The Importance of Internal Auditing – What can it do for you?

Statistics Sweden, Stockholm
November 16, 2007

Prof. T. Flemming Ruud, PhD
Professor of External and Internal Auditing, University of Zurich and Handelshöyskolen BI, Oslo
Adjunct Professor of Auditing, University of St. Gallen
flemming.ruud@bi.no

Internal Audit Ordinance (Internrevisionsförordning, 2006:1228)
Prof. F Ruud, PhD
Internal Audit
Statistics Sweden
November 16, 2007
Slide 2

Section 2: The agency shall have an internal audit function.
The internal audit function shall be led by a head who shall be employed by the agency.
Section 3: The internal audit function shall examine and propose improvements to the agency's processes for risk management, governance, control and leadership.

© Prof. T. F. Ruud, PhD


Internal Audit Ordinance (Internrevisionsförordning, 2006:1228)

Section 4: Based on an analysis of the risks in operations, the internal audit function shall independently examine whether management's internal governance and control is designed so that the agency, with reasonable assurance,
1. Achieves effective operations,
2. Complies with laws, ordinances and other rules, and
3. Provides reliable accounting and fair reporting of its operations

Internal Audit Ordinance (Internrevisionsförordning, 2006:1228)

Section 5: The internal audit function shall provide advice and support to the board and the head of the agency.

Section 6: The internal audit function shall cover the operations that the agency conducts or is responsible for.

Agenda

• Legal foundation
• What is internal auditing?
• Rationale for – and what internal auditing can do for you?
• What is control, risk management and governance?
• What do internal auditors do?
• Deliverables
• Knowledge and proficiency in internal audit
• Certified Internal Auditor Examination
• Summary

Information deceptions

• Xerox, 2002
– In 1997-2001, sales amounting to up to $6 billion were recorded incorrectly (revenues were frequently booked too early)
– Share prices dropped over 30%
– Xerox paid a $10 million fine as a penalty for its balance of 1997 (SEC)
– 2003: six former managers agree to pay penalties of $22 million
• WorldCom, 2002
– Expenditures amounting to $3.85 billion were recorded as investments instead of expenses in 2001 and in the first quarter of 2002 – losses were transformed into fictitious profits – deceptions; balance sheet manipulation over $11 billion (e.g. roaming expenses were booked as investments)
– About 830,000 persons and institutions who held shares or bonds in WorldCom at the time of the breakdown got $6.1 billion back (shareholders $1 billion, bondholders the rest)
– Citigroup ($2.56 billion) and J. P. Morgan Chase & Co. ($2 billion) paid
– Former CEO was sentenced to 25 years; former CFO to 5 years of prison
– Two more employees were sentenced to 5 months of imprisonment plus 5 months of house arrest and 3 years of probation respectively
www.heise.de
• Could this happen again? In the public sector?

Agency problem

Asymmetric information
• Information is asymmetric when one party cannot observe an aspect of an interaction
• Typical situations are
– Either important criteria of an interaction are invisible before closing a contract (uncertainty in quality/adverse selection)
→ Dilution by signaling
– Or important criteria are invisible after closing a contract (moral hazard)
→ Dilution by profit sharing

Initial position of the Agency Problem
• Principal = owner, agent = management
• Principals delegate authority to the agents to lead the company
• Principals and agents can have different objectives; both agents and principals can try to maximize their personal profits
• Thus, strategies are to be developed in order to coordinate principals' and agents' interests by control systems, incentive systems, etc.

Definition of internal auditing



“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
(Institute of Internal Auditors (IIA), Altamonte Springs, 2007)

Governance and internal audit – What internal audit can do for you

[Figure: governance model. Stakeholders: Shareholders, Legislation, Financial investors, Other stakeholders, Government. BoD with Nomination, Remuneration and Audit Committee; CEO. Direction and Accountability. Vision, Objectives, Strategies, Implementation. Control & Compliance, Controlling, Risk Management. Internal Auditing; External Auditors. Suppliers, Value adding process, Customers; Employees. Indicators, Signals; Internal Control.]

Solving the principal-agent-problem: Direction and control

Direction
• Vision
• Strategy
• Long- and short-term plans
• Code of ethics
• Regulation
• Policies and procedures
• Guidelines

Accountability
• "Classic" assurers:
– External Audit
– Internal Audit
• Potential assurers:
– Corporate Risk Management
– Corporate Compliance
– Corporate Controlling
• Other financial and non-financial performance measurement

Nature of work – Risk management, control and governance processes

The internal audit activity should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
• Promoting appropriate ethics and values within the organization.
• Ensuring effective organizational performance management and accountability.
• Effectively communicating risk and control information to appropriate areas of the organization.
• Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.

[Figure: Governance Processes, Risk Management Processes, Control Processes]

The internal audit activity should evaluate risk exposures relating to the organization’s governance, operations, and information systems; … and based on the risk assessment … evaluate the adequacy and effectiveness of controls …
• Reliability and integrity of financial and operational information;
• Effectiveness and efficiency of operations;
• Safeguarding of assets; and
• Compliance with laws, regulations, and contracts.

Internal control

• Internal control refers to a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws and regulations
(Internal Control - An Integrated Framework (COSO))
• Any action taken by management, the board, and other parties to enhance risk management and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
(Standards for the Professional Practice of Internal Auditing)

Internal Audit Ordinance (Internrevisionsförordning, 2006:1228)

Section 4: Based on an analysis of the risks in operations, the internal audit function shall independently examine whether management's internal governance and control is designed so that the agency, with reasonable assurance,
1. Achieves effective operations,
2. Complies with laws, ordinances and other rules, and
3. Provides reliable accounting and fair reporting of its operations

Importance of internal control



Adecco N

Press releases

January 12, 2004

Adecco S.A. announced that it does not expect the audit of its consolidated financial statements for the 2003 fiscal year, ended on December 28, 2003, to be completed by Adecco's auditors, by the previously announced release date of February 4, 2004.
The reasons for the delay in completion of the audit include:
– The identification of material weaknesses in internal controls in the Company's North American operations of Adecco Staffing
– The resolution of possible accounting, control and compliance issues in the Company's operations in certain countries
– The completion of the Company's efforts to address these matters and determine their effect on the Company's consolidated financial statements.
In this regard an independent Counsel has been appointed by the Audit & Finance Committee of the Company's Board of Directors to conduct an investigation.

January 16, 2004

Material weaknesses, related to Adecco Staffing North America, include IT system security; reconciliation of payroll bank accounts; application of accounts receivable; and several issues affecting revenue recognition including lack of systematic documentation of agreed rates and hours; billing errors not timely identified and corrected; and lack of segregation of duties in the branches increasing the likelihood of undetected errors. Of the foregoing, some have already been corrected, and the balance are being actively addressed. The Audit and Finance Committee of the Board initiated certain measures to help to identify any further weaknesses and permanently to resolve them. The chief focus of these measures is to investigate accounting, control and compliance issues in the US and in certain other countries, as well as to investigate accusations made by ‘whistleblowers’ in the US. Outside of the US, these other countries together accounted for less than 10% of the group’s reported 2002 net service revenues.

Highlighted on the slide:
• IT system security
• Reconciliation of payroll bank accounts
• Application of accounts receivable
• Several issues affecting revenue recognition including lack of systematic documentation of agreed rates and hours
• Billing errors not timely identified and corrected
• Lack of segregation of duties in the branches increasing the likelihood of undetected errors

Control

Attention!
RADAR!

Internal control

• Directive controls: support or foster the desired result
• Preventive controls: inhibit an undesired behavior or event
– Organizational controls: e.g. segregation of duties, structuring
of the entity, control over operational procedures
– Organizational support: e.g. organization chart, flowcharts and
performance charts, manuals, authorized signatures
– Technical support: e.g. measuring devices, safety installations,
IT-Controls
• Detective controls: aim at detecting deficiencies right after
they occur
• Corrective controls: are implemented in order to correct
mistakes or irregularities and to get back to the desired
status

COSO: Components of internal control



• The entire process is monitored and modified as conditions warrant.
• Meanwhile, relevant information is captured and communicated throughout the organization.
• Control activities are implemented to help ensure that management directives to address the risks are carried out.
• Within this environment, management assesses risks to the achievement of specified objectives.
• The control environment provides an atmosphere in which people conduct their activities and carry out their responsibilities. It serves as the foundation for the other components.

[Figure: COSO components. Monitoring; Information & Communication; Control Activities; Risk Assessment; Control Environment]

Purposes of control frameworks

• Purpose 1: A control framework (CF) provides a way of understanding the important elements of control, including the important relationships between them (CoCo, §19)
• Purpose 2: Implementation and improvement of internal control
– As a basis for implementing internal control processes
– As a benchmark for evaluating and improving internal control
– Increases transparency of internal control
• Purpose 3: Self assessment of internal control
– CF allows a systematic and comprehensive assessment of internal control
– When performing a self assessment, management and employees get an idea of an "ideal" internal control
• Purpose 4: Audit of internal control
– CF allows comprehensive audit of the relevant control processes
– Higher legitimization of recommendations and better support by
management and board
– More efficient and effective communication of the audit results, e.g., between
internal and external audit, as both parties use the same language
– Results of audit can be reconstructed by a third party

What internal control can do and what it cannot do ...

Internal Control can support a company
• To achieve goals of profitability and performance
• To implement a reliable financial reporting system
• To secure compliance with law and regulations, or to prevent violations of them
• To prevent damage to its image
• To lead a company and to protect it against surprises and traps

Internal Control cannot
• Guarantee the success of a company
  Effective Internal Control can only support a company to achieve its goals
• Guarantee reliability of financial reporting and compliance with the law
  Internal Control – regardless of its efficiency and its conceptual design – can only offer a reliable but not an absolute security

Report of Novartis on internal control over financial reporting

Annual Report (2006), p. 221

Internal Control
"If you look at all the failures of quoted companies in the past, they all have been failures of internal control."
Sir Adrian Cadbury

Coordination

IIA-Standard 2050: Coordination
The chief audit executive should share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts.

[Figure: Internal Auditing and other assurance providers: Compliance Officers, Risk Management, Sustainability Officer, IT-Security Management, Controlling, Quality Management, ...]

Internal control and enterprise risk management – Definitions

Internal control refers to a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws and regulations

“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
www.COSO.org

COSO: Enterprise Risk Management (ERM) Framework

Fundamental concepts of COSO ERM
• Process
• Effected by people
• Applied in strategy setting
• Applied across the enterprise
• Within one's risk appetite
• Reasonable assurance
• Achievement of objectives

The 8 components of COSO ERM
• Internal environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information & communication
• Monitoring

[Figure: Objectives and components of COSO ERM]

"Eisenhower Matrix"

Risk management - Basic concept

Risk: The uncertainty of an event occurring that could have an impact on the
achievement of objectives. Risk is measured in terms of consequences and likelihood.
(The IIA, 2002)
[Figure: risk management cycle]
• Identification: Identification and prioritizing of relevant risks
• Assessment: Assessment of consequences of possible risks
• Strategy Development: Strategies matching the relevant risks (consideration of cost effects)
• Strategy Implementation: Implementation of the relevant options
• Evaluation: Assessment of the effectiveness of the risk management strategy
• Internal Feedback: Management reports to the board or internal audit activity
• Disclosure: Risk management strategy, its effectiveness, going concern statement
• Interpretation: Stakeholders interpret informations
• External Feedback: esp. institutional investors
(Source: Solomon, Norton (2000), p. 452)

Risk Management

Source: Annual Report (2006), p. 91

Governance from a broader perspective

“The system by which companies are directed and controlled.” (Cadbury, 1992)

“Corporate governance . . . involves a set of relationships between a company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined. Good corporate governance should provide proper incentives for the board and management to pursue objectives that are in the interests of the company and shareholders and should facilitate effective monitoring.” (OECD, 1999)

Important Assurance-Engagements

• Operational (Performance) Engagements
• Financial Engagements
• Compliance Engagements
• System Security Engagements
• Due Diligence Engagements
• Management Engagements
• Sustainability Engagements
• Privacy Engagements
• Project Engagements
• Contract Engagements
• Special Engagements

[Figure: Financial, Operational (Performance), Compliance]

Overview of the internal audit process

Preparative activities
• Gathering and evaluation of background information
• Definition of goals and scope of the audit
• First assessment of the activities
• Detailed planning of the audit

Performing the audit
• Analysis and description of the processes
• Extensive assessment of the processes
• Development of the audit-findings
• Reporting of the results to the auditees

Post-audit activities
• Reporting to exec. management and BoD/AC
• Follow-up
• Evaluation of the audits through auditors and auditees

Internal Audit Ordinance (Internrevisionsförordning, 2006:1228)

Section 10: The agency's board shall decide on
1. Guidelines for the internal audit function
2. An audit plan for the internal audit function, and
3. Measures in response to the internal audit function's observations and recommendations

Value chain of internal audit

Managing the Internal Audit Activity (IIA-Standard 2000)
• Planning (IIA-Standard 2010)
• Communication and Approval (IIA-Standard 2020)
• Resource-Management (IIA-Standard 2030)
• Policies and Procedures (IIA-Standard 2040)
• Coordination (IIA-Standard 2050)
• Reporting to the Board and Senior Management (IIA-Standard 2060)

Activities during the engagement (IIA-Standards 2100 – 2600)
[Figure: Engagements A, B, C and D, each with the phases Planning, Performing, Finalizing]

Common Body of Knowledge study



• Largest survey ever conducted by the Institute of Internal Auditors
• Three groups of interviewees:
– Chief audit executives (CAE)
– Other internal audit staff and leaders of Institute of Internal Audit-affiliates
– IIA-affiliates outside North America
• Respondents: 9,366 persons and 91 IIA-affiliates / institutes

Results of the Common Body of Knowledge study 2006

According to X% of respondents the demand for audit-type Y will … (decrease / stay the same / increase)

• Review of financial processes: 14.5 / 41.9 / 43.5
• Operational auditing: 14.7 / 39.1 / 46.2
• Regulatory compliance: 11.7 / 41.4 / 46.9
• Governance: 4 / 32.8 / 63.2
• Risk management: 2.3 / 18.2 / 79.5

A Global Summary of the Common Body of Knowledge 2006 (2007), p. 41.

Results of the Common Body of Knowledge study 2006

The Internal Audit Activity has a role in … (in percent: nowadays / in future (likely) / not in future)

• Corporate governance: 52.2 / 31.1 / 11.3
• Regulatory compliance: 64 / 23 / 9.2
• Risk management: 66.6 / 25.5 / 5.6
• Fraud prevention: 69 / 22.9 / 5.7

A Global Summary of the Common Body of Knowledge 2006 (2007), pp. 42-43.

Competency of internal auditors - Certified Internal Auditor exam

• "The CIA® designation is the only globally accepted certification for internal auditors and remains the standard by which individuals demonstrate their competency and professionalism in the internal auditing field."
(Source: http://www.theiia.org/certification/certified-internal-auditor/)
• 5 reasons to get certified:
– Distinguishes you from your peers
– Carries weight with internal and external customers
– Demonstrates your proficiency and professionalism
– Enhances your professional image
– Gives you personal satisfaction of achievement

Development of the Certified Internal Auditor Exam

              2002     2003     2004     2005     2006
Exam Sites     231      249      257      276      287
Candidates  26,152   29,240   30,634   38,050   48,895
Exam Parts  58,940   64,806   63,037   79,445   95,803
New CIAs     4,962    5,094    5,028    6,284    7,226

(Source: http://www.theiia.org/certification)

• More than 65,000 individuals worldwide have earned the CIA designation
• Computer based testing as of 2008

Relationships between internal auditing and other functions in the organization

[Figure: governance model. Stakeholders: Shareholders, Legislature / Regulator, Financial Institutes, Publicity, State. BoD with Nomination, Remuneration and Audit Committee; CEO. Direction and Accountability. Vision, Objectives, Strategies. Compliance, Controlling, Risk management. Internal Audit; External Audit. Suppliers, Added value process, Customers; Employees. Indicators, Signals; Internal Control System.]
