Auditing 1

Lecture 15
Internal audit
Introduction
The field of internal auditing is a dynamic and
rapidly expanding one. It is a significant
component of the internal control system. Its
significance and expansion has been greatly
enhanced with the formation of the Institute
of Internal Auditors (IIA) in 1941 in the United
States of America, coupled with the growth in
size and complexity of many organizations in
recent years, and the need to institute proper
and efficient control systems.
Introduction
Internal
audit is generally a feature of
large companies. It is a function, provided
either by employees of the entity or
sourced from an external organization, to
assist management in achieving
corporate companys mission statement
and strategic plan.
Internal audit and
corporate governance
Established codes of corporate governance such as the UK
Corporate Governance Code highlight the need for
businesses to maintain good systems of internal control to
manage the risks the company faces. Internal audit can
play a key role in assessing and monitoring internal control
policies and procedures.
The board should establish formal and transparent
arrangement for considering how they should apply the
corporate reporting and risk management and internal
control principles, and maintaining an appropriate
relationship with the companys auditors.
The role of the internal auditor is anchored on three main
pillars: (i) Risk Management (ii) Internal Control and (iii)
Governance
Assessing the need for internal
audit
Internal audit can assist an entity in providing effective corporate
governance thus a corporate governance requirement.
The cost of setting up an internal audit department versus the
predicted benefit
Predicted savings in external fees where work carried out by
consultants will be carried out by the new internal audit
department
The complexity and scale of the organizations activities and the
systems supporting those activities.
The abilities of existing managers and employees to carry out
assignments that internal audit may be asked to carry out
Managements perceived need for assessing risk and internal
control
Whether it is more cost effective or desirable to outsource the work
The pressure from external stakeholders to establish an internal
audit department
Definition of internal audit
In the standard for the professional
practice of Internal Auditing, the Institute
of Internal Auditors, in 1978, defined
internal auditing as;
An independent appraisal function
established within an organisation to
examine and evaluate its activities as a
service to the organization.
Definition of internal audit
The 21st Century definition of internal auditing as
contained in the International Standards for the
Professional Practice of Internal Auditing issued in
January 2004 re-inforces the core role of the
internal auditor as:
An independent objective assurance and
consulting activity designed to add value and
improve an organisations operations. It helps an
organization accomplish its objectives by bringing
systematic disciplined approach to evaluate and
improve the effectiveness of risk management,
control, and governance process.
Definition of internal audit
Internalauditing is an appraisal or
monitoring activity established within an
entity as a service to the entity. It functions
by, amongst other things, examining,
evaluating and reporting and to
management and the directors on the
adequacy and effectiveness of
components of the accounting and
internal control systems.
The Changing Role of the
Internal Auditor
CHARACTERISTIC OLD PARADIGM NEW PARADIGM
S
i) Internal Audit Internal Control Business Risk
focus
ii) Internal audit Reactive, after-the- Proactive, real-
response fact, time
discontinuous, continuous,
observers participants in
of strategic planning strategic planning
initiatives initiatives
iii)Risk assessment Searching for risk Scenario planning
factors
iv)Internal audit Concerned with Concerned with
test important important
Controls business risk
The Changing Role of the
Internal Auditor
v)Internal audit Emphasis on the Emphasis on
methods Completeness of significance
detail, Of broad business
Controls testing risks covered
vi)Internal audit Internal control: Risk management:
recommendation -Strengthened -Avoid/diversity
-Cost-benefit risk
-Efficient/effective -Share/transfer risk
-Control/accept
risk
vii)Internal audit Addressing Addressing
reports functional controls process risk

viii)Internal audit Independent Integrated risk

role in the appraisal Management and
Code of Ethics
The Institute of Internal Auditors (IIA) ha
promulgated a code of ethics to promote
an ethical culture in the global profession
of internal auditing:
Integrity
Objectivity
Confidentiality
Competency
Distinction between internal
and external auditor
Internal audit External audit
Objective Designed to add An exercise to
value and enable auditors to
improve an orgns express an opinion
operations on the FS.
Reporting Reports to the Reports to the
BOD, or other ppl sholders or mbrs
charged with of a co. on the
governance, such T&F of the accts.
as the audit Audit report is
comm. Reports publicly available
are private and to the sholders
for the directors & and other
mgt of the co. interested parties
Scope Work relates to the Work relates to the
Distinction between internal
and external auditor
Relationship Often employees Independent of
of the orgn, the co. and its mgt
although stimes usually appointed
the function is by the
outsourced shareholders.
Planning and -Strategic L-T -Planning carried
collection of planning carried out to achieve
evidence out to achieve objective
objective of regarding truth
assignments with and fairness of
no materiality financial
level being set. statement.
-Some audit may -Materiality level
be procedural, set during
rather than risk- planning (may be
based amended ).
Functions of Internal Audit:
To review the control system and to identify
weaknesses, breakdown and to report to
management with recommendations.
To design checks to reveal the existence of
frauds or to prevent frauds.
To rationalize accounting policies within a
group and to design and implement new
accounting systems.
To conduct management efficiency audits
and post implementation audits of capital
projects.
Relationship with External
Auditor:
The Internal Auditor and the External
Auditor have similar audit aims on
accounting matters; i.e, ascertain the
reliability of records/effectiveness of the
control system so as to safeguard the
assets of the company.
Both use similar means or methods to
achieve the above, e.g., testing controls,
physical inspection, confirmation from
third parties, sampling techniques.
Qualities/skills of Internal
Auditor
Technical Skills
Data collection and analysts
Financial analysis
Forensic skill/fraud awareness
Identifying types of controls
Interviewing
Negotiating
Use of ICT
Risks analysis
Statistical sampling
Research skills
Qualities/skills of Internal
Auditor
Behavioral
Confidentiality
Governance and ethics sensitivity
Interpersonal skills
Staff management
Leadership
Objectivity
Team Building
Facilitating
Working independently
Work with all levels of management
Reliance on the Internal
Auditor by the External Auditor
In order to rely on the work of the internal auditor,
the external auditor needs to assess the relevance,
competence and objectivity of the internal
auditing department.
Such assessment will be focused on the following
areas:
Position The degree of independence or how
independent are people whose work are being
reviewed
Staff The number of qualified staff in the
department as well as their relevant
experience/expertise
Reliance on the Internal
Auditor by the External Auditor
Scope of Work/Evidence of Work Done A
critical examination of scope of work of the
internal auditing department including the
examination of the working papers and the
appropriate management action taken on
internal audit reports and recommendations.
Executive Functions The extent to which
internal audit is involved in the
implementation of new accounting systems.
Internal audit assignments
Internal
audit can be involved in many
different assignments as directed by
management. These can range from
value for money projects to operational
assignments looking at specific parts of
the business.
Value for money audits
Value for money (VFM) audits examines the
economy, efficiency and effectiveness of
activities and processes. These are known as
the three Es of VFM audits.
The three Es which form the basis of the VFM
audit are very important for assessing the
performance of not-for-profit organizations,
because their performance cannot be
properly assessed using conventional
accounting ratios.
Information technology audits
An information technology (IT) audit is a test
of controls in a specific area of the business,
the computer systems. Increasingly in modem
business, computers are vital to the
functioning of the business, and therefore the
controls over them are keys to the business.
It is likely to be necessary to have an IT
specialist in the internal audit team to
undertake an audit of the controls, as some of
them will be programmed into the computer
system.
Best value audits
Best value is a performance framework introduced into
local authorities by the UK government. They are required
to publish annual best value performance plans and review
all of their functions over a five year period.
As part of best value authorities are required to strive for
continuous improvement by implementing the 4 Cs:
Challenge. How and why is a service provided?
Compare. Make comparisons with other local authorities
and the private sector.
Consult. Talk to local taxpayers and service users and the
wider business community in setting performance targets.
Compete. Embrace fair competition as an means of
securing efficient and effective service
Financial audit
The financial audit is internal audits
traditional role. It involves reviewing all the
available evidence to substantiate
information in management and financial
reporting. The substantive procedures and
tests of controls employed by external
audit are also used by internal audit.
Operational audits
Operational audits are audits of the
operational processes of the organization.
They are also known as management of
efficiency audits. Their prime objective is the
monitoring of managements performance
ensuring company policy is adhered to.
There are two aspects of operational
assignments:
Ensure policies are adequate
Ensure policies work effectively
Procurement audits
Procurements is the process of purchasing
for the business. A procurement audit will
therefore concentrate on the systems of
the purchasing department(s). the
internal auditor will be checking that the
system achieves key objectives and that it
operates according to company
guidelines.
Internal audit reports
Internal auditors produce reports for directors and
management as a result of work performed. These
reports are internal to the business and are unlikely
to be shared with third other than the external
auditors.
The report is in a similar format to that used in the
report to management by the external auditor
when reporting significant deficiencies.
The internal auditors report could state
deficiencies found during the operational audit
along with the related implications and
recommendations.
Exit meeting
An exit meeting is held at end of the internal audit
engagement after a draft report has been produced.
The people at the meeting are likely to include both the
operational staff who understands the workings of the
implementations of the corrective actions identified.
The objectives of the meeting are to :
Discuss the findings and associated recommendations.
Provide management with the opportunity to give their views
on, and ask for clarification of, the observations and
recommendations allowing any misunderstandings to be
resolved.
Agree to the possible solutions to the problems the audit
assignment has identified
Final reports
Depending on the organization in question,
the final report may take the form of a written
report or take a different format, such as a
PowerPoint presentation.
Standard report format
TERMS OF REFERENCE
EXECUTIVE SUMMARY
BODY OF THE REPORT
APPENDICES FOR ANY ADDITIONAL
INFORMATION
EXECUTIVE SUMMARY
The executive summit is like a condensed
version of the full report and an executive
summary in an internal audit report will usually
include:
Background to the assignment
Objectives of the assignment
Major outcomes of the work
Key risks identified
Key action points
Summary of the left to do
Minimum contents
Although the content and format of the final
internal audit report will vary, somewhere the
report should, as a minimum, describe the
purpose, scope and result of the
engagement.
Purpose: The objectives of the audit
engagement should be clearly stated
This makes the report easier to read and helps
the reader to interpret it.
Findings should be linked back to this
objective.
Minimum contents
Scope: The scope defines what specially is
audited. It identifies which activities are
audited and also highlights any activities that
are excluded from the audit.
Results: This should include:
. observations
. conclusions
. opinions
. Recommendations
. Action plans
Addition contents
In addition, the final internal audit report may
include the following, optional, sections.
Background Information: This could include
information such as details of the organization
and the activities reviewed, and the outcome
of previous audit of the same areas.
Summaries: An executive summary (as
described earlier) may be included to present
the main findings of the report for those who
do not have time to read the entire report.
Addition contents
Accomplishments: Improvements in relation
to the past audit of the area may be
acknowledged.
Opinions: The opinions of management or
other staff on the findings and
recommendations may be incorporated into
either the main body of the report, an
appendix or as a covering letter. Executives
may need to intervene if there is a
disagreement between management and
internal audit
Attributes
High quality internal audit report will have the
following attributes:
Accurate: The report should be free from error.
Objective: It should be fair, impartial and unbiased. It
should be based on facts
Clear: The report should be logical, easily understood
and free from jargon
Concise: It should be to the point and free from
unnecessary detail
Complete: No information essential to the intended
audience should be omitted.
Timely: The report should convey a sense of urgency.
Distribution of the final report
The full report should be provided to those
people who can take corrective action on
the issues raised in the report. Summary
reports should be provided to more senior
managers.
Communication may also go to:
External auditors
The board
Others who are affected by, or interested in,
the results
Amendments
Ifany amendments are made to the
report after it has been issued, a new
report should be issued which highlights
any changes. This should be distributed to
everyone who received the original
report.
Releasing the report
Ifthe report is to be released to parties
outside the organization, the risks to the
organization of doing so should be
assessed. Approval to release should be
gained from senior management, legal
counsel or both.
Management response
After
the issue of the final report,
management will be given the
opportunity to provide their formal
response to the report. This formally
communicates back what is going to be
done about the recommendations raised.
Outsourcing the internal audit
function
Internal audit departments may consist of
employees of the company, or may be
outsourced to external service providers. The
advantages of outsourcing the internal audit
function include speed, cost and a tailored
answer to internal audit requirements. One of
the main disadvantages may include threats
to independence and objectivity if the
external audit service is provided by the same
firm.
What is outsourcing
Outsourcingis the use of external suppliers
as a source of finished products
Components or services. It is also known
as sub contracting.
Advantages of outsourcing
Staff does not need to be recruited, as the service
provider has good quality staff.
The service provider has different specialist skills and
can assess what management requires them to do.
Outsourcing can provide an immediate internal audit
department.
Associated costs, such as staff training, are
eliminated.
The service contract can be for the appropriate time
scale.
Because the time scale is flexible, a team of staff can
be provided if required.
It can be used on a short-term basis
Disadvantages of outsourcing
There will be independence and objectivity issues if
the company uses the same firm to provide both
internal and external audit services.
The cost of outsourcing the internal audit function
might be high enough to make the directors choose
not to have an internal audit function at all.
Company staff may oppose outsourcing if it results in
redundancies.
There may be a high staff turnover of internal audit
staff
The outsourced staff may only have a limited
knowledge of the company
The company will lose in-house skills
Managing an outsourced
department
A company will need to establish controls over the
outsourced internal audit department. These would
include:
Setting performance measures in terms of cost and areas of
the business reviewed and investigating and variances
Ensuring appropriate audit methodology (working
paper/reviews) is maintained.
Reviewing working papers on a sample basis to ensure they
meet internal standards /guidelines
Agreeing internal audit work plans in advance of work
being performed.
If external auditor is used, ensuring the firm has suitable
controls to keep the two functions separate so that
independence and objectivity is not impaired.
Quiz
1. What is an internal audit?
2. Name three key differences between internal and external audit.
3. link the value for money E with its definition
Economy
Efficiency
Effectiveness
4. The relationship between the goods and services produced (outputs) and the resources
used to produce them.
. The concern with how well an activity is achieving its policy objectives or other intended
effect.
Attaining the appropriate quantity and quality of physical, human and financial resources
(output) at lowest cost.

5. Name five areal of the computer system which might benefit from an IT audit.
6.. There are formal statutory rules governing the format of internal audit reports.
True
False
It is possible to buy in an internal audit services from an external organization