A Paradigm Shift in Audit Process
- 1. Author: PADMAPRIYA V 1 A PARADIGM SHIFT INA PARADIGM SHIFT IN INTERNAL AUDITINTERNAL AUDIT
- 2. Author: PADMAPRIYA V 2 The Institute of Internal Auditors of UK and Ireland defines Internal Audit as: “Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It help objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” Historically it was always held that internal auditing is confined to merely ensuring that the accounting and allied records have been properly maintained, the assets management system, policies and procedures are in place and are duly being complied with. With changing times this concept has undergone a change with regard to its definition and scope of coverage. Modern approach suggests that it should not be restricted to financial issues alone but also on issues such as cost benefit analysis, resource utilization and their deployment, internal controls, effectiveness of the management, identification of fraud etc. • All organisations are subject to fraud risks. Senior Management is considered the most susceptible to committing fraud by virtue of their ability to override existing controls. • Large frauds have led to the downfall of entire organisations, massive investment losses, significant legal costs, incarceration of key individuals, and erosion of confidence in capital markets. Publicized fraudulent behavior by key executives has negatively impacted the reputations, brands, and images of many organisations around the globe. • Reactions to recent corporate scandals have led the public and stakeholders to expect organisations to take a “no fraud tolerance” attitude. The Board/Management are also now increasingly concerned about the vulnerability and exposure of their organisations to frauds and whether or not they are adequately protected. The focus of the audit has been changing from Transaction audit to Value addition....
- 3. Author: PADMAPRIYA V 3 The role of internal audit in fraud risk management • "How could this have happened?" is the usual response when fraud is discovered. "Where were the auditors?" is often the next question. • Because of the “expectation gap” , many investors expect a foolproof audit with a guarantee as to the non-existence or absence of fraud or misstatements, irrespective of how immaterial they are, whereas audit firms have taken it upon themselves to educate the public as to their actual role in the audit, which does not include guaranteed fraud detection. Because auditors do not examine every transaction or event that occur in a company’s fiscal year, there is no guarantee that all material misstatements, whether caused by error or fraud, will be detected. • Closing the expectation gap requires efforts from all the involved parties. Management should be held accountable for the effectiveness of the internal controls, shareholders need to accept the fact that it is neither the auditors’ responsibility nor capability to uncover all incidents of fraud and finally the auditors themselves should conduct their audit whilst keeping an eye out for fraudulent activity. • This entails investigating any warning signs and red flags that may appear during the course of the audit and reporting them in a timely manner. Part of the audit scope should include assessing the control environment in place and its effectiveness for the purpose of designing the audit approach.
- 4. Author: PADMAPRIYA V 4 • Internal auditors should consider the organisation’s assessment of fraud risk while developing their audit plan and review management’s fraud management capabilities periodically. They should interview and communicate regularly with those conducting the organisation’s risk assessments, as well as others in key positions throughout the organisation, to help them ensure that all fraud risks have been considered appropriately. • When performing engagements, internal auditors should spend adequate time and attention in evaluating the design and operation of internal controls related to fraud risk management. They should exercise professional skepticism when reviewing activities and be on guard for the signs of fraud. Potential frauds uncovered during an engagement should be treated in accordance with a well-defined response plan consistent with professional and legal standards. • Internal auditors should also take an active role in support of the organisation’s ethical culture. The importance an organisation attaches to its internal audit function is an indication of the organisation’s commitment to effective internal control. • Specific internal audit roles in relation to fraud risk management could include initial or full investigation of suspected fraud, root cause analysis and control improvement recommendations. Effective internal audit teams are adequately staffed and trained with appropriate specialized skills, given the nature, size, and complexity of the organisation and its operating environment.
- 5. Author: PADMAPRIYA V 5 • Internal auditor’s main fraud responsibilities during an engagement include: • Help management identify, assess risk and determine the adequacy of the control environment • Be alert to fraud opportunities • Identify red flags • Recommend investigation when appropriate • The Institute of Internal Auditors (IIA)has released guidance notes to help organisations deal with fraud risks. The first guide – Internal Auditing and Fraud – is aimed at increasing the internal auditors’ awareness of fraud and provides guidance on how to address fraud risks during internal audit engagements. The second – Fraud Prevention and Detection in an Automated World – is specific to fraud within the technology environment. • To help organisations and internal auditors combat fraud, the guide discusses: • Fraud awareness (e.g., reasons and examples for fraud and potential fraud indicators). • Fraud roles and responsibilities. • Internal audit responsibilities during audit engagements (e.g., execution responsibilities and communicating with the board). • Fraud risk assessment (e.g., identifying relevant fraud risk factors and mapping existing controls to potential fraud schemes and identifying gaps). • Fraud prevention and detection. • Fraud investigation. • Forming an opinion on internal controls related to fraud.
- 6. Author: PADMAPRIYA V 6 • This focus shift is a response to emerging technology risks, notably those arising from adoption of social media, cloud computing, and “big data” collection and analytics as well as the increasingly common practice of allowing employees to use their smartphones and other devices to access business networks and data. In this regard the most desirable Audit skills have emerged as, • Analytical Thinking • Effective Communication • Data Mining and Analytics • General Information Technology • Business Acumen • Industry-specific Knowledge • Accounting • Risk Management Assurance • In PwC’s State of the Profession survey , data privacy and security is one of the main risks identified by senior executives and heads of internal audit. • The bi-annual KPMG Fraud Survey - surveying 281 private and public sector organisations across Australia and New Zealand pinpoints a lack of objective and independent internal audit, inadequate oversight of senior management’s activities by the audit committee, and weak regulatory environment as culprits for the spike in financial statement frauds. • According to KPMG’s India Fraud Survey , “71% of respondents believe that Fraud is an inevitable cost of business. Bribery and corruption(83%) is perceived to be a major concern followed by cyber related frauds(71%) and Diversion/theft of funds(65%).”
- 7. Author: PADMAPRIYA V 7 • Use of data analytics on a continuous or real-time basis, helps the auditing team to identify and report fraudulent activity more rapidly. For example, Benford’s Law analysis can examine expense reports, general ledger accounts, and payroll accounts for unusual transactions, amounts, or patterns of activity that may require further analysis. • Similarly, continuous monitoring of transactions subject to certain “flags”may promote quick investigation of higher-risk transactions. • Various softwares are available for this purpose like ACL and TeamMate solutions. • With data breaches in the headlines these days,organisations are increasingly concerned about • data privacy and security issues and hence are turning to internal audit seeking for help on managing the seemingly new and specific risks of emerging technologies. • In the course of their role, internal auditors now-a-days work across all areas of an organisation. In addition to core areas of financial control and IT, they review the tangible aspects of operations such as an organisation’s supply chain,IT systems as well as more intangible aspects such as organisational culture and ethics. • In fact, any system that has an impact on the effective operation of an organisation may be included in the internal audit’s scope.
- 8. Author: PADMAPRIYA V 8 Areas to focus.... • Data analysis, data mining, and digital analysis tools/softwares can, • Identify suspicious transactions • Assess the effectiveness of internal controls • Monitor fraud threats and vulnerabilities • Consider and analyze thousands or millions of transactions • Information Technology • Compliance/Regulatory • Risk Management Effectiveness • Operational /Business Strategy • Corporate Governance • Cost Reduction/Crisis Mgt • Fraud /Financials . Sarbanes-OxleyTesting/Support
- 9. Author: PADMAPRIYA V 9 THANK YOU
- 10. Author: PADMAPRIYA V 9 THANK YOU