April 2012
Internal Audit
Introduction

Recent events including global financial crises have emphasised need for
internal auditing within corporate governance structures

Internal audit function is now mandatory by most stock exchanges

Donors increasingly demand improved accountability & financial
transparency in development projects

IFAD procedures do not specifically require internal audit, however, IFAD
Operational Procedures for Project Audits (for use by IFAD & CIs) require
that “as part of the assessment of the borrower’s capacity to implement and
manage the project effectively, the appraisal mission will evaluate any
internal audit (IA) mechanism for the project/ PMU”

Furthermore, internal audit is considered good practice & advisable as
part of underlying control framework & financial management capacity of a
project, particularly if complex &/ or decentralised
1
Definition
“Internal auditing is an independent, objective assurance and
consulting activity designed to add value and improve an
organization's operations.
It helps an organisation
accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk
management, control, and governance processes. ”
The Institute of Internal Auditors
2
IA – Code of Ethics
Principles
Internal auditors are expected to apply & uphold the following principles:
Integrity
The integrity of internal auditors establishes trust & so provides the basis for
reliance on their judgment
Objectivity
Internal auditors exhibit the highest professional objectivity in gathering,
evaluating & communicating information. Internal auditors make a balanced
assessment of all relevant circumstances & are not unduly influenced by their
own interests or others in forming judgments
Confidentiality
Internal auditors respect the value and ownership of information they receive
& do not disclose information without appropriate authority unless there is a
legal or professional obligation to do so
Competency
Internal auditors apply knowledge, skills, & experience needed
3
What is Internal Audit?
Internal Audit is a professional activity which helps organisations to achieve their
stated objectives by:

Analyzing key processes, procedures & operations

Identifying key controls in each such operation, procedure & process


Evaluating the adequacy of these controls
Testing compliance of sample transactions against these controls

Reporting results of the evaluation of controls and compliance testing of
transactions

Recommending stronger controls wherever necessary

Suggesting methods to improve compliance with key controls

Follow up of action taken on recommendations made in previous reports
4
What are Internal Controls?
Internal Controls are important checks instituted by management to have
reasonable assurance that:

Operations are carried out in an efficient & effective manner

Transactions are recorded accurately & completely

Assets are properly recorded & safeguarded

Laws are complied with

Reliable reports are generated
5
Some examples of Internal Control
►
Budgetary Control
►
Fixed Assets Register
►
Bank & Special Account Reconciliations
►
Reconciliation of Financial & Physical M & E Reports
6
How are Internal Audit & External Audit different?
Internal audit is focused at internal management support and improving
systems, procedures and processes
⇉
External audit (EA): normally statutory requirement, unlike internal audit (IA)
⇉
EA reports are addressed to stakeholders: IA reports are addressed to
Management
⇉
EA reports express an opinion on the financial statements prepared by the
entity for a specified period: IA reports evaluate and check compliance
against key internal controls
⇉
EA reports are usually public documents which are available to all
stakeholders. IA reports are for use only by Management
⇉
EA reports do not make recommendations, although may have a
Management Letter: IA reports are incomplete without
⇉
EA is basically a review of financial statements for compliance: IA seeks to
ensure value for money to Management
7
Why should IFAD funded projects be subject to IA?
IFAD funded projects may be subject to Internal Audit because:

External audit checks overall compliance to internal controls related
to financial transactions.

Supervision Missions conduct only spot checks.

Internal audit is inherent in government structures in most developing
countries.

Sample IA Terms of Reference enclosed

IA has a key role in Risk management of IFAD Projects
8
What are key concerns from a FM viewpoint?
►
►
►
►
►
►
►
►
►
►
►
Is the accounting system capable of recording financial transactions in a timely &
accurate manner?
Is the accounting system capable of tracking project expenditure by category &
component?
Is the accounting system capable of comparing actual expenditure to budget as
per approved AWPB on a real time basis?
Are withdrawal applications prepared properly & do they contain ineligible
expenditures?
Are procurement transactions undertaken as per Schedule 4 &/or LTB of the
financing agreement?
Are project assets properly recorded & safeguarded from misuse and abuse?
Are Special Account & Project Account operated & reconciled properly & timely?
Are proper audit arrangements in place?
Are audit reports properly followed up?
Does the project generate reliable & accurate financial statements & reports?
Are project funds flowing smoothly, timely & transparently to intended
beneficiaries?
9
Internal Audit (IA) Mandate
Compliance & Advisory roles
What does it do?

Primary role in improving internal control, accuracy, reliability &
integrity of information including financial & operational reporting

Monitoring & evaluation of effectiveness of risk management
processes

Role in corporate oversight, safeguarding of assets, economical
& efficient use of resources, compliance with laws & regulations,
deterring fraud
What does it not do?
 Perform management activities/ responsibilities (these include establishing
internal controls)
10
Internal Control Myths and Facts
MYTHS:
FACTS:
Internal control starts with a strong set of
policies and procedures
Internal control starts with a strong set of
policies and procedures
Internal control: That’s why we have
internal auditors!
While internal auditors play a key role in
the system of control, management has
responsibility for internal control
Internal control is a finance thing
Internal control is integral to every aspect
of business/operations
Internal controls are essentially negative,
like a list of “thou-shalt-nots”
Internal control makes the right things
happen the first time
Internal controls take time away from our
core
activities
of
implementing
development objectives
Internal controls should be built “into,”
not “onto” business processes
11
Internal Control Practices
How?
 Internal control is a process. It's a means to an end, not an end
in itself
 Internal control is effected by people as a team, not by
internal auditor. It's not merely policy manuals & forms, but
people at every level of an organization
 Internal control can be expected to provide only reasonable
assurance, not absolute assurance, to an entity's management
and governing bodies/ committees
 Uses systematic methodology
processes, procedures & activities
for
analysing
business
 The cost of IA should not exceed expected benefits to be
derived
12
Internal Control Structure
An internal control structure is simply a different way of viewing operations – a
perspective that focuses on doing the right things in the right way
• Monthly reviews of
performance reports
• Supervisory activities
•
•
•
•
•
Purchasing limits
Approvals/ segregations
Security
Reconciliations
Proper operating &
accounting procedures
• Reporting
• Corporate
communications
(e-mail, meetings)
MONITORING
INFORMATION AND
INFORMATION
&
COMMUNICATION
COMMUNICATION
CONTROL ACTIVITIES
CONTROL
ACTIVITIES
• Based on identification
& analysis of risks to
achievement of
objectives
RISK ASSESSMENT
CONTROL
ENVIRONMENT
•
•
•
•
Corporate Policies
Tone at the top, ethics
Organisational authority
Skilled personnel
In many cases, you perform controls and interact
with the control structure every day, perhaps
without even realising it
13
Role in Risk Management
 Focus on risk of occurrences that could prevent the project from
achieving its goals
 There are many types of risk – strategic, operational, financial reporting,
legal/regulatory, fraud, ineffective/inefficient
technological, human capital, credibility, etc.
use
of
resources,
 Focus on areas with high risk & high probability that controls are not in
place or are weak
 Don’t forget positive risks – opportunities!
Add value by eliminating unnecessary controls, if
underlying risks are minimal/within project’s risk appetite!
14
Role in Internal Control
1. Compliance audit: review of financial & operating controls &
transactions for conformity with laws, regulations & procedures,
e.g.,
•
•
•
•
•
•
Access to IT system appropriate to user’s role
Segregation of duties in high risk areas
Balancing & reconciliation between systems
Systems back up & recovery
Physical safeguard & access restriction controls
Reconciliations, comparison budget of actual
2. Operational audit: review of various functions within project to
evaluate efficiency, effectiveness, & economy
15
IA Role in Corporate Oversight

Four pillars – internal audit, executive management, external audit, & Board of
directors/ steering committee

Combination of processes & organisational structures implemented by
management to inform, direct, manage and monitor the project’s resources,
strategies & policies towards the achievement of its objectives

Public sector governance Principles
- transparency, integrity, accountability

May include review of sufficiency of human resources,
training
needs, policies, etc.
16
Nature of Internal Audit Activity



Establish scope & activities for audit to Management

Develop & execute risk based sampling & testing approach to determine
whether most important controls are operating as intended (NB: input from
Management required – e.g. 100% sampling of WA review)

Report issues/make recommendations/negotiate action plans with
Management to address issues

Follow up on reported findings periodically
Describe key risks facing the business activities within scope of audit
Identify control procedures used to ensure each key risk is properly controlled &
monitored
17
Contents of Audit Plan

Updated annually

Risk based audit plan developed with input from project
staff
including Management

Summary of key goals, risks & corresponding major audits, to illustrate alignment

Based on risk assessment & available resources

Appendix materials, such as planning approach, assumptions & brief descriptions
of all planned audits & related prioritization

Approved by management/ appropriate oversight Committee
18
Contents of Audit Report
 Observations
 Narration/ description
 Remedial action
 Consequences/ fall out
 Recommendation for improvement (prioritized between “high” and
“normal”)
 Response (action plan) – who, when and how
19
IA’s Proactive Role
 Identify Risks
 Find Better Ways and Best Practices
 Partner With Management to Find Solutions
 Prevent Problems
 Provide training
 Respond to policy & technical accounting questions
 Offer suggestions for improvement
 Advisory role
20
Additional Resources
21
Conclusion
Why all this trouble?
 Additional comfort and “tightness” that the project is doing the right thing, the
first time, communicating right information internally, to external auditors,
donors, ministries, etc.
 More formal control structures reduce possibility that risks become real
issues
 External Auditor may receive additional assurance to provide unqualified
report on accounts
 Donor & government confidence increased, affecting financing flows
What are the next steps?
 Identify areas of high risk & opportunities
 Validation of process documentation & controls
 Communication, with PCs & project staff
22