- Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
- How is independence maintained when working for the company as an internal auditor?
- When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
Imran Jordan Kharabsheh says
1. While I have never experienced being audited myself, I have taken part in auditing the other departments of my company thanks to my experience in the internal audit department of an investment bank. The process itself was lengthy and required a decent amount of bureaucratic work in order to ensure proper procedure and compliance were being adhered to. There was also a good portion of field work, in which the other auditors and I engaged members of each department in a series of tests and interviews to ensure that proper training and guidelines were being enforced. Aside from the scheduling and assignment of audit tasks being distributed by the head of the internal audit department, we internal auditors were told not to take direct orders from anybody and that all actions requested of the internal audit department needed to be discussed directly with the head of the internal audit department.
2. From my experience working as an internal auditor in an investment bank, it became clear to me that internal auditors had very few authoritative figures that we took orders from. These were primarily the head of the internal audit department, who is often the leader of the audit projects; the Chief Financial Officer, who dictates the budgeting and has limited power over us; and the audit board, who are the final pair of hands that touch the audit reports before they are distributed. Often when a decision needed to be made in regard to the internal audit function, the CFO and the head of the Internal Audit department would discuss it and try to come to an agreeable conclusion. But if they could not agree with each other, then the issue escalated to the audit board, who held the final say in auditing decisions. Having this system helps internal auditors remain impartial when conducting audit functions because we aren’t as swayed by the actions of individual, malicious players.
3. The way that organizations often calculate the dollar amount that a threat has is by calculating annualized loss expectancy. Annualized loss expectancy is a calculation that shows the dollar amount a company can expect to lose annually from a given threat. To calculate annualized loss expectancy, companies need to have an estimated single loss expectancy and multiply that by the annual rate of occurrence associated with that threat. This means that you would need to know the estimated impact of the threat and the annual rate that the threat occurs. After calculating the annualized loss expectancy, a company would then compare that number with the cost associated with mitigating that risk, and ultimately decide whether to take action or not. Often when the cost of mitigating a risk is higher than the annualized expected loss, then a company will not take action against the threat since the cost of mitigating outweighs the benefits.
Penghui Ai says
Hi Jordan, I appreciate that you shared your job experience with us in the posting. I totally agree with what you are saying in Question #2, and that is a great system to help internal auditors remain unbiased and impartial.
Rouying Tang says
1. Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
I have never been involved with an internal audit or audit of my process/project.
2. How is independence maintained when working for the company as an internal auditor?
The most effective way to maintain the status of independence is the segregation of duties. Avoiding roles with conflicts of interest should always be followed.
3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
When the cost of implementing a compliance control is higher than the benefit obtained, the continuity of the organization can be threatened. When the organization no longer exists, all rules become meaningless. It does not just fit the business environment; it fits the political environment as well. We hope our government functions clearly without corruption, but corruption and fraud have never been stopped under rapid economic growth, regardless of time and place throughout human history. To balance efficiency, profitability and fairness, the key is the fraud triangle. Creating an environment where the cost of committing fraud is higher than the profit it generates is the only way to link the existence problems with compliance controls. And when the cost of conducting compliance controls becomes necessary for all organizations, this cost will no longer be an obstacle for any company to compete and survive.
Penghui Ai says
1. Right now, I do not have experience of being involved with an internal audit or audit of my process/project. Based on my understanding, internal audit is an independent, objective assurance and advisory activity designed to add value and improve the organization’s operations. It helps organizations achieve their goals by introducing a systematic approach to assessing and improving the effectiveness of risk management, control, and governance processes. One of the most important things in internal audit is independence, so the auditor cannot benefit from the company’s daily business, which means the auditor will not lose his/her benefits if his audit findings hurt the company.
2. The audit charter should establish the independence of the internal audit activity through the dual reporting relationship with the management and the highest-level monitoring group. In order to maintain objectivity, internal auditors should not participate in or be loyal to the areas audited, and there should be an unbiased and impartial attitude towards all audit operations. The internal auditor occupies a unique position. He or she is employed to manage but is also expected to review the conduct of the management. This may create significant tension from the internal audit independent of the management auditor who must objectively evaluate the management action, but the internal auditor’s reliance on management employment is very clear.
3. Implementing IT compliance systems is indeed very expensive because the framework does not affect individual applications, but IT takes up a large part of the information system. For example, the use of ERP and integrated management information systems, with general respect for all organizations, has expanded the scope and power of IT compliance to include almost all IT infrastructure and application portfolios within compliance. In addition, IT compliance is an ongoing process, and its cost may be like a permanent expense, consuming financial resources from the IT budget, i.e., from strategic, innovative IT investments.
Faced with this problem, enterprises should regard IT as an initiative rather than an obligation to fulfill, but as an opportunity to improve their understanding of the accounting information system, reduce IT risks, improve the value of financial information, and gain the trust of investors and financial markets.
At the same time, companies should strive to reduce IT compliance costs and expenses, whether for first implementation or maintenance of the framework. To reduce the implementation cost, companies can consider best practices, rationalize their process and application portfolios, standardize accounting systems, and gain economies of scale. To reduce maintenance costs, companies can learn from past business cases and create an empirical economy.
Haitao Huang says
To protect your business operations with the greatest possible efficiency, you must engineer your disaster recovery plan so that those business units with the highest priority are recovered first. You must identify and prioritize critical business functions as well, so you can define which functions you want to restore after a disaster or failure and in what order.
Deepa Kuppuswamy says
1. Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
In my prior work experience, I did not get an opportunity to work as an internal auditor. However, I have experience as an external auditor in one of the Big 4 auditing firms. So, I could somewhat relate to how the internal audit works. Every public company will endorse the ‘Three Lines of Defense’ model as a way of explaining the relationship between the business functions and to demonstrate how responsibilities should be divided:
> the first line of defense: Operational Management – functions that owns and manages risk
> the second line of defense: Internal Monitoring and Oversight Functions – functions that oversee or specialize in risk management, compliance
> the third line of defense: Internal Audit – functions that provide independent assurance, above all internal audit
Internal audit team provides assurance to senior management and the board that the first and second lines’ efforts are consistent with expectations. I believe that the three lines should share the same objective to help the organization achieve its objectives by the effective management of risk.
2. How is independence maintained when working for the company as an internal auditor?
Internal audit team ensures independence and professionalism within the organization. The main difference between this third line of defense and the first two lines is its high level of organizational independence and objectivity. Independence and objectivity are two critical components of an effective internal audit activity. The internal auditor should have access to records and personnel as necessary and be allowed to employ appropriate probing techniques without impediment. Objectivity is a mental attitude that internal auditors should maintain while performing engagements. To maintain objectivity, internal auditors should have no personal or professional involvement with or allegiance to the area being audited; and should maintain an unbiased and impartial mindset regarding all engagements.
Reference: https://www2.fin.ucar.edu/faqs/ia/how-does-internal-auditor-maintain-independence-and-objectivity
3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
Businesses often respond to regulatory compliance issues in an ad hoc, one-off manner. To manage the high cost of compliance, whether with SOX or other laws, every enterprise must be aware of the dynamics of Total Cost of Ownership (TCO). Awareness of the dynamics of TCO is crucial to managing the cost of compliance.
In order to ensure efficiency and profitability organizations should follow the below recommendations:
– Combine compliance requirements and build synergistic solutions. The effort saves time and money as well as establishes a framework for responding to future requirements
– Monitor the total cost of compliance relative to its effectiveness. Higher spending will not necessarily mean a higher level of compliance or reduction of risk.
– Understand, categorize and communicate the risks of noncompliance to your business. Agree on your preferred risk profile.
– Create an explicit link between compliance, performance management and value
– Manage compliance as a program, not a project. (Regulatory compliance must be continuous.)
Reference: http://logic.stanford.edu/poem/externalpapers/understanding_the_costs_of_c_138098.pdf
Haitao Huang says
1. I do not have any experience of participating in an internal audit yet. When conducting an audit or assessment, the team performing the review should be clear about the standard that they are using to assess the organization. The standard provides the description of control objectives that should be met, and then the audit or assessment is designed to ensure that the organization properly implemented controls to meet those objectives.
2. Internal audits are performed by an organization’s internal audit staff and are typically intended for internal audiences. The internal audit staff performing these audits normally have a reporting line that is completely independent of the functions they evaluate. In many organizations, the chief audit executive reports directly to the president, chief executive officer, or similar role. The chief audit executive may also have reporting responsibility directly to the organization’s governing board.
3. An organization should conduct business impact assessments to prioritize resources, functions, and risk in order to better mitigate risks and protect assets in a cost-effective manner. The BIA identifies the resources that are critical to an organization’s ongoing viability and the threats posed to those resources. It also assesses the likelihood that each threat will actually occur and the impact those occurrences will have on the business. The results of the BIA provide you with quantitative measures that can help you prioritize the commitment of business continuity resources to the various local, regional, and global risk exposures facing your organization.
Yuan Liu says
1. I do not have any specific internal audit experience, but I have some knowledge about it. Although every audit process is unique, the audit process is similar for most engagements and normally consists of four stages: Planning (sometimes called Survey or Preliminary Review), Fieldwork, Audit Report and Follow-up Review. Client involvement is critical at each stage of the audit process. As in any special project, audits require a certain amount of time being diverted from your department’s personnel. One of the key objectives is to minimize this time and avoid disrupting ongoing activities.
2. The audit charter should establish independence of the internal audit activity by the dual reporting relationship to management and the organization’s most senior oversight group. Specifically, the CAE should report to executive management for assistance in establishing direction, support, and administrative interface; and typically to the audit committee for strategic direction, reinforcement, and accountability. The internal auditors should have access to records and personnel as necessary, and be allowed to employ appropriate probing techniques without impediment.
3. I think better management and technology are good for improving efficiency and lowering cost. Speaking of advances in technology, old and outdated technology can create problems in your organization. Very old technology lacks features that have been built into applications in the past few years. Personally, we have changed contact management systems to fit our needs based on newer features and bigger requirements.
Yuan Liu says
If increasing sales is difficult, businesses mostly think about decreasing expenses. In general, decreasing expenses winds up occurring primarily through human resources. Employees are typically the largest expense in any company. By eliminating members of the team, there will be an increase of available cash, but this is ineffective for long-term growth and sustainability because it creates a stressful culture.
Yuan Liu says
7 Ways to Improve Team Efficiency and Productivity: Training, Listen to your Employees, Financial Incentives, Delegation of Responsibility, Appropriate Management Style, Define Roles and Tasks Clearly