Internal Audit
2018 Career Deal Session
Restricted use
Agenda
1. Introduction
2. The Internal Audit Function
3. Internal Controls
4. Exercise 1 – True or False?
5. Fraud and Internal Audit
6. Exercise 2 – Case Study
July 2018
PwC 2
Introduction
The Internal Audit Function at PwC Malta
To enhance and protect organisational value by providing risk-based and objective assurance,
advice and insight, whilst consistently building trust and strengthening the relationship with our
clients, through the delivery of high quality and distinctive internal audit services.
What is Internal Audit?
• Internal Audit (IA) is an independent, objective assurance and consulting activity designed
to add value and improve an organization’s operations.
• IA is responsible for assessing the effectiveness of risk management, control and
governance processes and to provide insight and recommendations that can enhance
these processes, particularly relating to:
• Effectiveness of operations;
• Reliability of financial management and reporting; and
• Compliance with laws and regulations.
• IA may also involve conducting fraud investigations to identify fraudulent acts and
conducting post investigation fraud audits to identify control breakdowns and establish
financial loss.
3 Lines of Defense
[Diagram: lines of defense model. Labels recoverable from the slide: External audit, Regulator, 1st Line of Defense, 3rd Line of Defense, Mgt. controls, Internal Control, Financial Control, Security, Risk Management, Quality, Inspection, Internal Audit]
• IA is responsible to report its findings to the BOD/ Audit Committee
The Internal Audit Function
Internal vs. External Auditors
Public Disclosure: Not applicable | Mandatory for listed companies
Similarities between Internal and External Auditors
• Testing: Both external and internal auditors carry out testing routines, which may include examining and analysing many transactions
• Standards: Both adopt a professional discipline and operate whilst adhering to professional standards
• Independence: Both functions must remain independent of the client at all times
• Cooperation: The two functions are interdependent, so they both seek active cooperation
Professional Standards for Internal Auditors
• The Institute of Internal Auditors (IIA) is responsible for evaluating and developing practice
standards, aimed at guiding Certified Internal Auditors.
• According to the IIA Code of Ethics, IAs are expected to uphold the following principles:
Integrity
• The integrity of IAs establishes trust and thus provides the basis for reliance on their judgment.
Objectivity
• IAs should exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity/ process being examined.
• IAs should not be unduly influenced by their own interests/ by others in forming judgments.
Competency
• IAs should apply the knowledge, skills, and experience needed in the performance of internal audit services.
Confidentiality
• IAs should respect the value and ownership of information they receive and do not disclose information without appropriate authority, unless there is a legal/professional obligation to do so.
The importance of having an Audit Committee (AC)
• The primary purpose of an AC is to provide oversight of the financial reporting process, the
audit process, the system of internal controls and compliance with laws and regulations.
• An AC comprises non-executive directors who are able to view a company’s affairs in an
independent way and collaborate effectively between the BOD and external auditors.
Benefits
• Increase confidence and credibility
• Stronger control environment
• Bring external experience and expertise
• Impartial and unbiased consultation
• Easier to raise finance and gain listed status
Drawbacks
• Fear that the purpose of the AC is to catch management out
• Non-executive directors may be overburdened with detail
• Additional costs involved
• Problems with recruitment
The Internal Audit Process
• Understand the IA value drivers
• Mission & Charter
• Develop a strategic plan

• Understand the business’ objectives
• Carry out a Risk Assessment
• Prepare an Audit Plan
• Update the Risk Assessment

• Understand the area under review
• Determine the approach to take:
• Value Protection or
• Value Enhancement

Report should:
• Outline major issues and findings
• Outline the Recommendations
• Outline management’s action plans to identified issues

• To be embedded in each stage
• Performance Metric Measurement
• Internal Quality review/ assessment
Outsourcing the Internal Audit Function
• Organisations may develop an in-house IA function, and can also outsource this function
Benefits
1. Specialist knowledge due to the experience obtained from various clients, which increases quality
2. Improves objectivity and independence
3. Provides access to leading-edge tools and methodologies
4. Services can be provided in a more flexible way
5. Valuable internal resources can be redeployed towards core business activities
6. Transfer of knowledge and capabilities to the organisation
7. Greater Authority
Drawbacks
1. The use of specialist knowledge may prove to be expensive, which may discourage directors
2. Knowledge of the client needs to be refreshed upon every visit
3. Management may take the impression that responsibility has now been passed to the outsourced provider
4. When the outsourced providers are the external auditors, the dependence of the external auditor is at stake due to conflict with their role as the internal auditors
The impact outsourcing has on the external audit function
Internal Controls
What are Internal Controls?
• Internal Controls (IC) are a set of policies (guidelines, manuals) and procedures (processes) which
Management has the responsibility of implementing and maintaining
• The objective of IC is to provide reasonable assurance that business’ goals are achieved
• IC aim to detect and prevent misstatements which may arise from fraud and error
• A good IC structure is also established in order to:
1. Maximise the efficiency and effectiveness of operations;
2. Safeguard the business’ assets from loss or damage due to inefficiency, error or fraud;
3. Provide accurate, timely, reliable and relevant accounting information through proper
maintenance of accounting records; and
4. Ensure compliance with all applicable laws and regulations.
Internal Controls as defined by the COSO framework
4 Categories of objectives
Types of controls
How Internal Audit adds value
Question 1
Question 2
- False. Not all units are selected to be audited and not all items in an auditable unit are
selected for test. Through the risk assessment, IAs select areas which are of high risk, and
apply random and judgmental sampling to provide reasonable, not absolute assurance.
Question 3
- False. This control prevents procurement from unauthorised suppliers, or even false
suppliers, thus making it a preventive control.
Fraud and Internal Audit
What is fraud?
‘Any illegal act characterised by deceit, concealment, or violation of trust. These acts are
not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties
and organisations to obtain money, property, or services; to avoid payment or loss of
services; or to secure personal or business advantage.’
- Institute of Internal Auditors
Who is responsible to detect fraud?
• It is not the role of the IA to identify fraud, but it’s management’s primary responsibility
• Management is responsible to implement controls, and to develop a healthy tone at the top
that deters fraud
• With increased regulatory focus and widespread negative impact of frauds, organisations are
increasingly concerned about the vulnerability and exposure, and whether or not they are
adequately protected.
• Internal auditors are nowadays expected to have sufficient knowledge to evaluate the risk of
fraud in their organisations, and are required to report to the BOD on any fraud risks found
during their investigations.
• Internal auditors should provide objective assurance to the BOD that fraud controls are
sufficient for identified fraud risks and ensure that the controls are functioning effectively.
Worldcom
Control Environment: Risk Assessment
Other cases of fraud
• Shipping Company: A former Company director took advantage of her position to approve
cash transactions to misappropriate Company funds and finance her personal life.
• Hotel: US 2008 – Took too much risk, moving from the safety of corporate finance and Mergers &
Acquisitions income to the risky (and booming) market of proprietary trading
• Daniels Shopping Complex: Malta 2016 – Complex only appeared solvent on paper due to a
€20 million revaluation of its properties in 2012 (last time the company filed its accounts)
Exercise 2 - Case Study
Mac - Case Study (30 Minutes)
Mac – Case Study
a) Evaluate the benefits specific to Mac Co of outsourcing its internal audit function
• Improved quality/ experience
• Greater authority
• Bigger resource base
• Independent viewpoint
• Better ability to focus and prioritise issues
• Staff can be reassigned to the finance function
Mac – Case Study cont/d
b) Explain the potential impacts on the external audit of Mac Co if the decision is taken to
outsource its internal audit function.
• Assess extent of reliance on the work of the IA function
• Likely to place greater reliance than previously
• Impact on audit strategy, i.e. less substantive procedures
• More efficient audit/ lower fees
• Need to document and evaluate changes to system/controls
• Access to information and working papers
Mac – Case Study cont/d
c) Recommend procedures that could be used by your firm to quantify the financial loss
suffered by Mac Co as a result of the fraud.
• Review process for adding approved suppliers to the list
• Review all payments authorised by the account manager
• Use analytics to identify suppliers with same bank details
• Supplier statement reviews
• Select invoices and trace to supporting documentation
• Consider likelihood of insurance reimbursement
• Consider prosecution of account manager and recovery of funds
Mac – Case Study cont/d
d) Compare the responsibilities of the external auditor and of management in relation to the
prevention and detection of fraud.
• Management’s primary responsibility
• Management responsible for controls and culture of the entity
• Auditor is only responsible for prevention, but makes recommendations on controls
• Both review strength of system and controls
Mac – Case Study cont/d
e) Assess the benefits and drawbacks for Mac Co in establishing an audit committee.
• Increase confidence and credibility
• Stronger control environment
• Bring external experience and expertise
• Impartial consultation
• Easier to raise finance and possibly gain listed status
Drawbacks
• Problems in recruitment
• Increase in costs
Further Questions?
Thank You!