Internal Auditing BAC4664 Question 1 (20 marks) Internal auditing is an independent objective assurance and consulting activity Required:

(a) Differentiate between independence and objectivity. (7 marks)

(b) Can the internal auditor attain the same level of objectivity in audit as the external auditor? Explain. (5 marks) (c) Under what conditions would, performing consulting activities impair either the independence of the internal audit department or the objectivity of the internal auditor? Can internal audit department adequately control the threats to independence and objectivity? (8 marks) Answer: a. Independence is achieved when the auditor's judgments are not influenced by any relationships. Independence is most closely related to the auditors reporting relationship and the ability of management to influence either areas to be audited or audit findings. The internal audit department achieves its greatest independence when the audit committee is intimately involved in determining the budget for the audit department as well as audit coverage. Objectivity is achieved when the auditor makes a balanced assessment of all the relevant circumstances and is not influenced by their own interests or others in forming judgments. Objectivity is more related to the personal attributes of the auditors performing the audit engagement. Objectivity is the most important on a specific audit engagement. Independence is already achieved by the authority to conduct a full-scope audit or investigation. There must be sufficient independence to perform an audit. However, once an audit is authorized, it is important that objectivity be in place to ensure the reliability and credibility of audit findings.

b. Yes, the internal auditor can achieve the same level of objectivity on a given audit as does the external auditor. Objectivity is a state of mind an unbiased approach to gathering, evaluating, and analyzing evidence. It is extremely important that both audit functions strive for the highest level of objectivity on each audit engagement. c. Consulting is an important value-added function of the internal audit department. The auditor has a unique vantage point because of a detached objectivity and a broad knowledge of company operations. However, the IIA Standards are explicit that the internal auditor could compromise that objectivity and the perceived independence of the function The auditor needs to remain completely independent of managements operational functions or will face the likely demise of auditor independence.

There are a number of ways to mitigate the threats to audit independence. Some that should be considered by an audit department include: a clear audit charter that specifies the internal audit scope of activities, as approved by the audit committee. That charter should explicitly stop short of allowing the auditor to perform management functions. Participation on task forces that focus on analyzing problems, evaluating evidence, and using the special skill of the auditor. Rotation of auditors to ensure that the auditors evaluating a function in which consulting services had been rendered previously are not the same as those involved in the consulting services.

Question 2 (20 marks) Seruthera Limited manufactures and sells plastic cabinets to a wide range of retailers in the Malaysia. It has seen tremendous growth in recent years. Last year, the company invested significantly in a new machine which significantly increased the productivity. The directors of Seruthera have decided to set up an internal audit department and an audit committee to help assist in the audit. Required: (a) Advise Seruthera's board of directors and the audit committee as to their responsibilities for internal control, and (10 marks) (b) Explain their relationship with both the internal and external auditors. Answer (a) Seruthera's board of directors are responsible for the system of internal control and for reviewing its effectiveness in producing a set of financial statements that are true and fair. An internal control system is designed to manage rather than eliminate the risk of failure in order to achieve business objectives, and can only provide reasonable and not absolute assurance against material misstatement or loss. (10 marks)

The financial statements of Seruthera will not be perfect in that small errors may have occurred and may not have been noticed.

The board, audit committee, external and internal auditors are primarily interested in correcting large errors in the accounts that might mislead any potential investors in Seruthera.

The board should maintain an efficient system of internal control to safeguard shareholders' investment and Seruthera's assets. The board should establish formal and clear arrangements for considering how they should apply financial reporting standards and internal control principles, and for maintaining an appropriate relationship with its auditors.

The board or the audit committee need to satisfy themselves that there is a proper system and allocation of responsibilities for the day-to-day monitoring of financial controls, but they will not do the monitoring themselves.

They will use the auditors to perform any necessary work, and expect them to report back their findings and any recommendations.

(b) The audit committee, with respect to the internal auditors, should: review and approve the scope of work of the internal audit department. ensure that the internal auditors have access to the information they need and the resources (staff, experience and budget) necessary to carry out their duties. approve the appointment or termination of the head of internal audit. meet the external and internal auditors at least annually, without management being present to discuss the scope of the work of the auditors and any issues arising from the audit. The audit committee, with respect to the external auditors and the board, should: review the external auditors' findings and should in particular discuss major issues that arose during the audit and have subsequently been resolved, and those issues that remain unresolved. review key accounting and audit judgments, and review levels of error identified during the audit, obtaining explanations from management and the external auditors as to any errors that remain unadjusted. When reviewing management reports on internal control, the board should consider: the significant risks, and assess how they were identified, evaluated and managed.

the effectiveness of the internal controls m managing the significant risks. whether necessary actions are being taken promptly to remedy any weaknesses, and

whether the findings indicate a need for more exhaustive monitoring of the system of internal control. This work might be undertaken by internal or external auditors.

Question 3 (20 Marks)

(a) "Working papers document the audit. They record the information obtained and the analyses made, during the audit process."

Required: Explain for what purposes do Internal Auditors prepare working papers when they carry out an internal audit exercise? (15 marks)

(b) Internal audit had the daunting task of providing assurance to the board of directors, and in particular the audit committee, that management was in fact identifying risks and that the controls were mitigating those risks. In line with this development, internal auditors are adopting risk based auditing approach in their audit engagements.

Required: Explain what is risk based auditing? (5marks)

Answer To provide support for audit reports. Well-structured working papers make it easier to transfer the material written during the audit to the pages of interim and final audit reports. Besides, the experienced auditor keeps one eye on the final report throughout the entire audit project. This keeps the field work relevant and pointed in the right direction. Whatever is not suitable for reporting may not be relevant for review. To record information obtained through the questioning of people, the review of

instructions and directives, the analysis of systems and processes, the observation of conditions and the examination of transactions. 4

 To identify and document audit findings, accumulating the evidence needed to determine the existence and extent of deficient conditions. To lend support for discussions with operating personnel. Operations are often quite complex and difficult to remember. Well-documented explanations and charts in the working papers, indexed for ready access, can put the internal auditor on an equal footing with the people who live with the operations and understand them intimately. Thus, good working papers can be a line of defence when audit conclusions and recommendations are challenged. To offer a basis for supervisory review of the audit's progress and accomplishments. Reviews of documented work is more productive than conversations between audit supervisor and auditor. The supervisor's review, also documented in the working papers, is a means of control over the audit and an integral part of it. To provide support and evidence for matters involving fraud, law suits, and insurance claims. To provide a means by which external auditors can evaluate the internal audit work and then use it in their own assessment of the organisation's system of internal control. To create background and reference data for subsequent reviews. Audit projects are often repeated or followed up. Professional working papers make the repeat audit easier and more efficient. To help facilitate peer reviews. More and more internal audit organisations are becoming involved in quality control programs and self-evaluations. Either external auditors or consultants are called upon to evaluate the internal audit activity. Working papers form a basis for evaluating the internal audit department's quality assurance program, demonstrating compliance with the Standards. To serve as part of the documentation required by the Bursa Malaysia Listing Requirements. The Act requires an issuer to, "devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances" that certain objectives relating to management 5

authorisation, recording of transactions, access to assets, and accountability for assets are being met. Evidence of compliance must be documented. Part of that documentation can well be the working papers of internal auditors; so such documents must be capable of standing the sharpest scrutiny.

(b) Risk based internal auditing (RBIA) is the methodology which the Internal Audit Department uses to provide assurance that risks are being managed to within the organisations risk appetite. In other words: the processes that manage risks to a level considered acceptable by the board are working effectively and efficiently.

A risk based audit focuses on understanding the business activities and processes that lead to the companys financial and non-financial achievements.

Question 4 (20 marks)

(a) An adequate 'Internal Audit Charter' serves as a basis or authorisation for every effective internal audit programme. An adequate charter is particularly important to define the roles and responsibilities of the internal audit department. Discuss. (10 marks)

(b) The internal auditors, who are employees of an organisation, are in substance not independent and free to carry out their duties without fear or favour. Explain how the board of directors of an organisation can ensure the true independence of the internal auditors? Answer (a) An internal audit charter is a very broad and general document. There is no fixed content or format to an internal audit charter, but it should define the responsibilities of internal audit in very broad terms, describe the standards to be followed, and define the relationship between the audit committee and internal audit. (10 marks)

The latter point is particularly important as it sends a special message to senior management that the Chief Audit Executive can go to a higher authoritythe audit committeein the event of a significant controversy or controls issue.

In theory, the audit committee is supposed to draft the document as a board committee activity. In reality, the Chief Audit Executive will usually take the lead in drafting this charter. While the charter authorises the work that should be performed by internal audit, the audit committee members may not be in a position to draft detailed audit charter requirements.

The Chief Audit Executive works closely with the chairman of the audit committee to draft the audit charter for audit committee and overall board approval. The organisation's external auditors should also have an opportunity to review this document. The acceptance of the internal audit charter and related provisions by all parties of interest means that internal audit is freed from barriers that might otherwise prevent it from making needed disclosures to the audit committee, even those of a very sensitive nature. In fact, the charter should outline a specific obligation to make such disclosures.

This charter statement of internal audit's relationship to the audit committee is especially important since internal audit's day-to-day reporting responsibility is to organisation management. That is, senior management typically selects and hires the Chief Audit Executive. All members of the audit team are hired and paid by the organisation, not the independent audit committee. Senior management often may forget that internal audit also has this special reporting relationship to the audit committee These activities might be documented in a formal policy statement, developed by internal audit and approved by senior management, which outlines internal audit services to its audit committee. (b) Since the internal auditors are employed by the company, the publics opinion of the internal auditors is that they cannot be independent and cannot be free to carry out their duties without fear or favour.

To ensure independence of the internal auditors, the Board of Directors must issue a statement that internal auditors are not part of the management.

The statement must also state that the appointment, suspension or removal of the internal auditors can only be made by the Board of directors. The Board of directors should establish an Audit Committee. The Audit Committee should comprise of independent non-executive directors. The Audit Committee should ensure the independence of the Internal Auditors. The main function of the Audit Committee is to serve as a supervisory function. An independent Audit Committee should determine the organisation's reporting, terms of reference, authority and the remuneration of the Chief Audit Executive, to ensure that the work is performed independently. The Audit Committee must approve a clear audit charter for the internal audit function and a job description for the internal auditor. The Audit Committee must protect and preserve the independence of the Chief Audit Executive.

It is prudent that the terms and conditions of employment of the Chief Audit Executive be signed by the Chairman of the Audit Committee to set out clearly who is the 'master' or the employer.

Question 5 (20 marks)

The growing recognition by management of the benefits of good internal control, and the complexities of an adequate system of internal control have led to the development of internal auditing as a form of control over all other internal controls. The emergence of the internal auditors as experts in internal control is the result of an evolutionary process similar in many ways to the evolution of independent auditing. Required: (a) Explain why the internal and independent auditors' review of internal control procedures differ in purpose. (8 marks) (b) Explain the reasons why internal auditors should or should not report their findings on internal control to the following selection of company officials: (i.) the board of directors; (ii.) the chief financial officer. Answer: (a) The Internal Auditors review and test the system of internal control and report to management in order to improve the information received by managers and to help in their (7 marks) (5 marks)

task of running the company. The Internal auditors will recommend changes to the system to make sure that the management receives objective information, which is efficiently produced. The internal auditors will also have a duty to search for and discover fraud. The external auditors review the system of internal control in order to determine the extent of the substantive work required on the year-end accounts. The external auditors report to the shareholders rather than the managers or directors. External auditors usually however issue a letter of weakness to the managers, laying out any areas of weakness and recommendations for improvement in the system of internal control. The external auditors report on the truth and fairness of the financial statements, not directly on the system of internal control. The auditors do not have a specific duty to detect fraud, although they should plan their audit procedures so as to detect any material misstatement in the accounts on which they give an opinion.

(b) (i) Board of directors A high level of independence is achieved by the internal auditors, if they report directly to the Board. There may be problems with this approach. (1) The members of the Board may not understand all the implications of the internal audit reports when accounting or technical information is required. (2) The Board may not have enough time to spend considering the reports in sufficient depth. Important recommendations might therefore remain unimplemented. A way around these problems might be to delegate the review of internal audit reports to an audit committee, which would act as a kind of sub-committee to the main board. The audit committee might be made up largely of non-executive directors who have more time and more independence from the day-to-day running of the company. (ii) The Chief Financial Officer It would be inappropriate for internal audit to report to the chief financial officer, who is largely in charge of running the system of internal control. It may be feasible for him to receive the report as well as the Board. Otherwise, the internal audit function cannot be effectively independent as the chief financial officer could suppress unfavourable reports or could just not act on the recommendations of such reports.