Auditing 1
Lecture 15
Internal audit
Introduction

The field of internal auditing is a dynamic and
rapidly expanding one. It is a significant
component of the internal control system. Its
significance and expansion has been greatly
enhanced with the formation of the Institute
of Internal Auditors (IIA) in 1941 in the United
States of America, coupled with the growth in
size and complexity of many organizations in
recent years, and the need to institute proper
and efficient control systems.
Introduction
 Internal
audit is generally a feature of
large companies. It is a function, provided
either by employees of the entity or
sourced from an external organization, to
assist management in achieving
corporate company’s mission statement
and strategic plan.
Internal audit and
corporate governance



Established codes of corporate governance such as the UK
Corporate Governance Code highlight the need for
businesses to maintain good systems of internal control to
manage the risks the company faces. Internal audit can
play a key role in assessing and monitoring internal control
policies and procedures.
The board should establish formal and transparent
arrangement for considering how they should apply the
corporate reporting and risk management and internal
control principles, and maintaining an appropriate
relationship with the company’s auditors.
The role of the internal auditor is anchored on three main
pillars: (i) Risk Management (ii) Internal Control and (iii)
Governance
Assessing the need for internal
audit








Internal audit can assist an entity in providing effective corporate
governance thus a corporate governance requirement.
The cost of setting up an internal audit department versus the
predicted benefit
Predicted savings in external fees where work carried out by
consultants will be carried out by the new internal audit
department
The complexity and scale of the organization’s activities and the
systems supporting those activities.
The abilities of existing managers and employees to carry out
assignments that internal audit may be asked to carry out
Management’s perceived need for assessing risk and internal
control
Whether it is more cost effective or desirable to outsource the work
The pressure from external stakeholders to establish an internal
audit department
Definition of internal audit
 In
the standard for the professional
practice of Internal Auditing, the Institute
of Internal Auditors, in 1978, defined
internal auditing as;
 “An independent appraisal function
established within an organisation to
examine and evaluate its activities as a
service to the organization”.
Definition of internal audit


The 21st Century definition of internal auditing as
contained in the International Standards for the
Professional Practice of Internal Auditing issued in
January 2004 re-inforces the core role of the
internal auditor as:
An independent objective assurance and
consulting activity designed to add value and
improve an organisation’s operations. It helps an
organization accomplish its objectives by bringing
systematic disciplined approach to evaluate and
improve the effectiveness of risk management,
control, and governance process.
Definition of internal audit
 Internal
auditing is an appraisal or
monitoring activity established within an
entity as a service to the entity. It functions
by, amongst other things, examining,
evaluating and reporting and to
management and the directors on the
adequacy and effectiveness of
components of the accounting and
internal control systems.
The Changing Role of the
Internal Auditor
CHARACTERISTIC
S
OLD PARADIGM
NEW PARADIGM
i) Internal Audit
focus
Internal Control
Business Risk
ii) Internal audit
response
Reactive, after-thefact,
discontinuous,
observers
of strategic planning
initiatives
Proactive, realtime
continuous,
participants in
strategic planning
initiatives
iii)Risk assessment Searching for risk
factors
Scenario planning
iv)Internal audit
test
Concerned with
important
business risk
Concerned with
important
Controls
The Changing Role of the
Internal Auditor
v)Internal audit
methods
Emphasis on the
Completeness of
detail,
Controls testing
Emphasis on
significance
Of broad business
risks covered
vi)Internal audit
recommendation
Internal control:
-Strengthened
-Cost-benefit
-Efficient/effective
Risk management:
-Avoid/diversity
risk
-Share/transfer risk
-Control/accept
risk
vii)Internal audit
reports
Addressing
Addressing
functional controls process risk
viii)Internal audit
role in the
Independent
appraisal
Integrated risk
Management and
Code of Ethics
 The
Institute of Internal Auditors (IIA) ha
promulgated a code of ethics to promote
an ethical culture in the global profession
of internal auditing:
 Integrity
 Objectivity
 Confidentiality
 Competency
Distinction between internal
and external auditor
Internal audit
External audit
Objective
Designed to add
value and
improve an orgn’s
operations
An exercise to
enable auditors to
express an opinion
on the FS.
Reporting
Reports to the
BOD, or other ppl
charged with
governance, such
as the audit
comm. Reports
are private and
for the directors &
mgt of the co.
Reports to the
s’holders or mbrs
of a co. on the
T&F of the accts.
Audit report is
publicly available
to the s’holders
and other
interested parties
Scope
Work relates to the Work relates to the
Distinction between internal
and external auditor
Relationship
Often employees
of the orgn,
although s’times
the function is
outsourced
Independent of
the co. and its mgt
usually appointed
by the
shareholders.
Planning and
collection of
evidence
-Strategic L-T
planning carried
out to achieve
objective of
assignments with
no materiality
level being set.
-Some audit may
be procedural,
rather than riskbased
-Planning carried
out to achieve
objective
regarding truth
and fairness of
financial
statement.
-Materiality level
set during
planning (may be
amended ).
Functions of Internal Audit:




To review the control system and to identify
weaknesses, breakdown and to report to
management with recommendations.
To design checks to reveal the existence of
frauds or to prevent frauds.
To rationalize accounting policies within a
group and to design and implement new
accounting systems.
To conduct management efficiency audits
and post implementation audits of capital
projects.
Relationship with External
Auditor:
 The
Internal Auditor and the External
Auditor have similar audit aims on
accounting matters; i.e, ascertain the
reliability of records/effectiveness of the
control system so as to safeguard the
assets of the company.
 Both use similar means or methods to
achieve the above, e.g., testing controls,
physical inspection, confirmation from
third parties, sampling techniques.
Qualities/skills of Internal
Auditor











Technical Skills
Data collection and analysts
Financial analysis
Forensic skill/fraud awareness
Identifying types of controls
Interviewing
Negotiating
Use of ICT
Risks analysis
Statistical sampling
Research skills
Qualities/skills of Internal
Auditor











Behavioral
Confidentiality
Governance and ethics sensitivity
Interpersonal skills
Staff management
Leadership
Objectivity
Team Building
Facilitating
Working independently
Work with all levels of management
Reliance on the Internal
Auditor by the External Auditor




In order to rely on the work of the internal auditor,
the external auditor needs to assess the relevance,
competence and objectivity of the internal
auditing department.
Such assessment will be focused on the following
areas:
Position – The degree of independence or how
independent are people whose work are being
reviewed
Staff – The number of qualified staff in the
department as well as their relevant
experience/expertise
Reliance on the Internal
Auditor by the External Auditor


Scope of Work/Evidence of Work Done – A
critical examination of scope of work of the
internal auditing department including the
examination of the working papers and the
appropriate management action taken on
internal audit reports and recommendations.
Executive Functions – The extent to which
internal audit is involved in the
implementation of new accounting systems.
Internal audit assignments
 Internal
audit can be involved in many
different assignments as directed by
management. These can range from
value for money projects to operational
assignments looking at specific parts of
the business.
Value for money audits


Value for money (VFM) audits examines the
economy, efficiency and effectiveness of
activities and processes. These are known as
the three Es of VFM audits.
The three E’s which form the basis of the VFM
audit are very important for assessing the
performance of not-for-profit organizations,
because their performance cannot be
properly assessed using conventional
accounting ratios.
Information technology audits


An information technology (IT) audit is a test
of controls in a specific area of the business,
the computer systems. Increasingly in modem
business, computers are vital to the
functioning of the business, and therefore the
controls over them are keys to the business.
It is likely to be necessary to have an IT
specialist in the internal audit team to
undertake an audit of the controls, as some of
them will be programmed into the computer
system.
Best value audits






“Best value” is a performance framework introduced into
local authorities by the UK government. They are required
to publish annual best value performance plans and review
all of their functions over a five year period.
As part of best value authorities are required to strive for
continuous improvement by implementing the “4 Cs”:
Challenge. How and why is a service provided?
Compare. Make comparisons with other local authorities
and the private sector.
Consult. Talk to local taxpayers and service users and the
wider business community in setting performance targets.
Compete. Embrace fair competition as an means of
securing efficient and effective service
Financial audit
 The
financial audit is internal audit’s
traditional role. It involves reviewing all the
available evidence to substantiate
information in management and financial
reporting. The substantive procedures and
tests of controls employed by external
audit are also used by internal audit.
Operational audits




Operational audits are audits of the
operational processes of the organization.
They are also known as management of
efficiency audits. Their prime objective is the
monitoring of management’s performance
ensuring company policy is adhered to.
There are two aspects of operational
assignments:
Ensure policies are adequate
Ensure policies work effectively
Procurement audits
 Procurements
is the process of purchasing
for the business. A procurement audit will
therefore concentrate on the systems of
the purchasing department(s). the
internal auditor will be checking that the
system achieves key objectives and that it
operates according to company
guidelines.
Internal audit reports



Internal auditors produce reports for directors and
management as a result of work performed. These
reports are internal to the business and are unlikely
to be shared with third other than the external
auditors.
The report is in a similar format to that used in the
‘report to management’ by the external auditor
when reporting significant deficiencies.
The internal auditor’s report could state
deficiencies found during the operational audit
along with the related implications and
recommendations.
Exit meeting



An exit meeting is held at end of the internal audit
engagement after a draft report has been produced.
The people at the meeting are likely to include both the
operational staff who understands the workings of the
implementations of the corrective actions identified.
The objectives of the meeting are to :



Discuss the findings and associated recommendations.
Provide management with the opportunity to give their views
on, and ask for clarification of, the observations and
recommendations allowing any misunderstandings to be
resolved.
Agree to the possible solutions to the problems the audit
assignment has identified
Final reports






Depending on the organization in question,
the final report may take the form of a written
report or take a different format, such as a
PowerPoint presentation.
Standard report format
TERMS OF REFERENCE
EXECUTIVE SUMMARY
BODY OF THE REPORT
APPENDICES FOR ANY ADDITIONAL
INFORMATION
EXECUTIVE SUMMARY







The executive summit is like a condensed
version of the full report and an executive
summary in an internal audit report will usually
include:
Background to the assignment
Objectives of the assignment
Major outcomes of the work
Key risks identified
Key action points
Summary of the left to do
Minimum contents




Although the content and format of the final
internal audit report will vary, somewhere the
report should, as a minimum, describe the
purpose, scope and result of the
engagement.
Purpose: The objectives of the audit
engagement should be clearly stated
This makes the report easier to read and helps
the reader to interpret it.
Findings should be linked back to this
objective.
Minimum contents







Scope: The scope defines what specially is
audited. It identifies which activities are
audited and also highlights any activities that
are excluded from the audit.
Results: This should include:
. observations
. conclusions
. opinions
. Recommendations
. Action plans
Addition contents



In addition, the final internal audit report may
include the following, optional, sections.
Background Information: This could include
information such as details of the organization
and the activities reviewed, and the outcome
of previous audit of the same areas.
Summaries: An executive summary (as
described earlier) may be included to present
the main findings of the report for those who
do not have time to read the entire report.
Addition contents


Accomplishments: Improvements in relation
to the past audit of the area may be
acknowledged.
Opinions: The opinions of management or
other staff on the findings and
recommendations may be incorporated into
either the main body of the report, an
appendix or as a covering letter. Executives
may need to intervene if there is a
disagreement between management and
internal audit
Attributes







High quality internal audit report will have the
following attributes:
Accurate: The report should be free from error.
Objective: It should be fair, impartial and unbiased. It
should be based on facts
Clear: The report should be logical, easily understood
and free from jargon
Concise: It should be to the point and free from
unnecessary detail
Complete: No information essential to the intended
audience should be omitted.
Timely: The report should convey a sense of urgency.
Distribution of the final report





The full report should be provided to those
people who can take corrective action on
the issues raised in the report. Summary
reports should be provided to more senior
managers.
Communication may also go to:
External auditors
The board
Others who are affected by, or interested in,
the results
Amendments
 If
any amendments are made to the
report after it has been issued, a new
report should be issued which highlights
any changes. This should be distributed to
everyone who received the original
report.
Releasing the report
 If
the report is to be released to parties
outside the organization, the risks to the
organization of doing so should be
assessed. Approval to release should be
gained from senior management, legal
counsel or both.
Management response
 After
the issue of the final report,
management will be given the
opportunity to provide their formal
response to the report. This formally
communicates back what is going to be
done about the recommendations raised.
Outsourcing the internal audit
function

Internal audit departments may consist of
employees of the company, or may be
outsourced to external service providers. The
advantages of outsourcing the internal audit
function include speed, cost and a tailored
answer to internal audit requirements. One of
the main disadvantages may include threats
to independence and objectivity if the
external audit service is provided by the same
firm.
What is outsourcing
 Outsourcing
is the use of external suppliers
as a source of finished products
Components or services. It is also known
as sub contracting.
Advantages of outsourcing







Staff does not need to be recruited, as the service
provider has good quality staff.
The service provider has different specialist skills and
can assess what management requires them to do.
Outsourcing can provide an immediate internal audit
department.
Associated costs, such as staff training, are
eliminated.
The service contract can be for the appropriate time
scale.
Because the time scale is flexible, a team of staff can
be provided if required.
It can be used on a short-term basis
Disadvantages of outsourcing






There will be independence and objectivity issues if
the company uses the same firm to provide both
internal and external audit services.
The cost of outsourcing the internal audit function
might be high enough to make the directors choose
not to have an internal audit function at all.
Company staff may oppose outsourcing if it results in
redundancies.
There may be a high staff turnover of internal audit
staff
The outsourced staff may only have a limited
knowledge of the company
The company will lose in-house skills
Managing an outsourced
department






A company will need to establish controls over the
outsourced internal audit department. These would
include:
Setting performance measures in terms of cost and areas of
the business reviewed and investigating and variances
Ensuring appropriate audit methodology (working
paper/reviews) is maintained.
Reviewing working papers on a sample basis to ensure they
meet internal standards /guidelines
Agreeing internal audit work plans in advance of work
being performed.
If external auditor is used, ensuring the firm has suitable
controls to keep the two functions separate so that
independence and objectivity is not impaired.
Quiz









1. What is an internal audit?
2. Name three key differences between internal and external audit.
3. link the value for money E with its definition
Economy
Efficiency
Effectiveness
4. The relationship between the goods and services produced (outputs) and the resources
used to produce them.
. The concern with how well an activity is achieving its policy objectives or other intended
effect.
Attaining the appropriate quantity and quality of physical, human and financial resources
(output) at lowest cost.






5. Name five areal of the computer system which might benefit from an IT audit.
6.. There are formal statutory rules governing the format of internal audit reports.
True
False
It is possible to buy in an internal audit services from an external organization