Victor H Garcia, President and CEO of VHG Consulting, based in Orlando, Florida, US, was in Oman recently to provide a tailor-made audit teaching programme for the internal auditors of a large local organisation. He has over 17 years of experience in accounting and external and internal auditing, having worked with some of the big names in the profession. Garcia served many years with The Institute of Internal Auditors, an international professional association with global headquarters in Florida, US and known as the internal audit profession’s global voice with more than 180,000 members worldwide. Garcia is currently the owner of his own consultancy firm that provides services in the areas of governance, risk and compliance, internal controls, internal audit and other related areas. Afshan Patel met up with him to delve into his thoughts on the new developments and their impacts on the profession of internal audit today.
Please share with us your professional background, what your organisation does and where across the globe you provide your services?
I was working with the Institute of Internal Auditors (IIA) from 2005 to 2010 delivering training and managing relationships with IIA chapters around the world, mainly the Spanish and Portuguese speaking world. Before that I was working as an auditor and in 2010 I decided to set up my own consultancy firm. We provide consultancy services and training in various areas including risk management, internal control, fraud prevention and of course internal audit. We provide these services to any English, Spanish or Portuguese speaking jurisdictions.
How have you seen the profession of internal audit evolve over the last 10 years?
I have seen a dramatic change in the profession especially after the year 2000. Following the Enron and the WorldCom scandals there has been an increase in the importance the business world has accorded to the function of internal audit. It is increasingly seen as a function to help management better understand and manage their risks, to ensure that the controls put in place by management are functioning properly to help mitigate risk. The issuance of the Sarbanes Oxley act, the COSO Enterprise Risk Management, the ISO 31000 standard have all contributed to catapult the profession into an area of organisational importance worldwide. Companies are realising that they would like to have someone give them the assurance over the system of internal controls to help them better manage the risks that they are facing every day.
What are the challenges facing the internal audit function and the community of internal auditors?
Internal auditors need to start looking at ways to help management with strategic risks. Traditionally our focus as internal auditors has been on the present and the short term. Management on the other hand is focused on the long term. With a short term perspective you look at threats rather than opportunities. Internal auditors need to provide added-value in terms of looking at opportunities over the longer term to help management realise opportunities and better manage the internal controls into the future. Internal auditors can help management realise opportunities and not just mitigate threats. As an example one could say that internal auditors could look at risks from competition, risks of organisational continuity, dependence or reliance on single or limited suppliers or customers in addition to operational and functional risks.
Currently internal auditors have neither the time budgeted nor the mandate to look at strategic risks.
I think it’s a matter of looking at it from the point where internal auditors begin their work. They begin their work with their risk assessment. It is here that they can include a perspective on strategic risk assessment. By doing this, they can send a strong message to management that they are capable and willing to help management in the long-term and look into the controls that need to be put in place to help management identify and mitigate strategic risks. When internal auditors look at their audit universe and identify their auditable units they should propose to look at strategic risks facing the organisation. If you can tie your risk assessment to a period greater than one year and look at strategic risks, this will definitely be an added-value to management. Eventually your audit programme and risk assessment go to the audit committee and get approval from them. So if you have added the perspective on strategic risk assessment, you will receive your mandate once it is approved by the audit committee and the board.
I think the internal audit community understands quite well that they do not proceed in their assignments with the objective of looking out for fraud. Yet a responsibility is cast on them to be aware of any circumstances that may raise the suspicion of the existence of fraud. Kindly share some practical tips that internal auditors can use to practice this balance of not proceeding with a magnifying glass while keeping their antennae up?
The Standard series 1200 issued by The IIA, specifically Standard 1210.A2, mentions that internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organisation, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. These standards represent the starting point that internal auditors must follow when looking into possibilities of identifying certain events that may lead them to believe that fraud may have occurred in an organisation. It is within the scope of the internal audit to identify the potential risk events that might lead to potential fraud situations. In addition, Standard 2120.A2 mentions that the internal audit activity must evaluate the potential for the occurrence of fraud and how the organisation manages fraud risk; therefore there is a responsibility cast on internal auditors to consider the risk of fraud in their enterprise risk assessment, as mentioned here. Standard 2210.A2 mentions that internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives. That is important because nowadays, anywhere in the world, the risk of fraud is always present. The new COSO 2013 framework makes a specific reference to fraud and the things that need to be considered when performing an evaluation of the system of internal controls regarding fraud.
COSO, IAASB and now ISO 31000 seem to be working in a similar space. All three have their frameworks. Are they not stepping over each other’s toes and doesn’t so much regulation/guidance actually lead to confusion and hamper focus and direction?
I don’t see an overlap. Each standard setting organisation is contributing to the betterment of the processes within the organisation. IAASB is focusing on the standards for audit and assurance assignments with respect to financial information. COSO is focusing more on improving internal controls and the internal control environment which will eventually prevent the occurrence of fraud. And now we have the ISO organisation that jumped into the risk management arena with the issuance of ISO standard 31000 which focuses on risk management. In fact, I feel that there is a very nice complement. They can very nicely operate all together. Organisations can utilise the benefits from the standards and the guidance in improving the overall processes in the organisation. The difference with ISO 31000 from other ISO standards is that ISO 31000 is not certifiable. An organisation cannot claim that it is ISO 31000 compliant. This standard only provides guidance on risk assessment and management.
The external audit reports state that audits are conducted in accordance with international standards on auditing. Some internal audit reports may mention compliance with standards or guidance frameworks, but many do not. Do you think internal audit reports should start mentioning whether COSO guidelines have been followed?
There are sets of standards for the practice of internal auditing issued by The IIA that specifically mention the use of the phrase “Conforms with the International Practice of Internal Auditing”. According to Standard 1331 the chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of internal auditing only if the results of the quality assurance and improvement programme support this statement. So when you issue your internal audit reports you must include a disclosure stating whether you comply with the standards for the practice of internal auditing according to Standard 1331. The problem is that not all organisations have gone through a quality assurance and improvement programme and therefore they cannot include this statement, as they need to comply with all standards, including those related to the quality assessment review. This is different from what external auditors have to report because their reports are public reports. The external auditor has a requirement to issue an opinion on the effectiveness of internal controls. That opinion is based on the tests that they do, and sometimes they work with internal auditors and sometimes they could rely on the work internal auditors have done. An important point to mention here is that the new COSO 2013 framework requires that the external auditors include in their external reports what version of the COSO framework the organisation is using; whether the organisation is basing its internal control framework on COSO 1992 or COSO 2013.
Therefore there are two requirements. Internal auditors should mention in their report that they have conducted their internal audit based on the standards of the professional practice of internal audit and the external auditors have to issue an opinion on the effectiveness of the internal controls and they need to include a reference to which internal control framework the organisation is using. However, this requirement will become applicable from December 15, 2014 onwards.
What are the ethical issues to think about at each of the levels in an organisation – board, management and internal auditors?
We had the COSO framework since 1992 and that didn’t prevent the financial scandals of 2002, it didn’t prevent the financial crisis of 2008 and it is certainly not going to prevent any future events of fraud. Internal control is a process affected by people and designed to provide reasonable assurance on the achievement of the objectives of the organisation in three categories: operations, reporting and compliance. When you get people involved you lose the element of infallibility. You cannot provide an absolute assurance. That’s why internal and external auditors express their opinions with reasonable assurance.
A very important factor to consider is the ‘tone at the top’. What are the messages top management is sending all the way down throughout the organisation in regard to ethics? You could have all the rules and regulations, the best code of ethics, a very nice and well-thought code of conduct, and various procedures, but if you are not sending the right message with regard to ethics to all your people then all the internal controls you have in place are going to be much less effective. When the message sent from the top is one of integrity and ethical values, this will most likely flow throughout the organisation in every direction, allowing the board to carry out its governance oversight responsibilities. Therefore, the resulting control environment has a pervasive impact on the overall system of internal control.
In terms of integrity and ethical behaviour, one of the main components of the COSO framework, and one that internal auditors don’t spend too much time on, is the ‘control environment’. The control environment helps us understand the integrity and ethical values of the organisation, the organisational structure and assignment of responsibility, the process for attracting, developing and retaining competent employees and the process of performance measures, all of which constitute the basis for a better ethical environment.
What are the features included in the new COSO Integrated framework 2013 that may be considered an improvement over the older framework?
In my opinion, there are three significant areas which may be considered as having an increased emphasis over the previous framework. The first one is that there is an added emphasis on technology. In today’s environment everything is flowing around technology and therefore the controls you have in place should take into consideration the impact of technology in your organisation. The need to have IT related controls is critical. As companies’ use of technology is increasing, the potential risks from technology-related activities that were not taken into consideration before need to be addressed.
Secondly, it is important to highlight the focus that COSO 2013 has given to fraud. It was not specifically mentioned in the previous framework, but now it is part of the regular risk assessment procedures that a company must undertake to identify the potential risks of fraud within the regular risk assessment. The third aspect that COSO 2013 improved greatly is related to the reporting objectives to include financial and non-financial information, unlike the previous framework that only focused on the reporting of financial information. Now, management and internal auditors need to take into consideration the internal financial and non-financial reporting as well as the external financial and non-financial reporting. These three elements contribute to making the work of the internal auditor a little more comprehensive, based on the new COSO 2013 framework.