This chapter is a review of the related literature generated by the researcher on the subject of study. The chapter entails the relationship between internal audit proficiency and internal controls; internal controls and corporate governance; internal audit proficiency and risk management; internal controls and risk management; and risk management and corporate governance.
9.1 Internal Audit Proficiency
Internal auditors should possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities. The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. (IIA, 2007). The rationale is that internal auditors’ experiences, knowledge and education are most valuable to management (Giselle, 2000).
9.2 Internal Audit Proficiency and Internal Controls
From the definition of internal auditing, the objective of internal auditing not only includes involvement in governance but also highlights the importance of evaluating and improving control and risk management (IIA, 2007). Most internal audit professionals argue that an effective internal audit function clearly correlates with an organisation’s success in meeting management objectives and whether the internal control system is functioning as intended (Faudziah et al, 2005). The effectiveness of internal audit greatly contributes to the effectiveness of each auditee in particular and the organization at large (Dittenhofer, 2001). Dittenhofer (2001) also observed that, if internal audit quality is maintained, it will contribute to the appropriateness of procedures and operations in the organization. Therefore, internal audit proficiency is seen as an important attribute to the quality of the internal audit function and the way it adds value to the internal control frame work.
The Institute of Internal Auditor’s Standard 1210 on proficiency of auditors, requires that internal auditors posse the knowledge, skill and other competencies needed to perform their responsibilities (IIA, 2007). Internal audit effectiveness is determined by the internal audit department’s capability to provide useful findings and recommendations and to prove that it is of value to the organization and promotes good governance within the organization.
Internal auditors need specific technical skills and to be seen to undertake continual professional development to keep up to date with changing business practices and remain capable of providing a value-added service in their audit approach (Giselle, 2000). They should therefore be experts in the area of internal control and should use their skills and expertise to evaluate internal control systems of their organizations and recommend improvements that will greatly contribute to good governance. According to Jan Cattrysse (2005), internal audit could have an important input based on their experience from independent monitoring operations or previous occurrences of wrongdoing.
9.3 Internal Audit Proficiency and Risk Management.
The role of internal audit is to provide objective assurance to those charged with governance and management on the adequacy and effectiveness of the risk management framework, help in improving the processes by which risks are identified and managed, help in strengthening and improving the risk management framework.
According to (Herdman 2002; Richards 2002; Bailey et al. 2003; Gramling et al. 2004; Carcello et al. 2005b; Deloitte 2005; Gadziala 2005), the internal audit function plays a unique and critical role in corporate governance by monitoring organizational risks and helping ensure financial reporting reliability.
Chris Jeffrey (2008) asked that, if an internal audit group does not clearly understand the industry, how could it decipher what the greatest risks to the organization were? In order to do all this, internal auditors need to be skilled and experienced on how risk management works. They also need to gain a better understanding of the key business risks and the impact they can have on the organization’s ability to build shareholder value (risk assessment). Internal auditors must also be able to assess the responses to key exposures and determine if those responses are sufficient or relevant (Gerrit and Ignace, 2006).
Spira & Page (2003), note that the recent corporate governance guidelines assume that risks can be objectively identified, quantified and thus strategically managed. Consequently, expertise in risk management techniques and knowledge about the internal control system become a source of power which enables internal auditors to advance and play an important role within their organization. Companies facing higher risk will increase their organizational monitoring through internal audit, providing evidence of the importance of the internal audit function (Colin et al, 2008).
Lastly, according to Ian & William, (2007), one external auditor commented that the internal audit profession had been trying to reposition itself over the last six or seven years from being relatively unfashionable function: “I’m not saying that it was just re-badging. They have been taking on new skills and repositioning themselves more as risk advisory/ management people”.
9.4 Internal Controls and Risk Management.
According to the new definition of internal controls by the Institute of Internal Auditors (IIA, 2007), controls do not exist in a vacuum and implies, rather, that controls exist to assist organizations in managing risk and promoting governance processes. A company’s system of internal controls has a key role in the management of risks that are significant to the fulfillment of its business objectives. It is important to note therefore, that a sound system of internal control provides reasonable, but not absolute, assurance that a company will not be hindered in achieving its business objectives by circumstances which may reasonably be foreseen.
Risk in a financial context is generally understood to be the potential for financial loss consequent on fraud and incompetence. Although it is widely understood that such risk can never be entirely eliminated, it is generally believed that a system of internal control will act as a deterrent to fraud and a protection against incompetence (Spira & Page, 2003). Gerrit & Ignace, (2006), noted that internal controls are only one of the means to manage key organizational risks. Other devices used to manage risks include the transfer of risks to third parties, sharing risks and the withdrawal from unacceptably risky activities.
9.5 Risk Management and Corporate Governance
From an agency perspective, the importance of strong governance stems from the need to align the interests of management with other stakeholders in the firm in order to reduce agency costs (Cohen et al., 2002). One of corporate governance mechanisms that can be used to monitor management’s behaviour is internal audit (Davidson et al., 2005). Internal auditors are certainly exhorted in the professional literature to embrace the opportunity to contribute to the achievement of corporate objectives through risk management (Gerrit & Ignace, 2006).