Advancement in Audit World

Advancement in Audit World

In today’s challenging times, internal auditors are evolved as ‘strategic partners’ instead of ‘police men’ of organization. Currently, internal audit function’s major focus is on value addition and improvement in operations of different activities to make effective and efficient for the good of auditee. Now internal audit function is perceived as ‘change agent’ an activity that will bring discipline and systematic change for the ease of auditee and for the overall efficiency of organization so that organization’s objectives can be achieved effectively and efficiently.

Traditionally internal audit function was only focused on the provision of compliance assurance services i.e. to assess whether certain process and procedure is done or completed in compliance with respective policy. However, now internal audit function has been evolved to focus not only on compliance assurance but also to provide related consulting services in a form of trainings, facilitation and advisory roles.

As per IIA’s IPPF Implementation Standard 2010.C1 “The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations”.

In the world of internal auditing concept of ‘Blended Engagements’ is emerging in which internal auditors not only provide assurance services, but, side by side, also conduct consulting and advising role to add value in the overall governance, risk management and control processes of organization.

As per IIA’s IPPF Implementation Standard 2130.C1 “When assisting management in establishing or improving risk management processes through consulting services, internal auditors must refrain from assuming any management responsibility by actually managing risks”.

Such blended and consulting engagements not only add value to the organization but also in parallel internal auditors learn a lot about organization’s operations, culture, strategy and governance, information and communications, monitoring and reporting relationships.

As per IIA’s IPPF Implementation Standard 2130.C1

“Internal auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the organization’s control processes”.

This helps internal auditors in the assessment and performance of assurance services related to control environment and risk management of significant risks in organization.

As per IIA’s IPPF Implementation Standard 2120C1

During consulting engagements, internal auditors must address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks”.

In modern internal auditing the stiff and strict perception of internal auditing is changing and soft and relationship oriented audit culture is prevailing as part of today’s requirement for better value addition and overall accomplishment of objectives of organization. To accomplish this, apart from internal auditors being provider of consulting services, even in assurance related engagements, internal audit activity must adopt strategic partner role and encourage the positive results of audits engagements by documenting the same with positive feedback in audit reports for appreciation of auditee and bridging the gap between auditor and auditee.

As per Implementation Standard 2410.A2

Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications. Internal auditors should provide positive feedback to engagement clients when appropriate. This practice helps to develop good relations with clients and may improve their receptiveness to the audit findings. Additionally, client accomplishments included in the final communication may be necessary to present fairly the existing conditions and provide perspective and balance”.

Information system plays a vital role in today’s digital era. Review of organization’s information system and to give objective assurance about the IT governance, IT risk management and IT controls has become foundation of internal auditing function. Cybersecurity including data breach, hacking, ransom-ware i.e. software to extort and demand money as ransom and phishing messages/emails are emerging current IT related issues which internal audit function must consider in its audit universe for engagement. In this IS Audit perspective emerging issue of ‘Patches’ as part of change management process in organization is an aspect which internal audit must look into deeply to dig out the possible vulnerabilities.

As per GTAG-IT-Change management, article published in IIA’s website: Patches are changes to a computer program designed to address a security vulnerability, an operational deficiency, or to add new or upgraded features between software releases. They may repair vulnerabilities or other defective code unintentionally occurring in the production environment”.

With the advent of progress in information technology, the future of audit profession will dramatically move from periodic to continuous audit by embedded audit modules, from manual to semi-automated to fully automated system based controls based on threshold alert system, from sampling to 100% population review through IT based MIS exploitation, formulas, macros analysis, from providing assurance on historical data to providing assurance on emerging future risks, from assessing business continuity to ensuring business resilience, from field based manual voucher checking to latest IT based remote checking of scanned documents, data mining, integrated test facility, application tracing and system mapping, spreadsheet analysis and parallel simulations, from giving simple conclusions to recommending changes and innovations through solid regression and trend analysis, from manual printed work papers to system based electronic work papers and work programs, from audits of hard disk storage data to cloud based real time data, from audits of office based physical environment to remote network/VPN access and virtual network audits, from audits of human beings operating and handling machines and equipment to artificial intelligence based robotic process automation audits, from audits of procurement or buying and selling through paper currency to transactions through POS (point of sale) based/QR code/card swap/online and crypto currencies, etc. Traditionally internal audit function was not involved with other assurance providers like compliance department, external auditing functions and regulators. However, with the passage of time and emerging challenges of new competitions, cost factor and requirement of improved efficiency and quality, now internal audit function is evolved in a way to consider and rely on the works of other internal and external assurance providers.

As per Performance Standard 2050 & 2201

The chief audit executive should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts. Internal auditors also obtain and review the results of work performed by other internal or external assurance providers and/or prior audit results from the area or process under review.”

Final responsibility and accountability of providing assurance services being an independent eyes and ears of board rely on internal audit activity. Chief audit executive will eventually decide about the extent of reliance keeping in view the competency and scope of the work of service provider.

As per Interpretation of Standard 2050

Where reliance is placed on the work of others, the chief audit executive is still accountable and responsible for ensuring adequate support for conclusions and opinions reached by the internal audit activity

Control self-assessment is another emerging concept in internal auditing where ownership of control processes is assumed to be taken by organization’s staff at all levels. The people who work within the process, i.e., the employees and managers, are asked for their assessments of risks and controls in their process. Risk assessment, business processes, and internal controls are not treated as exclusive concerns of senior management and the internal audit activity. Instead, CSA involves all personnel, asks for their input, and gives them a sense of participation and ownership. Through a CSA program, the internal audit activity and the business units and functions collaborate to produce better information about how well the control processes are working and how significant the residual risks are. Environmental auditing/green auditing is becoming very famous with the development of environmental cleanliness and protection awareness among organizations.

As per Gleim guide on internal auditing:

An organization subject to environmental laws and regulations having a significant effect on its operations should establish an environmental management system. One feature of this system is environmental auditing, which includes reviewing the adequacy and effectiveness of the controls over hazardous waste.”

Many types of environmental audits exist as of now; however as per IIA publications, major types of environmental audits consist of transactional audits, in which assessment of the environmental risks and liabilities of land or facilities prior to a property sale or purchase is considered. Treatment, storage, and disposal facility (TSDF) audits in which the law may require that hazardous materials be tracked from their acquisition or creation to disposal by means of a document (a manifest). All owners in the chain of title may be liable. For example, if an organization contracts with a transporter to dispose of hazardous waste in a licensed landfill and the landfill owner contaminates the environment, all the organizations and their officers may be financially liable for cleanup.

Concluding the whole article, internal auditing function is in a process of continuous evolution with the advent of new technologies, emerging risks and changing trends. During the challenging time of COVID-19, pandemic focus of internal audit has been shifted to continuous auditing, remote auditing instead of field visits and thematic audits in risk based perspective. With the new advancements and paradigm shifts, new challenges are coming in a way of internal auditing function. Such challenges can be addresses if new skills are developed through continuous learning and progress.



Jahanzaib Javaid ACCA, APFA, PMP

Internal Audit | Risk Advisory | Financial Services | Banking & Capital Markets | Compliance | Risk Review | Governance |

3y

👍

To view or add a comment, sign in

Insights from the community

Others also viewed

Explore topics