Entity Level Internal Audit Methodology

How does it work?

Overview
IIA Standards
Hints
Information Technology
Fraud

How does it work?

This graphic represents the flow of phases of an entity level internal audit project. Each phase in blue has several corresponding tools that you will see if you click on the phase. The first phase is Determine Client Expectations. The second phase – Understand and Analyze the Business – has four important components. These components are on the bottom part of the graphic and are linked to the second phase by the gold triangle that says “Entity Level Business Risk Analysis”.

The next phase is Identify Target Processes and Risks. Once these have been analyzed you move on to Communicate Results. The Next Steps phase includes suggestions for following up and measuring quality.

The grey bar at the bottom of the graphic symbolizes the communication with clients and management that is crucial at all phases.

Delve down into the methodology to find overviews of each phase and tools to help you carry out a successful entity level internal audit.

Overview of Entity Level Methodology

Companies are under constant competitive pressure to identify and manage business risks and improve the performance of their business processes. They are demanding higher levels of assurance about:

• The reliability of information and performance measures
• The effectiveness of business controls
• The efficiency of processes

Internal audit can respond to these demands through the use of Business Process Auditing (BPA). The BPA approach allows internal auditors to combine their existing skills and competence with new tools and knowledge bases to provide high value assurance and improvement services to their companies. These services include:

• Process analysis
• Assurances about process controls
• Measures and compliance with company policies or other standards (Best Practices)
• Process improvement

Financial statement audits focus on financial measures of business performance and usually involve only those business processes associated with processing accounting transactions and reporting financial information. Generally Accepted Accounting Principles (GAAP) is the assurance standard against which financial auditors compare the financial statements.

The BPA approach also takes into account over 70 business risks found in the Protiviti Risk Model^SM. The assurance standard can be best practices, peer performance within the industry (based on financial or nonfinancial measures), or operating policies and performance expectations set by the company itself.

The objectives of BPA are to:

• Understand and evaluate business processes and related business controls.
• Validate process performance measures and business controls.
• Source root causes of process deficiencies and propose solutions.
• Provide audit assurances in regards to process effectiveness and efficiency.
• Make recommendations to improve business process performance.

Business Process Auditing is designed to analyze and respond to important questions such as:

• What are the significant business risks, both external and internal, that impact the process?
• How and how well are those risks being managed and controlled?
• What key measures are used to monitor the process? Are they the right ones? (i.e., aligned with customer needs and key business objectives?)
• How reliable are the key measures and other management information?
• How efficient is the process in operation?
• How can the process be improved to bring its performance closer to world-class standards?

Using The BPA Approach

The BPA approach is designed to be adaptable and creative. While all the “phases” and “steps” of the BPA are generally needed to complete an effective audit, the BPA tools and specific methods can be used in a very flexible manner. The BPA can be used to audit sub-processes, to perform compliance audits or to audit a function. Many of the tools are alternatives, not required approaches. The tools range from guidelines and checklists to templates and problem-solving methods.

The flexibility of the BPA allows for the great variety in the following:

• Management desires
• Targeted processes
• Objectives
• The depth of process review
• The definition and design of a process

The Entity Level BPA methodology focuses on understanding and analyzing the business. These phases are intended to provide an understanding of company strategies, metrics, processes, and high level risks and controls. This understanding is primarily used to identify the target processes and risks during the audit planning process.

IIA Standards

The BPA approach meets the Institute for Internal Auditors (IIA) standards for the professional practice of internal auditing. The standards can also be found in their entirety within this website in the Competency Center.

Hints

1. Communicate with management not just at the start of the audit but also and throughout the audit. Communication should include the objectives,the audit process, reporting format and protocols, where to spend resources, and assistance required.
2. Concentrate on the information to be included in the audit report throughout the entire audit (beginning to end).
3. Empower the in-charge auditor to discuss findings with management throughout the audit.
4. Focus on the entire business process rather than a specific function or department.
5. Focus on business risks and on improving process performance.

Information Technology

Companies are placing increasing reliance on information technology in almost every aspect of their business. The internal auditor cannot gain a satisfactory understanding of a company’s business, business processes, and risks without an understanding of how information technology (IT) is used.

The internal audit team must answer the following questions regarding Information Technology:

• What is the role of IT in the company’s business operations and business strategies?
• What are the specific business risks, both enterprise wide and at the process level, related to the generic IT risks of access, integrity, availability and relevance?
• What processes and controls are needed to bring IT-related business risks to an acceptable level?

The internal audit team should assess the level of the company’s IT complexity and the level and nature of IT skills that will be needed in the engagement.

IT skills can be used in the following Business Process Audit phases:

1. Determine Client Expectations:
Identify the auditee’s expectations with regards to IT and identify ways in which the audit team can meet and exceed these expectations.
2. Understand and Analyze the Business:

• Document how the company’s diverse technology platforms at all locations interconnect to support the business. Identify the processes by which these technologies are managed and monitored, and the applicable performance measures.
• Identify and understand relevant business risks related to IT access, integrity, availability and relevance.

3. Identify Target Processes/Risks:

• Assess and prioritize IT-related processes and business risks.

4. Analyze Target Processes/Risks:

• Understand and map the target business processes, ensuring that both manual and computer/network processes are understood and documented.
• Assess the IT-related business risks in the processes.
• Assess IT performance and control gaps.
• Validate IT process performance measures and controls.
• Apply Computer Assisted Audit Tools and techniques to the validation of process performance measures and controls in all processes, as needed. CAATs can be used to reconcile databases, identify data integrity problems, test data entry validation, transaction approvals and run-to-run balancing, and perform regression analysis.
• Identify the root causes of IT-related process performance and control gaps.

5. Communicate Results:
The audit team should communicate to the auditee its findings and recommendations regarding the functioning of IT processes as well as IT-related business risks in other processes.

Reviewing Information Technology

A review of the use and management of IT should be included in the audit to identify information technology risks and controls. Information Processing/Technology Risks can be defined as follows:

Access Risk:

The risk that access to information (data or programs) will be inappropriately granted or refused. IT access risks include risks of improper segregation of duties in IT processes and in application systems use, risks associated with the integrity of data and databases, and risks associated with information confidentiality.

Integrity Risks:

• The risks associated with the processes used to develop, maintain and operate the information processing environment and the application systems that support the organization’s business systems.
• The risks associated with the authorization, accuracy and completeness of transactions that are entered, flow through, are summarized by and reported by application systems throughout the organization.

Relevance Risks:

• The risk that information is not relevant to the purposes for which it is collected, maintained or distributed.
• The risks related to the usability and timeliness of information that is either created or summarized by an application system.

Availability Risk:

The risk that information will not be available when needed, for reasons including loss of communications, loss of basic processing capability, operational difficulties, natural disasters, vandalism, sabotage, and accidents.

The potential business impacts associated with IT-related risks include the following:

• Erroneous accounting or management reporting
• Business interruption
• Excessive costs
• Loss of competitive advantage
• Fraud
• Loss or destruction of assets
• Statutory sanction or legal action

Prioritizing IT Risks:

The techniques used in prioritizing IT audits follow the same basic techniques as for other types of audits:

• Identify all the relevant auditable IT functions, installations, applications, and systems under development.
• Determine risk analysis criteria.
• Perform the analysis (rank the auditable areas).
• Establish audit frequencies.

Determining the auditable information systems activities requires that the audit team survey all known data processing centers, distributed processing applications and end-user computing applications to obtain an inventory of hardware, software, policies and procedures, and existing applications, including those in current development. Other useful information includes budgetary data and long-range plans. The objective in gathering this information is to define the overall information systems audit universe.

Criteria that may be used to prioritize the IT audit universe include:

• Impact on decision making
• Complexity of the system
• Volume of transactions
• Impact on financial position and operating results
• Source or use of cash
• Regulatory environment

Information Technology Controls

IT controls are sometimes categorized as either general controls or application controls. This is not always a useful distinction. In older information systems environments, where there was a separate IT function which was responsible for all computer resources, this function performed all aspects of developing and maintaining the operating environment and all application systems used in business processes. The controls over the risks in these activities were “general controls” because they applied generally to all IT resources.

Many businesses today have a variety of IT environments, typically run by the individual divisions, departments or locations of the business. If there is a central IT function, it is likely to have little or no control over these environments. While the same IT risks may exist in each environment, it is not possible to assess one set of “general controls” and assume that they will mitigate IT risks throughout the organization. The audit team needs to identify and understand each technology platform related to key business processes, and assess the risks and controls relevant to each important application and its technology environment, to the extent that the environment is dedicated to a process or business unit.

To the extent that they are applicable in an auditee environment, general controls and application controls can be described as follows:

General Controls:

1. Relate to IT organization, management, and operations processes and help to ensure a controlled environment within which applications can be developed, maintained, and used.
2. May relate to communications systems and networks as well as the computer itself.
3. Are general only to the extent that they are pervasive over all or most applications in both the data processing and user environments.
4. Affect the strengths and weaknesses of individual applications.
5. May include:

• Data and program security administration
• Program change control
• System development controls
• Computer operations controls
• Network administration controls
• Segregation of duties in functional responsibilities of IT personnel

Application Controls:

1. Are specific to each application. Each application has its own inherent risks. The developers of the application build in controls, and the users establish additional controls around the application, in order to address these risks. Therefore, risks and controls need to be considered for each application separately. The input, processing and output processes related to the application need to be evaluated.
2. Are designed for the flow of transactions for a particular process and application, to meet the following general control objectives:

• Ensure authorized, accurate, and complete processing of a transaction
• Prevent, detect, and correct errors and irregularities flowing through the transaction process
• Protect the security and confidentiality of information processed by the application system, appropriate to the value and sensitivity of the information

When an application control is identified as critical, the related general controls must also be effective to ensure the consistent and continuous operation of the application control over time.

Additional details regarding General and Application Controls can be found in the Systems Auditability and Control (SAC) Report, Module 2, Audit & Control Environment, pages 2-5 to 2-17.

Using Information Technology During the Audit

Information technology systems provide the internal auditor with the opportunity to use the computer to enhance the efficiency of the audit.

Information Technology can be used to support the conduct of more complete, efficient and effective audit engagements in the following ways:

• Reviewing application and business system data through the use of information retrieval and analysis programs and procedures
• Testing transaction techniques, and other computerized tools
• Reviewing system-level activity through the use of various computer-assisted techniques
• Using knowledge-based systems to direct or conduct an audit

Fraud

Fraud is intentional deception, commonly described as lying, cheating, or stealing. Fraud can be perpetrated against customers, creditors, investors, suppliers, insurers, or governmental authorities and can be seen in the form of tax fraud, stock fraud, and short weights and counts.

The risk of fraudulent activities and ethical violations must be taken seriously. No organization or institution appears to be exempt from fraud. How much fraud is there? Estimates of fraud include:

• Fraud costs $60 – $200 billion annually.
• 1/2% – 2% of sales are fraudulent.
• $20 – $40 billion embezzled annually.
• 60% of all S&L thrifts experienced fraud.
• 30% of all business failures are related to fraud.
• 70% of retail losses are due to fraud.
• 45 out of 100 defense contractors are fraudulent.

A survey involving over 3,000 large and mid-size companies indicated that:

• Over 75% reported at least one incident of fraud.
• Total cost of reported fraud was almost $250 million.
• Over 50 companies reported fraud in excess of one million dollars.
• The most expensive types of fraud were false financial statements and false insurance claims.
• The most frequently reported frauds are credit card fraud, check fraud (forgery and counterfeiting), and inventory theft.
• The most commonly cited reasons for fraud are poor controls, management override of controls, high industry risk, and collusion between employees and third parties.

Fraud schemes are becoming more complex and, therefore, more difficult to detect. While some internal auditors are already fraud sensitive, using fraud assessment tools can improve the likelihood that complex frauds will be detected.

The Institute of Internal Auditors (IIA) professional standards state that the internal auditor is responsible for:

• Ensuring the existence of controls with systems designed to prevent or deter forms of fraud.
• Identifying areas where theft or manipulation are likely to occur.
• Ensuring the effectiveness of controls in financial accounting and other areas subject to theft, fraud, or embezzlement.
• Exercising the care and skill of a reasonably prudent and competent professional.

IIA standards also state that the internal auditor is not responsible for:

• Absolute assurance against the existence of fraud (although there may be increased performance expectations from management).
• Extraordinary prudence.

Foreign Corrupt Practices Act (FCPA)

The issue of fraudulent financial reporting has been examined by the National Commission on Fraudulent Financial Reporting (the Treadway Commission). The report of the Commission emphasized the importance of an ethical “tone at the top,” effective controls, written codes of conduct, internal auditors, and audit committees as deterrents to fraudulent reporting. The FCPA mandates that controls be established which are adequate to either prevent or detect illegal payments, with a reasonable degree of probability.

Given this primary role of management in establishing and monitoring the control system, a key concern is whether a high likelihood exists that management could override the control system. A higher probability of management override is associated with:

• Decentralized operations.
• Incentive compensation tied to reported accounting numbers.
• The lack of independence of parties with whom business is transacted.

The Fraud Environment

The environment within a company is generally developed and maintained by senior management and the board of directors. To deter fraud, the environment should be a demanding one. Management should clearly set forth written policies demonstrating its commitment to fair dealing, its position on conflicts of interest, its requirement that only honest employees be hired, its insistence on strong internal controls that are well policed, and its resolve to prosecute the guilty.

There are three conditions that, when combined, move people to commit fraudulent acts:

• Situational pressures experienced by employees
• Uncontrolled access to assets, coupled with management’s indifference
• Personality traits undermining personal integrity

Neither managers nor internal auditors can do much about an individual’s situational pressures. Managers can reduce the perceived opportunities by installing appropriate controls, and internal auditors can evaluate the adequacy and effectiveness of these controls.

One of the most effective ways to deter dishonest conduct is by not hiring dishonest employees. Management should at least verify backgrounds of employees. Senior management should insist on proper hiring practices; internal auditors should see that those practices are carried out as intended.

The possibility of detecting fraud increases with auditor awareness of where fraud may occur, with the use of modern techniques, and with an inquisitive audit approach that pursues suspicious conditions.

The Narrow Objective of Fraud Audits

A fraud audit has the narrow objective of uncovering the presence, scope, and means of intentional misstatement of records or misappropriation of assets. A fraud audit tends to be more detailed in approach, since it must uncover that which has been intentionally hidden. Flows of accounting numbers, as well as assets, may have to be reconstructed without an audit trail. The term fraud indicates some sort of deceptive act which harms another party. It is this deception which makes the discovery of fraud far more difficult than the discovery of errors.

The Impetus for Fraud Audits

An auditor must be alert to clues which suggest possible irregularities. Alertness and healthy skepticism may well be two of the auditor’s most important skills. Critical inquiry as to what irregularities are possible should be followed by an assessment of their likelihood, given the controls, supervisory practices, and the overall control environment. Anything detected as questionable should be resolved. Most often, the impetus for a fraud audit offers some sign of an unusual transaction or missing record.

Although the dollar magnitude may be relatively small, a fraud is considered to be qualitatively material. the reasons for this definition are that:
1. Frauds, by their very nature, can balloon quickly if not deterred
2. The existence of fraud in and of itself indicates a weakness in controls; and
3. Frauds imply integrity issues that may have far-reaching consequences.
For example, if management made illegal payments, the company and the individual executives involved could face legal consequences and highly adverse publicity.

A key indicator of the more likely types of exposure faced by an auditee is the auditee’s past experience. Past occurrences of fraud have implications about management’s attitudes and integrity. In addition, such occurrences can serve as a signal to employees as to what type of reaction can be expected if they are discovered to be involved in an impropriety. A lack of corrective and/or disciplinary actions in the past can encourage future problems.

Usually, it is less expensive to prevent fraud than to detect it. Therefore, fraud prevention should take precedence over detection. Internal controls alone do not prevent fraud; they merely facilitate its detection. Fraud prevention measures include:

• Hiring honest people.
• Paying them competitively.
• Treating them fairly.
• Providing a safe and secure workplace.
• Offering real-time feedback on their performance and positive reinforcement when their performance meets standards.
• Providing adequate tools and training to do their jobs right.
• Role-modeling honesty.
• Codes of ethics.

Fraud prevention requires creating a work environment that values honesty. Senior managers who are role models for integrity and fairness in their daily interactions with their peers and subordinates can create such an environment. Prevention also means regularly monitored and enforced internal controls. Therefore, prevention strategies include tight controls, ethical codes, fair treatment, awareness training, applicant screening, and honest role models.

Detection strategies include monitoring variance reporting systems, internal auditing, compliance auditing, and intelligence gathering.

Fraud auditing is creating an environment that encourages the detection and prevention of frauds in commercial transactions. Fraud auditing cannot be reduced to a simple checklist. It is an awareness, in the broadest sense, of many components, such as the human element, organizational behavior, knowledge of fraud, evidence and standards of proof, an awareness of the potentiality of fraud, and an appreciation of so-called red flags.

Fraud prevention within a company would include having in place, and communicating to all employees, an effective corporate code of conduct that should also include conflict-of-interest policy guidelines signed by employees. This will provide a clear understanding of the intent of management and the level of expectations. The company’s agreements, especially with its vendors, should contain a clause that allows the company to inspect the vendors’ records in the normal course of business.