TIAPS Module 1 Audit and Assurance workbook
Four foundational principles are at the heart of governance and are inter-related.

Value generation: Pursuit of purpose can be characterized as value creation, whether that value is financial, nonfinancial, or both. Public sector entities share a common purpose of serving the public good through the provision of direct and indirect services. In creating value, they must manage their financial and other resources. State-owned enterprises (e.g., publicly owned transportation, utilities, and broadcasting companies) may operate as commercial or quasi-commercial organizations and compete on that basis with their private sector counterparts but their purpose is still linked to public service and any profits generated are used to subsidize costs to the public or for investment in other public benefits.

Strategy: The purpose of an organization tends to be broad and may be satisfied in different ways. It is necessary to develop strategies for fulfilling the purpose by establishing and prioritizing goals and applying resources – which are always finite – accordingly. Strategy typically is formed within a long-term perspective over multiple years.

Accountability: As discussed in A.1, public officials are accountable in that they owe a duty of care to their stakeholders – employees, suppliers, service users, taxpayers, and citizens. That accountability needs to be realized through transparency and consequences. Being held to account means accepting responsibility for behaviors, decisions, and actions, and their ensuing impact, and receiving fair treatment on this basis.

Oversight: As a consequence of accountability, those charged with governance will both need and desire to exercise oversight. If you are going to be held to account, you will be expected to oversee – and will have a vested interest in overseeing – what is taking place and intervene as and when needed. Typically, a governing body is unable to observe all activity directly. It relies on reports from management, internal auditors, external auditors, and others. Members of the governing body will also ask searching questions to satisfy their responsibilities and wishes for exercising oversight.

These foundational principles of governance are enabled by the primary governance principles of leadership, stakeholder engagement, risk governance, the application of data to inform decision-making, and social responsibility, all with the intention of achieving viability and performance over time. Finally, in the ISO model the governance outcomes are defined as effective performance, responsible stewardship, and ethical behavior. Successful leadership and ethical leadership are regarded as co-dependents.

A.3.2 The IIA’s Three Lines Model

The 2020 Three Lines Model is an update of the well-known three lines of defense. In making the switch, the new model emphasizes the positive nature of governance, risk management, and internal control in supporting organizational success in addition to the defensive aspects to minimize negative impacts. The model also stresses the importance of all key elements working together rather than operating in silos.

Governance is described as comprising three types of roles:
• Accountability.
• Actions.
• Assurance.

Figure: IIA Three Lines Model

This does not imply these roles need to be fully disaggregated and often teams and individuals may have responsibilities combining two of these areas.

Accountability: The governing body is regarded as having ultimate accountability to stakeholders for all aspects of the organization and its people. It must engage with stakeholders to ensure clarity of purpose and provide honest reporting of performance, position, and prospects. The governing body is also responsible for ensuring management has the resources and structures needed to achieve the goals of the entity and manage risks effectively. Lastly, the governing body must ensure there is appropriate provision for independent assurance and advice through an internal audit function.

Actions: The chief executive officer (CEO) leads the execution of actions and application of resources in pursuit of organizational goals. In doing so, the CEO must take account of risk by enabling risk management and internal control. First line roles are those focused on providing products and services to clients as well as the enabling "back office" support. Second line roles (such as risk management, compliance, legal counsel, security, and financial control) are those with a specific focus on risk and control, providing senior management with specialist support, expertise, monitoring, and challenge on such matters. How resources and roles are allocated between first and