internal and external audit (Gp3)-session 3

Distinction between internal and external audit
The external audit is focused on the financial statements, whereas the internal
audit function is focused on the operations of the entire business.
Objective
- Internal audit: Designed to add value and improve an entity’s operations.
- External audit: An exercise to enable auditors to express an opinion on the financial statement.
Reporting
- Internal audit: Reports to the board of directors, or other people charged with governance, such as the audit committee. Reports are private and for the directors and management of the entity.
- External audit: Reports to the shareholders or members of an entity on the truth and fairness of the financial statements. Audit report is publicly available to the shareholders and other interested parties.
Scope
- Internal audit: Work relates to the operations of the entity.
- External audit: Work relates to the financial statements.
Relationship
- Internal audit: Often employees of the organization, although sometimes the function is outsourced.
- External audit: Independent of the entity and its management. Usually appointed by the shareholders.
The pros and cons of outsourcing internal audit
The advantages of outsourcing internal audit (general):

- Independent evaluation. A second look by an experienced, third-party
  practitioner can provide new and innovative ideas for improvement.
- Experience. The third-party practitioner may have provided accounting and
  consulting services for a number of years and have reviewed, tested and
  evaluated internal controls and operating systems for multiple organizations.
- Industry expertise. The service provider has specialist skills and can assess
  management's requirements in virtually any industry.
- Time scale of the service contract is flexible.
- Number of staff is flexible, e.g. a team of staff for a short-term project, a
  single staff member on a long-term project.
- Affordable cost. By using third-party experts, you can minimize the fixed cost
  associated with in-house audit functions.
The advantages of outsourcing internal audit (short-term basis):

- Provide immediate services
- Lay the basis of a permanent function by setting policies and functions
- Prepare the directors for the implications of having an internal audit function
- Assist the directors in recruiting the permanent function
The disadvantages of outsourcing internal audit
- Complications for the external auditors if the company wishes to use the same
  firm for internal and external audit services
- Cost of outsourcing might be high enough to make directors choose not to have
  an internal audit function
- Internal auditors may lose their jobs if the function is outsourced
- High outsourcing cost
- May lose existing and developing skills
- Outsourcing staff may have little knowledge of the company initially
- Company staff may oppose outsourcing if it results in redundancies
- Loss of managerial control
- Quality problems
- Outsourcing is not ideal for a small company
Using the work of internal audit function
Examples of internal audit work that might be used by the external auditors:
- Testing of the operating effectiveness of controls
- Substantive procedures involving limited judgment
- Observation of inventory controls
- Tracing transactions through the information system relevant to financial
  reporting
- Testing of compliance with regulatory requirements
Discuss the planned use of its work with the function, addressing the following:
- The timing of such work
- The nature of the work performed
- The extent of audit coverage
- Materiality for the financial statements as a whole and performance materiality
It would not be appropriate for the internal auditors to provide direct assistance in
respect of the following:
- Discussion of fraud
- Determination of unannounced audit procedures in accordance with HKSA 240
- Responsibilities regarding external confirmation requests and evaluation of
  results of external confirmation procedures
Substantive Procedure
A substantive procedure is a process, step, or test that creates conclusive evidence
regarding the completeness, existence, disclosure, rights, or valuation of assets
and/or accounts on the financial statements. To qualify as a substantive procedure,
enough documentation must be collected so that another competent auditor could
conduct the same procedure on the same documents and make the same
conclusion.
Substantive procedures include the following general categories of
activity:
- Testing classes of transactions, account balances, and disclosures
- Agreeing the financial statements and accompanying notes to the underlying
  accounting records
- Examining material journal entries and other adjustments made during the
  preparation of the financial statements
At a general level, substantive procedures related to testing
transactions can include the following:
- Examining documentation indicating that a procedure was performed
- Re-performing a procedure to ensure that the procedure functions as
  planned
- Inquiring or observing regarding a transaction
Examples of substantive procedures:
- Bank confirmation
- Accounts receivable confirmation
- Inquire of management regarding the collectability of customer accounts
- Match customer orders to invoices billed
- Match collected funds to invoices billed
- Observe a physical inventory count
- Confirm inventories not on-site
- Match purchasing records to inventory on hand or sold
- Confirm the calculations on an inventory valuation report
- Observe fixed assets
- Match purchase orders and supplier invoices to fixed asset records
- Confirm accounts payable
- Examine accounts payable supporting documents
- Confirm debt
- Analytical analysis of assets, liabilities, revenue, and expenses


Sarbanes-Oxley Act**
Sarbanes-Oxley will mean big changes for both auditors and the companies they
audit. The former now will be required to certify a company’s internal controls and
will no longer be able to use certain common audit strategies. Management faces the
cost of implementing the new rules.
1. Make changes to audit process
According to the exposure draft of a new SAS, the understanding of internal
controls required for CPAs to express an opinion on financial statements is not
adequate for them to offer an opinion on the controls themselves. This means
auditors will have to make changes to the audit process.
2. Attest to management
The auditor must attest to management’s assessment of the effectiveness of an
entity’s internal controls using standards the Public Company Accounting
Oversight Board issues or adopts. The auditor will require management to
identify, document and evaluate significant internal controls—management
cannot delegate this function to the auditor.
3. Advise company to begin
Auditors should advise companies to begin the process of assessing the
effectiveness of controls as early as possible. The task will be time-consuming,
requiring management to determine which locations or business units to include
in its evaluation.
4. Not too closely involved in the company’s assessment
Auditors should not be too closely involved with a company’s assessment of its
controls or they risk impairing their objectivity. The auditor cannot accept
management’s responsibility to reach conclusions on the effectiveness of the
entity’s controls nor can management base its assertion about the controls
design and operating effectiveness on the results of the auditor’s tests.
Case study--- Deloitte
Internal audit insights---High impact areas of focus
1. Internal audit analytics
2. Risk and control culture
3. Cyber Crime and security
4. Assurance mapping
5. Crisis management
6. Anti-bribery and Anti-corruption
7. Capital project reviews
8. Sustainability
9. Joint venture government
10. Data privacy
** See more at:
http://www.journalofaccountancy.com/issues/2003/sep/howsarbanesoxleywillchangetheauditprocess.html#sthash.z13A1reL.dpuf
The relationship between internal audit function and the Code on
Corporate Governance Practices in Hong Kong
The key principle is accountability and audit
- Establish formal and transparent arrangements for considering how they will
  apply the financial reporting and internal control principles and maintaining an
  appropriate relationship with the company’s auditors
- Audit committee should have clear terms of reference.
- Audit committee should monitor and review the effectiveness of internal audit
  activities
- Maintain effective internal controls to safeguard shareholders’ investment
The board to comply with the requirements of the code where there is
no internal audit function
- Audit committee should consider whether there is a need for the function and
  make a recommendation to the board
The key responsibility of the board in relation to internal control:
- Assess the scope and effectiveness of the internal control
- Monitoring the process of internal audit
- Ensure appropriate internal control for monitoring compliance with related laws
  and regulations
- Ensure the internal audit department has sufficient resources
- Approving the appointment or dismissal of the head of internal audit
- Considering the management response to the suggestion
Role of internal audit in UK’s Corporate Governance Code.
Guidance to Directors in particular highlights the role internal audit can
have in providing objective assurance and advice on risk and control
- An objective evaluation of the risk and internal control framework
- Analysis of business processes and internal controls
Guidance to Directors sets out some key guidelines for the board.
- A defined process for the review of effectiveness of internal control
- Review regular reports on internal control