Internal Auditing and good governance: Research from Saudi Arabia

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

The Institute of Internal Auditors (IIA) has developed the globally accepted definition of internal auditing, as follows1:

"Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."

Independence is established by the organizational reporting structure. Objectivity is achieved by an appropriate mind-set. The internal audit activity evaluates risk exposures relating to the organization's governance, operations and information systems.

Based on the results of the risk assessment, the internal auditors evaluate the adequacy and effectiveness of how risks are identified and managed in the above areas. They also assess other aspects such as ethics and values within the organization, performance management, communication of risk and control information within the organization in order to facilitate a good governance process.

The IIA's Governance standard (2110) advocates, the internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

Promoting appropriate ethics and values within the organization;

Ensuring effective organizational performance management and accountability;

Communicating risk and control information to appropriate areas of the organization; and

Coordinating the activities of and communicating information among the board, external and internal auditors, and management.

As per the Commission on Public Trust's findings and recommendations, The Conference Board, 2003, p. 11, all companies should have an internal audit function. This should be established regardless of whether it is an "in-house" function or one performed by an outside accounting firm that is not the firm that acts as the company's regular outside auditors. Public companies should revise their internal controls to reflect a broad risk-based approach and to support the certification process for both financial reports and internal controls.

The internal auditor should have a direct line of communication and reporting responsibility to the audit committee4.

Accordingly, we consider the research problem to test the "level of governance in Internal Audit Function within Kingdom of Saudi Arabia" under the title "Internal Auditing and Good Governance in Saudi Arabia"

Grounded Theory of Best Practices on Corporate Governance of Internal Audit Function:

To promote good governance with in Internal Auditing function, boards should examine company practices relating to the internal audit function to ensure compliance with relevant legislation and regulatory guidelines. Among other key issues, boards should ensure that; such a function exists within the company; the audit committee is receiving the requisite information from internal auditors such as key risks facing the company; the internal audit function is structured to promote operational independence; appropriate lines of communication exist between the internal auditors, management and the audit committee; and a forum is provided where internal auditors can rise concerns without fear of management retribution.

Internal Audit Function strategies: Laws and regulations in Saudi Arabia, as imposed by the Ministry Of Commerce and Industry (MOCI) and the Capital Market Authority (CMA) in its Corporate Governance Act, require every joint stock company to have internal audit function. According to the CMA, companies would not need to establish a separate internal audit department or devote full-time employee resources, only to have appropriate control measures in place to review and approve internal transactions and accounting.

Companies would also be allowed to outsource the function to an outside firm. If the function is outsourced, the company should use a different firm than the firm used for the external audit.

Ensuring independence: The internal audit function should be structured to ensure operational independence and should have full and direct access to the audit committee and top management. In addition, the Chief Audit Executive (CAE) should report directly to the audit committee. To promote independence, the Institute of Internal Auditors (IIA) recommends the audit committee include certain provisions in its charter pertaining to the internal audit function:

The audit committee should ensure the internal audit function is structured in a manner that achieves organizational independence and permits full and unrestricted access to top management.

The audit committee should review the internal audit function's charter and ensure unrestricted access by internal auditors to records, personnel, and physical properties relevant to the performance of the engagements.

The audit committee should review and approve the annual internal auditing budget and assess the appropriateness of the resources allocated to internal auditing.

Decisions regarding hiring or termination of the CAE should require endorsement by the chairman of the audit committee.

The chairman of the audit committee should also be appropriately involved in the performance evaluation and compensation decisions related to the CAE.

The audit committee should regularly provide the CAE and the external audit with the opportunity to confer privately with the committee, without the presence of management4.

Audit methodology, tools, approaches and standards5:

Risk Assessments: The identification of the functions performed by the organization in the achievement of its strategic objectives, and the breaking down into individual tasks and related risks and the control procedures built in to mitigate these risks are important. Best Practice therefore requires the preparation of a Risk Assessment which will provide as the basis of internal audit activities.

Risk Assessment approach/methodology adopted :

Annual Audit Plan: Once the whole array of risks has been identified, the next step is to rank the risks and draw up an audit plan accordingly. One way to effectively prioritize the processes for audit purposes is to look at the matrix of probability of occurrence versus severity of loss for each of the processes and develop a risk based audit plan according to this classification (Moody).

While in the process of identifying these risks the audit team may use intelligence gathered by other functions within the organization, in devising the audit plan the internal auditors should have an independent view on risks.

Best practices also demand timely and comprehensive coverage by audit across a spectrum of risks While we grade risks using simple ranking of high, medium and low risk, timeliness of the audit as per this categorization is important, with high risk areas being covered annually and so on.

This does not imply that there should be slippage in covering the low risk areas because even these can create problems. In fact internal audit practitioners consider it advisable to annually re assess the organizations' risk profile annually. Given that the risks to the organization/activity would change over time, with new risks emerging, revisiting the risk based plan is imperative to an effective audit function.

Audit programs and audit approaches: Use of appropriate audit programs, approaches towards selection of audit universe, process audits etc and internal control reviews / assessments, use of appropriate software that would ensure value addition and improvement in organisational processes are key best practices within internal auditing.

Timely reporting: The effectiveness of audit is dependent on its ability to not only spot problem areas or areas where improvements can be suggested, but also on its ability to ensure speedy remedial action after audit has been completed. This in turn is dependent on timely completion and submission of the audit report. Any delay in this would defeat the very purpose and function of internal audit. It is considered a best practice if audit professionals rank or grade their reports, using a simple system, to enable the clients distinguish problematic audit reports from others.

There could for instance be one category of reports that are highly critical where significant remedial actions are recommended; others that list out deficiencies that need to be corrected but where the lapses are not too significant; and a third category of those reports that are by and large a 'clean bill of health' though some improvement opportunities are identified.

Follow-up: Effective and timely follow up to reports is essential particularly the speedy implementation of remedial actions recommended in highly critical reports. Best practices calls for such units that receive highly critical reports or those units that have significantly delayed implementation of recommendations of audit, to report the reasons for the problems and proposed corrective actions, to the highest level over-seeing the internal audit function within the organization.

An effective tracking system for audit reports would ensure an effective and timely follow up to audit. A rigorous audit follow up process could for instance include a Follow up Action Report form to be attached for the audited department to use for reporting when the audit recommendations are implemented.

Manpower & Resources: Upgrades to the internal audit function capabilities in terms of increased manpower and resources available as well as capacity building, will contribute to a more effective control environment. Best practices support adopting a balanced staffing model and maintaining an effective working relationship between internal and external audit.

Communication: The audit committee requires information from the internal auditors to gain an overview of the strategic, operational, and financial risks facing the company and the assessment of the controls put in place by management to manage these risks.

The report from the internal auditors should be prepared periodically and broadly address the adequacy of internal controls, rather than being limited to financial controls. The head of internal audit should also, at least annually, present a report on the state of the company's internal control processes to senior management and the audit committee4.

Rotation: Audit committees may wish to consider a rotation policy for both the head of internal audit and internal audit staff to promote independence. For instance, the company could institute a policy whereby internal audit staff is rotated every three or five years. Staff rotation allows for a new and fresh perspective and guards against complacency-an important factor since, at many companies, the positions are used as steppingstone to senior financial manager positions4.

Justification for Research:

At the outset of current financial downturn and the series of corporate aftershocks worldwide, have highlighted the critical role of board of directors in promoting good corporate governance. In particular boards are being held responsible for the effectiveness and efficiency of the internal control system within their organizations.

It is widely accepted that an effective internal audit function plays an important role in assisting board to comply their governance responsibilities. Yet it is very important for the effective functioning of the internal audit how does the board and the audit committee satisfies the corporate governance of the internal audit function.

The definition on internal auditing recognizes two vital roles for internal audit2;

To provide an independent assurance service to the board, audit committee and management, focusing on reviewing the effectiveness of the governance, risk management and control processes that management has put into place.

To provide advice to management on governance risks and controls.

The key role of internal audit is to assist the board and/or audit committee in discharging its governance responsibilities through;

Effectiveness and efficiency of operations.

Reliability and integrity of financial and operational information.

Safeguarding of assets.

Compliance with laws, regulations, and contracts.

However in attempting to adequately discharge all the responsibilities of internal audit within internal auditing, internal auditors often find themselves in an anomalous position. Sometimes they report to senior management within the organization, yet are expected to objectively review management's conduct and effectiveness.

The only satisfactory solution to this critical situation for internal audit is to report primarily and directly to the board and its audit committee rather than to senior management, forms as the justification of this study 3.

Research Questions / or Hypothesis:

In the light of several high level reviews by regulators and others, have acknowledged that the internal audit function and the oversight of internal controls have becomes an important responsibility of boards. Well performing internal audit function is one of the strongest means to monitor and promote good governance within an organization, thus the objective of this study aims to ensure the achievement of following governance objectives within internal audit function in the listed public companies in Kingdom of Saudi Arabia, is considered as the questions / hypothesis on this research;

Does internal audit function been strategically positioned to contribute to meet objectives and board's needs?

Are internal audit methodologies, tools and approaches meet standards, best practices and dynamic in adding value and improve organization's operations?

Does internal audit have right people and personnel strategy to achieve its mission/objectives?

Research Methodology and research design:

Methods of data gathering and reliability

The primary data for this research to be collected through a survey conducted using detail questionnaire attached herewith in Annexure -1. The primary data to be collected from the public companies registered with Capital Market Authority (CMA) and listed in the stock market in Saudi Arabia. A structured questionnaire will be forwarded to the board members for their review and response.

As the numbers of such companies are not very much in number, circulating questionnaire to all those companies is viable, thus expecting to receive representative number of representative responses from this population. As we intend to receive duly completed questioner from CAE as representative of BOD or Audit Committee, we consider the data provided will be within the acceptable level of reliability.

Since the desired processes for each organisation might vary from organisation to the other, due care been taken to collect and consider such desirable options together with its rationale for appropriate consideration and data adjustments.

Secondary Data Collection

Secondary data are collected by referring most recent information from authoritative web and other authenticated source of information.

Analysis methods

The data collected using the questionnaire will be analyzed by using spreadsheet for descriptive statistics and analysis methods. Qualitative method of analysis employed for feedbacks obtained using open ended questions.

There are multiple questions been asked on each research questions, we intend to use Chi-square (χ2) test to determine the goodness of fit between the desired and practicing processes with critical value (α) = 0.05 level of significance on each of the three hypotheses set above under "Research Questions / Hypotheses" head independently.

Data sources, Rights of the participants :

The primary data to be collected from the public companies registered with Capital Market Authority (CMA) and listed in the stock market in Saudi Arabia. As this survey intends to receive one completed questionnaire for each organisation, considering the technical and strategic nature, we request the same to be completed by senior members in the internal audit department/ Top of the Internal Audit Department (Chief Audit Executive).

The questionnaire structured will be send through e-mail to the board of representative companies, the responses can be analyzed through appropriate data analysis techniques explained above.

The participants have the right either to complete this questionnaire fully or partially, each question is given with an exit option to quit from the question with they feel not appropriate to answer. Also, my contact information provided to them will provide them the right to access myself and enquire about the data requirements and status. In and above all we do not collect the organisational identification hence the data collected will be anonymous, which definitely protects the interest of organisations.