Chapter 1 Definition, Characteristics, and Guidance SS Be a Product of the Product ‘Whar does it mean to be a product of the product? It's quite simple. Be a living example of what you sell, recommend or advise others. Petsonify what you preach. Show don’t tell. Lead by example. John B. Petersen II Introduction Internal audit is undergoing a massive transformation. While its role to provide independent, objective assurance and consulting services to organizations in ways that improve their operations has remained constant for decades and remains true today, how this has been accomplished has changed over time. Since the founding of the Institute of Internal Auditors (IIA) in 1941, the profession has evolved to adapt its personality, purpose, and approach to the changes taking place in the fields of management and organizational behavior. Universities and other academic institutions capitalized. on the lessons of the industrial era and developed organization theories that created systems whereby centralization, a defined hierarchy, distinct authority levels and reporting lines, clear ules, and the division of labor were the norm. Internal audit adapted co this approach and adopted it, so its methodologies were consistent with these theories. Standardization was the norm and organizations implemented rigid guidelines for how they functioned. Consequently, internal auditors did the same and implemented stan- dardized approaches to audit their clients in those organizations. This search for consistency resulted in the proliferation of checklists, standard audit programs, and procedures. In the end, internal auditing evolved in a way that validated the organizations’ hierarchy and structure, its centralization, assignment of rigid authority, discipline, rules, and the division of labor procedures against the standard model. The audit function, then, focused on assessing an organization's control or operational effectiveness with this standardization and could do so quickly by using 1 canned with G camscanner26 perinsl Aus go and viewing he sme Jocmens yey clits P . ; rd for those who conime © audit this way, a concealed ce was and He auior abv be creative. Creative thinkers wa, TPE sion. Using the excuse, and the legitimate nent te" foc 4, a businesses they cxamined ia for ind oh ves from the mendations to improve the PPOs . Weaknenest cy the jined from making recom! an ppaen in te 19605 and lasted through the 19 ides einer audit were P ng theit independence, the busin am ty ‘ ae lobalization, © ological advancements, relentless competi ey 208 graphic a0 Jancal landscape. Companies no Tonge opens th and te del since a ing moved (0 different countries, it was impractical ing the eat rent incon Wi? smoke age overecng al purchasing aii © besa Pee now roca 20 dd the world, the approval of customer orders could no lo ince customer, expeditiously competently by the sales manager. Purchasing and sales oa y regional general ANGE at the countries where these scant were nents to customer accounts, were no longer han ‘led, {00k personally bY the compan) neroller. There was no need (0. The local staff oc tinder che supervision of their local management cam. The company’s ies handle tha (ERP) system provided the necessary separation of duties and lined resource Tansaction planning ( processing r0 those authorize any neal airs mised these CRANES and were slow to adapt to the changi ed by the standard business model The wale ‘ ss ving that he word sil operat became irrelevant. Some internal auditors still used their standard checklis mons sar forthe same document and applied the rules of the eck, led the sane se ni dour procedures bs flowe, Hk avi sided buns mad, sed cane vera coro cnolr prin the ee Teer ide green aed for efecive incernal auditing. B and sig them, cise ste imporaace of having 2 stong and relable inna eos erly, management believed in the ‘ smal conttol envisa maa importance of having sound internal Te Seam i ei ee nr ones i Ph . " et tm op ' i i i ty commended aierd ae eae ee on traditional business modes that Se early out of sep with how the cor vay tough was impoanc eae feet on compliance led many auditors co ears ess, Ma an wusiness and | : = doe coe eee ee Se eee aed the modifications ie Gel aad creel wanted to refrain from mating esd bbue cadi ps yaments demanded quick and judicious red why act , = buns seuure andi practices, Beyond the methodol mode by eae eee ology, some manages i shoe 6 rere enough, ikea rmed in the first place. pestle es pais other role, Ia iin any a cvoied eee "sg nn and ng) ad riety replicated external auing m neraly more detail of prepari i il sires ieee alent publishing of ag ee ee ene eae ace i ee 2 et og et exe nao seemed waefl ifthe OB cial reports, 1 accounting practices that led to the ‘Scanned with camscannerDefinition, Characteristics, and Guidance @ 3 Much has changed si i in eee then, Starting inthe carly 1990s, interna audit began a transfor ging it more i line with the true needs of the of and the related stakeholders. The emergence of the stakeholder theory and & dias oa : stakeholder theory and topics about corporate ea and eye time in adton tthe constant advocacy mak ofthe TIA have gh many change othe profeson. The dotcom meltdown in 2000/2001 and the enact- Hato ibn Ou ‘Act of 2002 were wake up calls forthe profesion. i renal aaa is sciving 4 healthier balance among operational, reporting, com- Lanter ah nology (IT), fraud, and strategic copics. It is now looking beyond the immedi fsa year andtking aos look at lnger em tends and the fucute implications of cuet dyna Ie now Senilping wider of ese sl, and finding that to succeed as ea tries board and management, it must bring into its ranks people with a wider et, including broad business skills, strong communication skills, and familiarity with technology. Bur there is still work ro be done. The State of Internal Audit 2013 report from Thomson Reuters Accelus states that although internal auditors are beginning to evaluate more strategic- level risk management and monitoring activities, most internal audic departments continue (0 focus primarily on process assurance and monitoring activities. Respondents to the survey in- dicated there is lack of led resourss due co the changing oe of incenal auditors away from traditional quantitative assessments and toward becoming a qualitative assessor of the organiza- tion’s goals and strengths. This condition remains true as this book goes to print. In this book, we discuss these dynamics and lay the foundation for effective operational audits. ‘We begin by defining and understanding che definition, role, and practices of modern internal auditing in general and the evolving world of operational auditing in particular. We examine the concept and manifestation of organizational risks and how internal auditors must adopt a ike based auditing approach, which will llow ic o beter support the objectives ofthe organization. Tnegrated auditing is a concept that hasbeen in place fr decades, yet many iternal autor sal struggle to practice ic effectively, We discuss key areibutes of effective integrated audi and why ic is essential for effective operational audits. ‘We end this chapter with a review of selected Standards for the Profesional Practice of Tovernal Auditing (the Standard). But more than isc cher, we discuss their implications inthe bronder topic of operational auditing, and how these standards can be applied succesful. Definition and Characteristics of Operational Auditing Operational auditing je defined as “A furure-oriented, systematic and independenc evaluation of onpannaional activites Financial data may be wed, but the primar soc of evidence ae the operational policies and achievements related co organizaonal objectives, Intemal controls and ‘efficiencies may be evaluated during this type of review.” “The Business Dictionary defines operatios : management and its operating procedures are functi CHiconoy in meeting sated objectives. For example, a busines ig ef senior management has become convinced thar operational improve and need to be identified” ; A I worked in banking operations for 6 year after graduating from college, Ove sie, one of amy roles involved working with the marketing and IT departments to bring new product concepts eet and ensure thet smooth implementation and operation “The work involved managing ight perform an operational ents can be made ‘Scanned with |CamScannerrams from sCCOUNE Set fo pays Pre dius, ime consuming, and ofen Hee * be the large volume of paper files and the ela 3 procesing and storing documents, ang in a H peortbinss the company embarked on pe, Aly ol, 2 os ac ig HE cig and et a. was invited © pa enofe. The result was several months documenting exising pr a phe Ope process ft cheap, ard bet fra ig gm and CY HE BEE Yege o an ‘We hired an ext Tigran eduaion 08 Brinsorming,documenton, mai is with the consulrans ition, Rowcharting and time management, among many others inborn aeduced a ced scoring system chat reduced the amount of ime ely i res an applications We replaced paper ecards iy andthe numberof peo EY OT anderice eview, and were able to provide sey scanned images for document tre loan application process and related dsbursemen, and more curate suas upd OD juency left the bank co work as a business analy iq leveraged this per eas, I dacurnented business requirements for software engineers, sei dost i users. This involved facilitating workshops vg ceed ems : ind helped train en : : define business requirements snd system specications, performing process design, mapping and ne busines c analy, and ceating taining, materials. My role ao involved writing client acceprance ex i fed inthe design. This experience taught m ef taal requirements were included in ¢ rem eae and working closely wih computer programmers and operations “ aie felting meeting, documenting system layout and functionality, and training users, Fee ied met un amore in-depth undersanding ofthe nature of internal contls a various levels of system design, assessing the significance of system Aaws, and postrelease reporting reguement My third career move was more directly related co my original career aspiration: work in international busines. I wanted to take advantage of my professional experience, diverse personal background, and multiple language skils, so I contacted the internal audit department and asked for an informational interview. The internal audit manager who interviewed me asked many aquetons and appeared to be more interested in my experience documenting, analyzing, and improving busines processes, chan my degree in finance, During our interview, we spoke about the importance of asking ‘phe’ and “how” rearing the actives performed within a proces, Drocess, and the systems supporting both the people and the process. One aspect of the In the end, We vs done things that way." rompdy accepted th ‘company that was oft and 0 began “Py cxsaing in Lan Amen g8 08 the ine ‘Scanned with |CamScannerDefinition, Characteristics, and Guidance @ 5 My relatives, friends, and I was very happy for eames internal auditing as a Profesion, and what internal auditors did in paticular. Words often became a statemen along the lines of m h, $0 you are goin cs : : “I did’ noe 082 MO fan accounting fem.” o ‘wanted to work for the IRSI," or the i " ! L" or the question 'd You major in accounting? or something along those lines, Essentially, in the i . some inkling sbou dhe poke internal auditing was generally unknown, and for those with and tax-related work, Sion the tendency was to associate i with accounting, compliance, There was a ip ea = = Than and while Iwas learning about internal auditing too 1 knew explain as bes I could the crpan tn enn compliance, and tax work. I ook he oppor to mahigle eee I the expanding role of intemal auditors and how they helped management at il Nas doing my own advocacy work explaining the work of acon general and the exciting opportunites that this presented fac me, Since those days, he IA has done s Geral audking’ This efor was enhanced trough the Prnidcle eck hae te ee Coleen Renta nating others ofthe accounting iregularces in financial reporting at Enrony and Coleen Rowley, who documented the mishandling of information aad toe ee appropriate scton it the Federal Barca of lavergption (Fl). fd, heir wot was on intnieaeed in uncovering these problems, cha chey jointly received che Time Person ofthe Year award tn 2002 as The Whistleblowers.> AAs we take a closer look at internal auditing, i is helpful co review the definition of intemal audicing as promulgated by the IIA. According to the IIA, the definition of internal auditing “states the fundamental purpose, nature, and scope of internal auditing” Internal auditing is an independent, objective surance and consulting activity designed to add value and improve an organization's operations. It helps an organization ac complish its objectives by bringing a systematic, disciplined approach to evalate and improve the effectiveness of risk management, control, and governance processes Although this definition has been in place for years, itis sill misunderstood by many nonauditors, and unfortunately, even by some internal auditors. The misunderstanding stems from a variety of reasons and heavily influenced by the legacy of auditors performing financial reviews and internal auditors having accounting backgrounds. The definition reflects a modem view of the profession and positions auditors in such a way that they can provide much more valuable asistance to their organizations, The definition creates a variety of challenges and opportunities for internal auditors, who are no longer engaged in a static, routine, repetitive, and accounting/finance-focused but instead admonishes in- ternal auditors to review business programs, processes, and initiatives in innovative ways that can add tangible value to the organization. ‘Scanned with |CamScanner68 ; Ianguage cha important 10 note; jns some Key che position of internal audit wich, Jo pimarily with Ce Pore audit committe (or ne \d report © © (Or its ea ty tld eal ait oe ee and suppart co piform Tes meh the board of jee vender the control of those they audit, This direct oa souk ot Beane ganization wil ep intra audi cpg jghest authority Wi" tion from those whose influence, ecognition, ang : fa anomalies identified by the auditors, Pee action of any me of mind and their ability (0 examine g, ra , y ioe bias, without an agenda, with no other mage %, rocessts, and Pro vcare ie accuracely and promptly. Conflict of interes 3, "2 Ir go inceral audiors must be careful co balance main et abject ronships with others in the organization Sa ably co give confidence and make statemeny aes co the auditors’ abiiY ation. It is often considered a omy ie been the caditional focus of incemal auditors for iy” ‘ “compan bs erwin conformity and adherence of particular yp Compan suis Fo pans pred, repultions, contac, or i Ce he conduc and actos ofthat a, proces or yen, auiere assurance, not absolute asurance, because there ate py ide reasonable ae Pre wth constant, but also because there a no certains in fie does noe mean that incena auditors do substandard work knowing that hey cg mee results Internal auditors are expected to display competence, knowledge, and ac wi serrofesoal ce in alley do wo provide the bes surance posible, Compliance an say reulemens tat ate incenal or excernal, regulatory of not, explicit or implied Taco implicit, because che subject of corporate social responsiblity (CSR), humane working condo, and lower ecologic impact is nc always formally cdifed, bu sakehaldey wre incasingly demanding compliance with higher ethical and moral standards of conduc In fac the Value of Sustainability Reporting study from the Boston College Center for Corporte Citizenship and EY (Emst & Young) states that 68% ofthe 579 global organizations suvejed make a susainabilry disclosure annualy, Sustainability reports are becoming a leading busines practic for large organizations worldwide. “There is increasing interest among organizations and investors in these types of repors a2 way o make sure chat environmental and socal impacts are managed and as a way to ass the qualy and commitment of management to economic, environmental, social, and governance topics. According tothe report, there are four main reasons why organizations report: 4. Provide shareholders more transparency . Gain competitive advantage © Improve risk management capabilites 4. Respond to stakeholder pressure ‘Scanned with |CamScanner