INTRODUCTION
An introductory section should provide an overview of the specific nature of internal audit. Briefly the structure and function of the Internal Audit Unit should be presented. The difference between internal audit and internal control should be discussed
It is well known that corporate governance is a vital part of the corporate structure, and as an extension of that, internal audit increases the role of corporate governance and provides the firms with better relationships among their members. However, the question that might arise is 'What really corporate governance is and what is the role of internal audit?'
The definition of corporate governance has been recognised since 1970 and is defined in different ways (Cattrysse, 2005). One of them is 'the mean to improve relations between companies and their shareholders; to improve the quality of outside directors; to encourage people to think long-term; to ensure that information needs of all stakeholders are met and to ensure that executive management is monitored properly in the interest of shareholders.' (Cattrysse, 2005, pp. 3). Corporate governance includes members such as board of directors, management, audit committee, and stakeholders (Cattrysse, 2005).
The role of internal audit within an organisation is to ensure that all internal procedures and controls made by the management are adequate and effective (Cattrysse, 2005). An internal auditor is hired by the management and at the same time the person who occupies this position should be independent, something that is in contrast with the way this recruitment occurred (Cattrysse, 2005). For that reason, the audit committee supports the view that there should be official mechanisms between the internal audit and the internal committee to secure the confidential exchanges (Cattrysse, 2005).
The structure of Internal Audit Unit can be met in three different ways (Li, 2006). According to Li (2006), the internal audit unit and the Board of Directors are at the same level of authority and the monitoring committee is guiding the internal audit unit. The second type of structure occurs when the internal audit unit and the company's various departments are at the same level and the former is controlled by the Board of Directors, whereas the third type happens when the internal audit unit is integrated into the finance department since internal auditing is a vital part of finance unit (Li, 2006).
Internal Audit Unit should support the following functions in order its role to be useful in a company's operation: mission and scope of work, accountability, independence, responsibility, authority, and standards of audit practice (Fitzsimon, 2005). However, a more detailed presentation of Internal Audit Unit's functions is going to be discussed into next section.
Internal control and internal audit are two different meanings and should not be confused (Cattrysse, 2005). The main role of internal control is to provide the users with reliable, relevant, timeliness, and compliance with laws and legislations in the financial statements, so as to assist the users in the decision making process through information's accuracy (Cattrysse, 2005; KPMG, 2008). Firms strive to minimise their risks of material misstatements which are occurred in the financial statements (Cattrysse, 2005; KPMG, 2008). On the other hand, internal audit is the activity that is executed by internal auditors to supervise whether the internal control system operates sufficient or not (Cattrysse, 2005; KPMG, 2008).
Internal Audit Unit, Audit Committee and External Auditor
The report should then examine the reasons for introducing internal audit within the corporate structure. The responsibilities and role of the Audit Committee should be analysed. The report should briefly describe and evaluate the roles of, and relationship between, the Internal Audit Unit, Audit Committee and External Auditor.
KPMG (2008) states that internal audit is a fundamental part for a company. Board of directors can fulfill their internal control task, through the internal audit's supervision and assist (KPMG, 2008). The reasons why an internal audit unit should be introduced in a corporate structure, as KPMG (2008) refers, are to be presented.
Internal audit a) provides a brief description of the organisation's control type and evaluates the tone at the top, b) demonstrates unbiased risk assessment, c) shows the various process forms of the organisation, d) explains the contribution of the assets, e) releases valid information of frauds and deceptions, f) illustrates reviews of unacceptable levels of risk, g) displays the compliance framework, h) presents the operational and financial performance, i) offers suggestions for better utilisation of resources, j) estimates the accomplished goals and objectives, and k) gives feedback about firm's code of ethics and firm's values (Hermanson & Rittenberg, 2003; KPMG, 2008).
Audit committee exists due to the fact that every organisation should provide to the public reliable and accurate information and proper assessment of the risk of the firm that are interested in. To be more precise, in accordance with NACD (2000a), Hermanson & Rittenberg (2003), and Sarens et al., (2009) audit committee's task is mainly to observe the financial reporting procedure, to supervise the internal control system, meaning that risks are calculated and minimised by the management, and to monitor whether the internal and external auditors do their work properly or not. Others support the view that audit committee should emphasise primarily in the overseeing of financial reporting procedure (Hermanson & Rittenberg, 2003).
As mentioned above, the monitoring of external auditors includes the fact that an audit committee in some countries (e.g. USA) has the authority to dismiss external auditors from their duties, to hire new ones, and to assess their independence (Hermanson & Rittenberg, 2003).
Fig. 1: Internal Auditing in an Organisational Governance Framework.
Source: Ruud & Bodenmann, 2001, pp. 522; Ruud, 2003, pp. 75)
Despite the fact that external auditors are not incorporated in the organisation, they are considered to be engaged by it (Pop et al., 2008). Additionally, they provide an annual report of the organisation's financial statements. Furthermore, external auditors can minimise errors that are not material significance and as an extension of the aforesaid, they focus on the general performance and financial results. Finally, they examine risk factors regarding management issues and 'behaviours' (Pop et al., 2008). Rudd (2003) claims that, an audit committee acts as a coordinator between external audit and internal audit unit. Figure 1 supports the previous argumentation.
It so far obvious that internal auditing is influenced by senior management and external auditing is not (Pop et al., 2008). Goals and strategies of internal auditing rely on the management's needs whereas external auditors are interested in accurate and unbiased financial statements that do not encompass material misstatements (Pop et al., 2008). What is more, external auditing should be informed by the internal auditors in case something unexpected happens to the internal auditing reports and external auditors should notify when an event is able to affect internal auditing (Pop et al., 2008). External auditors must have complete access to internal auditing reports, and lastly, they should carry out an evaluation of the internal audit function (Pop et al., 2008).
3.1. Interaction between the audit committee and the internal audit function: insights from previous qualitative studies
Recent qualitative studies by Beasley et al. (2009), Gendron and Be΄dard (2006) and Gendron et al. (2004) demonstrated
that practices carried out in audit committee meetings aim to make members comfortable, with regards to matters such as
the accuracy of financial statements and the quality of the work performed by internal and external auditors. The results of
these studies argue that the notion of comfort, as introduced in Pentland's (1993) study on audit engagements, is a fundamental
aspect of the work performed by audit committee members. For example, the study by Gendron and Be΄dard (2006;
236) answers the question: ''what actions do audit committee members and other attendees engage in while trying to mitigate
their anxieties and transform them into hope and comfort zones?''
Audit committee members at three Canadian public companies studied by Gendron et al. (2004) had an interest in the
extent to which internal control is effective, not least because internal control underlies the credibility of financial reports.
Audit committee members in their study relied on the work of the internal audit function to develop their own appreciation
of the internal controls' effectiveness (cf. also Krishnan, 2005). More specifically, they became comfortable with internal
control by assessing the extent to which managers adopt appropriate measures to solve deficiencies highlighted in internal
audit reports. In all three of their cases, internal auditors attended audit committee meetings.
In addition, a more recent study by Gendron and Be΄dard (2006), partially based upon the same data, found that audit
committee members carry out diverse practices, in order to become comfortable with their company's internal controls, and
that several of these practices deal with internal audit reports. Their interviewees confirmed that internal auditing mattered
to them. More specifically, the work of the internal audit function makes visible the extent to which top managers are
competent at dealing with risk and internal control. It turns out, from their interviews, that internal auditors are aware of
their capacity to uncover problems. The authors concluded, therefore, that the internal audit function appears to play a central
role in the development of an accountability relationship between corporate management and the audit committee, which
refers to the principal/agent problem between the audit committee and management, as described earlier in this paper.
Beasley et al. (2009), studying the audit committee oversight process within 42 US public companies, found that audit
committee members clearly are dependent upon both internal and external auditors in evaluating the effectiveness of
internal control over financial reporting. In general, the audit committees in their study would meet frequently with the
internal auditors. It appeared that the audit committee's interaction with internal auditors had increased from pre-SOX
periods, but remained very limited in some of their cases. However, their interviews revealed frequent, ongoing substantive
communications between the audit committee and internal auditors outside of scheduled meetings. In many of their cases,
the oversight of the internal audit function was shared between the audit committee and management in a fairly informal,
sometimes contentious manner. The investigators also identified a substantial lack of clarity in the internal audit function's
reporting channels.
Additionally, a recent case study conducted at a UK listed financial services company by Turley and Zaman (2007) revealed
that, when judged using formal processes alone, the direct impact of the audit committee on matters of internal control and
audit is limited. The authors found only limited evidence of the audit committee questioning or challenging internal audit
findings. Moreover, the influence of the audit committee on the agenda and work plan of the internal audit function turns out
to be limited. The primary active concern of the audit committee, with respect to internal control, appears to be to ensure that
the internal audit plan is met. Members argue that their limited role in specific internal control matters may be explained by
the audit committee's lack of detailed knowledge, thereby implicitly referring to the information asymmetry problem with
which audit committee members must deal. However, the authors found evidence supporting the importance of an informal
channel of communication between the head of the internal audit function and the audit committee chair, through which
concerns might be raised. In their specific case, the head of the internal audit function considered that reporting concerns to
the audit committee generally led to improved governance, which confirms the importance of the relationship between the
audit committee and the internal audit function.
It must be noted that the above-mentioned studies implicitly assume a principal/agent problem between the audit
committee and management, leading to significant information asymmetries on behalf of audit committee members.
Furthermore, these studies recognised the internal audit function as an important mechanism by which to reduce these
information asymmetries, without elaborating on what makes it so. The current study will elaborate more on the specific
information asymmetries that exist, on behalf of the audit committee, thereby further exploring the notion of comfort within
the specific context of the audit committee process. Additionally, this study will incorporate an investigation into what makes
the internal audit function a suitable comfort provider for the audit committee.(sarens et al, 2009)
Internal audit and corporate governance
The report should examine and evaluate whether internal audit is able to improve corporate governance. You should refer to official reports such as the Cadbury, Hampel and Higgs Reports, also Sarbanes Oxley as well as the Combined Code 2010, as appropriate.
Internal audit's work, through their ability to provide information to risk's reduction, can lead a corporation into safety paths and therefore to improve corporate governance (Allen, 2008). Consistent with Allen (2008), internal auditing facilitates the function of 'risk intelligent enterprise', implying that these enterprises assess the probabilities and apply scenarios in their operations, which enables them to the decision-making process and create strategies. The contribution of internal auditors at this point is to achieve a solution for the corporation in order to be more risk intelligent (Allen, 2008). Moreover, they can act as an information channel as well as to enhance operating efficiency (Allen, 2008).
Risk is another factor an enterprise should consider since internal auditors can recognise the different types of risk and imbalances that may occur (Allen, 2008). Enterprises cannot flourish when performing so as to avoid risks (Allen, 2008). Instead, enterprises that utilise the internal auditors' knowledge could add new value in the organisation and develop competitive advantage (Allen, 2008).
Most enterprises assume only traditional financial measurements can evaluate their condition but non-financial factors (among others customer satisfaction, operational quality, innovation, and employee commitment) are those indicators that can assess the performance of an enterprise as well (Allen, 2008). Ethics is also a crucial factor, which can be recognised by internal auditors and raise the corporate performance by boosting the consumers' confidence and creating dedicated customers (Allen, 2008). Using their abilities and the fact that they are integrated in the company, internal auditors can build value by informing management deal with a number of potential threats, from corporate reputation to environmental issues (Allen, 2008). Lastly, expanding the board with members having internal auditing experience, higher boardroom diversity could be achieved, and as a result, greater thought production and improved corporate governance could occur (Allen, 2008).
Cadbury Report (1992), named as 'The Financial Aspects of Corporate Governance' provided recommendations for the reformation of boards and accounting systems so as to minimise corporate governance risks, and to establish effective audit committees with efficient internal controls. Cadbury's recommendations focused on the separation of the roles between the chairman and the CEO (Cadbury, 1992; Cattrysse, 2005). Additionally, the idea that there should be an element in the boardroom, that could prevent CEOs from getting too much power, prevailed (Cadbury, 1992; Cattrysse, 2005).
In short, Cadbury refers to a framework including three principles: openness, integrity, and accountability (Cadbury, 1992; Cattrysse, 2005). A requirement that could influence internal audit function was the fact that the directors had to report whether the internal control system was effective or not (Cadbury, 1992; Cattrysse, 2005). The Cadbury Report is, in a great extent, based on the Committee of Sponsoring Organisations of the Treadway Commission (COSO) and Cadbury's principles are applied in various worldwide corporations (Cattrysse, 2005).
Corporate scandals, such as Enron, Barings Bank, Northern Rock, and WorldCom, which cost billions to the investors, forced US to publish the Sarbanes-Oxley Act of 2002 (Cattrysse, 2005). Section 404 in Sarbanes-Oxley Act (SOX) refers to the assessment of internal control (Sarbanes-Oxley Act, 2002). Precisely, management and external auditing should conduct a report concerning the adequacy of internal control system for financial reporting (Sarbanes-Oxley Act, 2002). SOX presented eight sets of 'rules' or 'codes' until 2004 aiming to restore the reputation of the biggest US organisations and to enhance good corporate governance (Cattrysse, 2005). Moreover, an internal auditing became a necessity for all NYSE listed companies (Cattrysse, 2005). Nevertheless, even with these harsh measures, SOX did not manage to eradicate the risk of corporate scandals (Cattrysse, 2005).
The Combined Code 2010 formulated due to Hampel Committee and promoted even more good corporate governance (Combined Code, 2010). The Combined Code combines the elements of accountability and corporation prosperity (Combined Code, 2010). The former element was the corner stone of the Code since it could improve the performance and the profit of the firm (Combined Code, 2010). The recommendations of Cadbury Committee, Greenbury Committee, and Hampel Committee compose the Code which mentions among others that the audit committee should be represented by independent non-executive directors and great emphasis has been given in the notion of integrity due to the aforementioned corporate scandals (Cattrysse, 2005).
Corporate scandals
The report should also refer to recent corporate scandals such as Enron, Barings Bank, Northern Rock, WorldCom, Lehman Brothers and Satyam Computers as well as the current financial crisis. It should evaluate the role of internal audit in these corporate scandals.
Lehman Brothers belongs to the most and biggest corporate scandals in history. The reasons of the bankruptcy are quite clear. Several executive members were highly-paid despite the financial crisis. This fact revealed that the proportion of the payments was far too huge in relation to the previous year's payments. Another reason for the bankruptcy appears to be the inadequate internal audit control since they let accounting system to be manipulated presenting virtual numbers in the balance sheets. As Story & Dash (2010) state, Lehman exploited a small firm named 'Hudson Castle' to move some of the assets and transactions in order to hide the real financial position of the company. Lehman could control the board members since he possessed a part of the Hudson Castle.
Apart from the aforesaid reasons, Lehman Brothers suffered many losses from the mortgages which had been already securitised. The bank had lack of liquidity because the borrowers were unable to pay their loans due to the crunch. The bank's stock started to fall rapidly and the bank released 1,500 employees to cope with its depts. Bank's investors felt insecure and lost their faith, drifting Dow Jones down. The company tried to make deal with Barclays, a large investment firm in UK, so as to be sold but the deal collapsed. Government also denied assisting Lehman Brothers, resulting to the bankruptcy filing. According to Bloomberg, J.P. Morgan gave to Lehman Brothers a liquidity boost, money that were repaid by the Federal Reserve Bank of New York to J.P. Morgan two days later. WIKIPEDIA
As it seems, the rescue plan for Lehman Brothers was absent because the bank was only the victim since the assist could come earlier. The bank collapsed, dragging lots of investment firms down. The domino effect that occurred forced governments to reformulate bank regulations in order to improve guidance, transparency, disclosure, and monitoring.
To improve board oversight of financial transactions like Repo 105, it is more important to change the approach of corporate audit committees than to enhance the information-sharing among accounting regulators. It appears that members of Lehman's audit committee were not aware of the many repetitions of the Repo 105 transactions. Their ignorance says a lot about what is wrong with the current approach to the audit process in publicly traded companies.
In compliance with the Sarbanes-Oxley Act of 2002 and related exchange rules, all members of the Lehman audit committee were independent, and the committee's chair was a financial expert. Following other rules, the audit committee made sure that the company's auditor (Ernst & Young) was independent of Lehman, and met privately with the engagement partner of the audit firm without Lehman management present.
Under Sarbanes-Oxley and related Securities and Exchange Commission rules, Ernst & Young supplied the audit committee with a list of Lehman's significant accounting policies. Ernst & Young was also specifically obligated to report to the audit committee any significant disagreement with management on financial reporting. However, Ernst & Young apparently went along with Lehman's accounting treatment of Repo 105. The audit firm and Lehman relied in part on a letter from UK counsel opining that Repo 105 constitutes a sale under UK law.
In short, to paraphrase Donald Rumsfeld, members of Lehman's audit committee did not know what they did not know. Unfortunately, audit committees are often in this state of ignorant bliss. The committee members are deluged with massive amounts of complex information, including detailed financial statements and lengthy SEC filings. It is extremely difficult for committee members, no matter how intelligent, to pick out from this mass of data the key judgments made by management and the external auditors in putting together these statements and filings.
To become more effective, audit committees should request four specific pieces of information. First, the auditors should highlight any set of transactions - such as sales or borrowings as well as off balance sheet and tax-motivated deals - which occur repeatedly at the end of quarters or financial years. It is quite reasonable to design one complex transaction in response to a unique set of circumstances; it is more suspicious if similar transactions occur frequently near the end of a reporting period.
Second, the auditors should identify any material item where the accounting literature allows alternative methods of presentation and explain why the company believes its alternative is preferred. For example, the accounting literature allows, but not does not require, companies to use hedge accounting in certain circumstances. Committee members should be fully briefed on whether and why the company decided to use hedge accounting.
Third, and perhaps most importantly, the auditors each year should provide the audit committee with any material differences in significant accounting policies between the company and its four or five main competitors. This comparative analysis should cover policies such as revenue recognition, warranty obligations, retirement plan obligations, tax reserves and valuation of goodwill or other intangibles. Some of the differences in accounting treatment will be due to differences in how the companies run their businesses; others will represent accounting judgments that the committee should fully understand.
Finally, the company's chief financial officer should provide the audit committee with analyst reports discussing the accounting methods embodied in the company's financials or criticising the "quality" of its earnings. Analysts are quick to point out what they perceive as accounting gimmicks used by companies to improve their revenues or net income. They typically try to get to a company's core earnings by stripping away these gimmicks as well as non-recurring items, changes in tax rates and gains/losses from currency movements.
All these pieces of information should be sent to the audit committee at least one week before the committee meets. During that week, the chairman of the audit committee should informally discuss with the auditor's engagement partner any specific issues raised by this information and more generally any "close calls" in the financial reports.
If adopted, these measures will help audit committees identify the key judgments made by management and the external auditors in preparing the company's financial statements. Instead of trying to find a needle in a haystack, committee members will be focusing on the accounting issues most likely to distort the accurate presentation of the company's financial situation.
current requirements and responsibilities of Internal Audit Unit
Based on recent legislation, the report should describe the current requirements and responsibilities of the Internal Audit Unit. It should explain how the Internal Audit Unit interacts with the Audit Committee and External Auditor, and should also explore how the contribution of internal audit can be measured.
Conclusions
In summary, the report should analyse whether and how the introduction of internal audit enhances companies' effectiveness and accountability. It should consider which requirements and functions are especially helpful for companies and investors.
