mu1 module 3 powerpoint
Post on 14-Apr-2018
7/27/2019 MU1 Module 3 Powerpoint
http://slidepdf.com/reader/full/mu1-module-3-powerpoint 1/35
Course Name: Internal Auditing and Controls
Module: 3
Module Title: Risk Management, Control
Frameworks and Governance
Lectures and handouts by:
Chuck Campbell
Copyright © The Certified General Accountants Association of British Columbia. All rights reserved.
1
Risk management, control frameworks,
and governance
Module 3
As you learned in Module 1, the scope of internal auditing has
expanded over the past several decades. From a limited
focus on compliance and financial integrity, it first grew to
encompass the assessment of effectiveness, efficiency and
economy of operations. In recent years, the focus has
widened further to consider risk management and
governance. In this module you will learn about the
importance of managing risk, control frameworks and
control self-assessment. You will also consider the role of
governance and that of the audit committee.
2
Internal Auditing & Controls
Module 3
Part 1 Topic 3.1 Risk management
Part 2 Topic 3.2 Role of the internal auditor
Topic 3.3 Risk assessment process
Part 3 Topic 3.4 Control frameworks
Topic 3.5 Auditing using control frameworks
Part 4 Topic 3.6 Control self-assessment and continuous auditing
Part 5 Topic 3.7 Governance
Topic 3.8 Role of the audit committee
Topic 3.9 The Sarbanes-Oxley Act of 2002
Part 6 Module summary – Learning objectives
Recent examination questions
3
Internal Auditing & Controls
Module 3
Part 1
Topic 3.1 Risk management
4
The relationship between risk and
control
Risk is the possibility (uncertainty) of an event
occurring that will have a (negative) impact on
the achievement of objectives.
Enterprise risk is, therefore, the uncertainty of an
event occurring that may reduce the likelihood of
an organization achieving its objectives.
6
The relationship between risk and
control (cont’d)
Enterprise risk management is defined as “a
process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
7
The relationship between risk and
control (cont’d)
Effective control provides reasonable assurance
that the entity will achieve its objectives (by
reducing uncontrolled risks to an acceptable
level) and, therefore, includes the identification
and management of risks.
8
The relationship between risk and
control (cont’d)
Risk models enable management to identify the
risks faced by the enterprise, establish risk
tolerances (risk limits) for these risks and test
controls to ensure that the uncontrolled risks
remain within the organization’s established
risk tolerances.
9
Benefits of enterprise risk
management
aligning risk management and strategy;
enhancing risk response decisions;
reducing operational surprises and losses;
identifying and managing multiple and cross-
enterprise risks;
seizing opportunities;
improving deployment of capital.
10
Limitations to enterprise risk
management
human judgement in decision making may be faulty;
decisions on responding to risk (including establishing
controls) must take into account the relative costs and
benefits;
breakdowns can occur due to simple errors or mistakes;
controls can be circumvented by collusion;
11
Limitations to enterprise risk
management (continued)
management has the ability to override risk management decisions (including controls);
decisions must often be made in conditions of
uncertainty and without complete information.
For these reasons the board and management cannot have
absolute assurance as to the achievement of objectives.
12
Identifying risks using risk models
A number of risk models or risk frameworks have
been developed to help identify the risks related
to an organization’s activities and plans. The
risks faced by businesses vary from organization
to organization and should be identified by the
organization’s management.
13
Risk and the “Butterfly Risk Tool”
Reading 3-2 introduces a new tool to enable both
internal auditors and management to better
identify risk events as part of the organization’s
risk analysis.
The “Butterfly Risk Tool” considers the sources of
risk and the potential consequences of those
risks to the organization. Control activities
should be designed to address the sources of
risk and reduce the likelihood and impact of
adverse consequences.
14
Setting appropriate risk limits
Risk tolerances or risk limits define the amount of residual, uncontrolled risk that the board and management are
prepared to consider as acceptable. For example, a
company could determine the amount of foreign
currency risk that it was prepared to accept and
implement processes to hedge exposures in excess of
that amount. The amount of exposure that the company
was prepared to accept would be its “risk tolerance,”
“risk limit” or “risk appetite.”
15
Techniques for mitigating or
reducing risks
Management has a number of alternative techniques which can be used to manage the risks faced by an organization. These include:
avoiding the risk;
diversification;
controlling the risk;
18
Internal Auditing & Controls
Module 3
Part 2
Topic 3.2 Role of the internal auditor
Topic 3.3 Risk assessment process
22
The role of internal auditing in the
assessment and management of risks
Internal auditing includes assisting the
organization by identifying and evaluating
significant exposures to risk and contributing
to the improvement of risk management and
control systems. The internal auditor should
monitor and evaluate the effectiveness of the
organization’s risk management system.
23
The role of internal auditing in the
assessment and management of
risks (cont’d)
The purpose of internal auditing (in the context of risk management) is to assess the appropriateness and adequacy of management’s actions to avoid, share, transfer and control risks to keep them within the defined control limits or tolerances.
The IIA has issued a practice guide to assist internal auditors in assessing management’s risk management processes. This is found as On-line Reading 3.2-1.
24
The role of internal auditing in the
absence of a formal risk
management process
If an organization has not established a risk management process, the internal auditor should bring this to the attention of management together with suggestions for establishing such a process.
If requested, internal auditors can play a proactive role in assisting with the initial establishment of a risk management process for the organization.
Internal auditors can facilitate or enable risk management processes but they should not “own” or be responsible for the management of the risks identified.
27
Principles of risk management
1. Risk management creates and protects
value (and must be most rigorous when
risks are greatest).
2. Risk management is an integral part of
organizational processes.
3. Risk management is part of decision-
making.
4. Risk management expressly addresses
uncertainty.
28
Principles of risk management
5. Risk management is systematic, structured,
and timely.
6. Risk management is based on the best
available information.
7. Risk management is tailored to the specific
organization.
8. Risk management takes human and cultural
factors into account.
29
Principles of risk management
9. Risk management is transparent and
inclusive.
10. Risk management is dynamic, iterative, and
responsive to change.
11. Risk management facilitates continual
improvement and enhancement of the
organization.
30
ISO 31000 on risk management
Risk management should:
address uncertainty;
constitute an integral part of business process and
decision-making;
be based on the best available information and
tailored to the organization;
take human and cultural factors into account;
be dynamic, iterative and responsive to change;
mature further as the organization gets better at
risk management;
create and protect value.
31
Differences between traditional and
risk-based internal auditing
Risk-based auditing starts by reviewing the organizational
objectives, then considers the business risks that impact
the achievement of those objectives and examines the
methodologies in place to mitigate those risks. Risks
can be avoided, shared or transferred, rather than
controlled. Risk-based auditing also explicitly accepts
that there will always be some risk that must be
accepted, but the acceptable amount must be kept within
the limits established by the board and management.
32
Differences between traditional and
risk-based internal auditing (cont’d)
Traditional auditing began with a consideration of
controls, focusing only on the design and
effectiveness of the controls in meeting
traditional control objectives of ensuring
accurate financial information, compliance with
laws and policies, safeguarding of assets and
achievement of effectiveness, efficiency and
economy of operations.
33
Managing the risk of the internal audit
activity
The risks to internal audit activities fall into three
broad categories:
audit failure;
false assurance; and
reputation risks.
Internal audit departments should proactively
manage their risks in these areas, particularly by
monitoring compliance with professional and
ethical standards.
34
Internal Auditing & Controls
Module 3
Part 3
Topic 3.4 Control frameworks
Topic 3.5 Auditing using control frameworks
35
Risk and control frameworks
Risk and control models or frameworks have been developed by a number of organizations, firms
and individuals as a means of providing a
common language to be used in the
identification and mitigation of risks.
Risk frameworks focus on the risks faced by
enterprises; control frameworks focus on the
controls to mitigate the risks.
36
Different definitions of control
objectives
COSO (the American Committee of Sponsoring Organizations of the Treadway Commission), CoCo (the CICA Criteria of Control Committee), and the IIA have similar, but different, definitions of control. All three definitions consider control to consist of actions taken to support people in the achievement of the organization’s objectives.
37
Different definitions of control
objectives (cont’d)
The objectives of control set out by COSO relate to the effectiveness and efficiency of operations, the reliability of reporting and compliance with applicable laws, regulations and internal policies. CoCo uses virtually identical language to describe its view of control objectives.
38
Different definitions of control
objectives (cont’d)
The IIA Standards list four objectives: reliability
and integrity of financial and operational
information, effectiveness and efficiency of
operations, safeguarding of assets, and
compliance (with laws, regulations and
contracts). These can all be considered to fall
within the objectives set out in the COSO and
CoCo frameworks.
39
Components of effective internal
control
COSO states that in an effective internal control
system, the following five components work to
support the achievement of an organization’s mission, strategies and related business
objectives:
the control environment;
risk assessment;
control activities;
information and communication;
monitoring activities.
40
The nature of control
CoCo’s Guidance on Control makes five observations on the nature of control:
Control is effected by people throughout an organization.
Those who are accountable for activities should be accountable for controlling those activities.
Organizations are constantly interacting and adapting.
Control can never supply absolute assurance – only reasonable assurance.
Effective control requires a balance between autonomy and integration, and between the status quo and adapting to change.
41
Limitations of control (cont’d)
Control cannot give absolute assurance – only reasonable assurance – because:
1. Controls must be cost-effective.
2. There are inherent limitations to control. These include:
the decision-making processes may be faulty (or based on incomplete or uncertain information).
controls tend to be directed at routine, recurring transactions.
some human error is inevitable.
there is always the possibility of collusive circumvention of controls.
there is always the possibility of management over-ride of controls.
42
The CoCo framework
The CoCo framework:
is generally broader than most other frameworks;
classifies criteria of control into four groups:
purpose;
commitment;
capability;
monitoring and learning.
recognizes soft controls (such as trust).
43
Control frameworks and internal auditing
The development of control frameworks has led to a broader understanding of control and management’s responsibility for controlling the activities that they manage. It has brought management more into the control assessment process and created greater control-consciousness in management. It has recognized the existence and potential effectiveness of “soft” controls and included them in evaluation.
44
Control frameworks and internal
auditing (cont’d)
Using the COSO control framework is a six-step process:
1. Understand the control framework to be used.
2. Determine existing control strengths and weaknesses.
3. Define key issues and reportable conditions.
4. Validate testimonial evidence.
5. Complete the assessment.
6. Identify and recommend corrective action.
45
Internal Auditing & Controls
Module 3
Part 4
Topic 3.6 Control self-assessment and continuous
auditing
46
Control self-assessment defined
Control self-assessment can be broadly defined
as “any activity where the people responsible
for a business area, task, or objective using
some demonstrable approach analyze the
status of control and risk to provide additional
assurance related to the achievement of one
or more business objectives.”
47
Purposes of control self-assessment
Identification of risks and exposures.
Assessment of the control processes that
mitigate or manage those risks.
Developing action plans to reduce risks to
acceptable levels.
Determining the likelihood of achieving
business objectives.
48
Starting points for CSA
CSA can start with any of the following:
1. Objectives
2. Risks
3. Processes
4. Controls
49
Alternative processes in CSA
1. Facilitated team workshops – gather information from work teams representing different levels in the organization.
2. Surveys – uses a questionnaire format in circumstances where:
Respondents are too numerous or geographically dispersed;
Management style discourages open, candid discussion;
Workshops are viewed as too expensive.
3. Management-produced analysis – generally prepared by a team in a staff or support role within the activity.
52
Steps in the control self-assessment process (facilitated team workshops)
As developed by Gulf Canada Resources, control self-assessment (CSA) consisted of the following phases:
1. Identify business objectives and customize the process for the participating workshop team.
2. Conduct a workshop with management and staff from the unit being assessed.
3. Prepare a summary report and provide feedback.
53
Steps in the control self-assessment
process (facilitated team workshops) (cont’d)
Phases in control self-assessment (cont’d)
4. Analyze and review results, comparing them with those from other workshops.
5. Report results to management.
6. Report summary results to the audit committee.
7. Provide follow-up and assistance in dealing with the issues identified.
54
Different viewpoints on CSA
Is it really internal auditing?
Maybe . . . but it is not sufficient in itself – some testing of the operating effectiveness of key controls should be performed in addition to CSA in areas of significant enterprise risk where CSA is used.
55
Advantages of control self-
assessment
Advantages of control self-assessment include:
increases management and employee
awareness of controls;
brings the focus of those who know the
processes to bear on control issues;
gains acceptance of recommendations;
provides potential cost savings in later
years.
59
Disadvantages of control self-
assessment
Disadvantages of control self-assessment include:
lack of objectivity and independence of
evaluations;
costly to implement (in the first few years);
may become mechanical in time;
requires an open management style to be
effective.
63
Continuous auditing
Another technique that auditors can use to monitor
risks and evaluate the effectiveness of internal controls is known as continuous auditing. This
technique usually relies upon technology to
monitor risk and controls automatically. This is
explained further in Reading 3-8.
64
Internal Auditing & Controls
Module 3
Part 5
Topic 3.7 Governance
Topic 3.8 Role of the audit committee
Topic 3.9 The Sarbanes-Oxley Act of 2002
65
The concept of governance
Governance is “the combination of processes
and structures implemented by the board in
order to inform, direct, manage and monitor
the activities of the organization toward the
achievement of its objectives.”
66
The concept of governance
“Corporate governance” means the process and structures used to direct and manage the business and affairs of the corporation with the objective of enhancing shareholder value, which includes ensuring the financial viability of the business. The process and structure define the division of power and establish mechanisms for achieving accountability among shareholders, the board of directors and management. The direction and management of the business should take into account the impact on other stakeholders such as employees, customers, suppliers and communities.
67
The concept of governance
Governance refers to the responsibilities and actions of members of governing bodies in their stewardship capacity (to protect the interests of the entity’s stakeholders).
Accountability is the obligation to answer for a responsibility.
Boards of directors (or their equivalents) are accountable to the entity’s stakeholders for the performance of their governance role.
68
Control and governance role of the board of directors
CoCo’s Guidance for Directors provides the following list of
control and governance responsibilities for private
sector Boards of Directors:
1. approve and monitor mission, vision and strategy;
2. approve and monitor the organization’s ethical
values;
3. monitor management control;
4. evaluate the performance of senior management;
5. oversee external communications;
6. assess the board’s own effectiveness.
74
Control and governance role of the board of directors
The Board of Directors
is the focal point for all governance activities.
is ultimately accountable and responsible for the
performance and affairs of the organization, its
effective risk management practices and its risk
limits.
oversees all organizational activities but does not
have direct management of any of them.
establishes the “tone at the top” and implements
best governance practices for the organization.
75
Control and governance role of management
Management
sets strategic direction and establishes the entity’s value system.
provides assurance that risks are managed as part of a risk management process, that operations are monitored, results are measured and corrective actions are implemented in a timely fashion.
deploys strategy, enforces internal control and provides direct supervision over operational areas.
is accountable for implementing and monitoring the risk management and control processes.
76
Role of internal audit in relation to
governance
Internal audit should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
promoting appropriate ethics and values within the organization;
ensuring effective organizational performance management and accountability;
effectively communicating risk and control information to appropriate areas of the organization;
effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.
80
Role of internal audit in relation to
governance
Internal audit can:
evaluate whether companywide governance components work together as expected.
analyze the level of reporting transparency among parts of the governance structure.
compare governance best practices.
identify compliance with recognized and applicable governance codes.
Guidance from the IIA states that “internal auditors may participate in the establishment of governance processes.”
81
The role of the audit committee of the
board of directors
The responsibilities of the board’s audit committee
usually include the following:
1. oversight of published financial information including annual financial reports, interim reports, public disclosure documents, etc.
2. oversight of the internal auditing function
3. oversight of the internal financial controls
4. oversight of the corporate Code of Conduct
5. liaison with the organization’s external auditors
86
Audit committee charter
Best practices include an audit committee charter, drawn up by the audit committee and approved by the board. It would typically include:
PURPOSE
AUTHORITY
COMPOSITION
MEETINGS
RESPONSIBILITIES
(See Exhibit 3-2 for an example charter)
87
Impact of Sarbanes-Oxley Act of 2002 on
corporate governance
The Sarbanes-Oxley Act of 2002 was passed by the
US Congress to address investor concerns after theEnron collapse.
88
Impact of Sarbanes-Oxley Act of 2002 on
corporate governance
The Sarbanes-Oxley Act of 2002 was passed by theUS Congress to address investor concerns after theEnron collapse.
Among the changes was the creation of a board tooversee audit and assurance of publicly tradedentities.
89
Impact of Sarbanes-Oxley Act of 2002 on
corporate governance
The Sarbanes-Oxley Act of 2002 was passed by theUS Congress to address investor concerns after theEnron collapse.
Among the changes was the creation of a board tooversee audit and assurance of publicly tradedentities.
CEOs and CFOs must now attest to their belief in
the accuracy of published financial information.
90
7/27/2019 MU1 Module 3 Powerpoint
http://slidepdf.com/reader/full/mu1-module-3-powerpoint 31/35 3
Impact of Sarbanes-Oxley Act of 2002 on
corporate governance
The Sarbanes-Oxley Act of 2002 was passed by theUS Congress to address investor concerns after the
Enron collapse. Among the changes was the creation of a board to
oversee audit and assurance of publicly tradedentities.
CEOs and CFOs must now attest to their belief in theaccuracy of published financial information.
External auditors (in the United States) will have toprovide opinions on the controls over financialreporting within their publicly traded audit clients.
91
Impact of Sarbanes-Oxley Act of 2002 on corporate governance
The Sarbanes-Oxley Act of 2002 was passed by the US Congress to address investor concerns after the Enron collapse.
Among the changes was the creation of a board to oversee audit and assurance of publicly traded entities.
CEOs and CFOs must now attest to their belief in the accuracy of published financial information.
External auditors (in the United States) will have to provide opinions on the controls over financial reporting within their publicly traded audit clients.
These changes have increased the responsibility of boards and their audit committees and have resulted in much greater significance being placed on the internal audit functions within those companies affected by the law.
Internal Auditing & Controls
Module 3
Part 6
Module summary – Learning objectives
Recent examination questions
Module 3 Learning Objectives
1. Explain enterprise risk management and how risk models can help identify specific risks and set appropriate tolerance limits. (Level 1)
2. Explain the role of the internal auditor in the risk management process and how this role changes when there is no established risk management process. (Level 1)
3. Explain how auditors use risk assessment to assist in audit planning and compare this approach with traditional approaches to internal auditing. (Level 1)
4. Explain the definition, nature, inherent limitations, and criteria of control as set out by the Committee of Sponsoring Organizations (COSO), and compare the COSO control framework with other frameworks. (Level 2)
5. Describe the impact of the development of control frameworks on internal auditing and outline the steps in using a control framework as the basis of assessing control in an organization. (Level 2)
6. Explain the control self-assessment process, identify its advantages and disadvantages, and outline how continuous monitoring can improve the effectiveness of internal control. (Level 2)
7. Outline the IIA performance standards on governance, the governance responsibilities of the board of directors or equivalent body, and the role of internal audit in corporate governance. (Levels 1 and 2)
8. Explain the role of the audit committee of the board of directors. (Levels 1 and 2)
9. Explain how the Sarbanes-Oxley Act of 2002 has affected corporate governance and understand how internal audit may assist in the Sarbanes-Oxley compliance process. (Level 2)
Recent examination questions
The examination blueprint states that between 8% and 11% of the examination will test material from Module 3.
Typical examination questions:
Multiple choice questions
Essay questions – question 1
Essay questions – question 2