
www.pwc.com/mt

Internal Audit
2018 Career Deal Session

Restricted use

Agenda

1. Introduction
2. The Internal Audit Function
3. Internal Controls
4. Exercise 1 – True or False?
5. Fraud and Internal Audit
6. Exercise 2 – Case Study

July 2018
PwC 2
Introduction

The Internal Audit Function at PwC Malta

• Provide outsourced Internal Audit Services
• Compliance Audits
• External Quality Assessment of the Internal Audit Function
• Provide Internal Audit training to Client IA teams
• Forensic Investigations
• Review of controls processes and procedures
• Assistance in Risk Management

The mission of Internal Audit?

To enhance and protect organisational value by providing risk-based and objective assurance,
advice and insight, whilst consistently building trust and strengthening the relationship with our
clients, through the delivery of high quality and distinctive internal audit services.

What is Internal Audit?

• Internal Audit (IA) is an independent, objective assurance and consulting activity designed
to add value and improve an organization’s operations.
• IA is responsible to assess the effectiveness of risk management, control and
governance processes and to provide insight and recommendations that can enhance
these processes, particularly relating to:
• Effectiveness of operations;
• Reliability of financial management and reporting; and
• Compliance with laws and regulations.
• IA may also involve conducting fraud investigations to identify fraudulent acts and
conducting post investigation fraud audits to identify control breakdowns and establish
financial loss.

3 Lines of Defense

• IA is the 3rd line of defense
• Senior Management is responsible to implement sound internal controls
• IA is responsible to report its findings to the BOD/ Audit Committee
• IA is independent of the BOD/ Audit Committee and Senior Management

[Figure: Governing Body/ Board/ Audit Committee; Senior Management; 1st Line of Defense: Mgt. Control, Internal Control; 2nd Line of Defense: Financial Control, Security, Risk Management, Quality, Inspection, Compliance; 3rd Line of Defense: Internal Audit; External audit; Regulator]

The Internal Audit Function

Internal vs. External Auditors

Reports to
• External Audit: Shareholders and stakeholders outside the organisation’s governance structure
• Internal Audit: The BOD and senior management who are within the organisation’s governance structure

Objectives
• External Audit: Add credibility and reliability to financial reports by giving opinion on the report
• Internal Audit: Evaluate and improve the effectiveness of governance, risk management and control processes. This provides the BOD and senior management with assurance that helps them fulfil their duties

Coverage
• External Audit: Financial reports and financial reporting risks
• Internal Audit: All categories of risk and their management

Responsibility for Improvement
• External Audit: None; however, there is a duty to report problems
• Internal Audit: IA’s role is to advise, coach and facilitate management on improvements, in order to not undermine the responsibility of management.

Mandatory Application
• External Audit: Statutory to all businesses
• Internal Audit: Statutory to listed companies and companies listed by Capital Markets Authority (CMA). Voluntary for other forms of legal entities.

Approach
• External Audit: Risk based approach, covering risks of financial misstatement
• Internal Audit: Risk based approach, covering all business risks

Final Report
• External Audit: Standardised Report Format
• Internal Audit: Customised report format

Public Disclosure
• External Audit: Not applicable
• Internal Audit: Mandatory for listed companies

Similarities between Internal and External Auditors

• Testing: Both external and internal auditors carry out testing routines, which may include examining and analysing many transactions
• Standards: Both adopt a professional discipline and operate whilst adhering to professional standards
• Independence: Both functions must remain independent of the client at all times
• Cooperation: The two functions are interdependent, so they both seek active cooperation
• Reporting: Both functions produce formal audit reports on their findings.

Professional Standards for Internal Auditors

• The Institute of Internal Auditors (IIA) is responsible for evaluating and developing practice
standards, aimed at guiding Certified Internal Auditors.
• According to the IIA Code of Ethics, IAs are expected to uphold the following principles:

Integrity
• The integrity of IAs establishes trust and thus provides the basis for reliance on their judgment.

Objectivity
• IAs should exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity/ process being examined.
• IAs should not be unduly influenced by their own interests/ by others in forming judgments.

Competency
• IAs should apply the knowledge, skills, and experience needed in the performance of internal audit services.

Confidentiality
• IAs should respect the value and ownership of information they receive and do not disclose information without appropriate authority, unless there is a legal/professional obligation to do so.

The importance of having an Audit Committee (AC)

• The primary purpose of an AC is to provide oversight of the financial reporting process, the
audit process, the system of internal controls and compliance with laws and regulations.
• An AC comprises non-executive directors who are able to view a company’s affairs in an
independent way and collaborate effectively between the BOD and external auditors.

Benefits
• Increase confidence and credibility
• Stronger control environment
• Bring external experience and expertise
• Impartial and unbiased consultation
• Easier to raise finance and gain listed status

Drawbacks
• Fear that the purpose of the AC is to catch management out
• Non-executive directors may be overburdened with detail
• Additional costs involved
• Problems with recruitment

The Internal Audit Process

1. Foundation
• Understand the IA value drivers
• Mission & Charter
• Develop a strategic plan

2. Planning
• Understand the business’ objectives
• Carry out a Risk Assessment
• Prepare an Audit Plan
• Update the Risk Assessment

3. Fieldwork
• Understand the area under review
• Determine the approach to take:
  • Value Protection or
  • Value Enhancement

4. Reporting
Report should:
• Outline major issues and findings
• Outline the Recommendations
• Outline management’s action plans to identified issues

5. Quality
• To be embedded in each stage
• Performance Metric Measurement
• Internal Quality review/ assessment

Outsourcing the Internal Audit Function

• Organisations may develop an in-house IA function, and can also outsource this function

Benefits
1. Specialist knowledge due to the experience obtained from various clients, which increases quality
2. Improves objectivity and independence
3. Provides access to leading-edge tools and methodologies
4. Services can be provided in a more flexible way
5. Valuable internal resources can be redeployed towards core business activities
6. Transfer of knowledge and capabilities to the organisation
7. Greater Authority

Drawbacks
1. The use of specialist knowledge may prove to be expensive, which may discourage directors
2. Knowledge of the client needs to be refreshed upon every visit
3. Management may take the impression that responsibility has now been passed to the outsourced provider
4. When the outsourced providers are the external auditors, the independence of the external auditor is at stake due to conflict with their role as the internal auditors

The impact outsourcing has on the external audit function

ISA 610: Using the work of auditors:
• EAs should assess how the work of IA affects them, and what procedures to apply.
• Where EAs use the work of IA, the work should be evaluated and tested to confirm its adequacy.

Criteria for assessing the IA function
• Proficiency and training of the people who have undertaken the work
• Level of supervision, review and documentation of the work of assistants
• Sufficiency and appropriateness of evidence to draw conclusions
• Appropriateness of conclusions drawn
• Consistency of any reports prepared with the work performed
• Whether the work requires amendment to the external audit programme

• The use of work conducted by IA does not reduce the EA’s responsibility in any way.

Internal Controls

What are Internal Controls?

• Internal Controls (IC) are a set of policies (guidelines, manuals) and procedures (processes) which
Management has the responsibility of implementing and maintaining
• The objective of IC is to provide reasonable assurance that business’ goals are achieved
• IC aim to detect and prevent misstatements which may arise from fraud and error
• A good IC structure is also established in order to:
1. Maximise the efficiency and effectiveness of operations;
2. Safeguard the business’ assets from loss or damage due to inefficiency, error or fraud;
3. Provide accurate, timely, reliable and relevant accounting information through proper
maintenance of accounting records; and
4. Ensure compliance with all applicable laws and regulations.

Internal Controls as defined by the COSO framework

The Committee of Sponsoring Organisations of the Treadway Commission (COSO) and International Standards on Auditing (ISA) 315 - Understanding the entity and its environment and assessing the risk of material misstatement.

[Figure: COSO framework diagram showing 4 Categories of objectives, 8 Components of Enterprise Risk Management, and Organisational Structure]

Types of controls

Designed to uncover events once they have occurred, e.g.
• Video surveillance
• Locks on doors/ gates

Designed to stop occurrence of undesirable events, e.g.:
• Segregation of duties
• Authorisation and approval
• Physical controls on cash/ cheques

Designed to promote compliance, e.g.:
• Code of Ethics
• Description of duties
• Manuals

Designed to remedy problems that can be systematically corrected. They are developed from observing systematic problems, not through risk assessments.

How Internal Audit adds value

• IA works closely with management to review systems and operations to identify how well risks are managed, whether the right processes are in place, and whether agreed procedures are being followed.
• This provides an indication of the integrity of the organisation’s systems and processes and their capability to support the set goals, and also helps identify areas for improvement.
• IA works across all areas of an organisation, reviewing tangible (e.g. supply chain/ IT systems) and intangible (e.g. organisation culture and ethics) aspects of operations.
• IA looks beyond financial statements and financial risks, and considers wider issues, e.g. organisation’s reputation, growth, impact on the environment, and how employees are treated.
• Any process that has an impact on the effective operation of an organisation may be included in internal audit’s scope.
• IA reports to the CEO and BOD through an audit committee, and provides an independent viewpoint on the ICs and their effectiveness.

Exercise 1 - True or False

Question 1

1. Management is responsible to decide which controls to implement, and the IA function is
responsible to implement, review and assess whether they are being properly executed, and
whether the controls can be improved.

- False. Management is responsible to implement controls, whilst the IA function is
responsible to review and assess whether the controls implemented are effective, and
whether they can be improved.

Question 2

2. An IA is expected to carry out audit tests in all areas within an organisation.

- False. Not all units are selected to be audited and not all items in an auditable unit are
selected for test. Through the risk assessment, IAs select areas which are of high risk, and
apply random and judgmental sampling to provide reasonable, not absolute assurance.

Question 3

3. In an organisation’s procurement process, before goods are procured from a supplier, it is
good practice that approval is obtained from higher management. This is considered as a
detective control.

- False. This control prevents procurement from unauthorised suppliers, or even false
suppliers, thus making it a preventive control.

Fraud and Internal Audit

What is fraud?

‘Any illegal act characterised by deceit, concealment, or violation of trust. These acts are
not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties
and organisations to obtain money, property, or services; to avoid payment or loss of
services; or to secure personal or business advantage.’
- Institute of Internal Auditors

Who is responsible to detect fraud?

• It is not the role of the IA to identify fraud, but it’s management’s primary responsibility
• Management is responsible to implement controls, and to develop a healthy tone at the top
that deters fraud
• With increased regulatory focus and widespread negative impact of frauds, organisations are
increasingly concerned about the vulnerability and exposure, and whether or not they are
adequately protected.
• Internal auditors are nowadays expected to have sufficient knowledge to evaluate the risk of
fraud in their organisations, and are required to report to the BOD on any fraud risks found
during their investigations.
• Internal auditors should provide objective assurance to the BOD that fraud controls are
sufficient for identified fraud risks and ensure that the controls are functioning effectively.

WorldCom

• WorldCom filed for bankruptcy in 2002 after more than $11 billion worth of fraudulent accounting entries and misstatements (28.9% of revenue in 2002) were detected.
• Had there been strong ICs, the collusion carried out by top management and accountants would have been identified earlier.
• Major IC weaknesses in WorldCom:

Control Environment
• Top management subject to extreme pressures, e.g. unrealistic targets linked to extreme bonus schemes
• No whistle-blower function
• Management took advantage of employee loyalty, and encouraged them to wrongly record journal entries

Risk Assessment
• Risk Assessment system was ineffective/ not in place. Known risks may have been intentionally hidden by management
• Wrong prioritisation of risks by management
• Acquisitions had a weak risk assessment, resulting in acquiring high risk and unaffordable acquisitions

Control Activities
• Lack of organisational instructions, manuals, policies and procedures
• Lack of financial data controls, resulting in hidden collusive fraud
• Lack of documentation, especially since entries were sometimes initiated via calls
• Management deliberately withheld/ limited access to accounting system info, to conceal fraudulent activities

Monitoring
• Internal monitoring process was wrongly organised & didn’t provide management with direction and guidance
• IA department was understaffed with only 35 auditors. For a global group, WorldCom should have had at least 100 auditors.

Other cases of fraud

• Shipping Company: A former Company director took advantage of her position to approve
cash transactions to misappropriate Company funds and finance her personal life.
• Hotel: US 2008 – Took too much risk, moving from the safety of corporate finance and Mergers &
Acquisitions income to the risky (and booming) market of proprietary trading
• Daniels Shopping Complex: Malta 2016 – Complex only appeared solvent on paper due to a
€20 million revaluation of its properties in 2012 (last time the company filed its accounts)

Exercise 2 - Case Study

Mac - Case Study (30 Minutes)

Mac – Case Study

a) Evaluate the benefits specific to Mac Co of outsourcing its internal audit function
• Improved quality/ experience
• Greater authority
• Bigger resource base
• Independent viewpoint
• Better ability to focus and prioritise issues
• Staff can be reassigned to the finance function

Mac – Case Study cont/d

b) Explain the potential impacts on the external audit of Mac Co if the decision is taken to
outsource its internal audit function.
• Assess extent of reliance on the work of the IA function
• Likely to place greater reliance than previously
• Impact on audit strategy, i.e. less substantive procedures
• More efficient audit/ lower fees
• Need to document and evaluate changes to system/controls
• Access to information and working papers

Mac – Case Study cont/d

c) Recommend procedures that could be used by your firm to quantify the financial loss
suffered by Mac Co as a result of the fraud.
• Review process for adding approved suppliers to the list
• Review all payments authorised by the account manager
• Use analytics to identify suppliers with same bank details
• Supplier statement reviews
• Select invoices and trace to supporting documentation
• Consider likelihood of insurance reimbursement
• Consider prosecution of account manager and recovery of funds

Mac – Case Study cont/d

d) Compare the responsibilities of the external auditor and of management in relation to the
prevention and detection of fraud.
• Management’s primary responsibility
• Management responsible for controls and culture of the entity
• Auditor is only responsible for prevention, but makes recommendations on controls
• Both review strength of system and controls

Mac – Case Study cont/d

e) Assess the benefits and drawbacks for Mac Co in establishing an audit committee.
• Increase confidence and credibility
• Stronger control environment
• Bring external experience and expertise
• Impartial consultation
• Easier to raise finance and possibly gain listed status
Drawbacks
• Problems in recruitment
• Increase in costs

Further Questions?

Thank You!

