Overview
In Certified Public Accountant Licensure Examination, this subject will cover:
- SEC Code of Corporate Governance under Regulatory Framework for Business Transactions;
- Planning Phase of the Audit Process particularly Understanding the Entity and its Environment including its Internal Control and Test of Control under Auditing; and
- Consultancy under Management Advisory Services.
This subject, “Governance, Risk Management, and Control,” makes up thirty-five percent (35%) of the 2019 CIA Exam Syllabus, Part 1 – Essentials of Internal Auditing, covering the foundation of internal auditing; independence and objectivity; proficiency and due professional care; quality assurance and improvement programs; governance, risk management, and control; and fraud risk.
Course Objectives
At the end of the semester, students are expected to:
- Possess current knowledge of professional standards that are expected from a professional accountant and demonstrate appropriate use;
- Demonstrate knowledge of corporate governance, risk management, and internal control;
- Apply knowledge in business acumen, IT, and management needed for internal auditing;
- Be able to apply tools and technique to evaluate risks and internal controls;
- Be able to perform an audit engagement with minimal supervision in conformance with acceptable professional standards;
Course Materials
Module 1 | |
Module 2 | |
Module 3 | |
Module 4 | |
Module 5 | |
Module 6 | |
Module 7 | |
Module 8 | |
Module 9 |
Internal Auditing
Governance, Risk Management, and Internal Control add value to the organization by placing a mechanism that provides reasonable assurance that organization's objectives will be achieved.
Governance, risk management, and control are related. Their relationships can be summarized as follows:
- Governance provides overall direction for risk management activities.
- Effective governance considers risk when setting strategy, and risk management relies on effective governance (e.g., tone at the top, risk appetite and tolerance, risk culture, and the oversight of risk management).
- Effective governance relies on controls, and communication to the board relies on their effectiveness.
- Controls within governance processes often are significant in managing multiple risks. For example, controls related to the code of conduct may be relied upon to manage compliance and fraud risks.
- Internal control implements the organization’s risk management strategies.
The Board sets the organization’s risk appetite. The Board delegates to the CEO and senior management primary ownership and responsibility for operating risk management and control. Then the Board sets mechanism to review and assures itself on an ongoing basis whether the senior management is responding appropriately to these risks by relying on adequate line functions.
As a professional accountant, the concepts related to Governance, Risk Management, and Internal Control will be fully utilized in the field of Auditing, particularly Internal Auditing, being the third line of defense.
Three Line of Defense model shows that management control is the first line of defense. The various risk control and compliance oversight functions established by management are the second line of defense. Lastly, Internal Audit is the third line of defense.
As the third line of defense, Internal Audit Activity must assess and make appropriate recommendations to improve organization’s governance, must evaluate the effectiveness and contribute to improve risk management processes, and must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
Clearly, the function of Internal Auditing encompasses the entirety of this subject. And as we tackle each topic under this subject, we will always encounter Internal Auditing. For this reason, it would be better if we study Governance, Risk Management, and Internal Control from the point of view of an Internal Auditor. So for this module, let's have a quick overview of the essentials of Internal Auditing. The discussion here is based on the Revised 2019 CIA Syllabus, Part 1.
Course Objectives
After studying this module, you should be able to
- Interpret The IIA's Mission of Internal Audit and the principles-based, mandatory requirements which are essentials in the conduct of internal audit activity;
- Distinguish assurance and consulting services provided by the internal audit activity;
- Demonstrate conformance with the IIA Code of Ethics;
- Describe the required elements of the quality assurance and improvement program (internal assessments, external assessments, etc.);
- Understand the role of internal audit in Governance, Risk Management, and Internal Control; and
- Identify elements of Fraud Risk.
Course Materials
Foundations of Internal Auditing
Internal Audit Activity is defined as a department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations.
The International Standards for the Professional Practice of Internal Auditing (Standards) requires that the purpose, authority, and responsibility of the internal audit activity must be consistent with the following:
- Mission of Internal Audit
- Mandatory Elements of the International Professional Practices Framework.
The Mission of Internal Audit articulates what internal audit aspires to accomplish within an organization: “To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.”
The Mandatory Elements of the International Professional Practices Framework are
- Definition of Internal Auditing.
- The Core Principles for the Professional Practice of Internal Auditing,
- International Standards for the Professional Practice of Internal Auditing (the Standards)
- Code of Ethics
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Assurance services involve the internal auditor’s objective assessment of evidence to provide opinions or conclusions regarding an entity, operation, function, process, system, or other subject matters. On the other hand, Consulting services are advisory in nature and are generally performed at the specific request of an engagement client.
The International Internal Audit Standards Board released the revision to the Standards following consideration and approval by the International Professional Practice Framework Oversight Council. The Revised Standard took effect on January 1, 2017. The Standards are a set of principles-based, mandatory requirements consisting of:
- Statements of core requirements for the professional practice of internal auditing and for evaluating the effectiveness of performance that are internationally applicable at organizational and individual levels.
- Interpretations clarifying terms or concepts within the Standards.
The Core Principles, taken as a whole, articulate internal audit effectiveness. For an internal audit function to be considered effective, all Principles should be present and operating effectively. How an internal auditor, as well as an internal audit activity, demonstrates achievement of the Core Principles may be quite different from organization to organization, but failure to achieve any of the Principles would imply that an internal audit activity was not as effective as it could be in achieving internal audit’s mission
- Demonstrates integrity.
- Demonstrates competence and due professional care.
- Is objective and free from undue influence (independent).
- Aligns with the strategies, objectives, and risks of the organization.
- Is appropriately positioned and adequately resourced.
- Demonstrates quality and continuous improvement.
- Communicates effectively.
- Provides risk-based assurance.
- Is insightful, proactive, and future-focused.
- Promotes organizational improvement.
The Institute’s Code of Ethics states the principles and expectations governing the behavior of individuals and organizations in the conduct of internal auditing. It describes the minimum requirements for conduct, and behavioral expectations rather than specific activities. The purpose of The Institute’s Code of Ethics is to promote an ethical culture in the profession of internal auditing. It includes two essential components:
- Principles that are relevant to the profession and practice of internal auditing
- Rule of Conduct that describe behavior norms expected of internal auditors. These rules are an aid to interpreting the Principles into practical applications and are intended to guide the ethical conduct of internal auditors.
Internal auditors are expected to apply and uphold the following principles:
- Integrity. The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
- Objectivity. Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined.
- Confidentiality. Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
- Competency. Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.
Independence and Objectivity
The internal audit activity must be independent, and internal auditors must be objective in performing their work.
Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board. This can be achieved through a dual-reporting relationship.
Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others.
Proficiency and Due Professional Care
Engagements must be performed with proficiency and due professional care.
Proficiency is a collective term that refers to the knowledge, skills, and other competencies required of internal auditors to effectively carry out their professional responsibilities. It encompasses consideration of current activities, trends, and emerging issues, to enable relevant advice and recommendations.
Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.
Quality Assurance and Improvement Program
Quality assurance and improvement program (QAIP) is an ongoing and periodic assessment of the entire spectrum of audit and consulting work performed by the internal audit activity. The assessment can be internal or external.
Internal assessments must include:
- Ongoing monitoring of the performance of the internal audit activity
- Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices.
External assessments provide an independent and objective evaluation of the internal audit activity’s compliance with the Standards and Code of Ethics. External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization.
Governance, Risk Management, and Control
The internal audit activity must evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes using a systematic, disciplined, and risk-based approach. Internal audit credibility and value are enhanced when auditors are proactive, and their evaluations offer new insights and consider future impact.
Governance is the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
Risk Management is a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.
Control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
Fraud
The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk. It is not the role of the Internal auditors to identify fraud, but it is the primary responsibility of management and those charged with governance to prevent and detect fraud.
Fraud is any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.
The elements of Fraud are Pressure, Opportunity, and Rationalization.
Pressure or incentive (also called motive) incites actions. It is the moving force which impels a person to commit fraud. It can also be defined as the need a person tries to satisfy by committing the fraud. It should be distinguished from intent, which is the use of a particular means to commit fraud, a mental state demonstrated by the overt acts of a person.
Opportunity is the ability to commit fraud. An opportunity for fraud is more likely in companies where there is a weak internal control system. Poor control over cash, merchandise, and other organizational property, as well as a lack of compensating accounting controls, are enabling factors. Moreover, management can always override existing controls.
Rationalization is the justification for the act. Some people may rationalize fraudulent action as necessary, harmless, excusable, or acceptable.
References
Reading materials you may use in this course are the following:
- SEC Code of Corporate Governance for Publicly Listed Companies
- SEC Code of Corporate Governance for Public Companies and Registered Issuers
- 2019 CIA Syllabus Part 1 - Essentials of Internal Auditing
- The Institute of Internal Auditor
- The IIA’s International Standards for the Professional Practice of Internal Auditing
- IIA Code of Ethics
- Philippine Framework for Assurance Engagements
- Governance, Risk, and Compliance
- G20/OECD Principles of Corporate Governance
- Revised Corporation Code
- Sustainability Reporting Guidelines
- Code of Business Conduct and Ethics
- Corporate Governance Manual
- COSO’s Enterprise Risk Management – Integrating with Strategy and Performance
- ISO 31000:2018
- Philippine Standards on Auditing
- COSO Internal Control – Integrated Framework
- Any other books or e-books on Governance, Business Ethics, Risk Management, and Control