Forensic Audit
Ethics investigations can be challenging for just about any organization. If done right, an ethics investigation can help you identify wrongdoing and unethical behavior and put a stop to it before your organization pays the price for not maintaining a conducive and compliant work environment.
A poorly executed ethics investigation, however, can become a full-blown legal case, with the organization risking reputational and financial damages.
Customers and Shareholders prefer engaging with a business that’s known to be highly ethical. This means your business has proper systems for reporting, investigating, and implementing recommendations to improve ethics within the company and its workforce.
But how can you conduct a successful ethics investigation to ensure the least possible legal and reputational trouble for your business? Here’s a look into the process.
What Would Warrant an Ethics Investigation?
A workplace ethics investigation is typically conducted when there’s credible information about significant misconduct, wrongdoing, or ethical lapses within the organization. These include office theft or fraud, health and safety violations, misconduct such as harassment and workplace violence, and time theft, such as altering time sheets for greater earnings.
An ethics investigation can also be warranted if there have been allegations against other employees to exclude the possibility of wrongdoing within the company. For instance, employee whistleblowers expose fraud in an organization 43 percent of the time compared to professional internal auditors, who only successfully uncover it 19 percent of the time,.
An ethics investigation aims to protect the company’s and its shareholders’ interests. It detects and prevents violations and misconduct, identifies areas where the business can improve its internal operations, and ensures the company’s activities comply with applicable laws and regulations.
An ethics investigation will unearth whether suspected misconduct did or did not take place, the circumstances leading to the misconduct, the involved parties, and whether the law or company policy was violated. An ethics investigation must be perceived to be independent, thorough, and analytical.
Whom Should Be First Informed of an Ethical Issue?
Typically, employees should be able to report potential ethical issues to their manager or supervisor. If this option is impractical or the manager or supervisor can’t resolve the issue, they should be able to speak up to people in higher positions and get the audience they need. This may include making a complaint through the company’s compliance hotline or corporate ethics office, where their reports can be heard and determined impartially and with maximum confidentiality.
Ensuring employees have a clear channel for making complaints and addressing them is crucial to avoiding lawsuits related to ethical issues and compliance and saving your organization expensive legal fees.89% of employees who sue their employers do not receive a satisfactory resolution to their issues internally.
What is the Process of an Ethics Investigation?
An ethics investigation can take various stages depending on the industry or organization and its ethics investigation process. However, most investigations take the following steps.
1. Taking the Initial Complaint
An ethics investigation begins when you’re alerted of unethical behavior by someone within the company. The employee will file the complaint through the necessary channel or people. They will be responsible for documenting as much information as possible about the alleged misconduct.
The information filed from the complaint should include who is being accused of misconduct, what information has been given about their behavior, where the misconduct allegedly happened, how it happened, and when it occurred.
This information should be forwarded to your HR team and the department most affected by the ethical incident.
2. Ensure Confidentiality
Every aspect of an ethics investigation must be kept confidential. Maintaining confidentiality is crucial to the investigation’s integrity. If the investigation is not kept confidential, you risk consequences such as:
- Undermining the success of the investigation since others know of it
- Reputational damage to the accused if others learn about the allegations
- A compromised ability of the company to defend against any legal action associated with the investigation
- Liability and negative publicity for the company
- Retaliatory action from the accused
- Attempts to cover up the misconduct by the accused
Confidentiality begins immediately after the complaint is received. No other party should know that an investigation is underway, who is the subject matter, the evidence and materials gathered, the processes followed, and the investigation’s results until the final report is ready.
3. Give Interim Protection
Protecting the accuser or alleged victim should be one of the top considerations immediately after receiving the complaint. Separating the accused from the alleged victim may be necessary to avoid continued harassment or retaliation.
Some protective measures include providing a leave of absence, transfer, or schedule change. However, the complainant must be willing to take these measures. Otherwise, they can view your actions as retaliatory and file a retaliation suit.
4. Select an Investigator
A competent investigator must handle an ethics investigation. Typically, the investigator should possess the following traits:
- Investigate objectively without bias
- Have no stake in the outcome, a personal relationship with the parties involved, or have their position in the organization affected by the outcome
- Possess previous investigative knowledge and working knowledge of labour and employment laws
- Strong interpersonal skills to build a positive rapport with the involved parties and appear neutral and fair
- Right temperament to conduct interviews
- Attention to detail
5. Conduct Investigations
Once you’ve selected the investigator, you should start the investigations immediately, working quickly to identify and stop the unethical behavior before it spirals into bigger organizational issues.
While conducting investigations, the investigator should be thorough in finding the truth and reassuring employees that their submissions are confidential and non-retaliatory. This will ensure they’re more honest, contributing positively to the process.
6. Provide Guidance and Recommendations and Document the Report
Once you’ve completed the investigations, the investigator should present all gathered information and provide a recommendation for the company moving forward. This may involve recommending disciplinary action against the accused employee and effecting policy changes to ensure such incidents don’t reoccur.
After completing this process, you should write a detailed and comprehensive investigation report to provide a reference for future investigations and clear evidence that the investigation was conducted according to procedure.
Having a written investigation report will also help your legal team make a defense in court if the accused employee disputes the disciplinary action in court.
7. Talk to a Compliance Expert
An ethics investigation is a crucial process that your organization must handle properly. An effective ethics investigation process will help your organization remain compliant and avoid damaging lawsuits that can hurt its reputation and finances.
We can hope that we will never have to conduct an ethics investigation, but at most organizations of any size, the time will likely come at some point where we must. Following these steps should ensure a sound and productive ethics investigation. Done right, a proper investigation can get to the bottom of wrongdoing, put an end to the bad behavior, and hold those responsible to account.
Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc. across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com
Audit International recommend five ‘Under the Radar’ Areas to Audit that May Not Be on the Audit Plan.
As internal auditors, we all have a “spidey sense” of what we should be auditing.
Sure, we should, of course, conduct comprehensive risk assessments that drive our audit plan, and many of the usual suspects will end up on that plan: cybersecurity, regulatory compliance, financial reporting, third-party relationships, and you know the rest.
But there are things, we would strongly profess, that should be audited, even if we aren’t formally auditing them and they never make it to the actual audit plan. Just by being aware—casting that web, if you will—you should constantly informally “audit” a few critical areas.
What might be some of those things we should (lower case) audit, even if we aren’t (upper case) Auditing them? Here’s Audit Internationals take on five:
1
Culture: Are Disconnects, Even if Subtle, Surfacing?
So much has been written and said about doing culture audits and internal audit’s potential role in doing such a review. Perhaps, however, your organization doesn’t support internal audit doing a full-blown culture audit. Does that mean you throw your hands up and do nothing with the topic? Heck, no!
Look, we are among the very few in the organization who have the benefit of both grasping the desired culture and viewing the entire company because of our day-to-day work. So, why not leverage that and tune into what is going on around us and notice the organizational behaviors, actions, and attitudes that are consistent with, as well as (importantly) counter to, the desired culture.
So, what’s an internal auditor to do?
Some caveats, though. First, be sure you completely understand the desired culture, both what is formally stated through things like the organization’s listed core values as well as what is implied in the “how things are done around here” subtleties. The formal and the informal culture are equally important. Then, as you go about your work in various departments and interact with people at all levels of the organization, be cognizant of behaviors, language, demeanor, protocols, and other elements that seem inconsistent with what you expected.
Now, if you witness such imbalances, and you’ll know because it will make you a bit uncomfortable, talk with close colleagues or discuss it amongst your team. If something seems amiss, continue to keep your eyes and ears open and provide your internal audit function leadership with examples of what you are witnessing. If there are culture issues in a particular area of your organization, it is likely manifesting itself in a number of other issues as well. Your internal audit function leadership will guide you on what to do and may provide guidance on the next course of action. Chief audit executives will need to consider when and how to elevate such delicate issues. Yes, it’s a sensitive topic, but something that might be critical to address. Your spidey sense will guide the way.
2
Employee Engagement: Are People Checking Out?
While it has been a topic in the corporate world for more than 20 years, at least since the Gallup Organization and their Q12 employee survey instrument brought it into the lexicon, “employee engagement” has re-emerged these days. By now, we’ve all heard the new buzz phrase “quiet quitting.” While it’s a catchy label that has been slapped on what is, in essence, just disengagement, it’s not to be taken lightly. Employees who have become disengaged in your company’s mission, vision, and values don’t have passion to do their best. This should be deeply problematic to executive leaders and, in turn, to you. It is a significant and costly drain on everything your organization does.
So, what’s an internal auditor to do?
Just like with the culture topic, we, as internal auditors, interact with more of the organization across all levels (along with HR) than most anyone else in the entire organization. Therefore, we have our finger on the pulse when it comes to engagement and its evil twin, disengagement. Do we have a general sense though the course of our internal audit work that people care or if they are they just going through the motions? Sure, we do.
We don’t need to be scientific about it, and we don’t have to call anyone or any function, department, or location out, per se, but if we see that there is a trend developing toward greater levels of disengagement, let it be known. Make it a part of what we absorb about the organization on a daily, weekly, and monthly basis. Elevate the concerns, whether to HR, department levels, or even the senior management. In other words, don’t ignore it.
3
The Physical Facilities: Are Things in Disrepair?
As much as we may not all be going into a physical office as much anymore, many employees will still spend at least some time in the office or at company facilities. And, the physical state of the office location, branch, facility, or building space is important. Not only can facility disrepair be unhealthy or unsafe, but it can also just negatively affect employee psyche or customer impressions. Pay attention to what things look like and what is the state of the physical environment around you. It may signal deeper problems or an overall neglectful view of the business.
We all have stories about what we’ve witnessed. I remember walking past a locked closet and smelling a damp odor. I could have just ignored it, thought it was just me, or figured that someone else was probably aware of it. Instead, I decided to mention it to the facilities manager of the location. And, lo and behold, behind the rightfully locked door a roof leak had infiltrated the space and it was a wiring closet. It could have been a big problem if it were ignored for any length of time.
So, what’s an internal auditor to do?
Keep your eyes and ears open as you go about your work. Does something seem amiss regarding the physical location? Mention it to someone who could do something about it. What’s the worst that could happen? They tell you “thanks, we are aware of it.” At best, you help address an issue before it gets out of hand. Sometimes we all become blind to our physical surroundings because we’ve just been there for so long. But a fresh set of eyes and ears might just help the organization out and make employees and customers even more appreciative of the physical space they show up to and that the organization spends so much money on. Internal audit can have a unique perspective of noticing what gets unnoticed.
4
The Parking Lot Check: Is Fraud Hiding in Plain Sight?
Closely related to the physical state of the facilities is the state of the employees. Ever see a change in someone’s habits that don’t sync-up with what has gone on in the past, and you wondering “what’s up with that?” Perhaps someone is showing up to the office in a new luxury car, expensive clothes, or talking about some lavish vacation they went on?
Most often, there is a great explanation, and it is none of our business. But, also, any of us who have been around the block a few times will also know that, occasionally, these changed behaviors are clues that something is amiss and that someone may be on the take. You could call this “doing a parking lot audit.” So many frauds and embezzlements have left a trail of these clues as the perpetrator wanted to channel their ill-gotten gains into the fruits of luxury and apparent success. It’s not an outright indicator or fraud, of course, but it might be a red flag to dig deeper, especially if things weren’t adding up already.
So, what’s an internal auditor to do?
Just keep your eyes and ears open, being observant to uncharacteristic behaviors, purchases, and chatter could provide clues to someone who is taking advantage of their position and situation to pilfer from your company. No, don’t go around accusing people of things where you have no proof, of course. But eyes open and be vigilant. And, if you see something, say something to a trusted colleague within your internal audit department. If necessary, elevate it within your department and, if warranted and approved, do some follow-up in a clandestine manner. You may just catch something in its preliminary stages and head it off at the pass, so to speak. Most people steal from the company in small increments, and it escalates from there if they feel they are getting away with it undetected. But, in hindsight, there were usually always clues … perhaps no further away than in the parking lot.
5
Hotline Activity: Is Volume Up, or Has Volume Decreased?
Most internal audit functions have some role in monitoring their organization’s whistleblower hotline for employees, and sometimes also third parties, to file complaints. This may seem like a no-brainer, but you’d be surprised how often small complaints (that point to bigger problems) go unnoticed. Your internal audit function may have complete ownership of managing what comes though, you may partner with someone else in the organization, such as compliance, human resources, or legal, or you just get things passed to you for review or investigation as needed from one of these organizational partners. Regardless, you need to have some role in monitoring the volume of activity. What types of activity are coming through? Are there recurring issues? What are the trends? It doesn’t take an audit, but it does take awareness. Changes in volume can be very telling, and that could be changes in either direction (increased or decreased volume).
Increases in activity might spell some brewing issues of a more macro sense and, alternatively, decreases in volume may spell a level of distrust in the confidentiality of the hotline or a perceived lack of seriousness with which reported items might be getting addressed.
So, what’s an internal auditor to do?
It doesn’t have to be you, so long as someone in your internal audit function is attuned to the trends, both in terms of volume and types of activity. And, if there are notable changes in the trends, up or down, it might be time for a deeper understanding of what might be going on. This could be a signal of troubles brewing that are inconsistent with the desired culture.
—-
To be clear, internal auditors don’t need a formal audit plan initiative to keep abreast of important developments in the organization. It’s not easy, I know, as the formal audit plan has us busy enough, but a little observation may go a long way. Head up, eyes and ears open, use all your senses and leverage your well-honed intellectual curiosity and professional skepticism. Do some ad-hoc auditing of things you might not be able to (upper case) Audit and don’t necessarily make it to the formal audit plan. The organization will be better for it, and you will enhance your engagement and contributions innumerably.
As popularized in the Spiderman comics of yesteryear and said in more recent movies, “with great power comes great responsibility.” Wield it judiciously!
“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
Here at Audit International, we have seen a significant shift in the way in which environmental, social, and governance (ESG) data has been perceived in recent years. It has gone from being an ‘add-on’ to being a vital opportunity for corporations to boost their competitiveness. As consumers become more discerning about environmental, social, ethical, and responsible business practices, organizations are increasingly starting to realize that reporting ESG data can have significant brand and reputational benefits.
However, this is just the beginning. The value of ESG data extends beyond reporting—when handled properly, it can unlock value for an organization in a variety of ways.
What is ESG and ESG Reporting?
It’s important to note that there is a distinction between ESG and sustainability. The terms are often used interchangeably, but there are important differences. Essentially, sustainability deals with how an organization’s operations impact the environment and society, whereas ESG has more to do with how an organization’s environmental, social, and governance initiatives affect its financial performance.
According to the Center for Audit Quality (CAQ), “ESG reporting encompasses both qualitative discussions of topics as well as quantitative metrics used to measure a company’s performance against ESG risks, opportunities, and related strategies.”
How companies can use ESG data to their advantage
When organizations treat ESG reporting as more than a box-ticking exercise to meet regulatory obligations, they stand to reap a number of benefits, as follows:
● Profitability and sustainability: Including ESG data in an extended planning and analysis (xP&A) strategy allows an enterprise to see how that data affects financial and operational data, which is key to making ESG initiatives sustainable and profitable.
● Risk management: Neglecting ESG issues can result in financial or reputational damage. Thus, all organizations should ensure that they incorporate ESG data into their risk management strategies. By voluntarily disclosing this information, they will demonstrate that they are taking sufficient steps to protect themselves and their stakeholders from ESG-related risks.
● Competitive advantage: Focusing on ESG can help an organization gain a better understanding of what matters to its stakeholders while also identifying opportunities. Furthermore, reporting ESG data will help stakeholders compare the organization with its competitors. This works in the organization’s favour if it is outperforming peers on the ESG front.
● Uncovering critical operational drivers for decision-making: ESG data can help an organization see where sustainable changes could improve efficiency and make its business more ethical and equitable. This can greatly enhance the decision-making process.
What are the main challenges to effective ESG Reporting?
ESG reporting is continuously evolving as governments announce new standards that companies need to comply with, as well as a new mandatory International Sustainability Standards Board (ISSB) standard that is expected to be announced by the end of the year (2022). It also touches every financial process. For these reasons, companies can find the whole ESG journey intimidating.
The following are some of the main obstacles that need to be overcome:
● Several ESG optional frameworks: The Global Reporting Initiative (GRI), Task Force on Climate-Related Financial Disclosures (TCFD), and the Sustainability Accounting Standards Board (SASB) are some of the more notable ESG frameworks, but there are plenty of others, many of which are specific to certain regions or industries. It can be challenging for companies, especially those operating in multiple countries, to know which ESG standards and frameworks to adhere to. This will all change when the mandatory ISSB standards are announced at the end of 2022.
● Complexity of data management: Whether meeting regulatory requirements or carrying out voluntary disclosures, companies need to be able to collect, translate, and process ESG data. This is a task that is complicated by the fact that the data is often siloed across different IT systems and is often stored in different formats. In addition, sustainability can be hard to quantify.
● Lack of ESG insight to inform decisions: Many organizations have difficulty seeing the connection between ESG data and financial results, especially when captured in spreadsheets, which means they are unable to use the data to improve their bottom line and sustainability initiatives.
“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
Audit International have compiled a list of do’s and don’ts for auditors when potential wrongdoing surfaces.
Fraud can occur within any organization regardless of size or sophistication, even when internal controls seem effective. Despite this harsh reality, many audit clients and auditors are caught off guard when they become aware of alleged fraud. This article addresses how auditors should respond if suspicions or allegations of fraud surface during a financial statement audit.
To begin with, it is important for an auditor to remember the definition of fraud in the context of an audit – “An intentional act by one or more individuals … involving the use of deception that results in a misstatement in financial statements that are the subject of an audit”
With allegations of fraud, the key consideration for an auditor is whether the fraud might result in material misstatement of the financial statements. While allegations of fraud should always be appropriately considered by the auditor, not all fraudulent acts will necessarily have a material impact on the financial statements. Auditors are mainly concerned with misstatements that result from either fraudulent financial reporting or misappropriation of assets.
Before discussing what to do as an auditor if you become aware of potential fraud, let’s highlight first what you should not do: Never draw conclusions of guilt or innocence
The legal determination of whether fraud has occurred is made by a judge or jury, not by management and not by the auditor. So, when suspicions or allegations surface during an audit, it is important not to make conclusive statements of guilt or innocence either orally or in writing.
Instead, advise your audit client to seek legal counsel regarding what steps to take in response to the allegations. Even though the client’s action or inaction in addressing suspected fraud may affect the trajectory of the audit engagement and raise issues such as whether an audit firm can issue an opinion or should withdraw from the engagement, it is not the auditor’s role to be legal adviser to the audit client. The auditor instead needs to focus on an appropriate audit response to the situation within the context of generally accepted auditing standards.
WHAT TO DO IF THERE IS SUSPECTED FRAUD
Our discussion to this point has focused mainly on what not to do, so what should you do if you become aware of suspicions or allegations of fraud during an audit?
Notify the right people :
Depending upon who is suspected of the fraud, identify the appropriate members of management or those charged with governance to contact. Notify only those client parties who need to know.
Ask questions :
Gather essential facts about the suspicions or allegations relevant to the audit.
Document your actions and determine the situation’s effect on the audit :
Consider the possible outcomes of a client’s fraud investigation and its impact on the audit, which could include termination of the employee accused of wrongdoing, a fidelity bond claim, legal action, or a combination of these. How a client responds to such allegations or suspicions of fraud will directly affect how an auditor should respond. If a client does not take such allegations seriously, withdrawal from the engagement may be necessary.
In summary, when suspicions or allegations of fraud surface during an audit, it is extremely important to demonstrate a sufficient response to the situation to support the auditor’s conclusions on the engagement.
And finally, make sure you are asking yourself these KEY QUESTIONS.
As you gather information relating to allegations or suspicions of fraud during an audit, consider the following key questions:
– Who will investigate the suspicious activity and follow up on the allegations?
– What are the client’s policies, and what outcomes may come from its investigation, such as termination of the employee, a fidelity bond claim, legal action, or a combination of these?
– What financial statement misstatements are suspicious? What transactions are suspicious? What assets are suspected of being missing?
– Who is the suspect? Is there more than one?
– How long has the suspect been employed at the organization? Note: The worst-case scenario is when allegations are toward a very long-tenured employee with limitless access and authorization to the organization’s assets and systems throughout his or her tenure.
– What is the period under suspicion?
– What roles/positions did the suspect have throughout his or her employment tenure?
– What access does, or did, the suspect have to assets and systems throughout his or her tenure?
– What are the possible ways the suspect could have committed fraud, considering his or her access and authorization to assets and systems? Has the suspect confessed to committing fraud? If so, what did the suspect confess?
– Are there any controls in place that would mitigate fraud risk and limit the amount of possible fraud committed?
– Can you estimate a “worst-case scenario” amount of how much cash or how many assets were stolen?
– What misstatements to the financials could result from the suspected fraud? Consider the possible impact on beginning net assets if prior years are involved.
– What disciplinary measures have already been taken toward the suspect? Did the client place the suspected employee on leave and limit his or her access to assets and systems?
“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
Audit International have put together a brief guide to strategic audit planning and resourcing.
Managing your audit requires strategic planning whilst ensuring that all internal resources are appropriate and effectively deployed.
Strategic audit planning
An audit needs assessment (ANA) exercise should be undertaken to inform the development of the organisation’s internal audit strategy (IAS). This ANA should be regularly updated and the IAS amended as necessary to reflect the changing assurance needs of the organisation.
The ANA should be updated at least annually but, increasingly, organisations are seeking to achieve more organic strategies that evolve more frequently to reflect the increased speed of change which many are experiencing – particularly fuelled by technology and competition. This requires continuous monitoring of the internal and external environment, and frequent and meaningful dialogue with both senior management and the audit committee.
The ANA represents a critical ingredient in the provision of an adequate, relevant and timely internal audit. It should be used to direct internal audit resources to those aspects of the organisation that represent the greatest risk to the achievement of its objectives, and where internal audit can aid management of those risks.
The ANA process should include:
-Review of the organisation’s risk register / board assurance framework
-Review of performance management data
-Review of previous audit opinions and progress on actions
-Review of other second and third line sources of assurance
-External major incidents/risks and other factors such as industry issues
-Planned organisational changes or major projects
-Reports from regulators
-Discussion with senior management, audit committee and external audit
All of the above should be considered in the context of organisational risk appetite, current risk exposure and acceptance of risks.
In organisations which have moved their risk management arrangements on to reflect the board assurance framework, this is a useful tool in the ANA process. This approach starts with strategic objectives, the risks to achieving those objectives, and then typically the ‘three lines of defence’ within the organisation which aim to manage risk to within appetite.
The first line of defence is the internal control environment recognising the policies, procedures and processes put in place by management. The second line of defence is management’s own monitoring and risk assurance processes including those escalated up through the governance framework. The third line of defence is independent assurance, providing a position statement for internal audit within organisations.
When considering the focus of the organisation’s IAS, the board assurance framework can help internal audit identify where it can provide assistance in its ‘consulting’ role surrounding business critical risk exposure beyond risk appetite. It can also help identify where ‘independent’ assurance will add most value by focusing upon those controls which the organisation believes are managing business critical risks within risk appetite.
The IAS should prioritise reviews over a particular timeline. The timing of reviews will be driven by a number of factors such as:
-Priority for each area of coverage, in terms of the level of risk exposure and risk appetite
management or audit committee concerns regarding a particular area.
-Degree of stability in respect of systems, staff and other organisational change
-Time since last audit and audit outcomes
-When specific risks are considered likely to materialise and impact
The audit resources necessary to deliver individual assignments will be driven by a number of factors such as:
System complexity:
-Factors such as number of locations, transactions and frequency
-The assurance which can be brought forward from previous audits
-The envisaged scope and objectives of the proposed audit
The IAS and the annual plan (year 1) within it will normally be subject to audit committee review and approval, with changes in subsequent years approved as appropriate in accordance with agreed protocol.
Resource management
Few managers have a blank cheque when it comes to budgets. Internal audit is no different.
Internal audit will typically adopt a medium timeline for strategic planning purposes allowing the chief audit executive (CAE) to balance assurance needs and resources within a defined budget envelope to provide reasonable assurance to audit committee and senior management. Short term or specific skills gaps can be bridged through recruitment, training or co-sourcing.
Where the budget of the department is insufficient to meet the assurance needs of the audit committee and senior management, the CAE will need to raise such concerns and explain the impact of such limitations upon the assurance they are able to provide. The audit committee can direct a review of resources and approve as required to meet its needs.
In determining and managing the resource need:
-Identify the number of individuals, skills mix and specialist skills necessary to deliver the approved IAS
-Analyse your current resources against this need to identify resource shortfalls and skills gaps based upon realistic target -Utilisation / efficiency levels
-Allocate audits based upon skills and experience to in-house team members
-Identify how resource shortfalls will be met – recruitment, out-source or co-source
-Ensure that planned audits are delivered in accordance with the approved budgets to identify and take timely action in -Respect of any deviation to keep delivery of the audit plan on-track
When managing co-sourced or out-sourced relationships to support the audit plan:
-Tender for specialist work suitably balancing cost and quality considerations
-Ensure robust and clear contracts are in place with: requirements, pricing, confidentiality, data security, ownership of -Intellectual copyright and working papers, dispute resolution, and exit terms
-Establish clear operating procedures and approval processes within a service level agreement to ensure that each assignment is delivered in accordance with expectation
IT solutions may enable more efficient and effective internal auditing. However, this will be dependent upon a number of factors such as the size of the audit plan, size of the respective team, geographical spread and degree of standardisation or repetition within the audit plan.
Increasingly, internal audit is utilising a risk based approach to audit strategy, rather than simply providing coverage of the audit universe on a set cycle. Some of the value within traditional IT solutions can be limited and not justify their cost. Therefore as with any system acquisition you should undertake a detailed needs analysis and review the product offering to determine if it will meet those needs and provide value for money.
Likewise with increased functionality within common office IT products, there is the ability to utilise existing software to automate elements of the audit documentation and facilitate analysis of large volumes of data if it can be extracted in a common format from the organisations core management information systems.
Knowledge management
The internal audit function must develop the skills, experience and knowledge within its team members. Importantly it must also ensure that as team members change, their knowledge is retained as far as possible or transferred to other team members. Effective audit management systems, notice periods, team working and knowledge sharing practices will assist in minimising associated key person risks.
The following techniques may assist in acquiring and developing in-house skills:
-Structured appraisal and performance management
-Informed training programmes at both a team and individual level
-In-house training programmes to deliver common training needs
-Procure external training for specific specialist training needs
mentoring programmes
-Joint delivery of reviews with co-sourced providers to facilitate knowledge transfer
effective knowledge management systems.
“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
If the last few years have shown us here at Audit International anything, it’s that we must be ready for the unexpected. From the disruptions of the global pandemic to soaring inflation, from political scandals to a war of aggression in Ukraine—life as we know it is changing.
The public sector doesn’t exist in a vacuum. Global events have a direct effect on national public services, and uncertainty causes disruption. The public sector must adapt to these changes if it is to continue delivering essential services for the taxpayer. Long-term funding challenges, climate change, and changing demographics also add to the pressures the global public sector is facing, and with technology changing the way we work, how does the role of internal audit fit into this complex web of demands and transformations?
As organizations react to these external changes, their assurance needs will inevitably change too. If internal audit is to stay relevant, it needs to keep pace with the changing demands of the organization.
To get a better understanding of how to improve the impact of internal audit and unlock its full potential, Chartered Institute of Public Finance and Accountancy (CIPFA) asked over 800 internal audit professionals and clients from across the United Kingdom for their experiences and views.
Their research revealed that 93 percent of the internal audit leaders who responded strongly agreed that internal audit supports the management of the organization, while 88 percent of managers who responded felt the same. Although there is some disparity between the two figures, they show that managers and heads of internal audit broadly agree that internal audit contributes to effective organizational management. Despite these promising statistics, when asked questions about the specific areas where internal audit is making an impact, there was significant disagreement.
Divergent Views
The CIPFA found that heads of internal audit and their clients, the management of organizations, often had substantially different views on what internal audit currently delivers to the organization. For example, 73 percent of heads of internal audit believe that they act as an independent critical friend on committees or steering groups, with just 43 percent of management agreeing with this. More worrisome, only 35 percent of audit committee members thought that internal audit provided this role. Ninety-one per cent of internal audit leaders said they provide advice on new systems and developments, but only 62 percent of managers agreed. This disparity is common across a range of different services and roles provided by internal audit, with clients consistently believing internal audit’s input is significantly less than what the heads of internal audit believe.
This shows that heads of internal audit need to be more vocal about the work their teams are actually doing for the organization. They need to become advocates for internal audit and promote the work of their teams, while clearly explaining to management how vital internal audit is and how it can help the organization reach its goals. Only then will the input of audit teams be fully understood and appreciated by clients, managers, and audit committees.
The more management understands the role of internal audit, the more expectations they will have of it. Higher expectations mean that internal audit becomes more intrinsically valuable and more relevant to an organization, ensuring its important role in the future.
Three Areas of Focus
-More strategic coverage can also help internal audit transform and adapt for an uncertain future. We asked respondents to identify three key areas that internal audit should focus on in the future to have the greatest impact on an organization.
-Cybersecurity was the top priority, with just under 60 percent of respondents wanting internal audit to focus on this key strategic area in the next three years. Just over 50 percent identified digitization and data use within organizations as the next most important area, while 47 percent thought that climate change and sustainability would be important areas of focus for internal audit professionals in the next three years.
-The area of internal financial risk, which internal audit has traditionally provided assurance in, such as payroll and income, are generally already well managed with little exposure to risk. So, does internal audit still have a role to play in mitigating financial risk? About one-third (35 percent) of respondents said they thought financial viability was a key area for the future. This includes more strategic areas such as financial resilience and medium- and long-term financial strategies—both of which carry considerable risk to the organization. Without seeking to influence the financial policies themselves, internal audit can provide vital independent assurance to decision makers to allow them to take on more risk and be more ambitious.
If internal audit takes a more strategic role in emerging issues and provides assurance not just around internal financial risk, then it can position itself as a trusted partner to the organization. In the coming years, it will be vital for audit professionals to keep up with the changing demands of clients, and the world around us, if internal audit is to stay relevant.
– The Skills Gap
Continual life-long learning is also essential if internal audit is to stay on the front foot. It is this up-skilling that will help auditors keep pace with emerging organizational demands, like cloud computing and cyber security. Out of the heads of internal auditors who responded to our survey, 55 percent agreed that they had sufficient skills and experience to meet the needs of the organization. This is broadly similar to the number of senior managers who agreed that their internal audit teams had the skills needed. There is still room for improvement in this area.
In its 2020 report on the future of jobs, the World Economic Forum identified some key technologies that companies thought would most likely be adopted by 2025. Cloud computing, big data analysis, artificial intelligence, and cybersecurity all came out on top. These represent growth areas for internal audit and where internal audit professionals will have to upskill to provide maximum value to the organization.
Internal auditors cannot be subject matter experts in all these areas, of course, and some aspects will have to be outsourced to specialized firms. Internal auditors can, however, oversee the organization’s direction and approach to these key strategic areas, provide independent assurance and act as a critical friend where necessary. Having good communication, critical and analytical reasoning skills, financial literacy, as well as risk-based auditing skills will help internal auditors tackle these complex subject areas.
Internal audit can have a bright future. Although the world is in a particularly uncertain phase, and organizations’ assurance requirements are rapidly changing to reflect this, internal audit can still make a significant impact and provide a valuable service. But to do this, it must also adapt.
Embracing New Challenges
To stay still is to move backwards when the pace of change is so considerable. Internal audit’s future lies in embracing new challenges such as cybersecurity, financial viability, climate change, artificial intelligence and big data. It can provide organizations with the assurance they so badly need around these issues – allowing them to embrace new technologies and ambitious strategies. To do this, internal auditors need access to learning and development to equip them with appropriate skills to find solutions to these complex issues.
All of this, however, will not lead to the wanted outcomes if heads of internal audit do not advocate and promote the work of their teams within organizations. They must make sure management and clients understand their assurance needs and how internal audit teams support organizations to reach their goals.
Good public financial management is at the core of delivering value for money and improving public services. A much broader, more diverse, and louder internal audit function can reinforce and support good financial management, both now and well into the future.
“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
One of the biggest issues every successful company face in today’s business world is the prevention of fraudulent activities committed by employees. Over a decade ago the Sarbanes-Oxley Act (SOX) Compliance was introduced which requires that all publicly held companies must establish internal controls and procedures for financial reporting to reduce the possibility of corporate fraud. However with increasing new technologies is this enough to protect companies in 2017?
In a recent study conducted by one of the Big4- on average global companies lost over 5% of revenue to fraudulent actions- the majority of this done by current employees. The reason for this was due to lack of internal controls and no risk management in place. Furthermore the cost to strengthen such internal controls is a considerable investment whether it be in hiring new staff such as internal auditors or specialist fraud and forensic audit professionals. However the cost of such professionals is far less than the loss of earnings suffered by companies due to fraudulent activities conducted by employees.
Companies must also face the costly burden of implementing new software such as Governance Risk and Compliance packages. Combine this with the cost of hiring new talent in the IT Audit arena to process, analyse test and review these controls.
Using new technologies such as the cloud has allowed companies to analyse risk management procedures which look for unusual patterns such as access frequencies, duplicate payments, and splitting invoices
These cloud tools automate controls that uncover these types of preventable risks, but they can also help companies develop a road-map for identifying strategic risks.
It is vital that organisations continue to develop their internal controls, invest in technology and most importantly specialized fraud and forensic audit professionals to mitigate the increasing number of preventable risks which untimely leads to higher profit margins.
