Khaidzir-IIAM Tea Talk 18 2 16


Page 1: Khaidzir-IIAM Tea Talk 18 2 16

www.iiam.com.my

Evaluating the adequacy and effectiveness of controls

by: Mohd Khaidzir bin Shahari

Vice President, IIA Malaysia

Chairman, RTAC

18 February 2016

Tea talk session (3:00-5:00 pm)

The use of this document is solely for training purposes.


Agenda

• Performance Standard 2130 - Control

• Implementation Standard 2130.A1

• Implementation Standard 2130.C1

• Practice Guide - Auditing the control environment

• Internal audit in the Malaysian Code of Corporate Governance


IIA Performance Standard 2130

The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.


IIA Performance Standard 2130

must: The Standards use the word “must” to specify an unconditional requirement.

control: Any action taken by management, the Board, and other parties to manage risks and increase the likelihood that established objectives and goals will be achieved.

Standards Glossary


PA 2130-1: Assess adequacy of control processes

• The CAE communicates an overall opinion based on sufficient audit evidence

• Audit evidence should be supported by an audit plan that is sufficient in breadth and scope and covers all major operating units and functions

• The audit plan should be flexible and take changes into account


PA 2130-1: Assess adequacy of control processes

• The CAE may rely on the work of other assurance providers, e.g. external auditors and compliance officers (see PG - Reliance by internal audit on other assurance providers)

• The overall opinion is based on the aggregation of many individual assessments

• The CAE considers the significance of weaknesses, the corrections made, the existence of any pervasive condition, and the potential consequences

• The CAE typically communicates the opinion annually


Practice Advisory 2130-1: Assess adequacy of control processes

- ENGAGEMENT OPINION

Defined as: “The rating, conclusion, and/or other description of results of an individual internal audit engagement, relating to those aspects within the objectives and scope of the engagement.”

Further elaboration in PG - Formulating and expressing internal audit opinions (March 2009)

Standards Glossary


Practice Advisory 2130-1: Assess adequacy of control processes

- OVERALL OPINION

Defined as: “The rating, conclusion, and/or other description of results provided by the chief audit executive addressing, at a broad level, governance, risk management, and/or control processes of the organization. An overall opinion is the professional judgment of the chief audit executive based on the results of a number of individual engagements and other activities for a specific time interval.”

Standards Glossary


Practice Advisory 2130-1: Assess adequacy of control processes

- OPINION IS BASED ON SUFFICIENT AUDIT EVIDENCE

Sufficient audit evidence is based on:

• Completion of audits and an internal audit plan that is sufficient in breadth and scope, flexible to changes, and covers all major operating units, business functions and processes (see PG - Developing IA strategic plan, July 2012)

• Reliance on work of other assurance providers, e.g. external auditors and compliance officers


Practice Advisory 2130-1: Assess adequacy of control processes

- ASSESSING OVERALL EFFECTIVENESS OF CONTROLS

Overall effectiveness of controls is based on whether:

• Significant discrepancies or weaknesses were discovered

• Corrections or improvements were made after the discoveries

• A pervasive condition exists resulting in an unacceptable level of risk


IIA Implementation Standard 2130.A1

The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:

(cont’d)


IIA Implementation Standard 2130.A1

• Achievement of the organisation’s strategic objectives;

• Reliability and integrity of financial and operational information;

• Effectiveness and efficiency of operations and programs;

• Safeguarding of assets; and

• Compliance with laws, regulations, policies, procedures and contracts.


IIA Implementation Standard 2130.A1

- Achieve strategic objectives

• Added to the Implementation Standard in October 2012 and listed first

• Consider the organisation’s vision and mission (MCCG 2012)

• Consider the organisation’s risk appetite (SORMIC)

• Consider the organisation’s short, medium and long term plans (MCCG 2012 & SR 2015)

• Sustainability: maximisation of shareholders’ wealth vs other social and environmental considerations (SR 2015)

• PG - Assessing organisational governance in the private sector (July 2012)

• PG - Evaluating corporate social responsibility/sustainable development (February 2010)


IIA Implementation Standard 2130.A1

- Information Reliability and Integrity

• Information is both financial and operational

• Accuracy, completeness and security (accounting considerations)

• Confidentiality, integrity and availability (information systems considerations)

• Cyber security issues, threats and past attacks

• Exercise professional scepticism and trace disclosed information to source and supporting documents

• Refer to Global Technology Audit Guide (GTAG) series


IIA Implementation Standard 2130.A1

- Effectiveness and efficiency of operations

Effectiveness vs Efficiency


IIA Implementation Standard 2130.A1

- Effectiveness and efficiency of operations

• Establishment and tracking of key performance indicators (KPIs) to monitor effectiveness

• Ratios and trend analysis to track resource use and efficiency


IIA Implementation Standard 2130.A1

- Effectiveness and efficiency of operations

• Auditor needs a good understanding of the organisation’s business to be able to audit effectiveness and efficiency of operations

• The IIA’s Code of Ethics and Rules of Conduct require internal auditors to be competent: “Internal auditors shall engage only in those services for which they have the necessary knowledge, skills, and experience. Internal auditors shall continually improve their proficiency and the effectiveness and quality of their services.”


IIA Implementation Standard 2130.A1

- Safeguarding of assets

• Balance sheet assets include land & building, shares, equipment, inventory, receivables, cash etc.

• Non-balance sheet assets include people (safety and retention), corporate guarantees, information (confidentiality, integrity, availability), intellectual property, copyright and reputation

• Consider the controls in place to safeguard the stock and flow (inwards and outwards) of the assets


IIA Implementation Standard 2130.A1

- Compliance with laws and regulations

• Applies to both common and industry-specific regulations

• Existence of qualified process owners to keep track of regulatory developments

• Select and test compliance with key provisions of relevant laws and regulations

• Internal auditor’s competencies and industry knowledge


IIA Implementation Standard 2130.A1

- Compliance with laws and regulations

• IIA Performance Standard 2050 “Coordination” states “The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.”


IIA Implementation Standard 2130.C1

Internal auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the organization’s control processes.


Practice Guide: Auditing the control environment (April 2011)

Control environment: the attitude and actions of the Board and Management regarding the importance of control within the organisation. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements:


Practice Guide: Auditing the control environment (April 2011)

• Integrity and ethical values

• Management’s philosophy and operating style

• Organisational structure

• Assignment of authority and responsibility

• Human resource policies and practices

• Competence of personnel


MCCG Principle 6 - Recognise & manage risks

Principle No.: 6

Recommendation No.: 6.2

MCCG 2012 Recommendation: Board should establish an IA function which reports directly to the AC

MCCG 2007 Reference: Part 2: BB VII & VIII

Commentaries & implications to Boards:

• Identify a Head of IA reporting directly to the AC

• Head of IA with relevant qualifications

• Provides assurance to the Board on the effective operation of internal controls

• Work to be carried out according to standards set by professional bodies

• Review & appraise the effectiveness of governance, risk management & internal controls in the Company


Questions or comments?

Thank you


Contact Details

Website: www.iiam.com.my

Tel (Technical unit): 03-92821148

Email: [email protected]