OVERVIEW
Objective
To describe the role, scope and functions of internal audit and the nature and extent of
internal review assignments.
Session outline:
INTERNAL AUDIT: Definition; Relationship between external and internal auditors; Scope of work; Approach to assignments; Assessing need for function; Outsourcing
RISK MANAGEMENT
ASSIGNMENTS
REPORTS: Primary purposes; Reporting arrangements; Structure; Timing; Example
Related sessions: CORPORATE GOVERNANCE (Session 3); BUSINESS RISK, INTERNAL CONTROL (Session 8)
INTERNAL AUDIT
1.1
Definition
This definition usefully outlines the relationship between internal audit and the
management of an entity. Key elements that have not been covered elsewhere within the
study system are:
Add value: Organizations exist to create value or benefit to their owners, other
stakeholders, customers, and clients. Value is provided through:
When gathering data to understand and assess risk, internal auditors gain insight
into operations and opportunities for improvement that can be beneficial to the
organization.
Control is any action taken by management, the board, etc to enhance risk
management and increase the likelihood that established objectives and goals will
be achieved.
1.2
1.2.2 Internal
Role
Required by
Statute (typically).
Appointed by
Reports to
Reports on
Forms opinions on
External
Internal
Status
Qualification
Scope of assignment
Conduct of audit
1.3
Scope of work
Understand the key business risks (including fraud) and assess the adequacy of the
processes by which these risks are identified, evaluated and managed (see Section 2);
Review the sufficiency of the information, and the adequacy and operation of controls,
used to manage those risks;
Assess the reliability and integrity of key financial and operating information, and the
means used to identify, measure, classify and report such information;
Review the processes and systems to ensure adherence with those policies, plans,
procedures, laws and regulations which could have an impact on the company, and
determine whether it is in compliance therewith;
Review the means of safeguarding assets and other key resources, especially
information in hard copy or on computer systems, including business contingency plans
and the security of computer systems;
Monitor corrective action plans to ensure that management implement them promptly
and effectively;
Advise management on cost effective controls for new systems and activities; and
Liaise with those charged with governance (eg the audit committee) and the external
auditors (as necessary).
1.4
Approach to assignments
The general framework in which internal auditors will approach their assignments is
not that dissimilar to the approach used by external auditors.
Both require terms of reference: the external auditor within the letter of engagement,
the internal auditor within the scope of instructions given by management/audit
committee.
Both need to understand the entity, its environment and internal control. In particular,
the internal auditor will need to cover all controls (not just financial) that are relevant to
their assignment.
Both will need to plan and document their work. Materiality, risk assessments,
sampling, analytical review and use of CAATs (especially in systems heavily reliant on
information technology) are all aspects of the internal auditor's planning and work
procedures.
Both apply strong quality control procedures (e.g. IAASB and IIA requirements).
Both will report on their work, although (as noted above) the nature and format of the
reports are different.
1.5
the views of, and representations from, executive directors and senior managers;
the views of other employees through (say) a self-assessment process;
results of management's internal confirmation procedures;
regular information on financial and operational matters;
performance indicators;
early warning mechanisms;
external auditors' management letters;
reports of any relevant external regulators;
reports (if any) from relevant internal compliance functions.
In such cases there may be no immediate need for an internal audit function.
In particular, when a company becomes listed, the demands placed on management for
transparency and effective running of the business by the stakeholders are significantly
increased.
1.5.1
Key issues
As many stock exchanges require listed companies to operate internal control functions
(or explain why they do not in their annual reports) the key issues to consider may
mainly relate to larger, unlisted entities.
identify and monitor the significant risks facing the company; and
confirm the effective operation of the established internal control systems?
With ever increasing pressures on management at all levels, can those who are
responsible for managing risks and operating controls always take a wholly
objective and systematic view of their own performance?
Does the board receive the right quality of assurance and information from
management and is it reliable?
Example 1
Suggest additional matters that directors might consider when assessing the
need for an internal audit function.
Solution
1.5.2
The board needs to obtain assurances that its risk and control processes are effective.
Management, internal audit and others may provide such assurance. Objective
assurance and advice is provided by an internal audit function, thereby assisting the
board and senior management with their stewardship responsibilities.
Boards, audit committees and senior management now recognise that what is of
relevant value to their business is the internal auditors':
skills and experience (e.g. in independently reporting on their findings and making
recommendations to improve effectiveness of the processes).
1.6
Outsourcing
Outsourcing internal audit has increased as the need for internal audit has increased
(e.g. to better meet requirements of corporate governance):
Small companies may outsource because they do not have the resources to set up
their own department.
Larger companies may decide that resources are best used elsewhere and not invest
in this non-core (though essential) area.
Such services are offered by specialised internal audit providers as well as the global
and other accounting firms.
1.6.1
Factors to be considered
What to outsource?
What (and/or who) to retain? The head of internal audit may be retained as an
employee (to keep a high level responsibility within the company).
Terms of reference:
1.6.2
Costs: A company with an in-house internal audit service must pay salaries, training
and overheads. Whilst the contractor's fees will also be set to cover these, there may be
economies of scale. The company would only pay for resources when required and so
overall the total cost may be cheaper.
Consistency with external audit: There may be greater consistency in approach between
the internal and external auditors. This may mean external audit can place more
reliance on internal audit work (see Session 34) and hence the company would benefit
from a lower external audit fee.
Skills: Contracting-out internal audit allows the company to bring in new skills.
External providers will have wider experience gained by auditing other companies.
New techniques: Both the internal and external audit markets are very competitive. This
encourages firms to develop new techniques which are more efficient and effective.
Contracting out gives the company access to these techniques without a high level of
investment.
Management time: Management time and resources can be freed to concentrate on core
areas of the business instead of peripheral ones.
Liability: Legal action may be brought against an external service provider if their
standards are not acceptable.
1.6.3
Skills: An external contractor may lack the specialist skills relevant to a particular
company which an in-house service will possess. Once a contractor is brought in, these
skills may be lost forever.
Constraints on service: The service provider will need to act in accordance with the
terms of reference. This may mean they are unable to follow up suspicious
circumstances outside their duties without first seeking permission from the company
and re-negotiating the terms of reference.
Conflicting reporting lines: Internal audit should report to the audit committee or board
of directors. However, as an employee of the audit firm the auditor may be expected to
report to the partner. The audit firm will be responsible for issues such as promotion
and training and therefore they need to monitor internal audit staff.
Expectation gap: An expectation gap has existed for external audit for many years. If
the profession cannot meet public expectations for a narrow role which is defined by
statute, can they meet management expectations for a wider role? The company may
discover too late that they are not getting what they want. If a contract has been agreed
it may be difficult to change.
Standard of service: Once an external provider has secured the contract, the level of
service provided may fall. The audit committee/board of directors must monitor and
ensure that the quality of staff provided is satisfactory and work is completed according
to the terms of reference.
Corporate culture: Contracting out any service involves a change to corporate culture.
Unless managed sensitively, outsourcing may lower employee morale, reduce
performance, generate a negative cultural impact and create permanent job insecurity.
1.6.4
Skills: The service provider must have the appropriate skills and expertise to undertake
the internal audit role. Whilst there are overlaps between internal and external audit,
internal audit usually fulfils a wider role.
Staff management: Undertaking internal audit functions may improve staff management
where the service provider is an audit/accountancy practice. Internal audit work may
be conducted during slacker times when there are fewer external audit engagements.
However, internal audit must not be a lower priority.
Effect on external audit: Although there are overlaps, the roles of internal and external
audit are different. If both roles are performed by the same firm the distinction could
become blurred. This could lead to a reduced level of service overall and a lower level
of credibility being attached to the external auditor's report. (See Session 4 re ethical
issues for the external auditor.)
1.6.5
Independence issues
Drawbacks: The external provider could become dependent on the client. The risk is
perceived to be particularly great where the internal auditor is the external auditor.
1.6.6
Restrictions
Although there are no legal restrictions on the outsourcing of internal audit to a third-party
service provider, legal and/or ethical standards may restrict this practice to
prevent external auditors from acting in client roles. For example, statutory auditors are
precluded from serving as internal auditor to clients whose financial statements they
certify in many countries (e.g. US, France, India, Italy, New Zealand and Norway).
2.1
Business risk and risk management were discussed in Session 8. Fraud was discussed in
Session 11.
2.1.1
Assurance role
The assurance role of internal audit is to deliver assessments of the adequacy and
effectiveness of the processes by which risks are:
such that the residual risks are recognised by, and are clearly acceptable to, the board.
2.1.2
Risk management is not the responsibility of the internal audit function. Many large
organisations have separate risk management functions.
Internal audit's job may be to assist that function or the board by:
helping improve the processes by which risks are identified and managed;
helping strengthen and improve the risk management and internal control
framework.
act as facilitators, guiding managers and staff through a self-assessment process
(e.g. by leading workshops);
relevant;
meaningful; and
timely.
to facilitate decision-making;
Internal audit has a role to play providing relevant information to alert the board and
senior management to exceptions or other warning signals.
OTHER ASSIGNMENTS
3.1
3.1.1
The 3 Es
VFM has been prominent in the public sector (e.g. in the UK) since the 1980s when
audit was narrowly interpreted as a financial audit.
Economy
Resources
Inputs
Process
Outputs
Efficiency
VFM audits are carried out to ensure that corporate resources, shareholders' funds and
taxpayers' contributions are not wasted. However, the VFM audit process may or may
not be empowered to question whether the objectives set were justified.
Very often a benchmark is required. VFM can only be judged by comparison (external
or internal eg between departments or divisions). Present methods of operation and use
of resources must be compared with alternatives to see if value for money is being
obtained.
3.1.2
The head of internal audit is responsible for conducting VFM reviews and for
comparisons between functions and across time. Internal audit can report (for example)
on:
Line management should take responsibility for implementing the VFM review,
although very often the responsibility remains with the head of internal audit. They
will be responsible for implementing the recommendations from a VFM review.
3.1.3
Advantages of VFM
Management attention is focused on economy and efficiency but this is tempered by the
need for effective performance.
It should eventually lead to self measurement with audit only used to compare
performance between business units on an objective basis.
Although VFM audit is often used to promote cost savings, it can also be used to
identify revenue opportunities.
3.1.4
Disadvantages of VFM
Economy and effectiveness are often opposed, eg saving money may result in the need
for lower quality. This is often overcome by treating one element as fixed, eg achieving
savings based on an agreed quality level.
It is difficult to create a balance between short term and long term gains and thus
savings now may lead to additional costs in future.
Savings in one area may create additional costs to another area, eg reducing costs of
production but increasing other costs because of quality rejects or warranty repairs.
Comparisons between business units may be spurious, eg one business unit may excel
at a particular process, the costs of which are relatively high compared to other
processes carried out by other units. So measuring the cost per process will not be
meaningful.
Once performance indicators have been established the audit work is routine and not
especially challenging.
3.2
Best value
Best Value is a duty to deliver services to clear standards covering both cost and quality
by the most effective, economic and efficient means available.
Best Value seeks to secure continuous improvement in the way its functions are exercised,
having regard to a combination of economy, efficiency, and effectiveness.
The best value audit has evolved from VFM auditing in the public sector and local
and central government. It incorporates the 4 Cs:
Consult local taxpayers, service users, partners and the wider business
community in the setting of new performance targets;
Internal audit can ensure that the concept of best value is incorporated into the risk
management process of the entity in assessing current services and setting strategies for
development.
As a service provider (to management) the internal audit function itself must be able to
demonstrate best value.
3.3
IT audit
Information systems are pervasive through most organisations and would in most cases
be considered a significant business risk through, for example:
3.3.1
Session 12 covered CIS, CIS controls and electronic commerce. The primary role of
internal audit will be to review and report on all aspects of IS within the organisation,
eg ensure that the controls and systems operate as intended.
3.3.2
provide assurance that IS projects are being effectively and efficiently managed; and
carry out appropriate testing (eg static, dynamic, unit, system, performance) at each
stage of the systems development process to ensure that the deliverable from each
stage meets the specifications of that stage (eg review the systems analyst notes of
meetings with a user and agree that these have been reviewed and approved by the
user; test the design and programming of the application controls that they
internal audit - initiated).
3.4
bought ledger processing (of invoices for goods and services before suppliers are
paid);
The purpose of the accounting and financial process audit is to review all available
evidence to substantiate information in management and financial reporting (such that
it is not inappropriate and inaccurate). That is, to minimise risk by ensuring:
3.5
Operational audit
An audit of the operational processes of an organisation (its primary activities and
support activities) to ensure that management has:
adequate routine assurances which inform them that their controls and risk
management measures are effective.
3.6
Procurement
Procurement is the process by which materials, goods and services are obtained by an
organisation. It includes:
understand the procurement process and the controls that should be operating;
test the operating effectiveness of those controls (including dealing with exception
reports);
ensure that the process is operating as intended and laid down within the
organisation's procedures.
3.7
Marketing
Marketing is the process by which demand for goods is measured and enhanced. It is
often closely linked to sales. Marketing and sales involve:
research
advertising
promotion and image management
order acceptance (including creditworthiness and inventory level checks)
deliveries
payments
after sales service
customer returns.
complete, accurate, relevant and timely information is obtained from internal and
external sources (eg market research) and is freely available to all involved; and
advertising, campaigns, promotion and unit pricing are planned, budgeted,
cost-benefit analysed, monitored and controlled;
contingency plans are in place to limit potential image and reputation risk.
3.8
Treasury
The treasury function has evolved from cash management. Treasury processes include:
In most entities, the treasury function is a cost function in that its aim is not to make a
profit, but to manage and minimise costs of cash flow and investment (eg to avoid
paying higher costs in a foreign currency, should that currency move against the entity,
through hedging). In other entities it has a specific trading function with the aim of
making profits for the entity.
Because of the nature of treasury management in those areas involving hedging and
derivative functions, it is often a challenge to have sufficiently technically competent
and experienced individuals within the internal audit function. None the less, it is
essential that there are.
There have been many instances of companies (and banks) who have lost significant
value and (in one notorious case, Barings Bank) faced collapse through poor controls
and a lack of understanding by management and internal audit of the financial trading
being carried out.
3.9
HR
Human resources processes support:
Operations include:
3.10
Overall approach
Note that in considering the above areas, whilst specific points have been made, the
overall approach is always to understand the business element, the risks and controls in
place and to carry out tests accordingly (see Section 1.3 above). In addition many
elements overlap, eg VFM, best value, IS can be applied to marketing and HR.
4.1
Primary purposes
The purpose of internal audit reports will be driven by the terms of reference of the
assignment. Mostly they:
provide management with an opinion (eg on the adequacy of the internal control
system); and
Depending on the type of report issued, the aim of the report would be:
to provide a formal record of points arising from the assignment and, where
appropriate, of agreements reached with management.
Example 2
Suggest FOUR differences between a review report of business performance
and a report on a systems compliance review.
Solution
4.2
Reporting arrangements
The format and distribution of internal audit reports should be agreed with
management. The head of internal audit should ensure that reports are sent to
managers who have a direct responsibility for the unit or function being audited and
who have the authority to take action on the internal audit recommendations.
Internal audit reports are confidential documents and their distribution should be
restricted to those managers who need to know, to the audit committee and to the
external auditor.
While the internal auditor may clear minor matters which do not indicate a consistent or
systematic weakness with members of staff directly involved, matters of consequence
should be reported formally in writing to management.
4.3
There are no formal structures, unlike the external auditor's report, for an internal
auditor's report. As with any business report, the structure of the report suits its
purpose, be it formal, informal, a discussion paper, a presentation (eg with PowerPoint
hardcopies) or a monthly summary.
Terms of reference
Executive summary
Body of report:
key findings and recommendations
detailed findings and agreed action
Appendices
The body of the report will depend on the terms of reference. For example, for a report
on controls the structure may be very similar to management reports produced by the
external auditor (see Session 13). However, the content will be very different where the
internal auditor is concerned with operational matters of economy, efficiency and
effectiveness.
The reports should be clear, constructive and concise based on sufficient, relevant and
reliable evidence, which should:
make recommendations which are appropriate and relevant, and which flow from
the conclusions; and
4.4
Timing
An interim report, orally or in writing, should be made where:
The internal auditor should normally meet with management to discuss the audit
findings at the completion of fieldwork for each internal audit assignment and the
formal written report should be presented to management as soon as possible
thereafter.
Before issuing the final report, the internal auditor would discuss its contents with the
appropriate levels of management. In addition, it may usually be necessary to include
management comment within the body of the report. A draft report for management
comment and confirmation of factual accuracy may also be issued prior to finalising the
formal report.
If the internal auditor and management disagree about the relevance of the factual
content of the draft audit report, the internal auditor should consider whether reference
should be made to this in the final report.
appropriate arrangements are made to determine whether action has been taken on
internal audit recommendations; or
management has understood and assumed the risk of not taking action.
See Session 3 to review the role of the Audit Committee in relation to internal audit
reports.
4.5
Example
INTERNAL AUDIT REPORT
To
To
To
To
assess
ensure
review
assess
The
CONCLUSION
The branch has been operationally and financially poorly controlled. Branch
management have reacted positively to the draft report and are actively addressing
the issues raised. All the points raised in this report and subsequent
recommendations made need to be implemented.
MAIN FINDINGS (References in brackets are to Appendix I)
Inventory
1)
2)
Payroll
1)
Not reproduced.
2)
There has been an apparent lack of supervision and review of the work of
the payroll clerk who left the company at the end of August. There is a
risk that unauthorised amounts may have been paid. A full reconciliation
to assess the situation further will be performed at the beginning of
December. (2.2)
Etc
Etc
Purchases
1)
APPENDIX I (EXTRACT)
1.1
Observations
2.2
Effect
Recommendation
Management's comments
Agreed
Target date
Immediate
Observations
Effect
Recommendation
3.1
Target date
Immediate.
Observations
Effect
Recommendation
6.1
Management's comments
Observations
Effect
Recommendation
Management's comments
FOCUS
You should now be able to:
discuss the factors to be taken into account when assessing the need for internal audit;
discuss the elements of best practice in the structure and operations of internal audit
with reference to appropriate international codes of corporate governance;
compare and contrast the role of external and internal audit regarding planning and the
collection of audit evidence;
compare and contrast the types of report provided by internal and external audit;
discuss the scope of internal audit and the limitations of the internal audit function;
discuss the responsibilities of internal and external auditors for the prevention and
detection of fraud and error;
discuss the nature and purpose of internal audit assignments including value for
money, IT, best value and financial;
discuss the nature and purpose of operational internal audit assignments including
procurement, marketing, treasury and human resources management.
EXAMPLE SOLUTION
Solution 1 Assessing need for internal audit function
Corporate structure and the degree of autonomy of each of the business units.
changes in internal processes (e.g. product or service lines or entry into new
markets);
The number of moderate to high risk areas which are not appropriately controlled.
Deteriorating trends in internal control systems evident from the existing monitoring
systems.
Concerns about the level of risk and control awareness and the need to educate senior
or middle management, or staff.
Greater focus on performance, objectives and processes rather than risks and controls;