THE SYSTEMS APPROACH TO INTERNAL AUDIT - PART ONE

Andy Wynne - andywynne@lineone.net

Introduction
Systems auditing should be the main approach that is adopted by internal auditors. This series of four articles aims to outline the key aspects of this approach to internal audit and to provide some insights into undertaking internal audit more effectively. The higher profile of risk management in recent years has led some internal auditors to consider developing a risk-based approach to internal audit. However, risks do not exist in isolation. They are the results of the objectives of the organisation or system not being achieved. Risks should be considered as an integral part of the systems approach to internal audit. This should allow the adequacy and reliability of the existing controls to be considered within the context of the overall system that is being audited. Systems auditing was originally developed as a more efficient approach to external audit. However, this systems-based approach had to be further developed and refined before it could form an effective internal audit methodology. The objective of external audit is to form an opinion on the organisation's financial statements. Internal audit has the, very different, objective of working with managers to improve and optimise their internal control, risk management and corporate governance processes. These differing objectives mean that internal auditors cannot just adopt the approach used by external audit. Internal auditors have there fore developed their own approach to systems auditing that differs in many respects to the one that may be adopted by external auditors.

Internal Audit - A Step By Step or an Iterative Approach

Systems auditing is often described in a step by step fashion. However, this description should not be taken literally, each step should not be considered as a discrete stage to be fully completed before the next stage of the audit is commenced. Systems auditing should, in contrast, be considered as an integrated whole. The knowledge base of the auditor will gradually expand through an iterative approach to the audit. At each stage in the audit the auditor should reconsider their approach, review their understanding of the system and if necessary report significant findings to relevant managers. Systems auditing is frequently broken down into the following aspects:

00000000assignment planning identify the system and its controls documenting existing controls control evaluation testing key controls develop conclusions and recommendations reporting

At the assignment planning stage any previous internal audit work and knowledge of the system should be considered and used to ensure that all key areas are included within the scope of the audit. Although an audit brief may be agreed with the system managers, auditors should not be embarrassed to go back and amend this in the light of new knowledge and understanding gained later during the assignment.

Page 1 of 15

Previous system notes should be an important source of knowledge if the system has been reviewed recently. Nothing is more annoying than for managers to have to explain their system from scratch to a new auditor each time it is reviewed. However, gaining a full and clear view and understanding of the system will only occur gradually, it will not be complete until after the audit is completed. Auditors should consider their knowledge and understanding to be like a jigsaw, they should try and finish the edge pieces and the easy parts immediately, they can always come back and complete the more difficult central parts later on. The extent that auditors can document the system will obviously reflect the knowledge and understanding they have developed. Auditors should record basic details as soon as they have discovered them, but should not try to produce perfect system notes at this stage. Audit testing will provide further details and report writing and discussions with staff will usually enhance the auditor's understanding of the system. It is often a good idea to delay writing the system notes until the end of the assignment. At the very least they should be critically reviewed, and amended as necessary, after the final report has been issued. Control evaluation is an important stage of each audit and this should be completed before testing is started. This is to ensure that only controls that actually exist, and are likely to reduce significant risks, are tested. However, this evaluation is only a guide to testing, the testing programme may need to be revised as a greater understanding of the detail of the system is gleaned during the testing itself. Tests should be stopped immediately if auditors realise the control is not working. If other key controls are identified then further testing should be performed to confirm the reliability of these controls, For internal auditors, testing should be designed to determine whether a particular control should provide reasonable assurance that the objectives of the system are achieved. Or, putting it the other way round, whether the control will reduce potential risks to acceptable levels. Controls are not necessarily a good thing in themselves and should only be tested as long as they are considered to be working effectively and likely to have a significant impact on the success of the system. Thus the testing undertaken should reflect the overall nature of the system, the auditor's understanding of it and the interdependencies of the different controls. Developing conclusions and recommendations is usually one of the last aspects of internal auditing to be described, but it may be one of the first to be undertaken. Prior knowledge of the system, and certainly initial meetings with the system's managers, will lead most experienced auditors to begin to develop their opinions of the control environment and possible improvements. These ideas should be developed and refined at each stage of the audit. Audit reporting, writing the formal report and holding discussions with managers, provides an important stage in the auditor's understanding of the system, its weaknesses and the practicality or otherwise of potential improvements. Audit reporting should also allow the true importance of each aspect of the control system to be viewed more dispassionately and in the context of the whole system. Writing the report should enable auditors to stand back and see the wood for the trees. Care should be taken to ensure that this greater understanding of the whole system and the interrelationship of all its controls is used to refine the conclusions and consider the practicality of possible additional controls. If necessary, queries should be answered and further testing may need to be undertaken at this stage Inexperienced auditors may need to approach systems auditing one step at a time. As their experience grows, a more sophisticated approach should develop that recognises the iterative nature of auditing. Greater knowledge and understanding develops gradually throughout each audit assignment. This knowledge should be used to adapt the auditing techniques used, the extent and nature of testing undertaken and the timing of audit reporting.

Assignment Planning
Page 2 of 15

Internal auditors expect their organisations to be efficient and achieve value for money. To ensure that they cannot be accused of being hypocritical they have to make sure that they adequately plan all their audit assignments and so ensure that they can be completed efficiently. Internal Auditors need to be careful that they review all significant aspects of the system and that all risks are being adequately managed with suitable controls. For these reasons, internal auditors should undertake their audits in co-operation with the relevant managers. Thus it is usually considered appropriate for these managers to be sent an outline of the proposed audit work a couple of weeks or so before the audit assignment is due to start. This should give the managers adequate time to reflect on the proposed scope and objectives of the audit and will give them advanced notice and allows them to plan their work around the audit. At the beginning of each internal audit assignment there should be a meeting between the auditors (usually including an audit manager and the auditor who is to actually undertake the review) and the manager(s) who is responsible for the particular system. The objectives of this meeting are for the internal auditors to:

00000000discuss the systems objectives and appreciate the significant risks involved in their achievement; obtain an over view of the roles, responsibilities and reporting lines of staff and managers within the system; consider any concerns or particular areas managers would like internal audit to address during the review; agree in broad terms the scope and objectives of the audit.

Internal auditors should be as flexible as possible about the actual timing of each systems audit assignment. It should rarely be necessary to undertake surprise audits. Most managers are busy people, internal auditors should recognise this and, whenever possible, should try and fit their reviews around the managers timetables. Therefore, internal audit visits should be planned so that the normal work of the system is disrupted as little as possible. Clear budgets should be agreed for each audit assignment as part of the, usually annual, planning process. These should be treated as flexible budgets. It should be possible to exceed the allotted time for an audit, but only if this is necessary to ensure comprehensive coverage of all significant aspects of the system. Additional testing may be required or even requested by the system's manager. In addition, extra time may be needed to develop guidance and write up the numerous recommendations that may be necessary when a poorly controlled system is audited. However, the staff budget for internal audit needs to be adequately controlled. If internal auditors need extra time on one assignment then this time should be recovered on later assignments. Some audits will inevitably take longer than expected, others should be completed quicker than planned. Internal auditors should be flexible about the amount of time they spend individual audits. However, internal auditors expect managers to deliver their services within budget. Auditors cannot have lower standards for their own service. The audits planned to be delivered each year should be completed in year and within the total number of budgeted days. If this cannot be achieved internal audit should be accountable to the audit committee and provide suitable explanations of the problems encountered and other reasons for the non-achievement of the audit plans. Audit managers need to ensure that all audit assignments are undertaken by auditors who are appropriately experienced or have the necessary specialist knowledge. Auditors need not (and indeed cannot) be experts in each of the systems that they review. However, they need to have the basic background experience that will allow them to appreciate the significance of the control environment they are reviewing and any short-comings that may exist within it. For some audits, especially those of computer systems and capital contracts, specialist knowledge may be essential. Without it, the auditors will not be able to identify weaknesses within the control system and may be
Page 3 of 15

unaware of technical controls that are appropriate to effectively manage risks identified during the audit. The level of guidance or supervision that will be necessary during each audit will depend on the level of experience of the auditor, the complexity of the system and its technical or specialist nature. Before each assignment is started the audit manager should ensure that all auditors have a clear understanding of the work they are to undertake; the approach to be adopted; and the level of enquiry or size of sampling to be required. In addition, all auditors should be encouraged to discuss their findings and any problems or uncertainties they encounter during their audit. Discussion is an effective problem-solving tool for internal auditors and has the bonus of spreading experience across the audit team. Audit planning is necessary for internal audit work to be completed successfully, within budget and with maximum co-operation from the staff whose system subject to review. Planning should be viewed positively in this light and not just seen as a bureaucratic chore that stops internal auditors finishing their real work. As the saying goes: "prior planning prevents possible pitfalls".

Page 4 of 15

THE SYSTEMS APPROACH TO INTERNAL AUDIT - PART TWO Control Objectives and Key Controls - The Core of an Internal Audit Assignment
Internal auditors are of course in favour of controls. However, they do not just think that controls are a good thing. Controls should be there for a purpose. The purpose is to ensure that the system or process achieves its objectives. Controls are only needed to reduce the risks to the achievement of these objectives to an acceptable level. Thus, there may be circumstances when internal auditors suggest that certain controls should be removed, for example, if they do not contribute to the reduction of significant risks. The systems audit approach resolves around the objectives of the system. Should existing controls provide sufficient assurance to the senior managers and directors of the organisation that it will achieve its objectives? Does the internal control system currently reduce the chance of things going wrong (or not going right) to an acceptable level? Before internal auditors start each audit assignment they need to be clear about the relevant organisational and management objectives.

Control objectives Control objectives should form the framework of each systems audit assignment. They should detail the various aspects of a system's objectives. They identify specific objectives against which internal auditors can evaluate existing controls. Control objectives should be specific enough to provide the basis for this evaluation. Generalisations such as "to ensure that support services are adequate" should be avoided.
S S E OJ CI E YT M B TV E

C NR L B CI E O T O OJ TVS E KYC NR L E O T OS

Comprehensive control objectives can be developed for any system by considering the following areas of control: has the system been adequately planned? are the operations adequately supervised and controlled? is the system periodically reviewed? is suitable management information produced?

Internal auditors need to ensure that the managers who are responsible for the system to be reviewed agree with objectives assigned to the system and the control objectives audit had developed. These should be agreed at the initial meeting with the system manager who should also be requested to formally sign up to the agreed scope and objectives for the audit assignment.
Page 5 of 15

Key controls Once the control objectives have been agreed internal auditors need to identify the controls that they consider necessary to provide assurance that each of these objectives is being achieved. These are what may be termed the key controls. If the internal auditor is lucky, control schedules will have been developed for the relevant system. These schedules should document the standard control objectives for such a system and the associated expected key controls. The purpose of the schedule of expected key controls is to assist in the evaluation of the actual controls identified during the audit. It is imperative that the expected controls are reviewed critically to ensure that they are appropriate. The standard key expected controls will not always be relevant and may have to be adapted to the particular system that is reviewed. If internal auditors do not identify the key expected controls, there is a danger that they will concentrate purely on the actual controls in place and fail to identify those that are missing. Identification of key controls should ensure that audit time is spent efficiently by concentrating on the key control aspects of the system under review. There may be many other controls, however, the key controls are the more important controls and are the basic controls that are necessary to ensure that each control objective is achieved and all significant risks are adequately managed. To ensure that audit time is used efficiently the audit should concentrate on assessing the adequacy and reliability on these key controls.

Identification and Documentation of Existing Controls

Systems auditing should be a critical assessment of the controls currently in place against control objectives agreed for the system. Thus identifying existing controls is one of the central tasks of systems audit. Internal auditors cannot assess, test or suggest improvements to the internal control environment unless they have a clear and comprehensive view of all of the controls that currently operate. Documenting the existing controls should help auditors understand these controls and forms a basis for the evaluation of the controls and the development of their testing strategy. Sources of Information There may be a wide range of sources of information available to internal auditors about how a system operates. These may include: interviewing staff and their managers reviewing existing documentation observation of working practices reviewing previous audit reports.

Interviews are Key The most important source of information will usually be the staff working within the system. They know how the system actually operates and should have a reasonable idea of how practical any improvements may be. Thus interviewing skills are essential for all internal auditors. They need to be able to understand what may be a complex system. They also need to be able to critically assess each stage of the process. Why is its performed? Could it be undertaken more efficiently?

Page 6 of 15

Staff who operate the system will know what they do, but not necessarily why they do it. They may also try and explain the system in the most positive light. The skill of internal audit is to enable all the staff they interview to open up and tell them what they actually do (not just what they think they should do) and to describe any aspects they think could be improved. Understanding why each task is taken may be more difficult. Staff may just do it because weve always done it that way or even worse because the auditors told us to! An experienced auditor should ensure that the staff they talk to are relaxed and so describe the system, warts and all. They should also challenge the staff to ensure that they describe what actually happens and, through discussion, ascertain whether any improvements are possible and practical. Other Places to Look Auditors may review documentation such as statutes, circulars, committee reports, job descriptions, organisation charts, policy and procedure manuals, financial regulations and desk instructions. These may record how a system is supposed to work, but may not necessarily reflect actual practice. Internal auditors may consider that the adequacy or otherwise of documentation is an indication of the attitude of management to internal control. Observation of the physical environment and working methods should provide internal auditors with further evidence of actual practice. This is a particularly useful method of fact-finding where no physical evidence of an action may have taken place. Internal auditors should however be aware that their presence may influence the behaviour and practices of staff under review. Reports of previous reviews of the system by other internal auditors, external auditors or other review agencies may also be a useful source of information. However, these reports should be read with care. The authors may not have understood the system, they may not have covered all aspects or their reports may be unclear. This consideration may allow internal auditors to reflect on the quality of their own reports and system documentation. Would these allow other auditors to quickly grasp the most important aspects of the system and its internal controls? Auditors need to understand how the system operates and the role of all the key procedures, but essentially they are only interested in controls. There are a range of different types of control. The most important may be remembered by the mnemonic SOAP MAPS:

Segregation of duties: the functions of authorising transactions; recording the transactions; and custody of the associated assets should be undertaken by separate staff Organisation: there should be a clear organisation chart and all staff should have up to date job descriptions that clearly indicate their responsibilities Authorisation and approval: all transactions and decisions should be formally authorised by nominated staff Physical: there should be suitable controls over access to offices, assets, controlled stationery and computer systems Management: production of suitable financial and operational management information; use of exception reports; critical review and enquiry by management Arithmetical and accounting: checking / re-performing tasks carried out by others; costing (adding up) orders, invoices, payroll etc; reconciliation between the bank and accounting records; control accounts

Page 7 of 15

Personnel: appointment of staff should be adequately controlled; all staff should be suitably trained for their post and appraised regularly Supervision: all staff and activities should be adequately supervised by someone who understands the process and will detect deviations from accepted practice.

Recording the Controls All internal audit work should be documented and be sufficient to support the conclusions drawn on the adequacy and reliability of the internal controls. The main procedures and key controls over significant risks should be clearly and concisely recorded. Audit working papers should include: systems notes, either in text or graphics; notes of interviews and meetings; a record of the current key controls and their reliability; an assessment of the extent that existing controls will ensure that each agreed control objective is achieved; and evidence of audit sampling and testing of controls.

There are a number of methods of documenting procedures and controls, for example flow charts, key control schedules, internal control questionnaires and narrative notes. Whatever method is adopted should be used consistently. This should make it easier for the system notes to be used for future reviews of the same system. Systems documentation should be: clear and easy to understand provide a standardised approach highlight risk points and key controls.

The purpose of this documentation is to: enable the internal auditors to review the information they have received and to organise their thoughts and knowledge so the internal controls can be systematically assessed and tested provide details of problems encountered, evidence of work done and conclusions drawn for future reference and to assist the planning of future audits demonstrate to interested parties that the audit work has been properly planned, controlled, executed and reported.

Once internal auditors have discovered the controls that actually exist and made notes of these they can go on to assess whether these controls should be adequate. However, auditors should remember that internal auditing is not simply a series of stages that can be completed one after the other. When they go on to test the controls that they have identified, they may discover further controls or that some controls are not actually operating as expected. They will then have to go back and revise their system notes to ensure these reflect the actual controls that are operating in practice.

Page 8 of 15

THE SYSTEMS APPROACH TO INTERNAL AUDIT - PART THREE The Evaluation of Existing Controls
Each systems audit assignment should concentrate on an assessment of the adequacy and reliability of the controls necessary to ensure that each of the agreed control objectives is achieved. This evaluation should form the core part of the audit work. However, other significant aspects of the control environment, the efficiency of the system and the extent that best practice is adopted should be reviewed and, if appropriate, reported upon. The evaluation of each existing control should follow a two stage process. A control should only be relied upon if: i) ii) the audit evaluation shows that, in theory, the control is adequate and it should significantly help to ensure that an agreed control objective is achieved; and there is sufficient audit evidence to provide reasonable assurance that the control is operating consistently and reliably.

If, because of the initial evaluation, the internal auditor concludes that a control is not effective or is not necessary for the achievement of the relevant control objective there is no point in testing this control. Compare Actual Controls with Expected Controls Once the actual controls have been identified, these should be documented and compared with the expected controls. One of the following will apply:

actual control equals the expected control the expected control is absent but adequate compensating controls exist the expected control is absent

It is possible that the controls identified do not match the expected controls and this may indicate the presence of an additional control. This may be evaluated if it is considered to be significant to the achievement of the control objective. Alternatively, an expected control may be missing and, if this is the case, the significance of the omission should be assessed. Actual and expected controls do not have to be the same; there may be several equally valid ways of controlling a particular process. For this reason internal auditors should ensure that:

when evaluating actual against expected key controls the existence of compensating controls is considered; and throughout the control evaluation process consider whether all the controls in place are actually necessary.

Removal or amendment of a control procedure may not significantly increase the risks associated with the operation of the system and may result in cost savings. Evaluation of control weaknesses The internal audit evaluation should take account of the likelihood of undesirable events occurring (risk) and their significance to the organisation (materiality). Internal auditors should use their judgement to determine what level of control is appropriate in the light of their evaluation of the risks and materiality involved.

Page 9 of 15

Risk may be viewed as the chance (or probability) of one or more of the organisations objectives not being met. Materiality is an assessment of the significance of a failure to achieve the objective. Materiality may be measured in terms of the financial consequences, the relative importance of the objective concerned or the sensitivity of the areas concerned. In considering materiality, therefore, internal auditors should take into account:

the possible direct and indirect financial consequences the importance of particular management objectives in the context of the organisations overall objectives the potential for embarrassment or adverse publicity.

Internal auditors should also take into account the cost of reacting to a failure, as well as the effects of the potential failure itself. Such costs may include, for example, the costs of any investigation, taking corrective action and supplying appropriate explanations to the regulatory authorities, if relevant. Compensating controls There will be occasions when controls internal auditors expect to find are missing. If this happens, they should search for controls that compensate for this potential weakness. For example, in auditing a purchasing system one control objective might be that "procedures for ordering, payment and recording of expenditure are properly documented and complied with". Internal auditors find that there are no procedure manuals (an expected control to meet the objective). However, staff operating the system are all highly experienced and knowledgeable, and are closely supervised. In these circumstances, internal auditors may consider the experience and knowledge of the staff and the level of supervision adequately compensates for the absence of manuals, and thus they may conclude that the control objective is adequately achieved despite the absence of such manuals. Internal auditors should evaluate each existing control to consider whether it is adequate. In addition, they should evaluate the whole spectrum of controls that may help to ensure that a particular control objective is achieved.

Testing Existing Controls

Once the actual key controls have been identified and evaluated, internal auditors should perform tests to confirm that the controls considered to be adequate and necessary are operating as required and are reliable. Internal auditors should consider the following points when selecting a sample of transactions to test: the sample should be selected from the total population, for example, when testing that all payments have been authorised the sample should be selected from a bank statement or payments register rather than from a file of paid invoices the period covered by the sample should be appropriate. This should normally be the period since the last audit of the system. However, the sample should be weighted towards the current financial year, especially if the last audit was several years ago. If the system has changed significantly, the sample should only include the period since the changes were introduced the method of sample selection should be recorded. The sample should include all significant types of transaction

Page 10 of 15

testing should be focused on high risk areas.

Compliance testing The aim of compliance testing is to confirm that existing controls are operating as intended and are reliable. An example is checking that each invoice has been initialled to indicate that it was authorised by an appropriate manager. The primary aim of compliance tests is not to identify errors, mistakes or potential fraud, but to identify controls that are not always performed as required. The reasons for any errors or omissions and the reliability of controls are more important to internal auditors than any individual mistakes or omissions. Compliance testing should be the standard form of testing used during systems auditing. Substantive testing Substantive testing is concerned with the accuracy and completeness of outputs rather than the adequacy of controls. An example is checking that the amounts paid are the same as the value on the invoice. Substantive testing, therefore, should have a limited role to play in systems auditing. Nevertheless, internal auditors sometimes use it as a means of demonstrating the existence, or seriousness of weaknesses when they are unable to convince management by any other means. Internal auditors should bear in mind, however, that substantive testing is usually uneconomic and may weaken their arguments if it fails to produce evidence of actual errors. Testing Techniques There are a number of different ways that internal controls can be tested. Internal auditors should seek the most cost-effective source of evidence on the reliability of each control to be tested. The nature of the control will influence the way auditors test it, but there are five main methods of testing:

observation is particularly important where there is no permanent record of activities. For example, discreet observation can reveal whether there is improper access to a restricted area; interviewing is useful when evidence is absent or unclear. Care should be taken because the behaviour of the auditor could affect the attitude of the person being interviewed and an insensitive approach could lead to an unco-operative and defensive reaction; verification involves independently confirming the truth, accuracy or validity of transactions. However, internal auditors prime role is to evaluate and test the controls, not to confirm the validity of the data itself. When using verification tests, auditors should ensure that they are related to the operation of controls. Methods used are: comparison - with some ascertainable fact or standard, e.g. that instruction manuals are up to date or staff have attended appropriate training courses at prescribed intervals; confirmation - checking statements of performance, e.g. checks with customers that supply delivery response times are as stated by the supplier; vouching - checking a transaction against supporting documentation, e.g. a payment to a supplier against the corresponding order and goods received note;

Page 11 of 15

reperformance is particularly relevant where calculations or measurements have been supposedly checked as a control and the auditor wishes to check that the control actually operated; analytical review consists of reviewing the reasonableness of significant ratios, trends or other data. For example, a comparison of the ratio of payroll costs to the number of employees over several months. Thus it is primarily a substantive test. However, it may provide evidence of the quality of the general control environment.

Once the existing controls have been tested for reliability, internal auditors are ready for the most difficult and professional part of their assignment audit, the development of recommendations and conclusions.

Page 12 of 15

THE SYSTEMS APPROACH TO INTERNAL AUDIT - PART FOUR Developing Recommendations and Conclusions
Internal audit has two roles which in practice are interwoven. These are, firstly, to provide reasonable assurance to the board (or comparable body) that the organisation's significant risks are being appropriately managed, with an emphasis on the role of internal controls. Secondly internal audit should be ensuring that the organisations risk management and internal control systems are continually being improved and optimised in response to an ever changing environment. Thus internal auditors should have two essentially different outputs from their assignments. First, a clear opinion or conclusion on the quality of the internal control system they have audited. Second, a series of recommendations to improve this system of control or to reduce the risks that the organisation faces. These should not be confused, the conclusions should not be a summary of the recommendations made. The audit opinion should be a clear message to senior management and the board on the extent that existing controls should adequately address the main risks that the organisation faces in achieving its objectives. Can they sleep safely at night or are there major concerns that should worry them? Recommendations Through out each assignment internal auditors should be consider recommendations that could be made. What improvements or refinements can they suggest that would ensure that the organisation achieves its objectives more efficiently or with reduced risk. Whenever they have identified a possible control failure or weakness they should consider the following: how important is the control? are there compensating or complementary controls which reduce its intrinsic importance? how serious are the deviations we discovered and why did they occur? is any control failure likely to be isolated or recurring? is further testing (to confirm our opinion) necessary or feasible? is any weakness so serious that management needs to be informed immediately?

The recommendations internal auditors make may include any of the following: introducing further controls refining or amending existing controls to make them more effective ensuring that existing controls are applied regularly and consistently reducing un-necessary controls introducing best practices.

It is important that internal auditors do not just recommend the introduction or strengthening of controls for the sake of it. They should only suggest that controls are improved if they consider that there are significant risks that are not currently being adequately managed or being reduced to an acceptable level. There must be a balance between the risk auditors have identified and the controls they suggest should be implemented. The controls should be proportionate to the
Page 13 of 15

significance and likelihood of the relevant risk. The costs of introducing controls should balance the likely costs of the risks that they are designed to manage or reduce. The costs of operating all internal controls should balance the benefits that the organisation may gain from their implementation. All the recommendations that auditors make should be tailored to the specific circumstances of their organisation. Internal auditors need to think carefully about the sorts are controls that will work within the culture of the organisation and the section or department that they are auditing. The recommendations should be sufficiently detailed to ensure that the managers understand the precise procedures internal audit are suggesting should be introduced. Auditors may be unsure of the exact controls that may work, but this can be established through discussions with the managers when finalising the audit report. Auditors must remember that these managers should understand their systems better than auditors do and they should be prepared to amend their recommendations in the light of these discussions. Internal Auditors may consider that the recommendations they make are necessary to avoid, or reduce, the risks they have identified. However, the internal control system should remain the responsibility of the relevant managers. If managers agree to implement the recommendations, they should agree that the benefits will outweigh the costs of introducing the additional controls and that other, more cost effective, controls are not available. Which are the important recommendations? Internal auditorsshould ensure that managers are aware of those recommendations that audit consider particularly important and those that are merely desirable. One way of doing this is to prioritise the internal audit recommendations as follows: Fundamental Significant Advisable Action Plans Each internal audit report should include an action plan. Internal auditors aim should be to help to improve systems of internal control rather than just commenting on its quality. The action plan should be completed by the systems manager to indicate their agreement (or otherwise) to each internal audit recommendation. The action plan should also include the managers responsible for implementing each recommendation and a target date for this action. Follow Up As well as providing recommendations, internal auditors should periodically monitor the extent that their recommendations have been implemented. Where managers indicate that the more significant recommendations have been introduced, internal auditors should carry out suitalbe tests to confirm that these controls are now operating reliably as planned. Conclusions When writing the conclusions or opinions to their audit assignments, Internal auditors should consider who the audit report is aimed at and what their particular concerns may be. They should indicate clearly their opinion on the quality of the existing internal controls. They should highlight
Page 14 of 15

action considered essential to ensure that the organisation is not exposed to high risks; action considered necessary to avoid exposure to significant risks; action considered to merit attention and should result in enhanced control or better value for money.

areas of poor control where they consider that the organisation is at risk, but also ensure that they clearly recognise areas of good control. Internal auditors must provide balanced reports that identify good management practise rather than merely reporting the weaknesses they have identified. As a result of their audit work internal auditors should form an overall opinion on the extent that existing controls should provide adequate assurance that all significant risks to the achievement of the systems objectives are being effectively managed. One way of helping to provide this overall opinion is to grade the quality of the internal control system of the basis of the following scale: 1. controls within the system should provide full assurance that risks material to the achievement of system objectives are adequately managed 2. controls within the system should provide substantial assurance that risks material to the achievement of system objectives are adequately managed 3. controls within the system should provide limited assurance that risks material to the achievement of system objectives are adequately managed 4. controls within the system should provide little assurance that risks material to the achievement of system objectives are adequately managed. If, as a result of each assignment internal auditors, develop clear conclusions and practical recommendations they will add value. Internal auditors can only claim to be professionals if they provide professional advice that is accepted and valued by managers. The outcome of each internal audit assignment should be that the risk management and internal control procedures are improved, optimised and refined. This should ensure that internal audit is recognised as an important management tool. Internal auditors should be the control conscience of their organisation, and should be working in partnership with managers. Internal auditors should not be seen as people who turn up after the battle has been won to kill the wounded. If internal auditors adopt the systems audit approach that I have outlined in these articles they should provide a professional and valued service to their organisation. The outcome of internal audit work should be that the internal control, risk management and corporate governance processes are improved and optimised so that the organisation is better prepared to face its everchanging environment. Systems audit should enable internal auditors to provide a significant role in the future success of their organisation and help to ensure that the effects of any risks are avoided or at least minimised.

Page 15 of 15