NAME-MONICA .J. PRITHIANI..

STD-M.COM PART-2 ROLL NO-1362103 DATE 29/09/2013

COLLEGE S.S.T. COLLEGE

INTERNAL AUDIT WITH REFERENCE TO INTERNAL CONTRO.

INTERNAL AUDIT:Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Internal auditing is a catalyst for improving an organization's governance, risk management and management controls by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity. The scope of internal auditing within an organization is broad and may involve topics such as an organization's governance, risk management and management controls over: efficiency/effectiveness of operations (including safeguarding of assets), the reliability of financial and management reporting, and compliance with laws and regulations. Internal auditing may also involve conducting proactive fraud audits to identify potentially fraudulent acts; participating in fraud investigations under the direction of fraud investigation professionals, and conducting post investigation fraud audits to identify control breakdowns and establish financial loss. Internal auditors are not responsible for the execution of company activities; they advise management and the Board of Directors (or similar oversight body) regarding how to better execute their responsibilities. As a result of their broad scope of involvement, internal auditors may have a variety of higher educational and professional backgrounds. The Institute of Internal Auditors (IIA) is the recognized international standard setting body for the internal audit profession and awards the Certified Internal Auditor designation internationally through rigorous written examination. Other designations are available in certain countries. In the United States the professional standards of the Institute of Internal Auditors have been codified in several states' statutes pertaining to the practice of internal auditing in government (New York State, Texas, and Florida being three examples). There are also a number of other international standard setting bodies.

 History of internal auditing:Internal auditors work for government agencies (federal, state and local); for publicly traded companies; and for non-profit companies across all industries. Internal auditing departments are led by a Chief Audit Executive ("CAE") who generally reports to the Audit Committee of the Board of Directors, with administrative reporting to the Chief Executive Officer (In the United States this reporting relationship is required by law for publicly traded companies). The Internal Auditing profession evolved steadily with the progress of management science after World War II. It is conceptually similar in many ways to financial auditing by public accounting firms, quality assurance and banking compliance activities. While some of the audit technique underlying internal auditing is derived from management consulting and public accounting professions, the theory of internal auditing was conceived primarily by Lawrence Sawyer (1911-2002), often referred to as "the father of modern internal auditing"; and the current philosophy, theory and practice of modern internal auditing as defined by the International Professional Practices Framework (IPPF) of the Institute of Internal Auditors owes much to Sawyer's vision. With the implementation in the United States of the Sarbanes-Oxley Act of 2002, the profession's exposure and value was enhanced, as many internal auditors possessed the skills required to help companies meet the requirements of the law. However, the focus by internal audit departments of publicly traded companies on SOX related financial policy and procedures derailed progress made by the profession in the late 20th century toward Larry Sawyer's vision for internal audit. Beginning in about 2010, the IIA once again began advocating for the broader role internal auditing should play in the corporate arena, in keeping with the IPPF's philosophy.

Organizational independence While internal auditors are not independent of the companies that employ them, independence and objectivity are a cornerstone of the IIA professional standards; and are discussed at length in the standards and the supporting practice guides and practice advisories. Professional internal auditors are mandated by the IIA standards to be independent of the business activities they audit. This independence and objectivity are achieved through the organizational placement and reporting lines of the internal audit department. Internal auditors of publicly traded companies

in the United States are required to report functionally to the board of directors directly, or a sub-committee of the board of directors (typically the audit committee), and not to management except for administrative purposes. The required organizational independence from management enables unrestricted evaluation of management activities and personnel and allows internal auditors to perform their role effectively. Although internal auditors are part of company management and paid by the company, the primary customer of internal audit activity is the entity charged with oversight of management's activities. This is typically the Audit Committee, a sub-committee of the Board of Directors. To provide independence, most Chief Audit Executives report to the Chairperson of the Audit Committee and can only be replaced with the concurrence of that individual Role in internal control Internal auditing professional standards require the function to evaluate the effectiveness of the organization's Risk management activities. Risk management is the process by which an organization identifies, analyzes, responds, gathers information about, and monitors strategic risks that could actually or potentially impact the organization's ability to achieve its mission and objectives. Under the COSO enterprise risk management (ERM) Framework, an organization's strategy, operations, reporting, and compliance objectives all have associated strategic business risks - the negative outcomes resulting from internal and external events that inhibit the organization's ability to achieve its objectives. Management assesses risk as part of the ordinary course of business activities such as strategic planning, marketing planning, capital planning, budgeting, hedging, incentive payout structure, credit/lending practices, mergers and acquisitions, strategic partnerships, legislative changes, conducting business abroad, etc. Sarbanes-Oxley regulations require extensive risk assessment of financial reporting processes. Corporate legal counsel often prepares comprehensive assessments of the current and potential litigation a company faces. Internal auditors may evaluate each of these activities, or focus on the overarching process used to manage risks entity-wide. For example, internal auditors can advise management regarding the reporting of forward-looking operating measures to the Board, to help identify emerging risks; or internal auditors can evaluate and report on whether the board and other stakeholders can have reasonable

assurance the organization's management team has implemented an effective enterprise risk management program. In larger organizations, major strategic initiatives are implemented to achieve objectives and drive changes. As a member of senior management, the Chief Audit Executive (CAE) may participate in status updates on these major initiatives. This places the CAE in the position to report on many of the major risks the organization faces to the Audit Committee, or ensure management's reporting is effective for that purpose. Internal auditors may help companies establish and maintain Enterprise Risk Management processes. Internal auditors also play an important role in helping companies execute a SOX 404 top-down risk assessment. In these latter two areas, internal auditors typically are part of the risk assessment team in an advisory role. Role in corporate governance Internal auditing activity as it relates to corporate governance has in the past been generally informal, accomplished primarily through participation in meetings and discussions with members of the Board of Directors. According to COSO's ERM framework, governance is the policies, processes and structures used by the organizations leadership to direct activities, achieve objectives, and protect the interests of diverse stakeholder groups in a manner consistent with ethical standards. The internal auditor is often considered one of the "four pillars" of corporate governance, the other pillars being the Board of Directors, management, and the external auditor. A primary focus area of internal auditing as it relates to corporate governance is helping the Audit Committee of the Board of Directors (or equivalent) perform its responsibilities effectively. This may include reporting critical management control issues, suggesting questions or topics for the Audit Committee's meeting agendas, and coordinating with the external auditor and management to ensure the Committee receives effective information. In recent years, the IIA has advocated more formal evaluation of Corporate governance, particularly in the areas of board oversight of enterprise risk, corporate ethics, and fraud.

 Audit project selection or "annual planning" Based on a risk assessment of the organization, internal auditors, management and oversight Boards determine where to focus internal auditing efforts. This focus or prioritization is part of the annual/multiyear audit planning. The audit plan is typically proposed by the CAE (sometimes with several options or alternatives) for the review and approval of the Audit Committee or Board of Directors. Internal auditing activity is generally conducted as one or more discrete assignments. A typical internal audit assignment involves the following steps: 1. Establish and communicate the scope and objectives for the audit to appropriate management. 2. Develop an understanding of the business area under review. This includes objectives, measurements, and key transaction types. This involves review of documents and interviews. Flowcharts and narratives may be created if necessary. 3. Describe the key risks facing the business activities within the scope of the audit. 4. Identify management practices in the five components of control used to ensure each key risk is properly controlled and monitored. 5. Develop and execute a risk-based sampling and testing approach to determine whether the most important management controls are operating as intended. 6. Report issues and challenges identified and negotiate action plans with management to address the problems. 7. Follow-up on reported findings at appropriate intervals. Internal audit departments maintain a follow-up database for this purpose. Audit assignment length varies based on the complexity of the activity being audited and Internal Audit resources available. Many of the above steps are iterative and may not all occur in the sequence indicated. In addition to assessing business processes, specialists called Information Technology (IT) Auditors review information technology controls.

 Internal audit reports Internal auditors typically issue reports at the end of each audit that summarize their findings, recommendations, and any responses or action plans from management. An audit report may have an executive summary; a body that includes the specific issues or findings identified and related recommendations or action plans; and appendix information such as detailed graphs and charts or process information. Each audit finding within the body of the report may contain five elements, sometimes called the "5 C's": 1. Condition: What is the particular problem identified? 2. Criteria: What is the standard that was not met? The standard may be a company policy or other benchmark. 3. Cause: Why did the problem occur? 4. Consequence: What is the risk/negative outcome (or opportunity foregone) because of the finding? 5. Corrective action: What should management do about the finding? What have they agreed to do and by when? The recommendations in an internal audit report are designed to help the organization achieve effective and efficient governance, risk and control processes associated with operations objectives, financial and management reporting objectives; and legal/regulatory compliance objectives. Audit findings and recommendations may also relate to particular assertions about transactions, such as whether the transactions audited were valid or authorized, completely processed, accurately valued, processed in the correct time period, and properly disclosed in financial or operational reporting, among other elements. Under the IIA standards, a critical component of the audit process is the preparation of a balanced report that provides executives and the board with the opportunity to evaluate and weigh the issues being reported in the proper context and perspective. In providing perspective, analysis and workable recommendations for business improvements in critical areas, auditors help the organization meet its objectives.

 Other topics Measuring the internal audit function The measurement of the internal audit function can involve a balanced scorecard approach.[9] Internal audit functions are primarily evaluated based on the quality of counsel and information provided to the Audit Committee and top management. However, this is primarily qualitative and therefore difficult to measure. "Customer surveys" sent to key managers after each audit engagement or report can be used to measure performance, with an annual survey to the Audit Committee. Scoring on dimensions such as professionalism, quality of counsel, timeliness of work product, utility of meetings, and quality of status updates are typical with such surveys. Understanding the expectations of senior management and the audit committee represent important steps in developing a performance measurement process, as well as how such measures help align the audit function with organizational priorities Reporting of critical findings The Chief Audit Executive (CAE) typically reports the most critical issues to the Audit Committee quarterly, along with management's progress towards resolving them. Critical issues typically have a reasonable likelihood of causing substantial financial or reputational damage to the company. For particularly complex issues, the responsible manager may participate in the discussion. Such reporting is critical to ensure the function is respected, that the proper "tone at the top" exists in the organization, and to expedite resolution of such issues. It is a matter of considerable judgment to select appropriate issues for the Audit Committee's attention and to describe them in the proper context. Audit philosophy Some of the philosophy and approach of internal auditing is derived from the work of Lawrence Sawyer. His philosophy and guidance on the role of internal audit was a forerunner of the current definition of internal auditing. It emphasized assisting management and the Board in achieving the organizations objectives through well-reasoned audits, evaluations, and analyses of operational areas. He encouraged the modern internal auditor to act as a counselor to management rather than as an adversary. Sawyer saw auditors as active players influencing events in the business rather than criticizing all degrees of errors and mistakes. He also foresaw a more desirable auditor future involving a

stronger relationship with members of Audit Committee and the Board and a divorce from direct reporting to the Chief Financial Officer. Sawyer often talked about catching a manager doing something right and providing recognition and positive reinforcement. Writing about positive observations in audit reports was rarely done until Sawyer started talking about the idea. He understood and forecast the benefits of providing more balanced reporting while simultaneously building better relationships. Sawyer understood the psychology of interpersonal dynamics and the need for all people to receive acknowledgment and validation for relationships to prosper. Sawyer helped make internal auditing more relevant and more interesting through a sharp focus on operational or performance auditing. He strongly encouraged looking beyond financial statements and financial-related auditing into areas such as purchasing, warehousing and distribution, human resources, information technology, facilities management, customer service, field operations, and program management. This approach helped catapult the chief audit executive into the role of a respected and knowledgeable adviser who was thought to be reasonable, objective, and concerned about helping the organization achieve the stated goals. Whether to have an internal audit function Having an internal audit function is not mandatory for listed companies, although it is for certain public sector organisations. Therefore the board of a smaller listed company may decide that it already gains sufficient assurance on risk, control and governance from other assurance activities within the organisation, for example, directly from regular management information and self-monitoring, from other assurance functions such as security or health and safety or from its external auditors. In short, a company may conduct internal audit activities even though there is no internal audit function. The Smith Guidance calls upon the audit committee to recommend to the board whether there should be an internal audit function. In such a situation, the audit committee needs to be satisfied that all arrangements that the board has put into place are sufficient and appropriate for the organisation. Guidance for audit committees Internal audit is a source of independent and objective assurance. Therefore when making the decision not to have an internal audit function, the board and the audit committee must be in a position to demonstrate that the assurance it is already receiving is sufficient. Paragraph 4.9 of the Smith Guidance requires the audit committee

to explain this in its report to shareholders so it must also be in a position to demonstrate to external parties that an internal audit function is not necessary. Status of internal audit Where there is an internal audit function, its status and remit derives from the needs of the organisation and should be set at the top of the organisation, i.e. by the board and the audit committee. There is no single model for internal audit and each organisation will determine what is appropriate to suit its requirements. In general, internal audit could, if agreed by the audit committee, seek assurance that: The organisation has a formal governance process which is operating as intended: values and goals are established and communicated, the accomplishment of goals is monitored, accountability is ensured and values are preserved. Significant risks within the organisation are being managed and controlled to an acceptable level as determined by the board. In addition, internal audit can be used to facilitate the strengthening of the governance and risk framework within the organisation. The audit committee will need to consider the role that has been set for internal audit within the organisations overall assurance framework. It will, on an ongoing basis (at least annually), wish to challenge the organisations decisions in relation to the role that has been set for internal audit and question whether its scope, authority and resources are adequate and consistent with the risks that the organisation faces and the effectiveness of the internal controls that are in place to address those risks. Terms of reference The overall status and remit of internal audit should be formalised in terms of reference, often referred to as an audit charter, and approved by the board, normally through the audit committee. These should then be communicated to relevant people within the organisation. Internal audits terms of reference or charter should provide clarity about its: strategy and objectives; role and responsibilities within the organisation; scope of work;

 accountability to the audit committee; reporting lines for line management purposes; accessibility to the board and the audit committee; and unfettered access to all information, people and records across the organisation. The terms of reference should make it clear that internal audit should not be put in a position where it has to review its own work. The audit committee might wish to consider: Are there formal terms of reference/an audit charter that are approved by the board? Have they been communicated to relevant people within the organisation? How frequently are the terms of reference refreshed? What safeguards protect the independence of internal audit and the position of the head of internal audit?

Audit plans Internal audit should, on at least an annual basis, develop a plan of work that it will cover to provide the required assurance to the audit committee and the board. This plan should retain some flexibility to enable internal audit to respond to new issues as they arise. The audit plan should identify how internal audit will: obtain assurance on the effectiveness of the governance and risk management processes; support the development and maintenance of governance and risk management processes; challenge the boards assessment of risk and the controls in place to manage the identified risks; evaluate and test the effectiveness of controls in place to manage the identified risks; and co-ordinate with other sources of assurance, e.g. health and safety, external auditors, etc. In setting the audit plan, there should be effective dialogue between the audit committee, management, internal audit and external auditors to ensure that there is adequate assurance from all sources to cover all key business risks. Audit committees need to make clear their expectations that both internal and external auditors will communicate effectively with each other about how their respective audit plans and objectives will cover these key business risks.

The IIAs Performance Standard 2201,Planning Considerations, states that internal auditors, in planning their work, should consider the objectives of the activity being reviewed, the risks related to that activity, the adequacy and effectiveness of the activitys risk management and control systems and the opportunities for making significant improvements to those systems. Sourcing of internal audit There is no requirement for internal audit to be provided by an organisations own employees. The organisation may choose to have the service provided fully from within, may outsource it entirely to an external provider or may consider a mixture of internal and external sourcing. However the service is provided, it needs to fit into the overall remit and scope that has been set and its effectiveness needs to be monitored and reviewed on a regular basis by the audit committee. Performing the audit work In order to perform its work efficiently and effectively, internal audit will need to have unfettered access to necessary information, people, records and outsourced operations across the organisation. IIA Performance Standard 2300, Performing the Engagement, states that internal auditors should identify, analyse, evaluate and record sufficient information to achieve the engagements objectives. The head of internal audit will need to determine how internal auditors carry out their work and the level of evidence required to support their conclusions. Evaluation of findings Internal auditors will normally evaluate the findings of each engagement. They should assess whether the actions adopted by management address risks in the manner and to the extent intended and identify and report any weaknesses.Communication of results Under the IIAs Performance Standard 2400,Communicating Resultsit is recommended that internal auditors report internally to the board, the audit committee and management on a regular basis. Guidance for audit committees Internal audits reports, opinions and any recommended management actions need to be communicated in a clear, concise, reliable and constructive way. They should demonstrate a clear understanding ofthe organisation and its objectives. All significant actions need to be communicated to the audit committee regularly, together with dates of implementation. Where key agreed actions are not appropriately implemented by management, there needs to be a mechanism for internal audit to investigate the reasons why and, if necessary, escalate matters to the audit committee.

It is important for both internal and external auditors to co-operate, communicate and share their evaluations and the results of their audit work when relevant and subject to any confidentiality requirements. This dialogue should take place regularly throughout the year. The audit committee might wish to consider: Is there a schedule of actions together with agreed implementation dates? Can management provide adequate explanations for situations where actions have not been implemented? Does internal audit have confidential access to the audit committee? Effectiveness of internal audit Internal audit activities play an important part in the effective governance and risk and control framework of any organisation. As required by code provision C.3.2, the audit committee should monitor and review the effectiveness of the internal audit function. It should provide feedback and guidance to internal audit to help it provide the assurance service the audit committee needs. Reviewing internal audit reports will help the audit committee assess the quality of internal audits work during the course of the year. Building on this ongoing review, an annual review may involve obtaining feedback from management, external auditors and other stakeholders. In addition to these ongoing and annual reviews, IIA Performance Standards recommend that a quality review of the internal audit function should be carried out by an independent qualified reviewer at least every five years.

Skills and resources Internal audit needs to have adequate budget and resources to complete its work plan and fulfil its remit. In achieving appropriate The internal audit function 7 coverage of the agreed risk areas, it will need to have staff with the right skills and expertise. It may also require access to specialist resources which might include using staff from elsewhere in the organisation or external resources. Paragraph 4.10 of the Smith Guidance requires the audit committee together with the head of internal audit to ensure that the current complement of staff is sufficient and appropriate to achieve the audit plan

 Background Risk is inherent in the decisions that an organisation takes to manage and run its business and in the business processes established to assist in the achievement of its business objectives. Changes in the way organisations carry out their normal activities resulting from, for example, expansion of the business or changes in the regulatory framework, can place enormous strain on an organisations control mechanisms and become major sources of risk. That is why establishing, implementing and embedding effective risk and control elements of the overall corporate governance framework are of fundamental importance to all organisations. Internal audit can play an important assurance role in an organisations governance processes, particularly in the area of risk management and control. In many organisations, the expectations placed upon internal audit have increased and the function is being relied on to make a significant contribution. With the introduction of the revised Combined Code and the Smith Guidance, audit committees are expected to take a more focused oversight role in respect of risk management and internal control. They need assurance from management and independently that good internal controls are in place and operating effectively. Internal audit can contribute to independent assurance on the overall risk management, control and corporate governance processes. It can also be a useful catalyst for change and improvement within the organisation. It is important therefore for the audit committee to distinguish between the role of management and that of internal audit. Management has primary day-to-day responsibility for managing risk and for the operation of internal controls within an organisation. Internal audits role is separate and independent from management. Independence has a different meaning for internal audit than it does for external audit. The internal audit function is generally considered independent when it can carry out its work freely and objectively.. INTERNAL CONTROL In accounting and auditing, internal control is defined as a process affected by an organization's structure, work and authority flows, people and management information systems, designed to help the organization accomplish specific goals or objectives.[1] It is a means by

which an organization's resources are directed, monitored, and measured. It plays an important role in detecting and preventing fraud and protecting the organization's resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or intellectual property such as trademarks). At the organizational level, internal control objectives relate to the reliability of financial reporting, timely feedback on the achievement of operational or strategic goals, and compliance with laws and regulations. At the specific transaction level, internal control refers to the actions taken to achieve a specific objective (e.g., how to ensure the organization's payments to third parties are for valid services rendered.) Internal control procedures reduce process variation, leading to more predictable outcomes. Internal control is a key element of the Foreign Corrupt Practices Act (FCPA) of 1977 and the SarbanesOxley Act of 2002, which required improvements in internal control in United States public corporations. Internal controls within business entities are also referred to as operational controls. Internal controls have existed from ancient times. In Hellenistic Egypt there was a dual administration, with one set of bureaucrats charged with collecting taxes and another with supervising them. The sacking of Troy was a classic example of the failure of internal controls. In the Republic of China, the Control Yuanone of the five branches of government, is an investigatory agency that monitors the other branches of government.

There are many definitions of internal control, as it affects the various constituencies (stakeholders) of an organization in various ways and at different levels of aggregation. Under the COSO Internal Control-Integrated Framework, a widely-used framework in not only the United States but around the world, internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: a) Effectiveness and efficiency of operations; b) Reliability of financial reporting; and c) Compliance with laws and regulations.

 COSO defines internal control as having five components: 1. Control Environment-sets the tone for the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control. 2. Risk Assessment-the identification and analysis of relevant risks to the achievement of objectives, forming a basis for how the risks should be managed 3. Information and Communication-systems or processes that support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities 4. Control Activities-the policies and procedures that help ensure management directives are carried out. 5. Monitoring-processes used to assess the quality of internal control performance over time. 6. The COSO definition relates to the aggregate control system of the organization, which is composed of many individual control procedures. 7. Discrete control procedures, or controls are defined by the SEC as: "...a specific set of policies, procedures, and activities designed to meet an objective. A control may exist within a designated function or activity in a process. A controls impact...may be entity-wide or specific to an account balance, class of transactions or application. Controls have unique characteristics for example, they can be: automated or manual; reconciliations; segregation of duties; review and approval authorizations; safeguarding and accountability of assets; preventing or detecting error or fraud. Controls within a process may consist of financial reporting controls and operational controls (that is, those designed to achieve operational objectives)."

Context More generally, setting objectives, budgets, plans and other expectations establish criteria for control. Control itself exists to keep performance or a state of affairs within what is expected, allowed or accepted. Control built within a process is internal in nature. It takes place with a combination of interrelated components such as social

environment effecting behavior of employees, information necessary in control, and policies and procedures. Internal control structure is a plan determining how internal control consists of these elements. The concepts of corporate governance also heavily rely on the necessity of internal controls. Internal controls help ensure that processes operate as designed and that risk responses (risk treatments) in risk management are carried out (COSO II). In addition, there needs to be in place circumstances ensuring that the aforementioned procedures will be performed as intended: right attitudes, integrity and competence, and monitoring by managers. Roles and responsibilities in internal control According to the COSO Framework, everyone in an organization has responsibility for internal control to some extent. Virtually all employees produce information used in the internal control system or take other actions needed to affect control. Also, all personnel should be responsible for communicating upward problems in operations, noncompliance with the code of conduct, or other policy violations or illegal actions. Each major entity in corporate governance has a particular role to play: Management The Chief Executive Officer (the top manager) of the organization has overall responsibility for designing and implementing effective internal control. More than any other individual, the chief executive sets the "tone at the top" that affects integrity and ethics and other factors of a positive control environment. In a large company, the chief executive fulfills this duty by providing leadership and direction to senior managers and reviewing the way they're controlling the business. Senior managers, in turn, assign responsibility for establishment of more specific internal control policies and procedures to personnel responsible for the unit's functions. In a smaller entity, the influence of the chief executive, often an owner-manager, is usually more direct. In any event, in a cascading responsibility, a manager is effectively a chief executive of his or her sphere of responsibility. Of particular significance are financial officers and their staffs, whose control activities cut across, as well as up and down, the operating and other units of an enterprise. Board of Directors Management is accountable to the board of directors, which provides governance, guidance and oversight. Effective board members are objective, capable and inquisitive. They also have a knowledge of the

entity's activities and environment, and commit the time necessary to fulfill their board responsibilities. Management may be in a position to override controls and ignore or stifle communications from subordinates, enabling a dishonest management which intentionally misrepresents results to cover its tracks. A strong, active board, particularly when coupled with effective upward communications channels and capable financial, legal and internal audit functions, is often best able to identify and correct such a problem. Auditors The internal auditors and external auditors of the organization also measure the effectiveness of internal control through their efforts. They assess whether the controls are properly designed, implemented and working effectively, and make recommendations on how to improve internal control. They may also review Information technology controls, which relate to the IT systems of the organization. There are laws and regulations on internal control related to financial reporting in a number of jurisdictions. In the U.S. these regulations are specifically established by Sections 404 and 302 of the Sarbanes-Oxley Act. Guidance on auditing these controls is specified in PCAOB Auditing Standard No. 5 and SEC guidance, further discussed in SOX 404 top-down risk assessment. To provide reasonable assurance that internal controls involved in the financial reporting process are effective, they are tested by the external auditor (the organization's public accountants), who are required to opine on the internal controls of the company and the reliability of its financial reporting. Audit Committee The role and the responsibilities of the audit committee, in general terms, are to: (a) Discuss with management, internal and external auditors and major stakeholders the quality and adequacy of the organizations internal controls system and risk management process, and their effectiveness and outcomes, and meet regularly and privately with the Director of Internal Audit; (b) Review and discuss with management and the external auditors and approve the audited financial statements of the organization and make a recommendation regarding inclusion of those financial statements in any public filing. Also review with management and the independent auditor the effect of regulatory and accounting initiatives as well as off-balance sheet issues in the organizations financial statements; (c) Review and discuss with management the types of information to be disclosed and the types of presentations to be made with respect to the Company's earning press release and financial information and earnings guidance provided to

analysts and rating agencies; (d) Confirm the scope of audits to be performed by the external and internal auditors, monitor progress and review results and review fees and expenses. Review significant findings or unsatisfactory internal audit reports, or audit problems or difficulties encountered by the external independent auditor. Monitor management's response to all audit findings; (e) Manage complaints concerning accounting, internal accounting controls or auditing matters; (f) Receive regular reports from the Chief Executive Officer, Chief Financial Officer and the Company's other Control Committees regarding deficiencies in the design or operation of internal controls and any fraud that involves management or other employees with a significant role in internal controls; and (g) Support management in resolving conflicts of interest. Monitor the adequacy of the organizations internal controls and ensure that all fraud cases are acted upon. Personnel Benefits Committee The role and the responsibilities of the personnel benefits, in general terms, are to: (a) Approve and oversee administration of the Company's Executive Compensation Program; (b) Review and approve specific compensation matters for the Chief Executive Officer, Chief Operating Officer (if applicable), Chief Financial Officer, General Counsel, Senior Human Resources Officer, Treasurer, Director, Corporate Relations and Management, and Company Directors; (c) Review, as appropriate, any changes to compensation matters for the officers listed above with the Board; and (d)Review and monitor all human-resource related performance and compliance activities and reports, including the performance management system. They also ensure that benefit-related performance measures are properly used by the management of the organization. Operating Staff All staff members should be responsible for reporting problems of operations, monitoring and improving their performance, and monitoring non-compliance with the corporate policies and various professional codes, or violations of policies, standards, practices and procedures. Their particular responsibilities should be documented in their individual personnel files. In performance management activities they take part in all compliance and performance data collection and processing activities as they are part of various organizational units and may also be

responsible for various compliance and operational-related activities of the organization. Staff and junior managers may be involved in evaluating the controls within their own organisational unit using a control self-assessment. Limitations Internal control can provide reasonable, not absolute, assurance that the objectives of an organization will be met. The concept of reasonable assurance implies a high degree of assurance, constrained by the costs and benefits of establishing incremental control procedures. Effective internal control implies the organization generates reliable financial reporting and substantially complies with the laws and regulations that apply to it. However, whether an organization achieves operational and strategic objectives may depend on factors outside the enterprise, such as competition or technological innovation. These factors are outside the scope of internal control; therefore, effective internal control provides only timely information or feedback on progrressTowards the achievement of operational and strategic objectives, but cannot guarantee their achievement. ls control needed on eIs an understanding of internavery audit? Yes. The auditor is required to perform risk assessment procedures to provide a basis for the identification and assessment of risks of material misstatement at the financial statement and assertion levels. Paragraph 12 of CAS 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment, requires the auditor to obtain an understanding of internal control relevant to the audit. Obtaining this understanding of internal control applies to all audits, even when an auditor does not intend to place reliance on internal controls,often the approach taken by auditors of a small entity. When the auditor intends to rely on relevant controls, paragraph 8 of CAS 330, The Auditors Responses to Assessed Risks, requires the auditor to design and perform tests of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness of relevant controls.This brochure presents a brief, practical discussion of Internal Controls for the unit manager.

 What are internal controls and why are they important? Internal controls are the methods employed to help ensure the achievement of an objective. They are tools used by managers everyday.

Writing procedures to encourage compliance, locking your office to discourage theft, and reviewing your monthly statement of account to verify transactions are common internal controls employed to achieve specific objectives.

All managers, from the unit level to the President of the University, use internal controls to help assure that their units operate according to plan. And the methods they use--policies, procedures, organizational design, and physical barriers--constitute the internal control structure of the Indiana University. Most internal controls can be classified as preventive or detective. Preventive controls are designed to discourage errors or irregularities.

A computer application which checks validity prevents the entry of an invalid account number. Reading and understanding University Human Resource policies, such as Work Hours [for PA Staff], helps prevent violations of the Federal Fair Labor Standards Act. [Human Resources Professional Staff Policy 2.14] A manager's review of purchases for propriety and validity prior to approval prevents inappropriate expenditures.

Detective controls are designed to identify an error or irregularity after it has occurred.

An exception report detects and lists incorrect or invalid entries or transactions. A comparison of validated Cash Receipt Vouchers to monthly financial statements will detect deposits posted to erroneous accounts. The manager's review of long distance telephone charges will detect improper or personal calls that should not have been charged to the account.

Through careful design, the system of internal controls can help your unit operate more efficiently and effectively and provide a reasonable

level of assurance that the processes and products for which you are responsible are adequately protected.

Maintaining written procedures for manual processing will ensure that operations can continue in the event of computer failure.

What is the manager's responsibility? You, as managers, are responsible for ensuring that internal controls are established and functioning to achieve the mission and objectives of your unit. To evaluate internal controls, first think about the following general objectives then identify your unit's specific objectives within these broad categories.

Propriety of Transactions for all activity within accounts for which the manager is responsible [IU Financial Policy I-1: Role of Fiscal Officer, Account Manager, and Account Supervisor] Reliability and Integrity of Information for internal management decisions and external agency reports Compliance with Indiana University Policies and Government Regulations, including but not limited to: Human Resources, Financial, Purchasing, granting agencies, and state and federal government Safeguarding Assets, including physical objects and University data Economy and Efficiency of Operations to optimize the use of limited resources in accomplishing the mission of the unit and Indiana University

Next, identify what controls currently exist (or should be established) to reasonably assure the achievement of each specific objective for your unit.

What is Internal Audit's responsibility?

Internal Audit provides an independent evaluation of the adequacy of internal controls and reports the results to Indiana University administration and the Board of Trustees. Auditors look at how the internal controls, within an operation, work together to make up the internal control structure. The auditor gathers information about the mission and processes of the unit, discusses the major objectives with the manager, and identifies control points within each process where an error, irregularity, or inefficiency is likely to occur.

The auditor documents existing controls at each significant control point, evaluates the adequacy of the controls to ensure achievement of the objective, and then tests the controls to verify they are working as described. Further discussions with the manager focus on control risks, manager insights, and potential control enhancements. The greater the risk, the more extensive the control that is warranted. The auditor's evaluation includes an examination of the following internal control elements: Personnel - should be competent and trustworthy, with clearly established lines of authority and responsibility documented in written job descriptions and procedures manuals.

Organizational charts provide a visual presentation of lines of authority. Periodic updates of job descriptions ensures that employees are aware of the duties they are expected to perform.

Authorization Procedures - should include a thorough review of supporting information to verify the propriety and validity of transactions. Approval authority should be commensurate with the nature and significance of the transactions and in compliance with Indiana University policy. Time records should be signed by the employee and supervisor with direct knowledge of the employee's work schedule. [IU Financial Policy IV-1] An account manager or fiscal officer may delegate signature authority only to an exempt employee or an appointed biweekly employee. [IU Financial Policy I-10] Segregation of Duties should reduce the likelihood of errors and irregularities. An individual should not have responsibility for more than one of the three transaction components: authorization, custody, and record keeping.

Authorization for the assessment of class fees (Registrar) is segregated from the collection of those fees (Bursar).

Physical Restrictions - are the most important type of protective measure for safeguarding University assets, processes, and data.

Safe combinations should be changed periodically and anytime a staff member knowing the combination terminates employment.

Critical forms, such as custodial fund checkbooks, should be adequately secured. Alarm systems may be necessary to adequately protect large amounts of cash, other valuable assets, or sensitive data

Documentation and Record Retention - should provide reasonable assurance that assets are controlled and transactions are correctly recorded.

The Equipment Loan Form documents the authorized removal of equipment from campus and provides assurance that an individual has accepted responsibility for the item. [IU Financial Policy I-140] State Board of Accounts approval for all new or revised forms having a financial implication provides consistency and ensures that adequate transaction information is recorded. [IU Financial Policy I-100]

Monitoring Operations - is essential to verify that controls are operating properly. Reconciliation, confirmations, and exception reports can provide this type of information.

Biannual equipment inventories comply with granting agency regulations and provide assurance that assets physically exist and are available for use. Account managers, account supervisors, and fiscal officers must verify the propriety of transactions within their accounts. [IU Financial Policy I-1] What can jeopardize internal controls?

While many circumstances may compromise the effectiveness of your internal control structure, a few of the most common and serious of these warrant special mention: Inadequate Segregation of Duties - (Our most common audit finding) - Separating responsibility for physical custody of an asset from the related record keeping is a critical control.

Persons who can authorize purchase orders (Purchasing) should not be capable of processing payments (Accounts Payable). The person who prepares the deposit should not post the receipts to the customer accounts. The person who prepares the payroll voucher should not distribute or have custody of the payroll checks.

 Inappropriate Access to Assets - Internal controls should provide safeguards for physical objects, restricted information, critical forms, and update applications.

An employee who only needs to view computer information should be restricted to Read and File Scan access and should not be granted Write and Create access. Only authorized individuals should be issued keys for restricted areas.

Inadequate Knowledge of Indiana University Policies -The University is not a static environment--new policies and policy revisions are a part of our continual evolution. Many University policies are available electronically and printed copies can be supplied upon request by contacting the relevant University department. Managers must stay abreast of these changes and understand their responsibilities.

Fiscal Misconduct - "If any employee knows or suspects that other university employees are engaged in theft, fraud, embezzlement, fiscal misconduct or violation of university financial policies, it is their responsibility to immediately notify the Internal Audit department or the appropriate campus police department." [IU Financial Policy I-30]

Form Over Substance - Controls can appear to be well designed but still lack substance, as is often the case with required approvals.

The account manager's signature attests to the accuracy of the payroll voucher information, but if the account manager does not have assurance that the supporting time records are accurate, the approval process lacks substance.

Control Override - Exceptions to established policies are sometimes necessary to accomplish a specific task, but can pose a significant risk if not effectively monitored and limited.

Thorough documentation and approval of all exceptions will help management ensure the availability of a clear explanation for unusual transactions or events. A periodic review of these exceptions also helps to identify the need for policy or procedural changes.

 Inherent Limitations - There is no such thing as a perfect control system. Staff size limitations may obstruct efforts to properly segregate duties, which requires the implementation of compensating controls to ensure that objectives are achieved. A limitation inherent in any system is the element of human error (misunderstandings, fatigue, and stress).

A manager who encourages employees to take earned vacation time can improve operations through cross training while enabling employees to overcome or avoid stress and fatigue.

How much do internal controls cost? The cost of implementing a specific control should not exceed the expected benefit of the control.

The potential loss of a computer printer may justify the cost of a door lock but not an alarm system. Computer screen savers with passwords are inexpensive, effective methods of protecting sensitive data on a computer.

Sometimes there is no out-of-pocket cost to establish an adequate control. A realignment of duty assignments may be all that is necessary to accomplish the objective.

Checks received in the mail are immediately separated from supporting documentation for restrictive endorsement and deposit. The supporting documentation is given to a different employee for crediting the payment or filling an order. Voided receipts are approved by someone (preferably a manager) other than the person preparing receipts.

A well-designed internal control structure can enhance operations by improving your unit's overall efficiency and effectiveness, as well as, reducing the risk of loss or theft.

A bank lock box establishes accountability and restricts access to cash, in addition to streamlining operations by providing immediate deposits and (possibly) electronic application updates.

In analyzing the pertinent costs and benefits, managers should also consider the possible ramifications for Indiana University at large and attempt to identify and weigh the intangible as well as the tangible consequences.

 It may be difficult to determine the cost of poor public relations and lost goodwill if an ex-employee steals cash because the manager did not change the safe combination or retrieve University keys upon the employee's termination. Help Internal controls should reduce the risks associated with undetected errors or irregularities, but designing and establishing effective internal controls is not a simple task and cannot be accomplished through a short set of quick fixes. However, we hope that this brochure has helped to explain the basic internal control concepts and have given you some ideas for improving your unit's controls. You can also request an internal control video and booklet by calling (812) 345-3361 and/or request one of our auditors to give a demonstrations. This video was designed specifically for colleges and universities and is suitable for individual, group, or staff meeting viewing. Role in risk management Internal auditing professional standards require the function to evaluate the effectiveness of the organization's Risk management activities. Risk management is the process by which an organization identifies, analyzes, responds, gathers information about, and monitors strategic risks that could actually or potentially impact the organization's ability to achieve its mission and objectives. Under the COSO enterprise risk management (ERM) Framework, an organization's strategy, operations, reporting, and compliance objectives all have associated strategic business risks - the negative outcomes resulting from internal and external events that inhibit the organization's ability to achieve its objectives. Management assesses risk as part of the ordinary course of business activities such as strategic planning, marketing planning, capital planning, budgeting, hedging, incentive payout structure, credit/lending practices, mergers and acquisitions, strategic partnerships, legislative changes, conducting business abroad, etc. Sarbanes-Oxley regulations require extensive risk assessment of financial reporting processes. Corporate legal counsel often prepares comprehensive assessments of the current and potential litigation a company faces. Internal auditors may evaluate each of these activities, or focus on the overarching process used to manage risks entity-wide. For example, internal auditors can advise management regarding the reporting of forward-looking operating measures to the Board, to help

identify emerging risks; or internal auditors can evaluate and report on whether the board and other stakeholders can have reasonable assurance the organization's management team has implemented an effective enterprise risk management program. In larger organizations, major strategic initiatives are implemented to achieve objectives and drive changes. As a member of senior management, the Chief Audit Executive (CAE) may participate in status updates on these major initiatives. This places the CAE in the position to report on many of the major risks the organization faces to the Audit Committee, or ensure management's reporting is effective for that purpose. Internal auditors may help companies establish and maintain Enterprise Risk Management processes. Internal auditors also play an important role in helping companies execute a SOX 404 top-down risk assessment. In these latter two areas, internal auditors typically are part of the risk assessment team in an advisory role. Audit philosophy Some of the philosophy and approach of internal auditing is derived from the work of Lawrence Sawyer. His philosophy and guidance on the role of internal audit was a forerunner of the current definition of internal auditing. It emphasized assisting management and the Board in achieving the organizations objectives through well-reasoned audits, evaluations, and analyses of operational areas. He encouraged the modern internal auditor to act as a counselor to management rather than as an adversary. Sawyer saw auditors as active players influencing events in the business rather than criticizing all degrees of errors and mistakes. He also foresaw a more desirable auditor future involving a stronger relationship with members of Audit Committee and the Board and a divorce from direct reporting to the Chief Financial Officer. Sawyer often talked about catching a manager doing something right and providing recognition and positive reinforcement. Writing about positive observations in audit reports was rarely done until Sawyer started talking about the idea. He understood and forecast the benefits of providing more balanced reporting while simultaneously building better relationships. Sawyer understood the psychology of interpersonal dynamics and the need for all people to receive acknowledgment and validation for relationships to prosper.[12]

Sawyer helped make internal auditing more relevant and more interesting through a sharp focus on operational or performance auditing. He strongly encouraged looking beyond financial statements and financial-related auditing into areas such as purchasing, warehousing and distribution, human resources, information technology, facilities management, customer service, field operations, and program management. This approach helped catapult the chief audit executive into the role of a respected and knowledgeable adviser who was thought to be reasonable, objective, and concerned about helping the organization achieve the stated goals

Conclusion:This Bulletin explains the requirements in the CASs for auditors to understand internal control. The understanding required involves both evaluating the design and determining the implementation of controls relevant to an audit. It reminds auditors that these requirements apply to all audits, even when the auditor does not intend to place reliance on internal controls. Although not required, a walk-through is often used to confirm the auditors understanding of an entitys information system. It can be particularly effective as a risk assessment procedure for obtaining audit evidence about the design and implementation of controls.