Internal auditing : an integrated approach [Third edition.] 9781485114741, 1485114748


English Pages [436] Year 2015


Table of contents:
Front cover
Title page
Imprint page
Table of contents
Preface
The author
Acknowledgements
Section 1: Theory of internal auditing
Chapter 1: The emerging role of internal auditing
In the Beginning ...
The Genesis of Internal Auditing
The Institute of Internal Auditors (IIA)
Internal Auditing
What is Management?
The Management Process
Executive Management’s Responsibility and Corporate Governance
Professionalism within the Internal Auditing Function
The Internal Audit Charter
Content
The Relationship of Internal Audit to Other Company Activities
The Relationship of Internal Audit to the Board of Directors
The Relationship of Internal Audit to the External Auditor
The Relationship between Internal Audit and the Audit Committee
The Relationship with Internal Audit
Independence
The Changing role of Internal Audit in Today’s Business Environment
Chapter 2: The IIA's standards for the Professional Practice of Internal Auditing
Origins
Advisory
Aids
Attribute Standards
Performance Standards
Implementation Standards
Internal Auditor Education
Certified Internal Auditor
Certificate in Control Self-Assessment
Certified Government Auditing Professional
Certified Financial Services Auditor
Chapter 3: Internal Audit Quality
Quality Assurance Reviews
Performing a Quality Assurance Review
Planning and Preparation
Determining the Customer’s Needs
Analyzing the Internal Audit Process
Communicating the Results of the Review
Ongoing Improvement
Follow-up
Quality Assurance Methodology
Chapter 4: Ethics Theory and Practice in the Modern World
Business Ethics
Ethical Theories
A Conceptual Framework
Employee Ethics
Codes of Conduct
Gifts
Confidentiality
Conflicts of Interest
Corporate Ethical Practices
The Free Market and the Marxist Critique of the Free Market System
Corporate Morality
Ethical Management
Resolving Ethical Conflicts
The Role of Ethics in Distinguishing a Profession
Independence and Objectivity
Chapter 5: The performance objectives of organisations
The Nature of Business Organizations
Sole Proprietor
Partnership
Private Company
Incorporated Company
Public Company
Section 21 Company
Public Entities
Strategic Planning and Organizational Performance
Performance Objectives
Performance Measurement
Public Sector Performance Measurement
The Balanced Scorecard and Performance Measurement
Financial measures
Client satisfaction
Internal business processes
Innovation and learning
Applying the Balanced Scorecard
Developing a Balanced Scorecard
Improving Performance Measurement Systems
Effectiveness, Efficiency and Economy
Effectiveness
Efficiency
Economy
The Role of Performance Objectives
Chapter 6: Risk Assessment
Broad Concepts of Control and Risk
The Nature of Risk
Inherent Risk
Control Risk
Audit Risk
The Effect of Risk
Ownership Risks
Process Risks
Behavioral Risks
Entity-wide Risk Identification
Techniques to Identify Risks
Risk Analysis and Internal Auditing
The Elements of Risk Analysis
Risk Factors to Consider
Risk-based Auditing
IIA Standards on Risk Assessment
Management Risk Factors
Risk Identification by Analytical Review
Marketing a Risk-based Internal Audit Approach to Management
Conducting a Risk Assessment
Planning a Risk Assessment
Conducting the Assessment
The ‘Cube’ Approach to Risk Assessment
ERM and Internal Audit
Internal Audit Role
Chapter 7: Control frameworks
Control Processes
COSO’s Internal Control: An Integrated Framework
A Sound Control Environment
A Sound Risk Assessment Process
Sound Operational Control Activities
Sound Information and Communications Systems
Effective Monitoring
Internal Controls
Systems of Internal Control
Control Environment
Organizational Structure
Control Framework
Elements of Internal Control
Segregation of Duties
Competence and Integrity of People
Appropriate Levels of Authority
Accountability
Adequate Resources
Supervision and Review
Control Self-assessment
Resources
Collaboration
Empowerment
Implementing CSA
Internal Control Questionnaires
Customized Questionnaires
Control Guides
Interview Techniques
Workshops
Other Control Frameworks
Banking
IT
CobIT®
Evaluate, Direct and Monitor (EDM)
Align, Plan and Organize (APO)
Build, Acquire and implement (BAI)
Deliver, Service and Support (DSS)
Monitor, Evaluate and Assess (MEA)
Further Information
Other Self-assessment Methods
Chapter 8: Audit Evidence
The Nature of Audit Evidence
Reliability of Audit Evidence
Audit Evidence Procedures
Observation
Questioning
Analyzing
Verifying
Investigating
Evaluating
Documenting the Evidence
Gathering Computerized Evidence
Section 2: The environment of business
Chapter 9: Communication
The Elements of Communication
Sender
Message
Emotions and Messages
System
Language
Receiver
Context
Steps in the Process
Communication at Work
Formal Authorities
Types of Communication at Work
Barriers to Communications
Overcoming the Barriers
Written Communications
Verbal and Non-verbal Communications
Chapter 10: Strategic Management
The Nature of Strategic Management
Business Ethics and Strategic Management
Implementing Strategic Management
Strategy Formulation
Strategy Implementation
Strategy Evaluation
The Strategic Analysis of Industries
Rivalry among Existing Firms
Threats of and Barriers to Entry
The Threat of Substitutes
Suppliers’ Bargaining Power
Competitive Strategies
Market Positioning – Leaders
Market Positioning – Trailers
Market Positioning – Followers
Chapter 11: Global Business Environments
Business Globalization
The History of Globalization
Problems of Globalization
Cultural Issues in Globalization
Organizational Culture
Culture and Ethics
The Nature of Industries
Fragmented Industries
Emerging Industries
Declining Industries
Chapter 12: Organizational Behavior
The Organizational Behavior of Managers
Groups within Organizations
Group Development
Group Size
Group Roles
Group Norms
Group Cohesion
Conflict
The Conflict Process
Conflict Resolution
Group Decision-making
Advantages of Group Decision-making
Disadvantages of Group Decision-making
Group Techniques
Chapter 13: Management Skills
The Evolution of Management Practices
The Classical/Scientific School
The Human Relations School
The Systems/Contingency Approach
Current Management Theory
Skills Required of a Modern Manager
Types of Managerial Decisions
Values and Job Satisfaction
Leadership Styles
Motivation
Motivational Theory
Expectancy Theory
Work Stress
Building Staff Competencies
Performance Management
Chapter 14: Auditing business process cycles
Auditing Business Process Cycles
Revenue and Receivable Business Cycles
Supply Chain Management
Inventory and Production Cycles
Payroll and Human Resource Cycles
Research and Development Cycles
Contract Auditing
Auditing Corporate Strategy
Chapter 15: Negotiation Skills
Negotiation
The Climate for Negotiations
Negotiating Common Ground
Power
Persuasion
Negotiating Conflict
Interviewing
Negotiating/Interviewing as a Consultant
Section 3: The Practice of Internal Auditing
Chapter 16: Types of Internal Audit
Compliance Audits
Financial Audits
Performance and Operational Audits
Environmental Audits
Fraud Audits
Quality Audits
Program Results Audits
IT Audits
Application Audits
Audits of Significant Balances and Classes of Transactions
Inventory Audits
Payroll Audits
Procurement Audits
Treasury Audits
Impact on the Skill Mix
Chapter 17: The internal audit process and documentation
Objectives of Audit Service Delivery
Planning
Risk Assessment
The Macroprocesses of the Internal Audit Process
Audit Planning
Execution
Reporting the Results
Evaluation
The Management Process
Understanding the Organization’s Business
Establishing the Needs
Identifying Key Activities
Establishing Performance Objectives
Deciding on the Control Strategies
Evaluating and Reviewing Performance
Implementation of the Generic Audit Process
The Audit Process Structure
Planning
Execution
Audit Testing
Developing and Reporting Findings and Recommendations
Findings
Recommendations
Reporting
Audit Evaluation
Chapter 18: Control and performance evaluation
The Nature of Internal Controls
Internal Controls
Cost/Benefit Considerations
Defining Performance Measurements
Measuring Actual Performance
Administrative vs Accounting Controls
Internal Control Structures
Chapter 19: Engagement Planning
Learning objectives
Engagement Planning
Planning
Unplanned Work
Project Management
Project Plan
Corporate Environment and Cultural Climate
Chapter 20: Audit reporting and follow-up
Reporting
Audit Reporting
Clear Writing Techniques
Preparing to Write
The Basic Audit Report
The Executive Summary
Detailed Findings
Polishing the Report
Distributing the Report
Interim Reporting
Closing Conferences
Follow-up Reporting
Auditors
The Auditee
Executive Management
Types of Follow-up Action
Audit Follow-up Policies
Chapter 21: Audit engagement tools, statistics and quantitative methods
Audit Engagement Tools, Statistics and Quantitative Methods
What is Sampling?
Why Do We Sample?
Judgmental (or Non-mathematical) Sampling
Statistical Approach
Sampling Risk
Assessing Sampling Risk
Planning a Sampling Application
Audit Objectives
Population Characteristics
Deviations from the Mean
Calculating Sample Size
Quantitative Methods
Trend Analysis
Chi-square Tests
Correlation Analysis
Graphical Analysis
Learning Curves
Ratio and Regression Analysis
Linear Programming
Project Scheduling Techniques
Program Evaluation Review Technique (PERT)
Critical Path Method (CPM)
Gantt or Bar Charts
Simulations
Section 4: Business analysis
Chapter 22: Corporate Governance
International Corporate Governance Developments
Corporate Stakeholders and Governance
Investors, qua Owners
Board Structure, Roles and Responsibilities
Board Committees
The Role of Audit Committees
Audit Committee Responsibility for Internal Audit
External Audit
Internal Audit
A Risk-based Approach to Internal Audit
Resourcing Internal Audit
Outsourcing Internal Audit
Chapter 23: Financial accounting and finance
Financial Reporting
Auditing the Financial Reporting Process
Appointment of External Auditor and Consultants
Audit Plans and Co-ordination with External Audit
External Auditors’ Use of the Work of Internal Audit
Corporate Governance Controls
Corporate Controls over the Financial Reporting Process
The Financial Reporting Review Process
Internal Controls over Financial Reporting
Chapter 24: Cost and managerial accounting
The Importance of Cost and Managerial Accounting Principles
A Value Chain for Business
The Public Sector
Cost Accounting Principles
Analyzing Costs and Evaluating Cost Management
Capital Budgeting and Cost Analysis
Quality Control Costs
Chapter 25: The legal and regulatory environment
The Legal and Regulatory Environment
Impact on the Internal Auditor
Identifying and Monitoring Non-compliance
Internal Audit Programs to Evaluate the Effectiveness of Controls
Section 5: Information technology
Chapter 26: Auditing Information Technology
Control and Audit of Information Technology
Some Computing Terminology
Hardware
Storage
Output
Control
Systems of Internal Control
General Control Objectives
Program Control Objectives
Batch vs Online
Other Communication Concepts
Chapter 27: Auditing general and application controls
The Control Environment
General Controls
Application Controls
Computer Operations Controls
Operations Exposures
Operations Controls
Personnel Controls
Supervisory Controls
Operations Audits
Application Controls
Systems Controls
Control Stages
System Models
Control Objectives of Business Systems
Overall Control Objectives
Chapter 28: Auditing systems under development
Why Do Systems Fail?
Systems Development
Drawing up Requirements and Proposals
Specifications
Technical Specifications
Implementation Planning
Implementation
Conversion Activities
Post-implementation Review
Systems Development Exposures
Systems Development Controls
SDLC Control Objectives
Micro-based Systems
Chapter 29: The use of CAATs in auditing computerized systems
Computer-assisted Audit Tools and Techniques
Standards of Evidence
Generalized Audit Software
Customized Audit Software
Information Retrieval Software
Utilities
Online Enquiry
Conventional Programming Languages
Microcomputer-based Software
Test Transaction Techniques
Embedded Audit Modules (SCARFs – System Control Audit Review Files)
Review of System-level Activity
CAATs Case Study
Chapter 30: Auditing security and privacy
Security
Criteria
User Authentication
Bypass Mechanisms
Auditing Operating Systems
Auditing Communications Security
Availability
Threats to Confidentiality
Threats to Data Integrity
Spoofing (Masquerade Attacks)
Playback of a Recording (Replay)
Password Capture
Brute Force Attacks
Log Tampering
Libel and Contentious Material
Loss of Intellectual Property
Chapter 31: Disaster recovery and business continuity planning
Disasters: ‘Before and After’
Consequences of Disruption
Where to Start
Disaster Recovery Processes in Place
Testing the Disaster Recovery Plan
Auditing the Disaster Recovery Plan
Business Continuity Planning
Management Responsibility for Business Continuity
Understanding the Business
Business Impact Analysis
Risk Assessment
Continuity Strategies
Developing the Response
Emergency Response
Developing Business Continuity Plans
Establishing a Business Continuity Culture
Testing the Business Continuity Plan
Maintenance of the Plan
Auditing the Plan
Chapter 32: Auditing e-commerce and the Internet
Changing the World
e-Commerce
What is e-Commerce?
Impact on Accounting and Auditing
The Changing Business Environment
Technology
Example Audit and Control Issues in EDI
The Impact on Auditing and Audits
Future Directions in e-Commerce Auditing
Conclusion
The Internet
Internet Communication
Connecting to the Internet
Finding Information on the Internet
Internet Security
Internet/Intranet Security
e-Commerce over the Internet
Chapter 33: Current and emerging technology issues for internal auditors
IT Audit Approach and Methodology
IT Governance
Project Management
Outsourcing
Cloud Computing
Smart Mobility
Social Media
Advanced Persistent Threats and Targeted Cyber Attacks
Section 6: Fraud and forensic auditing
Chapter 34: Fraud auditing
Fraud Detection and Identification
The Context of Fraud
Misrepresentation of Material Facts
Concealment of Material Facts
Larceny
Obtaining Fraudulent Loans
Unsolicited Orders
Advance Fees
Bribery
Theft of Trade Secrets
Conflicts of Interest
Breach of Fiduciary Duty
Embezzlement
False Claims
Extortion
Conspiracy
Lapping
Kiting
Fraudulent Affiliations
Red Flags for Fraud
Payroll
Cash Handling
Purchasing
Accounts Payable
Accounts Receivable
Personal Fraud Indicators
Triggering Events
Fraud Prevention
The Role of a Forensic Auditor
Responsibilities for Fraud Detection and Prevention
Fraud Prevention
Fighting Corruption
Codes of Conduct
Internal Audit
Chapter 35: Forensic Evidence
Courts and the Administration of Justice
Constitutional Court
Supreme Court of Appeal
High Court
Magistrates’ Courts and Other Courts
Forensic Evidence
What Constitutes Best Evidence?
Chain of Custody
Forensic Examination
Forensic Audit Department
Polygraph Testing
Chapter 36: Conducting fraud investigations
What are Fraud Investigations?
Elements Required to Establish Evidence of Theft
The Power of the Investigator
Corporate Investigation
Lies, Lies and More Lies
Detecting Lies
Chapter 37: IT fraud investigation
The Exponential Growth of Computer Crime
Classification of Computer Fraud
The Investigation of IT frauds
Pre-incident Preparation
Detection of Incidents
Initial Response
Forensic Back-ups
Investigation
Network Monitoring
Recovery
Reporting and follow-up
Appendices
Appendix A: Internal Auditors’ Guidelines
Appendix B: Sample Audit Committee Charter
Appendix C: Sample Internal Audit Charter
Appendix D: Working Papers
Appendix E: General Standards of Completion
Appendix F: Sample Working Papers
Appendix G: Sample Job Descriptions
Appendix H: Sample Engagement Contract
Appendix I: Sample Audit Program
Appendix J: Sample Audit Report
Index

Citation preview

Internal Auditing – An Integrated Approach 3e covers the basic concepts, philosophy and principles underlying the practice of Internal Auditing, and the relationships between the internal auditor, management and the external auditor. This updated edition is recommended for students of Internal Auditing preparing for BCom, BCom Hons and BTech examinations and for the professional CIA examination of the Institute of Internal Auditors Inc. It is also suitable for internal and external auditors employed in internal departments or professional practices providing outsourced internal audit or management assurance services, as well as senior financial personnel responsible for corporate governance, risk management and internal controls. It will also be of interest to Chartered Accountants with a specialist interest in governance and control issues.

Some new information in this edition includes:
• The changing role of Internal Audit in today’s business environment
• The Free Market and the Marxist critique of the free market system
• Corporate Morality and Ethical Management
• The “Cube” approach to risk assessment
• ERM and Internal Audit
• Auditing Business Process Cycles
• Auditing Business Environments
• Current and emerging technology issues for internal auditors.

About the author
Richard Cascarino is CEO of Richard Cascarino & Associates, a successful audit consulting and training company based in Johannesburg, SA and Denver, USA. He has been involved in the development of courses in Internal Auditing, IT Auditing and Governance for the School of Accountancy, University of the Witwatersrand, Johannesburg. His books are used at universities worldwide and serve as reference guides for Internal, IT and Forensic auditors. He is chairman of the Audit and Risk Committee of the Department of Public Enterprises in South Africa.

www.jutaacademic.co.za

Internal auditing: An Integrated Approach, Third edition. Richard Cascarino

Juta Support Material
To access supplementary student and lecturer resources for this title visit the support material web page at http://jutaacademic.co.za/support-material/detail/internal-auditing

Student Support
This book comes with the following online resources accessible from the resource page on the Juta Academic website:
• Access to a demo version of IDEA® data analysis software
• Exam and study skills.

Help and Support
For help with accessing support material, email [email protected]
For print or electronic desk and inspection copies, email [email protected]

INTERNAL AUDITING: An Integrated Approach Third edition Richard Cascarino CIA, CRMA, CFE, CISM

Internal_Auditing.indb 1

16/04/2015 11:12

Internal Auditing: An Integrated Approach
Third edition

First published 2015
First print published 2005
Second edition 2007
Reprinted January 2012
Reprinted August 2012
Reprinted March 2013
Third edition 2015

Juta and Company Ltd
PO Box 14373, Lansdowne, 7779, Cape Town, South Africa

© 2015 Juta & Company Ltd

ISBN 978 1 48511 059 0 (Print)
ISBN 978 1 48511 474 1 (WebPDF)

All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage or retrieval system, without prior permission in writing from the publisher. Subject to any applicable licensing terms and conditions in the case of electronically supplied publications, a person may engage in fair dealing with a copy of this publication for his or her personal or private use, or his or her research or private study. See Section 12(1)(a) of the Copyright Act 98 of 1978.

Project manager: Carlyn Bartlett-Cronje
Editor: Pat Hanekom
Cover designer: Joan Baker
Typesetter: ANdtp Services
Indexer: Adami Geldenhuys

The author and the publisher believe on the strength of due diligence exercised that this work does not contain any material that is the subject of copyright held by another person. In the alternative, they believe that any protected pre-existing material that may be comprised in it has been used with appropriate authority or has been used in circumstances that make such use permissible under the law.

Contents Preface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii The Author . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv Section 1: Theory of Internal Auditing. . . . . . . . . . . . . . . . . . . . . . . . 1 Chapter 1: The Emerging Role of Internal Auditing . . . . . . . . . . . . . . 3 Learning objectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 In the Beginning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 The Genesis of Internal Auditing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 The Institute of Internal Auditors (IIA). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Internal Auditing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 What is Management? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Executive Management’s Responsibility and Corporate Governance. . . . . . . . . . . 7 Professionalism within the Internal Auditing Function. . . . . . . . . . . . . . . . . . . . . . 8 The Internal Audit Charter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 The Relationship of Internal Audit to Other Company Activities. . . . . . . . . . . . . . . 9 The Relationship of Internal Audit to the Board of Directors. . . . . . . . . . . . . . . . . 9 The Relationship of Internal Audit to the External Auditor. . . . . . . . . . . . . . . . . . 10 The Relationship Between Internal Audit and the Audit Committee . . . . . . . . . . . 10 Three Lines of Defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
12 The Changing Role of Internal Audit in Today’s Business Environment . . . . . . . . . 12

Chapter 2: The IIA’s Standards for the Professional Practice of Internal Auditing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Learning objectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Origins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . New Standards for the Professional Performance of Internal Auditing . . . . . . . . . Internal Auditor Education. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

14 14 15 16

Chapter 3: Internal Audit Quality. . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Learning objectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Quality Assurance Reviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Performing a Quality Assurance Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Quality Assurance Methodology. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

19 19 20 22

Chapter 4: Ethics Theory and Practice in the Modern World. . . . . . 23 Learning objectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Business Ethics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ethical Theories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A Conceptual Framework. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Internal_Auditing.indb 3

23 23 24 25

16/04/2015 11:12

INTERNAL AUDITING: AN INTEGRATED APPROACH

Employee Ethics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Codes of Conduct. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Corporate Ethical Practices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Free Market and the Marxist Critique of The Free Market System. . . . . . . . . Corporate Morality. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ethical Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Resolving Ethical Conflicts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Role of Ethics in Distinguishing a Profession . . . . . . . . . . . . . . . . . . . . . . . . Independence and Objectivity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

26 27 28 28 30 31 31 33 34

Chapter 5: The Performance Objectives of Organizations. . . . . . . . 37 Learning objectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Nature of Business Organizations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Strategic Planning and Organizational Performance. . . . . . . . . . . . . . . . . . . . . . Performance Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Performance Measurement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Public Sector Performance Measurement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Balanced Scorecard and Performance Measurement. . . . . . . . . . . . . . . . . . Improving Performance Measurement Systems. . . . . . . . . . . . . . . . . . . . . . . . . Effectiveness, Efficiency and Economy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Role of Performance Objectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

37 37 39 40 41 41 41 44 45 46

Chapter 6: Risk Assessment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Learning objectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Broad Concepts of Control and Risk. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Nature of Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Effect of Risk. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Entity-wide Risk Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Techniques to Identify Risks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Risk Analysis and Internal Auditing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Conducting a Risk Assessment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The ‘Cube’ Approach to Risk Assessment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . ERM and Internal Audit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

47 47 47 48 50 51 51 56 58 62

Chapter 7: Control Frameworks. . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Learning objectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Control Processes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . COSO’s Internal Control: An Integrated Framework. . . . . . . . . . . . . . . . . . . . . . Internal Controls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Systems of Internal Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Elements of Internal Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Control Self-assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Implementing CSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Other Control Frameworks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CobIT® . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Other Self-assessment Methods. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

65 65 66 67 68 69 70 71 73 75 78

Chapter 8: Audit Evidence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Learning objectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 iv

Internal_Auditing.indb 4

16/04/2015 11:12

CONTENTS

The Nature of Audit Evidence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Reliability of Audit Evidence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Audit Evidence Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Documenting the Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Gathering Computerized Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

79 80 80 83 83

Section 2: The Environment of Business . . . . . . . . . . . . . . . . . . . . . 85 Chapter 9: Communication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Learning objectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Elements of Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Communication at Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Barriers to Communications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Overcoming the Barriers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Written Communications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Verbal and Non-verbal Communications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

87 87 89 91 92 92 93

Chapter 10: Strategic Management. . . . . . . . . . . . . . . . . . . . . . . . . 95 Learning objectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 The Nature of Strategic Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 Implementing Strategic Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 The Strategic Analysis of Industries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 Competitive Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Chapter 11: Global Business Environments  107
    Learning objectives  107
    Business Globalization  107
    The History of Globalization  108
    Problems of Globalization  109
    Cultural Issues in Globalization  110
    Organizational Culture  111
    Culture and Ethics  112
    The Nature of Industries  113

Chapter 12: Organizational Behavior  115
    Learning objectives  115
    The Organizational Behavior of Managers  115
    Groups within Organizations  116
    Conflict  119
    Group Decision-making  120
    Group Techniques  120

Chapter 13: Management Skills  121
    Learning objectives  121
    The Evolution of Management Practices  121
    Current Management Theory  125
    Skills Required of a Modern Manager  126
    The Challenges of Increasing Business Uncertainty  126
    Types of Managerial Decisions  127


    Values and Job Satisfaction  128
    Leadership Styles  128
    Motivation  129
    Work Stress  130
    Building Staff Competencies  132
    Performance Management  132

Chapter 14: Auditing Business Process Cycles  133
    Learning objectives  133
    Auditing Business Process Cycles  133
    Revenue and Receivable Business Cycles  133
    Supply Chain Management  134
    Inventory and Production Cycles  135
    Payroll and Human Resource Cycles  136
    Research and Development Cycles  137
    Contract Auditing  138
    Auditing Corporate Strategy  139

Chapter 15: Negotiation Skills  141
    Learning objectives  141
    Negotiation  141
    The Climate for Negotiations  142
    Negotiating Common Ground  143
    Power  143
    Persuasion  144
    Negotiating Conflict  144
    Interviewing  145
    Negotiating/Interviewing as a Consultant  147

Section 3: The Practice of Internal Auditing  149
Chapter 16: Types of Internal Audit  151
    Learning objectives  151
    Compliance Audits  151
    Financial Audits  151
    Performance and Operational Audits  152
    Environmental Audits  152
    Fraud Audits  153
    Quality Audits  154
    Program Results Audits  154
    IT Audits  155
    Application Audits  155
    Audits of Significant Balances and Classes of Transactions  155
    Impact on the Skill Mix  156

Chapter 17: The Internal Audit Process and Documentation  157
    Learning objectives  157
    Objectives of Audit Service Delivery  157
    The Macroprocesses of the Internal Audit Process  158


    The Management Process  160
    Implementation of the Generic Audit Process  162
    The Audit Process Structure  163
    Audit Testing  166
    Developing and Reporting Findings and Recommendations  166
    Audit Evaluation  168

Chapter 18: Control and Performance Evaluation  169
    Learning objectives  169
    The Nature of Internal Controls  169
    Internal Controls  169
    Testing of Internal Controls  174

Chapter 19: Engagement Planning  175
    Learning objectives  175
    Engagement Planning  175
    Planning  175
    Unplanned Work  178
    Project Management  178

Chapter 20: Audit Reporting and Follow-up  183
    Learning objectives  183
    Reporting  183
    Audit Reporting  183
    Clear Writing Techniques  184
    Preparing to Write  185
    The Basic Audit Report  185
    The Executive Summary  185
    Detailed Findings  186
    Polishing the Report  186
    Distributing the Report  186
    Interim Reporting  187
    Closing Conferences  187
    Follow-up Reporting  187
    Types of Follow-up Action  188
    Audit Follow-up Policies  188

Chapter 21: Audit Engagement Tools, Statistics and Quantitative Methods  190
    Learning objectives  190
    Audit Engagement Tools, Statistics and Quantitative Methods  190
    What is Sampling?  190
    Why Do We Sample?  191
    Judgmental (or Non-mathematical) Sampling  191
    Statistical Approach  192
    Sampling Risk  192
    Assessing Sampling Risk  193
    Planning a Sampling Application  194
    Quantitative Methods  198


    Ratio and Regression Analysis  200
    Project Scheduling Techniques  200
    Simulations  201

Section 4: Business Analysis  203
Chapter 22: Corporate Governance  205
    Learning objectives  205
    International Corporate Governance Developments  205
    Corporate Stakeholders and Governance  208
    Investors, qua Owners  209
    Board Structure, Roles and Responsibilities  210
    Board Committees  212
    The Role of Audit Committees  213
    External Audit  215
    Internal Audit  215
    A Risk-based Approach to Internal Audit  218
    Resourcing Internal Audit  218
    Outsourcing Internal Audit  219

Chapter 23: Financial Accounting and Finance  220
    Learning objectives  220
    Financial Reporting  220
    Auditing the Financial Reporting Process  222
    Appointment of External Auditor and Consultants  222
    Audit Plans and Co-ordination with External Audit  224
    External Auditors’ Use of the Work of Internal Audit  224
    Internal Controls over Financial Reporting  226

Chapter 24: Cost and Managerial Accounting  227
    Learning objectives  227
    The Importance of Cost and Managerial Accounting Principles  227
    A Value Chain for Business  228
    The Public Sector  229
    Cost Accounting Principles  230
    Analyzing Costs and Evaluating Cost Management  234
    Capital Budgeting and Cost Analysis  235
    Quality Control Costs  235

Chapter 25: The Legal and Regulatory Environment  237
    Learning objectives  237
    The Legal and Regulatory Environment  237
    Impact on the Internal Auditor  238
    Identifying and Monitoring Non-compliance  238
    Internal Audit Programs to Evaluate the Effectiveness of Controls  239


Section 5: Information Technology  241
Chapter 26: Auditing Information Technology  243
    Learning objectives  243
    Control and Audit of Information Technology  243
    Some Computing Terminology  243
    Systems of Internal Control  249
    General Control Objectives  250
    Program Control Objectives  251
    Batch vs Online  252
    Other Communication Concepts  253

Chapter 27: Auditing General and Application Controls  255
    Learning objectives  255
    The Control Environment  255
    Computer Operations Controls  256
    Application Controls  259
    Systems Controls  260
    Overall Control Objectives  261

Chapter 28: Auditing Systems under Development  263
    Learning objectives  263
    Why Do Systems Fail?  263
    Systems Development  265
    Micro-based Systems  273

Chapter 29: The Use of CAATs in Auditing Computerized Systems  274
    Learning objectives  274
    Computer-assisted Audit Tools and Techniques  274
    CAATs Case Study  278

Chapter 30: Auditing Security and Privacy  279
    Learning objectives  279
    Security  279
    Criteria  279
    User Authentication  280
    Auditing Operating Systems  281
    Auditing Communications Security  282

Chapter 31: Disaster Recovery and Business Continuity Planning  285
    Learning objectives  285
    Disasters: ‘Before and After’  285
    Business Continuity Planning  289
    Business Impact Analysis  290

Chapter 32: Auditing e-Commerce and the Internet  294
    Learning objectives  294
    Changing the World  294
    e-Commerce  295
    The Internet  300


Chapter 33: Current and Emerging Technology Issues for Internal Auditors  311
    Learning objectives  311
    IT Audit Approach and Methodology  311
    IT Governance  313
    Project Management  313
    Outsourcing  315
    Cloud Computing  316
    Smart Mobility  317
    Social Media  318
    Advanced Persistent Threats and Targeted Cyber Attacks  320

Section 6: Fraud and Forensic Auditing  323
Chapter 34: Fraud Auditing  325
    Learning objectives  325
    Fraud Detection and Identification  325
    The Context of Fraud  325
    Red Flags for Fraud  330
    Personal Fraud Indicators  331
    Triggering Events  332
    Fraud Prevention  332
    Codes of Conduct  335
    Internal Audit  336

Chapter 35: Forensic Evidence  337
    Learning objectives  337
    Courts and the Administration of Justice  337
    Forensic Evidence  338
    What Constitutes Best Evidence?  339
    Forensic Audit Department  340
    Polygraph Testing  341

Chapter 36: Conducting Fraud Investigations  343
    Learning objectives  343
    What are Fraud Investigations?  343
    Elements Required to Establish Evidence of Theft  343
    The Power of the Investigator  344
    Corporate Investigation  345

Chapter 37: IT Fraud Investigation  349
    Learning objectives  349
    The Exponential Growth of Computer Crime  349
    Classification of Computer Fraud  349
    The Investigation of IT Frauds  350

Appendices  357
    Appendix A  Internal Auditors’ Guidelines  359
    Appendix B  Sample Audit Committee Charter  360
    Appendix C  Sample Internal Audit Charter  362


    Appendix D  Working Papers  365
    Appendix E  General Standards of Completion  370
    Appendix F  Sample Working Papers  373
    Appendix G  Sample Job Descriptions  384
    Appendix H  Sample Engagement Contract  396
    Appendix I  Sample Audit Program  397
    Appendix J  Sample Audit Report  400

Index  405


Preface

The capital markets, rocked by recent corporate scandals and business failures, are demanding sound corporate governance from corporations and from those charged with the governance of publicly listed companies, financial services entities, large non-governmental organizations and the public sector. Investor confidence has been severely eroded by these events and by the tangled web of multiple stakeholders involved. It is in this context that the role of the internal auditor has come to the fore, able to support management in meeting its responsibilities for responsible, accountable and transparent governance and risk management. To restore public confidence in governance processes, government regulations have become more stringent, and the corporate governance reports recommending change all include requirements for greater involvement by internal audit and an enhanced role for audit committees. Auditing standards governing external auditors have become more demanding, and legislation such as the Sarbanes-Oxley Act in the United States reaches across the world in demanding evidence of compliance from US-listed companies and their affiliates wherever they operate. The internal auditor has an important role to play in this process, whether employed by the organization or providing outsourced internal audit assurance services. The Institute of Internal Auditors believes that organizations are best served by a fully resourced and professionally competent internal auditing staff providing value-added services that are critical to the efficient and effective management of an organization. This book addresses the area of professional competence within internal auditing staff. The text is designed primarily for lecturers and students of Internal Auditing at undergraduate and postgraduate level who intend to pursue a career in internal auditing, as well as for those with a specialist interest in governance, risk and control issues for organizations.

The text covers the basic concepts, philosophy and principles underlying the practice of internal auditing, including the relationships between the internal auditor, management and the external auditor. In addition, the student will gain knowledge and understanding of the nature of an organization, of risk management and the role of internal auditing in managing organizational risks, and of current developments in corporate governance in both the public and private sectors. The text will also prove an invaluable aid to those studying for the Certified Internal Auditor professional qualification, since it addresses the syllabus requirements of the Institute of Internal Auditors, the Standards for the Professional Practice of Internal Auditing and the Competency Framework for Internal Auditors. Access to the IDEA® data analysis software with the educational case study is an added bonus, exposing students to a hands-on application of CAATs.


The text represents a practical, integrated approach to the Institute of Internal Auditors’ recommended internal audit approach, and may be implemented within an Internal Audit Department in a cost-effective manner. Accordingly, the text may also be useful as a reference manual for internal audit in practice. The book is recommended reading for:
➤ students of Internal Auditing at universities and universities of technology preparing for BCom, BComHons and BTech examinations and for the professional CIA examination of the Institute of Internal Auditors Inc;
➤ internal and external auditors employed in internal audit departments or in professional practices providing outsourced internal audit or management assurance services;
➤ internal auditors employed in public sector departments and municipalities governed by the Public Finance Management Act and the more recent Municipal Finance Management Act; and
➤ senior financial personnel charged with responsibility for corporate governance, risk management and internal controls.


The Author

Richard Cascarino CIA, CRMA, CFE, CISM

Richard Cascarino is CEO of Richard Cascarino & Associates, a successful audit consulting and training company based in Johannesburg, SA and Denver, USA. He has been involved in the development of courses in internal auditing, IT auditing and governance for the School of Accountancy, University of the Witwatersrand, Johannesburg. His books are used at universities worldwide and as reference guides for internal, IT and forensic auditors. He is chairman of the Audit and Risk Committee of the Department of Public Enterprises in South Africa.

Acknowledgements

This textbook is the third edition of a book which was originally a dream that I had for many years, and that Sandy van Esch had co-authored in its first edition. Without Sandy’s encouragement there would have been no book. There had been a demand for many years for an affordable internal auditing textbook for students at universities and universities of technology in southern Africa that incorporates local laws and regulations affecting the internal audit practitioner in this region, while at the same time preparing students for the professional, international CIA examinations. I hope that the text will go some way to address these demands. I wish to thank sincerely all those who contributed to the text along the way and helped ensure that it reflects current practice, and for permissions granted to use copyright material. In particular my thanks go to:
➤ Margaret Cascarino and my family for their support.
➤ CaseWare International for permission to add the educational version of IDEA© as downloadable with this book.
My sincere appreciation as well to the editorial and production team at Juta Academic.

Richard Cascarino CIA, CRMA, CFE, CISM
Johannesburg, 14 November 2014


SECTION 1
Theory of Internal Auditing

CHAPTER 1
The Emerging Role of Internal Auditing

Learning objectives

After studying this chapter, you should be able to:
➤ Outline briefly the origins and history of internal auditing
➤ Explain the development of the internal auditing profession in South Africa
➤ Explain the emerging role of internal auditing
➤ Explain the different responsibilities of an internal auditor
➤ Define the contents of an internal audit charter

In the Beginning ...

From early times dating back to 3500 BC, extant records of various civilizations indicate, by patterns of checks and ticks, that verification of records took place. In ancient Egyptian, Greek, Chinese and Roman civilizations, rulers sought to confirm official records by comparing two sets of such records. Presumably this was done by two officials working together, with one official reading from one of the record sheets and the other checking against the other record sheet: the name ‘auditor’ derives from the Latin ‘auditus’, meaning ‘hearer’. With the fall of the Roman Empire, auditing and control disappeared, and it was not until the Middle Ages that the growth of centralized control once again demanded proof of the adequacy and correctness of record-keeping.

The Genesis of Internal Auditing

The profession of internal auditing, as with many other professions, has its roots in the industrial revolution of the nineteenth century. The enormous growth of the business sector found existing professionals scrambling to keep up. Specialists appeared, coping with such innovations as corporate law, banking provisions and bankruptcies. This led to the formation of a plethora of organizations and associations that over a period of time amalgamated into the British Institute of Chartered Accountants and the American Certified Public Accountants in their respective countries. The main difference, at that time, was the method of achieving professionalism within the two bodies. The American body adopted a style combining the academic and business worlds and produced professionals that were a hybrid of both. The British institute took the more traditional English path of a trade apprenticeship outside of the tertiary education system.


INTERNAL AUDITING: AN INTEGRATED APPROACH

This situation continued into the mid-1950s, with the two institutes dominating the business world in those countries and becoming an increasingly integrated part of corporate life, to the extent that almost half of all qualified professional accountants were employed outside audit firms. By the start of the 1940s, professional internal control evaluators were employed and distributed throughout organizations to such an extent that the differentiation between internal and external auditors became a meaningful concept. The statutory role of the external auditor has remained as the attest function, confirming that the financial records of organizations have been fairly presented. The role of the internal auditor has developed over the past 70 years to one of assisting management in the discharge of their responsibilities by ensuring that the internal control structures are appropriate to a given level of risk and function, as management intended. Increasingly, internal auditors are called upon to act as internal control, risk and corporate governance consultants within organizations.

The Institute of Internal Auditors (IIA)

In 1941, the Institute of Internal Auditors Inc. was formed. Based in New York, it was confined to America only. Its role was to provide a clearing house for ideas and education, and generally to unite the developing profession. After World War II, the growth in multinational corporations virtually guaranteed the spread of the IIA to the rest of the industrialized world. The IIA was not alone in this. External audit firms formed working agreements with other firms across national boundaries, which eventually led to the large international partnerships we see today. By the 1960s, the IIA had grown and flourished, becoming the acknowledged international leader of the internal auditing profession. The IIA’s motto of ‘Progress Through Sharing’ defined its role as a non-elitist coming together of like-minded individuals to offer mutual support and advancement through the propagation of knowledge. From the IIA’s inception, it was recognized that the multidisciplinary and evolutionary nature of the business world would have to be reflected in the IIA. It had therefore to provide the umbrella beneath which individual skills and talents needed to audit the internal control mechanisms of modern business could come together as equals to share knowledge and to grow in the process. The IIA has defined its vision as follows: ‘The IIA will be the global voice of the internal audit profession: Advocating its value, promoting best practice, and providing exceptional service to its members’ and its mission as follows:

‘The mission of The Institute of Internal Auditors is to provide dynamic leadership for the global profession of internal auditing. Activities in support of this mission will include, but will not be limited to:

➤ advocating and promoting the value that internal audit professionals add to their organizations;
➤ providing comprehensive professional educational and development opportunities; standards and other professional practice guidance; and certification programs;
➤ researching, disseminating, and promoting to practitioners and stakeholders knowledge concerning internal auditing and its appropriate role in control, risk management, and governance;
➤ educating practitioners and other relevant audiences on best practices in internal auditing; and
➤ bringing together internal auditors from all countries to share information and experiences.’1

Internal Auditing

Internal auditing has been defined by the IIA as follows:

‘Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Independence is established by the organizational and reporting structure. Objectivity is achieved by an appropriate mind-set. The internal audit activity evaluates risk exposures relating to the organization’s governance, operations and information systems, in relation to:

➤ effectiveness and efficiency of operations;
➤ reliability and integrity of financial and operational information;
➤ safeguarding of assets;
➤ compliance with laws, regulations, and contracts.’2

Internal Auditing has traditionally been based on the paradigms of:

➤ internal control = management control;
➤ management control starts with governance;
➤ top management can control everything; and
➤ internal control is imposed from the top.

Today’s business environment indicates that a more appropriate paradigm might be that continuous improvement focuses control with owners of the process. The role of internal audit must change to reflect this new reality. The fact that internal audit is ultimately responsible to the organization will not change; however, the owners of the process are becoming the custodians of internal control rather than traditional management structures. Internal auditors frequently become experts at describing the best design and implementation of all types of controls. However, internal auditors are not expected to equal – let alone exceed – the technical and operational expertise pertaining to the various activities of the organization. Nevertheless, they may help the responsible individuals achieve more effective results by appraising the existing controls and providing a basis for helping to improve them. With the increased demand for sound corporate governance processes, the role of the internal audit is evolving into a more advisory role to assist management with risk identification processes and the design of appropriate controls for effective management of such risks at the various levels of the organization.

1. www.theiia.org.
2. www.theiia.org.


What is Management?

Management can be defined as the optimization of the utilization of corporate resources through the planning, organizing, leading and controlling of the members of any organization. It is a process of continuous improvement in which the business itself is constantly adapting to its environment, and management is changing in the same way.

The Management Process

The management process begins with an understanding of the organization’s business. Until this is achieved, any attempt to decide on organizational needs will be at best misleading and at worst disastrous. Once the overall objectives and environment of the business have been established, establishing the needs becomes a comparatively easy task. The organization’s needs may be determined by identifying and examining the key activities whose effective performances can either make or break it. These key activities must themselves be monitored and therefore ambitious performance objectives must be established early in the planning process. For every performance objective, there will be a range of threats, which, if fulfilled, will either reduce the effectiveness of or totally negate the objective. These must be assessed in a formal risk assessment to determine an appropriate corporate coping strategy. The coping or control strategies of the organization must be determined by management and appropriate controls designed to address the risks to be managed. The actual controls must be implemented and monitored and controls should exist to ensure that this happens. Controls, once implemented, must be effective in performance and periodically management must evaluate and review performance with this in mind.

Understanding an organization’s business

This is a combination of a theoretical approach using literature searches about the organization and its functions in the business press and relevant Internet sites, combined with a reading of the organization’s annual reports and other internal and external communications, in order to obtain the whole picture. This theory will be combined with a more practical approach involving interviewing staff in order to both evaluate their understanding of the business and confirm your own understanding. Site visits to observe the operation of specific business functions will also help. An auditor may obtain further information and confirmation by comparing the current understandings to those in effect and identified during previous internal audit reviews.

Establishing needs

Once an auditor has established the overall objectives and environment of the business, he/she must decide on its overall needs. A study of the organization’s mission statement should clarify the general performance objectives. Management should have established strategic plans and objectives in order to ensure that the general performance objectives are achieved. By interviewing executive management, employees, and perhaps even customers and suppliers, the auditor can determine what the business needs to successfully accomplish the objectives.


Identifying key activities

The auditor should then identify the major products and services provided to meet the business objectives. Once again, this will involve determining the level of management’s understanding of customer needs and numbers, the competition and their probable response patterns, as well as management’s understanding of which are their own key performance areas (KPAs), ie those activities that can make or break the organization.

Establishing performance objectives

For each KPA, performance objectives must be established. This involves defining core activity targets that are both achievable and at the same time stretch the organization’s capacity. Key performance indicators will be required to measure performance. The risks and threats that could lead to non- or underachievement must be assessed, including both external and internal threats.

Deciding on control strategies

Once the full risk analysis is complete, management are in a position to decide what activities must be ensured, which risks must be managed and which transferred. This, in turn, will dictate which risks can be cost-effectively prevented, which must be detected and how any risk can be corrected. Business risks must be prioritized, and here trade-offs will be required, since control measures are commonly contradictory, so that, for example, efficiency often has to be traded off against effectiveness.

Implementing and monitoring controls

Wishing controls into existence will not make them appear. Controls result from the planned and thoughtful intervention of management to achieve a specific end. For controls to be effective, they must be monitored. Monitoring may take several forms, including self-assessment, the use of regular audits and the introduction of continuous improvement programs. Controls must be frequently reviewed for both their ongoing relevance and their effectiveness, and must be modified and adapted where required.

Evaluating and reviewing performance

The auditing process is designed to determine where to audit as well as what to audit, and may use any and all of:

➤ control strategy assessment;
➤ control adequacy and effectiveness;
➤ performance quality assessment;
➤ unit performance reporting; and
➤ follow-up.

Overall, the standards of audit performance must be set at a professional level. This normally means to a level laid down in the IIA’s Standards for the Professional Practice of Internal Auditing.

Executive Management’s Responsibility and Corporate Governance

Corporate governance can be defined as the relationship among various participants in determining the direction and performance of companies and involves:

➤ shareholders;
➤ management; and
➤ the board of directors.

Under this definition, the objectives of a corporation may be further defined as including the attainment of human satisfaction in a social structure. Efficiency and effectiveness, flexibility and continuity then form a significant part of fulfilling a corporation’s objectives. Management then become the link between the providers of capital (owners and shareholders) and the users of capital (operational or functional management). Executive management will normally review and approve financial and operating objectives. They will also offer advice to general management, recommend board candidates and review the adequacy of internal controls.

Professionalism within the Internal Auditing Function

Internal auditing responsibilities include:

➤ reviewing the reliability and integrity of financial and operating information;
➤ reviewing operational systems to ensure compliance with policies, plans, procedures, laws and regulations;
➤ reviewing the means of safeguarding assets and verifying their existence;
➤ appraising the economy and efficiency of the use of resources; and
➤ reviewing operational effectiveness.

Internal audit can demonstrate its professionalism by adhering to the IIA’s Standards for the Professional Practice of Internal Auditing. Adherence can also assure the head of internal audit that internal audit is complying with company and departmental policies and procedures, and that fieldwork also complies with these policies and procedures. The board of directors gains assurance that the internal audit function complies with internationally accepted norms, while the independent external auditors will be satisfied that the work of internal audit can be used as audit evidence for particular aspects of their work. Internal auditors themselves also gain confidence that they are achieving quality and proficiency of output at a measurable and acceptable standard.

The Internal Audit Charter

The principle that any internal audit charter developed by an organization should follow is embodied in the following extract from IIA Practice Advisory 1000-1: Internal Audit Charter.

‘The purpose, authority, and responsibility of the internal audit activity should be defined in a charter. The chief audit executive (CAE) should seek approval of the charter by senior management as well as acceptance by the board. The approval of the charter should be documented in the governing body minutes. The charter should: (a) establish the internal audit activity’s position within the organization; (b) authorize access to records, personnel, and physical properties relevant to the performance of engagements; and (c) define the scope of internal audit activities.’

Whilst internal audit charters have a common approach and structure, the details of each individual charter must be uniquely formulated to meet the needs of a given organization. Its function is to lay down the relationship and responsibilities that should exist among the chief executive, the head of internal audit and the line managers. The chief executive should take a close interest in the drafting of the charter, since it is a definition of the terms of reference for the head of internal audit. If these are defined, they will provide top management with a reliable way of measuring the reliability and quality of internal control within an organization. They also act as a point of reference when internal audit’s structure, plans or reports are being reviewed. For the head of internal audit, the charter provides an essential foundation containing absolute directives and objectives that must always be kept in view. These facilitate the drafting of job specifications and descriptions, as well as internal audit manuals and audit plans. To the main body of organizational managers, the charter indicates the level of authority to act delegated to the head of internal audit in reviewing each of their systems of internal control. They will, correctly, expect to see constraints within the body of the document that preserve their rights as decision makers.

Content

The head of internal audit usually selects the form, content and wording of the charter. These will be influenced by internal audit standards and should encourage best professional practice. Both the chief executive and the chairman of the audit committee will normally sign the charter (Appendix C contains a sample internal audit charter). The actual content will include:

➤ a formal definition of internal audit within the organization and its key objectives;
➤ the authority under which the head of internal audit acts, including the line of reporting, as well as rights of access to people, properties, assets and records; and
➤ terms of reference describing in detail the role and working objectives of the head of internal audit.

The Relationship of Internal Audit to Other Company Activities

An understanding of the relationship between internal auditing and other company activities is needed in order to fully understand the nature of internal auditing. An internal auditor must be detached from the normal operations of the company in order to be truly independent and objective. Management may occasionally attempt to assign line responsibilities to an internal auditor. In addition, an internal auditor must not attempt to usurp the role and responsibility of management.

The Relationship of Internal Audit to the Board of Directors

In recent years, the board of directors has been playing a more active role in corporate governance and internal control. One of the ways that boards have coped with these increased responsibilities is through the establishment of an audit committee. (Refer to Chapter 22 for a more detailed discussion of this.) Although in many companies the actual role of the audit committee is still evolving, it is intended to include maintaining an overview of the effectiveness of the system of internal control, the completeness and integrity of the financial statements, and the adequacy of the total audit effort. As stated, an internal auditor normally has a dual relationship with corporate management and with the audit committee.

The Relationship of Internal Audit to the External Auditor

While the external auditor has a statutory responsibility to parties outside the client company, the internal auditor is primarily responsible to the organization and all of its stakeholders. Although the two groups have different objectives, there are many common areas of concern that provide a basis for an extensive co-ordination of effort.

The Relationship between Internal Audit and the Audit Committee

Of the many committees involved in the governance and control of organizations, the audit committee has the most significant impact on the role and effectiveness of the chief audit executive (CAE). Audit committees fulfill a similar function within all organizations; however, the nature of the organization itself can prescribe a particular emphasis in the working of the audit committee. This, in turn, affects the nature of the relationship between the chief audit executive and the committee as a whole. The authority of an audit committee derives from the board of directors, the rules and regulations within the organization, as well as any relevant governance legislation of the country or countries within which the organization operates and the operative market sector. Its primary function is to assist an organization to achieve an effective internal control structure derived directly from the tone at the top.

The Relationship with Internal Audit

A healthy relationship with the internal auditors can be fostered when the audit committee chair ensures the keeping of open communications channels. This can take many forms including getting to know the CAE on a personal basis, frequent contact between meetings, and the committee chair taking an interest in, and caring about, the internal audit activity. It is also good practice for the audit committee chair to meet with the entire senior internal audit staff from time to time to get to know some of the individuals who report to the CAE, and to thank them for their efforts. The audit committee provides internal audit with oversight, strategic direction, accountability and enforcement where required. Part of its oversight involves ensuring that the internal audit function is properly positioned, adequately resourced and strongly supported, including reviewing and approving:

➤ the internal audit activity’s charter and mission statement to ensure the needs of the organization can be met;
➤ the annual work plan to ensure all significant risk areas are being appropriately addressed and that no inappropriate restrictions are placed on the scope of internal audit activities;
➤ the adequacy of resources, skill levels, and budget to ensure the work plan is achievable within the appropriate time; and
➤ the selection of internal audit projects, adequacy of performance and appropriateness of recommendations.

The CAE needs to be up to date on appropriate governance best practices and trends for the area within which the organization operates as well as its market sector. There will always be a need to remain current on emerging issues and the audit committee will seek reassurance in this area. The audit committee also needs assurance that the internal auditors understand the overall corporate strategy and have sufficient professional judgement to identify all forms of risk at an early enough opportunity to facilitate management intervention where appropriate. In order for the audit committee to be appropriately assured, performance assessment of both the CAE and internal audit will be required.

Independence

The audit committee relies heavily on the internal audit function to provide objective opinions, information and, when necessary, education to the audit committee, while the audit committee in turn will provide oversight and validation to the internal audit function. In today’s environment this could include the outsourcing or co-sourcing of all or part of the internal audit function, but the audit committee should ensure that the role of the chief audit executive remains within the organization itself. As part of the audit committee’s responsibility for ensuring the independence of internal audit, the audit committee is responsible for providing input into the appointment, dismissal, evaluation, compensation, and succession planning of the chief audit executive. This is a critical activity of the audit committee since the CAE will, of necessity, have a high degree of interaction with the audit committee. The committee will typically seek to ensure that candidates for a CAE position have distinguished themselves professionally. They would normally have an advanced degree, the appropriate professional designation, and several years’ experience in an audit supervisory role. The committee is also responsible for ensuring that a continuous quality assurance (QA) program within internal audit exists and that full disclosure of the results be made to the audit committee, in order to give the audit committee assurance that the work of the internal audit function is being conducted to internationally accepted standards. The CAE is functionally required to ensure quality on an ongoing basis. This may include benchmarking to develop an internal auditor scorecard for the audit committee to use for assessing the performance of the internal audit function. An objective and independent evaluation would, nevertheless, include such areas as audit scope and coverage (including financial, compliance, operational, IT, and fraud auditing), audit capabilities, independence, objectivity, supervision and project quality control. The Standards for the Professional Practice of Internal Auditing©3 promulgated by the Institute of Internal Auditors requires that an external Quality Assurance Review (QAR), performed by appropriately qualified reviewers and carried out to professional standards, be conducted every five years.

3. Available from the Institute of Internal Auditors – http://www.theiia.org


Three Lines of Defense

As part of the King III findings, companies are expected to operate using a triple bottom line, namely social, environmental and economic issues. This approach recognizes the impact of the modern organization on both society and the natural environment and the imperative for good corporate citizenship, and again shifts the focus of internal audit to ensuring that the control structures are appropriate to achieve such a triple bottom line. This should not be confused with the Three Lines of Defense or LOD model as defined by the IIA in their 2013 Position Paper4, which categorizes management control as the first line of defense, the various risk, control and compliance oversight functions under the direction of management as the second line of defense, while independent assurance forms the third line. Under this model, both management controls and the implemented internal control measures form the first line of defense, while the second line of defense is made up of risk management, financial control, quality assurance, security, inspection and compliance. Internal audit is seen to be the underpinning of the third line of defense.

The Changing role of Internal Audit in Today’s Business Environment

Over recent years, the nature and role of the internal audit function have changed as, indeed, the nature of business has changed. Increasing regulatory changes resulting in higher levels of demand from governing bodies within organizations have shifted the focus of many internal audit functions from straightforward compliance to a wider range of evaluation criteria. The organizational focus on enterprise-wide risk management (ERM) including, in some instances, the expansion of the role of the audit committee into an audit and risk committee, brings changes to the internal audit role and requires the function to provide objective assurance to the board on the effectiveness of the organization’s ERM activities. This moves internal audit from ensuring that business key risks are managed appropriately within an effective internal control framework into assisting in and evaluating such areas as:

➤ identification and prioritization of operational and strategic risks across the business activities of the organisation;
➤ identification and quantification of changing risk factors as business priorities and initiatives change and key performance indicators change accordingly;
➤ the effectiveness of organization processes and systems in maintaining the alignment with the changing business strategies and priorities; and
➤ the use of data analytics to understand the nature and threats of the evolving business environment.

4. Available from the Institute of Internal Auditors – The Three Lines of Defense in Effective Risk Management. https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Three%20Lines%20 of%20Defense%20in%20Effective%20Risk%20Management%20and%20Control.pdf


The traditional audit role of independent adviser on value preservation through the application of effective and efficient internal control structures moves to a role including the strategic issues leading the business and the improvement of value creation by supporting risk management across the organization. Overall, the range of activities being performed by internal audit is increasingly trending towards an advisory role and support for strategic initiatives. In addition, the recognition that the overall Governance, Risk and Compliance activities are intrinsically interconnected and rely on common information sources, technology and processes has meant that internal audit must, itself, morph into an integrated discipline leveraging the insider knowledge of the organizational processes and environment. This means that internal audit has to comprehensively understand the stresses operating on the business through the use of the appropriate data analytical tools and methodologies. Internal audit is increasingly moving towards development of improved skilled resources in order to achieve the data analytical capabilities required. Overall, this means that internal audit must strike a balance between the assurance and advisory functionality. Internationally, internal audit is seen to be playing a more prominent role in strategic initiatives such as the implementation of major capital projects and critical IT systems implementation. The strengthening of internal controls in order to prevent fraud and corruption continues to be an imperative, with particular reference to the corporate need to reduce costs overall. In order to maximize benefits, an improved integration of internal audit with other corporate risk interventions is required to avoid duplication of efforts. In small-to-medium sized companies, internal audit is seen to play a pivotal role within ERM and in some cases actually administer the programs.


CHAPTER 2: The IIA’s Standards for the Professional Practice of Internal Auditing

Learning objectives

After studying this chapter, you should be able to:

➤ Outline briefly the history and purpose of the IIA Standards
➤ Differentiate between attribute and performance standards and explain the role of each in achieving internal audit quality
➤ Explain the role of audit standards and Practice Advisories

Origins

In 1978, the IIA introduced the Standards for the Professional Practice of Internal Auditing to be used around the world in order to provide international consistency and as a measurement tool for audit quality assurance. These consisted of five general and 25 specific Standards, together with numerous Statements on Auditing Standards. The Standards are considered mandatory, while non-mandatory Guidelines are also included. The IIA Standards were intended to establish a yardstick for consistent measurement of internal auditing operations. This allowed the unification of internal auditing worldwide by improving internal audit practice; proclaiming the role, scope, performance and objectives of internal auditing; promoting the recognition of internal auditing as a profession; and promoting responsibility within the internal auditing profession. As part of its ongoing research into the evolving role of internal auditing, the IIA undertook an extensive research project known as the Competency Framework for Internal Auditing (CFIA). It was intended to update the common body of knowledge (CBOK) expected from a professional internal auditor. The CFIA included not only the competencies needed by auditors, but also how these competencies would be assessed. Based on this research, the IIA brought together an international group of audit professionals, the Guidance Task Force (GTF), to formulate a guidance framework for the future. This resulted in the Professional Practices Framework, which comprises mandatory, advisory and practical guidance in the forms of the Standards for the Professional Practice of Internal Auditing, Practice Advisories, and Development and Practice Aids, respectively. In January 2002, the IIA adopted revised standards. Included within these revisions is the new definition of internal auditing:

‘Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.’

Mandatory
IIA Practice Advisory 1300-1: Internal Audit Quality Assurance and Improvement Program, requires the following: ‘The Chief Audit Executive (CAE) is responsible for establishing an internal audit activity whose scope of work includes all the activities in the Standards and in The IIA’s definition of internal auditing’ (Introduction, p. 3).

Compliance with both the IIA’s Code of Ethics (Appendix A) and the Standards is mandatory. All mandatory statements are first promulgated for discussion by the entire profession through the issuing of exposure drafts. The individual internal auditor or internal audit practitioner, and an internal audit function or department in an organization, will consider compliance with the IIA Standards essential for the delivery of professional services.

Advisory
The Guidelines were replaced with Practice Advisories representing the best approaches to implementation of the Standards. Essentially, the Practice Advisories are designed to assist an auditor by interpreting the Standards in a variety of internal auditing environments. Practice Advisories will continue to be issued from time to time, both as general aids and to meet specialized needs within a given industry, geographic location or audit speciality. An example of these requirements is contained in IIA Practice Advisory 1210-1: Proficiency, which requires the following of an internal auditor: ‘Proficiency in applying internal audit standards, procedures, and techniques is required in performing engagements. Proficiency means the ability to apply knowledge to situations likely to be encountered and to deal with them without extensive recourse to technical research and assistance.’

Aids
The IIA has also developed or endorsed Development and Practice Aids. These include educational products, research studies, seminars, conferences and other aids related to the professional practice of internal auditing. These are not intended to be either compulsory, as are the Standards, or advisory, as are the Practice Advisories. They are intended solely to assist in the development of internal audit staff by introducing them to techniques and processes developed by a variety of experts in their fields.

New Standards for the Professional Performance of Internal Auditing
The individual Standards themselves have been regrouped and redefined into attribute, performance and implementation Standards.

Attribute Standards
These address the attributes of organizations and individuals performing internal audit services, and apply to all internal audit services.

Performance Standards
These describe the nature of internal audit services provided and give quality criteria against which the performance of these services can be measured.

Implementation Standards
These prescribe standards applicable in specific types of engagements in a variety of industries, as well as specialist areas of service delivery. The Standards for the Professional Practice of Internal Auditing and a list of the current Practice Advisories are downloadable (see Appendix A).

Internal Auditor Education
A variety of educational qualifications are available in southern Africa. These range from degrees at BCom, BCom (Hons) and BTech level to diploma courses offered by both university and private educational establishments. These can be studied on a full- or part-time basis and are generally based on the Competencies Framework of the IIA worldwide.

Certified Internal Auditor
One distinguishing characteristic of a profession is the existence of a measurable body of knowledge and competencies that a member of the profession may reasonably be expected to possess. For internal auditors, this is demonstrated by the attainment of the Certified Internal Auditor (CIA) designation. This is a prerequisite for personal career growth, as well as for organizational governance success. The CIA is the only globally accepted certification designation for internal auditors and is the standard by which the competency and professionalism of individuals in the internal auditing field is established. The CIA program is based on the IIA’s Competency Framework and CIAs must demonstrate their mastery of management principles and controls, as well as audit standards and practices. In addition, expertise in information technology and emerging strategies to improve business and government must also be demonstrated. Internationally, an individual does not have to be a member of the IIA to take the certification examinations or to become certified, although the IIA (SA) has implemented a local rule that requires membership. Regardless of membership, all candidates and certified individuals must agree to abide by the IIA's Code of Ethics⁵, and practising internal auditors with an IIA certification must comply with the IIA's International Standards for the Professional Practice of Internal Auditing.

5. Available from http://www.theiia.org/iia/index.cfm?doc_id=92


Requirements of the international IIA to qualify to write the CIA examinations include:
➤ a US Baccalaureate four-year degree or equivalent. In South Africa, an undergraduate degree (usually three years) in a relevant field is taken as the equivalent. Credit is given for certain modules of the CIA examination depending on other qualifications held (for further details, see the IIA’s website at http://www.theiia.org);
➤ three years’ practical experience in:
  ◗ an organization (in-house internal audit department); or
  ◗ a professional practice offering outsourced management assurance/internal audit services; and
➤ passing the CIA examinations.

CIA preparation courses are offered by a variety of organizations in southern Africa, including the University of the Witwatersrand, the University of Pretoria and Unisa, the IIA (SA) and Compact Business Services for the various stages of the CIA examinations. An individual can sit for the examination prior to satisfying the experience requirement; however, he/she will not be certified until his/her work experience is sufficient and all other requirements have been met. In all cases, the IIA requires that after certification, CIAs, CCSAs, CGAPs and CFSAs maintain their knowledge and skills and stay abreast of improvements and current developments in their area of certification through continuing professional education (CPE). This is facilitated through a self-certification process with the completion of required CPE hours on a biennial basis.

Certificate in Control Self-Assessment
Beginning in the 1990s, the concept of control self-assessment (CSA) emerged globally and grew into a truly innovative specialty area that today is highly regarded and widely accepted. In 1999, the IIA introduced the Certification in Control Self-Assessment (CCSA), giving practitioners validation of their knowledge of the various aspects of CSA, as well as the confidence to facilitate organizational change. The CCSA examination, offered twice a year in May and November, explores candidates’ knowledge of CSA fundamentals, process and integration. The study process assists candidates in honing their CSA knowledge; takes them through a review of related topics, such as risk, controls and business objectives; and generally primes them for CSA practice. Program candidates must also complete education, work experience and facilitation requirements. The CCSA certification serves as a professional recognition credit for Part IV of the CIA examination.

Certified Government Auditing Professional
The Certified Government Auditing Professional (CGAP) specialty certification is designed specifically for government auditing professionals at all levels. It tests the candidates’ comprehension of government auditing practices and methodologies as well as the government environment and related standards and risk/control models.


The CGAP certification serves as a professional recognition credit for Part IV of the CIA examination.

Certified Financial Services Auditor
The Certified Financial Services Auditor (CFSA) is the IIA’s specialty certification program that measures an individual’s knowledge of, and proficiency in, audit principles and practices within the banking, insurance and securities financial services industries. The CFSA examination tests a candidate’s knowledge of current internal auditing practices and understanding of internal audit issues, risks and remedies in the financial services industry. The CFSA certification serves as a professional recognition credit for Part IV of the CIA examination.


Chapter 3: Internal Audit Quality

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the need for quality reviews of the internal audit function
➤ Differentiate between internal and external reviews
➤ Identify acceptable external reviewers
➤ Describe the process for conducting an internal review
➤ Define the relationship between the IIA Standards and other standards bodies

Quality Assurance Reviews
‘The internal audit activity ... should adopt a process to monitor and assess the overall effectiveness of the quality program’ (Standard 1310).

In the modern world, the extremely low tolerance of failure of technical devices such as nuclear power plants, or of processes such as life-saving operations, has created extremely refined approaches to Quality Assurance. Total Quality Control was the revolutionary concept outlined in Feigenbaum’s book, Quality Control: Principles, Practice, and Administration,⁶ and nowadays is taken to consist of four major focuses:
➤ continuous process improvement, to make processes visible, repeatable and measurable;
➤ the intangible effects on processes and ways to optimize or reduce their effects;
➤ examining the way the user applies the product, which can lead to improvement in the product itself; and
➤ broadening management concern beyond the immediate product.

Today, internal audit functions are increasingly under pressure to provide value. Senior management and audit committees expect the internal audit function to be composed of an informed, experienced and objective team of well-qualified individuals. Unfortunately, not all internal audit functions are created equal. Frederick Taylor (1919) said as much nearly 100 years ago: ‘Among the various methods and implements used in each element of each trade there is always one method and one implement which is quicker and better than any of the rest.’⁷

6. Feigenbaum, A.V. 1951. Quality Control: Principles, Practice and Administration. New York: McGraw-Hill.
7. Taylor, F. 1919. The Principles of Scientific Management. New York: Harper & Brothers Publishers.


As such, many internal audit departments seek assurance of the professional quality of their work. They can obtain this through the performance of quality assurance reviews or reviews of best practices for the internal audit function. Quality Assurance Reviews (QARs) provide timely, independent and objective reviews of internal audit functions, their audits and their difficulties, including, but not limited to, an assessment of the quality of deliverables. QARs serve the wider corporate interest of assuring the adequacy and effectiveness of the internal audit function. To that end, QARs provide a common source of reliable information to those charged with the oversight of internal audit.

Within Standard 1310, the IIA recommends the assessment of the quality of the IA department through either an internal or external review. The quality assurance review evaluates the degree to which the internal audit department conforms to the IIA Standards and its own charter, plans, policies, procedures and systems, and the extent to which it meets the needs of its customers. External reviews are needed every five years in order to independently appraise the internal audit department’s operations. They should be conducted by qualified people who are independent of the organization and who do not have a conflict of interest, either real or apparent. QA professionals provide ongoing advice, counsel and recommendations to internal audit, the Audit Committee and/or executive management. The content of formal QA reports is consistent and provided in a timely manner to all key decision-makers as defined under their scope of work, normally including internal audit management, executive management and the audit committee. In addition to external reviews, internal quality assurance reviews should be conducted annually by members of the internal audit staff. This is a control self-assessment in order to assess the ongoing quality of the audit work that is being performed.

The standard IIA quality assurance review methodology allows the review team to assess:
➤ deviations in performance from acknowledged best practices for internal auditing, from IIA Standards, and from the internally prescribed internal audit function procedures; and
➤ the operation of the internal auditing function as perceived by the internal audit function’s members and customers.

The review team should also evaluate other issues that affect the internal audit function, including:
➤ the integration of the concepts of business controls into the internal audit practice;
➤ the adding of value to the organization by providing insights into efficiency and effectiveness;
➤ the optimization of internal audit staff performance;
➤ the effectiveness of communication with staff and company personnel;
➤ the development of internal audit staff, both personally and professionally;
➤ the use of technology to increase efficiency and effectiveness; and
➤ the effectiveness of ongoing internal quality assurance programs.

Performing a Quality Assurance Review
To comply with the requirements of Standard 1310, a quality assurance review must itself follow a standardized and professional approach. This takes the form of a five-stage process, including:
➤ planning and preparation;
➤ determining the customers’ needs;
➤ analyzing the internal audit process;
➤ communicating the results of the review; and
➤ ongoing improvement.

Planning and Preparation
As part of the planning and preparation process, the quality assurance review team reviews the latest quality standards and internal audit best practices as established by the IIA. At this stage, the team will normally plan its initial meetings with stakeholders and prepare its information requests for the internal audit department.

Determining the Customer’s Needs
The main aim of this phase is an assessment of management’s commitment to and support of internal auditing. This is done by getting comments and observations about the internal audit function from its customers, including management, the audit committee and auditees. An understanding of the environment within which the internal audit function operates is essential to gaining a clearer understanding of corporate objectives. In addition, where performance shortfalls are subsequently noted, practical recommendations for improvement can be drawn up. Without an understanding of the needs and wants of internal audit’s stakeholders, it is impossible to evaluate the quality of its service delivery.

Analyzing the Internal Audit Process
Critical internal audit processes are generally taken to include:
➤ developing the overall audit plan;
➤ planning individual audits;
➤ carrying out the audit program;
➤ communicating results; and
➤ follow-up.

In order to evaluate the process against the IIA Standards, the quality assurance review team needs a comprehensive understanding of the internal audit process implemented within the organization. The team should also be up to date with the latest of the IIA’s Practice Advisories in order to make acceptable recommendations for improving the existing process.

Communicating the Results of the Review
As with any audit, the aim of this phase is to communicate the results of the review to management and the audit committee in a form that meets their requirements. The report should make clear to management the overall conclusions, significant points and items requiring action. As such, it should interpret the results of the findings and focus the reporting on high-level aspects of the review, particularly for the audit committee. The audit committee may have questions about the review, and the quality assurance review team should be prepared to respond to requests for additional information or further insights on their findings. The report should normally include an assessment of the extent to which specific standards were achieved. Where deficiencies are noted, the findings, improvement opportunities and recommendations should be stated. As in any conventional audit, an action plan with dates and allocated responsibilities should have been agreed with the head of internal audit and should be included in the report.

Ongoing Improvement
The Japanese word kaizen has become popular in today’s organizational language and stresses the importance of efforts to constantly improve. This concept is the antithesis of commonly accepted notions of best practice. Some organizations consider that, having adopted Best Practice in their Internal Audit processes, further improvement is no longer a priority. Best Practice is a moving target involving the definition of methods used to get things done, and the benefits often include the assurance of quality results and consistency when the process is followed. As part of providing an effective service, ongoing quality improvement should focus on the overall objective of the audit process, namely the achievement of maximum customer satisfaction. This can be done by developing an understanding of all stakeholders’ needs and by attempting to exceed their expectations continuously. Constant simplification and improvement of the effectiveness of the internal audit processes will result in more efficient service delivery. As part of ongoing supervision and the management process, an internal audit should evaluate the degree to which it meets its stakeholders’ expectations.

Follow-up
As with any audit, the recommendations resulting from the quality assurance review are of little value if they are not effectively implemented. The quality assurance review team, together with the audit committee, must establish a clear follow-up process to make sure that the action plan is implemented and effective.

Quality Assurance Methodology
In order to achieve professionally acceptable standards of review, the conducting of a quality assurance review has been carefully structured by the IIA to follow a specific methodology. This involves, at a minimum, interviews with internal auditing stakeholders, and a review of the internal auditing department charter and of a representative sample of working papers and reports. The stakeholder interviews should be scheduled as early as possible in the process in order to structure the review to meet stakeholders’ requirements and expectations. All members of the review team must have a thorough knowledge of each of the IIA’s Standards, Practice Advisories and Development and Practice Aids, and of internal auditing best practices and the IIA’s Code of Ethics. In practical terms, this means that the individual members of the team should be operating at a certified internal auditor level of knowledge and experience. Team members should also have a thorough understanding of the policies and practices of the department. The IIA has developed a comprehensive set of tools and aids to assist in the process. These can be acquired directly from the IIA.


Chapter 4: Ethics Theory and Practice in the Modern World

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the primary classes of ethical theory
➤ Explain how ethical theories are applied to ethical decisions in business
➤ Explain the role of ethics in distinguishing a profession
➤ Briefly explain the structure of the IIA Code of Ethics
➤ Apply the code in a variety of situations of ethical choice
➤ Explain the function and structure of a corporate code of conduct

Business Ethics
An understanding of business ethics is relevant for an internal auditor, who will encounter ethical issues and dilemmas in his/her daily interaction with management and auditees in an organization, and in the organization’s interaction with the public sector, its employees, its customers, its suppliers and the community within which it operates. Therefore, before briefly examining the underlying ethical theories that have evolved over the centuries, it is useful to understand that the general areas of economic activity where management makes decisions often present tensions between ethical and legal choices. Rossouw⁸ identifies three main areas:
➤ the macro- or systemic dimension, consisting of the policy framework created by the state, which determines the basis for economic exchanges both nationally and internationally;
➤ the meso- or institutional dimension, consisting of the relations among economic organizations, such as public sector entities, private sector entities, private individuals and those outside the organizations; and
➤ the micro- or intraorganizational dimension, consisting of the economic actions and decisions of individuals within an organization.

Rossouw⁹ also uses the example of affirmative action in South Africa to demonstrate how these three dimensions may be interrelated. Affirmative action has become a strategic objective for government’s macroeconomic policy, as indicated by the passing of enabling legislation, such as the Employment Equity Act No. 55 of 1998 and the Skills Development Act No. 97 of 1998. A private institution may decide to participate in community upliftment programs in education or in support of AIDS sufferers and orphans in previously disadvantaged communities to demonstrate its commitment to corporate social responsibility. Within an organization, the implementation of affirmative action policies may give rise to conflicts in staff appointments and efforts to meet demographic quotas in staff recruitment policies.

8. Rossouw, D. 2002. Business Ethics in Africa. 2nd ed. Cape Town: Oxford University Press, Southern Africa.
9. Ibid., pp. 2–3.

Ethical Theories
Ethics are often confused with individual moral principles, but in fact go far beyond them. They are designed to address issues from both practical and idealistic standpoints, as a result of which the ideal may frequently be in conflict with the practical. Ethics have thus been described as being ‘above the law but below the ideal’.¹⁰ From the professional’s perspective, they become a way of life. Wheelwright¹¹ defined three key elements in defining the impact of ethics on decision making.
➤ Ethics involve questions requiring reflective choice.
➤ Ethics involve guidance as to what is right and wrong.
➤ Ethics are concerned with the consequences of decisions.

Over the years, different classes of ethical theory have evolved.
➤ The imperative principle requires strict compliance with the code of ethics. There are effectively no choices, since no exceptions are allowed. No ‘lesser of two evils’ is seen to exist. Many religions use this form of ethical judgment and it is a standard frequently applied by, for example, anti-abortionists, where the taking of life is seen to be wrong under any circumstances and where there can be no exceptions. This class of ethical theory can cause problems when two or more provisions appear to be at odds or where the ethical principle produces results out of proportion to the actual situation.
➤ The second class of ethics is that of the utilitarian school. This class seeks courses of action bringing the most good to the most people. This is the primary principle of social ethics in countries where the good of the majority is the measurement criterion, and individual unethical acts must be tolerated to bring about the ‘greater good’.
➤ A sub-set of this class is act utilitarianism, where acts must lead to the greatest good for the greatest number. It holds that if existing rules do not assist this process, they should be broken. This type of ethics is common in revolutionary societies and corporate politics.
➤ Rule utilitarianism advocates firm and publicly advocated moral rules to which all acts must conform. Once again, there can be no special cases. Many fundamentalist religions employ this class of ethical standard.
➤ Deontological ethics focuses on the consequences of acts. Within this class, actions commonly result from the concept of duty. Here, ethical principles are ‘independent of each person's conscience’.¹² This can be a dangerous ethical stance, since anything can be justified in the name of duty, and individual consciences may condone acts that could lead to societal disintegration. This ethical argument is common in repressive organizations where it is ‘acceptable’ to lie, cheat and steal as long as the organization benefits. Loyalty to the cause or organization subordinates an individual’s sense of ethical behavior. In this ethical system, consistency is a major requirement.
➤ Ethical theoreticians such as Plato, Aristotle and Adam Smith have espoused classical theories of business ethics. Under classical theory, business has no relationship to societal goals and social objectives.
➤ This philosophy has been modified over the years to show business as being bent on achieving egotistical goals by following established rules for the benefit of all. In this ethical system, business is seen to have distinct social responsibilities. This view is held by moralists who believe that business should have special (community) goals outside of its normal ones of survival and making profits. This gives rise to Kant’s view of business as a good citizen.

10. Kell, W.G. & Ziegler, R.E. 1980. Modern Auditing. Boston: Warren Gordon & Lamont. p. 769.
11. Wheelwright, P. 1959. A Critical Introduction to Ethics. 3rd ed. New York: Odyssey Press. p. 4.
12. Kant, I. 1923. Fundamental Principles of the Metaphysics of Morals. 9th ed. New York: Longmans/Green.

A Conceptual Framework
Business executives are faced on a daily basis with the challenges of making ethical decisions in complex competitive business environments with multiple goals and objectives; cultural contradictions; changing regulatory environments; and pressure for sustainability, accountability and transparency in their actions and decisions. Public scrutiny of an organization’s activities is heightened especially where environmental implications arise. Chryssides and Kaler¹³ introduce a useful means of classifying ethical decisions by management, which is set out in Figure 4.1.
➤ Whilst ideally management should aspire to make decisions that fall into Quadrant I: Ethical and Legal, many business decisions may in fact fall into Quadrants II, III or IV, giving rise to business risks arising from non-compliance or adverse public reaction, and at worst threatening the sustainability of the organization.
➤ Quadrant II: Ethical and Illegal covers many controversial decisions, e.g. the distribution of AIDS drugs prior to government approval, or whistleblowing where the complexity of the legal requirements or company rules may find the ethical whistleblower being prosecuted, rather than bringing the real defaulters to book.
➤ Quadrant III: Unethical and Legal would have included accepting apartheid practices that were legal but unethical. Issues also arise around excessive payments to management. Business may frequently opt for the ‘legal’ option without properly considering the underlying ethical issues.
➤ Quadrant IV: Unethical and Illegal includes discrimination against handicapped people, the illegal disposal of toxic waste and operating in unsafe conditions.

Given the dynamic and constantly changing regulatory environment in which business operates on a global basis, decisions made by management could affect any and all of these quadrants. An internal auditor’s function may include auditing compliance with organizational values and regulatory requirements or assessing the effectiveness of processes to accommodate ethical values. It may also include identifying and assessing fraud arising from management decisions falling into Quadrant IV.

13. Chryssides, G. & Kaler, J. 2002. An Introduction to Business Ethics. London: Thomson Learning. p. 56.


Figure 4.1: The classification of ethical decisions. Corporate decisions are plotted on two axes, Ethical/Unethical and Legal/Illegal, giving four quadrants: Quadrant I: Ethical and Legal; Quadrant II: Ethical and Illegal; Quadrant III: Unethical and Legal; Quadrant IV: Unethical and Illegal. Other labels in the figure: Corporate Decisions; Codification – Decisions; Manifestation; Public Scrutiny.

Employee Ethics
Employees themselves have specific ethical obligations to comply with, including those discussed below.
➤ The Duty of Obedience: This is seen as a duty to obey all reasonable directions but involves no obligation to perform illegal or unethical acts.
➤ The Duty of Loyalty: Here, acts should be performed only in the interests of employers. While certain organizations may try to exploit this duty by insisting that it applies 24 hours a day, it is generally taken to apply only when the person is acting as an employee.
➤ The Duty of Confidentiality: This duty aims at ensuring that information acquired as a result of an organization’s operations is not used to further the interests of either the employee or any other person or organization. While this duty covers such concerns as insider trading and the use of information obtained in the course of the employer’s business, it does not apply if the information is general knowledge or freely available.


Codes of Conduct
One of the common controls in this area is the implementation of a corporate code of conduct. Such codes are directive controls and do not, in themselves, enforce ‘ethical’ behavior. Where they are combined with detective controls designed to identify breaches of the code and corrective controls designed to take effective action where such breaches are identified, they may serve as a means of expelling non-conforming members of a population. Codes of conduct should be in place for all companies (as recommended in 1987 by the Treadway Commission and confirmed by King II¹⁴) and should be enforced. They help to set an ethical tone at the top of the organization and must apply to all levels from the top down. They open channels of communication between management and employees and help prevent, for example, fraudulent reporting. Codes of conduct may take two forms, namely:
➤ a positive statement of honest intentions (all-embracing but impossible to control); or
➤ a list of improper behavior (easier to audit but difficult to keep comprehensive).

The most effective codes contain a combination of positive generalizations and specific prohibitions. They include the basic rules of acceptable and unacceptable behavior, and cover corporate positions and rules concerning:
➤ the acceptance of gifts;
➤ confidentiality;
➤ conflicts of interest; and
➤ standards of corporate practice.

Gifts
Corporate positions on gifts to employees are generally determined by the degree to which employees will be influenced, or will be assumed to be influenced, by such gifts. Most companies have strict prohibitions on the receiving of gifts as such. Loans to corporate officers are assumed to have bought influence, and entertainment accepted on a lavish scale is also usually considered to be inappropriate. Certain low-value gifts may be acceptable to the organization and these would typically include normal business lunches, gifts of nominal value and normal promotional gifts. A common measurement criterion for the value of gifts is whether the gift was freely available or whether it was given only to selected people because of their positions. The fundamental test applied is normally: Will employee actions or decisions be affected by receipt of the gift?

Confidentiality
All information obtained in the course of employment is considered to be confidential. This means such information may not be privately used for the employee's or for another's gain. Even without such gain, it must not be used to the company's detriment. This includes divulging it to outsiders without authority.

Conflicts of Interest
In order to prevent conflicts of interest, employees must have no direct interest in suppliers, customers or competitors. Also, there must be no indirect interest in organizations dealing with the company, or in organizations where a relative has an interest. No holding of public office should exist where a conflict of interest may exist or be deemed to exist. For example, public sector entities have stringent regulations laid down in the Public Finance Management Act and regulations to prevent abuses of authority in tender practices and the awarding of contracts to related parties. Instances of these are often reported in the media, e.g. infringements of tender processes at hospitals in Mpumalanga, where contracts for the supply of expensive medical equipment were awarded to close family members of senior hospital administrators.

14. Treadway, J.C. Jr et al. 1987. Report of the National Commission on Fraudulent Financial Reporting. New York: National Commission on Fraudulent Financial Reporting; and Institute of Directors (IOD). 2002. The King Report on Corporate Governance for South Africa. Johannesburg: IOD.

Corporate Ethical Practices

Sound corporate governance practices call for corporate ethics to be spelled out in codes of ethics to deal with any failure by management and employees to comply with laws and regulations affecting an organization. Such a code may include a list of unacceptable practices and the penalties for, among other things, non-compliance with the Companies Act, the Banks Act, the Insurance Act and other statutes; exchange control violations; corporate bribery; and corruption in contravention of the Prevention of Corruption Act. General business ethics codes may require, among other things, that all products sold should meet safety standards, all guarantees should be met, all untrue or misleading advertising should be prohibited and all labor laws should be complied with. For a code of ethics to be accepted and effectively implemented, it should be drawn up in consultation with all key stakeholders. Employees should not:
➤ divert business opportunities from the company;
➤ manipulate corporate incentive schemes to their benefit;
➤ publicly denigrate the company, its services or products;
➤ use corporate assets in an unauthorized or illegal way; or
➤ make false or deceptive statements about corporate affairs to the company’s detriment.
Ultimately, ethical standards are set by example and stem from the top of the organization. Good or bad, they devolve all the way down and affect all employees. They may be blocked at any level by the active or passive actions of management.

The Free Market and the Marxist Critique of the Free Market System

A Free Market is a term used to describe a political or ideological perspective on policy rather than an economic description. It may be defined as a market economy based primarily on supply and demand and one in which government exercises little or no control. In its purest form, a completely free market would be one in which buyers and sellers can voluntarily agree to trade freely based upon mutual agreements on price, with no state intervention in the form of regulations, taxes or subsidies. Trade is entered into without coercion, and pricing structures are taken to be the results of buying and selling decisions governed by the effects of supply and demand. Demand is taken to be the pressure placed upon the market by those attempting to buy specific goods, labor and services. Within this, sellers will set a minimum price at which they are prepared to deliver goods, labor and services, while buyers will have a maximum price which they are prepared to pay for such goods, labor and services. The point at which these two intersect is known as the equilibrium price, which is taken to be the point at which both buyers and sellers are satisfied as to the acceptability of the trade. In such a market, buyers and sellers are free to participate in the market, and to enter or leave it at their discretion. Each exchange would take the form of a voluntary agreement between two parties to trade in goods or services. No restrictions would exist to prevent new competitors from entering a market, and no controls would exist other than the enforcement of private contracts and such controls as are necessary to regulate the ownership of property. In common parlance, this term is used to imply that the overall means of production is under private control rather than state control. In practice, the completely free market is impractical and probably impossible. In most countries pressures, both social and political, mean that governments will intervene in a variety of ways, such as the erection of price controls, the subsidy of production, the introduction of minimum wages and other such interventions. Regulated or controlled markets are those in which governments intervene to actively regulate prices as well as supplies, in either an indirect or a direct manner.

If this intervention is substantial, the market may be classed as a mixed economy. Should this intervention take the form of direct control in order to achieve specific goals, the market is generally classed as a command economy. In looking at the development of global economies, regard must be given to the critique of capitalism by Karl Marx.15 Based upon his fundamental belief that capitalism was morally exploitative, Marx was highly critical of the economic philosophies and assumptions of his day, such as those espoused by Adam Smith,16 which saw the acquisition of private property as the driver motivating people to produce wealth. One of the underlying fundamentals of capitalism is the concept of private property, which was seen by Marx to be primarily sustained by the power of the state. This, according to Marx, resulted in one person’s ownership of an object denying its benefits to another, thus creating conflict over resources. When this concept is applied to labor, the logical conclusion is that labor is reduced to a mere commodity and becomes alienated from those who own the results of such labor. This concept of alienated labor was fundamental to his understanding of the history and impact of the class struggle. This he defined as the division between the bourgeoisie, who owned the means of production, and the proletariat who, as laborers, had to sell themselves as a commodity. Under such a system, Marx believed, irreconcilable conflict could be the only result, since labor was the only real source of wealth and all capital assets were simply the result of stored labor. In recent years, Marx’s belief in the labor theory of value has come into conflict with the concept of automated labor. His argument that only humans can add value to raw materials conflicts with today’s understanding that automated processes with minimal human intervention can be an effective way to improve the lot of the population as a whole, and that labor without direction can be totally ineffective. In addition, the emergence of trade unions in the twentieth century as a significant party in economic and political negotiations has changed the nature of capitalist society. In many countries the class antagonism described by Marx is regarded as having largely been replaced by neo-liberalism.

15. Schumpeter, Joseph. 1952. Ten Great Economists: From Marx to Keynes. Taylor and Francis Group, Unwin University Books, Edition 4, Vol 26.
16. Smith, Adam. An Inquiry into the Nature and Causes of the Wealth of Nations. Project Gutenberg ebook. http://www.gutenberg.org/files/3300/3300-h/3300-h.htm

Corporate Morality

Generally, corporate morality is taken to mean conformance to a recognized system of rules or code regarding right and wrong and the degree of acceptable behavior. Morality itself derives from the Latin word mores, meaning habits. In sociology, the term refers to norms which are generally acceptable within a given society and are held to have moral significance. Business morality may then be seen as deriving from the ethical and moral standards of the individual in the context of the political and cultural environment encompassing the organization itself. Johnson, Scholes and Whittington, in their book Exploring Corporate Strategy,17 indicate that the organizational purposes of a given entity are detailed within the corporate values, mission and objectives. These, in turn, are derived with input from the corporate governance beliefs, the business ethics in place, the stakeholders served and the cultural context within which purposes are prioritized. They also draw attention to issues affecting corporate morality such as:
➤ the moralities of marketing and markets;
➤ moral issues within employment practices;
➤ respect for human rights;
➤ moral issues regarding the environment;
➤ product safety;
➤ fairness of dealing with suppliers and customers; and
➤ corporate support for communities.
This, then, leads corporate morality in the direction of corporate social responsibility, where, from a non-altruistic perspective, commercial success may be seen to depend upon showing the highest levels of good citizenship in the organization’s behavior within the community, effectively migrating the organization from merely its legal responsibilities, through its ethical responsibilities, into its voluntary responsibilities. Corporate social responsibility invokes moral, ethical and philanthropic responsibilities for organizations over and above their traditional responsibilities of complying with the law while achieving a fair return on investment for shareholders.

17. Johnson, G., Scholes, K. & Whittington, R. 2008. Exploring Corporate Strategy. 8th ed. New Jersey: Prentice Hall.

Ethical Management

In the traditional ‘classical’ economic model espoused by Adam Smith in the eighteenth century, it was suggested that society’s needs could be met by individuals acting in a self-interested manner. This meant delivering goods and services to meet the needs of others in a manner which would earn them profits. Even at that stage it was recognized that marketplace participants must act honestly and fairly towards each other in order to achieve a free market. In the twentieth century, regulations were enacted in many countries to rein in the power of large corporations, while the labor movement sought greater social responsibility from corporate bodies. This is not to say that such concepts were universally accepted. Many economists believed that it was neither economically feasible nor desirable for corporations to take on social and moral issues. It was believed that assuming social responsibilities could place those corporations doing so at a competitive disadvantage compared to those who did not undertake such responsibilities. In some cases it is still believed that, lacking the knowledge and skills required to deal with social issues, involvement at the corporate level may exacerbate the problems found. This view is contradicted by those who believe that appropriate social involvement can assist an organization to create an improved future operating environment with long-term benefits to profitability. A variation on the social involvement view is held by those advocating stakeholder management as a corporate ethical position. Under this concept, taking into consideration the legitimate interests and concerns of its own stakeholders can assist the organization to enhance the ethics of its decision-making process. In this context, stakeholder management goes beyond the conventional definition of stakeholders as owners, employees, customers, suppliers and government agencies to include all groups or individuals who are impacted by, or can themselves influence, the products and processes of the organization.

Resolving Ethical Conflicts

In the conduct of business it is inevitable that ethical dilemmas will arise as a result of conflicting values among various stakeholders. These dilemmas will have to be faced and resolved. There is often no way of telling which values are correct or incorrect, because different people have different values. This may often lead to violence that does nothing to resolve the different points of view, eg ongoing taxi violence to secure competitive advantage in taxi routes or violence between competing political parties in hotly contested areas. Consequently, business needs a strategy for resolving ethical dilemmas and making ethical decisions. Rossouw18 proposes the rational interaction for moral sensitivity (RIMS) strategy for this purpose. He suggests that when a moral dispute arises between two or more parties, there are three basic options open to the parties:
➤ ‘Irrational methods such as violence or throwing a dice to determine which rival opinion should be chosen.
➤ Suspension of the dispute by declaring it in principle impossible to attempt to find a solution – and then going on strike.
➤ Interaction between the rival parties with the aim of finding a solution.’
The first two options are not realistic, as they do not result in a solution acceptable to the parties. Whereas the ethics theories presented earlier in this chapter generally focused on content (ie rights and wrongs), the purpose of the group decision-making RIMS strategy is to structure a process that will result in morally sensitive group discussions. RIMS is concerned with the structural features of the discussion, to reach a situation where all participants in the discourse are equal and all forms of force or coercion are removed. Rossouw advocates four basic rules:
➤ ‘The only evidence that participants may introduce into the discourse is empirical experience which is objectively accessible.
➤ The process of communicative interaction is driven only by the force of the strongest rational argument.
➤ Only those experiences, arguments and norms that can attain consensual agreement are regarded as knowledge.
➤ Any knowledge formulated in this way is always open to future revision.’19
The six assumptions underlying the RIMS strategy20 are as follows:
➤ Moral dissensus21 is a given.
➤ Moral dissensus does not equal ethical relativism.
➤ Dialogue can produce solutions and participants commit themselves to finding a solution.
➤ Focusing on motives is futile and should not dominate.
➤ Good information is essential and there is no factually incorrect information.
➤ Only moral arguments that display a concern and respect for the interests of all parties are allowed.
The RIMS strategy requires participation by stakeholders and the exercise of tolerance by all parties. Thereafter, Rossouw suggests there are three basic steps to the RIMS process:
➤ ‘Step one: Generate and evaluate the arguments that satisfy the following three criteria: The argument should take into consideration the interests of others, as well as your own; it should be clear and intelligible; the facts should be correct and logically coherent.
➤ Step two: Identify the implications – namely the positive and negative implications of the various arguments, rather than participants’ motives or moral convictions.
➤ Step three: Find solutions in a co-operative manner that will keep negative implications to a minimum while retaining the positive aspects.’22

18. Rossouw, 2002:69–79.
19. Ibid., p. 73.
20. Ibid., pp. 74–6.
21. ‘Modernity, in an attempt to find secular and rational grounding for morality, has produced any number of varying moral theories, all of which are rationally justifiable and defensible. This has resulted in the current condition of dissensus, where no competing moral theory can succeed in gaining superiority over another. All need to be taken seriously or all need to be rejected. The first option forms the first assumption of the RIMS strategy’ (Rossouw, 2002:74).
22. Ibid., p. 77.

The Role of Ethics in Distinguishing a Profession

The hallmark of a profession is that its members are bound by a code of ethics that requires adherence to a generally accepted body of standards in an ethical manner. Also, members are subject to disciplinary action by their professional body for conduct unbecoming of a member of that body. This principle is clearly recognized in the introduction to the IIA’s Code of Ethics (see Appendix A), which states the following:
‘A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about risk management, control, and governance. The Institute's Code of Ethics extends beyond the definition of internal auditing to include two essential components:
1. Principles that are relevant to the profession and practice of internal auditing;
2. Rules of Conduct that describe behavior norms expected of internal auditors. These rules are an aid to interpreting the Principles into practical applications and are intended to guide the ethical conduct of internal auditors.’

The IIA’s Code of Ethics, its Professional Practices Framework and other relevant IIA pronouncements provide guidance to internal auditors serving others. ‘Internal auditors’ are:
➤ IIA members;
➤ recipients of, or candidates for, IIA professional certifications; and
➤ those who provide internal auditing services within the definition of internal auditing, including both individuals and entities that provide internal auditing services.
It is generally held that a body of ethics is a hallmark of a profession. A profession is characterized by most of the following:
➤ a common body of knowledge;
➤ a body of standards containing the technical requirements and methodology of the profession;
➤ a code of ethics;
➤ acceptance by society;
➤ service to society; and
➤ the imposition by itself or by society of sanctions when its ethics or standards are not met.
One of the key requirements to establish credibility for members of a profession is the existence of a code of ethics. Enforcement of the code must be seen to be objective, timely and noticeable. Most professional bodies’ codes of ethics require compliance with the standards of performance of that profession. The visibility of enforcement is essential for the gaining and maintaining of public confidence in the profession. However, the public is normally not in a position to evaluate the proficiency of the practitioner. The IIA’s Code of Ethics contains the following principles and related rules of conduct, which internal auditors are expected to apply and uphold.

Integrity

The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.

Objectivity

Internal auditors should exhibit the highest level of professional objectivity in gathering, evaluating and communicating information about the activity or process they are examining. Internal auditors should make a balanced assessment of all the relevant circumstances and should not be unduly influenced by their own interests or by others in forming judgments.

Confidentiality

Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority, unless there is a legal or professional obligation to do so.

Competence

Internal auditors competently apply the knowledge, skills and experience needed in the performance of internal auditing services.

Independence and Objectivity

Following the recent collapse of organizations such as Enron and WorldCom in the US and Parmalat in Europe, the issue of the independence of both external and internal auditors has come under close scrutiny, with concerns that due professional care may be compromised where independence and objectivity are impaired. The promulgation of the Sarbanes-Oxley Act in the US precludes external auditors from providing internal audit services to external audit clients where these are US corporations that are Securities and Exchange Commission (SEC) registrants listed on the New York Stock Exchange and NASDAQ. This includes their subsidiaries and associated entities, wherever in the world they may be registered. The role of the audit committee for listed companies has become more critical in managing the threats to auditor independence for both internal and external auditors. Currently the IIA Code of Ethics recognizes the principles of integrity and objectivity as indicated above. The IIA Standards recognize the importance of internal auditors maintaining their independence and objectivity when performing internal audit activities, whether employed in the organization, or providing consulting services or management assurance services as outsourced services by a professional practice. Consequently, the more detailed implementation guidance and interpretation contained in the Practice Advisories is extremely important for internal auditors to understand and implement, albeit that compliance is not obligatory. In practice, procedures to ensure the independence and objectivity of internal auditors and their functions in larger organizations are probably running ahead of the requirements presently contained in the IIA Standards and Practice Advisories, due to public demands and developments in the corporate governance responsibility and accountability of management. This issue is less applicable to small businesses managed by their owners.
Table 4.1 sets out the various IIA standards regarding independence and objectivity and the related implementation guidance in the Practice Advisories.

Table 4.1: IIA Standards and related advisories regarding independence and objectivity

IIA Standard | IIA Related Practice Advisory (PA) | Standard requirement
1100: Independence and Objectivity | PA 1100-1: Independence and Objectivity | The internal audit activity should be independent, and internal auditors should be objective in performing their work.
1110: Organizational Independence | PA 1110-1: Organizational Independence | The chief audit executive should report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.
1110.A1 | PA 1110.A1-1: Disclosing Reasons for Information Requests | The internal audit activity should be free from interference in determining the scope of internal auditing, performing work, and communicating results.
1120: Individual Objectivity | PA 1120-1: Individual Objectivity | Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest.
1130: Impairments to Independence or Objectivity | PA 1130-1: Impairments to Independence or Objectivity | If independence or objectivity is impaired in fact or appearance, the details of the impairment should be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.
1130.A1 | PA 1130.A1-1: Assessing Operations for which Internal Auditors were Previously Responsible | Internal auditors should refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an auditor provides assurance services for an activity for which he/she had responsibility within the previous year.
1130.A2 | PA 1130.A1-2: Internal Audit Responsibility for Other (Non-audit) Functions | Assurance engagements for functions over which the chief audit executive has responsibility should be overseen by a party outside the internal audit activity.
1130.C1 | None | Internal auditors may provide consulting services relating to operations for which they previously had responsibilities.
1130.C2 | None | If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure should be made to the engagement client prior to accepting the engagement.

Chapter 5: The Performance Objectives of Organizations

Learning objectives

After studying this chapter, you should be able to:
➤ Outline briefly the types of organizations to be found in the public and private sectors
➤ Explain the impact of performance objectives on the desired risk position of the organization
➤ Differentiate between effectiveness, efficiency and economy in achieving performance objectives
➤ Explain the role of performance objectives in designing appropriate controls

The Nature of Business Organizations

Organizations have various characteristics in common. They:
➤ provide services;
➤ perform activities;
➤ acquire and use resources;
➤ are objective driven;
➤ use collective effort;
➤ function on an ongoing basis; and
➤ are formally constituted.
Organizations satisfy a variety of needs, including, but not limited to, profit making (usually for the benefit of the owners). Non-profit-making organizations also exist and are designed to benefit the constituencies they serve. Most organizations are geared to satisfy internal needs only. In South Africa, business organizations may take several forms, which are briefly discussed below.

Sole Proprietor

In this form of business operation, a single person wholly owns the business and it operates to meet the needs of that person.

Partnership

This consists of two or more partners who agree to be jointly and severally liable for the business affairs of the other partners. This form is generally restricted in the number of partners, with the notable exception of external audit firms.

Close Corporation (CC)

This uniquely South African form of business operates in the space between the less formal nature of a partnership and the more formal nature of a company. The regulatory requirements applicable to close corporations are contained in the Close Corporations Act of 1984. The members of a CC may consist of from one to ten ‘natural persons’, ie a company or a trust cannot be a member of a CC. A CC may, however, be a member of a company and may even be the sole shareholder. Annual financial statements are to be prepared and must be reported on by the CC’s accounting officer, although an external audit is not required. The CC is owned and operated by members and not directors. Ownership is referred to as the member’s interest and is expressed as a percentage pro rata of the capital contributed. Following any distribution of profits or any other repayments to members, the Close Corporations Act requires the CC to meet the solvency requirements, ie that the CC is still able to pay outside creditors in the ordinary course of business immediately thereafter. If not, the members may be held personally, jointly and severally liable for the debts of the CC, and may be required to repay any excess distribution received. In 2008, amendments to the Companies Act required the calculation of a ‘public interest’ score in order to determine whether a close corporation was required to be audited. In addition, the 2008 amendment prohibited the registration of any new close corporations after the 1st of May 2011. This cut-off was subsequently amended to the 22nd of December 2011. Close corporations can be converted to companies, but companies can no longer be converted to close corporations. Existing close corporations continue to be administered under the Close Corporations Act.

Private Company

In this formal organization, shares in a private company (designated by (Pty) Ltd) are issued and ownership rests with the shareholders in proportion to the equity they hold. Directors are appointed at general meetings by the shareholders, in accordance with the articles of association of the company. Audited annual financial statements are required by law to be presented to the shareholders at the annual general meeting. Private companies, by their articles of association, restrict the right to transfer their shares, which consequently may not be traded publicly on a securities exchange. There is a maximum of 50 shareholders and a minimum of one.

Incorporated Company

An incorporated company (designated by Inc.) is a form of private company that is used by professionals such as accountants, engineers and architects to practice as a legal entity. In terms of the Companies Act, the members must all be directors and hold the relevant professional qualification, eg a registered auditor (RA), and will continue to bear professional liability for the personal negligent performance of members of the company.

Public Company

Companies are incorporated under the Companies Act of 1973 and must have a minimum of seven shareholders, with no maximum. Public companies have shares that may be owned by the general public. Where the company is listed, for example on the Johannesburg Securities Exchange (JSE), its shares are traded openly on the stock exchange. Subscriptions may be invited from the public by means of a prospectus, and different classes of shares may be issued.

Section 21 Company

Companies registered under section 21 of the Companies Act are not-for-profit organizations. That is not to say that they do not trade at a profit, but the business intention is not specifically to make profits, and tax is not payable. A Section 21 company may not distribute profits to its members, but uses profits for the purpose for which the entity was formed. The Institute of Internal Auditors (SA) is a Section 21 company, as are many welfare organizations and NPOs (Non Profit Organizations) providing donor funding to projects.

Public Entities

In addition to these various forms of private sector organizations, there are also public sector utilities, parastatals and public entities. Public entities include government organizations such as the Financial Services Board, the Department of Trade and Industry, and municipalities, which are all governed by the Public Finance Management Act. Public entities are audited by the auditor-general and are all required by the Act to establish an audit committee and an internal audit function. Other parastatals such as Eskom, Telkom, Transnet, the SA Airports Company and Iscor are examples of large public entities providing strategic and infrastructure services to South Africa and other countries.

Strategic Planning and Organizational Performance A strategic plan is composed of: ➤ a mission statement; ➤ quantifiable goals related to the organization's overall mission; and ➤ strategic interventions necessary to accomplish each goal. The mission statement describes the fundamental reason that the organization or function exists. The goals specify which results will further that mission, and strategic interventions define the specific steps that must be taken to achieve these results. Strategic planning is a dynamic process that may be revisited at intervals on an annual or biannual basis. Organizational performance is about how well the activities are performed and involves both achievement of objectives and consumption of resources, such as the five Ms: ➤ manpower; ➤ money; ➤ materials; 39

Internal_Auditing.indb 39

16/04/2015 11:12

INTERNAL AUDITING: AN INTEGRATED APPROACH

➤ machines; and
➤ methodologies.
The cost of resources can be another major standard of performance. Standards of performance, generally, are written statements describing how well a job should be performed. Performance standards should be developed in collaboration with employees whenever possible in order to ensure their commitment to the process. Performance standards provide benchmarks against which work performance may be evaluated. They define how well each function or task must be performed in order to meet or exceed expectations. When performance standards are in place, both management and employees know the expectations for the quality of performance of essential tasks. This common understanding provides the basis for ongoing measurement by both management and the internal audit department. Where no performance standards exist, an internal auditor may be requested by management to help develop them.
➤ One method is the directive approach, in which an internal auditor develops the standards in consultation with management. The standards are then shared with the employees affected for their feedback and to deal with any problems they may have.
➤ Another technique involves a collaborative approach, in which employees work with the auditor and management to develop the performance standards for their positions.
While a directive approach is a perfectly legitimate option, a collaborative approach can generate support for the process that may be critical for the successful functioning of the measurement criteria that are set.

Performance Objectives
Operational auditors must have standards against which current operations can be compared and evaluated. For financial auditing, the criteria for evaluating the presentation of financial statements are generally accepted accounting principles. But it is management's responsibility to develop and use appropriate standards to evaluate operating activities. Operational auditors will usually start with criteria that have been established by management (performance standards) or by some oversight board or agency. In the absence of standards, operational auditors will have to borrow from other sources or develop some type of criteria against which to compare performance. This is often a difficult task, and auditors should get management's reaction to the suitability of any criteria developed in this way. Reasonable criteria for evaluating performance are absolutely essential for successful operational auditing, because no evaluation of operations is possible without a standard for comparison. While subjectivity cannot be completely avoided, objective criteria that are considered appropriate and reasonable by both the internal auditors and auditees are necessary for the process to be successful.


THE PERFORMANCE OBJECTIVES OF ORGANIZATIONS

Performance Measurement
Performance measurement is a philosophy in which feedback is used to make ongoing adjustments to the way in which an organization goes about achieving its vision. For example, information from financial reports, client satisfaction feedback, and feedback from programs and services may help the organization assess its effectiveness in a variety of ways. Using this feedback, the organization can continue to provide excellent programs and services in response to changes in both the internal and external environments. The process starts with the setting of business objectives and the development of strategies and plans to achieve these objectives. This is followed by the development of appropriate performance measures to assess progress towards the objectives. Performance measurement systems provide the feedback information required to assess whether executive management strategies have been effectively converted into operational decisions. Performance measurement is a balanced, methodical attempt to assess an organization’s effectiveness in various terms – financial, client satisfaction, internal business and innovation/learning.

Public Sector Performance Measurement
Performance measurement can be more difficult in the public sector than it is in the private sector, since it works best when there is clarity about what is being measured and why. In the private sector, the ‘bottom line’ that managers aim for is clear: private companies try to make a profit and create wealth for their owners. There are well-recognized methods of measuring whether a private enterprise is achieving these objectives. Indicators such as profits, revenue, share price, market share, etc., form the normal criteria. Performance measurement in the public sector is an entirely different matter, since governments are generally supposed to aim at improving people’s lives. This occurs in ways that often cannot easily be measured in rands and cents, and there is often confusion over what the ‘bottom line’ actually is. This confusion causes disagreement over what constitutes ‘results’ and ‘performance’, resulting in disagreement over the choice of appropriate performance measures.

The Balanced Scorecard and Performance Measurement
The ‘balanced scorecard’ approach to measuring organizational performance was developed by Robert S. Kaplan and David P. Norton at Harvard Business School. This approach augments the traditional focus on financial measures in the public service by adding client satisfaction, internal business processes, and innovation and learning. The mechanics of performance measurement are complex, and the development and deployment of the process may be painful. Usually many measures will be evaluated before a key set emerges. Many choices will involve industry best practices measures so that a competitive benchmark can be established. The most apparent change introduced by the balanced scorecard methodology was the integration of other dimensions than the financial one in the overall performance picture, hence the ‘balanced’ view of organizational achievements. These dimensions are briefly discussed below.

Internal_Auditing.indb 41

16/04/2015 11:12

INTERNAL AUDITING: AN INTEGRATED APPROACH

Financial measures
This component traditionally deals with the measurement of the financial performance of programs and services. The financial impact of programs and services in the public service is normally measured through indicators such as actual versus budgeted revenue, actual versus budgeted expenditures, and achieving or exceeding revenue projections.

Client satisfaction
This measures how effectively an organization's products and services satisfy client needs. Examples of client satisfaction performance indicators in the public service include the degree of service availability, prompt response to service requests, on-time service delivery or ease of access to service providers.

Internal business processes
This component of the balanced scorecard relates to the quality of internal business processes used to provide programs and services that satisfy client needs. Internal business performance indicators for the public service could include the numbers of projects completed successfully, on time and on budget, the competitiveness of fees or the setting and meeting of targets.

Innovation and learning
This component measures the ability of an organization to keep innovating and growing through continually improving itself. This is achieved by its human resources, technology, programs and services. Innovation and learning performance indicators for the public service could include the degree of improvement in key operational business processes, the number of employee suggestions coming forward and implemented for program and service innovations and improvements, and the number of new products and services introduced each year.

This balanced scorecard framework for measuring organizational performance must be founded on a particular organization's mission and strategic objectives. It uses traditional financial measures to provide comparison to past performance and focuses on internal business processes and the level of client satisfaction to measure current operations. It also provides input on future requirements that may arise from changing technology, client needs or employee needs. When considering change, the most revolutionary aspect of the balanced scorecard is probably the way in which it manages causal relationships. Instead of merely reacting to bad performance, and so constantly running behind the facts, the balanced scorecard enables an organization to manage performance in a proactive way. Grouping together the ‘related’ indicators in the performance management system for every causal relationship that must be followed allows an organization to see just what the factors are that drive its performance. In order to achieve the effects it wants, the organization must check both the defined causal relationships and the impact of performance improvement actions on them.
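The four perspectives above can be worked through in code. The following Python is an added example, not code from the book or from Kaplan and Norton: for each perspective it derives one indicator named in this section from constructed sample records (budget figures, service request timestamps, project outcomes and suggestion counts are all hypothetical, as are the targets and the eight-hour service-level window), then lists the indicators that miss their target so that management can act on them.

```python
"""Balanced scorecard indicators computed from raw records.

Added illustration, not code from the book: each of the four perspectives
(financial, client satisfaction, internal business processes, innovation
and learning) is fed by an indicator the chapter names, derived here from
constructed sample data rather than stated as a bare figure.
"""
from datetime import datetime
from typing import NamedTuple


class Indicator(NamedTuple):
    perspective: str
    name: str
    value: float           # measured result, in the unit the name implies
    target: float          # threshold agreed with stakeholders (assumed values)
    higher_is_better: bool

    @property
    def met(self) -> bool:
        return self.value >= self.target if self.higher_is_better else self.value <= self.target


# --- constructed sample data (hypothetical, for illustration only) ---
BUDGET = {"revenue": (1_000_000, 940_000),      # (budgeted, actual)
          "expenditure": (800_000, 832_000)}
SERVICE_REQUESTS = [  # (opened, closed) as ISO timestamps
    ("2015-03-02T09:00", "2015-03-02T15:30"),
    ("2015-03-03T10:00", "2015-03-03T19:00"),
    ("2015-03-04T08:00", "2015-03-04T12:00"),
    ("2015-03-05T14:00", "2015-03-06T09:00"),
    ("2015-03-06T11:00", "2015-03-06T16:00"),
]
PROJECTS = [  # (name, finished on time, finished on budget)
    ("payroll upgrade", True, True),
    ("records archive", True, False),
    ("fleet renewal", False, True),
    ("web portal", True, True),
]
SUGGESTIONS = {"received": 40, "implemented": 12}


def variance_pct(budgeted: float, actual: float) -> float:
    """Actual versus budget, as a percentage of budget (negative = below budget)."""
    return round(100.0 * (actual - budgeted) / budgeted, 1)


def on_time_service_pct(requests, sla_hours: float) -> float:
    """Share of requests closed within the service-level window."""
    hours = [(datetime.fromisoformat(c) - datetime.fromisoformat(o)).total_seconds() / 3600
             for o, c in requests]
    return round(100.0 * sum(h <= sla_hours for h in hours) / len(hours), 1)


def project_success_pct(projects) -> float:
    """Share of projects completed both on time and on budget."""
    return round(100.0 * sum(t and b for _, t, b in projects) / len(projects), 1)


def adoption_pct(counts) -> float:
    """Share of employee suggestions actually implemented."""
    return round(100.0 * counts["implemented"] / counts["received"], 1)


def scorecard(sla_hours: float = 8.0) -> list:
    """One-page scorecard: every perspective carries at least one computed indicator."""
    return [
        Indicator("Financial", "revenue_variance_pct",
                  variance_pct(*BUDGET["revenue"]), -5.0, True),
        Indicator("Financial", "expenditure_variance_pct",
                  variance_pct(*BUDGET["expenditure"]), 5.0, False),
        Indicator("Client satisfaction", "on_time_service_pct",
                  on_time_service_pct(SERVICE_REQUESTS, sla_hours), 90.0, True),
        Indicator("Internal business processes", "project_success_pct",
                  project_success_pct(PROJECTS), 75.0, True),
        Indicator("Innovation and learning", "suggestion_adoption_pct",
                  adoption_pct(SUGGESTIONS), 25.0, True),
    ]


def unmet(indicators) -> list:
    """Names of indicators below target: the items management should act on."""
    return [i.name for i in indicators if not i.met]


if __name__ == "__main__":
    for ind in scorecard():
        status = "OK" if ind.met else "MISS"
        print(f"{ind.perspective:28} {ind.name:26} {ind.value:7.1f}  target {ind.target:6.1f}  {status}")
```

With the constructed figures, revenue is 6% under budget, three of five requests close within the window and two of four projects finish on time and on budget, so three indicators miss target while expenditure variance and suggestion adoption meet theirs. Replacing the inline constants with extracts from the accounting, service desk and project systems turns the same functions into a repeatable measurement routine.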


Applying the Balanced Scorecard
A balanced approach to performance measurement helps an organization to:
➤ assess, develop and implement improved information and practices;
➤ ensure that investment supports the organization’s business objectives and employees; and
➤ ensure that spending is focused on the most appropriate areas within the organization.
The development of a performance measurement framework requires a top-down approach. Business objectives must be established, then departmental goals, and then plans and strategies can be developed to support the business directions. Performance measures can then be designed for the business function. This approach to business performance measurement uses both qualitative and quantitative information and formal approaches to data gathering. The performance measures developed must be objective, quantifiable and output oriented. The unit of measurement of this approach to performance measurement is the whole of, or a part of, the business program. To apply this framework effectively, however, the same approach must also be applied to each major service area within the business program. As can be seen, the balanced scorecard approach must be tailored to fit each business environment. An organization should conduct an impact analysis to determine the level of its readiness to adopt such an approach to performance measurement and to determine the cultural, functional, technical and cost implications of adopting such a regime. Based on the results of the impact analysis, a pilot project may be started within one of the service lines. This involves:
➤ building consensus on the long-term objectives of the pilot organizational unit;
➤ developing performance measurement architecture to assess the performance of the organizational unit; and
➤ developing an implementation strategy to make the transition to a new performance measurement environment.
Developing a Balanced Scorecard
The balanced scorecard is a systematic, ongoing process aimed at aligning departmental performance and corporate strategy. This involves identifying clearly defined value drivers that major stakeholders agree are most vital to the superior performance of a specific unit. Ultimately, the goal is to reach consensus on between four and eight value drivers that will underpin successful unit programs. These value drivers can then be used to define the balanced scorecard's categories. The actions needed to support each of the value drivers must then be specified. Since most value drivers are difficult to measure directly, this step involves defining those actions that, if successfully accomplished, will result in the desired value. Categories and action steps must be reviewed with key stakeholders. Based on feedback from stakeholders, a balanced scorecard of between four and eight value drivers and the action steps needed to achieve them will be identified. The value drivers must then be reviewed with stakeholders to confirm that they accurately reflect their expectations. Once agreed on, a working set of value drivers and a concise, one-page scorecard can be created. A process for measuring what has been accomplished must be implemented in order to gauge how successfully the value-enhancing actions were completed. Each individual action step would need to have a complete set of success measures attached to it. To complete the process, a system for reporting results to key stakeholders must be established. Communicating the results is a critical step in the scorecard process. The balanced scorecard can then be fine-tuned to ensure that it accurately matches evolving company priorities. At the managerial level, management will become more effective if the company strategy includes measurable goals that the company is trying to achieve and when the measurement system encourages behavior that is good for the organization.

Improving Performance Measurement Systems
Improving performance measurement involves the development of integrated performance measurement systems. Integrated systems are built around a strategic theme, such as business strategy or value creation. They involve measuring those aspects of the corporate structure that relate the activities of people and processes in the organization to the outcomes the company is trying to achieve. Integrated systems use measurement criteria such as money, units, time, feelings and other expressions of actions and results. They are seen as discrete parts of a single, overall depiction of all aspects of company activity. The measures that represent the performance of a particular unit of the organization reflect:
➤ the unit's performance;
➤ the connections between the unit and other organizational units;
➤ the connection between the unit and the organization as a whole;
➤ the quality concerns of production;
➤ the customer-satisfaction focus of sales and marketing; and
➤ the monetary discipline of accounting.
Integrated performance measurement systems are a significant improvement over previous evaluation structures; however, they still do not eliminate some of the basic difficulties of performance measurement. Businesses are highly complex organizations that offer many more opportunities for measurement than management can effectively exploit. The difficulties inherent in reducing the number of measures to a significant few will always present a major challenge. In spite of these difficulties, the benefits of measurement integration far outweigh the costs. A more effective measurement system helps to align the activities of people in the organization and ensure that they work in a co-ordinated way to accomplish the organization’s goals. An integrated system helps avoid misunderstandings resulting from inconsistent data or inappropriate comparisons.
Also, it motivates individuals by demonstrating to everyone concerned that the measurement system will accurately and impartially measure the contributions they make and the extent of their success. Managers generally understand how effective measurement provides key support in the pursuit of corporate goals when they understand the consequences of performance results. They tend to support the concept of performance measurement, because their experience has shown that it helps to achieve corporate success. Managers who use performance measurement regularly understand the difficulties inherent in the process. Many measurement criteria imperfectly define the underlying idea. For example, return on assets is intended to reflect and measure the efficiency of the use of capital. In reality, assets are generally measured using the principles of accrual accounting and are thereby measured by historical cost. Most managers understand the shortcomings of measurement systems. They are fully aware that distortions may be introduced through cost and asset allocations. They recognize that there may be a temptation to measure the things that are easy to measure, and to avoid measures that are more difficult, with the distortions this creates.

Effectiveness, Efficiency and Economy

Effectiveness
The Canadian Institute of Chartered Accountants has defined effectiveness as ‘the extent to which a program achieves its goals or other intended effects’.23 Attributes of effectiveness include the following:
➤ Management direction measures the extent to which the objectives of an organization, its component programs, its lines of business and its employees are clear, well integrated and understood and appropriately reflected in the organization's plans, procedures, delegations of authority and decision-making processes.
➤ Relevance measures the extent to which a program or line of business continues to make sense with regard to the problems or conditions to which it is intended to respond.
➤ Appropriateness measures the extent to which the design of a program or its major components and the level of effort being made are logical, given the specific objectives to be achieved.
➤ Achievement of intended results refers to the extent to which goals and objectives have been realized.
➤ Acceptance defines the extent to which the constituencies of customers for whom a program or line of business is designed judge it to be satisfactory.
➤ Secondary impacts quantify the extent to which other significant consequences, either intended or unintended and either positive or negative, have an impact.
➤ Cost and productivity measure the relationships among costs, inputs and outputs.
➤ Responsiveness is a measure of an organization's ability to adapt to changes in such factors as markets, competition, available resources or technology.
➤ Financial results involve the matching of, and accounting for, revenues and costs and the accounting and valuation of assets, liabilities and equity.
➤ Working environment takes into consideration the extent to which the organization provides an appropriate work atmosphere for its employees; provides appropriate opportunities for development and achievement; and promotes commitment, initiative and safety.

23. Canadian Institute of Chartered Accountants. 1995. Guidance on Control. Toronto: Canadian Institute of Chartered Accountants.


➤ Monitoring and reporting quantify the extent to which key matters pertaining to performance and organizational strengths are identified, reported and carefully monitored.
➤ Protection of assets evaluates the extent to which important assets such as sources of supply, valuable property, key personnel, agreements and important records or information are safeguarded so that the organization is protected from the danger of losses that could threaten its success, credibility, continuity and perhaps its very existence.

Efficiency
This relates to the relationship between goods or services produced and the quantity of resources used to produce them. An efficient operation produces the maximum output for any given set of resource inputs. Alternatively, it has minimum inputs for any given level of goods or services produced.

Economy
This refers to the terms and conditions under which resources are acquired. An economical operation procures an appropriate quantity of resources of an appropriate quality at the lowest overall cost and at the right time.

The Role of Performance Objectives
Management control is meant to ensure that an organization is working towards its stated performance objectives. Performance objectives and goals are the statement of corporate intent, while management objectives define how the corporate objectives will be met. In line with these objectives, internal control ensures that the programs intended to achieve the performance objectives are properly planned and executed. Internal audit provides an independent assessment and ensures that management’s system of internal control will be effective and function as intended. Performance objectives direct the emphasis of day-to-day activities within the organization and may, in themselves, conflict. For example, the need for control may conflict with the need for timeliness, or efficiency objectives may conflict with effectiveness objectives. ‘As quickly as possible’ implies no controls, while ‘No rejects’ implies strict controls. The way in which management prioritizes performance objectives directs the development of controls. This will affect the overall system of controls designed and therefore the audit priorities. A final point is that performance objectives must take account of the cost of trying to achieve them.


CHAPTER 6

Risk Assessment

Learning objectives
After studying this chapter, you should be able to:
➤ Explain the importance of risk management and internal control
➤ Define and discuss the nature and sources of risk to an organization
➤ Explain the methods used by an internal auditor to establish and document the levels of inherent risk within an organization or a part of it
➤ Describe the role and limitations of internal controls in reducing risks to acceptable levels
➤ Explain how an internal auditor evaluates the adequacy of the system of internal controls
➤ Differentiate between the adequacy and the effectiveness of the control structures

Broad Concepts of Control and Risk
‘“Control” comprises all the elements of an organization (including its resources, systems, processes, culture, structure and tasks) that, taken together, support people in the achievement of the organization’s objectives. Control is “effective” to the extent that it provides reasonable assurance that the organization will achieve its objectives reliably. Leadership involves making choices in the face of uncertainty. “Risk” is the possibility that one or more individuals or organizations will experience adverse consequences from those choices. Risk is the mirror image of opportunity.’24

The Nature of Risk
All entities encounter risk, whatever their size, structure, nature or industry. In common with this, all business decisions involve elements of risk, including such elements as financing, product lines, and sources and methods of supply. Risk may be defined as the possibility of loss. All businesses, products and processes involve some degree of risk. Risk management involves assessing a product, process or business by:
➤ identifying the processes;
➤ identifying the types of risks associated with each process;
➤ identifying the controls associated with each process;
➤ evaluating the adequacy of the system of control in mitigating risk;
➤ determining the key controls associated with each process; and
➤ determining the effectiveness of the key controls.

24. Bradshaw, W. & Willis, A. 1998. Learning about Risk: Choices, Connections and Competencies. Toronto: Canadian Institute for Chartered Accountants.


There are three types of risk that are normally considered when using a risk-based audit approach. They are inherent risk, control risk and detection risk, which is also known as audit risk.

Inherent Risk
Inherent risk is the likelihood of a significant loss occurring before taking into account any risk-reducing factors. In evaluating inherent risk, an auditor must consider what the types and nature of risks are, as well as what factors indicate that a risk exists. To achieve this, he/she must be familiar with the environment in which the entity operates.

Control Risk
Control risk measures the likelihood that the control processes established to limit or manage inherent risk are ineffective. In order to ensure that internal audit evaluates the controls properly, an auditor must understand how to measure which controls are effective. This will involve identifying those controls that provide the most assurance that risks are being minimized within the business. Control effectiveness is strongly affected by the quality of work and control supervision. Controls in business operations provide the major defence against inherent risk. In general, an auditor may assume that stronger controls reduce the amount of risk; however, at some point, the cost of control may become prohibitive (in terms of both financial and staff resources, as well as customer satisfaction).

Audit Risk
Audit risk is the risk that audit coverage will not address significant business exposures. Pro forma audit programs can be developed in order to reduce audit risk. These provide guidance as to which key controls should exist to address the risk, and the recommended compliance and/or substantive test steps that should be performed. These programs should be used with care and modified to reflect the current business risk profile.

The Effect of Risk
In general, business risks can affect a business’s ability to successfully compete, its ability to maintain financial strength, its positive public image and ultimately its ability to survive. Risks will affect the overall quality of an organization’s products, people or services. But risks cannot be eliminated – only managed. Auditors have traditionally been tasked with gaining and confirming an understanding of the system of internal control set up by management as fundamental to evaluating its adequacy and effectiveness. Internal control has been presumed to be a response to business risk. In order to evaluate the effectiveness of risk control measures, an auditor must comprehensively understand the underlying business risks.


This has two prime components.
➤ A thorough understanding of the business process is needed to identify critical processes where less than optimum performance could have serious consequences.
➤ A risk model or risk framework is needed to describe and quantify the effects and likelihood of possible negative consequences.
Such an in-depth understanding of the business process implies a collaborative approach, since an internal auditor is rarely as knowledgeable about the process as the manager who routinely controls it. In the same way, the managers involved in a business process on a day-to-day basis will normally lack the independent perspective an internal auditor can bring to risk evaluation.
➤ A specific risk model uses a formula that models the total business risk in each of the organization’s processes. Many internal auditors use a risk model to help them plan their annual audit activities. These risk models, however, tend to be too narrowly focused to be applied to general business risks.
➤ A risk framework is a logical view of the common business risks faced by an organization. A framework is more generalized than specific models and more easily applied to a variety of organizations and industries. The COSO’s Internal Control: An Integrated Framework is an example of such a control framework (see Chapter 7).
In 1999, McNamee25 defined a framework composed of three major domains of business risk and a number of risk groups within each domain. He defined the three domains of business risk as follows.
➤ Ownership risks are the risks associated with acquiring, maintaining and disposing of assets (except human assets).
➤ Process risks are the risks associated with putting assets to work to achieve objectives.
➤ Behavioral risks are the risks associated with acquiring, maintaining and disposing of human assets.
Ownership Risks
McNamee went on to define ownership risks as including external threats, i.e. forces outside of the control of the organization that can affect the organization’s business processes and goals.
➤ Custodial risks are the risks associated with owning and safeguarding assets. Since human assets have different characteristics, they are covered under behavioral risks. Examples of custodial risks include obsolescence, damage in handling or storing the assets, and theft from storage.
➤ Hazards (shared with process risks) are the risks to assets associated with loss or damage through fire, natural or human-made disasters, and accidental loss.
➤ Opportunity costs (shared with behavioral risks) are the cost of making less-than-optimum decisions about asset acquisition and disposition. Examples include buying the wrong asset, paying too much, selling the asset too soon or too late, selling the asset too cheaply, and disposing of the wrong asset.

25. McNamee, D. 1999. Targeting Business Risk, available at http://www.mc2consulting.com


Process Risks
Process risks include the following.
➤ Hazards (shared with custodial risks) are the risks to processes associated with loss or impairment through fire, natural or human-made disasters, and accidental loss.
➤ Errors/omissions/delays are the risks to processes arising from random differences in human or machine activity in the process. Poor judgment in plans or operations, inappropriate or outdated control mechanisms, and machine malfunction are examples of these risks.
➤ Frauds are the risks to processes arising from intentional misrepresentation by suppliers, employees and customers. Examples of these risks include theft, bid rigging, bribery, kickback schemes and customer abuse.
➤ Productivity loss (shared with behavioral risks) includes the risks to the process arising from poor design of the process or its control system. Examples include scheduling conflicts, inappropriate work rules, missing controls, lack of monitoring control systems, underutilizing assets in the process, and goal conflicts.

Behavioral Risks
Behavioral risks include the following.
➤ Productivity loss (shared with process risks) includes the risks arising from poor management practices or poor worker commitment. Underutilizing human assets, poor leadership, favoritism, lack of work structure and discipline, inconsistent management decisions, and personal/work goal conflicts are examples of these risks.
➤ Dysfunctional workplaces include the risks to employees from a dysfunctional work environment and the risks to the organization from employees working in such an environment. Examples of these risks are gender/racial harassment, too much pressure to meet objectives (without compensating relief valves), employee theft and sabotage, workplace injuries, employee lawsuits and workplace violence.
➤ Opportunity costs (shared with ownership risks) are the costs of making less-than-optimum decisions about human asset (people, knowledge and skills) acquisition and disposition. Hiring the wrong people or skills, a poor compensation system, and letting the wrong people or skills leave the organization (through quitting, firing or outsourcing) are examples of such risks.

Entity-wide Risk Identification
Identifying and quantifying risks will largely depend on each entity’s objectives. It is an iterative process and must be carried out continuously. This is often done as part of the planning process and may be done on a ‘zero-base’ or as incremental to the last review. Risks can arise from internal or external factors and the factors themselves may be interrelated. Typical internal factors would include:
➤ the quality of personnel;
➤ training;
➤ motivation;
➤ integrity;

Internal_Auditing.indb 50

16/04/2015 11:12

RISK ASSESSMENT

➤ changes in management responsibilities;
➤ management’s task maturity;
➤ span of control;
➤ the degree of dependence on information systems and their stability;
➤ the accessibility of assets; and
➤ the effectiveness of the board and audit committee.

Typical external factors would include:
➤ competition;
➤ regulations:
◗ new,
◗ changes;
➤ political changes;
➤ economic changes:
◗ for better, or worse;
➤ technological developments; and
➤ natural catastrophes.

Techniques to Identify Risks
Risk identification techniques are usually developed by internal and external auditors and involve both quantitative and qualitative prioritization. Other practices include periodic review of economic and industry factors, senior management business-planning conferences and the use of industry analysts. The way in which risk is determined is not particularly important, as long as it is done. The factors that contribute to or increase risk must be identified. Each major business unit or function, such as sales, production, marketing, technology development, or research and development, normally identifies and ranks activity risks affecting the achievement of its objectives. Also, there may be many subsidiary risks in the stated or implied objective. It is understood that not every risk can be identified, but obvious risks must be considered.

Risk Analysis and Internal Auditing
Risk analysis involves estimating the significance of the risk and assessing the likelihood or frequency of the risk. Management and auditors must consider how the risk should be managed, what actions need to be taken and what controls need to be put in place. Should they be preventive procedures to reduce the significance or likelihood of the risk occurring, or displacement procedures to offset the impact if it does occur? Risks are normally evaluated before considering the mitigating effects of controls in order to establish inherent risk.

The Elements of Risk Analysis
Process analysis is the procedure that permits the identification of key dependencies and control nodes and looks at the processes within a business entity. It identifies cross-organizational dependencies, such as where business data originates, where it is stored, how it is converted to useful information and who uses the information. Quality control programs can positively affect these business processes.


INTERNAL AUDITING: AN INTEGRATED APPROACH

Costs and benefits must be evaluated. Of these, costs are normally easier to quantify. Theoretically, costs should be incurred until they exceed benefits, but in practice this is a management decision and cost-benefit analysis usually results in some part of the risk being managed and some part remaining. Given this and the fluctuating nature of risk, management should review the residual risk regularly, assessing the extent of the exposure. Risk analysis is a far from foolproof technique and has inherent limitations, such as poor judgment in decision-making or the unavailability of complete, accurate or timely data. People make wrong decisions or get tired and make mistakes. Collusion (two or more people acting together) can occur. Management override that bypasses the system of internal control may be possible. Meaningful risk analysis can substantially increase the probability of achieving objectives, since it alerts management to changes needed to control procedures and links activity objectives to action. Risk analysis focuses effort on control procedures and should become second nature. The process may be formal or informal; however, it is the results, not the degree of formality, that matter.

Risk Factors to Consider
Among the risk factors to consider are:
➤ the date and results of the last audit;
➤ the financial exposure and potential loss and risk;
➤ requests by management to look at particular areas;
➤ major changes in operations, programs, systems and controls;
➤ the opportunities to achieve operating benefits;
➤ the quality of the internal control framework;
➤ management’s competence;
➤ the complexity of transactions;
➤ the liquidity of assets;
➤ the ethical climate; and
➤ employee morale.
In assessing these factors, an auditor may choose to use objective assessment, which utilizes only quantitative attributes of auditable units, such as the value of throughputs, the value of assets under control, the number of personnel or the volume of transactions. Risk factors are not weighted. Using subjective assessment, each risk factor is weighted on a scale reflecting degrees of concern. It allows an auditor to express his/her (or management’s) feelings regarding the presence or possibility of risk.

Risk-based Auditing
Risk-based auditing involves an integrated approach, including the concepts of high-level risk analysis and the overall audit plan. The audit plan itself may be differentiated between:
➤ mandatory audit activities, ie those activities that must be carried out within the time span of the audit plan because of legal or regulatory requirements or to meet senior management requirements or external auditor liaison requirements; and




➤ discretionary audit activities, which use a small number of risk factors with associated factor weights.

Detailed risk analysis involves the design of the audit steps. High-level risk analysis is a broad-brush approach designed to arrive at an approximate evaluation of the risks a business entity faces. This can define how often audits should occur, but not necessarily their depth or focus areas. Mandatory audit activities will be given the greatest risk value to ensure that they are automatically selected, but be careful that senior management requirements are in fact requirements and not just nice-to-haves. Discretionary audit activities should be chosen by limiting the risk factors to the most important ten or fewer. These risk factors must apply to a variety of products and services. Common risk factors could include:
➤ exposure (size and sensitivity of assets);
➤ the quality of internal controls;
➤ audit experience;
➤ accounting data;
➤ regulatory requirements;
➤ the value of transactions processed;
➤ the confidentiality of information;
➤ the potential for adverse publicity;
➤ the sensitivity of asset types (convertibility);
➤ the degree of automation in processing;
➤ the condition of suspense accounts:
◗ size,
◗ movements;
➤ the time since the last audit;
➤ the significance of findings at that time;
➤ visibility and scope; and
➤ booking duration.

Visibility and scope
The scope of the entity would include the volume of transactions, the size of master files, and the types of input and processing, while visibility would include the number of users of services and the degree of interface with other audit units.

Assessing the Risk
To be effective, evaluation must be kept simple and involves obtaining a brief understanding of each system’s scope, coverage, volumes and values. Each characteristic is then scored, and summing the scores allows the systems to be ranked.
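The scoring just described can be carried out mechanically. The Python below is an added example for this section and not code from the book or the IIA: it scores each auditable unit on a small set of weighted risk factors (the subjective assessment), rejects a model with more than ten factors as recommended above, gives mandatory activities a risk value above any discretionary unit so they are selected automatically, and offers an unweighted variant for the objective assessment. The unit names, the choice of factors, the scores and the weights are constructed for illustration.

```python
"""Risk-based ranking of an audit universe.

Added example, not the book's own code. Each auditable unit is scored on a
few weighted risk factors, mandatory activities are forced to the top, and
the discretionary units are ranked by weighted score. All names, scores and
weights below are constructed for illustration.
"""
from dataclasses import dataclass, field

SCALE_MAX = 5  # factor scores run from 1 (little concern) to 5 (high concern)


@dataclass
class AuditableUnit:
    name: str
    mandatory: bool = False   # legal/regulatory, senior-management or external-audit liaison requirement
    scores: dict = field(default_factory=dict)  # risk factor -> score 1..SCALE_MAX


def weighted_score(unit, weights):
    """Sum of score x weight over the chosen factors.

    A factor the unit was not scored on contributes nothing, and a factor
    scored on the unit but absent from `weights` is ignored, so the model is
    confined to the factors deliberately chosen.
    """
    total = 0
    for factor, weight in weights.items():
        score = unit.scores.get(factor, 0)
        if not 0 <= score <= SCALE_MAX:
            raise ValueError(f"{unit.name}: score for {factor!r} outside 0..{SCALE_MAX}")
        total += score * weight
    return total


def rank_audit_universe(units, weights, max_factors=10):
    """Return [(unit name, risk value, mandatory), ...] highest priority first.

    - at most `max_factors` factors are allowed (the text recommends ten or fewer);
    - a mandatory activity receives a risk value one above the best score any
      discretionary unit could reach, so it is always selected;
    - ties are broken alphabetically so the ranking is stable.
    """
    if len(weights) > max_factors:
        raise ValueError(f"use at most {max_factors} risk factors, got {len(weights)}")
    ceiling = SCALE_MAX * sum(weights.values())
    ranked = []
    for unit in units:
        value = ceiling + 1 if unit.mandatory else weighted_score(unit, weights)
        ranked.append((unit.name, value, unit.mandatory))
    ranked.sort(key=lambda row: (-row[1], row[0]))
    return ranked


def objective_rank(units, factors):
    """Objective assessment: the same factors, none of them weighted."""
    return rank_audit_universe(units, {f: 1 for f in factors})


# Constructed sample: five of the common risk factors listed in the text,
# weighted to reflect degrees of concern (subjective assessment).
WEIGHTS = {
    "exposure": 3,
    "quality of internal controls": 3,
    "time since last audit": 2,
    "confidentiality of information": 2,
    "degree of automation": 1,
}

UNITS = [
    AuditableUnit("Treasury", scores={"exposure": 5, "quality of internal controls": 4,
                                      "time since last audit": 2, "confidentiality of information": 3,
                                      "degree of automation": 3}),
    AuditableUnit("Payroll", scores={"exposure": 4, "quality of internal controls": 2,
                                     "time since last audit": 3, "confidentiality of information": 5,
                                     "degree of automation": 4}),
    AuditableUnit("Staff canteen", scores={"exposure": 1, "quality of internal controls": 2,
                                           "time since last audit": 5, "confidentiality of information": 1,
                                           "degree of automation": 1}),
    AuditableUnit("Regulatory capital return", mandatory=True,
                  scores={"exposure": 3, "quality of internal controls": 3}),
]

if __name__ == "__main__":
    for name, value, mandatory in rank_audit_universe(UNITS, WEIGHTS):
        print(f"{value:3d}  {'M' if mandatory else ' '}  {name}")
```

With the sample weights Treasury outranks Payroll; with the unweighted objective assessment the order of those two reverses, which is the point of deciding deliberately whether factors are weighted and documenting why.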
IIA Standards on Risk Assessment
The IIA Standards recognize the important role played by internal audit in helping management to meet their risk management responsibilities effectively, as indicated by the guidance contained in IIA Practice Advisory 2100-3: The Internal Auditor’s Role in the Risk Management Process.


‘The definition of internal auditing calls for a disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Internal auditors have a key role to play in an organization’s risk management process in order to practise internal auditing in accordance with the Standards. This advisory seeks to provide internal auditors with guidance for determining their role in an organization’s risk management process and for complying with the Standards.’

The IIA recommends the use of seven factors, namely:
➤ the time and results of the last audit;
➤ financial exposure;
➤ potential loss and risk;
➤ requests by management;
➤ major changes in operations, programs, systems and controls;
➤ opportunities to achieve operating benefits; and
➤ changes to and capabilities of auditing staff.

Management Risk Factors
Management may themselves be agents of risk, and risk factors in this area may include:
➤ management’s inherent integrity (evaluated from the quality of management’s responses);
➤ areas of sole control;
➤ indications of past irregularities;
➤ evidence of conflicts of interest;
➤ situational integrity;
➤ remuneration not matching a manager’s standard of living;
➤ performance not matching budgets;
➤ threats to the continued existence of the business;
➤ the possible sale of the business; and
➤ the need to obtain extra finance.

Risk Identification by Analytical Review
Risk identification by analytical review is a common audit technique and may involve any or all of:
➤ liquidity ratios;
➤ current ratio;
➤ acid test (quick) ratio;
➤ solvency;
➤ asset structure;
➤ capital structure;
➤ profitability ratios;
➤ ROA;
➤ profit as a percentage of sales;
➤ sales to total assets;
➤ sales to fixed assets; and
➤ sales to current assets.


Marketing a Risk-based Internal Audit Approach to Management
IIA Practice Advisory 2010-2: Linking the Audit Plan to Risk and Exposures guides an internal auditor in linking the internal audit plan to the assessment of risk and exposures that may affect the business. ‘The internal audit activity’s audit plan should be designed based on an assessment of risk and exposures that may affect the organization. Ultimately, key audit objectives are to provide management with information to mitigate the negative consequences associated with accomplishing the organization’s objectives, as well as an assessment of the effectiveness of management’s risk management activities. The degree or materiality of exposure can be viewed as risk mitigated by establishing control activities.’

Selling the risk-based audit approach involves obtaining management buy-in to the process. One effective way of achieving this is to ensure their participation in both risk identification and risk evaluation. It is operational management’s responsibility to identify, assess and manage risk. It is internal audit’s responsibility to assist management in this process by identifying and assessing risk and by assisting management to monitor how well risks are actually being managed by the business. Most organizations do not have the resources available to identify, analyze and control all business risks. Implementing a formal risk assessment process helps by providing a consistent method for choosing high-impact risks on which to focus audit resources. During the risk assessment, auditors must develop an understanding of the operation’s business in order to identify and assess significant risks. They then use this assessment to allocate audit resources to areas within the organization that provide executive management and the audit committee with the most efficient and effective level of audit coverage. The output of the risk assessment is the primary basis for allocating audit resources during the audit planning process. An auditor must always bear in mind that individual managers have differing attitudes to risk. Some managers or even organizations see the acceptance of risk as fundamental to the making of profits, while others are highly risk-averse and consider reducing risk a fundamental component of the business. This is called risk tolerance. Unless the auditor understands this concept, it is likely that management and auditors will talk at cross-purposes on risk and that management may consider audit recommendations to be impractical or unacceptable. Based on the individual risk positions adopted, companies will manage risk in a number of ways, such as using insurance coverage, financial instruments, compliance, and internal audit functions. 
Management must understand that internal audit does not replace their responsibility to keep their own risk at acceptable levels. Risks themselves can be categorized according to the organization’s response.
➤ Controllable risks are risks that exist within the processes of an organization and can be managed by the organization.
➤ Uncontrollable risks are risks that arise outside the organization and cannot be directly controlled or influenced, but which nevertheless call for a risk position to be taken by the organization.
➤ Influenceable risks are risks that arise outside the organization, but can be influenced by the organization.


While internal audit normally deals with all three risk types, owing to the limited resources at its disposal it normally prioritizes those areas where risk control is both desirable and achievable, and then focuses on these areas. Generally, auditors will have developed a basic understanding of the business and control risks faced by the client before meeting the client. During initial client meetings, the client’s expectations of internal audit services should have been clarified, together with any significant risk and control issues that the client faces. Risk analysis can be carried out in a variety of fashions. Qualitative analysis is used to help identify the assets and resources at risk, the threats and vulnerabilities to those assets, and the safeguards already in place to mitigate the threats. It can also be used to pick out the controls which could be implemented to reduce the risks to an acceptable level. Qualitative analysis, as the name implies, does not attempt to quantify the financial value of assets at risk nor the frequency of occurrence of the threats. In addition, the implementation costs of suggested controls are not usually included. Quantitative analysis, on the other hand, attempts to identify potential losses in value terms using objective criteria. Typically this involves considerably greater effort to put a value to specific threats, but it does facilitate the evaluation of the cost-effectiveness of suggested controls. For most auditors a hybrid model combining the best of both quantitative and qualitative analysis is probably the most appropriate. In most organizations, putting a value to assets is an everyday process where tangible assets are concerned. Valuing intangible assets is a whole study area of its own. Assets such as reputation, intellectual property, brand names and the like can be valued in a variety of manners.
Assessing the likelihood of damage to assets via threats is also problematic since it is, in many cases, a subjective judgment influenced by the risk appetite of the person making the call. Some managers are risk averse, while others will willingly accept risk as long as their perception of the payback for accepting it is high. By the same token, assets are not equally vulnerable to every identified threat. Buildings are not commonly stolen and company vehicles do not suffer a loss of reputation. Anticipated losses must therefore be calculated for individual assets and specific threats. Internal controls can affect both the likelihood of an event having a detrimental impact on the organization and the degree of impact it can have. In selecting internal controls, cost/benefit is normally one of the major measurement criteria, but it need not be the sole criterion. The ‘risk appetite’ is a measure of how much risk management is prepared to accept in exchange for a given level of return.
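As an added illustration of the quantitative approach (not material from the book), the Python below calculates an anticipated annual loss for each asset and each threat that actually applies to it, models a control by how far it reduces likelihood or impact, and compares the residual loss with both the control cost and a stated risk appetite. The annualized-loss formula used (asset value x exposure factor x annual frequency) is a widely used convention assumed here rather than taken from the text, and the asset values, threat frequencies, control costs and the applicability matrix are all constructed.

```python
"""Quantitative risk analysis of asset/threat pairs with control cost-benefit.

Added example, not the book's own code. Inherent loss is value x exposure
factor x annual frequency (an assumed, common convention); controls cut the
frequency or the impact; residual loss is compared with control cost and with
the risk appetite. All figures are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str      # used to decide which threats apply to it
    value: float   # monetary value (tangible, or an agreed valuation of an intangible)


@dataclass(frozen=True)
class Threat:
    name: str
    annual_frequency: float   # expected occurrences per year
    exposure_factor: float    # fraction of the asset's value lost per occurrence (0..1)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    frequency_reduction: float = 0.0   # fraction by which likelihood falls (0..1)
    impact_reduction: float = 0.0      # fraction by which loss per event falls (0..1)


# Not every asset is vulnerable to every threat (buildings are not commonly
# stolen, vehicles do not lose reputation). Constructed applicability matrix.
APPLICABLE = {
    ("data", "unauthorized disclosure"),
    ("data", "theft"),
    ("vehicle", "theft"),
    ("building", "fire"),
}


def anticipated_loss(asset, threat):
    """Inherent annual loss, before any control is considered."""
    return asset.value * threat.exposure_factor * threat.annual_frequency


def residual_loss(asset, threat, controls):
    """Annual loss after the controls, assuming each works as intended."""
    freq = threat.annual_frequency
    impact = threat.exposure_factor
    for c in controls:
        freq *= 1.0 - c.frequency_reduction
        impact *= 1.0 - c.impact_reduction
    return asset.value * impact * freq


def evaluate_pair(asset, threat, controls, risk_appetite):
    inherent = anticipated_loss(asset, threat)
    residual = residual_loss(asset, threat, controls)
    cost = sum(c.annual_cost for c in controls)
    return {
        "inherent": inherent,
        "residual": residual,
        "control_cost": cost,
        "net_benefit": (inherent - residual) - cost,
        "cost_effective": (inherent - residual) > cost,
        "within_appetite": residual <= risk_appetite,
    }


def assess(assets, threats, controls_for, risk_appetite):
    """Evaluate every applicable (asset, threat) pair.

    `controls_for` maps (asset name, threat name) -> list of Controls;
    `risk_appetite` is the residual annual loss management accepts per pair.
    """
    results = {}
    for asset in assets:
        for threat in threats:
            if (asset.kind, threat.name) not in APPLICABLE:
                continue   # e.g. a vehicle cannot suffer reputational damage
            controls = controls_for.get((asset.name, threat.name), [])
            results[(asset.name, threat.name)] = evaluate_pair(asset, threat, controls, risk_appetite)
    return results


# Constructed sample data.
ASSETS = [
    Asset("customer database", "data", 2_000_000),
    Asset("delivery van", "vehicle", 40_000),
]
THREATS = [
    Threat("unauthorized disclosure", annual_frequency=0.1, exposure_factor=0.25),
    Threat("theft", annual_frequency=0.05, exposure_factor=1.0),
    Threat("fire", annual_frequency=0.01, exposure_factor=0.8),
]
CONTROLS_FOR = {
    ("customer database", "unauthorized disclosure"): [
        Control("recurring user access review", 8_000, frequency_reduction=0.5),
        Control("user awareness training", 5_000, frequency_reduction=0.2),
    ],
    ("delivery van", "theft"): [Control("vehicle tracker", 600, impact_reduction=0.6)],
}
RISK_APPETITE = 25_000   # acceptable residual annual loss per asset/threat pair

if __name__ == "__main__":
    for pair, r in assess(ASSETS, THREATS, CONTROLS_FOR, RISK_APPETITE).items():
        print(pair, {k: (round(v) if isinstance(v, float) else v) for k, v in r.items()})
```

Note that the pair with no controls recorded (theft of the database) comes out both outside appetite and with no cost-effectiveness figure to show, which is exactly the gap an auditor would raise; and "within appetite" and "cost-effective" are reported separately because a control can pay for itself and still leave the residual above what management has said it will accept.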

Conducting a Risk Assessment
Objectives
The objectives of a risk assessment are to identify, assess and document the risks and related risk management activities in an organization. These include risks in the organization’s processes and across its business units, geographic locations or product lines. The audit work should be properly aligned with the business objectives and should be agreed to by management. This, in turn, allows audit resources to be allocated in the audit planning process.


Planning a Risk Assessment
The aim of planning a risk assessment is to provide the auditors with a workable structure so that the audit can be completed successfully and efficiently. The process involves reviewing the audit objectives, the roles and responsibilities of those involved, and timelines.

Preparing a preliminary plan
A team or individual auditor must be given the job of gathering existing knowledge about the auditee area and engagement and of developing a preliminary work plan for carrying out the risk assessment. Much of the background information concerning industry trends, business objectives, internal audit focus, critical success factors, etc, can be obtained from the working papers of previous audits or from the audit department’s permanent files. In addition, the auditee normally has a strategic business plan, which defines the organization’s objectives, critical success factors and strategies.

Identifying a project team, agreeing on responsibilities and finalizing the risk assessment work plan
Based on audit’s understanding of the client, the next stage is to identify the individuals required to complete the risk assessment. In cases where the audit requires skills that are outside the core competencies of the engagement team, other resources from within the organization can be called on. The specific responsibilities of all parties involved should be agreed upon before starting the risk assessment. The results of the risk assessment become the primary basis for allocating audit resources during the audit planning process. The risk assessment enables the auditor to understand and analyze relevant characteristics of the organization’s more important business and support processes. In order to communicate the appropriate context for audit services, the audit team should use a risk framework that clearly articulates the focus of audit services as they relate to the risk universe.
This is achieved by establishing the extent and nature of risk that exists for the auditee. Internal audit will base its evaluation of risk on management’s view of the acceptability of given risk levels. It will focus on the areas of higher business risk and the areas of the business where risk control is both desirable and achievable.

Conducting the Assessment
Based upon the information gathered by the auditor during the preliminary survey, a list of threats to the attainment of the major control objectives of the client should now be available. These threats should be agreed with the auditee’s representative in order to ensure that no significant threats have been omitted and no specific threats have been over-emphasized. Based upon this list of threats, a preliminary assessment of the inherent risk of a function or department may be derived. The preliminary survey should also have produced a list of controls which management believed to be in place and effective to mitigate the threats. By matching the controls against the threats which they are intended to address, the auditor may come to a preliminary evaluation of the residual risk should all controls function as intended. At this stage the auditors are in a position to group the controls into ‘control structures’ for specific threats and identify the critical controls


intended to address those threats. It should be noted that the auditor will normally assume at this stage that there is no specific intent to bypass controls and that those individuals responsible for implementing controls will normally be competent to carry them out. Testing of the controls will indicate where incompetencies are occurring or where controls are not functioning as intended. Many auditors will use a graphical methodology, perhaps in the form of a matrix, to present these threats and controls to management to confirm their understanding of the control structures which management intend to be in place. At this stage the auditor is in a position to assess the adequacy of the control structures intended to mitigate specific threats. Where the controls do not adequately address the concerns, recommendations can be made to ‘plug the gap’, normally by introducing additional controls. Even if the control structures do not fully address the specific threats, testing will normally be carried out on the key controls, ie those controls which address significant parts of the threat, in order to determine their effectiveness. This risk assessment then forms the basis for the development of the audit program as outlined in Chapter 17.

The ‘Cube’ Approach to Risk Assessment
The ‘Cascarino Cube’
The following is a generic approach to risk identification and prioritization. Its use needs to be tailored to the requirements of an individual organization. It is referred to here as a ‘cube’ although it is, in actuality, a cuboid, with the number of layers depending on the individual architecture, components and risks to which the organization is exposed. Using IT as an example of a corporate function, in general, information processing uses an architecture which can be shown graphically as:

Diagram 1


As can be seen, at the core is the Organization’s Data, which is the major asset to be protected. This exists within, and under the control of, the Mainframe computer itself. In order to gain access to the Mainframe, Mainframe Communications channels are used. This communication is typically conducted from Servers or intermediate processors. These in turn communicate via routers and cabling through Wide Area Networking communications. The Workstations are the point from which users enter the system. In addition there are frequently users who will access the data via the Internet and Mobile computing. These rings, then, make up the first layer of the cube. The architecture itself will consist of a number of components including, among others, typically:
➤ data;
➤ software;
➤ people; and
➤ hardware.
Each of these architecture layers and components will be exposed to risks in a variety of forms. Commonly the risks may include:
➤ system non-availability;
➤ loss of confidentiality;
➤ loss of integrity;
➤ inaccuracy and incompleteness;
➤ lack of monitoring;
➤ lack of compliance; and
➤ under-performance.
Three-dimensionally, these can be shown as in Diagram 2.

Diagram 2


Based upon the discussions with Operational and Technical staff at the organization, a Cube of Risks, Systems Components and Architectural Components can be identified and risk-ranked. This will typically result in a cuboid such as that shown in Diagram 3.

Diagram 3

When prioritized and structured, the organization’s risk profile may be represented by higher ranked risks to more critical components that form the upper left-hand corner of each architectural slice. Each architectural slice may then be evaluated separately and the Operational, Security and Technical controls identified and allocated to the specific cell representing a risk (such as unavailability) to a system component (such as data). At this stage, no attempt is made to determine whether the controls believed to exist actually do exist and function as intended. Examples of the cells indicating specific controls are shown below (rows are system components, columns are risks).

Component: Data
Risk: Unavailability
T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16, T17, T18, T21, T22, T23, T26, T27, T28, T29, T30, T33, T34, T35, T36, T37, T39, T40, T41, T42, T43, T45, T46, T49, T56, T57, T58, T60 – O1, O2, O3, O4, O5, O8, O9, O11, O12, O14, O16, O19, O23, O25, O26, O27, O28, O29, O30, O31 – S3, S4, S5, S6, S11, S12
Risk: Confidentiality
T11, T12, T16, T17, T18, T22, T23, T24, T25, T27, T28, T26, T31, T32, T33, T34, T35, T40, T41, T44, T47, T58, T60 – O1, O2, O3, O4, O5, O6, O7, O8, O9, O10, O11, O12, O13, O14, O15, O16, O21, O22, O33 – S1, S2, S3, S4, S5, S6, S7, S8, S9, S10, S11

Component: People
Risk: Unavailability
T16, T17, T22, T21, T28, T30, T31, T32, T34, T35, T36, T41, T43, T47, T49, T57, T62 – O1, O5, O8, O11, O25, O27, O28, O30 – S1, S3, S11, S12
Risk: Confidentiality
T11, T12, T22, T23, T24, T31, T32, T33, T34, T28, T35, T36, T39, T41, T42, T43, T47, T51, T58, T60 – O1, O2, O3, O4, O5, O7, O8, O10, O11, O14, O15, O21, O22, O26, O32 – S1, S3, S4, S5, S6, S7, S8, S9


Examples of controls identified may include terms such as:

Controls List (legend: T = technology, S = security, O = operations)
T1 – APC Power Monitoring
T2 – APC Cold Water Monitoring
T4 – APC UPS
T5 – Generator – Natural Gas Powered
T6 – APC UPS Generator Monitor
T7 – Multiple Power Paths (N+1 config)
T8 – Air Conditioning (N+1 config)
S1 – Policies and Procedures
S3 – User Access Approval Review
S4 – Recurring User Access Review
S5 – Security Camera Monitoring
S6 – Key Fob Access Review
S7 – Shred Bin Monitoring
S8 – User Awareness Training

The objective of the exercise is to determine whether the accumulation of controls intended to mitigate a particular risk to a particular component would be adequate to reduce the risk to acceptable levels if they function as intended. Inadequate controls indicate that the risk would remain too high even if all of the controls worked as intended, and such a vulnerability must then be addressed. Once all mitigating controls have been identified, they can be evaluated in order to determine which controls give management the most assurance (whether from a preventive, detective or corrective perspective). These are designated the Key Controls and form management’s most critical defenses against those specific risks. From management’s perspective, these controls would be subject to the most stringent monitoring in normal operations. From an audit perspective, these would typically be the controls selected to be tested for effectiveness. If these controls function as intended, management may gain the assurance that risk is being controlled to the desired level in an adequate and effective manner. Where such testing determines that the Key Controls are not functioning as intended, the cause of failure must be determined and rectified. In the meantime, the other controls in that particular cell can be evaluated to determine whether they have sufficient cumulative impact to maintain the overall control at the desired level. If so, then the effectiveness of these controls must also be tested. Once Key Controls have been identified within each of the individual cells, they may be traced three-dimensionally into other cells within other system components and architectural components. This then permits a three-dimensional map of the impact that the failure of a Key Control could have across all system components and architectural components facing a variety of risks.
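The cube is straightforward to hold as a data structure, and doing so makes the slicing and tracing described above mechanical. The Python below is an added example, not code from the book: each cell (architectural layer, system component, risk) holds the controls management believes mitigate that combination together with the subset designated Key Controls, and the cube can be sliced along any axis, report cells with no control at all, or trace a Key Control through every cell whose assurance depends on it. The axis names follow the text and the control identifiers follow the T/S/O legend above, but which controls sit in which cell is constructed for illustration.

```python
"""A 'cube' of risks x system components x architectural layers.

Added example of the Cascarino Cube as a data structure, not the book's own
code. Axis names come from the text; the control identifiers follow the
page's T/S/O legend, but the assignment of controls to cells is constructed.
"""
from collections import defaultdict

LAYERS = ("Workstations", "Servers", "Mainframe")   # a subset of the rings in Diagram 1
COMPONENTS = ("data", "software", "people", "hardware")
RISKS = ("unavailability", "confidentiality", "integrity")


class RiskCube:
    def __init__(self):
        self.controls = defaultdict(set)   # cell -> all controls believed to exist
        self.key = defaultdict(set)        # cell -> the Key Controls among them

    @staticmethod
    def _cell(layer, component, risk):
        for value, axis in ((layer, LAYERS), (component, COMPONENTS), (risk, RISKS)):
            if value not in axis:
                raise ValueError(f"{value!r} is not on the axis {axis}")
        return (layer, component, risk)

    def add(self, layer, component, risk, controls=(), key=()):
        """Record the controls for one cell; Key Controls must be among them."""
        cell = self._cell(layer, component, risk)
        if not set(key) <= set(controls):
            raise ValueError(f"key controls {set(key) - set(controls)} are not in cell {cell}")
        self.controls[cell] |= set(controls)
        self.key[cell] |= set(key)
        return cell

    def slice(self, layer=None, component=None, risk=None):
        """Cells matching the given axis values (None = any): e.g. every risk
        to 'data' across all layers, or everything in the 'Mainframe' ring."""
        want = (layer, component, risk)
        return {cell: sorted(ctrls) for cell, ctrls in self.controls.items()
                if all(w is None or w == v for w, v in zip(want, cell))}

    def unmitigated(self):
        """Cells with no control at all: risk too high before any testing."""
        return sorted(cell for cell, ctrls in self.controls.items() if not ctrls)

    def cells_relying_on(self, control):
        """Every cell in which `control` appears (the three-dimensional trace)."""
        return sorted(cell for cell, ctrls in self.controls.items() if control in ctrls)

    def impact_of_failure(self, control):
        """For each cell where `control` is a Key Control, the other controls in
        that cell whose cumulative effect would have to carry the risk until
        the failure is rectified."""
        return {cell: sorted(self.controls[cell] - {control})
                for cell in self.cells_relying_on(control) if control in self.key[cell]}


def build_sample_cube():
    """Constructed sample cells using identifiers from the page's controls list."""
    cube = RiskCube()
    cube.add("Mainframe", "data", "unavailability",
             controls={"T4", "T5", "T7", "T8", "O1"}, key={"T4", "T5"})
    cube.add("Mainframe", "data", "confidentiality",
             controls={"S1", "S3", "S4", "S8"}, key={"S3", "S4"})
    cube.add("Servers", "people", "confidentiality",
             controls={"S1", "S7", "S8"}, key={"S8"})
    cube.add("Workstations", "hardware", "unavailability",
             controls={"T4", "O1"}, key={"T4"})
    cube.add("Workstations", "software", "integrity")   # nothing recorded for this cell yet
    return cube


if __name__ == "__main__":
    cube = build_sample_cube()
    print("cells relying on T4:", cube.cells_relying_on("T4"))
    print("if T4 (UPS) fails, cells left to their other controls:", cube.impact_of_failure("T4"))
    print("cells with no controls at all:", cube.unmitigated())
```

In the sample, the UPS (T4) is a Key Control in two cells on different architectural rings; if testing finds it not functioning, the map shows that the mainframe data cell still has T5, T7, T8 and O1 to evaluate for cumulative effect, while the workstation hardware cell is left with O1 alone.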
Additionally, the three-dimensional nature of the cuboid enables the auditor to examine control adequacy and effectiveness in vertical slices of system components indicating all risks and architectural components affected, horizontal slices of risks to all components indicating the system and architectural components affected or sliced by architectural components showing all risks and system components affected. By maintaining the Cube and associated controls as risk levels change with the business, and by keeping the control list current and tested, the overall risk and control architecture can be monitored in order to ensure that the overall residual risk to the organization is maintained at acceptable levels. Below is an example of a similar cube prepared for an organization’s fraud risk.


ERM and Internal Audit
Enterprise Risk Management is defined by COSO as ‘a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives’.26 All enterprises face a degree of uncertainty, and part of the role of management is evaluating the degree of uncertainty which is acceptable in the pursuit of its overall corporate objectives. Enterprise risk management encompasses an array of activities essential to achieving organizational goals, including:
➤ aligning the organization’s risk appetite with its overall corporate strategies;
➤ choosing among alternative risk responses, including avoiding the risk or reducing it through the implementation of appropriate internal controls;
➤ early identification of potential negative events and reduction of their impact;
➤ managing risk on a cross-enterprise basis; and
➤ improved use of capital by understanding the environment and opportunities.

26. COSO, Enterprise Risk Management – Integrated Framework: Executive Summary, September 2004, available from: http://www.coso.org/documents/coso_erm_executivesummary.pdf


The net impact of effective enterprise risk management includes reducing the likelihood of negative consequences such as damage to reputation, failure to comply with laws and regulations and financial damage, while enhancing the likelihood of attaining the overall objectives, including:
➤ Strategic – high-level goals, aligned with and supporting its mission;
➤ Operations – effective and efficient use of its resources;
➤ Reporting – reliability of reporting; and
➤ Compliance – compliance with applicable laws and regulations.

Internal Audit Role
Within the overall scheme of corporate governance, a critical element for the board is to ensure that the enterprise risk management processes operate both effectively and efficiently. To this end, internal audit has a vital part to play in providing assurance of their effectiveness and efficiency as well as in identifying the ‘key’ risks and controls relied upon by management. In its role as an independent, objective assurance and consulting activity, internal audit activities can be classified into core internal audit roles which are part of normal internal audit activities, those roles which internal audit can undertake in the presence of appropriate safeguards, and those roles which internal audit should not undertake. These include:

Core internal audit roles
These roles are standard assurance roles falling within the normal remit of internal audit:
➤ reviewing the management of key risks;
➤ evaluating the reporting of key risks;
➤ evaluating risk management processes;
➤ giving assurance that risks have been correctly evaluated; and
➤ giving assurance on the overall risk management processes.

Internal audit roles, given appropriate safeguards
These roles fall within the agreement of Consulting Services which may be provided in order to improve the organization’s governance, risk and control processes.
Safeguards in these areas are critical to ensure that the role of internal audit as a consultant, and not as either an auditor or a manager, is fully understood by all involved:
➤ assisting in the identification and evaluation of risks;
➤ consolidated reporting on risks;
➤ assisting in the development of the risk management framework for board approval;
➤ assisting management to develop responses to risk issues;
➤ assisting in the co-ordination of enterprise risk management activities;
➤ acting as a product champion for the establishment of enterprise risk management within the organization; and
➤ assisting in the development of a risk management strategy for board approval.

Inappropriate roles for internal audit
As can be seen, these are all management functions and should not be undertaken by internal audit even in a consultative role:
➤ accountability for risk management;

Internal_Auditing.indb 63

16/04/2015 11:12

INTERNAL AUDITING: AN INTEGRATED APPROACH

➤➤ setting the risk appetite of the organisation;
➤➤ implementing risk management processes;
➤➤ providing management assurance on risks; and
➤➤ making decisions on the appropriate responses to risk.

It must be stressed that overall risk management is a critical component of corporate governance and falls within management’s overall responsibility. The internal auditor’s primary role remains to provide assurance to the board and management on the efficiency and effectiveness of the internal control structures and processes. In its role as a consultant, internal audit may extend this assurance to providing advice and assistance to management, but must be careful not to overstep its role to the extent that its independence and objectivity may be compromised, or be assumed to be compromised.
CHAPTER 7

Control Frameworks

Learning objectives

After studying this chapter, you should be able to:
➤ Outline briefly the major internationally recognized control models
➤ Explain their impact on the definition of control objectives
➤ Explain the use of control models in the internal audit process
➤ Explain the nature of controls
➤ Choose control types to achieve the desired impact on risks
➤ Explain the characteristics of an acceptable control structure
➤ Explain an internal auditor’s role in evaluating control structures
➤ Explain the major sources of threat to good control practices
➤ Explain the role of control self-assessment

Control Processes

A large part of the work of internal audit is involved with assessing and reporting on control processes. This means an internal auditor must have a sound understanding of the nature of business processes and control frameworks likely to be encountered in a variety of organizations and be able to evaluate their effectiveness and, at times, their efficiency and economy in achieving the objectives of a particular organization in a variety of circumstances. More detailed guidance as to an internal auditor’s responsibilities is provided in IIA Standard 2120 and Practice Advisories 2120.A1-1 to A4-1. Practice Advisory 2120.A1-1: Assessing and Reporting on Control Processes recognizes the varying responsibilities of management and the internal auditor for control processes in an organization as follows.

‘1. One of the tasks of a board of directors is to establish and maintain the organization’s governance processes and to obtain assurances concerning the effectiveness of the risk management and control processes. Senior management’s role is to oversee the establishment, administration, and assessment of that system of risk management and control processes. The purpose of that multifaceted system of control processes is to support people of the organization in the management of risks and the achievement of the established and communicated objectives of the enterprise. More specifically, those control processes are expected to ensure, among other things, that the following conditions exist:
➤ Financial and operational information is reliable and possesses integrity.
➤ Operations are performed efficiently and achieve effective results.
➤ Assets are safeguarded.
➤ Actions and decisions of the organization are in compliance with laws, regulations, and contracts.
2. Among the responsibilities of the organization’s managers is the assessment of the control processes in their respective areas. Internal and external auditors provide varying degrees of assurance about the state of effectiveness of the risk management and control processes in select activities and functions of the organization.’

COSO’s Internal Control: An Integrated Framework

In 1992, the American Institute of Certified Public Accountants, the Institute of Internal Auditors, the American Accounting Association, the Institute of Management Accountants and the Financial Executives Institute, collectively referred to as the Committee of Sponsoring Organizations or COSO, issued a jointly prepared study entitled Internal Control: An Integrated Framework. This document identified the fundamental objectives of any business or government entity. These included economy and efficiency of operations, safeguarding of assets, achievement of desired outcomes, reliability of financial and management reports, and compliance with laws and regulations. Internal control was defined by COSO as a broadly defined process, effected by people, designed to provide reasonable assurance regarding the achievement of the three objectives of all businesses, namely:
➤ economy and efficiency of operations, including achieving performance goals and safeguarding assets against loss;
➤ reliable financial and operational data and reports; and
➤ compliance with laws and regulations.

To help management achieve these objectives, COSO defined five components. These are discussed below.

A Sound Control Environment

A sound control environment requires the correct level of attention and direction from senior management. This environment is created by employing managers and employees who possess integrity, ethical values and competence. It is a function of management’s philosophy and operating style. To be effective, it requires the proper assignment of authority and responsibility coupled with the proper organization of available resources. Staff must be trained and developed to the required standard to ensure that they can competently exercise control.

A Sound Risk Assessment Process

A sound risk assessment process requires effective methods that allow management to be aware of the risks and obstacles to the successful achievement of business objectives and to be able to deal with them. As such, management must establish a set of objectives that integrate all the organization’s resources so that the organization operates in unison. The risk assessment itself involves the identification, analysis and management of the risks and obstacles to the successful achievement of the three primary business objectives.
Sound Operational Control Activities

Sound operational control activities involve the establishment and execution of sound policies and procedures. These help to ensure that actions identified by management as being needed to address risks and obstacles to the achievement of business objectives are effectively implemented. These would include authorization, reviews of operating performance, security of assets and segregation of duties.

Sound Information and Communications Systems

Information systems facilitate the running and control of a business by producing reports containing financial, operational and compliance-related information. They deal with both internally generated data and external activities, conditions and events that management should be aware of when making decisions and reporting the company’s activities to the outside world. For this to happen, appropriate information must be identified, captured and communicated in a way that enables people to carry out their responsibilities. Effective communication must flow down, up and across the organization. (This includes a clear message from top management to all personnel that control responsibilities must be taken seriously.) This means that all personnel must understand their own roles in the internal control system, as well as how their individual activities relate to the work of others. Personnel also must be able to communicate significant information upwards, as well as communicate with external parties.

Effective Monitoring

To ensure the effectiveness of the control process, the entire control system must be monitored to assess the quality of the system’s performance over time. Deficiencies must be reported, with serious matters reported directly to top management. Also, there should be separate, independent evaluations of the internal control system.
The scope and frequency of these independent evaluations depend mainly on the assessment of risks and obstacles, and the effectiveness of ongoing monitoring procedures.

Internal Controls

People are often confused about what exactly a control is. A control is any action taken by management to increase the likelihood that an organization’s objectives and goals will be achieved. It results from management’s planning, organizing and directing, and the many variants (eg management control, internal control, etc) can be included in the generic term. Management controls are intended to ensure that an organization is working towards its stated objectives.
➤ Corporate objectives and goals are the statement of corporate intent (eg ‘Costs will be reduced by 20 per cent over the next year’).
➤ Management objectives define how the corporate objectives will be met (eg ‘Costs will be reduced by reducing material wastage by 10 per cent and stock theft by 60 per cent’).
➤ Internal control ensures that programs to achieve management’s objectives are properly planned and executed (eg ‘All waste must be written in a waste book and supervisors will check excessive waste weekly’).

Control responsibility is clearly management’s job and encompasses planning, organizing and directing.
➤ Planning in this case is taken to mean establishing objectives and goals, as well as choosing the best methods of using resources.
➤ Organizing involves the gathering of the required resources and arranging them so that the objectives can be achieved.
➤ Directing includes the authorizing, instructing and monitoring of actual performance as well as periodically comparing actual to planned performance.

Management decisions may be classified as strategic, tactical or operational. Internal audit ensures that the system of internal control is effective and functions as intended. The level of control needed will be affected by overall objectives. Internal control ensures that programs to achieve management objectives are properly planned and executed. Operating objectives direct the day-to-day activities and may, in themselves, conflict, eg there may be a conflict between the need for control and the need for timeliness. The way in which objectives are prioritized directs the development of controls and will affect the final, overall system of controls that is implemented. Where the objectives are growth and providing service, in a dynamic, rapid-growth environment, control systems may not keep pace; the risk is higher and the need for frequent audits increases. If the objective is cost reduction in a stable environment, control systems should be stabilized and risk is lower, so the frequency of internal audits can be reduced.

Systems of Internal Control

The combinations of the various elements of control go to make up the systems of internal control. These are, in turn, influenced by:
➤ the control environment, which establishes the conditions under which internal controls will operate;
➤ the organizational structure; and
➤ the control framework, including the organizational policies and procedures and external influences.

Control Environment

The control environment is the overall infrastructure within which the other control elements will function. Primary elements within this infrastructure are the following.

Organizational Structure

This defines individual managers’ responsibilities, sets limits of authority and allows the proper segregation of duties. If the organizational structure is problematic, with excessive powers granted to individuals, or if poor segregation of duties exists, the effectiveness of the individual controls may be weakened irreparably.
Control Framework The control framework includes the policies and procedures that describe the scope of a function, its activities, its interrelationships with other departments, and the external influences of laws and regulations, customs, union agreements and the competitive environment within which an organization operates. The structures enforcing controls may be complex or simple. Large organizations tend to have highly structured control frameworks, while smaller organizations often use personal contact between employees.

Elements of Internal Control

The overall system of internal control is designed to ensure that:
➤ control is maintained over the integrity and accuracy of the operational and financial information of the organization;
➤ control is adequate over the accounting for, and maintenance of, assets;
➤ there is adequate enforcement of compliance with the policies, plans and procedures of the organization, as well as compliance with the relevant laws and regulations;
➤ functions are performed economically and efficiently; and
➤ there is a high probability of managerial objectives being achieved.

In order to achieve this control, frameworks are established that involve the primary elements discussed below.

Segregation of Duties

These are the policies and control procedures to ensure that those who physically handle assets are not the same people who record asset movements, who reconcile those records, or who authorize transactions. Controls should allow for the procedures performed by one person to effectively provide a check on the procedures of another in the transaction process. The critical issue in the segregation of duties is that duties performed by different people should not be incompatible and that individuals are adequately qualified and trained to perform the relevant control procedures.

Competence and Integrity of People

Underpinning the control system are the people who enforce it. In order for controls to be effective, those who exercise control must be capable of doing so and honest enough to consistently do so.

Appropriate Levels of Authority

A common mistake in control structures is the granting of too much authority within control boundaries. Authority should only be granted on a need-to-have basis. If there is no need for a particular individual to have specific authority, it should not be granted.
Accountability

For all decisions, transactions and actions taken, there must be controls that will allow management to work out who did what with an acceptable degree of confidence.

Adequate Resources

Controls that are inadequately resourced will generally fail whenever they come under stress. Adequate resources include manpower, finance, equipment, materials and methodologies.

Supervision and Review

Adequate supervision of the appropriate type is essential for sound internal control.
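As an added example (not code from the textbook) of how the Segregation of Duties and Accountability elements above can be tested mechanically, the script below holds a constructed role catalogue and a few constructed transactions: it flags users whose role assignments combine incompatible duty classes, flags transactions where one person performed more than one duty, and lists transactions whose actors are not fully recorded. All role names, users and transactions are assumptions.

```python
"""Segregation-of-duties and accountability checks over constructed sample data.

Added example, not code from the textbook. It applies the chapter's two rules:
(1) whoever handles an asset must not also record, reconcile or authorize the
related transaction, and (2) every action must be traceable to a named person.
"""
from dataclasses import dataclass
from itertools import combinations

# The four duty classes the chapter requires to be kept in different hands.
CUSTODY = "custody"                # physically handles assets
RECORDING = "recording"            # records asset movements
RECONCILIATION = "reconciliation"  # reconciles those records
AUTHORIZATION = "authorization"    # authorizes transactions

# Constructed role catalogue: which duty class each business role carries.
ROLE_DUTIES = {
    "cashier": {CUSTODY},
    "ap_clerk": {RECORDING},
    "gl_reconciler": {RECONCILIATION},
    "ap_approver": {AUTHORIZATION},
    "auditor_readonly": set(),   # read-only access carries no duty class
}

def duties_for(roles):
    """Union of the duty classes granted by a list of roles (unknown roles ignored)."""
    duties = set()
    for role in roles:
        duties |= ROLE_DUTIES.get(role, set())
    return duties

def role_conflicts(user_roles):
    """Static check: users whose role assignments combine two or more duty classes.

    Returns {user: [(duty_a, duty_b), ...]} listing every incompatible pair held.
    """
    findings = {}
    for user, roles in user_roles.items():
        held = sorted(duties_for(roles))
        pairs = list(combinations(held, 2))   # any two distinct duties conflict
        if pairs:
            findings[user] = pairs
    return findings

@dataclass(frozen=True)
class Transaction:
    """Who performed each duty class on one transaction ('' means not recorded)."""
    tid: str
    custody_by: str
    recorded_by: str
    reconciled_by: str
    authorized_by: str

    def actors(self):
        return {
            CUSTODY: self.custody_by,
            RECORDING: self.recorded_by,
            RECONCILIATION: self.reconciled_by,
            AUTHORIZATION: self.authorized_by,
        }

def transaction_conflicts(txns):
    """Operational check: transactions where one person performed more than one duty.

    Returns {tid: {person: [duties performed]}} for the offending transactions only.
    """
    findings = {}
    for txn in txns:
        by_person = {}
        for duty, person in txn.actors().items():
            if person:
                by_person.setdefault(person, []).append(duty)
        multi = {p: sorted(d) for p, d in by_person.items() if len(d) > 1}
        if multi:
            findings[txn.tid] = multi
    return findings

def unaccountable(txns):
    """Accountability check: transactions with a duty that cannot be traced to anyone."""
    return [txn.tid for txn in txns if any(p == "" for p in txn.actors().values())]

# Constructed sample data (assumed names, not from the textbook).
SAMPLE_USER_ROLES = {
    "alice": ["cashier"],
    "bob": ["ap_clerk", "ap_approver"],                 # records and approves
    "carol": ["gl_reconciler", "auditor_readonly"],
    "dave": ["cashier", "ap_clerk", "gl_reconciler"],   # handles, records, reconciles
}

SAMPLE_TXNS = [
    Transaction("T1", "alice", "bob", "carol", "erin"),   # properly segregated
    Transaction("T2", "alice", "bob", "bob", "erin"),     # bob recorded and reconciled
    Transaction("T3", "dave", "dave", "carol", "dave"),   # dave performed three duties
    Transaction("T4", "alice", "", "carol", "erin"),      # recorder unknown
]

if __name__ == "__main__":
    print("role conflicts:", role_conflicts(SAMPLE_USER_ROLES))
    print("transaction conflicts:", transaction_conflicts(SAMPLE_TXNS))
    print("unaccountable:", unaccountable(SAMPLE_TXNS))
```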

Control Self-assessment

Control self-assessment (CSA) uses techniques performed by management to quantify the impact of business risks and effectiveness of control structures at an operational level in a way similar to the assessment processes followed by internal audit. Self-assessment tools can be used to improve business processes and so add immense value to an organization. CSA goes beyond the bounds of internal audit by making the organization as a whole responsible for management control and governance through embracing, planning and operating a CSA process. Although none of the control frameworks specifically mentions control self-assessment, there is a general feeling in the auditing community that CSA is a significant tool in implementing COSO (in the USA and generally worldwide), CoCo27 (in Canada), Cadbury (in the UK) or King (in South Africa). These frameworks all include monitoring and risk assessment among the fundamentals of internal control. One of the main reasons for introducing CSA was the constraint on internal audit resources due to budget cuts, coupled with the increased demands caused by the growing awareness of the need for good corporate governance. Under a CSA model, management accept full responsibility for internal control, although some implementations of CSA involve collaboration between internal audit and management so that they take joint responsibility for evaluating the adequacy and effectiveness of the system of internal control. Internal auditors may choose to use CSA in several ways:
➤ as a tool to ascertain the state of the existing control process and evaluate management’s understanding of risks in their business process;
➤ to gather information on the history of transactions processed and the actual operation of controls as a substitute for extended testing by internal audit; and
➤ as a complete audit assessment in its own right by combining the first two uses.

27. Canadian Institute of Chartered Accountants. 1995. Guidance on Control (CoCo). Toronto: Canadian Institute of Chartered Accountants.
Resources

Budget and staff cuts have caused audit management to realize that changes must be made. CSA puts the main responsibility for the design, operation and maintenance of internal control back on management, ie where the IIA Statement of Responsibilities has always maintained that it belongs.

Collaboration

As we have seen, CSA can be a collaborative process, with internal audit and management working together to achieve common goals. This is a reversal of the old-fashioned philosophy of adversarial auditing.

Empowerment

CSA facilitates empowerment. The process is owned overall by management. Management accept responsibility for internal control and exercise that responsibility. Empowerment, more than collaboration, is probably the single most significant aspect of CSA for management.

Implementing CSA

CSA generates data in erratic quantities, instead of evenly over the course of an extended audit schedule. CSA practitioners must be prepared to handle large quantities of data over brief periods of time. There are several methods for implementing CSA. These range from the most mechanistic type of audit using internal control questionnaires (ICQs) to group workshops.

Internal Control Questionnaires

The ICQ is a set of questions used by an auditor as a checklist to determine the existence of expected controls. External auditors documenting their understanding of internal control generally use ICQs. An internal auditor completes the ICQs during the preliminary survey phase of the audit using observation and interviews. The ICQ helps establish the level of theoretical control activity and affects the level of substantive testing that is needed. Under CSA, management can be asked to complete an ICQ as a form of self-audit. This may be used as a risk assessment tool before actually conducting an audit. If management is to complete the ICQ independently, they must be supplied with documentation to explain internal control concepts, the purpose of the instrument and instructions on how to complete it.

Customized Questionnaires

One improvement on the normal ICQ approach is the use of customized structured questionnaires. One form that this process may take is the internal control sign-off on a folder of questions about various control activities. This usually contains a description of the control activity and a schedule of when the activity must be
performed (daily, weekly, etc). These are normally permanent customized questionnaires. They can be verified by upper management and the internal auditor at any time. Folders such as this are often found in extremely high-risk areas such as nuclear power generation or bank cash handling, or in highly regimented control environments such as military establishments. The questions must be carefully considered and the answers must reflect the true state of affairs. One weakness in the ICQ approach, which applies to the customized forms of questionnaire as well, is that it is usually obvious that the ‘correct’ answer to many questions is ‘yes’.

Control Guides

Control guides are computerized folders containing a description of the expected set of internal controls for the operations covered. They are still often used by internal auditors who specialize in financial audits. In the CSA version, these control folders become internal control workbooks. The workbook is used to facilitate discussion regarding operations, risks and controls. Internal auditors and management discuss the completion of the workbook, and internal audit uses it as part of its preliminary survey. One application is based on a series of interviews with senior management.

Interview Techniques

Many internal audit departments interview senior management about issues, plans and concerns as part of the annual planning cycle. The CSA approach using interview techniques is a more structured tool than the use of ICQs or control guides. Interviews allow for interaction between the information provider and information gatherer. Using structured interviews to gather management’s input to the assessment process ensures that the same questions are addressed in each session.

Workshops

A popular method of conducting CSA is to use the work group session model, which was derived from the original research at Gulf Resources (Canada) conducted by Bruce McCuaig, Paul Makosz and Tim Leech at the end of the 1980s. They developed two distinct versions of the workshop model.

Control model workshops

These involve training seminars that focus on developing the knowledge and capability of management and staff to handle assessing, managing and reporting on internal control by using control design models. These workshops have a central premise that the facilitator must transfer knowledge to the work group in order for the work group to assess the controls and risks. This approach increases the assessor’s understanding of the assessment risk and improves the design of internal control systems.

One control framework often used in control model workshops has major categories that include:
➤ the definition and communication to participants of organizational goals and objectives;
➤ the definition of commitment controls (derived from the Canadian Institute of Chartered Accountants 1995 report referred to above), which are soft controls that involve and unite the people in the organization and could include the corporate vision, mission and purpose statements;
➤ planning and risk assessment processes;
➤ competence, training and continuous learning, involving the acquisition and maintenance of the skills required to attain the organization’s goals;
➤ direct control activities and mechanisms;
➤ indicator controls, which are performance indicators of control problems; and
➤ monitoring/feedback, which is the process of gathering and using information to adjust the control system.

Alternatively, the COSO Integrated Framework may be used directly.

Interactive workshops

These are process consultation workshops in which management and staff evaluate the state of internal controls. In this model, the underlying philosophy is that management owns the concept of internal control, and management continues to own the problem throughout the workshop. The facilitator then introduces the information during the workshop. Interactive workshops differ from control model workshops in that they require more facilitation skills, especially during the process consultation phase. Interactive workshops have the advantage that they take less time, because they do not emphasize the training element as control model workshops do. Both workshop approaches use control frameworks to ensure that the relevant issues are comprehensively covered. Some feel that control model workshops are a substitute for traditional internal audit, while interactive workshops are normally seen as another tool of the internal auditing function, ie they are a supplement to traditional auditing approaches.

Workshops last a day or two, and each is facilitated by members of the internal audit staff. To be successful, participants must feel that they can express themselves freely on any subject, and there must be a strong commitment by all concerned to the objectives of the process. The workshop consists of analysis by the group of the strengths and weaknesses of the internal control systems relied on by the department to help it achieve its objectives. Because of the high potential for conflict, facilitation skills are critical in these sessions. It takes a great deal of effort to discuss and capture strengths and improvements in internal control during interactive workshops. Once they have identified a risk, the team must formulate an action plan.

Other Control Frameworks Other control frameworks are used in specialized cases such as banking or IT.
Banking

The ‘Framework for Internal Control Systems in Banking Organisations’ produced by the Basel Committee on Banking Supervision was produced as a response to the Basel Accord (Basel II), which forces banks to renew their focus on risk. Banks are required to measure, monitor, mitigate and disclose risk. Basel II introduced the concept of the ‘three pillars’ for effective control in banking, namely maintenance of a minimum capital, an appropriate supervisory review process, and effective market discipline. From an audit perspective, obviously the supervisory review process is of primary importance. This is intended to focus the bank on internal risk management capabilities via internal control reviews of residual risk relative to the risk ‘appetite’ of the bank and reviewing of the risk strategies and monitoring capabilities of the bank. One of the critical aspects of the new accord includes a new and separate risk activity termed ‘operational risk’. To assist in controlling risk, the committee also produced a document named ‘Framework For Internal Control Systems in Banking Organizations’.28 This document clearly defines the principles for the assessment of internal control systems within banks and classifies the types of control breakdowns in this environment into:
➤ ‘Lack of adequate management oversight and accountability, and failure to develop a strong control culture within the bank.
➤ Inadequate recognition and assessment of the risk of certain banking activities, whether on- or off-balance sheet.
➤ The absence or failure of key control structures and activities, such as segregation of duties, approvals, verifications, reconciliations, and reviews of operating performance.
➤ Inadequate communication of information between levels of management within the bank, especially in the upward communication of problems.
➤ Inadequate or ineffective audit programs and monitoring activities.’

It also differentiates among performance objectives, information objectives and compliance objectives and splits internal control into:
➤ management oversight and the control culture;
➤ risk recognition and assessment;
➤ control activities and segregation of duties;
➤ information and communication; and
➤ monitoring activities and correcting deficiencies.

IT

Control Objectives for Information and related Technology (COBIT®), produced by the Information Systems Audit and Control Association (ISACA), is one of the most widely accepted models of IT governance and control utilized to manage risks and implement controls within an IT environment in order to achieve business objectives. COBIT was introduced in order to integrate existing IT standards and best practices into one cohesive structure designed to achieve internationally accepted governance standards. COBIT works from the strategic requirements of the organization,

28. http://www.bis.org/publ/bcbs40.pdf
and encompasses the full range of IT activities. It focuses on the achievement of control objectives rather than the implementation of specific controls and, as such, it integrates and aligns IT practices with organizational governance and strategic requirements. It is not the only set of standards in common use, but it integrates with other standards to achieve defined levels of control. Standards themselves do not achieve best practice, and what may be classed as best practice for an organization must be appropriate to that organization. Specific controls require careful selection, interpretation and implementation in order to achieve an adequacy of control structures. COBIT presents a framework for overall control based upon a model of IT processes intended to be used as a generic model upon which specific controls can be overlaid. This creates a unique system of internal controls specifically tailored to the business needs of the organization. COBIT is designed to be utilized at different levels of management. Executive management require evidence that value is being obtained on an ongoing basis from the significant investment in information technology and must ensure that risk and control investment is appropriately balanced. Operational management utilize COBIT to facilitate the gaining of assurance that the management and control of information technology services is appropriate. IT management use COBIT as an operational tool to ensure the business strategy is supported in a controlled and appropriately managed manner in providing IT services. IS auditors can evaluate the adequacy of controls against COBIT standards, design appropriate tests to determine the effectiveness of controls and provide management with appropriate advice on the system of internal controls. 
Because of its close alignment with COSO and other internationally accepted principles of good corporate governance, it is intrinsically acceptable to multiple layers of management as well as regulators.

CobIT®

Control Objectives for Information and related Technology (CobIT®) was originally created by ISACA in 1996 as a framework for business managers, IT managers and auditors. Since then, the CobIT framework has evolved to become an internationally accepted approach for IT governance, management and assurance. Following the increased focus on the enterprise governance of IT and the introduction of legislation and codes of practice such as King III in South Africa, which was the first national corporate governance code to specifically mandate IT governance as a critical component, CobIT was extended until, in 2012, CobIT 5 was introduced as a comprehensive framework of globally accepted principles, practices, analytical tools and models to assist an enterprise in the governance and management of information and technology. The fifth edition brought together the concepts contained in CobIT, ValIT and RiskIT into one integrated framework. CobIT is designed to be utilized at different levels of management.
➤➤ Executive management can utilize it to ensure value is obtained from its significant investment in information technology and to ensure that risk and control investment is appropriately balanced.
➤➤ From an operational management perspective, CobIT facilitates the gaining of assurance that the management and control of information technology services, whether insourced or outsourced, is appropriate.
➤➤ IT management can use it as an operational tool to ensure the business strategy is supported in a controlled and appropriately managed manner in providing IT services. ➤➤ IT auditors can utilize CobIT to evaluate the adequacy of controls, design appropriate tests to determine the effectiveness of controls and provide management with appropriate advice on the system of internal controls. CobIT utilizes a framework of principles and enablers in order to create a logical structure of IT activities in a manner which can be easily subject to managerial controls. The integration of ValIT and Risk IT require the introduction of new Governance of Enterprise IT (GEIT) principles. The framework now divides IT into five CobIT principles and seven CobIT enablers. The principles cover: 1. Meeting stakeholder needs 2. Covering the enterprise end-to-end 3. Applying a single integrated framework 4. Establishing an holistic approach 5. Separating governance from management. CobIT enablers are defined as: 1. Principles, policies and frameworks 2. Processes 3. Organizational structures 4. Culture, ethics and behavior 5. Information 6. Services, infrastructure and applications 7. People, skills and competencies. Processes now cover Evaluating, Directing and Monitoring; Aligning, Planning and Organizing; Building, Acquiring and Implementing; Delivery, Service and Support; Monitoring, Evaluating and Assessing. Evaluate, Direct and Monitor (EDM) Overall governance is designed to ensure that the enterprise objectives are met and involves five high-level IT control objectives namely: EDM01   Ensure Governance Framework Setting and Maintenance EDM01   Ensure Benefits Delivery EDM03   Ensure Risk Optimisation EDM04   Ensure Resource Optimisation EDM05   Ensure Stakeholder Transparency. 
Align, Plan and Organize (APO)
This domain covers all of the processes undertaken by management in order to ensure that the IT function is properly aligned with corporate objectives and planned and controlled to provide assurance that corporate IT objectives will be achieved. Detailed processes include:


CONTROL FRAMEWORKS

APO01 Manage the IT Management Framework
APO02 Manage Strategy
APO03 Manage Enterprise Architecture
APO04 Manage Innovation
APO05 Manage Portfolio
APO06 Manage Budget and Costs
APO07 Manage Human Relations
APO08 Manage Relationships
APO09 Manage Service Agreements
APO10 Manage Suppliers
APO11 Manage Quality
APO12 Manage Risk
APO13 Manage Security.

Build, Acquire and Implement (BAI)
This domain covers the processes involved in identifying IT requirements and choosing solutions through to installation and accreditation of solutions and changes. Detailed processes include:
BAI01 Manage Programs and Projects
BAI02 Manage Requirements Definition
BAI03 Manage Solutions Identification and Build
BAI04 Manage Availability and Capacity
BAI05 Manage Organizational Change Enablement
BAI06 Manage Changes
BAI07 Manage Changes Acceptance and Transitioning
BAI08 Manage Knowledge
BAI09 Manage Assets
BAI10 Manage Configuration.

Deliver, Service and Support (DSS)
This domain includes all of the processes required to deliver the appropriate service levels, manage information and operations and ensure appropriate performance. Detailed processes include:
DSS01 Manage Operations
DSS02 Manage Service Requests and Incidents
DSS03 Manage Problems
DSS04 Manage Continuity
DSS05 Manage Security Services
DSS06 Manage Business Process Controls.

Monitor, Evaluate and Assess (MEA)
This domain includes the processes required to monitor overall IT performance and ensure effective IT governance. Detailed processes include:
MEA01 Monitor, Evaluate and Assess Performance and Conformance
MEA02 Monitor, Evaluate and Assess the System of Internal Control
MEA03 Monitor, Evaluate and Assess Compliance with External Requirements.


Auditors familiar with CobIT 4.1, RiskIT and ValIT are generally familiar with the process maturity models included in those frameworks. These models are used to measure the current maturity of an enterprise’s IT-related processes, to define a required future desired state of maturity, and to determine the gap between them and how to improve the process to achieve the desired maturity level. The CobIT 5 product set includes a process capability model, based on the internationally recognised ISO/IEC 15504 Software Engineering–Process Assessment standard. This model is designed to achieve the same overall objectives of process assessment and process improvement support and allows areas for improvement to be identified.

Further Information
Further information is available from the ISACA (www.isaca.org). Details of direct interest to the IS auditor include the CobIT:
➤ Frameworks
➤ Enabler & Professional Guides
➤ Practical Guides
➤ IT Audit/Assurance Programs.

Other Self-assessment Methods
Another methodology is self-review. Originating in New Zealand, self-review includes a process in which the management of each enterprise prepares a report on their review of their processes, including controls. The review may be accomplished by performance monitoring, corporate planning, process improvement, policy evaluation, peer review, quality management, ad hoc projects, and management by walking around (MBWA), as well as by both internal and external audit. Whichever method is used, the essential requirement is that the review must be documented and verifiable.


Chapter 8: Audit Evidence

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the major types of audit evidence
➤ Differentiate between audit and legal evidence
➤ Choose the testing techniques needed to obtain the evidence you are looking for
➤ Document the evidence in a quality working paper

The Nature of Audit Evidence
As internal auditors, we are often required to express our opinion on the adequacy and effectiveness of internal controls. For this, we must gather audit evidence to support our opinion. Evidence is something intended to prove or support a belief. Each individual piece may be flawed by a personal bias or by a potential error of measurement, and each piece may be less competent than desirable, so we must look at the total ‘body of evidence’, which should provide a factual basis for audit opinions. An internal auditor usually obtains audit evidence by:
➤ observing conditions;
➤ interviewing people; and
➤ examining records.

IIA Practice Advisory 2310-1: Identifying Information provides guidance as to the quality of the evidence that an internal auditor looks for. ‘Information should be sufficient, competent, relevant, and useful to provide a sound basis for engagement observations and recommendations. Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor. Competent information is reliable and the best attainable through the use of appropriate engagement techniques. Relevant information supports engagement observations and recommendations and is consistent with the objectives for the engagement. Useful information helps the organization meet its goals.’

IIA Practice Advisory 2240-1: Engagement Work Program gives the procedures that an internal auditor uses to gather audit evidence. ‘Engagement procedures, including the testing and sampling techniques employed, should be selected in advance, where practicable, and expanded or altered if circumstances warrant.’


There are various types of evidence.
➤ Physical evidence is generally obtained by observing people, property or events and may take the form of photographs, maps, etc. Where the evidence is from observation, it should be supported by documented examples or, if not possible, by corroborating observation.
➤ Testimonial evidence may take the form of letters, statements in response to enquiries or interviews and is not conclusive, since these documents are only someone’s opinion. It should be supported by documentation where possible.
➤ Documentary evidence is the usual form of audit evidence and includes letters, agreements, contracts, directives, memoranda and other business documents. The source of the document will affect its reliability and the trust we place in it. The quality of internal control procedures will also be taken into account.
➤ Analytical evidence is usually derived from computations, comparisons to standards, past operations and similar operations. Regulations and common reasoning will also produce evidence of this kind.

Reliability of Audit Evidence
All audit evidence should be:
➤ Sufficient: ‘... factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor’;
➤ Reliable: ‘... reliable and the best attainable through the use of appropriate engagement techniques’;
➤ Relevant: ‘... supports engagement observations and recommendations and is consistent with the objectives for the engagement’; and
➤ Useful: ‘... helps the organization meet its goals’ (IIA Practice Advisory 2310-1: Identifying Information).

Audit Evidence Procedures
As you can see, an auditor relies heavily on gathering evidence. This is done in various ways and follows the audit program. The audit program is a set of detailed steps that an auditor will follow in order to acquire the appropriate evidence. Evidence is gathered in order to facilitate the expression of an opinion on the degree of control exercised over the business activity. The program indicates the manner in which the examination and evaluation of those controls will be carried out and provides the factual basis for the expression of the opinion, thus providing the link between the audit fieldwork and the audit report.

The audit program is formulated based upon the results of the preliminary survey, where it has been determined what risk, if any, is indicated, the nature of the controls intended to best manage those risks and what, if any, evidence the auditor would seek regarding the ongoing effectiveness of those controls. Based upon this, the auditor will determine the appropriate tests required to obtain the evidence. Like any map, the audit program must meet the requirements of the person utilizing the map. A good audit program will indicate what tests need to be carried out, who will carry out the tests, how they will be carried out, when they will be done and how long they will take. As a planning tool, the audit program therefore assists the auditor by providing a measurement tool regarding the scheduling and budgeting as well as a measurement of the sufficiency of the evidence gathered. Any audit program should be looked on as provisional and may be modified based upon the evidence gathered during the audit itself.

Many audit departments use a standardized audit program based on the presumption of risk to be found within the auditee area. These are very useful in carrying out a standard audit over a variety of similar auditees such as geographically spread retail operations. Even within such standardized programs, modification may be required where abnormal conditions are found. New standardized audit programs should be prepared well in advance of the audit, since programs which are prepared late have a tendency to omit critical evidence-gathering steps. The auditor must always remember that the evidence focus should be on corporate risk and the gathering of the evidence should be designed to indicate the degree to which the risk is acceptably mitigated. The audit supervisor will typically review the audit program prior to implementation in order to ensure that the evidence it is intended to gather will satisfy the objectives of the audit. This is a standard procedure and would be carried out as part of normal project management techniques as indicated within chapter 16.
Overall, the audit supervisor must be satisfied with:
➤ the audit objectives;
➤ the audit scope;
➤ the degree of planning carried out prior to the audit;
➤ the accuracy of the control objectives agreed with the auditee;
➤ the evidence sought;
➤ the selection of the audit procedures for gathering the evidence;
➤ the appropriateness of the procedures for evaluation of the evidence gathered;
➤ the procedures for communicating the results;
➤ the report preparation; and
➤ the follow-up procedures.

The actual program used will vary from audit to audit, depending on what you are looking for. For example, if you want to check whether all purchase orders were properly authorized, you might:
➤ interview the staff to find out who is supposed to authorize purchase orders;
➤ inspect the purchase orders themselves to check for signatures; and
➤ compare the signatures to a master copy of the signatures of the list of people with signing powers.

Procedures that an auditor may use in gathering evidence include:
➤ conducting interviews, where testimonial evidence is particularly important;
➤ comparing evidence to some standard;
➤ recomputation of results, such as adding up money owed, which tends to be very narrow in scope;
➤ detailed testing, such as vouching, which involves testing balances by examining supporting documentation;
➤ tracing, which follows original documents through the processing cycle;
➤ observation and inspection, where an auditor observes activities or inspects assets;
➤ scanning, in which a less-detailed examination is carried out to detect unusual patterns, which may be combined with statistical sampling to obtain evidence;
➤ confirmation, in the form of written confirmation completed by a third party and returned directly to the auditor (such as a debtors certification); and
➤ analytical reviews comparing performance for this week to last week’s performance or budgeted spending to actual spending.

After the audit program has been prepared, the auditor selects and examines the evidence. This involves the following processes.

Observation
Observation involves both seeing and noticing. It is visual examination with a purpose and includes mental (or cognitive) comparison with standards and established criteria. It is an evaluative viewing and is generally preliminary to other evaluation techniques. Observations should ideally be confirmed through investigation and analysis and, while these may be a factor of questioning, they may not tell the whole story. An auditor may observe an operation such as placing a purchase order to check whether the correct procedures are followed.

Questioning
This is perhaps the most common information-gathering technique. Questioning may be oral or written and will continue throughout the assessment process. It is not an easy technique to use effectively, particularly for a manager, since answers often simply contain what the answerer believes the auditor wants to hear. Questions should be open-ended and not directive (ie they should take the form of ‘Tell me how orders are placed’ rather than ‘Do you sign all orders yourself?’), and answers should, where possible, be confirmed independently.

Analyzing
Analyzing involves examining a complex thing or process in detail by dividing it into simpler parts with the aim of discovering qualities, significance, etc. It may involve determining interrelationships, causes and effects; observing trends; and making comparisons. For example, you could analyze absenteeism in August 2004 by measuring it against TV coverage of the Athens Olympics to see whether there is any correlation.

Verifying
Verifying is the process of confirming the truth, accuracy or validity of assertions. It is a deliberate effort to establish truth by comparing something to known facts or standards. A reported wrongdoing may be verified by examining supporting documentation.

Investigating
This management technique involves an enquiry to uncover hidden facts and a systematic tracking down. Audits imply objectivity, but investigations generally look for evidence of wrongdoing. In such circumstances, be careful not to go out of your depth and be mindful of the legalities. Suspected fraud would typically result in an investigation.


Evaluating
Evaluation is a major management task involving the estimation of worth in order to arrive at a judgment. Management must draw conclusions based on the facts that have been accumulated and require auditors to exercise their professional judgment to help them in this process. An evaluative measurement usually involves comparing something to a standard, such as the time taken for a task or rejection rates in manufacturing. If there are no published and accepted standards, an auditor will have to develop them based on the operation objective and the evaluator’s experience. If necessary, these standards may be verified with a qualified expert or with executive management before any evaluation is carried out.

Documenting the Evidence
As proof of the planning, gathering and analysis of audit evidence, it must be summarized, together with its interpretation, in working papers. Working papers are intended to support the information contained in the audit reports and should contain explanations of how risks were evaluated, any cost/benefit considerations the auditors have taken into account, the correlation of evidence gathered with audit objectives and the correlation of evidence gathered with the audit report. Working papers should be able to stand alone and should be understandable, which means they must present the evidence in a logical way. As highly confidential documents, they should be properly protected and should not leave the control of the internal auditor. They will usually be retained for future reference (this may be required by law). A full description of the use and contents of working papers is detailed in Appendix B.

Gathering Computerized Evidence
Computers are essential for the gathering of information, its storage, manipulation and retrieval in virtually every business sector. With the undoubted advantages this brings comes the associated danger of computer abuse, resulting in the need for evidence to be extracted from computer systems in a forensically acceptable manner. Information stored on a computer can normally be viewed or analyzed with permission of the owner but, on occasion, permission of the court may be required. Acquiring evidence from a computer system may not be as simple as requesting a printout. In the event that such information will be required as part of a fraud investigation, care must be taken as covered in Chapter 35 on Forensic Evidence. Even where fraud is not suspected, evidence handling is, nevertheless, critical in the course of any audit involving computer evidence.

Digital evidence may be defined as all evidence in a digital form and can consist of the data contents itself, as well as the metadata (ie data about the data such as file names, date of creation, owner of the document, etc). Digital evidence gathering and analysis is becoming an important source of audit evidence regarding operational issues as well as control implications. In today’s business environment organizations depend to a lesser extent on hard-copy documents, so the traditional audit trail has now become an electronic audit trail in many circumstances. In addition, even where hard copy exists, the information which the auditor can derive may be limited to the contents of the document itself, while digital files may contain information which was not fully produced on the printout. To make best use of the availability of such evidence, the auditor needs the appropriate data interrogation software as well as the appropriate skills and knowledge to implement such software. This is covered more extensively in Chapter 29 dealing with The Use of CAATs in Auditing Computerized Systems.
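As an added example (not from the book), the Python script below shows one way to preserve the metadata and integrity of files collected as digital evidence: it records a content hash together with the file name, size, timestamps and owner at collection time, then re-checks the collected copies later so that any post-collection edit or deletion is detected. The file names, contents and collector name are constructed for the demonstration.

```python
# Added example (not from the book): an evidence manifest for files gathered
# as digital audit evidence. Records a content hash plus file metadata at
# collection time and re-verifies the copies later. Sample files and names
# below are constructed for the demonstration.
import datetime
import hashlib
import os
import tempfile

try:
    import pwd  # POSIX only; used to resolve the owning user name
except ImportError:  # e.g. on Windows
    pwd = None


def sha256_file(path, chunk_size=65536):
    """Hash the file in chunks so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def owner_name(st):
    """Resolve st_uid to a user name where the platform allows it."""
    if pwd is None:
        return str(st.st_uid)
    try:
        return pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        return str(st.st_uid)


def describe_file(path):
    """Collect the metadata the chapter lists (name, size, dates, owner) plus a hash."""
    st = os.stat(path)
    utc = datetime.timezone.utc
    return {
        "name": os.path.basename(path),
        "path": os.path.abspath(path),
        "size": st.st_size,
        # st_mtime is the last content change; on Linux st_ctime is the inode
        # change time rather than creation time, so it is labelled as such.
        "modified": datetime.datetime.fromtimestamp(st.st_mtime, utc).isoformat(),
        "inode_changed": datetime.datetime.fromtimestamp(st.st_ctime, utc).isoformat(),
        "owner": owner_name(st),
        "sha256": sha256_file(path),
    }


def build_manifest(paths, collected_by):
    """Record every evidence item at collection time so later changes are detectable."""
    return {
        "collected_at": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "collected_by": collected_by,
        "items": [describe_file(p) for p in paths],
    }


def verify_manifest(manifest):
    """Re-hash each item; return a mapping of file name -> 'ok', 'modified' or 'missing'."""
    result = {}
    for item in manifest["items"]:
        if not os.path.exists(item["path"]):
            result[item["name"]] = "missing"
        elif sha256_file(item["path"]) != item["sha256"]:
            result[item["name"]] = "modified"
        else:
            result[item["name"]] = "ok"
    return result


def demo():
    """Collect two constructed files, verify them, then show detection after changes."""
    with tempfile.TemporaryDirectory() as d:
        invoice = os.path.join(d, "invoice_0001.txt")
        approvals = os.path.join(d, "approval_log.csv")
        with open(invoice, "w") as f:
            f.write("PO-1001,approved by J. Smith (constructed sample)\n")
        with open(approvals, "w") as f:
            f.write("date,order,approver\n2015-04-16,PO-1001,J. Smith\n")
        manifest = build_manifest([invoice, approvals], collected_by="auditor-example")
        before = verify_manifest(manifest)
        # Simulate changes made after collection: one file edited, one deleted.
        with open(invoice, "a") as f:
            f.write("late edit\n")
        os.remove(approvals)
        after = verify_manifest(manifest)
        return manifest, before, after


if __name__ == "__main__":
    _, before, after = demo()
    print("at collection:", before)
    print("after changes:", after)
```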


Section 2: The Environment of Business

Chapter 9: Communication

Learning objectives
After studying this chapter, you should be able to:
➤ Explain briefly why an internal auditor needs good communication skills
➤ Define the major components of any act of communication
➤ Explain the types and structures of communications at work
➤ Explain the barriers to effective communication and adopt overcoming strategies
➤ Explain the role of the listener and how to overcome bad listening habits
➤ Explain the importance and types of written communication used by an internal auditor
➤ Outline briefly the steps in preparing and presenting an audit presentation

The Elements of Communication
The importance of communication skills for internal auditors, whether employed in an organization or in professional practice providing outsourced internal auditing or management assurance services, cannot be stressed too strongly, as is indicated in the following extract from IIA Practice Advisory 1210-1: Proficiency. ‘Internal auditors should be skilled in dealing with people and in communicating effectively. Internal auditors should understand human relations and maintain satisfactory relationships with engagement clients …. Internal auditors should be skilled in oral and written communications so that they can clearly and effectively convey such matters as engagement objectives, evaluations, conclusions, and recommendations.’

Communication is the process of imparting or exchanging information and consists of several discrete components. These components are discussed below.

Sender
The sender is responsible for the success or failure of an act of communication. He/she chooses the message to be sent and the system and language to be used. The sender’s message often may not be beneficial to the receiver, eg in order to carry out an auditor’s duty, you may have to give bad news to management. In some circumstances, the sender of a message may be the ultimate receiver, eg when an auditor prepares working papers. An important aspect of audit communications is how the receiver perceives the status of the sender, which may affect the acceptability of the message. When dealing with managers who are superior in the chain of command, you may encounter resistance, because the manager perceives the situation as one in which a junior member of staff is issuing instructions to a senior member. In dealing with junior staff, you may find that they simply tell you whatever they think you want to hear.

Message
The message itself may be either a statement or a question. In either case, it must make sense to both parties. Messages may be welcome or unwelcome, expected or unexpected, or interesting or boring. Even silence may give a message (‘I know more than I’m prepared to say’).

Emotions and Messages
Few messages are without an emotional content or effect. In bargaining, giving or receiving of orders, criticizing or praising, human nature can raise emotional blocks to negative communication, resulting in the message being rejected. Misunderstanding of the reasons why the message was delivered often results, or the message may be misheard. Indeed, the receiver may even take an instant dislike to the messenger.

System
A communication system includes the finding, transmitting, storing and retrieving of information. The human communication system includes:
➤ touch – from handshakes to pats on the back;
➤ vision – including gestures, nods, smiles, frowns, body language, pictures and graphics;
➤ sound – including speech, tone, volume and music;
➤ smell – which may be offensive, seductive, etc; and
➤ taste – including sour, sweet, etc.
The technology systems for communicating messages have ranged from papyrus to EDI, and from smoke signals and drums to multimedia and satellites.

Formal and Informal Communications
Formal communications include the use of letters, formal reports and ‘normal channels’. Informal communications include rumor, gossip and hearsay. The office grapevine and a person’s reputation both reflect the power of informal communications.

Language
Language includes the symbols and sounds used to convey a message. Music, sign language and pictograms have been used for centuries to convey messages. Corporate logos may be the modern equivalent of the cavepeople’s pictograms.
It is believed that thought is primarily non-verbal and, as such, messages may be more easily accepted if they are non-verbal. This means that using symbols, pictures, graphs and charts in audit reports may increase their acceptability. Verbal language is still the most important form of communication and its effective use involves knowledge of words, their meaning and spelling, and the ways they combine according to the rules of grammar and syntax. In addition to reading and writing, speaking and listening are key tasks of an auditor. In South Africa, in common with many other countries, the ability to speak several languages is a distinct advantage. Language problems cause a great deal of miscommunication.

Receiver
The receiver is a badly neglected role that involves rebuilding the message, understanding it and accepting it. This requires time, patience and intelligence. Receivers may have their own objectives, which can result in a type of selective hearing. The message may be affected by his/her expectations, resulting in the receiver seeing only items that interest him/her. The interpretations of messages may vary depending on the receiver’s perceptions. A manager telling his/her staff of a decision he/she has arrived at and asking for feedback may be perceived by one listener as making a statement reflecting his/her willingness to listen to advice. Another listener may hear the same statement and understand it as reflecting an unbending manager dictating to his/her staff.

Context
The context of the message includes the physical context, including distractions and interference. The psychological context includes the relationship between receiver and sender, and could include acceptance of a message, aggression aroused by an unacceptable message or simply wariness inspired by an ambiguous message.

Steps in the Process
Steps in the communication process include gaining and holding the receiver’s attention. While the message is being delivered, it is the responsibility of the sender to ensure that the receiver is assimilating, comprehending and accepting it. If you can do this, you will probably get what you want.

Communication at Work
Both formal and informal communications take place at work. People talk to each other informally more or less continuously. An auditor must be aware of this and make it work in his/her favor. Formal business structures normally follow a tree structure. In this structure, a manager may have various spans of control. In a narrow span, there will be many managers and few subordinates, and therefore very formal communications will be required. In a wider span, there are usually few managers, many subordinates and more informal communications. Spans of control vary by industry, company and even department. When communicating formally, you should understand the role of different types of authority.

Formal Authorities
➤ Hierarchical authority is a nominal status that is passed down through the chain of command. It is the authority a manager possesses by right of his/her position and status.


➤ Accepted authority is granted by subordinates based on their perception of the status of the manager. Where superiors have granted a manager hierarchical authority and subordinates are unwilling to accept the authority level, communication problems will exist and can have a very bad effect on unit performance.
➤ The authority of knowledge is granted to someone based on the perception that he/she possesses expert knowledge. In many cases, as an auditor, your authority to make recommendations and have them accepted is based on the perception that you are an expert in your field and are therefore able to give correct advice.
➤ Situational authority is the authority granted to the person who assumes it in a particular situation. So, as an auditor, in a situation where controls are lacking, you must be aware that giving information may be taken as issuing instructions or orders, which may be put into effect without the appropriate managerial authority.
In all cases, effective communication requires the recognition of the respective authorities of the sender and receiver.

Types of Communication at Work
➤ Within a formal authority structure, vertical communication normally involves passing information downward. In this way, management will give instructions, provide information and explain tasks to their subordinates. Such communication may be oral or written and is essentially authoritative. In such a structure, upward communication giving feedback to an auditee about early warnings of potential problems may make a subordinate apprehensive. When this happens, an auditor may be the bridging communicator overcoming the apprehension and bringing the essential information to the attention of the work superior.
➤ It is normally found that horizontal communications, ie communications among people on the same hierarchical level, can encourage good teamwork. Team members and management groups have found that such communications break down rivalries and jealousies, and create unity of purpose. This type of communication may be internal to a department or involve external resources, and is frequently used in problem solving, since it avoids time being wasted by communicating through a third party.
➤ Probably the most common form of communication you will take part in as an auditor is diagonal communications. This involves communication between employees who are not on the same hierarchical level. Here, you must use your authority of knowledge when dealing with hierarchical superiors, while recognizing that superiors may themselves have knowledge. This is a potentially explosive communications structure requiring tact and diplomacy. You may similarly become involved in diagonal communications with employees who are on a hierarchically lower level. Here, you should be aware of the danger that these employees may provide you only with information they think you want to hear.
➤ The most effective form of communication at work is usually networking, ie communicating, generally informally, across all levels in order to gain or distribute knowledge. Unfortunately, this is not commonly encouraged in business, since management often sees it as a threat to its hierarchical authority or its authority of knowledge.
➤ Within a business, external communications include communication with customers, suppliers, competition or external agencies. Here we often find communications aimed at projecting an image or fostering a belief.

Barriers to Communications
Although communication is required at all levels in business and in our personal lives, there are many barriers that stand in the way of effectively getting a message across.
➤ Noise is any interference or disturbance that confuses the message or competes against communication. This could include physical noise distracting either the sender or receiver. Competing demands for attention based on personal or work priorities may also interfere with the reception and acceptance of messages. If an employee has work or personal problems on his/her mind, his/her concentration may slip and the content of a message may be distorted. Feelings of insecurity and unwillingness to accept the message, together with emotion caused by the content of the message, can further disrupt the communication process and distort the meaning of a message. If the sender of a message lacks credibility, the interference this causes can also be classified as noise.
➤ It is understandable that employees coming from different backgrounds, all with different experiences in the workplace, may have differing perceptions of the meaning of messages. A word of encouragement may be interpreted as giving positive feedback to encourage future good behavior, or as fawning and currying favor. Positive criticism given to encourage an employee’s or manager’s performance may be seen simply as criticism, which few people like. An auditor’s opinion may be seen either as pointing out an unacceptable business practice or as a direct criticism of management. Given that this is a factor of individual sensitivities and that circumstances alter cases, there is no invariable rule to help you in this area. You should also be aware that what may be acceptable in a face-to-face meeting may be unacceptable in formal communication. An employee may accept direct criticism if it is given unofficially and informally, but if this criticism is repeated in a formal report, the employee may well strongly resist or repudiate the opinion. Internally this may be a discussion, but externally this may be viewed as criticism.
➤ Language problems are often a barrier to communication. The use of jargon in specialized fields such as computers, financial accountancy, engineering or even auditing can cause complications in that the speaker may be under the impression that he/she has expressed him-/herself clearly. In reality, common English words may be used for subtly different meanings within specialist disciplines. Expressions such as ‘unacceptable’ or ‘system of internal control’ may have different meanings outside of the specialized discipline and may confuse the message. Sometimes, the use of jargon can make a message totally incomprehensible to an uninitiated listener.
➤ Distrust and suspicion can cause major problems for auditor-to-auditee communication. If the audit function has a track record of broken promises or loss of confidentiality leading to a general lack of credibility, co-operation will be limited and communication will inevitably break down.

Internal_Auditing.indb 91

16/04/2015 11:12

INTERNAL AUDITING: AN INTEGRATED APPROACH

➤ As previously stated, differences in status can cause problems. The receiver will inevitably assess the status of the sender, and the importance and credibility of the message may be increased or reduced by the perceived status. Should you, as an auditor, find that it is difficult to communicate a message to a senior auditee, it is probably better to get one of your superiors in the auditing team to pass on the message, so that two equals are talking to each other, not a superior and a subordinate. Where an auditor has a low self-image, resentment may occur and recommendations may be seen as orders from someone with no positional authority. Because of this, communications can break down for a long time.

➤ Many people see change as a threat. Resistance to change and apathy are much easier than confronting the need to change, and negative reactions such as avoiding the issue, rejecting the message or even undermining the credibility of the person recommending change may result. This can become a self-fulfilling prophecy, as the resistance to change is translated into efforts to ensure that the recommendations fail. Where audit can demonstrate a successful track record as a facilitator of change, and where such change can be shown to have been good for all concerned, resistance can disappear. Apathy, or a general lack of enthusiasm, can significantly distort messages, as can overenthusiasm.

➤ One of the most difficult obstacles for communication to overcome is emotion on the part of either the receiver or the sender. Such emotion can be constructive, but is more generally destructive. You can control the emotional content of an act of communication by controlling the setting for the communications and its tone, by making sure everyone is physically comfortable during presentations and generally by avoiding minor irritations. Where the auditee is expecting positive feedback and receives negative feedback, this shock can generate negative emotions. If auditees think that their methods or systems are being attacked, this can trigger a defense mechanism involving a counter-attack on the credibility and veracity of the audit communication and the auditors themselves.

Overcoming the Barriers

Although these barriers may seem daunting, they can be overcome. Generally, as an auditor, you should try to be supportive where possible. In any act of communication, you should use clear, direct and unambiguous language. In all communication, there is a temptation to presume that people understand what you are saying. You should always test communication, and this may involve you in a great deal of face-to-face communication, even when you are going through a written report. You can normally improve communication by repeating and reinforcing your message.

Written Communications

While the end product of internal auditing is to help management improve their business, the major immediate output is normally an audit report. Audit results are usually reported in both interim and final reports. Interim reports may be verbal or written, and draw management’s attention to items requiring urgent action or provide timely feedback during an extended audit. A final written report will normally come at the end of the audit process. Such reports should be objective, clear, concise, complete, constructive and timely. Written reports are covered fully in Chapter 20.

Verbal and Non-verbal Communications

As an auditor, you will be involved in many different types of communications in many different circumstances. Ranging from normal conversations through the conducting of meetings and the presentation of audit findings, you must, in all cases, know your audience. You will often find that in many situations there is too much information at first, and organizing the information will make life a lot easier and facilitate its transfer. Having chosen the communication medium, you may be required to give a presentation. In this case, it is often a good idea to rehearse both the content and the timing of the presentation. You should also remember that perhaps the most difficult part of presenting an audit report is handling the questions afterwards.

Making a presentation involves a preliminary assessment of who the audience will be. The numbers in the audience, their organizational status, their knowledge background, their attitude to audit and their personal agendas will all be factors to consider. Knowing who the key figures are and what their hot topics could be may be crucial for effective communication. Obtaining this information may involve research with other auditors and examining a few previous audit working papers in order to decide on the most effective method of selling your recommendations. Your information must be logically structured to get across the points you are trying to communicate. You should select and reject, revise and restructure for acceptability and clarity, in order to communicate effectively the objectives, scope, findings, evidence and conclusions of your presentation to the audience. Once you have organized and structured the information into an appropriate form, you can then select the communication media. Auditors traditionally use face-to-face speech, telephones and group meetings, but recently Internet communication, videoconferencing or even mass meetings have been required.

Visual aids can be very helpful, since they can attract and hold the attention of an audience and help understanding by presenting the evidence in a visual form. Where the message is well understood, visual aids will reinforce it. Thirty-five millimeter slides can help you deliver a polished performance. However, they are expensive to produce, and if the projector fails, you are left floundering. This is true of many common mechanical aids: if they don’t work, you’re in trouble. For this reason, some auditors prefer simpler devices such as either prepared or blank flipcharts. Even the bulbs of the old standby overhead projector may fail at the wrong time. So, generally, keep aids simple and familiar. If you are planning to use unfamiliar equipment, it would be sensible to get into the presentation venue early and familiarize yourself with its layout and functioning. There are few things more embarrassing when making a presentation to senior management than having to ask where the ‘on’ switch is located. So practice using equipment beforehand until you can do it properly.

If you expect serious resistance to your ideas, a rehearsal with other auditors is a good idea. This helps you to check that your message is getting across, as well as the timing of the presentation and the handling of awkward questions. Although preparation is important, do not over-rehearse. This can lead to your having a fixed idea of how the presentation should progress, and then you may be completely thrown by unexpected questions, etc. When it comes to the presentation itself, it is vital to try to control your nerves. You will feel more relaxed if you are comfortable with your starting phrases, the content of the presentation and the closing phrase. When you are unsure of exactly how you will start, you are more likely to freeze, stammer and lose continuity.

Remember that much of communication is visual rather than simply verbal, and that using body language and eye contact combined with appropriate use of your voice can make the difference between a memorable presentation and an instantly forgettable one.

The handling of questions is partly a matter of technique and partly one of personal preference. When you are faced with an awkward question, one possible solution is to pass it on to another member at the meeting or in the audience: ‘That’s a good question; maybe John can help us answer it’ can work extremely well. It may be possible to get questioners to answer their own questions by asking for further information to clarify the question and leading the questioners to the correct answers. If questions are interrupting the smooth flow of the meeting or presentation, say you will answer them later – but remember to do so. If you don’t know the answer, the safest bet may be to admit you don’t know and promise to find out. An unacceptable technique is to use the old politicians’ trick of answering a different question altogether – one that you do know the answer to – and ignoring the request for information.

Non-verbal communication often involves the deliberate use of kinesics, including the gestures and expressions you use, body posture and eye contact. Proxemics (the study or awareness of socially conditioned spatial factors in ordinary human relations) may help you get the point across effectively in important meetings. It is generally acknowledged that there are three types of space involved in conducting business.

➤ Body space is normally taken to be approximately within arm’s reach of someone. This is their personal space, and you should not enter it unless you have a particular effect in mind, as it will generally cause stress of some kind in someone with whom you are not intimate.

➤ The area from one to two meters away from someone is their home space, and it is at about that distance that personal business normally takes place.

➤ Distances more than two or three meters away are taken to be neutral space, and this is the distance at which business meetings normally take place.

Another aspect of non-verbal communication is the field of paralinguistics. This includes the non-verbal noises we make as we talk. The ‘ums’ and the ‘ers’, the tone of our voice, the groans and laughs are all examples of paralinguistics. In general, communications can be friendly, polite, informative, instructive and persuasive. They can also be aggressive, condescending, dull and boring. Human communication is perhaps your most difficult job as an internal auditor.

CHAPTER 10

Strategic Management

Learning objectives

After studying this chapter, you should be able to:
➤ Outline briefly the steps involved in a comprehensive strategic management model and understand the relevance of such a model to an internal auditor
➤ Explain the impact of organizational culture on strategic management
➤ Explain the impact of the forces acting on an organization in a competitive environment
➤ Define the strategic management phases and relate these to conventional management activity
➤ Structure an audit plan of management’s strategic processes

The Nature of Strategic Management

Internal auditors, whether employed in an organization or in professional practice and providing outsourced internal auditing or management assurance services, need to understand strategic management principles. This is recognized in the guidance contained in IIA Practice Advisory 1210-1: Proficiency as follows: ‘An understanding of management principles is required to recognize and evaluate the materiality and significance of deviations from good business practices. An understanding means the ability to apply broad knowledge to situations likely to be encountered, to recognize significant deviations, and to be able to carry out the research necessary to arrive at reasonable solutions.’

The strategic management process attempts to organize quantitative and qualitative information under conditions of uncertainty. It involves integrating both intuition and analysis. Intuition is based on past experiences, feelings and judgment and is useful for decision making in conditions of great uncertainty or where there is little precedent. Management exercises intuition and judgment daily at all levels of its activities, and this influences its interpretation of analyses and affects the strategic decisions it takes. Thus analytical thinking and intuitive thinking complement each other. A key part of a modern organization’s strategic management process is adaptation to change. Organizations must monitor events continuously in order to adapt to them in time. Over the last 20 years, the magnitude and rate of change in information technology, greater access to the global marketplace, increased regulation in all spheres affecting business nationally and globally, and the move to adopt international standards in accounting and auditing have increased pressures on management exponentially.

Factors such as globalization, e-commerce, Internet technology and the rapid changes in global market demographics make adaptability to change a key factor affecting corporate survival. External opportunities and threats (economic, social and cultural) may significantly benefit or harm organizations in the future. A basic principle when formulating strategic management strategy is to take advantage of external opportunities while avoiding or reducing the impact of external threats. Strategies are the means by which long-term objectives are achieved and may include geographic expansion or diversification, product development, acquisition of other organizations, divestitures, retrenchments or, ultimately, liquidation. Implemented appropriately, strategic management can help an organization identify opportunities to vastly improve its performance. Even at a minimum level, it facilitates an objective view of management problems, which in turn allows improved co-ordination and control. By focusing on the minimization of adverse conditions and concentrating on decisions to better support the organization’s objectives, management can more effectively allocate time and resources. The clear communication of strategic objectives to staff greatly improves internal communications in an organization. This in turn allows staff to work together towards a common goal. It clarifies the responsibilities of individual employees and encourages thinking towards future goals, adaptability and change. In many cases, however, little if any strategic management takes place within an organization. Organizations may have outdated reward structures, which punish innovation and reward stagnation. Too much effort may be expended in fire-fighting just to maintain the status quo, let alone move forward. Where the organization has a track record of conducting planning sessions without actually implementing the plans, planning may eventually be seen as too expensive and a waste of time. 
In extreme cases, planning may not take place simply because of management laziness or because of a feeling of complacency that has developed because a company has been very successful in the past. Fear of failure can be as dangerous as overconfidence, and a bad prior experience of strategic planning can be as detrimental to the process as self-interest.

Strategic management differs from conventional management in that it works according to a longer planning horizon. In the past, this has meant that strategic formulation has been considered a senior management task. Today, however, strategic management is seen as the primary job of all employees and stakeholders. By looking to the future, stakeholders have a better understanding of and commitment to the overall objectives and goals of an organization. Today’s management theorists stress the role of teamwork, participation and joint problem solving as a means of achieving business objectives. Strategic management involves the development of an overall mission for the organization that defines its future position and role. From this, an overall strategy can be formulated as a basis for fulfilling the mission. Strategic planning involves the identification of specific and quantifiable objectives and plans. This involves determining the strength of each business unit with respect to its own market, the positioning of businesses within their markets, and the creation of a unique strategy for each business. Businesses need to be segmented in the markets they address. In real terms, this means businesses must be very clear about who their actual and potential customers are. While a strategy may be defined in broad terms such as ‘overall transportation’, in marketing terminology a target market could be passenger transportation.

Most large firms operate in multiple environments. As such, they may not be able to address their strategic directions as single entities. This has led to the concept of the SBU (strategic business unit). By seeing the organization as a collection of independent SBUs, organizations can plan separately for each SBU up to strategic level. An SBU may then be defined as a part of a business for which separate strategic planning is possible. Strategic management is an attempt to forecast the outcomes of events, and the degree to which they can be influenced by current management actions. Each action takes effort, and managers usually seek synergy. Synergy occurs when the impact of interventions has a greater effect than the sum of their individual effects.

Business Ethics and Strategic Management

Business ethics may be defined as the principles of conduct within organizations that guide decision making and behavior. They provide a basis for policies and should guide daily behavior and decisions in the workplace. As was discussed in Chapter 4, there are many classes of ethics. It is generally accepted, however, that certain actions by business can be classified as unethical. Unethical behavior is normally taken to be behavior that harms a business’s customers or staff. Misleading advertising, guarantees that are not honored, misleading labeling or poor product or safety standards would all be classified as unethical behavior. Corporate behavior with a negative impact on the environment or the selling of defective products or services would also be seen as unacceptable corporate behavior. Poor personal ethics within business could include such negative behavior as falsification of expense claims, individual cheating of customers or even simply taking sick leave for no reason.

Implementing Strategic Management

In today’s global market, strategic management is no longer optional and has now become an imperative for survival. Integrating the various aspects of the management of an organization can help it succeed by optimizing the co-ordination of the efforts of everyone in the organization. An effective strategic management process involves:
➤ strategy formulation;
➤ strategy implementation; and
➤ strategy evaluation.

Strategy Formulation

The strategy formulation phase involves clarifying the overall vision and mission of the company. The mission is a statement of the ultimate purpose and direction of the firm. It helps in the identification of its SBUs, and forms a basis for the allocation of resources.

A mission statement should express the objectives of the firm based on its underlying values. These values should underpin an organization’s mission statement and quantify the system of beliefs and ethics on which the business is based. The mission statement should also state the primary markets within which the organization will transact business. Although it would appear obvious, this can be one of the most difficult phases to accomplish and communicate effectively to all staff. A common approach in this area is to conduct a SWOT analysis. This normally involves staff at all levels coming together in a brainstorming session to identify the strengths and weaknesses of the organization, together with the opportunities and threats it faces. Strengths and weaknesses are usually identified by evaluating the firm's capabilities and resources. Once these are agreed upon, various strategies can be designed that capitalize on the strengths, strengthen the weaknesses, take advantage of the opportunities and defend against the threats in order to achieve the long-term objectives of the organization. What the organization needs to do well or to have in great abundance is known as core competencies. Core competencies build on the organization’s strengths and are its primary source of competitive advantage. Opportunities and threats can be identified by assessing the competitive factors in the industry within which the organization operates. The factors that can be controlled by the company, such as suppliers, competitors and customers, are known collectively as micro-environment factors, while purely external factors such as social, cultural, demographic, political, legal and economic factors are known as macro-environment factors. Once the various strategies have been designed, those that seem most likely to achieve the organization’s objectives need to be selected and then translated into tactics, working objectives and action plans. 
At the corporate level, this could involve decisions regarding the expansion of goods and services, the elimination of non-performing parts of the business and the allocation of resources to achieve optimum performance. Choices regarding diversification of the business and entering local markets would be aggressive moves, while putting measures in place to protect the business against global competition would be defensive strategies.

Strategy Implementation

One of the most difficult parts of strategic management is to move from planning to implementation of the strategic decisions. The formulation of annual objectives, amendments to corporate policies and procedures, and transformation of existing control structures are all complex processes that have to be correctly and effectively carried out. It is in this stage that management’s interpersonal skills are vital in motivating employees to carry out change. Many people see change as a threat to their comfort zone and the status quo. Change involves the unknown, and people fear the unknown. It is at this stage that internal audit can delay or even prevent the implementation of corporate strategy by insisting on maintaining the status quo and previous internal control structures, and by fighting innovation. Strategic plans must filter down through the organizational structure. This process is more likely to be successful if the organizational structure encourages good communications and if personnel have the necessary skills and abilities.

Implementation of strategic plans will be effective only if the right measurement criteria have been established and measurement is taking place. At each level of the organization, control measures must be implemented to continuously determine how far the strategic plans have been implemented. The usual measurement criterion for strategic planning is operational effectiveness. At the SBU level, measurement criteria are usually concerned with competitive performance in the marketplace. Measurement of market share and customer satisfaction is also often used. A common failing in identifying these criteria is confusion of effectiveness measures with efficiency measures. In many cases, management measures efficiency and assumes that it has therefore achieved effectiveness:
➤ effectiveness is concerned with achieving desired objectives; while
➤ efficiency measures the consumption of resources in achieving those objectives.

Strategy Evaluation

The final stage of strategic management is strategy evaluation. Strategic management is a highly dynamic function in which today’s success creates new problems for tomorrow, and success today is no guarantee of survival tomorrow. As such, all strategies developed today will almost certainly have to be modified some time in the future, since stagnation leads inevitably to failure.

The Strategic Analysis of Industries

Michael E. Porter[29] has developed one of the most widely recognized methods for analyzing the competitive structure of industries. Porter’s five forces model attempts to determine long-term profitability by measuring long-term return on investment and thus the attractiveness of an industry. The five forces are:
➤ rivalry among existing firms;
➤ threats of and barriers to entry;
➤ the threat of substitutes;
➤ buyers’ (customers’) bargaining power; and
➤ suppliers’ bargaining power.

Rivalry among Existing Firms

When an industry has many strong competitors, rivalry will usually be intense. This will commonly spark responses such as competitive price-cutting, frequent introduction of ‘new’ products and intense marketing efforts. During the early stages in the industrial lifecycle, growth may come from product or service innovation and the creation of new business opportunities. In stable, dominated or declining industries, an organization’s growth can only come from taking business away from its competition. Where an organization can offer a product or service that people want and cannot obtain elsewhere, it dominates the market. Where this is not possible, price may be the only factor that determines whether customers buy a particular product. In these circumstances, price-cutting is rife and an overall decline in profitability will probably occur. One defense against the substitution of a competitor’s product or service is to raise the cost of switching suppliers. Customer loyalty programs reward customers who do not switch to a competitor’s products and services. By the same token, a competitor’s customers may be lured away by reducing the cost of transferring. In an industry where there is no dominant market leader, competition is normally aggressive, as each firm tries to outdo its rivals.

Costs, too, can affect the rivalry among firms. Where participation in a market sector requires a large fixed investment, a firm is pressured to operate as close to full capacity as possible. In these circumstances, variable costs will normally be squeezed down to permit aggressive competition in order to achieve volumes of business. This applies also to industries where increased volumes of business come at the cost of large increases in fixed investments. With all the players in the industry trying to gain a price differential based on the economies of scale, overcapacity in the market will result and the number of competitors will ultimately fall as unsuccessful competitors either fail or merge with more successful rivals. In highly competitive industries, rivals must constantly consider whether it is still desirable to remain in the industry. As profitability in the sector declines, competitors are less willing to accept the risks inherent in such rivalry. Under these circumstances, an organization may decide to exit a market sector. It will do this if the cost of leaving the sector is low. A high exit cost may result in organizations remaining as active players in a market sector long after it is desirable. Conversely, if exit costs are known to be low, the market may be more desirable for new rivals to enter, since failure in the sector will not lead to major losses. As such, many organizations try to defend their markets against new entrants by making the price of market exit as expensive as possible.

Threats of and Barriers to Entry

The most attractive market sector to operate in is one in which entry barriers are high (new competitor entry is difficult) and exit barriers are low (the cost of withdrawing in the event of poor performance is minimal). Entry barriers to new competition are high where the capital needed to enter is high. This reduces the number of competitors who have the financial strength to enter. Barriers are low where there is little capital required and many competitors can enter with little investment. This reduces sector profitability, since many firms can enter the sector and reduce the market share of existing participants. Combined with the requirement for initial investment is the impact of economies of scale. Entry may be possible at a low cost, but if a current participant has a significant price advantage because of the size of its current investment, a competitor may have to match the investment in order to compete successfully. Companies try to deter new rivals by differentiating their products, creating a strong brand identity and making the costs of switching suppliers high. New competitors may try to prove that there is no difference between products, that the ‘old’ brand is inferior and that consumers may switch to a new loyalty at no cost or risk.

29. Porter, M.E. 1985. Competitive Strategy. New York: Free Press.

Rivals may be fought by using an organization’s existing market muscle in pressuring suppliers or distribution channels to isolate a new competitor by denying it access to markets or materials. In some countries, government policy may be to defend local industry by discouraging international entrants. Conversely, governments may seek to increase fixed investment by international companies by reducing the barriers to entry by providing start-up grants and tax incentives. Occasionally, a firm may remain in an industry in the face of poor (or even negative) results. Where the cost of entry has been high and little residual value remains in the capital asset, a firm may choose to squeeze the last bit of value out of the asset before withdrawing. Government regulations may make pulling out an expensive option. With a range of legislation covering obligations to employees, customers and creditors, governments can discourage organizations that skim fast, short-term profits from a sector. Common reasons for organizations to remain in a sector when logic dictates they should have exited are their traditions and history. A firm may retain an unprofitable product because it is heavily branded and identified with the firm, while not being a significant loss maker. Alternatively, the product may be retained for purely sentimental reasons.

The Threat of Substitutes

Substitutes are goods and services that serve the same purposes. These are not simply alternative brands, but products that deliver the same customer satisfaction in different ways. An alternative to long-distance business travel, for example, may be teleconferencing. An alternative to postal services may be electronic communication. Price increases in one type of product or other factors reducing its desirability may prompt a search for a substitute. Increases in the costs of fossil fuel, for example, have prompted large-scale investment in the search for alternative energy sources. Price increases and profit margins may therefore be limited by the threat of substitutes. This may be gauged by measuring the ratio of the percentage change in the quantity of a product or service demanded to the percentage change in the price causing the change. This is known as the price elasticity of demand.
➤ Demand is considered elastic when the ratio exceeds 1.0. For example, an increase in price may result in lowering volumes of sales to the extent that the organization’s total revenues will actually decrease.
➤ Demand is considered inelastic when the price impact on total revenue is greater than the quantity impact. Thus, a firm could increase total revenue by raising its prices, even though the volume of business decreases.

In the case of substitutes for a product or service, the more readily available an acceptable substitute is, the more likely that demand will be elastic. An organization concerned for the demand elasticity of its products and services will seriously consider:
➤ its relative prices;
➤ the costs of switching to a substitute; and
➤ customers’ inclination or willingness to substitute.
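A short derivation, added here and not part of the original text, of why the elastic/inelastic distinction above decides whether a price rise increases or reduces total revenue. The symbols $P$ (price), $Q$ (quantity), $R$ (revenue) and $E$ (elasticity) are assumed; the text quotes the ratio as a positive number, so $|E|$ below corresponds to the text’s ratio.

$$
R = PQ, \qquad E = \frac{\Delta Q / Q}{\Delta P / P}
$$

For small proportional changes,

$$
\frac{\Delta R}{R} \approx \frac{\Delta P}{P} + \frac{\Delta Q}{Q} = \frac{\Delta P}{P}\,(1 + E).
$$

Since $E < 0$ for a normal good, a price rise ($\Delta P / P > 0$) reduces revenue when $|E| > 1$ (elastic demand) and increases it when $|E| < 1$ (inelastic demand). With constructed figures: a 10% price rise that cuts quantity by 15% gives $E = -1.5$ and $R' = 1.10 \times 0.85\,R = 0.935\,R$, a 6.5% fall in revenue; the same rise cutting quantity by only 5% gives $E = -0.5$ and $R' = 1.10 \times 0.95\,R = 1.045\,R$, a 4.5% rise.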

101

Internal_Auditing.indb 101

16/04/2015 11:12

INTERNAL AUDITING: AN INTEGRATED APPROACH

Customers’ (Buyers’) Bargaining Power

Where buyers use their buying power to obtain better terms, the appeal of an industry to potential entrants decreases. Buyers generally look for lower prices, better quality and improved services. In markets where purchasing power is concentrated in the hands of a few buyers, their bargaining power is greater. This effect is increased when sellers have high capital costs, with corresponding pressures to achieve full production. Buyers may increase their power by threatening to acquire their own supply capacity; this is an example of upstream or backward vertical integration. Buyers’ bargaining power may be reduced in a monopolistic supply situation, where the cost of a buyer switching supplier is exorbitant, or where a product or service is vital to the buyer’s welfare. If the supplier’s product or service can easily be substituted or cannot be differentiated from its rivals’, buyers’ bargaining power is increased. Where profit margins are low and a supplier’s product or service accounts for a large proportion of the buyer’s costs, the buyer will have little option but to bargain aggressively.

Many suppliers recognize buyers’ bargaining power and respond to it by making offers that are difficult to reject. Alternatively, a supplier may actively target buyers with the least ability to bargain or to switch to other suppliers.

Suppliers’ Bargaining Power

Suppliers affect competition through their pricing and their control over the quantity supplied. Where suppliers provide something that is a significant input to the value added by your company, their bargaining power is correspondingly greater. It is also greater when the prices of substitutes are high and the cost of switching suppliers is high. If suppliers can organize for themselves virtual monopolistic control over a marketplace, they are in a position to dictate terms to the rest of the industry, eg the major parastatals in South Africa.

A common response to a high degree of suppliers’ bargaining power is to establish mutually beneficial (win/win) relationships with suppliers or to look for alternative sources of supply. As can be seen from Figure 10.1, the vertical axis measures the attractiveness of a market. High barriers that keep new competition out, combined with difficulty in finding a substitute product, indicate a desirable market to participate in. The horizontal axis indicates market profitability, ie in an attractive market, who makes the most profit – the supplier, the customer or your organization?

Competitive Strategies

Although profitability is normally a characteristic of the industry in which an organization participates, a critical factor is also its competitive position within that industry. As noted above, organizations seek to differentiate themselves within an industry by either product differentiation or price differentiation. In other words, ‘buy from us because our product is the best/our product is the cheapest’. Porter has also categorized the competitive scope within which strategies are formulated:
➤ A narrow scope will focus on a market segment or even a single product.
➤ A broad scope, on the other hand, can extend to attempts to influence an entire industry.

STRATEGIC MANAGEMENT

[Figure 10.1 (diagram not reproduced). Vertical axis: Market Attractiveness. Horizontal axis: Market Profitability. Elements shown: Competitor Rivalry, New Entrants, Suppliers, Your Company, Customers, Substitute Products.]

Figure 10.1: The relationship between market attractiveness and market profitability

Some organizations try to gain competitive advantage through their own lower costs. Such firms can decide to charge a lower price to increase their market share or, by retaining the industry average price, they may earn higher profits than their competitors. This strategy is known as cost leadership. Cost advantages may be gained by domination of a raw material supply or through economies of scale. Vertical integration (taking over key suppliers or customers) may also lead to a cost advantage. In a cost leadership strategy, a company usually operates on high-volume turnover and low profit margins. Here, control over operational efficiencies is paramount, and reducing or eliminating waste becomes a major management objective. Management control usually involves monitoring costs in detail, and reports are provided regularly. Reward structures usually involve the achievement of numerical performance goals.

Such strategies expose organizations to the potential risk that a competitor may use superior methods, technology or even cloning of products to wipe out the price differential. A competitor that simply manages its costs better can also gain additional advantages. A cost leadership strategy may also be vulnerable should a competitor try to compete on a product differentiation basis.

Product differentiation is a strategy frequently favored by organizations that try to achieve competitive advantage by providing a product or service that is obviously different from those of their competitors. If the product or service is unique or close to unique, or consumers think that few, if any, substitutes are available, the organization may earn higher profits because consumers are willing to pay a price premium for that uniqueness. The perception of uniqueness may be real and based on design excellence or technical superiority. Alternatively, it may exist only in the mind of the consumer as a result of aggressive marketing or strong brand identification. Care must, however, be taken to ensure that the additional cost of differentiation does not price the product or service out of the market altogether, and using a product differentiation strategy does not mean that cost controls are ignored.

To achieve effective product differentiation, an organization must have a strong marketing function, which creates awareness in the minds of the mass market of the uniqueness of the product or service. This is frequently based on the organization’s or brand’s reputation for quality or technical leadership. An effective research function combined with creative product development can ensure that reality matches the perception.

Where an organization has chosen product differentiation as its competitive strategy, a new range of threats will appear. Successful differentiation breeds imitation by competitors who want to succeed by using the same method. At the same time, over-specialized products and services suffer from rapid obsolescence as consumer tastes change. Even without complete obsolescence, enough may have changed in the marketplace for the differentiation to be insufficient to justify the higher price, and this can, over a period of time, erode consumer brand loyalty.

Organizations that try to achieve competitive advantage through lower costs while simultaneously having a narrow competitive scope justify this approach on the grounds that such focus improves their ability to serve the narrower market. They can frequently achieve very strong customer loyalty, which may prove a disincentive to potential competitors. The downside of this approach is the loss of purchasing volume and therefore a weaker position relative to suppliers. Also, servicing a narrow target can put the organization at a cost disadvantage compared with broader-target competitors. Once again, only a slight change in a more specialized market can make the product obsolete.
One variation on this theme is focused differentiation, whereby organizations may try to gain or retain competitive advantage by providing a unique product within a narrow competitive scope. Microbreweries, catering for specific local tastes, are a typical example of focused differentiation. There may be a temptation to mix strategies in an attempt to be ‘all things to all men’. This can result in appealing to nobody at all, since the adoption of mixed strategies may result in conflicting and self-canceling activities. One way of resolving such conflicts is the creation of multiple self-empowered strategic business units (SBUs), which can then adopt a variety of strategies to meet the needs of a variety of markets.

Market Positioning – Leaders

Competitive strategies may also have to vary according to an organization’s relative dominance in a marketplace. The market leader may find it difficult to improve significantly on its already dominant market share and should instead try to increase total demand in the market. This will involve a number of strategies designed to attract new users by focusing on customers who have never used the product or service (market penetration) or who might use it (new market segment). In addition, a geographical expansion strategy may be used to target users in previously unserviced areas. At the same time, a market leader has to defend its current market share. This may be done offensively, by constant innovation designed to improve products and services, increase distribution effectiveness or control costs. A more negative aspect of this is the use of planned obsolescence, resulting in new varieties of products being constantly demanded by consumers. Alternatively, a company may seek new uses for an existing product or service to attract consumers with no desire for the current use. Kotler and Singh [30] have defined the following defensive strategies:
➤ A position defense is designed to defend a position by strengthening the firm’s brand power.
➤ A pre-emptive defense is an attempt to anticipate a competitive attack. This may involve covering every segment and niche within a market and flooding the market with products, targeting specific competitors before they can attack, or indicating to the market the ways in which the leader intends to defend itself.
➤ A flank defense creates interventions in order to protect the leader’s position. For example, a competitor’s price attack on a firm’s brand may be answered by introducing two new brands, one designed to be sold at the same price as the competitor’s brand and the second at a lower price, in order to outflank the competitor.
➤ A mobile defense involves market broadening. This usually involves an attempt to shift the emphasis from a specific product to the underlying need. An example is the repositioning of television companies as multimedia companies. An alternative to market broadening is market diversification, which involves the merger of firms in wholly different industries into conglomerates.
➤ An alternative defense involves concentrating corporate resources in the areas of the firm’s greatest strength rather than defending all of its positions.
➤ A contraction defense involves a strategic withdrawal from specific areas of lesser strength.
➤ A counteroffensive defense may lead the organization to respond to a competitor’s price cuts in one market sector by slashing prices in another market sector considered to be more important to the competitor.
Market Positioning – Trailers

Where a competitor already dominates a market, a market challenger strategy may be the right one for a firm trying to enter the market. For this to be successful, the trailing firm must be absolutely clear about its own strategic intention, whether this is to develop an increased market share or even to challenge the market leader’s dominant position. Attacking a leader may take several forms. A challenger may try to grow by absorbing other small firms to achieve a competitive size rapidly. Alternatively, a challenger may try to serve the market in a superior manner or with superior products. Kotler [31] has defined five general attack strategies for a challenger:
➤ A frontal attack involves a head-to-head challenge to the leading firm’s products, methods of distribution and marketing.
➤ An encirclement attack is used to attack on multiple marketing fronts but, to be effective, the challenger requires an overall advantage in resources.
➤ A flank attack may be directed at a perceived weakness of the target, in either geographic or segmental terms, or at an unmet need. This is most commonly successful when market segments shift, leading to the creation of a gap in customer satisfaction that the challenger can attack.
➤ Guerrilla warfare involves several small attacks designed to sap the strength of the target, followed up by a stronger type of attack.
➤ A bypass attack avoids confrontation in markets where the competitive target is strong. It may involve moving the competition to an environment where the challenger is in a stronger position because of product innovation or technical development.
More specific strategies for the market challenger could include the following:
➤ Price discounting tends to succeed if buyers are price-sensitive, the product and service are similar to the market leader’s, and the discounts are not matched.
➤ Lower-priced goods of average quality may substantially outsell higher-quality goods if the price is much lower.
➤ Prestige goods are high-quality items sold at a high price.
➤ Product proliferation is a strategy based on greater product variety.
➤ Other specific strategies emphasize improving service, developing a new distribution channel, increasing the marketing budget, or improving manufacturing efficiencies.

Market Positioning – Followers

Many firms participate in markets where they have no wish to challenge the leader. They may become a follower in order to avoid the retaliation of a dominant leader that feels challenged. Alternatively, they may simply try to avoid the expense of innovation in favor of imitation. Imitation may take several forms, not all of which are legal.
➤ A counterfeiter operates illegally by selling virtually identical copies of a product.
➤ A cloner sells cheap variations of a product with just enough differentiation to avoid the illegality of counterfeiting.
➤ An adapter operates by improving on the products and services of the leader and may choose to operate in different markets. Adapters frequently develop into market challengers.
➤ An imitator markets a product or service that differs insignificantly from existing products and services.
Even a market follower will face competition from other followers and will need strategies to maintain its current customers, attract new ones, fend off challengers, protect its advantages, lower its costs, and improve the quality of its products and services.
➤ Market niche strategies are adopted by small or medium-sized firms that choose to compete in small markets. These markets are often ignored by larger firms because they are not cost-effective to enter. Niche firms frequently specialize, offer high-quality products and services at premium prices, and have low overall costs. They substitute high profit margins for the high volumes of mass marketers. One of the dangers of success in a niche market is the growth of the market itself until it is no longer a niche and attracts larger competitors with better economies of scale.

30. Kotler, P. & Singh, R. 1981. ‘Marketing warfare in the 1980s’. Journal of Business Strategy, Winter, 30–40.
31. Kotler, P. 1994. Marketing Management: Analysis, Planning, Implementation and Control. 8th ed. New York: Prentice Hall. pp. 382–405.


Chapter 11: Global Business Environments

Learning objectives

After studying this chapter, you should be able to:
➤ Outline briefly what we mean by the term ‘globalization’
➤ Explain the effect of cultural issues in international business
➤ Explain the primary drivers of global expansion
➤ Recognize and explain how supply and demand conditions influence the global business environment
➤ Describe how a firm’s global organization affects its organizational and control structures
➤ Evaluate whether there are performance-compromising influences in an organization’s structures
➤ Explain the impact of corruption and political instability on control concepts in international trading

Business Globalization

In recent years, companies have increasingly competed in a global environment. This has brought undeniable opportunities, with the potential to expand on a massive scale. At the same time, the domestic market becomes less important to the firms involved as the percentage of business done overseas increases. Of course, the reverse is also true, in that overseas competition may now attack the domestic market. Competing in larger markets gives organizations greater access to all the resources needed to do so successfully; however, the larger market also means that organizations face competition from the best of the best. International competition normally means attacking an already established market, where the home-team advantage lies with organizations that are already competitive in both technology and management structures.

Companies face a variety of pressures to go global. A recessionary economy in their own domestic market can force them to expand into international markets. Many Western countries are experiencing demographic changes such as ageing populations and declining birthrates, which can force companies to go abroad to find fresh markets. Some organizations use international trade to extend a product’s lifecycle and dispose of inventory by exporting technology to underdeveloped or less-developed nations. Many countries offer tax incentives to incoming investors, which makes the overseas market more attractive economically.

At the national level of globalization, governments must now try to create a business environment that can attract fixed investment from overseas firms while simultaneously facilitating the opportunities for domestic firms to compete in overseas markets. In order to achieve this, governments must come to grips with the underlying fundamentals of market economies. They may face significant resistance from internal pressure groups concerned with defending their local market share in the face of increasing foreign competition. In order to avoid an international economic trade war, unprecedented levels of international co-operation are required.

The History of Globalization

At the start of the sixteenth century, nationalism and expansionism became consuming interests of several European powers. Spain, Portugal, the Netherlands and the United Kingdom all sought to increase their dominance through trade. Initially, this took the form of imperialism and the plundering of the natural resources of overseas acquisitions. These activities were extremely costly and were normally affordable only by the crown. For this to become sustainable, however, individual investors came together as companies to fund and finance the highly profitable international trade in rare commodities and expensive spices.

By the eighteenth century, economists were investigating the effects of global trade on national economies. The Scottish economist Adam Smith proposed a theory of absolute advantage. This theory argued that certain countries have a natural advantage in the production of certain goods, because they possess natural resources or climatic advantages that their competitors do not have. It indicated that both trading partners could gain by exchanging goods and services that were more efficiently produced by one or other of the partners. Problems arose when one of the trading partners could produce the goods and services on both sides of the trade more efficiently. This led to Ricardo’s theory of comparative advantage, which states that, even when one country can produce both goods more efficiently than its trading partner, it still makes better economic sense for it to focus on the areas in which it has a comparative advantage over its trading partner. If the country produces and exports both goods without importing in return, it will ultimately run out of partners to trade with, since no partner will be left with enough money to pay for its exports. Using comparative advantage for marketing leverage permits both parties to maintain a balance of trade for the sustainable benefit of both.

Complications arise in the implementation of this theory, since in reality we are dealing with multiple countries exchanging multiple goods and services. Where one side of the trade has a cost advantage in the transportation of the goods, imbalances will occur. In addition, there is no recognition of fluctuations in the efficiency of production: economies of scale on one side and diminishing returns on the other can distort the balance. The theory also assumes a static global economy. Economies are, in reality, dynamic in nature. At a particular time, the Western economies may be expanding while the Far East economies are contracting and the Middle East economies are stagnant. Twenty years later, this position could be totally transformed. As well as trading in finished goods, a country may be importing technical capability and may transform its economy into the self-production and export of those same goods. Local competition from international companies may prompt a reaction by local firms, leading to increased efficiencies and cost competitiveness.

By the late twentieth century, economic theory suggested that the product lifecycle approach might be more realistic. Under this theory, a product may be developed initially within the UK, manufactured in the USA, spread to other developed nations, and finally produced in developing nations with much lower labor costs and re-exported back to the developed nations. Once again, a theory may have been true and valid at the time, but the world moves on. For the past 30 years, the increasing spread of internationalism in business has meant that many products are now introduced at the same time in all world markets.

Porter [32] has theorized that a nation’s international success is affected by four specific factors:
➤ Factor endowments include, at a basic level, the fundamental wherewithal to compete. This would include such elements as the country’s climate and location, as well as its access to specific natural resources. Competitive advantage can be gained using advanced elements, which would include the technological level of the country, its communications structures, economic infrastructure and the availability of skilled labor.
➤ Demand conditions quantify the degree of pressure placed on firms by their local customers to be competitive within their home economy.
➤ Related and supporting industries that are internationally competitive can cause a knock-on effect, boosting the international competitiveness of other firms within their market sector.
➤ Firm strategy, structure and the degree of domestic rivalry experienced within the local economy can also have an effect. Strong local competition can drive individual companies to be more fiercely competitive, with better structures and management techniques, and this prepares them to compete in the global economy.
Porter also acknowledges the roles played by both government and chance. Labor laws, monopoly legislation and the implementation of internationally recognized standards legislation can have a positive or negative impact on national competitiveness. Chance, in the form of natural disasters or unexpected windfalls, can also play a role.

Problems of Globalization

When an organization embarks on a policy of globalization, the complexity of its management processes takes a quantum leap. Globalization involves competing in a variety of political, economic, legal and cultural systems. Political structures internationally are resolving into two main philosophies:
➤ Individualism seeks to facilitate the individual’s freedom to act in his/her own self-interest.
➤ Collectivism seeks to achieve the greatest benefit for the greatest number of individuals, and subordinates self-interest to group benefit.
Within these overall structures, differing political systems also add complexity. Totalitarianism, whether left- or right-wing, can be contrasted with the democratic process, also potentially left- or right-wing.

32. Porter, M.E. 1990. ‘The Competitiveness of Nations’. Harvard Business Review, April/May.


Legal environments create their own complexities, even within similar political structures. Activities that are acceptable – even the norm – in one country may be socially unacceptable or even illegal in another country. Laws differ immensely from country to country, even where there are generally accepted views on ethical and moral principles. A country’s copyright law may attempt to comply with international standards and agreements and nevertheless have local variations. Definitions of fraud and theft, while generally agreed, differ in law from country to country and must be complied with in international trading. Electronic trading complicates the issues further, with some countries having clear and strict electronic trading laws, while others have none or, at best, vague and confusing legislation. Laws over physical and intellectual property rights are similarly unique. In some countries, bribery of public officials is seen as a minor offense, while others would view it as totally unacceptable. Individual countries also differ in their views on ownership, with some believing strongly in state ownership and nationalization, while others advocate private ownership and deregulation.

Cultural Issues in Globalization

One aspect of globalization that a firm ignores at its peril is the diversity of cultures within international businesses. Culture has been defined as a system of values particular to one group and not to others. It is passed down from one generation to the next and influences the behavior of group members in predictable ways. Local cultures are based on values, which are the societal norms and assumptions regarding how things ought to be. Values are normally recognized as operating at the subconscious level, as opposed to beliefs, which are the conscious certainties about attributes of society, such as the belief in some cultures that age equals wisdom. Values and beliefs may sometimes clash and cause cognitive dissonance in an individual where a conscious belief is at odds with a subconscious value acquired as an infant.

Culture is learned most intensively during the early years of life. By about the age of five, an individual has already developed values associated with gaining rewards and avoiding punishments, avoiding conflict or causing it, and the role models within the family. By the same age, a child may also have become a sophisticated negotiator for what he/she wants. Other members of the family and culture group inculcate these values. Parents, teachers, the extended family and peer pressure all combine to influence behavior.

One advantage of the influence of culture is the way in which it makes members of a specific group behave in uniform, predictable ways. Such uniformity can help the manager predict the behavior of typical individuals under normal circumstances. Because culture is specific to one group and not to others, different groups may respond to the same stimulus in different ways and react differently in similar situations. This makes the management of multicultural groups more difficult, since the stimulus needed to achieve management’s objectives may differ from group to group.

It is further complicated by the fact that individuals may be members of several unofficial groups. An employee may be a financial manager and a member of that group while simultaneously coming from a non-European ethnic group and being a member of the middle-class social and economic group. In Britain, working hours are conventionally nine to five, while in South Africa many companies operate on an 8.00 a.m. to 4.30 p.m. working day. Holidays in South Africa range from four to seven weeks a year, while in America three weeks is the norm. Similarly, Europeans and Americans would see drinking alcohol as normal, while strict Muslims would find it totally unacceptable.

It should not be assumed that culture is the only factor causing members of groups to act in uniform, predictable ways. Each individual is also influenced by other factors, such as social class, age and gender stereotypes.

The management of cultural diversity creates opportunities within organizations to create synergy, because of the wider range of cultural experiences and educational and professional backgrounds than is found in a single culture group. If properly managed, long-term goodwill can be generated; if badly managed, negative stereotypes will be reinforced. Generally, people tend to handle new situations by making generalized assumptions based on past experiences. Thus, a manager handling an unknown group will automatically make assumptions about the capacities of its members based on his/her experience with similar groups. One way of generalizing about other people is to stereotype them on the basis of their sex, age and racial background or culture. This can lead to rigidity in dealing with people, since inflexible stereotyping does not allow for exceptions to the norm. Similarly, change as a result of transformation may not be recognized, as old stereotypes tend to resist change for considerable periods of time.

For generalizations to be effective within management, a process of cultural analysis will be required. This involves identifying behavior that seems unusual or unexpected in terms of the local culture. The manager must then collect data regarding the unusual behavior and try to develop hypotheses (a set of alternative explanations) to explain it. These hypotheses must then be tested by evaluating each alternative against what is already known about the other culture.
Those alternatives that cannot be substantiated should be discarded. The most likely hypothesis would then be selected to give a working generalization. As and when new data and examples of behavior are recorded, the hypothesis would then be modified. Many managers try to ignore cultural diversity or downplay the significance of cultural differences within the workforce. This may be because they lack the skills and resources to handle diversity appropriately or because they believe that the negative effects of multiculture outweigh the positive ones.

Organizational Culture

Many definitions of the term organizational culture may be found in current management literature. For our purposes, the term is taken to refer to the sum of the perceptions that develop within an organization. This includes both perceptions developed deliberately by top management and those based on the employees’ own experiences. Organizational cultures benefit the individual member by providing a sense of identity and acting as a framework for interpreting reality. Each organization has its own culture, and members of the organization have to learn that culture. For those employees whose needs are met by such a culture, long careers of service will normally be the result. Where new recruits discover that the culture does not suit their tastes, a high dropout rate will occur. Periodically, management may wish to change the organizational culture, and such change is often painful, particularly where the culture has been well established. Cultures can be made stronger by creating more efficient communication among members, which creates the conditions for greater cohesion. Cultures can be made more positive by improving systems so that members see gains and losses as being shared favorably, thus increasing their stake in official outcomes.

Cross-cultural managers whose interaction with members of the other culture is limited to the workplace will experience the values of the other culture only as they appear in the workplace. This can cause problems for any attempt to implement appropriate incentives to motivate workers. There can be major dangers in assuming that what works as a motivator in one culture will have the same effect in a different culture. Motivators must reflect the values held within a particular culture. Incentives are more likely to succeed where they both reflect real needs and take practicalities into account. Further details on motivational techniques can be found in the next chapter.

Culture and Ethics
Broad ethical values are shared around the world, but the practical implementation of ethical norms is far more problematic. Decisions regarding what is or is not ethical can also vary over time as people’s values change. Because of the extensive list of scandals in business since the mid-1980s, interest in business ethics has grown enormously. Ethics have already been discussed in Chapter 4, but in a multicultural environment, behavior that one culture considers virtuous may be interpreted differently in another. For example, members of totalitarian or highly authoritarian cultures may find the jury system confusing, since it seems to challenge the authority of the judge. When creating value statements in a global business environment, organizations must appreciate the difference between cultural relativism and cultural sensitivity.
➤ Cultural relativism holds that if a different culture does not accept a particular ethical standard, then that standard should not be applied in that culture.
➤ Cultural sensitivity involves understanding that different cultures have different perspectives on what is proper and respected.

In a cross-cultural environment, corruption may, like beauty, lie in the eye of the beholder. Dictionary definitions describe corruption as the ‘impairment of integrity, virtue or moral principles’, ‘the perversion or destruction of integrity in the discharge of public duties by bribery or favour’ and ‘moral deterioration or use of corrupt or tainted practices’. Words like ‘integrity’ and ‘moral principles’ may not only signify different things to different people, but are also to a large extent culture-bound. What is officially defined as ‘corruption’ in one society or organization may be the customary way of doing things, the accepted cost of business transactions, or a traditional favor-for-favor exchange in others.

Even the sense of what constitutes ‘corrupt conduct’ can differ within a single organization. What one group of managers may see as corrupt, another group may dismiss as ‘the way in which things get done around here’. In the landmark report of the Treadway Commission,33 the commission stated that the control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Effectively controlled entities strive to have competent people, instil an organization-wide attitude of integrity and control consciousness, and set a positive ‘tone at the top’. The effectiveness of internal controls depends on the integrity and ethical values of the people who create, administer and monitor them.

33. Treadway et al. 1987. pp. 69–78.

GLOBAL BUSINESS ENVIRONMENTS

The Nature of Industries
Industries vary in nature, and the more globalization and internationalization occur, the more apparent these variations become.

Fragmented Industries
Firms that have an insignificant market share and are not in a position to exert great influence on industry outcomes are said to exist in a fragmented industry. This is particularly true where the industry has many small-to-medium-sized firms with no obvious market leader, and products that may or may not be significantly differentiated. Economists would normally refer to such an industry as pure competition. Industries can fragment for a variety of reasons. Low barriers to entry permit easy access to an industry, which can under certain circumstances lead to fragmentation. Some industries are fragmented for purely historical reasons, while for others, economic causes for fragmentation exist. Small, flexible firms may have a market advantage when quick responses to change are required or when a product line must be customized to the unique requirements of individual customers. Even the newness of an industry may be a reason for fragmentation: new firms may not have the resources and abilities to achieve concentration for some time. When the cellphone industry started in South Africa, there was an abundance of small cellphone providers associated with the large cellphone infrastructure providers. Over a period of time, through mergers and acquisitions, and the bankruptcies of some companies, a more concentrated market has emerged.

Overcoming fragmentation can have significant strategic effects if the factors preventing consolidation can be eliminated. It may be possible to use technology to create economies of scale, or to isolate the factor that is responsible for fragmentation from the rest of the business. Another common approach is for a single firm to use multiple brand names to appeal to the varying tastes of differing customers. Recognizing the factors that can remove the cause of fragmentation can provide a competitive advantage to an organization that can influence those factors ahead of the competition. Strategies to defeat fragmentation will depend on the situation in which an organization finds itself. Where personal service or local control is critical to successful operations, management may decide that tightly controlled decentralization is the right strategy. If the cause of fragmentation was the inability to differentiate products or services, an appropriate strategy may be to add value to the product or service in order to create the differentiation. Obviously, management can also adopt strategies that make the situation worse. Attempting to dominate a fragmented industry may be disastrous if no attempt is made to change the basic industry structure. In fragmented industries, speed of response and local knowledge may be critical to success; if this is the case, centralizing the organizational structure could be disastrous. Before selecting a strategy, management must identify the basis for fragmentation and analyze what the right interventions would be to overcome it.

Emerging Industries
An industry is classed as emerging if it is new and small in size. Such industries may result from new customer needs, innovation or changes in environmental factors. They are typified by uncertainties over products and production (technological uncertainty) or production and marketing (strategic uncertainty). Within emerging industries, there will be many newly formed companies to begin with, and spin-offs from existing firms are common. Initial costs are usually high during setup, but they decrease rapidly. Marketing in such industries is problematic, since customers have to be convinced that the risk of using the new product or service is not high and that the benefits are there to be gained. Many such industries, based on new technology, attract government subsidies or grants. While initially these may be beneficial, in the long term they create market instability. Due to the lack of standardization, product quality may be erratic and customer confusion may arise because of the number of variations on the market. Such confusion makes buying these products seem more risky to customers and may be counterproductive.

Declining Industries
Industries are classed as being in decline when they have sustained a permanent decrease in activity for some time. If an industry is in decline, a company within the industry must make strategic choices to deal with the decline without overcapacity and massive losses. During industry decline, the reality is that business activity is decreasing and that too much competition will only accelerate the decline by decreasing profits. In seasonal industries, it may be difficult to differentiate between genuine decline and the normal seasonal variability of sales, and thus it may be difficult for an organization to respond appropriately. The rate of decline will not be constant, but will increase as lower volumes increase the per-unit impact of fixed costs. Industry decline can be caused by a variety of factors, including product innovation or the introduction of product substitutes. Customer demographics change over a period of time because of economic factors, population age or even political change. In specialized industries, it may be difficult for an organization to develop an exit strategy, despite low returns, without affecting the image or financial standing of the firm.


Chapter 12: Organizational Behavior

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly what managers do in the context of organizational behavior
➤ Explain the contingency approach to organizational behavior and its importance to an internal auditor
➤ Explain the primary causes of conflict within an organization and provide appropriate coping strategies
➤ Explain the fundamental concepts in group and individual decision making

The Organizational Behavior of Managers
When examining organizational behavior, it is important to be clear about the role and functions of managers. Managers are individuals who achieve corporate goals through other people. In 1916, Henri Fayol34 defined the management functions as planning, organizing, commanding, co-ordinating and controlling. Later management scientists condensed these into planning, organizing, leading and controlling. The Institute of Internal Auditors defines management’s role as the planning, leading and directing of individuals to align with corporate objectives. Henry Mintzberg35 classified management’s roles into three broad categories, namely interpersonal, informational and decisional.
➤ Interpersonal roles include those roles undertaken by a manager in dealing with insiders and outsiders in business and social environments. These include the role of figurehead, where the manager may be required to perform a number of routine duties of a social or legal nature. In carrying out the responsibility for the motivation and direction of subordinates, the manager is said to be acting in a leadership role. The third role within this grouping is that of liaison, which Mintzberg described as communicating with outsiders who provide the manager with information.
➤ Informational roles include the receiving of information from a wide variety of internal and external sources. This is the role of monitor. Having received this information, the manager must then transmit it to other members of the organization in a disseminator role. Managers may also be required to act as a spokesperson in transmitting an organization’s plans, policies, actions and results to outsiders.
➤ Decisional roles are roles that involve the making of choices. The entrepreneur searches for opportunities and innovations, and will initiate new projects to improve the organization’s performance levels. From time to time, management will face unforeseen problems and be forced to act in the role of disturbance handler. The manager must also choose his/her preferred method of allocating resources in order to achieve the organization’s goals. Managers have at their disposal a variety of resources, which are commonly grouped into the five Ms, namely:
◗ manpower;
◗ money;
◗ materials;
◗ machinery; and
◗ methods.
This places management in the role of resource allocator. Finally, management will periodically perform a negotiator role in which it bargains with other business units to gain advantages for its own area of responsibility.

In the context of organizational behavior, management operates within an environment characterized by the interactions of individuals, groups and structures within organizations. Management is responsible for the application of such knowledge with the aim of improving the organization’s effectiveness.

34. Fayol, H. 1916. Industrial and General Administration. Paris: Dunod.
35. Mintzberg, H. 1973. The Nature of Managerial Work. New York: Harper & Row.

Groups within Organizations
An organization can become so large that individuals do not know most of the other people in it. Groups are collections of people that are small and immediate enough to affect both the feelings and self-images of their members. People tend to be more committed to groups to which they belong, and certain psychological needs are better satisfied by such groups. A group may be defined as two or more individuals who have chosen to come together and interact to achieve specific objectives. Groups may be formal or informal.
➤ Formal groups are those defined within the organization structure that have been allocated specific work assignments. Behavior within those groups is regulated to the extent that the achievement of the organizational objectives is of paramount importance.
➤ Informal groups are those that have come together spontaneously and are neither formally structured nor controlled by the organization. They are primarily socially driven and appear as a response to social needs.
Within these overall groupings, further subdivisions are possible:
➤ Formal groups may include command groups, as laid down by the organization chart, or task groups brought together to achieve a specific objective.
➤ Informal groups may include interest groups, whose members may or may not be part of the same formal group, which have come together to achieve a specific objective in which they all have a common interest. Sub-groups may also develop within informal groups simply because of social alliances, which may extend beyond the working environment. These are known as friendship groups.


People join groups for many reasons. For some individuals, joining a group can reduce the feeling of vulnerability involved in being on their own. If the group has a positive reputation, membership may give a degree of status to an individual. This can improve his/her self-esteem and sense of self-worth. In collective bargaining, membership of a group may contribute to the power of the individual. Power may also be achieved by using group membership to achieve superordinate goals (ie goals that cannot be achieved by working alone but are possible for the group). Several concepts must be understood with regard to groups.

Group Development
The traditional view of group development was based on Tuckman’s36 work in 1965. His five-stage model characterized groups as progressing through a standard sequence of forming, storming, norming, performing and adjourning.
➤ Forming, the first stage in group development, is characterized by uncertainty about why the group exists, who will lead it and how it will be structured.
➤ The second stage is known as the storming stage, since it is at this stage that conflict may arise over the control of the group. At the end of the stage, leadership has normally been clarified and the way in which the group functions is relatively clear.
➤ During the third stage, norming, the group comes together as a cohesive whole and close relationships usually develop. At this stage, a strong sense of group identity will exist.
➤ By the fourth stage, performing, the group is functioning efficiently and becomes highly task-oriented. Under normal circumstances, this is the desirable final stage for permanent groups.
➤ For temporary groups, the final stage is adjourning, when the task has been achieved and the group structure is no longer required.
In 1988, work by Gersick37 suggested that groups do not develop in a universal sequence of stages. She noted, however, that the timing of group formation and change is highly consistent. This is known as the punctuated-equilibrium model. In this model, the first meeting sets the group’s direction, and the first phase of activity is one of inertia. At the end of the first phase, a transition takes place, which occurs almost exactly when the group has used half of its allotted time. This transition initiates major changes and is then followed by a second phase of inertia. The group’s last meeting is characterized by markedly accelerated activity. This appears to be in line with Parkinson’s Law that ‘work expands so as to fill the time available for its completion’.

Group Size
Another major factor in the functioning of groups is group size. There is evidence that smaller groups complete tasks faster than larger ones, but larger groups are significantly better at problem solving than smaller groups. In larger groups, there appears to be a tendency for individuals to do less than they would be capable of if they were operating as individuals. This tendency is known as social loafing and may be responsible for inefficiencies and ineffectiveness within larger groups. It is believed to occur when individuals see other members underperforming and reduce their own efforts in order to achieve equity (‘Why should I work hard if he’s loafing?’). For management, this means that in addition to setting objectives for the group, individual measurement criteria are required so that individual efforts can be recognized and rewarded.

Group Roles
In any given group, individuals undertake different roles at different times. A number of factors are involved here:
➤ How individuals react within groups is partly due to their role perception. This is the individual’s interpretation of how he/she is supposed to behave and act in a particular role.
➤ Role identity involves specific attitudes and behaviors consistent with the role being played, and individuals will shift roles as circumstances change.
➤ Role expectations, on the other hand, define how others believe the individual should act in a given situation and may lead to role stereotypes.
➤ When an individual is required to adopt multiple roles in a given situation, role conflict may occur, eg a manager may have to discipline a personal friend.

Group Norms
All groups have established acceptable standards of behavior, which are shared by the group’s members. These are known collectively as group norms. In a formal group, these are laid down in policies and procedure manuals, but most of the norms within organizations are informal. Common norms would include appropriate dress, norms regarding social interactions such as who eats lunch with whom, performance-related norms regarding how hard individuals should work, and even norms regarding who gets the latest equipment when it arrives.

Group Cohesion
Although management generally seeks group cohesion in order to achieve corporate objectives, a highly cohesive but unskilled team is still an unskilled team. Even if the skills are present, a cohesive group may develop its own goals and objectives that are out of line with those of the organization or even contradictory to them. In some highly cohesive groups, it becomes more important that no one disagrees than that objective appraisal takes place. This phenomenon, known as groupthink, can be deadly to the decision-making process. In a strongly led group, overzealous group members may perform unauthorized or even illegal activities because they believe that the leaders of the group and the group as a whole will be pleased. This phenomenon is known as ‘Ollieism’.

36. Tuckman, B.W. 1965. ‘Developmental sequences in small groups’. Psychological Bulletin. June, pp. 384–99.
37. Gersick, C.J.G. 1988. ‘Time and transition in work teams: Towards a new model of group development’. Academy of Management Journal. March, pp. 9–41.


Conflict
Conflict has as many definitions as there are parties to the conflict. One generally recognized element is that there must be a perception that conflict exists: it is commonly agreed that if no one is aware of the conflict, then no conflict actually exists. Conflict can be seen as a process that begins when one party perceives that another party is, or is about to be, in conflict with the first party.

There are further disagreements about the role of conflict in organizations and groups. Some management scientists argue that conflict is counterproductive, indicates a problem within the group and must be avoided at all costs. Others argue that conflict is natural within any group and can be a positive force in achieving high performance by the group. Current thinking indicates not only that conflict can be positive, but that the group will stagnate and die without it, and that conflict is therefore a necessity for effective performance. Even under this interactionist view, however, not all conflict is seen as good. The view differentiates between functional conflict, which is constructive, and dysfunctional conflict, which is destructive.

The Conflict Process
The conflict process is generally recognized as comprising five main stages:
➤ The first stage is the existence of circumstances within which conflict can arise. This does not mean that conflict will definitely occur, but without these preconditions, conflict is unlikely. The circumstances may arise from communication difficulties leading to misunderstanding of people’s attitudes, needs and perceptions. Conflict circumstances may also result from imbalances and misinterpretations within power structures, or even from personal factors, including individuals’ value systems and personal characteristics.
➤ Once the preconditions for conflict exist, the potential for conflict may be perceived and ultimately personalized. It is at this stage that individuals become emotionally involved and that the parties involved decide what the conflict is about.
➤ The third stage involves the formation of intentions. Even at this stage, overt conflict may not occur, since many intentions are never translated into action. Human behavior does not always accurately reflect an individual’s intentions.
➤ The fourth, or action, phase of conflict involves human behavior. This is where conflicts become externalized and visible. Conflict in this stage may evolve and escalate so that a minor problem that could have been cleared up easily at an earlier stage becomes a major source of conflict, with entrenched positions and power struggles emerging.
➤ The final stage of conflict is the outcomes phase, which again may be functional or dysfunctional.

Conflict Resolution
Conflict resolution will depend on the individual parties involved, but various options can be identified.
➤ Collaborating involves each party seeking to resolve the situation by fully meeting the needs of both parties.
➤ Through avoidance, one party, recognizing the potential for conflict, may withdraw from the situation.
➤ Accommodating refers to the intention of one party to place the opponent’s interests above its own in order to appease the opponent.
➤ Compromise is reached when each party agrees to give up some of its requirements in order to meet some of the requirements of the other party.

Group Decision-making

Advantages of Group Decision-making
It is common within organizations to use groups to help in the making of decisions. Groups can offer the advantage of more complete information and more extensive knowledge by bringing a variety of experiences and skills into the decision-making process. This means that a variety of alternatives can be considered. Once the decision has been made, greater commitment from individuals can be gained if the individuals feel that they were part of the decision-making process. This commitment can significantly increase the chances of success of any activity decided on. In many cases within the South African context, group involvement increases the legitimacy of any decision arrived at. Because of this country’s history of a substantial proportion of the population being denied any participation in the decision-making process, involvement of this very large group has become essential.

Disadvantages of Group Decision-making
Although there are significant advantages to the involvement of groups in the decision-making process, there are also disadvantages. Groups, by their nature, create the desire within members to be accepted as an asset to the group. This can cause individual members to suppress disagreement and can result in a kind of groupthink. It is expensive and time-consuming to bring groups together to make routine decisions, and therefore group decision making should be reserved for non-routine decisions or those with a critical impact on individual members of the group. Even with goodwill on all sides, it is still possible for an individual member of the group to dominate, particularly if the group is structurally imbalanced, with senior executives and junior members of staff placed together. A further disadvantage of group decisions is the disappearance of allocatable responsibility. Although members of the group share the responsibility, it may be difficult to establish accountability.

Group Techniques
Most group decision-making takes place on a face-to-face basis, although increasingly the use of technology can allow a group to reach consensus without ever meeting. In order to achieve effective group decision making without the disadvantages noted above, specific techniques are required to ensure the effectiveness of the decision-making process, eg brainstorming is a technique used to generate ideas in a group discussion session by noting ideas expressed in an unstructured fashion without ranking or criticizing either them or the people who propose them during the idea-generation stage.

Chapter 13: Management Skills

Learning objectives
After studying this chapter, you should be able to:
➤ Define the evolution of managerial practice
➤ Outline briefly the skills required of a modern manager
➤ Explain the challenges for managers in dealing with increasing business uncertainty
➤ Explain the role of management in problem solving
➤ Contrast the types of decisions a manager will be required to make
➤ Explain the impact on employees of values and job satisfaction
➤ Describe the major leadership theories and the impact of different leadership styles on internal control
➤ Explain the basic concepts behind motivational theory and behavior modification
➤ Define work stress and explain potential remedies
➤ Explain the role of the manager in building staff competencies

The Evolution of Management Practices The guidance given in IIA Practice Advisory 2100-1: Nature of Work stresses the importance of management responsibilities and practices that affect the organization and the work of internal audit. ‘Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. Management periodically reviews its objectives and goals and modifies its processes to accommodate changes in internal and external conditions. Management also establishes and maintains an organizational culture, including an ethical climate that understands risk exposures and implements effective risk strategies for managing them.’

The term management has been used in a number of different ways. It may be used to refer to the group of people running an organization or to identify the processes by which managers direct and control business activities.

The Early Pioneers
Three of the earliest pioneers of management thinking were James Watt, Robert Owen and Charles Babbage.
➤ James Watt (1769–1848), son of the James Watt who patented the first efficient steam engine, set up a factory in Birmingham in 1795 to manufacture it. This factory became famous for its efficiency and employed many of the techniques associated with management thinkers of a hundred years later. The firm was the first to use market research when establishing the business. The factory site and layout were preplanned. Planning included production planning factors such as the division of labor, the use of standard components, and the development of operating standards and procedures. Payment by results was instituted based on work study, and extensive financial and operating records were maintained. Watt was also an innovator in developing training schemes for both workers and management.
➤ Robert Owen (1771–1858) believed strongly in the need for a meaningful understanding between employer and worker. He tried to implement this through improvements in factory working conditions. A revolutionary in his time, he believed that young children should not be employed in factories and that working conditions for factory workers should be improved. He operated in the textiles industry, where he introduced innovations in both social and working conditions. He raised the minimum working age from 10 to 12, reduced the daily working hours to 10¾ and provided education facilities and better housing.
➤ Charles Babbage (1791–1871) was a mathematician who is credited with designing the world’s first computer, a mechanical ‘calculating machine’. In the course of his research, he became interested in the economics of manufacturing processes, particularly in the virtues of division of labor. He argued that specializing the production of a shoe reduced the time needed for learning the job and the waste of materials during the learning stage. He also believed it allowed for improvement in skill levels and allowed the matching of employees’ skills and abilities with the specific tasks required. He also suggested that specialization was as relevant to mental work as it was to physical labor.
Management theory is generally considered in terms of the main schools of management thought. It must be emphasized that there is no ‘correct’ school. They developed in parallel with changes taking place in society.

The Classical/Scientific School
The classical school was popular during the first 30 years of the twentieth century, and it was during this period that today’s general theories of management evolved.
➤ F. W. Taylor (1856–1915) is generally considered to have invented modern management theory when he laid down the concepts that make up ‘scientific management’. With the Industrial Revolution and the development of the limited liability company, ownership and control were separated, and control moved out of the hands of individual entrepreneurs. Taylor, who was an engineer by profession, believed that management should be based on ‘well-recognized, clearly defined and fixed principles, instead of depending on more or less hazy ideas’. Taylor believed that management’s objective should be to secure maximum prosperity for both employers and employees in both the short and long term. He studied the causes of hostility and inefficiency in the workplace, and attributed them to the belief among workers that increases in output would naturally result in unemployment, to traditional practice that created inefficient methods of work, and to workers restricting their output in order to protect their interests. Taylor tried to overcome these problems by studying each job to discover the best way of doing it. He combined this with a similar study of management practices to identify the best means of control. Taylor identified the four ‘principles of management’:

122

Internal_Auditing.indb 122

16/04/2015 11:12

MANAGEMENT SKILLS

◗ the development of a science of work intended to determine what constituted a ‘fair day’s work’ for a ‘first class man(/woman)’ for which he/she would receive a ‘high rate of pay’;
◗ the selection, training and development of the worker to ensure that he/she was enabled to do the ‘highest, most interesting and most profitable class of work’ of which he/she was capable;
◗ the bringing together of the science of work and the scientifically selected and trained person to cause the mental revolution in management that Taylor wanted; and
◗ the close co-operation of management and workers to show that management decisions are not arbitrary, and thereby reduce the likelihood of conflict.

Taylor believed in detailed observations leading to the design of standards and that workers should be paid on piece rates related to scientifically determined standards, with reduction in pay for those who did not reach the standard. He also believed in specialization of both management and workers, and pioneered what is now known as industrial engineering. His approach is still widely used today and underlies many management techniques, from work study to standard costing.

➤ F. B. Gilbreth³⁸ (1868–1924) was an American manager and consultant. His belief in the one best way of doing a job led him to develop time and motion studies, assisted by his wife, who was a trained psychologist. Gilbreth laid down rules for finding out which of the motions used in doing a job were necessary and which were ‘wasted motions’: he called these the ‘rules for motion economy and efficiency’.

38. Gilbreth, F.B. 1911. Motion Study. New York: Van Nostrand.

➤ Henry Gantt (1861–1919) was a teacher and then a draughtsman before becoming an assistant to F. W. Taylor. Gantt developed a variety of graphical tools in the course of his work, the best known being the horizontal bar chart, which bears his name (the Gantt chart).

➤ Max Weber (1864–1920) was a German sociologist whose main contribution to management thought was his theory of authority structures. Weber distinguished three typical bases of authority, namely:
◗ charismatic, based upon the exceptional powers of the leader;
◗ traditional, based on precedent and usage; and
◗ rational, based on scientific principles and the rule of law.

Weber is credited with coining the word ‘bureaucracy’, meaning ‘rule by the office’, without the later overtones of red tape and inefficiency, and considered bureaucracy to be the dominant system in modern society and to be technically the most efficient.

➤ Henri Fayol (1841–1925) was a French manager who set out his own principles of management, which became known as administrative theory. Fayol suggested that all managers perform five principal functions (as briefly mentioned in Chapter 12, above): planning, organizing, commanding, co-ordinating and controlling. Fayol developed 14 principles of management:
◗ division of work, to increase efficiency through specialization;
◗ authority combined with responsibility, to authorize managers to give orders;
◗ discipline, resulting from effective leadership and a clear understanding of the organization’s rules and the penalties for infringing those rules;


◗ unity of command, such that each employee receives instructions from only one superior;
◗ unity of direction, to ensure that one manager, using one plan, directs the business affairs of each group;
◗ subordination of individual interests to the general interests, in order to ensure that the interests of the organization as a whole take precedence over the interests of employees or groups of employees;
◗ remuneration in the form of a fair wage;
◗ centralization in respect of involvement in decision making. A centralized environment leaves decision-making in the hands of management, but the decentralized environment involves subordinates in the process;
◗ a scalar chain of authority from top management to the most junior employees, which facilitates communication;
◗ order, to ensure that resources are in the right place at the right time;
◗ equity, so that managers are fair to their subordinates;
◗ stability of tenure, because of the inefficiencies involved in high employee turnover. Effective personnel planning reduces employee turnover and ensures that vacancies can be filled by available replacements;
◗ initiative, enabling managers and employees to initiate and implement their own plans and so gain commitment from the employees; and
◗ esprit de corps, promoting harmony and unity within the group.

The Human Relations School

After World War I, people were reluctant to go back to pre-war conditions and had increased expectations from work. The human relations school of thought involved looking at the behavior of people as a group. It was believed that the key to employee productivity was finding ways to increase employee satisfaction. One of the first pioneers in this area was Elton Mayo (1880–1949). Mayo was an Australian who carried out many research projects at the Harvard Business School. His most famous project was his five-year investigation of the Western Electric Company’s Hawthorne Works in Chicago, which resulted in his conclusions that group influences significantly affected individual behaviors and that a group’s standards laid down the norm for individual worker output. He also proposed that money was less a factor in controlling the levels of output and workgroup sentiments than security within the group and group standards. The impact of Mayo and the Hawthorne experiments on today’s management thinking has been enormous and they have led to a greater understanding of the human aspects of management.

➤ Abraham Maslow (1908–1970) argued that human needs are arranged in a hierarchy so that as each need or group of needs is satisfied, it ceases to act as a motivator and is replaced by the need on the next level. Maslow’s theories are discussed later in this chapter.

➤ Frederick Herzberg (1923–2000), an American, developed motivation-hygiene theory. Herzberg postulated that humans are motivated by the need to avoid pain and discomfort, as well as the need to grow and develop. His theories suggest an implied neutral point between dissatisfaction and satisfaction and that there are associated maintenance factors that help maintain the status quo. These are discussed below.


➤ Douglas McGregor (1906–1964) formulated two models, which he called Theory X and Theory Y. The basic definitions of each model are as follows:
◗ Theory X assumes that people are lazy and do not like work and must be driven.
◗ Theory Y assumes that people have a psychological need to work and can be led.

The Systems/Contingency Approach

Systems theory

Systems theory involves looking at various branches of knowledge as collections of systems. A system may be:
➤ open, ie responsive to external influences; or
➤ closed, ie isolated from its environment.

Decision theory is a derivation of systems theory that combines natural and behavioral scientific approaches into a quantitative or mathematical systems approach.

Contingency or situational theory

Contingency theory views a business firm as an open system and stresses the importance of the environment in determining how situations should be dealt with. In other words, there is no ‘one best way’ of management and the approach adopted by managers must be contingent on the prevailing circumstances.

Current Management Theory

Management and Culture

In the past, organizations survived because they had improved control over physical resources. In today’s world, the competitive edge now lies with organizations that manage their resources most effectively to meet the demands of the market.

➤ W. Ouchi (1943– ) compared Japanese and American management approaches to determine his ideal management/culture system, which he calls Theory Z. This model adopts many aspects of Japanese management practices, but retains one important aspect of Western management theory – individual responsibility.

➤ Peter Drucker (1909– ) defined the key to a productive and profitable organization as the effectiveness of managers. He believed it particularly important that they make good use of their human resources, and is considered to be the father of management by objectives (MBO).

The Quality Concept

It is widely acknowledged that, in today's competitive world, survival rests on the delivery of quality in goods and services.

➤ W. Edwards Deming (1900–1993) is believed by many to be the founding father of the quality movement. He regarded the customer as the most important part of the production line and advocated keeping ahead of the customer and anticipating his/her future needs.

➤ Dr Kaoru Ishikawa (1915–1989) helped develop the notion of company-wide quality control (CWQC) in Japan. This requires company-wide participation from top management to lower-ranking employees across all business functions.


➤ Dr Genichi Taguchi’s (1924– ) methodology relates to optimizing the product and process before it is produced.

➤ Kenichi Ohmae (1943– ) maintains that customers must form the basis for any business strategy.

In the 1970s and 1980s, the so-called New Westerners increased our general awareness of quality issues through publishing them widely. Two of the best-known writers in this group are Crosby and Peters.

➤ Philip C. Crosby (1926– ) believed that traditional quality control procedures and tolerance limits for quality are, in fact, failures and that the system for ensuring quality should focus on prevention and not detection (ie the aim should be zero defects). This does not imply that no one will ever make a mistake, but rather that the company does not begin by expecting mistakes.

➤ Tom Peters (1944– ) suggested that excellent firms were those that believed in continuous improvement. He identified leadership as being central to the quality improvement process and he coined the phrase ‘managing by wandering around’ (MBWA).

Skills Required of a Modern Manager

To be effective, today’s manager needs a variety of skills to adapt to a variety of situations. There has been a change of emphasis in many organizations towards a facilitation model of leadership to replace the old command and control structures. Coupled with this has been recognition of the importance of aligning the work objectives to the strategic and long-term goals of the organization, and measuring employee performance in terms of contribution towards these goals. The employee’s objectives are derived from those of their departments, which are in turn derived from the mission and goals of the organization as a whole. As a result, managers are being forced to step outside of their traditional job descriptions and become supporters of team objectives and goals. Today’s manager is more of a facilitator or a mentor, who supports his/her staff by enabling them to operate at optimum levels. Managers, and indeed their staff, must gain the abilities to:
➤ adapt to change;
➤ communicate effectively with different groups at varying levels within the organization; and
➤ solve problems creatively.

Management must develop the skills to lead others to comply, not because they are forced to, but because they want to. The traditional view of managers has been of administrators who operate from a short-term viewpoint to maintain control and generally work within existing norms. Today’s managers must become innovators who take a long-term view and challenge the status quo through innovation and development.

The Challenges of Increasing Business Uncertainty

Business today operates within an environment comprising a complex set of relationships characterized by extreme fluidity and uncertainty. No single manager or group of managers can either completely envisage the environment and all of its possible changes, or completely control and influence these changes. Attempting to guess future directions is becoming increasingly hazardous to organizations. An alternative approach is therefore required to minimize the risk of committing significant corporate resources to the wrong plans or policies. By building in flexibility, an organization can significantly improve its ability to survive changes in the operational environment. A global perspective has ceased to be optional and must now be viewed as a strategy for survival. Along with globalization has come the threat or opportunity of advanced technology. Once again, the use of advanced technology to gain competitive advantage is no longer an option. The business imperative now is to use advanced technology to prevent competitive disadvantage. That is to say, if you are not doing it, your competitors certainly are. One of the most complex issues facing management is the development of problem-solving abilities.

Types of Managerial Decisions

Managers have to make choices continuously from among several alternatives. At the executive level, this involves identifying the organization’s goals and objectives, deciding on the services or products to be offered by the organization and deciding how best to achieve these objectives. Middle management operate at a more tactical level and make the day-to-day decisions on how the business operates. Decision making is a process that occurs in reaction to an existing problem. The gap between the current situation and the future desired state requires the evaluation of alternative actions. In many cases within the business environment, disagreement may occur on the nature of the problem or even on whether there is a problem in the first place. To make a decision, management must interpret and evaluate information derived from a variety of sources. Harrison³⁹ developed a six-step process for making a decision:
➤ Ascertaining the need for a decision involves recognizing the existence of a gap between the desired and actual conditions.
➤ Identifying the decision criteria to be used in making the decision is important in order to eliminate the irrelevant factors.
➤ Allocating weights to the criteria is required, since all criteria are not equally important.
➤ Developing the alternatives is achieved by listing all viable alternatives that could possibly resolve the problem.
➤ Evaluating the alternatives in a critical manner is necessary to identify the strengths and weaknesses within each alternative.
➤ Selecting the best alternative is the final stage in the optimizing decision model and involves selecting the best alternative from among those evaluated.

Although this model has gained wide acceptance, other decision-making models exist.

39. Harrison, E.F. 1981. The Managerial Decision-making Process. 2nd ed. Boston: Houghton Mifflin. pp. 53–7 and 81–93.


➤ The so-called satisficing model is used by decision-makers faced with a complex problem and involves selecting the first solution that is good enough to satisfy the requirements although not necessarily the optimum solution.
➤ When faced with a complex problem with too many variables to consider fully, the concept of bounded rationality may be used to identify the critical factors without having to understand all the factors involved fully.
➤ One common method of making decisions is called the implicit favorite model. This involves the subconscious selection of an alternative as an implicit favorite early in the decision-making process, with the rest of the process effectively acting as a confirmation that the favorite is in fact the correct choice.
➤ Many experienced managers use intuitive decision making, which is an unconscious process based on the individual manager’s experience.

Once again, culture may have an impact on the decision-making process. In many Western countries, the implicit favorite model is used because, although a manager may make an important decision intuitively, it is understood that it must appear to have been reached in a rational and quantitative manner. In many Eastern countries, only very senior managers are empowered to make decisions, while in many European countries, lower-ranking employees make operational decisions.

Values and Job Satisfaction

Values have been defined as representing basic convictions that ‘a specific code of conduct or state of existence is personally or socially preferable to an opposite or converse mode of conduct or end-state of existence’.⁴⁰ Implicit within our value system is an element of judgment of what is right and good. Values have been classified into six specific types⁴¹: theoretical, economic, aesthetic, social, political and religious. This means that in the same situations different people holding different values would react in different ways. Values affect job satisfaction and an individual’s general attitude towards his/her job, since people whose value systems are in line with their chosen vocations are more likely to be successful in those vocations and therefore have a greater probability of achieving high job satisfaction. Knowledge of an individual’s values can therefore help management to ensure employee job satisfaction by aligning tasks with individuals’ value systems. Satisfied employees tend to remain in a job, and high satisfaction can reduce both employee turnover and absenteeism.

Leadership Styles

The difference between a manager and a leader is one of motivational ability coupled with the ability to adapt situations rather than simply optimize the group’s performance within a given situation. Subordinates must become followers and managers must be clear articulators of the visions that can permit their followers to attain their goals. Measuring the performance of leaders is, in itself, problematic. Performance indices may be related to task outcome, but will also include the ratings of operational effectiveness made by superiors, and the ratings of motivation and satisfaction made by subordinates.

40. Rokeach, M. 1973. The Nature of Human Values. New York: Free Press. p. 5.
41. Allport, G.W., Vernon, P.E. & Lindzey, G. 1951. Study of Values. Boston: Houghton Mifflin.


Motivation

Motivational Theory

It is possible to draw direct links among the quality of leadership, job satisfaction and overall unit or team performance. Leadership behavior using the proper motivational techniques can improve performance, which in turn improves customer satisfaction and loyalty, and can create high levels of unit performance. By motivating his/her followers, a leader can improve follower job satisfaction, which in turn will reduce staff turnover. Many of today’s motivational theories of leadership owe their origins to the human relations school of thought (see above).

Maslow

Maslow’s hierarchy of needs included:
➤ basic needs;
➤ security needs;
➤ social needs;
➤ esteem needs; and
➤ self-actualization needs.

➤ Basic needs: Individuals who are mainly preoccupied with basic needs are motivated by fulfilling the desire for food, shelter, etc. In business, such individuals would respond to motivators such as salary increases, pleasant working conditions, more luxury or more leisure time.
➤ Security needs: Fulfilling the desire for assurance of continuity and continued fulfillment of basic needs motivates individuals who are mainly preoccupied with security needs. In business, such individuals would respond to fringe benefits, protective rules and regulations, pension schemes and tenure protection.
➤ Social (belonging) needs: Fulfilling the desire for a sense of belonging and group membership motivates individuals who are mainly preoccupied with social needs. In business, such individuals would respond to organizations that encourage good interpersonal relationships, friendliness of colleagues, acceptance by others and good teamwork.
➤ Esteem needs: Fulfilling the desire for recognition and praise motivates individuals who are mainly preoccupied with esteem needs. Such individuals would respond to motivators such as opportunities for advancement, recognition based on their merits, assignments allowing them to display their skills, and inclusion in planning activities.
➤ Self-actualization needs: Individuals who are mainly preoccupied with self-actualization needs are motivated by the desire for the freedom to be what they are. Such individuals would respond to motivators such as being able to prove themselves to themselves, the merits of the work itself, and the freedom to experiment and take risks.


Herzberg

Herzberg’s theory suggested the existence of both motivational and maintenance factors. Motivational factors are those that, if improved, could have a major impact on motivation and performance. These include:
➤ opportunities for achievement;
➤ recognition for personal efforts;
➤ the nature of the work;
➤ opportunities for advancement; and
➤ opportunities to exercise responsibility.

Maintenance factors are those that, if they are acceptable, do not in themselves motivate; but if they are not acceptable, could significantly demotivate. They include:
➤ company policies and administration;
➤ supervision;
➤ interpersonal relationships;
➤ working conditions; and
➤ salary, status and security.

Expectancy Theory

Expectancy theory suggests that a person’s willingness to be influenced is primarily controlled by his/her motivational strength, ie ‘How much effort is it worth making to achieve the results?’ This in turn is influenced by three major factors, namely:
➤ the perceived value of rewards, or ‘Do I really value the reward on offer?’;
➤ the perceived effort-performance probability, or ‘What is the likelihood I will achieve my objective if I put in the required effort?’; and
➤ the perceived performance-reward probability, or ‘What are the chances of my obtaining the reward I want if I satisfactorily complete the job?’.

Job Enrichment

Job enrichment has been shown to increase staff motivation and therefore work effectiveness by focusing on achieving specific critical psychological states.

Job Enlargement

Job enlargement involves improving motivation by ensuring that all jobs lead to significant, identifiable results. This is normally achieved by taking a job that only involves a small part of a process and enlarging it so that a more observable result is achieved.

Figure 13.1: Job enrichment. [Diagram: core job characteristics (skill variety, task identity, task significance, autonomy, feedback from job) lead to critical psychological states (feeling that work is meaningful, feeling of responsibility for outcome of work, knowledge of the actual results of the work), which lead to outcomes (high internal work motivation, high ‘growth’ satisfaction, high general job satisfaction, high work effectiveness). Influencing factors: 1. knowledge and skill; 2. desire for personal growth; 3. ‘context’ satisfactions.]

Work Stress

Stress can be defined as a condition in which an individual is confronted with an opportunity, constraint or demand related to what is desired and an outcome that is perceived to be important but uncertain. Stress is most commonly linked to constraints preventing the individual from doing what is desired and demands for the loss of something that is desired. Sources of stress exist within the business environment and include such threats as economic, political or technological uncertainty. At the organizational level, stress may be caused by the demands of the task to be carried out or pressure from the role an individual undertakes. The nature of the organizational structure and leadership can also increase stress levels. Each individual must also face his/her own personal stress factors, which are dependent on his/her personality and economic situation, and also on family problems. The effects of stress range from physiological symptoms such as high blood pressure and headaches through to psychological symptoms such as depression and anxiety, and may eventually result in behavioral symptoms such as reduced productivity, absenteeism or high staff turnover. High levels of stress over a period of time can severely affect job productivity and are therefore seen by senior management as a significant risk factor. Management can reduce overall stress levels for employees by providing training in realistic goal-setting, introducing participative decision making, improving the alignment of individuals to jobs, and generally focusing on the employees’ physical and mental condition. Individuals have their own role to play in reducing stress levels. A major cause of individual stress is poor time management, and improvements in this area can significantly reduce stress levels. Physical exercise can raise endorphin levels, increase heart and lung capacity, and improve overall fitness, all of which help an individual deal with stress. Social support can also reduce the likelihood that high levels of work stress will be damaging to employees.

Building Staff Competencies

One of the fundamental roles of management is to increase employees’ levels of competency. Skills fall into three broad categories, namely:
➤ technical skills, which involve someone’s ability to carry out tasks assigned;
➤ interpersonal skills, which allow someone to effectively interact with co-workers and superiors; and
➤ problem-solving skills, where someone has to handle non-routine tasks and solve problems as part of the job.

Competencies are usually developed or expanded through appropriate training. In most cases, training takes place on the job and includes such techniques as mentoring, job rotation or possibly even an apprenticeship. Formal, off-the-job training includes classroom lectures and simulation exercises such as case studies. In a developing environment such as that faced by many Third World countries, capacity building and the building of specific staff competencies is essential to achieve sustained growth.

Performance Management

Performance management can be defined as an ongoing communication process involving both management and employees in:
➤ identifying and defining essential job functions and relating them to the mission and goals of the organization (key performance areas);
➤ developing appropriate performance standards and measurement criteria (key performance indicators);
➤ giving and receiving feedback about performance; and
➤ planning education and development opportunities to sustain, improve or build on employee work performance.

The performance management process therefore provides an opportunity for an employee and a performance manager to discuss development goals and jointly create a plan for achieving them. Development plans should contribute to both organizational goals and the professional growth of the employee. Performance auditing, then, involves firstly determining management’s objectives, followed by establishing which management controls exist, leading to effectiveness, efficiency and economy. An auditor must determine which key performance indicators are in use and are appropriate, as well as whether control objectives are being achieved. This is discussed in greater detail in Chapter 18.

Chapter 14: Auditing Business Process Cycles

Learning objectives

After studying this chapter, you should be able to:
➤ Identify the various types of business cycle
➤ Identify the functional interrelationships within the supply chain
➤ Identify risks within the supply chain
➤ Recognize red flags which may indicate fraudulent practices within the supply chain
➤ Structure supply chain audits
➤ Identify the components of payroll and human resource cycles
➤ Structure audits within the human resources function
➤ Identify risks and structure audits within the R&D cycle
➤ Structure audits for the awarding of contracts
➤ Understand the problems inherent in conducting audits of corporate strategic planning

Auditing Business Process Cycles

Each business process follows its own unique cycle within the overall cycle of business operations. Internal auditors must adapt their own processes to meet the needs of these specific business processes. This chapter will examine the differences in the types of audit required within the business processes.

Revenue and Receivable Business Cycles

Receivables and revenue represent significant business risks because of the complexity of certain business processes and accounting rules, as well as their accessibility for the commission of fraud. Internal auditing in this area may include audit of the accounting system and control activities as well as audits of the monitoring policies and procedures. Critically, management needs assurance of the reliability of revenues reported as well as outstanding receivables in order to make the most effective use of operational planning. The overall revenue cycle includes the receiving of orders from customers as well as the delivery of goods and services and the subsequent billing, followed by the collection of accounts receivable. In all cases, accuracy and completeness of information are critical to the process. Primary controls sought by auditors in this area include segregation of duties as well as supervisory controls to ensure the accuracy of financial statement assertions. The nature, timing and extent of substantive tests in this area will be dependent upon the auditors’ assessment of inherent and control risks based upon their evaluation of the operating effectiveness of the internal controls. One of the more onerous areas for audit substantive testing lies in substantiating the assertions of the existence and valuation of receivables due. This normally takes the form of acknowledgement of debt by customers and an assessment of the adequacy of the provision for uncollectible accounts.

Supply Chain Management

The supply chain has a major impact on any organization’s business strategy since it directly affects its operating costs. A sustainable supply chain is normally vital to the organization’s ability to survive and prosper. This has become notably more critical due to the nature of today’s competitive environment, with a corresponding need for internal audit to review supply chain performance from a holistic perspective rather than treating the audit as an integrated process. The aim of the internal audit in this area is to assist management to improve the efficiency and effectiveness of operations in order to achieve the projected business goals. The auditor must be careful not to confuse cost savings with risk reduction, since these are objectives which may compete with each other. The auditor must therefore become familiar with the interconnection of the functions existing within the corporate supply chain in order to review the policies and procedures which should be evident within the procurement function. The processes identified by The Global Supply Chain Forum are:
➤ Customer relations management
➤ Supplier relations management
➤ Customer service management
➤ Demand management
➤ Order fulfillment
➤ Manufacturing flow management
➤ Product development and commercialization
➤ Returns management.⁴²

Internal audit’s role may take the form of reviewing supply chains, including their strengths and weaknesses, in order to validate the corporate monitoring programs. Additionally, audit may be called on to assist management in identifying critical suppliers, aid with compliance monitoring and improve the strength of risk control procedures. Among the risks to supply chains are:
➤ Supply disruptions
➤ Supply delays
➤ Inaccurate requirement forecasts
➤ Poor inventory holding and accounting procedures
➤ Fraud.

The procurement process is by its nature a competitive activity which can operate effectively only when competitors price independently and honestly. In many organizations, procurement begins with a tender process which may itself be open to such fraudulent techniques as price fixing, bid rigging, product substitution and cost or labor mischarging.

42. Lambert, D.M. 2008. An Executive Summary of Supply Chain Management: Processes, Partnerships, Performance. Sarasota, FL: Supply Chain Management Institute.

Where there is collusion between an employee and an outside vendor through the authorization of bogus or inflated payments for services or products that are never delivered or work that is never done, the auditor must always be alert for red flags as warnings of suspicious activity. Such indicators may include:
➤ the elimination of discounts in markets where discounts have traditionally been given;
➤ price increases that are disproportionate to other cost increases;
➤ prices remaining fixed for long periods of time;
➤ one or more bidding companies continuing to submit unsuccessful bids while a single company wins most contracts;
➤ a group of companies consistently bidding for the same contracts with rotation of the lowest bidder;
➤ consistent sub-contracting by winning bidders to one or more unsuccessful competitors in the bidding process;
➤ large movements in labor costs;
➤ reclassification of costs from indirect to direct or vice versa;
➤ distinctive patterns of charging for labor or materials; and
➤ general laxity in the system of internal controls.
Audits of supply chain management must include a review of management processes to ensure functional and process integration within the organization, as well as maximizing supply chain flexibility so that the organization can respond rapidly to changes in customer demand and meet customer needs for innovative products and services. To achieve this, the auditor will need to identify the key objectives of supply chain management from a strategic and operational perspective, develop appropriate criteria to evaluate the effectiveness of the configuration of the organization’s supply chain, and define the metrics by which its operational performance is evaluated.
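Three of the bidding-pattern indicators above (a single firm winning most contracts while rivals keep bidding and losing, rotation of the lowest bidder within a fixed group, and winners subcontracting to firms that lost the same tender) can be screened for mechanically across a tender register. The Python script below is an added example written for this section; it is not the book’s or the IIA’s material. The record layout, the firm names, the bid amounts and the 60% dominance threshold are all constructed or assumed for illustration; a real engagement would load the register from the procurement system and treat any hit as a lead for audit follow-up, not as a finding.

```python
"""Added example: screening a tender register for bid-rigging red flags.

The Tender record layout and all sample data are constructed for this
illustration; an actual audit would read the procurement system's register.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tender:
    tender_id: str
    bids: dict                  # bidder name -> bid amount submitted
    subcontractors: tuple = ()  # firms the winner later subcontracted work to

    @property
    def winner(self) -> str:
        # Assumption: lowest bid wins. A real register records the award explicitly.
        return min(self.bids, key=self.bids.get)


def win_concentration(tenders, threshold=0.6):
    """Flag one firm winning most contracts while rivals keep bidding and losing."""
    wins = Counter(t.winner for t in tenders)
    bids_submitted = Counter(b for t in tenders for b in t.bids)
    top, top_wins = wins.most_common(1)[0]
    share = top_wins / len(tenders)
    # Firms that bid at least three times and never won.
    perennial_losers = sorted(b for b, n in bids_submitted.items()
                              if n >= 3 and wins[b] == 0)
    if share >= threshold and perennial_losers:
        return {"dominant": top, "share": round(share, 2), "losers": perennial_losers}
    return None


def bidder_rotation(tenders, min_group=3):
    """Flag a fixed group of firms bidding together repeatedly with the lowest bidder rotating."""
    winners_by_group = defaultdict(list)
    for t in tenders:
        winners_by_group[frozenset(t.bids)].append(t.winner)
    flags = []
    for group, winners in winners_by_group.items():
        # Same group met at least min_group times and every member won at least once.
        if len(group) > 1 and len(winners) >= min_group and len(set(winners)) == len(group):
            flags.append(sorted(group))
    return flags


def subcontracting_to_losers(tenders):
    """Flag winners that pass work to firms that lost the same tender."""
    hits = []
    for t in tenders:
        losers = set(t.bids) - {t.winner}
        overlap = sorted(losers & set(t.subcontractors))
        if overlap:
            hits.append((t.tender_id, t.winner, overlap))
    return hits


def red_flags(tenders):
    """Run all screens; an empty dict means no pattern worth a follow-up."""
    out = {}
    conc = win_concentration(tenders)
    if conc:
        out["win_concentration"] = conc
    rot = bidder_rotation(tenders)
    if rot:
        out["bidder_rotation"] = rot
    sub = subcontracting_to_losers(tenders)
    if sub:
        out["subcontracting_to_losers"] = sub
    return out


# Constructed sample: three firms bid on six tenders, the lowest bidder rotates,
# and the first three winners subcontract to a rival that lost the same tender.
ROTATION_SAMPLE = [
    Tender("T1", {"Alpha": 100, "Bravo": 110, "Charlie": 120}, ("Bravo",)),
    Tender("T2", {"Alpha": 115, "Bravo": 102, "Charlie": 118}, ("Charlie",)),
    Tender("T3", {"Alpha": 121, "Bravo": 117, "Charlie": 99}, ("Alpha",)),
    Tender("T4", {"Alpha": 98, "Bravo": 112, "Charlie": 119}),
    Tender("T5", {"Alpha": 116, "Bravo": 101, "Charlie": 122}),
    Tender("T6", {"Alpha": 123, "Bravo": 114, "Charlie": 97}),
]

# Constructed sample: Alpha wins five of six while Charlie keeps bidding and losing.
DOMINANCE_SAMPLE = [
    Tender(f"T{i}", {"Alpha": 100 + i, "Bravo": 130 + i, "Charlie": 125 + i})
    for i in range(1, 6)
] + [Tender("T6", {"Alpha": 140, "Bravo": 130, "Delta": 135})]

if __name__ == "__main__":
    for name, sample in (("rotation", ROTATION_SAMPLE), ("dominance", DOMINANCE_SAMPLE)):
        print(name, red_flags(sample))
```

Each screen returns plain data rather than a verdict, so the results can be attached to the working papers and the auditor can decide which hits merit inquiry; the thresholds (three bids, 60% share) are starting points to be tuned against the organization’s own tender history.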

Inventory and Production Cycles
Inventory is normally a major item in the working capital and the statement of financial position of an organization. For many organizations the inventory may lie in different locations, leading to problems in auditing physical controls. Generically, the cycle consists of:
➤ process purchase orders;
➤ receive raw materials;
➤ store raw materials;
➤ process the goods;
➤ store the finished goods; and
➤ ship the finished goods.
Information sought by the auditor in this area will therefore include records of the requisition and ordering of goods or raw materials, to be matched against records of receipt of the goods or raw materials. Proof will also be sought of the controls over the issue of goods or raw materials from inventory, as well as store-keeping procedures to ensure the safety and condition of materials and finished goods held in store. Inventory records also carry an inherent risk of material misstatement in valuation, and this would also be examined by internal audit. Tests of controls within this area would include:
➤ Existence – observation and evaluation of proper segregation of duties and test procedures for transfer and issue of inventory;
➤ Rights and obligations – checking recorded inventory against both suppliers’ invoices and goods received notes;
➤ Completeness – checking the existence of all purchase orders through sequence checking as well as their match to receiving reports and vouchers;
➤ Accuracy – examining testing procedures for ensuring physical inventory accuracy as well as the development of cost information;
➤ Valuation – testing procedures for the identification of obsolete or slow-moving inventory items; and
➤ Item classification – reviewing inventory classification to ensure compliance with corporate accounting policies and international standards.
Inventory controls sought by the auditor would include physical controls over inventory, the use of perpetual inventory records and the proper maintenance and integration of unit and standard cost records.

The production cycle relates to the processes involved in the conversion of raw materials into finished goods. This includes production planning as well as control of the types and quantities of goods to be manufactured, maintenance of appropriate inventory levels and the events and transactions pertaining to the manufacturing process. The production cycle differs from industry to industry and organization to organization, and the auditor must design an audit program suited to the needs of the company. In planning the audit, the auditor will typically take into consideration the materiality of likely findings, the degree of inherent risk, and the use of analytical procedures such as inventory turnover days or inventory growth in relation to cost-of-sales growth. Other ratios produced could include finished goods produced to raw material used, finished goods produced to direct labor, or the percentage of product defects. Once again, these are management measures, but internal audit may do time-series analysis in order to evaluate changes in control achievement.

Payroll and Human Resource Cycles
The overall human resources (HR) and payroll cycles involve the events and activities pertaining to the compensation of employees, including salaries, hourly wages, bonuses, commissions, employee benefits and stock or share options. Human resource services can vary in importance across industries: some, such as mining, may be highly labor intensive, while others, such as financial services, may be less so. As such, it is important for the auditor to become familiar with the criticality of human resource services to the entity as a whole, as well as the varying types of remuneration package in use within the organization. For most organizations, regardless of the degree of labor intensity, the importance of human capital to the value of the organization makes human resource services a material audit area. The overall purpose of the audit of HR is to identify areas of strength and weakness where improvements may be needed. This involves reviewing the current HR practices, policies and procedures in relation to the role HR plays in the achievement of the overall strategic objectives of the organization. Areas which would form part of a conventional audit program would include:
➤ compliance with legal statutes;
➤ accuracy and completeness of record-keeping;
➤ maintenance of confidentiality;
➤ employee relations;
➤ performance appraisal systems;
➤ termination procedures;
➤ health, safety and security in the workplace; and
➤ compensation structures.
Auditing within HR can take the form of compliance auditing, to determine the degree of compliance with external laws and regulations as well as internal policies, procedures and plans; program-results audits, to determine the effectiveness of HR procedures in areas such as health, employee relations and performance appraisal systems; through to operational audits of the accuracy and completeness of record-keeping, confidentiality, termination procedures and compensation structures. It is unusual for all of these audit programs to be performed in one single audit. Depending on the nature of, and risk inherent in, the corporate use of HR, the audit would normally be a compliance audit, an operational audit or a program-results audit, and the scope set accordingly. In examining payroll activities the auditor may use analytical procedures such as calculating:
➤ the average payroll cost per employee classification;
➤ the revenue per employee;
➤ payroll tax expenses as a percentage of gross payroll;
➤ time-series analysis of payroll expenses; and
➤ employee benefit expenses as a percentage of gross payroll
in order to determine the accuracy and completeness of payroll information. In addition, the auditor may examine the records regarding:
➤ hiring of employees;
➤ authorization of payroll changes;
➤ preparation and recording of the payroll information;
➤ disbursement of the payroll and protection of unclaimed wages;
➤ filing of taxation documentation; and
➤ detective mechanisms to identify ‘ghost’ employees.
Fraud within the payroll typically takes the form of payments to fictitious or ‘ghost’ employees, payments to genuine employees for hours not worked, or payments to employees at rates higher than those authorized. Once again, typical controls the auditor would look for would include:
➤ segregation of duties between the preparation and payment of the payroll;
➤ employee authentication on collection of cash sums;
➤ proper control and disposition of unclaimed payments; and
➤ controls to prevent duplicate payments.
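The analytical procedures and ghost-employee detective mechanisms described in this section come down to a few reconciliations between three feeds an auditor can normally obtain: the HR master file, the period’s payroll register and the timesheets. The script below is an added example written for this section and is not from the book; the feeds, employee ids, bank account references and amounts are constructed, and the 10% period-over-period tolerance is an assumption an auditor would replace with a figure derived from the entity’s own history.

```python
"""Added example: payroll analytical procedures and ghost-employee screens.

All three feeds below are constructed for illustration. The checks return
leads for follow-up (an employee paid while absent from the HR master, a
terminated employee still paid, pay with no recorded hours, a bank account
shared between payees); none of them is proof of fraud on its own.
"""
from collections import defaultdict
from statistics import mean

# Constructed HR master: employee id -> (classification, status)
HR_MASTER = {
    "E001": ("engineer", "active"),
    "E002": ("engineer", "active"),
    "E003": ("clerk", "active"),
    "E004": ("clerk", "terminated"),   # left last period; should not be paid
    "E005": ("engineer", "active"),
}

# Constructed payroll register for one period:
# (employee id, gross pay, tax withheld, bank account paid)
PAYROLL = [
    ("E001", 9000.0, 2700.0, "ACC-1001"),
    ("E002", 9500.0, 2850.0, "ACC-1002"),
    ("E003", 4000.0, 1000.0, "ACC-1003"),
    ("E004", 4200.0, 1050.0, "ACC-1004"),   # terminated employee still paid
    ("E005", 9200.0, 2760.0, "ACC-1002"),   # shares a bank account with E002
    ("E999", 8800.0, 2640.0, "ACC-1002"),   # no HR master record at all
]

# Constructed timesheet hours for the same period (absent id == no hours)
TIMESHEETS = {"E001": 160, "E002": 160, "E003": 152, "E005": 0}

# Constructed gross payroll totals for three periods (time-series screen)
PERIOD_TOTALS = [("2015-01", 36000.0), ("2015-02", 36400.0), ("2015-03", 44700.0)]


def average_cost_by_classification(payroll, hr_master):
    """Average gross pay per employee classification; ids not in HR fall under 'unknown'."""
    buckets = defaultdict(list)
    for emp, gross, _tax, _acct in payroll:
        classification = hr_master.get(emp, ("unknown", None))[0]
        buckets[classification].append(gross)
    return {c: round(mean(v), 2) for c, v in buckets.items()}


def tax_share_of_gross(payroll):
    """Payroll tax expense as a percentage of gross payroll for the period."""
    gross = sum(p[1] for p in payroll)
    tax = sum(p[2] for p in payroll)
    return round(100 * tax / gross, 2)


def period_over_period_flags(totals, tolerance=0.10):
    """Time-series screen: flag periods whose gross payroll moves more than
    `tolerance` (assumed 10%) against the previous period."""
    flags = []
    for prev, cur in zip(totals, totals[1:]):
        change = (cur[1] - prev[1]) / prev[1]
        if abs(change) > tolerance:
            flags.append((cur[0], round(change, 3)))
    return flags


def ghost_employee_screens(payroll, hr_master, timesheets):
    """Detective checks that surface likely ghost employees as (subject, reason) leads."""
    findings = []
    payees_by_account = defaultdict(list)
    for emp, gross, _tax, acct in payroll:
        payees_by_account[acct].append(emp)
        if emp not in hr_master:
            findings.append((emp, "paid but absent from HR master"))
        elif hr_master[emp][1] != "active":
            findings.append((emp, f"paid while status is {hr_master[emp][1]}"))
        if gross > 0 and timesheets.get(emp, 0) == 0:
            findings.append((emp, "paid with no recorded hours"))
    # One bank account receiving several employees' pay is a classic ghost indicator.
    for acct, emps in payees_by_account.items():
        if len(emps) > 1:
            findings.append((acct, "bank account shared by " + ", ".join(emps)))
    return findings


if __name__ == "__main__":
    print(average_cost_by_classification(PAYROLL, HR_MASTER))
    print(tax_share_of_gross(PAYROLL))
    print(period_over_period_flags(PERIOD_TOTALS))
    for subject, reason in ghost_employee_screens(PAYROLL, HR_MASTER, TIMESHEETS):
        print(subject, reason)
```

The ratio functions reproduce the management measures the text lists, so the auditor can compare them across periods or classifications; the screens are the detective mechanisms, and each lead should be traced back to the hiring record and payroll-change authorization before any conclusion is drawn.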

Research and Development Cycles
Auditing of the R&D cycle includes ensuring that the results of corporate expenditure are appropriately safeguarded, as well as ensuring that the company gets value for money for expenditure in this area. Ensuring that expenditure has been made on documented and authorized projects would involve reviews of:
➤ corporate R&D objectives;
➤ budgets;
➤ expenditures;
➤ documentation; and
➤ policies and procedures.
It should be noted that audits in this area are notoriously difficult, and that auditors must restrain themselves from ‘second guessing’ the R&D section and confine themselves to examining the policies and procedures governing the section and compliance with them. Overall, the auditor seeks to answer the questions:
➤ What are the objectives?
➤ Are they being achieved?
➤ If not, what corrective actions are being taken?
➤ What procedures are in place?
➤ Are the procedures complied with?
➤ Is appropriate project management in place?
➤ What controls exist to ensure that the intended purpose of the department is being achieved?
➤ Is security maintained over all work-in-progress as well as results?

Contract Auditing
Conducted effectively, improvements in controls around the awarding of contracts represent an opportunity to reduce risk and save money. A contract audit is taken to involve the evaluation and verification of the accuracy and propriety of a contractor’s controls, policies and systems. In order to achieve effective contract audits, certain critical elements need to be in place, including:
➤ appropriate executive-level support;
➤ the co-operation of both contractor and operational management;
➤ inclusion of a ‘right-to-audit’ clause in the contract; and
➤ clearly defined and understood audit objectives.
This type of audit is normally done through inspection of account books, transaction records and operational logs. Over and above the awarding of contracts, as noted under supply chain management above, a critical element for the auditor involves ensuring that all terms and conditions within the contract have been complied with. The most common reason for conducting a contract audit is to ensure that the contractor has complied with the pricing structure, since contract audits have a history of uncovering clerical errors, overpayments, and credits and debits which have been omitted. In addition to these financial and administrative issues, the auditor will typically base the scope of the audit on the perceived risk profile of the contractor and the contract itself. Risk factors to be considered would include ensuring that:
➤ sub-contracted activity is appropriately authorized, effectively managed and accurately reported;
➤ adequate control exists for the protection of customer-owned assets;
➤ reconciliations of supplies and materials are carried out in an appropriate manner;
➤ the contractor has adequate insurance to limit customers’ exposure;
➤ appropriate statutes are complied with in terms of health and safety, environmental protection, labor legislation, employment equity, taxation requirements, etc; and
➤ appropriately qualified staff are employed for the work undertaken.
Given the nature and size of expenditure covered by contracts within larger organizations, the Enterprise Risk Management strategy should include contract auditing as part of the evaluation of compliance with the overall organizational risk appetite. The size and nature of specific contracts can prioritize them from an audit perspective. The impact of a contract failure on corporate reputation may raise the inherent risk factors to unacceptable levels, requiring audit to escalate the risk to a priority level. Reputational risk can be drastically affected, either positively or negatively, by the perceived:
➤ safety of products or services;
➤ general quality of products and services;
➤ environmental impacts; and
➤ viability of strategic sourcing partners.
Contracts which have been evaluated and carry a high enough risk rating to warrant audit intervention should then be analyzed in order to develop the scope of the audit in terms of potential exposures and areas requiring substantive testing. As with any other audit, a blend of skills with appropriate knowledge of the contract objectives will typically be required. Where insufficient skills exist in-house, internal audit may draw upon external sources to supplement the audit team. These sources could include operational areas within the organization, external audit service providers or consultants or, where the need for such expertise will be ongoing, recruitment or development of additional audit skills.

Auditing Corporate Strategy
An audit of corporate strategy may be the most sensitive type of audit undertaken by the internal audit function, given that its nature involves the potential to be seen as ‘second guessing’ management. The overall objective is to assist management by reviewing the corporate vision and objectives and the business plan designed to ensure successful attainment of those objectives. The audit is not intended to review the appropriateness of the vision and objectives, but rather the nature of the business plan, the manner in which the plan was developed and the likelihood of the plan moving the company to where it desires to be. In general, the business plan must be seen to be complete, in line with the corporate vision and business strategies, and manageable. To carry out this audit, the auditor must first develop a clear and objective picture of the business environment within which the organization operates. This includes an analysis of the market arena, competitive analysis and an understanding of the financial realities under which the organization functions. Much of this information will already be available to the auditor, although not necessarily structured in a form suitable for audit purposes. Reviews would include examination of the existing business plan and any other strategic planning documents, as well as interviews with the executive and operational management teams to ensure knowledge of the business plan and alignment with the corporate objectives, and to establish the probability of the existing plan succeeding. Business processes can then be mapped against the plan in order to determine their strategic importance, as well as resource requirements and measurement criteria in respect of specific milestones as the plan progresses. Deficiencies identified in the plan itself may point to deficiencies in the planning process. Over-optimism regarding timescales and abilities, under-estimation of resource requirements and guesswork in terms of the industry environment can result in a plan which looks ideal on paper but where the probability of attainment is very low. Recommendations under these circumstances would normally take the form of improvements to the planning process and a recommendation that management revisit the plan using the approved planning process.


Chapter 15: Negotiation Skills

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the negotiating process
➤ Explain the conflict process and differentiate between functional and dysfunctional conflict
➤ Explain the role of trust in effective negotiation
➤ Define the structure of negotiations from an internal audit perspective
➤ Identify the steps involved in carrying out a successful negotiation
➤ Explain the potential roles of an internal auditor acting as a third party during organizational negotiations

Negotiation
Negotiation has been defined as ‘a process of interaction between parties directed at achieving some form of agreement that will hold and that is based upon common interests, the purpose of resolving conflict, despite widely dividing differences’.[43] This involves an exchange of information in order to establish common ground and create alternatives. Negotiation may be classified into distinct types.
➤ In integrative negotiation, both parties have an overriding objective to leave the negotiation feeling that they have gained more than they could have by other means.
➤ In distributive negotiation, each party goes into the negotiation with the objective of winning, regardless of the effect on the other party.
➤ Destructive negotiation is, as its name suggests, a highly negative form of negotiation in which one party negotiates in order to inflict damage on the other party, regardless of the impact on themselves. This is normally motivated by the desire for revenge and retribution.
➤ In an ongoing relationship, continuous negotiation is necessary. An employee/employer relationship or a supplier/customer relationship would be examples of continuous negotiation.
➤ Alternatively, there may come a time when previous good relations are threatened by a current problem and intermittent negotiation must take place.
➤ In a worst-case scenario where confrontation between parties has occurred, a crisis negotiation takes place, but unlike the previous forms of negotiation, the two parties operate from totally different power bases.

43. Spoelstra, M. & Pienaar, W. 1996. Negotiation Theories, Strategies & Skills. 2nd ed. Cape Town: Juta. p. 3.

Effective negotiations require adequate preparation. This is critical to the success of the negotiations and falls into clearly defined phases.
➤ The initial phase involves defining the objectives to be achieved within the negotiation and prioritizing them. These objectives can be prioritized into essential, realistic and ‘nice to have’. Essential objectives make up the minimum acceptable solution, while realistic objectives are those that can reasonably be expected in a compromise situation. ‘Nice to have’ objectives will be used as bargaining chips in achieving the essential and realistic ones.
➤ Preparation for the negotiation involves a careful analysis of the situation. The negotiator must establish the nature of the negotiation as defined above, and whether an ongoing relationship is important to both sides. The alternatives, should the negotiations fail to achieve their objectives, must also be considered, and the minimum believed to be sought by the opposition must be identified (obviously this will be an intelligent guess).
➤ In seeking to identify the opposition’s objectives, many issues will be involved, and issue identification forms the next step in the process. Identifying the issues from both the negotiator’s and the opponent’s perspectives and prioritizing the issues may identify areas of overlap.
➤ An essential part of the preparation is to gain and analyze information on the opposition’s negotiators. By determining their needs and personalities, the negotiators may gain insight into both the opposition’s negotiating and personal goals. Different cultural backgrounds can confuse negotiations if the negotiator is unaware of the objectives and values of the opposing party.
➤ In some negotiations, the legal implications may be a key component. Where the negotiations involve compliance with the law, legal opinion should be sought before the negotiations start.
➤ Most negotiations will have some financial consequences, and adequate financial preparation should be carried out to identify the direct or indirect financial effects of potential agreements.
➤ Having established the ground rules for the negotiations, as above, the negotiators must then decide on the tactics they will employ during the negotiation. This may include such factors as the location, the composition of the team, the particular roles individual team members will play, the agenda, the perceived common ground or even the very layout of the room.
Once all preparations have been completed, negotiations can take place.

The Climate for Negotiations
One of the strongest factors influencing the success or failure of negotiations is the climate within which they take place. Previous relationships and the degree of trust or lack of trust between the negotiating parties may influence this. Negotiations normally begin with the initial contact between the negotiators, and in the first few seconds the initial climate is established by how polite the negotiators are to each other and the way they greet each other. A poor start can put many barriers in the way of successful negotiation and unnecessarily delay the finding of a solution. Once the initial climate has been established, common ground is sought regarding the objectives of the negotiation, the agenda and the protocols to be followed. Consensus must be reached on the definition of the problem being negotiated, and it is at this stage that the negotiating group may achieve cohesion and begin working as ‘we’ rather than ‘I’. When cohesion is achieved, constructive negotiation and problem resolution can follow. The final stage of negotiation is closure – an agreement is reached and future progress is approved.

Negotiating Common Ground
It is essential that some common ground be found before the actual negotiations take place. If no common ground can be found, then probably no negotiation is possible. If the negotiators cannot even agree on the nature of the problem, there is really nothing left to negotiate! If common ground has been found, differences and conflicts can be resolved by co-operation instead of confrontation. Issues can then be defined in terms of areas of possible consensus rather than issues of dispute. If common ground is not found – or at least looked for – negotiations start from polarized positions, with each party operating from a ‘win or lose’ position. Achieving common ground is a process in its own right. The most common techniques used in this process involve the use of key questions. Agreement can only be reached once everyone involved in the negotiation has had the opportunity to consider the question and respond. The most common initial question to be answered is: ‘Why are we negotiating?’ Instead of stating the objectives of one side of the negotiation, consensus is sought as to the objectives of negotiating in the first place. In the process of questioning, it is vital that negotiators listen to the other side instead of trying to dominate by ignoring it and its position. By the same token, when questions are asked, answers must follow. Questions must be answered in a way that makes a constructive outcome possible. Questions may be answered by making statements, asking for suggestions, offering alternatives or, in some cases, remaining silent. A common – and not very constructive – tactic when questioned is to respond with another question. Once common ground has been established, it is possible, if disagreements arise, to return to the area of common ground to re-establish the negotiation.

Power
The outcome of negotiations will be strongly affected by the perception of the relative power of the negotiating parties. Where both parties perceive parity in power, constructive negotiation is more likely to follow. Where there is a disparity, the possibility exists that the more powerful party will attempt to dominate the weaker one. Power itself takes many forms.
➤ Legitimate power stems from someone’s ability to influence the negotiations because of his/her authoritative position. Organizational rank is obviously important here.
➤ Reward power stems from someone’s ability to reward compliance by another. This may be a factor of legitimate power, in that an organizational superior may have the ability to promote, provide resources or offer financial inducement. Reward power may take the form of intangible rewards such as praise, compliments, eye contact, visible indications of agreement or praise for past performance. Flattery is an example of the use of reward power.
➤ Coercive power is someone’s ability to punish another for non-compliance. It is the opposite of reward power. This power is based on the victim’s fear that negative sanctions will be imposed. Coercive power can be an effective tool for short-term gains; however, reward power is more likely to deliver long-term and sustainable results.
➤ Expert power is the power of someone who possesses expertise that is highly valued by another. When someone is believed to be an expert in a particular field, argument is less likely. If someone displays a lack of confidence in his/her own opinion, disagreement and argument often follow. Expert power is the power base from which auditors normally operate.
➤ Referent power involves the desire to be associated with someone, or with their opinions, because of their personality or charisma. Parties to a negotiation may be strongly influenced by referent power when strong personalities are involved.
➤ It may seem like a contradiction in terms, but there can also be power in weakness. Situations can be manipulated by invoking sympathy or feelings of guilt within the other party. Children exploit their own vulnerability in negotiations with parents about bedtimes or the buying of gifts and treats. In business negotiations, this can also be an effective tactic on the basis that ‘You are so big, you can afford it’ or ‘You have exploited us in the past’.
Power can be countered by trying to achieve parity with the other party. An effective way of achieving this may be to collapse your own power base. This involves one party intentionally assuming the inferior position in order to prevent the other side escalating their power base further. By simply apologizing for an acknowledged wrongdoing, one party may be able to defuse the situation and prevent further escalation. It is important for negotiators to understand power, the use of power, the sources of power and how power may be countered.

Persuasion
Given that common ground has been found but that differences still exist, the opposing party in a negotiation must be influenced so that the common ground is increased because, very clearly, an amicable agreement has to be achieved before negotiations can be completed. Negotiators will often encounter an opposing side with strong attitudes about the issues under discussion. Under such circumstances, a negotiator will have to start building a case with arguments that no one strongly disagrees with, and continue to build it piece by piece until it has been made. This is basically what persuasion is all about. Starting the negotiation with radical statements is a high-risk tactic, even if the statements are true for you.

Negotiating Conflict
Himes[44] defines social conflict as ‘purposeful struggles between collective actors who use social power to defeat or remove opponents and to gain status, power resources and other scarce values’. Some conflict can be healthy in any relationship. Without conflict there can be no negotiation. However, conflict can be dysfunctional and significantly hinder the achievement of the goals of both parties. The point where co-operation breaks down and the generation of alternative solutions ceases is normally taken to be the point at which dysfunctional conflict has begun. In dysfunctional conflict, escalation will result in mutual attacks and efforts to destroy the other party. Misjudgments and misperceptions are magnified and the ability to survive may be jeopardized. The probability of successfully achieving the participants’ goals will certainly be compromised. Conflict originates in differing goals, scarce resources, imbalances in power or ambiguity. Such conflict can be moderated or aggravated by the tactics employed within the negotiation. Individuals’ aspirations and perceptions, coupled with the history of their relations (which can be good or bad), can increase or decrease the potential for conflict. Conflict behavior may range from termination of relationships through coercion to physical violence.

44. Himes, J.S. 1980. Conflict and Conflict Management. Athens: University of Georgia Press. p. 14.

Interviewing
For an auditor, interviewing is a critical communication process. Often, you will be in the position of receiving information in an interview, and therefore have a responsibility to listen carefully. This is not as easy as it sounds. When dealing with a series of interviews, it is difficult to maintain your focus. Listening is an active function and an acquired skill, and, generally, we have a lifetime of bad habits to overcome. Poor listening habits include losing your concentration by becoming impatient with speakers, or simply allowing minor annoyances to distort their message. This usually results in your interrupting the speaker in order to make your point, instead of listening as a good receiver should. Boredom can lead to ‘scanning’ what is being said: in effect, you stop listening unless you hear a key word that interests you. You may also allow yourself to be distracted by personal priorities, by prejudging the anticipated information, or even by taking dictation (i.e. writing down every word heard without trying to understand what is being said). It is difficult to develop good listening habits and, in particular, to maintain interest in an otherwise boring information transfer. Nevertheless, you can learn to encourage the person you are speaking to with non-verbal support (nods of the head, paralinguistics, etc). In addition to giving non-verbal support, you can also be alert to non-verbal behavior such as body language, gestures, etc. Summarizing and recapping what has just been said gives the sender the message ‘I am listening and I understand’. You must learn to be sensitive to the clues in the message the sender is broadcasting, and to be non-critical when you are evaluating the information you are listening to. In preparing for an interview, you must clarify in your own mind the aims and objectives of the interview. The interview may be taking place for you to gain knowledge or confirm facts.
It may be intended to impart knowledge, to persuade or to assist an auditee to make a decision. Deciding whom to interview will be dependent on the objectives of the audit or negotiation. In all cases, you must ensure that the interview is properly organized. This includes the time schedule (be on time), the place (ensure that it will be appropriate and free of distractions), travel and reception (if you are going to them, know how to get there; if they are coming to you, ensure that they are expected at reception). Preparing for the interview involves your doing some homework or 145

Internal_Auditing.indb 145

16/04/2015 11:12

INTERNAL AUDITING: AN INTEGRATED APPROACH

research on the interviewee. By doing this, you can be aware of any of the interviewee's special requirements or priorities before the interview actually starts.
➤ The first phase of the interview is the introduction. During this phase, you should try to relax the interviewee by establishing a rapport and removing, as far as possible, any fears that the interviewee may be suffering from. For example, by smoothing the status fears during diagonal communication, you may be able to relax the other party and improve the discussion.
➤ When the interview is actually under way, you should set the scene. During this phase, the interviewer may do most of the talking. The background, goals and objectives of the audit or interview need to be explained. However, this phase should not dominate the interview. Some auditors find that visual aids such as diagrams, charts or even photographs may help here.
➤ Questioning may be structured or unstructured. A structured interview may adopt the checklist approach, in which the interview follows the structure of 'what happens next'. An alternative to sequential checklists is the less structured objective-based approach, where questions are sequenced by business or control objectives. This can keep the interview focused on the key perspectives from your point of view, but can be disjointed in attempting to ensure that all stages of a process have been covered. The questions themselves should be open-ended, which basically lets the interviewee set the direction the interview will take. This normally happens when you have no background knowledge. Open-ended questions typically begin: 'Tell me about...'; or 'Explain to me how...'. 'Yes or no' questions may be conversation stoppers and eventually cause the interview to grind to a halt. A useful technique is the hypothetical question. This would be along the lines of: 'What would happen if you were sick and a relief manager was brought in to replace you?' You should be aware that multiple choice questions may well result in the answer the interviewee thinks you would like to hear. Often in everyday conversation we anticipate the answer to a question and start to formulate the next question before the first one is fully answered. In an extreme case, this can make it obvious to the interviewee that you are not listening. You must learn to listen, evaluate and perhaps modify your approach based on the answers given. Paraphrasing or summarizing can leave the interviewee with the impression that you have listened and understood.
➤ At the end of the interview, you should conclude by answering any final questions the interviewee might ask, explaining what will happen next and allowing the interviewee to make any final statements. Common courtesy dictates that you should thank the interviewee and make your farewells. Remember that, even at this stage, a parting word from you, taken out of context, could be misinterpreted.
➤ Once the interview is concluded, you must document any salient points that arose. Decisions taken or comments by the interviewee leading to new knowledge must be recorded. If the interview involves a team of auditors, one of them should be designated as the minute-taker to ensure that the permanent written record of the meeting documents the facts as the team understands them.

NEGOTIATION SKILLS

Negotiating/Interviewing as a Consultant

In some cases, auditors may find themselves negotiating in the role of a consultant. There is an old saying: 'Those who can, do; those who can't, consult'. So when you are acting as a consultant, establishing credibility up front is critical. Consulting is not simply a matter of offering advice. You can be a highly effective consultant simply by listening and permitting the auditees to talk through their problems and find their own solutions. Above all, consultancy requires a non-judgmental approach. As a consultant, you can be a supporter of management or a recommender of action. The latter is probably the most common audit role in consulting. To carry it out successfully requires you to be very confident about your abilities, since acting as a catalyst for change will require the breaking of old bad habits. You are then in the position of trying to move the auditee out of a comfort zone and may encounter a great deal of resistance. Allowing the auditee to find his/her own solution, if agreement can be achieved on the problem, may be more effective and less stressful for both parties. From time to time, you may have to take the role of instructor or educator on good business practices. If this is necessary, you must be sensitive to the fact that you may not always be right and that the management team itself may have some thoughts on what is good business practice for its particular business.

SECTION 3

The Practice of Internal Auditing

CHAPTER 16

Types of Internal Audit

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly and differentiate the nature and type of internal audits that may be requested:
◗ Compliance audits
◗ Performance and operational audits
◗ Environmental audits
◗ Financial audits
◗ Fraud audits
◗ Quality audits
◗ Program results audits
◗ IT audits
◗ Audits of significant balances and classes of transactions
➤ Explain the effect of the nature of the audit on the skill mix required and the timing of the audit

Compliance Audits

Compliance audits are carried out in order to determine whether a business entity has complied with specific policies, plans, procedures, laws, regulations or contracts that affect the organization. In order to successfully complete a compliance audit, there must be established criteria against which the compliance can be measured.

Financial Audits

During a financial audit, an auditor looks for evidence relating to the reliability and integrity of financial information. Within a financial audit, the normal measurement criteria against which historical financial information is evaluated are recognised financial reporting frameworks, such as IFRS. When such audits are conducted by an internal auditor, the information is normally intended to be used by management for internal decision-making purposes. Under these circumstances, the audit may include both operating and financial data. Financial audits normally include both a review of the accuracy and completeness of the numbers themselves and an evaluation of the adequacy and effectiveness of the controls that management has implemented to safeguard assets. These could include controls to ensure that the organization receives all funds to which it is entitled, that the funds are adequately secured and maintained, and that they are appropriately spent for authorized purposes. Auditing of financial statements is directed at assessing the accuracy of financial reports relating to financial condition and operating performance. This form of auditing is usually associated with external audit and includes ensuring the fairness of financial reporting.

Performance and Operational Audits

Performance auditing involves firstly determining management's objectives, followed by establishing whether the management controls that exist lead to effectiveness, efficiency and economy. An auditor must determine:
➤ which key performance indicators are in use;
➤ whether they are appropriate; and
➤ whether control objectives have been achieved.
The term 'operational audit' is commonly used to cover a variety of audit types. An operational audit may cover the evaluation of some or all of:
➤ internal controls;
➤ compliance with laws, regulations and company policies;
➤ the reliability and integrity of financial and operating information; and
➤ the effective and efficient use of resources.

Environmental Audits

Environmental auditing emerged as a compliance management tool in the USA in the late 1970s. This was an era of rapidly expanding environmental regulation and a number of highly publicized incidents of environmental pollution. While there is no single, universally accepted definition of environmental auditing, there is broad consensus on what environmental auditing consists of and what it tries to accomplish. Environmental auditing has been defined as a systematic, documented, periodic and objective review by regulated entities of facility operations and practices related to meeting environmental requirements. The development of environmental auditing was further spurred by actions of the US Securities and Exchange Commission, which in the early 1970s began to require companies to disclose significant costs of complying with environmental standards. During a typical environmental audit, a team of qualified inspectors conducts a comprehensive examination of a plant or other facility to determine whether it is complying with environmental laws and regulations. The team systematically verifies compliance with applicable requirements using professional judgment and evaluations of on-site conditions. The team may also evaluate the effectiveness of systems in place to manage compliance and assess the environmental risks associated with the facility's operations. Effective environmental audit programs have a number of characteristics in common. They require the strong support of their organization's management. They also require adequate allocation of resources to hire and train audit personnel. In addition, to be effective, audit programs must operate with freedom from internal or external pressure and employ quality assurance procedures to ensure the accuracy and thoroughness of audits.


Fraud Audits

Fraud auditing involves assisting management in the creation of an environment that encourages the detection and prevention of fraud in commercial transactions. This may involve assisting in setting the standard for the organization with an appropriate code of conduct and conflict-of-interest policy. A fraud auditor must know:
➤ the realm of fraud possibilities (How can it happen?);
➤ the sources of information and evidence (Where do I look?);
➤ whether the environment is conducive to fraud (Is fraud likely?);
➤ the areas of fraud opportunity (Where can it happen?); and
➤ the laws of evidence (How can I prove it?).
A fraud auditor must be capable of conducting a review of internal controls, assessing the strengths and weaknesses of those controls, identifying abnormal transactions and distinguishing between errors and fraudulent entries. This may involve following a computerized audit trail. Fraud auditing is less a methodology and more an attitude, with the focus on identifying exceptions, oddities, accounting irregularities and patterns of conduct. The most common schemes perpetrated by lower-level employees involve payments (such as invoices for suppliers who do not exist or paying 'ghost' employees), while most higher-level frauds involve such items as hiding expenses to make the fraudster look like a good manager, showing income that did not occur or showing favoritism in awarding government contracts. A fraud auditor's job is to determine whether a fraud, theft or embezzlement has occurred and, if so, whether there is a criminal law dealing with the matter and whether there is an apparent breach of that law, since not all frauds can be prosecuted under criminal law. If so, who was the perpetrator, who was the victim and how can it be proved? An auditor must be alert for red flags and indicators, such as changes in personal behavior patterns or substantial departmental growth or decline beyond the norms. Knowledge that an official:
➤ is undergoing emotional trauma;
➤ is betting heavily;
➤ is drinking heavily or using drugs;
➤ is sexually promiscuous;
➤ is heavily in debt;
➤ is overambitious; or
➤ enjoys a lifestyle beyond the means of his/her remuneration
should alert an auditor to the possibility of fraud. Fraud detection approaches may be reactive, where an auditor reacts to allegations and complaints, suspicions and management's intuition. Proactive auditing involves ensuring adequate internal controls through periodic audits, intelligence gathering, reviewing of variances or logging of exceptions.
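The proactive approach just described, reviewing variances and logging exceptions, is where computer-assisted testing earns its keep. The following Python is an added example and not from the textbook: it runs the classic exception tests for the two lower-level schemes named above (payees unknown to HR, terminated staff still on the payroll, one bank account shared by several payees, and a supplier whose address or bank account matches an employee's) over a small, constructed payroll run and vendor master. The data, field names and finding codes are all assumptions for illustration. Every hit is a lead for the auditor to follow up and to distinguish error from fraud, not a conclusion.

```python
"""Proactive fraud exception tests over constructed payroll and vendor data.

Added example, not from the textbook. The HR master, payroll run and vendor
master below are constructed for illustration; the field names are assumptions.
"""
from collections import defaultdict

# Constructed HR master: the employees Human Resources knows about.
HR_MASTER = {
    "E100": {"name": "A. Dlamini", "address": "12 Oak Rd",  "terminated": False},
    "E101": {"name": "B. Naidoo",  "address": "7 Elm St",   "terminated": False},
    "E102": {"name": "C. Botha",   "address": "3 Pine Ave", "terminated": True},
}

# Constructed payroll run: who was paid and into which bank account.
PAYROLL_RUN = [
    {"emp_id": "E100", "bank_acct": "1111", "gross": 8750.0},
    {"emp_id": "E101", "bank_acct": "2222", "gross": 6400.0},
    {"emp_id": "E102", "bank_acct": "1111", "gross": 7200.0},  # terminated, paid into E100's account
    {"emp_id": "E999", "bank_acct": "3333", "gross": 8800.0},  # unknown to HR
]

# Constructed vendor master.
VENDOR_MASTER = [
    {"vendor_id": "V1", "name": "Acme Supplies",  "address": "90 Industrial Pk", "bank_acct": "9001"},
    {"vendor_id": "V2", "name": "Elm Consulting", "address": "7 Elm St",         "bank_acct": "2222"},
]


def normalise_address(addr):
    """Crude normalisation so trivially different spellings still match."""
    return " ".join(addr.lower().replace(",", " ").split())


def ghost_employee_tests(payroll_run, hr_master):
    """Payees not in HR, terminated staff still paid, and one bank account shared by several payees."""
    findings = []
    payees_by_acct = defaultdict(list)
    for rec in payroll_run:
        emp = hr_master.get(rec["emp_id"])
        if emp is None:
            findings.append(("NOT_IN_HR_MASTER", rec["emp_id"]))
        elif emp["terminated"]:
            findings.append(("PAID_AFTER_TERMINATION", rec["emp_id"]))
        payees_by_acct[rec["bank_acct"]].append(rec["emp_id"])
    for acct, emps in payees_by_acct.items():
        if len(emps) > 1:
            findings.append(("SHARED_BANK_ACCOUNT", acct, tuple(emps)))
    return findings


def fictitious_vendor_tests(vendor_master, payroll_run, hr_master):
    """Vendors whose address or bank account matches an employee's: a classic shell-supplier indicator."""
    address_to_emp = {normalise_address(e["address"]): eid for eid, e in hr_master.items()}
    acct_to_emp = {r["bank_acct"]: r["emp_id"] for r in payroll_run}
    findings = []
    for v in vendor_master:
        addr = normalise_address(v["address"])
        if addr in address_to_emp:
            findings.append(("VENDOR_ADDRESS_MATCHES_EMPLOYEE", v["vendor_id"], address_to_emp[addr]))
        if v["bank_acct"] in acct_to_emp:
            findings.append(("VENDOR_ACCOUNT_MATCHES_EMPLOYEE", v["vendor_id"], acct_to_emp[v["bank_acct"]]))
    return findings


def run_all():
    """All exceptions from one pass over the constructed data."""
    return (ghost_employee_tests(PAYROLL_RUN, HR_MASTER)
            + fictitious_vendor_tests(VENDOR_MASTER, PAYROLL_RUN, HR_MASTER))


if __name__ == "__main__":
    for finding in run_all():
        print(finding)
```

On a real extract the same tests run unchanged. The address matching is deliberately crude and would be replaced by proper address normalisation, and the shared-account test should also be run against the previous period's run so that bank details changed just before pay day are caught.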


Quality Audits

Quality auditing may be defined as a systematic and independent examination to determine whether quality-related activities are implemented effectively and comply with the quality systems and/or quality standards. Quality assurance (QA) is usually an ideology or set of aspirations that puts quality at the center of an organization. Unfortunately, the implementation of QA systems seldom attains the ideal of achieving a quality-based corporate culture. In practice, QA is normally left to managers to impose on employees through a new class of supervisory regulators. In ineffective installations of QA programs, a throwback can be seen to the early days of management science, with the creation of bureaucratic controls. As seen by auditors, QA cannot be directly equated with assuring 'quality' in the normal sense of the word, synonymous with 'excellence'. Quality auditing is a technical term for auditing that is focused on systems and processes rather than outcomes. This follows the corporate governance concept that the properly constituted organization should be based around a system of well-controlled systems and processes. Quality auditing has become associated with older forms of management of quality such as TQM. As such, quality auditing is associated with quality enhancement strategies rather than traditional quality control inspections. Quality enhancement focuses on creating a corporate culture centered on quality, as opposed to quality control, which was a reactive process after the event and involved rejecting sub-standard products and services. If quality is viewed in terms of the appropriateness of systems and processes rather than the more traditional achievement of the correct outcomes, auditing moves from the necessity of having to define best practice and desirable outcomes to evaluating the quality of the processes themselves. Defining the key performance indicators has always been a contentious point in negotiating with management for the audit. Reaching agreement on standard systems of practice is normally considerably easier, since little interpretation is required. From this, it follows that a proper organizational structure is comprehensively systemized and documented, and is therefore fully auditable.

Program Results Audits

Program results auditing is auditing of the accomplishment of established goals and objectives for operations and programs. In practical terms, this means audits that determine whether the desired results are being achieved, as well as whether management has considered alternatives to achieve the same results at a lower cost. Conducting such audits involves:
➤ ascertaining whether a specific objective or goal has been clearly defined for a particular function;
➤ ascertaining whether the objective or goal is relevant and consistent with management's intent; and
➤ evaluating any variance between the results and their original stated goals and objectives.


In addition, the cost-effectiveness of a given program is evaluated, as is the cost benefit of continuing a program. Typically, in the private sector, efficiency and effectiveness are measured in terms of profitability. In the public sector, efficiency and effectiveness are generally measured in terms of service delivery. This itself involves quantifying the benefits received and the effects both to the beneficiaries of a program and the community at large. Many auditors make extensive use of statistical analysis over a period of time, drawing inferences from the results of the statistics. Complaint records may give a good indication of the extent to which given operations or programs satisfy the needs of the target market. Management themselves may well be able to give advice on the appropriateness of the programs and the measurement criteria.

IT Audits

IT audits come in a variety of forms that are fully covered in Section 5. Furthermore, any of the above types of internal audit could involve the use of computers or, for that matter, the audit of computer systems.

Application Audits

Application audits such as the auditing of inventory, payroll, procurement, sales, treasury and other specific business functions have their own specific characteristics, and the audit program will typically involve a certain degree of standard audit tests, as in the examples below.

Audits of Significant Balances and Classes of Transactions

Inventory Audits
The first step in any inventory audit is normally to determine the existence of the inventory, usually by observation. This would include finished stock, raw materials and work-in-progress, and an evaluation of management's controls regarding stocktaking or cycle counting. The policies and procedures regarding custody of inventory, receipt of inventory (to ensure its completeness, quality and appropriateness) and issuance of inventory (to ensure its authorization and completeness) would also be evaluated to determine their adequacy. Procedures for writing off inventory would also be examined, as would the corporate policies on slow-moving and obsolete stock. Inventory handling controls to prevent damage to stock would additionally be tested. Depending on the nature of the audit, the auditor may also investigate the appropriateness of stock levels, buffer stocks, frequency of stock outages and economic order quantities.

Payroll Audits
With payroll processing involving the disbursement of corporate assets, control within this area is normally seen to be critical. As such, the auditor would examine the current payroll procedures in order to ensure that proper separation of duties exists and that proper supervisory control is exerted. Payroll records would be verified against original authorized transactions, for example overtime claimed, and the accuracy of calculations determined by re-computing totals. The adequacy and frequency of bank reconciliations would be determined and the error procedures for handling discrepancies examined. The auditor would usually also seek to determine whether duplicate checks had been cleared or whether checks were still outstanding on the bank account.

Procurement Audits
Procurement audits usually seek to determine that corporate procedures for procurement have been complied with in the areas of procurement procedures and related documentation, authorization, purchase orders, receiving and inspection, and to ensure that the items procured are authorized, of appropriate quality, at an agreed price, delivered to the correct place at the correct time and procured from an authorized supplier. They may also seek to determine that the purchasing function adequately addresses the needs of corporate users. Where procurement involves a competitive bidding process, further audit tests may be required to evaluate the process itself in order to ensure that no bias is introduced into the contract awarding process. It should be noted that most organizations have a separate procedure for the acquisition of minor items permitting the bypassing of normal procurement procedures, but this should be the exception rather than the rule.

Target achievement can also be reviewed, as can the degree to which achievement is successful. Where commission payments are made based upon achievement of sales targets, the auditor may further seek to determine that the person receiving each payment is entitled to it, and that payments have been accurately calculated and paid in a timely and appropriate manner. Control over sales based on credit may additionally involve the auditor in determining the procedures used to determine credit limits and the creditworthiness of a customer, as well as the controls in place to recover debt in an acceptable time scale.

Treasury Audits
Audits of the treasury function involve three main areas: the front office, the back office and general management. The front office, where the deals are made, normally requires that security be maintained over the dealing area and that all deals are properly authorized to organizational standards and are within dealing limits. Deals themselves must be recorded accurately and completely, and proper controls over the accounting for deals must be maintained. Within the back office, where the recording of deals takes place, the processing of deals is of paramount importance, as is the recording of payments and the reconciliation of deals to accounting records. General management must ensure the appropriate segregation of duties between front and back office and over incompatible duties within each.
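Both the payroll and treasury audits above turn on segregation of duties, and the quickest evidence of whether it exists is an entitlement extract from the application. The following Python is an added example and not from the textbook: it tests a constructed list of users and the functions they hold against a constructed set of toxic combinations (front office versus back office, create supplier versus approve invoice, maintain employee master versus run payroll) and notes whether management has registered a compensating control for the conflict. Users, functions, rules and the exception register are all assumptions for illustration.

```python
"""Segregation-of-duties (SoD) conflict test over a constructed entitlement extract.

Added example, not from the textbook. Users, functions, the conflict rules and the
exception register are all constructed for illustration.
"""

# Constructed extract of application entitlements: user -> functions they can perform.
ENTITLEMENTS = {
    "alice": {"deal_entry", "deal_confirmation"},          # front office and back office
    "bob":   {"deal_confirmation", "deal_settlement"},     # back office only
    "carol": {"vendor_create", "invoice_approve"},         # can create a supplier and approve its invoices
    "dave":  {"employee_master_maintain", "payroll_run"},  # can add an employee and then pay them
    "erin":  {"deal_entry"},                               # front office only
}

# Constructed conflict rules: holding any function on the left together with any on the
# right is a toxic combination. The description names the control objective at risk.
CONFLICT_RULES = [
    ({"deal_entry"}, {"deal_confirmation", "deal_settlement"},
     "front office (dealing) vs back office (confirmation/settlement)"),
    ({"vendor_create"}, {"invoice_approve", "payment_release"},
     "create supplier vs approve/pay supplier invoices"),
    ({"employee_master_maintain"}, {"payroll_run", "payroll_approve"},
     "maintain employee master vs run/approve payroll"),
]

# Constructed exception register: conflicts management has accepted with a documented
# compensating control. Treated as evidence to follow up, not as closing the finding.
EXCEPTION_REGISTER = {
    "dave": "monthly payroll variance review signed off by the finance director",
}


def sod_violations(entitlements, rules, exception_register):
    """Return one finding per (user, rule) toxic combination, noting any compensating control."""
    findings = []
    for user in sorted(entitlements):
        funcs = entitlements[user]
        for left, right, objective in rules:
            held_left = funcs & left
            held_right = funcs & right
            if held_left and held_right:
                findings.append({
                    "user": user,
                    "objective": objective,
                    "functions": tuple(sorted(held_left | held_right)),
                    "compensating_control": exception_register.get(user),
                })
    return findings


def unmitigated(findings):
    """Violations with no compensating control on record: these go straight to the report."""
    return [f for f in findings if f["compensating_control"] is None]


if __name__ == "__main__":
    found = sod_violations(ENTITLEMENTS, CONFLICT_RULES, EXCEPTION_REGISTER)
    for f in found:
        status = ("mitigated: " + f["compensating_control"]) if f["compensating_control"] else "UNMITIGATED"
        print(f"{f['user']}: {f['objective']} via {f['functions']} [{status}]")
```

In a live system entitlements usually arrive indirectly through roles and group memberships, so the extract must be flattened to user-to-function before the test is run. A registered compensating control is something to go and test, not a reason to drop the finding.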

Impact on the Skill Mix

The skills requirements of the individual auditor and the internal audit function as a whole will be largely dependent on the nature and scope of the internal audits that they undertake. While no auditor is expected to be an expert in all fields, the skill mix must be appropriate to ensure the adequacy of audit coverage of all planned audits to a professional standard.


CHAPTER 17

The Internal Audit Process and Documentation

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the processes involved in conducting an audit
➤ Describe in detail the steps necessary to undertake each of these processes
➤ Identify critical success factors for each stage of the process
➤ Describe the appropriate internal audit measurement criteria for ensuring an effective audit
➤ Explain the role of quality working papers in ensuring audit success
➤ Design an appropriate structure of working papers for the organization
➤ Design an appropriate preliminary outline audit program based on the nature of the audit

Objectives of Audit Service Delivery

The primary objectives of the audit service delivery process are to:
➤ align the internal audit resources with the business objectives of the organization;
➤ effectively and efficiently identify risks directly related to the business objectives;
➤ deliver value to the audit clients; and
➤ ensure efficiencies throughout the audit process.

Planning
Internal auditors must gain a thorough understanding of the client's business objectives and co-develop the expectations regarding internal audit's alignment with these business objectives. A mutual understanding is required of the scope of the internal audit services among internal audit management, executive management, the audit committee or board of directors, and the operational management of the organization.

Risk Assessment
Once the business objectives have been clarified, there must be an assessment of the risks that potentially limit the achievement of the organization's business objectives. Many audit departments prefer to accentuate the positive aspects rather than stress the negative effects of risks. As such, they may prefer to look on this phase as the establishment of control objectives. The implication here is that if, for example, the loss of confidentiality of client records is a major business risk, then the maintenance of confidentiality would be a prime control objective. This will probably involve the internal audit function in developing a risk assessment of the more important processes and organizational components. This risk assessment process establishes inherent risk (ie the risk level if there were no controlling elements). Risk priorities for the auditable units form the primary, but not the only, basis for the allocation of audit frequencies in the audit plan. Such a risk assessment would be reviewed and approved at least annually by the client's executive management and the audit committee. Based on this, the functional area to be audited can be selected and the individual audit process can start.

The Macroprocesses of the Internal Audit Process A brief discussion of each stage of the generic audit process, as reflected in Figure 17.1, is first set out in this section. These stages are then discussed in greater detail.

Figure 17.1: The generic audit process

PLANNING: Business Objectives → Control Objectives → Selection of Auditee → Audit Preparation → Audit Objectives → Preliminary Survey
EXECUTION: Evidence → Control Analysis → Technique → Audit Programme Preparation → Tool → Test → Expanded Test → Evaluate
REPORTING: Develop Findings → Report → Follow-up
EVALUATION: Evaluate Audit Process

THE INTERNAL AUDIT PROCESS AND DOCUMENTATION

Audit Planning
In order to ensure a quantifiable probability of achieving the audit objectives, proper planning must take place to optimize the use of scarce and expensive internal audit resources. The audit plan identifies the individual audits to be carried out during the period, the skills and resources required to execute the audits, and their timing and duration. In developing the plan, the internal auditor must consider:
➤ the total available hours for the overall engagement;
➤ the need for management discretionary projects; and
➤ the depth of audit required in each area.
Of these, the depth of audit is normally the most difficult to assess. The depth of the audit assignment is dependent on the auditor's assessment of the residual risk within the assignment area. This is arrived at largely on the basis of the auditor's expectation of the effectiveness of the existing internal control structure. Where internal control is expected to be good (after reviews of previous working papers, discussions with management, etc), the audit may only need to confine itself to a confirmation that the controls are still functioning as they are meant to. Where internal control is suspected to be sub-standard, the extent of substantive testing will usually have to be extended and therefore the audit will last longer. Obviously, such planning is based on expectations and will have to be modified in the light of reality as the audit progresses. The audit plan must be reviewed and approved by the client's executive management and the audit committee. It needs to be updated when necessary to reflect significant changes in the client's risk profile that may result from changes in the organization's structure, business operations, and/or new products and services.

Execution
Internal auditors carry out the audits of auditable units as set forth in the audit plan. They may focus on the specific risks to the control objectives for that auditable unit. Even the agreed control objectives, however, may have to change as the audit progresses. Controls to manage the risks (preventive, detective, corrective and directive) are identified and evaluated on the assumption that all controls function as intended. This permits an auditor to evaluate the theoretical adequacy of the system of internal controls, ie whether, if the controls function as intended, there is sufficient control to reduce risk to a level acceptable to management. Once the adequacy of control has been evaluated, the auditor proceeds to select those control elements that are especially critical to adequacy of control. These key controls are then tested to determine the effectiveness of the system of internal control. It should be noted that the source of evidence of the effectiveness of a control might not lie in the control itself. A lock and key on a door does not provide evidence as to whether anyone ever turns the key or how many keys there are. A proper focus on the objective of the control (a lock to keep people in, or a lock to keep people out) can direct an auditor to other sources of evidence regarding the effectiveness of the control. Is any record kept of strangers found in areas they are not allowed to be in, for example? Typically, these sources of evidence will provide information about the effectiveness of several controls simultaneously (locks, walls, bars, etc).

Reporting the Results
Auditors report the results of their work to the appropriate levels of management responsible for the area audited, executive management and the audit committee. The primary audience for the report is the first level of management able and empowered to take effective action on any findings. Once management has implemented its chosen actions to achieve the control objectives, a follow-up review must be carried out.

Evaluation
The final stage of the process is the evaluation phase, in which the auditors conduct a quality assessment on their process in order to refine the audit process for future audits. The objective is to determine what went right, what went wrong and what lessons can be learned for the future. These steps will now be discussed in greater detail.
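The inherent-risk assessment described under Risk Assessment earlier in this chapter, together with the available-hours and depth-of-audit considerations under Audit Planning above, can be expressed as a small scheduling routine. The following Python is an added example and not from the textbook: over a constructed audit universe it scores inherent risk as likelihood times impact, discounts it by the expected effectiveness of control to obtain residual risk, maps residual risk to an audit cycle, estimates hours (confirmation only where control is expected to be good, extended substantive testing where it is not) and schedules the units that are due, highest residual risk first, within the hours available. The units, scales, bands and hour estimates are assumptions for illustration.

```python
"""Risk-based audit planning over constructed auditable units.

Added example, not from the textbook. Units, scores, bands and hour estimates are
constructed assumptions; the 1-5 likelihood and impact scales are assumed too.
"""

# Constructed risk register: one row per auditable unit. control_effectiveness is the
# auditor's expectation (0 = no control, 1 = fully effective) formed from prior working
# papers and discussion with management; years_since_audit drives what is due.
AUDIT_UNIVERSE = [
    {"unit": "Treasury",    "likelihood": 4, "impact": 5, "control_effectiveness": 0.8, "years_since_audit": 1},
    {"unit": "Payroll",     "likelihood": 3, "impact": 4, "control_effectiveness": 0.5, "years_since_audit": 3},
    {"unit": "Procurement", "likelihood": 4, "impact": 4, "control_effectiveness": 0.3, "years_since_audit": 2},
    {"unit": "Canteen",     "likelihood": 2, "impact": 1, "control_effectiveness": 0.6, "years_since_audit": 5},
]

MAX_INHERENT = 25                       # 5 x 5 on the assumed scales
CONFIRMATION_HOURS = 40                 # controls expected good: confirm they still operate
SUBSTANTIVE_HOURS_PER_RISK_POINT = 4    # extended substantive testing scales with inherent risk
GOOD_CONTROL_THRESHOLD = 0.7            # assumed cut-off for "control expected to be good"


def inherent_risk(unit):
    """Risk level if there were no controlling elements at all."""
    return unit["likelihood"] * unit["impact"]


def residual_risk(unit):
    """Inherent risk discounted by how effective the controls are expected to be."""
    return inherent_risk(unit) * (1 - unit["control_effectiveness"])


def audit_frequency_years(unit):
    """Map residual risk to a cycle length in years (bands are assumptions)."""
    share = residual_risk(unit) / MAX_INHERENT
    if share >= 0.5:
        return 1
    if share >= 0.25:
        return 2
    if share >= 0.10:
        return 3
    return 5


def estimated_hours(unit):
    """Depth of audit: confirmation only where control is expected good, else extended substantive work."""
    hours = CONFIRMATION_HOURS
    if unit["control_effectiveness"] < GOOD_CONTROL_THRESHOLD:
        hours += SUBSTANTIVE_HOURS_PER_RISK_POINT * inherent_risk(unit)
    return hours


def build_plan(universe, available_hours):
    """Schedule the units that are due, highest residual risk first, within the hours available."""
    due = [u for u in universe if u["years_since_audit"] >= audit_frequency_years(u)]
    due.sort(key=residual_risk, reverse=True)
    scheduled, deferred, remaining = [], [], available_hours
    for u in due:
        hours = estimated_hours(u)
        if hours <= remaining:
            scheduled.append((u["unit"], hours))
            remaining -= hours
        else:
            deferred.append(u["unit"])  # due but unfunded: escalate to the audit committee
    return {"scheduled": scheduled, "deferred": deferred, "unallocated_hours": remaining}


if __name__ == "__main__":
    for u in AUDIT_UNIVERSE:
        print(u["unit"], inherent_risk(u), round(residual_risk(u), 1),
              audit_frequency_years(u), estimated_hours(u))
    print(build_plan(AUDIT_UNIVERSE, available_hours=200))
```

The bands and hour estimates are exactly the kind of planning expectation the text says must be revisited as the audit progresses, and the deferred list is the material the audit committee needs to see when it approves the plan.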

The Management Process The management process begins with an understanding of the organization’s business. Until this is achieved, any attempt to determine organizational needs will be at best misleading and at worst disastrous. Once the overall objectives and environment of the business have been established, establishing the needs becomes a comparatively easy task. Identifying and examining the key activities whose effective performance can make or break an organization will determine the organization’s needs. These key activities must themselves be monitored and therefore ambitious performance objectives must be established early in the planning process. For every performance objective, there will be a range of threats, which, if fulfilled, will either reduce the effectiveness or totally negate the objective. These must be assessed in a formal risk assessment to determine the appropriate corporate coping strategy. Management must determine the coping or control strategies, and then the appropriate controls to address the risks identified must be selected. The actual controls must be implemented and monitored, and controls should exist to ensure that this happens. Controls, once implemented, must perform effectively, and periodically management must evaluate and review performance with this in mind. Understanding the Organization’s Business This is a combination of a theoretical approach using literature searches on the organization and its functions in the business press, combined with a reading of annual reports in order to obtain the whole picture. This theory will be combined with a more practical approach involving interviewing members of staff in order to both evaluate their understanding of the business and to confirm the auditor’s understanding. Site visits to observe the operation 160

Internal_Auditing.indb 160

16/04/2015 11:12

THE INTERNAL AUDIT PROCESS AND DOCUMENTATION

of specific business functions will also help. Further information and confirmation may be derived by comparing the current understanding of the controls to those identified and in operation during previous reviews. Establishing the Needs Once the overall objectives and environment of the business have been established, the overall needs must be determined. A study of the organization’s mission statement will indicate its general performance objectives. Management should have established strategic plans and objectives in order to ensure that these are achieved. By interviewing executive management, employees and perhaps even customers and suppliers, the business needs for the successful accomplishment of the objectives can usually be determined. Identifying Key Activities The major products and services that are the key activities involved in meeting the business objectives must be identified. Once again, this will involve determining the level of management's understanding of: ➤ customer needs and sizes; ➤ the competition and their probable response patterns; and ➤ which are their own key performance areas (KPAs). The KPAs are those activities that will make or break the organization. Establishing Performance Objectives For each KPA, performance objectives must be established. This involves seeking core activity targets that are both achievable and, at the same time, stretching. Key performance indicators (KPIs) must be identified that will enable the performance to be measured appropriately. The risks and threats that could lead to non-achievement, underachievement or even failure must then be assessed. Both external and internal threats must be considered. ➤ Internal threats are those over which management has complete control, such as choice of vendor. ➤ External threats are those that management cannot directly control, but for which it must nevertheless develop a coping strategy, such as interest rate fluctuations or actions by competitors. 
Deciding on the Control Strategies
Once the full risk analysis is complete, management is in a position to decide what activities must be ensured, as well as which risks must be managed and which transferred. This, in turn, will dictate which risks can be cost-effectively prevented, which must be detected and how a materialized risk can be corrected. Business risks need to be prioritized and trade-offs will be required, since control measures are often contradictory. For example, the need for process efficiency may trade off against the effectiveness of that process. Once again, it is management’s role to establish business priorities, including control strategy priorities.

Internal_Auditing.indb 161

16/04/2015 11:12

INTERNAL AUDITING: AN INTEGRATED APPROACH

Implementing and Monitoring the Controls
For controls to be effective, they must be monitored, and wishing them into existence will not accomplish this. Controls result from the planned and thoughtful intervention of management to achieve a specific end. Monitoring may take several forms, including:
➤ self-assessment;
➤ the use of regular audits; and
➤ the introduction of continuous improvement programs.
Controls have to be frequently reviewed for ongoing relevance and for their effectiveness, and must be modified and adapted where required.

Evaluating and Reviewing Performance
The auditing process is designed to determine where to audit as well as what to audit, and may use any and all of:
➤ control strategy assessment;
➤ control adequacy and effectiveness;
➤ performance quality assessment;
➤ unit performance reporting; and
➤ follow-up.
Overall, the standards of audit performance must be at a professional level. This typically means to a level laid down in the IIA’s Standards for the Professional Practice of Internal Auditing.

Implementation of the Generic Audit Process
1. The audit process flows from the business process in that the primary requirements for any audit are to establish firstly the business objectives and then the control objectives of a particular audit area. For example, the overall business objective of the purchasing department may be to buy raw materials. The control objectives would include buying the right materials, in the right quantities and of the right quality, at the right prices, in an authorized manner, for delivery to the right places at the right times.
2. The audit objectives are typically, but not always, to determine if one or more control objectives have been achieved, are being achieved and will continue to be achieved.
3. In order to determine this, an auditor will have to look for evidence of the achievement or non-achievement of these objectives. Since many of the controls that management will have implemented will be preventative ones, an auditor will have to look for detective controls to establish whether or not the control objectives have been achieved.
4. After identifying the source of the evidence, the appropriate audit techniques may be selected. These techniques may include any of the standard ones such as observation, analysis, computer interrogation, questioning, etc.
5. The auditor, after deciding on the techniques, will select the appropriate methodology or tool, such as interviewing, use of generalized audit software, use of questionnaires, etc.
6. When the auditor has selected all the techniques and tools he/she will use, he/she will conduct the tests in a structured format.
7. The evidence gathered would be evaluated against the standard of the evidence sought in step 3, above. Depending on what has been found, the auditor is in a position to decide whether the control objective has or has not been achieved, and will or will not continue to be achieved.
8. The results of the evaluation, together with the substantiating evidence, the auditor’s opinion and conclusions, and the appropriate recommendations will be presented to management in the form of a formal audit report.
9. Agreed actions will be followed up to ensure they have been implemented or that the risk of non-implementation has been accepted by the appropriate level of management.
10. The audit process is concluded by an evaluation of the audit process itself in order to refine it for future audits.

The Audit Process Structure
The audit process can be formalized into a stylized structure in order to implement it as a standardized program. In this case, the individual steps would map onto the generic audit process as follows.

Planning
This phase consists of three main activities, namely:
➤ selection of the auditee;
➤ audit preparation; and
➤ the preliminary survey.

Selection of the auditee
Selection of the auditee is generally based on an organization impact evaluation. This is a broad-brush approach, designed to arrive at an approximate risk evaluation of a business entity. It gives the frequency of audit, but not necessarily its depth or focus areas. This can be simplified into mandatory and discretionary audit activities based on a small number of risk factors, which may or may not be weighted to allow an auditor to reflect management’s overall concerns. This is normally done on an annual basis in preparing the overall audit plan for approval by the audit committee. From time to time, it may be necessary to vary the audit plan because of unexpected risk elements arising or changes in management priorities.

Audit preparation
Once the audit area has been selected, audit preparation must be carried out to clarify:
➤ the overall business objectives of the area;
➤ any significant secondary objectives;
➤ any interrelational objectives with other business areas; and
➤ any deviations from the business objectives.
For each area, an auditor must determine the key performance areas, which are the areas whose performance can make or break the operation, as well as the associated control objectives for each KPA. These could involve any of the general control objectives, such as:
➤ control over assets;
➤ the reliability and safeguarding of information;
➤ compliance with policies, etc; and
➤ the effectiveness and efficiency of operations.
An auditor can usually determine the business and control objectives by reviewing past working papers, talking to other auditors, determining the existence of corporate guidelines and standards, and verifying against industry norms where possible.

Preliminary survey
The preliminary survey enables the auditor to confirm the understanding he/she has gained within the audit preparation section. In the event of this being the first audit of an area, the two sections can be combined. In any event, the auditor should use this opportunity to identify sources of information and contact personnel for the detailed testing stage. At this stage, also, the auditor should start to gain a preliminary feel for the expected level of internal control. Also, the detailed audit objectives, timing, reporting schedule, etc, will be confirmed with the client.

Execution
The execution phase contains three activities, namely:
➤ control description and analysis;
➤ preparation of the audit program; and
➤ expanded tests of control systems.

Internal control description and analysis
The control analysis activity requires that an auditor determine the key performance indicators, how the organization ensures that its control objective is attained, and whether the controls are adequate.
➤ Internal control description and analysis involves the identification and description of controls, on many occasions a transaction or operation ‘walk-through’, and sometimes even a limited testing of controls. While the object is not to test the functional effectiveness of controls, evaluation of internal controls will allow the controls to be assessed as if fully functional. At this stage, the auditor may be able to determine with minimal testing that the control structure, even if fully functional, is nevertheless inadequate for a given level of risk. This means that risk reassessment must already have taken place.
➤ The scope of control identifies what is being audited. Internal auditors are required to evaluate the adequacy and effectiveness of the overall system of internal control and the quality of performance. ‘Adequacy’ in this respect refers to the design of the system of internal control, ie how it is supposed to operate, while ‘effectiveness’ refers to the ‘degree of compliance with key control procedures’. Is the system functioning in accordance with management's intentions? In determining scope, the auditor takes into account the objectives of internal control systems, which are to:
◗ ensure the reliability and integrity of information;
◗ promote compliance with policies, plans, procedures, laws and regulations;
◗ ensure the safeguarding of assets; and
◗ promote the effective and efficient use of resources.
Often all four control objectives will form part of the audit, while limited audits such as a fraud investigation usually result from a specific complaint.
➤ Controls may be designated as preventative, detective, corrective and directive, and a combination of all four types is usually required. Their adequacy is determined by taking each control objective and determining which controls are believed to assist in the attainment of the control objective. Such information may be derived from discussions with auditees and management, and reviews of standards and procedures to establish what is supposed to happen.
➤ Assuming the controls function as intended, the auditor must determine whether there is sufficient control to bring the level of the risk of non-achievement of the control objective to that specified by management. If this is not the case, recommendations will normally be made to increase the level of internal control by either adding additional controls or by transferring the risk.
➤ Once the control structure has been found to be adequate, the auditor must then determine where the evidence can be found that the controls actually function as intended: which records, which personnel and which computers. From this, he/she can establish how the evidence can be obtained: by examination, analysis, interviews or data interrogation.
A detailed schedule of which controls will be tested, how, and seeking what evidence, makes up the detailed audit program. It should be noted that the audit program is always preliminary and may be changed, depending on what is found when testing actually gets under way.

Preparation of the audit program
The audit program is a detailed series of expanded tests designed to obtain evidence regarding the achievement of control objectives. A common mistake made by auditors is to simply list the questions to be answered instead of developing a roadmap of what steps must be taken to answer these questions.

Expanded tests of control systems
The expanded tests of control systems are the heart of the audit. They become part of the audit program and may involve changes to audit scope and/or objectives. They may, in turn, affect both the audit team and timing. These tests involve an in-depth examination of the auditee in order to provide the basis for audit conclusions. They may utilize any or all of an auditor’s tools and techniques. They basically involve the execution of the audit program. This normally takes up most auditor time and effort, and can be optimized if the previous steps have been carried out correctly.
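The risk-factor-based selection of the auditee described under Planning above, worked through as an added example (this code is not from the book): a small set of weighted risk factors scores each auditable entity, mandatory audits are scheduled regardless of capacity, discretionary ones compete for the remaining audit days, and the plan is re-run when a risk element changes mid-year. The factor names, weights, thresholds, entity names and day costs are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed risk factors and weights. An internal audit function would set
# its own to reflect management's concerns; each entity is scored 1 (low) to
# 5 (high) on every factor. Nothing here is drawn from the book.
FACTOR_WEIGHTS = {
    "financial_impact": 0.35,   # size of the money flows the entity controls
    "control_history": 0.25,    # prior findings and known control weaknesses
    "rate_of_change": 0.20,     # reorganisations, new systems, staff turnover
    "external_exposure": 0.20,  # regulatory or customer-facing exposure
}
MANDATORY_THRESHOLD = 4.0  # at or above: audited every year, whatever the capacity
DISCRETIONARY_FLOOR = 2.5  # below: deferred; in between: competes for audit days


@dataclass
class Entity:
    name: str
    scores: dict            # factor name -> 1..5
    mandated: bool = False  # audit required whatever the score (e.g. by a regulator)


def risk_score(entity, weights=FACTOR_WEIGHTS):
    """Weighted average of the factor scores, normalised back to the 1..5 scale."""
    missing = set(weights) - set(entity.scores)
    if missing:
        raise ValueError(f"{entity.name}: unscored factors {sorted(missing)}")
    for factor, value in entity.scores.items():
        if not 1 <= value <= 5:
            raise ValueError(f"{entity.name}: {factor}={value} outside 1..5")
    total = sum(weights.values())
    return round(sum(weights[f] * entity.scores[f] for f in weights) / total, 2)


def classify(entity):
    """Mandatory, discretionary or deferred, from the score and the mandated flag."""
    score = risk_score(entity)
    if entity.mandated or score >= MANDATORY_THRESHOLD:
        return "mandatory"
    if score >= DISCRETIONARY_FLOOR:
        return "discretionary"
    return "deferred"


def build_annual_plan(entities, capacity_days, day_cost):
    """Schedule mandatory audits first, then discretionary ones in descending
    score order while audit days remain. Returns (plan, days left); days left
    goes negative when mandatory work alone exceeds capacity, which is itself
    something to raise with the audit committee."""
    ranked = sorted(entities, key=lambda e: (e.mandated, risk_score(e)), reverse=True)
    plan, remaining = [], capacity_days
    for entity in ranked:
        category = classify(entity)
        if category == "deferred":
            continue
        cost = day_cost[entity.name]
        if category == "mandatory" or cost <= remaining:
            plan.append((entity.name, category, risk_score(entity)))
            remaining -= cost
    return plan, remaining


def revise_plan(entities, capacity_days, day_cost, name, new_scores):
    """Re-plan when a risk element changes during the year (a reorganisation,
    a new system) and report which entities enter or leave the plan."""
    before = {n for n, _, _ in build_annual_plan(entities, capacity_days, day_cost)[0]}
    updated = [
        Entity(e.name, {**e.scores, **new_scores}, e.mandated) if e.name == name else e
        for e in entities
    ]
    after = {n for n, _, _ in build_annual_plan(updated, capacity_days, day_cost)[0]}
    return sorted(after - before), sorted(before - after)


def _entity(name, fi, ch, rc, ex, mandated=False):
    return Entity(name, {"financial_impact": fi, "control_history": ch,
                         "rate_of_change": rc, "external_exposure": ex}, mandated)


# Constructed audit universe: five entities and their estimated cost in auditor days.
ENTITIES = [
    _entity("Treasury", 5, 3, 2, 4, mandated=True),  # regulator requires a yearly review
    _entity("Purchasing", 5, 5, 3, 3),
    _entity("Payroll", 4, 2, 2, 3),
    _entity("Facilities", 2, 2, 1, 2),
    _entity("Marketing", 3, 3, 4, 3),
]
DAY_COST = {"Treasury": 30, "Purchasing": 40, "Payroll": 20, "Facilities": 15, "Marketing": 20}

if __name__ == "__main__":
    plan, left = build_annual_plan(ENTITIES, capacity_days=110, day_cost=DAY_COST)
    for name, category, score in plan:
        print(f"{name:<12}{category:<14}{score}")
    print("unallocated days:", left)
    # Facilities rolls out new building-management systems mid-year: its change
    # and control-history factors rise, and it displaces the lower-scoring Payroll audit.
    print(revise_plan(ENTITIES, 110, DAY_COST, "Facilities",
                      {"rate_of_change": 5, "control_history": 4}))
```

Treasury is scheduled on the mandated flag even though its score is below the threshold; the revised plan shows why the text says the annual plan must be treated as provisional.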


Audit fieldwork is a systematic process involving planned audit steps designed to meet audit objectives. The process is designed to be unbiased and obtains proof based on the body of evidence. Care should be taken to ensure that each test is actually telling you what you believe it is. The overall purpose is to gain additional information so that auditors can have more confidence in their conclusions, which result from the gathering of evidence for measurement and evaluation. Audit measurement is a means of reaching an objective conclusion.

Audit Testing
Audit testing for purposes of gathering audit evidence may take many forms, as discussed in detail in Chapter 19, to which the reader is referred.

Evaluating
Evaluating is the estimation of worth and arriving at a judgment. It involves conclusions drawn from facts accumulated and is the basis for professional judgment. Audit measurement is normally for comparison to a standard such as time taken for a task or rejection rates in manufacturing. If there are no published standards, an auditor may have to develop them. In these cases, the standard should be based on the operation objective and the auditor's experience. Such standards should be verified with a qualified expert before any evaluations are carried out.

Developing and Reporting Findings and Recommendations

Findings
There are four elements that combine to make a good audit finding:
➤ condition: what is;
➤ criteria: what should be;
➤ cause: why the condition exists; and
➤ effect: risk inherent in the condition.

Recommendations
Recommendations come in four forms:
➤ Make no changes.
➤ Increase internal control.
➤ Transfer risk.
➤ Change the required rate of return for a given risk level.
The recommendations selected may be made in conjunction with the auditee; however, the recommendation is ultimately the auditor's.

Reporting
This phase of the audit contains three activities, namely:
➤ the development of findings;
➤ reporting; and
➤ follow-up.


These activities map to steps 7, 8 and 9 of the generic audit process, given above.

The development of findings
The development of findings involves determining the degree to which control objectives have been achieved, which can be:
➤ fully and consistently;
➤ mostly or frequently;
➤ partially or seldom; or
➤ never.
Findings should be made up of four specific elements, namely:
➤ criteria: that which should be;
➤ condition: that which the auditor found;
➤ cause: the weakness in or failure of internal control that permitted the condition; and
➤ effect: the impact on the business.

Reporting
Reporting includes documenting and communicating results, and the reputation of both the auditor and the internal audit function rests largely on the final report. As a general rule, audit reports should contain:
➤ audit objectives;
➤ scope;
➤ questions;
➤ general procedures;
➤ findings; and
➤ recommendations.
The report of findings and recommendations should be signed by the head of internal audit, as evidence of his/her commitment to the contents. The names of the internal auditors working on the engagement may be included in the report. Increasingly, audit reports are being accompanied by a personal presentation. In either event, they should include auditees' comments in order to present an objective appearance, and may be discussed in preliminary form at a closing conference with the auditees. An auditor should never forget that the audit report is the output from the audit process, and the last word on management’s comments remains with the auditor. The reports themselves should be:
➤ objective;
➤ clear;
➤ complete;
➤ concise;
➤ constructive; and
➤ presented on time.

Follow-up
If nothing happens as a result of the audit, the whole exercise was a waste of time. A follow-up must be done to investigate, evaluate and report the effect of the audit. This follow-up may be performed by executive management, in conjunction with auditees, by another auditor, or the original team may do it, but it MUST be done.


There are two phases involved. Management chooses either to:
➤ take appropriate action on the audit findings; or
➤ accept the risk of not taking action.
The auditors must find out what action was taken and whether it was appropriate. Follow-up reports are normally directed to those who received the original report, and the key focus must be on the attainment of the control objectives, not necessarily on the implementation of audit recommendations.

Audit Evaluation
The final phase is the same in both the generic audit process and the audit process structure, namely audit evaluation. This involves the auditors evaluating the audit process itself in the light of what went wrong, what went right and what can be learned to improve future audits.


CHAPTER 18

Control and Performance Evaluation

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the types of internal control an auditor is liable to encounter, together with their strengths and weaknesses
➤ Differentiate between control objectives and the controls, policies and procedures intended to assist management in achieving them
➤ Design an appropriate detailed audit program to evaluate both the adequacy and effectiveness of the internal control structures to an appropriate level
➤ Identify and select the critical controls for testing and select appropriate testing methods

The Nature of Internal Controls
Controls are virtually an automatic function of our daily lives. Whether we are aware of it or not, we all perform several control functions daily. Some require careful forethought, while others are performed as a matter of habit. Individuals learn at an early age that in a family, certain rules are laid down by the parents regarding how their children will behave and who will undertake which tasks. These rules become the guiding principles of family life and are enforced by the family as a whole. Rules exist in every area of our lives to ensure that one person’s desires do not conflict with another’s liberties. Without such rules, there can be no order and no assurance of how things will happen. In order for such rules to be effective, we need means of:
➤ enforcing the rules;
➤ detecting when they are broken; and
➤ reducing the impact if they are broken.
These means are known as controls. In business, we can say that we carry out these control procedures as a reaction to possible financial loss, error or irregularity that may take place.

Internal Controls
While it is clearly management’s responsibility to design and implement internal controls in an organization, the role of the internal auditor is one of assessing and reporting on internal controls for a variety of different purposes. This responsibility is captured in the guidance in IIA Practice Advisory 2120.A1-1: Assessing and Reporting on Control Processes.


‘Three key considerations in reaching an evaluation of the overall effectiveness of the organization’s risk management and control processes are:
➤ Were significant discrepancies or weaknesses discovered from the audit work performed and other assessment information gathered?
➤ If so, were corrections or improvements made after the discoveries?
➤ Do the discoveries and their consequences lead to the conclusion that a pervasive condition exists resulting in an unacceptable level of business risk?’

A control is any action taken by management to increase the likelihood that the objectives and goals they have established are achieved. It results from management’s planning, organizing and directing, and the many variants (eg management control, internal control, etc) can be included in the generic term. Management controls are intended to ensure that an organization is working towards its stated objectives. Control responsibility is clearly management’s job and encompasses planning, organizing and directing.
➤ Planning in this case is taken to mean the establishing of objectives and goals as well as choosing the preferred methods of using resources.
➤ Organizing involves the gathering of the required resources and arranging them so that the objectives may be attained.
➤ Directing includes the authorizing, instructing and monitoring of performance, as well as periodically comparing actual to planned performance.
Management decisions may be classified as strategic, tactical or operational. Internal audit ensures that the system of internal control will be effective and functions as intended. The level of control needed will be affected by overall objectives.
➤ Corporate objectives are statements of corporate intent (‘Costs will be reduced by 20 per cent over the next year’).
➤ Management objectives define how the corporate objectives will be met (‘Costs will be reduced by reducing material wastage by 10 per cent and reducing stock theft by 60 per cent’).
➤ Operating objectives are aimed at ensuring that programs to achieve management objectives are properly planned and executed in detail (‘All waste must be written in a waste book and excessive waste will be checked by supervisors weekly’).
If we take operating objectives, for example, these direct the day-to-day activities and may, in themselves, conflict, so that we find a conflict between the need for control and the need for timeliness, ie there is a clash between efficiency and effectiveness.
The overall prioritization of objectives directs the development of controls and will affect the final, overall system of controls. If the overall objectives are growth and providing service, in a dynamic and rapid growth environment control systems may not keep pace and the risk is higher. As such, the need for frequent audits is increased. If the objective is cost reduction, in a stable environment control systems should be stabilized and risk is lower, so the frequency of audit would be reduced.

In practical terms, it is impossible to evaluate the adequacy of an internal control or a set of internal controls unless the control objective has been clearly defined. Unless it is known whether the lock on the door is designed to keep people in or to keep people out, no evaluation can be made of which side the key should be on. A control objective is therefore a statement of intent, which controls are designed to assure. Another way to look at this is to see control as the other side of the coin to risk. If there is a risk of theft of assets, the control objective is then to ensure that assets remain safe.

Cost/Benefit Considerations
Objectives must take into consideration the cost of trying to achieve them. ‘As quickly as possible’ implies zero controls other than for speed, while ‘No rejects’ implies strong internal controls covering all aspects of quality. Controls must be practical, useful, achievable and compatible with both operating and control goals, and there is always a trade-off between cost and benefit, since all controls cost money (is it worth spending R200 to prevent a possible loss of R100?). A control cycle is set out diagrammatically in Figure 18.1.

Figure 18.1: A typical control cycle
➤ Setting standards of performance
➤ Defining performance measurements
➤ Measuring actual performance
➤ Comparing actual with standards
➤ Taking corrective action if necessary

Defining Performance Measurements
Before measurement can take place, standards must be defined. Measurement standards must be relevant to the task in hand and accepted by both the controller and those being controlled. The measurement indicators themselves should be comparatively inexpensive but effective. Many measurement criteria are based on financial data, but this is not always appropriate. For example, the performance measurement for a salesperson may be a financial indicator (achieving a sales target), but for a factory the number of rejected parts may be more appropriate, and for a service firm the degree of customer satisfaction may have to be measured.

Measuring Actual Performance
After the performance measurements have been agreed, the actual performance can be measured. In a continuous flow process, measurement may involve samples being taken for evaluation. In other types of process, external monitoring or observation for comparison to the standard may be required. The simple process of measuring is, in its own right, insufficient. It is only by comparison to an appropriate standard that you can judge whether actual performance is effective and efficient. Any deviations from the standard must be followed up in order to determine whether the deviation is a result of poor performance or because the standard itself was wrong. If the deviation was caused by poor performance, a further examination will be required to determine the cause of the poor performance. Where a deviation indicates problems, corrective action will be required, but a favorable deviation is also possible and this can give significant clues regarding areas where overall performance may be improved across the organization. One drawback to this type of measurement is the wastage of valuable management time in the search for explanations for trivial deviations from the standard. Degrees of tolerance must be set to avoid excessive reporting of insignificant deviations. Should corrective action be necessary, action must be taken to implement the appropriate control structures to remedy the situation. This could involve closer supervision of operations or improved detective controls. Alternatively, the control cycle may need to be revisited in order to redefine standards or introduce revised performance measurement criteria.

Administrative vs Accounting Controls
Administrative controls typically focus on how operations take place and may have no directly visible impact on the numbers involved in operating an organization (turnover, profitability, etc), while accounting controls address completeness, validity, authorization and accuracy of information and show up quickly in operating numbers. Ultimately, administrative controls will have a long-term impact on how departments run themselves and whether their objectives are achieved. Financial evaluations typically emphasize accounting controls while operational evaluations emphasize administrative controls. When these are related to the objectives of internal control, we can see at a detailed level that they encompass the following.

Reliability and integrity of information

➤ financial accounting information:
◗ budgets;
◗ cost reports; and
➤ operating information:
◗ activity levels;
◗ functional responsibilities.

Compliance with policies, plans, procedures, laws and regulations

➤ ensure compliance with laws and regulations imposed externally;
➤ ensure planned, systematic and orderly operation; and
➤ may require the manager to evaluate the adequacy of policies, plans and procedures.

Safeguarding of assets

Normally the most visible controls include:
➤ locks on doors;
➤ safes; and
➤ security guards.


They may include non-tangibles, such as:
➤ dual custody; and
➤ computer passwords.

Effectiveness and efficiency of operations

➤ Effectiveness involves the achievement of established objectives and should be the ultimate focus of all operations and controls. It may be assessed by examining and evaluating the overall system of internal control.
➤ Efficiency reflects whether ‘scarce resources’ are optimally used and includes waste reduction and reducing the underutilization of resources.

Types of internal controls

➤ Preventative controls occur before the fact but are never 100 per cent effective.
➤ Detective controls detect irregularities after their occurrence and may be cheaper than checking every transaction with a preventative control.
➤ Corrective controls ensure the correction of problems identified by detective controls and normally require human intervention. They are themselves highly error prone since they occur in unusual circumstances.
➤ Directive controls are designed to produce positive results and encourage acceptable behavior. They do not in themselves prevent undesirable behavior and are normally used where there is human discretion in a situation.
➤ Compensating controls exist where weaknesses in a control may be compensated for by a control elsewhere. They are used to limit risk exposure and may trap the unwary evaluator.
Under-control is cheap to implement but may cost you the organization, while over-control is expensive and paralyzing.

Internal Control Structures
The internal control structure is a combination of the control environment itself, the accounting system, and the specific control procedures, policies and security measures undertaken by the organization to protect its assets. The control environment establishes the tone of the organization and establishes the framework within which the employees will or will not implement good internal controls. It is normally taken to comprise seven specific components, namely: management’s operating style; the quality of the board of directors and audit committee; the ethical values espoused by the organization; the organizational structure; the organization’s human resources policies and practices; the design of the organizational structure itself; and the assignment of authorities and responsibilities. The accounting system involves both the safeguarding of assets as well as the ensuring of the reliability and accuracy of financial and operational information.
As far as the specific control procedures themselves are concerned, the elements making up an effective internal control framework include:
➤ A good audit trail whereby transactions can be traced to their recording in the accounting information system and the recorded information can be traced back to the originating transaction documentation.
➤ Safeguarding of assets to minimize the risks of damage to assets as well as theft.
➤ Management reviews of control procedures to ensure, on an ongoing basis, their ability to mitigate risk to an acceptable level.
➤ Competent and ethical employees to ensure that the individuals responsible for implementing internal control are both capable and honest.
➤ Segregation of inappropriate organizational responsibilities to ensure asset custody, transaction authorization and reconciliations are performed by separate individuals.

Testing of Internal Controls
Not all controls are created equal in achieving a specific control objective. For every control objective there will be a series of controls designed and implemented in order to achieve the desired goal. Some of these controls will have a minimal impact on that specific control objective, while others will be key controls without which the control objective cannot be achieved. A further complication arises in that many of the key controls will be preventative controls leaving behind no evidence to check. An auditor may have to look elsewhere to find appropriate evidence on which to base conclusions as to the effectiveness of the internal controls. The design of a comprehensive audit program is covered in Chapter 17.


CHAPTER 19

Engagement Planning

Learning objectives
After studying this chapter, you should be able to:
➤ Describe the planning procedures that should be followed for each audit and the factors that affect planning decisions
➤ Describe the procedures conducted in the preliminary survey of operations
➤ Explain how an internal auditor develops findings and recommendations from the audit work performed
➤ Outline briefly the tasks of an audit supervisor in planning an individual audit engagement
➤ Explain the techniques the supervisor may use to ensure the audit engagement is proceeding to plan
➤ Define and explain the control techniques available to the audit supervisor in controlling the engagement project
➤ Explain the ongoing nature and role of internal audit quality evaluation in ensuring an effective service delivery

Engagement Planning

IIA Practice Advisory 2200-1: Engagement Planning sets out clearly the responsibilities of an internal auditor as follows. ‘The internal auditor is responsible for planning and conducting the engagement assignment, subject to supervisory review and approval. The engagement program should:
➤ Document the internal auditor’s procedures for collecting, analyzing, interpreting, and documenting information during the engagement.
➤ State the objectives of the engagement.
➤ Set forth the scope and degree of testing required to achieve the engagement objectives in each phase of the engagement.
➤ Identify technical aspects, activity objectives, risks, processes, and transactions that should be examined.
➤ State the nature and extent of testing required.
➤ Be prepared prior to the commencement of engagement work and modified, as appropriate, during the course of the engagement.’

Planning

Planning is the cornerstone of successful auditing. Poor planning will result in failure to achieve audit objectives, as well as audits that are insufficient in scope, with unidentified risks, and that make inefficient use of resources.


INTERNAL AUDITING: AN INTEGRATED APPROACH

The planning process involves:
➤ identifying those tasks to be performed in the course of an audit;
➤ allocating the tasks to individual auditors;
➤ deciding when a task should take place; and
➤ quantifying how long it should take to execute.

Basing planning on the nature and scope of the work to be performed ensures the efficient and effective use of audit resources. A structured, documented audit plan is essential to establish the criteria against which the audit will be measured. The extent and division of the planning process will depend on the nature and complexity of the audit envisaged. If it is the first time a specific area has been audited, more time will be required in the planning process to handle a greater variety of unknown elements. If the area has been audited in the past, time must be set aside to ensure that there have been no major changes to structures or controls in the interim. Such planning helps to establish the objectives and scope of the audit, anticipate problems and achieve flexibility in identifying the control objectives and risks, as well as the controls designed to achieve the objectives and manage the risks.

The planning process will typically follow the structure provided in Chapter 17 and should cover all of the steps in the process. At any time up to the completion of the audit, the plan should be looked on as provisional and subject to amendment, depending on what is found. If a straightforward compliance audit uncovers red flags of fraudulent activity, a choice must be made as to whether to continue with the original audit or redesign it as a fraud investigation. Where planning has been inadequate, it is much less likely that the full scope of the audit will be achieved in a cost-effective manner. It is very unwise to underestimate the time it takes to carry out comprehensive planning. It should be done early enough in the process to ensure that the appropriate resources can be made available and that the techniques of testing envisaged are fully understood by all concerned.

Once again, planning should be viewed as a continuous process, with elements covering both the annual planning for the audit function as a whole and the planning of the individual audit. The annual audit plan is normally based on the overall risk assessment of the organization, coupled with an inventory of the available audit resources. Any methodology used to allocate audit resources must be applicable to the variety of lines of business and services that firms offer. The allocation itself can be simplified into mandatory audit activities and discretionary audit activities:
➤ Mandatory audit activities are those activities that must be carried out within the time span of the audit plan. These activities could be to ensure compliance with legal or regulatory requirements, senior management requirements or external auditor liaison requirements. Usually these activities are assigned the greatest risk values and are therefore automatically selected. Make sure that senior management requirements are in fact requirements and not simply nice to have.
➤ Discretionary audit activities must then be allocated within the time remaining. This is normally done within predefined risk limits.


Many audit departments maintain a five-year rolling plan of audit coverage reflecting the complete audit universe. This plan is updated annually as part of the overall planning process and is maintained throughout the year to reflect ongoing changes within the organization and its risk environment. Detailed planning for each audit assignment is also carried out annually. Each auditable entity scheduled for audit in the forthcoming year is analyzed so that any component of the audit that requires advanced planning may be dealt with. Items such as special support, access to information systems, co-ordination with other audits and advanced training may then be planned as need requires.

The actual audit itself will be planned and conducted in the way given in Chapter 17. The individual tasks that must be scheduled as part of the audit process will involve notifying management of the audit prior to the starting date and obtaining any information required to complete the audit planning. This information, together with any records required as part of the planning process, should be delivered to the supervising auditor before the start of the work. As part of the planning, consideration may be given to whether any records should remain under the control of internal audit once management have been notified of the impending audit.

A key part of the planning process is to ascertain those records and individuals that will enable an auditor to identify key controls and procedures that could have a significant impact on the focus of the audit and the key controls to be audited. This would involve the auditor reviewing previous working papers and any permanent files maintained by internal audit in order to find relevant information. If the area has been audited by the independent external auditors, they may be consulted to give their input to the planning process.

An initial meeting with a client will be planned to confirm the auditors’ understanding of the business and control objectives of the auditee entity, and the current operating environment. At that meeting, the auditor should ask about any current business and operational plans that will affect the audit or the time period to be commented on within the audit. Scrutiny of the operating objectives and forthcoming budget for the area under review may help. The auditor may also look for any external factors such as unique legal or regulatory requirements that could influence the timing, extent or nature of the audit.

Although nominally part of the annual plan, in practice the general risk assessment is performed during both the annual audit planning process and the preliminary survey phase of the audit. The auditor in charge should review the annual planning documentation to familiarize him-/herself with the information contained in that document and integrate it into the present audit plan.

Based on an agreed understanding of the auditee’s business, the next stage to be planned is the identification of those controls that the auditee believes can be relied on to mitigate the business risks. Key internal controls must be identified and methods of deriving evidence as to the adequacy of these controls must be designed. At this stage, an auditor must always bear in mind that assessing their adequacy involves evaluating the controls as if all were working fully. It is only after the adequacy has been evaluated that the key internal controls can be selected for testing. If the system of internal controls itself is inadequate, ie it does not adequately reduce the risk to an acceptable level, recommendations will be made at this stage to improve the control situation. This normally involves the design of new controls to plug the gap not currently covered.


Once the adequacy of the system of internal control has been determined, the planning will proceed to those tests needed to assess the effectiveness of the chosen controls. In addition to testing the controls as they currently operate, the auditor may need to schedule time to test the consistency with which the controls were applied throughout the time period under review. Planning this stage is a critical element, which provides a transition into the fieldwork phase of the audit.

Once the methodology for testing the key controls has been established, the auditor must assess the need for the use of specialized audit tools and information technology. If the tools are not currently available, enough time must be given to acquire and become familiar with them.

The final stage in the planning process for the audit assignment is the issuing of an engagement letter to the auditee management. Spelled out in this letter are the:
➤ participants;
➤ timescales;
➤ requirements for auditee participation;
➤ areas to be covered; and
➤ areas to be excluded.

It is important that this letter documents the risks, major controls and control objectives that will be audited.

Unplanned Work

It is always necessary to allocate a percentage of the internal audit budget for discretionary or ad hoc projects. Such projects can include fraud investigation or other specific investigations in areas where management have concerns. Many auditors fall into the trap of budgeting an optimistically low percentage of their resources for this category. If the audit function’s track record over previous years indicates that 20 per cent of resources have been used for ad hoc work, then budgeting 10 per cent for the forthcoming year is an exercise in hope rather than good judgment. Internal audit must also budget a percentage of the resources to cover time that is not directly related to internal auditing. This could include training, leave, sick leave and work that is not a part of internal auditing, such as liaison requirements for the external independent auditors.

Project Management

A project may be defined as a temporary endeavor undertaken in order to create a specific result. It is temporary in that it has a specific beginning and a finite end and is brought into being in order to accomplish a temporary objective. It should be noted that it is the project itself which is temporary and not necessarily the results of the project. An audit project may last only a few days but its impact on the organization may endure for many years. Indeed, the intent is that the impact of an audit project will be long lasting. As with any other business endeavor, audit projects involve a degree of risk, including the risk of not achieving the audit objectives, achieving them in an unacceptable time scale or achieving them at an unacceptable cost.


In order for the project to achieve its desired objectives, appropriate project management will be required, utilizing a variety of management skills and disciplines as well as the implementation of appropriate tools and techniques. Project management is generally accepted as comprising six specific elements:
➤ Project initiation
➤ Project planning
➤ Project execution
➤ Project monitoring
➤ Project controlling
➤ Project closing.

Project initiation involves scoping the audit based on the criteria established in conjunction with the auditee, encompassing the control objectives of the auditee, potential risks and exposures, and a selection of the appropriate form the audit should take (compliance, operational or any other form). From this an approximation of the size and composition of the project team may be established.

Project planning involves breaking the audit down into specific tasks to be achieved, allocating work to individuals, and determining the timing and overlaps of specific audit phases. Planning techniques such as Gantt charts, CPM and the like may come into play in scheduling the work. At this stage budget and cost estimates can be prepared, taking into consideration the logistics of the audit, including travel and accommodation if appropriate. Planning will also involve the selection of the appropriate monitoring techniques to be enacted during the audit.

Project execution will involve the audit team leader in ensuring that the whole audit process is directed towards achievement of the scope and objectives initially established. This normally involves monitoring progress against the plan and, where deviations occur, modifying the plan in order to put the project back on track.

Project monitoring is traditionally done by monitoring time spent against plan, although this may not be the most effective way of project management. Rather, monitoring against predetermined key indicators established at the end of critical audit components may be more appropriate.

Project controlling involves the lead auditor maintaining the group focus, control and quality of work done and ensuring that unforeseen circumstances or risks do not inadvertently obstruct completion of the audit.

Project closing can be as difficult for audit as for any other project. The temptation exists to ‘just check one more thing’, resulting in a significant deviation from the scope, timing, costing and quality of the overall audit. It is part of the role of the lead auditor to bring the project to a successful conclusion, evaluate and discuss with the team the successes, failures and learning points of the audit, and determine which conclusions and evidence will be communicated onwards via the audit report.


The lead auditor’s role is to ensure that, ultimately, the audit project achieves its objective. This involves establishing clear objectives for the audit project and organizing resources to provide adequate assurance that the objectives will be achieved within acceptable quality, cost and time constraints. Periodically, unforeseen circumstances will place competing demands on resource availability for the audit project, and this will then involve adjustments to the audit approach, timing, and possibly even the scope of the audit.

Project Plan

An audit project plan which delivers the desired impact on the business, to the scope specified in the original audit engagement, at the time promised to the auditees and within the cost constraints originally planned, would be classed as a high-quality audit. The reality of the situation, however, is that few audit projects actually achieve all of the desired deliverables specified above. Audit supervision will be required to make decisions involving balancing those deliverables within the constraints of the audit scope, time and resources available. In addition, all audit planning is carried out based upon a supposition of what will be found. This uncertainty can result in drastic changes to an audit plan if the control environment found does not match the expectation. The changes can be positive as well as negative since, once the audit has started, it may be discovered that the internal control structures are more robust and effective than anticipated and the degree of direct testing may be reduced from that originally planned. More commonly it will be found that internal control is not at the level suggested by management during the preliminary survey and that audit testing will have to be extended, resulting in changes to the cost and duration of the audit. This uncertainty may be defined as project risk.

Corporate Environment and Cultural Climate

Audit projects, perhaps more than any other, must be seen to operate within a corporate environment and cultural climate, since the auditors are looking at the internal control, which ultimately is exercised by individuals within the organization. Audit findings and recommendations as a result of audit findings will impact those individuals, and sensitivity to the ethnic, educational, religious and economic characteristics of the auditees must be considered throughout the audit process. Previous experience with audit and perceptions of the role and authority of audit will similarly require consideration. In the audit of international organizations, custom as well as legal implications will also impact the effectiveness of the audit process across cultural divides. National holidays, time zones and local political conditions may also affect project communication and the use of advanced technology within audits. The perceived role of internal audit can impact on both the effective interchange of information as well as the ability to influence management to implement appropriate control remedies, should deficiencies be found. Even negotiation can degenerate into squabbles based upon cross-cultural misinterpretation of both verbal and visual communications, and motivation becomes problematic. Project management will involve the lead auditor in utilization of a variety of problem-solving initiatives in order to adapt plans so that the overall project objectives can be met and the needs of the auditee, management and the organization can be achieved.


Managing the scope itself is essential to ensure that all of the work required to complete the project, but only that work, is fully undertaken and completed effectively. A common problem at this stage is allowing ‘scope creep’ to occur, resulting in considerably more work being undertaken than was required. Once the scope has been agreed, the processes to be undertaken to complete the project can be defined and allocated to individual auditors, based on skill requirements and availability. This work breakdown is essential, since the scheduling of time is based upon the quantity of work that a specific individual can achieve at a given task. The sequencing of these activities to ensure a smooth workflow is also important because certain activities may be able to overlap, while others may be dependent upon the successful completion of the preceding operation. Once this breakdown has been done, the lead auditor can compare the overall project plan to the resource constraints within which the project must occur so that any modifications required to fine-tune the project plan can be made. Even at this stage a project plan can be modified based on what is found in the course of the audit activities.

For an audit project, cost management largely boils down to time management, since the bulk of audit costs are the costs of human resources. To this end the planning, budgeting and estimating of time scales will largely dictate the project budget. As the project is executed, time and cost resources expended can be monitored against the planned budget and variations analyzed to determine whether they are plan-related (ie the plan underestimated the amount of work to be carried out) or performance-related (ie the people did not perform as planned). Variations will occur in even the best planned projects and subsequent phases of the project may need to be re-planned based upon known performance levels.

The management of the human resources making up the project team is critical to the success of the overall audit project. Early involvement of team members in the planning of the project as a whole, and of their role in particular, can dramatically strengthen the commitment of individuals to the accomplishment and success of the audit project. For example, in an extended audit covering a capital project of long duration, the individuals involved in the project may change, and new team members must be accommodated within the overall framework of the plan. It is the lead auditor’s responsibility to ensure that the appropriate knowledge, skills and competencies are available to the project team in order to ensure effective completion and achievement of planned time and cost budgets. In addition, team members must be developed to improve the overall competency of the audit function, and this involves the team leader acting as a mentor and a guide to provide direction, offer feedback and advice, and resolve any issues of conflict within the team.

As with any endeavor, the management of the quality of work produced is of critical importance to the ongoing reputation of the audit function. The appropriate policies and procedures must be implemented to ensure that all activities fall within the ambit of the Standards for the Professional Practice of Internal Auditing. Once again, the Standards should be seen as a living document to guide the auditor towards acceptable levels of quality rather than a sterile set of instructions to be looked at once a year. Quality control within the audit will involve the identification of key indicators to be monitored as a measurement of quality achieved, the execution of that monitoring, and the identification of improvements to address any areas of unacceptable performance quality.


One of the main reasons for introducing project management is the communication of the status of the audit project at any given point in time. Auditing within an organization should be seen as a continuous flow from project to project and this means that any delay in a particular audit can cause a domino effect in subsequent audits, since specific skills and personnel may not be available at the time originally planned. In addition, auditees and management also require knowledge of where an audit is in terms of its progress against the agreed plan. Communicating in this manner facilitates the management of client expectations as to deliverables, costs and timings for the audit. Obviously, this is more critical in audits of longer duration.


CHAPTER 20

Audit Reporting and Follow-up

Learning objectives

After studying this chapter, you should be able to:
➤ Outline briefly the uses and importance of internal audit reports to the various users of audit services
➤ Outline in detail the basic structure of an internal audit report
➤ Use effective writing techniques for maximum impact
➤ Formulate and express an appropriate audit opinion
➤ Describe the use of auditee responses in the audit report
➤ Polish and edit your own or another auditor’s report
➤ Distribute the audit report for maximum impact
➤ Follow up on findings in an appropriate manner

Reporting

IIA Practice Advisory 2440-1: Recipients of Engagement Results provides guidance for internal auditors with respect to their reporting responsibilities as follows. ‘Final engagement communication should be distributed to those members of the organization who are able to ensure that engagement results are given due consideration. This means that the report should go to those who are in a position to take corrective action or ensure that corrective action is taken. The final engagement communication should be distributed to management of the activity under review. Higher-level members in the organization may receive only a summary communication. Communications may also be distributed to other interested or affected parties such as external auditors and the board.’

Audit Reporting

Results of the audit are usually reported orally in the form of interim reports and closing conferences, as well as in writing. At least a written report should be produced at the end of an audit, and other types of reporting should occur if necessary. Reports generally should be:
➤ accurate;
➤ objective;
➤ clear;
➤ concise;
➤ complete;
➤ constructive; and
➤ on time.


Written reports should include:
➤ a statement of the purpose of the audit;
➤ the audit scope;
➤ the audit results;
➤ the auditor’s opinion;
➤ recommendations for potential improvements;
➤ an acknowledgement of satisfactory performance; and
➤ the auditee’s reply to the auditor’s opinions and recommendations.

Reports should be reviewed and approved by the internal audit manager before they are issued. The issued audit report is a reflection of the competence and professional image of the whole internal audit department and of internal auditing as a profession. In many cases, this is the only exposure to internal auditing that senior management will get. This image will be reflected not only in the report’s technical soundness but also in its clarity, tone, organization and style. The message must be unambiguous, and questions raised in the reader’s mind must be anticipated and answered. Any desired mood must be created by words alone.

Clear Writing Techniques

The objectives of any writing are to inform and influence. To do this effectively and efficiently, you must gather the necessary information before starting. This avoids reorganization and rewriting at a later stage when you remember forgotten facts. Readers tend to retain material better if it is written in a conversational style, but this requires anticipation of the type of feedback one would receive during a normal conversation. Conversational-style reports build mental images, which tend to be assimilated and remembered more easily. When deficiencies are reported, avoid personal references. The audit report should criticize practices, not people.

Keep sentences short and simple, trying to average 15 to 20 words. This does not mean that you should count every word and artificially chop long sentences in two. Nevertheless, one idea per sentence can make the report clearer. Long sentences tend to be foggy, awkward, dull and boring. Use active voice verbs, since these are usually shorter, livelier and more conversational: ‘The manager asked for ...’ instead of ‘... were asked for by the manager’. Passive voice verbs tend to be dull, formal and unclear. They can appear less emphatic and vague. Passive verbs are frequently to be found in highly formal and structured reports such as fraud audit reports, where the auditor is deliberately emphasizing the impartial and impersonal nature of the report.

Use clear, familiar words and avoid the use of ‘impressive’ words, which the reader may not understand or may misinterpret. In producing the report, you should be specific and precise, but should never sacrifice clarity for brevity. Some audit reports are so abbreviated that the reader has to guess at the meaning. You should recognize that readers of the report will come from a variety of backgrounds and you should therefore avoid jargon where possible.
Where it is essential for clarity, the report should explain things in a way a layperson would understand. Always bear in mind that the burden of communication is on the writer, not the reader. Use appropriate headings, as they break up the monotony of long sections and help readers to locate specific information. This speeds up the reading process by allowing a reader to scan for specific information. Many auditors feel that they should discourage readers from scanning the report, but the alternative may be that the report is not opened or read at all. Other techniques for easing the reading of reports involve keeping the paragraphs short, as well as the use of emphasis, white space, graphics and color. Remember always that this is a working audit report, not a Christmas card, and do not make it over-fancy. The report should not be padded for the sake of size, nor should there be criticism just for something to say.

Preparing to Write

Preparing to write starts at the beginning of the audit. From the moment the scope and objectives are approved, all audit work is done with the audit report in mind. At the start of the audit, you should already have a mental picture of the report in your mind. You know the anticipated audience, the subject matter, and the scope and objectives of the report. When the actual process of committing the report to paper starts, free writing may help to loosen up your mental muscles. This technique involves the writing of unrelated texts, such as a letter, before you start work on the report. The theory is that this starts the brain moving in logical communication mode. Usually an audit report will involve the co-ordination of several writers’ efforts. In such cases it may be wise to read the report aloud in order to recognize the differences in the styles and methods of individual contributors. Reports should follow the same methods and be written in the same style throughout.

The Basic Audit Report

A cover is almost always desirable since it sets a professional tone from the start. It should include the report title, the name and location of the auditee, and the date of audit coverage. The formalities section normally consists of an introduction and is usually one to three pages in length. It includes the date of the report; the addressee (get it right); and the background, scope and objectives of the audit. A brief opinion and the general nature of the findings, together with the reply expectations and a signature, are required here. The names of participating auditors, a distribution list and the contents of the body of the report are also a normal part of the formalities section.

The Executive Summary

The executive summary consists of a list of the most important issues and findings. It provides a preliminary perspective to the whole report and focuses on risks to the organization and the specific effect of control weaknesses. It may be all that is read and, in many cases, it is all that should be read. Two approaches are possible in the executive summary, depending on the nature of the executive audience. A ‘condense and eliminate’ approach, which involves abbreviated explanations of major audit findings, ordered by importance and cross-referenced, may be used when you are writing for a knowledgeable executive. A ‘briefings’ approach, which informs, advises and interprets, may be more appropriate in a specialized audit where the executives may not be fully conversant with the implications of findings.

Detailed Findings

Detailed findings usually constitute the body of the report. A finding comprises four distinct parts:
➤ Condition: what the auditor found, ie what the evidence showed.
➤ Criteria: what management intended should happen.
➤ Cause: whether the condition was caused by the absence of an internal control or the failure of one and, if so, which.
➤ Effect: the impact of the condition on the business.

The detailed findings should include enough information for the reader to understand the findings. Exhibits and attachments are usually placed within the report, but may be placed in an appendix if they are very long. All graphics, charts and financial tabulations should be clearly labeled and, if in an appendix, should be cross-referenced to the report. Management will often want an internal audit opinion, as it provides an overall perspective to the rest of the report and forces the auditors concerned to commit themselves. However, it can cause a management overreaction, resulting in important parts of the report being ignored, since audit results are normally mixed in nature. At the discretion of the auditor, auditee responses may be included in the final report. This can help provide balance and can lend credibility to the report, resulting in less ‘sniping’ from the sidelines. Where such comments are included, they must be reviewed with and agreed to by the auditee.

Polishing the Report
Polishing the report involves a rigorous review before it is issued. This is commonly done in a peer group and should involve one person with no knowledge of the specific audit area, who is better able to challenge the assumptions on which the report is based. Many organizations use checklists or computerized grammar and style checkers to help make the report more readable. Ultimately, the head of internal audit or a designated deputy will sign the report. Since many reports are issued late, which is often a major auditee complaint, it is important that you do not build in unnecessary delays to the issuing of the report.

Distributing the Report
The report should be distributed to the first authority level able to take appropriate action. The full distribution list may be determined early in the audit process, although auditee chains of command can cause political ramifications. The delivery method should take into account both the confidentiality of the reported information and the remoteness of the recipient. Couriering or hand delivery is best.


AUDIT REPORTING AND FOLLOW-UP

If the contents of the report are highly confidential, detective controls can be implemented to trace individual copies should a leak occur. The most obvious of these techniques is copy numbering, but intentional misspellings or rewording of critical areas may also be used.

Interim Reporting
Interim reports are those prepared and issued while the audit is in progress. They are usually used either to report progress on an extended audit or to notify the auditee of a finding that warrants immediate attention. They may be either written or verbal, although a written report in memo form can be a useful way of reporting a finding. The main advantage of interim reports is that the auditee receives timely feedback, which in turn makes immediate action more likely. This can, in turn, result in a more favorable final report if appropriate action is taken. Interim reports effectively provide a follow-up opportunity during the audit itself.

Closing Conferences
Before the final audit report is issued, a closing conference is common. This permits an overall review of the audit objectives and findings, and is the final opportunity to clear up any misunderstandings or omissions before the report is issued. It ensures a fair and balanced presentation and allows auditees to express their opinion. It also gives the auditors concerned feedback on the way the audit was handled from a client’s perspective.

Follow-up Reporting
IIA Standard 2500-A1 states that: ‘The chief audit executive should establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.’

There are two phases involved. Management chooses either to:
➤ take appropriate action on the audit findings; or
➤ accept the risk of not taking action.
The auditors must find out what action was taken and whether it was appropriate. They would usually follow up on reports normally directed to the recipients of the original report, and they should focus on attainment of the control objectives, not necessarily on audit recommendations. The participants in the audit process all have distinct roles to play in the follow-up process.

Auditors
It is the duty of the auditors to:
➤ perform follow-up reviews to ensure appropriate action was taken; and
➤ inform the auditee, executive management, board and audit committee in writing of the outcome of the follow-up review.
Internal auditors should make management aware of actual and potential risks, but have no further responsibility if management decides to accept the risk. Auditors must not interfere with the auditee’s operation during the follow-up review.

The Auditee
The auditee is expected to do the following:
➤ provide timely, complete responses to the audit report;
➤ help auditors with follow-up reviews;
➤ keep auditors and management informed of corrective actions;
➤ inform auditors and management of any major disagreements; and
➤ assess the cost-effectiveness of alternative corrective measures and choose an appropriate alternative.

Executive Management
The role of executive management is to:
➤ monitor the follow-up process;
➤ assess the adequacy and cost-effectiveness of the auditee’s corrective action;
➤ not interfere with auditors’ follow-up reviews; and
➤ avoid compromising the auditors’ objectivity and independence.

Types of Follow-up Action
An auditor will usually review auditee responses and corrective actions, evaluate their adequacy and report follow-up findings. Follow-up actions will vary significantly for differing audits in terms of the breadth, degree of focus, depth and extent of follow-up examination. Practical considerations such as the time available must be taken into consideration. Auditors tend to be optimists as far as time is concerned and often take shortcuts in follow-ups as a result. In many cases, they completely omit follow-ups. In order to reduce the time required for follow-ups, an auditor should:
➤ follow up as much as possible during the audit itself;
➤ review written responses before the follow-up review;
➤ review only the documentation of corrective action for less critical findings;
➤ not perform audit work at all on minor items; and
➤ limit follow-up tests to only the problems noted.

Audit Follow-up Policies
Typical audit policy provisions would state that audit follow-ups are required for all audits where exceptions are reported. Internal auditors must be given the authority and responsibility to evaluate the effectiveness of corrective action. Follow-ups should be adequately documented, and the roles and responsibilities of those who will carry out the follow-ups should be documented and followed. The follow-up policy should state executive management’s commitment and should be addressed to all managers. Such a statement should be clearly shown as coming from the organization’s highest level of authority. The policy should specify to whom auditee responses should be directed and must itself be in writing. Additional success factors for ensuring that the actions taken are appropriate and followed up would include the auditor discriminating between symptoms and causes in the original report. The auditee action must address the cause, not the effect. The follow-up findings should be attached to working papers and the follow-up report attached to the original report. The auditor will need guidelines for rejecting the auditee's corrective measures should this be necessary, but should not try to force audit preferences on management. The audit focus should be on control objectives and principles; management focus should be on the controls themselves. To do otherwise is to risk becoming the approver of the controls. Management must decide, not the auditor. Where you reject a management action, never attack the individuals concerned. You must avoid becoming emotionally involved in disagreements. State specifically in rejections why the rejection has occurred and which control objectives are still threatened.


Chapter 21: Audit Engagement Tools, Statistics and Quantitative Methods

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the difference between statistical and non-statistical concepts
➤ Explain the differing sampling methods in common audit use and the factors affecting sample size
➤ Choose from among the parametric and non-parametric techniques, depending on the needs of the audit
➤ Design and administer surveys and questionnaires
➤ Conduct structured, semi-structured and unstructured interviews
➤ Explain the usage of financial analysis from an internal auditor's perspective
➤ Describe briefly the internal audit use of:
  ◗ Analytical techniques for sharper insight
  ◗ Operations research and models
  ◗ Analytical review procedures
  ◗ Linear programming
  ◗ Charting, queuing and game theory
  ◗ Simulations

Audit Engagement Tools, Statistics and Quantitative Methods
IIA Practice Advisory 1210-1: Proficiency provides guidance as to an auditor’s responsibility to understand the accounting, legal, tax or finance issues arising that require the use of specific engagement tools, statistics and quantitative techniques when particular problems or potential problems are identified, in order to conduct further research and evaluate the results. ‘An appreciation is required of the fundamentals of subjects such as accounting, economics, commercial law, taxation, finance, quantitative methods, and information technology. An appreciation means the ability to recognize the existence of problems or potential problems and to determine the further research to be undertaken or the assistance to be obtained.’

What is Sampling?
Sampling is the process of testing a portion of a group of items in order to evaluate and draw conclusions about the population as a whole.


AUDIT ENGAGEMENT TOOLS, STATISTICS AND QUANTITATIVE METHODS

The process of sampling may be broken down into the following sub-processes:
➤ An auditor is performing either a compliance test (test of controls), or a substantive test
➤ of either documented internal accounting controls or accounting source records by applying procedures
➤ to less than 100 per cent of the items in the class of transactions or account balance
➤ for the purpose of forming a conclusion about some characteristic of the class or balance.

Why Do We Sample?
The underlying assumption of sampling is that the results of a sample yield accurate information about the population from which the sample was taken. Sampling, therefore, is an effective method of gathering audit evidence. If auditors did not use sampling, every item comprising an account balance or every transaction occurring within a class of transactions would need to be reviewed. The cost of such an examination would (a) be prohibitive, because of the amount of time required to perform such an examination and (b) far outweigh the benefit obtained. Sampling provides an auditor with a means of obtaining almost identical information, but at a much lower cost. Thus, sampling is also an efficient method of gathering information. There are two basic sampling approaches:
➤ judgmental/non-mathematical; and
➤ statistical.
Each approach represents a different way of handling audit risk. Therefore, each may be appropriate for some populations but not for others. Choosing the right approach involves answering some critical questions about risk, population characteristics and the objectives of our testing. The answers lead us to the best approach and the most efficient audit plan.

Judgmental (or Non-mathematical) Sampling
In judgmental sampling, an auditor relies solely on his/her professional judgment to assess the risk of sampling error when evaluating a population. The sample is not intended to be representative of the whole population and therefore sample results cannot be extrapolated to the whole population. This approach is normally used where an auditor intends to use the sample for limited purposes. Where an auditor is aware that a section of the population is a higher risk, he/she may choose to direct the sampling process to that particular area. Here, he/she has exercised professional judgment in selecting the population to be reviewed, and any conclusions drawn must be carefully judged to ensure their validity. Judgmental sampling should not be used as a primary audit procedure if the auditors have no special knowledge about which items in the population are more likely to contain misstatements. Again, judgmental sampling may be used for limited purposes (ie when sampling is not the primary audit procedure), such as corroboration of the outcome of other analysis, by examining a few detailed transactions to check the validity of forecasts.

Statistical Approach
In statistical sampling, the sample is selected in such a way that it can be expected to be representative of the population. By doing so, an auditor intends that the relevant characteristics of the sample, such as the sizes or rates of errors, should be mathematically proportional to those of the population. For this to be valid, an appropriate sample selection technique, such as random selection, and an adequate sample size must be chosen. The sample results may then be used to project to the population (extrapolate) in order to estimate a specific value for the population. The more representative a sample is, the more accurate the extrapolation. This effectively means the larger the sample size, the more accurate the extrapolation. Obviously, statistical sampling is less than 100 per cent reliable, and an auditor must take into consideration the effect of sampling risk.

Sampling Risk
All auditing involves a certain amount of risk or uncertainty. The risk that material irregularities or errors will not be detected either by internal control or by the use of the appropriate auditing procedures is always present. The uncertainty that exists in applying the audit procedures is called audit risk. When an auditor chooses to use statistical sampling, he/she faces the possibility that, due to the fact that there is less than 100 per cent certainty, the conclusions drawn about the population may contain some material error. This audit risk comprises two specific sub-sets.
➤ Sampling risk is the risk that the sample chosen may not appropriately reflect the population as a whole.
➤ Non-sampling risk is the risk that, having obtained a representative sample, the auditor still misses a significant error.
In the case of statistical sampling, as opposed to judgmental sampling, an attempt is made to control the risk of sampling error. Because the auditor has accepted that 100 per cent certainty is either not desirable or not possible, by working at a 95 per cent certainty level he/she has accepted a 5 per cent chance that the sample drawn does not accurately or completely reflect the population. This risk exists because of the nature of sampling certainty. In a normal distribution, a 95 per cent certainty indicates that, should the auditor draw a sample of 20, 100 times, 95 of those times the full sample would be drawn from a representative part of the population. In five of those times, the sample would include one or more items that are not representative of the population. When this happens, caused by the random chance in the selection of the sample, it is classed as the risk of sampling error. This risk always exists, regardless of how the sample is selected.

The auditor’s justification for accepting this risk involves a judgment call regarding the level of assurance that the chosen combination of substantive testing and reliance on internal control gives a reasonable probability of detection. By choosing the appropriate sampling technique and by applying his/her professional judgment after consultation with auditee management, the auditor attempts to minimize the risk of sampling error. In addition, by choosing an appropriate statistical model and by following the correct sampling selection methodology, the auditor can quantify the likelihood of sampling error in order to determine that it is within acceptable limits. In the case of judgmental sampling, the risk of sampling error still exists, but, because the auditor does not explicitly state a confidence level, the risk is not quantifiable. This means that, in this case, the risk of sampling error is dependent on the experience, skill and judgment of the individual auditor and that his/her evaluation cannot be substantiated. Whether the sample chosen is based on statistical methods or an auditor’s judgment, every use of sampling is also subject to the risk of non-sampling error. This type of error is caused by other uncertainties that are not caused by the sampling process. Causes of this type of error could include:
➤ mistakes in selecting the sample;
➤ the use of incorrect audit procedures for a given objective;
➤ failure to recognize misstatements or irregularities included in the sample items; and
➤ an improper definition of the population.
Non-sampling error therefore includes any misjudgments or mistakes by the auditor that may lead him/her to an incorrect conclusion based on the tests carried out on the sample. These errors would have occurred even if sampling had not been chosen as a technique and the full population examined. By careful planning and by using the appropriate audit techniques, non-sampling risk can be minimized, but not eliminated.

Assessing Sampling Risk
IIA Standards state that auditors should use their professional judgment in assessing sampling risk. The two main aspects of sampling risk in compliance tests of internal controls are:
➤ the risk of overreliance on controls, which is the risk that the sample leads an auditor to place reliance on the control when it is not justified (beta risk); and
➤ the risk of underreliance on controls, which is the risk that the sample leads the auditor to wrongly evaluate the population as falling beyond tolerance levels (alpha risk).
The auditor should also be concerned with sampling risk when performing substantive tests. Here the risks are classified as follows:
➤ The risk of incorrect acceptance (beta risk) is the risk that the sample supports the auditor's conclusion that the amount or quantity is not materially misstated when in fact it is.
➤ The risk of incorrect rejection (alpha risk) is the risk that the sample leads the auditor to believe that the amount or quantity is materially misstated when in fact it is not.
Alpha characteristics of the population relate to the efficiency of the audit, while beta risks relate to the effectiveness of the audit in the detection of material errors.
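The alpha and beta risks above, quantified for an attributes test of a control, as an added Python example that is not from the textbook. It assumes a binomial model (valid for large populations) and constructed figures: a 2 per cent deviation rate the auditor would accept, 8 per cent as the rate at which the control is judged to be failing, and the decision rule ‘rely on the control if the sample shows at most c deviations’.

```python
"""Sampling risk for a compliance (attributes) test, quantified with the
binomial model. Added example, not from the textbook. Assumes the
population is large enough for the binomial approximation, and uses
constructed figures: 2% deviation rate the auditor can tolerate as
'controls working', 8% as 'controls failing', 60 items in the sample."""
from math import comb


def p_accept(n, c, rate):
    """Probability that a sample of n items shows at most c deviations
    when the true population deviation rate is `rate`, i.e. the chance the
    auditor concludes the control is reliable under the decision rule
    'accept if deviations <= c'."""
    return sum(comb(n, k) * rate ** k * (1 - rate) ** (n - k) for k in range(c + 1))


def alpha_risk(n, c, acceptable_rate):
    """Risk of under-reliance / incorrect rejection: the control really
    operates at an acceptable rate, yet the sample shows more than c
    deviations and the auditor rejects it. Costs audit efficiency."""
    return 1 - p_accept(n, c, acceptable_rate)


def beta_risk(n, c, unacceptable_rate):
    """Risk of over-reliance / incorrect acceptance: the control is really
    failing, yet the sample shows c or fewer deviations and the auditor
    relies on it. Costs audit effectiveness, so it is the risk auditors
    normally fix first (5% for a 95% confidence level)."""
    return p_accept(n, c, unacceptable_rate)


def smallest_sample(c, unacceptable_rate, beta_target=0.05, n_max=2000):
    """Smallest sample size whose beta risk, under the rule 'accept if
    deviations <= c', is at or below beta_target. Returns None if n_max
    is not enough."""
    for n in range(c + 1, n_max + 1):
        if beta_risk(n, c, unacceptable_rate) <= beta_target:
            return n
    return None


if __name__ == "__main__":
    n, c = 60, 1
    print("n=%d, accept if <=%d deviations" % (n, c))
    print("  alpha (true rate 2%%): %.3f" % alpha_risk(n, c, 0.02))
    print("  beta  (true rate 8%%): %.3f" % beta_risk(n, c, 0.08))
    # Tightening the decision rule to c=0 lowers beta but raises alpha:
    # effectiveness and efficiency pull in opposite directions.
    print("  with c=0: alpha=%.3f beta=%.3f"
          % (alpha_risk(n, 0, 0.02), beta_risk(n, 0, 0.08)))
    # Sample size needed to hold beta at 5% against an 8% failure rate.
    print("  smallest n for beta<=5%% at c=1:", smallest_sample(1, 0.08))
```

Raising the sample size lowers both risks; tightening c trades alpha for beta, which is why the confidence level (beta) is fixed first and the sample size then follows.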


Planning a Sampling Application
Once an auditor has made the decision to use sampling, he/she should consider both the audit objectives and the characteristics of the population.

Audit Objectives
As with any audit, the auditor starts off by considering the control objectives of the area under review. From this can be derived the source of audit evidence and the nature of the audit testing required to evaluate that evidence. Where the audit testing needs to be done using sampling techniques, the auditor may focus on the specific objectives to be achieved by the tests that will be carried out on the sample selected. The sampling technique chosen will be dependent on the nature of the opinion the auditor wishes to express. An opinion on error rates within the population would normally dictate the use of attributes sampling techniques, while expressing an opinion on the probable values of the population may call for the use of monetary unit sampling or variable sampling.

Population Characteristics
The second stage of planning is to define the population about which an opinion will be expressed in terms of its characteristics. For example, the auditor may choose to express an opinion about high-value items, low-value items or all items. Any opinions expressed based on a sample can only be in terms of the population that was sampled in the first place. Should the auditor sample invoices within the previous six months, any opinion expressed can only be valid in terms of the previous six months’ invoices. Any conclusions drawn about invoices beyond this period would be invalid. Again, if the auditor wishes to express an opinion regarding customers exceeding their credit limit, the appropriate population to examine would be the creditors’ records and not the invoices. In testing to ensure that all orders have been invoiced, the sample would be drawn from the orders and checked forward against the invoices. If the auditor wishes to express an opinion regarding the authorization of payments, the sample must be drawn from payments and checked backwards against the authorized input documents. In any population, a common evaluation technique is to determine the average value of the population. Three averages are possible: the mean, the median and the mode. In statistical sampling, the most commonly used average is the mean. The mean, or arithmetic average value of a data set, is calculated as the sum of all values, divided by the number of data points. For example, if three selections are made by the auditor of invoices with values of R100, R140 and R180, then the average value would be (100 + 140 + 180) ÷ 3, or R140. The median represents the middle value in a population range. The mode represents the most frequently occurring value in a population. In a census of a population, for example, there may be individuals with ages ranging from 10 to 80 with a predominantly young population and an arithmetic average age of 35. In such a population, the median may be found to be 45, the mean is 35 and the mode may be as low as 20 because of the population being skewed towards younger people.


Deviations from the Mean
The amount of variability in the population defines the spread of values. One method of determining the variability of a population is to examine its variability from the mean. Standard deviations measure dispersion around the mean. The standard deviation can be calculated as the square root of the average of squared deviations of each member of the population from the mean. In the case of our invoices, this would involve:

100 – 140 = –40; (–40)² = 1 600
140 – 140 = 0; (0)² = 0
180 – 140 = 40; (40)² = 1 600
(1 600 + 0 + 1 600) ÷ 3 = 1 066.67
√1 066.67 = 32.66
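The mean, median and mode from the previous section and the standard deviation computed above, together with the skewness measure and the 68/95 per cent rule that the next paragraph describes, as an added Python example that is not part of the textbook. The three invoice values are the chapter’s own; the seeded normal and skewed populations used to check the rule are constructed.

```python
"""Descriptive statistics as the chapter defines them, applied to the
book's three sampled invoices (R100, R140, R180). Added example, not
from the textbook. Population (divide-by-n) formulas are used because
that is what the worked example in the text does."""
from collections import Counter
import math
import random


def mean(values):
    """Arithmetic average: sum of all values divided by the count."""
    return sum(values) / len(values)


def median(values):
    """Middle value of the sorted data (average of the two middle values
    when the count is even)."""
    s = sorted(values)
    n = len(s)
    mid = n // 2
    return s[mid] if n % 2 else (s[mid - 1] + s[mid]) / 2


def mode(values):
    """Most frequently occurring value (the smallest one on a tie)."""
    counts = Counter(values)
    top = max(counts.values())
    return min(v for v, c in counts.items() if c == top)


def std_dev(values):
    """Square root of the average squared deviation from the mean,
    i.e. the population standard deviation used in the worked example."""
    m = mean(values)
    return math.sqrt(sum((v - m) ** 2 for v in values) / len(values))


def skewness(values):
    """Skewness as the chapter describes it: deviations from the mean,
    divided by the standard deviation, cubed, summed and divided by n."""
    m, sd = mean(values), std_dev(values)
    if sd == 0:
        return 0.0
    return sum(((v - m) / sd) ** 3 for v in values) / len(values)


def fraction_within(values, k):
    """Share of the data lying within +/- k standard deviations of the mean.
    For a normal population the chapter quotes ~68% at k=1 and 95% at k=1.96."""
    m, sd = mean(values), std_dev(values)
    return sum(1 for v in values if abs(v - m) <= k * sd) / len(values)


# Constructed sample: the three invoice values from the chapter's example.
INVOICES = [100, 140, 180]

# Constructed, seeded normal population to check the 68/95 rule empirically.
_rng = random.Random(2015)
NORMAL_POP = [_rng.gauss(500.0, 50.0) for _ in range(20000)]

# Constructed population with a long right tail (most values below the mean),
# which the chapter calls positively skewed.
SKEWED_POP = [v ** 2 / 500 for v in NORMAL_POP]


def invoice_summary():
    """Mean, standard deviation and skewness of the three invoices."""
    return (round(mean(INVOICES), 2), round(std_dev(INVOICES), 2),
            round(skewness(INVOICES), 4))


if __name__ == "__main__":
    print("invoices: mean=%.2f sd=%.2f skew=%.4f" % invoice_summary())
    print("normal population: within 1 sd=%.3f, within 1.96 sd=%.3f"
          % (fraction_within(NORMAL_POP, 1), fraction_within(NORMAL_POP, 1.96)))
    print("skewed population: skew=%.3f, mean=%.1f, median=%.1f"
          % (skewness(SKEWED_POP), mean(SKEWED_POP), median(SKEWED_POP)))
```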

The main use from an audit perspective is the statistical fact that in a normal (unskewed) population, 68 per cent of the population will lie within 1 standard deviation from the mean, and 95 per cent of a population will lie within 1.96 standard deviations from the mean. In other words, when an auditor samples such a population, there is a 95 per cent probability that all items selected will be drawn from within ±1.96 standard deviations from the mean. The skewness of a distribution refers to its lack of symmetry. A perfectly symmetrical distribution will result in a normal bell curve with a skewness of zero. Most distributions have some degree of skew. A population with the majority of the population distributed to the right of the mean is said to be negatively skewed, and a distribution with the majority of the population distributed to the left of the mean is said to be positively skewed. The computation of skewness involves taking the deviations from the mean, dividing them by the standard deviation, and raising them to the third power. These figures are then added together and divided by the number of data points.

Calculating Sample Size
For any sample design, deciding upon the appropriate sample size will depend on certain key factors, which must be considered together in order to ensure that the sample objectives are met. As previously stated, the amount of variability in the population defines the spread of values. This will also affect accuracy and consequently the size of sample required when estimating a value. The greater the variability, the larger the sample size required. The confidence level represents the likelihood that the results obtained from the sample lie within the associated precision. The higher the confidence level you want, the larger the sample size you need. Auditors normally operate at a 95 per cent confidence level, but where a situation is evaluated as low risk, a lower level, such as 90 per cent, is acceptable.
Conversely, in a higher risk situation, they may operate at a 99 per cent confidence level. Contrary to popular belief, the population size does not normally affect sample size. Statistically, the larger the population size, the greater the likelihood that the sample will be representative. Where the population to be sampled is less than 5 000, the population size begins to have an impact on the sample size. The effect is to increase slightly the sample size needed. Where population size is very low, standard sampling techniques may be invalid and non-parametric sampling techniques may be needed. Some audit software does not take this into consideration in calculating sample size, and auditors must be aware that such sampling will only be appropriate in larger populations. Differing methods of sampling are appropriate in different circumstances, and an auditor must be aware of the advantages and disadvantages of each so that the appropriate sampling method can be selected.

Table 21.1: Comparison of various sampling methods

Judgmental sampling
Definition: Based on deliberate choice of the auditor
Advantages:
➤ Normal application is for small samples from a population that is well understood and there is a clear method for picking the sample
➤ Is used to provide illustrative examples or to check forecasts
Disadvantages:
➤ The sample is typically small and can be misleading
➤ It is prone to bias
➤ Sample results cannot be extrapolated to give population results

Attribute sampling
Definition: Used to determine error rates in the population
Advantages:
➤ Results in the minimum sample size needed to express an opinion at a given confidence level
Disadvantages:
➤ Valid only for populations >5 000
➤ May result in a larger sample size than judgmental sampling
➤ Requires random selection to remain valid

Variable sampling
Definition: Used to estimate values of a population
Advantages:
➤ Results in the minimum sample size needed to express an opinion at a given confidence level
Disadvantages:
➤ Valid only for populations >5 000
➤ May result in a larger sample size than judgmental sampling
➤ Requires random selection to remain valid

Cluster sampling
Definition: Units in the population can often be found in geographical groups or clusters, eg schools, households, etc. A random sample of clusters is taken, and then all units within those clusters are examined
Advantages:
➤ Quicker, easier and cheaper than other forms of random sampling
➤ Does not require complete population information
➤ Useful for face-to-face interviews
Disadvantages:
➤ Works best when each cluster can be regarded as a microcosm of the population
➤ Larger sampling error than other forms of random sampling
➤ If clusters are not small, it can become expensive
➤ A larger sample size may be needed to compensate for greater sampling error

Probability proportional to size (PPS) or monetary unit sampling (MUS)
Definition: Samples are drawn in proportion to their size, giving a higher chance of selection to the larger items (ie the chance of being selected is proportional to the individual item’s size)
Advantages:
➤ Unit to be selected is a single monetary unit, eg a dollar
➤ Used where you want each element to have an equal chance of selection rather than each sampling unit
Disadvantages:
➤ Can be expensive to get the information to draw the sample
➤ Appropriate only if you are interested in the elements
➤ Not appropriate if elements are underexaggerated
➤ Can easily identify exaggeration

Stratified sampling
Definition: The population is subdivided into mutually exclusive layers. The strata can have equal sizes or you may want a higher proportion in certain strata
Advantages:
➤ Ensures units from each main group are included and may therefore be more reliably representative
➤ Should reduce the error owing to sampling
➤ Typically results in lower sample sizes
Disadvantages:
➤ Selecting the sample is more complex and requires good population information
➤ The estimates involve complex calculations

Simple random selection
Definition: Ensures each member of the population has an equal chance of selection
Advantages:
➤ Produces defensible estimates of the population and sampling error
➤ Simple sample design and interpretation
Disadvantages:
➤ Needs complete and accurate population listing
➤ May not be possible in an unnumbered population
➤ May not be practical if remote items are selected for sampling

Systematic selection
Definition: After randomly selecting a starting point in the population between 1 and n, every nth unit is selected, where n equals the population size divided by the sample size
Advantages:
➤ Easier to extract the sample than simple random selection
➤ Ensures cases are spread across the population
Disadvantages:
➤ Can be costly and time-consuming if the sample is not conveniently located
➤ Cannot be used where there is a pattern to the population distribution
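The selection methods in Table 21.1, applied to a constructed invoice ledger, as an added Python example that is not from the textbook. The ledger amounts, the seed and the R1 000 stratum boundary are constructed; the logic follows the table’s definitions of simple random, systematic, stratified and monetary unit selection.

```python
"""Sample selection methods from Table 21.1 applied to a constructed
invoice ledger. Added example, not from the textbook. The ledger values,
the seed and the stratum boundary are constructed; selection logic follows
the table's definitions: simple random, systematic (random start, every
nth item), stratified (by value band) and monetary unit sampling (each
rand has an equal chance, so selection is proportional to item value)."""
import random

# Constructed ledger: (invoice number, amount in rand). Total is R20 575.
LEDGER = [("INV%04d" % i, amt) for i, amt in enumerate(
    [120, 80, 4500, 300, 95, 60, 2200, 150, 40, 980,
     75, 310, 8800, 220, 130, 55, 1700, 90, 410, 260], start=1)]


def simple_random(items, sample_size, rng):
    """Every item has an equal chance; needs a complete, numbered listing."""
    return rng.sample(items, sample_size)


def systematic(items, sample_size, rng):
    """Random start between 1 and n, then every nth item, where
    n = population size // sample size (the selection interval)."""
    interval = len(items) // sample_size
    start = rng.randint(1, interval)          # 1-based start, as in the table
    return [items[i] for i in range(start - 1, len(items), interval)][:sample_size]


def stratified(items, per_stratum, rng, boundary=1000):
    """Split the population into mutually exclusive high/low value strata
    (constructed boundary) and draw a simple random sample from each, so
    that every main group is represented."""
    high = [it for it in items if it[1] >= boundary]
    low = [it for it in items if it[1] < boundary]
    return (rng.sample(high, min(per_stratum, len(high)))
            + rng.sample(low, min(per_stratum, len(low))))


def monetary_unit(items, sample_size, rng):
    """Monetary unit sampling: the sampling unit is a single rand. The
    population total is split into `sample_size` equal intervals, one
    random rand is picked in the first interval, and the invoice containing
    each selected rand is drawn. Items worth more than the interval are
    certain to be hit, possibly more than once; repeats are collapsed."""
    total = sum(amt for _, amt in items)
    interval = total / sample_size
    start = rng.uniform(0, interval)
    targets = [start + k * interval for k in range(sample_size)]
    selected, cumulative, idx = [], 0.0, 0
    for target in targets:                    # targets are increasing
        while cumulative + items[idx][1] <= target:
            cumulative += items[idx][1]
            idx += 1
        if not selected or selected[-1] is not items[idx]:
            selected.append(items[idx])
    return selected


def mus_always_selects(items, sample_size):
    """Invoices whose value meets or exceeds the sampling interval; MUS picks
    them in every draw, which is why it readily identifies exaggeration."""
    interval = sum(amt for _, amt in items) / sample_size
    return [it for it in items if it[1] >= interval]


def draw_all(seed=21, sample_size=5, per_stratum=3):
    """Run every method once from one seeded generator and return the
    selected invoice numbers, so the draws are reproducible."""
    rng = random.Random(seed)
    return {
        "simple_random": [n for n, _ in simple_random(LEDGER, sample_size, rng)],
        "systematic": [n for n, _ in systematic(LEDGER, sample_size, rng)],
        "stratified": [n for n, _ in stratified(LEDGER, per_stratum, rng)],
        "monetary_unit": [n for n, _ in monetary_unit(LEDGER, sample_size, rng)],
        "mus_certain": [n for n, _ in mus_always_selects(LEDGER, sample_size)],
    }


if __name__ == "__main__":
    for method, picks in draw_all().items():
        print("%-14s %s" % (method + ":", picks))
```

Note how the two largest invoices appear in every MUS draw while the systematic draw spreads evenly over the ledger regardless of value; a ledger sorted by amount would defeat systematic selection, the ‘pattern’ disadvantage in the table.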

Quantitative Methods
In addition to statistical analysis, an auditor can use a variety of quantitative methods. These mathematical tools are commonly used to obtain an understanding of operations, and permit the drawing of conclusions in a variety of circumstances through analyzing the complexities of situations. Of the many quantitative methods, this section examines the most commonly used.

Trend Analysis
Trend analysis is used to evaluate the behavior of a variable, such as the turnover in a period of time. Such analyses can serve as evaluation criteria to determine the reasonableness of fluctuations over an extended period. Comparisons of this year’s turnover to last year’s or, alternatively, this month’s turnover to the same month last year, are popular.

Chi-square Tests
Chi-square analyses are non-parametric tests capable of analyzing relationships between qualitative data. For example, do operating units in the South have particular patterns of operation different from those in the North? Chi-square tests can check for the independence of nominal classifications and ordinal data, and require no particular distributional pattern for the data.

Correlation Analysis
Correlation analysis is the measurement of the extent of association of one variable with another. Two variables are said to be correlated when they move together in a detectable pattern. A direct correlation is said to exist when both variables increase or decrease at the same time, although not necessarily by the same amount. For example, one would expect inventory to decrease as sales increase. Correlation analysis is used by internal auditors to identify those factors that appear to be related. An operational auditor, for example, may use correlation analysis to determine whether corporate performance is in line with industry standards by comparing the correlation of company costs of imported parts with exchange rate fluctuations. Problems with how these statistics are computed, shortcomings in an internal auditor’s understanding of auditees’ operations, or real inefficiencies or misstatements can be pinpointed through correlation analysis.

Graphical Analysis
Graphical analysis can be useful to an internal auditor in identifying interrelationships in data, anomalies and simple data errors. A common form of graphical representation is a scatter diagram, which refers to any graph of data points. The more discernible a pattern appears in the graph, the more likely one variable is related to another and therefore can be used to predict the other’s value. Where no pattern can be noted, there would appear to be little, if any, correlation between the two variables. Where a strong correlation exists, either positive or negative, the correlation value will approach 1. Where little correlation exists, the correlation value will approach 0. Unfortunately, correlation values only measure linear patterns. Where there is a non-linear relationship, correlation statistics will not disclose this.
Occasionally a single data point, not conforming to the general pattern, can distort the correlation value. While this can be readily seen on the graph, it is usually far less obvious when examining the correlation value alone.

Learning Curves

In conducting operational audits of the quality of training of new staff, a learning curve will normally be expected and observed in performance levels. In other words, as employees gain experience with new procedures, or as a new employee becomes more experienced, the length of time taken to perform the task should decrease. Learning curves are evaluated by computing the time required per unit of production each time the cumulative output is doubled. A decrease in production time per unit of 25 per cent with each doubling is described as a 75 per cent curve; a 60 per cent curve would result if the production time were reduced by 40 per cent. By measuring this curve, an auditor can determine how quickly a new procedure or employee becomes productive. When a new procedure is recommended, calculating the initial time per unit under the old system and comparing it to a series of observations over time using the new procedures can objectively determine whether the new procedure is an improvement over the old.
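The doubling rule above, carried through in code as an added example that is not part of the textbook: the learning rate is read off the time per unit at successive doublings, a least-squares fit in log-log space uses every observation rather than only those that fall on a doubling, and the fitted curve answers the audit question of whether the new procedure will beat the old one by a given point in cumulative output. The timings, the old-procedure time and the functions are all constructed for this example.

```python
"""Added example, not from the textbook: estimating a learning-curve rate
from time-per-unit observations and predicting the time at a later point in
cumulative output.  All timings are constructed for the demonstration."""
import math


def learning_rate(times_at_doublings):
    """Rate from the time per unit observed at cumulative units 1, 2, 4, 8, ...
    Each ratio t(2n)/t(n) is one estimate; the geometric mean combines them.
    0.75 means a 75 per cent curve (25 per cent less time per doubling)."""
    if len(times_at_doublings) < 2:
        raise ValueError("need the time per unit at two doublings at least")
    ratios = [later / earlier for earlier, later
              in zip(times_at_doublings, times_at_doublings[1:])]
    return math.exp(sum(math.log(r) for r in ratios) / len(ratios))


def predicted_time(first_unit_time, rate, n):
    """Wright's learning-curve model: t(n) = t(1) * n ** log2(rate)."""
    if not 0 < rate <= 1 or n < 1:
        raise ValueError("rate must be in (0, 1] and n >= 1")
    return first_unit_time * n ** math.log2(rate)


def fit_curve(observations):
    """Fit t(1) and the rate by least squares on log t = log t(1) + b log n,
    so every (cumulative_units, time_per_unit) pair is used, not only the
    ones that happen to fall on a doubling.  Returns (t1, rate)."""
    lx = [math.log(n) for n, _ in observations]
    ly = [math.log(t) for _, t in observations]
    k = len(lx)
    mx, my = sum(lx) / k, sum(ly) / k
    sxx = sum((x - mx) ** 2 for x in lx)
    if sxx == 0:
        raise ValueError("observations must span more than one cumulative count")
    b = sum((x - mx) * (y - my) for x, y in zip(lx, ly)) / sxx
    t1 = math.exp(my - b * mx)
    return t1, 2.0 ** b


def new_procedure_wins(old_time_per_unit, new_observations, horizon_units):
    """The audit test from the passage: fit the curve to timings taken under
    the new procedure and ask whether, by `horizon_units` of cumulative output,
    the predicted time per unit beats the steady time under the old procedure.
    Returns (predicted_new_time, verdict)."""
    t1, rate = fit_curve(new_observations)
    predicted = predicted_time(t1, rate, horizon_units)
    return predicted, predicted < old_time_per_unit


# Constructed timings (minutes per transaction) under a new procedure,
# recorded at cumulative transaction counts 1, 2, 3, 4, 6 and 8.
NEW_PROCEDURE_TIMINGS = [(1, 40.0), (2, 33.0), (3, 28.0), (4, 25.0), (6, 23.0), (8, 20.0)]
OLD_PROCEDURE_TIME = 18.0   # constructed steady time per transaction, old procedure

if __name__ == "__main__":
    print("exact 80% curve:", round(learning_rate([40, 32, 25.6, 20.48]), 3))
    t1, rate = fit_curve(NEW_PROCEDURE_TIMINGS)
    print(f"fitted t1={t1:.1f} min, rate={rate:.3f}")
    for horizon in (8, 32):
        pred, wins = new_procedure_wins(OLD_PROCEDURE_TIME, NEW_PROCEDURE_TIMINGS, horizon)
        print(f"after {horizon} units: {pred:.1f} min per unit, beats old={wins}")
```

With the constructed timings the fitted curve is close to 80 per cent: after eight transactions the new procedure is still slower than the old steady time, but by thirty-two it is well ahead, which is the kind of comparison the passage describes.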

Ratio and Regression Analysis

Ratio analysis assumes a given proportional relationship between two numbers and is normally used for comparisons over time. A more advanced form of ratio analysis attempts to quantify the interrelationship in order to facilitate predictions in a regression analysis. Regression analysis is used to estimate the effect that a movement in one variable (the independent variable) has on another variable (the dependent variable). In other words, if the sun shines, more cooldrinks will be sold: but how many more? By performing the regression analysis, the relationship, if any, can be identified and quantified, and sales levels can be predicted. Regression analysis can help an auditor understand and quantify data interrelationships. Unusual variations between expectations and recorded values may be noted for further investigation. Using software, the auditor can also conduct a multiple regression analysis, relating the dependent variable to a number of independent variables simultaneously. By determining the comparative strength of the relationships, an auditor can choose the area that will best improve performance. A related technique, multiple discriminant analysis, has also been used to predict bankruptcy. As with most statistical tools, regression analysis is based on a set of underlying assumptions that must be met for its use and interpretations to be valid.

Linear Programming

Linear programming is an operations research tool used to allocate scarce resources or to determine optimal blends of raw materials. The applicable constraints are reduced to linear algebraic formulae, and the optimum is found where a subset of those constraints holds as simultaneous equations. For example, in a production environment, machining may be capable of processing 100 units per machine while finishing can handle 35 units per machine. The question of how many machines of each type should be used for optimum production can be solved using linear programming.
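The sunshine-and-cooldrinks question, worked as an added example that is not from the textbook: a least-squares line of daily sales on temperature answers "how many more?", and the residuals from that line are where the auditor looks for the unusual variations between expectation and recorded value that the passage says merit investigation. The twelve days of figures are constructed, one of them deliberately overstated, and the function names are this example's own.

```python
"""Added example, not from the textbook: least-squares regression of daily
cool-drink sales on temperature, then flagging the days whose recorded sales
sit unusually far from the regression expectation, the auditor's cue for
further investigation.  The daily figures are constructed."""
import math

# Constructed sample: 12 days of (temperature in degrees C, units sold).
# Sales were generated as roughly 50 + 10 * temperature with small noise,
# except day 7, where 150 extra units were recorded (the anomaly to find).
TEMPS = [18, 21, 24, 27, 30, 22, 25, 28, 19, 26, 31, 23]
SALES = [232, 257, 294, 318, 353, 269, 302, 480, 238, 311, 357, 282]


def fit_ols(xs, ys):
    """Ordinary least squares: returns (intercept, slope) of y = a + b*x."""
    n = len(xs)
    if n != len(ys) or n < 3:
        raise ValueError("need at least three paired observations")
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("the independent variable must vary")
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return my - slope * mx, slope


def predict(intercept, slope, x):
    """Expected sales at temperature x: the 'how many more?' answer."""
    return intercept + slope * x


def flag_unusual(xs, ys, z=2.0):
    """Indices whose residual exceeds z residual standard errors in magnitude.
    The fit includes every point, so a large anomaly also inflates the error
    estimate and tilts the line; it is still caught here, but with several
    anomalies a refit after dropping the flagged points is the safer check."""
    a, b = fit_ols(xs, ys)
    res = [y - predict(a, b, x) for x, y in zip(xs, ys)]
    s = math.sqrt(sum(r * r for r in res) / (len(xs) - 2))
    return [i for i, r in enumerate(res) if abs(r) > z * s]


def refit_without(xs, ys, drop):
    """Refit after excluding the flagged indices, to recover the underlying slope."""
    keep = [i for i in range(len(xs)) if i not in set(drop)]
    return fit_ols([xs[i] for i in keep], [ys[i] for i in keep])


if __name__ == "__main__":
    a, b = fit_ols(TEMPS, SALES)
    flagged = flag_unusual(TEMPS, SALES)
    print(f"fit on all days: sales = {a:.1f} + {b:.2f} * temp; flagged days {flagged}")
    a2, b2 = refit_without(TEMPS, SALES, flagged)
    print(f"refit without them: sales = {a2:.1f} + {b2:.2f} * temp")
    print(f"expected sales at 29 C: {predict(a2, b2, 29):.0f}")
```

Note how much the single overstated day moves the slope (from about 10 to nearly 13 units per degree) before it is removed: an anomaly distorts the expectation it is being compared against, which is why flagging and refitting go together.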

Project Scheduling Techniques

Accurate project scheduling techniques have long been a goal in project management. Internal auditing frequently works in project teams, which often suffer from poor project scheduling.

Program Evaluation and Review Technique (PERT)

This technique is used to identify diagrammatically dependent and independent activities. By showing graphically which activities cannot be started until previous activities have been completed and, at the same time, which activities can proceed simultaneously, the planner can allocate resources to those tasks having the most impact on the final completion deadline. This technique also takes into account operational constraints placed on the resources needed to carry out the tasks.


[Figure: PERT network diagram. Events A to I are joined by activities of between 1 and 4 days; the three routes from the start event A to the end event E are A-B-C-D-E, A-F-G-D-E and A-H-I-E, with the totals given below.]

The shortest time to get from A to E while completing all tasks is determined by calculating the longest path through the network:
➤ Path A-B-C-D-E takes 8 days.
➤ Path A-F-G-D-E takes 6 days.
➤ Path A-H-I-E takes 9 days.
This means that the bottom path is the critical path: any delay on it will postpone the final completion date. A delay on the middle path that does not exceed three days (its 6 days against the critical 9) will have no effect on the final completion date. Should the top path experience a delay of, for example, three days in any of its activities, the top path will then take eleven days to complete and will become the critical path. By the same token, if the time taken for the critical path can be reduced, the final completion date can be brought forward.

Critical Path Method (CPM)

The critical path method (CPM) is a scheduling tool that was developed independently of PERT but uses a similar diagram. However, CPM uses two time estimates, one for normal effort and one for ‘crash’ effort. ‘Crash’ time is the time required for completion if all available resources were committed to the task.

Gantt or Bar Charts

One of the simplest planning tools, requiring no mathematical calculations, is the Gantt chart. It is commonly used in organizing work and monitoring progress through the various stages of a simple project and involves the production of bar charts showing the start and completion times of individual project activities. The major drawback of these charts is their poor representation of interdependencies.
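The path arithmetic above is a forward and backward pass over the network, and doing it in code also yields the float of every activity, which is what the "how much delay can this path absorb" questions really ask. The block below is an added example and not from the textbook. The book gives only the three path totals; the split of those totals into per-activity durations is an assumption chosen so that the paths come to 8, 6 and 9 days as on the page, and the function names are this example's own.

```python
"""Added example, not from the textbook: a forward and backward pass over
the PERT network of the figure, giving the project duration, the float of
every activity and the critical path.  The book gives only the three path
totals (8, 6 and 9 days); the per-activity durations below are an assumed
split chosen to reproduce those totals."""

# (start event, end event): duration in days.  Assumed split, see above.
ACTIVITIES = {
    ("A", "B"): 2, ("B", "C"): 3, ("C", "D"): 2, ("D", "E"): 1,   # top path, 8 days
    ("A", "F"): 3, ("F", "G"): 1, ("G", "D"): 1,                  # middle path, 6 days
    ("A", "H"): 3, ("H", "I"): 4, ("I", "E"): 2,                  # bottom path, 9 days
}


def topological_order(activities):
    """Events in dependency order (Kahn's algorithm); rejects cyclic networks."""
    nodes = {n for arc in activities for n in arc}
    indeg = {n: 0 for n in nodes}
    for _, v in activities:
        indeg[v] += 1
    ready = sorted(n for n in nodes if indeg[n] == 0)
    order = []
    while ready:
        n = ready.pop(0)
        order.append(n)
        for u, v in sorted(activities):
            if u == n:
                indeg[v] -= 1
                if indeg[v] == 0:
                    ready.append(v)
    if len(order) != len(nodes):
        raise ValueError("activity network contains a cycle")
    return order


def schedule(activities):
    """Return (project_duration, {activity: total_float}, critical_path)."""
    order = topological_order(activities)
    earliest = {n: 0 for n in order}          # forward pass: earliest event times
    for n in order:
        for (u, v), d in activities.items():
            if u == n:
                earliest[v] = max(earliest[v], earliest[n] + d)
    duration = max(earliest.values())
    latest = {n: duration for n in order}     # backward pass: latest event times
    for n in reversed(order):
        for (u, v), d in activities.items():
            if v == n:
                latest[u] = min(latest[u], latest[n] - d)
    # Total float: how long an activity can slip without moving the end date.
    total_float = {(u, v): latest[v] - earliest[u] - d
                   for (u, v), d in activities.items()}
    # Walk zero-float activities from the start event to read off one critical path.
    path = [order[0]]
    while True:
        nxt = [v for (u, v), f in sorted(total_float.items())
               if u == path[-1] and f == 0]
        if not nxt:
            break
        path.append(nxt[0])
    return duration, total_float, path


def with_delay(activities, activity, extra_days):
    """Copy of the network with one activity lengthened, for what-if questions."""
    changed = dict(activities)
    changed[activity] += extra_days
    return changed


if __name__ == "__main__":
    duration, floats, critical = schedule(ACTIVITIES)
    print(f"project takes {duration} days; critical path {'-'.join(critical)}")
    for (u, v), f in sorted(floats.items()):
        print(f"  {u}-{v}: total float {f} day(s)")
    delayed, _, new_critical = schedule(with_delay(ACTIVITIES, ("B", "C"), 3))
    print(f"B-C delayed 3 days: {delayed} days, critical path {'-'.join(new_critical)}")
```

Under the assumed split the bottom path carries zero float, the top path one day and the middle path three days, so a three-day delay on B-C moves completion to eleven days and makes the top path critical, while a three-day delay on F-G leaves completion at nine. The same two passes, run once with normal and once with crash durations, are what CPM's two estimates feed.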

Simulations

Monte Carlo Simulations

Computers can be used to accelerate timescales by carrying out activities over and over again very rapidly. By combining this with the probability of events occurring, a sophisticated model can be built. One such approach is referred to as the Monte Carlo method. It uses the computer to simulate uncertainty through random behavior drawn from the probabilities entered, and then iterates the specified model many times to estimate its average performance and the spread around it.


Game Theory

The term game theory refers to mathematical models of optimal strategies under various incentive schemes. It is used in competitive environments to explore ‘what if’ scenarios. A non-zero-sum game is said to exist when a profit is generated that both participants can share. A zero-sum game denotes a situation where a profit simply transfers from a loser to a winner. Game theory helps an internal auditor to understand the reasons particular strategies are pursued in negotiation sessions or competitive price setting.

Queuing Theory

Businesses often have queues at service points. Eliminating these queues by increasing the number of service points would leave service points frequently unused and increase costs. Management must be able to decide how many service points should be provided. Queuing theory uses mathematical models to minimize the total cost for a given rate of arrivals. The minimized cost includes both service costs (facility and operating costs) and waiting costs (the idle resources involved in waiting in line or having service points idle).
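The Monte Carlo and queuing passages fit together naturally, so one added example serves both (it is not from the textbook): a seeded Monte Carlo simulation of a service counter with c servers, the analytic M/M/c (Erlang C) waiting time the simulation should converge to, and the service-cost-plus-waiting-cost trade-off that picks the number of service points. The arrival rate, service rate and hourly costs are constructed, the customers are assumed to arrive at random (Poisson) and be served in order of arrival with exponential service times, and the function names are this example's own.

```python
"""Added example, not from the textbook, serving the Monte Carlo and queuing
theory passages: a seeded Monte Carlo simulation of a multi-server queue,
the analytic M/M/c (Erlang C) waiting time it should converge to, and the
service-plus-waiting cost trade-off used to choose the number of service
points.  Rates and costs below are constructed."""
import math
import random

ARRIVALS_PER_HOUR = 8.0     # constructed: customers arriving per hour
SERVICES_PER_HOUR = 3.0     # constructed: customers one service point serves per hour
SERVER_COST = 20.0          # constructed: cost per service point per hour
WAITING_COST = 50.0         # constructed: cost per customer-hour spent in the queue


def erlang_c_wait(arrival_rate, service_rate, servers):
    """Mean time in queue for an M/M/c system (Poisson arrivals, exponential
    service, c servers, first come first served); infinite if unstable."""
    offered = arrival_rate / service_rate
    if servers <= offered:
        return math.inf                      # queue grows without bound
    rho = offered / servers
    tail = offered ** servers / math.factorial(servers) / (1.0 - rho)
    head = sum(offered ** k / math.factorial(k) for k in range(servers))
    p_wait = tail / (head + tail)            # probability an arrival must queue
    return p_wait / (servers * service_rate - arrival_rate)


def simulate_wait(arrival_rate, service_rate, servers, customers=20000, seed=1):
    """Monte Carlo estimate of the same quantity: draw random inter-arrival and
    service times, hand each arrival to the server that frees up first, and
    average the waits.  A fixed seed keeps the run reproducible."""
    rng = random.Random(seed)
    free_at = [0.0] * servers                # time each server becomes free
    clock, total_wait = 0.0, 0.0
    for _ in range(customers):
        clock += rng.expovariate(arrival_rate)
        i = min(range(servers), key=free_at.__getitem__)
        start = max(clock, free_at[i])
        total_wait += start - clock
        free_at[i] = start + rng.expovariate(service_rate)
    return total_wait / customers


def hourly_cost(arrival_rate, mean_wait, servers, server_cost, waiting_cost):
    """Service cost plus waiting cost; customers in queue = arrivals * wait (Little's law)."""
    return servers * server_cost + waiting_cost * arrival_rate * mean_wait


def choose_servers(arrival_rate, service_rate, server_cost, waiting_cost,
                   max_servers, wait_fn=erlang_c_wait):
    """Cost per hour for each server count and the count that minimises it."""
    costs = {c: hourly_cost(arrival_rate, wait_fn(arrival_rate, service_rate, c),
                            c, server_cost, waiting_cost)
             for c in range(1, max_servers + 1)}
    best = min(costs, key=costs.get)
    return best, costs


if __name__ == "__main__":
    for c in range(3, 7):
        analytic = erlang_c_wait(ARRIVALS_PER_HOUR, SERVICES_PER_HOUR, c)
        simulated = simulate_wait(ARRIVALS_PER_HOUR, SERVICES_PER_HOUR, c)
        print(f"{c} servers: analytic wait {analytic:.4f} h, simulated {simulated:.4f} h")
    best, costs = choose_servers(ARRIVALS_PER_HOUR, SERVICES_PER_HOUR,
                                 SERVER_COST, WAITING_COST, 8)
    print("cheapest service-point count:", best,
          {c: round(v, 1) for c, v in costs.items()})
```

With these constructed figures three service points are barely stable and expensive in waiting time, six are mostly idle, and five minimise the combined hourly cost; the simulated waits agree with the Erlang C values to within sampling error, which is the check to make before trusting a Monte Carlo model of a system that has no closed-form answer.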

Section 4: Business Analysis

Chapter 22: Corporate Governance

Learning objectives

After studying this chapter, you should be able to:
➤ Outline the corporate governance developments nationally and internationally affecting organizations
➤ Discuss the different corporate structures encountered in business organizations
➤ Outline briefly the nature and roles of the following stakeholders in achieving sound corporate governance practices:
◗ Investors or owners
◗ Boards of directors and management
◗ The audit committee
◗ External audit
◗ Internal audit
➤ Explain the impact of a risk-based approach in prioritizing the internal audit plan
➤ Determine the resource requirement in terms of staff competencies and availability to carry out the audit plan
➤ Explain the implications of outsourcing internal audit

International Corporate Governance Developments

The importance of good governance is widely recognized internationally and is driven by the requirements of the global economy for transparency, accountability and a shareholder-inclusive approach to economic, social and environmental stewardship. Since the Treadway Commission report on fraudulent financial reporting in the US in 1987, a number of commissions have been established in various countries to investigate corporate governance practices and make recommendations regarding, among other things:
➤ changes to legislation;
➤ corporate codes of ‘ethical’ conduct; and
➤ criteria for evaluating and reporting on corporate governance practices worldwide.
These include the Cadbury Report on corporate governance in the UK (1992),45 the Hampel Report in the UK (1998), the King Report in South Africa (1994),46 the Blue Ribbon Report in the US (1998),47 the King II Report in South Africa (2002), and in the UK, the more recent Smith Report (2003),48 entitled Audit Committees Combined Code Guidance, dealing with the role and responsibilities of ‘effective’ audit committees, and the Higgs Report (2003),49 entitled Review of the Role and Effectiveness of Non-executive Directors. In Europe there has similarly been much activity to strengthen corporate governance and company law standards, including the Cromme Code50 in Germany and the Bouton Report51 in France in September 2002.

45. Cadbury Commission. 1992. Report on the Financial Aspects of Corporate Governance. London.
46. Institute of Directors (IOD). 1995. The King Report on Corporate Governance for South Africa. Johannesburg: IOD.
47. Blue Ribbon Committee. 1998. Report and Recommendations of the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees. New York: New York Stock Exchange. (New York Stock Exchange Listed Company Manual 303.01: Audit Committees.)
48. Smith, Sir R. et al. 2003. Audit Committees Combined Code Guidance, a report and proposed guidance by a group appointed by the Financial Reporting Council chaired by Sir Robert Smith. London. January.
49. Higgs, D. 2003. Review of the Role and Effectiveness of Non-executive Directors, a report and recommendations to the Secretary of State for Trade and Industry. London. January.
50. Cromme, G. et al. 2002. Corporate Governance Report: lecture and conference discussions, and the German Corporate Governance Code. Germany.
51. Bouton, D. et al. 2002. Promoting Better Corporate Governance in Listed Companies. Paris: Association Française des Entreprises Privées, Association des Grandes Entreprises Françaises and Mouvement des Entreprises de France.

The Cadbury Commission was commissioned to report specifically on the financial aspects of corporate governance in response to some spectacular company collapses in the UK, such as BCCI, Polly Peck and Barings Bank. The Cadbury Report called for a strengthening of the board’s conformance and compliance role. The report advocated strengthening the role of independent non-executive directors and creating compliance committees staffed by these independent non-executive directors: audit committees, remuneration committees to oversee directors’ remuneration, and nomination committees concerned with the nomination of new directors to the board. Cadbury also recommended greater transparency on board matters and the separation of the role of chairman of the board from that of chief executive officer (CEO) of the business.

In 1998, the Hampel Committee in the UK consolidated these ideas into a set of Principles of Good Governance, and a Code of Best Practice for unitary boards of listed companies was incorporated into the listing rules of the London Stock Exchange as the Combined Code. The report recommended the following:
➤ Good corporate governance needs broad principles, not prescriptive rules. Compliance with sound governance practices, such as the separation of board chairmanship and the CEO function, should be flexible and relevant to each company’s individual circumstances and not reduced to what the report calls a ‘box-ticking’ exercise.
➤ Self-regulation is the preferred approach: no additional company legislation was considered necessary.
➤ The board is accountable to the company’s shareholders. There is no case for reassigning directors’ responsibilities to other stakeholder groups.
➤ The unitary board is totally accepted in the UK. There is no interest in alternative governance structures or processes such as two-tier boards.
These recommendations led to similar corporate governance initiatives in other countries, including the first King Commission Report on Corporate Governance in South Africa (1994), which followed the corporate collapses of the Masterbond group, Tollgate Holdings and the Supreme group in the late 1980s. More recently in South Africa, there have been the collapses of MacMed Medical Aid, Cape Trust Bank and Regal Treasury Bank.

Corporate governance is affected by the relationships among participants in the governance system. Controlling shareholders, who may be individuals, family holdings, bloc alliances, or other corporations acting through a holding company or cross shareholdings, can significantly influence corporate behavior. As owners of equity, institutional investors are increasingly demanding a voice in corporate governance in some markets. Individual shareholders usually do not try to exercise governance rights, but may be highly concerned about obtaining fair treatment from controlling shareholders and management. Suppliers also play an important role in some governance systems and have the potential to serve as external monitors over corporate performance. Employees and other stakeholders play an important role in contributing to the long-term success and performance of the corporation, while governments and securities exchanges establish the overall institutional and legal framework for corporate governance. The various reports all contain recommendations for enhancing corporate governance practices, some of which have subsequently been incorporated into changes in corporate legislation and the listing requirements of stock exchanges. The far-reaching Sarbanes-Oxley Act in the US imposes stringent legal requirements for sound corporate governance on all US SEC registrants, as well as their subsidiaries and associated entities, wherever in the world they operate. All contain references to the important role of audit committees and internal audit in assisting management to ensure the effectiveness of the corporate governance processes. Corporate governance can be defined in a variety of ways, but generally it involves the mechanisms by which a business enterprise is directed and controlled.
It concerns the mechanisms through which corporate management is held accountable for corporate conduct and performance. Corporate governance, in general, provides the framework within which the objectives of a company are set and the means of attaining those objectives and monitoring performance are determined. Good corporate governance requires the board and management to pursue objectives that are in the interests of the company and its shareholders, and therefore facilitates effective monitoring, which in turn encourages firms to use resources more efficiently. The corporate governance framework rests on the legal, regulatory and institutional environment. Factors such as business ethics and corporate awareness of the environmental and societal interests of the communities within which an organization operates can also have an impact on the reputation and the long-term sustainability of the organization. Corporate governance is based on the belief that corporate officers operate best when they are held to account for what they do. This involves holding the management of an organization responsible for its performance. It entails evaluation of the proper use of executive power, such that individuals with responsibilities are accountable for, and must be prepared to defend, their decisions. In public companies and financial institutions, the practical application of corporate governance involves the following aspects:
➤ separation of the roles of chairman and chief executive;
➤ a majority of non-executive directors on the board;
➤ the establishment of an audit committee with non-executive membership;
➤ the protection of the independence of external auditors;
➤ maintaining standards of financial reporting;
➤ the adoption of a company code of ethics;
➤ guidelines for the conduct of directors, in particular requiring avoidance of conflicts of interest and disclosure of benefits; and
➤ the identification of risk and risk management.
Within public sector (government) structures, the term ‘corporate governance’ represents a collection of practices aimed at ensuring management accountability and service delivery. Many of these are drawn from private sector practice, such as:
➤ risk management;
➤ financial reporting;
➤ a code of ethics;
➤ internal audit; and
➤ audit committees.
The South African Public Finance Management Act No. 1 of 1999 regulates financial management in the national and provincial governments and provides for the responsibility of people entrusted with financial management in these governments. A key responsibility is placed on the ‘accounting officer’, who is the head of the relevant public enterprise or department. The act clarifies the division of responsibilities between the accounting officer and the political head (called the ‘executive authority’, either a minister or MEC). The Guide for Accounting Officers, issued by the National Treasury in 2000, formally requires an accounting officer, among other things, to establish an internal audit function and audit committee. Chapter 6 of this publication, entitled ‘Corporate Management and Internal Controls’, indicates the structure, role and mandate to be embodied in an internal audit charter and the operation of the internal audit function. In addition, it provides for the composition of the audit committee, its role and duties, terms of reference and timing of meetings.

Corporate Stakeholders and Governance

The King II Report on Corporate Governance for South Africa (2002) identifies the seven primary characteristics of sound governance for listed companies, financial institutions and public entities set out in Table 22.1. King II recommends that these guiding principles be infused into the code of corporate practices and conduct of the organizations affected; they are valid principles for all organizations, albeit that their implementation by different companies and public sector entities may differ greatly. The report groups the key aspects of governance under the following headings:
➤ the constitution and operation of the board and its committees;
➤ performance evaluation and reward;
➤ risk management and internal control;
➤ sustainability;
➤ business ethics and organizational integrity;
➤ accounting and auditing; and
➤ disclosure practices.


Table 22.1: Characteristics of sound governance

Discipline: Commitment by the organization’s senior management to widely accepted standards of correct and proper behavior.
Transparency: The ease with which an outsider can analyse the organization’s actions and performance.
Independence: The extent to which conflicts of interest are avoided, such that the organization’s best interests prevail at all times.
Accountability: Addressing shareowners’ rights to receive, and if necessary to query, information relating to the stewardship of the organization’s assets and its performance.
Responsibility: Acceptance of all consequences for the organization’s behavior and actions, including a commitment to improvements where required.
Fairness: Acknowledgement of, respect for and balance between the rights and interests of the organization’s various stakeholders.
Social responsibility: The organization’s demonstrable commitment to ethical standards and its appreciation of the social, environmental and economic impact of its activities on the communities in which it operates (the so-called triple bottom line).

Every company has key stakeholders that bring it to life and influence its activities for better or worse during its existence. An ongoing debate is the extent to which corporate governance practices should be incorporated into legislation and policed, as opposed to relying on individuals and corporate structures to ‘do the right thing’ and allowing stakeholders and the capital markets to self-monitor and regulate the actions of the corporate leadership. This chapter discusses the roles of the following key players in ensuring that sound corporate governance practices are implemented:
➤ investors, qua owners;
➤ boards of directors and senior management;
➤ audit committees; and
➤ internal and external audit.
The roles of other corporate stakeholders such as employees, suppliers, customers and government are dealt with elsewhere in this book.

Investors, qua Owners

In the eighteenth century, when the concept of the joint stock corporation began to develop rapidly, the governance of corporations was dominated by the wishes of the dominant shareholders and by democracy between shareholders. Shareholders were relatively few in number, frequently held the majority of the shares, and were often appointed as executive directors. In this way, they were able to exercise a considerable degree of control and influence over day-to-day operations. In millions of smaller and owner-managed companies around the world, this is still the situation today. But for major corporations, particularly those that have their shares listed on a stock exchange and which may trade globally, the governance situation has changed significantly and their activities are subject to close scrutiny by the public, government agencies, ‘ethics monitoring groups’ and the media. In many countries, the shares of public listed companies are now held by thousands of very diverse shareholders: some are private individuals; a significant portion are institutional investors such as banks, pension funds, insurance companies and asset managers managing unit trust portfolios; and the remaining shares are held by other group companies, which might have strategic business relationships with the company. Nowadays, the ownership structures of major public companies around the world are often complex. Consequently, the first step in understanding the reality of corporate governance in any company is to understand the ownership structure and hence identify who has the potential to exercise power and influence over that company. In the past, most institutional investors failed to actively exercise their rights as shareholders, preferring to sell their shares rather than getting involved in challenging poor corporate performance. However, this trend has reversed in recent years, with some institutional investors, particularly in the US, the UK and Australia, becoming proactive, calling for boards to produce better corporate performance, questioning levels of directors’ remuneration, and calling for greater transparency on company finances and greater accountability from directors.

Board Structure, Roles and Responsibilities

The board of directors is the ultimate decision-making body in a company. The role of management is to run the enterprise; the role of the board of directors is to see that it is being managed responsibly and is able to meet its long- and short-term objectives. Generally, management operates as a hierarchy. Although the organization may not be a neat pyramid, there is an ordering of responsibility, with authority delegated downwards through the organization and accountability upwards to the CEO. By contrast, the board should not operate as a hierarchy. The members need to work together as equals, reaching agreement by consensus or, if necessary, by voting. In almost all legal jurisdictions, each director on the board bears the same fiduciary responsibilities under the law. Governance structures for organizations vary around the world, but three broad versions are generally recognized.
➤ In the unitary board model, all directors participate in a single board comprising both executive and non-executive directors in varying proportions. This approach to governance is generally shareholder-orientated. It is also called the Anglo-Saxon approach to corporate governance, and is the basis of corporate governance in the US, the UK, Canada, Australia and other Commonwealth countries, including South Africa.
➤ In the two-tier board model, corporate governance is exercised through two separate boards. The upper board supervises the executive board on behalf of stakeholders. This approach to governance is usually more society-orientated and is commonly referred to as the Continental European approach. It is generally the basis of corporate governance adopted in Germany, the Netherlands and, to some extent, France.
➤ The business network model reflects the cultural relationships seen in the Japanese keiretsu network, in which boards tend to be large, predominantly executive and often ritualistic. The power in an enterprise lies in the relationships between top management in the companies in such a network.
Notwithstanding structural differences between two-tier and unitary board systems, the actual board responsibilities and practices are similar. Both recognize a supervisory, or non-executive, function and a managerial, or executive, function, although the distinction between the two functions tends to be more formalized in the two-tier structure. Generally, both the unitary board of directors and the supervisory board (in the two-tier structure) are elected by shareholders, although, in some countries, employees may elect some supervisory body members as well. Typically, both the unitary board and the supervisory board appoint the members of the managerial body: either the management board in the two-tier system or the group of managers to whom the unitary board delegates authority in the unitary system. In addition, both the unitary board and the supervisory board have a responsibility for ensuring that financial reporting and control systems are functioning appropriately and that the company is in compliance with the laws and regulations essential for the continuing survival and operation of the organization. Each board system has been perceived to offer unique benefits. The one-tier system may result in a closer relationship and better information flow between the supervisory and managerial members; the two-tier system, however, provides a clearer, formal separation between the supervisory body and those being ‘supervised’.
With the influence of the corporate governance best practice movement, the distinct benefits traditionally attributed to each system appear to be lessening as practices converge. As described below, the corporate codes recommended by the various corporate governance commissions appointed in different countries express remarkable consensus on issues relating to board structure and the roles and responsibilities of board members. Many suggest practices designed to sharpen the distinction between the roles of the supervisory and managerial members of the boards, including supervisory body independence, separation of the chairman and CEO roles, and reliance on board committees comprising a majority of non-executive members. These expectations are often challenged on the grounds that non-executive directors cannot know as much about the business operations as the executive directors do and that, being part-time, and often with managerial responsibilities in other companies, they cannot devote sufficient time to the company’s affairs. In fact, non-executive directors do not need to know as much about the business as the executive directors. They do, however, need to know enough to make their contributions unique and critical within their particular experience and expertise, in order to challenge the activities of the board of directors and hold them accountable for good governance. Most, if not all, of the corporate codes place significant emphasis on the need for a supervisory body that is distinct from management in its decision-making capacity, for the objectivity needed to ensure accountability and provide strategic guidance. Codes that relate to unitary boards emphasize the need for some compositional distinction between the members of the unitary board and members of the senior management team. These codes invariably urge companies to appoint outside (or non-executive) directors, and King II introduces the concept of ‘independent’ non-executive directors being appointed to the board. ‘Independence’ in this context generally involves an absence of close family ties or business relationships with company management and the controlling shareholder(s). Codes that relate to unitary boards also frequently call for the positions of chairman of the board and CEO (or managing director) to be held by different individuals. (This is already usually the case in two-tier board systems.) Codes that relate to two-tier boards also emphasize the need for independence between the supervisory and managerial bodies. For example, like the unitary board codes, they tend to warn against the practice of naming more than one or two retired managers to the supervisory board, because it may undermine supervisory board independence. The JSE listing requirements include a condition that the chairperson and CEO positions be occupied by different people in listed companies. Failure to do so will result in a penalty of R1 million being imposed on the company. Instances have been encountered in the US and the UK where the ‘independent directors’ appointed have been hand-picked ‘cronies’ of the CEO, chairperson or president of the corporation, willing to do the bidding of the CEO and anything but ‘independent’. This led directly to recent recommendations for an independent nominations committee to be established by the board.

Board Committees Another interesting feature that has developed in the current demands for increased responsibility and accountability is for boards of directors of public companies to appoint greater numbers of non-executive, or independent non-executive directors to the board. These do not have executive responsibilities and are expected to provide a means of ensuring that the executive directors are held accountable for their management of the company. The codes reflect a trend toward reliance on board committees to assist the board of directors to discharge their responsibilities, particularly in areas where the interests of management and the interests of the company may come into conflict, such as in areas of audit, executive remuneration and nomination. All such committees should have formal terms of reference approved by the board of directors. Most corporate governance recommendations look for non-executive directors to be appointed as chairpersons of these committees and to comprise the majority of the members. The board committees recommended by King II include: ➤ a risk committee, with responsibility for the total process of risk management in the organization at a strategic and operational level, including ensuring the implementation of appropriate risk management and internal control frameworks; annual risk assessments and controls to manage significant risks identified; monitoring processes; and regular reporting of key risks to the board; ➤ a remuneration committee, with responsibility for performance evaluation, determining the remuneration of executive directors and service contract arrangements for executive directors; 212

Internal_Auditing.indb 212

16/04/2015 11:13

CORPORATE GOVERNANCE

➤ a nominations committee, for identifying suitable candidates and screening nominations to the board of directors; and
➤ an audit committee, with oversight responsibility for internal controls; approval of accounting policies; monitoring of the internal audit function; and the appointment and fee budget of the external auditors.
While recommendations concerning the appropriate composition of these committees may vary, the codes generally recognize that non-executive and, in particular, independent non-executive directors have a special role to play on these committees in monitoring the activities of management and the board of directors. All companies listed on the JSE are required to appoint an audit committee. A similar requirement is contained in the Public Finance Management Act applicable to public entities. King II recommends that the audit committee should comprise a majority of financially literate, independent directors. Where appointed, the terms of reference of any such board committee must be clear and should include at least:
➤ the extent of its powers;
➤ an indication of the responsibilities delegated to it;
➤ its lifespan;
➤ its role and functions;
➤ its reporting procedures; and
➤ its authority.
These should be approved by the board of directors. Disclosures by each committee as to its activities should be made in the annual report.

The Role of Audit Committees

An effective audit committee is seen as assisting management in the following areas:
➤ improving communication and increasing contact and understanding between management and the internal and external auditors;
➤ reviewing the performance of the internal and external auditors, thus increasing accountability;
➤ facilitating the imposition of discipline and control, thus reducing the opportunity for fraud; and
➤ strengthening the objectivity and credibility of financial reporting.
Concerns have been expressed that the constantly increasing expectations of members of audit committees have become unrealistic and have greatly increased the risk exposure of the individuals involved. The available pool of people ‘qualified’ to serve on audit committees is limited, and many are executive directors of other companies who, whilst they may have the experience, have limited time to spend on any one audit committee’s affairs. In times of increased accountability demands on directors, the non-executive directors serving on audit committees are finding that their personal risk exposure is greatly increased. It is likely that the remuneration of non-executive directors will be increased to take account of the higher risks they face. It is notable that in the case of the recent major corporate collapses, all had functioning audit committees which did not seem able to prevent the collapse and, in some instances, undoubtedly having

INTERNAL AUDITING: AN INTEGRATED APPROACH

inside information of the parlous state of affairs, were party to unethical actions and conduct in order to protect their personal interests in the company. An example of an audit committee charter is contained in Appendix B.

Audit Committee Responsibility for Internal Audit

The audit committee plays an important role in ensuring the independence of the internal audit function. The most recent recommendations in this regard are found in the Smith Report,52 which recommends a direct reporting responsibility for the internal auditor to the audit committee and suggests in paragraphs 5.10 to 5.13 that the audit committee should carry the responsibility for monitoring and reviewing the internal audit process, as follows:
➤ ‘The audit committee should monitor and review the internal audit activities. Where there is no internal audit function, the audit committee should consider annually whether there is a need for an internal audit function and make a recommendation to the board, and the reasons for the absence of such a function should be explained in the relevant section of the annual report.
➤ The audit committee should review and approve the internal audit function’s remit, having regard to the complementary roles of the internal and external audit functions. The audit committee should ensure that the function has the necessary resources and access to information to enable it to fulfill its mandate, and is equipped to perform in accordance with appropriate professional standards for internal auditors.53
➤ The audit committee should approve the appointment or termination of appointment of the head of internal audit.
➤ In its review of the work of the internal audit function, the audit committee should, inter alia:
◗ Ensure that the internal auditor has direct access to the board chairman and to the audit committee and is accountable to the audit committee;
◗ Review and assess the annual internal audit work plan;
◗ Receive a report on the results of the internal auditors’ work on a periodic basis;
◗ Review and monitor management’s responsiveness to the internal auditor’s findings and recommendations;
◗ Meet with the head of internal audit at least once a year without the presence of management; and
◗ Monitor and assess the role and effectiveness of the internal audit function in the overall context of the company’s risk management system.’
The requirement for the appointment of an audit committee for South African companies is presently contained in the JSE listing requirements and thus applies to listed companies only. The Public Finance Management Act requires all public entities regulated by the Act to appoint an audit committee, and the legislation regulating the various types of financial institutions similarly requires the appointment of an audit committee.

52. Smith et al. 2003. pp. 11–12.
53. Further guidance can be found in the IIA’s Code of Ethics and the International Standards for the Professional Practice of Internal Auditing (see Appendix A).

External Audit

In South Africa, external auditors are required by statute to be appointed for every company to report on the company’s annual financial statements, prepared in accordance with a generally accepted accounting framework. Previously, this framework was South African Statements of Generally Accepted Accounting Practice; with effect from January 2005 it is International Financial Reporting Standards (IFRS). In South Africa, the external auditor’s audit responsibilities are governed by the relevant company legislation, the Public Accountants’ and Auditors’ Act, and the regulatory requirements for particular industry sectors, such as the Banks Act, the Insurance Act and the Pension Funds Act, to mention a few. In addition, the client engagement letter should set out any additional services to be provided. Following the publication of the new IFAC Code of Ethics for Professional Accountants and the Sarbanes-Oxley Act in the US, the nature of additional services provided to audit clients is restricted, and care should be taken to ensure that any threats to the external auditors’ independence are dealt with and that their independence is not compromised in any way. The South African Auditing Standards (SAAS) were issued by the Public Accountants’ and Auditors’ Board and set out requirements for the performance of the audit and review of financial statements, as well as other assurance engagements. From 1 January 2005, South Africa adopted the full set of the IAASB’s International Engagement Standards, including the International Standards on Auditing (ISAs), International Standards on Review Engagements (ISREs), International Standards on Assurance Engagements (ISAEs) and International Standards on Related Services (ISRSs).
From the perspective of the audit of financial statements, external audit does not report specifically on the corporate governance practices of the entity; however, the increased corporate governance disclosures in the published audited financial statements of listed entities required by securities exchanges around the world have resulted in changes to auditing standards internationally, including additional requirements on auditors for fraud detection and for the communication of significant weaknesses in internal control to those responsible for organizational governance. The Sarbanes-Oxley Act requires an independent external audit of the effectiveness of internal controls over the financial reporting of US-listed entities.

Internal Audit

So how do these corporate governance developments, nationally and internationally, affect what an internal auditor does? The IIA Standards and Code of Ethics (see Appendix A) define the objective of internal auditing as follows:
‘Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.’

King II contains the same definition of internal audit, as does the Public Finance Management Act. Consequently, in order to perform the internal audit function, internal auditors have to be aware of corporate governance developments and the implications for their work in the organizations in which they are employed, or to which they provide management assurance services. The IIA Standards also recognize the following:
‘Internal audit activities are performed in diverse legal and cultural environments; within organizations that vary in purpose, size, and structure; and by persons within or outside the organization. These differences may affect the practice of internal auditing in each environment.’

And, in dealing with the responsibility of internal audit for governance matters, IIA Standard 2130: Governance states the following:
‘The internal audit activity should contribute to the organization’s governance process by evaluating and improving the process through which (1) values and goals are established and communicated, (2) the accomplishment of goals is monitored, (3) accountability is ensured, and (4) values are preserved.’

The worldwide demands for improved governance processes and accountability have significantly changed the role and standing of internal auditors within an organization over the past ten years, moving their focus from primarily auditing controls over transactions to playing a key role in supporting management’s self-assessments in order to manage business risks more effectively and so ensure the sustainability of the organization. Figure 22.1 reflects the changes in the role of internal audit that have occurred during the past ten years in listed companies and public entities. What will quickly become apparent from this figure is that as the focus of internal audit has changed, the skills needed by internal audit personnel have had to adapt and change:
➤ Reactive: The initial focus was on auditing transactions in order to provide assurance regarding financial risks within an organization.
➤ Proactive: This role developed into one of participating with management in identifying risks that could lead to losses through weak or ineffective controls.
➤ Strategic: The role developed still further into the current one of supporting the risk committees of the board to identify and assess strategic and operational risks, and to provide cost-effective methods of dealing with them.
Not least has been the need for internal auditors to make greater use of sophisticated technology and knowledge management systems in order to develop key performance indicators and benchmark performance targets to assess the strategic and business process risks critical for the sustainability of often complex and global organizations. In addition, the importance of technology and systems and of business continuity plans must be recognized, and accordingly internal audit staff must develop the necessary technological skills to assess an organization’s controls and business processes.
This is necessary to enable an internal auditor to present focused, high-level and concise reports to the risk committee and board of directors regarding risk management issues, so that they in turn can make better-informed decisions for managing the organization.

Figure 22.1: The developing role of internal audit (diagram). We wish to thank PricewaterhouseCoopers Inc. for permission to use this diagram.

King II recommendations for internal audit may be summarized as follows:
➤ An effective internal audit function should be established, or outsourced, as an independent and objective provider of assurance and advice.
➤ Internal audit should implement a systematic, disciplined approach focusing on evaluating and improving the effectiveness of:
◗ risk management,
◗ control, and
◗ governance.
➤ Internal audit should have the respect of and co-operation from the board of directors and executive management. To this end, the audit committee should concur in the appointment/dismissal of the head of the internal audit function or professional service provider.
➤ Internal audit should have an internal audit charter defining its role, responsibility and authority (an example of which appears in Appendix C).
➤ Internal audit should report findings to an appropriate level in the organization – the CEO or audit committee – and should report at each audit committee meeting on the internal audit risk assessments and consequent activities and internal audit plans. Internal audit should have direct and regular access to the chairperson of the board of directors and the chairperson of the audit committee.
➤ Internal audit should adopt a risk-based approach to its audit plans and co-ordinate its activities with external audit and other assurance providers.

A Risk-based Approach to Internal Audit

The principles to be followed when developing any internal audit plan are set out in IIA Standard 2210: Engagement Objectives as follows:
➤ ‘The engagement’s objectives should address the risks, controls, and governance processes associated with the activities under review.’

➤ ‘When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment’ (IIA Standard 2210.A1).
➤ ‘The internal auditor should consider the probability of significant errors, irregularities, non-compliance, and other exposures when developing the engagement objectives’ (IIA Standard 2210.A2).

These standards are in line with the principles of corporate governance discussed earlier in this chapter. Readers are referred to Practice Advisory 2210.A1-1, which provides further guidance in this regard, and to Chapter 6 for a detailed discussion of the risk-based approach to internal audit.

Resourcing Internal Audit

IIA Standard 2230: Engagement Resource Allocation states the following:
‘Internal auditors should determine appropriate resources to achieve engagement objectives. Staffing should be based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.’

Clearly, this will involve an evaluation of the following aspects:
➤ the number and experience level of internal audit staff required, based on the nature and complexity of the engagement, time constraints and available resources;
➤ the knowledge, skills and other competencies of the internal audit staff;
➤ the opportunity the engagement provides for meeting the training needs and development of internal audit staff and of the internal audit activity being performed; and
➤ the use of outsourced resources where the organization does not have, or is unable to develop, the particular expertise required, eg where a forensic audit is required for a fraud investigation.
As with any other department or function in an organization, internal audit will probably experience a turnover in staff, with ongoing recruitment and training implications. Many organizations use internal audit as a means of exposing staff who show potential for growth to the operation’s risks, controls and business processes before moving them into middle management positions in the organization. This staff movement will also mean that at times the internal audit function may lack particular skills needed to perform particular engagements. In such circumstances, the expertise may be sought from professional firms offering internal audit or management assurance services to clients.

Outsourcing Internal Audit

The internal audit standards recognize that management may decide that internal audit functions should be outsourced to an independent external management assurance provider. In such cases, IIA Standard 2210.C1 states the following:
‘Consulting engagement objectives should address risks, controls, and governance processes to the extent agreed upon with the client.’

As the demands for improved corporate governance increased, many existing internal audit functions in organizations failed to anticipate the changing role of internal audit and remained in a reactive role focused on transaction auditing. In addition, the requirement of the Public Finance Management Act that internal audit functions be appointed at all public entities in South Africa found the internal audit profession very short of suitably qualified persons for appointment. The large professional firms of accountants and auditors recognized this market opportunity and moved aggressively into the gap to offer internal audit or management assurance services to organizations, drawing on established firm reputations and often offering better technologies to provide strategic and business process risk assessments and more streamlined internal audit engagements. The collapse of Enron, where the external auditors, Arthur Andersen, had been heavily involved in providing both external and internal audit services, as well as other consulting services, sounded alarm bells through the profession and resulted in the Sarbanes-Oxley Act preventing the external auditors of US-listed corporations from offering, among other things, internal audit services to their external audit clients. Such services are regarded as a threat to external auditor independence. Consequently, different professional firms will generally be involved in providing external and internal audit services to a client where the latter are outsourced. The scope of outsourced internal audit services must be agreed with management. These services may involve a full internal audit service or, where the organization also employs internal auditors in-house, may involve the external service providers in specific areas of internal audit.
Confidentiality and auditor liability issues arise for outsourced internal audit engagements, as do issues around access by the external auditors to working papers prepared for the outsourced internal audit engagement, and consultation with external auditors of the organization. These should be dealt with in the engagement letter appointing the external assurance providers.

Chapter 23: Financial Accounting and Finance

Learning objectives

After studying this chapter, you should be able to:
➤ Discuss briefly current developments in international financial reporting standards
➤ Explain the role of internal audit in the financial reporting process
➤ Discuss the role and responsibilities of internal audit in the appointment of external audit and outside consultants
➤ Explain how internal audit co-ordinates its plans and activities with those of the external auditors
➤ Discuss the circumstances under which external audit may use the work performed by internal audit in the corporate governance and financial reporting process
➤ Explain the possible role and responsibilities of internal audit in the quarterly and annual financial reporting review process
➤ Discuss the implications for internal audit of the worldwide move by listed companies to comply with international financial reporting standards

Financial Reporting

It is assumed that CIA students and others using this book will have completed undergraduate courses in financial accounting and corporate finance. Consequently, this chapter concentrates on the application of that knowledge in practice and does not discuss the conceptual framework for accounting, nor individual accounting standards. Nevertheless, it is worthwhile considering the reporting of financial information in the published accounts of an organization. To be useful, financial information must have certain characteristics, namely:
➤ Reliability, where the financial information can be depended upon to represent accurately the present state of financial affairs of the organization. This involves ensuring:
◗ neutrality, such that the information is not biased;
◗ verifiability, so that independent evaluators can reach the same conclusions using the same methods;
◗ faithful representation, such that the financial statements are in agreement with the actual events they purport to represent.
➤ Comparability, such that the financial statements of the organization can be compared to those of other similar organizations.
➤ Relevance, where information must be usable and appropriate in decision-making. This means that information must:
◗ have a predictive value, such that the outcome of future events can be reliably predicted;
◗ have a feedback value, such that reality can be compared to prior expectations;
◗ be of a timely nature, such that the information is still relevant to decision-making.
➤ Consistency, such that the financial statements are comparable over periods of time.
Financial statements are generally taken to consist of ten specific elements:
➤ Assets are defined as probable future economic benefits controlled by an organization as a result of previous transactions or events.
➤ Liabilities are probable future sacrifices of economic benefits as a result of current or previous transactions or events.
➤ Equity is the balance of assets remaining after deducting liabilities.
➤ Revenues are associated with the gross increase in assets or decrease in liabilities and can be recognized by different methods depending on the circumstances of the organization.
➤ Expenses are associated with the gross decrease in assets or increase in liabilities as a result of the organization’s operations.
➤ Investment by owners increases the equity by transferring assets of value to an entity, resulting in an increase in ownership interest.
➤ Distribution to owners decreases the equity by transferring equity to the owners.
➤ Gains are defined as those increases in equity resulting from transactions affecting the organization, except those resulting from investment by owners or normal revenues.
➤ Losses are classed as decreases in equity from transactions and other circumstances, except those resulting from normal expenses or distributions to owners.
➤ Comprehensive income is defined as the change in equity during the period that is not caused by investments by owners or distributions of equity to owners.
Many global companies boast turnovers and net assets in excess of the gross domestic product of small countries and exercise considerable political and economic influence.
In order to gain access to capital internationally to finance their operations, many of these organizations are listed, for example, on the New York Stock Exchange or the NASDAQ in the US, the London Stock Exchange in the UK, the Hong Kong Stock Exchange, stock exchanges in several European countries and the Johannesburg Securities Exchange in South Africa. Each stock exchange has strict requirements with which listed companies must comply, including requirements to comply with national or international financial reporting standards. IOSCO, the international organization of securities regulators, has also influenced international developments towards common standards of accounting internationally. Globalization of business operations is probably the most significant change agent for accounting standards that has occurred during this period. It has led to demands by businesspeople for comparable national and international standards in the accounting treatment of transactions and disclosures in financial statements, to make financial reporting comparable and comprehensible to users.

The field of financial accounting has undergone sweeping changes in the past ten to 20 years, with accounting standards being developed nationally and internationally by standard setters that seek to harmonize the ‘generally accepted accounting frameworks’ of different countries with those developed internationally. In spite of this, there are differences between the standards of several major countries and international standards. The International Federation of Accountants (IFAC) and the International Accounting Standards Board (IASB) have led with the promulgation of the International Financial Reporting Standards (IFRS), which dozens of countries around the world are adopting as the accepted standards of financial reporting for both listed and unlisted companies. The ongoing collapses of large corporate entities in the US, the UK, Europe, Australia, South Africa and many other countries are frequently followed by claims that, in addition to blatant fraud by top management, companies have misapplied accounting standards or manipulated them to misstate their financial results, or have used inappropriate accounting policies to mislead their shareholders and the public with fraudulent financial reporting. There is a need to achieve greater accountability and transparency by all organizations, whether profit-making, non-profit-making or governmental. Consequently, management and regulators are looking to internal audit and audit committees for assistance to improve the governance and financial reporting process.

Auditing the Financial Reporting Process

IIA Practice Advisory 2120.A1-4: Auditing the Financial Reporting Process identifies the following activities in which internal audit is likely to become involved when evaluating the internal controls that ensure the reliability and integrity of an organization’s financial reporting, and providing support for the organization’s governance process and the oversight responsibilities of the board of directors and its audit committee.
‘Financial Reporting
➤ Providing information relevant to the appointment of the independent accountants.
➤ Co-ordinating audit plans, coverage, and scheduling with the external auditors.
➤ Sharing audit results with the external auditors.
➤ Communicating pertinent observations with the external auditors and audit committee about accounting policies and policy decisions (including accounting decisions for discretionary items and off-balance sheet transactions), specific components of the financial reporting process, and unusual or complex financial transactions and events (eg related-party transactions, mergers and acquisitions, joint ventures, and partnership transactions).
➤ Participating in the financial reports and disclosures review process with the audit committee, external auditors, and senior management; evaluating the quality of the financial reports, including those filed with regulatory agencies.’

Appointment of External Auditor and Consultants

An internal auditor’s participation in the selection, evaluation or retention of an organization’s external auditors may vary from no involvement in the process, to advising management or the audit committee, providing assistance or participating in the process, managing the process, or auditing the process. The audit committees of many large organizations are given the responsibility for advising the board of directors on external audit, and the head of internal audit advises on appointments and approves external and internal audit fee budgets. The IIA Standards require internal auditors to share information and co-ordinate activities with other internal and external providers of relevant assurance and consulting services. Depending on the circumstances of the particular internal audit structure within an organization, internal auditors may have some involvement in the selection or retention of the external auditors and in the definition of the scope of the work required, in addition to the external auditor’s statutory responsibilities (further guidance is provided in IIA Practice Advisory 2050-2). Appropriate policies for the selection or retention of external audit services should consider addressing the following attributes:
➤ board or audit committee approval of the policy;
➤ the nature and type of services covered by the policy;
➤ the duration of the contract, the frequency of the formal request for services and/or of determining whether to retain the existing service providers;
➤ participants or members of the selection and evaluation team;
➤ any critical or primary criteria that should be considered in the evaluation;
➤ limitations on service fees and procedures for approving exceptions to the policy; and
➤ regulatory or other governing requirements unique to specific industries or countries.
The board of directors will also address the acquisition of consulting services, other than financial statement audits, that may be offered by external audit firms, and may delegate responsibility for negotiations to the audit committee.
These may include:
➤ tax services;
➤ consulting and other non-audit services;
➤ internal audit outsourcing and/or co-sourcing services;
➤ other outsourced or co-sourced services;
➤ special services, such as agreed service engagements;
➤ valuation, appraisal and actuarial services;
➤ temporary services such as recruiting, bookkeeping and technology services; and
➤ legal services provided by external audit firms, such as forensic investigations.
A word of warning must be sounded here. Following the collapse of Enron and WorldCom in the US, the Sarbanes-Oxley Act severely restricts the nature of the consulting services that an external auditor may provide to an audit client listed on the New York Stock Exchange or NASDAQ, wherever in the world the organization may have operations. This is intended to reinforce auditor independence and prevent conflicts of interest. For example, an external audit firm may not provide both external and internal audit services to the same US-listed client. The large audit firms worldwide have responded by selling off their consulting activities to independent organizations and distancing their audit and assurance services from their consulting services. Some of the large audit firms have moved their statutory audit services into incorporated companies and formed separate private companies to handle the audit firm’s other assurance services, such as tax and audit advisory activities. This enables the audit firm to offer its services under the same firm branding while limiting its liability on the non-statutory, other assurance and related services engagements. Arrangements for external audit engagements and other assurance and related services should be documented in a letter of engagement signed by both the service provider and the engagement client. Internal auditors should determine how an organization monitors ongoing service activities from external auditors. Compliance with the terms of service contracts and other agreements should be assessed on a periodic basis. Assessment of the independence of the external auditors should include internal audit participation, be performed at least annually, and be communicated to the audit committee.

Audit Plans and Co-ordination with External Audit

Since audit fees are substantial, the board of directors will generally want to ensure that where an effective internal audit function exists, whether internal or outsourced, the external auditors make use of the relevant aspects of the work of internal audit to reduce the extent of work that they need to perform. The external auditors will then consider the scope of the internal audit activities at the planning stage and, in consultation with the internal auditors, identify those areas where they may be able to use the work of internal audit and areas where the activities of the internal and external audit teams must be co-ordinated.

External Auditors’ Use of the Work of Internal Audit

The extent of use made by the external auditors will depend on their assessment of the independence, competence and effectiveness of the internal audit function, as well as the relevance of the scope and nature of work performed that may provide evidence required for the external audit of the financial statements. Hence the importance of internal audit involvement in auditing the effectiveness of an organization’s corporate governance processes and controls designed to ensure the integrity of the financial reporting process. IIA Practice Advisory 2120.A1-4 recognizes that an important role of internal audit is to report on their assessment of the effectiveness of the organization’s financial reporting, governance and control processes to the audit committee. The work that may be performed by internal audit in this regard that could be used by external audit includes the aspects discussed below.

Corporate Governance Controls

This involves:
➤ reviewing corporate policies relating to compliance with laws and regulations, ethics, conflicts of interest, and the timely and thorough investigation of misconduct and fraud allegations;
➤ reviewing pending litigation or regulatory proceedings bearing on organizational risk and governance; and
➤ providing information on employee conflicts of interest, misconduct, fraud and other outcomes of an organization’s ethical procedures and reporting mechanisms.

Corporate Controls over the Financial Reporting Process

This involves:
➤ reviewing the reliability and integrity of the operating and financial information compiled and reported by an organization;
➤ performing an analysis of the controls for critical accounting policies and comparing them with preferred practices, eg transactions in which questions are raised about revenue recognition or off-balance sheet accounting treatments should be reviewed for compliance with appropriate national GAAS or IFRS and applicable laws and regulations;
➤ evaluating the reasonableness of estimates and assumptions used in preparing operating and financial reports;
➤ ensuring that estimates and assumptions included in disclosures or comments are in line with underlying organizational information and practices and with similar items reported by other companies, if appropriate;
➤ evaluating the process of preparing, reviewing, approving and posting journal entries; and
➤ evaluating the adequacy of controls in the accounting function.

The Financial Reporting Review Process

IIA Practice Advisory 2120.A1-4: Auditing the Financial Reporting Process identifies the following role and responsibilities for internal audit.
➤ ‘Assessing the adequacy and effectiveness of the organization’s internal controls, specifically those controls over the financial reporting process; this assessment should consider the organization’s susceptibility to fraud and the effectiveness of programs and controls to mitigate or eliminate those exposures.
➤ Monitoring management’s compliance with the organization’s code of conduct and ensuring that ethical policies and other procedures promoting ethical behavior are being followed; an important factor in establishing an effective ethical culture in the organization is when members of senior management set a good example of ethical behaviour and provide open and truthful communications to employees, the board, and outside stakeholders.’

Section 302 of the Sarbanes-Oxley Act places sweeping responsibilities on the CEO and CFO to certify in each quarterly and annual report of US listed companies lodged with the SEC:
➤ the truth and fairness of the reports;
➤ the effectiveness of the financial reporting controls and that any significant deficiencies in such controls have been disclosed to the auditors and audit committee;
➤ whether any fraud has occurred involving management; and
➤ whether any corrective actions have been taken regarding significant deficiencies in controls.

Heavy penalties, including jail sentences and substantial fines, may be imposed on any CEO or CFO who fails to comply with these requirements.

IIA Practice Advisory 2120.A1-4 suggests that the internal audit function should allocate the internal audit’s resources to the financial reporting, governance and control processes in a way that is consistent with an organization’s risk assessment. Internal audit should perform procedures that provide a level of assurance to senior management and the audit committee that controls surrounding the processes supporting the development of financial reports are adequately designed and effectively executed. The controls should be adequate to ensure the prevention and detection of significant errors, irregularities, incorrect assumptions and estimates, and other events that could result in inaccurate or misleading financial statements, related notes or other disclosures.

The roles and responsibilities of the internal and external auditors for providing assurance that management has met its obligations need to be clearly defined. This will affect the extent to which the external auditors may be able to use internal audit procedures and findings.

The push for the standardization of global accounting and financial reporting standards and increasing acceptance of IFRS has resulted in thousands of companies worldwide having to bring their accounting policies and disclosures in line with IFRS. In some cases, this has meant changes in the financial accounting processes; controls; and the recognition, measurement and recording of transactions. Many internal and external auditors are engaged in projects to assist management to make the necessary changes to systems and perform analyses of transactions that provide the basis for adjustments to accounting records and financial statement disclosures. In addition to a sound knowledge of financial accounting principles, both internal and external auditors involved in performing financial reporting reviews need to familiarize themselves with their national accounting standards and international standards applicable to organizations.

Internal Controls over Financial Reporting

Internal controls cannot ensure success. Bad decisions, poor managers or environmental factors can negate controls. Also, dishonest management may override controls and ignore or stifle communications from subordinates. An active and independent governing board that is coupled with open and truthful communications from all components of management and is assisted by capable financial, legal and internal audit functions is capable of identifying problems and providing effective oversight.

Section 404 of the Sarbanes-Oxley Act requires the annual report of US listed companies to include an assessment by management of the effectiveness of the internal control structures and procedures for financial reporting. The external auditor of an organization is required, as part of the audit of the financial statements, to attest and report on management’s assessment. Continuous internal audit work in this area throughout the financial year can help management gain assurance regarding the effectiveness of the controls, as well as providing early identification of significant weaknesses and assistance with changes to address such weaknesses. An important factor, however, is the authority that internal audit has to recommend changes to management.

However, we should not lose sight of the other important areas where internal auditors perform valuable work to assist management, such as their strategic and business process risk analysis and procedures to examine and assess controls in a variety of operational and verification areas that do not directly affect the integrity of the financial reporting. Nonetheless, as this chapter has indicated, internal audit can and should fulfill a very important role in helping management to restore confidence in the financial reporting process of organizations.

Chapter 24: Cost and Managerial Accounting

Learning objectives

After studying this chapter, you should be able to:
➤ Explain the importance of cost and managerial accounting principles for the work of an internal auditor
➤ Discuss how an internal auditor can add value to management in auditing aspects of costing systems
➤ Describe some of the important cost and managerial accounting principles
➤ Discuss briefly the different audit work that an internal auditor may perform in respect of an organization’s costing systems
➤ Explain the principles underlying cost and revenue decision models and the role of internal audit in management’s decision processes
➤ Discuss briefly the issues that arise in determining cost allocations and how this affects the evaluation of management
➤ Explain briefly the nature of quality control costs and the work of an internal auditor in this regard

The Importance of Cost and Managerial Accounting Principles

It is assumed that CIA students and others using this book will have completed undergraduate courses in managerial and cost accounting. There are also many excellent texts published in this field. Consequently, this chapter examines briefly why it is important that an internal auditor understands the principles of managerial and cost accounting and how they may be applied in his/her work.

As every business works with limited resources, management is concerned with managing the costs of its business processes effectively, efficiently and economically to achieve the various objectives of the business. To mention a few examples, these may include management plans to:
➤ maximize profits;
➤ become the market leader in the industry or field;
➤ meet promised delivery targets;
➤ penetrate new markets, eg going global or using online marketing to expand;
➤ develop new products;
➤ manage environmental issues;
➤ meet black economic empowerment (BEE) targets; and
➤ meet social and community commitments.

One of the roles of an internal auditor is to assist management to improve organizational performance. Consequently, he/she may be involved in conducting auditing procedures that evaluate the effectiveness, efficiency and economy of different aspects of a business’ processes. The internal audit objectives may be to determine whether these processes do in fact achieve the strategic and operational objectives of the organization and to provide positive and negative feedback to management. Threats identified and communicated should result in appropriate responses by management. In this way, internal audit contributes value to organizational performance and the quality of the management process.

An internal auditor may often be called on to conduct performance audits. Performance audits require a sound understanding of a business and its various business and costing processes. Failure to understand the nature of the business may result in an internal auditor focusing on the wrong aspects or failing to identify a key threat to the business processes, with the result that he/she cannot make meaningful recommendations. In addition to the complexity of the particular costing systems in use, an internal auditor may find it difficult to decide what benchmarks are appropriate in order to determine whether the processes are operating effectively, efficiently and economically and to identify which particular aspect is more critical to the performance audit being conducted.

A Value Chain for Business

The seven categories below suggested by Horngren et al.54 illustrate very simply a typical value chain of a manufacturing business. Every aspect of the value chain will comprise a number of different, often interrelated, business processes, giving rise to both direct and indirect costs and revenues. Management are faced with making cost-benefit operational decisions on a daily basis that affect the effectiveness and efficiency of the business processes and the profitability of the organization. Depending on the particular performance audit being conducted, an internal auditor will need to obtain a sound understanding of the costs and costing systems applied or the revenue implications of the various processes in order to audit their effectiveness, efficiency and economy.
➤ Strategic and resource management represents the senior management and other resources that facilitate the operational business processes, such as human resource recruitment, training and deployment; capital investment, such as buildings, plant and equipment and information technology; accounting; general administration; and an understanding of, and compliance with, the legal environment in which the business operates.
➤ Research and development involves the generation of new products, services and improved production processes.
➤ Design involves the detailed planning, design and engineering of the ideas from research and development.
➤ Production includes the management of supplier relationships and the procurement of raw materials at optimal price and delivery; the use of labor, plant and equipment in the manufacturing process; and the outputs, comprising finished goods or services.
➤ Marketing includes the marketing of the organization’s products and services to potential purchasers; the conducting of market surveys and management of customer relationships; and the development of new markets.
➤ Distribution includes the means by which the organization’s products and services are delivered to the customer, whether through multiple distribution points, physical delivery or services performed at customers’ premises.
➤ Customer service includes after-sales service, maintenance and support to customers who have bought the organization’s products or services.

54. Horngren, C.T., Foster, G. & Datar, S.M. 1994. Cost Accounting: A Managerial Emphasis. 8th ed. Englewood Cliffs: Prentice Hall. p. 3.

In order for management to make sound business decisions, the information provided by the management accounting systems must have integrity and be focused and relevant. Management will often establish benchmarks or key performance indicators against which to continuously evaluate the actual performance or outputs from the different business processes, in order to control costs and optimize productivity and revenues.

An internal auditor may therefore be asked to report on, or may identify, the following areas for audit:
➤ key aspects of the management information system and its controls, in order to verify the integrity of the information being reported to management;
➤ the analysis of particular cost aspects and behavioral aspects affecting the effectiveness, efficiency and economy of the business processes, and the achievement of the key performance indicators or benchmarks set by management; and
➤ the causes and quantum of unexpected losses, waste and fraud in any of the business processes or individual areas of the value chain. (Internal audits for losses, fraud and waste are dealt with more fully in Section 6.)

The reports of the internal auditor on any of these aspects should inform the strategic and operational decisions of management. Thus it is important that the internal auditor understands the basic principles underlying costing systems in order to ensure that appropriate audit procedures are applied, correct analyses of costs are performed, and weaknesses in internal controls or business processes affecting costs are identified and reported promptly to management.

The Public Sector

Public sector or government organizations do not have a profit motive, but do have a service delivery level to meet with limited budgets and targets set by national and local government departments. Consequently, the concerns of management in public sector entities will focus on whether taxpayers’ monies have been used for the purposes for which they were intended. Thus, the focus of the head of a department and senior department management, for example, may be to establish whether:
➤ controls over the tendering process at the procurement stage to obtain optimum supply costs and delivery terms are effective and reduce the risk of bribery and corruption;
➤ government policy imperatives, such as the alleviation of poverty; and
➤ service delivery of goods and services promised to the public have been met, such as whether:
  ◗ access to running water and electricity is provided to areas that have never previously received such services; or
  ◗ the roll-out of medical programmes is implemented in accordance with policy directives at government hospitals and clinics and is being complied with.

These are a few examples of the imperatives that government departments may seek to meet and for which these departments will implement controls and operational processes. Since such departments also incur both direct and indirect costs, an internal auditor in the public sector similarly needs to understand the basis for allocating costs according to departmental budgets and the types of performance and compliance requirements that have to be met in order to identify problems and report on them.

Cost Accounting Principles

An internal auditor needs to be familiar with the many terms encountered in costing systems. Most important of these is the distinction among:
➤ direct costs, which are related to the cost object and can be attributed to it in a feasible way;
➤ indirect costs, which are related to the cost object but cannot be attributed to it in a feasible way. Indirect costs are then allocated or assigned to the cost object using an appropriate cost allocation method;
➤ variable costs, which change in direct proportion to the volume of outputs; and
➤ fixed costs, which do not vary with volumes produced, eg factory rentals, payable irrespective of production volumes.

Different costing approaches and their implications will be encountered. These will be determined not only by the specific business and product or service provided, but also by the types of costing systems generally in use in the sector that the organization is engaged in, such as the manufacturing, service and merchandising sectors. An internal auditor may become involved in operational audits to determine the reasonableness of costs attributable to inventory and work in process.
➤ Inventory for the services sector (professional services of accountants and auditors, lawyers, banking services) will generally be negligible.
➤ In the merchandising sector (such as retail outlets for consumer goods), significant levels of inventory comprising finished goods purchased for resale may be carried at any period end.
➤ Organizations in the manufacturing sector will generally distinguish among raw materials inventory, work in process and finished goods inventory. Work in process and finished goods will usually include the direct cost of materials and direct manufacturing labor costs, with an allocation of manufacturing overhead costs assigned on an appropriate costing basis.

Care has to be taken that costs included in inventory that should be expensed in the accounting period are not included in inventory values carried forward to the following financial period.

The allocation of costs incurred within service departments is normally taken to be part of the indirect costs known as overheads. These costs are normally allocated to production departments based on the proportion of services which are used. The three most commonly used methods of such allocation are:
➤ Direct method, which allocates service department costs to production departments using the proportional use of their services as a basis. This method ignores the use of service departments by other service departments.
➤ Step-down method, which includes an allocation of service department cost to other service departments. The method starts by the allocation of costs from the service department providing the highest percentage of its total services to service departments and is stepped down from there. No attempt is made to reciprocate costs.
➤ Reciprocal method, which is the most complex model, reflecting the allocation of each service department’s costs to other service departments prior to calculating the allocation to other users. This system uses simultaneous equations to calculate the costs.

An internal auditor called upon to review the profitability of particular product lines needs an understanding of the cost-profit-volume (CPV) analysis for determining the breakeven point and contribution margins of the revenues generated by an organization. Any analysis is subject to uncertainties, and management may often look for ‘what if’ scenarios to be presented involving the application of a sensitivity analysis allowing for changes in the original predicted data or changes in the underlying assumptions. These approaches are discussed in detail in Chapter 21.

Depending on the type of products or services manufactured, an organization may assign costs to its products by means of either a job costing system or a process costing system.
➤ The job costing system will be encountered where a distinct, separately identifiable product or service results, and occurs frequently where a job is custom-made for a specific customer.
➤ The process costing system will usually be encountered where an organization mass produces a product or service for general distribution and not for any particular customer.

Costing systems will generally involve a comparison between actual and budgeted costs to allow for monitoring of profitability of products, services and departments, and performance of employees and management. Many manufacturing organizations use standard costing approaches. The standard costing variances provide information about the process that enables management to monitor production. Price and efficiency variances are amongst the important cost performance measures that many manufacturers monitor closely. It is also recognized that costs may be affected by both quantitative and qualitative factors. Internal audit may conduct investigations to identify qualitative factors affecting productivity and, indirectly, costs of products. Historical data from costing systems also provide the basis for management’s predictions and budget estimations, affecting short-term and long-term strategic and operational decisions. Hence, maintaining the integrity of the information provided by the cost accounting systems is important.
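As an added worked example, not taken from the textbook, the three service-department allocation methods described above are applied to a constructed case with two service departments (Maintenance, IT) and two production departments (Assembly, Finishing); all department names, costs and usage fractions are assumed, and the reciprocal method solves the simultaneous equations the text refers to.

```python
# Added worked example: service-department cost allocation by the direct,
# step-down and reciprocal methods. All names, costs and usage fractions are
# constructed for illustration.

# Constructed data: cost accumulated in each service department before
# allocation, and the fraction of each service department's total services
# consumed by every other department (provider -> {consumer: fraction}).
SERVICE_COSTS = {"Maintenance": 100_000.0, "IT": 60_000.0}
PRODUCTION = ["Assembly", "Finishing"]
USAGE = {
    "Maintenance": {"IT": 0.20, "Assembly": 0.40, "Finishing": 0.40},
    "IT": {"Maintenance": 0.10, "Assembly": 0.30, "Finishing": 0.60},
}


def _spread(amount, shares):
    """Split `amount` across consumers in proportion to their `shares`."""
    total = sum(shares.values())
    return {dept: amount * share / total for dept, share in shares.items()}


def direct_method(service_costs, usage, production):
    """Allocate each service department straight to production departments,
    ignoring services consumed by other service departments."""
    allocated = {p: 0.0 for p in production}
    for svc, cost in service_costs.items():
        prod_shares = {d: f for d, f in usage[svc].items() if d in production}
        for dept, amount in _spread(cost, prod_shares).items():
            allocated[dept] += amount
    return allocated


def step_down_method(service_costs, usage, production):
    """Allocate in sequence, starting with the service department that gives the
    highest share of its services to other service departments; a department
    already allocated receives nothing further (no reciprocity)."""
    allocated = {p: 0.0 for p in production}
    remaining = dict(service_costs)
    to_services = lambda s: sum(f for d, f in usage[s].items() if d in service_costs)
    closed = set()
    for svc in sorted(service_costs, key=to_services, reverse=True):
        shares = {d: f for d, f in usage[svc].items() if d not in closed}
        for dept, amount in _spread(remaining.pop(svc), shares).items():
            if dept in production:
                allocated[dept] += amount
            else:
                remaining[dept] += amount  # steps down to a later service dept
        closed.add(svc)
    return allocated


def _solve(matrix, rhs):
    """Gauss-Jordan elimination with partial pivoting for the small system."""
    n = len(rhs)
    a = [row[:] + [rhs[i]] for i, row in enumerate(matrix)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        for r in range(n):
            if r != col:
                factor = a[r][col] / a[col][col]
                a[r] = [x - factor * y for x, y in zip(a[r], a[col])]
    return [a[i][n] / a[i][i] for i in range(n)]


def reciprocal_method(service_costs, usage, production):
    """Solve total_i = own_cost_i + sum_j usage[j][i] * total_j simultaneously,
    so each service department's total includes services it consumed from the
    others, then allocate those totals to production departments."""
    services = list(service_costs)
    n = len(services)
    matrix = [[(1.0 if i == j else 0.0) - usage[services[j]].get(services[i], 0.0)
               for j in range(n)] for i in range(n)]
    totals = dict(zip(services, _solve(matrix, [service_costs[s] for s in services])))
    allocated = {p: 0.0 for p in production}
    for svc, total in totals.items():
        for p in production:
            allocated[p] += total * usage[svc].get(p, 0.0)
    return allocated


def allocation_summary(service_costs=SERVICE_COSTS, usage=USAGE, production=PRODUCTION):
    """Run all three methods; each must reconcile to total service cost, which is
    the first check an auditor applies to an allocation schedule."""
    results = {
        "direct": direct_method(service_costs, usage, production),
        "step_down": step_down_method(service_costs, usage, production),
        "reciprocal": reciprocal_method(service_costs, usage, production),
    }
    total = sum(service_costs.values())
    for name, alloc in results.items():
        if abs(sum(alloc.values()) - total) > 1e-6:
            raise ValueError(f"{name} method does not reconcile to {total}")
    return results


if __name__ == "__main__":
    for name, alloc in allocation_summary().items():
        print(name, {d: round(v, 2) for d, v in alloc.items()})
```

On the constructed data the direct method gives Assembly 70 000 and Finishing 90 000, the step-down method 66 666.67 and 93 333.33, and the reciprocal method 67 755.10 and 92 244.90; the differences between methods are exactly what an auditor reviewing a product-line profitability analysis needs to be able to explain.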

Costing of Production

Spoilage, scrap, rework and waste

Under normal, efficient operating conditions, a certain degree of spoilage is to be expected in the short run and should be treated as a cost of production of good units. This is referred to as normal spoilage. Abnormal spoilage is classed as spoilage which is not expected to occur under normal, efficient operating conditions. Such costs must be identified separately so that management can monitor and correct the conditions which led to the spoilage.

Scrap is taken to be raw materials left over from normal production and usable for purposes other than those for which the material was originally intended. These purposes could include usage within a different production process or being sold off to third parties for a nominal amount. The scrap is usually taken to be a result of normal production and the disposal value credited to the factory overhead account.

Rework costs are those associated with the conversion of defective production units into saleable ones. If the costs can be identified against a specific job, then they are normally allocated to that job; otherwise normal rework costs would be charged to factory overhead.

Waste is taken to be those raw materials left over from the production process and not saleable at any price.

Joint products and By-products

Joint products are classified as discretely identifiable products produced from a single set of inputs. In order to be classed as joint products, certain characteristics must be present. The joint products will typically have common costs incurred prior to reaching the split-off point where they can be uniquely identified. Costs incurred after this point are separable costs identified with individual joint products. In order to be classified as a joint product, the production must have a significant value. Products with low saleable values which do not incur further costs after the split-off point are referred to as by-products.

Standard Costing

Standard costing involves a notional value of the cost to produce a given unit. It is used to identify variances from production target costs when actual costs differ from the budgeted standard cost. Standard costs are usually established separately for materials, labor and factory overheads. It should be noted that variances from standard cost can be favorable (where actual costs are less than the budgeted standard cost) or unfavorable (where the actual costs exceed the standard).

Standard costs are also closely associated with a management decision technique known as incremental costing. Incremental costs are the additional costs incurred to produce one more unit. Under normal circumstances the incremental costs would be for direct materials, direct labor, and any variable overhead associated with production. Additional fixed costs would not normally be incurred to produce one more unit, unless the additional production would involve the acquisition of increased capacity (eg by hiring one more worker or purchasing one more machine). Incremental costing is commonly used in decisions to make or buy, should production capacity need to be expanded.

Other classifications of costs include the following:
➤ Avoidable costs are costs that can be saved by not implementing a particular alternative.
➤ Opportunity costs are those profits lost by choosing one alternative over another.
➤ Sunk costs are costs which have already been incurred or which are already committed to. These would normally have no effect on management decision-making since the expenditure has already been made.
➤ Fixed costs are costs which remain unchanged regardless of changes in volumes.
➤ Variable costs vary proportionally with a change in volume, although the variable cost per unit remains constant.
➤ Contribution margin is the contribution of a given unit towards the fixed costs and profits and is taken to be the selling price minus the variable costs of the unit.
➤ Breakeven point is the level of sales at which total revenues equal total expenses. The breakeven point can also be calculated as the point at which the total contribution margin equals the fixed costs.
Management is often faced with making choices between cost and revenue alternatives, for example:
➤ rearranging production lines to achieve cost savings in labor by introducing greater use of technology and then having to predict the effect on levels of output, production costs and savings, and quality of products;
➤ decisions regarding retention vs replacement of ageing plant, where new and more sophisticated plant may have a greater production capacity;
➤ decisions on product mix, where a production line is working to capacity – typically encountered by food processing plants offering different brands and needing to maintain inventory levels in all product lines, or to meet a shortage to fill a large customer order;
➤ decisions to outsource production or processing operations instead of running them in-house; and
➤ changes in customers that may affect the products produced and open up other more profitable opportunities.

In each of the examples above, management consider relevant revenue and cost analyses to identify the key cost drivers. Of themselves, historical costs have no relevance in making decisions affecting future courses of action. The predicted relevant costs and revenues, based on historical data should changes not be made, do, however, provide a basis for comparison to the predicted future costs and benefits from the available options. This enables management to determine the effect on business profitability and its planned strategic directions before making an informed decision. Due consideration must also be given to the opportunity cost from pursuing one course of action rather than another. Internal auditors often assist in determining which revenues and costs are relevant to such business decisions.

Another aspect requiring management decisions is that of the pricing of products and services. Three aspects should be considered.
➤ Customers: Price changes must first be considered in light of the effect on existing customers – whether this will drive them away to other suppliers or to seek alternative products that they can use in a more cost-effective way. Customers thus influence prices through demand levels. Price discrimination may also arise relative to supply volumes, with customers buying significant volumes at lower prices.
➤ Competitors: Competition may directly affect prices set, as an aggressive competitor may force an organization to reduce its prices in order to remain in the market. Manufacturers may often use differential pricing when selling into export markets. However, such actions may contravene anti-trust and anti-dumping laws in other legal jurisdictions and attract the attention of anti-dumping authorities in countries seeking to protect local producers’ markets. For other products, prices may be set globally, such as the gold and platinum prices on precious metal exchanges. Alternatively, do you have a ‘monopoly’ on the product that forces the customer to buy from your organization at any price?
➤ Costs: Care must be taken that the selling price is not set by reference to costs of output for particular products. This could result in a selling price below cost, in which case an organization will incur substantial losses. What is critical here is exactly what costs are deemed to be part of the cost of the finished output. For example, where the product has been researched and designed by the organization itself, do the overhead costs assigned include any part of the research and design costs or only the direct and indirect production costs? Similarly, does the selling price include marketing, distribution and customer service costs that might inflate the price and make it uncompetitive?
In some instances, the supply contract with the customer works on a cost-plus basis. Examples of these will be construction contracts and bulk supply contracts to government departments. Internal audit may well become involved in auditing both costs and pricing models to provide assurance that relevant costs have been taken into account, or to provide evidence regarding the basis used for pricing the organization’s products.

Analyzing Costs and Evaluating Cost Management
Decisions affecting the assignment of fixed and variable overhead costs to products, transfer-pricing policies and the assignment of costs of support services are fraught with many complexities and considerations. Organizations often have multiple cost objects to which costs may initially be accumulated before becoming an indirect cost for another department. Transfer pricing policies may vary greatly. Cost allocations may affect remuneration of managers, who in turn may influence the allocation of costs in order to justify costs, to increase their bonuses or to measure income and assets for financial and other reporting purposes. Debates may arise around which basis of allocation is most appropriate for output produced and whether the same basis is appropriate for all outputs, or whether different bases should be used for different departments or product lines. Cost allocations may be influenced by plant capacity and actual capacity used. They may also be affected by the stage of the production process at which the costs are allocated. Another challenge is the allocation of costs to joint products and byproducts. In the case of merchandise inventory, costs may be determined on the basis of a percentage of sales prices. Organizations may apply a FIFO or weighted average system for costing finished inventories. Both approaches have merit depending on the type of inventory. However, tax considerations may influence the choices made. A further consideration will be the costs of spoilage, reworked units and scrap arising from the production process. Reworked items may finally be included in inventory, but spoiled units and scrap are not part of the inventory output and should be expensed. An internal auditor may well become involved in auditing the calculations or providing input on various cost allocation bases relevant to the organization or the cost object affected in order to resolve disputes.

Internal_Auditing.indb 234

16/04/2015 11:13

COST AND MANAGERIAL ACCOUNTING

Capital Budgeting and Cost Analysis
Refer to Chapter 21 for a discussion of the various capital budgeting models and formulae available for calculating forecasts of revenues, costs and investment outlays over many future periods. Discounted cash-flow methods are appropriate for forecasting the investment costs and payback periods. These topics will not be dealt with in this chapter.

Quality Control Costs
The final aspect to be explored in this chapter is that of costs of quality that affect customer satisfaction and internal performance evaluation.
➤ Costs of quality are those costs incurred to prevent poor quality from occurring and the costs incurred because of poor quality. Most organizations distinguish among:
◗ prevention costs, which occur at the start of the production process to prevent the production of products that do not meet specifications;
◗ appraisal costs, which are costs incurred to quality check products coming off the production line before they are moved to finished inventory (defective products are then scrapped or sent back for reprocessing);
◗ internal failure costs, which are costs incurred when a defective product is detected before being shipped to the customer; and
◗ external failure costs, which are costs incurred after a product is shipped to the customer and has to be returned and replaced, or reworked before being sent out again.
Many organizations have separate quality control departments and processes to minimize losses and wastage, as well as to protect market reputational risk from supplying defective products. Invariably, quality control in a production environment requires a careful analysis to ascertain where the failure occurred, in order to determine the appropriate action to take. In some circumstances, organizations carry high levels of professional indemnity or risk insurance, in the event that claims are received from parties adversely affected by the failure of a product. Organizations may also have strict policies regarding penalties for management and employees who have failed to meet quality standards, the ultimate consequence being that the individual is fired.

INTERNAL AUDITING: AN INTEGRATED APPROACH

➤ Measures of quality failures may be financial or non-financial.
◗ Customer indicators of poor quality include, as financial measures, warranty and repair costs, liability claims, and credits passed for defective goods supplied. They do not, however, provide an indication of where in the production process the quality failed.
◗ Consequently, non-financial measures are generally used as well. These may include the number of defective units sold as a percentage of total sold, the number of customer complaints received, or the number of late deliveries of products as opposed to the number of deliveries made on time.
➤ Internal performance measures of quality problems may include:
◗ the number of defects per product line;
◗ the proportion of quality output to total output;
◗ manufacturing lead time taken to convert raw materials into finished inventory; and
◗ employee turnover.
An internal auditor may audit the quality control processes or be called on to investigate and identify the causes of poor quality performance in particular departments. Refer to Chapters 16 and 18 for further discussions of performance audits.


Chapter 25: The Legal and Regulatory Environment

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the legal and regulatory environment in which an internal auditor operates
➤ Explain how the regulatory and legal environment in which an organization operates affects the work of an internal auditor
➤ Design internal controls to identify and monitor any non-compliance with laws and regulations that may adversely affect an organization
➤ Develop audit programs to evaluate the effectiveness of internal controls over critical regulatory compliance areas

The Legal and Regulatory Environment
The business environment, nationally and internationally, is subject to an increasing proliferation of laws and regulations. Not only do companies have to comply with the relevant Companies Act, but they also face a host of laws and regulations governing the particular sector in which their business operates. Strict laws and regulations govern basic conditions of employment, and in South Africa, skills development, employment equity and black economic empowerment too. Organizations in a number of sectors are required to comply with environmental laws and regulations, while companies operating globally have to comply with laws and regulations in multiple legal jurisdictions. Companies listed on any of the securities exchanges in countries around the world will have rigorous listing requirements to comply with that require specific disclosures to the public, designed to enhance corporate governance, accountability and transparency. Most far-reaching of the laws governing listed companies has been the draconian Sarbanes-Oxley Act that applies to US corporations listed on the New York Stock Exchange and NASDAQ, as well as their subsidiaries and associated companies anywhere in the world. Among other requirements is one for management to report on the effectiveness of its company’s system of internal controls and for the CEO to report on the ‘correctness’ of the annual financial statements. The cost of compliance for organizations has increased exponentially during the past five years following the numerous collapses of large global corporations. Many of these collapses were a result of management greed, excesses and fraud, and a seemingly blatant disregard for sound corporate governance practices, with managers often treating the organization for which they worked as their personal fiefdom.
Governments around the world have responded by trying to entrench ‘good governance’ principles into legislation and by giving far greater enforcement powers to public oversight bodies and to commercial fraud units of their police forces.


Penalties for non-compliance have been significantly increased and many breaches are now classified as criminal activities, resulting in CEOs, CFOs, senior management and external auditors facing jail terms if convicted of fraudulently misleading the public or failing to comply with relevant laws. The public sector has similarly responded with legislation entrenching corporate governance requirements, such as the Public Finance Management Act and the recent Municipal Finance Management Act in South Africa. Among other things, these Acts require the appointment of an audit committee and internal audit function for every public entity to which they apply.

Impact on the Internal Auditor
The increased regulation and demand for improved corporate governance has influenced the changing role of the internal auditor from a focus on financial risk and the audit of individual transactions to a focus on enterprise-wide risk and emphasis on evaluating the control self-assessment of departments or business units within the organization, as discussed in Chapter 22. The other significant effect has been to shift the focus of internal auditors to some extent away from concerns that employees have failed to comply with internal policies and procedures, to a more external concern, namely to establish that the organization has adequate and effective controls that ensure compliance with the significant laws and regulations with which it, and each of its business units, has to comply. The IIA Practice Advisory 2100-5: Legal Considerations in Evaluating Regulatory Compliance Programs recognizes the more legal and potentially forensic nature of this audit work, and sounds a word of caution as follows: ‘Internal auditors are encouraged to consult legal counsel in all matters involving legal issues as requirements may vary significantly in different jurisdictions.’

As non-compliance may arise from criminal actions by employees and others, this falls into the category of ‘fraud investigations’ work by an internal auditor. The reader is referred to Section 6, which deals with fraud investigations comprehensively.

Identifying and Monitoring Non-compliance
The Practice Advisory provides examples of processes and standards that an organization can implement to ensure compliance with relevant laws and regulations, and indicates that the role of internal audit is to ‘evaluate an organization’s regulatory compliance programs’ in order to contribute to the improvement of risk management, control and corporate governance systems. ‘Compliance programs assist organizations in preventing inadvertent employee violations, detecting illegal activities, and discouraging intentional employee violations. They can also help prove insurance claims, determine director and officer liability, create or enhance corporate identity, and decide the appropriateness of punitive damages. Internal auditors should evaluate an organization’s regulatory compliance programs in light of the following suggested steps for effective compliance programs.’


THE LEGAL AND REGULATORY ENVIRONMENT

The steps suggested in the Practice Advisory may be summarized as follows:
➤ Establish a code of conduct to reduce the prospect of criminal conduct by employees.
➤ Designate a specific ‘high-level’ person with responsibility for overseeing regulatory compliance.
➤ Screen applicants for employment at all levels for evidence of past wrongdoing, and if they are employed, exercise due care to limit their discretionary authority.
➤ Communicate compliance standards and procedures to all employees.
➤ Take reasonable steps to ensure compliance by:
◗ monitoring and auditing systems to detect criminal conduct by employees and agents, and
◗ establishing a fraud ‘hotline’ for anonymous reporting of fraud within the organization by ‘whistleblowers’.
➤ Strictly enforce disciplinary mechanisms.
➤ If offences are detected, respond appropriately and take steps to prevent a recurrence.
Clearly management will weigh up the cost benefit of controls that ensure compliance relative to the sanctions that might be imposed if non-compliance is detected by the regulatory authority.

Internal Audit Programs to Evaluate the Effectiveness of Controls
The principles to be followed by an internal auditor are no different from those for all work he/she undertakes when following a risk-based approach to internal auditing.
➤ Identify those laws and regulations that will have a significant impact on the very survival of the organization.
➤ Ascertain by inquiry and observation what procedures are implemented specifically to control the particular risk, and monitor any non-compliance.
➤ Perform tests of controls to ascertain the incidence of non-compliance, if any, during the period being audited for the particular department or business unit.
➤ Inquire of employees and management about any known instances of non-compliance and, if any are detected, identify how these occurred and, if possible, who was involved.
➤ Perform substantive procedures to gather evidence to support suspected non-compliance.
➤ If necessary, obtain legal advice and communicate your suspicions to more senior levels of management, unless they are suspected of being involved.
➤ Identify where and how controls failed to work effectively and make recommendations to management for changes and improvements.
Several new laws in South Africa concerned with investor protection require organizations affected to appoint compliance officers to perform specific duties under the relevant Act, for example those regulating investment advisers and micro-lenders. In such instances, an internal auditor would need to establish whether the compliance officers have met their responsibilities in terms of the relevant statute.


Corporations in the US make use of their internal auditors to help management meet its responsibilities under the Sarbanes-Oxley Act. In such instances, internal audit will need to be familiar with the specific sections of the Act and consider whether the controls implemented by management are appropriately designed to meet the specific objectives and have operated throughout the period under review.


Section 5: Information Technology

Chapter 26: Auditing Information Technology

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the scope and objectives of an IT auditor
➤ Explain the essential jargon of IT and its meaning
➤ Explain the basic concepts within an IT environment
➤ Describe the impact of IT on risk, control objectives and audit objectives
➤ Define and describe the range of IT audit services offered by internal audit
➤ Define the nature and types of system controls
➤ Define the nature and type of general controls

Control and Audit of Information Technology
The IIA Practice Advisory 2100-6: Control and Audit Implications of E-commerce Activities highlights the challenges facing internal auditors in organizations that increasingly use IT in business operations, and provides guidance as to the role and responsibilities of internal audit. ‘Continuous changes in technology offer the internal auditing profession both great opportunity and risk. Before attempting to provide assurance on the systems and processes, an internal auditor should understand the changes in business and information systems, the related risks, and the alignment of strategies with the enterprise’s design and market requirements. The internal auditor should review management’s strategic planning and risk assessment processes and its decisions.’

Some Computing Terminology
Before we can start to discuss the audit and control of computer systems, we must have a common understanding of the terminology used.

Hardware
Hardware consists of those components that can physically be touched and manipulated. Principal among these components are the following:

CPU
The central processing unit is the heart of the computer. This is the logic unit, which handles the arithmetic processing of all calculations.


Peripherals
Peripheral devices are those that attach to the CPU to handle, usually, inputs and outputs. These include:
➤ screens and monitors;
➤ terminals;
➤ printers; and
➤ disk and tape devices.

Memory
In computers, memory takes the form of silicon chips capable of storing information. In commercial computers, this information takes the form of 1 and 0 in the notation known as binary. Memory comes in various forms:
➤ RAM: Random access memory is also called dynamic or volatile memory. Its contents can be changed, but can also be lost if the power supply is interrupted.
➤ ROM: Read-only memory is a form of memory whereby instructions are ‘burned in’ and not lost in the event of a power failure. These programs cannot be changed. This is also known as non-volatile memory.
➤ PROM: Programmable read-only memory is similar to ROM, but its contents can be changed.
➤ EPROM: Erasable programmable read-only memory is similar to PROM, but the instructions can be erased by ultraviolet light.
➤ There is another version of memory known as non-volatile RAM. This is memory that has been attached to a battery so that, in the event of a power failure, the contents will not be lost.

Mainframe
Mainframe computers are the large (physically as well as in terms of power) computers used by companies to carry out large-volume processing and concentrated computing.

Mini-computers
Minicomputers are physically smaller than mainframes, although the power of many minicomputers exceeds that of recent mainframes.

Micro-computers including personal computers (PCs) and laptops
Microcomputers are physically small computers with limited processing power and storage. Having said that, the power and capacity of today’s micro is equivalent to that of a mainframe only five years ago. Many of these have been replaced with the more versatile PC and laptop. An exponential growth has occurred in the use of PCs and laptops in the office and home environments in the past ten years. These may be stand-alone or linked to others in a distributed LAN or WAN situation. The PCs and laptops may be connected to central servers that store data and programs for the various applications.

LANs
Local area networks are collections of computers linked together within a comparatively small area.


AUDITING INFORMATION TECHNOLOGY

WANs
Wide area networks are collections of computers spread over a large geographical area.

Storage
Data is stored in a variety of forms for both permanent and temporary retention.
➤ Bits are binary digits, individual ones and zeros.
➤ Bytes are collections of bits making up individual characters.
➤ Disks are large-capacity, generally magnetic, storage devices containing anything from 10 Mb to several terabytes of data.
➤ Diskettes are small-capacity removable disks such as:
◗ floppies or stiffies that hold from 360 Kb to 100 Mb (plus) of data;
◗ optical disks which are laser-encoded disks such as compact disks (CDs) and DVDs.
➤ Tapes – can be reel-to-reel or cassette.
➤ Memory sticks contain either volatile or non-volatile RAM.

Communications
In order to maximize the potential of the effective use of the information on computers, it is essential that isolated computers be able to communicate and share data, programs and hardware devices.

Terminals
Terminals are remote devices allowing the input to and output from the computer of data and programs.

Modem
A MOdulator/DEModulator translates digital computer signals into analogue signals for telephone wires and retranslates them at the other end.

Multiplexer
This combines signals from a variety of devices to maximize utilization of expensive communication lines.

Cables
These are metallic cables, usually copper, that carry the signals between computers. They may be a ‘twisted pair’ cable, where two or more cables are strung together within a plastic sleeve, or a coaxial cable, where a cable runs within a metallic braiding in the same way as a television aerial cable.

Fiberoptics
These consist of fine strands of fiberglass or plastic filaments that carry light signals without the need for electrical insulation. They have extremely high capacity and transfer rates but are expensive.


Microwave
This form of communication involves sending high-power signals from a transmitter to a receiver. They work on a direct line-of-sight basis and require no cabling.

Input
Inputs to computer systems have developed rapidly over the years. An auditor will still occasionally encounter some of the earlier types.

Cards
Rarely seen nowadays, punched cards were among the first input and output media and consisted of a cardboard sheet, some eight inches (20 cm) by four inches (10 cm), with 80 columns where rectangular holes could be punched in combinations to represent numeric, alphabetic and special characters.

Paper tape
Another early input/output medium, paper tape was a low-cost alternative to punched cards and consisted of a one-inch (2,5 cm) wide paper tape with circular holes punched to form the same range of characters as with punched cards.

Keyboard
The most common input device today (although this is changing), most keyboards are still based on the original typist’s QWERTY keyboard design.

Mouse
This is an electromechanical pointing device used for inputting instructions in real time.

Scanner
This is an optical device that can scan pictures into a digitized computer-readable form. It can be used in combination with OCR (optical character recognition) software to allow the computer to interpret the pictures of data into actual characters.

Bar code
This is optically recognizable printing that can be interpreted by low-cost scanners. This type of coding is common in retail operations.

Voice recognition
Perhaps the future of computer input, this is a system whereby a computer user, programmer or auditor simply dictates into a microphone and the computer responds appropriately.

Output
As with inputs, outputs are changing rapidly. In early computing times, output came in three basic forms. The most common of these was paper; however, quantities of cards and paper tape were output for subsequent reprocessing. Nowadays most outputs are via screens or directly onto magnetic media.


Paper
Still a popular output medium, paper may be in continuous stationery form, cut sheet form, pre-printed business stock such as invoices, or negotiable instruments such as checks.

Computer
Output directly to another computer is a growing trend with the coming of age of electronic data interchange (EDI).

Screen
Output to screen is the current norm for the majority of outputs, with text, graphics, tables and charts, and three-dimensional forms possible.

Microfilm/fiche
For the permanent, readable recording of outputs, and needing a small storage space, microfilm is a popular output medium. Each frame contains one page of printed output. An alternative is the creation of a microfiche measuring approximately six inches (15 cm) by four inches (10 cm) and containing some 200 pages of printout.

Magnetic media
Output to disks, diskettes and tapes is commonly used to store large volumes of information.

Voice
Where a permanent record is not required, another new output medium is voice.

Control
Within computer systems, control is exercised at a variety of points within the overall architecture. At each stage, opportunities exist to vary the manner in which the systems perform to meet users’ needs.

Operating system
The operating system is the set of programs that controls the basic operations of the computer. All other software runs under the direction of the operating system and relies on its services for all the work it undertakes.

Applications
These systems perform the business functions required of the computer. They run under the direct control of the operating system but contain many powerful control elements themselves.

Parameters
These are user-defined variations adjusting the way in which programs normally operate.

Run instructions
These are instructions to operators of computers instructing them on the jobs to be run and responses to machine questions to be entered.


JCL
Job control language is a means of automating the job running process by giving the computer the instructions in the form of a batch programming language.

The human element
Ultimately, the people who use, operate, program and manage computers exercise control.

People

Operators
They run the computers on a day-to-day basis.

Programmers
They write the application programs that run on computers.

Systems designers
They design the overall structure of the application systems and specify the programs required.

Systems analysts
They analyze the business structures, applications and procedures to determine what, if any, contribution Information Systems (IS) can make. They will also design the outline business specifications of new systems.

Systems programmers
They are responsible for the well-being of the operating systems and the related systems software components.

Database analysts
They are responsible for maintaining the database management system (DBMS), which is the systems software controlling access to and the format of the data.

Network analysts
Network analysts are responsible for ensuring that availability, performance standards and security are achieved on networks.

Management
Management plan, organize and direct to ensure corporate objectives are achieved.

Data
Data in IT terms consists of fields held in records, in turn held in files, and stored on disk or any other storage medium discussed elsewhere in this section.


Systems of Internal Control
Within our computer systems, there are two primary software components that add to, or subtract from, control.

Systems software
Systems software includes computer programs and routines controlling computer hardware, processing and non-user functions. This category includes the operating systems, telecommunications software and data management software.

Applications software
Applications software includes computer programs written to support business functions, such as the general ledger, payroll, stock systems, order processing and other such line-of-business functions. End-user systems are special types of application systems that are generated outside the IS organization to meet specific user needs. These include micro-based and user-developed systems.

Control Procedures
In order to ensure that control over the corporate computer investment is adequate, a range of controls is required.

General IS controls
These cover the environment within which the computer systems are utilized.

Computer operations controls
These cover the day-to-day operations of the machine.

Physical security controls
These cover the security of the physical hardware, software, buildings and staff.

Logical security controls
These cover the way in which data and software are protected from access via the systems themselves.

Program change controls
These ensure that systems are correct and functional, and continue to be so.

Systems development controls
These ensure that the systems in use by the organization continue to be effective, efficient and economical.

Application Controls
Application systems have their own sets of in-built controls, which are primarily business systems-oriented. Generally they include such control objectives as accuracy, completeness and authorization. In addition, there may be compensating controls, where weak controls in one area may be compensated for by other controls.


Classifications of Controls
Controls are usually classified into the general categories of preventative, detective and corrective.
➤ Preventative controls prevent an undesirable event from occurring and include controls such as restrictions on users, requirements for passwords and separate authorization.
➤ Detective controls detect undesirable events after the fact so that action may be taken. These include effective use of audit trails and the use of exception reports.
➤ Corrective controls allow things to be put right and include such controls as reconciliations, transaction inquiry and correction procedures, and disaster recovery plans.

Control Objectives and Risks
All computer environments face a variety of risks, which include such dangers as:
➤ fraud;
➤ business interruption;
➤ errors;
➤ customer dissatisfaction;
➤ poor public image; and
➤ ineffective and inefficient use of resources.
These are controlled through a variety of control objectives that address specific threat areas.

General Control Objectives
These general objectives cover the overall aspects of the integrity of information; computer security; and compliance with policies, plans, rules, laws and regulations.

Data and Transactions Objectives
The processing of transactions and the handling of data are also subject to control procedures at each stage of processing. At the input stage, typical examples of control objectives might be that:
➤ all transactions are initially and completely recorded;
➤ all transactions are completely and accurately entered into the system; and
➤ all transactions are entered once only.
Input methods could include a mixture of online input, batch input, input from interfacing systems and EDI. Controls at this stage would typically include:
➤ the use of prenumbered documents;
➤ control total reconciliation;
➤ data validation in all its forms;
➤ activity logging;
➤ document scanning;
➤ access authorization; and
➤ document cancellation.
At the processing stage, typical examples of control objectives might be that:
➤ approved transactions are accepted by the system and processed;
➤ all rejected transactions are reported, corrected and re-entered;
➤ all accepted transactions are processed once only;
➤ all transactions are accurately processed; and
➤ all transactions are completely processed.
Processing types may include batch processing, interactive update (real-time) and online batch processing, where the data is captured online but the processing takes place in a batch environment. Controls at this stage would typically include:
➤ control totals;
➤ program balancing;
➤ segregation of duties;
➤ restricted access;
➤ file labels;
➤ exception reports;
➤ error logs;
➤ reasonableness tests; and
➤ concurrent update control.
At the output stage, control objectives might include:
➤ assurance that the results of input and processing are delivered as output; and
➤ output being available only to authorized personnel.
Outputs could include hard-copy printouts, file output for onward processing or online enquiry replies. Controls at this stage would include:
➤ complete audit trail; and
➤ output distribution logs.
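The input-stage and processing-stage controls listed above are easier to audit when one has seen them in working form. The following is an added example (it is not code from the book or from the IIA guidance) that applies several of them to a constructed batch of sales invoices: data validation and once-only processing act as preventative controls that reject a record, while a reasonableness test, an exception report, a prenumbered-document gap check and an activity log act as detective controls over what was accepted. The document-number format `INV-nnnn`, the reasonableness threshold and the sample records are all assumptions made for the example.

```python
"""Input- and processing-stage application controls over a constructed batch of
sales invoices. Added example, not from the book; all sample data is constructed."""
import re
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed sample input: one day's invoices as captured at an online screen.
SAMPLE_INPUT = [
    {"doc_no": "INV-1001", "customer": "C001", "amount": "250.00", "date": "2015-04-16"},
    {"doc_no": "INV-1002", "customer": "C002", "amount": "1999.99", "date": "2015-04-16"},
    {"doc_no": "INV-1002", "customer": "C002", "amount": "1999.99", "date": "2015-04-16"},  # keyed twice
    {"doc_no": "INV-1003", "customer": "", "amount": "75.50", "date": "2015-04-16"},         # no customer
    {"doc_no": "INV-1004", "customer": "C003", "amount": "12abc", "date": "2015-04-16"},     # bad amount
    {"doc_no": "INV-1005", "customer": "C004", "amount": "150000.00", "date": "2015-04-16"}, # unusually large
    {"doc_no": "INV-1007", "customer": "C005", "amount": "60.00", "date": "2015-04-16"},     # 1006 missing
]

# Assumed for the example: document-number format and reasonableness threshold.
DOC_NO_PATTERN = re.compile(r"^INV-(\d+)$")
REASONABLENESS_LIMIT = Decimal("100000.00")


@dataclass
class ProcessingResult:
    accepted: list = field(default_factory=list)      # records passed to processing
    rejected: list = field(default_factory=list)      # (doc_no, reason): preventative control output
    exceptions: list = field(default_factory=list)    # accepted but flagged: the exception report
    sequence_gaps: list = field(default_factory=list) # prenumbered documents never presented
    audit_trail: list = field(default_factory=list)   # activity log, one line per record


def validate(txn):
    """Data validation: return a rejection reason, or None if the record is acceptable."""
    if not DOC_NO_PATTERN.match(txn.get("doc_no", "")):
        return "invalid document number"
    if not txn.get("customer"):
        return "missing customer"
    try:
        amount = Decimal(txn["amount"])
    except InvalidOperation:
        return "amount not numeric"
    if amount <= 0:
        return "amount not positive"
    try:
        date.fromisoformat(txn["date"])
    except ValueError:
        return "invalid date"
    return None


def process_batch(records, limit=REASONABLENESS_LIMIT):
    """Apply the controls to each record and return the full ProcessingResult."""
    result = ProcessingResult()
    seen = set()       # document numbers already accepted (once-only control)
    presented = set()  # every well-formed document number seen, for the gap check
    for txn in records:
        doc_no = txn.get("doc_no", "")
        match = DOC_NO_PATTERN.match(doc_no)
        if match:
            presented.add(int(match.group(1)))
        if doc_no in seen:
            result.rejected.append((doc_no, "duplicate document number"))
            result.audit_trail.append(f"REJECT {doc_no}: duplicate document number")
            continue
        reason = validate(txn)
        if reason:
            result.rejected.append((doc_no, reason))
            result.audit_trail.append(f"REJECT {doc_no}: {reason}")
            continue
        seen.add(doc_no)
        amount = Decimal(txn["amount"])
        result.accepted.append({**txn, "amount": amount})
        result.audit_trail.append(f"ACCEPT {doc_no} {txn['customer']} {amount}")
        if amount > limit:  # reasonableness test feeding the exception report
            result.exceptions.append((doc_no, f"amount {amount} exceeds {limit}"))
    if presented:  # prenumbered documents: every number in the range should be accounted for
        expected = set(range(min(presented), max(presented) + 1))
        result.sequence_gaps = sorted(expected - presented)
    return result


if __name__ == "__main__":
    r = process_batch(SAMPLE_INPUT)
    print("accepted:", [t["doc_no"] for t in r.accepted])
    print("rejected:", r.rejected)
    print("exceptions:", r.exceptions)
    print("sequence gaps:", r.sequence_gaps)
```

Note that a rejected record still counts as "presented" for the gap check: the auditor's question for a gap is whether a document was never captured at all, which is a different finding from a document that was captured but failed validation and should appear in the rejection report for correction and re-entry.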

Program Control Objectives
The development and running of computer programs are subject to their own control objectives and procedures. Control objectives would include ensuring:
➤ the integrity of programs and processing;
➤ the prevention of unwanted changes;
➤ adequate design and development control;
➤ adequate testing;
➤ controlled program transfer; and
➤ the ongoing maintainability of systems.

Internal_Auditing.indb 251

16/04/2015 11:13

INTERNAL AUDITING: AN INTEGRATED APPROACH

Controls around the development of programs would include: ➤ the use of a formal systems development lifecycle (SDLC); ➤ user involvement; ➤ adequate documentation; ➤ a formalized testing plan; ➤ planned conversion; ➤ the use of post-implementation reviews; ➤ the establishment of a QA function; and ➤ the involvement of internal auditors. If these control objectives are adequately addressed and the appropriate controls are implemented, then the risks within the computer systems should be effectively minimized.
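The first two program control objectives (integrity of programs, prevention of unwanted changes) are commonly tested by comparing a fingerprint of the production program library against an approved baseline and looking for changes with no change record behind them. The following is an added example of that check, not code from the book or from any product it mentions; the paths, file contents and the set of approved change records are constructed, and the SHA-256 fingerprint is an assumption about how the baseline is kept.

```python
"""Program integrity check: detect changes to production programs that
have no approved change record.

All paths, contents and the change-record set below are constructed.
"""
import hashlib


def fingerprint(files: dict[str, bytes]) -> dict[str, str]:
    """Map each program path to the SHA-256 of its contents.
    (In practice the bytes are read from the production library.)"""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path against the approved baseline fingerprints."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "unchanged": sorted(p for p in baseline if current.get(p) == baseline[p]),
    }


def unauthorized_changes(findings: dict[str, list[str]], approved: set[str]) -> list[str]:
    """Changed paths with no matching change record: the exception list for the audit file."""
    changed = findings["modified"] + findings["added"] + findings["removed"]
    return sorted(p for p in changed if p not in approved)


# Constructed: the library as approved after the last controlled program transfer.
BASELINE_FILES = {
    "prod/payroll.exe": b"payroll build 1.0",
    "prod/ledger.exe": b"ledger build 2.3",
    "prod/report.exe": b"report build 1.1",
}
# Constructed: the library as found today.
CURRENT_FILES = {
    "prod/payroll.exe": b"payroll build 1.1",  # changed under an approved change record
    "prod/ledger.exe": b"ledger build 2.3",    # unchanged
    "prod/fixit.exe": b"emergency patch",      # appeared with no change record
                                               # (report.exe has gone, also with no record)
}
# Constructed: paths covered by approved change records for this period.
APPROVED_CHANGES = {"prod/payroll.exe"}


def audit_program_library() -> list[str]:
    """Run the comparison and return the paths an auditor must follow up."""
    findings = compare_baseline(fingerprint(BASELINE_FILES), fingerprint(CURRENT_FILES))
    return unauthorized_changes(findings, APPROVED_CHANGES)


if __name__ == "__main__":
    for path in audit_program_library():
        print("no change record:", path)
```

The baseline fingerprints must themselves be held outside the reach of the people who can change the library (for example under the control section or the QA function), otherwise a change and its baseline can be altered together and the comparison proves nothing.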

Batch vs Online
In the early days of commercial computing up to the late 1960s, most processing took place in batches only. This meant that all inputs were collected centrally and entered together in ‘batches’ of documents. This would usually take place using a centralized data preparation function to convert the data from written form into holes punched into either cards or continuous paper tape. The process was highly error-prone and the input medium could be easily damaged. In later batch systems, the data was entered through a terminal onto a file, which would later be processed in batch mode. In this type of system, the primary control objectives were the accuracy and completeness of capture. Many highly effective controls were designed and implemented to ensure completeness of capture of batches of data, complete capture of all batches, and accurate capturing of batches of input data. These controls included the manual preparation of batch header documents for later comparison to computer-generated information, and double keystroke verification, whereby an operator entered the data into a batch of cards or directly into a file containing a batch of input transactions. This data was then re-entered by an independent data capture clerk and system-compared to ensure accuracy and completeness.

With the advent of online systems, such controls fell away, since they were no longer appropriate. In many cases within an online environment, very few alternative controls were implemented and often an auditor will find that large assumptions are made as to the adequacy of the controls surrounding the accuracy and completeness of data input. In today’s systems, capture and processing will normally take place using online, real-time data capture with a small batch component. Input is typically through a terminal with instantaneous update. Overnight report production in batch mode is common.
The terminals may be local or remote, and the remote terminals may be either dial-up or dedicated. The terminals themselves may be of differing types, but the principal control objectives remain as:
➤ availability;
➤ security;
➤ confidentiality; and
➤ accuracy.
In online systems, there is an additional component to the system, which comes complete with its own concerns, and that is the communications component. This can take the form of microwave links, satellite hook-ups or the more basic cables, which themselves may be either dedicated or dial-up. Computers communicate in a digital form, where a signal is either on or off, while normal telephone cables operate in an analogue mode, where the signal is moderated either by changing the height of the curve (amplitude modulation or AM) or by changing the frequency of the signal (frequency modulation or FM). Communications may operate in a simplex mode, where traffic is one way only. This means effectively that a circuit must make a complete circle to get a message there and get a reply back. This form of circuit is inexpensive but vulnerable. Half-duplex communications allow two-way traffic, but only one way at a time. This is the type of signal used in CB radio. Duplex communications involve simultaneous two-way communication. Computer systems typically use half-duplex communications.

Other Communication Concepts
➤ Synchronous communications involve the high-speed transmission and reception of long groups of characters.
➤ Asynchronous communications involve slow, irregular transmissions, one character at a time, with start and stop bits.
➤ Encryption involves the scrambling of data into unreadable forms such that it can be unscrambled by the receiver.
➤ Protocol comprises a set of rules for message transmission in a network.
Networks themselves may be of varying types, including:
➤ private networks;
➤ public switched networks (PSNs), such as the telephone system;
➤ value-added networks (VANs), such as Beltel, where the service provider adds additional services onto point-to-point connection;
➤ local area networks (LANs), where the connections are both private and nearby; and
➤ where there is a significant physical distance involved, the network may be referred to as a wide area network (WAN).
In recent years, the Internet has become of increasing concern as well as use to internal auditors. The Internet is a worldwide collection of computers connected together loosely, and provides both a source of information and a source of external risk. Networks may be configured as point-to-point with separate direct links. An alternative configuration could be a multidrop one, with multiple terminals sharing a single line. Ring networks have no central computer: each machine is classed as a ‘node’ on the network; while star networks have a single, central computer co-ordinating all communications.


Where an online system exists, there are various capabilities.
➤ Online enquiry allows a remote user to retrieve data directly. In this case, the primary concern should be confidentiality of information.
➤ Online data entry permits remote entry of data and allows its concurrent processing. In this case, the primary concerns would be transaction authenticity, accuracy and completeness.
➤ Online update is similar to online data entry but with immediate effect on transactions. The primary concerns here would be concurrency control (prevention of two users updating the same record at the same time) and availability.
The basic online concerns remain as:
➤ availability;
➤ security;
➤ unauthorized access; and
➤ accidental or intentional changes.
Areas where security could be threatened include the operating system and particularly its management features, as well as intercomputer communication, including dial-up access, gateways and poor network performance. In any networked operation, availability is a major concern. This includes availability of the hardware components, the software, the data, the networking capability and the human resources. Typical controls in this area to protect against unavailability are the ensuring of:
➤ an adequate physical environment;
➤ adequate back-ups;
➤ multiple redundancies in equipment to ensure no reliance on a single piece;
➤ peer-to-peer networking to permit mutual back-up;
➤ adequate disaster recovery planning; and
➤ appropriate training.
Security itself is a factor of the hardware, the software and the human element.
➤ Hardware is liable to theft, sabotage and penetration.
➤ On the software side, the operating system software may itself be stolen, corrupted or bypassed, while applications software may suffer a similar fate and may also be substituted by an alternative application.
➤ Data is one of an organization’s most valuable assets and may be liable to theft, corruption, substitution or manipulation.
Such security threats may come from normal users of the systems, deliberately or accidentally, specialist insiders such as the IT staff, legitimate outsiders such as computer engineers or even customers and suppliers who have been granted access to the site, or outside hackers who attempt to penetrate an organization’s security for fun or profit.
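The concurrency control concern raised for online update above is easiest to see with the failure it prevents. The example below is added here and is not from the book: two users read the same account record, each changes it and writes it back. Without a control the second write silently destroys the first (a lost update); with a version check on every write, the stale write is rejected and that user re-reads before applying the change. The in-memory store, the account key and the balances are constructed, and a real database would perform the version check inside the same transaction as the write.

```python
"""Concurrency control for online update: lost update versus version check."""
from dataclasses import dataclass


@dataclass
class Record:
    balance: int
    version: int = 1  # incremented on every successful write


class StaleUpdateError(Exception):
    """The writer's copy of the record is older than the stored one."""


class RecordStore:
    """Tiny in-memory store standing in for a database table (constructed)."""

    def __init__(self) -> None:
        self._rows: dict[str, Record] = {}

    def insert(self, key: str, balance: int) -> None:
        self._rows[key] = Record(balance)

    def read(self, key: str) -> Record:
        row = self._rows[key]
        return Record(row.balance, row.version)  # a snapshot the caller may edit

    def write_unchecked(self, key: str, new_balance: int) -> None:
        """No concurrency control: the last writer wins, whatever it read."""
        row = self._rows[key]
        row.balance = new_balance
        row.version += 1

    def write_checked(self, key: str, snapshot: Record, new_balance: int) -> None:
        """Optimistic concurrency control: the write is accepted only if the
        stored version still matches the version the writer read."""
        row = self._rows[key]
        if row.version != snapshot.version:
            raise StaleUpdateError(
                f"{key}: read version {snapshot.version}, stored version {row.version}"
            )
        row.balance = new_balance
        row.version += 1


def lost_update_demo() -> int:
    """Both users start from balance 100; user A adds 50, user B subtracts 30."""
    store = RecordStore()
    store.insert("ACC-1", 100)
    a = store.read("ACC-1")
    b = store.read("ACC-1")
    store.write_unchecked("ACC-1", a.balance + 50)  # stored: 150
    store.write_unchecked("ACC-1", b.balance - 30)  # stored: 70, A's deposit is lost
    return store.read("ACC-1").balance


def controlled_update_demo() -> tuple[int, bool]:
    """Same two updates with version checking; returns (final balance,
    whether the stale write was rejected)."""
    store = RecordStore()
    store.insert("ACC-1", 100)
    a = store.read("ACC-1")
    b = store.read("ACC-1")
    store.write_checked("ACC-1", a, a.balance + 50)  # version 1 -> 2, balance 150
    rejected = False
    try:
        store.write_checked("ACC-1", b, b.balance - 30)  # b still holds version 1
    except StaleUpdateError:
        rejected = True
        fresh = store.read("ACC-1")  # re-read, then apply B's change to the current balance
        store.write_checked("ACC-1", fresh, fresh.balance - 30)
    return store.read("ACC-1").balance, rejected


if __name__ == "__main__":
    print("without control:", lost_update_demo())     # 70
    print("with control:", controlled_update_demo())  # (120, True)
```

For an auditor the point is that the record count and totals of both runs look equally plausible; only a test that deliberately overlaps two updates (or a review of the application's update logic for a version or lock check) reveals which behaviour the system has.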


Chapter 27: Auditing General and Application Controls

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the exposures and control objectives within the various types of information processing center
➤ Describe the controls normally used to mitigate the risks
➤ Formulate and implement an appropriate audit program to evaluate the adequacy and effectiveness of general IT controls
➤ Modify such a program for use in distributed environments and networks

The Control Environment
The control environment includes the governance and management functions, and the attitudes, awareness and actions of those responsible for the governance and management of an organization’s internal controls. The control environment sets the tone of an organization, influencing the control consciousness of its people, and is the foundation for effective control, providing discipline and structure. The control environment will include the following elements:
➤ communication and enforcement of integrity and ethical values;
➤ commitment to competence and service;
➤ independent review and monitoring functions;
➤ management’s philosophy and operating style, including its approach to taking and managing business risks;
➤ organizational structure and the framework for achieving the organization’s business objectives;
➤ assignment of authority and responsibility; and
➤ human resource policies and practices.
The control environment will include controls over the computer systems, which fall into two broad categories: general controls and application controls.

General Controls
General controls comprise all the policies and procedures, both manual and computerized, that govern the environment within which an organization’s computer systems are developed, maintained and operated, and within which the application controls operate. General controls include the systems development standards operated by an organization, which are dealt with in Chapter 30, and those controls that apply to the operation of the computer installation, such as its hardware components, networks and systems software. General controls have a pervasive impact on multiple application systems. Computer systems may range from a simple stand-alone PC or microcomputer to a large, complex and sophisticated installation with a LAN or WAN in a distributed environment.

Application Controls
Application controls, on the other hand, are defined as the controls, both manual and computerized, within the area of the business application that ensure that data is processed accurately, completely and in a timeous manner. Application controls are specific to individual applications and include:
➤ controls over input, such as data validation and batching;
➤ run-to-run controls designed to check the accuracy and completeness of processing by checking file totals at prespecified stages in processing; and
➤ controls over output to ensure accuracy, completeness and confidentiality.

Computer Operations Controls
IT departments will vary considerably from one organization to the next. The structure of a particular department will obviously depend on constraints such as workload and size, but will usually involve an operations function, a project-based or programming function and technical services. The computer operations department houses the staff involved in the day-to-day operation of the information processing facility. This may be a large mainframe environment or a small LAN. The operations function is responsible for many of the routine tasks associated with the effective and efficient running of an installation, including:
➤ mounting and dismounting data files;
➤ loading paper into printers;
➤ aligning special forms;
➤ scheduling runs;
➤ loading programs;
➤ balancing run priorities;
➤ responding to operating system prompts;
➤ responding to application system prompts;
➤ maintaining incident logs;
➤ performing routine housekeeping tasks;
➤ responding to equipment failures;
➤ producing back-up copies as defined;
➤ restoring from back-up when authorized; and
➤ handling ‘unpredictable’ conditions.
The operations department may itself be subdivided into:
➤ a control section, responsible for monitoring information passing into, through and out of the computer operations area;
➤ a data preparation section (although considerable progress has been made in moving this function into the user area);
➤ computer operators, who are responsible for accurate and efficient operation of the scheduled jobs on the computer and who report to the chief operator or shift supervisor; and
➤ possibly a tape librarian to handle the vast quantity of physical tapes, disks and other back-up media.
The operations department is responsible for maintaining physical security over the computer, peripherals, magnetic media and stored data. This includes the various measures designed to minimize the impact of such disasters as flood, fire, malicious damage, etc. Data must be secured against accidental or deliberate disclosure, modification or destruction. Processing controls must exist to ensure that the organization receives complete, accurate, timely and secure processing of data. This includes on-site and off-site file and program libraries. Included in these libraries will be safety copies of data, as well as program source and object codes. Automated library software can help to ensure that the library is maintained in an appropriate form. Ensuring segregation of duties, handling the distribution of output and despatch of hard copy, and controlling access to spool files and networked printers are usually functions of the operations department.

Operations Exposures
These include the normal range of exposures, including human error, hardware failure, software failure, computer abuse and potential disasters. The prime error areas in daily operation are the data entry procedures and operator commands entered from the control console. Using wrong generations of files or wrong versions of programs can be catastrophic should they occur, and an ever-present danger is simple media damage in handling.

Operations Controls
Controls within the operational area are primarily performance and compliance controls associated with the running of computer jobs.
These would usually include the use of:
➤ predefined run schedules;
➤ computer and manual run logs;
➤ system performance statistics;
➤ budgetary controls; and
➤ supervision.

Personnel Controls
Since operations departments are so heavily dependent on people, it is vital to ensure that the personnel aspects are adequately controlled. This includes the segregation of duties, where we would institute controls to ensure that:
➤ IT staff cannot initiate transactions;
➤ systems and programming are independent from operations;
➤ programmers cannot operate the machine;
➤ operators cannot access file libraries;
➤ the IT librarian is an independent function; and
➤ IT staff have no control over corporate assets, other than access required to meet their specific responsibilities for IT hardware and software operations.
In addition, we should ensure that IT operations staff have their duties rotated periodically, are required to take holidays when leave is due, and do NOT attempt to correct programs.

Supervisory Controls
The nature of the operations function makes it very easy to implement effective supervisory controls. Such controls would include:
➤ approving run schedules;
➤ monitoring operations;
➤ scrutinizing the daily console log;
➤ reviewing the manual reports; and
➤ continuous observation.
Generally, 80 per cent of machine usage can be predicted, but there will always be additional user demands, program reruns, reprocessing of files and the handling of unforeseen problems. Machine usage can itself be categorized into machine time spent in:
➤ compilation;
➤ testing;
➤ reruns;
➤ maintenance; and
➤ production.
Operational efficiency and effectiveness should be determined and monitored. Reruns will always be required from time to time because of machine failure, operator failure, application failure, operating system failure or simply high volume or critical input errors.

Operations Audits
Reviewing an operations area involves initially obtaining an organization chart of the function and job descriptions of the staff. These would then be reviewed to ensure proper segregation of duties, particularly in smaller departments. In addition, lists of equipment, networks, system software and running applications will be required. The personnel of the operations section have hands-on access to the hardware, software and networks of the organization. As such, it is imperative that the personnel practices of this section are above reproach. The personnel policies of the operating department must be reviewed with respect to delegation of duties when staff are absent because of illness, leave or for any other reason.
Termination procedures must be scrutinized in order to ensure that no weakness occurs when staff resign or retire or when their employment is terminated. The review of the operations function itself would include scrutiny of computer room access in order to determine:
➤ who is permitted access;
➤ under what circumstances outsiders are permitted access; and
➤ how control over access is enforced.
The operation of computer equipment would include determining who is authorized to operate such equipment. An auditor must examine operating instructions to ensure that installation standards exist and are followed for operating system software, application software, restart and recovery procedures, and handling the disposition of inputs and outputs. Operator actions will be scrutinized to determine whether controls exist in areas where operators have discretion, such as amending parameters while systems are running. This would also include scrutiny of incident logs covering reporting of system failures, restart and recovery, emergencies, and any other unusual situations. It should be noted that logs will include both manual and automated ones and that comparisons may be done between the two in order to determine whether management is informed of all deviations from normal procedures. From time to time, operators may have to cope with emergency circumstances, which could involve making urgent modifications to production programs, job control language and procedure libraries bypassing the normal procedures. In these circumstances, it is critical that adequate documentation is maintained of all operator actions and the reasons for these actions. Operators may have access to powerful utilities that can typically dump data, production programs or even memory at execution time. Management must closely monitor access to utilities and any changes made to ensure that no unauthorized procedures are carried out. Evidence must be sought of adequate supervision of operators. This may include management or shift supervisor sign-off of logs.
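The segregation-of-duties rules listed under Personnel Controls, and the operations audit step of reviewing job descriptions and access against them, can be turned into a repeatable test over an access extract. The following is an added example (not from the book or any tool it names): each rule is a pair of duties one person must not hold together, taken from the text, and the user/duty extract is constructed sample data in a CSV layout that is an assumption about how a real extract would be supplied.

```python
"""Segregation-of-duties review of IT access against the text's rules."""
import csv
import io

IT_DUTIES = {"program_development", "computer_operation", "file_library"}

# (duties one person must not hold together, reason as stated in the text)
RULES: list[tuple[frozenset[str], str]] = [
    (frozenset({"program_development", "computer_operation"}),
     "programmers cannot operate the machine"),
    (frozenset({"computer_operation", "file_library"}),
     "operators cannot access file libraries"),
    (frozenset({"program_development", "file_library"}),
     "the IT librarian is an independent function"),
] + [
    (frozenset({duty, "initiate_transactions"}), "IT staff cannot initiate transactions")
    for duty in sorted(IT_DUTIES)
] + [
    (frozenset({duty, "asset_custody"}), "IT staff have no control over corporate assets")
    for duty in sorted(IT_DUTIES)
]

# Constructed access extract: one row per (user, duty) assignment.
ACCESS_EXTRACT = """\
user,duty
alice,program_development
alice,computer_operation
bob,computer_operation
carol,file_library
dave,computer_operation
dave,initiate_transactions
erin,program_development
"""


def load_assignments(extract: str) -> dict[str, set[str]]:
    """Group the extract into {user: set of duties held}."""
    assignments: dict[str, set[str]] = {}
    for row in csv.DictReader(io.StringIO(extract)):
        assignments.setdefault(row["user"], set()).add(row["duty"])
    return assignments


def sod_violations(assignments: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return (user, reason) for every rule that a user's combined duties breach."""
    findings: set[tuple[str, str]] = set()
    for user, duties in assignments.items():
        for incompatible, reason in RULES:
            if incompatible <= duties:  # the user holds every duty in the toxic pair
                findings.add((user, reason))
    return sorted(findings)


def review_access_extract(extract: str = ACCESS_EXTRACT) -> list[tuple[str, str]]:
    """End-to-end: parse the extract and list the segregation breaches."""
    return sod_violations(load_assignments(extract))


if __name__ == "__main__":
    for user, reason in review_access_extract():
        print(f"{user}: {reason}")
```

Run against the sample, the review flags alice (programming plus operations) and dave (operations plus transaction initiation); bob, carol and erin each hold a single duty and pass. The same check run periodically, rather than once at audit time, also catches the duty rotation and emergency access the text warns about when those grants are not withdrawn afterwards.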

Application Controls
Systems, generally, may be defined as a set of elements or components that interact to accomplish goals and objectives. These systems may take the form of:
➤ systems that perform business-related activities (application systems); or
➤ systems that help the computer function (operating systems).
Application systems include payroll, sales, purchases, inventory, accounts payable and accounts receivable, fixed asset registers and production processing applications. In this section, we will concentrate on the auditing of application systems controls. Well-controlled application systems can be distinguished by the quality of processing and usability of the outputs they produce. At a minimum, application systems must process data accurately and completely and must do so in a reliable manner. The data presented to the user must be relevant to the business function and simple to use. It must be presented in a timely manner to permit the user to carry out the business function timeously and the processing must be verifiable. In achieving all of these control objectives, the system must operate in an acceptably economic manner. Systems themselves come in all shapes and sizes. They are categorized in Table 27.1 to assist us in evaluating the appropriateness of their handling of business risk.


Table 27.1: Types of IT systems

Type of system: Simple vs Complex
Description of system: Simple and complex systems both face the normal risks of inaccuracies, incompleteness, etc, but complex systems, by their very nature, are more likely to experience these problems, since the more complex a system becomes, the harder it is to test adequately and the easier it is for a system error to go undetected.

Type of system: Open vs Closed
Description of system: Open systems are more vulnerable to both errors and attempted penetration. This is a factor of the number of sources of input and output, and the degree of systems interactivity.

Type of system: Stable vs Dynamic
Description of system: The higher the degree of instability of a system, the more likely it is that changes will be made to it that are not clearly thought through with all of the side effects taken into account. There is also a greater probability of rushed and inadequate testing in a highly dynamic system.

Type of system: Adaptive vs Non-adaptive
Description of system: Adaptive systems are designed to be flexible and to be all things to all people. As such, it is comparatively easy to tailor these systems incorrectly. By the same token, non-adaptive systems may be run in an inappropriate manner and supplemented with unofficial add-on sub-systems with all of their inherent error opportunities.

Type of system: Permanent vs Temporary
Description of system: Permanent systems are designed, implemented and maintained within a controlled environment. Temporary systems may fall outside of this system of internal control and may be undertested, undocumented, open for all to change and generally out of control. They also have a habit of becoming semi-permanent unintentionally.

Systems Controls
Several individuals may exercise control in several ways using several application systems. At a macro level, the business decision-maker will determine system variables to cover such issues as:
➤ Will the payroll be daily, weekly or monthly?
➤ Will the financial ledger be produced monthly or in 13 four-week periods?
On a day-to-day basis, the system parameters, controllable by the system operator, will be used to alter variables that require amendment, such as report dates, file control dates, etc.

Control Stages
Control over applications is exercised at every stage and commences at the start of the development of the system. This takes two basic forms:
➤ control over the development process itself; and
➤ ensuring adequate business controls are built into the finished product.
Major control stages would include the system design, system development, system operation and system utilization. Controls will include both manual and computerized (programmed) controls for each of the major control stages.

System Models
Systems may take several forms.
➤ The most basic types of systems are those that are used continuously to provide facilities for the day-to-day operations of an organization. These normally involve the processing of everyday business transactions. Typical examples of transaction processing systems would include sales order processing, inventory control, purchasing, etc.
➤ In addition to these systems supporting normal business processing, management constantly requires information to inform it of the status of various parts of the organization. These management information systems could include financial systems, manufacturing systems, marketing systems, personnel, etc.
➤ A further categorization of systems comes when the information is used by a variety of decision makers to support business decisions. These decision support systems are becoming more and more sophisticated and may be found in all business areas, such as financial, statistical analysis, project management and data warehouses that, among other things, may be used to monitor business operations, and control distribution of goods to outlets from central warehouses, etc.

Control Objectives of Business Systems
In order to achieve the potential benefits of properly managed information systems, they must themselves be generated and operated in order to achieve specific control objectives. These would include the general control objectives of accuracy, completeness, validity, integrity and confidentiality. In addition, the differing system types may have additional control objectives and differing priorities within the general control objectives.
System types could include order processing systems, invoicing systems, accounts receivable and payable systems, and the rest of the full range of business systems. Other specialized systems may exist depending on the nature of the business. Such systems could include online Internet and treasury management banking systems, retail systems, manufacturing systems, and Electronic Data Interchange (EDI) for e-commerce applications and the like.

Overall Control Objectives
In addition to the overall objectives for information processing of integrity of information, security and compliance, there are specific control objectives at every stage of input, processing and output, as set out in Table 27.2.


Table 27.2: Control objectives and control procedures

Stage: Input
Objectives:
➤ All transactions have occurred and are valid business transactions of the entity, are properly authorized initially and are completely recorded
➤ All transactions are completely and accurately entered into the system
➤ All transactions are entered once only
Control procedures:
➤ Prenumbered documents
➤ Control total reconciliations
➤ Data validation
➤ Activity logging
➤ Document scanning
➤ Access authorization
➤ Document cancellation

Stage: Process
Objectives:
➤ Programmed controls to ensure completeness and accuracy of transactions in the processing stage for the relevant application
➤ Programmed controls to detect loss of data, and prevent duplication of transactions
➤ Programmed controls to ensure completeness and accuracy of arithmetic calculations and allocations to ledger accounts and analyses
➤ Control over data storage, retrieval, updating and file maintenance
Control procedures:
➤ Completeness and accuracy of transactions: record counts, sequence tests, control totals, hash totals, programmed limit and reasonableness tests, cross-addition of analyses and exception reporting
➤ Completeness and accuracy of updating: correct generation of master file used – manual agreement of computer-generated totals to original documents, run-to-run totals, check of brought-forward and carry-forward totals, check of file set-up for application
➤ Data storage and retrieval: internal and external file labels, computer updating procedures, audit trails and manual checks to source documents by IT administrator
➤ Data storage for file maintenance: reconciliation of file totals, comparison of computer balances to physical counts and cut-off checks, review of results (output) by users, one-on-one manual checks, especially for master-file changes processed, computer-generated batch and hash totals for total additions/deletions from master files for processing period checked manually to input headers

Stage: Output (hard copy, file output, online enquiry files)
Objectives:
➤ Assurance that the results of input and processing are correct and are reconciled to the output reports
➤ Output is available only to authorized personnel
➤ Error reports are distributed to responsible personnel and corrective steps are taken promptly
Control procedures:
➤ Complete audit trail
➤ Output distribution logs
➤ Reconciliations of input documents to output reports and to control totals
➤ Error detection and correction

Stage: Application program
Objectives (application program control objectives):
➤ Integrity of programs and processing
➤ Prevention of unwanted program changes
➤ Ensuring adequate design and development control
➤ Ensuring adequate testing
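The input and processing procedures in Table 27.2 (record counts, control totals, hash totals, sequence tests, once-only entry, programmed limit and reasonableness tests), and the batch header controls described under Batch vs Online in the previous chapter, fit together in one reconciliation routine. The following is an added example, not code from the book: a batch header prepared manually from the prenumbered source documents is reconciled to the captured transactions, and each record is put through the sequence, duplicate and limit tests. The transaction layout, amounts, account numbers, document numbers and the limit are all constructed.

```python
"""Batch input and processing controls: header reconciliation plus
sequence, duplicate and limit tests. All data is constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    doc_no: int   # prenumbered source document
    account: int
    amount: int   # in cents


@dataclass(frozen=True)
class BatchHeader:
    record_count: int
    control_total: int  # sum of amounts, a meaningful total
    hash_total: int     # sum of account numbers: meaningless as a value, but it
                        # detects a wrong or missing account field that the
                        # control total would not
    first_doc: int
    last_doc: int


def header_from_documents(txns: list[Txn]) -> BatchHeader:
    """What the control section writes on the batch header before capture."""
    return BatchHeader(
        record_count=len(txns),
        control_total=sum(t.amount for t in txns),
        hash_total=sum(t.account for t in txns),
        first_doc=min(t.doc_no for t in txns),
        last_doc=max(t.doc_no for t in txns),
    )


def batch_exceptions(header: BatchHeader, captured: list[Txn], amount_limit: int) -> list[str]:
    """Exception report for one batch: an empty list means the batch reconciles."""
    issues: list[str] = []

    # Completeness and accuracy of capture: reconcile to the batch header.
    if len(captured) != header.record_count:
        issues.append(f"record count {len(captured)} differs from batch header {header.record_count}")
    control_total = sum(t.amount for t in captured)
    if control_total != header.control_total:
        issues.append(f"control total {control_total} differs from batch header {header.control_total}")
    hash_total = sum(t.account for t in captured)
    if hash_total != header.hash_total:
        issues.append(f"hash total {hash_total} differs from batch header {header.hash_total}")

    # Sequence test on prenumbered documents: none missing, none outside the batch range.
    doc_counts = Counter(t.doc_no for t in captured)
    expected = range(header.first_doc, header.last_doc + 1)
    for doc in expected:
        if doc not in doc_counts:
            issues.append(f"document {doc} missing from batch")
    for doc in sorted(doc_counts):
        if doc not in expected:
            issues.append(f"document {doc} outside batch range")

    # Once-only entry: the same document keyed twice.
    for doc, n in sorted(doc_counts.items()):
        if n > 1:
            issues.append(f"document {doc} entered more than once")

    # Programmed limit / reasonableness test on each amount.
    for t in captured:
        if t.amount <= 0 or t.amount > amount_limit:
            issues.append(f"document {t.doc_no}: amount {t.amount} fails limit test")
    return issues


# Constructed source documents and the header the control section prepared from them.
SOURCE_DOCS = [Txn(1001, 301, 2500), Txn(1002, 302, 4000), Txn(1003, 303, 1500), Txn(1004, 304, 4500)]
HEADER = header_from_documents(SOURCE_DOCS)
AMOUNT_LIMIT = 5000

# Constructed capture error: document 1002 keyed twice, document 1003 never keyed.
# The record count still agrees, which is why a count on its own is not enough.
CAPTURED_WITH_ERRORS = [Txn(1001, 301, 2500), Txn(1002, 302, 4000), Txn(1002, 302, 4000), Txn(1004, 304, 4500)]


if __name__ == "__main__":
    print(batch_exceptions(HEADER, SOURCE_DOCS, AMOUNT_LIMIT))  # []
    for line in batch_exceptions(HEADER, CAPTURED_WITH_ERRORS, AMOUNT_LIMIT):
        print(line)
```

The erroneous batch passes the record count but fails the control total, the hash total, the sequence test and the once-only test, so any one of the totals would have caught it and the sequence test names the exact document to go back to. For the rejected-transaction objective in the processing row, the returned exception list is what gets reported, corrected and re-entered.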


Chapter 28: Auditing Systems under Development

Learning objectives
After studying this chapter you should be able to:
➤ Outline briefly the process involved in developing a new IT system
➤ Outline briefly the process involved in acquiring a packaged IT system
➤ Outline briefly the process involved in maintaining an IT system
➤ Describe the various possible roles of an IT auditor in a development environment
➤ Define the types of database management systems and describe the advantages and disadvantages of database systems
➤ Explain the causes of systems development exposures and the control opportunities available
➤ Explain the varieties of lifecycle models available

Why Do Systems Fail? It is an unfortunate fact that computer systems do fail from time to time. The dis­ tance between these times or the mean time between failures is to a large extent governed by events that took place during systems development. The most com­mon of these problematic events are discussed below. ➤ Poor support from top management Top management, even today, is content in many cases to leave the development of new and strategic systems to computer staff rather than being actively involved. This can mean that IT staff develop what is known as systems blind and the systems become the IT staff’s interpretation of what they believe management should be looking for. This interpretation is not always accurate. ➤ Poor staff attitude Taking their lead from top management, the users whose system it is from inception will also often sit back and leave the detail to the IT staff. An attitude of non-own­ ership of the development process becomes prevalent. ➤ Unclear business objectives In many systems, the development was triggered by a senior manager thinking, ‘Wouldn’t it be a good idea if we had a system that could ...’. The system is then developed to meet the (often poorly defined) requirements of a single manager rather that the needs of the organization as a whole. ➤ Management and users are unsure of their needs It is a common occurrence that, when asked to express their needs in terms of IT support, management and users are unable to articulate clearly what they want.

Internal_Auditing.indb 263

16/04/2015 11:13

INTERNAL AUDITING: AN INTEGRATED APPROACH

Auditors find the same problem in asking managers to explain how control is achieved. Think how difficult it would be to explain to someone exactly how you breathe. You have done it all your life, but would find it difficult to explain exactly how you do it. It is part of the job of the IT staff to find out the users’ business needs and translate these into potential computer support areas.

➤ IT personnel are unfamiliar with user needs
In many cases, the IT staff assigned to a given project have no fundamental understanding of the actual business process to be computerized. Once again, this leads to misinterpretation of users’ wants and needs.

➤ Additional user requirements are not previously specified
A common complaint of users is that: ‘The system can’t do ...’ while the IT response is ‘You never told me you wanted it to ...’. One of the most difficult areas of systems analysis is ensuring that your understanding is fully comprehensive and that all requirements are known.

➤ Changes in user requirements
Many systems are developed over a number of years. During this time, the business needs of the final user will change due to a changing business environment, new technology requirements, changes in managerial personnel and style, etc. Systems must be developed with as much flexibility as possible, both during development and in the final product.

➤ Organizational changes during the project
Given the life of many IT projects, it would be unusual for a project to reach completion without staff changes. At either the IT or user end, loss of a key member of the development team can create havoc and seriously jeopardize the project’s viability.

➤ Failure to understand interrelationships between parts of the organization
In today’s environment, most systems implemented are designed to be integrated systems treating the business needs of a disparate group of corporate functions. In many cases, management, even at director level, are so specialized that they have no understanding in depth of how other areas of the business function. As a result, many integrated systems do not adequately map onto the business functionality required.

➤ Overoptimistic file conversions
Acquiring data and converting from previous systems is a critical task and should be treated as such. This does not happen overnight and of its own accord. It must be planned for and appropriate resources must be committed to the process.

➤ Poor quality input for file conversions
In many cases, the source of the data to be converted for the new system is suspect and such data must be ‘sanitized’ or cleaned up prior to systems implementation.

➤ Poor documentation
Many systems development projects work on the basis that the documentation will be completed at the end of the project after the new system has stabilized. This is a source of two distinct forms of problems. Firstly, the time when documentation is most needed is at the design and coding stage, to ensure the final system is what was intended. Secondly, completion of documentation at the end results in rushed and scanty documentation and occasionally no documentation at all, since project time has run out.

➤ Inadequate system and program testing
Testing of systems is a complex business involving programmers, systems analysts, users and internal auditors. The first three must satisfy themselves that the system performs as desired in that it does everything it is supposed to and conversely does NOT do the things it is not supposed to. An auditor’s role is to satisfy him- or herself that the testing has, in fact, been done to acceptable standards.

Systems Development

IIA Practice Advisory 2100-6: Control and Audit Implications of E-commerce Activities provides guidance as to areas that an internal auditor should assess and evaluate in circumstances where there are new and ongoing IT developments in the business processes. ‘The internal auditor should evaluate how well business units are managing the e-commerce process. The following are some relevant topics.
➤ Project management reviews of individual initiatives and development projects.
➤ System Development Life Cycle reviews.
➤ Vendor selection, vendor capabilities, employee confidentiality, and bonding.
➤ Post-implementation economic reviews: Are anticipated benefits being achieved? What metrics are being used to measure success?
➤ Post-implementation process reviews: Are new processes in place and working effectively?’

One of the major controls over the development process is itself the systems development life cycle. This has the advantages of uniformity, enabling of performance measurement, reducing the maintenance effort and improving the quality of the finished product. It involves specific tasks, namely:
➤ drawing up requirements and proposals;
➤ systems design;
➤ detailed design;
➤ coding, testing and documentation; and
➤ systems testing.

Drawing up Requirements and Proposals

Systems proposals come from a variety of sources and happen for a variety of reasons. They may come from the board of directors, as a result of a business change. They may come from the government, in the form of legislative changes. They may be intended to improve business effectiveness or efficiencies. They may come because technology itself has changed. They may be required as a response to competitive forces. In all cases, the feasibility of the change and its cost desirability must be assessed. This means that the outline systems design must be known. This outline design expresses the business requirements of the proposed system in terms of user requirement specifications.

Specifications

User specifications identify:
➤ the business functionality required of the system;
➤ the actions the user is to take;
➤ the decision rules to apply;
➤ the services required of IS;
➤ the methods and timescales for user/IS interaction; and
➤ the assignment of responsibility.

Technical Specifications

Once the outline design has been agreed, the detailed design must be defined. This involves taking the business design and interpreting it into computerese by defining:
➤ file and record layouts;
➤ operational constraints;
➤ processing logic definitions; and
➤ access rules.

Problems at the specification stage include:
➤ the availability of user staff, as a result of which the IT section may be left in isolation to develop the system as it sees fit;
➤ access to the right level of staff – in many cases the user staff available are not of the right authority level or do not have the required knowledge base to carry out the appropriate liaison;
➤ ‘technology lust’, which results in a constant search for the latest technology, regardless of whether it is genuinely required;
➤ overextended time scales with no measurement points (defined milestones) in between. To allow effective project planning, timescales should be short, with measurement milestones at frequent intervals. In addition, overextended timescales can mean that key staff change during the process, business objectives change, costs will escalate and hardware/software may become obsolete; and
➤ inexperienced staff, who can cause complications, since many organizations hire extra staff for large-scale projects who may be technically competent but have no understanding of the organization, its objectives and standards.

Implementation Planning

Once the system has been designed successfully, it must be implemented. This involves:
➤ reviewing the scope and objectives to ensure they are still appropriate;

➤ reassessing the timescales, budgets and benefits based on the fuller understanding of the system now available;
➤ drawing up implementation timescales based on the full detailed design;
➤ allocating responsibilities for the development of the various parts of the system; and
➤ conducting a pre-implementation review to ensure that problems encountered in the past do not recur.

Implementation

Implementation itself involves:
➤ programming;
➤ coding;
➤ prototyping;
➤ unit testing;
➤ test-linking to other modules;
➤ documentation;
➤ installation;
➤ user acceptance testing;
➤ parallel running;
➤ user training;
➤ file conversion; and
➤ live running.
Some of these activities may be conducted simultaneously, but this, again, is a factor of the effectiveness of the project planning process.

Conversion Activities

Once the system has been developed and adequately tested, conversion from the previous manual or computer system must take place. This will usually involve:
➤ the acquisition of data;
➤ the identification of sources;
➤ the development of conversion programs;
➤ the sanitization of input data; and
➤ file conversion.
System conversion is a major task and requires strict control to be enforced. Poor conversion may jeopardize the whole project on the principle ‘Rubbish in – rubbish out’. Audit involvement is essential. Care should be taken to ensure that audit’s role does not become one of IT quality assurance. Our role is to ensure that management has adequate controls to ensure that conversion was effective. While all this is going on, maintenance must continue on the current systems.

Post-implementation Review

The final stage of the SDLC is the post-implementation review. This is used to determine what went/is going wrong with the development process, as well as what went/is going right. Its objective is not to determine flaws in the developed system but to refine the SDLC itself by identifying skill shortcomings and improving control techniques. From this point onwards, the system will be subject to ongoing maintenance for the normal business reasons such as design corrections and ‘bugs’, mandatory changes, enhancements as the business changes or to accommodate changes in technology.

Systems Development Exposures

Failures of control during systems development can lead to a variety of business problems, including:
➤ wrong management decisions;
➤ unacceptable accounting policies;
➤ inaccurate record-keeping;
➤ business interruption;
➤ built-in fraud;
➤ violation of legal statutes;
➤ excessive operating costs;
➤ inflexibility;
➤ overrun budgets; and
➤ unfulfilled objectives.
These may prove minor annoyances or major business catastrophes to the business, depending on the organization and the system concerned. The primary causes of development exposures may be summarized as:
➤ incomplete economic evaluation;
➤ management abdication;
➤ inadequate specifications;
➤ systems design errors;
➤ incompetent personnel;
➤ technical self-gratification;
➤ poor communications;
➤ no project ‘kill’ points;
➤ temptations to computer abuse; and
➤ incoherent direction.

Systems Development Controls

In order to achieve controlled systems, the development process must itself be controlled. Major controls in this area are:
➤ the methodology (SDLC);
➤ staff hiring policies;
➤ training;
➤ technical review and approval;
➤ management review and approval;
➤ audit participation;
➤ the systems test phase;
➤ post-implementation review; and
➤ documentation.

Project management controls to assist the process involve:
➤ periodic schedule reviews;
➤ work assignment;
➤ performance monitoring;
➤ progress monitoring;
➤ status reporting; and
➤ follow-up.
In other words, an IT project is managed no differently from any other long-term, high-cost engineering project. The project planning elements would include:
➤ appropriate project guidelines;
➤ work breakdowns complete with start and completion dates; and
➤ an effective monitoring mechanism to measure against agreed schedules.

SDLC Control Objectives

Control objectives for each stage of the SDLC are given below.

Methodology
➤ Formalized, structured methodology will be followed.
➤ Roles and responsibilities will be clearly laid out and adhered to.
➤ Methodology will be kept up-to-date and in step with current developments.

Project initiation
➤ Each new project will be clearly scoped before work starts.
➤ The user department will be involved in the definition and authorization of new or modified systems.
➤ Team assignment will result in the use of appropriately skilled and qualified staff.
➤ The start of each phase will be preceded by the appropriate authorization.

Feasibility study
➤ Alternative courses of action will be evaluated in order that an appropriate solution is selected.
➤ Technological feasibility of the recommended solution will be assured.
➤ All relevant costs will be included in the cost/benefit analysis.
➤ All relevant risks will have been identified and quantified.
➤ Project approval will be given by the appropriate levels of management based on knowledge.
➤ The project will be capable of being monitored through its existence.

Systems design
➤ Design methodology is appropriate to the proposed system:
  ◗ lifecycle;
  ◗ structure;
  ◗ database;
  ◗ skeletal; and
  ◗ prototype.
➤ Documentation will be created to standard.
➤ Input validation requirements will be appropriate.
➤ File structures will conform to departmental standards.
➤ All requisite processing steps will be identified and designed into the system.
➤ All programs will be fully specified according to departmental standards.
➤ All sources of data required for the system will be identified and approved.
➤ The security requirements of the system will be fully defined and approved.
➤ Audit trails will be appropriate and approved.
➤ Documentation of the system design will adhere to departmental standards.
➤ The overall design will include the design of appropriate testing and verification plans.
➤ Design approval will be obtained from the appropriate levels of management.

Development and implementation
➤ Written narratives of all programs in the system will be available and up-to-date.
➤ Commercial packages selected will be compatible with existing operations and departmental policies.
➤ Use of contracted programming staff will be approved and the quality of their work will be contracted for.
➤ Operational documentation will be produced according to departmental standards.
➤ Training plans will be produced for all users of the system.
➤ Program testing will be comprehensive and effective.
➤ System testing will test both for functional capability and operational efficiency.
➤ Conversion planning will ensure smooth conversion to the new system.
➤ Acceptance testing will be comprehensive and carried out by the appropriate staff.

System operations
➤ All organizational controls will operate as designed and intended.
➤ Cost monitoring will ensure that the system operates efficiently.
➤ Modifications to the system will be permitted only by those authorized to carry them out.

Post-implementation review
➤ Post-implementation review will be carried out by the appropriate staff and systems will be examined to determine their efficiency, effectiveness and economy.
➤ The systems will be examined to determine areas for improvement in the development methodology.

The project life cycle has been defined as having identifiable start and end points and passing through six distinct phases, namely:
➤ concept;
➤ definition;
➤ design;
➤ development;
➤ application; and
➤ post-completion.55
This led to the development of the Waterfall cycle, illustrated below in Figure 28.1. Here we can see that each activity ‘cascades’ from the previous activity to lead to the fully developed information system. In this model, you can see that the major activities overlap significantly. The major difficulty with this model is that software development’s need to progress iteratively is not catered for, since each project remains within the identifiable start and end points.

Figure 28.1 ‘The Waterfall’ cycle (stages shown: System Requirements, Software Design, Analysis, Program Design, Coding, Testing, Operations)

In 1988 Boehm proposed an iterative spiral model for the development and enhancement of computer software.56 Boehm’s spiral involved five major functions, namely:
➤ next stage planning;
➤ determining objectives, alternatives and constraints;
➤ evaluation of alternatives;
➤ identifying and resolving risk issues; and
➤ developing and verifying the next level product.
These functions started with the development of a baseline product and then moved through several iterations until the final product was implemented.

An alternative development model based upon the waterfall cycle was suggested by Fish57 and is known as the Vee cycle. This follows a sequence such as that shown in Figure 28.2. Business requirements are dictated by business strategy, which incorporates explicit user requirements. These then lead to the definition of systems requirements and specifications. These, in turn, allow the formation of the architectural design of the software and coding then creates the individual components of the system, which is then tested ‘up’ the waterfall against the different levels of specification. From a control and audit perspective, this form of systems development is considered easier to audit since at each level there are standards to match against, as well as the fact that there is a separate audit stage.

Figure 28.2 The ‘Vee cycle’ (planning stages down the left: Discovery, User requirements, Functionality, Design, Sanction; Construct at the base; implementation stages up the right: Check, Review, Audit, Close-out)

55. Archibald, R.D. 2003. Managing High-Technology Programs and Projects. 3rd ed. New York: Wiley. p. 19.
56. Boehm, B. 1988. ‘A Spiral Model of Software Development and Enhancement’. IEEE, May. pp. 61–72.
57. Fish, E. 2002, 2003. An Improvement Project Lifecycle Model. Pandora Consulting, http://www.maxwideman.com/guests/pic/intro.htm (Guest Department), updated.

Within an IS environment, this approach would typically involve the following:
➤ Discovery is the point in the process when the IS or user area finds there is a market for a specific system. This phase is brief, and there are few decisions to be made.
➤ Requirement is the stage at which the user can write an outline system specification which states: ‘We need a system capable of the following functionality A., B., C.’. At this stage a feasibility study may include an assessment of the technical feasibility of this system, its costs and potential benefits.
➤ Functionality occurs when the user can write a detailed business specification which states all of the business, operational and control requirements. At this stage the feasibility study may be revisited to re-assess the technical feasibility of this system, its costs and potential benefits.
➤ Design results in the detailed system specification that specifies file layouts, screen design, the required hardware and software environment, networking requirements, and any potential limitations or requirements for new hardware and software to acquire.
➤ Sanction is the phase in which board approval for design and expenditure is sought prior to the commitment of resources to the longest part of the process.
➤ Construct is the purchase or development of the software, including the coding, unit-testing and documentation of the application systems.
➤ Check is used to verify that what is installed is what was intended to be installed, as set out in the design documents, and that installation was done according to those design documents. This verification is a critical element of the ISO 9000 standard.
➤ Review involves testing sub-systems, usually with test material, to ensure that the intention of the system has been met. This phase tests collections of hardware and software (systems) against the design intent and the interaction of integrated systems.

➤ Audit is the verification stage, which may be deemed to be complete when the system can meet the functional, operational and control stipulations of the detailed business specification. ISO 9000 defines this as validation, where tests are applied to see if the customer’s requirements are addressed in reality.
➤ Close-out is the stage in which the cycle is completed by ensuring the installed product matches the need identified during the discovery phase.
As can be seen from the model illustrated in Figure 28.2, the left hand side of the Vee shows the planning stages, while the right hand side indicates the implementation or ‘doing’ stages.

Micro-based Systems

In-house developed micro-based systems should be subject to the same controls, but often are not. They are frequently substituted for IS developed systems and suffer the same SDLC problems, but, in addition, they fall under nobody’s control and may be developed by amateurs with no specifications, documentation, controls, cost/benefit analysis and back-ups.


CHAPTER 29

The Use of CAATs in Auditing Computerized Systems

Learning objectives

After studying this chapter, you should be able to:
➤ Outline briefly the major types of computer-assisted audit techniques (CAATs)
➤ Describe the benefits and limitations of CAATs
➤ Define the types of automated tools available to an IT auditor
➤ Select the appropriate technique and pick the appropriate tool
➤ Understand and use IDEA as generalized audit software

Computer-assisted Audit Tools and Techniques

In today’s environment, a review of business systems will almost inevitably involve the use of appropriate information retrieval and analysis programs and procedures. An auditor will use test transaction techniques to review system level activity. In advanced auditing, the use of knowledge-based systems will allow less-skilled staff to use advanced audit techniques.

Standards of Evidence

IIA Practice Advisory 2310-1: Identifying Information indicates that audit evidence should be:
➤ sufficient;
➤ reliable;
➤ relevant; and
➤ useful.
The use of computer-assisted audit solutions involves the merging of software into an audit program. For this to prove effective, key control questions must be predefined in order to facilitate the use of the technology to analyze the data and provide the answers. Advantages from an auditor’s perspective include:
➤ increased auditor productivity;
➤ creativity; and
➤ the application of a consistent methodology.
Information retrieval and analysis programs and procedures include programs that organize, combine, extract and analyze information. This includes generalized audit software, application software and industry-related software. Customized audit software and information retrieval software, as well as standard utilities and online enquiry may also be used for information retrieval and analysis. Where an auditor has computer skills in programming, conventional programming languages may provide a viable alternative, but a lack of such skills does not preclude auditors from using such techniques. The ready availability of microcomputer-based software, which provides computing power without the requirement of technical expertise, puts direct data analysis within the toolkit of any auditor. The primary requirement is an understanding of the business application and how data relates.

Generalized Audit Software

Generalized audit software (GAS) is software designed specifically for auditors in order to provide a user-friendly audit tool to carry out a variety of standard tasks, such as examining records, testing calculations and making computations. A common audit technique is to take a copy of a file of standard data for later comparison to a changed version of the same data. Once again, GAS can conduct the comparison and analysis. Selecting, analyzing and printing audit samples are techniques that can significantly improve the quality of an audit by allowing the quantification of audit and sampling risk. In a high-volume system, these techniques may be the only method an auditor can employ to achieve a satisfactory audit. In such systems, the use of computerized sampling simplifies both the usage and interpretation of results. Most GAS comes complete with sampling and analysis functions to handle the complexities. An auditor will commonly have to handle data that is not in a suitable format for analysis. Summarizing and resequencing data are required to put the information into a more useable format. Once reformatted, the software can also perform the appropriate analyses.

Benefits

GAS cannot resolve all of an auditor’s problems, but it can help in many of the common problem areas. It is specifically designed for the handling of volumes of data. The output can be used for further computer processing, allowing audits to be linked together. The time to audit can be reduced and the auditor freed to spend time interpreting results. Since limited programming skills are needed, the audit reliance on IS staff is reduced.

Limitations

Hardware and software environments may be restrictive if an inappropriate package is selected. The number of files to be handled may be restrictive and the types of record structures may not be comprehensive. Numbers of computations may be limited and the number of reports per ‘pass’ may be restrictive. This makes the selection of software a critical element in the effective use of GAS.

Application and industry-related audit software

In addition to GAS, audit software is available for standard business applications, such as accounts receivable and payable, payrolls, general ledgers and inventory management. Such software applications are available as stand-alone or as add-ons to standard GAS packages.

Industry-related audit software is available for specific industries, such as insurance, health care and financial services. Most of these packages require conversion of input to standard package layouts and the selection of appropriate parameters. This means that a degree of IS skill is required for conversion. The software itself is normally both cost-effective and efficient.

Customized Audit Software

Customized audit software is software designed to run in unique circumstances and to perform unique audit tests. Where output is required in unique formats, customized audit software may be required. Such software is normally expensive to develop and requires a high level of IS skills. It must be handled with care, since running it may not tell you what you think it does; however, it may be the only viable solution in a unique processing situation.

Information Retrieval Software

Standard information retrieval software, such as report writers and query languages, can perform many common audit routines, although not specifically written for auditors. This category of software includes report writers, program generators and fourth-generation languages.

Utilities

Utilities are programs written to perform common tasks, such as copying, sorting, printing, merging, selecting or editing. These programs are normally parameter driven and can be used in combination with other software. They are extremely powerful and the right to use them should be restricted. From an audit perspective, they see data as it exists, which makes their results more reliable.

Online Enquiry

Interactive interrogation can provide comparison data for audit reports and confirmation of corrective action taken, and can be an additional source of audit information. Effective use requires few IS skills, but an understanding of the information is essential. Armed with the appropriate access authority, auditors can obtain adequate audit evidence to meet their requirements. However, you must be sure about what you are looking at, since it is easy to draw the wrong conclusions.

Conventional Programming Languages

Standard languages, such as COBOL, BASIC, RPG, PASCAL, C, etc, can be effective audit tools, but require a certain amount of programming experience. Such programs are normally slow to develop and expensive and may not be reliable, since auditors are not professional programmers. They can, however, perform any audit test an auditor can envisage and can be used in conjunction with any other type of audit software.


Microcomputer-based Software

Microcomputer-based software can prove a flexible and powerful tool for an auditor and includes GAS, computer-aided software engineering (CASE), spreadsheet packages (analysis, manipulation, recalculation, etc), specialized packages (eg NCSS) and specialized software for auditing micros (eg CSAN).
➤ They have the advantages of being able to use input from multiple hardware/software platforms, are comparatively inexpensive and mean that a user has only to learn a set of portable software.
➤ Disadvantages include the fact that an auditor is not looking at the live data and that the software may not handle all data formats from mainframes.

Test Transaction Techniques

Test transaction techniques are used to confirm that processing controls are functioning and include the evaluation of edit and validation controls, the testing of exception reports and the evaluation of data integrity controls. Total and calculation verification may be performed. The transaction test techniques could include the following:

Test data
This technique involves using a copy of the live computer system through which a series of transactions is passed in order to produce predetermined results. The volume of data that can be handled limits this technique, while it is effective in searching for defects. Also, the results may be biased by the results an auditor expects.

Integrated test facility (ITF)
This technique, while similar in nature to test data, is effected by creation within the live system of a dummy entity (department, warehouse, etc) and the processing of test data against the dummy entity together with the live data. This technique has the advantages of testing the system as it normally operates and testing both the computer and manual systems. It has distinct disadvantages as well. All test transactions must be removed from the live system before they affect live totals, postings or the production of negotiable documents such as cheques. In addition, there may be a very real danger of destroying the live system. ITFs must be used with great care.

Source-code review
This computer audit technique involves the review of the source code originally written by the programmer. In the past, this has meant browsing through piles of printout. In today’s environment, sophisticated searches can be implemented using GAS to establish weaknesses in the source code.

Embedded Audit Modules (SCARFs – System Collection Audit Review Files)
In systems where audit trails may exist only as computer records and then only for a short time or discontinuously, it may be necessary for an auditor to have an in-built facility to collect and retain selected information to serve as an audit trail for subsequent examination. This obviously makes the collected data a target for destruction or manipulation and it must be treated as such.
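As an added illustration of an embedded audit module (example code, not from the book or from IDEA), the Python below instruments a hypothetical payment-posting routine with an audit hook that copies selected transactions into a review file; because the text notes that the collected data is a target for destruction or manipulation, each entry is hash-chained to the one before it so that an altered or deleted entry is detectable when the auditor later examines the file. The selection thresholds, account names and transactions are constructed sample values.

```python
"""SCARF-style embedded audit module with a tamper-evident review file.

Added example; the business routine, selection criteria and transactions
are hypothetical constructions for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, field

GENESIS_HASH = "0" * 64  # link value used for the first entry


def _link_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous link and a canonical encoding of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


@dataclass
class AuditReviewFile:
    """In-memory review file. A production module would append to write-once
    storage that the application's users and administrators cannot modify."""
    entries: list = field(default_factory=list)

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        link = _link_hash(prev, record)
        self.entries.append({"seq": len(self.entries), "record": record, "hash": link})
        return link

    def head(self) -> str:
        """Latest link; the auditor retains it off-system to detect truncation."""
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH

    def verify_chain(self) -> list:
        """Sequence numbers of entries whose link no longer recomputes (altered,
        or following a deleted entry); an empty list means the chain is intact."""
        broken, prev = [], GENESIS_HASH
        for entry in self.entries:
            if _link_hash(prev, entry["record"]) != entry["hash"]:
                broken.append(entry["seq"])
            prev = entry["hash"]
        return broken


@dataclass(frozen=True)
class SelectionCriteria:
    """Auditor-defined selection rules; thresholds are constructed sample values."""
    amount_threshold: float = 10_000.00
    watched_accounts: frozenset = frozenset({"SUSPENSE"})

    def reason(self, txn: dict):
        if txn["amount"] >= self.amount_threshold:
            return "amount at or above threshold"
        if txn["account"] in self.watched_accounts:
            return "posting to watched account"
        if txn.get("manual_override"):
            return "manual override used"
        return None


def post_payment(txn: dict, scarf: AuditReviewFile, criteria: SelectionCriteria) -> dict:
    """Hypothetical business routine; the `if reason:` block is the embedded hook."""
    # ... normal validation and posting of the payment would happen here ...
    reason = criteria.reason(txn)
    if reason:
        # Copy the record so later changes to the live row cannot alter the audit copy.
        scarf.append({"txn": dict(txn), "reason": reason})
    return {"txn_id": txn["txn_id"], "posted": True, "audited": reason is not None}


# Constructed sample of one day's payment transactions.
SAMPLE_TRANSACTIONS = [
    {"txn_id": "T1", "account": "AP-100", "amount": 250.00, "user": "clerk1"},
    {"txn_id": "T2", "account": "AP-100", "amount": 12500.00, "user": "clerk1"},
    {"txn_id": "T3", "account": "SUSPENSE", "amount": 40.00, "user": "clerk2"},
    {"txn_id": "T4", "account": "AP-200", "amount": 900.00, "user": "clerk2", "manual_override": True},
    {"txn_id": "T5", "account": "AP-200", "amount": 75.00, "user": "clerk3"},
]


def run_day(transactions=SAMPLE_TRANSACTIONS) -> AuditReviewFile:
    """Post every transaction and return the review file the hook produced."""
    scarf, criteria = AuditReviewFile(), SelectionCriteria()
    for txn in transactions:
        post_payment(txn, scarf, criteria)
    return scarf


def selected_ids(scarf: AuditReviewFile) -> list:
    """Transaction ids captured in the review file, in capture order."""
    return [entry["record"]["txn"]["txn_id"] for entry in scarf.entries]


if __name__ == "__main__":
    day = run_day()
    print("selected:", selected_ids(day), "chain intact:", day.verify_chain() == [])
    day.entries[0]["record"]["txn"]["amount"] = 250.00  # simulate after-the-fact manipulation
    print("after tampering, broken entries:", day.verify_chain())
```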

Parallel Simulation

Parallel simulation is a technique involving the creation of software to simulate some functional capability of the live system, such as a calculation. The live data is processed through the simulating program in parallel with the live system, and the outputs are compared.

Review of System-level Activity

This involves the examination of control areas with a pervasive influence such as telecommunications, the operating environment itself, and the systems development function and change control. End-user computing, although not in the same category of general control, can be treated in the same manner as a general threat.
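The following added example (Python, not code from the book or from IDEA) carries parallel simulation through for a settlement-discount calculation: the auditor re-implements the documented business rule, runs the live system’s own input through it, and lists every invoice where the recorded result and the simulated result differ. The business rule, the invoice extract and the two discrepancies it contains are constructed for illustration.

```python
"""Parallel simulation of a live billing system's discount calculation.

Added example; the business rule and the 'live output' extract are
constructed, not taken from any real system.
"""
from decimal import Decimal, ROUND_HALF_UP

# Documented business rule (constructed): a 2% settlement discount if paid
# within 10 days, 1% within 30 days, none afterwards; VAT at 15% is charged
# on the discounted amount and each intermediate result is rounded to cents.
DISCOUNT_BANDS = [(10, Decimal("0.02")), (30, Decimal("0.01"))]
VAT_RATE = Decimal("0.15")
CENT = Decimal("0.01")


def simulate_net(gross, days_to_pay: int) -> Decimal:
    """Auditor's independent re-implementation of the live calculation."""
    gross = Decimal(gross)
    rate = Decimal("0")
    for limit, band_rate in DISCOUNT_BANDS:
        if days_to_pay <= limit:
            rate = band_rate
            break
    discounted = (gross * (Decimal("1") - rate)).quantize(CENT, rounding=ROUND_HALF_UP)
    return (discounted * (Decimal("1") + VAT_RATE)).quantize(CENT, rounding=ROUND_HALF_UP)


# Constructed extract of the live system's output: invoice number, gross
# amount, days taken to pay, and the net amount the live system recorded.
LIVE_OUTPUT = [
    ("INV-1001", "1000.00", 5, "1127.00"),
    ("INV-1002", "250.00", 20, "284.63"),
    ("INV-1003", "999.99", 45, "1149.99"),
    ("INV-1004", "5000.00", 10, "5750.00"),  # live code treated day 10 as outside the 2% band
    ("INV-1005", "33.33", 31, "38.32"),      # live code truncated instead of rounding
]


def run_parallel_simulation(live_rows=LIVE_OUTPUT, tolerance="0.00") -> list:
    """Compare each live result with the simulation and return the exceptions.

    `tolerance` lets the auditor set a materiality threshold (for example one
    cent of rounding) below which differences are not reported, while logic
    errors such as a wrong discount band still surface.
    """
    tolerance = Decimal(tolerance)
    exceptions = []
    for invoice, gross, days, live_net in live_rows:
        expected = simulate_net(gross, days)
        difference = Decimal(live_net) - expected
        if abs(difference) > tolerance:
            exceptions.append({
                "invoice": invoice,
                "live": Decimal(live_net),
                "simulated": expected,
                "difference": difference,
            })
    return exceptions


def exception_invoices(tolerance="0.00") -> list:
    """Invoice numbers of all exceptions at the given tolerance."""
    return [exc["invoice"] for exc in run_parallel_simulation(tolerance=tolerance)]


if __name__ == "__main__":
    for exc in run_parallel_simulation():
        print(f"{exc['invoice']}: live {exc['live']} vs simulated {exc['simulated']} "
              f"(difference {exc['difference']})")
```

Every exception is then followed up against the live program’s source or specification; here INV-1004 points to an off-by-one in the discount band boundary and INV-1005 to truncation rather than rounding.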

CAATs Case Study

As part of your purchase of this book, you have been given access to an educational version of IDEA® – Data Analysis software. This software can improve your audit performance and extend your capabilities with IDEA’s powerful functionality. With IDEA®, you can lower your cost of analysis, add more quality to your work, and meet the new professional requirements regarding fraud and internal control. IDEA® can read, display, analyze, manipulate, sample and extract from data files from almost any source including reports printed to a file. Included with this version is a combination of extensive HTML-based Help, Information User’s Guide and a tutorial including a CAATs case study. IDEA® is a registered trademark of CaseWare International Inc. The link to the software is https://www.caseware.com/IDEACDBook1

CHAPTER 30

Auditing Security and Privacy

Learning objectives

After studying this chapter, you should be able to:
➤ Outline briefly the major computer security risk areas and preferred security mechanisms
➤ Explain the criteria for effective security
➤ Describe the basic building blocks of operational environments and operating systems
➤ Select the appropriate methodology for reviewing computer security
➤ Describe the current legislative situation regarding IT privacy

Security

IIA Practice Advisory 2100-2: Information Security provides guidance as to the responsibility of internal audit for evaluating information security and associated risk exposures. ‘The chief audit executive should determine that the internal audit activity possesses, or has access to, competent auditing resources to evaluate information security and associated risk exposures. This includes both internal and external risk exposures, including exposures relating to the organization’s relationships with outside entities.’

The first issue affecting information security is identifying who has access to the organization’s computer systems. This consists of both logical and physical access aspects and must, in general, provide support for:
➤ management;
➤ users;
➤ data processing;
➤ internal audit;
➤ external auditors; and
➤ all parties concerned who have an interest.

Criteria
Hardware, firmware and software co-exist, and an auditor cannot examine one aspect in isolation. It is the interaction of these components that provides complexity, and an auditor should look on access control as a complex exercise in risk management technology. This exercise may be aided by utilizing the features within the operating system itself, as well as security packages such as RACF, ACF2, TOP SECRET and the like. Even librarian packages controlling access to source libraries, such as LIBRARIAN or PANVALET, may help.


The overall objective is to ensure control over access to data files. This includes preventing unauthorized amendments or disclosures, and means that access to online data files, authorization of data file usage and physical security over data files become essential. The use of standard utility programs to access such data files directly must be controlled, whether by authorized users or by the members of the IT function itself. Functional capabilities within application systems must be segregated, which, in turn, means that there must be highly effective user authentication. If there is not a high degree of certainty that a user is who he/she claims to be, then the use of user profiles defining access authorities becomes ineffective.

User Authentication
IIA Practice Advisory 2100-8: The Internal Auditor’s Role in Evaluating an Organization’s Privacy Framework states the following: ‘The internal auditor can contribute to ensuring good governance and accountability by playing a role in helping an organization meet its privacy objectives. The internal auditor is uniquely positioned to evaluate the privacy framework in their organization and identify the significant risks along with the appropriate recommendations for their mitigation.’

User authentication involves gaining the assurance that a user is who he/she claims to be. Users may be authenticated by:

Something he/she knows:
➤ personal identification numbers (PINs), which are normally short and often written down; and
➤ passwords, which are any combination of letters, digits or special characters that should be:
◗ hard to guess;
◗ easy to remember;
◗ well guarded; and
◗ frequently changed.

Passwords are the most common form of user authentication, but suffer from some major drawbacks.
➤ The initial password assignment can be a problem in that, if users are not forced to change the initial password, it will generally remain unchanged and therefore remain known to the security administrator who assigned it.
➤ The system must hold a password file somewhere within itself. If this password file is not adequately protected (readable only by the authentication service, and holding salted one-way hashes rather than the passwords themselves), it becomes a separate source of vulnerability within the system.
➤ Users must remember their passwords, and this leads to short, easily guessed passwords. Longer or more difficult passwords are commonly written down and kept near the terminal where they are needed. This causes obvious problems in that someone else can find and use them.
➤ Passwords must be changed periodically to be an effective control. Passwords that remain unchanged for a long time will often become common knowledge.
➤ Users must enter their password into the system, and someone can simply watch them do it.


In a well-designed password system, the user must change the default password before it can be used. Password changes must be system-enforced and must exclude previous passwords. Passwords over communication lines must ALWAYS be encrypted. Passwords themselves must be as long as possible, contain at least one alpha and one numeric character and never be displayed on the screen.

Something he/she has:
These are usually hand-held devices such as smartcards, microchip cards or laser cards that contain user identification parameters. They operate in challenge-and-response mode: the system issues a random challenge, the user keys it into the device, and the response the device computes is keyed back into the system. They are used to establish a session, and additional random challenges may be issued during it. Because every challenge is fresh, a response recorded by an eavesdropper is of no later use. To be effective, the device must be secured at the user end. It should be emphasized that such authentication will not protect privacy and will not prevent an established session from being taken over.

Something he/she is:
Biometric measurements based on physical characteristics of the computer user include:
➤ fingerprint scanning;
➤ voice recognition;
➤ optical scanning;
➤ holographic recognition;
➤ signature recognition; and
➤ password entry rhythm.

Bypass Mechanisms
User authentication aims at confirming that a user is who he/she claims to be. These controls can be circumvented by mechanisms such as trapdoors and backdoors. These software loopholes are deliberately left in systems to permit entry that bypasses the normal authentication. They are normally hidden and used when needed; however, anyone can use them if they are aware of them and know how to activate them. Such bypass mechanisms are very popular in mainframe environments and are normally introduced by insiders, for various reasons. The systems programmers may claim they have to modify the operating system without an IPL (initial program load, that is, a restart of the system). They may want to issue operator commands from a TSO (time-sharing) terminal, or even require unlimited access at 3 a.m. Generally, these are not a good idea, for several reasons. The wrong persons may find them and, since there is usually no inbuilt security, all access controls may be bypassed. Therefore, all systems maintenance should go through change control systems, without exception. The operators, and no one else, should operate the machine, and no one should be able to bypass the security system at will.
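The password system described above, as an added example that is not part of the original text: a policy check, plus a store that keeps only salted, iterated PBKDF2 hashes (never the password), flags an administrator-assigned initial password so the first logon must replace it, and refuses reuse by testing the candidate against the retained hashes of previous passwords. The rule values (12-character minimum, five passwords of history, the iteration count) and the user names are assumptions for illustration.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 12           # assumed policy values for the example
HISTORY_DEPTH = 5
PBKDF2_ITERATIONS = 100_000


def check_policy(password):
    """Return the list of policy rules the password violates (empty means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.ascii_letters for c in password):
        problems.append("no alphabetic character")
    if not any(c in string.digits for c in password):
        problems.append("no numeric character")
    return problems


def _hash(password, salt):
    # Salted, iterated one-way hash: the stored value cannot be turned back
    # into the password, and identical passwords get different hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class PasswordStore:
    """Holds only salts and hashes; the password file never contains a password."""

    def __init__(self):
        self._users = {}

    def create_user(self, user, initial_password):
        # Administrator-assigned password: flagged so that the first logon must
        # replace it, after which the administrator no longer knows it.
        salt = os.urandom(16)
        self._users[user] = {
            "salt": salt,
            "hash": _hash(initial_password, salt),
            "must_change": True,
            "history": [],            # (salt, hash) pairs of earlier passwords
        }

    def verify(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            _hash(password, b"\x00" * 16)   # same cost for unknown users: no timing leak
            return False
        return hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])

    def authenticate(self, user, password):
        if not self.verify(user, password):
            return "denied"
        if self._users[user]["must_change"]:
            return "must_change"        # caller must route the user to change_password
        return "ok"

    def change_password(self, user, old_password, new_password):
        if not self.verify(user, old_password):
            return "denied"
        problems = check_policy(new_password)
        if problems:
            return "policy: " + ", ".join(problems)
        rec = self._users[user]
        previous = [(rec["salt"], rec["hash"])] + rec["history"]
        for salt, digest in previous:
            # Each old password has its own salt, so re-hash the candidate with it.
            if hmac.compare_digest(_hash(new_password, salt), digest):
                return "policy: password was used before"
        rec["history"] = previous[:HISTORY_DEPTH]
        rec["salt"] = os.urandom(16)
        rec["hash"] = _hash(new_password, rec["salt"])
        rec["must_change"] = False
        return "ok"


if __name__ == "__main__":
    store = PasswordStore()
    store.create_user("auditor", "Welcome2015X")
    print(store.authenticate("auditor", "Welcome2015X"))                      # must_change
    print(store.change_password("auditor", "Welcome2015X", "short1"))         # policy: ...
    print(store.change_password("auditor", "Welcome2015X", "Correct9HorseBattery"))  # ok
    print(store.authenticate("auditor", "Welcome2015X"))                      # denied
```

The iteration count is the control against the brute force attacks discussed later in this chapter: it makes each guess against a stolen password file cost as much as a real logon.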

Auditing Operating Systems
In truth, it is unlikely that an auditor will ever actually audit the operating system itself. Rather, he/she will examine the operating environment and the way in which it has been implemented and controlled. With no computer assistance available, an auditor can still look for normal controls, such as segregation of duties, authorization of work, etc. It is still possible to seek abnormalities such as excessive machine usage, regular late hours and the like. A more effective audit will involve using the computer to audit the computer. This will typically involve the use of CAATs, such as GAS (generalized audit software), specialized audit software or utilities. Before using CAATs, it is essential that an auditor knows what he/she wants to do. General browsing is expensive, does not inspire confidence and, worst of all, generally does not work. From your manual audit you should know what you want to look at, where to find it, how to get it and what you will do with it. Using CAATs in the interrogation of files can be highly effective if:
➤ you know they have not been doctored (take a copy under your own control and verify its checksum against the production file before analysis);
➤ you have the right files; and
➤ you know what you are looking at.
An auditor should basically never believe what the first printout tells him/her. Ultimately, an auditor is not there to exercise control, the manager is, and the auditor should check the controls the manager relies on.

Auditing Communications Security
Computer communications are vulnerable to a number of security threats.

Availability
Computer networks provide valuable services to their users. Users rely on these services in order to perform jobs efficiently. When services are not available, a loss in productivity and profitability results. A network may be rendered unusable by:

Flooding
A server is attacked by bombarding it with transmissions at a rate that it cannot cope with. Hostile transmissions may be hidden within the flood, which can then attack the targeted system while it is struggling to keep up.

Eavesdropping and session takeover
An intruder eavesdrops on a connection session and, before the connection is completed, inserts spurious transmissions into the stream in order to take over the connection. Strictly, this is a hijacking attack rather than mere listening: the legitimate user loses the session and the intruder gains it, with whatever access had already been authenticated.

Viruses
A virus can slow down or cripple a computer system. Viruses are self-replicating pieces of software that spread by infecting a host program.

Logic bombs
A software logic bomb, sometimes called a time bomb, is a hostile software fragment or program set to inflict damage under certain conditions.

Spam
Spam is unsolicited junk mail that mainly originates with individuals who have mass e-mail lists and who use them for random mailings. Most spam in South Africa offers pornographic material, pyramid selling schemes, chain letter schemes or bogus drug offers. Individuals should never reply to spam. By replying, they simply confirm that they are active users, which can lead to further attacks.

Hostile programs
Mini-programs (applets), such as Java or ActiveX components, are usually used to create moving images or for other innocuous reasons. Some of these, however, may have a more sinister purpose. The activities of hostile applets have ranged from the redirection of telephone calls to overseas or premium-charged numbers all the way up to the diversion of banking funds.

Threats to Confidentiality
There are four common ways that confidentiality may be breached.
➤ Information may be disclosed as a result of impersonation, an intruder misrepresenting himself/herself as someone else.
➤ Performing traffic analysis on communications networks may compromise information. By analyzing the timing and frequency of communications, a great deal about the purpose of the activity may be revealed, even when the content itself is encrypted.
➤ Information may be disclosed as a result of monitoring or tampering with communications, either by logically intercepting the messages with network or packet sniffers, which capture packets circulating through the network, or by tapping the communication medium itself.
➤ A security breach in a communications partner may occur in a network other than the one controlled by the user, but may still result in that user’s system being compromised.

Threats to Data Integrity
➤ Loss of confidentiality may also lead to loss of integrity.
➤ Information may be modified as a result of an impersonation, as noted above.
➤ Information may be changed as a result of interfering with the communications medium, permitting the destroying, corrupting, substituting, replaying or resequencing of transmitted information.
➤ Information may be modified as a result of a security breach in someone else’s remote system.
Spoofing (Masquerade Attacks)
Spoofing may occur if an attacker can convince a trusted network that his/her computer is a valid host on the internal network. Alternatively, by compromising a domain name server for a valid domain, an attacker can route all messages for that domain to him-/herself.

Playback of a Recording (Replay)
A replay attack involves the recording of an authentication session and then playing it back into the system. It succeeds whenever the proof of identity is the same every time (a static password sent over the line) and fails against schemes in which the system issues a fresh, single-use challenge for every session.
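Challenge-and-response authentication with a hand-held device, and the replay attack just described, as an added example that is not part of the original text. The device and the server share a secret; the server issues a random, single-use challenge with a validity window and accepts only the HMAC of that challenge. The scenario records a genuine logon and plays it back. The user name, the 60-second window and the choice of HMAC-SHA256 are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time


class Token:
    """The hand-held device: holds the per-user secret and answers challenges."""

    def __init__(self, secret):
        self._secret = secret

    def respond(self, challenge):
        return hmac.new(self._secret, challenge, hashlib.sha256).hexdigest()


class AuthServer:
    def __init__(self, ttl_seconds=60):
        self._secrets = {}          # user -> shared secret (assumed enrolled out of band)
        self._outstanding = {}      # challenge -> (user, time issued)
        self._ttl = ttl_seconds

    def enrol(self, user, secret):
        self._secrets[user] = secret

    def issue_challenge(self, user, now=None):
        challenge = os.urandom(16)  # fresh and unpredictable every time
        self._outstanding[challenge] = (user, time.time() if now is None else now)
        return challenge

    def verify(self, user, challenge, response, now=None):
        # pop(): a challenge is consumed on first use, whether or not it succeeds,
        # so a recorded (challenge, response) pair can never be accepted twice.
        issued = self._outstanding.pop(challenge, None)
        if issued is None or issued[0] != user:
            return False
        issued_user, issued_at = issued
        if (time.time() if now is None else now) - issued_at > self._ttl:
            return False
        expected = hmac.new(self._secrets[user], challenge, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def run_scenario():
    """Genuine logon, then the attacks; returns what the server decided in each case."""
    secret = os.urandom(32)
    token, server = Token(secret), AuthServer(ttl_seconds=60)
    server.enrol("alice", secret)

    # Legitimate logon, observed by an eavesdropper who records both halves.
    challenge = server.issue_challenge("alice", now=1000.0)
    response = token.respond(challenge)
    recorded = (challenge, response)
    genuine = server.verify("alice", challenge, response, now=1001.0)

    # Replay: the recording is played straight back.
    replayed = server.verify("alice", *recorded, now=1002.0)

    # The attacker asks for a new challenge but has only the old response.
    fresh = server.issue_challenge("alice", now=1003.0)
    wrong_challenge = server.verify("alice", fresh, recorded[1], now=1004.0)

    # A correct response delivered after the validity window is also refused.
    late = server.issue_challenge("alice", now=2000.0)
    expired = server.verify("alice", late, token.respond(late), now=2100.0)

    return {"genuine": genuine, "replayed": replayed,
            "wrong_challenge": wrong_challenge, "expired": expired}


if __name__ == "__main__":
    for case, accepted in run_scenario().items():
        print(f"{case}: {'accepted' if accepted else 'refused'}")
```

Note what this does and does not protect: the recording is worthless, but nothing here stops an intruder from taking over the session once it is established, which is why the chapter says the device must be secured at the user end and that such authentication does not by itself prevent session takeover.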


Password Capture
Impersonation using someone else’s user identification and password is becoming increasingly common. Passwords can be obtained from a variety of sources: in clear by keystroke-recording software or by a packet sniffer on an unencrypted line, and in hashed or encrypted form from unprotected data directories, after which they can be attacked off-line at leisure.

Brute Force Attacks
With the speed of today’s computers, brute force attacks, which use repeated guesses to try to crack a password, are comparatively easy. A 6-character password including numeric and alpha characters (62^6, about 5.7 × 10^10 combinations) used to be considered comparatively safe. Against a fast, unsalted hash an ordinary PC now exhausts that keyspace in hours and a single graphics card in minutes. Length is what defeats brute force, together with a slow, salted hashing scheme for the stored passwords and a limit on the rate of on-line guesses.

Log Tampering
An attacker may be able to destroy or modify log or audit trail evidence if the files are not properly protected. Logs should be written to a system the attacker cannot reach with the access he/she has already gained, and kept in a form in which alteration, deletion or truncation can be detected.

Libel and Contentious Material
In the past, libelous chain letters were not unknown. Today’s equivalent is defamatory e-mail. This can leave an organization open to a lawsuit because of a defamatory statement by an employee. You need to know precisely what users are doing with your e-mail system. You should have a defined policy about the nature of any materials transmitted from within your system to the outside world and vice versa.

Loss of Intellectual Property
Could someone take your knowledge for nothing? If a computer displays or makes available materials or data that are felt to be valuable to the organization, steps must be taken to protect that material.
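One way to make log tampering detectable, added here as an example that is not part of the original text: each record’s digest covers the previous digest, so altering or removing a record breaks every link after it, and the last digest (a checkpoint) retained off-host by the auditor exposes truncation of the tail. The sample audit-trail records, their field names and the key are constructed for the example. The key must live on the log host or with the auditor, away from the system being logged; an insider who obtains it can re-chain only records appended after the last retained checkpoint, because any change before it alters the digest the checkpoint pins.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64   # digest "before" the first record


def _digest(key, prev_digest, record):
    # Each link binds the record to everything that came before it.
    payload = prev_digest + "\n" + json.dumps(record, sort_keys=True)
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


class ChainedLog:
    """Append-only log in which every entry carries a keyed digest of the chain so far."""

    def __init__(self, key):
        self._key = key
        self.entries = []            # each entry: {"record": ..., "digest": ...}

    def append(self, record):
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        self.entries.append({"record": record, "digest": _digest(self._key, prev, record)})
        return self.entries[-1]["digest"]   # the auditor retains this as a checkpoint


def verify_chain(key, entries, expected_last=None):
    """Walk the chain; return (ok, problem).  expected_last is the retained checkpoint."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if not hmac.compare_digest(_digest(key, prev, entry["record"]), entry["digest"]):
            return False, f"entry {i} altered or removed"
        prev = entry["digest"]
    if expected_last is not None and not hmac.compare_digest(prev, expected_last):
        return False, "log truncated: last digest does not match the retained checkpoint"
    return True, None


# Constructed sample audit-trail records (not real data).
SAMPLE = [
    {"ts": "2015-04-16T03:02:11", "user": "sysprog1", "event": "LOGON", "src": "TSO"},
    {"ts": "2015-04-16T03:05:40", "user": "sysprog1", "event": "SETPRIV", "detail": "RACF SPECIAL granted"},
    {"ts": "2015-04-16T03:07:02", "user": "sysprog1", "event": "DATASET_READ", "detail": "PAYROLL.MASTER"},
    {"ts": "2015-04-16T03:09:55", "user": "sysprog1", "event": "LOGOFF"},
]


def run_scenario(key=b"assumed-key-held-by-the-log-host"):
    """Build the chain, then try the three things an attacker would do to the file."""
    log = ChainedLog(key)
    checkpoint = None
    for rec in SAMPLE:
        checkpoint = log.append(rec)

    edited = copy.deepcopy(log.entries)
    edited[1]["record"]["detail"] = "password changed"      # rewrite the privilege grant
    deleted = copy.deepcopy(log.entries)
    del deleted[2]                                           # remove the payroll read
    truncated = copy.deepcopy(log.entries[:-1])              # drop the tail of the file

    return {
        "intact": verify_chain(key, log.entries, checkpoint),
        "edited": verify_chain(key, edited, checkpoint),
        "deleted": verify_chain(key, deleted, checkpoint),
        "truncated": verify_chain(key, truncated, checkpoint),
    }


if __name__ == "__main__":
    for case, (ok, problem) in run_scenario().items():
        print(f"{case}: {'ok' if ok else problem}")
```

Checking the chain is also the practical answer to the earlier point that files used for CAATs interrogation must be known not to have been doctored: verify against the retained checkpoint before analysing the extract.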


Chapter 31: Disaster Recovery and Business Continuity Planning

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the distinguishing characteristics of the various types of contingency plans
➤ Define the roles and responsibilities in producing a contingency plan
➤ Describe the internal audit role and strategies for auditing contingency planning
➤ Evaluate and test a corporate contingency plan

Disasters: ‘Before and After’
Perhaps the best-prepared organizations are the ones who have lived through a calamity. Among the risks of disasters faced by an organization daily are:
➤ fire;
➤ floods;
➤ earthquakes and/or tornadoes;
➤ building collapse;
➤ explosion;
➤ industrial failure;
➤ power failure;
➤ loss of data;
➤ deliberate sabotage;
➤ computer abuse;
➤ deliberate action by staff;
➤ ‘hacking’ into systems;
➤ Internet penetration; and
➤ EDI abuse.
As you can see, many of these risks have nothing to do with computer systems, but affect the enterprise as a whole. There is a tendency to focus on the information systems to the exclusion of everything else within an organization, and this is as dangerous as not looking at contingency planning at all. Disasters may be grouped in four basic categories, as Table 31.1 shows. In all these cases, a different approach to disaster recovery planning is required. A plan for evacuation of the building is inappropriate if the disaster involves the loss of a small but vital file. On the other hand, a disaster on the scale of the 11 September 2001 attack on the Twin Towers of the World Trade Center in New York, which led to the complete collapse of both buildings within two hours, with the loss of thousands of lives, and the destruction of the business entities occupying the buildings, their complete records, information systems and equipment, may not be possible to recover from, no matter how effective a disaster recovery and business continuity plan an organization may have developed. However, it is noteworthy that the New York Stock Exchange, located close to the Twin Towers and badly affected by the destruction of electricity supplies and disruption of communication links in that part of the city, restored its communications and restarted trading around the world within a week of the disaster (trading resumed on 17 September 2001).

Table 31.1: Types of disasters

DISASTER TYPE A
Potential loss: people; buildings; factories; finance; credibility; materials; computers.
Causes: explosion; aircraft crash; fire completely destroying the building and contents; flood; industrial action; earthquake; sabotage; sanctions.

DISASTER TYPE B
Potential loss: hardware; software; in-house data; temporary loss.
Causes: explosion; fire; flood; industrial action.

DISASTER TYPE C
Potential loss: software loss and the inability to recover in-house data.
Causes: explosion; fire; flood; freak atmospheric force, earthquakes, tornadoes; deliberate destruction; bad systems design; poor operating standards.

DISASTER TYPE D
Potential loss: software – partial loss only, and the inability to recover.
Causes: computer operational error; deliberate destruction; bad systems design; poor operating standards.


Disaster recovery plans must therefore be capable of responding to a variety of ‘disasters’ and providing optimal solutions for each.

Consequences of Disruption
The consequences of disruption may include delays in invoicing leading to loss of revenues, lost interest, lost current sales and lost future business, as well as additional costs incurred because of the extra staffing and overtime required to reprocess lost data. Loss of discounts and increased interest on loans may also occur, as may general inefficiency. From a production control perspective in a manufacturing company, problems would typically include lost production and schedule disruption, while, from a legal perspective, penalty clauses for failing to meet supply contracts could jeopardize the whole enterprise. At minimum, there would be ill will generated among customers, shareholders and staff. The different levels of preparedness for a disaster may be categorized as in Table 31.2.

Table 31.2: Levels of preparedness for a disaster
Poor: Organization highly vulnerable to damage to its data processing capability; could jeopardize corporate survival.
Weak: Disaster would result in conspicuous interruption of IT services and could result in loss of business.
Adequate: Organization could recover from the loss of computer capabilities at some cost and public embarrassment.
Good: Organization could recover from the loss of computing capability with some cost but little embarrassment.
Very good: Organization is ready for virtually any eventuality. Disaster should have no material impact on the business.

Where to Start
IIA Practice Advisory 2110-2: The Internal Auditor’s Role in the Business Continuity Process provides guidance as to the role of an internal auditor in assessing the organization’s disaster recovery plan (DRP) and business continuity process (BCP) planning. The principle is as follows: ‘Internal auditing activity should assess the organization’s business continuity planning process on a regular basis to ensure that senior management is aware of the state of disaster preparedness.’

As with any other form of business analysis, the beginning involves understanding the business. In DRP terms this means modeling the business, identifying data flow and dependencies and identifying the critical systems as well as any dependent systems (including manual ones).


For the purposes of this book, we will use the loss of computing capability as an example of such a disaster. For most modern organizations, IT is an essential, although not the only, corporate resource. The techniques described apply equally to any other form of disaster situation. Computer systems may be identified by type, for example by operating objectives. Systems may be centralized, distributed or stand-alone and may also be real-time, online or batch processes. These can then be assigned degrees of priority based upon their business loss rating, the alternative service level required or the maximum down-time tolerable. Systems may be categorized by the impact of stoppage and by identifying any essential interfacing systems (computer and manual). Once systems have been prioritized, all systems, including manual ones, must be documented. Relationships must be identified and the impact of stoppage quantified. A factor commonly overlooked is ensuring that alternative accommodation for people, stationery supplies, office equipment and interim control procedures have been identified. Data used within each system needs to be graded by application and therefore by strategic importance, as well as by alternative method of sourcing and degree of pain in loss. In a comprehensive plan, data may even be rated by potential disruption period. Each application is therefore graded, although not all of its data is of equal importance or priority.

Disaster Recovery Processes in Place
It is important to establish:
➤ the minimum configuration required;
➤ whether continuity agreements with vendors exist;
➤ if back-up procedures have been agreed and are implemented;
➤ if there is compatibility of equipment and computer hardware;
➤ if there is compatibility of firmware;
➤ if security arrangements have been agreed; and
➤ if testing of off-site hardware back-up arrangements is carried out regularly (and successfully, which means restoring from the back-up copies and confirming the restored data is complete, not merely confirming the copies exist).
In addition, controls such as redundant hardware (ie hardware in excess of current requirements), dual controllers for peripheral devices, switchable communications capabilities and duplicated communications lines should be considered. Uninterruptible power supply (UPS) systems and standby generators will help in preventing power problems from becoming fully-fledged disasters.

Testing the Disaster Recovery Plan
In order to carry out a successful test of the disaster recovery plan, management needs must be fully defined and approved. The plan must cover all in-house and third-party risks and must define all ‘retained’ risks. This is recognized in the extensive guidance provided in IIA Practice Advisory 2100-6: Control and Audit Implications of e-Commerce Activities.


‘The internal auditor should review the business continuity plan and determine if it has been tested. Management should have devised an alternative means to process the transactions in the event of an interruption. Management should have a process in place to address the following potential conditions:
➤ Volume attacks
➤ Denial of service attacks
➤ Inadequacies in interfacing between e-commerce and financial management systems
➤ Back-up facilities
➤ Strategies to counter: hacking, intrusion, cracking, viruses, worms, Trojan horses, and back doors.’

Auditing the Disaster Recovery Plan
This involves investigating and evaluating:
➤ policies;
➤ the application systems covered;
➤ the user data defined;
➤ the hardware required;
➤ the systems software needed; and
➤ the realism of the testing.
Overall, an auditor must evaluate the probability of business continuity.

Disaster Recovery Plan Maintenance
The auditor must also be satisfied that the plan itself will be kept up to date and appropriate as the organization and business operations change over time. This means that the auditor must be satisfied that the plan includes arrangements and procedures that:
➤ ensure responsibility for plan maintenance;
➤ ensure management is kept informed;
➤ ensure the master copy of the plan is secure for use in an emergency; and
➤ ensure copies distributed to key personnel are kept up to date and secure.

Business Continuity Planning

Management Responsibility for Business Continuity
The King II Report stressed the importance of risk-based management being located at board level. As a result, the concept of business continuity management (BCM) as a board-level responsibility has become a focal point for many organizations. The first stage of the planning process has to be an acceptance by the board of the organization that BCM is a valid approach to take. It is critical that a specific member of the board accepts overall responsibility for the risk management process and acts as sponsor or champion. This ensures that the process will achieve the appropriate level of importance in the organization. At the operational level, a single overall co-ordinator must be appointed to report directly to the sponsor. This key role requires a mixture of business skills and people skills, as the job calls for good project management and a high degree of communication and interpersonal skills. One of the major roles of the co-ordinator is to ensure that management at all levels understands the rationale behind the plan so that it becomes an integral part of each manager’s normal responsibilities. The co-ordinator can achieve the overall objective by following a predefined methodology.

Understanding the Business
BCM is essentially about understanding the nature of the business and being able to establish what is critical for its survival and ongoing good health. The foundation for the plan is therefore a comprehensive analysis of the business. If this goes astray, the whole business continuity plan and therefore corporate survival may be jeopardized. The analysis is designed to identify:
➤ the primary business objectives of the organization;
➤ the methodology and choice of resource allocation by management to achieve those objectives;
➤ the major role players and their part in ensuring the ongoing conduct of the business of the organization; and
➤ the timing chosen by management.
The success of the business is dependent on a variety of factors, some internal and some external. Externally, government regulations, actions by competitors, and positions taken by unions and pressure groups can all have an influence. Customers, shareholders and suppliers will also play their part. Internally, the success or failure of the organization rests heavily on its internal control structures and its use of the right IT systems. The broader the key relationships and back-up resources that each co-ordinator can identify and provide for in the continuity plan, the greater the chance of an effective plan being devised.

Business Impact Analysis
Once the critical processes and functions have been established, the co-ordinator must work out the impact, if any, the disruption of these functions and processes could have on the achievement of the corporate objectives. Each individual business process may be vulnerable to a number of threats and risks, which must be considered when conducting the overall impact analysis. Although the organization may face a great number and variety of risks, the impacts are normally few in number. For example, should the computerized operations be disrupted owing to lack of power, it becomes irrelevant at this stage whether the shortage of power was caused by a power cut, a strike or a blown fuse. The net effect is still the same and the impact on the business is still the loss of computing power. For this reason, the business impact analysis concentrates on the impact of the risks to the business rather than specific causes of the risks. The process must also take into consideration the time sensitivity of individual business functions as part of their vulnerability to disruption, since this will affect the prioritization of their recovery. All those involved in the critical processes should have input to the analysis. Generally, such processes cross functional or divisional boundaries and consensus must be reached on the analysis.


Once the analysis has been conducted, the co-ordinator should seek agreement at board level from the sponsor on the results of the analysis. Once approval has been granted, the process may continue to the next stage.

Risk Assessment
After the impact of various disaster scenarios on the business has been established, a risk assessment is carried out to determine, for both the internal and external threats, the likelihood of occurrence. There are many methodologies for carrying out such a risk assessment and the co-ordinator should select the appropriate methodology for the specific organization. By combining the results of the risk assessment and business impact analysis, a ranking may be achieved illustrating the most critical areas to be addressed as part of the continuity strategy. Once again, approval from both the sponsor and the board must be sought.

Continuity Strategies
Having identified those areas where the organization is most at risk, a decision has to be made as to what approach is to be taken to protect the operation. With the guidance of King II, this decision must be taken at board level. Many possible responses to risk exist, and usually any strategy adopted will consist of a number of these approaches. Whichever are chosen, there are certain alternatives to bear in mind, as Table 31.3 indicates.

Table 31.3: Approaches to risk management

Option: Do nothing
Reason for choosing option: In some instances the board may consider the risk commercially acceptable.

Option: Changing or ending the process
Reason for choosing option: Deciding to alter existing procedures must be done bearing in mind the organization’s key focus.

Option: Insurance
Reason for choosing option: Provides financial recompense/support in the event of loss, but does not provide protection for brand and reputation or for customer defection.

Option: Loss mitigation
Reason for choosing option: Tangible procedures exist to eliminate/reduce risk.

Option: Business continuity planning
Reason for choosing option: An approach that seeks to improve organizational resilience to interruption, allowing for the rapid recovery of key business and systems processes, whilst maintaining the organization’s critical functions.

The strategy chosen must recognize the internal and external dependencies of the organization and all management members involved should agree to it.

Developing the Response
This stage involves both developing the detailed response to an incident and the formulation of the disaster recovery plans that support that response. This process is based upon inputs derived from the analyses previously carried out and would use the business continuity strategies agreed with executive management.

Emergency Response
This phase covers the development, testing and implementation of procedures for responding to an emergency and stabilizing the situation following an incident. At this stage also, co-ordination may be achieved with the emergency services in order to clarify their powers, roles and responsibilities in the event of an emergency. Detailed steps must be designed in order to ensure the initial assessment of the impact is carried out and that, for the protection of personnel, decisions are made under the overall direction of the emergency plan. One commonly omitted step within the overall emergency response is the determination of the appropriate actions to be taken in order to salvage whatever is salvageable and to determine the actual extent of the emergency. This includes identification of those tasks to be taken immediately to mitigate losses and to salvage whatever is possible.

Developing Business Continuity Plans
The kernel of the BCM process is the development of a business continuity plan. This document consolidates:
➤ the actions to be taken at the time of an incident;
➤ the timing of the actions;
➤ who is involved; and
➤ how they are to be contacted.
As such, it is critical that the plan be up to date and known. The plan itself should include the definition of the organization’s view of what constitutes a disaster as opposed to a normal interruption in processing. The individual authorized to declare a disaster must be named. In addition, escalation procedures will be required to attempt to contain an emergency that continues for a long time. Also contained within the plan should be the description, responsibilities and organization of the recovery teams, including the support staff required.
At some point in the process, the organization will want to change over from the emergency response plan to the business continuity plan, and this phase must be facilitated. The draft plan should be appropriate for the organizational risks. Further plans may be required at the departmental or functional level. Should this be the case, it is critical that these are aligned with the overall corporate plan. An organization is a dynamic entity and the plan should reflect this dynamism. This means that ongoing maintenance should be seen as a normal part of the planning process and mechanisms to make changes to the plan should be designed at an early stage. In summary, the plan must define the business continuity procedures covering the mission-critical processes and functions of the organization. It must specify what the key resources are and what processes are to be followed to recover these resources and provide continuity to the business.

292

Internal_Auditing.indb 292

16/04/2015 11:13

DISASTER RECOVERY AND BUSINESS CONTINUITY PLANNING

Establishing a Business Continuity Culture
The success of BCM depends on the successful implementation, across the entire organization, of any recommendations made to normal procedures to ensure continuity. A comprehensive program of training for those directly involved in the execution of the plan is essential. An overall education process must be executed to ensure company-wide awareness and understanding of the plan and the implications should the plan not be successful. Employees at all levels, from executive management down, must commit themselves to the implementation of the strategies and tactics that form the foundation for the plan. Training exercises must be built in that carry out the individual phases of the plan under both normal and emergency conditions. It is the confidence that individuals and the organization can handle a crisis that entrenches a continuity culture within a company.

Testing the Business Continuity Plan
A business continuity plan cannot be relied on until it has been fully tested and proved to be effective. This is especially true given the impact of failure of the plan. Testing should cover both verification that the plan is achievable and familiarization of staff with their role in the implementation of the plan. The testing must be carried out on a regular basis and the frequency would be dependent on the perception of business risk within the environment of the organization. Normally, annual testing would be taken to be a minimum, although, where corporate risk is evaluated at a higher level, more frequent testing may be required.

Maintenance of the Plan
A process must be established whereby the co-ordinator is informed of any significant changes in the business environment so that he/she can incorporate them into the plan. Effective change control procedures are required to ensure that all distributed copies of the plan remain current.
Auditing the Plan
The final stage of the planning process is the conducting of an audit to ensure that the process itself remains appropriate and up to date with current continuity management practice. This should be carried out by internal audit in order to ensure objectivity. The frequency of the audit will be dependent on the volatility of the plan and the speed of change within the operational environment of the organization.


Chapter 32: Auditing e-Commerce and the Internet

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the distinguishing characteristics of e-commerce
➤ Quantify the unique risks inherent in such an environment and select appropriate control techniques
➤ Discuss the legal and contractual framework required to implement corporate e-commerce effectively
➤ Discuss the impact of e-commerce on the internal audit paradigm
➤ Outline briefly the history and growth of the Internet
➤ Describe the major risk sources from the Internet and the appropriate control mechanisms
➤ Explain the fundamentals behind the development and use of advanced encryption techniques
➤ Define the strengths and weaknesses of firewalls
➤ Develop an appropriate audit program for using the Internet

Changing the World
Electronic commerce technologies are rapidly changing the business world, as well as the rules and conditions under which business is transacted. Accordingly, auditors and accountants must be aware of how technology affects their business, their industry and related industries, the legal and regulatory environment, and their profession. The most current and relevant information on new and emerging electronic commerce issues, technologies and approaches is probably on the World Wide Web. However, finding and keeping up with these changes is a significant challenge. Key technologies and their uses and impacts addressed include but are not limited to:
➤ electronic data interchange (EDI);
➤ electronic funds transfer (EFT);
➤ electronic benefits transfer (EBT);
➤ the Internet;
➤ the World Wide Web (WWW, W3 or the Web);
➤ electronic trust and security;
➤ legal issues;
➤ effects on global economies;
➤ educational implications; and
➤ effects on accounting and auditing standards.


AUDITING e-COMMERCE AND THE INTERNET

e-Commerce

What is e-Commerce?
At its simplest, electronic commerce (e-commerce) is the process of doing business electronically. It encompasses automating a variety of business-to-business and business-to-consumer transactions through reliable and secure connections. Organizational structures and cultures must be realigned as e-commerce is implemented. Similarly, policies, procedures and practices will have to be reformulated to accommodate the movement to e-commerce.

Impact on Accounting and Auditing
IIA Practice Advisory 2100-6: Control and Audit Implications of e-Commerce Activities provides the following guidance for an internal auditor employed or engaged in organizations using e-commerce in the conduct of their business operations.

‘The e-commerce risk and control environment is complex and evolving. Risk can be defined as the uncertainty of an event occurring that could have a negative impact on the achievement of objectives. Risk is inherent to every business or government entity. Opportunity risks assumed by management are often drivers of organizational activities. Beyond these opportunities may be threats and other dangers that are not clearly understood and fully evaluated and too easily accepted as part of doing business. In striving to manage risk, it is essential to have an understanding of risk elements. It is also important to be aware of new threats and changes in technology that open new vulnerabilities in information security.’

The advent of e-commerce affects the core elements of accounting and auditing – the practices, techniques, skill and knowledge requirements, liabilities and services offered. Historical control models address mainly internal controls and the processes for assuring their effectiveness. With e-commerce, the control model spans the globe, and assurance processes range from internal systems and network administration to having to rely on a trust model of second and third parties that may be otherwise unknown to the organization. Furthermore, the sheer quantity of transactions and their total financial value can be huge. This being the case, the providers of assurance services (accountants and auditors) are challenged to find new and different means of making assurance possible.

The Changing Business Environment
Changes are occurring in the following business areas, among others:
➤ business structure and organization;
➤ business location;
➤ distribution channels;
➤ forms and means of conducting business (sales);
➤ relationships with trading partners and customers;
➤ revenue recognition;
➤ payment processes;


INTERNAL AUDITING: AN INTEGRATED APPROACH

➤ tax accounting and payment;
➤ information resources management;
➤ consolidation of data from diverse sources;
➤ data warehousing/mining;
➤ application of new knowledge; and
➤ relationships with software vendors.
Each area of change requires that accountants and auditors review the basic premises and activities of the business and assess the effects on risk management and related controls. The new techniques, risks and controls are vastly different from the business processes they are supplanting. At the same time, organization management at all levels will find they have new responsibilities to ensure control objectives are met and can be measured and assessed using all the new tools and techniques – many of which did not exist as short a time as one year before.

Technology
The accounting profession provided the first applications of business automation with electronic accounting machinery (ie the calculator). But soon the technology spread beyond accounting applications and into every area of business, information and process management. At the same time, the auditing profession began to recognize the need for information systems and technology specialists that would expand audit practices into assessment of controls that did not previously exist, but were increasingly to be found at the heart of issues surrounding the reliability and integrity of information in every organization. Today, the accounting profession needs technology specialists not only to implement advanced accounting systems, but also to oversee the accounting for assets controlled by the technology, as well as the assets that the technology itself represents. Similarly, the auditing profession has developed the requirement for highly specialized technologists to support virtually all auditing techniques, and to assess controls within the detailed environments that manage complex risks.
Today, the CA, the CIA and the CISA must share both knowledge and responsibilities as they evaluate and assess the technologies and applications of:
➤ digital/electronic signatures;
➤ data exchange protocols;
➤ secure electronic transactions (SETs);
➤ secure socket layers (SSLs);
➤ electronic licensing and security initiative (ELSI);
➤ encryption;
➤ public and private keys;
➤ key generation;
➤ key management (and custodianship);
➤ public and private key infrastructures (PKIs);
➤ token transactions;
➤ smartcards;
➤ electronic cash (Mondex, e-cash tokens);
➤ point of sale, and much more.



Example Audit and Control Issues in EDI
EDI provides a good example of where we have come from in e-commerce, and offers insight into our future with Internet-based e-commerce. Assessing controls and providing assurance in an EDI environment is at best a multiparty activity. An internal audit within an organization may provide little or no value in assessing the reliability of control environments of outside business partners and the EDI network. Second- and third-party reviews may assess the business partners and networks, but other elements of control may evade such assessments. Moreover, if third-party assurances, as provided by encryption service providers and key management activities, are judged adequate at a particular point in time, they may still be invalidated some time in the future by the constant changes in technology. Many control issues have been central to EDI for roughly 30 years, but management and auditors still have difficulty assuring the integrity of this environment. Examples include the following:
➤ Audit trails: Although EDI may generate lots of paper, the original transaction is paperless and the official evidence is electronic. Electronic evidence continues to present a moving target in terms of reliability and non-repudiation.
➤ Business continuity: As transactions migrate to the EDI format, reliance on outside parties increases. Security for computer systems and networks continues to evolve, but there is still no generally accepted control model for EDI systems and network security, or for back-up, recovery and processing continuity.
➤ Information security and privacy: EDI transactions passing through third-party networks are exposed to unauthorized access. Again, there is no standard control model for such risks within this constantly changing environment.
➤ Potential legal liability: Despite agreements being established to assure protection of information, even the audits conducted by and for other trading partners could represent potential legal liability for an organization. And control weaknesses in business partners’ environments represent continuous, although probably unknown, threats.
➤ Records retention: Electronic records retention controls require a consistently applied and fully recoverable technology environment. Again, standards may be difficult to identify and assess.
➤ Segregation of duties: Appropriate division of duties in an EDI environment can be achieved, but can also be compromised by seemingly unrelated events and activities.
As these examples from the relatively mature EDI environment illustrate, it is growing more difficult to assess controls and provide assurances by relying on traditional accounting and auditing techniques and practices. Auditors and accountants must apply techniques to focus not only on the messages managed within EDI, but also on the processes and technologies that provide authentication and assurance against security breaches.



The Impact on Auditing and Audits

Legal issues
The Internet has few, if any, physical boundaries. The sheer number of potential business partners and customers on the Net makes it a desirable and viable alternative to traditional commerce methods. Its use, however, raises a host of legal issues that will have to be resolved within an infrastructure and/or in the courts. In July 1997, the Clinton administration in the US released A Framework for Global Electronic Commerce.58 It defines the US position in critical areas of e-commerce and frames the major issues of the information age. Significantly, a main thrust of the administration’s policy is self-regulation, not government regulation. In addition to the findings and recommendations contained in this framework, a number of other legal issues present themselves for consideration when examining and assessing e-commerce risks and risk management:
➤ different intellectual property laws in different jurisdictions;
➤ situs (location, jurisdiction) for law and the initiation of any legal remedies;
➤ product liability and related claims made against organizations within the country in which the product is sold (in e-commerce, this becomes more difficult);
➤ contract enforcement, and the legality of the language used in the contract, in the jurisdiction in which the product is sold (in addition, the laws of non-repudiation must be addressed in electronic contracts);
➤ enforceability of the debt, particularly the currency of sale and debt collection laws;
➤ copyright laws and their enforcement in various countries;
➤ confidentiality of commercial contracts, transactions and related data transmitted over various networks; and
➤ ‘contractual agreement’ vs ‘offer to treat’.

Financial issues
Just as legal issues promise to bring global dimensions to e-commerce risk management and control assessment, numerous financial issues must also be addressed.
Consider: taxes, duties, import fees (particularly soft goods such as software or music, or services such as expert opinion or advice, where the goods or services could be provided electronically and thereby become not as easily subjected to inspection and/or confiscation), the flow of capital across boundaries, etc.

Audit implications
Many auditors today pride themselves on their expertise in internal controls. For a growing number, this expertise is oriented toward controls in information systems and technology. However, highly technical and complex esoteric systems and processes provide an increasing percentage of the fundamental controls in e-commerce environments. Individuals (including auditors) who are capable of understanding the elements of control in such environments and who also understand the business, legal, financial and other implications of such controls are rare indeed. In its most simple terms, auditors will seek to verify that e-commerce environments provide:

58. Available at http://www.iitf.nist.gov/eleccomm/ecomm/htm An executive summary can be found at http://usinfo.state.gov/journals/itgic/1907/iige/gj-12.htm



Proof of:
➤ a transaction occurring;
➤ authorization for the transaction;
➤ authentication of the sender;
➤ non-repudiation of the transaction;
➤ compliance with legal requirements, laws and jurisdiction enforceability, taxation, etc; and
➤ established audit trails to review and assess transactions.
Assurance that:
➤ opportunities and risks are identified and assessed;
➤ continuous controls and monitoring are essential system design elements;
➤ auditability features provide for the use of expert systems techniques, and much more.
Or, to put it another way: there are no simple audit solutions. Fortunately, the same organizations that build and use the technologies, and the technologies themselves, will help to solve the problem of how to provide assurances in an environment of constant change.

Future Directions in e-Commerce Auditing
In short, auditors must reverse the thrust of their audit efforts. They must assume a controlled environment, and perform analytical assessments of any and all available records in search of data anomalies that suggest potential flaws in information and/or controls. Auditors must provide assurance that things are as they are expected and reported to be. In this regard, the profession is moving inside the systems and networks. Audits have long been focused on electronic information, so the most effective tools are electronic monitors and embedded intelligence. Historically, audit monitors quickly became management tools, because management processes were not mature enough to build the needed monitors into systems, networks and processes. But management will soon have to grow up in terms of e-commerce use, risk management and controls, or their businesses will fail. In the new environment, the audit process will begin with data analysis.
For electronic commerce, auditors will never have enough time to follow the traditional information systems audit approach59 of in-depth systems analysis to discover, define, assess, plan and execute tests of the controls. Consequently, they will skip these tasks and assume they are well managed by the responsible parties. (To date, system control processes have often not been managed properly, and internal audit practice has therefore usually not been aimed at the problems. As a result, audits have been aimed at the symptoms of problems that exist because management failed to enforce responsibility for controls.) The improving price/performance ratio for information processing, storage and transmission equipment will soon provide massive redundancy in data at all points of accumulation, transfer, processing and storage. Massive redundancy will become

59. See Mair, W.C., Wood, D.R. & Davis, K.W. 1982. Computer Control and Audit. Florida: Institute of Internal Auditors.



a control requirement because it is already becoming a competitive advantage. Thus, auditors will use powerful analytical engines to find anomalies in data using techniques such as voting. Audit knowledge bases, supported by expert systems, will accumulate rules and information about data patterns that can be applied on a routine basis. Audit monitoring will take place at a fairly low level until such time as patterns emerge indicating potential problems or a set of conditions not previously encountered. Only when such problems are uncovered will the audit alarm go off. When this happens, additional embedded data will be accessed, allowing automated tracking of transactions or transaction types forward and backward through the systems. Intelligence gained from human intervention will be added to the intelligent audit agents built into the systems and processes. Human auditors will need highly specialized expertise to understand and manage the embedded audit agents. A current, although somewhat elementary, example of such analysis is the application of Benford’s Law to sets of numbers. To simplify greatly, Benford’s Law states that certain patterns will always be present in natural sets of numbers (frequency of the digits in the first and succeeding positions, non-repeating, etc). Thus, applying Benford’s Law to a set of numeric transactions will quickly make the artificial transactions (ie fraudulent transactions and errors) surface. After analyzing data and identifying anomalies, the auditors will begin investigations of the circumstances that caused the anomalies. To the extent that these are control deficiencies, management will be expected to provide or repair the controls and provide evidence that they function properly. 
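The Benford’s Law screen described above, worked through as an added example (this is not code from the book): the first-digit frequencies of a set of amounts are compared with Benford’s expected proportions, log10(1 + 1/d), and the mean absolute deviation (MAD) is graded using Nigrini’s first-digit conformity cut-offs. The sample data are constructed here: a ‘natural’ population spread evenly on a log scale over five orders of magnitude, and a fabricated batch in which every amount sits just under a 5 000 approval limit. The example goes slightly beyond the text by also reporting which digits are over-represented, which is where an investigation would start.

```python
"""Benford's Law first-digit screen for a set of transaction amounts (added example)."""
import math
from collections import Counter

# Expected first-digit proportions under Benford's Law: P(d) = log10(1 + 1/d)
BENFORD_FIRST_DIGIT = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Mean absolute deviation ranges for the first-digit test (Nigrini's conformity
# cut-offs, used here as an assumption); above 0.015 is treated as nonconformity.
MAD_LIMITS = [(0.006, "close conformity"),
              (0.012, "acceptable conformity"),
              (0.015, "marginal conformity")]

# Constructed sample data (not from the book). NATURAL_AMOUNTS is a geometric
# series from 10 to just under 1 000 000, i.e. log-uniform over five decades,
# which is the kind of population Benford's Law describes. FABRICATED_AMOUNTS
# models claims kept just below a 5 000 approval limit, so every first digit is 4.
NATURAL_AMOUNTS = [10 * 10 ** (k / 200) for k in range(1000)]
FABRICATED_AMOUNTS = [4990.0 - 7 * i for i in range(50)]


def leading_digit(amount):
    """Return the first significant digit (1-9) of a non-zero finite amount, else None."""
    if not math.isfinite(amount) or amount == 0:
        return None
    # Scientific notation exposes the first significant digit whatever the magnitude
    return int(f"{abs(amount):.15e}"[0])


def benford_first_digit_test(amounts):
    """Compare observed first-digit frequencies with Benford's expectation.

    Returns the observed proportions, the MAD across the nine digits, a
    conformity label and the digits that exceed expectation by more than five
    percentage points (the natural starting point for follow-up work)."""
    digits = [d for d in map(leading_digit, amounts) if d is not None]
    if not digits:
        raise ValueError("no non-zero amounts to test")
    counts = Counter(digits)
    n = len(digits)
    observed = {d: counts.get(d, 0) / n for d in range(1, 10)}
    mad = sum(abs(observed[d] - BENFORD_FIRST_DIGIT[d]) for d in range(1, 10)) / 9
    label = "nonconformity"
    for limit, name in MAD_LIMITS:
        if mad <= limit:
            label = name
            break
    excess = [d for d in range(1, 10) if observed[d] > BENFORD_FIRST_DIGIT[d] + 0.05]
    return {"n": n, "observed": observed, "mad": mad,
            "conformity": label, "excess_digits": excess}


if __name__ == "__main__":
    for name, data in (("natural", NATURAL_AMOUNTS), ("fabricated", FABRICATED_AMOUNTS)):
        result = benford_first_digit_test(data)
        print(f"{name}: n={result['n']} MAD={result['mad']:.4f} "
              f"{result['conformity']} excess={result['excess_digits']}")
```

A set that fails the screen is not proof of fraud; amounts with a natural floor or ceiling (fixed fees, capped reimbursements) also break the pattern, so the flagged digits point the auditor at the sub-population to examine rather than at a conclusion.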
Implementation of this future audit scenario will be accelerated by increased demands on the governance level of management, increasing litigation and the increasing shortage of professionals capable of practising and willing to tolerate the current and historical approach to auditing.

Conclusion
Electronic commerce is a broad, varied and technically complex field supporting seemingly simple components. Understanding and assessing controls in this environment could well be the fabled ‘straw that breaks the camel’s back’, so auditors will be forced to apply techniques that have been used only infrequently to date. Furthermore, e-commerce will provide an avenue back to auditing through separating it from systems analysis and control consulting. This is not to imply that auditors will become any less skilled in investigation and analysis; indeed, they will become more skilled and specialized. However, responsibility for controls will become more recognizably a management function – not an audit requirement.

The Internet
The Internet has a history that stretches back into early computer history. Significant events include:
1957 – Advanced Research Projects Agency (ARPA)
1962 – packet-switching networks
1969 – ARPANET commissioned by the US Department of Defense
1970 – ARPANET starts using network control protocol (NCP)
1972 – e-mail invented by Ray Tomlinson



1973 – ARPANET goes international
1976 – UUCP developed
1979 – Usenet established
1982 – ARPA establishes TCP and IP
1983 – Internet Activities Board (IAB) established
1984 – Domain name server (DNS) introduced – 1 000 host barrier broken
1987 – UUNET founded – 10 000 host barrier broken
1988 – Internet relay chat (IRC) developed
1989 – 100 000 host barrier broken
1990 – ARPANET ceases to exist
1991 – PGP developed – 1 trillion bytes per month/10 billion packets per month
1992 – Internet Society (ISOC) is chartered – 1 million hosts
1993 – WWW growing at 341.634 per cent per year
1994 – Shopping centers trade on the Internet
1995 – Search engines are the ‘technology of the year’
1996 – Internet 1996 World Exposition
1997 – Bill Gates nominates 1997 ‘The Year of the Internet’

From this it can be seen that the Internet has grown in a largely uncontrolled manner at an exponential rate. As a tool it is, perhaps, unrivalled as an information repository. It is, however, a potentially unreliable source of information, since the source and accuracy cannot be guaranteed. Some data will be correct, some misleading and some wrong. Initially, Internet information was extremely unfriendly. There were no search engines. Most of the useful Internet information was on ftp (file transfer protocol) sites. The user needed to know the address of the ftp site required. To get hold of the information, knowledge of the Unix programming language was required. The Internet was used primarily by scientists and academics whose main interest was in publishing their ideas and enabling a peer review of their material. Because they were all part of a common community, they felt no need to check the identity of the information provider. As a result, the Internet evolved with no perceived need for copyright, security or other fundamental controls. With the introduction of the World Wide Web, the Internet was transformed. By 1994, the Web could be used to send text and pictures and, eventually, even sound and animation over the Internet. Powerful search engines made it easy to find information and ‘surfing the Web’ became a major research and business tool.

Internet Communication
The Internet uses the concept of the ‘packet’ to transmit information, where a packet is a collection of related data that is parcelled, addressed and dispatched to a destination. Each packet travels independently across different networks using the addresses of the sending and receiving computers. The packets are reassembled at the other end into the full original message. Routers, or switches, located at intermediate stages work out the fastest communication routes.
Communication is achieved by using an agreed set of standards or layers, which enable different users to speak in a mutually understandable language. Primary among these layers in the Internet is the application layer.



Application layer
Defined by the application developer, the application layer fulfills specific business needs, for example:
➤ file transfer protocol (ftp) is used to transfer files;
➤ simple mail transfer protocol (smtp) is used to deliver e-mail;
➤ network news transfer protocol (nntp) is used to deliver Usenet news; and
➤ hypertext transfer protocol (http) is used to transfer hypertext documents.

Addressing
In order for the Internet to work, the addresses used for sending and receiving messages must be common. This is achieved using TCP/IP addresses. Internet addresses consist of a 12-digit, 32-bit number that is unique for every machine across the network (ie unique in the world). The Network Information Center (NIC) in the US (or its local counterpart) assigns addresses, which look like this: 199.009.200.001. The first three digits are the network number and the last three digits designate the host. The rest represent the subnet and each group of three can go from 0 to 254. These conventions are intended to permit communication for specific purposes, some of which are discussed below.

E-mail
Using e-mail gives an immediate, practical use of the Internet. It follows the same basic principle as normal mail. There is a message, which is placed in an envelope with or without attachments. The envelope is addressed. A return address is added and the mail is posted, but the communication is virtually instantaneous. E-mail is a low-cost and standard communication medium that offers substantial advantages over fax or even normal mail in terms of speed, cost and security. However, the major problem of e-mail lies in its reliability. Because it is so reliable, it becomes unquestioned, but e-mail can be compromised as a result of deliberate penetration. The use of an alias can allow unapproved users to receive mail and, while posing as someone else is generally considered highly unethical, even as a joke, it can and does happen.
Communicating anonymously is possible for positive reasons – anonymous tip-offs – or negative reasons – harassment, libel, etc.

WWW (World Wide Web, the Web or W3)
This consists of resources that have addresses, and browsers that allow access to these resources. A uniform resource locator (URL), which is basically a website address, describes how to find a resource, and these resources are linked using Web pages. The WWW is rapidly taking over as the de facto Internet standard based around the basic protocol of hypertext transfer protocol (http).

ftp
Ftp is both a program and a protocol and allows files to be copied to and from PCs, Macs, minis or mainframes. It can permit the obtaining of directory listings, allow the creation of directories and even permit the deletion or renaming of files. Usernames and passwords are transmitted unencrypted and ftp can connect to any host on the Net if the name or IP address is known. A variety of ftp, called anonymous ftp, permits ftp by unknown users.



html
Hypertext mark-up language (html) is a plain ASCII language that interleaves plain text with mark-up tags. Hypertext links to other pages are supported and there are several editors available in the public domain, as well as commercial software products such as Microsoft’s FrontPage. The primary use of html is the design of web pages.

Connecting to the Internet
Connecting to the Internet involves obtaining a communications address on the Internet. This is done through the DNS (domain name system), which holds an address registered to link your organization's network to the Internet. Personal access to the Internet is normally achieved via either SLIP or PPP. SLIP is the serial line Internet protocol and is used for Internet connection via dial-up. PPP is the point-to-point protocol, which is a newer protocol doing the same job, but better designed. Access generally has three requirements:
➤ an access phone number of a service provider;
➤ a personal user-ID; and
➤ a personal password.
These are obtained by registering with a service provider who provides Internet access commercially to a variety of users.

Finding Information on the Internet
Given the nature of the Internet and the vast quantities of information available, you need help to locate specific areas of interest. This usually involves using search engines such as Altavista, Lycos, Yahoo, Hotbot and Google. These services are provided free by companies that gather information on websites and permit public browsing. They can also be used in searching for e-mail addresses. General tips for effective use of such search engines or web browsers include keeping search commands as simple as possible to minimize the time taken for the search, while at the same time using combinations of keywords, focused searches and operators to minimize the number of pages returned. It is a good policy to use several search tools for simple searches to familiarize yourself with the process before using them for urgent searches.
Useful websites or pages located can be bookmarked for future ease of access.

Internet Security
Internet security is a potential risk area.
➤ Problems include entry to corporate systems through the Internet and loss of confidentiality of messages.
➤ Message authentication problems exist that can lead to acceptance of false messages or instructions. Verification of authorization then becomes non-negotiable.
➤ User authentication is difficult unless specific efforts are made to ensure the genuineness of claimed identity. At the same time, user anonymity cannot be



ensured and accesses can easily be traced back to source using the inbuilt facilities of the browsers.
➤ Unattended terminals that are logged on to the Internet can lead to unauthorized use. This in turn may lead to time wasting on a grand scale and huge phone bills.
➤ Since many sites accessed are ‘untrusted’, uncontrolled downloading of unknown software easily spreads viruses.
➤ E-mail overflow can result if insufficient space is reserved for incoming messages, and messages can be lost.
➤ Infrastructure observation and infrastructure interference may be possible if external users have the capability of observing people and events on the inside of a connected network.
➤ Standard vulnerabilities of computer systems, including back-up thefts, staff bribery, password guessing, observation of password entry or ‘shoulder surfing’, viewing poorly disposed of confidential output or ‘dumpster diving’ continue to be problem areas. These are compounded by network-specific threats such as the use of packet watching ‘sniffers’ or by wire closet attacks at the control points of the physical network.
Combating these threats involves establishing the risk areas and defining an appropriate security architecture. This will typically include:
➤ the use of firewalls (hardware/software combinations that prevent unauthorized outsider access);
➤ network address translation, which conceals origins of messages by providing a barrier between the message sender and the receiver; and
➤ operating system hardening, which involves ensuring that all possible options to enhance security are taken.
Packet-level screening, encryption, looking after the infrastructure and monitoring Internet use by individuals can all help. E-mail security can be enhanced by using encryption software such as PGP, which can be downloaded from ftp://net-dist.mit.edu/pub/PGP. PGP has become the de facto standard for e-mail encryption.
RIPEM (Riordan's Internet privacy enhanced mail), available from ftp://ripem.msu.edu/pub/crypt/ripem/, supports e-mail using DOS, OS/2 and NT operating systems. Recent hacks via the Internet included a hacker who stole 100 000 credit card numbers using a packet sniffer to catch the data. He was caught trying to sell the numbers. Hackers broke into the official Lost World site and changed it to ‘The Duck World: Jurassic Pond’. In itself this was a fairly innocuous act, but the site also controlled the safety of the rides at the theme park and the changes could have resulted in injury or even death. Internet/Intranet Security Internet and internal network attacks on corporate enterprises seem inescapable in today’s computing environment. Most companies admit to having been attacked at some time in the past year. While the most costly attacks have been from the inside, external attacks from hackers and competitors are rising dramatically. How do you

304

Internal_Auditing.indb 304

16/04/2015 11:13

AUDITING e-COMMERCE AND THE INTERNET

know when you are under attack? The chances are you already create enough audit trail data, but who has time to look at it? Intrusion detection tools solve this problem by automatically discovering and responding to attacks. We will explore the need for intrusion detection, discuss lessons learned from early intrusion detection efforts, and explore the different types of intrusion detection tools available. We will also compare and contrast the three common methodologies used for intrusion detection, and discuss the advantages and disadvantages inherent in various architectures. Not so long ago, hacking took a lot of time and study. While expert hackers still abound, the Internet has entered a new era. Using almost any search engine, ordinary Internet users can quickly find information describing how to break into systems by simply searching for such key words as ‘hacking’, ‘password cracking’ and ‘Internet security’. Thousands of sites publish step-by-step instructions on how to break into Windows NT systems, Web servers, UNIX systems, etc. The sites often include tools that automate the hacking process. In many cases, the tools have easy-to-use graphical interfaces. For instance, a tool called Crack automatically tries to guess UNIX passwords. A similar tool called L0phtcrack breaks Windows NT passwords. A software probe called SATAN discovers vulnerable systems in a network and reports on the specific holes that can be exploited. What does all this mean? Almost anyone with the motivation to break into systems can quickly obtain the technology to do so without having to become an expert hacker. To be effective, an intrusion detection solution must be capable of detecting attacks from both inside and outside the network. In the early 1980s, conventional wisdom dictated that the best way to detect intrusions was to create logs or audit trails of all security-relevant activity. 
As a result, most operating systems, databases, routers and mission-critical applications generate audit trails. The original idea was that a security administrator would review the audit logs looking for suspicious events. This seemed like a fine idea when companies only had a few systems and a few users. The industry quickly realized that no one had time to read all that audit trail data. A few enterprising developers built query and reporting programs to help analyze the audit trail in an attempt to find trouble spots. For example, in 1984, Clyde Digital Systems developed a product called AUDIT, which automatically searches through OpenVMS audit trails looking for suspicious events. (Incidentally, this product is still in use today.) In 1987, a US government-funded project called IDES at Stanford Research Institute read audit trails and created profiles of normal use patterns for users and then reported deviations. Unfortunately, as the number of users, systems, applications and databases has grown, the audit trails have also grown so large that now they can actually cause denial of service problems from using up too much disk space. Many production environments routinely turn off audit trails to avoid disruptions to production systems. So, the current situation at most sites is that they plan to rely on audit trails to detect intrusions. But without the staff to review the audit trails, these sites turn off the audit trails to improve productivity. Today’s intrusion detection products fall into three basic categories: ➤ post-event audit trail analysis; 305

➤ real-time packet analysis; and
➤ real-time activity monitoring.
Each of these categories has value and particular advantages and disadvantages.

Post-event audit trail analysis

The traditional intrusion detection method has been to perform post-event audit trail analysis. SAIC’s CMDS and TIS Stalker fall into this category, since they analyze certain UNIX audit trails for suspicious activity. This type of product has two key advantages.
➤ One is that it addresses the tremendous difficulties that organizations experience in examining and managing audit trails. Many times the purchase of such a product can be justified on the cost savings achieved through the centralization and automation of audit trail management.
➤ The second advantage is that investigators can go back in time and do historical analysis of events that have occurred in the past. More sophisticated products can graph results and show trend analysis by attack category, system, type of system, etc. This is particularly useful in investigations of break-ins that have taken place over a period of time.
From a network-security perspective, the disadvantage of a pure ‘after-the-fact’ product is that by the time it detects the security problem it is generally too late to respond and protect the data. The consequences of the attack spread further into the network without resistance; ultimately, the damage is already done by the time you find out. Also, since most hackers learn how to cover their tracks by tampering with audit trails, after-the-fact analysis often misses attacks. For this reason audit trails should be forwarded promptly to a separate, write-protected collection point that the monitored system itself cannot alter; an attacker who gains root on the host can otherwise erase the very evidence the analysis depends on.

Real-time packet analysis

Several products are now available that detect attacks in real time and respond immediately, ideally before damage is done. One method of real-time intrusion detection is to dedicate a system to sniffing packets traveling across a single network segment. Using this methodology, the intrusion detection software is placed on a dedicated system whose Ethernet card is put into ‘promiscuous mode’ so that the software can read and analyze all traffic on the segment, examining both the packet header fields and the packet contents. The intrusion detection software includes an engine that looks for specific types of network attacks, such as IP spoofing and packet floods. When the packet analysis software detects a potential problem, it responds immediately by notifying a console, beeping a pager, sending an e-mail, or even shutting down the network session. This category includes products such as WheelGroup’s NetRanger, ISS’s RealSecure and Network Associates’ CyberCop. In a typical deployment, a sniffer is placed outside the firewall to detect attack attempts coming from the Internet. A second sniffer is placed inside the network to detect Internet attacks that penetrate the firewall and to assist in detecting internal attacks and threats. For full enterprise coverage, sniffers must be placed on each network segment; on a switched network a sensor sees only the traffic mirrored to its port, so a span (mirror) port or a network tap is required. In addition, tools are required to manage the various sniffers remotely, collate the information gathered and display the enterprise-wide information on a console.
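The deployment just described leaves open what the sensor actually does with each frame. The following Go program is an added example, not code from the book or from any of the products named above, and it assumes the frames have already been read from a promiscuous-mode interface (the traffic here is constructed in the code itself and labelled as such). It decodes the IPv4 and TCP header fields, raises an alert for a packet arriving from the Internet that claims a private (RFC 1918) source address, which is the simplest form of IP spoofing, counts bare SYN segments per destination port to recognize a flood, and reports any frame it cannot decode. The addresses, the threshold of 40 and the rule names are illustrative assumptions.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// packet holds the header fields the sensor inspects; IP options and payload are ignored.
type packet struct {
	src, dst     net.IP
	proto        byte
	sport, dport uint16
	flags        byte // TCP flags byte: SYN=0x02, ACK=0x10
}

const flagSYN, flagACK byte = 0x02, 0x10

// Alert is one event the sensor would forward to the management console.
type Alert struct{ Rule, Detail string }

// parseIPv4TCP decodes a minimal IPv4 header and, when the payload is TCP, the ports and
// flags. Truncated or non-IPv4 input yields ok=false so malformed frames are reported, not skipped.
func parseIPv4TCP(b []byte) (packet, bool) {
	if len(b) < 20 || b[0]>>4 != 4 || b[0]&0x0f < 5 {
		return packet{}, false
	}
	ihl := int(b[0]&0x0f) * 4 // IPv4 header length in bytes
	p := packet{src: net.IP(b[12:16]), dst: net.IP(b[16:20]), proto: b[9]}
	if p.proto != 6 { // not TCP: IP-layer fields only
		return p, len(b) >= ihl
	}
	if len(b) < ihl+14 { // need the TCP header at least up to the flags byte
		return packet{}, false
	}
	p.sport = binary.BigEndian.Uint16(b[ihl : ihl+2])
	p.dport = binary.BigEndian.Uint16(b[ihl+2 : ihl+4])
	p.flags = b[ihl+13]
	return p, true
}

// isRFC1918 reports whether a 4-byte address is private; such addresses are not routed on the
// Internet, so one seen as a source by the OUTSIDE sensor can only be spoofed.
func isRFC1918(ip net.IP) bool {
	return ip[0] == 10 || (ip[0] == 172 && ip[1]&0xf0 == 16) || (ip[0] == 192 && ip[1] == 168)
}

// inspect runs both checks over frames from the outside sensor; the synThreshold-th bare SYN
// (SYN set, ACK clear) to one dst:port raises a flood alert, once per dst:port.
func inspect(frames [][]byte, synThreshold int) []Alert {
	var alerts []Alert
	syns := map[string]int{}
	for _, f := range frames {
		p, ok := parseIPv4TCP(f)
		if !ok {
			alerts = append(alerts, Alert{"malformed", fmt.Sprintf("%d-byte frame could not be decoded", len(f))})
			continue
		}
		if isRFC1918(p.src) {
			alerts = append(alerts, Alert{"spoofed-source", fmt.Sprintf("%s -> %s:%d claims an internal source", p.src, p.dst, p.dport)})
		}
		if p.proto == 6 && p.flags&flagSYN != 0 && p.flags&flagACK == 0 {
			key := fmt.Sprintf("%s:%d", p.dst, p.dport)
			syns[key]++
			if syns[key] == synThreshold {
				alerts = append(alerts, Alert{"syn-flood", fmt.Sprintf("%d bare SYNs to %s", syns[key], key)})
			}
		}
	}
	return alerts
}

// buildTCP constructs a minimal IPv4/TCP frame (no options, no payload, checksums left zero)
// for the constructed capture below; a real sensor reads frames off the wire instead.
func buildTCP(src, dst string, sport, dport uint16, flags byte) []byte {
	b := make([]byte, 40)
	b[0] = 0x45 // version 4, IHL 5 words
	binary.BigEndian.PutUint16(b[2:4], 40)
	b[8], b[9] = 64, 6 // TTL, protocol TCP
	copy(b[12:16], net.ParseIP(src).To4())
	copy(b[16:20], net.ParseIP(dst).To4())
	binary.BigEndian.PutUint16(b[20:22], sport)
	binary.BigEndian.PutUint16(b[22:24], dport)
	b[32], b[33] = 5<<4, flags // data offset 5 words, flags
	return b
}

// sampleCapture is constructed (not real) traffic as the outside sensor would see it: a normal
// handshake start, one spoofed packet, a 50-packet SYN flood on port 80 and one truncated frame.
func sampleCapture() [][]byte {
	frames := [][]byte{
		buildTCP("198.51.100.7", "203.0.113.10", 40000, 443, flagSYN),
		buildTCP("198.51.100.7", "203.0.113.10", 40000, 443, flagACK),
		buildTCP("10.0.0.5", "203.0.113.10", 4444, 22, flagSYN),
	}
	for i := 0; i < 50; i++ {
		frames = append(frames, buildTCP(fmt.Sprintf("198.51.100.%d", 100+i), "203.0.113.10", uint16(50000+i), 80, flagSYN))
	}
	return append(frames, []byte{0x45, 0x00})
}

func main() {
	for _, a := range inspect(sampleCapture(), 40) {
		fmt.Printf("[%s] %s\n", a.Rule, a.Detail)
	}
}
```

A production sensor would bound the SYN count by a time window, track whether handshakes complete, and add the organization’s own external addresses to the spoof check. The point for the auditor is that every alert traces back to specific header fields and a stated threshold, both of which can be asked for and reviewed.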

The advantage of the packet analysis technique is that certain network-oriented attacks (IP spoofing, packet storms, etc.) are best detected via packet examination. Also, you do not need to put software on the various hosts throughout the network. But remember that the basic definition of a network is an organization of nodes and links. A packet analyzer monitors traffic on the links but does not monitor the nodes, which are key pieces of any network. Referring to a packet analyzer as ‘network-based’ intrusion detection ignores the basic definition of a network, which includes nodes as well as links. Using the packet-sniffing methodology as the exclusive intrusion detection technique has other disadvantages as well, as indicated below.
➤ Packet analysis intrusion detection is distant from the mission-critical applications and the data it is trying to protect.
➤ Packet analysis is poorly placed to detect attacks that take place on the host or leave no distinctive signature on the wire, such as:
◗ exploiting a buffer overflow flaw on UNIX to gain access;
◗ exploiting a Windows NT registry vulnerability to gain administrator access;
◗ browsing for files that the user should not have access to;
◗ attacking mission-critical servers through dial-up lines;
◗ inserting Trojan horses on systems, such as changing the Windows NT login program;
◗ illegally using a mission-critical application (eg a funds transfer system);
◗ tampering with the content of Web pages and a Web server;
◗ improperly modifying firewall or router settings; and
◗ inappropriately accessing a database.
➤ Sniffers require dedicated hardware for each segment of the network being monitored. The cost of the hardware increases with the speed of the network link, and the sniffer box must be capable of keeping up with the volume of traffic; a sensor that drops packets under load silently misses attacks. As faster networks are deployed, this will require significant hardware upgrades for the packet analyzers.
➤ Packet sniffers can do little with encrypted packets. At best, a sniffer can acknowledge that a packet was transferred across the link, but since the data is encrypted it cannot report in context what the packet contained.

Real-time activity monitoring

An effective method for real-time intrusion detection is to monitor security-related activity occurring on the various systems and devices that make up the network. While most activity monitors watch the operating system audit trails, more sophisticated tools:
➤ track audit trails from applications, databases, Web servers, routers, firewalls, etc;
➤ monitor critical files for Trojan horses, unauthorized changes, etc;
➤ watch TCP and UDP port activity; and
➤ accept SNMP traps and triggers.
Real-time activity monitors can detect attacks such as attempts to access unauthorized sensitive files or to replace the login program with a new version. Unlike packet sniffers, they can detect when a user illegally obtains ‘root’ or administrator access. When suspicious activity is detected, the real-time activity monitor can take
immediate action before damage is done. This action can include notifying a console, sending an e-mail, beeping a pager, disabling a user account, terminating the intruder’s process, terminating the intruder’s session, shutting the system down or executing a command procedure. Automated responses of this kind need a false-positive review of their own: a monitor that disables accounts or kills sessions on a faulty rule can itself be used to deny service to legitimate users.

e-Commerce over the Internet

Electronic commerce (e-commerce) is the process of doing business electronically. It encompasses automating a variety of business-to-business and business-to-consumer transactions through reliable and secure connections. Since the turn of the millennium, business has awakened to the opportunities the Web provides to advertise and sell products and services in an international market of millions of potential customers. From its beginnings, when business on the Internet was disapproved of, the position has changed to one where most Internet users accept that business will inevitably exploit the Internet and its facilities. This has resulted in the growth of legal disputes regarding the ownership of material on the Web, domain names and Internet fraud, and distrust can arise if these are not swiftly dealt with.

When engaging in e-commerce, it is important that each business partner has confidence in the other’s confidentiality practices for e-commerce transactions. Lack of confidence in electronic information and communications systems can hinder the development of e-commerce. Consumers will embrace e-commerce only if the risks are perceived to be at an acceptably low level. As a result, internal auditors must pay special attention to assessing the level of risk when auditing e-commerce systems. Unlike private information, which is being defined in law in many countries worldwide, there is no internationally recognized definition of confidential information or of rights of access to confidential information to ensure its accuracy and completeness. As a result, interpretations of what is deemed to be confidential information must normally be driven by contractual arrangements.

For example, an unauthorized party may intercept business partner identification and authentication information and transaction data while they are being transmitted over the Internet. If the information is encrypted in transit, it is difficult for the unauthorized party to decipher it. Again, if the computer system where the data is stored is not protected by a firewall and a rigorous system of access controls, unauthorized people may access the information. Most large organizations have a firewall, but many are incorrectly configured, rarely updated and seldom monitored for signs of trouble. Ensuring that internal audit staff periodically test the security can help identify exposures and reduce the likelihood of unauthorized access to the system. Often it is found that an organization’s own people are its greatest weakness, yet many organizations fail to have even a security policy. It is critical that security becomes fundamental within the corporate culture. This involves understanding which information within the business is at risk, and then designing the appropriate policies and procedures to protect it. Senior management needs to promote the importance of security actively and make sure its people are educated about security threats.
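‘Seldom monitored for signs of trouble’ is exactly the gap that the post-event audit trail analysis described earlier in this chapter fills, and the real-time activity monitors apply the same rules as the events arrive. The following Go program is an added example, not from the book or from any product it names. It parses a constructed Linux-style authentication log in syslog format (sshd and sudo entries) and applies three rules: repeated failed logins from one source address within a time window, a successful login from a source that has just failed repeatedly, and a command run as root by a user who is not on the approved administrator list. The log lines, host name, addresses, the threshold of five failures in one minute and the administrator list are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Finding is one alert produced from the audit trail.
type Finding struct{ Rule, Source, Detail string }

// Constructed sample audit trail (not from any real system): a password-guessing run from
// 203.0.113.9 that finally succeeds, a normal key login by bob, then bob reading /etc/shadow as root.
const sampleLog = `Mar 12 09:01:02 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51212 ssh2
Mar 12 09:01:05 web01 sshd[2103]: Failed password for root from 203.0.113.9 port 51220 ssh2
Mar 12 09:01:09 web01 sshd[2107]: Failed password for root from 203.0.113.9 port 51231 ssh2
Mar 12 09:01:14 web01 sshd[2110]: Failed password for root from 203.0.113.9 port 51245 ssh2
Mar 12 09:01:19 web01 sshd[2115]: Failed password for root from 203.0.113.9 port 51258 ssh2
Mar 12 09:01:40 web01 sshd[2140]: Accepted password for root from 203.0.113.9 port 51300 ssh2
Mar 12 09:15:03 web01 sshd[2201]: Failed password for bob from 198.51.100.4 port 40112 ssh2
Mar 12 09:15:20 web01 sshd[2204]: Accepted publickey for bob from 198.51.100.4 port 40120 ssh2
Mar 12 09:20:00 web01 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow`

var (
	// syslog line: timestamp, host, program[pid]: message
	lineRE = regexp.MustCompile(`^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$`)
	failRE = regexp.MustCompile(`^Failed password for (?:invalid user )?(\S+) from (\S+) port`)
	okRE   = regexp.MustCompile(`^Accepted \S+ for (\S+) from (\S+) port`)
	sudoRE = regexp.MustCompile(`^(\S+) : .*USER=(\S+) ; COMMAND=(.*)$`)
)

type event struct {
	t         time.Time
	prog, msg string
}

func parseLine(line string) (event, bool) {
	m := lineRE.FindStringSubmatch(line)
	if m == nil {
		return event{}, false
	}
	// Syslog timestamps carry no year; the "_2" layout accepts both "Mar 12" and "Mar  2".
	t, err := time.Parse("Jan _2 15:04:05", m[1])
	if err != nil {
		return event{}, false
	}
	return event{t: t, prog: m[3], msg: m[4]}, true
}

// recent keeps only the timestamps that fall within window of now.
func recent(ts []time.Time, now time.Time, window time.Duration) []time.Time {
	var keep []time.Time
	for _, t := range ts {
		if now.Sub(t) <= window {
			keep = append(keep, t)
		}
	}
	return keep
}

// analyze applies the three rules: threshold failures from one source within window is a
// guessing attack; admins lists the users permitted to run commands as root.
func analyze(log string, threshold int, window time.Duration, admins map[string]bool) []Finding {
	var out []Finding
	fails := map[string][]time.Time{} // source address -> recent failure times
	alerted := map[string]bool{}      // one guessing alert per source
	for _, raw := range strings.Split(log, "\n") {
		ev, ok := parseLine(strings.TrimSpace(raw))
		if !ok {
			continue
		}
		switch ev.prog {
		case "sshd":
			if m := failRE.FindStringSubmatch(ev.msg); m != nil {
				src := m[2]
				fails[src] = recent(append(fails[src], ev.t), ev.t, window)
				if len(fails[src]) >= threshold && !alerted[src] {
					alerted[src] = true
					out = append(out, Finding{"brute-force", src, fmt.Sprintf("%d failed logins within %s", len(fails[src]), window)})
				}
			} else if m := okRE.FindStringSubmatch(ev.msg); m != nil {
				user, src := m[1], m[2]
				if n := len(recent(fails[src], ev.t, window)); n >= threshold {
					out = append(out, Finding{"success-after-failures", src, fmt.Sprintf("%s logged in after %d failures", user, n)})
				}
			}
		case "sudo":
			if m := sudoRE.FindStringSubmatch(ev.msg); m != nil && m[2] == "root" && !admins[m[1]] {
				out = append(out, Finding{"unauthorised-root", m[1], "ran as root: " + m[3]})
			}
		}
	}
	return out
}

func main() {
	for _, f := range analyze(sampleLog, 5, time.Minute, map[string]bool{"alice": true}) {
		fmt.Printf("[%s] %s: %s\n", f.Rule, f.Source, f.Detail)
	}
}
```

The failure threshold and the window are the parameters an auditor should expect to find documented and justified: set too high they miss slow, patient guessing; set too low they bury the analyst in noise. Because syslog timestamps carry no year, the window comparison here is only meaningful within a single log, and a tool run over archived logs spanning a year boundary needs a timestamp format that includes it.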

e-Commerce has resulted in fundamental changes to many of the risks over which internal auditors try to identify controls, such as:
➤ Audit trails: Within an e-commerce system, the original transaction is paperless and the official evidence is electronic. As such, an auditor will have to be able to follow an electronic audit trail.
➤ Business continuity: As e-commerce expands, reliance on the effectiveness of other organizations’ network security, back-up, recovery and processing continuity increases.
➤ Information security and privacy: Transactions passing through third-party networks may be exposed to unauthorized access.
➤ Potential legal liability: The audits conducted by and for other trading partners could represent potential legal liability for an organization.
➤ Records retention: The replacement of paper by electronic records means that retention controls require a consistently applied and fully recoverable technology environment.
➤ Segregation of duties: Appropriate division of duties in an electronic environment can be achieved, but can also be compromised by inappropriate access rights.

At the heart of e-commerce are the messages sent across the Internet. Encryption and authentication of identity are vital issues. A number of cryptographic technologies are available for e-commerce. These include symmetric key cryptography, asymmetric (public key) cryptography and digital signatures.

Symmetric key cryptography

This uses an algorithm to encrypt information in order to render it unintelligible to anyone who does not possess the secret key to decrypt it. The same secret key must be shared between the encrypting party and the decrypting party, so the problem of distributing that key securely is inseparable from the choice of algorithm. The US government’s Data Encryption Standard (DES) is perhaps the best-known symmetric key technique and was for many years the reference against which other techniques were evaluated. Its 56-bit key is, however, far too short for modern computing power: a DES key can be recovered by exhaustive search in hours, and DES has been withdrawn as a standard. An auditor should expect to see its successor, the Advanced Encryption Standard (AES), or at least Triple DES, in any current system, and should treat the use of single DES as a finding.

Asymmetric (public key) cryptography

Instead of a single key, a two-key pair is used, one for encryption and one for decryption. One key of the pair is designated the public key (disclosed to the public) and the other is kept secret as the private key. A message that is encrypted using the public key can only be decrypted using the corresponding private key, so only the intended holder of the private key can read it. Note that encryption alone provides confidentiality, not integrity: anyone who knows the public key can produce a valid ciphertext, and a ciphertext can be altered in transit without the recipient necessarily noticing, unless an authentication mechanism (a message authentication code or a signature) is also applied. By reversing the process, a value produced with the private key can be checked only with the matching public key, which is what allows the recipient to confirm both the integrity of the message and the identity of the sender; this is the basis of the sender’s digital signature. The major difference found in public key encryption is that the two communicating parties do not have to know each other in advance and do not have to share a single secret key. What they do have to trust is that a given public key really belongs to the claimed party, which is the role of certificates and certification authorities.

Digital signature

In the world of e-commerce, the digital signature is perhaps the most important application of public key cryptography. In written documents, handwritten signatures are traditionally used to authenticate the document. An electronic document signed using the originator’s private key confirms that the document comes from the purported author (authentication), ensures that the document has not been tampered with (integrity), and ensures that the sender cannot deny that the message was sent (non-repudiation). In practice the signature is computed over a cryptographic hash of the document rather than over the document itself, and its value as evidence depends on the private key having remained under the signer’s sole control. Internal auditors must focus not only on the messages managed within e-commerce, but also on the processes and technologies that provide authentication and assurance against security breaches.
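As an added worked example (not from the book) of the three techniques just described, the following Go program uses current standard-library algorithms in place of DES: AES-256-GCM as the symmetric cipher, RSA-OAEP for public key encryption, used here as it usually is in practice to wrap the symmetric session key for the recipient, and Ed25519 for the digital signature. It encrypts a constructed order message, shows that the authenticated cipher rejects a ciphertext in which one bit has been flipped, and shows that the signature verifies over the original message but not over a copy in which the amount has been altered. Keys are generated fresh on each run; the order message and the key sizes are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// newGCM wraps an AES key (16, 24 or 32 bytes) in the authenticated GCM mode.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Symmetric: the same shared secret key both encrypts and decrypts (AES-256-GCM).
func symEncrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message; never reuse one under the same key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // output = nonce || ciphertext || tag
}

func symDecrypt(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil) // fails if any bit of nonce, ciphertext or tag was altered
}

// Asymmetric: encrypt with the recipient's public key, decrypt with their private key (RSA-OAEP).
func pubEncrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) { return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil) }
func privDecrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) { return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil) }

// Digital signature: sign with the sender's private key, anyone verifies with the public key (Ed25519).
func sign(priv ed25519.PrivateKey, msg []byte) []byte { return ed25519.Sign(priv, msg) }
func verify(pub ed25519.PublicKey, msg, sig []byte) bool { return ed25519.Verify(pub, msg, sig) }

// Results records what each step of roundTrip established.
type Results struct {
	SymOK, SymTamperRejected, PubKeyOK, SigOK, SigForgeryRejected bool
}

// roundTrip exercises the three primitives on a constructed order message.
func roundTrip() (Results, error) {
	var r Results
	order := []byte(`{"order":4711,"amount":"199.00","currency":"EUR"}`) // constructed sample message
	key := make([]byte, 32)                                              // AES-256 session key
	if _, err := rand.Read(key); err != nil {
		return r, err
	}
	sealed, err := symEncrypt(key, order)
	if err != nil {
		return r, err
	}
	pt, err := symDecrypt(key, sealed)
	r.SymOK = err == nil && string(pt) == string(order)
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = symDecrypt(key, sealed)
	r.SymTamperRejected = err != nil
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048) // recipient's key pair
	if err != nil {
		return r, err
	}
	wrapped, err := pubEncrypt(&rsaKey.PublicKey, key) // typical use: wrap the session key for the recipient
	if err != nil {
		return r, err
	}
	unwrapped, err := privDecrypt(rsaKey, wrapped)
	r.PubKeyOK = err == nil && string(unwrapped) == string(key)
	sigPub, sigPriv, err := ed25519.GenerateKey(rand.Reader) // sender's signing key pair
	if err != nil {
		return r, err
	}
	sig := sign(sigPriv, order)
	r.SigOK = verify(sigPub, order, sig)
	forged := []byte(`{"order":4711,"amount":"999.00","currency":"EUR"}`) // same message, amount altered
	r.SigForgeryRejected = !verify(sigPub, forged, sig)
	return r, nil
}

func main() {
	r, err := roundTrip()
	fmt.Println(r, err)
}
```

Note what each step does and does not prove: the symmetric and public key encryption steps give confidentiality, the GCM tag and the signature give integrity, and only the signature, made with a key that the sender alone holds, supports non-repudiation. The example also assumes the verifier already holds the right public key; binding a public key to a real identity is the job of certificates, which this code does not cover.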

CHAPTER 33

Current and Emerging Technology Issues for Internal Auditors

Learning objectives

After studying this chapter, you should be able to:
➤ Recognize the impact of new technology on the overall IT audit approach and methodology
➤ Differentiate between continuous auditing and continuous monitoring
➤ Understand the audit role in IT governance
➤ Define the components of project management and identify internal audit’s role
➤ Recognize various types of IT outsourcing and the types of risks associated
➤ Identify the component parts of the negotiation of service level agreements
➤ Determine the degree of criticality of services outsourced
➤ Recognize the impact of the varying types of cloud computing
➤ Identify areas of potential audit participation
➤ Differentiate between the three basic types of smart mobility
➤ Recognize the risks inherent in the concept of Bring Your Own Device
➤ Recognize the risks to the organization inherent in social media
➤ Advise social media users on the use of privacy modes
➤ Identify risks inherent in Advanced Persistent Threats and the process normally adopted in such threats

IT Audit Approach and Methodology

In examining the impact of current and emerging technology issues on the internal audit function, three basic principles of IT risk management must become ingrained.
1. Information risk strategies should primarily be driven by business risks, with technical risks playing a secondary role.
2. Effective risk management for IT encompasses a combination of strategy, organization, process and technology.
3. The overall information risk management process needs to be applied to discrete, yet interrelated, components of an organization’s business processes and related information technology.
In recent years the emphasis in overall risk management has developed from straightforward compliance and prevention, through operating performance, to the current goal of enhancing shareholder value. When mapping these changes onto the control of IT risk, a top-down approach is commonly used in determining the areas of risk and the roles in implementing the control environment. Overall policy formulation and control is part of the general IT governance layer, while operationally management will dictate the implementation of the appropriate standards and structures as well as physical and environmental controls. At the technical level, system software controls, system development controls and the overall application-based controls are all shaped by the dictates of the higher layers.

Recent changes in technology have facilitated new directions and benefits for the organization. These bring their own issues, with concomitant changes to the technical details integral to control, security and auditing. In the past 10 years we have seen major changes in the form of:
➤ growth in distributed computing environments;
➤ integrated network support for voice, data and video transmissions;
➤ new types of network media and protocols;
➤ increased integration with external networks, clouds, etc;
➤ proliferation of sophisticated database technology providing transparent access to data across dissimilar platforms; and
➤ increasing trends towards open systems.
Deriving from these technological changes we have seen major changes in our people and our processes. From a human perspective, more users with higher levels of computer literacy access information over a wide spectrum of international access routes. With enhanced customer connectivity has come the downsizing and flattening of organizational structures. On the process side, e-commerce and integrated systems have meant a shift in corporate speed-to-market requirements, with flexibility of systems becoming critical. In many organizations, revised technology has been the driving force for the implementation of business process reengineering (BPR), resulting in new rules for the gaining of competitive advantage. These changes have required a rethink of the strategies, rules and relationships in information technology management. Cost structures have changed, as have the skills requirements, tools and methods of interaction needed to operate effectively in today’s highly volatile IT environment. These changes have also induced changes in the control, security and auditing issues surrounding IT. The elimination of management control layers due to the integration of system capabilities has resulted in the requirement for new rules for separation of duties. Continuous control monitoring (CCM) and continuous process auditing systems (CPAS) have become the order of the day. The migration towards cloud-based systems has required the retraining of both information technology and end-user staff. Multiple vendors selling package products and application enablers abound and, while there are undoubted benefits from successful implementations, the risks inherent in failed migrations can threaten the integrity and even the survival of organizations.

From an internal audit perspective, the audit approach must adapt to the changes in business requirements. The disappearance of hard-copy audit trails and the sophistication of the IT systems in use mean a revision of the automation strategies employed by internal audit. Distributed activities and systems, as well as dramatic changes to hardware and software platforms, mean that the auditor must become adept at operating within a variety of environments with a variety of security and control implications. At a technical level, there has been a quantum shift in the minimum level of technical knowledge required of all auditors. This, in turn, has forced a shift in the way we manage audits in an automated environment. There will always be a need for the specialized conduct of technical system audits, but when and how these will be done is in a permanent state of flux. The use of technology to facilitate continuous auditing has now become an imperative. Faced with today’s audit challenges, including the massive increases in regulatory requirements over the world-wide IP environment, combined with the demand for increasing internal audit value and a growing shortage of skilled resources, the introduction of appropriate automated audit solutions has become a strategic issue. The need for timely, ongoing assurance over risk management and control of systems having instantaneous impact on the organization has meant that continuous auditing, providing more frequent and timely analyses of control deficiencies and risk, is now essential. It should be stressed that continuous auditing is a methodology used to perform audit-related activities on a continuous basis and is performed by internal audit. Continuous monitoring, on the other hand, involves the processes implemented by management, operational or financial, to ensure that policies and processes are operating effectively and to ensure the adequacy and effectiveness of controls. Internal audit then independently evaluates the adequacy of management’s continuous monitoring activities. Continuous assurance involves a combination of continuous auditing and audit oversight of continuous monitoring.

IT Governance

IT governance has been defined as ‘specifying the framework for decision rights and accountabilities to encourage desirable behavior and the use of IT’.60 It is seen to be less about the specific decisions made and more about determining which decisions are to be made, who makes each type of decision, how decisions are arrived at and who will be held accountable for the results. Overlaid on this is the governance structure defining the composition of the bodies that are empowered to make or execute joint decisions. As with any other form of governance, IT governance directs the IT operations to ensure alignment with the enterprise in order to realize the promised benefits by exploiting opportunities and maximizing benefits. The board retains overall responsibility for driving the enterprise alignment and directing management in the delivery of measurable value. A variety of models define structures for IT controls, including the COSO model and the COBIT framework referred to elsewhere in this book. IT governance is also specified as a requirement in legislation such as the Sarbanes-Oxley Act of 2002 in the USA and in regulatory frameworks such as the Basel Accords governing financial institutions.

Project Management

The auditing of project management requires an understanding of the purpose and structure of the computer project. Projects, as opposed to normal management activities, are established on a temporary basis to achieve a specific objective. All projects must have a start point and a clearly defined end point. Four basic stages exist in project management methodologies:
1. Project definition
2. Project planning
3. Implementation
4. Project completion.

60. Weill, Peter & Ross, Jeanne W. 2004. ‘IT governance on one page’. MIT Center for Information Systems Research (CISR) WP 349.2.

Project definition includes holding meetings and discussions with affected parties in order to set the project boundaries and, when necessary, conducting feasibility studies. Project planning involves work breakdown and the development of specifications of the tasks to be undertaken. Part of the specification is the resource planning, including the costs, time, staff and other resources required. Where outside resources are needed, the appropriate tendering process must be followed. The implementation phase includes task prioritization, monitoring via inspections, client meetings, system testing, conversions, documentation, training and user acceptance testing, while constantly identifying problem areas to solve or avoid. The project completion phase includes final user acceptance and sign-off, the closedown of the project team and the evaluation of the project process.

Difficulties encountered in project management include the span of today’s IT projects, which may entail virtually the whole of the organization’s information flow. There is always a balancing exercise to be carried out between the delivery of quality and functionality and the speed of delivery and its associated costs. Overcoming these difficulties will depend upon the skills and training of the project team itself. Two types of project audit are possible: in-process project audits, which allow for corrective changes if conditions have changed and focus on project progress and performance; and post-project audits, which emphasize the improvement of future projects and take a longer-term view of the project’s role in the organization. From an audit perspective, it is recognized that a formal project management methodology does not necessarily guarantee success, though the use of such a methodology facilitates the identification of problems at an early stage, allowing cost-effective changes to be made and reducing the risk of project failure.

Controls sought may include:
➤ Project initiation reports
➤ Outputs of planning and estimation tools
➤ Ongoing project progress assessment reports
➤ Testing documentation
➤ Project costing reports
➤ Project team reviews.
A well-executed project audit can assist in the early diagnosis and resolution of problems, as well as facilitate the identification of the relationships between performance, cost and schedule, thus enabling the improvement of project performance. It can also give IT management an independent appraisal of the project’s status and prospects of successful accomplishment, as well as reconfirming the feasibility of the commitment to the project as a whole. The project audit typically follows predefined stages, namely:
➤ Analysis of the project’s context and stakeholders;
➤ Objectives analysis;
➤ Review of the plan of activities, resources and inputs required;
➤ Analysis of problems encountered;
➤ Review of indicators and measurements in use within the project;
➤ Risk analysis of events or decisions which could delay or impede the project process; and
➤ Analysis of the ongoing validity of assumptions made at the inception of the project.

The success or failure of a given project is commonly measured by the extent to which it meets its objectives. From a customer impact and satisfaction perspective, the quality, timeliness, degree of customer satisfaction and achievement of specifications become the key measurement criteria. In terms of business success, improvements in cash flow or market share, as well as meeting expectations on return on investment, may be critical indicators. For a project in process, efficiency in terms of cost and schedule is normally evaluated.

Outsourcing Outsourcing of IT has become a major outcome of the pressures involved in a modern information processing environment. Significant technical expertise and skills are required to operate effectively while time-to-market and technology dynamics require rapid development and enhancement. Costs, too, have an impact. The cost to license software or purchase services can be significantly lower than the cost to develop and maintain a proprietary system. In today’s environment, there has been a shift in the nature of outsourced functions to include mission-critical systems. Niche providers and specialization frequently results in multiple vendor relationships. These dynamics create new challenges for the management and audit of vendor oversight. Major types of IT outsourcing include: ➤➤ Applications management ➤➤ Infrastructure management ➤➤ Independent testing and validation services ➤➤ Data center management ➤➤ Helpdesk services ➤➤ Security services. From a corporate perspective, a variety of risks are evident in an outsourced environment. At its most fundamental, there is a risk that the outsourcing strategy is not aligned with the corporate objectives. Even where there is a strong alignment, fundamental assumptions regarding cost savings, payback periods, customer satisfaction and the impact on the supply chain may be wrong as a result of inadequate risk assessment at the feasibility stage. Where appropriate procurement policies are not followed, service-level agreements may not be adequate or properly implemented, while local regulatory implications may not be adequately covered in an international outsourcing environment. A common problem is the inadequacy of contingency arrangements planning. When outsourcing is chosen as a strategic direction, transition planning is critical including a methodology for effective escalation resolution of operational issues and a plan for retention of any essential skills in-house. 
In many outsourcing agreements there is an implied assumption that the outsourcing will continue forever, and no consideration is given to termination or renegotiation processes should the current arrangement prove ineffective. When outsourcing is the chosen direction, selection of the service provider becomes critical, including the negotiation of service-level agreements. These are normally developed using a four-step process:
➤➤ Determining the objectives – how will the outsourced service fit into the organization’s strategic plan?
➤➤ Defining the requirements – what are the operating and performance needs in terms of availability, response time, functionality, etc?

Internal_Auditing.indb 315

16/04/2015 11:13

INTERNAL AUDITING: AN INTEGRATED APPROACH

➤➤ Setting of target measurements – what metrics will be used and where will these be obtained?
➤➤ Establishing accountability – who will be responsible for what, and how much risk has been retained within the organization?

From an audit perspective, the internal auditor must determine the degree of criticality of the services outsourced as well as the governance structure for the outsourced operations in terms of roles and responsibilities. Critical to the process is the extent of detailed risk analysis performed at the time of outsourcing and whether risk analysis continues on an ongoing basis. The auditor would also seek to determine whether formal service-level agreements exist and are kept current for the outsourced activities, including the key performance indicators used to monitor vendor performance. The auditor will seek evidence of management’s monitoring of service performance and of the mechanism used to address any non-compliance with the service-level agreement. Outsourcing can be effective in controlling costs and achieving strategic objectives where in-house skills are not available or are cost-prohibitive.

Cloud Computing

Cloud computing is the term given to Internet-based computing whereby shared resources, software and information are provided to computers and other devices on demand, in the same manner as an electrical grid. Its origin lies in the days of large-scale mainframe computers, when an individual organization that could not justify a single large computer of its own instead purchased time on another organization’s computer as timesharing. At the base of cloud computing is the concept of virtualization, in which each user sees their own ‘virtual’ computer which may in fact be spread over a variety of machines in a variety of locations. In practice, cloud computing has evolved into a variety of models delivering different levels and types of service, such as:
➤➤ Software as a service (SaaS)
➤➤ Platform as a service (PaaS)
➤➤ Infrastructure as a service (IaaS).

The overall definition is blurred, giving rise to a variety of marketing concepts such as Compute as a service (CaaS) and others. The overall business model is pay-as-you-go, where each type of service is provided at a cost and adjusted as corporate needs grow or decline. Cloud-based software services are now maturing, with applications specifically enabled for the cloud and a support architecture capable of running multiple instances in a variety of locations. Such services are normally paid for on a subscription basis. The platform delivery model enables developers to write applications specifically to run on the cloud, while the infrastructure model is comparatively new and consists of servers, storage devices, databases and other peripherals with inbuilt security services. Both platform and infrastructure offerings are currently at an early stage of development compared to software services. Although cloud computing appears to offer flexibility and cost effectiveness, there are problems in its usage.
The cloud appears to the clients as a huge opaque box where they have little or no control over what happens inside the box.


CURRENT AND EMERGING TECHNOLOGY ISSUES FOR INTERNAL AUDITORS

Cloud computing does not remove the IT control objectives over data confidentiality, integrity, availability and privacy, but it may expose the organization to additional risks such as the difficulty of integrating with current in-house IT systems. In some business environments regulatory requirements effectively prohibit the use of cloud-based systems unless the cloud is a private cloud directly under the control of the originating organization. Where the cloud is a public cloud, security issues also include loss of control, since the customer’s data, applications and resources are located with the service provider; user identity management, access rules, security policies and their enforcement are all managed by the service provider. In a public cloud, which is by definition a multi-tenant environment, conflict may arise between tenants’ opposing goals since they share a common pool of resources. The fact that multiple independent users share the same physical infrastructure also means that an attacker can legitimately be a tenant on the same physical machine as the target. From an audit perspective, it becomes difficult to audit data held outside the organization in a cloud, and obtaining forensically acceptable data may also be more difficult since the data is no longer maintained locally. Legal jurisdiction can also be problematic, with different regulatory requirements in the country of the cloud host and further complications if the cloud provider sub-contracts to third-party clouds.
In terms of audit’s additional roles in a cloud environment, IT audit may participate by assisting management to:
➤➤ identify their control requirements and evaluate the controls to be contracted with the cloud provider;
➤➤ evaluate vendors to ensure a balanced assessment and the drawing up of appropriate vendor contracts;
➤➤ evaluate the controls and procedures in place for managing vendor relationships; and
➤➤ assess the scope and methods of planned data migrations into the cloud, as well as the potential for reversing the process if required.

Smart Mobility

Although the term smart mobility is used rather loosely, there are three basic types of mobility:
➤➤ Terminal mobility refers to the ability of a user terminal to continue to access a network as the terminal moves.
➤➤ User mobility refers to the ability of a user to continue to access network services from different terminals under the same user identity as the user moves around.
➤➤ Service mobility refers to the ability of a user to access the same services regardless of where the user is.

The management of smart mobility includes the need to support all forms of mobility for all types of application, across heterogeneous radio systems in the same or different administrative domains, without interruption as the user moves around, and with the ability of the user to move into, and use, different operators’ networks. Achieving this requires that the network be able to determine a mobile device’s current location and use that information to deliver packets to the device. At the same time it must be capable of handing over from one network attachment point to another, including the ability to roam and use different operators’ networks. In providing this functionality, the network provider must be able to determine whether users are permitted to use its network or a specific service provided by the network. This involves authenticating the identity of the user, verifying the user’s authorization and gathering information on the resources used by the user.

The common workplace implementation of smart mobility is the concept of Bring Your Own Device (BYOD). It has inherent benefits to the organization in terms of flexibility, responsiveness and accessibility, while at the same time introducing complications as a result of the wide range of mobile vendors and operating environments which IT must now support. It also becomes difficult for IT to mitigate the risk of unsecured personal applications gaining unsecured access to corporate data. To some extent these risks can be mitigated by requiring such devices to be registered in order to ensure virus protection, device authentication and encryption where required. Some organizations will only allow the installation of applications which have been authorized by the firm, despite the fact that the device does not belong to the organization. In many cases IT reserves the right to monitor all usage of mobile devices within the organization. Mobile devices come with their own set of concerns, including malicious threats, lost or stolen devices (70,000,000 smart phones were lost or stolen in 2011 but only 7% were recovered),61 uncontrolled application portfolios and users who are casual in their attitude to security on their own devices. Mobile computing should not be seen as always, or even often, detrimental to the organization. Smartphone applications facilitating self-service mobile transactions allow existing customers access to organizational functionality, while non-customers can obtain insurance quotes and prices from comparison shopping sites, as well as locate shopping venues and restaurants.
This can permit the organization to gain competitive advantage through the placement, flexibility, consumer appeal and prioritization of the applications. In addition to interfacing with consumers and customers, employees increasingly seek mobile support from the organization in order to achieve cost and performance objectives. With increasing numbers of employees working away from the head office environment, mobile connections via laptops, personal digital assistants (PDAs), mobile phones and tablets can give flexible access to business processes. Naturally, in this environment, one of the IT auditor’s key concerns is the adequate protection of information both on mobile devices and in transit, to ensure confidential business information is not lost or stolen. In addition, the consistency and accuracy of information held on mobile devices requires effective real-time synchronization.

Social Media

Social media is a generic term for the various forms of user-generated content and the collection of websites and applications enabling people to interact and share information online. Generally, these can be categorized into:
➤➤ Social networking sites [Facebook, Twitter, Myspace]
➤➤ Blogs [Wordpress]
➤➤ Video sharing sites [YouTube]
➤➤ Photo sharing sites [Flickr]
➤➤ Crowdsourcing [Wikipedia]
➤➤ User reviews [Amazon, Yelp]
➤➤ Streaming sites [Ustream]
➤➤ Social bookmarking [Digg, del.icio.us].

Social media can be a powerful tool for businesses, enabling them to find customers and build clientele by introducing the organization’s brand on an international basis. E-marketing is a rich source of new customers, reachable globally in a manner hitherto unimagined. In addition to reaching new customers, the potential to influence buyer behavior via electronic marketing, by leveraging the information base of existing purchasing behavior, is enormous. One of the most culture-changing trends in e-business is the integration of social media across all business activities. The use of social media strategies for marketing, sales and service across the enterprise can not only increase market awareness of an organization’s products and services but can also provide valuable feedback on customer experience and branding. The use of technology such as Twitter is now fully recognized as a means of rapid deployment of information to consumers in matters ranging from one-day price reductions to early warning of severe weather, depending on the nature of the organization. From a small business perspective, professional blogging, used as a corporate tool for communicating with customers or for employees to share knowledge and expertise, works well for knowledge workers such as consultants. Once again, exposure of this nature introduces its own risks, such as opportunities for malicious action against systems and information and the exposure of sensitive or private information. In many job applications these days, human resource departments research applicants on social media websites to evaluate their fit with the corporate culture. Before a social media posting is made, it is wise to consider the following questions:
➤➤ Will this post or picture cause a problem for me in the long term? (this has caused recent problems with disclosed celebrity photographs)
➤➤ Would I make this comment in front of my mother? (aggressive or insulting Tweets have led to lawsuits)

In order to support responsible use, most social media sites offer the user two privacy modes:
➤➤ mostly open, where the default sharing mode is public and the individual user must choose to keep their content private; and
➤➤ mostly closed, where the default mode is private and the individual user must choose to share content.

Some rules of thumb for achieving appropriate personal privacy include:
➤➤ Do not Friend or Connect with people you have not met in person or do not know well.
➤➤ Reject Friend requests and Connections where there is no way of tracing the individual who has made the request and confirming their acceptability.
➤➤ Limit your overall visibility on services.
➤➤ Be mysterious.
➤➤ Keep your software and settings up to date with the latest security patches.
➤➤ Think before you Tweet.

61. Global state of insecurity survey, 2012, PriceWaterhouse Coopers.


Advanced Persistent Threats and Targeted Cyber Attacks

Advanced Persistent Threat (APT) is a term coined by the US Air Force in 2006 to describe planned, sophisticated, determined and co-ordinated attackers targeting governmental and large organizational networks. Unlike conventional hack attacks, this type of threat is classified as:
➤➤ Advanced, where the attacker adapts to defenders’ efforts with a far higher level of sophistication and may develop or purchase zero-day exploits. These exploit previously unknown vulnerabilities for which the developers have not had time to release a patch. Once the patch is available it is no longer classed as a zero-day exploit.
➤➤ Persistent, where the attacks are objective-driven and specific and will continue until the goal is achieved. Normally such attacks seek to maintain long-term connectivity for the attacker.
➤➤ Threat, where the threat is typically not the attack itself but the entity behind the attack.

APTs have originated in nation states as well as organized crime groups, and hacktivist groups have also had APTs traced to them. The objectives of such attacks depend on the groups or individuals attacking. From a political perspective, APTs may be used for suppression of a nation’s own population to maintain stability. Militarily, APTs may be used to identify weaknesses that allow inferior military forces to defeat superior ones by exploiting network weaknesses. From a criminal perspective, gaining illicit competitive advantage or the theft of intellectual property are common objectives. Frequent targets of hacker groups are software houses, where the objective is to obtain source code for further exploit development, either for their own use or for sale to other APT groups.
Generally, such attacks are specifically designed to bypass known anti-virus and anti-malware software and take the form of low and slow attacks designed to move across networks without attracting attention. Such attacks commonly follow a seven-step process:
1. Reconnaissance across public web pages from which targets’ contact information may be extracted and subsequently used in targeted social engineering attacks.
2. Initial intrusion into the network, including spoofed e-mails with attachments or links to zip files containing software exploits or malware. Such attacks are commonly carried out overnight (US time).
3. Establishing a back door to retain long-term access into the network. If attackers can obtain domain administrative credentials, they can use these to move laterally through the network, establishing multiple back doors with different configurations. Malware introduced with this level of authority can modify system registries and use legitimate users’ credentials to blend in with normal network traffic.
4. Obtaining users’ credentials through use of the administrative access rights. In this manner attackers can obtain user accounts and password hashes in volume.
5. Installing various utilities to extract information, dump passwords, extract e-mails from servers and perform other malicious tasks. Once installed, these utilities may lie dormant for anything from a few days to a year or more.
6. Privilege escalation with lateral movement through the network and data exfiltration. By using the rights of authentic, authorized users, firewalls can be traversed as legitimate system users.
7. Maintaining persistence: since such attacks will eventually be identified and remediation steps taken, the remediation itself will be detected by the attackers, with a corresponding increase in the sophistication of their malware and attempts to gain additional footholds.

For certain large-scale corporations and for government functions, hardening systems against APTs is essential, but for many smaller organizations taking the appropriate steps to prepare for and detect such attacks also makes sense. Such hardening takes the form of ensuring robust logging is in place, with servers and workstations running the latest security patches and with users ensuring that their credentials are hard to crack. The conventional information security approach is to attempt to protect all information assets equally. The advanced approach to control coverage is to identify the most important assets and focus protection efforts in those areas. Preventive controls such as firewalls and antivirus software are still essential; however, monitoring and data analytics used as detective controls are also critical against this form of attack. Overall security has moved from the concept of perimeter defense, where an outside barrier identifies and authenticates the user, to a data-centric approach with controls focused where the threat would be most damaging. Both IT and audit must develop a deep understanding of the organization’s key assets and the IT environment surrounding them. This will allow appropriate research on attackers’ chosen targets, modus operandi and malware commonly in use.
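The detective control that the hardening paragraph calls for (robust logging plus monitoring and data analytics) can be illustrated against steps 3 to 6 of the seven-step process above. The following is an added example, not code from the book. It runs over a handful of constructed Windows-style logon records (timestamp, account, source host, target host, logon type) and flags two of the patterns the process describes: one account authenticating to many distinct hosts within a short window, which is what captured credentials being replayed host-to-host looks like in a log, and a privileged account making network logons outside business hours, matching the overnight activity noted at step 2. The log format, the thresholds, the host and account names and the list of privileged accounts are all assumptions chosen for the example.

```python
"""Detective analytic for the lateral-movement phase of an APT.

Added illustrative example, not from the book. The log format, host and account
names, thresholds and the privileged-account list are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed logon records: timestamp|account|source_host|target_host|logon_type
# (logon type 3 = network logon, 10 = remote interactive, following Windows usage).
SAMPLE_LOG = """\
2015-04-16T09:02:11|jsmith|WS-014|FS-01|3
2015-04-16T09:15:40|jsmith|WS-014|MAIL-01|3
2015-04-16T02:11:05|svc-backup|WS-031|FS-01|3
2015-04-16T02:12:19|svc-backup|WS-031|FS-02|3
2015-04-16T02:13:02|svc-backup|WS-031|DC-01|3
2015-04-16T02:13:44|svc-backup|WS-031|APP-07|3
2015-04-16T02:14:30|svc-backup|WS-031|HR-DB|3
2015-04-16T02:15:12|svc-backup|WS-031|FIN-DB|3
2015-04-16T10:30:00|admin.lee|ADM-JUMP|DC-01|10
2015-04-16T23:45:07|admin.lee|WS-022|FIN-DB|3
"""
PRIVILEGED = {"admin.lee"}     # assumed list of domain-admin accounts


def parse_log(text):
    """Parse the pipe-separated records into dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, account, src, dst, ltype = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "source_host": src, "target_host": dst, "logon_type": int(ltype)})
    return sorted(events, key=lambda e: e["ts"])


def detect_fanout(events, window=timedelta(minutes=10), threshold=5):
    """Flag an account whose network logons reach >= threshold distinct hosts
    inside a sliding time window: the signature of credentials being replayed
    host-to-host (steps 3 and 6). One alert per account, at first detection."""
    recent = defaultdict(deque)      # account -> (ts, target) within the window
    alerts, alerted = [], set()
    for e in events:
        if e["logon_type"] != 3 or e["account"] in alerted:
            continue
        q = recent[e["account"]]
        q.append((e["ts"], e["target_host"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        targets = {t for _, t in q}
        if len(targets) >= threshold:
            alerts.append({"account": e["account"], "at": e["ts"],
                           "source_host": e["source_host"], "targets": sorted(targets)})
            alerted.add(e["account"])
    return alerts


def detect_offhours_privileged(events, privileged, start_hour=7, end_hour=19):
    """Flag network logons by privileged accounts outside business hours."""
    return [e for e in events
            if e["account"] in privileged and e["logon_type"] == 3
            and not start_hour <= e["ts"].hour < end_hour]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for a in detect_fanout(evts):
        print(f"FAN-OUT {a['account']} from {a['source_host']} at {a['at']}: {a['targets']}")
    for e in detect_offhours_privileged(evts, PRIVILEGED):
        print(f"OFF-HOURS {e['account']} {e['source_host']} -> {e['target_host']} at {e['ts']}")
```

Two caveats belong with a rule like this. The thresholds have to be baselined against the environment, since a backup service account that legitimately touches many servers each night will trip the fan-out rule unless it is allow-listed with its expected source host. And the analytic is only as good as the log feed: an attacker holding domain administrative credentials can clear a workstation's local log, so the records must be forwarded to a central store the attacker cannot edit before they are relied on as audit evidence.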


SECTION 6

Fraud and Forensic Auditing


CHAPTER 34

Fraud Auditing

Learning objectives After studying this chapter, you should be able to:

➤ Outline briefly the definitions and concepts underlying fraud, irregularities, waste and abuse
➤ Explain the role of forensic accountants and other outsiders
➤ Understand the profiles and motivators of fraudsters
➤ Differentiate between fraud, waste and abuse
➤ Recognize likely fraud indicators and red flags

Fraud Detection and Identification

IIA Practice Advisory 1210.A2-2: Responsibility for fraud detection provides guidance as to the respective responsibilities of management for establishing and maintaining effective systems of control to prevent fraud and, should it occur, to detect fraud and take action against those responsible. The practice advisory also provides guidance as to the responsibilities of an internal auditor in such circumstances. ‘Management has a responsibility to establish and maintain an effective control system at a reasonable cost. To the degree that fraud may be present in activities covered in the normal course of work as defined above, internal auditors have a responsibility to exercise due professional care as specifically defined in Standard 1220 with respect to fraud detection. Internal auditors should have sufficient knowledge of fraud to identify the indicators that fraud may have been committed, be alert to opportunities that could allow fraud, evaluate the need for additional investigation, and notify the appropriate authorities.’

Further guidance as to an internal auditor’s responsibilities for the identification of fraud is set out in IIA Practice Advisory 1210.A2-1: Identification of Fraud. ‘Internal auditors are responsible for assisting in the deterrence of fraud by examining and evaluating the adequacy and the effectiveness of the system of internal control, commensurate with the extent of the potential exposure/risk in the various segments of the organization’s operations.’

The Context of Fraud

White-collar criminals are making their fortunes in Africa and around the world, with many of them evading discovery and continuing to drain the lifeblood of companies and governments for long periods of time.


Virtually any form of dishonest behavior can be classified as fraud in one form or another. Under private law, fraud involves a false statement or a deliberate omission intended to induce someone to rely upon it to his or her prejudice. Where it can be shown that a contract was entered into because of a fraudulent inducement, the contract can be set aside and the victim of the fraud may also be able to recover any damages suffered in an action in delict. In criminal law, the same conduct would result in criminal prosecution. In South Africa, courts have ruled that the offense of fraud need not require a specific individual to be prejudiced. As such, it is not necessary that a victim be established for the police to secure a conviction; potential prejudice will be sufficient. Many auditors confuse fraud and internal theft. The most significant difference is that frauds are always planned, while thefts may be planned or unplanned. Theft tends to be an opportunistic crime, occasionally arising out of genuine need. Frauds usually arise out of greed and must be concealed for the fraud to continue. Fraud in South Africa is deemed to occur when the following elements exist:
➤ An untrue representation about a material fact or event is intentionally made by an individual or an organization.
➤ Such an untrue representation is believed by the person or organization to whom the representation was made.
➤ The victim relies on the untrue representation and acts upon it.
➤ The victim suffers the loss of property and/or money as a result of acting upon or relying on the untrue representation.

Fraud may be carried out for the benefit of an individual or an organization. The benefits or gains made as a result of fraud carried out by an individual may be direct, such as the receipt of property or money, or indirect, in the form of bonuses, promotion, power or influence.
When fraud is carried out by an individual acting on behalf of an organization, the benefits are normally direct and take the form of financial gain. Business fraud is then taken to be any business activity in which deceitful practices are resorted to by an organization, or a representative of an organization, with the intent to cause economic injury or deprive another of property or other entitlements. Over the years, South Africa has seen a variety of fraudulent activities. Common types are discussed below.

Misrepresentation of Material Facts

In this category, the fraudster makes false statements or false claims, or deliberately misstates material facts, to persuade someone to part with money. To prove misrepresentation of material facts, an auditor must prove ‘intent’, which may not be easy.

Concealment of Material Facts

Here, the perpetrator must have knowledge of the fact, have concealed a material fact, have had a duty to disclose and have intended to mislead or deceive the other party. Once again, proving ‘intent’ may prove difficult.


FRAUD AUDITING

Larceny

In this category, the perpetrator must have taken or converted the property of another without the consent of the owner, with the intent to permanently deprive the owner of its possession.

Obtaining Fraudulent Loans

A common methodology of fraudsters is obtaining loans by using fake references, with no intention of repaying them. All references should be viewed with healthy scepticism. Fake references tend to be highly complimentary to the person or organization seeking finance. A common technique for the fraudster is to provide a contact telephone number for a specific person who should be asked to provide the reference sought. If individuals are contacted, those seeking confirmation must ensure that the person giving the reference actually works for the referee company and has the authority to give such a reference. Trade references have, in the past, been ‘given’ by non-existent companies, and care should be taken to check that such businesses actually exist.

Unsolicited Orders

Where an organization carries out most of its business through a normal sales force, customers who approach the organization with unsolicited orders may be a source of concern. ‘Golden opportunity’ may be a catch phrase to trap the unwary company and lead it into providing assets with little hard information about the customer and the company to which the assets have been provided. Sudden, unexpected, urgent orders can be used to create a willingness to cut corners in the checks and balances normally carried out, in order to land a large new customer. Such urgency, particularly on credit, may indicate a higher risk. Even if the customer is known, many fraudsters first establish their credibility by placing small orders, which are paid for on time. Once credibility is established, larger orders are placed with no intention of ever paying for them.
Advance Fees

This type of fraud involves the offering of services that require an up-front payment in order to cover costs. The fraudster then disappears with the advance fee. Many such frauds in South Africa have involved offering the transfer of funds from another country with currency restrictions. The victim is offered a commission to be the recipient of funds with no risk to him- or herself. The fraudster may offer official-looking documentation confirming that such funds are available and will be paid. All that is required is the payment of an amount to cover initial expenses (always much smaller than the commission to be paid). Unfortunately, the fraudster does not have such funds available, and therefore the victim, in order to obtain the commission, will be asked to cover the initial expenses. Once the money has been handed over, the fraudster disappears, together with all traces of the officials who confirmed that the money was available.


Bribery

Bribery can be defined as the giving, receiving, offering or soliciting of any ‘thing of value’ in order to influence an official in the performance of, or failure to perform, the lawful duties of that official. It may include soliciting the commission of any other type of fraud or the influencing of an official to carry out any act that violates the lawful duty of that official. Under such circumstances, bribery defrauds the employer of that official of the right to honest and loyal service by an employee. Such bribery may include giving, receiving, offering or soliciting a ‘thing of value’ because of an official act that has already taken place. In the case of commercial bribery, the offense is the same, but the intent is to influence some business decision without the organization’s knowledge or consent.

Theft of Trade Secrets

The perpetrator must have possessed information valuable to the business that was to be treated confidentially, and have breached the confidential relationship by improper means. This is a particular problem in the perfume, drug and chemical industries, where formulae are critical to business survival and competitiveness; in fashion design; and in branded food products, such as Coca-Cola™. Similarly, secrecy often surrounds the development of new software and operating system programs.

Conflicts of Interest

Closely allied to bribery is conflict of interest. When an organization or person acting on behalf of another organization or individual has, or appears to have, a self-interest in the activity or a hidden bias that is potentially detrimental to the interests of the party being represented, and such bias is not made known to the represented party, a conflict of interest has occurred. Should such a conflict of interest result in a loss to the represented party, a fraud has taken place.
In the public sector, laws exist that prohibit conflicts of interest in government employees and those doing business with the government. In the private sector, conflicts of interest may not be a criminal offense as such, although the results may be deemed to be unjust enrichment and therefore a criminal offense.

Breach of Fiduciary Duty

When a person who is employed by, and has a duty to, an organization or another individual acts in a manner not in the best financial interests of that organization or individual, a breach of fiduciary duty has occurred. This is not a criminal offense but is regarded as a civil matter. As such, the burden of proof required is not as onerous as for criminal fraud and it is normally unnecessary to prove wrongful intent.

Embezzlement

Embezzlement entails the fraudulent conversion of personal property by the person in possession of that property, where the possession was obtained as a result of trust placed in the embezzler.


False Claims

A false claim fraud occurs when a person knowingly and intentionally makes a false or fictitious representation, or falsifies a material fact, which results in financial loss to the victim to whom the false representation was made.

Extortion

The obtaining of something from an individual or organization through the use of actual or threatened force or fear, including fear of an official’s office or fear of an economic loss, is classified as extortion.

Conspiracy

Conspiracy occurs where there is intent that a crime be performed and there is an agreement with another person or persons to engage in that crime, and where one of the conspirators commits an overt act to further the conspiracy.

Lapping

Lapping involves the use of funds received in payments to conceal a theft of cash. The fraudster will initially steal funds offered in payment of a debt. To conceal the initial theft, a subsequent payment by a second party is used to make good the shortage resulting from the original theft. Payment from a third customer is used to cover the second shortage, and the process continues.

Kiting

Kiting is made possible when a financial institution permits the withdrawal of funds from an account based on deposits of cheques that have not yet cleared. Under such circumstances, the funds may be in transit or they may, in fact, be non-existent. Money or goods are obtained from legitimate sources by writing cheques against the non-existent balances. By continuously ‘kiting’ cheques drawn against non-existent balances from bank account to bank account, the fraud continues.

Fraudulent Affiliations

In order to establish credibility, a fraudulent company may often claim an association with a well-known and legitimate company. This may take the form of pretending to be a branch or subsidiary of an existing and well-known organization. Company names that resemble well-established brand names should be treated with suspicion.
Impressive trade names implying stature or international status may also be misleading. Claims of overseas offices or foreign ownership, which is difficult to confirm, are also popular. With the intense competition that businesses have been subjected to over recent years, there is pressure on all parties to move quickly, get the big order or get new cus­ tomers. This pressure leads to the cutting of corners and the elimination of controls, which make it easier for the fraudster to exploit the organization’s vulnerability.


Frauds often come to light as a result of an allegation from a third party regarding misconduct on the part of the organization or an officer of the organization. In many cases, such allegations are anonymous and there is a temptation to ignore them, since to deal with them would require an uncomfortable decision. Other frauds are detected when significant changes to profitability, market share or cash flow are observed. Some frauds are noticed purely by accident when someone is looking for something else.

Red Flags for Fraud
In many cases, investigation of fraud reveals an underlying failure of management supervision and poor execution of company policies and procedures. People tend to follow their role models, and studies have indicated that fraud is more likely to occur under management that is unethical or incompetent. Fraud should also be suspected when an organization’s salaries are lower than those of competitors. Reward structures based on short-term goals, dictatorial management in a power-driven environment and constant crisis management are breeding grounds for fraud. Where individuals are in positions of power to award lucrative contracts, or where they handle large amounts of cash without adequate supervision, fraud may also arise.
Managers who play one subordinate off against another and seek personal loyalty without giving it may also create an environment in which fraud is probable. Such managers often prefer informal procedures to formal, laid-down policies, since they usually feel exempt from the rules and override them with impunity.
Red flags may also be seen within individual business processes which should alert the auditor to the possibility of fraud occurring. Once again, what should be emphasized is that these red flags are only indicators of possible fraud and do not guarantee that a fraud is taking place.

Payroll
Indicators in this area may include high volumes of manually prepared statements; major movements in total payroll or overtime not justified by increases in business activity; easy access to payroll records, negotiable documents or electronic funds transfer systems; and sudden decreases in staff turnover within a business area.

Cash Handling
Red flags for possible fraud opportunities could include lack of segregation of duties over the receipt of cash, bank deposits and posting into customer accounts; lack of adequate safeguards over the physical storage of cash; infrequency of bank deposits; persistent shortages in cash itself; and excessive volumes of voided transactions.

Purchasing
Potential fraud indicators here could include the volume of purchases from sole vendors; buyer turnover; occurrences of missing or duplicate purchase order numbers; unusual purchases in terms of the nature or value of the items; and abnormal rises in the volumes or prices of routinely purchased items.


Accounts Payable
Accounts payable involves monetary disbursements and is a favorite target for fraudsters. Red flags here which could draw the auditor’s attention to potential fraud could include: remittance addresses or bank accounts matching employee addresses or bank accounts; recurring amounts from the same vendor just below an authorization level; sequential invoice numbers from the same vendor; lack of segregation of duties over the processing of accounts payable invoices, authorization of payment and execution of payment; inadequate authorization over changes to vendors’ records; lack of authorization documentation for payments; unauthorized credit adjustments for a specific vendor; comparatively new vendors with slowly increasing credit utilization followed by a sudden increase that exceeds the credit limit; paid invoices not properly cancelled; and easy access to negotiable documents or electronic funds payment systems.

Accounts Receivable
In the same way as a fraud can be carried out where money leaves the organization, manipulation of debt owed to the organization can equally lead to fraud. Red flags here could include inadequate segregation of duties between the processing of accounts receivable, recording the movements and recording the payment receipts; excessive movements in the allowances for bad debts; inadequate controls over credit note processing; and inadequate reconciliation of accounts receivable activity.
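Several of the accounts payable red flags above can be screened for automatically. The Python script below is an added example, not code from the textbook: it runs three of the listed screens (vendor remittance details matching employee details, recurring amounts just below an authorization level, and sequential invoice numbers from one vendor) over constructed sample records; the 10 per cent band and the minimum count of three are assumptions to be tuned per organization.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    emp_id: str
    address: str
    bank_account: str


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    remit_address: str
    bank_account: str


@dataclass(frozen=True)
class Invoice:
    vendor_id: str
    invoice_no: int
    amount: float


def normalize(text: str) -> str:
    """Strip case, spacing and punctuation so 'ACC-1001' and 'acc 1001' compare equal."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def vendor_employee_matches(vendors, employees):
    """Red flag: a vendor's remittance address or bank account matches an employee's."""
    by_address = {normalize(e.address): e.emp_id for e in employees}
    by_account = {normalize(e.bank_account): e.emp_id for e in employees}
    flags = []
    for v in vendors:
        if normalize(v.remit_address) in by_address:
            flags.append((v.vendor_id, by_address[normalize(v.remit_address)], "address"))
        if normalize(v.bank_account) in by_account:
            flags.append((v.vendor_id, by_account[normalize(v.bank_account)], "bank_account"))
    return flags


def below_threshold_recurrences(invoices, limit, band=0.10, min_count=3):
    """Red flag: recurring amounts from one vendor just below an authorization level.
    'Just below' is taken here as within `band` (10 per cent) of `limit`; both the
    band and the minimum count are assumptions, not figures from the textbook."""
    counts = defaultdict(int)
    for inv in invoices:
        if limit * (1 - band) <= inv.amount < limit:
            counts[inv.vendor_id] += 1
    return sorted(v for v, n in counts.items() if n >= min_count)


def sequential_invoice_vendors(invoices, min_run=3):
    """Red flag: an unbroken run of sequential invoice numbers from the same vendor,
    which suggests the organization is that vendor's only customer."""
    numbers = defaultdict(set)
    for inv in invoices:
        numbers[inv.vendor_id].add(inv.invoice_no)
    flagged = []
    for vendor_id, nums in numbers.items():
        ordered = sorted(nums)
        if len(ordered) >= min_run and all(b - a == 1 for a, b in zip(ordered, ordered[1:])):
            flagged.append(vendor_id)
    return sorted(flagged)


def screen_accounts_payable(vendors, employees, invoices, limit):
    """Run all three screens and return the findings for the auditor's follow-up."""
    return {
        "vendor_employee_matches": vendor_employee_matches(vendors, employees),
        "just_below_limit": below_threshold_recurrences(invoices, limit),
        "sequential_invoices": sequential_invoice_vendors(invoices),
    }


# Constructed sample data (hypothetical identifiers, not from the textbook).
EMPLOYEES = [
    Employee("E1", "12 Oak Street, Springs", "ACC-1001"),
    Employee("E2", "7 River Road, Benoni", "ACC-1002"),
]
VENDORS = [
    Vendor("V100", "12 Oak Street, Springs", "ACC-3000"),   # address matches E1
    Vendor("V200", "55 Main Road, Boksburg", "ACC-2002"),
    Vendor("V300", "9 Mill Lane, Nigel", "acc 1001"),       # bank account matches E1
]
AUTHORIZATION_LIMIT = 5000.00
INVOICES = [
    Invoice("V100", 1021, 1200.00), Invoice("V100", 1187, 3400.00), Invoice("V100", 1333, 800.00),
    Invoice("V200", 501, 4950.00), Invoice("V200", 502, 4900.00),   # V200: sequential numbers
    Invoice("V200", 503, 4980.00), Invoice("V200", 504, 4990.00),   # and amounts just under 5000
    Invoice("V300", 88, 4999.00), Invoice("V300", 91, 4999.00),     # only two hits: below min_count
]

if __name__ == "__main__":
    for screen, hits in screen_accounts_payable(VENDORS, EMPLOYEES, INVOICES, AUTHORIZATION_LIMIT).items():
        print(f"{screen}: {hits}")
```

A hit from any screen is an indicator to investigate, not proof of fraud, exactly as the text says of red flags generally.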

Personal Fraud Indicators
Individuals involved in frauds often display characteristics that indicate a willingness to commit frauds. These characteristics, when coupled with a corporate environment conducive to fraud, create a breeding ground for fraud. Fraud is often indicated by the presence of one or more of the following characteristics.
➤ Gambling: Where managers are known to be frequent gamblers, care should be taken to ensure that the gambling is not being funded from corporate resources.
➤ Unusual expenses: A common method of covering up the existence of fraud is the posting of expense claims. Unusual patterns or values of such claims should be treated as suspicious.
➤ Extravagant living standards and conspicuous consumption: The desire to live a lifestyle that is out of financial reach can be a powerful inducement to fraud. Fraud-prone managers are often conspicuous consumers. Financial success and its trappings are important to their self-images. Impulsive by nature, they find it difficult to postpone gratification and wait for what they feel should be theirs now. Many fraudsters are hard workers who compensate their families with material things because of their hours away from home. Where an individual in a position of authority over the disposition of corporate funds is known to lead an extravagant lifestyle, suspicions should be aroused.
➤ Sexual promiscuity: Sexual promiscuity may be an expensive habit for an individual with a known and fixed income. Such expenses must then be funded out of corporate funds in order to conceal the activity.
➤ Undesirable associates: An individual outside an organization may encourage an employee to participate in a fraud. For example, a manager may be able to sign off on fraudulent documents submitted by the outside conspirator.


➤ Poor social skills: Many fraud-prone managers are self-centered in relationships both at work and at home. This attitude may lead them to treat subordinates as objects to be exploited rather than as valued employees, and leads to their being disliked by business associates and competitors alike.
➤ Extravagant with the truth: Fraud-prone managers are often careless with facts and may boast of their personal achievements while ignoring the contributions of others. Such managers commonly treat opposition as betrayal and react with a hostility that can ruin working relationships.
➤ Substance abuse: Managers involved with fraud may also be heavily involved with drug and alcohol abuse. Such extravagances have to be paid for and may be beyond the manager’s means without ‘assistance’.
Generally, studies of executives involved in fraud indicate a typical profile as a male, 35 years of age, who is married and has two children. He has been employed by the organization for about nine years and did not start the fraud until he had worked with the organization for six years.

Triggering Events
What causes a trusted employee to begin fraudulent activity varies, but most commonly it is an emotional trauma in the individual’s life involving home, work, marriage or some other aspect. This affects the person’s behavior pattern and may well be noticed by his/her colleagues. The manager may assume responsibility for a single client or a specific task, which he jealously guards as he continues the fraud. Where the change involves heavy drinking, gambling, an expensive social life or extra-marital sexual activity, a pattern of lies and deceptions may emerge. Such deceptions are frequently believed because the individual has given long and honest service before the fraud actually begins.
Most frauds are caused by a lack of internal controls. However, in many cases, the controls are there, but are not being adhered to and management is not policing them.

Fraud Prevention
The biggest deterrent to fraud is not controls, but rather the perception of detection. Ultimately, the best control may be for an organization to demonstrate its willingness and ability to catch and punish offenders. This increases the offender’s belief that he/she will be caught, which is the strongest of all fraud deterrents.
In an ideal world, the responsibility for the prevention and detection of fraud would rest solely with management, while the resolution of fraud would be seen as the responsibility of the forensic auditor. To understand the difference between an auditor and a forensic auditor, one needs to understand the fundamental difference between auditing and forensic audit.

The Role of a Forensic Auditor
Forensic auditing may be defined as the methodology for resolving fraud allegations from inception to disposition with sufficient proof to prove or disprove allegations of fraud. This includes obtaining evidence, taking statements, writing reports, testifying to findings, and the detection and prevention of fraud.

Table 34.1: Common types of fraud

Type of Fraud: Cash schemes (occur frequently but rarely material)
Form of Detection:
➤ bank reconciliation
➤ cut-off bank statements
➤ surprise cash counts
➤ investigation of customer complaints
➤ review of journal entries
➤ review of sales/cash trends

Type of Fraud: Accounts receivable schemes
➤ lapping
➤ fictitious receivables
➤ charge-offs
➤ personal borrowing
Form of Detection:
➤ accounts receivable confirmations
➤ cut-offs
➤ trend analysis on written-off accounts
➤ matching deposit dates

Type of Fraud: Inventory fraud schemes
➤ theft
➤ misappropriation
➤ scrap sales
Form of Detection:
➤ missing documents
➤ physical counts
➤ analytical review

Type of Fraud: Purchasing fraud schemes
➤ fictitious invoices
➤ overbilling
➤ cheques paid to employees
➤ conflict of interest
Form of Detection: Analytical review for:
➤ timing of bids
➤ pattern of bids
➤ amount of work
➤ pattern of new vendors
➤ matching addresses
➤ lack of street addresses on invoices

Type of Fraud: Payroll schemes
➤ ghost employees
➤ overtime abuses
➤ withholding taxes
Form of Detection:
➤ independent payroll distribution
➤ cash flashing around
➤ matching addresses

The goals of a forensic auditor are then to:
➤ obtain a legal confession (if an accused is guilty, it is the forensic auditor’s objective to obtain a binding confession of guilt, which is legally admissible); and
➤ individually prove each element of fraud, including the intent, disguise of purpose, reliance by the victim and concealment of the offence.

Responsibilities for Fraud Detection and Prevention
The role of an auditor is to assist management in establishing a control environment in which fraud is unlikely to occur, but if it does occur, it will be quickly detected.


The approach of a forensic auditor is the resolution of fraud with sufficient proof to prove or disprove allegations of fraud. Forensic auditors must presume that all cases will eventually end up in litigation. A forensic auditor cannot conduct a forensic audit without credication, that is, just cause or a valid reason to suspect that a fraud has occurred. Credication may be defined as that set of circumstances that would lead the prudent, reasonable and professionally trained person to believe that a fraud has occurred, is occurring or will occur. Credication normally comes from a tip-off, but can also come from analytical data, eg, for a retail company, a dramatic increase in the value of refunds or voids, or a sudden decrease in the turnover figures. This can give credication to a forensic auditor to conduct a forensic audit. In recent years, with the advent of fraud ‘hot lines’, tip-offs have become the biggest single source of fraud allegations.
A forensic audit must exclude any other possibility, eg that a mistake or error has been made. To achieve this, forensic auditors often employ a concept called ‘reverse proof’. This means that, in order to prove that an allegation of fraud has occurred, part of the proof must include attempts to prove that a fraud has not occurred, and vice versa. Both sides of an allegation must be examined.
In addition to technical auditing skills, forensic auditors must have the following abilities:
➤ to elicit facts from witnesses in a fair, impartial and lawful manner;
➤ to report the results of a forensic audit accurately and completely;
➤ to be part accountant, part investigator and part criminologist; and
➤ to deal effectively with people, professionally, empathetically and thoroughly.
A forensic audit normally begins with the examination of documentary evidence, before progressing to meetings with neutral third-party witnesses. The forensic auditor will then interview corroborative witnesses and subsequently suspected co-conspirators. Finally, the forensic auditor will approach the target.
In the case of allegations of kickbacks from a supplier, a neutral third-party witness could be the personnel manager. A co-worker could be a corroborative witness. A co-conspirator would be the supplier. The accused would be the staff member against whom the allegations were made. The target or accused should always be interviewed last, once all the ‘facts’ are obtained.

Fraud Prevention
The vast majority of internal frauds are discovered by accident rather than by plan. Internal auditing is not designed to detect fraud, but to help managers to create an environment in which fraud is unlikely to occur, but will be swiftly detected if it does. The first defence against fraud is the hiring of the right person for a position, and this normally falls to human resource professionals. A human resources professional identifies the skills required to complete the job successfully; assesses the personality of co-workers, juniors and supervisors; and then begins searching for the right candidate. If this is done effectively, the applicant will have the skills and personality to do the job; however, whether the successful applicant is honest, honest so far, or just not caught yet, remains unknown.


Fighting Corruption
Corruption in all shapes and forms has a corrosive impact on both local and overseas market opportunities, as well as the broader business climate. From the individual piracy of DVDs or branded-name products to a worst-case scenario where it may deter foreign investment, stifle economic growth and sustainable development, distort prices, and undermine legal and judicial systems, corruption is a problem in international business transactions, economic development projects and government procurement activities. Developing a comprehensive anti-corruption compliance program may limit an organization’s risk and help protect an organization’s reputation and long-term survival.
An effective corporate anti-corruption program is one that ultimately yields the intended results of education, detection and deterrence. For such a program to be effective, the full support of executive management is necessary, since the program must be enforced at all levels. If executive management do not take corruption seriously, then neither will employees.

Codes of Conduct
A corporate code of conduct consists of a clear set of legal and ethical guidelines for employees to follow. Such a code must exist in writing, be promulgated to all employees and be understood by all involved. It may be necessary to translate the code of conduct into the home languages of the employees, to make sure they understand it fully. To be effective, penalties for violation must be clear and the code must be effectively implemented and enforced at all times. Such a code is a directive control and therefore not 100 per cent effective. Nevertheless, a comprehensive and understood code of conduct may significantly reduce the likelihood of misconduct by employees.
A compliance program may be instituted and run by either an individual or a team of compliance officers, depending on the size and nature of the business. Compliance officers and committees can be essential in producing and maintaining codes of conduct, as well as in educating employees on compliance procedures. The overall success of a code of conduct depends on the provision of legal and ethics training and the creation of a culture of integrity. As such, regular ethics training programs are required for all management and employees, from executive management down through the hierarchy.
Violations of the code should be reported, but many employees are reluctant to report wrongdoing, either because of fear of reprisals or, more commonly, because they do not know who to report it to. It is critical that employees have a clear and known line of communication that they can use to report wrongdoing, anonymously if they prefer. Where fear of reprisals exists, an organization must be at pains to protect whistleblowers who are prepared to expose themselves for its benefit. Suggestion boxes or anonymous ‘hot-lines’ make the reporting of questionable conduct easier.
Many employees, influenced perhaps by television amateur sleuths, are under the impression that wrongdoing cannot be reported unless the employee has ‘solved the case’ and has incontrovertible proof. This belief must be overcome and employees encouraged to report their suspicions so that professional investigators may find proof that will stand up in court.


Another common reason for non-reporting is the belief that nothing will be done or, indeed, that nothing can be done. Feedback should be publicly given as to actions taken as a result of tip-offs. This, in turn, will encourage the ongoing reporting of violations of the code. Such violations need not be restricted to fraudulent activity, but may also include racism, sexual harassment or other illegal or unethical behavior.
Enforcement of the code of conduct is critical. Creation of a strong code with weak enforcement may prove worse than not having a code at all. Employees effectively have it pointed out to them that, while the company officially frowns on such behavior, it is prepared to turn a blind eye to it.
Organizations may also have to provide guidance and assistance to employees after a fraud has been uncovered. Innocent employees may need advice on how to cope with and resolve stressful situations resulting from the investigation or prosecution.

Internal Audit
The auditing and monitoring of systems of internal controls will themselves contribute toward the establishment of effective anti-corruption programs. The early detection of inaccuracies and misconduct (eg bribery, fraud or corruption) can swiftly create the climate of honesty sought by an organization.

Chapter 35: Forensic Evidence

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the legal environment in South Africa and the court structures
➤ Differentiate among the differing forms of fraud and the elements of proof
➤ Define the key elements of audit as opposed to legal evidence
➤ Explain the role of the polygraph

Courts and the Administration of Justice
Courts and the administration of justice are dealt with in South Africa under the auspices of the Constitution. The major courts in South Africa are the Constitutional Court, the Supreme Court of Appeal, the High Court, the magistrates’ courts and any other court established or recognized in terms of an Act of parliament.

Constitutional Court
The Constitutional Court consists of a president, a deputy president and nine other judges. Any matter before the Constitutional Court must be heard by at least eight of the judges. Although the Constitutional Court is the highest court in all constitutional matters, it may decide only constitutional matters, and it has the final say on whether a matter is classed as a constitutional matter or not. Only the Constitutional Court may decide disputes between the organs of state regarding the constitutional status, powers or functions of those organs of state. It may also decide on the constitutionality of any parliamentary or provincial bill, or any amendment to the Constitution. It may also decide whether parliament or the president has failed to fulfill a constitutional obligation.

Supreme Court of Appeal
The Supreme Court of Appeal consists of a chief justice, a deputy chief justice and a number of judges of appeal determined by an Act of parliament. Whether an appeal is one on which the Supreme Court of Appeal may give judgment may be decided by the number of judges determined within the Act of parliament. The court may decide appeals in any matter and is the highest court of appeal, except for constitutional matters.

High Court
The High Court may decide any constitutional matter except a matter that only the Constitutional Court may decide or a matter that is assigned by an Act of parliament to another court of a status similar to the High Court.

Magistrates’ Courts and Other Courts
Magistrates’ courts and all other courts may decide any matter determined by an Act of parliament, but may not inquire into the constitutionality of any legislation.
Any evidence brought before a court must be capable of standing up to public scrutiny, and must have been obtained and documented in accordance with the Criminal Procedure Act. Such evidence is deemed to be forensic evidence.

Forensic Evidence
Evidence in general may be defined as anything perceivable by the five senses and includes:
➤ testimony of witnesses;
➤ documents;
➤ facts or data;
➤ tangible objects legally presented; and
➤ direct or circumstantial evidence.
Circumstantial evidence can be admissible but must be relevant and material. The relevance of evidence includes evidence of the motive, opportunity, method and means of the perpetrator to commit the crime. In addition, admissible evidence includes physical evidence and evidence of attempts to conceal and/or destroy evidence. The most important point for admissibility of evidence is relevance. Evidence may be excluded if it is seen to be unduly prejudicial, confusing, causes delay or is repetitive.
Fraud often leaves a paper trail, which can assist investigators to identify the individual(s) responsible and estimate the extent of the loss. Documents used to facilitate the fraud link the perpetrator to the crime and may become key evidence. Evidence, regardless of the type, must be preserved and documented to be usable in criminal trials or employment hearings. Opposing counsel will often attack the admissibility of evidence in terms of its relevance and chain of custody. Especially in the early stages of an investigation, the relevance of a piece of evidence may not be evident. As a result, every item recovered should be treated as though it were relevant. Seemingly useless items may later play key roles in the prosecution of the case.
As was seen in the previous chapter, there are various types of fraud. In order to prove the case in court, an auditor will seek to obtain sufficient evidence. For such evidence to be accepted by the court, the rules of evidence must be followed. These vary from country to country and are primarily designed for legal evidence, and therefore have to be complied with in legal cases. In a non-forensic case not resulting in a prosecution, an auditor is not normally so restricted and may use any evidence until he/she is satisfied, based on his/her professional judgment. In either event, he/she tries to foster an honest belief. In all cases, an auditor acting as a forensic investigator will seek to find and present the best possible evidence.


What Constitutes Best Evidence?
For documentary evidence, the best evidence is always the original document, which should be obtained wherever possible. Secondary evidence would include copies of written documents or oral evidence of the contents, but these are generally considered inferior. Evidence can also be categorized as:
➤ direct evidence, such as the evidence of a witness to an event;
➤ circumstantial evidence, which proves an intermediary fact and can trap an unwary auditor;
➤ conclusive evidence, where only one reasonable conclusion can be drawn;
➤ corroborative evidence, which substantiates evidence already given; and
➤ opinion evidence.
A general rule is that facts are allowable while opinions are not, unless they are expert opinions. Hearsay evidence is generally inadmissible, although dying declarations, valid confessions, tacit admissions or res gestae statements (spontaneous exclamations as part of the criminal act) may be accepted at the discretion of the court. Relevant evidence would be seen as evidence regarding:
➤ the motive for the crime;
➤ the ability of the defendant to commit the crime;
➤ the possession of the means to commit the crime; and
➤ the opportunity to commit the crime.
Threats by the suspect, the suspect's conduct and comments at the time of arrest, or evidence linking the suspect to the actual crime are also highly relevant. Any attempt to conceal the fraudster’s identity or attempts to destroy evidence may also be submitted to the court.
As each piece of evidence is collected, the auditor must maintain an inventory recording the date, location and time of collection and by whom the item was collected. Original documents should be protected against damage, which could destroy future opportunities to derive additional evidence. Originals would normally be stored in an envelope or plastic folder and should not be altered or written on, other than an unobtrusive notation for identification purposes. Any copies made for working purposes should be clearly marked ‘Copy’.

Chain of Custody
Forensic auditors must maintain the chain of custody of any evidence that comes into their possession. Any break in the chain of custody may result in the item or document being inadmissible at trial. This means that the evidence must be securely stored, with access controlled by an ‘evidence custodian’. Securing the location can be as simple as keeping a door locked. From time to time, evidence must be transferred from one person to another, and the transfer must be documented. Any movement of evidence, including sending it to a crime laboratory, document examiner or the police, must be accounted for as well. The simplest way to do this is to create an evidence trail within the register that lists each item by number and description.


Any transfer of evidence is noted in the evidence register by the person designated as evidence custodian, thus maintaining the item's chain of custody.

Forensic Examination
IIA Practice Advisory 1210.A2-1: Identification of Fraud recognizes that this is a specialized area of work that may well involve experts in the field. ‘Investigation of fraud consists of performing extended procedures necessary to determine whether fraud, as suggested by the indicators, has occurred. It includes gathering sufficient information about the specific details of a discovered fraud. Internal auditors, lawyers, investigators, security personnel, and other specialists from inside or outside the organization, are the parties that usually conduct or participate in fraud investigations.’
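The evidence register described under Chain of Custody and in the paragraph above (each item listed by number and description, every transfer documented by the evidence custodian) can be kept as a small append-only log. The Python class below is an added example, not the textbook's own procedure: the SHA-256 chaining of entries, which makes a later edit or deletion detectable, and the fingerprinting of digital working copies are additions of this example, and the names, dates and item number are constructed.

```python
import hashlib
import json


class CustodyError(Exception):
    """Raised when a movement would break the documented chain of custody."""


class EvidenceRegister:
    """Lists each item by number and description and logs every movement.

    Entries are append-only; each one carries the SHA-256 of the previous entry,
    so a later edit or deletion is detected by verify(). That chaining is an
    addition of this example, not something the chapter prescribes."""

    GENESIS = "0" * 64

    def __init__(self, custodian: str):
        self.custodian = custodian   # the person designated as evidence custodian
        self.items = {}              # item_no -> {"description", "holder"}
        self.entries = []            # the evidence trail, oldest first

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, record: dict) -> None:
        record["prev_hash"] = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        record["entry_hash"] = self._digest(record)
        self.entries.append(record)

    def log_item(self, item_no, description, collected_by, location, when, digital_copy=None):
        """Record the collection of an item: what, where, when and by whom."""
        if item_no in self.items:
            raise CustodyError(f"item {item_no} already registered")
        record = {"event": "collected", "item": item_no, "description": description,
                  "collected_by": collected_by, "location": location, "time": when}
        if digital_copy is not None:   # working copies get a fingerprint; originals stay untouched
            record["copy_sha256"] = hashlib.sha256(digital_copy).hexdigest()
        self.items[item_no] = {"description": description, "holder": collected_by}
        self._append(record)

    def transfer(self, item_no, from_person, to_person, purpose, when):
        """Document a hand-over; refuse one that does not start with the current holder."""
        item = self.items.get(item_no)
        if item is None:
            raise CustodyError(f"item {item_no} is not in the register")
        if item["holder"] != from_person:
            raise CustodyError(f"{from_person} does not hold {item_no}; {item['holder']} does")
        self._append({"event": "transfer", "item": item_no, "from": from_person,
                      "to": to_person, "purpose": purpose, "time": when,
                      "recorded_by": self.custodian})
        item["holder"] = to_person

    def custody_chain(self, item_no):
        """Every entry touching one item, in order: what opposing counsel will ask for."""
        return [e for e in self.entries if e["item"] == item_no]

    def verify(self) -> bool:
        """Recompute the hash chain; False means an entry was altered or removed."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or self._digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def build_sample_register() -> EvidenceRegister:
    """Constructed scenario: names, dates, item number and scan bytes are hypothetical."""
    reg = EvidenceRegister(custodian="T. Mokoena")
    reg.log_item("EX-001", "Original supplier invoice, sealed in an envelope",
                 collected_by="A. Naidoo", location="Accounts payable filing room",
                 when="2015-04-16T09:30", digital_copy=b"INVOICE 4471 (constructed scan)")
    reg.transfer("EX-001", "A. Naidoo", "T. Mokoena", "secure storage", "2015-04-16T10:05")
    reg.transfer("EX-001", "T. Mokoena", "Document examiner", "handwriting analysis",
                 "2015-04-20T14:00")
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for entry in register.custody_chain("EX-001"):
        print(entry["time"], entry["event"], entry.get("to", entry.get("collected_by")))
    print("register intact:", register.verify())
```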

Document examination, normally carried out by a specialized forensic document examiner, can be used to create an evidentiary linkage between the suspect and the fraud. Handwriting evaluation may be able to determine whether a signature is genuine or forged and who the author of a particular piece of writing is. Printed documents may similarly be linked to an individual printer or typewriter. Document examination may also be able to reveal alterations or erasures and may even be able to recover the original text. In addition to the text itself, the ink used can also be analyzed and it may be possible to reveal alterations by identifying the brand of ink used, the production batch number and even intervals between the writing of the original message and the amendment. This may identify alterations after the document was created, resulting in forgeries. The paper itself can also be examined for time of production or the inclusion of watermarks. In general, documents may be examined for the handwriting used as well as the sequence of entries. Alterations, obliterations and erasures may be detected and deciphered. Printers, word processors and copiers can be identified, the authenticity of reproduction copies established and original documents identified. Inks may be compared and dated, and specific pens or pencils used for writing can be differentiated. Paper can be authenticated and dated, and even documents that have been burned or faded may be reconstructed.

Forensic Audit Department
The mission of the forensic audit department is to provide fair and objective investigation of serious irregular incidents and tendencies, as well as the rendering of security scenario, advisory and consulting services within an organization. Unlawful or irregular conduct and practices must be reported to the forensic audit department without delay. It would normally be policy to refer alleged transgressions of a criminal nature for prosecution by the appropriate authorities. Should the responsible manager, after consulting the forensic audit department, feel this is not the appropriate action, he/she can decide not to refer the incident. Human resources and the normal disciplinary procedures may address alleged incidents of a less serious nature.


The forensic audit department obtains, assembles and researches information on unlawful or irregular conduct and practices in order to identify causes, and will advise and consult on interventions and action plans. All practices and procedures utilized during investigations must comply with the requirements of the law. The scope of the forensic audit department would normally include the investigation of alleged or suspected theft or other unlawful or irregular activities of a serious, sensitive or corporate nature. Fraud itself, along with forgery and uttering, including electronic transactions; unlawful or irregular disclosure of corporate information, including electronic disclosure and industrial espionage; and any matters regarded as sensitive by the board and audit committee, would fall within its scope. The department may also be commissioned to conduct special investigations from time to time and will develop and maintain records to facilitate the identification, evaluation and analysis of threats to the organization as a result of irregular incidents.
To be effective, the forensic audit department must have unrestricted access to all functions, records, property and personnel, as well as full and free access to the audit committee. It must have the independence to allocate resources, set frequencies, select subjects, determine scopes of work and apply the techniques required to accomplish its objectives. If necessary, the department should be empowered to obtain the necessary assistance of personnel in units of the organization where it performs audits and investigations, as well as other specialized services from within or outside the organization.

Polygraph Testing

A polygraph is a measuring device that makes a permanent recording of various physiological changes taking place within the body of the subject as a result of psychological stimuli. The stimulus is brought about by maintaining a certain environmental and emotional climate during the polygraph examination and by asking questions that have been structured and phrased in a specific way. The questions asked during the examination will have been developed beforehand with the subject so that there are no surprise questions. Two basic types of polygraph instrument are in current use, namely analogue and computerized polygraphs. Both are state-of-the-art technology which, if used by a professional polygraph examiner in a satisfactory environment, can distinguish between truth and deception with a high degree of accuracy.

During a pre-examination interview, the examiner gathers details on both the case and the person to be tested. The examiner must establish a rapport with the examinee and allay his/her fears, suspicion and general anxiety. The examinee would then normally be questioned in a non-accusatory interview about his/her knowledge of the alleged incident, and the test questions would be developed. As mentioned above, the test questions should be discussed with the examinee in advance. At no stage during the test should any surprise questions be put to the examinee. During the examination itself, pneumograph, GSR (galvanic skin response) and cardiograph sensors are attached to the examinee. The examinee is then asked each of the test questions at least twice and the physiological responses are recorded.

The polygraph is not a lie detector. It is an instrument that measures the activity of the autonomic nervous system, ie that part of the nervous system that we cannot voluntarily control. There are two branches to the autonomic nervous system, one having to do with growth and development, the other being an emergency system. The emergency system becomes dominant only when there is some threat and the individual becomes fearful. The polygraph test measures such a response. If the truth is told, the body will function at its normal level. If the examinee comes to a question in response to which he/she intends to lie, he/she becomes afraid of being caught in that lie and the body automatically shifts into the emergency system. All of the physiological changes will take place and be recorded on the polygraph chart. After the test, the examinee is questioned about the responses to the relevant questions, if any, and a numerical scoring system is then employed to analyze the examinee's polygraph charts to determine whether there are any significant physiological responses to the relevant questions.

Since its invention, over 250 studies have been conducted on the accuracy of polygraph testing. These studies suggest that when an established testing procedure is used by a properly trained examiner, the accuracy of the decision made by polygraph examiners can be around 95 per cent for specific-issue investigations.62 The studies also indicate that, although it may be possible for someone lying to be shown as truthful, it is highly unlikely that a person telling the truth will be evaluated as lying. The polygraph is a useful aid with many applications, but is not without its limitations. It cannot replace conventional investigation, since its focused approach cannot be used to examine more than one specific issue at any one time. It should be used to confirm or refute specific elements of information. At present, there is no law in South Africa that prohibits the use of the polygraph, but the examinee must agree to its use in writing before the examiner starts the test. No precedent has yet been set regarding the use of polygraph evidence in court. It is at the discretion of the magistrate to decide what weight the polygraph will carry as supporting evidence. In some countries, such as Israel, Germany and the USA, the polygraph is more widely used, although the acceptance of polygraph results as evidence varies between their legal systems.

62. Barland, G.H. 1975. Detection of Deception in Criminal Suspects: A Field Validation Study. PhD thesis, University of Utah.

Chapter 36: Conducting Fraud Investigations

Learning objectives

After studying this chapter, you should be able to:
➤ Outline briefly the elements of the crime of theft
➤ Understand and explain the rights and powers of an investigator
➤ Select the appropriate investigative techniques for a variety of crimes
➤ Describe how to prepare a case for court and how fraud should be reported
➤ Match the use of investigative techniques and the appropriate support agencies

What are Fraud Investigations?

Investigation may be defined as the scientific process whereby facts and evidence are gathered in order to reconstruct an incident objectively and accurately, forming the basis on which action and behavior can be evaluated. A fraud or theft investigation relies on the collection of evidence and on the interview and interrogation of the individuals involved in a case, who may be victims, witnesses or suspects, in order to determine who, what, where, when, how and why. The approach to the investigation of internal fraud, irregularities or other serious crimes differs from organization to organization. Some companies retain an in-house capacity, others make use of consultants and advisers as required, while some rely solely on the police for their investigations. If successful litigation is to follow, the investigation process must be carried out in a manner acceptable to the courts in order to gather the forensic evidence detailed in the previous chapter. The investigation process itself is made up of the situation, the victim and the identification of the perpetrator.

Elements Required to Establish Evidence of Theft

Four elements are essential for a specific crime to be classified as theft.
➤ The first essential element of theft is that there must have been a contrectatio, ie the accused must have handled the items stolen. In normal circumstances, this would involve removing the item from the lawful possession of the person in charge of it. This means that if the accused fraudulently influenced an individual to hand over an item voluntarily, intending to steal it, a contrectatio did not occur at that point; the accused could instead be charged with theft by false pretenses once the contrectatio had taken place.
➤ The second element is that the object stolen must be a movable object. This term is used in the sense that a house cannot be stolen, because it is immovable, and fixtures and fittings that form an integral part of an immovable item likewise cannot be stolen. The furnishings, however, would be considered movable objects.
➤ The third element is that the state must prove intent to steal, without which the act is not a punishable offense. The intention must be to deprive the lawful owner of his/her ownership or a lawful possessor of his/her possession, eg a hired car subsequently stolen.
➤ The fourth element is that the state must prove that it was the intention of the accused to deprive the owner of the object of his/her ownership permanently. If the intent was merely to deprive the owner temporarily, the accused is not punishable for theft but would instead be charged with unlawfully using somebody else's property without permission.

Whenever a theft has taken place, certain basic information must be gathered. A statement should be taken from the complainant detailing the specific time and date when the stolen object was last seen, together with the date and time of the discovery of the theft. The statement should also record that no one had the right to take the property or to remove it temporarily. A full description of the article stolen and of any identification marks is critical for proper identification in the event of recovery. If the object was insured against theft, this must be recorded, together with the name of the insurance company. The value of the objects stolen will also be required, both for prosecution and by the insurance company.

The Power of the Investigator

In conducting an investigation, a private individual does not automatically have the right to take affidavits or receive sworn statements from witnesses. Investigating auditors should be appointed commissioners of oaths in order to ensure the legality of any sworn or avowed statements from possible witnesses. Investigators should be aware of the fundamental rights and freedoms of every South African citizen, and that unlawful interference with such rights is regarded as a serious violation by the courts. In searching premises, any person who is lawfully in charge of, or lawfully in occupation of, any premises and who has reason to suspect that an object has been placed on the premises in contravention of any law may, in the absence of a police official, enter the premises for the purpose of searching the premises and any person therein. Should such an illegal article be found, the person should take possession of it and deliver it to a police official. Once again, the rights of the suspect must be taken into consideration and any such search should be conducted with strict regard to decency and order. If a female has to be searched, only a female police officer or a woman designated by a police official may carry out the search. Under normal circumstances, the arrest of a wrongdoer would be the responsibility of the police. However, under certain circumstances, detailed in Section 42 of the Criminal Procedure Act, a private individual may arrest a person without a warrant of arrest. If the arrest takes place without the provisions of Section 42 being complied with, the arresting person may be liable for unlawful arrest, resulting in a civil claim, and the detention of the suspect will also be unlawful. Section 39 of the Act lays down the manner in which an arrest must be made. A critical component is that, unless the person submits to custody, the body of the person to be arrested must be touched, and the arrested person must immediately be informed of the reason for his/her arrest. If the person arrested contests the lawfulness of the arrest, the onus of proving that the arrest was lawful rests on the person who made the arrest.

Private individuals may also be called upon by a police official to assist in arresting a person or in detaining a person so arrested. Failure to assist the police in this matter without sufficient cause is an offense. Entry into premises for the purpose of effecting an arrest may be gained by an individual who may lawfully arrest another and who reasonably suspects that the other person is on the premises. Certain procedures must be followed to make the entry lawful. The individual must first audibly demand entry into such premises and notify those inside of the reason for which he/she seeks entry. He/she may then, if necessary, break open, enter and search the premises in order to make the arrest. The use of force in effecting an arrest is permissible to an authorized person where the suspect resists arrest and cannot be arrested without the use of force, or where the suspect flees when it is clear that an attempt to arrest is being made. Only such force as may be necessary to overcome the resistance or prevent the flight may be used.

Corporate Investigation

IIA Practice Advisory 1210.A2-1: Identification of Fraud indicates that fraud detection is not a primary function of internal audit and that internal auditors' knowledge and experience are not equivalent to those of a fraud investigator. Consequently, while fraud may be detected in the course of internal audit procedures, this is not a guarantee that all such fraud has been detected, and a failure to detect fraud does not in itself imply that an internal auditor has not exercised due professional care. 'Internal auditors are not expected to have knowledge equivalent to that of a person whose primary responsibility is detecting and investigating fraud. Also, audit procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected.'

This does not mean that, in the present environment of endemic fraud, management of large organizations may not establish a forensic audit department employing specialist investigators, or appoint external service providers for these services. When management becomes aware of possible wrongdoing within an organization, it has a duty to ascertain the truth and extent of the wrongdoing. This normally involves conducting an investigation. Such an investigation must be professionally planned and executed to avoid the normal emotional reaction that occurs when indications of impropriety arise. Hasty overreactions can compromise an investigation before it even starts. Generally, people's initial reaction when faced with the first indications of possible wrongdoing is an instant judgment regarding the extent of the problem and the identity of the potential wrongdoers. Suspicion abounds when fraud is revealed, and the behavior patterns of innocent people become suspect. Such knee-jerk reactions can be highly damaging both to the futures and reputations of innocent people and to the organization itself.

The suspected fraud should be treated as a management issue and careful planning should be carried out prior to the investigation. At the planning stage, information regarding the suspected fraud should be restricted to those who have a need to know. The extent of this restriction will depend on the individual or individuals suspected, the nature of the fraud and the authority levels of the suspects. Maintaining secrecy at this stage increases the possibility of gaining appropriate evidence. If the suspected fraudster is unaware of the investigation, there is a greater probability that the fraud will continue and that co-conspirators may be identified. The evidence gained by monitoring an ongoing fraud may be critical in proving the case in court. Secrecy can also protect the organization from a lawsuit by the suspect for defamation resulting from libelous or slanderous statements made to a third party that damage the suspect's reputation.

As part of the early planning process, the individuals to be involved in the investigation must be selected. Professional investigators, either private or from the police services, will normally spearhead the investigation, but other members of the organization may also be called on to participate. A senior manager should be designated to ensure liaison takes place between the investigators and executive management. Internal audit can secure evidence and provide background information on the control structures and authority levels of employees. In most cases, legal advice will be required to ensure that the investigation is lawful, that the evidence is maintained in a form acceptable to the courts, and that the appropriate procedures are followed to permit the organization to proceed civilly to recover its losses from the dishonest employee. Given the extent of current personnel legislation, it is critical that the senior manager from human resources be involved to ensure that the rights of the accused employee are not violated and that personnel law is followed. Once the team has been appointed, each participant's role and the reporting relationships must be clearly defined. The goals and objectives of the investigation must be agreed, and these could range from temporary suspension to criminal prosecution. These objectives will have a significant impact on the method of investigation, the nature of the evidence to be gathered and the timing of the investigation.
Timing can be critical and it is easy to underestimate the duration and resources required for an investigation. A fast resolution may limit further losses but may be counterproductive when attempting to recover the losses already incurred.

Lies, Lies and More Lies

In conducting the investigation, suspects may be interviewed and may choose to lie. This can take several forms, and clues may be detected depending on the nature of the lie.
➤ Lying by omission is the most common form of deception. The interviewee does not actually lie, but evades answering by omitting the information that he/she wants to conceal. If the omission is detected, the interviewee can always claim that he/she forgot or did not consider the matter important enough to mention. Since the person is not directly lying, the personal stress is limited.
➤ Denial of having participated in the fraud or having any knowledge of it is another common form of lying. While it avoids the stress of constructing a false account, it creates a mental conflict known as dissonance, as the liar attempts to balance the prohibitions against lying learned as part of his/her upbringing against the need to protect him-/herself from the consequences of being caught.
➤ Making up a story is the most difficult type of lie to attempt and maintain. The liar requires a good memory to remember what has already been said and must be a quick thinker to maintain consistency in the lie. Such fabrication is normally uncovered because of inconsistencies in the details of the lie or in the sequence of events claimed. The starting point and the end point of the fabrication are normally genuine events and time periods. It is what happened in between, and when it happened, that is fabricated and where the claimed sequence of events can be forgotten.
➤ Lying by minimization is used to deceive by downplaying negative aspects of the suspect's behavior or performance. Careful questioning and healthy skepticism on the part of the investigator can normally uncover the truth.
➤ In the same way, exaggeration may be used as a lie, and is frequently encountered when a job applicant exaggerates his/her qualifications, work experience and responsibilities. Once again, careful questioning may reveal the truth.

Detecting Lies

In the absence of a polygraph, investigators will use observation of the interviewee's behavior patterns to identify areas of possible concern. Delays in responding to questions involving the simple recollection of facts may alert the investigator to a possible attempt at deception, as the liar has to consider his/her version of the facts to ensure consistency with what he/she has already said. People who are telling the truth can normally answer promptly, as they are simply recalling a memory. Care should be taken, however, to distinguish between the delay before a lie and the delay of a person taking sufficient time to ensure the question is answered accurately. Questions that require an answer based on the individual's judgment will normally involve some form of delay. Delay over 'yes' or 'no'-type questions indicates the weighing of the pros and cons of a given answer. Repeating the question may be a tactic used by the interviewee to delay answering while weighing the options; once again, the delay may be caused by a genuine attempt to give the best possible answer. Lying can also be indicated by the use of qualifiers in answering questions. Expressions such as 'as far as I can remember', 'to the best of my knowledge' and 'probably' can be used to conceal deception. They may signify omissions and areas that the interviewee wishes to avoid. Analyzing an individual's behavior and body language is a skilled discipline. When used effectively, it can provide focus for further investigations and questioning, and assists in identifying areas where a deception may be occurring. It is, however, easy to draw the wrong conclusions, and such analysis should be treated as a guideline rather than as actual evidence.

One of the final steps an investigator takes in concluding the inquiry is confronting the target of the investigation. Often, the ultimate outcome of the case may depend on whether the suspect confesses. Confession is responsible for more successful investigations than all the other forensic techniques combined. Confronting a suspect is a complicated process. The individual's age, education, job, experience with the criminal justice system, and his/her awareness of the investigation must all be considered when preparing to confront a suspect and trying to obtain a confession.

Two common techniques exist.

The cognitive behavioral model of confession
This model is based on the premise that the confession results from the unique relationship between the subject, the environment and others involved in the process, such as other suspects, victims, witnesses and interrogators. The interviewer seeks to elicit a confession by inducing social isolation, fatigue, stress or feelings of guilt in the interviewee. There are four basic areas in the cognitive behavioral model that the interrogator uses in inducing a confession:
➤ social, in which the individual's fear of isolation from friends and co-workers may or may not increase his/her resistance to a confession. A benefit for the individual comes in the shape of positive reinforcement, and praise for confessing is provided by the interrogator;
➤ emotional, in that the fear of the unknown, combined with guilt and shame about the wrongdoing, generates emotional relief when the suspect decides to confess;
➤ cognitive, which involves the suspect interpreting facts and making assumptions about what is or is not known. The suspect may convince him-/herself that his/her guilt is known absolutely, even when this may not be true, and that confession is therefore the best course of action; and
➤ situational, which relates to the timing of the confrontation and the circumstances surrounding it, such as whether the subject is forced to wait or the interrogation begins immediately, who conducts the interview, and where and when it is held.

The emotional model of confession
This model suggests that the subject's failure to tell the truth is the result of attempting to avoid the consequences of his/her actions, whether real or perceived. The suspect attempts to shift the blame for his/her actions to some other source. Face-saving suggestions allow the subject to justify his/her actions without removing the legal responsibility for his/her criminal acts. The interrogator in this instance is not viewed by the suspect as an opponent, but rather as a mediator between the suspect and the organization. This model encourages the individual to make an emotional decision to confess, rather than a rational one, and may result in the suspect reacting emotionally by crying as he/she confesses.

Just as fraud investigations can succeed through good interviewing techniques, they can also fail because of errors in interviewing. Wherever possible, the investigation should conclude with the obtaining of a valid, signed confession.

Chapter 37: IT Fraud Investigation

Learning objectives

After studying this chapter, you should be able to:
➤ Outline briefly the fundamental goals and methodologies of an IT fraud investigation
➤ Define appropriate policies and procedures to facilitate an IT fraud investigation
➤ Explain the basic technology in IT forensics and sources of evidence
➤ Define the elements required in preplanning for an IT fraud investigation
➤ Design an appropriate IT fraud response toolkit
➤ Describe the current legislative basis for using computer evidence

The Exponential Growth of Computer Crime

Over recent years, an enormous amount of publicity has been given to the threat of computer crime, which has led to a greater awareness at executive level of the vulnerability of IT functions. The growth of organized fraud in the computer world, in conjunction with the comparatively new threat of organized terrorism or politically motivated penetration of computer systems, makes this awareness essential. Advances in computer science have come at a staggering pace and computer crime has remained in step with all of these advances. Unfortunately, computer crimes happen in real time and the crime is completed in microseconds. Only a tiny percentage of such crimes have been found in time to perform any form of meaningful investigation, unless care had been taken beforehand to create an appropriate detective environment. Where investigations do take place, less than 20 per cent will actually go to court and, of all those prosecuted, less than five per cent will be convicted. In many cases, it is the fear of a failed prosecution and of exposing the corporation to ridicule that is the real deterrent to prosecution. The failure to secure convictions is often due to a lack of proper care or of a methodical approach by the investigator. Often, the evidence obtained is improper, inconclusive, or not legally gathered or maintained. In addition, the move of business onto the Internet has created the greatest opportunity for widespread and methodical fraud the world has ever known. The most common computer crimes are those that merely involve the computer as a tool to implement the crime. In addition, the computer may itself be the victim of the attack, resulting in the theft of information, disclosure of confidential data, vandalism, sabotage or viruses.

Classification of Computer Fraud

Given that activities within a computer environment consist of three main elements, input, processing and output, it is no surprise that IT fraud can be classified in the same way.
➤ Input frauds normally take the form of amended or forged transactions entered into the computer and unauthorized changes to standing data on the masterfile so that valuable assets, normally cash, can be obtained. This type of fraud does not need any specific IT expertise and is a common form of user-level data entry fraud.
➤ Processing or throughput frauds usually involve modifications to live programs in order to insert unauthorized code for improper purposes. Viruses, trap-doors and Trojan horses are all examples of such code.
➤ Output frauds commonly occur when correct and valid outputs are intercepted and amended before they are used. This may take the form of altered payments or breaches of confidentiality.

Once more, with the advent of the Internet, computer hacking has become a source of risk to computer systems. Perhaps fortunately, hacking for fraudulent purposes is not yet widespread.

The Investigation of IT Frauds

IIA Practice Advisory 2100-6: Control and Audit Implications of E-commerce Activities states that internal audit should be alert for irregularities that may indicate the presence of IT fraud in organizations involved in e-commerce.

'The internal auditor should be alert for:
➤ Unauthorized movement of money (eg, transfers to jurisdictions where the recovery of funds would be difficult).
➤ Duplication of payments.
➤ Denial of orders placed or received, goods received, or payments made.
➤ Exception reports and procedures, and effectiveness of the follow-up.
➤ Digital signatures: Are they used for all transactions? Who authorizes them? Who has access to them?
➤ Protections against viruses and hacking activities (history file, use of tools).
➤ Access rights: Are they reviewed regularly? Are they promptly revised when staff members are changed?
➤ History of interception of transactions by unauthorized persons.'

Many fraud investigators have a fundamental fear of computers, yet are being called in to investigate computer-related crime, and are therefore happy to leave such investigations to specialist auditors or outside consultants. This fear has built up over the years as a result of the air of secrecy surrounding IT and the technical jargon associated with it. Once the technical jargon has been got out of the way, understanding the risks and controls within computer systems and the means of investigating an IT fraud becomes clear. IT fraud often comes to light because of its impact on the organization; however, the most common way in which computer crime is uncovered is when another person, who may or may not be an employee, tips off the organization. When an IT fraud is suspected, the first objective of the IT auditor or security personnel is to confirm whether an incident has actually occurred. If there appears to be a case for believing such an occurrence has taken place, all subsequent steps must be specifically designed to help the accumulation of accurate information and establish control over the retrieval and handling of evidence. This can cause complications, because of the need to protect the privacy rights of both the suspected perpetrator and the defrauded organization. There is little point in recovering stolen assets by destroying corporate confidentiality. The investigation must minimize business disruption. Gathering forensically acceptable evidence will commonly involve isolating the information source to prevent contamination. In the case of information systems, such isolation, if extended over a period of time, could result in considerably more damage to the organization than the original fraud. Once gathered, the evidence must be legally admissible, ie it must be capable of standing up to scrutiny and challenge in court. In order to achieve successful prosecution, there is a whole series of events that must take place, namely:
➤ pre-incident preparation;
➤ detection of incidents;
➤ initial response;
➤ forensic back-ups;
➤ investigation;
➤ network monitoring;
➤ recovery;
➤ reporting; and
➤ follow-up.

Pre-incident Preparation

The objective of pre-incident preparation is to ensure that, should an incident occur, the organization is in a position to identify exactly what happened and to which systems. From this it may be determined what information was compromised, what files were created or modified, and who may have caused the incident. It is also useful to decide in advance who should be notified and what steps will be required to get back to normal. Major steps in the process would include identifying the vital assets in advance and conducting a risk analysis to determine the most likely nature of the exposure faced. Individual hosts could then be prepared to detect incidents by producing cryptographic checksums of critical files and enabling secure logging. Preventative measures would include hardening the hosts' defenses in a variety of ways. Back-ups of critical data, stored securely, help protect against the threat of that data becoming unavailable. Directive controls would include comprehensive user education about host-based security. Networks should be prepared by installing firewalls and intrusion detection systems (IDS), as well as by the use of access control lists on routers. Companies can create a network topology conducive to monitoring, encrypt network traffic and require authentication beyond the password level.
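The cryptographic checksum baseline described above, as an added worked example that is not from the book or any particular product: each critical file is hashed with SHA-256, the baseline is written out together with a digest of the baseline file itself (to be recorded off-host, since an intruder who can alter the monitored files can usually also rewrite a baseline stored beside them), and a later scan is compared against it to report which files were added, removed or modified. The directory layout, file contents and the simulated tampering are constructed for the demonstration.

```python
"""Pre-incident file-integrity baseline (added example, not from the book).

SHA-256 each critical file, store the baseline, and later report added,
removed and modified files. All paths and contents are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # hash in 64 KiB pieces so large files never load into RAM


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its digest.

    Symlinks are skipped so a link re-pointed at another target is not
    silently hashed as if it were the original file.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def save_baseline(baseline: dict, dest: Path) -> str:
    """Write the baseline as canonical JSON; return the digest of that file.

    Record the returned digest off-host (or sign it): a baseline that lives
    on the monitored host is only as trustworthy as the host itself.
    """
    data = json.dumps(baseline, sort_keys=True, indent=2).encode()
    dest.write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def load_baseline(src: Path, expected_digest: str) -> dict:
    """Reload a baseline, refusing it if the file no longer matches its digest."""
    data = src.read_bytes()
    if hashlib.sha256(data).hexdigest() != expected_digest:
        raise ValueError("baseline file has been altered since it was recorded")
    return json.loads(data)


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a stored baseline and a fresh scan."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline three files, then simulate an incident."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "app").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "app" / "payments.cfg").write_text("approval_limit=10000\n")
        (root / "app" / "audit.rules").write_text("log_all=yes\n")

        baseline_file = Path(tmp) / "baseline.json"  # kept outside root
        digest = save_baseline(build_baseline(root), baseline_file)

        # Simulated incident: standing data altered, a logging rule removed,
        # and an unexpected script dropped on the host.
        (root / "app" / "payments.cfg").write_text("approval_limit=10000000\n")
        (root / "app" / "audit.rules").unlink()
        (root / "app" / "dropped.sh").write_text("#!/bin/sh\necho constructed\n")

        stored = load_baseline(baseline_file, digest)
        return compare(stored, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be produced during hardening, before the host is exposed, and the comparison scheduled or run as the first step of the initial response, so that the investigator can say which files changed rather than relying on the system's own, possibly tampered, timestamps.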

At the user end, preparations would include determining an appropriate corporate response stance. This could be:
➤ to ignore the incident;
➤ to defend against further attacks;
➤ to prosecute; or
➤ simply to perform surveillance and gather data on the incident for future use.

The appropriate response may, in fact, vary based on the circumstances of the incident. If, for example, a hacker is detected, it may be more beneficial to the organization to allow the hacker to believe the system penetration is successful and let him63 in. This would allow time to gather forensically acceptable evidence for his future prosecution, as well as facilitate tracing the hacker to his lair. Obviously such a policy would require a very high level of confidence that the activities of the hacker could be traced and limited.

From the audit and investigation perspective, preparation could include the building of a forensic response toolkit. Such a toolkit would normally consist of a hardware/software combination chosen so that it can be demonstrated that the investigation itself did not corrupt the evidence. The hardware would usually be a high-end processor with a large memory capacity and a large-capacity empty drive. A DVD-RW drive, a high-capacity tape drive and a large number of cables for creating multiple connections would be needed for the interchange of information. An uninterruptible power supply would be necessary to show that no corruption took place during the investigation phase because of power outages. DVD-Rs and labels, together with external hard disks and a high-capacity memory stick, would also prove essential. In addition, the standard tools for forensic examination would all be required: folders and labels for evidence; a digital camera so that evidence can be captured directly into the system; lockable evidence storage containers; a printer and paper; and finally burn bags to dispose of evidence securely when approval is given by legal counsel. On the software side, response software would include two or three native operating systems (Windows 98/Windows NT/Linux); forensic duplication tools such as EnCase, Imagecast or Expert Witness; all the drivers for all your hardware on all platforms; a file viewer such as Quickview Plus or Handy Vue, capable of handling a variety of file structures and formats; as well as disk write-blocking routines. With this toolkit, an auditor should be able to conduct forensically acceptable examinations.

An incident response team should be established to respond to all security incidents and conduct a complete, unbiased investigation. The team must confirm or dispel an incident quickly and assess the damage and scope. A 24/7 hot-line should be established to allow the team early notification so that they can control and contain the incident. The team's job is to collect and document all evidence while maintaining a chain of custody, to protect privacy rights and to provide expert testimony.

63. Since hackers are apparently always male, the use of ‘him’ and not ‘him/her’ seems justified here.

IT FRAUD INVESTIGATION

Detection of Incidents

Incidents may be detected via intrusion detection systems, firewalls, suspicious account activity, malfunctioning services or even defaced websites. In all cases, it is essential that the discoverer note the critical details, such as:
➤ the current date and time;
➤ who/what is reporting;
➤ the nature of the incident;
➤ when the incident occurred;
➤ the hardware and software affected; and
➤ contacts for involved personnel.

Initial Response

The initial response should be directed towards finding out what probably happened and what the best response strategy is. At all times, an investigator must be mindful of the legalities and must ensure that all searches are carried out within the letter of the law. This will typically involve examining the network topology, verifying the applicable policies, and investigating the incident through interviews with personnel, systems administrators, management and the end-user. Only then should hands-on action be taken. All actions taken must follow the fundamental rules: everything the investigator does must be documented, and every care should be taken to ensure that the evidence itself is not compromised during the investigation.

Acquiring the evidence will first involve securing the physical area. Before anything is disturbed, photographic evidence should be gathered of the system itself, the monitor and all cable interfaces. Photographs should also be taken of the surrounding area, and all papers and disks should be inventoried and collected. The IT system should then be shut down by unplugging it directly from the power supply. Under no circumstances should the keyboard be touched or the power switch used to power down the machine. Shutting down the machine in the normal way may activate software traps to encrypt or delete sensitive data. At a minimum it will alter the data held in virtual memory. Pulling the plug has a cost of its own, which the response plan should weigh in advance rather than on the spot: whatever existed only in memory (running processes, open network connections, keys for encrypted volumes) is lost, and a drive protected by full-disk encryption may be unreadable once powered off unless the key is otherwise available.

Before the computer itself is moved, it should be sealed and all cables and connectors clearly labeled. Once the computer is in the place where it is to be examined, the computer case may be opened and, once again, photographs should be taken of the inside before anything is touched. Disconnecting the power leads from the hard drives prior to starting the system isolates them from the boot process. The system can then be started so that the date and time may be collected from the setup menu. This will be used in later examination to compare to date and time stamps and other evidence; any offset between the machine's clock and true time should be recorded at this point, since every timestamp recovered from the drive will carry that offset. At this stage it is also recommended that the BIOS be changed to ensure that the system boots only from a floppy drive. The machine should then be switched off once more. An unused hard drive will be connected to the system to be the target drive for the forensic back-up. This drive should become drive 0, with the original drive classed as drive 1. This prevents the system from attempting to boot from the original drive. A bootable diskette containing the forensic copying software should be placed in the diskette drive and the system restarted.

The forensic copy of the hard disk should then be made. All drives should then be removed from the system, placed in anti-static bags and sealed. The sealed disks should be dated and signed and placed in a secure environment.

Forensic Back-ups

Forensic examinations should never be performed on the original medium. An exact clone of the medium should be made and the original evidence must then be stored securely. Care must be taken to ensure that the cloned medium is in fact a complete copy of the original evidence; the usual check is to compute a cryptographic hash of the original and of the clone and record that the two values match. Most back-up software available on the market today does not copy information in a way that would be acceptable for further investigation. In the normal course of events, data that has been deleted still remains on the magnetic medium until it is overwritten. This data can be a rich source of forensic evidence. Most copying, cloning and back-up software will copy only current files from the medium. To be acceptable, the copy must be made bit by bit and sector by sector. Only in this way can the investigator as
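The difference between a file-level back-up and a sector-by-sector forensic image, together with the hash check that shows a clone is complete and the chain-of-custody entry that records it, as an added worked example that is not from the book. It simulates a tiny block device in Python: a constructed 16-sector medium whose sector 0 holds a one-line-per-file directory. A file is 'deleted' by clearing its directory entry only, and the example then shows that the file-level copy neither hashes identically to the original nor contains the deleted text, while the sector-level image does both. The device layout, the sample file contents and the names `carve` and `custody_record` are this example's own assumptions, and the custody record is a minimal illustration rather than any prescribed form.

```python
import hashlib

SECTOR = 64      # bytes per sector on the simulated medium (assumed layout)
SECTORS = 16     # sectors on the medium; sector 0 holds the directory


def write_directory(dev, table):
    """Serialise the live-file table into sector 0 as 'name:sec,sec' lines."""
    text = "\n".join(f"{n}:{','.join(map(str, s))}" for n, s in table.items())
    dev[0:SECTOR] = text.encode().ljust(SECTOR, b"\0")


def read_directory(dev):
    """Parse sector 0 back into {name: [sector numbers]} (live files only)."""
    table = {}
    for line in bytes(dev[0:SECTOR]).rstrip(b"\0").decode().splitlines():
        name, secs = line.split(":")
        table[name] = [int(x) for x in secs.split(",")]
    return table


def build_device():
    """Constructed sample medium: two files written, one then 'deleted'.
    Deletion clears only the directory entry; the data sectors are left
    intact, as they are on a real disk until something overwrites them."""
    dev = bytearray(SECTOR * SECTORS)
    table = {}
    files = {  # constructed contents -> (bytes, sectors allocated to the file)
        "ledger.txt": (b"Q3 ledger: all accounts reconciled.", [2]),
        "transfer.txt": (b"WIRE 250000 to account 0099 -- shred this", [5]),
    }
    for name, (data, secs) in files.items():
        for i, s in enumerate(secs):
            chunk = data[i * SECTOR:(i + 1) * SECTOR]
            dev[s * SECTOR:s * SECTOR + len(chunk)] = chunk
        table[name] = secs
    del table["transfer.txt"]          # the 'deletion': directory entry only
    write_directory(dev, table)
    return bytes(dev)


def file_level_copy(dev):
    """What ordinary back-up software does: copy the directory and the
    sectors of the files it lists, and nothing else."""
    clone = bytearray(len(dev))
    clone[0:SECTOR] = dev[0:SECTOR]
    for secs in read_directory(dev).values():
        for s in secs:
            clone[s * SECTOR:(s + 1) * SECTOR] = dev[s * SECTOR:(s + 1) * SECTOR]
    return bytes(clone)


def sector_level_copy(dev):
    """Forensic image: every sector in order, allocated or not."""
    return b"".join(dev[s * SECTOR:(s + 1) * SECTOR]
                    for s in range(len(dev) // SECTOR))


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def verify_clone(original, clone):
    """A clone is acceptable only if it hashes identically to the original."""
    return sha256(original) == sha256(clone)


def carve(image, needle):
    """Search the sectors no live file owns for a byte string; returns
    (sector number, sector contents) for each hit."""
    live = {s for secs in read_directory(image).values() for s in secs} | {0}
    hits = []
    for s in range(len(image) // SECTOR):
        sec = image[s * SECTOR:(s + 1) * SECTOR]
        if s not in live and needle in sec:
            hits.append((s, sec.rstrip(b"\0")))
    return hits


def custody_record(item, original, clone, examiner):
    """Minimal chain-of-custody entry (illustrative, not a prescribed form):
    who imaged what, and the two hashes that let anyone later confirm the
    clone is still a faithful copy of the original."""
    return {
        "item": item,
        "examiner": examiner,
        "original_sha256": sha256(original),
        "clone_sha256": sha256(clone),
        "verified": verify_clone(original, clone),
    }


if __name__ == "__main__":
    dev = build_device()
    backup = file_level_copy(dev)
    image = sector_level_copy(dev)
    print("file-level copy verifies:  ", verify_clone(dev, backup))   # False
    print("sector-level copy verifies:", verify_clone(dev, image))    # True
    print("deleted text in back-up:   ", carve(backup, b"WIRE"))      # []
    print("deleted text in image:     ", carve(image, b"WIRE"))       # one hit, sector 5
    print(custody_record("HDD-001", dev, image, "J. Examiner"))
```

The same check applies to a real drive: with a write blocker in place, hash the source drive and the image with the same algorithm and record both values in the custody log at the time of imaging, so that any later examination of the clone can be tied back to the sealed original.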