Internal Audit 101: A Six Step Guide for New Entrants
Ebook, 379 pages, 3 hours


About this ebook

‘An auditor is a person who watches the battle from the safety of the hills and then comes down to bayonet the wounded.' The best way to prove this often repeated quote wrong is to study your new profession, learn its best practices, immerse yourself in its history, and its future direction. This six-step guide will set new entrants to the internal audit profession on the right path.

Language: English
Release date: Jul 24, 2022
ISBN: 9781399931069
Author

Stephen Scott Watson

Stephen Scott Watson, MSc, CFIIA, MBCS, CISA, CIA is an internal auditor with nearly 30 years' practical experience as both a practitioner and senior leader, having worked for international accounting and consulting firms and large public sector organisations. Stephen has also contributed to the profession during his tenure as Chief Examiner for the Chartered Institute of Internal Auditors UK & Ireland, and as an exam item writer for the Global IIA’s CIA exams. He maintains his links to the Chartered IIA UK & Ireland today as a freelance advisor to their Apprenticeship Programme. Stephen is an experienced Audit Committee Chair and a speaker at Governance, Risk and Control conferences in both the UK and US. He holds a master’s degree in Audit, Management and Consulting and is a Fellow of the Chartered Institute of Internal Auditors UK & Ireland. He is a regular contributor to professional magazines such as Audit & Risk and blogs widely online about audit, risk, and the control implications of future technology such as artificial intelligence (he is also a Platinum Level Member of the Information Systems Audit and Control Association - ISACA). Stephen was awarded the Chartered Institute of Internal Auditors' prestigious J.J. Morris Award for Distinguished Service in 2018. He lives on the beautiful northeast coast of England, five minutes from the beach, with his wife and two retired racing greyhounds.


    Book preview

    Internal Audit 101 - Stephen Scott Watson

    ‘An auditor is a man who watches the battle from the safety of the hills and then comes down to bayonet the wounded.’ Quotation attributed to Sir Charles Lyell (1797-1875), renowned Scottish geologist who demonstrated the power of known natural causes in explaining Earth's history.

    Unfortunately, you will hear this famously disparaging quotation repeated many times over your internal audit career. My advice is to laugh along - and then proceed to prove the person who recounted it wrong! The best way to do this is to study your new profession, learn its best practices, immerse yourself in its history – and its future direction - and so become a proficient and valuable resource within your organisation.

    So, you will need to start with textbooks on the subject. There are a lot of audit guides and textbooks out there – some much bigger and more eminent than this one – so why add to the number with this slim volume? Well, firstly, this is not just a reference text or guidebook; it is a six-step plan to give someone who is new to internal audit the basic knowledge that they need to work effectively in the profession. It is not a substitute for professional exams such as those offered by the Institute of Internal Auditors, but it will be a useful first text for new entrants to the profession. I wish that a book such as this had existed when I started my own journey into the internal audit profession! The problem as a new entrant to the internal audit profession is that those distinguished and weighty tomes give you too much information. As you plough through page after page you can become confused and lost and start to wonder if this world of audit is for you. Believe me, it is – you just need the right direction, i.e. direction that is appropriate and focussed to you at the early stage of your career. That is what I hope to give you in this book.

    As the profile of internal audit continues to rise, so do the expectations placed upon it. It is therefore important to understand the fundamental role requirements. This practical six-step course will guide you through the principles and techniques of internal auditing to help you plan and perform internal audit work in line with the latest standards and best practice. It will also give you enough background knowledge of the governance of organisations to allow you to fully appreciate the wider role of the internal auditor within his/her own organisation.

    This six-step course will improve your ability to provide effective, professional insight and internal audit assurance over the key risks faced by your audit clients.

    Although written primarily for a UK audience, I have included a wide range of international elements, so I hope the book’s content will be relevant to readers in most countries.

    The Chartered Institute of Internal Auditors runs an excellent Apprenticeship programme that gives new entrants to the profession the skills that they need to excel in internal audit. This book has been designed to link closely to the IIA’s syllabus for the apprenticeship programme, although it is not officially approved or sanctioned by the Chartered IIA.

    I hope that you enjoy the book and find it useful. Good luck in your internal audit career!

    Stephen S. Watson, July 2022.

    1. Corporate governance and risk management

    Key topics Quick Start:

    1. Focus

    • Reasons for the development of Corporate Governance Codes.

    • Strategic perspectives of risk management.

    2. Key thinkers

    • Sir Adrian Cadbury (Former chairman of Cadbury Schweppes and author of the 1992 report that set the standard for corporate governance)

    • Sir Ronald Hampel (Former Chief Operating Officer of ICI and author of the 1998 Hampel Report, designed to review Cadbury and Combined Code)

    3. Before

    • Opaque nature of corporate governance

    • Lack of accountability to shareholders/stakeholders

    • Directors’ pay rising to unacceptable levels

    • Corporate scandals and failures

    • Absence of corporate information leading to unhelpful speculation by the media: ‘Comments of the media, fed by the analyst community, sometimes anonymously, with no regulatory requirement for accuracy or consistency, can create real problems for management’. Sir Ronald Hampel.

    4. After

    • The comply-or-explain principle is now a central element of most codes of corporate governance.

    • Creating better boards through codification.

    • Board composition becomes more diverse as more women join boards.

    • Supply of corporate information: a significant increase in the number of news announcements by UK listed companies.

    • Directors’ remuneration becomes more transparent.

    • 'The single overriding objective shared by all listed companies, whatever their size or type of business is the preservation and the greatest practical enhancement over time of their shareholders' investment'.¹

    • Risk is a reality for directors and managers regardless of the industry sector or size of the business.

    • Well-run companies now have comprehensive risk management frameworks (RMF) in place to identify existing and potential risks and assess how to deal with them.

    • The five key components of an RMF are: risk identification, measurement, mitigation, reporting and monitoring, and governance.

    Reasons for the development of Corporate Governance Codes

    Over the past thirty years two simple words ‘corporate governance’ have become the mantra for the way an organisation is run, with underlying emphasis on its accountability, integrity, and risk management.

    Although it can be argued that concepts of accountability and integrity go back to the very foundation of commercial enterprises as we know them, the most significant growth in corporate governance began in the early 1990s with the Cadbury Report on the financial aspects of corporate governance. To this report was attached a short appendix that was to become a corporate game-changer. It was a code of best practice: the ‘Cadbury Code’.

    Written with listed companies in mind, and focusing on standards of corporate behaviour and ethics, the Cadbury Code was gradually adopted by the City of London and the UK Stock Exchange. It was quickly heralded as the yardstick by which to assess good boardroom practice.

    The 1980s and 1990s were the decades that saw the emergence of the ‘greed is good’ mentality (for some parts of the commercial world, at least). There was an explosion of wealth for those at the top of corporations. It was becoming apparent that the line between what could be agreed as acceptable corporate behaviour and unacceptable behaviour needed clarification. Several ‘fat cat’ scandals outraged the public and press and led to further governance investigations. A notable example from the mid-1990s was the British Gas CEO, whose 900 per cent salary rise incensed the press, trade unions and small shareholders and earned the individual the title ‘Private Enterprise Enemy Number One’². Hence, in 1995, the Greenbury Report added a set of principles on the remuneration of executive directors.

    In 1998 the Hampel Report brought the two reports together and produced the first Combined Code. A year later, the Turnbull Report added to the set of guidelines by focusing on risk management and internal control.

    The common factor was that all these reports were prompted either by shareholder concern over apparent weaknesses in corporate structures and their inability to respond to inadequate performance, or by repeated government threats of legislation if the corporate sector failed to address the issues.

    So why do we even need codes of corporate governance? In different forms, such codes have now been developed in most countries where there is a stock exchange. Is it just fashion? Bureaucracy? Neither. The main reason for codes of corporate governance is to help and protect stakeholders and investors. This is self-evident: investors need reliable information about companies and how they are run if they are to decide whether to invest in shares or sell them. The concept of ‘stakeholders’ rather than traditional financial investors has also influenced the growth in corporate governance codes. A stakeholder is a party that ‘has an interest in a company and can either affect or be affected by the business. The primary stakeholders in a typical corporation are its investors, employees, customers, and suppliers. However, the modern theory of the idea goes beyond this original notion to include additional stakeholders such as a community, government or trade association’³.

    Corporate governance concepts and approaches

    There is no universal governance model. Governance structures and practices need to be individually tailored to their organisation. There may, however, be legal and regulatory requirements, together with mandatory and optional practices prescribed by national governance principles, that are required by the environments in which the organisation operates. Hence, in the UK the Financial Reporting Council (FRC) has produced a UK Corporate Governance Code⁴ that states that the main principles of corporate governance in the UK are:

    1. Every company should be headed by an effective board which is collectively responsible for the long-term success of the company.

    2. There should be a clear division of responsibilities at the head of the company between the running of the board and the executive responsibility for the running of the company’s business. No one individual should have unfettered powers of decision.

    3. The chairman is responsible for leadership of the board and ensuring its effectiveness on all aspects of its role.

    4. As part of their role as members of a unitary board, non-executive directors should constructively challenge and help develop proposals on strategy.

    5. The board and its committees should have the appropriate balance of skills, experience, independence, and knowledge of the company to enable them to discharge their respective duties and responsibilities effectively.

    6. There should be a formal, rigorous, and transparent procedure for the appointment of new directors to the board.

    7. All directors should be able to allocate sufficient time to the company to discharge their responsibilities effectively.

    8. All directors should receive induction on joining the board and should regularly update and refresh their skills and knowledge.

    9. The board should be supplied in a timely manner with information in a form and of a quality appropriate to enable it to discharge its duties.

    10. The board should undertake a formal and rigorous annual evaluation of its own performance and that of its committees and individual directors.

    11. All directors should be submitted for re-election at regular intervals, subject to continued satisfactory performance.

    12. The board should present a fair, balanced, and understandable assessment of the company’s position and prospects.

    13. The board is responsible for determining the nature and extent of the principal risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems.

    14. The board should establish formal and transparent arrangements for considering how they should apply the corporate reporting, risk management and internal control principles and for maintaining an appropriate relationship with the company’s auditors.

    15. Executive directors’ remuneration should be designed to promote the long-term success of the company. Performance-related elements should be transparent, stretching and rigorously applied.

    16. There should be a formal and transparent procedure for developing policy on executive remuneration and for fixing the remuneration packages of individual directors. No director should be involved in deciding his or her own remuneration.

    17. There should be a dialogue with shareholders based on the mutual understanding of objectives. The board as a whole has responsibility for ensuring that a satisfactory dialogue with shareholders takes place.

    18. The board should use general meetings to communicate with investors and to encourage their participation.

    The UK Corporate Governance Code is based on the 'comply or explain' principle. Rather than setting out binding laws, government regulators (in the UK, the FRC) set out a code, which listed companies may either comply with, or if they do not comply, explain publicly why they do not. The UK Corporate Governance Code uses this approach in setting minimum standards for companies in their audit committees, remuneration committees and recommendations for how good companies should distribute authority on their boards.

    The main purpose of comply or explain is to ‘let the market decide’ – a key concept of capitalist economies. The principle is that the market decides whether a set of standards is appropriate for individual companies. Since a company can deviate from the standard, this approach discards the view that ‘one size fits all’ in terms of governance, but because of the requirement of disclosure of explanations to market investors, anticipates that if investors do not accept a company's explanations, then investors will sell their shares, therefore creating a market sanction, rather than a legal sanction. The concept was first introduced after the recommendations of the Cadbury Report of 1992.

    The UK Corporate Governance Code is regularly reviewed in consultation with companies and investors. Listed companies are required to report on how they have applied the main principles of the Code. They must confirm either that they have complied with the Code's provisions or, where they have not, provide a valid explanation.

    Even if a company is not listed, it may still have adopted parts of the code as good practice. This is known as the ‘voluntary approach’, which differs from the compulsory approaches often seen outside the UK.

    Outside the UK a variety of approaches to corporate governance exist. None are right or wrong, they all relate to the corporate environment that exists in the individual nation states. Most notable amongst these is the rules-based approach adopted by the US: the Sarbanes-Oxley Act 2002⁵ (generally known as SOX). SOX is a United States federal law that set new or expanded requirements for all U.S. public company boards, management, and public accounting firms. Several provisions of the Act also apply to privately held companies, such as the wilful destruction of evidence to impede a federal investigation.

    SOX contains eleven sections. The sections of the bill cover responsibilities of a public corporation's board of directors, add criminal penalties for certain misconduct, and require the Securities and Exchange Commission to create regulations to define how public corporations are to comply with the law. In many respects security underpins the requirements of the Sarbanes-Oxley Act, leading to a growth in consulting and auditing activities that advise or give assurance over security systems and IT applications. More on that later in the book.

    The Sarbanes-Oxley Act was enacted as a reaction to several major corporate and accounting scandals. We explore some of the most notable organisational governance failures and scandals in the next section. The graphic below lists the key reviews and codes that together form the basis of today’s corporate governance environment in the UK. The column on the left denotes which areas the various codes and reviews addressed. You will see that the Companies Act 2006 also has a large bearing on this area in terms of setting the common law.

    Image – the range of codes and reviews since Cadbury.

    We have deliberately covered only the key reviews and codes that relate to corporate governance in this book; as you will appreciate, there are many that came after Cadbury that effectively built upon the foundation laid by that review. For example, in 1994 the Internal Control Working Group (whose report is generally known as the Rutteman Report) was established to fulfil the Cadbury Committee’s requirement that the profession develop guidance on internal control, and Greenbury the following year focussed on Directors’ remuneration. You can find out more about each quite readily online.

    Organisational Governance Failures (and scandals)

    Image: A protestor on Wall Street makes a stand against corporate crime

    A corporate collapse typically involves insolvency or bankruptcy of a business enterprise. A corporate scandal involves alleged or actual unethical behaviour by people acting on behalf of a corporation. There have been numerous examples of both over the past forty years. It is worth studying the details of the most notable of these as the ignominious ending of these corporate behemoths highlights almost every potential pitfall that can befall large organisations, even those with long-held global reputations, when corporate governance breaks down.

    Here is a small selection of the most infamous corporate failures over the past four decades. They all contributed to the calls for improved corporate governance around the world.

    The 1980s

    The Carrian Group was a Hong Kong conglomerate that was known for rapid expansion throughout the 1980s. The meteoric rise came to an abrupt halt in 1983, however, when the company ended in collapse amidst a major corruption and fraud scandal. Carrian Group became involved in a scandal with Bank Bumiputra Malaysia Berhad of Malaysia and its Hong Kong-based subsidiary Bumiputra Malaysia Finance. Following allegations of accounting fraud, the murder of a bank auditor (yes, an auditor!), and the suicide of the firm's adviser, the Carrian Group collapsed in 1983, the largest bankruptcy in Hong Kong history. The scandal exposed the ongoing mystery surrounding Carrian’s seemingly limitless ‘capital’ as nothing more than bank loans.

    Texaco, Inc. (The Texas Company) is today an American oil subsidiary of Chevron Corporation. For many years, Texaco was the only company selling petrol/gasoline under one brand name in all 50 US states, making it not only one of the biggest but also the only genuinely national fuel brand in the US.

    After a legal battle with Pennzoil, where it was found Texaco owed that company over $10.5 bn, Texaco went into bankruptcy. It was later revitalized as a business brand and taken over by Chevron.

    The 1990s

    Polly Peck International (PPI) was a small, struggling British textile firm that was taken over in the 1970s by Turkish-Cypriot businessman Asil Nadir. The company expanded rapidly throughout the 1980s, becoming a constituent of the UK’s FTSE 100 Index in 1989 with a market capitalisation of £1.7bn before collapsing in 1991 with debts of £1.3bn.

    After a raid by the UK Serious Fraud Office in September 1990 it emerged that Asil Nadir had systematically falsified the books of his company, exaggerating profits and sales before making off with millions of pounds of investors' money to Northern Cyprus in 1993. Nadir eventually returned to the UK in 2012 and the businessman (by this time aged 74) was jailed for ten years for stealing £29 million from Polly Peck. In April 2016, four years into his sentence, he was flown from London to Istanbul after British authorities accepted his request to serve the last six years of his sentence
