2. GOVERNANCE
OVERSIGHT – P li
Policy
Setting
STEWARDSHIP - M Managers i in
charge of full business units
TACTICAL / OPERATIONAL – Includes Line /
Supervisory management
ASSURANCE – Includes Internal Audit/
External Audit, M&E and Internal Affairs
3. AGENDA OF PRESENTATION
What is Internal Auditing?
Why and How is Internal Auditing carried out in
the Government of Liberia?
What are Internal Controls?
What are Some Common irregularities resulting
from a failure in Internal Controls?
Question & Answers
4. WHAT IS INTERNAL AUDITING?
Some Definitions:
is an independent, objective assurance and consulting activity
designed to add value and improve an organization's
operations.
operations It helps an organization accomplish its objectives
by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control, and
governance processes……The IIA Definition
An appraisal activity established or provided as a service to the
entity.
entity Its functions include, amongst other things, examining,
include things examining
evaluating and monitoring the adequacy and effectiveness of
internal control. …………The ISA 610 and ISSAI 1003 Definition
5. INTERNAL AUDITING IN GOL
The Auditor-General is the is the principal
responsible for conducting comprehensive post
audits, special Financial investigations,
reconciliation s
reconciliation's and analyses, and continuous
audits on a routine basis…… Section 53.3 of the Executive
Law of 1972.
The function, reporting responsibilities and
function
activities of internal auditors shall be prescribed in
regulations under this Act, supplemented by
instructions and guidelines issued by the Minister
in Collaboration with the Auditor General….Section
38, PFM Act (2009)
6. INTERNATIONAL BEST PRACTICE
Internal auditing is conducted in diverse legal and
cultural environments; within organizations that
vary in purpose, size, complexity, and structure;
and by persons within or outside the organization.
While differences may affect the practice of
internal auditing in each environment,
conformance with The IIA's International
Standards for the Professional Practice of Internal
Auditing (Standards) is essential in meeting the
responsibilities of internal auditors and the
internal audit activity.
7. GOL INTERNAL AUDIT STRATEGY 1/3
Adopted by the Cabinet as a structural benchmark (2008)
Identified as a key support to the newly adopted Medium Term
Id ifi d k h l d d M di T
Framework (2010/ 2011) – Part of PFM Reform
Proposed a Two phase approach of Consolidating existing capacity
and Expanding this after one year (Institutions Identified through
Portion of National Budget, Residual Risk, PRS importance and donor
expectations (risk)
Proposed Consolidation begins at Ministries of Finance, Health,
p g , ,
Education, Public Works and Lands Mines & Energy
Proposes an Institutional Framework covering a Governance Board,
Secretariat and Audit Committees in Line Ministries
Proposes the Governance board establishes Common Audit Priorities
for the M&As
Proposes adoption of a 5 level IA Capability Maturity framework
8. GOL INTERNAL AUDIT STRATEGY -2/3
2/3
Risks facing the GOL IA Strategy
Appointment of a Board
The Governance board consisting 5 members, including
the GAC, MoF, CSA, PPCC and a Private Sector Member is
currently being formulated and could be in place soon.
A lack of demand for IA functions
Limited capacity to undertake Internal Audits
Failure of External Audit/ GAC to coordinate with IA
Failure to include IA in objective setting
9. GOL INTERNAL AUDIT STRATEGY -3/3
3/3
Key Secretariat Deliverables outstanding
Audit Manual
Audit Committee Charter
Annual Risk Assessment (Audit Priority)
Audit Plan
Audit Announcement letter
A dit working papers
Audit ki g
The Audit Report
10. WHAT IS INTERNAL CONTROL?
internal control is defined as a process effected by an
organization's structure, work and authority flows, people
g i ti ' t t k d th it fl l
and management information systems, designed to help the
organization accomplish specific goals or objectives.
The Control h ld be
Th C t l should b capable of responding quickly t
bl f di i kl to
evolving risks to the business arising from factors within the
company and to changes in the business environment.
Internal Control consists of 5 i
I lC l i f inter-related components
l d
Control Environment
Risk Assessment
Information and Communication Processes
Monitoring
Existing Control Activities
11. THE CONTROL ENVIRONMENT
g
The control environment sets the tone of an organization,
influencing the control consciousness of its people. It is the
foundation for all other components of internal control,
providing discipline and structure. Control environment factors
structure
include the integrity, ethical values and competence of the
entity’s people; management’s philosophy and operating style;
the
th way management assigns authority and responsibility, and
t i th it d ibilit d
organises and develops its people; and the attention and
direction provided by the Oversight board.
12. RISKS ASSESSMENT 1/4
Every entity faces a variety of risks from external and
internal sources that must be assessed. A precondition to
i t l th t tb d diti t
risk assessment is establishment of objectives, linked at
different levels and internally consistent. Risk assessment is
the identification and analysis of relevant risks to
achievement of objectives, forming a basis for determining
how the risks should be managed.
Because economic industry regulatory and operating
economic, industry,
conditions will continue to change, mechanisms are needed
to identify and deal with the special risks associated with
change.
change
There are many techniques available for identifying risk.
Some are detail based and offer quantification, others are
scenario-based or qualitative
qualitative.
14. RISK ASSESSMENT 3/4
For those risks that are controllable, the company
must decide whether to accept those risks or
whether to mitigate the risk through control
procedures. For those risks that cannot be
controlled, the Board must decide whether to
accept the risks or to withdraw from, or reduce the
level of business activity concerned
concerned.
Contingency plans should be considered where
the Board elects to accept uncontrollable
significant risks.
15. RISK ASSESSMENT - AFTER 4/4
RISK DECISION MAKING
Tolerate / Accept risk; simply take the chance
that the negative impact will be incurred
Terminate/ Avoid risk; changing plans in order to
prevent the problem from arising
Transition/ Mitigate risk; lessening its impact
through intermediate steps
g p
Transfer risk; outsource risk to a capable third
party that can manage the outcome
16. INFORMATION AND COMMUNICATION
PROCESSES 1/2
Pertinent information must be identified, captured and
communicated in a form and timeframe that enables
i di f d i f h bl
people to carry out their responsibilities.
Information systems produce reports, containing
y p p , g
operational, financial and compliance-related
information, that make it possible to run and control the
business. They deal not only with internally generated
y y yg
data, but also information about external events,
activities and conditions necessary to informed
bus ess decision-making a d e te a reporting
business dec s o a g and external epo t g
Effective communication must also occur in a broader
sense, flowing down, across and up the organisation.
17. INFORMATION AND COMMUNICATION
PROCESSES 2/2
All personnel must receive a clear message from
top management that control responsibilities must
be taken seriously. They must understand their
own role in the internal control system, as well as
how individual activities relate to the work of
others.
Th
They must have a means of communicating
h f i i
significant information upstream. There also
needs to be effective communication with external
eeds e ect e co u cat o t e te a
parties, such as customers, suppliers, regulators
and shareholders.
18. MONITORING
Internal control systems need to be monitored - a process
that assesses the quality of the system’s performance over
th t th lit f th t ’ f
time. This is accomplished through ongoing monitoring
activities, separate evaluations or a combination of the two.
On going monitoring occurs in the course of operations. It
operations
includes regular management and supervisory activities,
and other actions personnel take in performing their duties.
The scope and frequency of separate evaluations will
depend primarily on an assessment of risks and the
effectiveness of ongoing monitoring procedures. Internal
control deficiencies should be reported upstream, with
upstream
serious matters reported to top management and the Board.
19. EXISTING CONTROL ACTIVITIES
Control activities are the policies and procedures
that help ensure that management directives are
carried out. They help ensure that necessary
actions are taken to address risks to achievement
of the entity’s objectives.
Control activities occur throughout the
organisation, at all l l and in all f
i i ll levels d i ll functions. Th
i They
include a range of activities as diverse as
app o a s, aut o sat o s, e cat o s,
approvals, authorisations, verifications,
reconciliations, reviews of operating performance,
security of assets and segregation of duties.
20. CRIME
Control Risk Information and
Environment
E i t Assessment
A t Communication
C i ti
Existing Control
Monitoring
g
Activities
21. INHERENT WEAKNESSES OF INTERNAL
CONTROLS
Internal Control provide only reasonable
assurance due to following inherent
weaknesses
Human error which includes error in design and use
of automated controls
Deliberate circumvention of controls
Management over ride
Cost-benefit considerations
22. AUDIT RISK/ RESIDUAL RISK
Audit risk ( )
(also referred to as residual risk)
refers to acceptable audit risk, i.e. it indicates
the auditor's willingness to accept that the
financial statements may be materially
misstated after the audit is completed and an
unqualified ( l
lifi d (clean) opinion was i
) i i issued. If th
d the
auditor decides to lower audit risk, it means
that he wants to be more certain that the
financial statements are not materially
misstated.