Segregation of Duties

Segregation of duties is critical to effective internal control because it reduces the risk of mistakes and inappropriate actions. It helps fight fraud by discouraging collusion and enhancing internal check. Segregation of duties is an Internal Control Concept in which individuals do not have responsibility for incompatible activities. In general, the following functions should be separated among employees:

• Approval
• Accounting/reconciling
• Asset custody

In other words one person should normally not participate in one or more than one function.

Transaction involve the following stages to complete

Initiate

Authorize

Record

Process

Reconcile

Handle Assets

Report

Segregation of duties is critical to effective internal control; it reduces the risk of both erroneous and inappropriate actions. In general, the approval function, the accounting/reconciling function, and the asset custody function should be separated among employees. When these functions cannot be separated, due to small department size, a detailed supervisory review of related activities is required as a compensating control activity. Segregation of duties is a deterrent to fraud because it requires collusion with another person to perpetrate a fraudulent act.

Specific examples of segregation of duties are as follows:

• The person who requisitions the purchase of goods or services should not be the person who approves the purchase.
• The person who approves the purchase of goods or services should not be the person who reconciles the monthly financial reports
• The person who approves the purchase of goods or services should not be able to obtain custody of checks.
• The person who maintains and reconciles the accounting records should not be able to obtain custody of checks.
• The person who opens the mail and prepares a listing of checks received should not be the person who makes the deposit.
• The person who opens the mail and prepares a listing of checks received should not be the person who maintains the accounts receivable records.

Segregation of duties becomes more important when the size of the organization grows considerably. In small organization it is possible to review most of the transaction by the owner or the top level management of the organization and may see little importance of segregation of duties. As the size of the organization grows, the importance of segregation of duties becomes more and more important. SOD has been observed as the bigger risk especially in the organization whose size is growing fast. It is mainly because SOD is balanced by deep review of top level management for all the critical transaction but when the size of the organization becomes larger it is virtually impossible to offer that level of deep review for those transactions. In such situation the management needs to review the roles of an employee seriously and attempt to minimize this risk. If management overlooks this matter sooner or later the management will have to encounter fraud related problem.

Roles and responsibilities in internal control

According to the COSO Framework, everyone in an organization has responsibility for internal control to some extent. Virtually all employees produce information used in the internal control system or take other actions needed to effect control. Also, all personnel should be responsible for communicating upward problems in operations, noncompliance with the code of conduct, or other policy violations or illegal actions. Each major entity in corporate governance has a particular role to play:
Chief executive officer (CEO): The CEO has ultimate responsibility and ownership of the internal control system. The individual in this role sets the tone at the top that affects the integrity and ethics and other factors that create the positive control environment needed for the internal control system to thrive. Aside from setting the tone at the top, much of the day-to-day operation of the control system is delegated to other senior managers in the company, under the leadership of the CEO.
Chief financial officer (CFO): Much of the internal control structure flows through the accounting and finance area of the organization under the leadership of the CFO. In particular, controls over financial reporting fall within the domain of the chief financial officer. The audit committee should use interactions with the CFO, and others, as a basis for their comfort level on the internal control over financial reporting.
This is not intended to suggest that the CFO must provide the audit committee with a level of assurance regarding the system of internal control over financial reporting. Rather, through interactions with the CFO and others, the audit committee should get a gut feeling about the completeness, accuracy, validity, and maintenance of the system of internal control over financial reporting.
Controller/director of accounting or finance: Much of the basics of the control system come under the domain of this position. It is key that the controller understands the need for the internal control system, is committed to the system, and communicates the importance of the system to all people in the accounting organization. Further, the controller must demonstrate respect for the system though his or her actions.
Internal audit: A main role for the internal audit team is to evaluate the effectiveness of the internal control system and contribute to its ongoing effectiveness. With the internal audit team reporting directly to the audit committee of the board of directors and/or the most senior levels of management, it is often this function that plays a significant role in monitoring the internal control system. It is important to note that many not-for-profits are not large enough to employ an internal audit team. Each organization should assess the need for this team, and employ one as necessary.
Board of director/audit committee: A strong, active board is necessary. This is particularly important when the organization is controlled by an executive or management team with tight reins over the organization and the people within the organization. The board should recognize that its scope of oversight of the internal control system applies to all the three major areas of control: over operations, over compliance with laws and regulations, and over financial reporting. The audit committee is the board's first line of defense with respect to the system of internal control over financial reporting. All other personnel: The internal control system is only as effective as the employees throughout the organization that must comply with it. Employees throughout the organization should understand their role in internal control and the importance of supporting the system through their own actions and encouraging respect for the system by their colleagues throughout the organization.

Control Issues and Limitation

Cost of controls

Costs of controls can include the price of physical safeguards, the value of additional hours of employee work incurred, your time, etc. The costs should be less than the benefits. Employee supervision is where most owner-operated businesses get this comparison wrong, particularly by assuming too low a benefit to a control over a long-term and trusted employee. It is not uncommon for the been-there-forever, taken-for-granted, almost-a-member-of-the-family employee to take advantage of the paternal way in which he or she is treated to loot the company blind.

Implementing controls

Proper control design and selection are only the first steps. The most important factors in making them work are communication and organization. Simply putting the controls in place won't guarantee their effectiveness.

Make sure that your people are aware of and understand the controls; and then find ways to influence their behavior so that they agree to respect them. Organization issues involved include the chain of command structure, cost constraints, job descriptions, and the company’s formal and informal feedback loops.

Every control system needs to be flexible and change as the company evolves. No system of internal controls can completely protect against all risks of theft. Keep in mind that risk is a matter of possibilities and probabilities, and therefore must involve the analysis of both positive and negative outcomes. An analysis of internal controls needs to consider the key risks facing the company, the company’s objectives, and the existing controls and procedures.

Employee motivation Perceived equity

Since it isn’t always possible to eliminate the opportunities for theft, attention should also be paid to the rationalization used by wrongdoers. Most cases of employee theft or misbehavior involve issues of perceived equity. Employees who perceive that they are not being treated fairly are much more prone to steal from their employer. It is important to be perceived as being fair, but not weak. Make sure all of your employees know what is expected of them, and treat everybody consistently. Avoid setting unreachable goals or creating other pressures to commit fraud, remove obstacles that block effective performance, and establish clear and consistent procedures with no exceptions.

Limitations:

Internal control can provide reasonable, not absolute, assurance that the objectives of an organization will be met. The concept of reasonable assurance implies a high degree of assurance, constrained by the costs and benefits of establishing incremental control procedures.

Effective internal control implies the organization generates reliable financial reporting and substantially complies with the laws and regulations that apply to it. However, whether an organization achieves operational and strategic objectives may depend on factors outside the enterprise, such as competition or technological innovation. These factors are outside the scope of internal control; therefore, effective internal control provides only timely information or feedback on progress towards the achievement of operational and strategic objectives, but cannot guarantee their achievement.

Internal control involves human action, which introduces the possibility of errors in processing or judgment. Internal control can also be overridden by collusion among employees (see separation of duties) or coercion by top management.

Preventive and Detective Controls

Controls can be either preventive or detective. The intent of these controls is different. Preventive controls attempt to deter or prevent undesirable events from occurring. They are proactive controls that help to prevent a loss. Examples of preventive controls are separation of duties, proper authorization, adequate documentation, and physical control over assets. Few Example of detective controls are given below:

• Obtaining pre-approval on actions or transactions before they can be processed
• Using document control numbers to make sure all transactions are accounted for
• Matching and comparing documents from different sources to ensure integrity
• Testing clerical accuracy
• Locks on doors and gates
• Physical controls over cash, checks, signature plates, and inventory
• Computer passwords, access controls, and file locks, to prevent unauthorized electronic access
• Computer backups for both audit trails and disaster planning
• Batch totals on data entry work
• Validating input data against established parameters to ensure accurate keypunching.
• Segregation of duties, well defined job descriptions and standards
• Job rotation, enforced vacations, etc., to reduce chances of long-term embezzlement schemes
• Employee screening and training programs
• Drug testing of employees and applicants

Preventive controls are subject to breakdown, with the biggest cause being individual circumvention. Sometimes it is malicious and sometimes it is well intentioned (we can get from one department to another easier if we prop the locked doors open, for example, or I can cut my data entry time by a third if I dummy my batch totals). In some companies physical controls are widely ignored – most major thefts of inventory happen in front of other employees who either assume that the thief is acting properly, or do not want to get involved.

Detective controls, on the other hand, attempt to detect undesirable acts. They provide evidence that a loss has occurred but do not prevent a loss from occurring. Examples of detective controls are reviews, analyses, variance analyses, reconciliations, physical inventories, and audits. Some Examples are:

• Enforcement of job descriptions and standards to keep employees acting as expected
• Supervisory review and sign-off of accounting work, expense reports, commission statements, payroll data, etc.
• Cycle counts of inventory
• Surprise cash counts
• Management review and approval of account write-offs
• Review of monitoring information and reports to ensure that controls are functioning as planned
• Exception reporting and resolution to highlight out-of-the-norm items
• internal audit
• Supervisory peer review

Comparison of actual results to budgeted or forecasted results

Detective controls tend to be less expensive and more reliable than the preventive controls discussed earlier, because they can often be applied over a large number of transactions in a short time.

If detective controls review less than 100 percent of a certain activity, their review has to be somewhat random. If cash drawers are “surprise” counted by management Mondays, Wednesdays, and Fridays (60 percent of all work days), the counts are predictable and cash skimming will most likely occur during the other days of the week. Random counts would tend to deter skimming because they are unpredictable.

Since fraud perpetrators either ignore or compromise the preventive controls in place, it is imperative that management perform its supervisory and monitoring functions. Do not be afraid to manage – people generally want and need both direction and feedback in order to feel satisfied with their work.

Like preventive controls, detective controls are also subject to breakdown. To minimize the chance of both types of control breaking down, it is important to design the controls so that they do not get subverted – control the right thing and make the control easy to follow, implement, monitor, and reinforce. Implement the control properly, monitor and evaluate any feedback related to the control, and whenever possible, tie controls to incentive systems.

Both types of controls are essential to an effective internal control system. From a quality

Point, preventive controls are essential because they are proactive and emphasize quality.

However, detective controls play a critical role providing evidence that the preventive controls are functioning and preventing losses.

Control activities include approvals, authorizations, verifications, reconciliations, reviews of performance, security of assets, segregation of duties, and controls over information systems.

Internal Control Objectives

Internal Control objectives are desired goals or conditions for a specific event cycle which, if achieved, minimize the potential that waste, loss, unauthorized use or misappropriation will occur. They are conditions which we want the system of internal control to satisfy. For a control objective to be effective, compliance with the control activities must be measurable and observable.

Control activities are the policies and procedures that help ensure management directives are carried out and these are designed in such a manner that it achieves the control objective. Effectiveness of control objective solely depends upon the effective design of control activities to address the need of control objective.

The control objectives include authorization, completeness, accuracy, validity, physical safeguards and security, error handling and segregation of duties.

Authorization

The objective is to ensure that all transactions are approved by responsible personnel in accordance with specific or general authority before the transaction is recorded.

Completeness

The objective is to ensure that no valid transactions have been omitted from the accounting records.

Accuracy

The objective is to ensure that all valid transactions are accurate, consistent with the originating transaction data and information is recorded in a timely manner.

Validity

The objective is to ensure that all recorded transactions fairly represent the economic events that actually occurred, are lawful in nature, and have been executed in accordance with management's general authorization.

Physical Safeguards & Security

The objective is to ensure that access to physical assets and information systems are controlled and properly restricted to authorized personnel.

Error handling

The objective is to ensure that errors detected at any stage of processing receive prompt corrective action and are reported to the appropriate level of management.

Segregation of Duties

The objective is to ensure that duties are assigned to individuals in a manner that ensures that no one individual can control both the recording function and the procedures relative to processing the transaction.

A well designed process with appropriate internal controls should meet most, if not all of these control objectives.

Component of Internal Control

Internal Control consists of five interrelated component. Internal control systems operate at different levels of effectiveness. Determining whether a particular internal control system is effective is a judgment resulting from an assessment of whether the five components - Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring - are present and functioning. Effective controls provide reasonable assurance regarding the accomplishment of established objectives.

Control environment:
It is an overall attitude of the management towards the existence and effectiveness of control.The control environment is the control consciousness of an organization. It is the atmosphere in which people conduct their activities and carry out their control responsibilities. An effective control environment is an environment where competent people understand their responsibilities, the limits to their authority, and are knowledgeable, mindful, and committed to doing what is right and doing it the right way. They are committed to following an organization's policies and procedures and its ethical and behavioral standards.
The control environment encompasses technical competence and ethical commitment; it is an intangible factor that is essential to effective internal control.
A governing board and management enhance an organization's control environment when they establish and effectively communicate written policies and procedures, a code of ethics, and standards of conduct. Moreover, a governing board and management enhance the control environment when they behave in an ethical manner-creating a positive "tone at the top"—and when they require that same standard of conduct from everyone in the organization.
Leaders of each department, area or activity establish a local control environment. This is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include:
· Integrity and ethical values;
· The commitment to competence;
· Leadership philosophy and operating style;
· The way management assigns authority and responsibility, and organizes and develops its people;
· Policies and procedures

Risk Assessment:
Risk is an uncertainty associated with an event the outcome of which could adversely affect the attainment of organization objective. Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economics, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.
Objectives must be established before administrators can identify and take necessary steps to manage risks. Operations objectives relate to effectiveness and efficiency of the operations, including performance and financial goals and safeguarding resources against loss. Financial reporting objectives pertain to the preparation of reliable published financial statements, including prevention of fraudulent financial reporting. Compliance objectives pertain to laws and regulations which establish minimum standards of behavior. The process of identifying and analyzing risk is an ongoing process and is a critical component of an effective internal control system. Attention must be focused on risks at all levels and necessary actions must be taken to manage. Risks can pertain to internal and external factors. After risks have been identified they must be evaluated.
Managing change requires a constant assessment of risk and the impact on internal controls. Economic, industry and regulatory environments change and entities' activities evolve. Mechanisms are needed to identify and react to changing conditions.

Control Activities
Control activities are actions, supported by policies and procedures that, when carried out properly and in a timely manner, manage or reduce risks. In other words Control activities are the policies and procedures that help to ensure management directives are carried out. They help in ensuring that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels, and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
Who is Responsible? In the same way that managers are primarily responsible for identifying the financial and compliance risks for their operations, they also have line responsibility for designing, implementing and monitoring their internal control system.
Control activities usually involve two elements: a policy establishing what should be done and designing procedures to implement the policy. All policies must be implemented thoughtfully, conscientiously and consistently.

Information and Communication
Pertinent information must be identified, captured and communicated in a form and time frame that enables people to carry out their responsibilities. Effective communication must occur in a broad sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream.
Reliable and relevant information from both internal and external sources must be identified, captured, processed, and communicated to the people who need it--in a form and timeframe that is useful. Information systems produce reports, containing operational, financial, and compliance-related information that makes it possible to run and control an organization.
Information and communication systems can be formal or informal. Formal information and communication systems--which range from sophisticated computer technology to simple staff meetings-should provide input and feedback data relative to operations, financial reporting, and compliance objectives; such systems are vital to an organization's success.
When assessing internal control over a significant activity (or process), the key questions to ask about information and communication are as follows:
Does our department get the information it needs from internal and external sources in a form and timeframe that is useful?
Does our department get information that alerts it to internal or external risks (e.g. legislative, regulatory, and developments)?
Does our department get information that measures its performance-information that tells the department whether it is achieving its operations, financial reporting, and compliance objectives?
Does our department identifies, capture, process, and communicate the information that others need (e.g., information used by our customers or other departments)-in a form and timeframe that is useful?
Does our department provide information to others that alerts them to internal or external risks?
Does our department communicate effectively--internally and externally?

Information and communication are simple concepts. Nevertheless, communicating with people and getting information to people in a form and timeframe that is useful to them is a constant challenge. When completing a Business Controls Worksheet for a significant activity (or process) in a department, evaluate the quality of related information and communication systems.

Monitoring
Monitoring is the assessment of internal control performance over time; it is accomplished by ongoing monitoring activities and by separate evaluations of internal control such as self-assessments, peer reviews, and internal audits. The purpose of monitoring is to determine whether internal control is adequately designed, properly executed, and effective. Internal control is adequately designed and properly executed if all five internal control components (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring) are present and functioning as designed. Internal control is effective if management and interested stakeholders have reasonable assurance that:
They understand the extent to which operations objectives are being achieved.
Published financial statements are being prepared reliably.
Applicable laws and regulations are being compiled.
While internal control is a process, its effectiveness is an assessment of the condition of the process at one or more points in time. Just as control activities help to ensure that actions to manage risks are carried out, monitoring helps to ensure that control activities and other planned actions to effect internal control are carried out properly and in a timely manner and that the end result is effective internal control.
Ongoing monitoring activities include various management and supervisory activities that evaluate and improve the design, execution, and effectiveness of internal control. Separate evaluations, on the other hand, such as self-assessments and internal audits, are periodic evaluations of internal control components resulting in a formal report on internal control. Department employees perform self-assessments; internal auditors who provide an independent appraisal of internal control perform internal audits. Management's role in the internal control system is critical to its effectiveness. Managers, like auditors, don't have to look at every single piece of information to determine that the controls are functioning and should focus their monitoring activities in high-risk areas. The use of spot checks of transactions or basic sampling techniques can provide a reasonable level of confidence that the controls are functioning as intended.

Internal Control

• If company owners did all the work themselves, assuming they always acted in their own best interest, there would be virtually no loss from internal theft, unreliable financial reporting, non-compliance with applicable laws and regulations, or inefficient use of resources.
  As soon as you hire employees or outside contractors, you introduce those losses, or at least the risk of those losses. To control that risk, the owners then need to set goals and objectives for employees to strive for, define tasks, identify and quantify risks, establish policies, set boundaries, monitor progress, and take corrective action when needed.
  Control what?
  
  Before designing a system of internal controls, it is important to understand what needs to be controlled. This involves identifying risks and the potential cost of each risk. Determine how often you expect each type of loss would likely occur, and what the cost per occurrence is likely to be. Multiply these two numbers together to get the total loss potential for each type of loss. Later you will compare loss potential with the cost of controls, in order to do a cost-benefit analysis and make sure controls don’t cost more than the potential losses they are designed to prevent.
  
  Meaning:
  
  The systems used by a company to minimize the risk of loss are known as internal controls. Internal control is the responsibility of both directors and managers of the company.
  
  Internal Control System is system of controls, both financial and non-financial, set up by the management of an organization to carry out the function of the company in an orderly and efficient manner. The system should ensure that management policies are adhered to, assets are safeguarded, and the records of the company's activities are both complete and accurate. In other words, internal control is defined as a process established by an organization's structure, work and authority flows, people and management information systems, designed to help the organization accomplish specific goals or objectives. It is a means by which an organization's resources are directed, monitored, and measured. It provides reasonable assurance of
  Effectiveness and efficiency of operations,
  reliability of financial reporting, safeguarding of assets,
  reliability and integrity of information assets and
  Compliance with policies, procedures, laws and regulations.
  
  Internal control is a process; it is means to an end and not an end itself:
  Internal control assists in achieving the organizational goal in more systematic and organized manner. Organisation aim to maintain good internal control to achieve its objective, off course maintaining the sound internal control system alone will not achieve its objective, it is one of the effort organization has to make in order to reach its goal.
  
  Effective internal control helps an organization achieve its operations, financial Reporting and compliance objectives:
  Effective internal control is a built-in part of the management process (i.e., plan, organize, direct, and control). Internal control keeps an organization on course toward its objectives and the achievement of its mission, and minimizes surprises along the way. Internal control promotes effectiveness and efficiency of operations, reduces the risk of asset loss, and helps to ensure compliance with laws and regulations. Internal control also ensures the reliability of financial reporting (i.e., all transactions are recorded and that all recorded transactions are real, properly valued, recorded on a timely basis, properly classified, correctly summarized and posted).
  
  People at every level of an organization affect internal control:
  Internal control is affected by people; it’s not merely policy, manual, and forms, but people at every level of the organization. In other words the traditional understanding of internal audit limited to policy, manual and forms no longer support achieving business objective in today’s complex and dynamic challenging work environment. In the present context every people of the organization is part for effective internal control.
  
  Internal control can provide only reasonable assurance - not absolute assurance -regarding the achievement of an organization's objective:
  Plenty of stakeholders and managers still believe that implementation of internal control gives them absolute assurance relating to effectiveness and efficiency of their operation to entity’s management and other stakeholders; this concept has to be clarified so that over reliance on internal control can be prevented. The stakeholders must be educated that the existence of internal control does not give absolute assurance to the business. The internal control merely gives reasonable assurance to the business. Off course Effective internal control helps an organization achieve its objectives; it does not ensure success. There are several reasons why internal control cannot provide absolute assurance that objectives will be achieved: cost/benefit realities, collusion among employees, and external events beyond an organization's control.
  
  
  
  
  
  

Internal Audit-Defination

The globally accepted body the IIA defines Internal Audit as an an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Investorwords, a business dictionary defines internal audit as an ongoing appraisal of the financial health of a company's operations by its own employees. Employees who carry out this function are called internal auditors. During an internal audit, internal auditors will evaluate and monitor a company's risk management, reporting, and control practices and make suggestions for improvement. Internal auditing covers not only an organization's finance function, but all the operations and systems in a firm. While internal auditors are typically accountants, this activity can also be carried out by other professionals who are well-versed with a company's functions and the relevant regulatory requirements.
Moreover, internal auditing is an independent professional service, to serve not just management but the whole organisation and its stakeholders. This means that the internal auditing customer base includes all stakeholders including employees, suppliers, customers, investors, external auditors etc.
Internal audit is a progressive division within the Resources Directorate. We provide independent assurance on the adequacy of risk management, control and governance to the Board of Directors. We undertake this by carrying a programme of audits throughout the authority, and provide advice and assistance to managers at all levels on a range of audit related matters such as risk management, internal control, corporate governance and project / programme management.
Careful analysis of the definition of Internal Audit given by IIA clearly shows two important functions of the Internal Audit mainly assurance and consulting.
The assurance role of the internal audit function mainly require the auditors to give assurance to the stakeholders around adequacy and effective functioning of risk management, control and governance processes.
The consulting roles of Internal Audit specially helps management through its technical knowledge and experience to improve the adequacy and effectiveness functioning of risk management, control and governance processes by partnering with management in designing effective system.
Normally it is found that IA put consulting role more in small organisation or organisation where risk management, control and governance roles are poor. Furthermore, if we observe the normal audit report we will found two part in the report the first part focus on assurance and recommendation part mainly focus on consulting role of internal audit.

Internal Audit Profession-Brief History

Most of us have been doing Internal Auditing and providing wonderful support to achieve the organisational objectives. But it is very much possible that we do not know the history of evolution of the profession. In order to give a brief insight on the subject matter, research was done and following findings were observed.
The practice of internal audit was first formally described in 1938, with the foundation of the Institute of Internal Auditors (IIA),with booming growth of business size and structure it was felt that many businesses did not have appropriate controls in place to permit full achievement of their strategic objectives.
Initially, the IIA comprised only three accountants and a secretary. Early work proved surprisingly successful in convincing the Executive Board of IBM that they should spend vast amounts of money having some complete stranger tell them they needed to sign and date all reports to confirm they had been reviewed. Initial fees were in the order of $700 (worth $12bn at today’s prices). These funds were shrewdly invested, by means of a blind trust, to yield an income equivalent to that of a small (well-controlled) country.
In 1939, the Nazi Party were the first government to recognise the importance of having a well-controlled mechanism for running an evil, world-conquering regime. The IIA were contracted to undertake a series of efficiency reviews in the early weeks of World War II.
However, Heinrich Himmler failed to authorise a proper scope for the work, with the inevitable result that everything became subject to a series of "Value for Money" reviews. Even the Gestapo operated under the cloak of fear that, one day, a pleasant-but-determined auditor might demand to see a complete breakdown of the number of traitors who had been interrogated and, hence, reports on the number successfully converted to patriots.
During the next six years, the IIA became the most feared body in the world, consuming resources and eventually crushing fascism into the ground by demanding to current authorised signatory lists relating to the Holocaust and undertaking regular stock takes at the Eastern Front.
Eventually, the ever-increasing need to comply with interim internal audit reports ensured that the war machine ground to a halt. The Allied Forces, apparently unconcerned with appropriate document retention strategies or enforcing segregation of duties amongst senior managers, swept across Europe and introduced democracy. They also introduced an interesting range of sexually transmitted diseases, but that's not important when freedom is at stake.
With the final report on World War II, a total of 6,395 management action points were raised to enhance controls in the remnants of Germany. The resulting emergence of Europe as a global economic power has since been touted as the greatest success of internal audit in terms of adding value.
During the dark years of the 1960s and 1970s, a number of rival organisations began to challenge the professional standards and objectivity of the IIA. These included such organisations like The Institute of Chartered Accountants in England and Wales, EDP Auditors Association (now known as the Information Systems Audit and Mind Control Association); Auditing Practices Board; The "Real" IIA (a radical splinter faction of the original IIA); and Audit Bureau of Circulation.
To this day, regular street rumbles take place as the various bodies try to establish their supremacy above the others as the de facto providers of high quality, accessible and professional management assurance. Common weapons include slide rules, adding machines and cocktail sticks.
After the world war II, different management philosophy were evolved as growth and expansion was continuously increasing making the business process more complex and fast changing. This made it increasingly difficult for organizations to maintain control and operational efficiency. The shift to a war economy further expanded organizations' responsibilities for scheduling, availability of materials and laborers, compliance with government regulations, and an increased emphasis on cost finding. The Internal Auditing profession evolved steadily with the progress of management science after World War II. It is conceptually similar in many ways to financial auditing by public accounting firms, quality assurance and banking compliance activities. Much of the theory underlying internal auditing is derived from management consulting and public accounting professions.
Management found it impossible to visually observe all of the operating areas in their respective areas of responsibility or to have sufficient personal contact with individuals who directly or indirectly reported to them. In seeking ways to deal with these new problems, management appointed special staff people to review and report on what was happening and to probe for the why. These people came to be known as "internal auditors."
The internal audit function varied greatly as to the number of people assigned to perform it and in the scope and nature of the work being done. In some organizations, internal auditors were used to check on routine financial and operational activities with a heavy emphasis on compliance, security, and detection of fraud. In others, internal auditors were given higher levels of status and were asked to analyze and appraise more substantive financial and operational activities.
As the profession evolved, a number of internal auditors began pushing vigorously for greater understanding and recognition of their function, and began to develop contacts and relationships with professionals in other organizations in an attempt to share problems and to advance their common interests. With the implementation in the United States of the Sarbanes-Oxley Act of 2002, the profession's growth accelerated, as many internal auditors possess the skills required to help companies meet the requirements of the law.
Sources: The IIA, WIKI and other online journals