
OVERVIEW OF AUDIT FUNCTION AND ROLES OF INTERNAL AUDITORS, CERTIFIED PUBLIC ACCOUNTANTS, AND BANK EXAMINERS AND DISCUSSION OF INTERNAL CONTROLS

MEANING OF THE WORD “AUDITOR”

A good place to start to obtain an understanding of what the internal or external auditors (CPAs) and bank
examiners do would be to review the meaning of the word “auditor” and see if any of the dictionary
definitions would apply to the different types of auditors we will be meeting this week. According to
Webster’s dictionary, an auditor is one who hears or listens, or is authorized to examine and verify
accounts or “audits” a course of study or hears (as in a court case) in the capacity of a judge. It is
possible that all four definitions fit our current idea of an auditor in the following ways:

• “One that hears or listens” – one technique used to gather valuable information by internal and external auditors

• “One authorized to examine and verify accounts” – an important auditing technique, especially in periodic examinations of a department or division, or during interim audits to determine with a reasonable degree of assurance the balances in a bank’s accounts

• “One that audits a course of study” – substitute the words “functions, services, systems, and procedures” because the auditor must be exceptionally knowledgeable in the subject matter of banking

• “One that hears (as a court case) in the capacity of a judge” – an auditor reviews, analyzes and weighs the facts (hearing evidence), renders an opinion (makes a judgment), and recommends corrective action where necessary (passes sentence)

INTERNAL AUDIT (INCLUDING INFORMATION TECHNOLOGY [IT] AUDIT)

We will be looking at the internal audit function, the external audit function (also identified as the CPA),
and the bank examiner activity from the perspectives of definition, purpose, and responsibilities. We will
then focus on the relationships among the three groups of auditors.

Internal audit is defined as an independent appraisal activity within an organization that reviews
accounting, financial and other operations as a basis for service to management by functioning as a
managerial control, which measures and evaluates other controls. Internal audit also encompasses the
examination and evaluation of the adequacy and effectiveness of the organization’s system of internal
control and the quality of management’s performance in carrying out its assigned responsibilities. To
function effectively, the internal audit activity must have an independent reporting relationship to
management or the Board of Directors.

The purpose of the internal audit function is to prevent and detect loss and to provide management with assurance that it (management) can rely on accounting information to draw conclusions about past performance and to make plans for future actions.

The responsibilities of the internal auditor (outlined by the Institute of Internal Auditors) include the following:

• Review the reliability and integrity of financial and operational information and the means used to identify, measure, classify and report such information

• Review the systems established to ensure compliance with those policies, plans, procedures, laws, regulations, and contracts, which could have a significant impact on operations and reports and should determine whether the organization is in compliance with laws and regulations

• Review the means of safeguarding assets and, as appropriate, verify the existence of such assets

• Appraise the economy and efficiency with which resources are employed

• Review operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned

Internal auditors follow particular standards such as the following:

• Accountability – accountable to the board of directors and executive management

• Organizational Standards – the organization is to have an internal audit function and maintain an environment in which the auditor has freedom to act and can perform audits in accordance with internal auditing standards; the function should have an audit department charter and a working relationship with management and should be managed effectively with good planning, time budgeting, and reporting and an effective staffing strategy coupled with personnel administration and career development for staff members

• Personal Standards – the auditor should be sufficiently trained, should maintain an independent state of mind, respect the confidentiality of information, not engage in activities that conflict with the interest of the organization, and exercise due professional care in the performance of duties and fulfillment of responsibilities

• Performance Standards – the auditors should prepare formal audit plans covering all significant organization activities over an appropriate cycle of time; that plan should include an evaluation of controls within the system, procedures should provide sufficient competent evidential matter to support conclusions, and proper supervision and review of the work should be performed

• Communication Standards – the auditors should prepare a formal report in a timely fashion as to the scope and results of each audit performed, with an opinion on the adequacy, effectiveness and efficiency of systems of control and quality of ongoing operations, and with periodic summarizations of the audit activities to the board of directors, senior management, external auditors and regulators

Based on these standards and to achieve its objectives, the internal auditors follow detailed audit plans
and programs and test data and interview employees. They then produce a report to be directed to the
examined area and the management unit to which the internal auditor reports (which should usually be
the audit committee of the board of directors) with an opinion as to the effectiveness and efficiency of
the operations reviewed, the reliability of the financial reporting, and compliance with applicable laws
and regulations.

As to Information Technology (IT) auditing, certain principles and standards are applicable as follows:

Proficiency – audits of banking activities or functions that are affected directly or indirectly by IT are to
be performed by a person with appropriate IT technical knowledge and proficiency as an auditor

Independence – able to perform required audit tests without the assistance of personnel actually
engaged in the IT activity that is being reviewed

Performance – discharge responsibility with thoroughness, competency and objectivity

Scheduling – timeliness and orderliness of IT auditing procedures should be synchronized with normal
operations of the IT department

Internal control – evaluate existing internal controls and use the results as the basis for determining the
extent of other audit procedures and for recommending improved controls, if necessary

Documentation – obtain adequate documentation to provide a reasonable basis for an opinion regarding the activity of functional reviews

Reporting – findings and recommendations to be presented in writing along with any material variations
in the usual scope of the audit

EXTERNAL AUDIT (CPA)

The external audit function is an independent examination and appraisal activity of a set of financial
statements of the bank performed by qualified experts external to the organization.

The purpose of engaging the external auditor is to provide management with a report that contains an
independent opinion (unqualified or qualified or adverse or disclaimer) of the fairness of the bank’s
financial statements taken as a whole, prepared in accordance with generally accepted accounting
principles, after following generally accepted auditing standards. The external auditor or CPA is
interested in the financial soundness of the bank, the competence of its management, compliance with
applicable statutory laws and regulations, adequacy and effectiveness of the internal audit program, and
competency of the internal auditors.

The external auditor is responsible to the financial users who rely on the external auditor or CPA to add
credibility to the financial statements of the bank.

The procedures used by the external auditor to examine banks and savings institutions are detailed in
the AICPA Audit and Accounting Guide Depository and Lending Institutions: Banks and Savings
Institutions, Credit Unions, Finance Companies and Mortgage Companies. Essentially, the four phases of
the audit of the financial statements consist of the following:

• Plan and design an audit approach

• Perform tests of controls and substantive tests of transactions

• Perform analytical procedures and tests of details of balances

• Complete the audit and issue the audit report

Examples of the audit reports issued by the external auditors are found in Chapter 22 (Reporting
Considerations) of the AICPA Audit and Accounting Guide Depository and Lending Institutions: Banks and
Savings Institutions, Credit Unions, Finance Companies and Mortgage Companies. The reports can be an
unqualified opinion, unqualified opinion with explanatory language added to the auditor’s standard
report, unqualified opinion with emphasis of a matter, qualified opinion, adverse opinion, or disclaimer of
opinion.

Essentially, the CPA is forming an opinion, based on the evidence gathered and evaluated, as to the
assertions of management relative to the financial statements of the entity. These implied or expressed
management assertions are the following:

• Existence (whether assets, obligations, and equities included in the balance sheet actually existed on the balance sheet date)

• Completeness (all transactions and accounts that should be presented in the financial statements are included)

• Valuation or allocation (whether asset, liability, equity, revenue, and expense accounts have been included in the financial statement at appropriate amounts)

• Rights and obligations (whether components of the financial statements are properly combined or separated, described, and disclosed)

For the CPA, there are six transaction-related audit objectives that are closely related to the
management assertions; and this is not surprising because the auditor’s primary responsibility is to
determine whether management’s assertions about financial statements are justified. The transaction-
related audit objectives are the following:

• Existence (recorded transactions exist and actually occurred)

• Completeness (existing transactions are recorded)

• Accuracy (recorded transactions included in the client’s journals are properly classified)

• Timing (transactions are recorded on the correct dates)

• Posting and summarization (recorded transactions are properly included in the master files and are correctly summarized)

In addition, there are balance-related audit objectives, similar to the transaction-related objectives. They
too follow from the management assertions, and they provide a framework to help the auditor
accumulate sufficient competent evidence. These nine balance-related objectives are the following:

• Existence (amounts included exist – whether the amounts included in the financial statements should actually be included)

• Completeness (existing amounts are included – whether all amounts that should be included have actually been included)

• Accuracy (amounts included are stated at the correct amounts)

• Classification (amounts included in the client’s listing are properly classified)

• Cutoff (transactions near the balance sheet date are recorded in proper period)

• Detail tie-in (details in the account balance agree with related master file amounts, foot to the total in the account balance, and agree with the total in the general ledger)

• Realizable value (assets are included at the amounts estimated to be realized)

• Rights and obligations (in addition to existing, assets must be owned by the entity being examined before it is acceptable to include them in the financial statements, and liabilities must be the responsibility of the entity being examined)

• Presentation and disclosure (account balances and related disclosure requirements are properly presented in the financial statements)

Here too, these objectives must be met before the auditor can conclude that any given account balance is fairly stated.

The ability of the client’s internal controls to generate reliable financial information and safeguard assets and records is one of the most important and widely accepted concepts in the theory and practice of auditing. To adequately plan how to obtain and evaluate the appropriate audit evidence, generally accepted auditing standards require the auditor to gain an understanding of the internal control in place at the entity being examined. After gaining an understanding of internal control, the auditor assesses how effective internal control is in preventing and detecting errors and fraud. The audit procedures the auditor puts in place to test the effectiveness of controls in order to support a reduced assessed control risk are called tests of controls.

The auditors also evaluate the client’s recording of transactions by verifying the monetary amounts of
transactions. These substantive tests of transactions are audit procedures testing for monetary
misstatements to determine whether the six transaction-related audit objectives (outlined above) have
been satisfied for each class of transactions. Tests of details of balances are audit procedures testing for
monetary misstatements to determine whether the nine balance-related audit objectives (outlined in
preceding paragraphs) have been satisfied for each significant account balance. The use of comparisons
and relationships to assess whether account balances or other data appear reasonable constitutes
analytical procedures.

BANK EXAMINATIONS

Bank examinations are appraisal activities performed by regulatory experts external to the organization.
The regulatory organization in Ghana is the Bank of Ghana. Part VII of the Ghana Banking Act 2004
provides information on Bank supervision. The purpose of the regulators’ examination of a bank’s
operations is to provide an objective evaluation of a bank’s soundness and its compliance with banking
laws and regulations. In addition, the regulators appraise the quality of management and the Board of
Directors, and identify those areas where corrective action needs to be taken to strengthen the bank, to
improve the quality of its performance, and to enable the bank to comply with applicable laws, rules and
regulations.

The bank regulators have a responsibility to the public to ensure that the institution is being operated in
a safe and sound manner and in accordance with the applicable laws and regulations and to ensure that
risks taken by the institution have been properly evaluated. Some of the procedures used by the
regulators include the following: evaluation of the prudence of practices; adherence to laws and
regulations; adequacy of liquidity and capital; quality of assets and earnings; nature of operations;
adequacy of financial reports, internal controls, and audit programs. For more detailed information, you
can access the websites of the regulatory agencies to view the examination and supervisory guidelines
followed by these regulators as they review the balance sheets and income statements of the banks.

RELATIONSHIPS AMONG INTERNAL AUDITORS, EXTERNAL AUDITORS, AND BANK EXAMINERS

There are definite similarities among internal auditors, external auditors, and bank examiners, and these
include the following: competency, objectivity in performing work and reporting results, use of a
methodology in performing the audit or examination (including planning and performing tests of
controls and substantive tests), use of a model, and materiality in deciding the extent of the tests and
evaluating results.

At the same time, there are differences among these three groups of auditors/examiners; namely,
decisions as to risks and materiality may differ because external users, regulators, and management may
have different needs. In addition, the objectives of the internal auditors are usually broader than those of
the external auditors or bank examiners in order to provide flexibility for internal auditors to meet
company needs.

There is a definite need for close communication among internal and external auditors and bank
examiners as the work of the internal auditors impacts the extent of testing by the external auditors and
bank examiners, depending on the effectiveness or ineffectiveness of the internal auditors. The internal
auditors’ effectiveness can be measured by their independence of the operating units being evaluated,
their competency and training, and their actual performance of relevant audit tests of the internal
controls and the financial statements.

INTERNAL CONTROLS

To understand the role of auditors and what type of controls and audit tests need to be performed to
ensure the reliability of financial information, we need to have some idea as to what internal control is
and why it is important in the auditing and accounting process. Internal control is especially important in
the banking industry because banking is not comparable to other industries: a bank’s assets are not
totally its own. Banks use depositors’ funds to create assets, pay dividends to stockholders, and
reimburse suppliers.

A definition of internal control is that it is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the entity’s achievement of objectives in the following categories:

• Effectiveness and efficiency of operations

• Reliability of financial reporting

• Compliance with applicable laws and regulations

The objectives of internal control are to keep the company on course toward profitability goals and
achievement of its mission and to minimize surprises along the way by enabling management to deal
with rapidly changing economic and competitive environments, shifting customer demands and
priorities, and restructuring for the future. The five components of internal control are the following:

1. Control environment – sets the tone of the organization

2. Risk assessment – enables the entity to face various external and internal sources of risk and to
safeguard assets

3. Control activities – policies and procedures to ensure management directives are carried out

4. Information and communication – pertinent information to be identified, captured and communicated effectively

5. Monitoring – assessment of quality of internal control systems’ performance over time


Several key concepts provide a basis for assessing internal controls and the control risks. First, it is
important to note that it is management’s responsibility to establish and maintain the controls for the
organization. Management must establish the “tone at the top” by indicating to employees the
importance of internal controls in their daily work. Second, the internal controls that are established and
followed by employees must be evaluated from a cost/benefit perspective, and here the standard of
reasonable assurance is used as the measure. Third, there are inherent limitations to any system of
internal controls because of the need to rely on the competency and dependability of the people using
the controls.

In your readings and discussions, you will be coming across the phrase “control activities.” Control
activities are defined as the policies and procedures (including those in the five components of control
outlined in one of the preceding paragraphs) that help ensure that necessary actions are taken to
address risks in the achievement of the entity’s objectives.

The following is a list of basic control activities that can be used to set up the internal control
environment. Of course, not all of the activities are applicable to each type of operations. Use of the
activities is dependent upon the particular operations being performed.

• Adequate separation of duties

• Proper authorization of transactions and activities

• Adequate records and documents

• Physical control over assets and records

• Independent checks on performance

These control activities, in turn, can be crafted for inclusion into any one of the following types or groups
of internal controls:

• Accounting controls: general ledger design, closely related to organizational structure; control of the debits and credits from all areas of the bank to the asset, liability, and capital accounts (income and expense); data accurate and up-to-date so the data can be relied upon by users; consisting of a series of checks and balances between sending and receiving areas of the bank and these areas to the general ledger, with procedures spelled out in detail

• Financial controls: products or end results of the bank’s accounting and control systems that are used by management and others to monitor a bank’s progress in the market place and its financial position, e.g., to know what the bank is earning on loans and the profitability of various bank services

• Operating controls: dependent upon the nature and complexity of the system they are designed to protect; usually a mixture of accounting controls, managerial controls, and checks and balances in an operating system designed to promote safe, accurate, and timely processing of transactions, e.g., segregation of duties, dual control, joint custody, rotation of employees, mandatory vacations, accrual accounting

• Information technology (IT) controls: general controls (relating to all aspects of the IT function, such as segregation of IT duties, systems development testing, physical and on-line security, back-up and contingency planning, and hardware controls); applications controls (relating to processing of individual transactions and specific to certain software applications, such as input controls, processing controls, and output controls)

Some of the risks specific to IT environments are the following:

• Reliance on the functioning capabilities of hardware and software: the need for proper physical protection from inappropriate use, sabotage, or environmental damage (such as fire, heat, humidity, water)

• Visibility of audit trail: IT often reduces or eliminates source documents, so controls need to be in place to replace the traditional ability to compare output information with hard copy

• Reduced human involvement: employees who deal with initial processing of transactions never see final results, and there is a tendency to regard output generated through IT as “correct” because a computer produced it

• Systematic versus random errors: the uniformity of computer processing increases the risk of systematic errors, and the risk is heightened if the system is not programmed to recognize unusual transactions or when transaction audit trails are inadequate

• Unauthorized access: without proper on-line restrictions (such as passwords, user IDs, etc.), unauthorized access and activity may be initiated, resulting in improper changes to software programs and master files

• Loss of data: centralized storage of data means severe ramifications if that data is lost or destroyed

• Reduced segregation of duties: computers perform many duties that were traditionally segregated (authorization and recordkeeping), so key duties need to be appropriately segregated in the IT environment

• Lack of traditional authorization: it is common for certain types of transactions to be initiated automatically in the computer environment, so proper authorization depends on software procedures and the accuracy of master files used in making the authorization decision

• Need for IT expertise: the reliability of the IT system and the information generated depends on the ability of the organization to employ personnel or hire consultants with appropriate technology knowledge and experience
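One way an IT auditor could test three of the risks listed above (reduced segregation of duties, authorization that depends on master files, and an incomplete audit trail) against an exported transaction log. This is an added example, not part of the original handout; the column names, user IDs, approval limits and finding labels are all constructed assumptions.

```python
"""Application-control tests over a transaction audit trail (constructed data)."""
import csv
import io
from decimal import Decimal

# Constructed approver master file: user ID -> approval limit.
APPROVAL_LIMITS = {
    "sup01": Decimal("5000.00"),
    "mgr01": Decimal("50000.00"),
}

# Constructed audit-trail export; the column names are assumptions.
SAMPLE_TRAIL = """seq,entered_by,authorized_by,amount
1001,tel01,sup01,1200.00
1002,tel02,tel02,300.00
1003,tel01,sup01,7500.00
1005,tel02,mgr01,42000.00
1006,tel01,,950.00
1007,tel02,tmp09,100.00
"""


def load_trail(text):
    """Parse the CSV export into typed rows, ordered by sequence number."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "seq": int(rec["seq"]),
            "entered_by": rec["entered_by"].strip(),
            "authorized_by": rec["authorized_by"].strip(),
            "amount": Decimal(rec["amount"]),
        })
    return sorted(rows, key=lambda r: r["seq"])


def run_control_checks(rows, limits):
    """Return (seq, finding) exceptions for the auditor to follow up."""
    findings = []
    prev = None
    for row in rows:
        seq, approver = row["seq"], row["authorized_by"]
        # Audit trail completeness: sequence numbers must be contiguous.
        if prev is not None and seq != prev + 1:
            for missing in range(prev + 1, seq):
                findings.append((missing, "MISSING_FROM_TRAIL"))
        prev = seq
        if not approver:
            findings.append((seq, "NO_AUTHORIZATION"))
            continue
        # Segregation of duties: recordkeeping and authorization must differ.
        if approver == row["entered_by"]:
            findings.append((seq, "SAME_USER_ENTERED_AND_AUTHORIZED"))
        # Authorization is only as good as the master file behind it.
        if approver not in limits:
            findings.append((seq, "APPROVER_NOT_IN_MASTER_FILE"))
        elif row["amount"] > limits[approver]:
            findings.append((seq, "AMOUNT_EXCEEDS_APPROVAL_LIMIT"))
    return findings


if __name__ == "__main__":
    for seq, finding in run_control_checks(load_trail(SAMPLE_TRAIL), APPROVAL_LIMITS):
        print(seq, finding)
```

Because the checks run over every record rather than a sample, they also address the systematic-error risk: a software rule that wrongly lets a whole class of transactions through shows up as a cluster of identical findings.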
