Deloitte professionals can quickly help you identify and prioritize key areas of

potential risk and opportunity across your enterprise, based on the current
competitive environment, regulatory climate, operational strengths and weaknesses
of your organization and many other factors.
Deloittes internal audit professionals can help provide organizations with a greater
level of assurance, as well as insights and recommendations on business strategy
execution and redeploying valuable resources toward achieving strategic goals and
objectives.
Results include benchmarking statistics, recommendations and suggestions for
improvement leading to an improved and more effective internal audit function
with an enhanced image within your organisation.

Developing strong board and management processes to enable effective governance;

Guiding management to develop a clear "tone from the top";

Measuring and monitoring your control culture;

Ensuring your processes incorporate expected levels of key controls;

Documenting your process flows and controls needed to support US SOX, C-SOX and
any other relevant regulations;

Using IT to provide 24/7 review of key processes to identify issues (i.e. continuous
monitoring);

Developing monitoring systems to ensure your controls work to support local governance
and reporting needs; and

Delivering internal controls training to management and staff.

Internal auditing can provide managers and the Board with

valuable assistance by giving objective assurance about
their organizations governance, risk management and
control processes. Establishing a robust internal audit
function is a long-term and worthwhile investment for most
organizations because an internal audit department can act
as an independent advisor for the Board and senior
management. Where an organization has not established an
internal audit department, the identification of the benefits
and role(s) internal audit could play should be the initial

step. Where an internal audit function has been in

operation, a review of its recent performance to identify
improvement opportunities is recommended.

Internal auditing provides opportunities for companies

to improve based on independent analysis and advice.
Internal audit also helps the Board and senior management
to monitor the organization. To preserve the integrity and
The bottom line: it is time for executives to lead, managers
to manage, boards to govern, and auditors to provide
assurances to the Board and management that things are as
people say they are. Your next audit planning effort should
make this clear to everyone.

1: Introduction to Internal Audit

48

independence of audits, auditors maintain a delicate balance

between offering advice (mainly consulting services) and
providing opinions about a process, system, account
balance, or other subject matter (assurance services).

Internal auditing provides unbiased information to

management and the Board to help them make better
decisions. Internal-audit conclusions and recommendations
are based primarily on independently gathered evidence and
knowledge.
Audits exist to assess how well a business unit meets the
performance goals of the organization, as dictated by the
CEO, CFO (chief financial officer), board, investors and
others. Accordingly, managements goal is to demonstrate
how well operations, controls and results meet the needs of
the business.

Auditors exist to provide the Board and senior management

with an objective, independent assessment of a business
unit or program (such as information security), including
what they see as key opportunities for improvement.

53

CHAPTER 2: THE PROFESSIONAL PRACTICE OF

INTERNAL AUDIT

Quality is never an accident; it is always the result of high

intention, sincere effort, intelligent direction, and skillful
execution; it presents the wise choice of many alternatives.
William A Foster

20 questions for directors to ask internal auditors

The internal audit departments unique position within a
company provides management and audit committee
members with valuable assistance, by giving objective
assurance on governance, risk management and control
processes. Audit committees, of course, are responsible for
providing oversight to the internal audit efforts within the
organization so how audit committees work with their
internal audit staff is crucial to the success of the entire
internal audit operation.
As one of the cornerstones of corporate governance (along
with the Board of Directors, senior management and
external auditing), internal auditing can provide strategic,
operational and tactical value to an organizations
operations. For example, internal auditing is:
A resource to the Board and management for helping to
ensure the entire organization has the resources, systems,
and processes for operating an efficient and effective
organization.
An assurance service for management and the Board that
confirms adequate controls are in place. By ensuring that
qualified professional reviews and tests are performed,
2: The Professional Practice of Internal Audit
54

the Board and management can advance their goals of

overseeing the organizations operations and helping to
ensure continuous improvement and success.
An independent validation that the organizations efforts
are proactive and effective against current and emerging
threats.

A high-quality internal audit function meets or exceeds

stakeholder expectations, while ensuring that value is added
to the organization. The most critical factor in achieving
internal audit quality is the auditors competency and
proficiency in evaluating the organizations risk
management, control and governance processes. Each
internal audit department should have a program, not only
to ensure top quality internal audit reports, investigations,
consulting and other services, but it should also have a way
to effect continuous improvement in its service to

stakeholders.

Serving as an enterprise consultant is an expanded and important role for many

internal auditors. Internal consulting may not fit in all internal audit functions
As mentioned throughout this volume, the purpose of an internal audit is to assist
management by providing analysis, information, and recommendations for the
improvement of controls and operations. Internal controls may be evaluated for:
Compliance with policies and procedures, rules, and regulations
_ Reliability and integrity of financial and operational information
_ Effectiveness and efficiency of operations
_ Safeguarding of assets

Serving as internal consultants, internal auditors can be held to higher standards

of performance and accountability. In these situations, they need to act as objective
and critical outsiders within their own enterprises, delivering the hard facts and
bad news beyond audit report findings, including issues that management sometimes
does not want to hear

they need to be prepared to deliver the truth to

management beyond just errors, omissions, and internal control weaknesses
They
also need to be good at off-the-record consulting-related conversations, which are
sometimes more important than the written audit report. Internal auditors who master
the principles of effective internal consulting can use the related methods and
techniques to dig deeper and deliver the truth.

To fulfill its responsibilities, Internal Audit shall:

_ Identify and assess potential risks to the Banks operations.
_ Review the adequacy of controls established to ensure compliance with policies, plans,
procedures, and business objectives.
_ Assess the reliability and security of financial and management information and
supporting systems and operations that produce this information.
_ Assess the means of safeguarding assets.
_ Review established processes and propose improvements.
_ Appraise the use of resources with regard to economy, efficiency, and effectiveness.
_ Follow up recommendations to make sure that effective remedial action is taken.
_ Carry out ad hoc appraisals, investigations, or reviews requested by the Audit
Committee and Management.
_ Perform independent consulting projects at the specifi request of management .

There are often many areas

within an enterprise where internal audits skills can meet needs and offer some help
and expertise. A good example might be when management formally requests help

with the SOx Section 404 internal controls compliance review, and internal audit
assists. (This process is discussed in Chapter 4.)

Beyond specific internal audit riskbased

audit assignments, internal audit often can provide consulting help in a wide
variety of areas. Examples might include helping to build effective internal controls
in a new IT application, discussed in Chapter 19, or helping to launch an ethics hotline
function, as discussed in Chapter 24. By providing internal consulting support,
internal audit can be a major help to the overall enterprise.

Whether youre looking to establish an internal audit function, attain or maintain

compliance with Sarbanes-Oxley Section 404 (SOX 404) or government contracts,
mitigate your risk of fraud, or gain an overall assessment of your internal controls,
you can count on Moss Adams for reliable and timely business solutions

Of course you want your internal audit function to help maintain compliancebut a high-quality
outsourced audit function can provide benefits well beyond fulfilling your organizations
obligations. You want to work with a firm that brings an understanding of your industry,
knowledgeable staff, and experience that will instill confidence in your board, your investors,
and the public while uncovering ways to reduce your costs, streamline your operations, and
improve your organizations value.
The dedicated professionals at Moss Adams will become an extension of your organization and
provide a thorough understanding of internal controls, system controls, and business processes.
And because we organize our professionals by industry, youll gain the efficiency of working
with a turnkey team: one whos already well versed in the requirements and best practices of
your industry and can provide you with excellent value in exchange for the time and resources
you invest in your audit.
Youll gain the peace of mind that comes with knowing youve not only met your
compliance and business needs but brought your organization closer to achieving its
performance goals.
Our team brings deep expertise in a wide variety of areas, including:

Operations

Compliance

Accounting

Information technology

Risk assessment and risk management

Construction

Fraud prevention

Fraud, theft, and many other types of business and accounting improprieties can cause significant
harm to the people and companies involved. Weve helped solve these problems for numerous
individuals, companies, and law firms, allowing them to recover losses and get back to business.
Our team can investigate suspected fraud, abnormalities, and irregularities as well as provide
expert witness testimony. With fraud examiners working closely with industry professionals, we
have the training, experience, and bandwidth to help you fight fraud and recover from its effects.
Our forensic accounting and investigative experience includes:

Misappropriation of assets

Conflicts of interest

Embezzlement

Fraudulent financial reporting

Insolvency and bankruptcy fraud

Insurance claims fraud

Litigation

We also offer extensive expertise in:

Fraud Risk Management
We can help you develop and evaluate your risk management program to decrease your
vulnerability to fraud and misconduct. We use interviews, surveys, and focus groups to analyze
your existing strategies, refine your fraud-risk profile, and establish the right protocols to avoid
the types of problems your business is most susceptible to.
Data Analysis
We can uncover potentially fraudulent behavior with analytical tools that reveal inconsistencies
in data. To do this, we employ both custom-made and industry-leading tools, including ACL
software that analyzes and cross-references large amounts of data from disparate sources.

Agreed-Upon Procedures

We can serve as an independent practitioner to perform agreed-upon procedures established by

two parties. We have extensive experience conducting these engagements, working proactively
to gain a set of clear, precise procedures that address the nature, timing, and extent of the work to
be done. Such planning helps avoid ambiguity later on that would inhibit achievement of your
desired outcomes.
We can provide a report containing results that are clear and easily used by the specified parties
to achieve validation of compliance and resolution of concerns. We have a diverse range of inhouse expertise, allowing us to quickly assemble a project team capable of addressing unique
technical and industry-specific matters.
Control Assurance Services

You may want assurance on a specific set of controls or control processes. We can scale our
services for one or more specific projects in a wide range of technical and industry areas, from
construction to health care.
Our team of more than 50 practitioners, each steeped in a particular internal audit discipline,
brings specialized expertise to each project, so you get seasoned auditors with finely tuned
expertise and an average of more than 10 years of experience. Youll benefit from the high return
on investment our services provide.
Moss Adams offers comprehensive performance audit services designed to help you identify and
overcome the critical challenges your organization faces. Our performance audits generally
follow a six-phase process:
1. Perform risk assessment, if needed
2. Develop audit plan
3. Conduct fact finding
4. Analyze performance
5. Prepare findings and recommendations
6. Provide draft and final report

7. Investigations - investigations are independent evaluations of allegations generally

focused on improper government activities, including misuse of university resources,
fraud, financial irregularities, significant control weaknesses, and unethical behavior or
actions.
8. Investigation reports are confidential and distribution is limited to the requesting or
impacted principal officer or senior campus official; the campus local designated official
and/or campus Investigation Workgroup; and the UC compliance and audit officer and
UC director of investigations if the investigation reaches required reporting thresholds

What is the process for conducting internal audits?

The audit process consists of the following components:

Key steps in the Internal Audit process are outlined below.
Planning The client department or unit is notified and a planning meeting is conducted with
the responsible principal officer to discuss and obtain input on the initial objectives and scope of
the engagement, the timing of the review, and reporting process.
Preliminary Survey A preliminary survey is conducted which usually begins with a meeting
with the principal/senior officer of the activity to discuss potential scope and concerns;
interviewing management and staff, and gathering background information; identifying key
strategic, operational, and compliance objectives; reviewing formal guidance; gaining an
understanding of organizational governance, risk management processes, and regulatory
compliance; reviewing budgetary information, flowcharting key departmental processes, and
identifying and testing key departmental processes and controls. The preliminary survey may
indicate that additional field work is necessary to focus on areas where controls could be
improved. The result of the survey is the generation of a risk matrix leading to the development
of an audit program.
Field Work - The auditor conducts steps to test key objectives identified in the project risk
matrix; gathers, classifies, and appraises information to measure and evaluate the effectiveness of
specific processes and controls. Sample transactions for a specific test period are often evaluated.
Throughout the course of audit fieldwork, the auditor confers with client management about
areas where improvements may be appropriate.
Draft Report - Upon completion of the field work, the auditor prepares a draft audit report
which outlines the conclusion (executive summary), audit objective, scope, observations, and
recommendations/agreements. Meetings are conducted with individuals and/or impacted units. In

these meetings, the observations are discussed with the client with the goal of reaching
agreement as to the appropriate corrective action to address the observation(s). The other goal is
to resolve any misunderstandings regarding the content and accuracy of the report.
Principal Officer Concurrence - Following these meetings(s), the report is revised as needed
and recommendations are changed to agreements where possible. A review copy of the final
report is shared with the principal officer for concurrence prior to release of the final
report. Corrective actions agreed to by management and Internal Audit is included in the final
report in lieu of a subsequent written departmental response.
Final report - The finalized report is is issued to the campus principal or senior officer who has
responsibility over the area; to the campus Audit Committee; and to the UC Ethics and Audit
Office.
Follow-up - IAS performs follow-up on observations to determine whether departments have
implemented corrective actions. The follow-up is generally performed quarterly, with an audit
inquiry as to the status of corrective action followed by a validation of completion if so indicated
by the client. When it has been determined that corrective actions have been conducted as agreed
to resolve the underlying audit issue, the audit is considered closed. Management corrective
actions are maintained electronically in a secure database (TeamCentral). A report is generated
monthly and distributed to the Principal Officers and responsible party to assist in the resolution
of open, agreed upon management corrective actions.