April 2012

Internal Audit

Introduction

Recent events including global financial crises have emphasised need for
internal auditing within corporate governance structures

Internal audit function is now mandatory by most stock exchanges

Donors increasingly demand improved accountability & financial

transparency in development projects

IFAD procedures do not specifically require internal audit, however, IFAD

Operational Procedures for Project Audits (for use by IFAD & CIs) require
that as part of the assessment of the borrowers capacity to implement and
manage the project effectively, the appraisal mission will evaluate any
internal audit (IA) mechanism for the project/ PMU

Furthermore, internal audit is considered good practice & advisable as

part of underlying control framework & financial management capacity of a
project, particularly if complex &/ or decentralised
2

Definition
Internal

auditing

is

an

independent,

objective assurance and consulting activity

designed to
organization's

add

value

and improve an

operations.

It

helps

an

organisation accomplish its objectives by

bringing a systematic, disciplined approach
to evaluate and improve the effectiveness of
risk management, control, and governance
processes.
The Institute of Internal Auditors

IA Code of Ethics
Principles
Internal auditors are expected to apply & uphold the following
principles:
Integrity

The integrity of internal auditors establishes trust & so

provides the basis for reliance on their judgment

Objectivity

Internal auditors exhibit the highest professional objectivity in

gathering, evaluating & communicating information. Internal
auditors make a balanced assessment of all relevant
circumstances & are not unduly influenced by their own
interests or others in forming judgments

Confidentiality

Internal auditors respect the value and ownership of

information they receive & do not disclose information without
appropriate authority unless there is a legal or professional
obligation to do so

Competency

Internal auditors apply knowledge, skills, & experience needed

What is Internal Audit?

Internal Audit is a professional activity which helps organisations to achieve their
stated objectives by:

Analyzing key processes, procedures & operations

Identifying key controls in each such operation, procedure & process

Evaluating the adequacy of these controls

Testing compliance of sample transactions against these controls

Reporting results of the evaluation of controls and compliance testing of

transactions

Recommending stronger controls wherever necessary

Suggesting methods to improve compliance with key controls

Follow up of action taken on recommendations made in previous reports

What are Internal Controls?

Internal Controls are important checks instituted by management to have
reasonable assurance that:

Operations are carried out in an efficient & effective manner

Transactions are recorded accurately & completely

Assets are properly recorded & safeguarded

Laws are complied with

Reliable reports are generated

Some examples of Internal Control

Budgetary Control

Fixed Assets Register

Bank & Special Account Reconciliations

Reconciliation of Financial & Physical M & E Reports

How are Internal Audit & External Audit different?

Internal audit is focused at internal management support and improving
systems, procedures and processes

External audit (EA): normally statutory requirement, unlike internal audit (IA)

EA reports are addressed to stakeholders: IA reports are addressed to

Management

EA reports express an opinion on the financial statements prepared by the

entity for a specified period: IA reports evaluate and check compliance
against key internal controls

EA reports are usually public documents which are available to all

stakeholders. IA reports are for use only by Management

EA reports do not make recommendations, although may have a

Management Letter: IA reports are incomplete without

EA is basically a review of financial statements for compliance: IA seeks to

ensure value for money to Management
8

Why should IFAD funded projects be subject to IA?

IFAD funded projects may be subject to Internal Audit because:

External audit checks overall compliance to internal controls related

to financial transactions.

Supervision Missions conduct only spot checks.

Internal audit is inherent in government structures in most developing

countries.

Sample IA Terms of Reference enclosed

IA has a key role in Risk management of IFAD Projects

S ample IA TOR

What are key concerns from a FM viewpoint?

Is the accounting system capable of recording financial transactions in a timely &

accurate manner?
Is the accounting system capable of tracking project expenditure by category &
component?
Is the accounting system capable of comparing actual expenditure to budget as
per approved AWPB on a real time basis?
Are withdrawal applications prepared properly & do they contain ineligible
expenditures?
Are procurement transactions undertaken as per Schedule 4 &/or LTB of the
financing agreement?
Are project assets properly recorded & safeguarded from misuse and abuse?
Are Special Account & Project Account operated & reconciled properly & timely?
Are proper audit arrangements in place?
Are audit reports properly followed up?
Does the project generate reliable & accurate financial statements & reports?
Are project funds flowing smoothly, timely & transparently to intended
beneficiaries?
10

Internal Audit (IA) Mandate

Compliance & Advisory
roles
What does it do?

Primary role in improving internal control, accuracy, reliability &

integrity of information including financial & operational reporting

Monitoring & evaluation of effectiveness of risk management

processes

Role in corporate oversight, safeguarding of assets, economical

& efficient use of resources, compliance with laws & regulations,
deterring fraud

What does it not do?

Perform management activities/ responsibilities (these

include establishing internal controls)
11

Internal Control Myths and Facts

MYTHS:
Internal control starts with a
strong set of policies and
procedures
Internal control: Thats why we
have internal auditors!
Internal control is a finance thing
Internal controls are essentially
negative, like a list of thoushalt-nots
Internal controls take time away
from our core activities of
implementing
development
objectives

FACTS:
Internal control starts with a
strong set of policies and
procedures
While internal auditors play a key
role in the system of control,
management has responsibility
for internal control
Internal control is integral to
every
aspect
of
business/operations
Internal control makes the right
things happen the first time
Internal controls should be built
into, not onto business
processes
12

Internal Control Practices

How?
Internal control is a process. It's a means to an end, not an end
in itself
Internal control is effected by people as a team, not by
internal auditor. It's not merely policy manuals & forms, but
people at every level of an organization
Internal control can be expected to provide only reasonable
assurance, not absolute assurance, to an entity's management
and governing bodies/ committees
Uses systematic methodology
processes, procedures & activities

for

analysing

business

The cost of IA should not exceed expected benefits to be

derived
13

Internal Control Structure

An internal control structure is simply a different way of viewing operations a
perspective that focuses on doing the right things in the right way
Monthly reviews of
performance reports
Supervisory activities

Purchasing limits
Approvals/ segregations
Security
Reconciliations
Proper operating &
accounting procedures

Reporting
Corporate
communications
(e-mail, meetings)

MONITORING
INFORMATION AND &
INFORMATION
COMMUNICATION
COMMUNICATION
CONTROL ACTIVITIES
CONTROL
ACTIVITIES

Based on identification
& analysis of risks to
achievement of
objectives

RISK ASSESSMENT
CONTROL
ENVIRONMENT

Corporate Policies
Tone at the top, ethics
Organisational authority
Skilled personnel

In many cases, you perform controls and

interact with the control structure every
day, perhaps without even realising it
14

Role in Risk Management

Focus on risk of occurrences that could prevent the project

from achieving its goals

There are many types of risk strategic, operational,

financial
reporting,
legal/regulatory,
fraud,
ineffective/inefficient use of resources, technological,
human capital, credibility, etc.

Focus on areas with high risk & high probability that

controls are not in place or are weak

Dont forget positive risks opportunities!

Add value by eliminating unnecessary controls,

if underlying risks are minimal/within projects
risk appetite!
15

Role in Internal Control

1. Compliance audit: review of financial & operating controls &
transactions for conformity with laws, regulations & procedures,
e.g.,

Access to IT system appropriate to users role

Segregation of duties in high risk areas
Balancing & reconciliation between systems
Systems back up & recovery
Physical safeguard & access restriction controls
Reconciliations, comparison budget of actual

2. Operational audit: review of various functions within project to

evaluate efficiency, effectiveness, & economy

16

IA Role in Corporate Oversight

Four pillars internal audit, executive management, external
audit, & Board of directors/ steering committee

Combination of processes & organisational structures

implemented by management to inform, direct, manage and
monitor the projects resources, strategies & policies towards the
achievement of its objectives

Public sector governance Principles

- transparency, integrity, accountability

May include review of sufficiency of human resources,

training needs, policies, etc.

17

Nature of Internal Audit Activity

Establish scope & activities for audit to Management

Identify control procedures used to ensure each key risk is

properly controlled & monitored

Develop & execute risk based sampling & testing approach

to determine whether most important controls are operating as
intended (NB: input from Management required e.g. 100%
sampling of WA review)

Report issues/make recommendations/negotiate action

plans with Management to address issues

Follow up on reported findings periodically

Describe key risks facing the business activities within scope of

audit

18

Contents of Audit Plan

Updated annually

Risk based audit plan developed with input from project

staf including Management

Summary of key goals, risks & corresponding major audits, to

illustrate alignment

Based on risk assessment & available resources

Appendix materials, such as planning approach, assumptions &

brief descriptions of all planned audits & related prioritization

Approved by management/ appropriate oversight Committee

19

Contents of Audit Report

Observations

Narration/ description

Remedial action

Consequences/ fall out

Recommendation for improvement (prioritized

between high and normal)

Response (action plan) who, when and how

20

IAs Proactive Role

Identify Risks

Find Better Ways and Best Practices

Partner With Management to Find Solutions

Prevent Problems

Provide training

Respond to policy & technical accounting questions

Offer suggestions for improvement

Advisory role

21

Additional Resources

22

Conclusion
Why all this trouble?
Additional comfort and tightness that the project is doing the right thing, the
first time, communicating right information internally, to external auditors,
donors, ministries, etc.
More formal control structures reduce possibility that risks become real issues
External Auditor may receive additional assurance to provide unqualified
report on accounts
Donor & government confidence increased, affecting financing flows
What are the next steps?
Identify areas of high risk & opportunities
Validation of process documentation & controls
Communication, with PCs & project staff

23