Week 2

The Role of the Audit Committee:

What It Is & Its Most Important
Functions
 The Internal Audit Department’s Mission
Most audit departments were formed by the company’s audit committee (a subset of
the board of directors) to provide the committee with independent assurance that
internal controls are in place and functioning effectively.
In other words, the audit committee wants an objective group that will tell it what’s
“really going on” in the company. The committee wants someone it can trust to reveal
all the evildoers who refuse to implement internal controls.
Internal audit departments usually report directly to the chairman of the audit
committee, so they feel protected from the repercussions that could result from
blowing the whistle on the hordes of dishonest managers within the company.
Despite the levity in the preceding paragraph, it is absolutely essential that the audit
committee have an internal audit function that can serve as their eyes and ears within
the company.
This is critical for the committee to function and serve the company’s shareholders. In
addition, most companies’ audit departments also report to an executive within the
company, such as the chief executive officer (CEO) or the chief financial officer (CFO).
 The Internal Audit Department’s Mission
you should know that senior management, just like the audit committee, is interested
in the state of the company’s internal controls.
From an IT perspective, the audit committee and senior management want honest
answers to such questions as, “Are our firewalls really secure?” and “Is our plan to
collaborate and share networks with our biggest rival going to expose us to any
security concerns?”
This is certainly an important role for the audit department to play. However, this is
not the whole picture. Merely reporting issues accomplishes nothing, except to make
people look bad, get them fired, and create hatred of auditors.
The real value comes when issues are addressed and problems are solved. In other
words, reporting the issues is a means to an end.
In this context, the end result improves the state of internal controls at the company.
 The Internal Audit Department’s Mission
Reporting them provides a mechanism by which the issues are brought to light and
can therefore receive the resources and attention needed to fix them.
If I tell senior management that I discovered a hole in the wall of our most important
data center, it may help in my goal of making myself look good at the expense of
others, but the hole is still there, and the company is still at risk.
It’s when the hole is patched that I’ve actually done something that adds value to the
company (and that’s true only if the company wasn’t already aware of and planning to
fix the hole prior to my audit).
Therefore, the real mission of the internal audit department is to help improve the
state of internal controls at the company. Admittedly, this is accomplished by
performing audits and reporting the results, but these acts provide no value in and of
themselves.
They provide value only when the internal control issues are resolved. This is an
important distinction to remember as you develop your approach to auditing and,
most important, to dealing with the people who are the “targets” of your audits
 The Internal Audit Department’s Mission
The internal audit department’s goal should be to promote internal controls and to
help the company develop cost-effective solutions for addressing issues. This requires
a shift in focus from “reporting” to “improving.” Like any other department, the audit
department exists in order to add value to the company via its specific area of
expertise—in this case, its knowledge of internal controls and how to evaluate them.

In summary, the internal audit department’s mission is twofold:

• To provide independent assurance to the audit committee (and senior management)
that internal controls are in place at the company and are functioning effectively.
• To improve the state of internal controls at the company by promoting internal
controls and by helping the company identify control weaknesses and develop cost-
effective solutions for addressing those weaknesses.
 Independence: The Great Myth
Independence is one of the cornerstone principles of an audit department. It is also
one of the biggest excuses used by audit departments to avoid adding value. Almost
all audit departments point to their independence as one of the keys to their success
and the reason that the audit committee can rely on them. But what is independence
really? According to Webster’s Universal College Dictionary, independence is “the
quality or state of being independent.”
Since this is not very helpful, let’s look at the word independent, which Webster
describes as “not influenced or controlled by others; thinking or acting for oneself.”
This definition fits with the concept that’s flaunted by most audit departments. Since
they, at least partially, report to the chairman of the audit committee, they believe
that they are therefore not influenced or controlled by others. But this isn’t really
true; let’s examine this a little closer. Although the audit department reports to a
member of the board of directors, in almost every company, the audit director also
reports to the company’s CFO or CEO (Figure).
The budget for the audit department is usually controlled by this executive, and so is
the compensation paid to members of the audit department. It is hard to see how a
person can feel that he or she is not being influenced by these individuals. In addition,
the internal auditors generally work in the same building as their fellow employees,
inevitably forming relationships outside the audit department. The auditors have 401k
plans just like all other employees, usually consisting largely of company stock.
Therefore, the success of the company is of prime interest to the auditors
Independence: The Great Myth
 Independence: The Great Myth
It should be apparent by now that internal audit departments are not truly
independent. Nevertheless, the core concept behind the independent auditor role is
valid and important. An auditor must not feel undue pressure to bury issues and must
believe that he or she will be allowed to “do the right thing.”
This is where the relationship with the board of directors comes into play. On those
rare occasions when company management truly refuses to do the right thing, the
audit department must have the ability to go to the board with some expectation of
protection from management’s wrath. This should be a tool used only as a last resort.
Ultimately it is not healthy if the auditors constantly have to go over management’s
head
It seems that objective is perhaps a more appropriate word than independent when
describing an internal auditor’s behavior. Objectivity requires that the auditor be
unbiased and that he or she not be influenced by personal feelings or prejudice.
As an auditor, you need to show the board and senior management that they could
never hire an outside firm that would have the knowledge of and relationships
within the company that you do. You need to prove that using your internal auditors
offers the company a competitive advantage. Otherwise, you’re just a bottom-line
cost, and if management can perform the function for a lower cost with another
provider, that is what they’ll do.
 An audit Committee and It’s Role
An audit committee is a group of independent directors of a company who oversee
the financial reporting and auditing process of the company. The role of the audit
committee is to provide oversight and assurance of the integrity and accuracy of the
company's financial statements and the effectiveness of its internal control systems.
The main responsibilities of the audit committee include:
1. Appointment of external auditors: The committee is responsible for selecting and
appointing the external auditors who will audit the company's financial statements.
2. Monitoring of financial reporting: The committee reviews and monitors the
company's financial reporting process, ensuring that it is accurate and in compliance
with regulatory requirements.
3. Review of internal control systems: The committee reviews the company's internal
control systems, ensuring that they are adequate and effective in preventing fraud
and errors.
4. Risk management: The committee assesses and manages the risks facing the
company, including financial, operational, and reputational risks.
5. Communication with stakeholders: The committee communicates with
shareholders, regulators, and other stakeholders on matters related to financial
reporting, auditing, and internal control.
Overall, the audit committee plays a critical role in promoting transparency,
accountability, and good governance in the company's financial reporting process.
 Internal Controls
Internal controls refer to the policies, procedures, and practices that a company puts
in place to safeguard its assets, ensure accurate financial reporting, and comply with
laws and regulations. Internal controls are crucial for preventing fraud, errors, and
improper use of resources. Some examples of internal controls include:
1. Separation of duties: Assigning different tasks to different employees to prevent
any one person from having too much control over a single process.
2. Access controls: Limiting access to sensitive data or areas of the company to only
authorized personnel.
3. Physical controls: Implementing measures such as locks and security cameras to
prevent theft or unauthorized entry to company premises.
4. Documentation and recordkeeping: Maintaining detailed records and
documentation for all transactions and activities to ensure accuracy and
accountability.
5. Monitoring and auditing: Regularly reviewing and testing internal controls to
identify weaknesses or gaps and implementing corrective actions as needed.

Effective internal controls help businesses operate more efficiently, reduce the risk of
errors and fraud, and improve overall financial management.
 Methods for Consulting Internal Controls
Consulting internal controls refers to the process of evaluating and improving
the effectiveness of an organization's internal control systems. Internal
controls are policies, procedures, and processes that are designed to ensure
that an organization achieves its objectives by minimizing the risk of errors or
fraud.
A consulting internal controls professional would assess an organization's
current control processes, identify areas for improvement, and recommend
changes to those processes to reduce risk and increase efficiency.
The consultant may also assist in implementing those changes and providing
ongoing support to ensure continued compliance with internal control
standards.
 Methods for Consulting Internal Controls
1. Risk assessments: Conducting a risk assessment is a crucial step in identifying and evaluating
internal control risks. This involves reviewing processes, activities, and transactions, to identify
potential risks and evaluate the effectiveness of existing controls.
2. Performance reviews: Reviews of performance are conducted to assess whether the internal
control system is working effectively or not. This may involve conducting an audit on the internal
controls or looking at specific areas of the organization where potential risks may exist.
3. Compliance testing: Compliance testing involves testing the implementation of policies and
procedures to ensure they comply with regulatory requirements.
4. Control self-assessment: Control self-assessment (CSA) is a process that involves employees
assessing their own departmental controls. This approach provides an opportunity for employees
to identify areas of weakness in their controls while also building ownership of the control
environment.
5. Process mapping: Process mapping visually outlines the details of processes within an
organization. This technique helps to identify any weaknesses or inefficiencies in the process that
could hinder the effectiveness of internal controls.
6. Interviews and surveys: Interviews and surveys can be conducted to gather feedback from
employees to identify areas of concern or weakness in internal controls.
7. Continuous monitoring: Continuous monitoring involves the use of technology to monitor and
report on the effectiveness of internal controls in real-time. This approach helps to identify
potential areas of risk before they become major issues.
8. Benchmarking: Benchmarking involves comparing the internal control practices within an
organization against best practices of other organizations in the same industry. This approach
helps identify gaps in the current system and provides insight into how to improve internal
controls.