Arising Importance of Audit due to Present Economic Developments
Agenda
1. Definition and Components of Internal Audit
2. International Standards and Regulations about Internal Audit
3. Effects of Economic Crisis and Technological Developments
4. New Trends and Changing Role of Internal Audit
Definition and Components of Internal Audit
Definition of Internal Audit
Internal audit helps an organization to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Internal Audit is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.
Corporate Governance
Corporate governance is a general system which promotes enterprise orientation and control structure.
The generally accepted international understanding of corporate governance involves:
• Equality,
• Transparency,
• Accountability and
• Liability.
Risk Management
Risk management is a process that ensures an appropriate trade-off between risk and yield and adds “value” to the organization.
Risk management concerns all departments.
IDENTIFICATION OF RISKS → PRIORITIZATION OF RISKS → TAKING NECESSARY ACTIONS
1. Identification of Risks
• Defining the risks
• Measuring the risks
• Analysis of the risks
• Reporting
2. Prioritization of Risks
• Probability of the Risk
• Severity of the Risk
3. Taking Necessary Actions
• Acceptance
• Transferring
• Controlling
Internal Control
Control is one of the actions taken to mitigate the effects of risks in terms of:
• Safeguarding of assets,
• Compliance with laws, regulations, and agreements,
• Reliability and integrity of financial and operational information,
• Effectiveness and efficiency of operations.
Basic control activity examples are:
• Authorization Methods
• Limit Applications
• Decomposition of Tasks
• Policy and Procedures
• Task Descriptions and Responsibilities
• Reconciliation Methods
International Standards and Regulations about Internal Audit
Regulations about Internal Audit
Regulations in Turkey
- Banking Law No. 5411
- Arrangements of Banking Regulation and Supervision Agency (BRSA)
- Arrangements of Capital Markets Board of Turkey
International Regulations
- Regulations by Basel Committee
- Regulations by Professional Associations (IFAC, IICPA, etc.)
Standards of Internal Audit
A. ATTRIBUTE STANDARDS
• Purpose, Authority and Responsibilities
• Independence and Objectivity
• Proficiency and Due Professional Care
• Quality Assurance and Improvement Program
B. PERFORMANCE STANDARDS
• Management of Internal Audit Activities
• Quality of Work
• Engagement Planning
• Performing Engagement
• Reporting Results
• Observing Developments
• Acceptance of Residual Risks by Management
Purpose, Authority and Responsibilities
The purpose, authority and responsibilities of internal audit activities should be clearly stated in the charter, which has to be approved by the Board of Directors.
Independence and Objectivity
• Organizational Independence
• Individual Objectivity
• Impairment to Independence or Objectivity
Proficiency and Due Professional Care
Proficiency
Requires the knowledge, skills and other competencies needed to perform individual responsibilities.
Due Professional Care
The care and the skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.
Continuing Professional Development
Enhancement of knowledge, skills, and other competencies through continuing professional development.
Attribute Standards
The Internal Audit Activity Management
The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization.
Planning
Communication and Approval
Resource Management
Policies and Procedures
Coordination
Effective reporting mechanisms in order to communicate with the Board of Directors, Internal Audit Committee and Top Management
Performance Standards
Engagement Planning
Engagement Objectives:
When setting the engagement objectives, internal auditors should:
• Identify and assess risks relevant to the activity under review; the engagement objectives must reflect the results of this assessment,
• Consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.
Consulting engagement objectives should address risks, controls and governance processes to the extent agreed upon with the client.
Scope of Engagement:
The established scope must be sufficient to satisfy the objectives of the engagement.
The scope of the engagement must include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.
Engagement Resource Allocation:
Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives, based on a plan that considers the following:
- an evaluation of the nature of the engagement,
- complexity of the engagement,
- time constraints,
- available resources.
Performing the Engagement
Internal auditors must
• identify,
• analyze,
• evaluate, and
• document sufficient information to achieve the engagement's objectives.
Recording Information
Internal auditors must document relevant information to support the conclusions and engagement results.
Thus, it is beneficial for internal auditors to prepare working papers.
Communication of the Engagement Results
[Diagram: reporting lines among Internal Audit, Audit Committee, Board of Directors and BRSA (BDDK); flows labelled Periodic Activity Report, Observations about Board of Internal Audit, Annual Report and Observations]
Monitoring Progress
Each Chief Audit Executive (CAE) is expected to fulfil the following tasks. A CAE:
• Must establish and maintain a system to monitor the disposition of results communicated to management,
• Must establish a follow-up process to monitor and ensure that management actions have been effectively implemented, or that senior management has accepted the risk of not taking action (defined as residual risk).
Effects of Economic Crisis and Technological Developments
Important Corporations That Were Negatively Affected and Failed
[Timeline figure: October 07, January 08, June 08, September 08]
Developments After Crisis
What's Expected?
• Reconstruction of the Global Banking System
• Canonical market economy instead of free market economy: establishing a new audit/control system,
• Elimination of Weakness of Risk Management,
• The Development of Credit Rating Agencies' Applications
• New Regulations and Regulatory Institutions in Financial Markets
Developments After Crisis
• Increasing Severity of Audit
• Differentiation of Audit Methodologies
• Monitoring Audit Results
• Attribution and Adequacy of Auditors
WorldCom: Wrong accounting records of more than 9 million $
Enron: The greatest bankruptcy in the USA.
Tyco International: Presented 400 million $ more than the real figures of 2002.
Société Générale: 4,9 million Euro Treasury Transactions
Developments After Crisis
Lessons to Take
Risk must be “respected”. The risk management function should be seen as equal to other functions in banks, and not be described as a ‘back office’ function.
Risk analysis is an important part of modern risk management. On the other hand, models alone are not sufficient.
There may be limits to regulations.
If the level of exaggerated debt seems unbelievably good, then it really is unbelievable. U.S. banks owned tools that they used mainly to remove their credits from their balance sheets, bringing their leverage ratios to 600 to 1.
Accounting changes everything. Accounting for credit assets at their market value (mark to market) increased the volatility in reported losses by nearly 50 percent during the depression period. Accounting is accounting. There should not be any creative accountancy.
Audit activity is as effective as its results.
Volume-based bonuses redouble the risk appetite.
Questions to be Answered
Rating Agencies
• What is the standard method for working and decision-making?
• How transparent and accountable are they?
• How objective are their approaches and reviews?
• Who checks these organizations and their reports globally and locally?
Questions to be Answered
Risk Management and Risk Management Models
How proactive is risk management?
Was the risk management located in the right position within the bank?
Risk Management Models
• How applicable are they?
• How accurate are they?
• Are control and measurement methods sufficient?
Market Risk
Credit Risk
Operational Risk
The Basel II regulations on capital adequacy did not produce the needed effect on Banks to hold enough liquidity. Northern Rock and Bradford & Bingley did cover the requirements related to “capital”, but it did not prevent them from bankruptcy.
(The Independent)
Questions to be Answered
Audit Principles
Internal Audit
• Independent?
• Sanction Power?
• Risk Oriented?
• Qualitative Adequacy?
External Audit
• Regulations?
• Standards?
Questions to be Answered
Board of Directors and Top Management
• Volume Focused Bonuses
• Audit Committee Acts
• Functions of Independent Members of the Board
• Corporate Governance
New Trends and Changing Role of Internal Audit
New Trends in Audit
• Risk Oriented Audit
• Continuous Audit and Supervision
• Information System (IT) Audit
Risk Oriented Audit
The reasons stated below affect the working principles of internal audit departments. Risk oriented audit has become accepted for these reasons:
• Resources for audit activities are scarce.
• Brand new risks may evolve in audited fields.
• Activities involve relatively different severity levels.
[Diagram: Risk Oriented Audit Concept. Risk (Identify, Assess, Measure, Monitor) and Audit Plan]
Purpose: Transferring Resources of Audit to Most Risky Areas!
Continuous Audit and Supervision
Deriving benefits from IT,
Continuous supervision of processes,
Immediate audit following the transaction,
Early warning system before the risk is materialized.
IT Audit
Information Systems (IS) enable more effective work with fewer errors, which increases dependence on IS. Important processes run on IS.
IT systems are vulnerable to many risks:
• Authentication
• Non-repudiation (non-deniability)
• Data Integrity/Consistency
• Data Confidentiality (Privacy)
• Business Continuity
• Compliance with Regulations
IT Audit Standards
COBIT (Control Objectives for Information and Related Technology) is an IT management and audit model and the legislatively accepted standard for IT audits in Turkey.
CMMI: Software Development Process Standards
ISO: Service/Service Management Standards
ITIL: Information/System Security Standards
Changing Approaches in Audit
TRADITIONAL        MODERN
Detection          Prevention
Functional         Process based
Including whole    Risk oriented
Once               Continuous
Partial            Integrated
Audit Certifications
QUESTIONS???
Thank You...