Analysis
Proportional analysis is another way of comparing related pieces of data. Instead of tracking the data’s trends, the auditor uses proportional analysis to determine the ratio of one value to another to see if the relationship is reasonable and matches expectations. For example, the auditor in the previous example might (perhaps more simply) determine the ratio of the number of shipments based upon sales and the number of shipments based upon freight costs. If the organization is paying for more shipments than is necessary to get product to buyers, then the ratio would be unreasonable. Another example demonstrates the application of proportional analysis. An auditor conducting an engagement at a brewery compares the cost of hops against the annual output of beer and discovers that the brewery is paying for twice the amount of hops as required by the output. Investigation determines that the treasurer is diverting the excess hops to another brewery in which he is an investor.
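The freight-versus-sales reasoning above, carried out in code as an added example (not from the IIA text): a trend test flags quarters in which freight cost grows faster than sales, and a proportional test compares each quarter’s freight/sales ratio with a baseline built from earlier quarters. The quarterly figures, the growth and ratio tolerances, and the four-quarter baseline are constructed assumptions an auditor would calibrate to the business being audited.

```python
"""Trend and proportional analysis of two related activity series.

Added example, not code from the IIA text. Sales and freight figures are
constructed; tolerances and the baseline length are illustrative assumptions.
"""
from statistics import mean

# Constructed sample data: eight quarters of net sales and freight expense
# (thousands). Shipping cost should move roughly in step with goods sold.
SALES = [1000, 1040, 1085, 1100, 1150, 1180, 1210, 1250]
FREIGHT = [50, 52, 54, 55, 58, 72, 85, 98]


def growth_rates(series):
    """Period-over-period growth as fractions; the first period has no rate."""
    return [(cur - prev) / prev for prev, cur in zip(series, series[1:])]


def trend_disruptions(primary, related, tolerance=0.05):
    """Trend analysis: 1-based periods in which the related series (freight)
    grows faster than the primary series (sales) by more than `tolerance`,
    i.e. the expected relationship between the two activities is disrupted."""
    paired = zip(growth_rates(primary), growth_rates(related))
    flagged = []
    for period, (primary_growth, related_growth) in enumerate(paired, start=2):
        if related_growth - primary_growth > tolerance:
            flagged.append(period)
    return flagged


def proportional_exceptions(primary, related, baseline_periods=4, tolerance=0.10):
    """Proportional analysis: establish the normal related/primary ratio from
    the first `baseline_periods` and flag later periods whose ratio exceeds
    that baseline by more than `tolerance` (relative). Returns (baseline, flagged)."""
    ratios = [r / p for p, r in zip(primary, related)]
    baseline = mean(ratios[:baseline_periods])
    flagged = [period for period, ratio in enumerate(ratios, start=1)
               if period > baseline_periods
               and (ratio - baseline) / baseline > tolerance]
    return baseline, flagged


if __name__ == "__main__":
    print("Trend disruptions (quarters):", trend_disruptions(SALES, FREIGHT))
    baseline, exceptions = proportional_exceptions(SALES, FREIGHT)
    print(f"Baseline freight/sales ratio {baseline:.4f}; exceptions in quarters {exceptions}")
```

Both tests point at quarters 6 through 8 of the constructed data, which is where an auditor would start looking for the recorded shipments behind the excess freight charges.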
Computer Data Analysis
The use of computers in auditing provides the internal auditor with greater power to verify large numbers of transactions. The computer can compare transactions with the related events to highlight unusual conditions, which can then be studied to determine whether they are tied to fraud or some other, perhaps more benign, explanation.
Consider the following comparisons:
• Sales of manufactured products to labor and materials costs (Run in one direction, this comparison might highlight nonexistent sales; run backward, it might indicate fraudulent materials or labor costs.)
• Purchases with increases in inventories or sales
• Payroll costs with employee payroll tax reports
These analytical tests do not prove fraud—or another causal mechanism. They simply identify anomalies worth investigating to find an explanation; one explanation could be fraud. Audit departments should consider these various techniques when applying technology to fraud detection:
• Calculation of statistical parameters (e.g., averages, standard deviations, highest and lowest values)—to identify outlying transactions that could be indicative of fraudulent activity
• Classification—to find patterns and associations among groups of data elements
• Stratification of numeric values—to identify unusual (i.e., excessively high or low) values
• Digital analysis using Benford’s Law—to identify statistically unlikely occurrences of specific digits in randomly occurring data sets (Benford’s Law is covered below.)
• Joining different data sources—to identify inappropriately matching values such as names, addresses, and account numbers in disparate systems
• Duplicate testing—to identify simple and/or complex duplications of business transactions such as payments, payroll, claims, or expense report line items
• Gap testing—to identify missing numbers in sequential data
• Summing of numeric values—to check control totals that may have been falsified
• Validating data entry dates—to identify postings or data entry times that are inappropriate or suspicious
According to a 2008 white paper by ACL Services Ltd., to maximize the effectiveness of data analysis in fraud detection, the technology employed should enable auditors to:
• Compare data and transactions from multiple IT systems (and address control gaps that often exist within and between systems).
• Work with a comprehensive set of fraud indicators.
• Analyze all transactions within the target area.
• Perform the fraud detection tests on a scheduled basis and provide timely notification of trends, patterns, and exceptions.
Critical to the analysis of data is the establishment of normal values for comparative purposes. The first step in preparing to detect fraudulent deviations is defining a baseline. For example, a five-year history of inventory or sales levels will help internal auditors identify unusual increases in cost of goods sold as a percentage of sales or annual year-end increases in sales that could be channel loading (which was described earlier in this section). Benchmarks may be created from internal data or may be purchased from industry research organizations. Next, we will describe two types of analysis—numerical analysis and regression analysis—and two auditing tools for information systems.

Numerical Analysis
Most auditing programs performing numerical analysis are based on Benford’s Law, a probability principle using observations about the frequency of occurrence of the leading digit in a series of numbers. In the 1920s, physicist Frank Benford noticed that the first few pages of his book of logarithm tables were much more worn from use than the last pages. He went on to observe geographic, scientific, and demographic data and deduced that, in sets of numbers, the number one will appear as the leading digit about 60% of the time. The numbers must be describing similar phenomena (e.g., number of transactions or sizes of payments), must not be assigned according to some set of rules (like ZIP codes or payment codes), and must not have an inherent minimum or maximum value (e.g., legally specified amounts, like minimum wage). Larger numbers appear in the leading digit position in inverse proportion to their size, so that the number nine appears in the leading position only 5% of the time. Since most people believe that numbers occur randomly, it is possible that an employee committing fraud—by, for example, making payments to a fictitious vendor or to an employee for expense reimbursements—would choose amounts that violated Benford’s Law. The amounts of the payments may begin an inordinate number of times with more improbable higher numbers. Benford’s Law has been extended to describe probabilities for second numbers and for two- and three-digit sets of numbers. It may also be coupled with other forms of numerical analysis to identify irregularities, such as:
• Relative size factor, which determines when the largest number in a group is out of line with the rest of the items.
• Same, same, different tests, which search for improbable matches of two of three variables.
• Same, same, same tests, which search for identical entries.

Regression Analysis
Computer programs may also be developed using regression analysis—a statistical modeling tool used to find relationships between a dependent variable (e.g., an unauthorized payment) and one or more independent variables (e.g., the number of checks issued, vendors paid, vendors paid at the same address as an employee address, payments made below a certain threshold). A program might correlate expense claims with events associated with travel or with a calendar to spot unreasonably frequent travel or travel that could not be associated with the stated purpose.

Enterprise Auditing
Some software tools have been developed to build data analysis models and then apply them across an integrated enterprise management system. Enterprise management systems help coordinate various areas of control, analysis, and information storage in large organizations that may be decentralized, like a multinational company or a conglomerate of very different business units. Data mining refers to the capability of sifting through and analyzing large volumes of data to find certain patterns or associations. Enterprise data mining can be helpful in defining what constitutes a suspicious pattern and, then, in detecting suspicious transactions, like fraudulent wire transfers.

Continuous Online Auditing
Continuous auditing (or continuous monitoring) uses computerized techniques to perpetually audit the processing of business transactions. Continuous online auditing programs edit transactions as or shortly after they occur, looking for transaction details that do not fall within preset parameters or, alternatively, transactions that match the patterns in fraudulent activity. Auditing reports can be generated at time intervals set according to need. An example of an online auditing system is a program that monitors payments being received at a data center. The online auditing program can check to see that each step of the required process for receiving payments is followed.
Continuous auditing might be used to compare payment addresses for each payment mailed with a database of employee addresses. This might detect payments to fictitious entities or duplicate payments. Another example is cited in Changing Internal Audit Practices in the New Paradigm: The Sarbanes-Oxley Environment by Glen L. Gray. Gray describes the use of data mining to collect and compare data from a nationwide chain of retail outlets. Automated comparisons of “clear sale” or “no sale” or cash transactions with national averages identified problematic stores in which employees were stealing cash. Continuous auditing provides an effective way of maximizing audit coverage and allowing the internal audit function to focus on exceptions and obtain greater coverage of high-risk areas. In addition, fraud can be detected in a more timely manner. Gray notes that while continuous auditing of an entire database provides total assurance and can capture even small errors and deviations, it offers two other benefits. It provides legal coverage against charges that sampling might have been discriminatory or not representative. It also improves the ethical environment by removing opportunity, so there may be fewer attempts to commit fraud. The IIA Bookstore has additional sources of information on continuous auditing, such as:
• Harnessing the Power of Continuous Auditing: Developing and Implementing a Practical Methodology by Robert L. Mainardi (2011).
• Practice Guide, “Continuous Auditing: Coordinating Continuous Auditing and Monitoring to Provide Continuous Assurance,” second edition (previously GTAG 3) (2015).
Building comprehensive software systems of this nature requires thorough business, system, and analytical techniques. Continuous auditing has been most successful in industries with large volumes of transactions, such as the financial services and retail industries. Although most organizations want to develop continuous monitoring systems, doing so requires the right skill set along with a commitment to implement the program for long-term success.
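Several of the tests named under Computer Data Analysis and Numerical Analysis (a Benford’s Law first-digit test, gap testing, a same-same-same duplicate test) and the employee-address comparison described for continuous auditing, implemented together as an added example. This is not code from the IIA text or from any audit software product; the payment records, the employee address extract and the MAD conformity cutoff are constructed or assumed for illustration, and the expected Benford proportions are computed from log10(1 + 1/d).

```python
"""Computer-assisted fraud detection tests over an accounts payable file.

Added example, not code from the IIA text or from any vendor product. All
records and the MAD cutoff below are constructed or assumed for illustration.
"""
import math
from collections import Counter, defaultdict

# Constructed payment records: (check number, vendor, remit-to address, amount).
PAYMENTS = [
    (1001, "Acme Supply", "12 Mill Rd", 1243.50),
    (1002, "Beta Tools", "88 Harbor St", 2310.00),
    (1003, "Acme Supply", "12 Mill Rd", 1243.50),    # same-same-same as 1001
    (1004, "Gamma Freight", "5 Dock Ln", 318.20),
    (1006, "Delta Office", "7 Oak Ave", 97.40),       # check 1005 is missing
    (1007, "Omega Consulting", "41 Elm St", 899.00),  # remit-to is an employee address
    (1008, "Beta Tools", "88 Harbor St", 1520.75),
    (1009, "Acme Supply", "12 Mill Rd", 4120.00),
]

# Constructed employee master extract: home address -> employee.
EMPLOYEE_ADDRESSES = {"41 Elm St": "J. Doe (AP supervisor)", "3 Pine Ct": "R. Roe"}


def first_digit(amount):
    """Leading nonzero digit of an amount as an int, or None for zero."""
    if amount == 0:
        return None
    # Scientific notation puts the leading nonzero digit first, whatever the magnitude.
    return int(f"{abs(amount):.10e}"[0])


def benford_first_digit(amounts, mad_cutoff=0.015):
    """Compare observed first-digit proportions with Benford's Law.

    Expected P(d) = log10(1 + 1/d) for d = 1..9. Conformity is scored by the
    mean absolute deviation (MAD) between observed and expected proportions;
    `mad_cutoff` is an assumed threshold above which the population is flagged
    for follow-up. Returns (observed, expected, mad, flagged).
    """
    digits = [d for d in map(first_digit, amounts) if d is not None]
    if not digits:
        raise ValueError("no nonzero amounts to test")
    counts = Counter(digits)
    n = len(digits)
    observed = {d: counts.get(d, 0) / n for d in range(1, 10)}
    expected = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
    mad = sum(abs(observed[d] - expected[d]) for d in expected) / 9
    return observed, expected, mad, mad > mad_cutoff


def gap_test(check_numbers):
    """Numbers missing from a sequence that should be unbroken; each gap
    (a voided, unrecorded or diverted check) needs an explanation."""
    present = set(check_numbers)
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def same_same_same(payments):
    """Duplicate test: identical vendor, address and amount paid on more than
    one check. Returns {(vendor, address, amount): [check numbers]}."""
    groups = defaultdict(list)
    for check, vendor, address, amount in payments:
        groups[(vendor, address, amount)].append(check)
    return {key: checks for key, checks in groups.items() if len(checks) > 1}


def employee_address_matches(payments, employee_addresses):
    """Join of disparate data sources: vendor remit-to addresses that also
    appear in the employee master file, a fictitious-vendor indicator."""
    return [(check, vendor, employee_addresses[address])
            for check, vendor, address, _ in payments
            if address in employee_addresses]


if __name__ == "__main__":
    _, _, mad, flagged = benford_first_digit([p[3] for p in PAYMENTS])
    print(f"Benford MAD={mad:.3f} flagged={flagged} (eight records is far too few for a real test)")
    print("Gaps in check sequence:", gap_test([p[0] for p in PAYMENTS]))
    print("Same-same-same duplicates:", same_same_same(PAYMENTS))
    print("Payments to employee addresses:",
          employee_address_matches(PAYMENTS, EMPLOYEE_ADDRESSES))
```

Each function returns the exceptions rather than a verdict, in keeping with the text: the output is a list of anomalies to investigate, not proof of fraud.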
Education and Culture of Fraud Awareness
The five fraud risk management principles discussed earlier in this topic stress the importance of fraud risk assessment, the establishment of prevention and detection controls, and periodic auditing of fraud risk controls. These principles also emphasize actions that support the creation of a culture of fraud awareness. This soft control—created through clearly communicated and enforced policies, employee training in fraud awareness, and a reporting mechanism for suspected fraud—is continually in place to prevent acts of fraud and to ensure more rapid detection when fraud is committed. As noted earlier, tips—usually by another employee but also by customers, vendors, and others—represent a significant number of fraud investigation leads. Management review, internal audit, and monitoring systems are simply not as efficient or effective in detecting fraud as ensuring that employees know what fraud looks and feels like, know what to do when they become aware of fraud, and can easily report fraud without fear of retaliation.
Encouraging Reporting of Improprieties
Individuals who report fraud and abuse are commonly referred to as whistleblowers. A whistleblower is typically an employee, but a former employee or someone outside of an organization may also report fraud or other misconduct. Legitimate whistleblowers who have proof of fraud must have confidence that they will be protected from retaliation. Whistleblower hotlines are the most common mechanism for reporting fraud. Compared to organizations without formal whistleblower hotlines, organizations with hotlines are more likely to detect fraud by receiving tips and are less dependent on external auditors or accidental discovery to uncover fraud.
An effective hotline includes the following features:
• Confidentiality or anonymity. Confidentiality and anonymity are not the same thing, and it must be made clear to all concerned whether the information received will be confidential or anonymous. Confidentiality implies that the caller’s name and identity will be communicated only to those with an essential or authorized need to know (e.g., the legal department, human resources, or an investigative unit) and not openly disclosed. Confidentiality can be promised only within the limits allowed by law, and callers should know who might learn their identity. Anonymity provides both secrecy and nondisclosure of the caller’s identity. With full anonymity, the caller’s gender and any other identifying information are also withheld. Promises of anonymity must be kept, and safeguards should be put in place to ensure that the caller’s identity is not disclosed. The challenge of an anonymous source for investigators is that it is not possible to contact the person directly to follow up on the complaint or concern, such as to get more information.
• Accessibility. A whistleblower hotline must be easily accessible. For telephone hotlines, a toll-free number or an international number that accepts collect calls is best. The hotline number should be available 24 hours a day, seven days a week. There should also be provisions for reporting by email, letter, and fax. Employees should have as many mechanisms as possible for reporting fraud or abuse.
• Staffing. Hotlines must be staffed by “real” people (not voice-recorded messaging) who are thoroughly screened and trained. If the hotline is international, skilled translators must be available.
• Use of third-party vendors. Although administering a hotline in-house may be adequate, using the services of an independent third-party vendor helps to ensure both the perception and the reality that tips will remain confidential or anonymous.
• Naming the hotline. Some corporations choose to keep the term “hotline” in the title for their reporting tool (e.g., “Risk Hotline” or “Ethics Hotline”). Other schools of thought recommend using another term for hotline (e.g., “Business Conduct Line”). Whatever name is chosen, it should clearly signify the intent of a quick and direct communication medium.
• Communicate the existence. A hotline and fraud reporting system will fail unless all employees and people outside the organization are aware of it. Prominently displaying information on the organization’s website, the company intranet, and internal postings in public places (e.g., break rooms and cafeterias) are a few ways to publicize the hotline.
• Organizational responses to hotline reports. Quick responses are paramount. They build confidence with potential reporters of fraud and abuse that the organization is committed to ethical behavior and a culture of compliance.
The Sarbanes-Oxley Act, the U.S. Federal Sentencing Guidelines for Organizations, and other regulations and laws require accountability and oversight. But embedding fraud awareness within the internal control framework makes even better business sense by promoting zero tolerance for fraud.
Fraud Training
Fraud training is usually a key factor in the deterrence of fraud. Training can cover the organization’s expectations for employees’ conduct, the procedures and standards necessary to implement internal controls, and employee roles and responsibilities to report misconduct. Employees need to understand the ethical behavior expected of them to act accordingly within the organization. New employee orientations can present the organization’s mission, values, and code of conduct; types of fraud; responsibility to report violations of ethical behavior and impropriety; and details of the hotline or other ways to report potential fraud.
Employee fraud training needs to be tailored to the organization and the employee’s position within the organization. Although generic fraud training can be helpful, it is more effective to identify the top fraud risk areas in the organization and develop training so that employees in key positions can better understand their role in the organization’s fraud detection program. Perpetrators may even attend the training, which can benefit the organization, as they may be deterred by seeing the organization’s fraud risk management process in action. Periodic training throughout an employee’s career reinforces fraud awareness and the cost of fraud to the organization. Regardless of the method used to produce and disseminate the training material, one key goal is to test the employee’s comprehension of the fraud training. This can be done through online surveys that not only confirm attendance but also offer quick exams to determine whether employees have gained the necessary knowledge from the training.
Topic D: Forensic Auditing (Level B)
When an internal audit uncovers sufficient and reliable evidence that fraud has been committed, the internal auditor summarizes this evidence in a report for the CAE. The executive will determine if the evidence and the scope of the fraud merit further investigation for possible criminal or civil prosecution. The internal auditing activity will then either assemble an appropriate fraud audit team whose members include specialists in forensic auditing, refer the fraud investigation project to another internal investigation team, or outsource the investigation to an external third party. The term “forensic” means “used in or suitable for use in court.” In other words, forensic auditing is the application of auditing skills to gather evidence that may be used in a court of law for a criminal or civil matter.
Fraud Audit Team
As suggested by Standard 1210.A2, while the internal auditor must be able to identify the indicators of fraud, he or she is not expected to have the special skills required to gather evidence and establish facts that will be admitted into court and will be effective in securing convictions or favorable judgments. This expertise belongs to a group of individuals who comprise the fraud audit team. A fraud team may include an ACFE-certified fraud examiner, security investigators, human resources personnel, legal counsel, and outside consultants (e.g., surveillance or computer experts). Depending on whether senior management is suspected of involvement in the fraud, the team may or may not include members of senior management. If external service providers are used, the CAE should ensure that a work agreement clearly describes the scope of work, expectations and limitations, and deliverables.
Required Skills and Expertise
By necessity, forensic auditing requires not only understanding of accounting standards and practices but also familiarity with the practices and policies of the business activity being audited and expertise in investigative techniques and the rules and standards of legal proceedings. Forensic auditors must be able to both gather evidence and present it in court in a convincing manner. The evidence they present must follow the rules of evidence established for the court in which the case is presented—whether it is at a federal/national, regional/state, or local level, and whether it is a civil or criminal proceeding. They must be able to ensure that evidence is not lost, destroyed by the perpetrator, or mishandled in some way so that it will no longer be considered reliable in court. As with any area of specialization, the more experience professionals gather while doing their jobs, the more adept and intuitive they become. Their intuition is based on a personal mental database of examples of fraud indicators and cover-up techniques they have seen before. They are especially skilled in piecing together the story of a fraud—from establishing motivation and opportunity to describing how the fraud was perpetrated and tracking each step of the fraudulent activity to its final outcome. Organizing this detailed and often technical data into a well-supported story that is easy to follow will be essential in court. Forensic auditors are thus skilled in identifying the gaps in their stories and following trails to find the missing information.
Interrogative/Investigative Techniques
If a specialist in fraud investigations is not available in-house, the CAE may contract with external service providers to perform fraud investigations. This may be particularly necessary when fraud schemes involve multiple perpetrators, computers, security, or complex financial transactions. Attribute Standard 1210.A1 states that “the chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.” Implementation Guide 2050 advises the CAE to consider a service provider’s professional certifications, memberships in professional associations, reputation, experience, and familiarity with the organization’s industry or business. In addition, the CAE must ensure the independence and objectivity of the service provider. While internal auditors are not expected to conduct interrogations—these are usually conducted by security/loss prevention and law enforcement professionals—internal auditors should be aware of the unique nature of interrogations.
Interviewing and Interrogation
Although the terms interview and interrogation are often used interchangeably, these two activities generally occur in different contexts. They have different goals, and different techniques are used for achieving those goals. Put simply, in an interview, the interviewer doesn’t know the answer to most of the questions he or she is asking. In an interrogation, the interviewer probably already knows the answers to many of the questions that will be asked. The interviewer is seeking an admission of those answers by the perpetrator and any accomplices, evidence of lying or obfuscation, and to determine the methods used for committing the fraud. It is critical for the internal auditor to know the difference between interviews and interrogations and the impact that confusing the two can have on an organization. An interview treated inappropriately as interrogation can result in legal action against the company. Interview subjects may feel as if they have been libeled or coerced. Equally important to the legal implications, however, are the practical effects on the information-gathering goals of the interview. Key distinctions between interviewing and interrogation are summarized in Exhibit VI-5.
Exhibit VI-5: Comparison of Key Features of Interviewing and Interrogation

Goals
• Interviewing: To uncover information.
• Interrogation: To secure a confession or obtain evidence.

Interviewees
• Interviewing: Could include suspected perpetrator; potential witnesses and victims; those who may have aided the perpetrator; those who can provide background information about the area, activity, or perpetrator.
• Interrogation: Will probably focus on suspected perpetrators and accomplices.

Questioning strategy
Interviewing:
• Establish comfort level to encourage conversation.
• Convey a clear sense of what is being sought without using the word “fraud.”
• Ask questions in a logical and sequential manner.
• Cooperative, open tone.
Interrogation:
• Question repeatedly to detect changes in explanations.
• May change direction suddenly to elicit an unguarded response.
• Confrontational at times.

Atmosphere
• Interviewing: Usually at the interviewee’s place of work. Private and seeking to maintain low visibility of interview to others, especially suspected perpetrators.
• Interrogation: Neutral ground, free of distractions (no windows, decorations, minimal furniture). Presence of security.
Because their role is to detect signs of fraud and establish grounds for further investigation, internal auditors are usually interviewing, rather than interrogating, individuals. Their responsibility is not to seek confessions or establish evidence that can be used in court, unless they are acting in the role of investigator rather than auditor. The task of the internal auditor is to learn enough about the suspicious activity or individual to confirm or eliminate suspicion and then make a recommendation to the auditing department. It is therefore in the best interest of the internal auditor to use discovery techniques that will encourage communication.
Interview Behaviors That May Be Red Flags
Many writers have described specific behaviors during interviews that may become fraud indicators or red flags or at least signs that the interviewee is lying or withholding information. These interview red flags might include:
• Restlessness (frequent shifting of position, standing up, pacing).
• Posture (angling the body away from the interviewer).
• Reluctance to make eye contact. (Auditors should remember, however, that eye contact is often a culturally determined behavior. In these cases, failure to make eye contact may simply be a sign of courtesy rather than concealment.)
• Inappropriate attitudes (ranging from an unusual and immediate level of candor and friendliness to unfounded hostility or sarcasm).
• Signs of anxiety like sighing, perspiring, dry mouth, rubbing hands or face, or rapid and high-pitched speech.
• Sudden change in attitude about answering questions.
• Changes in answers given to questions during the interview.
Auditors should remember that these are only indicators of a potential problem, not proof or evidence that fraud has been committed. They may, however, influence the internal auditor’s recommendation for a follow-up fraud audit.
Interviewing Model
There are various steps internal auditors should follow when conducting interviews in the course of any type of audit. These steps are condensed into the following four phases.
• Prepare. This may involve defining the purpose and goals of the interview, gathering background information about the interview subject that may help in establishing rapport and forming questions, preparing specific questions and strategies, and securing an acceptable time and place for the interview.
• Conduct the interview. The interviewer should try to follow the plan and not be distracted from the goals that have been set. Additional areas of questioning may develop in the course of the interview, but the auditor should try to accomplish the interview in the time allotted. The auditor should ensure that interviewee statements are clearly understood to be either factual or hearsay (based on another’s experience or on rumor). Adequate notes should be taken during the interview to facilitate an accurate, complete report.
• Gain agreement with the interview subject. In concluding the interview, the auditor should summarize key points to gain the subject’s confirmation or to correct misunderstandings.
• Document the interview. As soon as possible, the interviewer should complete a report of the interview. This is not a transcript but a summary of the areas in which questions were asked, the key information received, and the information still lacking. The interview subject’s attitude should also be described. The report may suggest the next step in the interviewing or investigative process.
We have presented a simplified overview of the interviewing process. A fraud-related interrogation will usually be conducted by someone familiar with many more strategies for establishing rapport and comfort that can be used for a range of purposes, from simply assessing truthfulness to gaining evidence or a confession. In addition to their investigative and legal responsibilities, forensic auditors may also be used by corporations proactively as consultants. Their experience equips them to identify potential weaknesses in controls that can be exploited by perpetrators of fraud.
Computers as Sources of Evidence
It is perhaps obvious that an organization’s information system or computers can provide much valuable data that may be analyzed independently or compared with other types of information, which could include paper-based receipts, logs, invoices, or work orders; information from interviews; and information gathered through observation of the area or function. It will be important for the auditor to remember the less obvious sources of information on a computer or information system, such as:
• Word-processed documents (e.g., correspondence that can corroborate an action like writing off an uncollected debt or lost shipment).
• Customer lists. (These might be useful in identifying fictional or inactive accounts that are being used to conceal theft.)
• Email logs. (These might reveal, for example, extensive communication with a customer that is uncharacteristic of the work situation.)
• Financial records. (These will yield data that can be further analyzed for irregularities.)
• Scheduling systems or logs. (These can be used to identify irregular contacts or activities or to demonstrate false claims for expense or time reimbursements.)
• Operations logs. (For example, pilfering of waste or diversion of company property might be identified by comparing expected levels of waste or use with actual data.)
• Personnel records. (Personnel records can point to various red flags. For example, employees may not have been screened completely or properly. An employee’s employment record may reveal a history of brief tenures at jobs that afforded opportunity for fraud.)
• Computer-stored voice mail. (These records may suggest instances of theft of intellectual property.)
• Internet history reports. (These may provide evidence related to activities such as harassment or hate crimes.)
It will be critical for auditors to be aware of applicable data privacy practices, policies, and restrictions before reviewing correspondence and items on personal computers. Organizations should also be aware of the rules of evidence in the countries in which they operate. These rules may require the retention of data for specified periods and the ability to search stored data. They may also dictate how evidence may be handled and what is admissible in court.
Computer forensics is an investigative discipline that includes the preservation, identification, extraction, and documentation of computer hardware and data for evidentiary purposes and root cause analysis. Computer forensic technology and software packages are available to assist in the investigation of fraud, where computers are used to facilitate the fraud, or to identify red flags of potential fraud. Examples of computer forensic activities include:
• Recovering deleted emails.
• Monitoring emails for indicators of potential fraud.
• Performing investigations after terminations of employment.
• Recovering evidence after formatting a hard drive.
The challenge of using computers as a source of evidence is maintaining the integrity of the evidence while, at the same time, investigating what is on the computer in question. Since merely opening or browsing files on a computer may change file access dates and other metadata, investigators generally begin by isolating the computer under investigation and making a bit-for-bit forensic image of its hard drive, normally through a write blocker so that nothing can be written to the original. Cryptographic hashes of the original drive and of the image are computed and recorded at acquisition time; matching hashes show that the image is an exact copy, and recomputing them later shows that neither has since been altered. The original is stored in a secure location to maintain the pristine, untouched condition required of evidence and to preserve the chain of custody. Investigation and analysis are conducted on the copy, including searching hidden folders and unallocated disk space for deleted, encrypted, or damaged files. Computer forensic activities help establish and maintain a continuing chain of custody, which is critical in determining the admissibility of evidence in court. Although the CAE and internal auditors are not expected to be experts in this area, the CAE should have a general understanding of the benefits this technology provides so that he or she may engage appropriate experts, as necessary, to assist with a fraud investigation.
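The acquisition, hash verification, chain-of-custody and unallocated-space recovery steps just described, as an added example in Python that is not part of The IIA’s text and does not use any particular forensic product. The “disk”, the invoice, the deleted PDF and the account number in it are constructed for the example; the in-memory copy and SHA-256 stand in for a hardware write blocker and an imaging tool such as dd or ewfacquire. The custody log goes slightly beyond the text in one respect: each entry commits to the hash of the previous entry, so a later edit to any earlier entry is detectable.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample evidence (not a real drive). A 4 KiB "disk" with an
# allocated region holding a live document, followed by unallocated space
# that still holds the bytes of a deleted PDF whose directory entry is gone.
# The invoice, account number and text are invented for the example.
LIVE_DOC = b"INVOICE 2291: vendor ACME, amount 18,400.00\n"
DELETED_PDF = (b"%PDF-1.4\n1 0 obj << /Text (Write-off approved, account 4471) >>"
               b" endobj\n%%EOF")


def build_sample_disk(size=4096):
    allocated = LIVE_DOC.ljust(1024, b"\x00")              # allocated region, zero padded
    unallocated = bytearray(size - len(allocated))         # "free" space after deletion
    unallocated[300:300 + len(DELETED_PDF)] = DELETED_PDF  # remnant with no directory entry
    return bytes(allocated + unallocated)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def acquire_image(source):
    """Bit-for-bit copy of the evidence. In the field this is dd or ewfacquire
    run through a hardware write blocker so the original is never written to."""
    return bytes(source)


def verify_image(original, image):
    """An image is usable as evidence only if its hash equals the original's."""
    return sha256_hex(original) == sha256_hex(image)


class CustodyLog:
    """Append-only chain-of-custody log. Each entry commits to the previous
    entry's hash, so any later edit to an earlier entry is detectable."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _body(prev, time, actor, action, item_hash):
        return f"{prev}|{time}|{actor}|{action}|{item_hash}".encode()

    def record(self, actor, action, item_hash, when=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        time = (when or datetime.now(timezone.utc)).isoformat()
        entry = {"time": time, "actor": actor, "action": action,
                 "item_sha256": item_hash, "prev": prev,
                 "entry_hash": sha256_hex(self._body(prev, time, actor, action, item_hash))}
        self.entries.append(entry)
        return entry

    def is_intact(self):
        prev = "0" * 64
        for e in self.entries:
            expected = sha256_hex(self._body(prev, e["time"], e["actor"],
                                             e["action"], e["item_sha256"]))
            if e["prev"] != prev or e["entry_hash"] != expected:
                return False
            prev = e["entry_hash"]
        return True


def carve_by_signature(image, header, footer, max_len=1 << 20):
    """Recover files from raw bytes by header/footer signature. This ignores the
    file system entirely, which is why it finds deleted data in unallocated space."""
    found, pos = [], 0
    while (start := image.find(header, pos)) != -1:
        end = image.find(footer, start, start + max_len)
        if end == -1:             # header with no footer within max_len: skip it
            pos = start + 1
            continue
        end += len(footer)
        found.append(image[start:end])
        pos = end
    return found


def investigate(disk, examiner="examiner-1"):
    """Seize, image, verify, analyse the copy, and show the original is untouched."""
    log = CustodyLog()
    original_hash = sha256_hex(disk)
    log.record(examiner, "seized original; hashed before imaging", original_hash)
    image = acquire_image(disk)
    if not verify_image(disk, image):
        raise RuntimeError("image hash mismatch: do not analyse, re-acquire")
    log.record(examiner, "acquired and verified image", sha256_hex(image))
    carved = carve_by_signature(image, b"%PDF-", b"%%EOF")   # analysis on the copy only
    for f in carved:
        log.record(examiner, "carved file from unallocated space", sha256_hex(f))
    return {
        "original_untouched": sha256_hex(disk) == original_hash,
        "carved": carved,
        "log_intact": log.is_intact(),
        "log_entries": len(log.entries),
    }


if __name__ == "__main__":
    result = investigate(build_sample_disk())
    print(result["log_entries"], "custody entries; original untouched:", result["original_untouched"])
    for f in result["carved"]:
        print("carved:", f.decode(errors="replace"))
```

Running the block recovers the write-off approval from unallocated space although no file system entry points to it, records three custody entries, and confirms by hash that the original was never modified. If `verify_image` fails, the right response is to re-acquire rather than to proceed: an image whose hash differs from the original cannot be shown to be a faithful copy.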
Next Steps You have completed Part 1, Section VI, of The IIA’s CIA Learning System®. Next, check your understanding by completing the online section-specific test(s) to help you identify any content that needs additional study. Once you have completed the section-specific test(s), a best practice is to reread content in areas you feel you need to understand better. Then you should complete the Part 1 online post-test. A best practice is to return to earlier section-specific tests periodically as you progress through your studies; this practice will help you absorb the content more effectively than taking a single test multiple times in a row.
Contents
Section VI: Fraud Risks
Topic A: Fraud Risks and Types of Fraud (Level P)
Topic B: Potential for Fraud Occurrence (Level P)
Topic C: Controls to Prevent/Detect Fraud and Education to Improve Fraud Awareness (Level P)
Topic D: Forensic Auditing (Level B)
P1_Bibliography
Index