Internal Audit: Exploring Governance and Risk Management
Compare and contrast three ways in which governance and management occur in the organization via the audit process, as identified by an auditor.
The consulting firm CliftonLarsonAllen asserts that “the concept of risk management is evolving into a more fully developed, integrated concept of risk governance in which the board of directors, senior management, and the business units of an organization all have distinctly defined roles in the overall approach to enterprise risk management” (2013, para. 1). In response, organizations must adapt their internal audits to support their governance and management processes and mitigate risk. CliftonLarsonAllen presents three case studies in which governance and management occur in the organization via the audit process, covering crisis management, outsourcing, and co-sourcing solutions. Because of the development of automated auditing tools, organizations often outsource their IT internal control auditing to an outside firm that specializes in IT internal controls auditing.
In Case 1, governance and management occurred through the audit process when an internal audit provider assembled an onsite team to work with management personnel to assess and report on inventory recording and usage issues. The auditor implemented the recommended procedures to fix the issues by working firsthand with the managers who set management and governance policy. This differs from internal audits in which the auditor interacts with management in a limited capacity and focuses on targeted areas of concern without heavy influence from management personnel.
In Case 2, governance and management occurred through the audit process when outsourcing the internal audit allowed executive board members to participate actively with the auditing professionals. Because professionals were involved, the board could contribute in a more impactful way while spending less time participating in the internal audit. Well-defined, documented roles and responsibilities saved time during the audit process and allowed management to interact with and learn from the auditor in a time-efficient way.
In Case 3, a hybrid approach allowed an organization to outsource professional expertise only in selected areas, a co-sourcing approach that saves time and money. Well-defined and documented critical areas of concern allowed the organization to invest only in the pertinent areas of the audit while performing the less pertinent areas independently of the professional auditing team. By including governance and management in the internal auditing process, an internal auditor can guide the two organizations to work together successfully.
By adopting a top-down approach to internal auditing, the internal audit has a significant effect on governance and management policies through continuous assessment and training with management personnel.
Do you believe that an auditor can adequately assess the adequacy of internal controls for the IT organization?
An internal auditor can add significant value to the organization by sharing their expertise with management or the IT leadership. The purpose of an internal audit is to identify, from a top-down approach, where systems can be improved; it is more than assessing the adequacy of internal controls for the IT organization in a single audit. Continuous auditing guides an organization to make small gains over time. An auditor does more than check boxes on a form to see whether controls are adequate; they consider in their assessment how the organization has evolved over time.
Compare and contrast the portfolio, programs, and projects management practices and executive strategy, direction, and objectives.
Portfolio, program, and project management each play distinct but interconnected roles in achieving an organization’s strategic objectives, while executive strategy, direction, and objectives guide these practices. A project represents a budget, timeline, and scope; a program comprises interrelated projects that share a common goal. In contrast, a portfolio considers unrelated programs and projects to assess their return on investment and value to the organization. Portfolio management is broad, focusing on aligning projects and programs with the organization’s overall strategy. Business objectives, strategies, and directives therefore form a layered structure within the organization: while projects have their own objectives, strategies, and directives, executive-level objectives, strategies, and directives address higher-level areas of concern to ensure the organization reaches its goals effectively. Auditing must adopt a similarly layered approach when assessing an organization.
How would the auditor evaluate how management establishes adequate internal controls for the IT organization?
The auditor follows a top-down approach, identifying the organization's current internal controls and performing a risk assessment on critical areas (The Business Professor, 2022). By identifying assets and prioritizing risks, the auditor addresses areas of concern from the entity level down to the granular transaction level. A flowchart can aid an auditor in documenting the internal controls within the organization. The auditor may also review documentation from prior years to gain more insight before testing the controls for their effectiveness.
As an auditor, what artifacts and documents would you request in order to review the capabilities and effectiveness of governance and management within the organization?
As an auditor, I would request the organization's governance framework, which outlines the roles, responsibilities, and processes that guide decision-making and oversight, to align my understanding of the company’s goals and operating parameters. I would also request board meeting minutes, charters, and policies that define the structure and functioning of the board and its committees. Budgets, project plans, business objectives, performance evaluations, financial statements, and budget reports would be valuable for assessing the organization's operations at a more granular level. Operational surveys and feedback from employees and customers would provide insight into internal and external perceptions of the organization's governance and management effectiveness.
References
CliftonLarsonAllen. (2013). The Role of Internal Audit in Risk Governance: How Organizations Are Positioning the Internal Audit Function to Support Their Approach to Risk Management. CLAconnect. https://www.claconnect.com/-/media/files/white-papers/theroleofinternalauditinriskgovernancecliftonlarsonallen.pdf?rev=6de9960b7c10431fbe69cd30f3f7ad96
The Business Professor. (2022, June 9). Auditing - Internal Controls Evaluation. https://www.youtube.com/watch?v=ZhB5s80MCDk