A Conceptual Basis of Internal Audit

Page 1: A Conceptual Basis of Internal Audit - bilder.buecher.de fileSection A, Chapter 1.2 and 1.3). Internal control assessments should also be per-formed in accordance with the guidance

1 Nature and Content of Audits

1.1 General Definition of Audit

Key Points

• During audits, an independent party compares the existing condition to predetermined criteria (such as US-GAAP, or the policies and procedures of the organization).

• Audits serve two important control functions. Firstly, they are detective control mechanisms by which auditors identify and investigate variances or deviations from predetermined standards. Secondly, they are used as preventive control mechanisms because the expectation of an audit should deter individuals from engaging in fraudulent financial reporting or making careless errors.

• In the course of their evaluation, auditors identify business risks and evaluate the effectiveness and efficiency of the control systems designed to avoid, reduce or eliminate those risks. Auditors should also be aware of the risk of fraudulent activities.

• The primary goal of auditing is to serve the company by providing an independent and objective evaluation of the organization's adherence to operational, financial and compliance policies, guidelines and regulations.

• Likewise, audits are performed to protect the interests of third parties, such as investors and creditors.

In general, auditing is defined as a systematic process of objectively obtaining and evaluating evidence regarding the current condition of an entity, area, process, financial account or control and comparing it to predetermined, accepted criteria and communicating the results to the intended users. The criteria to which the current state is compared may be a legal or regulatory standard (such as the Sarbanes-Oxley Act), or internally generated policies and procedures.

Internal control is defined as, "a process affected by an entity's Board of Directors, management or other personnel – designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (1) reliability of financial reporting, (2) effectiveness and efficiency of operations, and (3) compliance with applicable laws and regulations" (COSO 1992). Further, the Institute of Internal Auditors (IIA) defines control as, "any action taken by management to enhance the likelihood that established objectives and goals will be achieved" (Sawyer et al. 2003). Controls may be preventive (to deter undesirable events from occurring), detective (to detect and correct undesirable events which have occurred), or directive (to cause a desirable event to occur). A control system is the integrated composition of control components and activities that are used by an organization to achieve its objectives and goals.

Audits are part of the overall control system of an organization and provide several important control functions. Firstly, they can serve as detective control mechanisms – that is, through their audit investigations, auditors may identify and evaluate errors or omissions, or variances between the current condition and predetermined criteria. Secondly, audits can be a preventive control mechanism, such that errors, misstatements and fraudulent activities do not occur in the first place. Finally, the results of audits should be used to identify and propose any potential improvements to the audited entity.

Audits entail comparing the current, existing condition of a process, organization, division or account to predetermined, accepted criteria. A variety of audit procedures may be used. Audit procedures are the activities that the auditor performs to obtain sufficient, competent evidence to ensure a reasonable basis for the audit opinion. Examples of some audit procedures available to auditors include: observation of personnel or procedures, physical examination of assets, inquiries or interviews with personnel, confirmation with outside parties, recomputation or recalculation of data, examination of documents, and analytical procedures.

The final objective of audits is to preserve the interests of various third parties, including investors and creditors. In this regard, audits must comply with the standards of the third parties and any applicable regulations. For example, from an accounting perspective, audits of financial reporting must focus on the accuracy of the organization's financial statements and must be performed in accordance with the standards of the Public Company Accounting Oversight Board (PCAOB). Alternatively, audits of internal controls over financial reporting provide an assessment of the risks and controls relevant to the operations affecting the financial reporting process and financial data and should be based on a formal control framework, such as the COSO Internal Control Integrated Framework (see Section A, Chapter 1.2 and 1.3). Internal control assessments should also be performed in accordance with the guidance of the PCAOB.

Links and References

• Committee of Sponsoring Organizations of the Treadway Commission (COSO). 1992. Internal Control Integrated Framework. New York, NY: AICPA.

• Institute of Internal Auditors. 2004. Standards for the Professional Practice of Internal Auditing. Altamonte Springs, FL: The Institute of Internal Auditors.

• Keith, J. 2005. Killing the Spider. Internal Auditor (April 2005): 25–27.

• Messier, W. F. 2003. Auditing and Assurance Services: A Systematic Approach. 3rd ed. Boston, MA: McGraw-Hill.

• Public Company Accounting Oversight Board (PCAOB). 2004. Auditing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements. http://www.pcaobus.org/Standards/Standards_and_related_rules/Auditing_Standard_no.2.aspx (accessed May 31, 2007).

• Rittenberg, L. E. and B. J. Schweiger. 2005. Auditing: Concepts for a Changing Environment. 5th ed. Boston, MA: Thomson.

• Robertson, J. C. and T. J. Louwers. 1999. Auditing. 9th ed. Boston, MA: Irwin/McGraw-Hill.

• Sawyer, L., M. Dittenhofer, and J. Scheiner. 2003. Sawyer's Internal Auditing. 5th ed. Altamonte Springs, FL: The Institute of Internal Auditors.

• Sears, B. 2002. Internal Auditing Manual. New York, NY: Warren, Gorham & Lamont.

1.2 Definition of Internal Audit

Key Points

• Internal auditing is an independent, objective assurance and consulting activity designed to assess the effectiveness of the control environment, add value, and improve an organization's operations.

• In the past, Internal Audit was regarded as merely focused on financial and accounting matters, but today its role has developed to include active risk and control evaluations and is considered integral to the corporate governance process.

• The internal audit function is part of the internal monitoring system of the organization and therefore should be positioned within the organization such that the independence of internal auditors can be guaranteed. Ideally, Internal Audit should report functionally to the Audit Committee of the Board of Directors and administratively to the Chief Executive Officer (CEO) of the organization.

• Generally, an internal audit is a multi-step process aimed at determining whether existing processes and procedures (the condition) comply with applicable rules and regulations (the criteria) or deviate in any way from these criteria.

• The Committee of Sponsoring Organizations of the Treadway Commission (COSO) established the concepts and criteria that an internal audit function should follow in practical terms.

The Institute of Internal Auditors (IIA), which is the international professional organization that oversees internal audit guidance, certification, education, and research, defines internal auditing as: […] an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. (IIA Standards for the Professional Practice of Internal Auditing, Glossary)

The IIA's definition demonstrates the transformation that Internal Audit has undergone in recent years with regard to its role and how it is perceived. In the past, Internal Audit was regarded as a management support function that generally focused on financial and accounting matters. Now its role may include active risk management, which – along with traditional auditing – is an integral part of the corporate governance process. Internal Audit no longer focuses only on transactions that occurred in the past to determine whether control systems were effective. Today's internal auditors also look ahead to identify the potential risks that may adversely affect the organization and to evaluate the control mechanisms that will avert or minimize them. Moreover, the activities of internal auditors are no longer limited strictly to audit tasks; management consulting is now considered an important and expanding role for internal auditors. Thus, when internal auditors identify areas for improvement in the course of their regular audit work, they will also suggest recommendations as to how the organization can improve its operations.

Internal audits allow management to delegate its oversight function to the internal audit department. In larger companies management cannot perform the oversight function itself for several reasons, including:

• growing complexity of the operating environment due to automated data processing,

• increased decentralization in physical location and decision-making as a result of globalization or internationalization, and

• its lack of expertise required to conduct efficient, high-quality audits.

Internal Audit is part of the internal monitoring system of an organization. This system comprises all monitoring measures and precautions put in place within the company to secure assets and guarantee the accuracy and reliability of the accounting system. This task is managed with objective-based and compliance-focused comparisons between the existing condition and the accepted criteria, as required by all applicable policies, regulations, and laws.

In recent years, internal control has become increasingly important. This is evidenced in the numerous laws, regulations and standards that now require that organizations have an internal audit function or an internal control review. Several of the most influential requirements are described further in Section A, Chapter 1.3.

Generally, an internal audit is a multi-step process aimed at determining whether existing processes and procedures (the condition) comply with predetermined rules and regulations (the criteria) or deviate in any way from this standard. Firstly, to perform an internal audit, the auditors must identify and understand the criteria to which the condition must be compared. Secondly, internal auditors collect evidence regarding the existing condition. Thirdly, internal auditors analyze and evaluate the evidence. Analysis and evaluation may include (among other activities):

• observation of processes and procedures,

• inquiry of key participants in the processes,

• comparison of current period information with prior year information,

• comparison of current information with budgets and forecasts,

• comparison of current activities with approved policies and procedures,

• sampling and testing the actual performance to the desired performance,

• utilizing computer assisted audit tools to review, compare and analyze large amounts of data.

Fourthly, based on this analysis and evaluation, internal auditors draw conclusions about the effectiveness of the control systems and the extent to which the current condition meets the required criteria. Finally, the results of the work and the conclusions drawn by the auditor are communicated to the relevant parties (audited units, management etc.) along with any necessary recommendations for improvement in the form of an audit report. It is management's responsibility to act upon the results of an auditor's evaluation.

An internal audit is generally conducted by a team of auditors (i.e., more than one auditor). As internal audits vary in size and content, the size of the internal audit teams working on each audit also fluctuates. One of the auditors acts as team lead who is responsible for planning and overseeing the audit, as well as communicating with the auditees, while other audit team members execute the audit activities (for the organization of audit teams, see Section A, Chapter 4.4).

After the internal audit, the results and findings are reported to the Audit Committee, senior management, and the manager responsible for the audited unit. The results are also shared with the employees concerned. As necessary, other parties with interests in the audit may be informed of the results; these parties may include creditors, strategic partners and external auditors (for reporting on completed audits, see Section B, Chapter 5).

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has defined criteria for audits on which the work of Internal Audit should be based. COSO is "a private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance" (see www.coso.org).

COSO provides criteria for establishing internal control and evaluating its effectiveness. Further, COSO defines key concepts that explain the purpose and performance of internal control as follows:

• Internal control is a process. It is a means to an end, not an end in itself.

• Internal control is affected by people. It's not merely policy manuals and forms, but people at every level of an organization.

• Internal control can be expected to provide only reasonable assurance, not absolute assurance.

• Internal control is geared to the achievement of objectives in one or more separate but overlapping categories. (www.coso.org/key.htm)

Hints and Tips

• The internal audit function should remain independent from all other departments within the organization. This allows internal auditors to maintain objectivity as they perform their audit activities.

• Internal auditors should familiarize themselves with their organizational position within the company and, when necessary, clearly communicate to their auditees how they fit in the organization and what their primary service is to the organization.

• Internal Audit must meet the needs of the organization. Therefore, the organization's strategy, objectives, and structure must be understood before determining how Internal Audit will fit into it.

Links and References

• Committee of Sponsoring Organizations of the Treadway Commission (COSO). 1992. Internal Control Integrated Framework. New York, NY: AICPA.

• Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2004. Enterprise Risk Management Integrated Framework. New York, NY: AICPA.

• Institute of Internal Auditors. 2004. Standards for the Professional Practice of Internal Auditing. Altamonte Springs, FL: The Institute of Internal Auditors.

• Keith, J. 2005. Killing the Spider. Internal Auditor (April 2005): 25–27.

• Messier, W. F. 2003. Auditing and Assurance Services: A Systematic Approach. 3rd ed. Boston, MA: McGraw-Hill.

• Redding, K., P. Sobel, U. Anderson, et al. 2007. Internal Assurance and Consulting Services. Altamonte Springs, FL: The Institute of Internal Auditors.

• Rittenberg, L. E. and B. J. Schweiger. 2005. Auditing: Concepts for a Changing Environment. 5th ed. Boston, MA: Thomson.

• Robertson, J. C. and T. J. Louwers. 1999. Auditing. 9th ed. Boston, MA: Irwin/McGraw-Hill.

1.3 Regulatory and Organizational Framework

Key Points

• Internal audits are subject to a large number of regulatory and organizational requirements. Recent notable regulations and guidance have been developed in the US, Germany, UK, Canada, Japan, China, and Hong Kong.

• Independence of both internal and external auditors is more important than ever before. Therefore, Internal Audit should be an independent staff department.

• The internal audit function can either be centralized or decentralized based on the needs of the organization.

Audits are subject to a variety of regulatory and organizational conditions. Regulatory standards have undergone particularly rapid development in recent years as a result of several new legislative initiatives.

A number of new regulations have been passed in recent years, which affect not only external auditing, but also the internal audit function. Many standards and legal requirements now address the internal audit process directly, or the internal control structure of organizations. For the internal audit function, the following laws, standards and guidance provide the most explicit directives (details regarding internal audit and internal control are provided below):

• United States:
  ■ Sarbanes-Oxley Act of 2002 (SOX),
  ■ NYSE Listing Standards,
  ■ COSO Internal Control Integrated Framework,
  ■ COSO Enterprise Risk Management Integrated Framework,
  ■ COBIT® Control Objectives for Information and Related Technology.

• Germany:
  ■ Act on Control and Transparency in Business (KonTraG),
  ■ German Corporate Governance Code (DCGK),
  ■ Transparency and Disclosure Act (TransPuG),
  ■ Accounting Legislation Reform Act (BilReG).

• United Kingdom: The Turnbull Report: Internal Control Requirements of the Combined Code.

• Canada: Canadian Securities Administration Rules.

• Japan: Financial Instruments and Exchange Law.

• China: Code of Corporate Governance.

• Hong Kong:
  ■ Rules Governing the Listing of Securities on the Stock Exchange of Hong Kong Limited,
  ■ Rules Governing the Listing of Securities on the Growth Enterprise Market of the Stock Exchange of Hong Kong Limited.

The Sarbanes-Oxley Act of 2002 (SOX) was enacted by the United States Congress in response to several major accounting scandals in 2001 and 2002. The explicit purpose of the Act is to "protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws" (US Congress 2002). The Act is applicable to all publicly registered companies listed on U.S. stock exchanges and under the jurisdiction of the U.S. Securities and Exchange Commission (SEC). This includes any foreign firm that is listed on a U.S. stock exchange. SOX has several sections; the most important to Internal Audit are section 302, requiring the CEO and CFO (Chief Financial Officer) to certify the validity of the financial statements, section 404, which requires that management assess and report on the effectiveness of the internal controls over financial reporting and that the independent external auditor attest to that assessment, and section 806, which protects employees, known as whistleblowers, who report fraudulent behavior (see Section A, Chapter 2.6 and Section D, Chapter 13).

New York Stock Exchange (NYSE) Final Corporate Governance Rules require that all listed companies have an internal audit function to "provide management and the audit committee with ongoing assessments of the company's risk management processes and system of internal control" (NYSE 2003). Compliance with NYSE listing standards has been mandatory since November 2003.

The COSO Internal Control Integrated Framework (IC) was developed in 1992 to provide a model for evaluating internal controls and is recognized as the standard against which organizations should measure the effectiveness of their internal control systems. COSO defines internal control as: A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three categories:

• effectiveness and efficiency of operations,

• reliability of financial reporting,

• compliance with applicable laws and regulations (COSO 1992).

COSO defines internal control as consisting of five interrelated components:

• control environment,

• risk assessment,

• control activities,

• information and communication, and

• monitoring.

COSO's broad definition of control marks a significant departure from the previously held notion that Internal Audit should be concerned only with retrospective audits of financial and accounting data. Instead, Internal Audit's responsibilities include internal controls over strategy and operating effectiveness and regulatory compliance, as well as reliability of financial reporting (COSO 1992). For more information on COSO IC and its relation to SOX see Section D, Chapter 14.1.2.

More recently, in 2003, COSO released a framework for enterprise risk management (ERM) that encompasses and enhances COSO IC. COSO defines ERM as: A process, effected by an entity's Board of Directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives (COSO 2003). An ongoing ERM approach helps management effectively deal with uncertainty and associated risk and opportunity throughout the organization, and therefore helps the organization achieve its objectives. The COSO ERM model is illustrated using a cube, which shows how the objectives, internal control components and organization levels are interrelated.

COSO ERM expands upon the objectives set forth in the IC framework and provides four categories for an organization's objectives:

• strategic,

• operations,

• reporting, and

• compliance.

Further, COSO ERM describes eight interrelated components that are integrated within the management process:

• internal environment,

• objective setting,

• event identification,

• risk assessment,

• risk response,

• control activities,

• information and communication, and

• monitoring.

COSO ERM clearly affects the entire organization at all levels: the entity as a whole, each division, all business units, and any subsidiaries (COSO 2004).

Fig. 1 COSO Cube (ERM). The cube relates the ERM components (Internal Environment, Objective Setting, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring) to the objective categories (Strategic, Operations, Reporting, Compliance) and to the organization levels (Entity-Level, Division, Business Unit, Subsidiary). Adapted from SOX-Online, http://www.sox-online.com/coso_cobit_coso_cube-new.html. Copyright © 2001 by the Committee of Sponsoring Organizations of the Treadway Commission.

The COBIT® (Control Objectives for Information and Related Technology) framework is particularly useful in an organization with a strong information technology environment. The COBIT® framework was issued and is maintained by the Information Systems Audit and Control Association (ISACA). COBIT® supplements COSO and SOX by focusing on the governance of IT resources and processes. It is especially helpful because it provides a framework and supporting tool set that bridges control requirements, technical issues and business risks (for more information on COBIT® see Section A, Chapter 6.2.5).

The German Act on Control and Transparency in Business (Gesetz zur Kontrolle und Transparenz im Unternehmensbereich – KonTraG) was introduced in 1998 with the aim of eliminating potential weaknesses in the internal control systems in German public companies, including in the internal and external audit functions. This was achieved primarily by redefining the roles of the Executive Board and Supervisory Board (which function in lieu of the Board of Directors in German corporations), as well as the role of the external auditors. The key stipulation requires the Executive Board to ensure that an adequate risk management system and an adequate internal audit function are in place. This law marks the first time that the internal audit function has been codified in German law, thus recognizing its place as an integral part of the financial reporting system.

The German Corporate Governance Code (DCGK), which was established in 2005, does not refer to the internal audit function directly, but it does oblige the Supervisory Board of a company to set up an Audit Committee. This Committee is tasked primarily with issues of accounting and risk management including the budgeting and monitoring of the external auditors. The chairman of the Audit Committee "shall have specialist knowledge and experience in the application of accounting principles and internal control processes" (Government Commission German Corporate Governance Code 2006). This establishes the basis for cooperation between the Audit Committee and Internal Audit.

As a result of the German Transparency and Disclosure Act (2002) the standards of the German Corporate Governance Code have been incorporated into law. Thus Executive Boards of listed companies must confirm annually whether the company complies with the recommendations of the Commission of the German Corporate Governance Code and state which recommendations have not been implemented.

The German Accounting Legislation Reform Act of 2004 (BilReG – Bilanzrechtsreformgesetz) has made a significant contribution to strengthening the independence of the external auditors. Specifically, sections 319 and 319a of the Handelsgesetzbuch (HGB – German Commercial Code) list a number of advisory services that the external auditors are not allowed to perform for a company if they audit the company. This concept can also be applied to Internal Audit. Here, too, the consulting function has gained importance in recent years and now forms an important part of Internal Audit's responsibilities. On the other hand, however, all internal audit work also must comply with the postulate of independence. If a close relationship between auditing and consulting is regarded as inappropriate for external auditors and is not permitted for this reason, it must be assumed that such a relationship could also damage Internal Audit's effectiveness if auditor independence is not guaranteed and conflicts of interest arise.

In the United Kingdom the Turnbull Report (Internal Control Requirements of the Combined Code) requires that the Board of Directors "maintain a sound system of internal control to safeguard shareholders' investment and the company's assets." Annually, directors must conduct a review of the effectiveness of the internal control system, including all controls (financial, operational and compliance) and risk management, and must report this evaluation to shareholders. Further, companies without internal audit functions must periodically assess their need for such a function. In general, the Combined Code requires that listed companies disclose how they apply the principles in the code (including those related to internal controls) and confirm that they comply with the code or – where they do not comply – issue an explanation for that deviation. The Combined Code on Corporate Governance was originally issued in June of 1998 and revised in 2005 (Institute of Chartered Accountants in England and Wales 2005).

In 2004, the Canadian Securities Administrators developed rules to improve investor confidence. The rules require the development of an independent Audit Committee that has a written charter and communicates directly with the internal audit function (Canadian Securities Administrators 2004).

In Japan, the Financial Instruments and Exchange Law, legislation similar to the U.S. Sarbanes-Oxley Act, was developed in 2006. This law, nicknamed J-SOX, is effective for fiscal years beginning on or after April 2008. Standards developed by the Business Accounting Council of the Financial Services Agency require all listed companies in Japan to prepare and submit internal control reports based on management's evaluation of internal controls over financial reporting. J-SOX has a broader definition of financial reporting than US SOX, which includes other items disclosed in Securities Reports that use financial statement data. Further, company management must evaluate controls at any affiliates that are consolidated under the equity-method of accounting. Internal controls are to be evaluated using a formal control framework such as the J-SOX framework, which is based upon the COSO IC framework. Finally, the auditor must report on management's evaluation of internal controls.

The Code of Corporate Governance for Listed Companies in China was developed by the China Securities Regulatory Commission in 2001. The code requires that one third of the members of the Board of Directors be independent and suggests the (optional) appointment of an Audit Committee. The majority of the Audit Committee members must be independent and one member must be a financial expert. The principal responsibilities of the Audit Committee include overseeing the internal audit function (Chinese Securities Regulatory Commission 2001).

The Rules Governing the Listing of Securities on the Stock Exchange of Hong Kong Limited and the Rules Governing the Listing of Securities on the Growth Enterprise Market of the Stock Exchange of Hong Kong Limited were established to ensure investor confidence in the market. These rules require that listed companies establish an Audit Committee whose responsibilities include overseeing the financial reporting system and internal control procedures. For listed companies with an internal audit function, the Audit Committee must review and monitor Internal Audit's effectiveness and ensure it has sufficient resources. Further, the Audit Committee must report to shareholders about its review of internal control effectiveness annually (Hong Kong Exchange 2007).

IIA Standard 1100 clearly states that the organization's internal audit function must be independent, and internal auditors should be objective in performing their work. Independence is achieved through organizational status and objectivity and is a decisive factor in ensuring that internal auditors can perform their tasks in line with requirements. The Chief Audit Executive (CAE) should report to a level within the organization that allows Internal Audit to achieve independence. Ideally, the CAE should report functionally to the Audit Committee and administratively to the CEO of the organization. Further, the CAE should have direct and unrestricted communication with the Board of Directors and Audit Committee. Specifically, the CAE should regularly attend Board of Directors meetings and should have the opportunity to meet privately with the Audit Committee. Independence is strengthened when the CAE is appointed and terminated by the Board of Directors, not management.

To maintain independence, the internal audit function should be managed as a separate staff department without the authority to manage or direct employees of other units. This ensures that Internal Audit does not audit any processes or scenarios that it has been involved in creating. In addition, this organizational structure enhances the standing of Internal Audit within the organization, as all employees of the company accept and respect this department and the work it does. As an independent department, Internal Audit can evaluate operations and provide recommendations for improvement, but cannot implement them. Implementing Internal Audit's recommendations, as well as designing and implementing control solutions, is the responsibility of management.

Internal Audit must decide whether to establish a centralized or a decentralized internal audit function. This decision depends on the specific needs of the organization. Centralized internal audit services are managed and controlled by one Internal Audit management team with one audit plan for the entire function. The audit activities, tools and reporting methods are standardized for the entire function. A decentralized internal audit function may be organized into multiple divisions, each of which has the authority to develop individual audit plans, design differing audit techniques and division-specific reporting procedures. Alternatively, some organizations may use a hybrid internal audit department with characteristics of both centralized and decentralized internal audit functions. SAP's internal audit department, for example, is a centrally organized staff department with a decentralized, regional structure, i.e. with teams in Germany, the United States, Singapore, and Japan (see Section A, Chapter 4).


Conceptual Basis of Internal Audit | Nature and Content of Audits | Regulatory and Organizational Framework | A | 1 | 1.3


HINTS AND TIPS

• Before beginning internal audit activities, the auditors should be aware of any laws, regulations or applicable standards that relate to the specific audit objectives. For global organizations, this may include international guidance.

LINKS AND REFERENCES

• Aktiengesetz (AktG) vom 6. September 1965, zuletzt geändert durch Artikel 13 des Gesetzes vom 5. Januar 2007. http://bundesrecht.juris.de/bundesrecht/aktg/gesamt.pdf (accessed May 31, 2007).

• Business Accounting Council. 2007. Standard for Implementation of Evaluation and Audit for Internal Control over Financial Reporting. http://www.fsa.go.jp/en/news/2007/20070420.pdf (accessed May 31, 2007).

• Canadian Securities Administrators. March 29, 2004. New Rules Promote Investor Confidence, Change Issuers' Disclosure and Governance Practices. Press release.

• Chinese Securities Regulatory Commission. 2001. Code of Corporate Governance for Listed Companies in China. http://www.ecgi.org/codes/documents/code_en.pdf (accessed May 31, 2007).

• Committee of Sponsoring Organizations of the Treadway Commission (COSO). 1992. Internal Control – Integrated Framework. New York, NY: AICPA.

• Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2004. Enterprise Risk Management – Integrated Framework. New York, NY: AICPA.

• Financial Services Agency. 2006. New Legislative Framework for Investor Protection: Financial Instruments and Exchange Law. http://www.fsa.go.jp/en/policy/fiel/20060621.pdf (accessed May 31, 2007).

• Gesetz zur Einführung internationaler Rechnungslegungsstandards und zur Sicherung der Qualität der Abschlussprüfung (Bilanzrechtsreformgesetz – BilReG) vom 4. Dezember 2004. Bundesgesetzblatt I 65 (9.12.2004): 3166–3182. http://www.bmj.bund.de/media/archive/834.pdf (accessed May 31, 2007).

• Gesetz zur Kontrolle und Transparenz im Unternehmensbereich (KonTraG) vom 27. April 1998. Bundesgesetzblatt I 24 (30.04.1998): 786–794. http://217.160.60.235/BGBL/bgbl1f/b198024f.pdf (accessed May 31, 2007).

• Gesetz zur weiteren Reform des Aktien- und Bilanzrechts, zur Transparenz und Publizität (Transparenz- und Publizitätsgesetz) vom 19. Juli 2002. Bundesgesetzblatt I 50 (25.07.2002): 2681–2687. http://217.160.60.235/BGBL/bgbl1f/bgbl102s2681.pdf (accessed May 31, 2007).

• Government Commission German Corporate Governance Code. 2006. German Corporate Governance Code as amended on June 12, 2006 (convenience translation). http://www.corporate-governance-code.de/eng/download/E_CorGov_Endfassung_June_2006.pdf (accessed May 31, 2007).

• Hong Kong Exchange. 2007. Rules Governing the Listing of Securities on the Growth Enterprise Market of the Stock Exchange of Hong Kong Limited. http://www.hkex.com.hk/rule/gemrule/GEM-App15%20(E).pdf (accessed May 31, 2007).

• Institute of Chartered Accountants in England and Wales. 2005. Turnbull Report – Internal Control Guidance for Directors on the Combined Code. London: The Institute of Chartered Accountants in England and Wales.

• Institute of Internal Auditors. 2007. International Standards for the Professional Practice of Internal Auditing. http://www.theiia.org/guidance/standards-and-practices/professional-practices-framework/standards/standards-for-the-professional-practice-of-internal-auditing (accessed May 31, 2007).

• Institute of Internal Auditors. 2002. Practice Advisory 1100-1: Independence and Objectivity. Altamonte Springs, FL: The Institute of Internal Auditors.

• New York Stock Exchange. 2003. Final NYSE Corporate Governance Rules. http://www.nyse.com/pdfs/finalcorpgovrules.pdf (accessed May 31, 2007).

• Protiviti. 2007. J-SOX Flash Report – Japanese Guidelines for Internal Control Reporting Finalized – Differences in Requirements Between the U.S. Sarbanes-Oxley Act and J-SOX. http://www.protiviti.jp/downloads/flashreport/JSOX_Flash_report0221E.pdf (accessed May 31, 2007).

• Public Company Accounting Oversight Board (PCAOB). 2004. Auditing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements. http://www.pcaobus.org/Standards/Standards_and_Related_Rules/Auditing_Standard_No.2.aspx (accessed May 31, 2007).

• Public Company Accounting Oversight Board (PCAOB). 2005. Staff Questions and Answers: Auditing Internal Control over Financial Reporting. http://www.pcaob.org/standards/staff_questions_and_answers/2005/01-21.pdf (accessed May 31, 2007).

• Redding, K., P. Sobel, U. Anderson, M. Head, S. Ramamoorti, and M. Salamasik. 2007. Internal Assurance and Consulting Services. Altamonte Springs, FL: The Institute of Internal Auditors.

• Rittenberg, L. E. and B. J. Schweiger. 2005. Auditing: Concepts for a Changing Environment. 5th ed. Boston, MA: Thompson.

• Sawyer, L., M. Dittenhofer, and J. Scheiner. 2003. Sawyer's Internal Auditing. 5th ed. Altamonte Springs, FL: The Institute of Internal Auditors.

• Sears, B. 2002. Internal Auditing Manual. New York, NY: Warren, Gorham & Lamont.

• US Congress. 2002. Sarbanes-Oxley Act of 2002. 107th Congress of the United States of America. HR 3763. Washington, DC: Government Printing Office.
