
The Importance of Internal Auditing – What can it do for you?

Statistics Sweden, Stockholm November 16, 2007
Prof. T. Flemming Ruud, PhD
Professor of External and Internal Auditing, University of Zurich and Handelshöyskolen BI, Oslo
Adjunct Professor of Auditing, University of St. Gallen
flemming.ruud@bi.no

Prof. F Ruud, PhD Internal Audit Statistics Sweden November 16, 2007 Slide 2

Internrevisionsförordning (2006:1228)
2 §: The agency shall have an internal audit function. The internal audit function shall be headed by a manager who is employed by the agency.
3 §: The internal audit function shall examine and propose improvements to the agency's processes for risk management, governance, control and management.

© Prof. T. F. Ruud, PhD


Internrevisionsförordning (2006:1228)
4 § Based on an analysis of the risks of the operations, the internal audit function shall independently examine whether management's internal governance and control is designed so that the agency, with reasonable assurance, 1. achieves effective operations, 2. complies with laws, ordinances and other rules, and 3. provides reliable accounting and a fair presentation of the operations.


Internrevisionsförordning (2006:1228)
5 § The internal audit function shall give advice and support to the board and to the head of the agency.
6 § The internal audit function shall cover the operations that the agency conducts or is responsible for.


Agenda
• Legal foundation
• What is internal auditing?
• Rationale for internal auditing, and what it can do for you
• What is control, risk management and governance?
• What do internal auditors do?
• Deliverables
• Knowledge and proficiency in internal audit
• Certified Internal Auditor Examination
• Summary


Information deceptions

Xerox, 2002
– In 1997-2001 sales amounting up to $6 billion were recorded incorrectly (revenues were frequently booked too early)
– Share prices dropped over 30%
– Xerox paid a $10 million fine as a penalty for its 1997 balance sheet (SEC)
– 2003: six former managers accept to pay penalties of $22 million

WorldCom, 2002
– Expenditures amounting to $3.85 billion were recorded as investments instead of expenses in 2001 and in the first quarter of 2002; losses were transformed into fictive profits (deceptions); balance sheet manipulation over $11 billion (e.g. roaming expenses were booked as investments)
– About 830,000 persons and institutions who held shares or bonds of WorldCom at the time of the breakdown got $6.1 billion back (shareholders $1 billion, bondholders the rest); Citigroup ($2.56 billion) and J. P. Morgan Chase & Co. ($2 billion) paid
– The former CEO was sentenced to 25 years and the former CFO to 5 years of prison; two more employees were sentenced to 5 months of imprisonment plus 5 months of house arrest, and to 3 years of probation, respectively

• Could this happen again? In the public sector?

Source: www.heise.de


Agency problem

Asymmetric information
• Information is asymmetric when one party cannot observe an aspect of an interaction.
• Typical situations are:
– Important criteria of the interaction are invisible before the contract is closed (uncertainty about quality / adverse selection): mitigated by signaling
– Important criteria are invisible after the contract is closed (moral hazard): mitigated by profit sharing

Initial position of the agency problem
• Principal = owner, agent = management
• Principals delegate authority to the agents to lead the company
• Principals and agents can have different objectives; both agents and principals may try to maximize their personal profits
• Thus, strategies have to be developed to align the principals' and agents' interests by means of control systems, incentive systems, etc.


Definition of internal auditing
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
(Institute of Internal Auditors (IIA), Altamonte Springs, 2007)


Governance and internal audit – What internal audit can do for you
[Figure: governance model. Stakeholders (shareholders, legislation, financial investors, government, suppliers, customers, employees, other stakeholders) surround the board of directors (nomination, remuneration and audit committees) and the CEO; vision, objectives and strategies feed a value adding process with implementation and indicators, which sends signals back; Internal Auditing spans Control & Compliance, Controlling, Risk Management, Internal Control and the External Auditors.]


Solving the principal-agent-problem: Direction and control
Direction
• Vision
• Strategy
• Long- and short-term plans
• Code of ethics
• Regulation
• Policies and procedures
• Guidelines

Accountability
"Classic" assurers:
• External Audit
• Internal Audit
Potential assurers:
• Corporate Risk Management
• Corporate Compliance
• Corporate Controlling
• Other financial and non-financial performance measurement


Nature of work – Risk management, control and governance processes

Governance processes
The internal audit activity should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
• Promoting appropriate ethics and values within the organization.
• Ensuring effective organizational performance management and accountability.
• Effectively communicating risk and control information to appropriate areas of the organization.
• Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.

Risk management and control processes
The internal audit activity should evaluate risk exposures relating to the organization's governance, operations, and information systems; … and based on the risk assessment … evaluate the adequacy and effectiveness of controls … regarding the:
• Reliability and integrity of financial and operational information;
• Effectiveness and efficiency of operations;
• Safeguarding of assets; and
• Compliance with laws, regulations, and contracts.


Internal control
• Internal control refers to a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws and regulations
(Internal Control – An Integrated Framework (COSO))

• Any action taken by management, the board, and other parties to enhance risk management and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
(Standards for the Professional Practice of Internal Auditing)


Internrevisionsförordning (2006:1228)
4 § Based on an analysis of the risks of the operations, the internal audit function shall independently examine whether management's internal governance and control is designed so that the agency, with reasonable assurance, 1. achieves effective operations, 2. complies with laws, ordinances and other rules, and 3. provides reliable accounting and a fair presentation of the operations.


Importance of internal control
[Figure: share price chart of Adecco N]


Press releases
January 12, 2004
Adecco S.A. announced that it does not expect the audit of its consolidated financial statements for the 2003 fiscal year, ended on December 28, 2003, to be completed by Adecco's auditors by the previously announced release date of February 4, 2004. The reasons for the delay in completion of the audit include:
– The identification of material weaknesses in internal controls in the Company's North American operations of Adecco Staffing
– The resolution of possible accounting, control and compliance issues in the Company's operations in certain countries
– The completion of the Company's efforts to address these matters and determine their effect on the Company's consolidated financial statements. In this regard an independent Counsel has been appointed by the Audit & Finance Committee of the Company's Board of Directors to conduct an investigation.

January 16, 2004
Material weaknesses, Adecco Staffing North America, include IT system security; reconciliation of payroll bank accounts; application of accounts receivable; and several issues affecting revenue recognition including lack of systematic documentation of agreed rates and hours; billing errors not timely identified and corrected; and lack of segregation of duties in the branches increasing the likelihood of undetected errors. Of the foregoing, some have already been corrected, and the balance are being actively addressed. The Audit and Finance Committee of the Board initiated certain measures to help to identify any further weaknesses and permanently to resolve them. The chief focus of these measures is to investigate accounting, control and compliance issues in the US and in certain other countries, as well as to investigate accusations made by 'whistleblowers' in the US. Outside of the US, these other countries together accounted for less than 10% of the group's reported 2002 net service revenues.

Material weaknesses highlighted:
• IT system security
• Reconciliation of payroll bank accounts
• Application of accounts receivable
• Several issues affecting revenue recognition, including lack of systematic documentation of agreed rates and hours
• Billing errors not timely identified and corrected
• Lack of segregation of duties in the branches, increasing the likelihood of undetected errors


Control

Attention! RADAR!


Internal control
• Directive controls: support or foster the desired result
• Preventive controls: inhibit an unfavored behavior or event
– Organizational controls: e.g. segregation of duties, structuring of the entity, control over operational procedures
– Organizational support: e.g. organization chart, flowcharts and performance charts, manuals, authorized signatures
– Technical support: e.g. measuring devices, safety installations, IT controls
• Detective controls: aim at detecting deficiencies right after they occur
• Corrective controls: are implemented in order to correct mistakes or irregularities and to get back to the desired status


COSO: Components of internal control
[Figure: the five COSO components of internal control: Control environment, Risk assessment, Control activities, Information & communication, Monitoring]

• The control environment provides an atmosphere in which people conduct their activities and carry out their responsibilities. It serves as the foundation for the other components.
• Within this environment, management assesses risks to the achievement of specified objectives.
• Control activities are implemented to help ensure that management directives to address the risks are carried out.
• Meanwhile, relevant information is captured and communicated throughout the organization.
• The entire process is monitored and modified as conditions warrant.


Purposes of control frameworks
• Purpose 1: A control framework (CF) provides a way of understanding the important elements of control, including the important relationships between them (CoCo, §19)
• Purpose 2: Implementation and improvement of internal control
– As a basis for implementing internal control processes
– As a benchmark for evaluating and improving internal control
– Increases transparency of internal control
• Purpose 3: Self assessment of internal control
– A CF allows a systematic and comprehensive assessment of internal control
– When performing a self assessment, management and employees get an idea of an "ideal" internal control
• Purpose 4: Audit of internal control
– A CF allows a comprehensive audit of the relevant control processes
– Higher legitimization of recommendations and better support by management and board
– More efficient and effective communication of the audit results, e.g. between internal and external audit, as both parties use the same language
– Results of the audit can be reconstructed by a third party


What internal control can do and what it cannot do ...
Internal Control can support a company
• To achieve goals of profitability and performance
• To implement a reliable financial reporting system
• To secure compliance with laws and regulations, or to prevent violations of them
• To prevent damage to its image
• To lead a company and to protect it against surprises and traps

Internal Control cannot
• Guarantee the success of a company: effective Internal Control can only support a company in achieving its goals
• Guarantee the reliability of financial reporting and compliance with the law: Internal Control, regardless of its efficiency and its conceptual design, can only offer reasonable but not absolute assurance


Report of Novartis on internal control over financial reporting

Annual Report (2006), p. 221


Internal Control

"If you look at all the failures of quoted companies in the past, they all have been failures of internal control."
Sir Adrian Cadbury


Coordination
IIA-Standard 2050: Coordination
The chief audit executive should share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts.

[Figure: Internal Auditing at the centre, coordinating with Compliance Officers, Sustainability Officer, Controlling, Risk Management, IT Security Management, Quality Management, ...]


Internal control and enterprise risk management – Definitions
Internal control refers to a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws and regulations

"Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
www.COSO.org


COSO: Enterprise Risk Management (ERM) Framework
[Figure: COSO ERM cube showing the objectives and components of COSO ERM]

The 8 components of COSO ERM (components added or extended compared with COSO Internal Control are marked "new" or "½ new"):
• Internal environment (½ new)
• Objective setting (new)
• Event identification (new)
• Risk assessment (½ new)
• Risk response (new)
• Control activities
• Information & communication
• Monitoring

Fundamental concepts of COSO ERM:
• Process
• Effected by people
• Applied in strategy setting (new)
• Applied across the enterprise (new)
• Within one's risk appetite (new)
• Reasonable assurance
• Achievement of objectives

"Eisenhower Matrix"

[Figure: "Eisenhower Matrix" with newly added elements marked "new"]

Risk management - Basic concept
Risk: The uncertainty of an event occurring that could have an impact on the achievement of objectives. Risk is measured in terms of consequences and likelihood.
(The IIA, 2002)

Risk management cycle:
• Identification: identification and prioritizing of relevant risks
• Assessment: assessment of the consequences of possible risks
• Strategy development: strategies matching the relevant risks (consideration of cost effects)
• Strategy implementation: implementation of the relevant options
• Evaluation: assessment of the effectiveness of the risk management strategy
• Internal feedback: management reports to the board or internal audit activity
• Disclosure: risk management strategy, its effectiveness, going concern statement
• Interpretation: stakeholders interpret the information
• External feedback: esp. institutional investors
(Source: Solomon, Norton (2000), p. 452)


Risk Management

Source: Annual Report (2006), p. 91


Governance from a broader perspective
"The system by which companies are directed and controlled."
(Cadbury, 1992)

"Corporate governance . . . involves a set of relationships between a company's management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined. Good corporate governance should provide proper incentives for the board and management to pursue objectives that are in the interests of the company and shareholders and should facilitate effective monitoring."
(OECD, 1999)


Important Assurance-Engagements
• Operational (Performance) Engagements
• Financial Engagements
• Compliance Engagements
• System Security Engagements
• Due Diligence Engagements
• Management Engagements
• Sustainability Engagements
• Privacy Engagements
• Project Engagements
• Contract Engagements
• Special Engagements

[Figure: overlapping circles of Operational (Performance), Compliance and Financial engagements]


Overview of the internal audit process
Preparative activities
• Gathering and evaluation of background information
• Definition of goals and scope of the audit
• First assessment of the activities
• Detailed planning of the audit

Performing the audit
• Analysis and description of the processes
• Extensive assessment of the processes
• Development of the audit findings
• Reporting of the results to the auditees

Post-audit activities
• Reporting to executive management and BoD/AC
• Follow-up
• Evaluation of the audits by auditors and auditees


Internrevisionsförordning (2006:1228)
10 § The agency's board shall decide on 1. guidelines for the internal audit function, 2. the audit plan for the internal audit function, and 3. measures in response to the internal audit function's observations and recommendations.


Value chain of internal audit
Managing the Internal Audit Activity (IIA-Standard 2000)
• Planning (IIA-Standard 2010)
• Communication and Approval (IIA-Standard 2020)
• Resource Management (IIA-Standard 2030)
• Policies and Procedures (IIA-Standard 2040)
• Coordination (IIA-Standard 2050)
• Reporting to the Board and Senior Management (IIA-Standard 2060)

Activities during the engagement (IIA-Standards 2100 – 2600), for each engagement (Engagements A to E in the figure):
• Planning (preparatory work)
• Performing the audit
• Finalizing


Common Body of Knowledge study
• Largest survey ever conducted by the Institute of Internal Auditors
• Three groups of interviewees:
– Chief audit executives (CAE)
– Other internal audit staff and leaders of Institute of Internal Auditors affiliates
– IIA affiliates outside North America
• Respondents: 9,366 persons and 91 IIA affiliates / institutes


Results of the Common Body of Knowledge study 2006
According to X% of respondents the demand for audit type Y will … (in percent)

Audit type                      decrease   stay the same   increase
Review of financial processes     14.5        41.9           43.5
Operational auditing              14.7        39.1           46.2
Regulatory compliance             11.7        41.4           46.9
Governance                         4          32.8           63.2
Risk management                    2.3        18.2           79.5

A Global Summary of the Common Body of Knowledge 2006 (2007), p. 41.


Results of the Common Body of Knowledge study 2006
The Internal Audit Activity has a role in …
(in percent)

[Chart: bars for Corporate governance, Regulatory compliance, Risk management and Fraud prevention, each split into "nowadays", "in future (likely)" and "not in future", on a 0–100 percent axis]

A Global Summary of the Common Body of Knowledge 2006 (2007), pp. 42-43.


Competency of internal auditors Certified Internal Auditor exam

"The CIA® designation is the only globally accepted certification for internal auditors and remains the standard by which individuals demonstrate their competency and professionalism in the internal auditing field."
(Source: http://www.theiia.org/certification/certified-internal-auditor/)

5 reasons to get certified:
– Distinguishes you from your peers
– Carries weight with internal and external customers
– Demonstrates your proficiency and professionalism
– Enhances your professional image
– Gives you personal satisfaction of achievement


Development of the Certified Internal Auditor Exam
                2002     2003     2004     2005     2006
Exam sites       231      249      257      276      287
Candidates    26,152   29,240   30,634   38,050   48,895
Exam parts    58,940   64,806   63,037   79,445   95,803
New CIAs       4,962    5,094    5,028    6,284    7,226

• More than 65,000 individuals worldwide have earned the CIA designation
• Computer based testing as of 2008

(Source: http://www.theiia.org/certification)


Relationships between internal auditing and other functions in the organization

[Figure: governance model, as on the earlier slide. Legislature / regulator, publicity, shareholders, financial institutes, the state, suppliers, customers and employees surround the board of directors (nomination, remuneration and audit committees) and the CEO; vision, objectives and strategies feed an added value process with indicators, which sends signals back; Internal Audit spans Compliance, Controlling, Risk management, Internal Control (Interne Steuerung und Kontrolle) and External Audit; the board provides direction and receives accountability.]