Football fans across the world have been stunned over the last year with news of arrests for alleged wrongdoing by officials from soccer’s global governing body, FIFA (Federation Internationale de Football Association). Allegations of “rampant, systemic, and deep-rooted corruption” along similar lines to FIFA will potentially have much longer-term negative consequences for entities, their leadership cohort, and the brand as a whole.
The FIFA scandal and others like it provide a catalyst for internal auditors to apply the ABCs for assessing the strength of their entity’s baseline control arrangements: assurance arrangements, business ethics safeguards, and the compliance framework.
Potential internal audit reviews and advisory activities summarised in Exhibit 1 are followed by more detailed commentary that provides deeper insights for internal auditors.
Internal auditors have an important role to play in evaluating assurance arrangements over a wide range of the entity’s activities, including financial, performance, compliance, system security, and due diligence.
Around 53% of Chief Audit Executives (CAEs) and directors in the Middle East and North Africa have implemented or are planning to implement a formal combined assurance model, slightly higher than the global average of 49%, according to The IIA’s 2015 Global Pulse of Internal Audit – Embracing Opportunities in a Dynamic Environment report. This recognises, in part, that audit, risk and compliance specialists are increasingly expected to work together to interpret and report on the patterns emerging in their collective work.
Five elements of assurance to consider for your annual audit plan:
- Evaluate control self-assessment arrangements maintained by the entity to form an opinion on the reasonableness of the program coverage (completeness, breadth, timeliness, and integrity), individual reporting, program monitoring, high-level themes-based reporting to the audit committee, and overall value of the arrangements for the entity.
- Assess the availability of a Chief Financial Officer (CFO) certification of controls over financial and related operations of the entity, which should include supporting representation sign-offs by management and any significant outsourced service providers. Assess supporting documentary evidence, which could include internal control questionnaires prepared by management and audit reports and certifications provided by outsourced service providers. Establish whether the audit committee is reviewing the certification arrangements. Evaluate any gaps in these sign-offs together with any ‘exceptions’ recorded by management which could represent ‘red flags’.
- Utilise assurance mapping to identify, understand and evaluate the combined work of internal and external assurance providers across the ‘Three Lines of Defence’ and external audit. Consider emerging risk areas like cyber-security. Establish whether there is proper assurance coverage across key risk areas of the entity with no significant gaps and minimal duplication of effort.
- Evaluate the entity’s overarching governance assurance arrangements, including integrity safeguards, stakeholder engagement, defining outcomes, determining interventions, capacity development, risk management, and transparency.
- Assess the extent to which the entity has embraced combined assurance reporting, and any potential future opportunities to pursue this approach. Consider if there is an understanding of all assurance providers, awareness of what is being assured, nature of reporting within the entity’s discrete governance structures, alignment between assurance and high-level risk exposures, a consolidated risk and assurance profile, and coordination of the reporting of assurance activities.
Exhibit 1 – Examples of Auditable Activities
Business Ethics Safeguards
It makes good business sense for an entity to behave with integrity and maintain proper mechanisms that enforce the ethical behaviour of its employees and service providers. A strong commitment to business ethics helps to minimise financial losses directly attributable to wrongdoing, recognising that about 5% of an entity’s revenues are typically lost to fraud each year (Report to the Nations on Occupational Fraud and Abuse, 2015 Global Fraud Study, Association of Certified Fraud Examiners).
External supplier costs represent one of the most significant lines of expenditure and can provide an opportunity for fraud and corruption. The International Federation of Accountants and the Chartered Institute of Public Finance and Accountancy recognise that “an entity’s strong commitment to ethical values needs to be communicated to suppliers through a Statement of Business Ethics” (International Framework: Good Governance in the Public Sector, 2014).
Five areas of business ethics to evaluate in your entity:
- Availability of an up-to-date values-based staff code of ethics that articulates the entity’s expectations of staff conduct and the sanctions that it applies for wrongdoing. Consider the robustness of reporting and whistleblower arrangements for alleged wrongdoing.
- Availability of a fraud control plan that articulates your entity’s fraud risks, controls, and mitigation strategies, including significant business activities; potential areas of fraud risk; related fraud controls; gaps in control and assurance coverage; defined remedial actions to minimise fraud risks; and mechanisms for evaluating the effectiveness of fraud control strategies.
- Adoption and dissemination of a statement of business ethics targeted at third parties that outlines both acceptable and unacceptable practices in third-party dealings with your entity. Common features include: Chief Executive Officer (CEO) commitment to operating ethically; values and business principles; third-party dealings and behaviours; guidance on bribery; benefits; conflicts; confidentiality; ethical communications; secondary employment; post-separation employment; and contacts.
- Availability and effectiveness of a conflicts of interest policy. Evaluate whether key elements for managing conflicts have been established and are operating in practice within your entity and associated entities. These will typically cover both prevention and detection elements.
- Undertake an assessment of culture, which is one of the recognised control layers together with systems and controls, and capability. In assessing culture, internal auditors have an opportunity – as a first step – to assess ‘soft controls’ as part of their audits, and then consolidate these findings with the outcomes of other work within the entity, such as the results of periodic staff engagement surveys, fraud control health checks, and the analysis of allegations of wrongdoing and the like. (The Internal Auditor – Middle East journal included an article on ‘Auditing Culture’ in its December 2014 edition).
Compliance Framework
Effective compliance programs ensure that entities are adhering to laws, regulations, standards, licences, policies, plans, procedures, contracts, guidelines, specifications and other requirements relevant to their business. An entity’s reputation can be severely impacted when serious non-compliances occur and lead to punishment by the courts or regulatory authorities, such as prosecution, fines, or imprisonment of company officials.
Approximately 87% of executives across the world believe that reputation risk is the most important strategic risk (according to Deloitte’s 2014 Global Survey of Reputation Risk). Regulators have the right to independently validate that an entity in their jurisdiction is compliant with legislation and regulations by conducting documentary and/or onsite reviews of the entity’s policies, procedures, operations, activities, systems, premises and related information. The outcomes of the regulatory review might be reported publicly or to
- Individual audits in the approved internal audit plan should consider discrete ‘at risk’ compliance activities at a micro level, including whether established controls over compliance risks are operating in practice in line with established policies and procedures. A high-level register should list all of the entity’s policies and procedures, approval dates, related legislation/regulations, accountabilities, and review dates.
- Provide a central coordination point for the regulator’s review team for any high-risk or high-profile regulatory reviews. Then monitor the implementation of significant regulatory recommendations through the internal audit activity’s process for monitoring and reporting on the implementation of recommendations.
- The CAE or a senior delegate should periodically attend key board or executive compliance committee meetings as an observer, and report significant insights to the audit committee. (Each of the compliance committee charters should contain suitable wording to preserve audit independence.)
- Complete a high-level assessment of compliance governance to ensure adequate coverage of the entity’s respective licence conditions, legislative / regulatory obligations, and elements of its sustainability platform. Assess the entity’s related risk management arrangements, including compliance obligations and reporting.
- A periodic high-level internal audit to assess the compliance framework at a macro level and how well the core elements are operating in practice. This will include how the entity identifies, creates awareness of and promotes compliance; facilitates compliance to minimise the risk of fines, prosecution, complaints, litigation and imprisonment; undertakes risk assessment and identifies strategies; establishes monitoring mechanisms; fosters continuous improvement; maintains a Compliance Register containing legislation, regulations, policies and standards; and its compliance reporting arrangements.
It is increasingly important for internal auditors to anticipate the needs of their stakeholders if they are to play a leading role in the success of their entity. Boards and audit committees will increasingly value the independent insights delivered by internal auditors who apply a strategic and systematic approach to evaluating and reporting on the entity’s baseline control arrangements.
Assurance Services – An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the entity. (IPPF Glossary Excerpt)
Business Ethics – A means of ensuring that individuals working in organisations act in a positive way consistent with the rule of law and other principles underpinning market economies and democratic governance. (World Bank)
Combined Assurance – Aims to optimise the assurance coverage obtained from management, internal assurance providers, and external assurance providers on the risk areas affecting the entity. (King Code of Governance Principles, South Africa)
Compliance – Adherence to policies, plans, procedures, laws, regulations, contracts or other requirements. (IPPF Glossary)
Control – Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. (IPPF Glossary Excerpt)
BRUCE TURNER, AM, CGAP, CRMA, CFE, CISA, PFIIA, FFin, FIPA, MAICD, FAIM is a company director and audit committee chairman in Australia.
JACQUELINE TURNER, B.L JS, GradCert-FraudInv, is a white collar crime senior analyst at a multi-national financial services institution in Australia.