Practical Guide to Auditing SAP Systems - Martin Metz
1.1 Legal basis for internal audit
Why does a company need an internal audit function? Well, do you ask the owner of a restaurant how good his dishes are? Or do you put more trust in Google reviews or comments by disappointed or impressed visitors on TripAdvisor? Independence is the key word. From the perspective of experienced auditors, after years of auditing information systems and hundreds of serious findings, internal audit must be considered a centerpiece of a company’s governance structure, providing the board of directors, audit committee, and executives with an independent view of the risk management and control environment within the company. But do lawmakers share this opinion?
At the beginning of the 2000s, Enron was a much-hyped company, comparable perhaps to today’s Internet giants. Furthermore, investing in Enron was highly recommended. However, the accounting practices at Enron were illegal, and revenues and profits were made up on a large scale. One of the biggest bankruptcies according to the US Chapter 11 bankruptcy code was that of Enron in 2001. The revelations about the accounting practices also led to the dissolution of Enron’s accounting firm. This event triggered a new law, which has widely influenced internal audit: the Sarbanes-Oxley Act (SOX). Every publicly traded company in the US must comply with this law. Section 404 of SOX is very important, as it states that companies are obliged to include an internal control report within their annual report. This control report should explicitly state the responsibility of the management to establish an internal control system (ICS) for financial reporting and to assess the effectiveness of this ICS every year. Furthermore, the management’s assessment of the effectiveness of its internal control system must be certified. This is where audit companies and audit departments come into play. Within the context of section 404 of SOX and the certification requirement, the role of internal audit is to:
Act as a consultant and assist in the setting up of an ICS
Test internal controls within the ICS
Review the results of a SOX audit that has been performed by another unit
Advise the team that is performing a SOX audit
Audit the ICS together with an external auditor
SOX has been widely adopted by countries around the world, leading to a Chinese SOX, the Japanese J-SOX, the Canadian C-SOX, and the German Corporate Governance Code. The Principles of Corporate Governance of the Organisation for Economic Co-operation and Development (OECD) also recommend establishing procedures to ensure the effectiveness of the ICS (“G20/OECD Principles of Corporate Governance”, p. 52).
However, the internal audit function is also explicitly required by other laws. One example is the Israeli Companies Law 5759 of 1999, which states in Part IV, Chapter Four, Paragraphs 146–153, amongst other things, that:
The board of directors must appoint an internal auditor whose superior must be the chairman of the board of directors or the general manager
The internal auditor must submit their findings to the chairman of the board of directors
The annual work program of the internal auditor must be approved either by the audit committee (which is required by the same law) or the board of directors
Another example is the German Banking Act (Kreditwesengesetz, KWG), which requires financial institutions to install internal control mechanisms, including an internal control system and an internal audit function. Publicly traded companies are required by the German Stock Corporation Act (Aktiengesetz, AktG) §91 to implement a company-wide monitoring system to identify risks that could jeopardize the business.
Stock exchanges also have specific rules. The Asian Confederation of Institutes of Internal Auditors surveyed Asian stock exchanges in 2015 and found mandatory requirements for internal audit functions in companies listed on the stock exchanges of China, India, Indonesia, and other Asian nations (https://iaonline.theiia.org/blogs/chambers/2015/no-internal-audit-function-investors-beware).
However, many countries today do not have explicit requirements for an internal audit function. More often, internal audit is indirectly part of the laws and rules on internal control systems (ICS). But what exactly is the ICS and why do people assume that internal audit is part of it?
The most common standard for internal control systems is the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and its famous cube, which portrays the elements of an ICS (see Figure 1.1).
Figure 1.1: COSO cube (https://www.coso.org/Documents/COSO-ICIF-11x17-Cube-Graphic.pdf)
The top of this cube represents the objectives of an organization in the fields of operations, reporting, and compliance. The columns at the side represent the areas of application for these objectives. From single functions to entire entities, all areas can use these fields to set objectives.
The face of the cube is comprised of five elements of internal control.
The first of these elements is the control environment. It is the framework in which the internal controls of a company are embedded. Through policies, standards, guidelines, standard operating procedures (SOPs), and control descriptions, the framework provides the basis for conducting control activities. The control environment provides structure through organizational charts, reporting lines, and processes. It also entails the company culture, which is as essential for the will to comply with and conduct controls as the ethical setup of the company.
The risk assessment element represents the risk management processes through which a company identifies risks that could hamper its objectives and defines ways to mitigate them. These risks include potential events with a negative impact on the ICS.
Control activities include all actions that help to continuously mitigate risks and to support the achievement of business objectives. The information and communication element represents the aspect of ensuring that all parties involved know their role within the ICS.
With regard to the scope of this book, the monitoring activities are vital. They include the means necessary for assessing how the components of the ICS are working. The COSO framework states two principles for this ICS component:
1 The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
2 The organization evaluates and communicates internal control deficiencies promptly to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Companies have a variety of means at hand to perform these monitoring activities. These means range from automated technical control procedures, through self-assessments, to audits performed either by internal or external auditors. Among the means stated in the COSO guidance on monitoring, the periodic evaluation and testing of controls by internal audit is the first procedure mentioned (“COSO_Guidance_On_Monitoring_Intro_online1_002”, p. 7).
Thus, internal audit is indeed a paramount component of an ICS. As laws, rules, etc. require the implementation of an ICS, they indirectly urge the incorporation of an internal audit function.