The Question of Effectiveness

There are several ways of considering audit effectiveness. The General Services

Commission of the State of Texas has developed one set of criteria, which are as follows:

1 At what level is management involved in the internal audit function. All reports should be dealt with at the highest level.

2 The internal audit function should be involved in the assessment of the entity’s risk profile. In other words; what risks are faced by the entity and what damage can be done by these risks? These should be well documented and linked to the audit plan.

3 A properly drawn audit plan of action, reflecting the high risk areas of activity must be drawn up, and acted upon. In drawing up the plan, all expertise within the organization should be drawn upon.

4 The planning and conduct of the audit should be in conformity with professional standards, ie the standards of the Institute of Internal Auditors.

5 Communication of results must be to the highest authority within the organization, and action plans to correct deficiencies must be considered at this level.

7 That the various compliance requirements are adhered to. In the case of Texas State organizations, this includes compliance with the legislative requirements of the State of Texas, and the Code of Ethics of the Institute of Internal Auditors. (State of Texas, Auditor’s Office, 1997)

The Texas Audit Office has gone on to detail its development of its own series of considerations to be used in deciding the effectiveness of an audit (State of Texas, Auditor’s Office, 2000). These detailed considerations are summarised as:

1. Is the internal audit process planned in conjunction with both senior management/board and the line management involvement?

2. Are all risks properly identified and included in the audit process? 3. Is the risk identification undertaken at a sufficiently high level within the

organization?

4. Is internal audit independent of day to day management operations? 5. Is the internal auditor sufficiently senior?

6. Is there a proper quality control procedure in place within the internal audit function?

7. Is the internal audit function recognised as important to the organization in that it adds value to the organization?

8. Does the internal audit function have a recognised role within the organization as an ethical sounding board?

9. Does the internal audit function have an effective procedure for establishing ethical guidelines?

10.Do the planning and procedures of the internal audit function conform with the professional standards?

11.Are the risks the business faces, and internal audit procedures reviewed regularly to ensure that the organization does not face unidentified risks? 12.Is the internal audit operation both properly managed as to cost, and

properly funded?

(Texas Auditor’s Office, 2000, Paraphrased)

These questions are a sound analysis of the requirements of an effective internal audit operation, and tie into the position taken by the IIA (IIA Handbook 1997).

Most of these points have been supported by academic writers for some time. For example, points 1, 2, 3, 4, and 5 above has been held out for some time as an important requirement of internal audit by Wilson and Root in 1989 (Wilson & Root, 1989).

Dhamankar & Khandewale (2003) have defined what makes an internal auditor effective as having:

i.) the right outlook towards the function;

ii.) proper orientation about the role internal audit plays in the overall business set up;

iii.) understanding about real life difficulties; and iv.) an urge to deliver the best.

Dhamankar & Khandewale (2003) go on to recommend that

• The appointment of the internal auditors should be made by top management, other than a person from the finance department,

• The authority should be delegated in writing in the form of an ‘Audit Manual’ and should be properly communicated to all concerned,

• The purpose of the audit and scope of the audit must be communicated to all concerned persons, if possible, the (sic) representative of all

departments should be involved in the process of determination of scope of the auditors.

It is unfortunate that Dharmankar & Khandewale appear to limit the role of the internal auditor to a financial one, by excluding the financial section from being involved in the choice of internal auditor. This is particularly so given that, as previously mentioned, the IIA would hold that the role of the internal auditor extends beyond a mere financial role to include operational auditing.

It is also unfortunate that they take the approach to selection of the internal auditor that they do, considering that they comment that “Unfortunately the role of (the) Audit Committee…. does not include appointment of internal auditors” Dharmankar &

Khandewale (2003). The optimal position would be appointment of the internal auditors by the Board Audit Committee. In fact, such an action would not be new. The

far back as 1972 (ANZ Bank Archives). One would have thought that Dharmankar & Khandewale would have encouraged the process. They do, however, suggest that: “the replacement of internal auditors is also, to a large extent, driven by the desire to get rid of the person posing to be dangerous than by the desire to improve the effectiveness of the function.” (Dharmankar & Khandewale, 2003). Unfortunately Dharmankar &

Khandewale make no attempt to justify or support this remark, and it therefore must be assumed that with the improvements in corporate governance demanded by the various developments such as the Sarbanes Oxley Act (2002), this situation is becoming irrelevant.

Since the passage of the Sarbanes-Oxley Act (2002) and the need for corporations registered in the USA (or for that matter, raising capital through the US capital markets) to have an extensive internal control system, the role of the internal auditor has moved in the directions put forward by all the above points. In fact there has been a substantial increase in the demand for internal audit as a result of this legislation.

Another approach is the “bloody minded” one of simply asking what losses have/have not been prevented by the designing and monitoring of internal control systems undertaken by the internal auditor. Chapter 2, at 2.4.1 illustrates the risk of loss in the event of a failure to have adequate control systems. This approach is covered in the “Texas” model (Texas Audit Office, 2003) by the question about risk identification and minimization which is also covered by Wilson and Root (Wilson & Root, 1989). . The fact of the matter is however that proper risk minimization must include proper risk identification and

management, and in most organizations this is an operational question rather than a financial one. This the importance of the operational internal auditor (whatever he/she is called) in minimizing physical and therefore financial risk to the organization.

CHAPTER 5.