
an introduction - Internal Audit



Transcription of an introduction - Internal Audit

Internal auditing - An introduction
David Griffiths PhD FCA
Version

Contents

Contents
David M Griffiths
Introduction

1 The basics
  What is the purpose of internal auditing?
  Objectives
  Risks
  Process and decision opportunities and risks
  Characteristics of process and decision risks
  How do we manage process opportunities and risks?
  How do we manage decision opportunities and risks?
  Internal controls
  Who is responsible for implementing internal controls?
  How do we assess internal controls managing risks?
  How do we assess internal controls which manage opportunities?
  How do we assess decision-making controls?
  What is the role of Internal Audit?
  Where does risk management fit in?
  Opportunities, risks: process and decision
  Summary

2 The Internal Audit
  What is the opinion?
  Declarations about the state of internal control
  Committee of Sponsoring Organizations of the Treadway Commission (COSO) (US)
  The UK Corporate Governance Code 2018
  King IV (South Africa)
  The opinions
  When is the opinion presented?
  How is the opinion reached?

3 Establishing the internal control framework
  The stages
  Measuring risks
  Scoring
  Measuring the effect of controls
  What risks is the board prepared to accept?
  Specifying objectives
  Identifying risks
  The role of management
  The role of Internal Audit
  Finding the significant risks
  Start at the top
  Interviewing
  Risk workshops
  The accounts
  Identifying controls
  Organizing objectives, risks and controls
  What we have
  Level 1 objectives and risks
  Level 2 objectives and risks
  Level 3 objectives and risks
  A hierarchy of objectives, risks and internal controls
  An alternative method
  Recording the risks
  What we've got so far
  The Objectives, Risks and Controls Register
  Updating the register
  The next steps

4 The Risk Based Internal Audit
  What is risk based internal auditing?
  The RBIA stages

5 Risk maturity
  Assessing the organization's risk maturity
  Levels of risk maturity
  The impact of risk maturity
  Reliability of the risk register
  Objective of this step
  Internal Audit work
  The risk maturity checklist
  Opinion

6 Compiling the risk and audit universe
  Objective of this
  Which risks?
  Allocate risks to audits
  Categorize the risks
  Group the risks
  Small organizations
  Systems audits?
  The RBIA Documentation
  The risk and audit universe (RAU)
  The audit database
  Summary

7 The annual audit plan
  Objective of this
  Why an annual plan?
  Which audits to select?
  How often to audit?
  Use a 'Heat map'
  Reduce the inherent risk score
  Resources
  The ongoing risk and audit universe
  Publishing the annual plan
  Quarterly plan

8 The audit
  Objective of the audit
  What is an audit?
  The aim of an audit
  The basic structure of an audit
  A - Planning
  B - Background information
  C - The audit scope
  D - Meetings
  E - Evaluate risk maturity
  F - The audit database (ORCR)
  Set-up
  Determine risks and controls
  G - Testing controls
  H - Deficiencies
  Update reports
  Identifying deficiencies
  The close down meeting
  I & J - Reporting to management
  The report
  Summary report to the audit committee

9 Pushing out the boundaries
  How the boundaries of internal auditing are changed
  Perception of internal audit
  Relationship with management
  Staff expertise
  Management responsibility for risk management
  Management of the internal audit department
  The benefits
  Disadvantages
  Some questions
  What happened to the consultancy responsibilities of internal auditing?
  Do I have to throw away my work programs and questionnaires?
  Do financial audits disappear?
  Where does Control Self-assessment (CSA) fit in?
  What's Enterprise Risk Management (ERM)?
  What about the IIA standards?
  What about the COSO framework?
  Where do fraud investigations fit in?

10 Glossary

11 Further
  Links
  You want to manage information or implement computer systems??

12 Appendices
  A Internal auditing objectives
  B Interviewing
  C Running a risk workshop
  D Objectives and risks
  E The ORCR inherent scores (part only)
  F Assessing the organization's risk maturity
  G Risk and audit universe for the year 20X1 (part)
  H Risk and audit universe annual plan (part)
  I Quarterly plan (part)
  J Audit database (146 Transport of food to camps) (part)
  K Risks to be considered
  L Transport of food - objectives, risks and controls report (part)

Risk based Internal auditing by David Griffiths is licensed under a Creative Commons Attribution-NonCommercial Unported License.

David M Griffiths

Biography

In 1972, I finished my chemistry at the University of Nottingham (UK) and joined Price Waterhouse as a trainee accountant.

I qualified in 1976 and moved to the Internal Audit department of The Boots Company PLC, a retail chemists and healthcare company ( 5bn turnover), before assisting in the introduction of inflation accounting. I returned to be Head of the Internal Audit department (Chief Audit Executive) a year later, in charge of 12 staff. Promotion to Head of Pharmaceutical Accounting Services followed, where I was responsible for 100 staff in payroll, fixed assets, accounts payable and accounts receivable departments. Following the reorganization of Accounting Services, I returned to internal audit, as Internal Audit Manager. I introduced risk based auditing into the department, using a database at its core similar to the Excel spreadsheet used on the website.

This methodology was used for most audits, including computer and systems development audits. I have now retired and am spending my spare time trying to keep my web site maintained! I was a member of the Institute of Internal Auditors Technical Development Committee and was involved in the writing of the Guidance Note on implementing RBIA. I also served as a trustee for an almshouse charity, where I compiled the risk database in Microsoft Access, which is available on the website. The views expressed in this book and on the web site are my own and are not endorsed by the IIA or Boots. I have written websites on managing information, Specifying, Choosing and Implementing Computer Systems, and teaching the basics of computing.

