The background for this study is that businesses are becoming more aware of the value that Internal Auditors can bring with regard to organizational governance, internal controls, risk management and assessment of compliance with applicable laws and regulations.
The purpose of this research assignment is to document, firstly, how organizations define governance; secondly, how the Internal Auditors within organizations test and assess the adequacy and effectiveness of organizational governance; and thirdly, which audit procedures the Internal Audit function uses when assessing organizational governance.
According to the definition of internal auditing, the primary goal of the Internal Auditor is to "evaluate the company's risk management, internal control and corporate governance processes".
Firstly, a few definitions regarding Governance:
Organizational governance is defined by the OECD Principles of Corporate Governance, 2004 as "Corporate governance deals with the rights and responsibilities of companies management, its board, shareholders and various stakeholders"; it also includes "A set of relationships between a company's management, its board, its shareholders, and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined".
Governance is defined by the Institute of Internal Auditors, International Standards for the Professional Practice of Internal Auditing, 01-01-2009, as "The combination of processes and structures implemented by the board in order to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives."
The Australian Stock exchange defines Organizational governance as "The system by which companies are directed and managed. It influences how the objectives of the company are set and achieved, how risk is monitored and assessed, and how performance is optimized."
Since there is no fixed definition for governance, one can conclude from the above that governance deals with how organizational controls and leadership will achieve the organization's objectives, bearing in mind the best interests of shareholders, applicable stakeholders and the company (which includes staff and other resources), as well as how to manage the risks associated with the achievement of objectives. Corporate governance involves decision making, accountability and monitoring.
What, then, is the role of the Internal Auditor with regard to risk, control and governance as a whole?
Due to all the scandals of the past several years, risk management departments are no longer taking the lead in managing risks, but are rather directing the management responsibility to the Internal Audit function. One main reason for this is that in many organizations the risk department reports only to the vice-president, while the Internal Audit function reports to the Board of Directors and Audit Committee. It is, however, not ideal that the Internal Audit function take full ownership of the enterprise-wide risks.
The ideal would be that the Internal Audit function performs assessments of the enterprise-wide risk management, but does not entirely manage the risks, which, according to COSO and King III, Chapter 4, 4.1, should be the responsibility of management. Managing the risk also requires implementation of recommendations, and according to audit standards, the Internal Audit function may not be involved in the implementation of the auditor's recommendations.
The International Standards for the Professional Practice of Internal Auditing, 2009, standard 2010, also states that internal audit groups shall base audit plans around risk assessments conducted on an annual or more frequent basis. This should be done with input from senior management and the Board of Directors.
Thus, the role of the Internal Auditor with regard to risk management is to report to the Audit Committee that management is effectively identifying and controlling risks, and that the company has a systematic and effective approach to enterprise risk management.
The risk audit should, as stated by King III 2008, published by the Institute of Directors, consider not whether the firm complies with existing procedures or processes, but rather whether the controls currently present are effective in managing the risks that will arise in the course of reaching objectives. Such an approach is usually known as a risk-based approach.
According to King III, the risk-based audit should also be conducted each year and a report submitted to the company board. The Internal Auditors should also conduct follow-up assessments of risks identified during the main risk audits.
Internal controls are an integral part of enterprise risk management, as discussed above. The main role of the Internal Auditor with regard to internal controls is to focus on improving the controls and providing recommendations for areas of concern which can be improved. One of the main frameworks regarding internal controls is the COSO framework. Under the COSO framework, the Internal Auditor should provide reasonable assurance that the internal controls lead to the achievement of objectives. The following main areas of internal controls should be evaluated by the Internal Auditor or Internal Audit department:
Effectiveness and efficiency of operations.
Reliability of financial reporting.
Compliance with laws and regulations.
The responsibility for internal controls, however, lies with the firm's management. Management should take responsibility for the establishment of policies and processes which will or should lead to organizational success.
The Sarbanes-Oxley Act of 2002 (SOX), although mainly applicable to US-based public companies and subsidiaries, states a number of roles that the Internal Audit department should play when it comes to a company's internal controls.
SOX made it compulsory for companies to consult the Internal Audit department regarding internal controls and risks. Another function that is made compulsory by SOX is that the company should acquire the assistance of the Internal Audit department in designing the internal control programs for the company, recommending and drafting procedures for internal controls, and assisting with the maintenance of the control repository of the firm. The Internal Audit function should also help to design internal control effectiveness tests, conduct the tests and then evaluate the results.
The Internal Audit function may not, according to SOX, make conclusions on the effectiveness of internal controls on behalf of management. The Internal Auditor may not direct the key management decisions regarding internal controls or remedial actions. Performing the installation of internal controls is also prohibited by SOX.
The Internal Audit function is thus allowed to serve management in various capacities regarding internal controls, including advisory, testing, training and development. But it is prohibited for the Internal Audit function to cross the line into decision-making roles.
Finally, what would be the role of Internal Auditing in the governance of a company? Firstly, auditors are given wide powers to enable them to detect wrongdoing by management. They are expected to be independent of the company and provide an objective report. However, one major problem arises: the Internal Auditor should conduct objective reviews of management code and conduct, but at the same time report to senior management.
One solution for this would be for the Internal Auditors to report to the Audit Committee and directly to the board.
Returning to the role of the auditor, it should be noted that an effective internal audit function should assist a company's board in discharging its governance responsibilities. Secondly, Internal Auditors' full-time focus on risks and controls is vital to a sound governance process.
SOX, the European Union's 8th Directive and the ISA all require the auditor to report to the Audit Committee and the Board of Directors regarding the following:
Any approach, scope or limitations on the audit
Any ongoing concerns or uncertainties
Any applicable changes in accounting standards and practices
All risks and exposures of the company
Any disagreement with management that could affect the financial statements or the audit report
Any weakness in the accounting or internal controls
Irregularities, fraud and non-compliance with applicable laws and regulations
Other matters of material effect and as agreed upon in the audit terms of engagement
The auditors should continuously perform a review of the organization's control culture, especially the control and guidance provided by top management. The auditor should provide an objective evaluation of risks and internal controls. Systematic analysis should be performed by the auditor regarding all business processes and internal controls. They should conduct fraud audits on a continuous basis and, with them, check whether assets are fairly valued and truly exist. Furthermore, the Internal Auditors should assess the compliance framework of the company and compliance with applicable laws and regulations. Assessments by the auditor should also be conducted as to what degree the company manages to achieve its objectives with the current controls in place.
The auditor should also include in his/her final report an objective review of ethics within the company as well as whistle-blowing initiatives. Attention should be given to transparency and disclosure policies within the organization.
How will the Internal Auditor assess the adequacy and effectiveness of organizational governance within organizations?
When performing assessments of governance, the Internal Auditor should be aware that at some point high-level clearance will be required to obtain confidential and sensitive documents and records. The audit department or function should therefore ensure that top management and board support exists for governance assessments.
When starting an assessment of governance within an organization, the auditor should first start with the definition of governance. Although no fixed definition exists, a broad understanding of governance should be obtained. The auditor then needs to determine the fundamental purpose of the audit and whether it is to provide assurance or a form of consulting support.
After determining the purpose, the auditor should then define the scope of the governance audit which will be performed. The audit plan should be communicated to all the parties involved and the auditor should ensure that the tasks are clear.
Should the assessments of governance be for the purpose of consultation, then the Internal Auditor should address numerous questions such as:
Will the auditor only communicate his/her recommendations after the audit is completed or during the course of the audit?
What type of report is required? Formal or informal?
Who's the addressee of the report?
How will the internal auditors follow up to ensure appropriate consideration and action has been taken on its recommendations?
Prior to the audit, the management and Board of Directors should decide what format the report should take as well as to whom the report will be distributed.
Furthermore, in the assessment of governance, the auditor should improve communications with management and the Board of Directors. During the audit of governance, the Internal Auditor should place renewed focus on risk and ethical management and serve as a risk educator. It is also recommended that fraud testing be expanded in the audit.