City University College Department of Accounting & Finance

3. Internal Auditing
Internal auditing is an independent, objective assurance and consulting
activity designed to add value and improve an organization's operations. It
helps an organization accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes.

Internal Audit and Corporate Governance

• The external auditors cannot and must not be involved in the
  operation of their client
• The role of those charged with governance is of a high level
• Who checks how the company is actually being run in practice?
• Thus, a need for a separate department in the company who can
  check that:
  o Systems are operating effectively
  o The procedures in place really work
• In a large public company – a need for an internal audit
• The need for internal audit depends on:
  o Scale, diversity and complexity of activities
  o Number of employees
  o Cost/benefit considerations
  o The desire of senior management

What do Internal Auditors Do?

Internal auditors provide assurance to the company’s management that:
• Systems are operating effectively
• Internal controls are effective
• Laid down procedures are being followed
• Financial and other information are sound and reliable
Internal auditors do this by:
• Carrying out assignments and
• Producing reports of their findings
Auditing Principles II 3. Internal Auditing 1
Asrat Bekele

To be effective, the internal audit department needs to be:

• Sufficiently resourced in terms of budgets and people
• Well organized so that it has:
  o Well developed work practice
  o Competent staff with high quality training
• Independent and objective
  o The head of internal audit should have sufficient seniority
  o Audit reports or summary thereof reviewed by the audit
    committee or some other body independent of management

The systems approach to internal audit


The higher profile of risk management in recent years has led some
internal auditors to consider developing a risk-based approach to internal
audit. However, risks do not exist in isolation. They are the results of the
objectives of the organisation or system not being achieved. Risks should
be considered as an integral part of the systems approach to internal
audit. This should allow the adequacy and reliability of the existing
controls to be considered within the context of the overall system that is
being audited.

Systems auditing was originally developed as a more efficient approach to
external audit. However, this systems-based approach had to be further
developed and refined before it could form an effective internal audit
methodology. The objective of external audit is to form an opinion on the
organisation’s financial statements. Internal audit has the very different
objective of working with managers to improve and optimise their internal
control, risk management and corporate governance processes. These
differing objectives mean that internal auditors cannot just adopt the
approach used by external audit. Internal auditors have therefore
developed their own approach to systems auditing that differs in many
respects to the one that may be adopted by external auditors.

Internal Audit – A Step By Step or an Iterative Approach


Systems auditing is often described in a step by step fashion. However,
this description should not be taken literally; each step should not be
considered as a discrete stage to be fully completed before the next stage
of the audit is commenced. Systems auditing should, in contrast, be
considered as an integrated whole. The knowledge base of the auditor will
gradually expand through an iterative approach to the audit. At each
stage in the audit the auditor should reconsider their approach, review
their understanding of the system and if necessary report significant
findings to relevant managers.
Systems auditing is frequently broken down into the following aspects:

• assignment planning;
• identifying the system and its controls;
• documenting existing controls;
• control evaluation;
• testing key controls;
• developing conclusions and recommendations;
• reporting.

At the assignment planning stage any previous internal audit work and
knowledge of the system should be considered and used to ensure that all
key areas are included within the scope of the audit. Although an audit
brief may be agreed with the system managers, auditors should not be
embarrassed to go back and amend this in the light of new knowledge
and understanding gained later during the assignment.

Previous system notes should be an important source of knowledge if the
system has been reviewed recently. Nothing is more annoying than for
managers to have to explain their system from scratch to a new auditor
each time it is reviewed. However, gaining a full and clear view and
understanding of the system will only occur gradually; it will not be
complete until after the audit is completed. Auditors should try and finish
the easy parts immediately. They can always come back and complete the
more difficult central parts later on.

The extent that auditors can document the system will obviously reflect
the knowledge and understanding they have developed. Auditors should
record basic details as soon as they have discovered them, but should not
try to produce perfect system notes at this stage. Audit testing will
provide further details, and report writing and discussions with staff will
usually enhance the auditor’s understanding of the system. It is often a
good idea to delay writing the system notes until the end of the
assignment. At the very least they should be critically reviewed, and
amended as necessary, after the final report has been issued.

Control evaluation is an important stage of each audit and this should be
completed before testing is started. This is to ensure that only controls
that actually exist, and are likely to reduce significant risks, are tested.
However, this evaluation is only a guide to testing; the testing programme
may need to be revised as a greater understanding of the detail of the
system is gleaned during the testing itself. Tests should be stopped
immediately if auditors realise the control is not working. If other key
controls are identified then further testing should be performed to confirm
the reliability of these controls.

For internal auditors, testing should be designed to determine whether a
particular control should provide reasonable assurance that the
objectives of the system are achieved. Or, putting it the other way round,
whether the control will reduce potential risks to acceptable levels.
Controls are not necessarily a good thing in themselves and should only
be tested as long as they are considered to be working effectively and
likely to have a significant impact on the success of the system. Thus the
testing undertaken should reflect the overall nature of the system, the
auditor’s understanding of it and the interdependencies of the different
controls.

Developing conclusions and recommendations is usually one of the last
aspects of internal auditing to be described, but it may be one of the first
to be undertaken. Prior knowledge of the system, and certainly initial
meetings with the system's managers, will lead most experienced auditors
to begin to develop their opinions of the control environment and possible
improvements. These ideas should be developed and refined at each stage
of the audit.

Audit reporting, writing the formal report and holding discussions with
managers, provides an important stage in the auditor’s understanding of
the system, its weaknesses and the practicality or otherwise of potential
improvements. Audit reporting should also allow the true importance of
each aspect of the control system to be viewed more dispassionately and
in the context of the whole system.

Care should be taken to ensure that this greater understanding of the
whole system and the inter-relationship of all its controls is used to refine
the conclusions and consider the practicality of possible additional
controls. If necessary, queries should be answered and further testing
may need to be undertaken at this stage.

Inexperienced auditors may need to approach systems auditing one step
at a time. As their experience grows, a more sophisticated approach
should develop that recognizes the iterative nature of auditing. Greater
knowledge and understanding develops gradually throughout each audit
assignment. This knowledge should be used to adapt the auditing
techniques used, the extent and nature of testing undertaken and the
timing of audit reporting.

Assignment planning

Internal auditors expect their organisations to be efficient and achieve
value for money. To ensure that they cannot be accused of being
hypocritical they have to make sure that they adequately plan all their
audit assignments and so ensure that they can be completed efficiently.
Internal auditors need to be careful that they review all significant aspects
of the system and that all risks are being adequately managed with
suitable controls.

For these reasons, internal auditors should undertake their audits in
co-operation with the relevant managers. Thus, it is usually considered
appropriate for these managers to be sent an outline of the proposed
audit work a couple of weeks or so before the audit assignment is due to
start. This should give the managers adequate time to reflect on the
proposed scope and objectives of the audit, give them advance notice
and allow them to plan their work around the audit.

At the beginning of each internal audit assignment there should be a
meeting between the auditors (usually including an audit manager and
the auditor who is to undertake the review) and the manager(s) who is
responsible for the particular system. The objectives of this meeting are
for the internal auditors to:

• discuss the system’s objectives and appreciate the significant risks
  involved in their achievement;
• obtain an overview of the roles, responsibilities and reporting lines
  of staff and managers within the system;
• consider any concerns or particular areas managers would like
  internal audit to address during the review;
• agree in broad terms the scope and objectives of the audit.

Internal auditors should be as flexible as possible about the actual timing
of each systems audit assignment. It should rarely be necessary to
undertake ‘surprise’ audits. Most managers are busy people; internal
auditors should recognise this and, whenever possible, should try and fit
their reviews around the managers’ timetables. Therefore, internal audit
visits should be planned so that the normal work of the system is
disrupted as little as possible.

Clear budgets should be agreed for each audit assignment as part of the,
usually annual, planning process. These should be treated as flexible
budgets. It should be possible to exceed the allotted time for an audit, but
only if this is necessary to ensure comprehensive coverage of all
significant aspects of the system. Additional testing may be required or
even requested by the system’s manager. In addition, extra time may be
needed to develop guidance and write up the numerous recommendations
that may be necessary when a poorly controlled system is audited.

However, the staff budget for internal audit needs to be adequately
controlled. If internal auditors need extra time on one assignment then
this time should be recovered on later assignments. Some audits will
inevitably take longer than expected, others should be completed quicker
than planned. Internal auditors should be flexible about the amount of
time they spend on individual audits. However, internal auditors expect
managers to deliver their services within budget. Auditors cannot have
lower standards for their own service. The audits planned to be delivered
each year should be completed in the year, and within the total number of
budgeted days. If this cannot be achieved, internal audit should be
accountable to the audit committee and provide suitable explanations of
the problems encountered and other reasons for not achieving the audit
plans.

Audit managers need to ensure that all audit assignments are undertaken
by auditors who are appropriately experienced or have the necessary
specialist knowledge. Auditors need not (and indeed cannot) be experts in
each of the systems that they review. However, they need to have the
basic background experience that will allow them to appreciate the
significance of the control environment they are reviewing and any
shortcomings that may exist within it. For some audits, especially those of
computer systems and capital contracts, specialist knowledge may be
essential. Without it, the auditors will not be able to identify weaknesses
within the control system and may be unaware of technical controls that
are appropriate to effectively manage the risks identified during the audit.

The level of guidance or supervision that will be necessary during each
audit will depend on the level of experience of the auditor, the complexity
of the system and its technical or specialist nature. Before each
assignment is started the audit manager should ensure that all auditors
have a clear understanding of the work they are to undertake; the
approach to be adopted; and the level of enquiry or size of sampling which
is required. In addition, all auditors should be encouraged to discuss
their findings and any problems or uncertainties they encounter during
their audit. Discussion is an effective problem-solving tool for internal
auditors and has the bonus of spreading experience across the audit
team.

Audit planning is necessary for internal audit work to be completed
successfully, within budget and with maximum co-operation from the
staff whose system is subject to review. Planning should be viewed
positively in this light and not just seen as a bureaucratic chore that
stops internal auditors finishing their real work. As the saying goes “prior
planning prevents possible pitfalls”.

Control Objectives and Key Controls – The Core of an Internal Audit Assignment

Internal auditors are of course in favour of controls. However, they do not
just think that controls are a good thing. Controls should be there for a
purpose. The purpose is to ensure that the system or process achieves its
objectives. Controls are only needed to reduce the risks to the
achievement of these objectives to an acceptable level. Thus, there may be
circumstances when internal auditors suggest that certain controls
should be removed, for example, if they do not contribute to the reduction
of significant risks.

The systems audit approach revolves around the objectives of the system
i.e. should existing controls provide sufficient assurance to the senior
managers and directors of the organisation that the system will achieve
its objectives? And does the internal control system currently reduce the
chance of things going wrong (or not going right) to an acceptable level?
Before internal auditors start each audit assignment they need to be clear
about the relevant organisational and management objectives.

Control objectives

Control objectives should form the framework of each systems audit
assignment. They should detail the various aspects of a system’s
objectives. They identify specific objectives against which internal
auditors can evaluate existing controls. Control objectives should be
specific enough to provide the basis for this evaluation. Generalisations
such as "to ensure that support services are adequate" should be avoided.

Comprehensive control objectives can be developed for any system by
considering the following areas of control:

• Has the system been adequately planned?
• Are the operations adequately supervised and controlled?
• Is the system periodically reviewed?
• Is suitable management information produced?

Internal auditors need to ensure that the manager who is responsible for
the system to be audited agrees with the objectives assigned to the system
and the control objectives which internal audit has developed. These
should be agreed at the initial meeting with the system manager, who
should also be requested to formally sign up to the agreed scope and
objectives for the audit assignment.

Key controls

Once the control objectives have been agreed, internal auditors need to
identify the controls that they consider necessary to provide assurance
that each of these objectives is being achieved. These are what may be
termed the key controls. If the internal auditor is lucky, control schedules
will have been developed for the relevant system. These schedules should
document the standard control objectives for such a system and the
associated expected key controls.

The purpose of the schedule of expected key controls is to assist in the
evaluation of the actual controls identified during the audit. It is
imperative that the expected controls are reviewed critically to ensure that
they are appropriate. The standard key expected controls will not always
be relevant and may have to be adapted to the particular system that is
reviewed.

If internal auditors do not identify the key expected controls, there is a
danger that they will concentrate purely on the actual controls in place
and fail to identify those that are missing. Identification of key controls
should ensure that audit time is spent efficiently by concentrating on the
key control aspects of the system under review. There may be many other
controls; however, the key controls are the more important controls and
are the basic controls that are necessary to ensure that each control
objective is achieved and all significant risks are adequately managed.
The audit should concentrate on assessing the adequacy and reliability of
these key controls.

Identification and documentation of existing controls

Systems auditing should be a critical assessment of the controls currently
in place against control objectives agreed for the system. Thus, identifying
existing controls is one of the central tasks of systems audit. Internal
auditors cannot assess, test or suggest improvements to the internal
control environment unless they have a clear and comprehensive view of
all of the controls that currently operate. Documenting the existing
controls should help auditors understand these controls and form a basis
for the evaluation of the controls and the development of their testing
strategy.

Sources of information

There may be a wide range of sources of information available to internal
auditors about how a system operates. These may include:

• interviewing staff and their managers;
• reviewing existing documentation;
• observation of working practices;
• reviewing previous audit reports.

Interviews are key

The most important source of information will usually be the staff
working with the system. They know how the system actually operates
and should have a reasonable idea of how practical any improvements
may be. Thus interviewing skills are essential for all internal auditors.
They need to be able to understand what may be a complex system. They
also need to be able to critically assess each stage of the process, i.e. why
is it performed? Could it be undertaken more efficiently?

Staff who operate the system will know what they do, but not necessarily
why they do it. They may also try and explain the system in the most
positive light. The skill of internal audit is to enable all the staff they
interview to open up and tell them what they actually do (not just what
they think they should do) and to describe any aspects they think could
be improved. Understanding why each task is undertaken may be more
difficult. Staff may just do it “because we’ve always done it that way” or
even worse “because the auditors told us to!”

An experienced auditor should ensure that the staff they talk to are
relaxed and so describe the system, warts and all. They should also
challenge the staff to ensure that they describe what actually happens
and, through discussion, ascertain whether any improvements are
possible and practical.

Other places to look

Auditors may review documentation such as statutes, circulars,
committee reports, job descriptions, organisation charts, policy and
procedure manuals and financial regulations. These may record how a
system is supposed to work, but may not necessarily reflect actual
practice. Internal auditors may consider that the adequacy or otherwise of
documentation is an indication of the attitude of management to internal
control.

Observation of the physical environment and working methods should
provide internal auditors with further evidence of actual practice.

This is a particularly useful method of fact-finding where no physical
evidence of an action may have taken place. Internal auditors should
however be aware that their presence may influence the behaviour and
practices of staff under review.

Reports of previous reviews of the system by other internal auditors,
external auditors or other review agencies may also be a useful source of
information. However, these reports should be read with care. The
authors may not have understood the system, they may not have covered
all aspects or their reports may be unclear. This consideration may allow
internal auditors to reflect on the quality of their own reports and system
documentation. Would these allow other auditors to quickly grasp the
most important aspects of the system and its internal controls?

Internal controls

Auditors need to understand how the system operates and the role of all
the key procedures, but essentially they are only interested in controls.
There is a range of different types of control. The most important may
be:

• Segregation of duties: the functions of authorising transactions;
  recording the transactions; and custody of the associated assets
  should be undertaken by separate staff.
• Organisation: there should be a clear organisation chart and all
  staff should have up to date job descriptions that clearly indicate
  their responsibilities.
• Authorisation and approval: all transactions and decisions should
  be formally authorised by nominated staff.
• Physical: there should be suitable controls over access to offices,
  assets, controlled stationery and computer systems.
• Management: production of suitable financial and operational
  management information; use of exception reports; critical review
  and enquiry by management.
• Arithmetical and accounting: checking / re-performing tasks
  carried out by others; costing (adding up) orders, invoices, payroll
  etc; reconciliation between the bank and accounting records;
  control accounts.
• Personnel: appointment of staff should be adequately controlled; all
  staff should be suitably trained for their post and appraised
  regularly.
• Supervision: all staff and activities should be adequately
  supervised by someone who understands the process and will
  detect deviations from accepted practice.

Recording the controls

All internal audit work should be documented and be sufficient to
support the conclusions drawn on the adequacy and reliability of the
internal controls. The main procedures and key controls over significant
risks should be clearly and concisely recorded. Audit working papers
should include:

• systems notes, either in text or graphics;
• notes of interviews and meetings;
• a record of the current key controls and their reliability;
• an assessment of the extent that existing controls will ensure that
  each agreed control objective is achieved; and
• evidence of audit sampling and testing of controls.

There are a number of methods of documenting procedures and controls,
for example flow charts, key control schedules, internal control
questionnaires and narrative notes. Whatever method is adopted should
be used consistently. This should make it easier for the system notes to
be used for future reviews of the same system. Systems documentation
should:

• be clear and easy to understand;
• provide a standardised approach;
• highlight risk points and key controls.

The purpose of this documentation is to:

• enable the internal auditors to review the information they have
  received and to organise their thoughts and knowledge so the
  internal controls can be systematically assessed and tested;
• provide details of problems encountered, evidence of work done and
  conclusions drawn for future reference and to assist the planning of
  future audits;
• demonstrate to interested parties that the audit work has been
  properly planned, controlled, executed and reported.

Once internal auditors have discovered the controls that actually exist
and made notes of these they can go on to assess whether these controls
should be adequate. However, auditors should remember that internal
auditing is not simply a series of stages that can be completed one after
the other. When they go on to test the controls that they have identified,
they may discover further controls or that some controls are not actually
operating as expected. They will then have to go back and revise their
system notes to ensure these reflect the actual controls that are operating
in practice.

The Evaluation of Existing Controls

Each systems audit assignment should concentrate on an assessment of
the adequacy and reliability of the controls necessary to ensure that each
of the agreed control objectives is achieved. This evaluation should form
the core part of the audit work. However, other significant aspects of the
control environment, the efficiency of the system and the extent that best
practice is adopted, should be reviewed and, if appropriate, reported
upon.

The evaluation of each existing control should follow a two stage process.
A control should only be relied upon if:

1. the audit evaluation shows that, in theory, the control is adequate
   and it should significantly help to ensure that an agreed control
   objective is achieved; and
2. there is sufficient audit evidence to provide reasonable assurance
   that the control is operating consistently and reliably.

If the internal auditor, after initial evaluation, concludes that a control is
not effective (or is not necessary for the achievement of the relevant
control objective) there is no point in testing this control.

Compare actual controls with expected controls


Once the actual controls have been identified, these should be
documented and compared with the expected controls. One of the
following will apply:

• the actual control equals the expected control;
• the expected control is absent but adequate compensating controls
  exist;
• the expected control is absent.

It is possible that the controls identified do not match the expected
controls and this may indicate the presence of an additional control. This
may be evaluated if it is considered to be significant to the achievement of
the control objective. Alternatively, an expected control may be missing
and, if this is the case, the significance of the omission should be
assessed.

Actual and expected controls do not have to be the same; there may be
several equally valid ways of controlling a particular process. For this
reason internal auditors should ensure that:

• when evaluating actual against expected key controls, the existence
  of compensating controls is considered; and
• throughout the control evaluation process, they consider whether
  all the controls in place are actually necessary.

Removal or amendment of a control procedure may not significantly
increase the risks associated with the operation of the system and may
result in cost savings.

Evaluation of control weaknesses

The internal audit evaluation should take account of the likelihood of
undesirable events occurring (risk) and their significance to the
organisation (materiality). Internal auditors should use their judgement to
determine what level of control is appropriate in the light of their
evaluation of the risks and materiality involved.

Risk may be viewed as the chance (or probability) of one or more of the
organisation’s objectives not being met. Materiality is an assessment of
the significance of a failure to achieve the objective. Materiality may be
measured in terms of the financial consequences, the relative importance
of the objective concerned or the sensitivity of the areas concerned. In
considering materiality, internal auditors should take into account:

• the possible direct and indirect financial consequences;
• the importance of particular management objectives in the context
  of the organisation’s overall objectives;
• the potential for embarrassment or adverse publicity.

Internal auditors should also take into account the cost of reacting to a
failure, as well as the effects of the potential failure itself. Such costs may
include the costs of any investigation, taking corrective action and
supplying appropriate explanations to the regulatory authorities, if
relevant.

Compensating controls

There will be occasions when controls internal auditors expect to find are
missing. If this happens, they should search for controls that compensate
for this potential weakness. For example, in auditing a purchasing system
one control objective might be that “procedures for ordering, payment and
recording of expenditure are properly documented and complied with”.
Internal auditors find that there are no procedure manuals (an expected
control to meet the objective). However, staff operating the system are all
highly experienced and knowledgeable, and are closely supervised. In
these circumstances, internal auditors may consider the experience and
knowledge of the staff and the level of supervision adequately
compensates for the absence of manuals, and thus they may conclude
that the control objective is adequately achieved despite the absence of
such manuals.

Internal auditors should evaluate each existing control to consider
whether it is adequate. In addition, they should evaluate the whole
spectrum of controls that may help to ensure that a particular control
objective is achieved.

Testing existing controls

Once the actual key controls have been identified and evaluated, internal
auditors should perform tests to confirm that the controls considered to
be adequate and necessary are operating as required and are reliable.

Internal auditors should consider the following points when selecting a
sample of transactions to test:

 The sample should be selected from the total population, for
example, when testing that all payments have been authorised the
sample should be selected from a bank statement or payments
register rather than from a file of paid invoices.
 The period covered by the sample should be appropriate. This
should normally be the period since the last audit of the system.
However, the sample should be weighted towards the current
financial year, especially if the last audit was several years ago. If
the system has changed significantly, the sample should only
include the period since the changes were introduced.
 The method of sample selection should be recorded. The sample
should include all significant types of transaction.
 Testing should be focused on high risk areas.

Compliance testing

The aim of compliance testing (i.e. test of controls) is to confirm that
existing controls are operating as intended and are reliable. An example is
checking that each invoice has been initialled to indicate that it was
authorised by an appropriate manager. The primary aim of compliance
tests is not to identify errors, mistakes or potential fraud, but to identify
controls that are not always performed as required. The reasons for any
errors or omissions and the reliability of controls are more important to
internal auditors than any individual mistakes or omissions. Compliance
testing should be the standard form of testing used during systems
auditing.
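
The sample-selection points and the authorisation check described above can be worked through in code. The following Python sketch is an added example, not part of the original notes; the payments register, its field names, the financial-year start, the 70% current-year share and the seed are all constructed assumptions.

```python
import random
from datetime import date, timedelta

FY_START = date(2024, 1, 1)  # assumed start of the current financial year


def build_register():
    """Constructed payments register: the total population of payments."""
    types = ["supplier", "payroll", "expenses"]
    register = []
    for i in range(60):
        authorised = i % 10 != 7  # six constructed deviations
        register.append({
            "id": f"P{i + 1:03d}",
            "date": date(2023, 1, 1) + timedelta(days=12 * i),
            "type": types[i % 3],
            "authorised_by": "manager-A" if authorised else None,
            # Assumption: unauthorised payments never reached the invoice file.
            "invoice_on_file": authorised,
        })
    return register


def paid_invoice_file(register):
    """The incomplete source: only payments that have a filed invoice."""
    return [p for p in register if p["invoice_on_file"]]


def select_sample(register, size, fy_start=FY_START, current_share=0.7,
                  seed=20240331):
    """Select a reproducible sample and return it with a record of the method."""
    rng = random.Random(seed)
    current = [p for p in register if p["date"] >= fy_start]
    prior = [p for p in register if p["date"] < fy_start]
    picked = {}
    # Step 1: include every significant type of transaction at least once.
    for t in sorted({p["type"] for p in register}):
        pool = ([p for p in current if p["type"] == t]
                or [p for p in prior if p["type"] == t])
        choice = rng.choice(pool)
        picked[choice["id"]] = choice
    # Step 2: top up each period to its quota, weighted to the current year.
    n_current = min(len(current), round(size * current_share))
    n_prior = min(len(prior), size - n_current)
    for pool, quota in ((current, n_current), (prior, n_prior)):
        have = sum(1 for p in pool if p["id"] in picked)
        rest = [p for p in pool if p["id"] not in picked]
        for p in rng.sample(rest, min(len(rest), max(0, quota - have))):
            picked[p["id"]] = p
    sample = sorted(picked.values(), key=lambda p: p["id"])
    # Step 3: record the method so the selection can be re-performed.
    method = {
        "source": "payments register (total population)",
        "population": len(register),
        "seed": seed,
        "fy_start": fy_start.isoformat(),
        "current_share": current_share,
        "selected_ids": [p["id"] for p in sample],
    }
    return sample, method


def compliance_test(items):
    """Test of control: each payment must show an authorising manager."""
    deviations = [p["id"] for p in items if not p["authorised_by"]]
    rate = len(deviations) / len(items) if items else 0.0
    return {"tested": len(items), "deviations": deviations, "rate": rate}


if __name__ == "__main__":
    register = build_register()
    sample, method = select_sample(register, size=20)
    print("method:", method)
    print("sample result:", compliance_test(sample))
    # The same control tested from the paid-invoice file finds nothing,
    # because the unauthorised payments are not in that file at all.
    print("invoice-file result:", compliance_test(paid_invoice_file(register)))
```

The deviation rate, not any single unauthorised payment, is the figure that speaks to the reliability of the control.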


Substantive testing

Substantive testing is concerned with the accuracy and completeness of
outputs rather than the adequacy of controls. An example is checking
that the amounts paid are the same as the value on the invoice.
Substantive testing, therefore, should have a limited role to play in
systems auditing. Nevertheless, internal auditors sometimes use it as a
means of demonstrating the existence or seriousness of weaknesses,
when they are unable to convince management by any other means.
Internal auditors should bear in mind that substantive testing is usually
not economical and may weaken their arguments if it fails to produce
evidence of actual errors.

Testing techniques

There are a number of different ways that internal controls can be tested.
Internal auditors should seek to use the most cost-effective source of
evidence on the reliability of each control to be tested. The nature of the
control will influence the way auditors test it, but there are five main
methods of testing:

1. Observation is particularly important where there is no permanent
record of activities – discreet observation can reveal whether there is
improper access to a restricted area.
2. Interviewing is useful when evidence is absent or unclear. Care
should be taken because the behaviour of the auditor could affect
the attitude of the person being interviewed and an insensitive
approach could lead to an unco-operative and defensive reaction.
3. Verification involves independently confirming the truth, accuracy
or validity of transactions. However, internal auditors’ prime role is
to evaluate and test the controls, not to confirm the validity of the
data itself. When using verification tests, auditors should ensure
that they are related to the operation of controls. Methods used are:
o Comparison - with some ascertainable fact or standard, e.g.
that instruction manuals are up-to-date or staff have
attended appropriate training courses at prescribed intervals.
o Confirmation - checking statements of performance, e.g.
checks with customers that supply delivery response times
are as stated by the supplier.
o Vouching - checking a transaction against supporting
documentation, e.g. a payment to a supplier against the
corresponding order and goods received note.
4. Reperformance is particularly relevant where calculations or
measurements have been supposedly checked as a control and the
auditor wishes to check that the control actually operated.
5. Analytical review consists of reviewing the reasonableness of
significant ratios, trends or other data. For example, a comparison
of the ratio of payroll costs to the number of employees over several
months. Thus it is primarily a substantive test but it may provide
evidence of the quality of the general control environment.

Once the existing controls have been tested for reliability, internal
auditors are ready for the most difficult and professional part of their
audit assignment, the development of recommendations and conclusions.

Developing Recommendations and Conclusions

Internal audit has two roles which in practice are linked.

 Firstly, to provide reasonable assurance to the board (or
comparable body) that the organisation’s significant risks are being
appropriately managed, with an emphasis on the role of internal
controls.
 Secondly, internal audit should be ensuring that the organisation’s
risk management and internal control systems are continually
being improved and optimised, in response to an ever-changing
environment.

Thus internal auditors should have two essentially different outputs from
their assignments.

 Firstly, a clear opinion or conclusion on the quality of the internal
control system they have audited.
 Secondly, a series of recommendations to improve this system of
control or to reduce the risks that the organisation faces.

These should not be confused. Therefore the conclusions should not be a
summary of the recommendations made. The audit opinion should be a
clear message to senior management and the board on the extent that
existing controls should adequately address the main risks that the
organisation faces in achieving its objectives. Can they sleep safely at
night or are there major concerns that should worry them?

Recommendations
Throughout each assignment internal auditors should consider
recommendations that could be made. What improvements or refinements
can they suggest that would ensure that the organisation achieves its
objectives more efficiently or with reduced risk? Whenever they have
identified a possible control failure or weakness, they should consider the
following:

 How important is the control?
 Are there compensating or complementary controls which reduce
its intrinsic importance?
 How serious are the deviations discovered and why did they occur?
 Is any control failure likely to be isolated or recurring?
 Is further testing (to confirm our opinion) necessary or feasible?
 Is the weakness so serious that management needs to be informed
immediately?

The recommendations internal auditors make may include the following:

 introducing further controls;
 refining or amending existing controls to make them more effective;
 ensuring that existing controls are applied regularly and
consistently;
 reducing unnecessary controls;
 introducing best practices.

It is important that internal auditors do not just recommend the
introduction or strengthening of controls for the sake of it. They should
only suggest that controls are improved if they consider that there are
significant risks that are not currently being adequately managed or being
reduced to an acceptable level. There must be a balance between the risk
auditors have identified and the controls they suggest should be
implemented. The controls should be proportionate to the significance
and likelihood of the relevant risk. The costs of introducing controls
should balance the likely costs of the risks that they are designed to
manage or reduce. The costs of operating all internal controls should
balance the benefits that the organisation may gain from their
implementation.

All the recommendations that auditors make should be tailored to the
specific circumstances of the organisation. Internal auditors need to think
carefully about the sorts of controls that will work within the culture of
the organisation and the section or department that they are auditing.
The recommendations should be sufficiently detailed to ensure that the
managers understand the precise procedures internal audit are
suggesting should be introduced. Auditors may be unsure of the exact
controls that may work, but this can be established through discussions
with the managers when finalising the audit report. Auditors must
remember that these managers should understand their systems better
than auditors do and they should be prepared to amend their
recommendations in the light of these discussions.

Internal auditors may consider that the recommendations they make are
necessary to avoid or reduce the risks they have identified. However, the
internal control system should remain the responsibility of the relevant
managers. If managers agree to implement the recommendations, they
should agree that the benefits will outweigh the costs of introducing the
additional controls, and that other more cost effective controls are not
available.

Which are the important recommendations?

Internal auditors should ensure that managers are aware of those
recommendations that internal audit consider particularly important and
those that are merely desirable. One way of doing this is to prioritise the
internal audit recommendations as follows:

 Fundamental - action considered essential to ensure that the
organisation is not exposed to high risks.
 Significant - action considered necessary to avoid exposure to
significant risks.
 Advisable - action considered to merit attention and should result
in enhanced control or better value for money.

Action plans

Each internal audit report should include an action plan. Internal
auditors should aim to help to improve systems of internal control rather
than just commenting on their quality. The action plan should be completed
by the Systems Manager to indicate their agreement (or otherwise) to each
internal audit recommendation. The action plan should also include the
managers responsible for implementing each recommendation and a
target date for this action.

Follow up

As well as providing recommendations, internal auditors should
periodically monitor the extent that their recommendations have been
implemented. Where managers indicate that the more significant
recommendations have been introduced, internal auditors should carry
out suitable tests to confirm that these controls are now operating reliably
as planned.

Conclusions
When writing the conclusions or opinions to their audit assignments,
internal auditors should consider who the audit report is aimed at and
what their particular concerns may be. They should indicate clearly their
opinion on the quality of the existing internal controls. They should
highlight areas of poor control where they consider that the organisation
is at risk, but also ensure that they clearly recognise areas of good
control. Internal auditors must provide balanced reports that identify
good management practice rather than merely reporting the weaknesses
they have identified. As a result of their audit work, internal auditors
should form an overall opinion on the extent that existing controls provide
adequate assurance, and that all significant risks to the achievement of
the system’s objectives are being effectively managed. One way of helping
to provide this overall opinion is to grade the quality of the level of
assurance provided:

1. Full assurance.
2. Substantial assurance.
3. Limited assurance.
4. Little assurance.

If internal auditors, as a result of each assignment, develop clear
conclusions and practical recommendations they will add value. Internal
auditors can only claim to be professionals if they provide professional
advice that is accepted and valued by managers. The outcome of each
internal audit assignment should be that the risk management and
internal control procedures are improved, optimised and refined. This
should ensure that internal audit is recognised as an important
management tool. Internal auditors should be the controlling conscience
of their organisation, and should be working in partnership with
managers.

If internal auditors adopt the systems audit approach outlined they
provide a professional and valued service to their organisation. The
outcome of internal audit work should be that the internal control, risk
management and corporate governance processes are improved and
optimised so that the organisation is better prepared to face its
ever-changing environment. Systems audits should enable internal auditors to
play a significant role in the future success of their organisation and
help to ensure that the effects of any risks are avoided or at least
minimised.

Limitations of the internal audit function


The main limitations of internal audit are:
 Lack of independence
 Variation of standards
o Not uniform across the profession
 Relatively new profession
 Expectation gap
 Understanding of internal audit
o Seen as ‘checking up’ on other employees on behalf of ‘the
bosses’
Considerations of outsourcing the internal audit function
Advantages
 Greater focus on cost and efficiency
 Staff may be drawn from a broader range of experience
 Risk of staff turnover passed over
 Specialist skills may be more readily available
 Cost of employing permanent staff avoided
 May improve independence
 Access to new market place technologies
 Reduced management time in administering an in house department
Disadvantages
 Possible conflict of interest if provided by the external auditors
 Pressure on the independence of the contractor
 Risk of lack of knowledge and understanding of the organization’s
objectives, culture or business
 Decision may be based on cost with the effectiveness of the function
being reduced
 Flexibility and availability may not be as high as with an in house
function
 Lack of control over standard of service
Minimizing the risks associated with outsourcing:
 Controls over acceptance of internal audit contracts to ensure no
impact on independence or ethical issues
 Regular reviews of the quality of audit work performed
 Clearly agreed scope, responsibilities and reporting lines
 Procedures manual for internal audit
Internal Audit Assignments
Generic types of assignments
 Value for money/best value assignments
 Assignments dealing with IT
 Project auditing
 Financial audit
Value for money (VFM)
 Concerned with obtaining the best possible combination of services
for the least resources
 Is the pursuit of ‘Economy’, ‘Efficiency’ and ‘Effectiveness’ – 3Es.
o Economy – least cost. Accomplishes objectives and goals at a
cost commensurate with risk.
o Efficiency – best use of resources. Accomplishes goals and
objectives in accurate and timely fashion with minimal use of
resources.
o Effectiveness – best results. Providing assurance that the
organization’s objectives will be achieved.
Tension between economy, efficiency and effectiveness
 VFM audits tend to focus on either economy and efficiency or
effectiveness but not both.
 Easy to reduce costs by providing a lower standard of service or to
improve effectiveness by spending more
 Solution
o Treat current or target effectiveness as fixed and try to identify
ways of cutting costs, or
o Aim to spend the same as before but to improve results in the
process
Measurement
 Audits frequently focus more on economy and efficiency because it
can be difficult to measure effectiveness. E.g. hospitals
Audit of information technology
The internal audit approach to IT covers:
 Whether the company’s systems provide reliable basis for
preparation of financial statements
 Does the system represent value for money/best value?
 Were the controls over awarding IT contracts effective?
Project auditing
 Is about looking at a specific project and whether it was done well
and asking:
o Were the objectives achieved?
o Was the project implemented effectively?
o What lessons can be learned from any mistakes made?
Financial internal audit
Embraces:
 The conventional task of examining records and evidence in order
to detect errors and prevent fraud
 Analyzing information, identifying trends and potentially significant
variations from the norm
Operational and internal audit assignments
Covers:
 Examination and review of a business operation
 The effectiveness of controls
 Identification of areas for improvement in efficiency and performance
 Main areas in which operational internal audit is commonly used
are:
o Procurement
o Marketing
o Treasury
o Human resources
 In all cases the audit work starts by identifying the objectives of the
audit which focuses on:
o The principal business risks involved which may prevent the
organization achieving its objectives
o Assessment of the extent to which:
 Controls are in place
 Operating effectively in order to manage these risks
o The outcome is a report to management
Procurement
 Is the organization achieving value for money in its purchases of
goods and services?
Marketing
An internal audit assignment considers:
 Did the campaign deliver on its objectives?
 Were the proper procedures followed in awarding any external
contracts?
 Possible breaches of regulatory requirements
 Shareholder value lost or damage to reputation through poor brand
image
 Financial loss arising from poor cost control
 Fraudulent practices
 Excessive or inappropriate use of marketing entertainment
Treasury
 The internal audit team may check that the procedures laid down in
the rule book for treasury have been followed
 Internal audit may also be asked to check whether the procedures
were appropriate.
Human resources
 Are the organization’s procedures applied properly?
 Are the procedures appropriate?
Internal Audit Reports
 Customer focused
 Meet organizational needs
Purpose and structure
 To summarize the results of work undertaken
 Content determined by the nature of the assignment
 Short and sweet
o Clear concise easy to read
 Measurable/quantifiable outcomes
o It is less likely that improvements will actually happen
without:
 Clear recommendations about how the improvement is
to be made
 Some way of measuring whether the recommendations
have been successfully implemented
 Prioritization
o The important content needs to be readily accessible
 Avoid surprises
o Discuss with management as points arise
 Fairness
o Balanced and constructive reporting
o Ensure consistency particularly where ratings are used
Types of report
Formal reports
 The traditional outcome from an internal audit assignment
 Recommended structure
 Shorter memorandum reports
o Short less formal reports may be required for:
 Smaller scale assignments
 Where less depth is required
 Where results required urgently
o Care needs to be taken with the contents of the report as in
a formal report
o Addressees
 Make sure it goes to the right people
o Subject matter
 Make sure that
 The purpose of the report is clear
 The objective is addressed by the content of the
report
o Structure
 Make sure the report is laid out well
 Lack of formality should not be taken as an excuse for
sloppy drafting
 Presentations
o Oral presentation can have a greater impact than a written
document
o The structure of presentation has much in common with the
structure of a formal written report
Structure of a formal report
 Subject
 Distribution list
 Date of issue
 Any rating/evaluation
Executive summary
 Like the whole report in miniature
 Grab the reader’s attention to make sure they read the whole
report
 Readers should still be able to come to the same conclusion and
make the same decisions by reading the executive summary only
 Difficult in practice
Key findings and recommendations
Summary
Short, clear summaries of key findings
 The main problems found
 Breaches in procedure
 Ineffective procedures
Detail findings and agreed actions
 Recommendations for solving the problem
 Who is to carry out the necessary actions
 Deadlines and timescales
Assessment gradings or ratings
Help senior management
 Form an overall opinion of the organization
 Identify trends
 Facilitate high level reporting
There needs to be a consistent and clear mechanism to ensure credibility
of the ratings.
Process of producing the report
 Begins with the planning of the assignment itself
 At the planning stage ensure that the work to be done:
o Will fulfill the objective of the assignment
o Will dovetail with the requirements for the report
 After all the work is done the report needs to be drafted:
o Well structured
o Clear and concise
o Discuss with those affected so that there are no surprises
o Check back with original objective to ensure it delivers what it
was supposed to

Generally accepted principles of effective report writing


The purpose of reports and their subject matter vary widely, but there are
certain generally accepted principles of report writing that can be applied
to most types of report. Bear in mind that all these principles may not
strictly apply to all reports but can be used as necessary. They will help
you further develop your report writing skills.

Title
The report should have a title, and the title should be explicit and brief. In
other words, it should indicate clearly what the report is about and should
be as short as possible.


Identification of report writer, report user and date


Reports should indicate in a clear place, possibly before the title itself,
whom they are directed at, who has written them and the date of their
preparation.

Confidentiality
If the report is confidential or ‘secret’ this fact must be printed at the top of
the report and possibly on every page.

Table of contents

If the report is extensive, it should open with a list of contents.

Terms of reference

The introductory section of the report should explain why the report has
been written and the terms of reference. The terms of reference will explain
not only the purpose of the report but also any restrictions on its scope.
For example, an internal auditing report might state that its terms of
reference have been to investigate procedures in the credit control section
of the accounts department, with a view to establishing whether the
existing internal checks are adequate.

Similarly, the terms of reference of a management accounting report might
be to investigate the short-term profit prospects for a particular product,
with a view to recommending either the closure of the product line or its
continued production. These terms of reference would exclude
considerations of long-term prospects for the product, and so place a
limitation on the scope of the report.

When timescale is important, this should be specified in the terms of
reference. For example, the board of directors might call for a report so
that they can take a decision by a certain cut-off date, e.g., whether to put
in a tender for a major contract and if so at what price, in a situation
where a customer has invited tenders which must be submitted by a
certain date.

Sources of information

If the report draws on other sources for its information, these sources
should be acknowledged in the report. Alternatively, if the report is based
on primary research, the nature of the fact-finding should be explained,
perhaps in an appendix to the report.

If there is an extensive series of documents referring to one matter, a
summary of the history may be provided in the appendix. If the literature
includes a lot of correspondence, a uniform code should be used to refer to
letters in the summary. For example, letters between the Company
Secretary and the Companies Registry might be referenced as CS/Reg
[date].

Sections
The main body of the report should be divided into sections. The sections
should have a logical sequence, and each section should ideally have a
clear heading. These headings or sub-headings should, if possible, be
standardised when reports are produced regularly e.g., audit reports.
Paragraphs should be numbered for ease of reference. Each paragraph
should be concerned with just one basic idea.

Appendices
To keep the main body of the report short enough to hold the reader’s
interest, detailed explanations, calculations, charts and tables of figures
should be put into appendices. The main body of the report should make
cross-references to the appendices in appropriate places.


Summary of recommendations

A report will usually contain conclusions or recommendations about the
course of action to be taken by the report user. These conclusions or
recommendations could perhaps be stated at the beginning of the report
(after the introduction and statement of terms of reference). The main body
of the report can then follow, in its logically progressive sections, and
should lead the report user through the considerations that led the report
writer to these conclusions. The conclusions or recommendations could
then be re-stated at the end of the main body of the report.
