SESSION 33 INTERNAL AUDIT

OVERVIEW
Objective

To describe the role, scope and functions of internal audit and the nature and extent of
internal review assignments.

INTERNAL AUDIT

RISK MANAGEMENT

Definition
Relationship between external and internal auditors
Scope of work
Approach to assignments
Assessing need for function
Outsourcing

CORPORATE
GOVERNANCE

Internal audits role

Session 3

BUSINESS RISK,
INTERNAL
CONTROL

ASSIGNMENTS

REPORTS

Value for money

Best value
IT audit
Financial process audit
Operational audit
Procurement
Marketing
Treasury
HR
Overall approach

Primary purposes
Reporting arrangements
Structure
Timing
Example

Session 8

3301

SESSION 33 INTERNAL AUDIT

INTERNAL AUDIT

1.1

Definition

An independent, objective assurance and consulting activity designed to add

value and improve an organizations operations. It helps an organization
accomplish its objectives by bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk management, control, and
governance processes.
(Institute of Internal Auditors IIA)

This definition usefully outlines the relationship between internal audit and the
management of an entity. Key elements that have not be covered elsewhere within the
study system are:

Add value Organizations exist to create value or benefit to their owners, other
stakeholders, customers, and clients. Value is provided through:

the development of products and services; and

the use of resources to promote those products and services.

When gathering data to understand and assess risk, internal auditors gain insight
into operations and opportunities for improvement that can be beneficial to the
organization.

Control is any action taken by management, the board, etc to enhance risk
management and increase the likelihood that established objectives and goals will
be achieved.

Adequate control is present if management provides reasonable assurance that:

3302

risks have been managed effectively; and

goals and objectives will be achieved efficiently and economically.

Governance process is the procedures utilized by the representatives of the entitys

stakeholders to provide oversight of risk and control processes administered by
management.

SESSION 33 INTERNAL AUDIT

1.2

Relationship Between External And Internal Auditors

1.2.1 External

1.2.2 Internal

Role

To provide an independent opinion (in a

report) on financial statements (see Sessions
1 and 30).

To appraise, examine and evaluate organisational

activities and assist management in discharging its
responsibilities.

Required by

Statute (typically).

Management, usually in larger organizations, will be

urged/required by best practice (e.g. governance codes)
to continually review need for internal audit.

Appointed by

Shareholders (usually at an Annual General

Meeting) or directors.

Highest level of management charged with responsibility

for internal audit (e.g. audit committee under corporate
governance codes)

Reports to

Shareholders (primary statutory duty) and

management (professional responsibility).

For listed companies, usually the audit committee under

corporate governance codes. For other companies, the
highest level of management charged with governance
(e.g. the board).

Reports on

Financial statements. Primary responsibility

is of a financial focus.

Organisational risk management, internal control and

quality of performance. Focus is operational as well as
financial.

Forms opinions on

True and fair view (or similar) of financial

statements.

Effectiveness of risk management strategy and

operations, operation of corporate governance, adequacy
and effectiveness of internal control and other business
functions as a contribution to the economic, efficient and
effective use of resources (See section 3)

3303

SESSION 33 INTERNAL AUDIT

External

Internal

Status

Independent of client company

Employee (therefore potentially less objective)

Qualification

Usually ACCA, ICAEW, ICAI or ICAS

May also be members of other professional bodies (e.g.

IIA) or unqualified

Scope of assignment

Unlimited, to fulfil statutory obligation.

Usually defined by legislation as well as ISA.

Prescribed by management, those charged with

governance or audit committee (see 1.3 below).

Conduct of audit

In accordance with ISAs, for example.

Similar, Standards for the Professional Practice of Internal

Auditing. including ethics.

3304

SESSION 33 INTERNAL AUDIT

1.3

Scope of work

Understand the key business risks (including fraud) and assess the adequacy of the
processes by which these risks are identified, evaluated and managed (see Section 2);

Review the sufficiency of the information, and the adequacy and operation of controls,
used to manage those risks;

Assess the reliability and integrity of key financial and operating information, and the
means used to identify, measure, classify and report such information;

Review the processes and systems to ensure adherence with those policies, plans,
procedures, laws and regulations which could have an impact on the company, and
determine whether it is in compliance therewith;

Review the means of safeguarding assets and other key resources, especially
information in hard copy or on computer systems, including business contingency plans
and the security of computer systems;

Review operations or projects (including systems under development) to ascertain

whether results are consistent with established objectives and goals and, whether the
operation or projects are being carried out as planned;

Monitor corrective action plans to ensure that management implement them promptly
and effectively;

Advise management on cost effective controls for new systems and activities; and

Liaise with those charged with governance (eg the audit committee) and the external
auditors (as necessary).

1.4

Approach to assignments

The general framework in which internal auditors will approach their assignments is
not that dissimilar to the approach used by external auditors.

Both require terms of reference the external auditor within the letter of engagement,
the internal auditor within the scope of instructions given by management/audit
committee.

Both need to understand the entity, its environment and internal control. In particular,
the internal auditor will need to cover all controls (not just financial) that are relevant to
their assignment.

Both will need to plan and document their work. Materiality, risk assessments,
sampling, analytical review, use of CAATs (especially in systems heavily reliant on
information technology) are all aspects of the internal auditors planning and work
procedures.

Both apply strong quality control procedures (e.g. IAASB and IIA requirements).

3305

SESSION 33 INTERNAL AUDIT

Both will report on their work, although (as noted above) the nature and format of the
reports are different.

1.5

Assessing the need for an internal audit function

When the board and senior management is sufficiently close to the business and the
systems are not so complex, the following sources of assurance about the way the
business is operated may prove to be adequate:

the views of, and representations from, executive directors and senior managers;
the views of other employees through (say) a self-assessment process;
results of managements internal confirmation procedures;
regular information on financial and operational matters;
performance indicators;
early warning mechanisms;
external auditors management letters;
reports of any relevant external regulators;
reports (if any) from relevant internal compliance functions.

In such cases there may be no immediate need for an internal audit function.

However, as organizations grow and:

become more geographically diverse;

business is undertaken in new environments (e.g. e-commerce);
develop new products and competitive pressures increase;
systems become more complex;
change is the norm;

then managements time and attention can be very stretched.

In particular, when a company becomes listed, the demands placed on management for
transparency and effective running of the business by the stakeholders are significantly
increased.

1.5.1

Key issues

As many stock exchanges require listed companies to operate internal control functions
(or explain why they do not in their annual reports) the key issues to consider may
mainly relate to larger, unlisted entities.

Are the existing management processes adequate to:

identify and monitor the significant risks facing the company; and
confirm the effective operation of the established internal control systems?

With ever increasing pressures on management at all levels, can those who are
responsible for managing risks and operating controls always take a wholly
objective and systematic view of their own performance?

Does the board receive the right quality of assurance and information from
management and is it reliable?

3306

SESSION 33 INTERNAL AUDIT

Example 1
Suggest additional matters that directors might consider when assessing the
need for an internal audit function.

Solution

1.5.2

Needs of the Board

Board A board of directors, audit committee of such boards, head of an agency or

legislative body to whom internal auditors report, board of governors or trustees of a nonprofit organization, or any other designated governing bodies of organizations.

The board needs to obtain assurances that its risk and control processes are effective.
Management, internal audit and others may provide such assurance. Objective
assurance and advice is provided by an internal audit function, thereby assisting the
board and senior management with their stewardship responsibilities.

Boards, audit committees and senior management now recognise that what is of
relevant value to their business is the internal auditors:

knowledge of the organisation, its systems and its processes; and

skills and experience (e.g. in independently reporting on their findings and making
recommendations to improve effectiveness of the processes).

3307

SESSION 33 INTERNAL AUDIT

1.6

Outsourcing
Outsourcing internal audit has increased as the need for internal audit has increased
(e.g. to better meet requirements of corporate governance):

Small companies may outsource because the do not have the resources to set up
their own department.

Larger companies may decide that resources are best used elsewhere and not invest
in this non-core (though essential) area.

Such services are offered by specialised internal audit providers as well as the global
and other accounting firms.

1.6.1

Factors to be considered

What to outsource?

The whole of internal audit services; or

Specific functions (e.g. environmental auditing).

What (and/or who) to retain? The head of internal audit may be retained as an
employee (to keep a high level responsibility within the company).

Terms of reference:

1.6.2

What services will be provided?

Who does the service provider report to?
What form will reports take?
What action will be taken if problems occur?
How will fees be determined and charged?

Benefits to the company

Costs A company with an in-house internal audit service must pay salaries, training
and overheads. Whilst the contractors fees will also be set to cover these there may be
economies of scale. The company would only pay for resources when required and so
overall the total cost may be cheaper.

Consistency with external audit There may be greater consistency in approach between
the internal and external auditors. This may mean external audit can place more
reliance on internal audit work (see Session 34) and hence the company would benefit
from a lower external audit fee.

Skills Contracting-out internal audit allows the company to bring in new skills.
External providers will have wider experience gained by auditing other companies.

New techniques Both the internal and external audit markets are very competitive. This
encourages firms to develop new techniques which are more efficient and effective.
Contracting out gives the company access to these techniques without a high level of
investment.

3308

SESSION 33 INTERNAL AUDIT

Management time Management time and resources can be freed to concentrate on core
areas of the business instead of peripheral ones.

Liability Legal action may be brought against an external service provider if their
standards are not acceptable.

1.6.3

Disadvantages to the company

Skills An external contractor may lack the specialist skills relevant to a particular
company which an in-house service will possess. Once a contractor is brought in these
skills may be lost forever.

Constraints on service The service provider will need to act in accordance with the
terms of reference. This may mean they are unable to follow up suspicious
circumstances outside their duties without first seeking permission from the company
and re-negotiating the terms of reference.

Flexibility An in-house department will provide a permanent presence whilst

contracted out services may only be at the company for discrete periods. In-house staff
may have more commitment to the company (e.g. willingness to work overtime, travel,
etc). Outsourcing may result in reduced staff availability and flexibility.

Conflicting reporting lines Internal audit should report to the audit committee or board
of directors. However as an employee of the audit firm the auditor may be expected to
report to the partner. The audit firm will be responsible for issues such as promotion
and training and therefore they need to monitor internal audit staff.

Expectation gap An expectation gap has existed for external audit for many years. If
the profession cannot meet public expectations for a narrow role which is defined by
statute can they meet management expectations for a wider role? The company may
discover too late that they are not getting what they want. If a contract has been agreed
it may be difficult to change

Standard of service Once an external provider has secured the contract the level of
service provided may fall. The audit committee/board of directors must monitor and
ensure that the quality of staff provided is satisfactory and work is completed according
to the terms of reference.

Corporate culture Contracting out any service involves a change to corporate culture.
Unless managed sensitively, outsourcing may lower employee morale, reduce
performance, generate a negative cultural impact, create permanent job insecurity.

1.6.4

Service provider issues

Skills The service provider must have the appropriate skills and expertise to undertake
the internal audit role. Whilst there are overlaps between internal and external audit,
internal audit usually fulfils a wider role.

Staff management Undertaking internal audit functions may improve staff management
where the service provider is an audit/accountancy practice. Internal audit work may
be conducted during slacker times when there are fewer external audit engagements.
However internal audit must not be a lower priority.

3309

SESSION 33 INTERNAL AUDIT

Effect on external audit Although there are overlaps, the roles of internal and external
audit are different. If both roles are performed by the same firm the distinction could
become blurred. This could lead to a reduced level of service overall and a lower level
of credibility being attached to the external auditors report. (See Session 4 re ethical
issues for the external auditor)

1.6.5

Independence issues

A benefit to the company Outsourcing increases independence as an in-house

department can never be truly independent. Staff from an external firm will be subject
to the same ethical guidelines (see Session 4) as for external audit, and the firm should
have mechanisms to ensure compliance. Rotation of staff is more likely, so close
relationships do not build up between internal audit staff and the client.

Drawbacks The external provider could become dependent on client. The risk is
perceived to be particularly great where the internal auditor is the external auditor.

1.6.6

Restrictions

Although there are no legal restrictions on the outsourcing of internal audit to a thirdparty service provider, legal and/or ethical standards may restrict this practice to
prevent external auditors from acting in client roles. For example, statutory auditors are
precluded from serving as internal auditor to clients whose financial statements they
certify in many countries (e.g. US, France, India, Italy, New Zealand and Norway).

BUSINESS RISK MANAGEMENT

2.1

Internal audits role in risk management

Business risk and risk management was discussed in Session 8. Fraud was discussed in
Session 11.

2.1.1

Assurance role

A proper system of internal control in practice requires a proper system of risk

management and organisational control.

Internal auditors do not judge the appropriateness of a companys objectives or the

boards strategies to achieve those objectives. They examine the effectiveness of the
processes by which the consequent risks are identified, managed, mitigated and
reported. Internal auditors also add value by the identification of opportunities to
improve the cost effective management of risk.

The assurance role of internal audit is to deliver assessments of the adequacy and
effectiveness of the processes by which risks are:

identified and prioritised;

managed, controlled and mitigated; and
reported,

such that the residual risks are recognised by, and are clearly acceptable to, the board.

3310

SESSION 33 INTERNAL AUDIT

2.1.2

Contribution to risk management

Risk management is not the responsibility of the internal audit function. Many large
organisations have separate risk management functions.

Internal audits job may be to assist that function or the board by:

providing objective assurance on the adequacy and effectiveness of the risk

management and internal control framework;

helping improve the processes by which risks are identified and managed;

helping strengthen and improve the risk management and internal control
framework.

Internal audit can:

provide advice on the design, implementation and operation of control systems;

identify opportunities to make control cost savings;

promote a risk and control culture within the organisation;

act as facilitators, guiding managers and staff through a self- assessment process
(e.g. by leading workshops);

become a centre of expertise for managing risk by providing enterprise-wide risk

management services (ERM).

To be effective, the management of risk requires information which is:

relevant;
meaningful; and
timely.

Such information is required:

to facilitate decision-making;

to monitor business activities, supporting processes and the operational health of

the company.

Internal audit has a role to play providing relevant information to alert the board and
senior management to exceptions or other warning signals.

3311

SESSION 33 INTERNAL AUDIT

OTHER ASSIGNMENTS

3.1

Value for money

VFM auditing is evaluation of managements achievements in terms of the economy,

efficiency and effectiveness (the 3 Es) of operations.

3.1.1

The 3 Es

VFM has been prominent in the public sector (e.g. in the UK) since the 1980s when
audit was narrowly interpreted as a financial audit.

Economy is about obtaining specified resources (inputs, eg material, finance, human,

time) at the lowest cost.

Efficiency is the achievement of either:

the maximum output (at a given quality) from a given input; or

a given output (at a given level of quality) from the minimum input.

Effectiveness is the achievement of outputs which meet managements objectives.

Objectives
Effectiveness

Economy
Resources

Inputs

Process

Outputs
Efficiency

VFM audits are carried out to ensure that corporate resources, shareholders funds and
taxpayers contributions are not wasted. However, the VFM audit process may or may
not be empowered to question whether the objectives set were justified.

Very often a benchmark is required. VFM can only be judged by comparison (external
or internal eg between departments or divisions). Present methods of operation and use
of resources must be compared with alternatives to see if value for money is being
obtained.

3.1.2

Role of internal auditing

Top management is responsible for committing the organisation to a VFM review

process.

The head of internal audit is responsible for conducting VFM reviews and for
comparisons between functions and across time. Internal audit can report (for example)
on:

3312

SESSION 33 INTERNAL AUDIT

unnecessary spending (e.g. overtime guaranteed when work is completed in

normal hours);

misdirected spending (e.g. capital expenditure outlay on lower quality assets

requiring higher level of revenue expense quality);

over-priced spending (e.g. discounts are unclaimed);

under-recovered revenue (e.g. failure to collect on disposals of assets).

Line management should take responsibility for implementing the VFM review,
although very often the responsibility remains with the head of internal audit. They
will be responsible for implementing the recommendations from a VFM review.

3.1.3

Advantages of VFM

Management attention is focused on economy and efficiency but this is tempered by the
need for effective performance.

It promotes the use of performance indicators.

It should eventually lead to self measurement with audit only used to compare
performance between business units on an objective basis.

Although VFM audit is often used to promote cost savings, it can also be used to
identify revenue opportunities.

3.1.4

Disadvantages VFM

Economy and effectiveness are often opposed, eg saving money may result in the need
for lower quality. This is often overcome by treating one element as fixed, eg achieving
savings based on an agreed quality level.

It is difficult to create a balance between short term and long term gains and thus
savings now may lead to additional costs in future.

Savings in one area may create additional costs to another area, eg reducing costs of
production but increasing other costs because of quality rejects or warranty repairs.

Comparisons between business units may be spurious, eg one business unit may excel
at a particular process, the costs of which are relatively high compared to other
processes carried out by other units. So measuring the cost per process will not be
meaningful.

VFM targets may be manipulated by managers, eg production is arranged to meet the

target rather than what is actually required.

Once performance indicators have been established the audit work is routine and not
especially challenging.

3313

SESSION 33 INTERNAL AUDIT

3.2

Best value

Best Value is a duty to deliver services to clear standards covering both cost and quality
by the most effective, economic and efficient means available.
Best Value seeks to secure continuous improvement in the way its functions are exercised,
having regard to a combination of economy, efficiency, and effectiveness.

The best value audit has evolved from VFM auditing in the public sector and local
and central government. It incorporates the 4 Cs:

Challenge why and how a service is provided;

Consult local taxpayers, service users, partners and the wider business
community in the setting of new performance targets;

Compare with the performance of others across a range of relevant indicators to

aim to improve;

Compete consider fair competition as a means of securing efficient and effective

services.

Internal audit can ensure that the concept of best value is incorporated into the risk
management process of the entity in assessing current services and setting strategies for
development.

As a service provider (to management) the internal audit function itself must be able to
demonstrate best value.

3.3

IT audit
Information systems are pervasive through most organisations and would in most cases
be considered a significant business risk through, for example:

3314

no IS strategy or a strategy that does not fit the business strategy;

poor project management;
poor system design (including controls) development and implementation;
acceptance of inappropriate system;
significant expenditure for a system that does not deliver;
poor security, transaction integrity and process alignment;
corruption of data used by management for decision making;
access to sensitive information by unauthorised personnel;
unexpected (non-scheduled) downtime;
breaches of laws and regulations;
no or inappropriate disaster recovery procedures.

SESSION 33 INTERNAL AUDIT

3.3.1

Session 12 covered CIS, CIS controls and electronic commerce. The primary role of
internal audit will be to review and report on all aspects of IS within the organisation,
eg ensure that the controls and systems operate as intended.

Application controls (i.e. controls to ensure completeness, accuracy, security and

effectiveness of processing) exercised over input, output, processing, computer files
and master files; and

General installation controls (i.e. controls over the acquisition, development

maintenance and operation of computer-based systems).

3.3.2

System development project audit

The deliverable of a systems development project is a new information system. The

primary purpose of auditing a system under development is to ensure that:

adequate, effective controls are built into the system;

complementary manual controls are designed to ensure adequate and effective

internal controls over the business system as a whole;

the most efficient combination of manual and automated, preventative and

detective controls are designed and implemented.

In addition internal audit can:

provide assurance that IS projects are being effectively and efficiently managed; and

carry out appropriate testing (eg static, dynamic, unit, system, performance) at each
stage of the systems development process to ensure that the deliverable from each
stage meets the specifications of that stage (eg review the systems analyst notes of
meetings with a user and agree that these have been reviewed and approved by the
user; test the design and programming of the application controls that they
internal audit - initiated).

3.4

Information systems auditing

Financial processes audit

The financial process audit is effectively internal audits traditional role. Accounting
and financial processes include:

receiving value from sales transactions, disposals of assets, investments (interest

income);

bought ledger processing (of invoices for goods and services before suppliers are
paid);

treasury functions (see later);

supplying financial and management information (e.g. to stakeholders);

appraising new business

developing and maintaining accounting systems and financial controls.

3315

SESSION 33 INTERNAL AUDIT

The purpose of the accounting and financial process audit is to review all available
evidence to substantiate information in management and financial reporting (such that
it is not inappropriate and inaccurate). That is, to minimise risk by ensuring:

3.5

the completeness and accuracy of recorded transactions;

that assets are safeguarded;
that complete, accurate and relevant information is provided on a timely basis; and
that accounting and finance functions are managed efficiently.

Operational audit
An audit of the operational processes of an organisation (its primary activities and
support activities) to ensure that management has:

adequate controls and other risk management measures in place to achieve

business objectives (risk management) economically and efficiently; and

adequate routine assurances which inform them that their controls and risk
management measures are effective.

Also called process-based auditing.

Operational audits may be wholly performance-based or compliance-based or include

elements of both approaches.

Performance-based audit Processes or activities are evaluated in order to draw

conclusions about the adequacy of the products, and the adequacy and
effectiveness of the processes associated with those products.

Compliance-based audit Uses investigation, discussion, observation, examination, or

evaluation to determine the adequacy of and compliance with established
procedures, and the effectiveness of their implementation (similar to the standard
systems based audit approach, but applied to all controls).

3.6

Procurement
Procurement is the process by which materials, goods and services are obtained by an
organisation. It includes:

3316

specifying requirements (e.g. parts for production, maintenance support)

tendering and open competition;
order placement/contracts (only with approved suppliers)
receipt of goods/services and quality checking
correct and prompt payment including obtaining discounts
updating books of account, asset registers, etc.

SESSION 33 INTERNAL AUDIT

The purpose of a procurement audit is to ensure that risk is minimised in that:

The basic audit approach would be to:

understand the procurement process and the controls that should be operating;

test the operating effectiveness of those controls (including dealing with exception
reports);

trace transactions through the system; and

ensure that the process is operating as intended and laid down within the
organisations procedures.

3.7

Marketing
Marketing is the process by which demand for goods is measured and enhanced. It is
often closely linked to sales. Marketing and sales involves:

goods/services of appropriate quality are available when needed;

the required quality is obtained at minimum cost;
the correct price is paid for the goods and services received;
appropriate laws and regulations are followed;
the procurement procedures are followed; and
procurement processes are managed effectively.

research
advertising
promotion and image management
order acceptance (including creditworthiness and inventory level checks)
deliveries
payments
after sales service
customer returns.

The purpose of a marketing audit is to ensure that, for example:

marketing processes are authorised, conducted in accordance with written

company policy and apply relevant laws and regulations;

complete, accurate, relevant and timely information is obtained from internal and
external sources (eg market research) and is freely available to all involved; and

advertising, campaigns, promotion and unit pricing is planned, budgeted, costbenefit analysed, monitored and controlled;

contingency plans are in place to limit potential image and reputation risk.

3317

SESSION 33 INTERNAL AUDIT

3.8

Treasury
The treasury function has evolved from cash management. Treasury processes include:

funding requirements (for financing working capital, organic growth and

acquisitions);

investing surplus funds;

managing interest rate risks and foreign exchange exposure.

In most entities, the treasury function is a cost function in that its aim is not to make a
profit, but to manage and minimise costs of cash flow and investment (eg to avoid
paying higher costs in a foreign currency, should that currency move against the entity,
through hedging). In other entities it has a specific trading function with the aim of
making profits for the entity.

The basic purpose of a treasury audit is to ensure that:

funds are available when needed;

financial assets are safeguarded and not put at unnecessary risk;
treasury functions are managed efficiently.
strong controls (eg policies, procedures, segregation of duties, authorisation, limits
on trading, oversight, organisational framework and culture) are in place and
effectively operate;

Because of the nature of treasury management in those areas involving hedging and
derivative functions, it is often a challenge to have sufficiently technically competent
and experienced individuals within the internal audit function. None the less, it is
essential that there are.

There have been many instances of companies (and banks) who have lost significant
value and (in one notorious case, Barings Bank) faced collapse through poor controls
and a lack of understanding by management and internal audit of the financial trading
being carried out.

3.9

HR
Human resources processes support:

the procurement and employment of individuals; and

the development of the organisation.

Operations include:

3318

job analysis and personnel specifications;

recruitment and selection;
pay and reward mechanisms;
training and development;
disciplinary and grievance;
termination of employment;
application of laws and regulations.

SESSION 33 INTERNAL AUDIT

The purpose of a human resources audit is to ensure that:

3.10

procedures and policies are followed and applied;

personnel are available when needed (eg succession planning);
the future development of the organisation is planned, controlled and monitored;
relevant legislation (e.g. equal opportunities) is complied with;
accurate management information is available on a timely basis; and
human resource processes are managed efficiently.

Overall approach

Note that in considering the above areas, whilst specific points have been made, the
overall approach is always to understand the business element, the risks and controls in
place and to carry out tests accordingly (see Section 1.3 above). In addition many
elements overlap, eg VFM, best value, IS can be applied to marketing and HR.

INTERNAL AUDIT REPORTS

4.1

Primary purposes

The purpose of internal audit reports will be driven by the terms of reference of the
assignment. Mostly they:

provide management with an opinion (eg on the adequacy of the internal control
system); and

inform management of significant findings, conclusions and recommendations

arising from the work carried out.

Depending on the type of report issued, the aim of the report would be:

to provide appropriate assurance to management or recommendations to enhance

business performance;

to prompt management action to implement recommendations for change leading

to improvement in performance and control; and

to provide a formal record of points arising from the assignment and, where
appropriate, of agreements reached with management.

Example 2
Suggest FOUR differences between a review report of business performance
and a report on a systems compliance review.

3319

SESSION 33 INTERNAL AUDIT

Solution

4.2

Reporting arrangements

The format and distribution of internal audit reports should be agreed with
management. The head of internal audit should ensure that reports are sent to
managers who have a direct responsibility for the unit or function being audited and
who have the authority to take action on the internal audit recommendations.

Internal audit reports are confidential documents and their distribution should be
restricted to those managers who need to know, to the audit committee and to the
external auditor.

While the internal auditor may clear minor matters which do not indicate a consistent or
systematic weakness with members of staff directly involved, matters of consequence
should be reported formally in writing to management.

4.3

Structure of the report

There are no formal structures, unlike the external auditors report, for an internal
auditors report. As with any business report, the structure of the report suites its
purpose be it formal, informal, a discussion paper, a presentation (eg with PowerPoint
hardcopies) or a monthly summary.

A typical business report would have the following elements:

Terms of reference
Executive summary
Body of report:
key findings and recommendations
detailed findings and agreed action
Appendices

The body of the report will depend on the terms of reference. For example, for a report
on controls the structure may be very similar to management reports produced by the
external auditor (see Session 13). However, the content will be very different where the
internal auditor is concerned with operational matters of economy, efficiency and
effectiveness.

3320

SESSION 33 INTERNAL AUDIT

The reports should be clear, constructive and concise based on sufficient, relevant and
reliable evidence, which should:

state the scope, purpose, extent and conclusions of the assignment;

make recommendations which are appropriate and relevant, and which flow from
the conclusions; and

acknowledge the action taken, or proposed, by management.

4.4

Timing
An interim report, orally or in writing, should be made where:

it is necessary to alert management to the need to take immediate action to correct a

serious weakness in performance or control; or

where there are reasonable grounds for suspicion of malpractice.

Consideration should also be given to interim reporting where there is a significant

change in the scope of the assignment or where it is desirable to inform management of
progress.

The internal auditor should normally meet with management to discuss the audit
findings at the completion of fieldwork for each internal audit assignment and the
formal written report should be presented to management as soon as possible
thereafter.

Before issuing the final report, the internal auditor would discuss its contents with the
appropriate levels of management. In addition, it may usually be necessary to include
management comment within the body of the report. A draft report for management
comment and confirmation of factual accuracy may also be issued prior to finalising the
formal report.

If the internal auditor and management disagree about the relevance of the factual
content of the draft audit report, the internal auditor should consider whether reference
should be made to this in the final report.

It is managements responsibility to ensure that proper consideration is given to internal

audit reports. The internal auditor should ensure that:

appropriate arrangements are made to determine whether action has been taken on
internal audit recommendations; or

management has understood and assumed the risk of not taking action.

See Session 3 to review the role of the Audit Committee in relation to internal audit
reports.

3321

SESSION 33 INTERNAL AUDIT

4.5

Example
INTERNAL AUDIT REPORT

Private and confidential

The contents of this report are confidential and may include comments of a
sensitive nature. Care should be taken to ensure that unauthorised personnel do
not have access to the report and that if it is circulated further, this is done
with discretion.
23 November 20X6
SCOPE
The systems review at took place from 17 September to 5th October 20X6.
objectives of the assignment were:
i)
ii)
iii)
iv)

To
To
To
To

assess
ensure
review
assess

The

the adequacy of internal controls.

adherence to statutory legislation and company policies.
the efficiency and effectiveness of operations.
the quality of management reporting and information.

CONCLUSION
The branch has been operationally and financially poorly controlled. Branch
management have reacted positively to the draft report and are actively addressing
the issues raised. All the points raised in this report and subsequent
recommendation made need to be implemented.
MAIN FINDINGS (References in brackets are to Appendix I)
Inventory
1)

There is no investigation of no stocks1. No stocks have been very high

up to 20%. This has led to considerable customer dissatisfaction
Formal investigation of no stocks should be introduced to improve the
service level to clients. (1.1)

2)

There is insufficient control over the warehouse systems. Before further

liability for inventory loss is assumed, the access of staff to the systems
must be restricted.
A report of adjustments cannot be produced by the inventory system to
ensure all adjustments are legitimate. The production of this report
should be prioritised to stop this aspect of the operation running blind.

Payroll
1)

Not reproduced.

2)

There has beer an apparent lack of supervision and review of the work of
the payroll clerk who left the company at the end of August. There is a
risk that unauthorised amounts may have been paid. A full reconciliation
to assess the situation further will be performed at the beginning of
December. (2.2)

Etc

3322

Also called stock outs.

SESSION 33 INTERNAL AUDIT

Security
1)

It remains possible to gain unauthorised access into the warehouse on

account of the lack of security presence on the route between the car park
and the warehouse. This should be addressed immediately following the
audit. (3.1)

Etc
Purchases
1)

Purchases have been poorly controlled at the branch. Typically, invoices

have arrived within the accounts department and have been authorised for
payment by the former finance manager without reference to the operational
management to confirm the legitimacy of the expense. The temporary Finance
staff has now addressed this situation. (6.1)

APPENDIX I (EXTRACT)
1.1

Observations

There is currently no investigation or recording of

no stocks.
Inventory department are not aware of any no stock
report available from the system.

2.2

Effect

Stores orders are no fulfilled.

Recommendation

The level of no stocks should be traced using

either the issues not confirmed report" or, more
crudely, the number of issues physically returned
to the office.

Managements comments

Agreed

Target date

Immediate

Observations

There appears to have been little or no independent

review of the payroll function by senior
management. The former finance manager may have
performed some checks, however, this has not been
evidenced.
19 payslips on the payroll of 29/09/06 have been
checked in detail. 5 employees overtime was
overpaid because the total hours had been
incorrectly summed in input sheets.
The payroll clerk has left the company, despite an
enhanced offer to stay and with new employment to
go to.

Effect

The payroll does not appear to have been adequately

supervised. There is a possibility that, in
addition to processing errors, irregularity has
occurred.

Recommendation

Duties and controls should be segregated as

described in point 2.1 above (not reproduced).
There should be full reconciliation between the
schedule of employees who have worked at the branch
prepared by the human resources department and the
payrolls processed to date to ensure persons paid
are bona fide and that they have worked the weeks
paid.
The casting of basic and overtime hours by authorising managers should be checked by payroll staff.

3323

SESSION 33 INTERNAL AUDIT

Managements comments

The reconciliation will be performed in November by

Mrs Motley.
The accountant will review the standing data
expense report every month.
Payroll personnel will check the addition of hours.

3.1

Target date

Immediate.

Observations

The security of the site is currently being

reviewed by Shield Consultants who are addressing
fencing, CCTV coverage and recording and the level
of searches (personnel and vehicle) conducted.
There is still a problem with the ease with which
unauthorised persons may gain access to the
warehouse without being challenged. Also, there is
uncontrolled access from the warehouse to the staff
car park.

Effect

Inadequate security measures give rise to an

increased risk of damage to premises and inventory
and to an increased risk of inventory pilferage.

Recommendation

All IDs should be checked when staff enter the

warehouse.
Visitor access should not be permitted until
management authorisation is obtained or if visitors
have been pre-notified to the gatehouse and the
visitors Ids have been checked.

6.1

Managements comments

Agreed. In the short-term the warehouse access

store will be manned full-time across all shifts
and locked at night. There will be 100% ID checks.

Observations

Invoices 1129 1746 were checked for adequate

authorisation and supporting documentation. All
invoices were authorised. The majority, the former
finance manager. Only 6 invoices were supported by
POs.
POs in this sample were generally inadequately
completed, priced and dated.
GRNs were not received from the warehouse to
confirm receipts of goods.

Effect

The managers initiating purchases are often not

involved in the checking or authorisation of
invoices. Accruals are being understated.

Recommendation

Non-administration invoices should be checked by

operational managers.
Authorised GRNs should be received from managers
who have raised requisitions.
All purchase requisitions should be costed. POs
may not be priced unless requisitions are priced.

Managements comments

3324

Agreed. Invoices may be authorised by the

financial manger if they have been checked by the
requisitioning manager.

SESSION 33 INTERNAL AUDIT

FOCUS
You should now be able to:

discuss the factors to be taken into account when assessing the need for internal audit;

discuss the elements of best practice in the structure and operations of internal audit
with reference to appropriate international codes of corporate governance;

compare and contrast the role of external and internal audit regarding planning and the
collection of audit evidence;

compare and contrast the types of report provided by internal and external audit;

discuss the scope of internal audit and the limitations of the internal audit function;

explain the types of report provided in internal audit assignments;

discuss the responsibilities of internal and external auditors for the prevention and
detection of fraud and error;

explain the advantages and disadvantages of outsourcing internal audit;

discuss the nature and purpose of internal audit assignments including value for
money, IT, best value and financial;

discuss the nature and purpose of operational internal audit assignments including
procurement, marketing, treasury and human resources management.

3325

SESSION 33 INTERNAL AUDIT

EXAMPLE SOLUTION
Solution 1 Assessing need for internal audit function

Corporate structure and the degree of autonomy of each of the business units.

Overall corporate culture and managements philosophy.

The companys appetite for risk or its ability to tolerate risk.

Overall control environment.

Changes in organisational structure (including delayering), reporting processes and/or

underlying information systems.

Changes in key risks arising from:

changes in internal processes (e.g. product or service lines or entry into new
markets);

alterations in external factors such as regulatory requirements.

Complexity of the companys systems, especially IT systems.

The number of moderate to high risk areas which are not appropriately controlled.

Deteriorating trends in internal control systems evident from the existing monitoring
systems.

Concerns about the level of risk and control awareness and the need to educate senior
or middle management, or staff.

An increased incidence of unexpected or unacceptable results or occurrences.

The views of the companys external auditors.

Solution 2 Business performance reports

Are effectively consultancy in nature, style and approach;

Greater focus on performance, objectives and processes rather than risks and controls;

Deal with improvements to be made rather than mistakes already made;

Recommendations based on improvements rather than on actions to address mistakes

found.

3326