3. Internal Auditing
Internal auditing is an independent, objective assurance and consulting
activity designed to add value and improve an organization's operations. It
helps an organization accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes.
Internal Audit and Corporate Governance
o The external auditors cannot and must not be involved in the
  operation of their client
o The role of those charged with governance is of a high level
o Who checks how the company is actually being run in practice?
o Thus, a need for a separate department in the company that can
  check that:
    o Systems are operating effectively
    o The procedures in place really work
o In a large public company – a need for an internal audit
o The need for internal audit depends on:
    o Scale, diversity and complexity of activities
    o Number of employees
    o Cost/benefit considerations
    o The desire of senior management
What do Internal Auditors Do?
Internal auditors provide assurance to the company’s management that:
o Systems are operating effectively
o Internal controls are effective
o Laid down procedures are being followed
o Financial and other information are sound and reliable
Internal auditors do this by:
o Carrying out assignments and
o Producing reports of their findings
Auditing Principles II 3. Internal Auditing 1
Asrat Bekele
City University College Department of Accounting & Finance
assignment planning;
identifying the system and its controls;
documenting existing controls;
control evaluation;
testing key controls;
developing conclusions and recommendations;
reporting.
At the assignment planning stage any previous internal audit work and
knowledge of the system should be considered and used to ensure that all
key areas are included within the scope of the audit. Although an audit
brief may be agreed with the system managers, auditors should not be
embarrassed to go back and amend this in the light of new knowledge
and understanding gained later during the assignment.
system has been reviewed recently. Nothing is more annoying than for
managers to have to explain their system from scratch to a new auditor
each time it is reviewed. However, gaining a full and clear view and
understanding of the system will only occur gradually; it will not be
complete until after the audit is completed. Auditors should try to finish
the easy parts immediately. They can always come back and complete the
more difficult central parts later on.
The extent that auditors can document the system will obviously reflect
the knowledge and understanding they have developed. Auditors should
record basic details as soon as they have discovered them, but should not
try to produce perfect system notes at this stage. Audit testing will
provide further details, and report writing and discussions with staff will
usually enhance the auditor’s understanding of the system. It is often a
good idea to delay writing the system notes until the end of the
assignment. At the very least they should be critically reviewed, and
amended as necessary, after the final report has been issued.
Audit reporting, writing the formal report and holding discussions with
managers, provides an important stage in the auditor’s understanding of
the system, its weaknesses and the practicality or otherwise of potential
improvements. Audit reporting should also allow the true importance of
each aspect of the control system to be viewed more dispassionately and
in the context of the whole system.
Assignment planning
For these reasons, internal auditors should undertake their audits in co-
operation with the relevant managers. Thus, it is usually considered
appropriate for these managers to be sent an outline of the proposed
audit work a couple of weeks or so before the audit assignment is due to
start. This should give the managers adequate time to reflect on the
proposed scope and objectives of the audit and will give them advance
notice and allow them to plan their work around the audit.
Clear budgets should be agreed for each audit assignment as part of the,
usually annual, planning process. These should be treated as flexible
budgets. It should be possible to exceed the allotted time for an audit, but
only if this is necessary to ensure comprehensive coverage of all
significant aspects of the system. Additional testing may be required or
even requested by the system’s manager. In addition, extra time may be
needed to develop guidance and write up the numerous recommendations
that may be necessary when a poorly controlled system is audited.
lower standards for their own service. The audits planned to be delivered
each year should be completed in the year, and within the total number of
budgeted days. If this cannot be achieved, internal audit should be
accountable to the audit committee and provide suitable explanations of
the problems encountered and other reasons for not achieving the audit
plans.
Audit managers need to ensure that all audit assignments are undertaken
by auditors who are appropriately experienced or have the necessary
specialist knowledge. Auditors need not (and indeed cannot) be experts in
each of the systems that they review. However, they need to have the
basic background experience that will allow them to appreciate the
significance of the control environment they are reviewing and any
shortcomings that may exist within it. For some audits, especially those of
computer systems and capital contracts, specialist knowledge may be
essential. Without it, the auditors will not be able to identify weaknesses
within the control system and may be unaware of technical controls that
are appropriate to effectively manage the risks identified during the audit.
The systems audit approach revolves around the objectives of the system,
i.e. should existing controls provide sufficient assurance to the senior
managers and directors of the organisation that the system will achieve
its objectives? And does the internal control system currently reduce the
chance of things going wrong (or not going right) to an acceptable level?
Before internal auditors start each audit assignment they need to be clear
about the relevant organisational and management objectives.
Control objectives
Internal auditors need to ensure that the manager who is responsible for
the system to be audited agrees with the objectives assigned to the system
and the control objectives which audit have developed. These should be
agreed at the initial meeting with the system manager who should also be
requested to formally sign up to the agreed scope and objectives for the
audit assignment.
Key controls
Once the control objectives have been agreed, internal auditors need to
identify the controls that they consider necessary to provide assurance
that each of these objectives is being achieved. These are what may be
termed the key controls. If the internal auditor is lucky, control schedules
will have been developed for the relevant system. These schedules should
document the standard control objectives for such a system and the
strategy.
Sources of information
There may be a wide range of sources of information available to internal
auditors about how a system operates. These may include:
Staff who operate the system will know what they do, but not necessarily
why they do it. They may also try and explain the system in the most
positive light. The skill of internal audit is to enable all the staff they
interview to open up and tell them what they actually do (not just what
they think they should do) and to describe any aspects they think could
be improved. Understanding why each task is undertaken may be more
difficult. Staff may just do it “because we’ve always done it that way” or
even worse “because the auditors told us to!”
An experienced auditor should ensure that the staff they talk to are
relaxed and so describe the system, warts and all. They should also
challenge the staff to ensure that they describe what actually happens
and, through discussion, ascertain whether any improvements are
possible and practical.
Internal controls
Auditors need to understand how the system operates and the role of all
the key procedures, but essentially they are only interested in controls.
There are a range of different types of control. The most important may
be:
Once internal auditors have discovered the controls that actually exist
and made notes of these they can go on to assess whether these controls
should be adequate. However, auditors should remember that internal
auditing is not simply a series of stages that can be completed one after
the other. When they go on to test the controls that they have identified,
they may discover further controls or that some controls are not actually
operating as expected. They will then have to go back and revise their
system notes to ensure these reflect the actual controls that are operating
in practice.
The evaluation of each existing control should follow a two-stage process.
A control should only be relied upon if:
Actual and expected controls do not have to be the same; there may be
several equally valid ways of controlling a particular process. For this
reason internal auditors should ensure that:
Risk may be viewed as the chance (or probability) of one or more of the
organisation’s objectives not being met. Materiality is an assessment of
the significance of a failure to achieve the objective. Materiality may be
measured in terms of the financial consequences, the relative importance
of the objective concerned or the sensitivity of the areas concerned. In
considering materiality, internal auditors should take into account:
Internal auditors should also take into account the cost of reacting to a
failure, as well as the effects of the potential failure itself. Such costs may
include the costs of any investigation, taking corrective action and
supplying appropriate explanations to the regulatory authorities, if
relevant.
Compensating controls
There will be occasions when controls internal auditors expect to find are
missing. If this happens, they should search for controls that compensate
for this potential weakness. For example, in auditing a purchasing system
one control objective might be that “procedures for ordering, payment and
recording of expenditure are properly documented and complied with”.
Internal auditors find that there are no procedure manuals (an expected
control to meet the objective). However, staff operating the system are all
highly experienced and knowledgeable, and are closely supervised. In
these circumstances, internal auditors may consider the experience and
knowledge of the staff and the level of supervision adequately
compensates for the absence of manuals, and thus they may conclude
that the control objective is adequately achieved despite the absence of
such manuals.
Once the actual key controls have been identified and evaluated, internal
auditors should perform tests to confirm that the controls considered to
be adequate and necessary are operating as required and are reliable.
Compliance testing
Substantive testing
Testing techniques
There are a number of different ways that internal controls can be tested.
Internal auditors should seek to use the most cost-effective source of
evidence on the reliability of each control to be tested. The nature of the
control will influence the way auditors test it, but there are five main
methods of testing:
Once the existing controls have been tested for reliability, internal
auditors are ready for the most difficult and professional part of their
audit assignment, the development of recommendations and conclusions.
Thus internal auditors should have two essentially different outputs from
their assignments.
Recommendations
Throughout each assignment internal auditors should consider
recommendations that could be made. What improvements or refinements
can they suggest that would ensure that the organisation achieves its
objectives more efficiently or with reduced risk? Whenever they have
identified a possible control failure or weakness, they should consider the
following:
Internal auditors may consider that the recommendations they make are
necessary to avoid or reduce the risks they have identified. However, the
internal control system should remain the responsibility of the relevant
managers. If managers agree to implement the recommendations, they
should agree that the benefits will outweigh the costs of introducing the
additional controls, and that other more cost-effective controls are not
available.
significant risks.
Advisable - action considered to merit attention and should result
in enhanced control or better value for money.
Action plans
Follow up
Conclusions
When writing the conclusions or opinions to their audit assignments,
internal auditors should consider who the audit report is aimed at and
what their particular concerns may be. They should indicate clearly their
opinion on the quality of the existing internal controls. They should
highlight areas of poor control where they consider that the organisation
is at risk, but also ensure that they clearly recognise areas of good
control. Internal auditors must provide balanced reports that identify
1. Full assurance.
2. Substantial assurance.
3. Limited assurance.
4. Little assurance.
help to ensure that the effects of any risks are avoided or at least
minimised.
Title
The report should have a title, and the title should be explicit and brief. In
other words, it should indicate clearly what the report is about and should
be as short as possible.
Confidentiality
If the report is confidential or ‘secret’ this fact must be printed at the top of
the report and possibly on every page.
Table of contents
Terms of reference
The introductory section of the report should explain why the report has
been written and the terms of reference. The terms of reference will explain
not only the purpose of the report but also any restrictions on its scope.
For example, an internal auditing report might state that its terms of
reference have been to investigate procedures in the credit control section
of the accounts department, with a view to establishing whether the
existing internal checks are adequate.
Sources of information
If the report draws on other sources for its information, these sources
should be acknowledged in the report. Alternatively, if the report is based
on primary research, the nature of the fact-finding should be explained,
perhaps in an appendix to the report.
Sections
The main body of the report should be divided into sections. The sections
should have a logical sequence, and each section should ideally have a
clear heading. These headings or sub-headings should, if possible, be
standardised when reports are produced regularly e.g., audit reports.
Paragraphs should be numbered for ease of reference. Each paragraph
should be concerned with just one basic idea.
Appendices
To keep the main body of the report short enough to hold the reader’s
interest, detailed explanations, calculations, charts and tables of figures
should be put into appendices. The main body of the report should make
cross-references to the appendices in appropriate places.
Summary of recommendations