- Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
- How is independence maintained when working for the company as an internal auditor?
- When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
Comments
Brou Marie Joelle Alexandra Adje says
3) How is independence maintained when working for the company as an internal auditor?
Internal auditors are independent when they render impartial and unbiased judgment in the conduct of their engagement. To ensure this independence, the chief audit executive (CAE) should report directly to the audit committee. For day-to-day administrative purposes, the CAE should report to the CEO of the company for assistance in establishing direction, support, and administrative interface. The CAE should also have direct communication with the audit committee, which reinforces the organizational status of internal auditing, enables full support and unrestricted access to organizational resources, and ensures that there is no impairment to independence. Additionally, the internal auditors should have access to records and personnel as necessary, and be allowed to employ appropriate probing techniques without impediment.
Sean Patrick Walsh says
I agree that an impartial and unbiased judgement is a sign of the independence that an audit team has within a business. In order to maintain the unbiased opinion, do you think audit personnel should be rotated regularly concerning where and what they audit in a business? I think by rotating the audit personnel a business will prevent relationship boundaries from being blurred or crossed by the audit personnel and help prevent bias from taking shape within an audit.
Said Ouedraogo says
Sean,
I don’t think that would change anything. As a matter of fact, I think the problem is the role and the function of the job that is problematic and not the person doing it. The job requires one to be objective and tell the truth. Even with rotation, internal auditors will be seen as “the bad guys”, and that can affect them. They will tend to go easy on their audit in order to be accepted by their colleagues.
I do not know if this will make sense to you guys, but I am seeing the problem from a psychological point of view.
Sean Patrick Walsh says
SOX actually places that very stipulation on firms that provide accounting auditing services to publicly traded companies. I believe an audit lead cannot audit the same business for more than 5 consecutive years, if I remember correctly, in order to prevent the auditor from developing too close a relationship with the business it is auditing and risking the independence and unbiased opinion of the auditing firm.
Priya Prasad Pataskar says
Nice point Said. In my experience, I have faced the problem you pointed out. Teams look at internal auditors as if they are patrolling cops. They do not understand that internal auditors are the best to point out issues, as they can be tackled within the company rather than getting highlighted in external audits. The whole purpose of internal audit is to help bridge gaps that can be seen through rigorous and continuous monitoring.
In some cases, people start treating the auditor not as a third entity but become very friendly. In such cases rotation of auditors would help. Generally processes do not change very frequently. If the same auditor visits the same area again to meet and interview the same people, he would still miss some points that he missed earlier. Rotation of auditors, as well as efforts by management in establishing the correct attitude towards auditors, is very helpful.
Joshua Tarlow says
There is always the risk of someone in an audit role being viewed as the “bad guy” or not on the same team. That is why it is always important to have good communication and try to work with the department or people to ensure the relationship is positive. There will always be issues, but proper communication can help to mitigate some of the issues that can cause problems.
Victoria A. Johnson says
How is independence maintained when working for the company as an internal auditor?
Independence can be maintained for internal auditors by allowing auditors to be strategic in their own way while at the same time improving their audit procedures through collaboration without damaging their independence.
To maintain the necessary independence, auditors should consider the following:
• Maintaining the appropriate distance while crafting relationships with other business units is important for internal auditors.
• Proper reporting relationships and following industry standards and CPA ethical guidelines.
• Outsourcing audit work may be necessary to avoid the appearance of impropriety or a conflict of interest.
Brou Marie Joelle Alexandra Adje says
Right Victoria.
Companies increasingly expect their internal audit function to take on a more strategic, collaborative role within the business. The thing is, internal auditors should not be proposing or setting the same strategies they will have to audit. They can contribute to strategy by examining the things that need to go right for strategy to be executed—and the things that could go wrong—and advising management on those.
Said Ouedraogo says
Right Alex! But even that causes a conflict of interest. As you said, “They can contribute to strategy by examining the things that need to go right for strategy to be executed—and the things that could go wrong—and advising management on those”. What if management implements their advice?
Internal auditors are the ones who will audit again the next time, and they will be auditing something they took part in, which undermines their objectivity.
Joshua Tarlow says
Objectivity is crucial for auditors. Absolutely right about noting that auditors will have to return for subsequent audits and that objectivity is vital to maintain. Most people will at some level be biased if they are auditing their own work. It is best to maintain a separation with an uninvolved party. It is the same if I am editing a paper: best to have another person look it over and give feedback.
Said Ouedraogo says
How is independence maintained when working for the company as an internal auditor?
First of all, in order to maintain their independence, internal auditors should only report to those in charge of governance (the audit committee). If they were to report to their direct supervisor, it would compromise their objectivity. Then, internal auditors need to stay away from helping management create policies, procedures, and tracking systems because they are the ones who will audit those procedures later. And finally, internal auditors should not be involved in performing management functions or making management decisions. They need to stay neutral in order to tell the truth.
Wenlin Zhou says
I agree with you. I want to add some points: the internal auditor occupies a unique position. He or she is employed by the management but is also expected to review the conduct of management, which can create significant tension, since the internal auditor’s independence from management is necessary for the auditor to objectively assess management’s actions, but the internal auditor’s dependence on the management for employment is very clear.
Brou Marie Joelle Alexandra Adje says
Well said Said. I like that you mentioned the fact that “If they were to report to their direct supervisor it would have compromised their objectivity”. In fact, objectivity is a mental attitude that internal auditors should maintain while performing engagements. To maintain objectivity, internal auditors should have no personal or professional involvement with or allegiance to the area being audited, and should maintain an unbiased and impartial mindset in regard to all engagements.
Said Ouedraogo says
Right Alex! However, at the same time I wonder how internal auditors keep their objectivity. After all, they are also part of the company. And in order to fit into their corporate culture, they would definitely need to develop personal and professional relations with their colleagues. I just think it is not feasible. It is either they keep their objectivity and are seen as the “enemy” or they develop relations with their colleagues and lose their objectivity.
Joshua Tarlow says
Agree with everything that you wrote. However, it seems like one of those things that are great theoretically, but very difficult to achieve in practice. Auditors will need some relationships in order to execute their roles, as everyone does. It comes down to how those relationships are defined. They definitely should be separated from the work, but too much restriction may actually hinder audits.
Fred Zajac says
Said,
I’m not sure if I agree with internal auditors not making recommendations to management about policies and procedures. I have included a few links that speak about why internal auditors should make recommendations because it reassures the stakeholders and sets the “Tone at the Top”.
I agree independence is needed for internal auditors. This can be accomplished by the audit manager clearly identifying audit team roles and responsibilities. Also, separating the audit team from the rest of the company, maybe even in a different, independent location.
They should maintain independence but need to make reports on the findings and recommendations to implement better controls. The ISACA knowledge base says,
“The business should consider internal auditors as advisors, advocates and partners in the business of control monitoring and strengthening governance. Ultimately, everything that the auditor does to assist the business should be to reduce risk, identified or not. The biggest thing to remember is that internal audit can and should be a business-side colleague in the risk management program.”
http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=119
http://www.withum.com/kc/5-things-every-internal-auditors/
Vu Do says
Great points Said, internal auditors should not be involved with the procedures since they will be the ones conducting the audit on them. They must be independent of what they could be auditing so they can remain biased when making decisions. They must not report to management for that reason too, since that could influence their judgment, so reporting to the audit committee would be the best decision if they had any questions. This will help their audit be independent of influence.
Sean Patrick Walsh says
1. Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
When I was in the Navy I was involved in the Quality Assurance (QA) Program. One of my responsibilities was to conduct audits on QA Controlled Material lockers. Controlled Material was anything used in specific systems, such as 600 or 1200 lb steam systems or nuclear systems, and had to go through extensive testing and tracking requirements to document the material from “cradle to grave.” The materials and lockers they were stored in had very explicit requirements that had to be met in order to be in compliance with the program. The first part of the audit was to gather all documentation pertaining to the locker in the QA program, the locker itself, the personnel who maintained and had access to the locker, and the material inside the locker. After going over the documentation for any errors the locker and material itself was inspected. Checklists were used to verify compliance with all requirements when inspecting the locker and material. Upon completion of the audit a report was generated that documented what was being done correctly, what was not being done correctly, what was “questionable” in regard to requirements and how they were being implemented, and what steps needed to be taken to rectify any errors in the report. The report gave a timeline of when the remedies needed to be completed by, how to document the changes made, and who to notify upon implementation of the improvements. A follow-up report would be done at 6 months and whenever all corrections were made.
Sean Patrick Walsh says
2. How is independence maintained when working for the company as an internal auditor?
Internal auditor independence is built and maintained through the audit committee. The audit committee is set up by the board of governance of the business, and is comprised of personnel independent of the company who should have proficiency in accounting, finance, and auditing processes themselves. Audit personnel report to and take direction from other senior audit personnel, who themselves report to and take direction from the audit committee. Keeping audit personnel separate from the rest of the business’s standard hierarchy structure allows the auditors to perform their duties and responsibilities without worry of reprisal and/or being disregarded.
Brou Marie Joelle Alexandra Adje says
Great answer Sean. Do you think that perhaps outsourcing audit work can also be helpful, in terms of independence, to avoid the appearance of impropriety or a conflict of interest?
Sean Patrick Walsh says
Certainly! Now, the question then becomes if there are other services being provided by the external auditor to the business. That was one of the major points of breakdown with Arthur Andersen and its role in Enron’s control failures. Since Arthur Andersen provided other consulting services to businesses it was less inclined to “find” faults with accounting practices or it might risk losing revenues from business conducted with those companies. I’m not sure if SOX applies to businesses that conduct audits outside of accounting as a third party service provider though, so it could just as well be an issue for an auditing firm.
Said Ouedraogo says
Alex, I definitely think that outsourcing is the best solution; but at the time I think publicly traded companies are required to have internal auditors. So, outsourcing is not quite the solution.
Sean, I am not sure but I think it would make sense that the same law applies to IT Audit. In fact, it is the same principle. If a company’s external audit (IT Audit) firm is the same one providing consultancy, there could be a conflict of interest. I would just say that it would be better to outsource to a completely different firm than the one providing consultancy.
Fred Zajac says
Segregation of outsourced duties? Answer. Yes.
Many decision makers trample on this because they believe it is cheaper and easier to deal with one company, rather than writing multiple checks and calling multiple providers.
Outsourcing companies call it a “turn key” solution. It sounds good, is cheaper and easier but lacks one thing. Independence.
Joshua Tarlow says
I think there is a place for both external and internal auditors. It is important for the internal auditors to be impartial and objective. But it is also beneficial to have a third party to assist, both for economies of scale and to ensure quality. Internal auditors will know the company better than an external auditor, which can be very valuable. But external auditors may be able to provide a fresh perspective and more objective analysis.
Magaly Perez says
Great post Sean. I would just like to add that I think the auditor’s objectivity is a key aspect when an auditor is maintaining their independence. Their mental attitude must be aligned with their profession. While performing auditing engagements, the internal auditor should have an impartial, unbiased attitude and avoid conflict of interest situations, as that would prejudice his/her ability to perform the duties objectively. The results of internal audit work should be reviewed before they are released in order to provide reasonable assurance that the work has been performed objectively.
Wenlin Zhou says
How is independence maintained when working for the company as an internal auditor?
INDEPENDENCE: The audit charter should establish independence of the internal audit activity by the dual reporting relationship to management and the organization’s most senior oversight group. Specifically, the CAE should report to executive management for assistance in establishing direction, support, and administrative interface, and typically to the audit committee for strategic direction, reinforcement, and accountability. The internal auditors should have access to records and personnel as necessary, and be allowed to employ appropriate probing techniques without impediment.
To ensure this independence, best practices suggest the CAE should report directly to the audit committee or its equivalent. For day-to-day administrative purposes, the CAE should report to the most senior executive (i.e., the chief executive officer [CEO]) of the organization. The CAE should have direct communication with the audit committee, which reinforces the organizational status of internal auditing, enables full support and unrestricted access to organizational resources, and ensures that there is no impairment to independence. This provides sufficient authority to ensure broad audit coverage, adequate consideration of engagement communications, and appropriate action on recommendations.
http://www.elmiracityschools.com/uploadeddocs/independence.pdf
Brou Marie Joelle Alexandra Adje says
Good points Wenlin.
In sum, to maintain the necessary independence and also objectivity, internal auditors need to keep an appropriate distance as they craft relationships with other business units. Independence can actually be maintained through proper reporting relationships and by following industry standards and CPA ethical guidelines.
Wenlin Zhou says
When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
Even if IT compliance is very expensive, it is possible to reduce its cost by applying some standards and techniques improving the efficiency and effectiveness of compliance processes. Four key words define the cost reduction guideline: standardization; reuse; analysis; risk monitoring.
The most important word is standardization: indeed, business processes standardization is very helpful to implement a good IT compliance framework, saving money in the meantime. However, standardization here doesn’t mean merely to redefine all business processes pursuing a rigid and theoretical model; but it implies to analyze and to define all business processes and IT applications using a unique language. It seems very simple and granted, but it is not. Several companies have heterogeneous information systems, developed for several years or decades and never harmonized. In this case, each process, each software, each data flow, each operation should be controlled by itself, without the possibility to apply formalized and standard controls. Also the map of the information systems could be very difficult to delineate. In this scenario, to apply IT compliance controls costs really a lot of money! On the contrary, to apply controls to standard, harmonized and well designed processes, software and data flows is easier and cheaper.
file:///Users/zhouwenlin/Downloads/ejise-volume12-issue1-article632.pdf
Sean Patrick Walsh says
Standardization definitely helps cut and control costs associated with a process or function. I think regulatory compliance is an example of when a compliance control’s costs may exceed its benefits. Many statutory regulations regarding compliance are put in place with protecting stakeholders outside the business in mind, and not benefiting the business per se. Also, besides standardizing a control, a business may be able to fall back on the age-old idea of passing the cost on to the consumer through pricing its products and services with the control costs factored into the pricing process. That relies on the business being able to accurately price the costs associated with the controls though, and being able to price them into their products and services without a commensurate loss in business due to the increase in prices.
Fred Zajac says
Sean,
I agree with you that a company must be able to accurately price the costs of the control and the value of the business process being controlled with fluctuating variables.
Things like a company’s human resources (how much output are they producing), natural resources (how much coal can we burn before we get taxed), and financial resources (how liquid are our assets) will all affect the calculation.
If the costs of the mitigation plan are more than the business process value, you may want to take a look at the risk probabilities and dive down into the risk. Ask questions like, are the risks the same throughout the year? Since oil shows yearly spikes and dips, maybe we can reduce the cost of our controls during the dips, and bring them back up during the spikes. Obviously this is a broad statement but it is a start.
Magaly Perez says
I concur with Sean. Standardization is vital when it comes to helping cut the control cost associated with compliance. However, there might not be a one-size-fits-all approach. Companies must align themselves alongside the compliance control implementation in order to succeed and be efficient. I really like how Sean mentioned the “business being able to accurately price the costs associated with the controls though, and being able to price them into their products and services without a commensurate loss in business due to the increase in prices”. He hit the nail right on the head. Great post.
Magaly Perez says
Great explanation Wenlin. I just wanted to add that training is also another effective means by which a company can ensure its efficiency and profitability while implementing compliant controls. Proper training includes training on the code of conduct and the basic components of the compliance and ethics program. Effective lines of communication with employees regarding compliance concerns, questions, or complaints are critical. Employees must be comfortable speaking with a compliance officer or management regarding compliance concerns that may arise. In the long run, adherence to the organization’s legal and ethical obligations is a top priority and the employees must be on the same page.
Fred Zajac says
Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
I have been involved in two different audits with the same company. I spoke of several real-world experiences over the discussion boards. One instance I mentioned was selling supplies by enticing buyers with promotions. Controls were put into place by decision makers to prevent this type of fraud, but it isn’t “technically” illegal. There is no law in place that says you must sell supplies at a specific price, and there is no law against offering promotions. As a matter of fact, the company is still in business, but the reviews by customers are up and down. Since this blog is viewable on-line, I don’t want to name the company.
During the audit, the atmosphere was very muted and uncomfortable. The auditors would go through all my sales records, customer information, which was on paper and 3×5 cards, and call records. We were told not to worry about it, and that we would get our stuff back tomorrow. This happened twice over my short stint with the company. Since I was a lower-level sales rep, this is the only part of the audit I experienced.
Looking back now that I have a more in-depth look at the Order to Cash process, I realize they had very limited segregation of duties. After the second time, they hired a person to call and verify all sales orders prior to shipment. Before that, the sales manager would authorize all orders by sales agents, and since the sales manager made a commission on the overall sales of their agents, they had an incentive to authorize as many sales as possible.
Magaly Perez says
2. How is independence maintained when working for the company as an internal auditor?
Internal auditors’ independence is maintained by their ability to maintain objectivity. Internal auditors should have no personal or professional involvement with or loyalty to the area being audited; additionally, they should maintain an unbiased and impartial mindset in regard to all engagements within the audit. Subsequently, the audit contract should establish independence of the internal audit activity by the dual reporting relationship to management and the organization’s most senior oversight group (the audit committee). Overall, the internal auditors should have access to records and personnel as necessary, and be allowed to employ appropriate probing techniques without impediment.
Fred Zajac says
When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
The cost of implementing a compliance control is higher than the benefit obtained when the calculated cost of losing a business process risk < the actual cost. A company must determine a few factors to predict this cost. First, they must understand the Impact Level and the Likelihood. This will determine if the process is worth mitigating, accepting, or avoiding all together. High Impact, High Probability may not be worth the compliance control, unless the business process is mission critical. If the process is mission critical and would destroy the company, the company should understand the value of the business process, the contingencies, and standard deviation away from the values. The calculation will determine if the mitigation is cost effective.
To determine if the current spend is enough or too much, you will find out where the marginal cost of mitigation = the marginal revenue of the risky process. By charting the points, you will determine if the current spend is producing diminishing returns.
For example, the level of risk will change based on seasons. The probability of a roof collapsing from heavy snow or fallen leaves is higher in the winter and fall.
Magaly Perez says
2. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
The cost of regulatory compliance is a very large burden that can drain the resources of even the most robust businesses. Although compliance is very expensive, if it is implemented correctly it can lower the financial burden of compliance and the struggles associated with reaching compliance. In considering the challenges of compliance, a company must apply standards or measuring techniques when attempting to improve the efficiency and effectiveness of the compliance process. An approach a business can use is the COMPARE Model:
- Compliance documentation
– Inventory of current compliance activities
– Assets management
– Gap analysis
– Strengths challenges opportunity analysis
– Business case development
– Risk analysis
– Standardization
– Vendor selection
– Software development life cycle
– Project management
– Testing/ validation
– Quality management
– Training
– Scenario planning
Businesses often view compliance efforts as unique projects driven by individual regulatory requests. A better approach is to view compliance as a process that improves corporate performance management, and for many organizations, it can lower cost and enhance quality. Overall, business will need to make a determination of which approach to use based on its risk tolerance and business performance objectives.
Ming Hu says
Regulatory compliance could be costly for many organizations, but I also read an article about how to transform compliance into a competitive advantage. That was about ACI and Wells Fargo. The most important lesson I learnt from this article is about transforming compliance from a reactive task to a proactive, repeatable business process. Wells Fargo set the plan in motion more than a year ago rather than waiting, making clear early on the complexity of the new compliance issue, so they could have a clear realization of the changing requirements and then take actions.
Seunghyun (Daniel) Min says
Q1. Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
I have never been involved with an internal audit or audit of my process/project. But in my current internship, my team, the Waiver Unit of the Intellectual Disability Department, City of Philadelphia, is now preparing for the year-end audit. My role is not heavily involved with any type of the preparation, but I can share some aspects of it from my manager’s perspective. Let me give a brief introduction of what my department does. In my department, our team collects necessary information from clients, such as their eligibility, financial statements, etc., to enroll them into the disability waiver support program. During the audit, our team has to show the auditors whether all documents are up-to-date and people who are enrolled in the program are meeting the qualifications of the government requirement. Hence my manager is directing every supervisor to confirm every document is updated and to make sure there is no false information on any clients. And they are finally moving all the document files that are done to a room to be ready for the audit.
Priya Prasad Pataskar says
Daniel, I have been involved in audits as an auditor and I know how much importance documentation holds. Your manager stressing clear and accurate documentation is indeed important. An auditor gets involved with the team or company only for a short span of time. It is very stressful for an auditor to understand the internal processes of a company in that short span. Not only does he have to understand them, but he must also compare them with industry best practices and point out flaws or discrepancies in the process. For this, documentation is very important. One, the auditor must be given process documentation as proof that a formal process is in existence. Two, documentation of how the process was followed is important to showcase adherence to those policies.
Abhay V Kshirsagar says
Good point. I think understanding the different key business processes of a company in a short period of time is challenging, and in addition, if the documentation that is needed for the audit isn’t properly dated then it can be a nightmare for the audit team during the evidence gathering stage.
Seunghyun (Daniel) Min says
Q2. How is independence maintained when working for the company as an internal auditor?
1. The internal auditor should report to executive management for assistance in establishing direction, support, and administrative interface; and typically to the audit committee for strategic direction, reinforcement, and accountability
2. The internal auditor should have access to records and personnel as necessary, and be allowed to employ appropriate probing techniques without impediment.
3. In order to maintain independence, the internal auditor should maintain objectivity as a mental attitude. To maintain objectivity, internal auditors should have no personal/professional involvement with or allegiance to the area being audited, and should maintain an unbiased and impartial mindset in regard to all engagements.
Source: https://www2.fin.ucar.edu/faqs/ia/how-does-internal-auditor-maintain-independence-and-objectivity
Vu Do says
Daniel, your number 3 response makes sense: internal auditors must maintain their independence when conducting an audit. They must not have any self-interest in what they are auditing and must have a clear mind to be focused. The decisions they make have to be unbiased, like you said, and that will help them conduct a good audit.
Binu Anna Eapen says
2. How is independence maintained when working for the company as an internal auditor?
An internal auditor should establish independence by a dual reporting relationship: one with the management (senior-most executive/CEO) for assistance in establishing direction, support and administrative interface for day-to-day administrative purposes, and the other with the organization’s most senior oversight group, that is the audit committee, for strategic direction, reinforcement and accountability. The audit committee ensures that the internal auditor has full support and that necessary resources are available to them, and ensures that there is no impairment to independence. It is the audit committee’s role to safeguard independence by approving the internal audit charter and mandate periodically.
An internal auditor should have access to records and resources whenever necessary. The auditor should have an impartial and unbiased mindset in regard to all engagements and should not let relationships or emotions get involved while auditing, in order to maintain objectivity. The internal auditors’ work must be reviewed before it is released to provide assurance that the work was performed objectively. The internal auditor should abide by the code of ethics, and internal audit staff should be rotated across various tasks and not work on the same team for a long period of time.
http://www.elmiracityschools.com/uploadeddocs/independence.pdf
Mansi Paun says
Very well written, Binu. You’ve mentioned all the possible ways which could affect an internal auditor’s independence, which is noteworthy, as one often tends to forget that individual relationships could also affect audits. Just recently, two former E&Y partners were charged with violating auditor independence rules due to close personal relationships with client personnel.
Annamarie Filippone says
Q1. Have you ever been involved with an internal audit or audit of your process/project? Briefly describe.
This past summer, an audit that my team had conducted earlier in the year was reviewed by the Quality Assurance group. Several Quality Assurance Analysts reviewed our workpapers from beginning to end and spoke to our client from the audit. A passing grade for us meant that the QA Analysts were able to understand and follow our steps throughout the audit, and find our final conclusion and report to be reasonable from those steps.
Annamarie Filippone says
Q2. How is independence maintained when working for the company as an internal auditor?
Internal auditors must maintain independence in order to provide objective assessments of a company’s processes. These auditors should report directly to an audit committee or board, rather than any company executives. This will ensure that internal auditors are not pressured from the top in a way that may influence their work. In addition, internal auditors should have a professional, but not overly close, relationship with business units they may have to audit.
Mansi Paun says
Rightly said, Annamarie. Auditors should report directly to an audit committee rather than a company executive whose position and interests could end up affecting the auditor’s assessment. Since you have been an auditor / on an audit team, could you tell us if the organization had a culture whereby auditors were encouraged to act and assess independently?
Annamarie Filippone says
Mansi,
Independence was definitely stressed where I work. Before the new internal audit analysts started we had to complete a week-long training program, and part of that training was learning the reporting structure (we were even given diagrams to take with us in case we forgot!). Even though we were only entry-level auditors, and thus would have no interaction with the audit committee ourselves for quite some time, the company realized the importance of teaching us the idea of independence and objective assessment from the very beginning.
Paul Linkchorst says
Hi Annamarie,
I had a similar experience to you. When I did my Internal Audit internship, the Internal Audit manager sat me and another intern down for about 3 hours and stressed how important independence is when performing the function. It was also one of the reasons why we were picked for the position. The company has a record of hiring interns who are the sons/daughters/relatives of employees. Due to the independence issue, they wanted two individuals completely outside the company to intern within the department. This resonated with me, since the company went out of its way to hire two interns just to make sure that the entire department remains independent and objective. I have also seen auditors turn down social events with employees due to the fact that it could jeopardize independence/objectivity from a third-party perspective.
Annamarie Filippone says
Q3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
The cost of implementing a compliance control is higher than the benefit obtained when, for an organization, the cost of the loss associated with the compliance risk is less than the cost of implementing the control. Risk assessments, including impact and likelihood analysis of each risk, must first be completed, which can then help it calculate the expected loss from each risk. Once it understands the cost associated with the risk itself, an organization can make more informed decisions regarding which controls will be worthwhile to implement.
Priya Prasad Pataskar says
Absolutely agree with you, Annamarie. Risk assessment can reveal not only direct losses but also the losses from other areas that one control failure can affect, and the likelihood of occurrence. A risk-based approach in such a situation will enable organizations to manage risks in a balanced and efficient way that reflects the value that is being protected. If the threat is low impact and low likelihood, it does not have the capability to cause significant harm. In such cases, with strategic decision making, companies can categorize a few risks as accepted. In many cases risks can be transferred to split the cost of losses that the company would have to bear.
Binu Anna Eapen says
Nice point on risk assessment. The concept of risk is understood in terms of the probability and magnitude of impact it can have on the business. Controls are placed to mitigate, transfer or accept the risks based on the decision made by the organization, considering the cost involved to mitigate them. And placing these controls means that every employee, from top management to the bottom, is compliant with the policies and standards that have been developed. Organizations that embrace a culture of compliance are likely to be more security and privacy conscious. It reflects the culture of the organization. Organizations that conduct internal audits can easily manage their cost of compliance or manage it effectively.
Priya Prasad Pataskar says
3) How is independence maintained when working for the company as an internal auditor?
Auditor independence refers to the freedom of an internal auditor to accurately report the findings without any pressure from external auditors, internal team members or the chief officers of the company, and with no financial interest in the audit process. This requires integrity, clarity and an objective approach. There have to be fair opinions and contributions to all the reports based on the task assigned.
One, the auditor must have reasonable knowledge to exercise objective and impartial judgment on all issues.
Two, the committee must note whether the auditor’s relationship with the company, its management and directors may influence the auditor’s judgments.
Should not create a mutual or conflicting interest.
Should not have a sense of belonging to or owning the portion that is going to be audited.
Should not let the auditor act as management.
The auditor must not take any advocate position for the company.
Certain activities like bookkeeping, financial design and implementation, actuarial services and legal services that may affect the auditor’s independence must be prohibited.
The role of internal audit is both internal and independent. It is a tension-creating situation when the internal auditor must evaluate the work of fellow members and give them advice. This should be handled professionally. Relationships must be balanced, not too friendly and not hostile. The audit committee and the CEO must together help create such an environment.
The internal audit process must be formal and documented; regular meetings with management and the audit committee would help maintain an independent dialogue. Auditors must be independent from discussing and managing the functions they have audited. The company must ensure that the internal auditor performs his duties in a no-fear environment and must disclose all findings to auditees and management. Internal auditors can contribute towards strategy in the company by pointing out areas of improvement. Management should understand that contributing to development is not the auditor’s job, but by virtue of their independent work, management can get great inputs towards continual improvement.
Source: http://www.journalofaccountancy.com/issues/2013/dec/20138669.html
https://na.theiia.org/standards-guidance/topics/Pages/Independence-and-Objectivity.aspx
Ming Hu says
Nice point, Priya. I agree with you and just want to add something to your first point: auditors should also be mindful of independence. They must be diligent in identifying and evaluating threats to independence and applying appropriate safeguards, and that should be seen as an integral part of an auditor’s knowledge. For example, if a conflict of interest situation remains in existence for several days, the auditor should inform the Audit Committee in writing of the conflict of interest situation to maintain the objectivity of the audit report.
Jianhui Chen says
2. How is independence maintained when working for the company as an internal auditor?
Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board. This can be achieved through a dual-reporting relationship. Threats to independence must be managed at the individual auditor, engagement, functional, and organizational levels.
https://na.theiia.org/standards-guidance/topics/Pages/Independence-and-Objectivity.aspx
Wenlin Zhou says
I agree with you. Internal auditors should not assume any operational responsibility. Objectivity can be presumed to be impaired when internal auditors perform an assurance review of any activity for which they had any authority or responsibility within the past year or a period significant enough to influence their judgment or opinion. Internal auditors should not accept gifts or favors from others such as employees, clients or business associates. The internal auditors should adopt a policy that endorses their commitment to abiding by the Code of Ethics, avoiding conflicts of interest, and disclosing any activity that could result in a possible conflict of interest. Staff assignments of internal auditors should be rotated periodically whenever it is practicable.
Wen Ting Lu says
Nice summary of independence as an internal auditor. I want to add that the results of internal audit work should be reviewed before they are released in order to provide reasonable assurance that the work has been performed objectively. Objectivity is a mental attitude which internal auditors should maintain while performing engagements. The internal auditors should have an impartial, unbiased attitude and avoid conflict of interest situations, as those would prejudice their ability to perform their duties objectively.
Yulun Song says
2. How is independence maintained when working for the company as an internal auditor?
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. To maintain independence, internal auditors should report directly to the chair of the audit and finance committee of the board and administrative. From the IIA: “specifically, the internal auditor should report to executive management for assistance in establishing direction, support, and administrative interface; and typically to the audit committee for strategic direction, reinforcement, and accountability. The internal auditor should have access to records and personnel as necessary, and be allowed to employ appropriate probing techniques without impediment. Objectivity is a mental attitude that internal auditors should maintain while performing engagements. To maintain objectivity, internal auditors should have no personal or professional involvement with or allegiance to the area being audited; and should maintain an unbiased and impartial mindset in regard to all engagements.”
https://www2.fin.ucar.edu/faqs/ia/how-does-internal-auditor-maintain-independence-and-objectivity
Priya Prasad Pataskar says
Nice post, Yulun. I would like to add a point regarding sampling. I have many times seen that the sample size or samples get adjusted so that the internal auditor misses the samples where possible discrepancies would be present. Auditors must be equally involved in sampling. This would mean the auditor must have the independence to select samples.
Yu Ming Keung says
Good point, Priya, I completely agree with you. Auditors verify that internal controls and procedures are in place for the companies they audit. They identify critical areas that may need improvement, and they test the performance. In order to give an independent opinion, the auditor should stay unbiased whenever they are selecting samples or sample sizes, providing services or giving opinions.
Abhay V Kshirsagar says
From a different perspective, it is also important for the audit committee to ensure that they are doing a good job of receiving an unbiased view from their internal auditors. At the end of each audit committee meeting, there is always a session between the audit committee and the head of internal audit to have very candid conversations about things that may not have been discussed in the full audit committee, which the head of internal audit wants to share. And then the reverse of that is conducted by the audit committee members on how well the internal audit is progressing, opportunities for improvement and, in some cases, compliments for a job well done.
Yulun Song says
3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
Oftentimes, the cost of implementing a compliance control remains a sore point for corporate executives, but consultants say the whirlwind of regulations surrounding businesses means skimping on compliance could end up costing a lot if regulators catch you out. Then the company will face not only dollar costs, but the cost in time as well, because the time you are spending responding to and monitoring these regulations is increasing. Compared with skimping on implementing a compliance control, reducing the costs is a good way to ensure efficiency and profitability within an organization. The best practices to reduce the cost of compliance: streamline gap analysis, kick spreadsheets to the curb, mesh compliance and security practices, prepare for consultants and auditors, and provide executives with business-friendly information.
https://www.lumension.com/Media_Files/Documents/Marketing—Sales/Whitepapers/Guide-to-Reducing-Your-Cost-of-Compliance-(1).aspx
Jaspreet K. Badesha says
Having worked in a compliance department for a healthcare organization, I can tell you from experience that skimping on compliance controls is very, very costly to an organization, not just revenue-wise but reputation-wise as well. You can also lose all of the funding you receive from the government, and certain patient segments would not be able to use your services (such as Medicare). It is always worth it to implement compliance controls when made aware of them before you become the victim of a CIA (corporate integrity agreement) or lawsuit in which you have to pay out large sums of money as well as implement those controls at that time. Being ahead of the curve and implementing early will put you on the front lines instead of always trying to triage and catch up later.
Paul Linkchorst says
Hi Jaspreet,
You bring up a good point about lawsuits. From the plaintiff’s perspective, if the defendant has not followed best practices, which more or less are compliance controls, this can open up an avenue for the plaintiff to use negligence in their lawsuit. Since these controls are required by law, failure to comply could lead to an easy case for the plaintiff. While compliance controls are expensive to maintain, one lawsuit could easily outweigh the costs of complying with these controls. I think the natural problem with compliance controls is that they are not seen as a necessary cost. Most of these controls are required since they protect the company’s stakeholders, and it should be that as long as these compliance controls are followed adequately, they adequately protect the stakeholders. It’s not until a major disaster, such as fraud, comes around that companies see the importance of some of these compliance controls.
Yu Ming Keung says
2. How is independence maintained when working for the company as an internal auditor?
The internal auditor position is always controversial because he or she is ‘employed’ by management, but is also expected to review the conduct of management. This can create significant tension.
Senior management should ensure that the internal audit department does not participate in activities that may compromise, or appear to compromise, its independence. These activities may include preparing reports or records, developing procedures, or performing other operational duties that are normally reviewed by auditors.
To ensure that auditors are independent, they should be given the authority to access all records and staff necessary to conduct the audit, and should expect from management a formal and timely response to significant adverse audit findings through the taking of appropriate corrective action.
Here is an action list that can ensure the internal auditor’s independence:
– Ensure that the chief audit executive (CAE) reports administratively to the chief executive officer (CEO) and not to the chief financial officer (CFO) or a similar officer who has a direct responsibility for systems being audited. Reporting to executives other than the CEO is not desirable as they can influence the internal audit work to be conducted in their area of responsibility, leading to a loss of independence by internal audit.
– The board or its audit committee should determine the CAE’s performance evaluations and compensation.
– The CAE should report functionally for internal audit operations to the audit committee and for administration to the CEO.
– Ensure that the internal audit activity is free from interference in determining the scope of internal auditing, performing work, and communicating results.
- Establish the independence and the authority of internal audit staff by detailing this in a formal document such as an internal audit charter.
However, the internal auditor should not be allowed to assume operating responsibilities or to draft procedures for, design, install, or operate systems.
Abhay V Kshirsagar says
Good post, Yu Ming.
I think, along with the points you made, it is also important that the internal auditor doesn’t have any personal involvement with the client personnel for the audit area. This can certainly influence the audit process, as conflicts of interest can arise. The auditor may be tempted to ignore or be lenient about negative audit findings, as their relationship will be on the line.
Binu Anna Eapen says
Well written, Yu Ming. I agree with you completely, and I also like the fact that you specified the functions of the IT auditor. It is important that IT auditors are not influenced by, and do not influence, other functions. In the same way, the IT auditor should not be given the right to make any changes in production, development or quality assurance. Their prime duty is to audit, identify risks and suggest means to mitigate them. Also, they should not report to any functional head and should have independence when it comes to reporting to the CEO as well as the audit committee.
Joshua Tarlow says
Similar to the cost of proper risk management/control, the cost of implementing compliance is higher than the benefit obtained when the actual implementation cost exceeds the benefit. Companies make these calculations all of the time and usually accept some level of risk, because it is impossible to prevent everything. Still, there are some risks that have a very low probability but a high impact, where companies mistakenly decide to accept the risk because the probability is so low. Often when this scenario backfires it can end up in the news and have severe financial and reputational impacts on the company. Samsung is an example with their Note 7 phone earlier this year. Not only did Samsung have to recall the phone once due to a faulty battery, but they were forced to do so a second time. They thought that the problem had been identified but were ultimately wrong. They decided the probability was low enough that it was worth the risk, but this mistake only made their situation much worse.
It is definitely a difficult balance to maintain between compliance and the benefits obtained. Companies must strive for efficiency to maintain competitiveness, but at the same time they must properly assess probability and risk. First, proper risk assessment and realistic probability are crucial. Some companies may not realistically assess probability, or may assume that something cannot happen. Proper statistics can better inform companies of accurate probabilities of a risk. With accurate data, an informed decision can then be made about the appropriate level of risk to accept, and then the subsequent amount of compliance to achieve this equilibrium.
Paul Linkchorst says
1. Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
One of my previous internships included a year working with the Internal Audit department of Munich Reinsurance America Inc. in Princeton, NJ. Over that time span, I worked on several audits from both the IT side and the operational side. Due to the experience of the Internal Audit staff, most of the SOX compliance audits were performed by the IA team and reviewed by our financial auditors, KPMG. However, two of the larger audits I participated in included the audit of the corporate reserving process and an audit of fixed asset management. My experiences are very similar to the audit processes that we have been learning in the ITACS program. For myself, one of the things that I enjoy most about performing Internal Audit work is getting to experience and learn about various parts of an organization.
Deepali Kochhar says
Paul, great example. Can you share the difference in approach adopted towards the two audits you have been a part of? Both of them must have had a different purpose. Was there a difference in the way of performing the two audits?
Paul Linkchorst says
Hi Deepali,
The overall process for these audits, I would say, was the same. We started by reviewing previous audits and documentation to learn the process, met with process owners/managers, requested documentation, tested the documentation, conducted follow-up meetings, and finally came to a conclusion/recommendation. For starters, the Corporate Reserving audit was part of the SOX compliance audits, which are performed at the end of the year, while Internal Audit decided on its own to perform the Fixed Asset Management audit. Therefore, the Corporate Reserving audit was not as in-depth as the Fixed Asset Management one. Since I was an intern, though, my role for the two audits differed slightly. One of the major differences which changed the approach slightly was the complexity of the processes.
Actuarial Reserving is a highly technical area, in which a liability is booked on the financials for the present value of future cash flows of a contingent event. Essentially, an insurance company needs to record a liability for any potential claims that may arrive, and actuaries come to that number based on math and statistics. From talking to the Internal Audit Manager, this is a process one can audit multiple times and still not grasp 100% of the function. Therefore, my role was to document as much of the process as possible using a document flowchart tool called Adonis. I utilized older Visio charts and updated the processes to reflect how they are performed now, and used the risks and controls identified through Enterprise Risk Management’s Risk Control Matrix to locate where controls are in the process diagram. This helped identify any gaps or risks within the process and helped the senior I was working with visualize the process. On top of that, we reviewed multiple Excel spreadsheets that were utilized in the process and verified that approvals were made on certain transactions. Since this was a SOX audit, the audit merely scratched the surface, but a large portion of my time was spent documenting what we had learned, not necessarily finishing the audit.
The fixed asset management audit is a much simpler audit and one that many financial auditors start out with. Fixed assets are those that are purchased for long-term use and help with producing the company’s products or services (i.e. computer chairs, printers, etc.). Unlike Actuarial Reserving, this was an audit that I and two senior auditors went more in-depth with and questioned the accounting of these fixed assets. One question was how fixed assets were disposed of and whether that was in line with company policy. Likewise, we performed some sampling of certain fixed assets and examined the depreciation schedule, valuation, and disposal of that sample to make sure they followed GAAP. Once the testing was complete, it was documented, and prior to release of the audit, we met with the department heads, reviewed the findings and discussed potential findings.
Overall, the two were very similar. However, some slight changes can make how one goes about an audit slightly different.
Paul Linkchorst says
2. How is independence maintained when working for the company as an internal auditor?
I suppose there is a natural conflict of interest having members of a company perform audits on its IT and operations. With that being said, there are several actions that a company can do in order to maintain independence. First off, Internal Audit departments are set up where they report to the audit committee. Since the audit committee is a subset of the board of directors, this means the IA department reports to a party whose main responsibilities are to provide oversight for the organization. The purpose of this is to make sure that members of the IA department are not reporting to any supervisors (CEO, CFO, etc.) and therefore can be more objective in their audits without feeling like their actions could have repercussions. Similar to this, members of the IA department cannot design and implement controls. If members of the IA department were to design and implement controls, then their objectivity to an audit could be skewed.
Overall, ethics is a big area in the audit environment and something that is frequently reinforced. In my undergraduate education, one of the codes of conduct that I learned came from the AICPA stating that auditors should be independent in fact and appearance. Independent in appearance is to say that from a third-party perspective, parties are independent (ex. auditee is not a family member). Independent in fact is to say that your state of mind and actions are independent and not influenced in any form. In my experiences, I think most auditors have a high level of ethical behavior and can obtain an objective mindset. I believe this is easier for some auditors since in their perspective their actions are making the company more secure and risk free, even if the auditees and upper management might not agree.
Wenlin Zhou says
I agree with you. Independence of the internal auditor means independence from parties whose interests might be harmed by the results of an audit. Specific internal management issues are inadequate risk management, inadequate internal controls, and poor governance. The audit charter and the reporting to an audit committee generally provide independence from management; the code of ethics of the company (and of the internal audit profession) helps give guidance on independence from suppliers, clients, third parties, etc. Internal and external concerns are convoluted when nominally independent divisions of a firm provide auditing and consulting services. The Sarbanes-Oxley Act of 2002 is a legal reaction to such problems.
Paul Linkchorst says
3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
In my opinion, the cost of implementing a compliance control is higher than the benefit obtained when the cost is higher than the impact of a threat/risk. When performing a risk assessment, one should quantify the impact of a threat/risk if it were to occur. From an information security standpoint, we know that even a slight failure in a control can have a huge impact from, say, a data breach. This same mindset can be applied to some compliance controls like Sarbanes-Oxley (SOX). For example, compliance controls such as SOX require organizations on average to spend about $6 billion a year. From a business standpoint, there are not too many benefits from the SOX implementation that would justify the $6B in expenses. However, the compliance controls are in place to protect the stakeholders and the company itself from overlooking any of the actions of its employees, from the low-level employees to C-suite executives. Therefore, SOX compliance controls are mostly in place to prevent fraud, which even in the slightest amount within an organization can cause a stock drop of over a billion for an organization. With that being said, organizations still need to make sure that their operations are efficient and within SOX compliance. From the compliance standpoint, making sure processes are well documented and that the documentation of a process is well organized can assist in making the testing of SOX controls a much more efficient process. From the business standpoint, monitoring such compliance controls is a way to ensure that these compliance controls, which are mandatory, are being performed in a manner that efficiently mitigates the risk they were designed to address.
Source: https://www.theiia.org/chapters/pubdocs/2/ACost_BenefitAnalysisofSOXOct2007.pdf
Abhay V Kshirsagar says
How is independence maintained when working for the company as an internal auditor?
The internal audit function itself should be independent at all times. It has to be independent of the management team because they are really working for the audit committee. It's also a difficult relationship sometimes, when you are on the payroll of the company and you are reporting to one of the board committees. They have to be independent as they have to come unbiased to the scene; they have to have a point of view that cannot be questioned as prejudiced in any manner whatsoever. Since the audit committee relies on them and the full board relies on them to bring that unbiased view, there needs to be that trust. The objectivity of an internal auditor should not contain any personal or professional allegiance to the area that is being audited. This independence can be threatened when an auditor makes comments beyond the audit team about the client or the audit area, or lets their personal relationships with the client move beyond a business relationship.
Deepali Kochhar says
Another thing I would like to add to this is that an auditor should only make recommendations towards the findings. They should not be biased while making any decisions. Their personal point of view should not play any role while reporting the findings, and it should be only on the basis of what is seen as evidence. Because every organisation has different needs and requirements, understanding those and making decisions on the findings is the correct way to go.
For example, it is not necessary that every organisation needs to implement segregation of duties, as it may be costly for them to implement. It might be possible that they implement compensating controls in place of that, which may save them cost and still serve the purpose. As an auditor, all this should be studied before creating a finding that no segregation of duties is performed.
Yu Ming Keung says
Very good point Abhay. The internal auditor has to be unbiased in their opinions because they are examining issues related to company business practices and risks, and he or she will be reporting to the audit committee and the full board. Rules to minimize bias focus on eliminating conflicts of interest. Companies may need to hire an external auditor to provide consultation services.
Abhay V Kshirsagar says
When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
The controls are in place to ensure that an organization is following safer ways to conduct business so that its stakeholders aren't harmed in any way, e.g. there aren't any breaches, frauds, etc. Various compliance regulations were introduced when frauds on a large scale started happening and the government decided to be the guardian and parent of publicly traded companies, to ensure that the public is protected if someone decides to carry out a similar or a bigger fraud. Such incidents are categorized as business risks for the organizations. The cost of this regulatory compliance can be on the higher side, and the process itself can be complicated. Organizations, after a thorough risk assessment, can decide whether to accept or mitigate different risks. And, when the cost of the loss associated with the compliance risk is less than the cost of implementing the control, that is when the cost of implementing a compliance control is higher than the benefit. I think the key is to understand the cost (value) associated with the different risks.
Deepali Kochhar says
Definitely Abhay, I think the first step towards implementing a compliance control is to decide whether to accept, mitigate, avoid or transfer the risk.
A cost-benefit analysis must be performed to assess whether the compliance control cost is higher than the benefit obtained.
In the situation where the compliance control cost is higher than the benefit obtained (the potential risk far exceeds the potential benefits), the risk should be avoided and no compliance control should be put in place for such a risk, as it is simply adding cost for the organization.
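The cost-benefit comparison that Abhay and Deepali describe (control cost against the loss the control avoids), and Paul's point that some controls such as SOX are mandatory regardless of that arithmetic, can be written down as a small decision routine. The following is an added example, not code from anyone in the thread; the risk names, dollar figures, occurrence rates and the `ControlCandidate` structure are constructed for illustration.

```python
"""Added example (not from the discussion above): decide whether a compliance
control is worth implementing by comparing its annual cost with the annualized
loss expectancy it removes.  All figures below are constructed."""
from dataclasses import dataclass


@dataclass
class ControlCandidate:
    risk: str
    sle: float               # single loss expectancy: dollars lost per occurrence
    aro: float               # annualized rate of occurrence without the control
    control_cost: float      # annual cost to implement and operate the control
    residual_aro: float      # expected occurrence rate once the control is in place
    mandatory: bool = False  # required by regulation, so cost does not decide it

    @property
    def ale_before(self) -> float:
        """Annualized loss expectancy without the control."""
        return self.sle * self.aro

    @property
    def ale_after(self) -> float:
        """Annualized loss expectancy with the control in place."""
        return self.sle * self.residual_aro

    @property
    def net_benefit(self) -> float:
        # Loss the control avoids each year, minus what the control costs.
        return (self.ale_before - self.ale_after) - self.control_cost


def decide(c: ControlCandidate) -> str:
    """A mandatory control is 'required' whatever it costs; otherwise mitigate
    only when the avoided loss exceeds the control cost, else accept the risk."""
    if c.mandatory:
        return "required"
    return "mitigate" if c.net_benefit > 0 else "accept"


def summarize(candidates: list) -> list:
    """One (risk, decision, net benefit) row per candidate, for the report."""
    return [(c.risk, decide(c), round(c.net_benefit, 2)) for c in candidates]


# Constructed sample data: not real figures for any organization.
SAMPLE = [
    ControlCandidate("Unencrypted backup tapes lost in transit",
                     sle=500_000, aro=0.1, control_cost=12_000, residual_aro=0.01),
    ControlCandidate("Visitor badge printer outage",
                     sle=2_000, aro=2.0, control_cost=15_000, residual_aro=0.2),
    ControlCandidate("Financial reporting misstatement (SOX 404 control)",
                     sle=5_000_000, aro=0.02, control_cost=250_000,
                     residual_aro=0.005, mandatory=True),
]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

For the mandatory row the net benefit is negative, which is exactly the SOX situation Paul describes: the question for that control is not whether to implement it but how cheaply it can be operated and tested, so the cost figure is what the organization should work on.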
Seunghyun (Daniel) Min says
Q3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
In my opinion, for some industries where companies are highly regulated, such as pharmaceutical companies, depending on the case their cost of implementing a compliance control would be much higher than the benefit that they would obtain. However, for a long-term goal, if the compliance control would benefit the whole company, then I think they should proceed to implement it. For example, suppose a pharmaceutical company is planning to create a medicine that will help cure many patients who are suffering from a very specific brain cancer, but the government puts strict regulation on the company in researching those kinds of medications. The pharmaceutical company should place a compliance control that would most perfectly prevent them from violating the government's regulation, which might cost them a lot of money. It might not seem beneficial for them to implement those high-cost controls; however, after they succeed in creating the medication for that specific brain cancer, they will have a lucrative market to make revenue. In short, sometimes a company should invest much to meet all the requirements that the authorities suggest in order to go for higher benefits.
Binu Anna Eapen says
Nice example Daniel. In order to legally operate, businesses must comply with certain requirements regarding the company's transactions, labor practices and safety procedures. Before launching any business, the appropriate regulations for that industry must be studied, and a log of any costs and dates related to compliance must be kept. I believe mostly small-scale businesses tend to overlook compliance, as it sometimes can be too costly for them. It may not be required of them by law, but it is always recommended. If there are any government regulations, then even small-scale businesses will need to follow them.
Mansi Paun says
I agree with you, Daniel. Regulatory controls, more often than not, are actually costlier to implement as compared to the benefits realized upon implementing the specific controls. This is mostly because regulatory authorities are entrusted with the responsibility of ensuring that all parties involved are safeguarded when it comes to a buyer/seller or client/provider relationship. For example, business owners cannot get away with just providing online payment options, which benefits themselves and their customers; they also need to ensure that the customers' payment info is secure by having PCI-DSS compliant systems in place.
Having said that, in the longer run, despite the costs, companies do benefit from following a regulatory framework by increasing their own and their products' credibility, and often avoiding litigation if they are compliant.
Deepali Kochhar says
1. Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
I was working with a healthcare product-based organization. One of my roles was to perform an internal audit for SSNs. The purpose of the audit was to:
• Ensure that an individual’s Social Security number is not used for any purpose other than the purpose for which it was collected
• It should not be publicly posted, displayed or made available to the general public.
• Safe transmission of SSN
• Safe storage of SSN
• Maintaining CIA of the SSN
Process followed:
• Initially an audit worksheet is maintained which includes the details of the SSN, such as the purpose for which it is being collected, storage of the SSN, who all are using it and so on, collected from the information owners.
• This was discussed with the information owner to cross-question them based on the data they had provided. For example, are they using it as primary information? If yes, they need to justify the purpose.
• Based on the findings, risk scoring was performed and risk was quantified (Low, Medium, High).
• Report was generated based on the risk calculated and key risk areas were highlighted.
Mansi Paun says
Very interesting, Deepali. I'm curious to know how you were encouraged or assured to maintain independence during these internal audits. Was the organization itself that mature that you didn't fear retaliation for reporting any findings, or did your own objectivity help you to report your assessment accurately?
Deepali Kochhar says
Great question Mansi. So there were standards and policies which were defined to be followed for managing the CIA of the crucial data. The audit was based on those standards and policies. Any findings which were not following those standards and policies were questioned with the user, and after that, based on the reasons provided, a decision was made on the risk level.
As an example, the policy says that SSNs should not be moved to secondary server storage, but the finding says that they have been moved. In that case the next thing to assure was how safe that server is and who all have access to it. Also, the user was asked the reason why it was moved, and based on that the findings were generated.
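Deepali's SSN audit above (the worksheet collected from information owners, the cross-questioning, and the Low/Medium/High scoring) and her follow-up about the secondary-server finding can be turned into a set of rules that run over the worksheet rows. The block below is an added example, not Deepali's or her organization's tooling: the `APPROVED_STORAGE` set, the worksheet fields, the severities assigned to each rule and the three sample systems are all constructed assumptions about what such a policy might say.

```python
"""Added example (not from the discussion above): codify the SSN audit checks
as rules over a constructed audit worksheet and score each system Low/Medium/High."""
from dataclasses import dataclass, field

# Assumed policy: the only storage location permitted for SSNs.
APPROVED_STORAGE = {"primary-db"}

SEVERITY_ORDER = {"Low": 0, "Medium": 1, "High": 2}


@dataclass
class WorksheetEntry:
    """One row of the audit worksheet, as collected from the information owner."""
    system: str
    owner: str
    collection_purpose: str
    current_uses: list
    storage_locations: list
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    publicly_displayed: bool
    used_as_primary_identifier: bool
    # Exceptions the owner justified during cross-questioning, e.g. a secondary
    # server that was reviewed and found adequately access-restricted.
    justified_exceptions: set = field(default_factory=set)


def evaluate(entry: WorksheetEntry) -> list:
    """Return (finding, severity) pairs for one worksheet entry."""
    findings = []
    # Use beyond the purpose the SSN was collected for.
    for use in entry.current_uses:
        if use != entry.collection_purpose:
            findings.append((f"SSN used for '{use}', beyond collection purpose "
                             f"'{entry.collection_purpose}'", "High"))
    if entry.publicly_displayed:
        findings.append(("SSN publicly posted or displayed", "High"))
    # Safe transmission and safe storage.
    if not entry.encrypted_in_transit:
        findings.append(("SSN transmitted without encryption", "High"))
    if not entry.encrypted_at_rest:
        findings.append(("SSN stored without encryption", "Medium"))
    for loc in entry.storage_locations:
        if loc not in APPROVED_STORAGE:
            # A copy on a secondary server is still recorded, but a reviewed
            # and justified exception is scored lower than an unexplained one.
            sev = "Low" if loc in entry.justified_exceptions else "Medium"
            findings.append((f"SSN copied to non-approved storage '{loc}'", sev))
    if (entry.used_as_primary_identifier
            and "primary-identifier" not in entry.justified_exceptions):
        findings.append(("SSN used as primary identifier without justification", "Medium"))
    return findings


def overall_risk(findings: list) -> str:
    """A system's risk level is the highest severity among its findings."""
    if not findings:
        return "Low"
    return max((sev for _, sev in findings), key=SEVERITY_ORDER.__getitem__)


def report(entries: list) -> list:
    """Summarize each system, highest risk first, for the audit report."""
    rows = []
    for e in entries:
        f = evaluate(e)
        rows.append({"system": e.system, "owner": e.owner,
                     "risk": overall_risk(f), "findings": f})
    rows.sort(key=lambda r: SEVERITY_ORDER[r["risk"]], reverse=True)
    return rows


# Constructed sample worksheet; system names and owners are invented.
SAMPLE_WORKSHEET = [
    WorksheetEntry("Patient Billing", "billing-team", "insurance billing",
                   ["insurance billing"], ["primary-db"], True, True, False, False),
    WorksheetEntry("Claims Analytics", "analytics-team", "insurance billing",
                   ["insurance billing"], ["primary-db", "reporting-server"],
                   True, True, False, True, {"reporting-server"}),
    WorksheetEntry("Legacy Member Portal", "portal-team", "member identification",
                   ["member identification"], ["primary-db"], False, False, True, True,
                   {"primary-identifier"}),
]

if __name__ == "__main__":
    for row in report(SAMPLE_WORKSHEET):
        print(row["system"], row["risk"], [f for f, _ in row["findings"]])
```

The justified-exception set is what carries the cross-questioning step into the scoring: the reporting-server copy is still a finding on Claims Analytics, but because the owner's justification was reviewed it drags the system to Medium rather than High, which matches the way Deepali describes deciding the risk level after hearing the owner's reasons.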
Tiesha Christian says
Deepali – This was a great example. Did this healthcare facility abide by HIPAA and ways to protect PII? I never heard of this type of audit. But the world of audit is so grand and detailed in every aspect. Did you find this work interesting? How involved were you with the findings ratings? I am also curious to know how the company detected improper usage of the SSN.
Yu Ming Keung says
When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
With the cost of compliance expected to rise, organizations must find ways to streamline compliance spending to maintain IT operations and IT security service levels. Having the right compliance control can result in valuable benefits such as reducing risks of occupational fraud, ensuring accurate financial reporting and increasing operating efficiencies.
The cost of implementing a compliance control is higher than the benefit obtained when an organization does not have the right control. So organizations may perform the following analysis:
1. Streamline Gap Analysis: Streamline gap analysis to quickly find requirement changes in updated regulations and additional requirements in new regulations that are currently unmet by existing IT security practices.
2. Kick Spreadsheets to the Curb: Eliminate spreadsheets and automate the information-gathering process necessary to prove compliance with specific regulatory requirements.
3. Mesh Compliance and Security Practices: Overlay security practices on top of compliance efforts to avoid a "checkbox compliance" mentality and maximize real security effectiveness through required compliance spending.
Tiesha Christian says
Yu Ming Keung – I agree with your thought of streamlining gap analysis, meshing compliance and security practices. However, I am curious to know more about your thought on kicking spreadsheets to the curb. How would you automate the information gathering process, and also how do you think it will truly be beneficial? I think the two really strong points are the others you mentioned.
Ming Hu says
Nice point Yu Ming. About meshing compliance and security practices, you need to determine where business risks lie. Then put technology and processes in place to mitigate those risks. At that point, you also need to figure out how those measures satisfy compliance obligations. When the organization gets that flowchart backwards, when it acts first to check the boxes to fulfill compliance duties, it tends to leave chinks in its security armor.
Vu Do says
2. How is independence maintained when working for the company as an internal auditor?
Independence, I would imagine, is maintained by doing your work on projects independently and, when you are confused about something, reaching out to a person that can help out. But mostly you have to keep your project to yourself, since you are the internal auditor of the company and do not want anyone to get hold of your data while you are in the process of an audit. If that data is accessible to anyone, then the risk of fraud could occur. You have to make sure your work is secured and that you are not influenced on a decision by anyone. Your work must be backed up by data attained and unbiased in judgment.
Binu Anna Eapen says
I agree with you that an internal auditor must have unbiased judgement while auditing any business function, and an auditor should not share or reveal the data to anyone. I would rather say that independence needs to be maintained by not having to return favors to the team for any reason. The work has to be kept professional and independent to correctly identify the vulnerabilities and the threats they pose, and to mitigate all levels of risk to the maximum extent feasible for the organization, keeping the business goal in mind.
Deepali Kochhar says
Great point Binu. Business goals play a very important role in defining what findings should be noted and what not, keeping personal bias aside. Therefore the first job of an auditor is to understand the organisation's culture, business and needs before starting an audit. Just having technical knowledge is not sufficient for an auditor to perform an audit. Having only technical knowledge and implementing the same without understanding the business need is also a kind of biased judgement.
Mansi Paun says
2. How is independence maintained when working for the company as an internal auditor?
When working for a company as an Internal Auditor, it is of utmost importance to maintain independence and objectivity. Independence can be maintained by ensuring that the Auditor reports directly to the Audit committee and not to a position which could have conflicting interests in the Audit findings. Since the Auditor is employed by the management, and he/she is required to audit or evaluate the management's performance, there are chances that the management's interests overshadow the Auditor's assessment. To maintain independence in such a scenario, it is necessary for the Auditor to be objective and unbiased. He/she must understand the importance of keeping an objective view and ensure that any findings are reported and worked on. Also, an Auditor must understand that if he/she doesn't assess objectively, the External Auditor will report the findings, and at that time there would be more at stake. It would behoove the Auditor, management and the company that the Auditor reports independently and objectively.
To sum up, an Auditor should be unbiased and objective and be assured that he/she shouldn’t fear retaliatory action based on their assessment to ensure independence.
Tiesha Christian says
Mansi – I like your point about remaining objective. I was once on an internal audit team, and during the audit there were findings raised. Management and the Audit team had several meetings to come to an agreement regarding the finding. Once management accepted the finding, they had to provide audit with an action plan. Throughout the entire process there was a team who played the role of the liaison between the audit team and the auditee. They came to me and asked me, the "Auditor", for my opinion of the remediation plan. I had to express to them that it was a conflict of interest and I had to remain independent in this scenario.
Jaspreet K. Badesha says
I agree Mansi, I have referenced similar items in my post for how an internal auditor maintains their independence. I particularly liked when you mentioned the following: "He/she must understand the importance of keeping an objective view and ensure that any findings are reported and worked on." This is an integral part of keeping independence: understanding the organization, the reasoning behind certain decisions and applications, as an 'independent' person. This gives an auditor perspective and can help them with the second part you mentioned: "an Auditor must understand that if he/she doesn't assess objectively, the External Auditor will report the findings and at that time, there would be more at stake." Because this is what an external auditor would do as well. This key step would be very beneficial to the organization.
Vu Do says
1. Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
I have not been involved with an internal audit process, but could imagine what it would be like. While working as an App Developer, I was assigned Customer Request projects and had a deadline with an amount of paid hours to complete them. I imagine upon completion the audit would look at the hours I spent on it during working hours and offline working hours. It would have to look at system logins to verify that I was indeed working on the CR and not other projects. It would have to make sure it was me making all the changes and that everything was getting approved along the way. The audit then would have my working hours and compare them to what was given for the project.
Tiesha Christian says
Vu Do – I know most shops operate differently. However, I think you make a good point. Audit would be concerned with your access rights as an App Developer. They would probably want to review things such as change management logs, attestation records and logical access. I don’t think Audit would be really concerned with your number of hours worked on the project. That is usually a concern of the Audit team for the Audit.
Jaspreet K. Badesha says
1. Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
Yes, at my previous job I was a part of the Compliance department and handled analytics on training metrics. I created my own Access database to manipulate the data to get it into the correct format for reports for managers and above, as well as C-level executives and board members. We also had an internal audit team within the compliance department that would audit our records, since we were going through government oversight and they wanted to be able to review everything. I had to explain each of my queries and macros and show them examples of what was taking place in a step-by-step manner. I had to show them audit logs of enrollments and dropping of courses for employees, as well as merges for employees with 2 records (permanent and temporary if they transitioned), to prove that they in fact did complete their mandatory compliance training. It was a very complex and tedious process. This was done to ensure our data had integrity and was accurate before people outside the organization tried to review it and reproduce all of the documented steps, including pulling files from our HR system as well as Learning Management Systems before they placed it in my database to run the reports. This was not only for new hire employee training; we also had to do this for annual trainings, and it was for both domestic and international employees as well as our partners who were other doctors.
Tiesha Christian says
1. Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
Yes. I have been included in the preliminary planning activities of the audit. Some of the planning activities included preparing and sending the audit start notice to the client, having the kick-off meeting, the initial walkthrough, and going over the scope and objectives of the audit. There are way more steps involved, but these are the steps/processes I have participated in closely.
Jaspreet K. Badesha says
2. How is independence maintained when working for the company as an internal auditor?
If you do not report to anyone you are auditing, you can maintain a level of independence. When you end up reporting to someone who is responsible for the function you are auditing, then it becomes very complicated, and it gets hard to separate the truth from conservatism aimed at pleasing your manager and their performance. Independence is also maintained well because if the auditor doesn't do an 'independent' internal audit, they will end up missing signs that can be caught by an external auditor, and at that point it will ruin the reputation of the internal auditor and probably be far along. If the IT auditor maintains their independence during their internal audits, they will look at the company slightly differently and catch these errors early.
Wenlin Zhou says
Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
When I am involved with the internal audit, the process follows these steps:
Planning, Preliminary Survey & Risk Assessment: Client engagement and acceptance. Define audit scope and objectives. Identify areas of fraud risks and potential responses. Understand business processes and the IT involvement environment. Understand current controls. Develop a preliminary audit plan.
Testing and Fieldwork: Review and evaluate controls already in place to make sure they work properly. Develop processes and procedures for data gathering. Identify areas of deficiencies or non-compliance.
Reporting: Communicate areas noted for improvement during the testing phase. Develop, along with business units, an actionable corrective action plan for deficiencies identified. Develop, along with business units, a timeline to address deficiencies identified. Develop the final report. Disseminate the report to appropriate business entities.
Follow-up: Send a request to business entities asking for an update and selected random evidence to show progress on implementing the action plan. Evaluate if re-testing may be necessary. If all checks out, close the audit plan.
Ming Hu says
Thanks for sharing. Considering the second question about auditor independence, do you need to mention this in your audit reporting, i.e. when you conduct an audit, do you need to provide a written declaration confirming that there have been no contraventions of the auditor independence requirements, such as the existence of a conflict of interest or whatever may influence the objectivity of your audit result?
Ming Hu says
How is independence maintained when working for the company as an internal auditor?
Auditor independence is achieved through organizational status and objectivity:
Organizational status – the director of the internal auditing department should be responsible to an individual in the organization with sufficient authority to promote independence and to ensure broad audit coverage, adequate consideration of audit reports, and appropriate action on audit recommendations.
Objectivity – internal auditors should report to the director any situations in which a conflict of interest or bias is present or may reasonably be inferred. The director should then reassign such auditors. Also, staff assignments of internal auditors should be rotated periodically whenever it is practicable to do so.
Source: https://www.compliancealliance.com/our-services/audit-independence