CHAPTER-1 General Introduction

General Introduction

1.1 Introduction
Internal auditors generally directly report to the top management of the company. As employees of the organization, they may have an inside track on noticing fraud or certain other occurrences. External auditors come from an outside accounting firm in order to evaluate the company's financial statements. Many external audits done fall into the category of the "big four," the mid-tier range, or affiliates of the big four. Auditing of financial statements of companies registered under the companies’ act 1994 is compulsory in Bangladesh. According to Sec 213(3), the auditor is to make a report to be presented in the annual general meeting of the company on accounts examined by him. Well-planned, properly structured auditing programs are essential to strong risk management and comprehensive internal control systems. Effective internal and external audit programs are also a critical defence against fraud and provide vital information to the board of directors about the effectiveness of internal control systems Auditors are the cornerstones of the foundation upon which effective corporate governance must be built, (Bishop, 2002). Ensuring that these entities perform their roles effectively is therefore pivotal for the survival of the organization. The financial catastrophes of the last decade revealed the extent to which ineffectiveness in any of these entities can adversely affect the business. These corporate upheavals have driven external regulators to find ways of promoting greater accountability, disclosure and transparency – key components of corporate governance, in an effort to restore the trust and confidence of stakeholders and in particular shareholders. Establishing and ensuring coordination among the audit committee, executive managers, external auditors and internal auditors is therefore critical since sound corporate governance hinges on the successful interaction between these entities (Bishop, 2002). With a mandate to add value and improve an organization s operations, the internal audit function needs to take a proactive role in establishing and maintaining such coordination (Pickett, 2003). Herein is an opportunity for adding greater corporate value, through synergy at the very top, among those with tremendous potential to impact on the sustainability of the organization. This dissertation report will examine the role of the internal and External audit function in establishing and ensuring coordination between the audit committee of the board of directors, external auditors, executive management and the internal audit function. In general, coordination within an organization refers to the quality of collaboration across departments (Daft, 2000). It has the idea of organizational networking which allows for direct contact between individuals, and shared effort both internally and externally in order to achieve objectives, find solutions to problems and meet the needs of all stakeholders in a more timely and efficient manner (Hastings, 1993). It also involves the strategic use of two important organizational assets intellectual capital and information. The following discourse

will consider whether coordination is necessary for the audit committee, executive management, external auditors and internal auditors.

1.2 Origin of the report: The BBA Dissertation Program of the Stamford University
Bangladesh is a required course for the students who are graduating from the school of Business of the university. It is a 12 credit-hour course with 12 weeks. Students who have completed all the required courses (at least 116 credit hours) are eligible for this course. In this Dissertation program, the author collected various primary and secondary data and conducted vast research to reach the goal of the report preparation.

1.3 Objectives of the Study: The basic focus of the study is to identify the relationship
between the workings of the internal and the external auditor appointed in an organization. To clarify the relationship, various aspects affecting the workings of the both internal and the external auditor has been identified. These identified aspects will fairly clarify the relationship as well as provide the in depth knowledge about the workings of both auditors. However, the specified objectives of the report areGeneral Objective: To maximize the analytical ability and apply the theoretical knowledge in the analysis. Specific Objectives: The specific objectives are the following: • • • To know about the working procedures of the Internal Auditor and the External Auditor To Trace out the overlapping working areas of the internal auditor and the external auditor To know about the coordination process between the workings of the internal and the external auditors.

1.4 Scope of the Study:
Within the limited range of the pages, This report attempts to present a snapshot of the Relationship between the Workings of the Internal Auditor and the External Auditor of an Organization. The scope of this study is broad and attempts to address the issues relevant to the workings of the both the Internal and the External Auditors. Therefore it will address issues such as general introduction to the Internal and the External Auditor, the reliance of the external auditor on the internal auditor, required coordination between the workings of the internal and external auditors, need for coordination and doings to increase the coordination.


1.5 Methodology: This Dissertation Report generally starts with the collection of data from internet as well as books regarding the Dissertation topic. 1.6 Limitations: It is not an easy job to trace the actual relationship between the workings of the internal and the external auditor within this limited time. thus time limitation was one of the most important factors that languished the present study. Vast research and brainstorming analysis has been done to reach to the goal of this dissertation report preparation. 4|Page . many aspects could not be discussed in the present study. Due to time limitation.


size.1. Definition: “Internal auditing is an independent. complexity.Chapter-2 2. disciplined approach to evaluate and improve the effectiveness of risk management. It helps an organisation accomplish its objectives by bringing a systematic.1.2 Legal Status: Internal audit activities are performed in diverse legal and cultural environments. and structure. objective assurance and consulting activity designed to add value and improve an organisation’s operations. control. and governance processes. within organizations that vary in purpose. the internal audit function is one to ensure that the internal controls are adequate enough to maintain compliance with the policies. procedures and guidelines while being ethical 2. If internal 6|Page . compliance with the International Standards for the Professional Practice of Internal Auditing (Standards) is essential if the responsibilities of internal auditors are to be met.1 Internal Auditor: 2.1. In other words. While differences may affect the practice of internal auditing in each environment.” An internal auditor seeks to advise management on whether its major operations have sound systems of risk management and internal controls.

and diligence in the performance of their duties and responsibilities. Achieving the credential as a certified internal auditor is tangible evidence of meeting professional qualifications established by the IIA. Requirements relate to education. and  Exercise due professional care in the performance of all duties and in the fulfilment of all responsibilities.auditors are prohibited by laws or regulations from complying with certain parts of the Standards.  Only engage in activities that do not conflict with the interests of the City. A master's degree can be substituted for one year of experience. Internal auditors shall respect and contribute to legitimate and ethical objectives of the organization. An internal auditor shall:  Have adequate technical training and proficiency. 2. PERSONAL STANDARDS AND ETHICS: The following personal standards apply to all auditors assigned to Internal Auditing. and successful completion of an examination.1. there is an experience requirement of twenty-four months of internal auditing or its equivalent. internal control assessment. Internal auditors. 7|Page . Internal auditors shall have an obligation to exercise honesty. shall exhibit loyalty in all matters pertaining to the affairs of the organization.3 Eligibility: A certified internal auditor (CIA) is an individual who has met the requirements for certification as established by the Institute of Internal Auditors (IIA). in holding the trust of their employers. 4. The following ethical standards which were derived from the Code of Ethics of the Institute of Internal Auditors shall be adhered to by Internal Auditing: 1. 3. an internal auditor shall not knowingly be a party to any illegal or improper activity.  Respect the confidentiality of information acquired while performing the audit function. The Board of Regents determines the acceptability of equivalent work experience. Experience Requirement: In order to become a CIA.  Maintain a sufficiently independent state of mind to clearly demonstrate objectivity in matters affecting audit conclusions. they should comply with all other parts of the Standards and make appropriate disclosures.  Adhere to conduct that enhances the professional stature of internal auditing. However. 2. or external auditing. Representative equivalent experience can include quality assurance. experience. objectivity.

An internal auditor of organization is appointed by the organizations’ 2.5 Organizational Status: The internal auditor is a vital part of an organization and functions in accordance with the policies established by the President. the internal auditors may not receive the cooperation necessary to perform their tasks.5. could either distort the report of the results of operations under review or conceal unlawful practice. 7. 10.1. In their reporting. system administration and the Board of Directors. 11. 2. Without the support of the board of directors and senior management. Internal auditors shall not accept a fee or a gift from an employee. 6. Internal auditors shall be provided a copy of the Institute of Internal Auditors Code of Ethics upon employment. The 8|Page . Proper organizational status enhances the independence and objectivity of internal audit.1.1. a customer. in expressing an opinion. which would be detrimental to the welfare of the organization. an internal auditor shall reveal such material facts known to them which. 8. The organizational status and the support accorded to the internal auditor by the President and senior management are major determinants of the scope and value of the internal audit function to the organization. authority and responsibility within the organization to address board of director oversight and corporate governance. Internal auditors. The organizational status of internal audit must be sufficient to permit accomplishment of the objectives. Internal auditors shall continually strive for improvement in the proficiency and effectiveness of their service. or a business associate of the organization without the knowledge and consent of their senior management. 9. shall use all reasonable care to obtain sufficient factual evidence to warrant such expression.4 Appointment: HRM department. The internal auditor reports to the President. and to ensure the internal auditor’s independence and objectivity.6 Reporting Relationship: IIA Standards on Reporting Relationship: The Internal Audit Standards Board and the Professional Issue Committee have anticipated potential conflicts associated with the audit reporting relationships. Internal auditors shall be prudent in the use of information acquired in the course of their duties. if not revealed. Organizational status relates to the internal audit department’s purpose. 2. Internal auditors shall refrain from entering into any activity which may be in conflict with the interest of the organization or which would prejudice their ability to carry out objectively their duties and responsibilities. They shall not use confidential information for any personal gain nor in a manner.

CAE reporting line also critical to ensuring the appropriate flow of information and access to key executives and managers that are the foundations of risk assessment and reporting of results of auditing activities. The Standards are clarified by Practice Advisories. Conversely.The Institute believes strongly that to achieve necessary independence.Appropriate reporting lines are critical to achieve the independence.1. 1110. consistent with the standards and approved by the board.. authority. and the free and unfettered communication to any level within the organization needed to ensure adequate attention to the findings and appropriate follow-up action.scope of work is addressed in Standards for the Professional Practice of Internal Auditing (Standards) 1000: 1000 Purpose. which should be brought to the attention of the audit committee and its equivalent. the CAE should report directly to the Chief Executive Officer of the Organization. free from any interference in meeting the mandate stated in the internal audit charter including the scope of work. in most circumstances. but do not explicitly prohibit other reporting relationship such as CFO. The Standards suggest a reporting relationship that includes the CEO and the Board.. any other relationship must meet the overall criterion of the ensuring board audit coverage.7 Reporting Lines: The reporting line for an internal auditor is as follow: 9|Page . 2.. and organizational stature for an internal audit function necessary to effectively fulfil its obligations. performing work. Authority. the choice of audit procedures. . objectivity.. The Practice Advisory on Organizational Independence is more explicit: 1. the CAE should report functionally to the audit committee and its equivalent. and responsibility of the internal activity should be formally defined in a charter. The standards clearly indicate that the board must have a prominent role in setting the scope of the internal audit activities.. 1110 Organizational Independence: The chief audit executive should report to a level within the organization that allows the internal audit activity to fulfil its responsibilities.A. For Administrative purposes.1 The internal audit activity should be free from interference in determining the scope of internal auditing. any reporting relationship that impedes the independence and effective operations of the internal audit function should be viewed by the CAE as a serious scope limitation. . However. and Responsibility: The purpose. 2. and communicating results.

Management of the audited area should be made aware that the Internal Auditor has those files. Requesting any files that may be needed.8 The Responsibilities: Internal Audit activities will be carried out in a professional manner. Disagreements should be reported to the Director of Internal Audit. Acquainting oneself with the premises. accurate and well-documented manner. Conducting work so as to minimize disruption of the audited area’s workflow or ability to service their customers. Safeguarding all files / records that have been entrusted to the Auditor’s possession. Internal Auditor: The Internal Auditor is generally responsible for the following: • • • • • • • • • • • • • • Disclosing or declaring any impairment to independence or objectivity that may exist. or by the general public. and according to accepted standards of practice within the internal audit industry. Completing assigned tasks in a timely. responsible employees. Returning all files / records to the person or area they were obtained from. Maintaining all records in the same or better condition than that in which they were found. In order to ensure this level of performance. Submitting all completed work papers to the Director of Internal Audit for final review and approval. Performing assigned tasks in an independent and self-directed fashion. and the location of records early in the audit. all personnel assigned to the department must share responsibility for the completion of all assigned tasks in a professional manner. Assuming a friendly and cooperative demeanor with the audited area’s staff. Conducting oneself in a professional manner at all times.    Board of directors Chief executive officer Chief operating officer Chief financial officer 2. thorough. avoiding those situations that would lead to criticism by the area being audited. 10 | P a g e . Completing other tasks as assigned.1.

As work papers are completed. and ensuring that all supporting documentation is properly retained. Ensuring that all Worksheets issued are properly constructed. and communicated. Performing follow-up work as necessary subsequent to the audit. ensuring that all objectives have been accomplished and all conclusions are properly supported. Ensuring that the audit or review is conducted with the least amount of disruption to the audited area as is possible. Ensuring that audit findings and recommendations made during the course of the audit are promptly communicated to management. Conducting an “Exit Review” or briefing at the culmination of field work.• • Retaining all records on premises . Additional Responsibilities: The Internal Auditor also bears the following.9 The scope and Nature of the work: STANDARD 300 . Managing the audit in relation to time and resource budgets. Drafting and seeking approval for a formal Audit Report. 2. or forms the basis of all audit work planned and performed. Returning all documents taken to the Internal Auditor’s work area to the records custodian by the end of the day if such return is requested. Finalizing the audit file(s). Pre-planning the audit in accordance with the scope and complexity of the area under review. higher-level responsibilities: • • • • • • • • • • • • • Developing a familiarity with the organization and functions of the unit to be audited.1.SCOPE OF WORK 11 | P a g e . Accepting responsibility and accountability for the audit work performed on assigned projects. supported. Ensuring that an assessment of risks is incorporated into.never removing vital documents from the premises.

. . Rotation of sensitive duties among employees. . . and related to specific operating plans and budgets. classify the scope of the audit: -. 12 | P a g e . . determine whether the auditors obtained sufficient background information and legal or other expert advice to identify and interpret these items. procedures.The scope of internal auditing should encompass the examination and evaluation of the adequacy and effectiveness of the organization’s system of internal control and the quality of performance in carrying out assigned responsibilities. determine if the audit program included appropriate procedures to detect that: . Records were adequate and current.If the scope of the audit included a review of the means to safeguard assets. • Review and evaluate the internal audit department’s plans and confirm that the plans are defined. timely and relevant. . regulations. laws.If the scope did not include “compliance” control objectives. laws or regulations (Standard 320) -.If the scope did not include “reliability and integrity of information” control objectives. • Determine if each of the five objectives included in the Standards were included as part of the audit work performed. -.If the scope of the audit included a review of the reliability and integrity of information.Reliability and Integrity of Information -.Safeguarding assets (Standard 330) -. . . . . Adequacy of reconciliation procedures. . Adequacy of the separation of duties.Reliability and integrity of information (Standard 310) -. Information systems produced data that were accurate. . . .Determine if the auditors tested key controls designed to ensure compliance or indicated why controls were not tested. and Regulations -. determine the audit program contained adequate procedures to determine the: . procedures. Adequacy of the physical protection of assets and records. Review and approval of transactions by authorized individuals. . Adequacy of management’s periodic surprise reviews. Transactions had been properly reviewed and approved. and other items that could have a significant impact on operations.Economic and efficient use of resources (Standard 340) -. . approved by management and the board. • Assess progress toward achieving the audit plan. . determine if this omission was appropriate. Laws. Procedures. . . .Compliance with policies. plans. .Determine if the auditors tested the key controls identified or said why the controls were not tested. . .If the scope of the audit included a review of systems established to ensure compliance with policies. -. . Standard 330 . Based on the objectives and the procedures performed. . measurable. -.Compliance with Policies.Accomplishment of established goals and objectives for programs or operations (Standard 350) Standard 310 . -.Safeguard Assets -. . Standard 320 . Adequate controls existed to detect or prevent errors and irregularities. . determine if this omission was appropriate. .

Based on a risk assessment of the organization. → Assessed techniques and data that the auditee used to measure effectiveness and the action taken in response to these measurements. -.Determine if the auditors tested key controls designed to ensure compliance with the safeguard of assets or stated why the controls were not tested. → Determined whether objectives and goals were met. → Determine if the auditors tested key controls designed to ensure the appraisal of the economic controls were not tested. Internal auditing activity is generally conducted as one or more discrete projects. management and oversight Boards determine where to focus internal auditing efforts. Establish and communicate the scope and objectives for the audit to appropriate management. → If the scope did not include “economy and efficiency” control objectives. Standard 350 . → Identified inefficient or non-economic uses of resources. determine if the auditors: → Identified relevant objectives and goals and the systems for measuring how well these were met.If the scope of the audit included an appraisal of the economy and efficiency with which resources were employed. → Identified and analyzed deviations from the standards. → Determined if the standards were appropriate in keeping with the entity’s goals and objectives.Economy and Efficiency -.If the scope did not include “safeguarding assets” control objectives. → Estimated the costs and benefits of not meeting goals. -. → Determined whether standards were met. A typical internal audit project involves the following steps: 1.Determine if the auditors tested the key controls designed to ensure programs were meeting established objectives and goals. -. determine whether this omission was appropriate. internal auditors. → Discussed deviations with proper individuals. determine if the omission was appropriate. Standard 340 .Goals and Objectives -. determine if this omission was appropriate. 13 | P a g e . → Reviewed for evidence that the auditee was looking for cost-effective ways to accomplish objectives and goals. → Determined if auditees understood these standards.If the scope did not include “accomplishment of goals and objectives” controls objectives. determine if the auditors: → Identified operating standards.-. → Established criteria for evaluating the program’s effectiveness.If the scope of the audit included a review to detect whether programs were meeting established objectives and goals.

Develop and execute a risk-based sampling and testing approach to determine whether the most important controls are operating as intended.1. (3) The other person or entity relies on the internal auditor to perform his or her task up to the standards of the profession. and key transaction types. Flowcharts and narratives may be created if necessary. Describe the key risks facing the business activities within the scope of the audit. Follow-up on reported findings at appropriate intervals. 4. (2) The internal auditor performs his or her task below the standards of care of other internal auditors in the profession. Report problems identified and negotiate action plans with management to address the problems. and 14 | P a g e . 2. 6. the potential for liability could be created if (1) The internal auditor undertakes to perform a task as an internal auditor for some person or entity.2. specialists called Information Technology (IT) Auditors review information technology controls. This involves review of documents and interviews.10 Legal Liability: • Basically. Many of the above steps are iterative and may not all occur in the sequence indicated. and (4) As a result of performing below the standards the other person or entity suffers damages (such as when the internal auditor fails to discover a problem that would have been discovered if he or she performed in accordance with internal auditor standards). • If the internal auditor is solely an employee of the company for which he or she is performing internal auditing services (the typical situation). Internal audit departments maintain a follow-up database for this purpose. 7. 3. This includes objectives. In addition to assessing business processes. By analyzing and recommending business improvements in critical areas. Develop an understanding of the business area under review. measurements. Identify control procedures used to ensure each key risk and transaction type is properly controlled and monitored. 5. Project length varies based on the complexity of the activity being audited and Internal Audit resources available. auditors help the organization meet its objectives.

an annual plan approved by the deputy head. gets sued. In this situation (situation (2)) you get into a lot of discussion about whether the internal auditor knew or should have known that his or her opinion.1. it may be possible for the outside auditor. The situation could be a little more difficult if the internal auditor produces an opinion. (2) If the internal auditor is an outside entity hired by the company and the internal auditor's opinion. or the shareholders to sue the internal auditor. 2. the creditor. In this study we examined how departments carried out the processes of planning. or a report that can reasonably be expected to be relied on by outside entities (such as creditors or shareholders). and governance processes. work product or report is relied on by the company's outside auditor. • (1) If the internal auditor is an employee of the company. In theory it may be possible to also sue the employee internal auditor but that would seem to be a stretch of the law. the internal auditor typically gets fired. If the internal auditor is an outside entity hired by the company to perform internal auditor services. if any. or a report that is relied on by someone outside of the company. For example. it may be possible for the company to sue the internal auditor for negligent performance of services.11 Planning and Performance of auditing: Audit Planning Planning is also required for managing audit activities and evaluating the performance of the audit group. not the internal auditor. then most likely the company. and proper assignment plans. if the opinion. work product or report is given to the outside auditor. or shareholders.• • If the internal auditor performs below the standard of care in the profession. Planning Process The audit plan is developed by identifying the audit universe. work product. and if the opinion. would probably be limited to just the company. creditor. and not to outside people or entities. performing a risk analysis. and obtaining input from management relative to risks. or shareholders. work product. The 1982 Standards for Internal Audit require that departments have a long-term plan (covering three to five years). controls. or to a creditor of the company. or a creditor. but not sued for negligence by the company. The internal control framework established by management is an integral part of audit review. liability. If the internal auditor is an outside entity that the company hires to perform the internal audit function of the company. or to shareholders. work product or report is reasonably relied on by the outside auditor. or if it is given to and relied on by creditors of the company. 15 | P a g e . assuming that the internal auditor is not expressing or producing an opinion. work product or report would be provided to and relied on by the outside auditor.

internal auditors should consider the objectives of the activity being reviewed and the means by which the activity controls it performance. respective responsibilities. and opportunities for making significant improvements to the activity’s risk management and control systems. reducing the overall effectiveness of the audit. Assignment Planning After selecting an area for audit. and details of the time and costs of the project. Flexibility of the plan is necessary in order to respond to the changing needs of the organization. scope. The adequacy and effectiveness of the activity’s risk management and control systems compared to a relevant control framework or model. While audit groups do develop assignment plans. and before beginning the audit. The assignment plan is intended to identify the issues to be emphasized. iii. Planning Considerations The internal auditor is responsible for the planning and conducting the internal audit. this understanding should be documented. The result of not conducting such in-depth analysis is that minor areas may be over-audited while key areas are under-audited. During the course of the audit. Performance of the Audit work An evaluation of the effectiveness and efficiency of internal audit work includes the following attributes: a. Long-range and Annual Planning Internal Audit require audit groups to sub-divide their total audit responsibility or audit universe into specific auditable units and to assess the importance of these units in terms of such factors as materiality. but not limited. and other client expectations.Risk or control concerns identified by audit staff or external auditors are also evaluated as the plan is developed. internal audit groups prepare specific audit assignment plans. the audit techniques to be used. ii. In planning the engagement. It points out that this is a particularly important step. The internal auditor’s identification and assessment of the significant risks and controls relevant to the activity under review and the means by which the potential impact of the risks is kept to an acceptable level. For significant engagements. to the following: i. Internal auditors should establish an understanding with engagement clients that address objectives. or opportunities for improvement. Engagement Objectives 16 | P a g e . The preplanning process includes an evaluation of various attributes that include. as it forces audit managers to focus their attention on areas where use of available resources would best achieve the departmental audit objectives. adjustments are made as additional information is obtained. b. importance to management and previous audit coverage. This is normally done in a preliminary survey phase prior to committing audit resources for the entire audit. risk of loss. weaknesses in controls. they should generally have more interaction with senior management and carry out more rigorous and systematic analysis of potential audit areas to identify the major issues. subject to supervisory review and approval.

informed person would reach the same conclusions as the auditor. Staffing should be based on the complexity of the engagement. including those under the control of third parties. scope. Work programs for engagements may vary in form and content depending upon the nature of the engagement. The audit programs should be recorded and establish the procedures for identifying. Specific information or evidence includes the following: i. Competent information-is reliable and attainable through the use of appropriate audit techniques. these reservations should be discussed with the client to determine whether to continue with the engagement. and convincing so that a prudent. In performing consulting engagements.Objectives should be established for each engagement. Engagement Work Programs Internal auditors should develop work programs that achieve the engagement objectives. e. respective responsibilities and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards. and results. If internal auditors develop reservations about the scope during the engagement. and available resources. Engagement objectives should reflect the results of the risk assessment. a specific written understanding as to the objectives. Approval should be obtained from senior management and/or legal counsel prior to the releasing such records to external 17 | P a g e . The scope of the engagement should include consideration of relevant systems. evaluating. controls and governance processes to the extent agreed upon by the client. Internal auditors should conduct a preliminary assessment of the risks relevant to the activity under review. Performing the Engagement Internal auditors should identify and record information or produce evidence that achieves the engagement’s objectives and supports the auditors’ analyses. sampling. and iv. The audit program should be approved prior to its implementation. Engagement Scope The established scope should be sufficient to satisfy the objectives of the engagement. internal auditors should ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. c. personnel. time constraints. Sufficient information-is factual. conclusions. and recording information during the engagement. d. If significant consulting opportunities arise during an assurance engagement. iii. The engagement objectives should address risks. Useful information-helps the organization meet its goals. adequate. The internal auditor should consider the probability of significant errors. irregularities. Engagement Resource Allocation A determination of staffing resources necessary to achieve the engagement objectives should be performed. noncompliance and other exposures when developing the engagement objectives. records. The audit director should control access to the workpapers. and any adjustments approved in a timely manner. ii. f. analyzing. and physical properties. Relevant information-supports audit findings and recommendations and is consistent with the objectives for the engagement.

risk management. there are several types of reports that could be utilized. these issues are significant to the organization. Engagement Supervision The engagement should be supervised to ensure the objectives are achieved. Objective reports are factual. satisfactory performance should be acknowledged. and recommendations should be included without prejudice. Concise reports are those which. Reason(s) for noncompliance. Evidence of supervisory review should be documented in the work papers. h. clear. communication of the results should disclose the: i. Impact of noncompliance on the engagement. Standard(s) with which full compliance was not achieved. complete. In addition.parties. and where appropriate. The audit director or designee is responsible to review and approve the final audit report before issuance and should decide to whom the report will be distributed. and free from distortion. and. Although audit reports do not have a prescribed format. which include: i. as appropriate. iii. 2. quality is assured. On-going monitoring and key business activities The audit director should implement a process to monitor critical business activities and key performance indicators continuously such as exception reports and interim reviews. and timely. action plans. iii. recommendations. Communication of the progress and results of engagements will vary in form and content depending upon the nature of the engagement and the needs of the client. g. Whenever. they should be communicated to senior management and the board. conclusions. unbiased. as a result of their content and tone. Formal-with carefully structured formats. help the 18 | P a g e . coordinating with other risk management functions. When noncompliance with the Standards impacts a specific engagement. control and governance issues may be identified. clear. ii. constructive. developing the audit plan based on risk priorities and being involved in technology projects. Interim-with brief statements of conditions requiring immediate action. Clear reports are easily understood. and the experience and competency of the internal audit staff is developed. the internal audit director should communicate corrected information to all parties who received the original information.12 Audit Report: Audit reports are a culmination of the work that was performed. Clarity can be improved by avoiding unnecessary technical language and providing sufficient supportive information. concise. Informal-in letters or memoranda to operating management.1. ii. and. Nature of the Audit Report: Reports will be objective. constructive. Record retention procedures should be established that are consistent with the organization’s and industry guidelines and regulatory requirements. If a final communication contains a significant error or omission. The audit report should be accurate. The report should include the engagement’s objectives and scope as well as applicable conclusions. contain the internal auditor’s overall opinion. concise. objective. Findings. If appropriate. and timely.

and performance relative to its plan. personnel. and recommendations. Contents of the Audit Report: The audit director should report periodically to the audit committee and senior management on the internal audit’s purpose. Findings are pertinent statements of fact. Purpose statements should describe the audit objectives and may. Background information may identify the organizational units and functions reviewed and provide relevant explanatory information. and financial budgets. and External auditor’s reports. v. inform the reader why the audit was conducted and what was expected to be achieved. supportive information such as the time period audited. and results of the audit. iii. The status of the current audit plan and other audit matters such as audit department performance. employee related issues. conclusions (opinions). and contingent litigation. and other matters needed or requested by the board and senior management. Tracking of previous reported findings and management’s response. where appropriate. Summaries of significant risk exposures and control issues. responsibility. authority. Those findings which are necessary to support or prevent misunderstanding of the Internal Auditor's conclusions and recommendations should be included in the final audit report. Audit findings emerge by a process of comparing "what should be" with "what is. They may also include the status of findings. third-party examination reports and presentations. There may also be an indication of whether the report covers a scheduled audit or is in response to a request. Results may include findings. ii. Timely reports are those which are issued without undue delay and enable prompt effective action. The following are examples of attributes to be included and subjects to be addressed in the report: i. Reports should contain the purpose. if included. Summaries. scope." Whether or not there is a difference. and recommendations from prior reports. should be balanced representations of the audit report content. the Internal Auditor has a foundation on which to build the report. training. The nature and extent of auditing steps performed should also be described. 19 | P a g e . where necessary. Scope statements should identify the audited activities and include. corporate governance issues. iv. Related activities not audited should be identified if necessary to delineate the boundaries of the audit. corporate governance issues. Reporting should also include significant risk exposures and control issues. conclusions. and other matters needed or requested by the board and senior management such as new regulatory and/or accounting requirements. Less significant information or findings may be communicated orally through informal correspondence.auditee and the organization and lead to improvements where needed. and SAS 70 reviews on key/critical outside service providers. Audit reports include background information and summaries. Prior audit reports and management’s responses.

it may be desirable to recommend a general course of action and specific suggestions for implementation. Condition: The factual evidence which the Internal Auditor found in the course of the examination (what does exist). They may cover. then: • • Cause: The reason for the difference between the expected and actual conditions (why the difference exists). Effect: The risk or exposure the auditee organization and/or others encounter because the condition is not the same as the criteria (the impact of the difference). Auditee accomplishments. They usually put the findings in perspective based upon their overall implications. Recommendations may suggest approaches to correcting or enhancing performance as a guide for management in achieving desired results. acknowledgment in the audit report of satisfactory performance is appropriate. the Internal Auditor should try to obtain agreement on the results of the audit and on a plan of action to improve operations. or expectations used in making an evaluation and/or verification (what should exist). Audit conclusions. If the Internal Auditor and auditee disagree about the audit results. As part of the Internal Auditor's discussions with the auditee. The reported findings may also include recommendations. if included in the audit report. the audit report will state both positions and the reasons for the disagreement. and supportive information if not included elsewhere. auditee accomplishments. In other circumstances. as needed. whether operating or program goals and objectives conform to those of the organization. The auditee's views about audit conclusions or recommendations will be included in the audit report. should be clearly identified as such. This information may be necessary to fairly represent the existing conditions and to provide a proper perspective and appropriate balance to the audit report. If there is a difference between the expected and actual conditions. Findings should be based on the following attributes: • • Criteria: The standards. Conclusions (opinions) are the Internal Auditor's evaluations of the effects of the findings on the activities reviewed. measures. should be included in the audit report. Recommendations are based on the Internal Auditor's findings and conclusions. Recommendations may be general or specific. For example.When conditions meet the criteria. under some circumstances. They call for action to correct existing conditions or improve operations. in terms of improvements since the last audit or the establishment of a well-controlled operation. but are not limited to determining. Conclusions may encompass the entire scope of an audit or specific aspects. it may be appropriate only to suggest further investigation or study. Reports may include recommendations for potential improvements and acknowledge satisfactory performance and corrective action. whether the organization's goals and objectives are being met. and whether the activity under review is functioning as intended. Any disagreement 20 | P a g e .

Management is responsible for deciding the appropriate action to be taken in response to reported audit findings. The Internal Auditor is responsible for assessing such management action for timely resolution of the matters reported as audit findings. In deciding the extent of follow-up. proprietary.of a material nature should be clearly followed up with senior auditee management and possibly the Vice Chancellor's level. The auditee's written response will be incorporated into the audit report. The Chancellor will be informed of senior management's decision on all significant audit findings. effectiveness. may be disclosed in a separate document such as a management letter. Internal Audit will maintain files containing issued audit reports. A draft of the audit report will be distributed to the manager responsible for the area audited a week before the exit conference. The final report (including the manager's comments) will be sent within 30 days of the exit conference to the Vice Chancellor for Administrative Affairs. Such follow-ups also include relevant findings made by external auditors and others. The final audit report must address significant findings and recommendations. Insignificant findings may be reported to lower level auditee management verbally or in a separate report. or related to improper or illegal acts. The Internal Auditor will review and approve the final audit report before issuance. Certain information may not be appropriate for disclosure to all report recipients because it is privileged. Internal Audit will determine whether senior management has assumed the risk of not taking corrective action on reported findings. The auditee's response must specify a time frame for implementing the audit recommendations. Responsibility for follow-up is defined in Internal Audit's charter. and timeliness of actions taken by management on reported audit findings. Follow-Up The Internal Audit reports will be followed up to ascertain whether appropriate action has been taken on reported audit findings. The nature. If the conditions being reported involve senior management. Factors which should be considered in determining appropriate follow-up procedures are: 21 | P a g e . however. Follow-up is defined as a process by which the Internal Auditor determines the adequacy. timing and extent of follow-up should be determined by the Internal Auditor. Such information. report distribution will be to the Chancellor and to the UW System Administration Internal Audit Department only. The Chancellor will be informed of senior management's decision on all significant audit findings. Senior management may decide to assume the risk of not correcting the reported condition because of cost or other considerations. internal auditors should consider procedures of a follow-up nature performed by others in the organization.

as well as on the degree of difficulty and the significance of timing in implementing corrective action. 22 | P a g e • • • • . 3. The response will then be evaluated by the Internal Auditor. follow-up may be performed as part of the next audit. including the assumption of risk. Verification of the response (if appropriate) will be done immediately. There may also be instances where the Internal Auditor judges that management's oral and written response shows that action already taken is sufficient when weighed against the relative importance of the audit finding. The Internal Auditor is responsible for scheduling follow-up activities as part of developing audit work schedules. The degree of effort and cost needed to correct the reported condition. 3. and The time period involved. A follow-up audit will be performed within one year. and Unsatisfactory responses/actions. Scheduling of follow-up should be based on the risk and exposure involved. 4. 5. 2. Reporting to senior management or the Vice Chancellor for Administrative Affairs on the status of responses to audit findings.1. Receiving periodic updates from management in order to evaluate the status of management's efforts to correct previously reported conditions. The Internal Auditor should ascertain whether actions taken on audit findings remedy the underlying conditions. 5. 4. will be reported to the appropriate levels of management upon completion of the follow-up audit. Responses are more useful if they include sufficient information for Internal Audit to evaluate the adequacy and timeliness of corrective action. 2. Certain reported findings may be so significant as to require immediate action by management. Receiving and evaluating reports from other organizational units assigned responsibility for procedures of a follow-up nature. Receiving and evaluating management responses to audit findings during the audit or within a reasonable time period after the report is issued. The complexity of the corrective action. Techniques used to effectively accomplish follow-up include: • Addressing audit report findings in the appropriate levels of management responsible for taking corrective action. The significance of the reported finding. The risks which may occur should the corrective action fail. These conditions should be monitored by internal auditors until corrected because of the effect they may have on the organization. On such occasions. Specific follow-up procedures may include the following: 1. Management will respond to the audit findings within 30 days.

who may be relatively junior in the organization. They provide an opinion on the adequacy of the company’s financial statements. and application of sound audit and consulting principles. the introductory paragraph is written to indicate that an audit has been conducted and then identifies the financial statements that the auditors examined during the audit. risk management. First. and this individual.1 Definition: An external auditor seeks to test the underlying transactions that form the basis of the financial statements. Some organizations assign internal auditing on a part-time basis to an existing staff member who has other responsibilities. the person does not have the professional internal audit training or experience necessary for optimal effectiveness.2. External auditor’s primary purpose is to give a company feedback on the effectiveness of the internal control system by giving an opinion with four main paragraphs. highrisk processes may not be identified for reviews and serious internal control deficiencies may be overlooked. In this environment. independent. they are also running the risk of relying on management who may not be in the best position to provide skilled. The second paragraph is the scope paragraph which describes the character of the work in the audit and stating that they abided by Generally Accepted Auditing Standards (GAAS). indepth organizational knowledge. exercised due professional care. depending on the company. independent. planned and supervised the work.2. This paragraph explains that the auditors were trained and proficient. In other words. an external auditor reviews the control procedures and many other operations as their overall evaluation of internal controls. Such organizations run the risk of poorly performed audits and reviews.1. 2. fully resourced and independent internal audit activity is well positioned to provide valuable support and assurance to an organization and its oversight entities. obtained a sufficient understanding of the business 23 | P a g e . and internal controls are essential to corporate success and longevity.2 External Auditor 2. a well functioning. and objective opinions on internal controls. In addition. A primary lesson from the financial failure and collapse of numerous organizations is that good governance. When this occurs.13 Common purposes and uses of audit report: Organizations which do not have an internal audit function are therefore missing out on the valuable benefits that professional internal auditors provide. may lack the organizational status and stature to achieve positive results. It is expected that the auditor would identify significant weaknesses that exist and make sure that anything material in nature be reported to management and possibly to higher authority. They review the general controls as well as the overall financial statement preparation and reporting. Because of its unique and objective perspective.

and its internal control system and gathered sufficient evidence. Dishonesty of the Auditor. These are the general standards and standards of field work which make up GAAS. 4. or refused to accept the appointment. 2. The Companies Act Every Auditor appointed so . shall be re appointed unless: He is not qualified for re appointment.2.2 Legal Status: Appointment & Remuneration Section 210 – Companies Act 1994 Every company shall. 2. Death of the Auditor. shall within 30 days of the receipt from the company shall notify the Registrar of Joint Stock Companies & Firms ( RJSCF) . Disqualification of the Auditor. 3. at each AGM appoint an auditor or auditors to hold office from the conclusion of that meeting till next AGM. A resolution has been passed at the meeting appointing somebody else. Provided that no person can be appointed as an Auditor of any company unless his written consent prior to appointment or re appointment have been obtained. The Companies Act 1994 states…. • • • • At any AGM . Incapacity of the Auditor. a retiring Auditor by whatsoever authority appointed . He has given notice in writing of his unwillingness to be re appointed. Qualification & Disqualification of Auditors 24 | P a g e . Exception for such Resolution A resolution can be passed to change Auditor ONLY under the following circumstances: 1. in writing that he has accepted.

4 Appointment: The Board is responsible for appointing the external auditor. A person who is a partner/director/agent. 3. Powers & Duties of Auditors • • Section 213 : Every auditor of a company shall have a right of access at all times to the books and accounts and vouchers of the company whether kept at head office of the company or branch and shall be entitled to require from the officers of the company such information and explanations as the auditor may think necessary for the performance of his duty as an auditor. Moreover.3 Eligibility: To be eligible as an External Auditor one needs to accomplish the CA (Chartered Accountant) course having honours degree completed major in accounting or commerce and having the CA firm with the partnership of the person having the same educational qualification. 2. 1973 . Any shareholder holding more than 5% of shares in FV. Any person who provided guarantee/ security to any third person to the company exceeding taka one thousand. The Audit and Risk Management Committee is responsible for implementing a selection process for appointment of the auditor and making a recommendation to the Board based on their assessment of the responses received from potential external auditors. 2. 2.2.• • • Qualification of Auditor : Section 212: No person shall be appointed as an Auditor unless he is a Chartered Accountant – within the meaning of Bangladesh Chartered Accountants Order . 4.2. In making any recommendation. they should be eligible according to the rules and requirements mentioned in BAS. the Audit and Risk Management Committee confers with senior 25 | P a g e . Disqualification of Auditors None of the following person to be appointed as auditors: 1. 5. An officer or employee of the company. subject to confirmation by shareholders at the Company's Annual General Meeting. A person who is indebted to the company for an amount exceeding one thousand taka.

including audit approach and methodology. internal governance processes. 2. key personnel and cost.7 Reporting Lines: The reporting line for an external auditor is as follow: Board of Directors Audit Committee Management Internal auditor Regulators 26 | P a g e .5 Organizational Status: The External Auditor is not employed by the organization to be audited but by the shareholders of the company. the external auditor ensures this by drawing an opinion regarding the truth and fairness about the reporting by the management. The assessment of responses from potential external auditors takes into account a number of key criteria. Once the review process has taken place the Audit and Risk Management Committee provides the Board with information concerning the process adopted in undertaking the review. The external auditor is appointed by the Shareholders in AGM meeting and he or she works in the interest of the shareholders i.e.2.executives on the responses received.ssssss 2. it is not necessarily mean that the shareholders cannot be the board of director. ensures whether the management of the organization are providing the true and fair financial report to the shareholders.2. Thus it is clear that there is a build up reporting-relationship between the external auditor and the shareholders of the organization. the external auditor is not an employee of the company being audited having the organizational status of as an outsider who cannot influence the decision taken by the management rather the external auditor just draw an opinion regarding the truth and fairness of the books of records in favour of the shareholders.6 Reporting Relationship: The organization to be audited run its operation with the finance provided by the shareholders and the Board of directors represent the management. 2. the recommended external auditor and the reasons for final recommendation. global resources.2. thus.

2. have a general understanding of internal controls to appropriately determine the nature. existence. properly supervise the audit and the work of assistants.2. speak out on the fairness of the presentation of the financial statements. taken as a whole. effectiveness and management’s monitoring of those controls. inquiries and confirmation to form an opinion on the financial statements.8 The External Auditor’s Responsibilities: The external auditor’s responsibilities under professional standards are to: • • • • • • • be independent of the bank in fact and appearance. obtain sufficient evidence through inspection.2. obtain an understanding of the bank’s system of internal controls. examine management’s documentation and evidence supporting the system of internal controls that underlie management’s assertion regarding the design.2.9 Common purposes and uses of audit report: The external audit report is prepared for the organizations shareholders to ensure the fairness and truthfulness of the financial reports issued by the company management for the shareholders and for the purpose of checking whether the control activities are in a right track and the control environment is free of biasness.10 The scope and Nature of the work: 27 | P a g e . timing. exercise due care in auditing and preparing the report. and extent of any tests to perform. exercise professional skepticism. consider potential for fraud when planning and executing the audit of the financial statement and the audit of internal controls. and report the audit results in accordance with GAAS. plan. conduct. 2. existence and effectiveness of the internal controls. observation. • • • • • • 2. have adequate technical training and proficiency as an auditor. and speak out on management’s assertion regarding the internal controls system that governs financial reporting and disclosure. in terms of its design.

system designs. inquiry. confirmation. and issuing a report. coupled with the joint and several liabilities. Auditing and accounting are more complex because of factors such as the increasing size of business. inspection. There is an increased consciousness on the part of the Securities and Exchange Commission (SEC) regarding its responsibility for protecting investors’ interests. Many CPA firms are willing to settle their legal problems out of court in attempt to avoid costly legal fees and adverse publicly rather than resolving them through the judicial process. Evidencegathering procedures include observation. Legal Environment: Professionals have always had a duty to provide a reasonable level of care while performing work for those they serve. 2. Large civil court judgements against CPA have been awarded in a few cases. gathering evidence. In planning the audit. Audit evidence is proof obtained to support the audit's conclusions. regardless of who was at fault. This arrangement offers the injured party a potential gain when the suit is successful. and the intricacies of business operations. which have encouraged attorneys to provide legal services on a contingentfee basis. and company policies and procedures.The independent auditor generally proceeds with an audit according to a set process with three steps: planning. The audit trail enables an auditor to evaluate the strengths and weaknesses of internal controls.2. Despite efforts to address legal liability of CPAs. the globalization of business. Society accepts law suits by injured parties against anyone who might be able to provide compensation. calculations. analysis. but the major factors are the following: • • There is growing awareness of the responsibilities of public accountants by users of financial statements. including suits involving third parties under both common law and federal securities acts. but minimal loss when it is unsuccessful. Audit procedures include those activities undertaken by the auditor to obtain the evidence. and comparison. An audit trail is a chronological record of economic events or transactions that have been experienced by an organization. • • • • 28 | P a g e . There is no simple reason for this trend. both the number of lawsuits and size of awards to plaintiffs remain high.11 Legal Liability: A. the auditor develops an audit program that identifies and schedules audit procedures that are to be performed to obtain the evidence.

When he is appointed by a Joint Stock Company under the Companies act 1984. meaningful and well covered reporting with a sense of time. Contents of Audit Planning: The audit plan should cover the following areas: i.2. When he is appointed by a private concern. ii. ii. audit programming and scheduling Man power planning and quality control plan 29 | P a g e . 2. The liabilities of an auditor from the legal point of view may be under two head. v.• Courts have difficulty in understanding and interpreting technical accounting and auditing matters.12 Planning and control of auditing: The external auditor has to conduct the audit in a planned manner. viz. Legal Position of an Auditor: The present company law imposes a wide responsibility upon the practising auditor not only to his client but also to third parties whom he never or who had never employed him. Charges are often. iii. viii. what the objectives and scope of the audit are. a. vi. cost and above all quality. but he or she does control to his or her plan and quality. iii. Clear fixing of what the audit engagement is about. and b. For not detecting the misappropriation of money by the employees of the client because of incorrect accounting procedures. B. levelled against them for the following: i. Gaining knowledge of client’s business Gaining knowledge of client’s internal control system Considering of laws governing the entity of the client Considerations as to initial engagement Obtaining terms of engagement Planning for nature and extent of audit procedures. An external auditor not only plans the areas of his or her workings. a planned performance. vii. Errors in preparing the final accounts Dishonesty and carelessness on the part of the auditor. iv. It is with a mission.

timing for submission Legal and statutory milieu Accounting policies followed by the entity. therefore. iii. Developing an overall audit plan-guiding the matters of audit objectives. iv. modify his plan to make his planning conform to the situations of exigencies that emerge. Benefits of audit planning: The followings are the identified benefits of audit planning: i. vii. Coordinating the work to be performed by others Documentation Audit Planning Audit Planning – a continuous and permeating exercise: An auditor plans and performs and as he performs. Factors affecting audit planning: The overall audit plan takes into consideration the following aspects: i. An audit is. any change effected thereon The effect of new accounting or auditing pronouncements by the governing body Identification of significant and special audit areas 30 | P a g e . The terms of engagement Statutory duties connected with audit The nature of the report. vi. ii. ii. And b. x. iv. scope. time-framework. reporting requirements etc. iii. timing and extent of audit procedures. v. Appropriate attention to important areas Potential problems promptly identified Time bound progress and completion Man power utilization Coordination of work of auditor and experts. v. Essentially it comprise of two dimensions: a. Developing an audit programme showing the nature. a continuous exercise.ix.

Creditors’ ledger. . xii. Sequencing: Audit programming also fixes up the time values in such a way that the overall completion of audit is not hampered for want of performance of initial and routine audit procedures. Scrutiny of journals. Staff Positioning: The staff who would do the specific procedures are also specified. Timing built in: The audit programme specifies the time and date by which the work should have been completed. ii. iii. ix. the deviation in performance are promptly signalled out the corrective measures are taken for conforming. The element of surprise. that the audit plan is appropriately modified and adopted to meet appropriately the real life situation. joint auditors. xiii. shift contemplated in matters and areas of audit. Audit Programming Contents of the Audit Programming: Audit programme is a plan of action translated into specific areas of audit works with check list of actions to be performed. Debtors’ ledger. Sales day book. An audit programme thus entails the following: i. Vouching of cashbook. x. xi. General ledger. v. iv. supervision and review required of the auditor are duly forthcoming. An audit programmes become well knit when time units and personal responsibility are embroidered on to the specific areas of work assigned. Purchase day book. direction. Audit Control An audit control is an Exercise to ensure that the audit plan is actually carried out in the line it is thought out to be.viii. etc. Bank book.internal auditor. In token of their having their done the job. 31 | P a g e . The setting of materiality level for audit purposes The probability of misstatements appearing in the financial statements due to fraud or errors Related party transactions-the transactions of the entity with those persons who are intimately related to the management The nature and the veracity of audit evidences obtainable The extant of participation in audit work by other people. they are required to sign the plan paper against the work area allotted to them with dates. the overall audit procedure of an entity may consist of the following. experts. Specific listing of audit area components in terms of related procedures: For example. Responsibility fixing: The auditor assigns duty to different staff.

Quality control policy and procedures of an audit firm regarding audit work generally Quality control procedures regarding the work delegated to assistants on an individual audit. supervision and review of the work delegated to ensure quality standards. 6. The standard deals with: i. Skills and competence: The staff must be adequately attained the professional competence and skills required of them to perform the duty of the auditor. Quality Control Policy for an Audit Firm: The audit firm should implement the quality control policies and procedures designed to ensure that all audits are concerned in accordance with auditing and Assurance standards in relation to the audit generally The relevant quality control objectives are1. coordinates the work by his interaction with the client. 4. Delegation: A delegation must be spirited in the sense that there must be sufficient direction. objectivity. a. The professional behaviour is a word of wider significance and it would require personnel to maintain a high degree of moral. whether in or about or away the work. Assignment: Audit work is to be assigned to the personnel who have the required technical training and proficiency required in the circumstances. Simultaneously. Acceptance and retention of a client: Decision as to accept a prospective client or retain an existing client should be based on the 32 | P a g e . Professional Requirements: This is quality objective that insist that all personnel adhere to the principles of independence. 5. Quality Control for Audit work: AAS 17 establishes audit standards on the quality control policies and procedures. confidentiality and professional behaviour. integrity. Consultation: Then auditor should have arrangements for access for consultation within and outside the firm with those who have appropriate expertise.The auditor exercise the control over his assistants. other experts involved in the business of the client in so far as they may relate to his audit work and subsequently taking note of the progress of the work. ii. ethical and work standards. the auditor builds up proper files of the audit matters and events to create the documentation for his plan and action. 2. 3.

Monitoring: The audit firm should ensure that quality control policy. procedures should be adequately communicated to the audit staff so that they can understand them properly and attempt to conform to them in their practice. accounting system Vulnerable areas of slip. The quality objectives. procedures are continued to be monitored for their accuracy and effectiveness in their implementation. policy. What possible problems or audit issues in such area they may encounter. What objectives the procedures seek to attain.time of start sequence of doing and elements of surprise 33 | P a g e . A standard solution if possible to them or if not. pitfall in internal control system. Staff Deployment: The auditor should ensure that the delegation of work to the assistants is done after considering the professional skills of the audit people to be at work. inter alia. Nature of audit situation in the light of uniqueness of business. the reference level to solve issues. Quality Control in an Individual Audit: The total quality policy of the firm specifies. a. b. Direction of work delegated: Direction involves in leading mentally the audit assistants to the work situations with a prior sense of how and when to do audit procedures. Direction involves• • • • • • • • Informing audit assistants about the what procedures (nature) they are to perform. 7. Timing of the audit procedure. that the quality control is to be implemented in relation to the individual audit work. What their responsibility are in relation to them.considerations like the firm’s independence and the ability of the firm to serve the client properly.

Review of work of junior audit clerks is done by another employee or the principle auditor as the case may be. The person who should review the work should be the person who has competence at least equal to the competence of the person who performed the work. d. Supervision involves: • Monitoring the progress of the work to ensure that the skills set of the audit staffs is appropriate to the requirements of real work. The direction is conveyed to the audit people at work through audit programme. providing appropriate further direction or modification of programme to suit them appropriately. analysing their significance. It is a tool to ensure that the audit programming is followed in substance over form.• Extent of audit procedure and so on. Supervision: Supervision by the auditor is a link exercise between direction and review. Review involves considering that • • • • • Work had completed as per audit programme Work performed and the results obtained have been adequately documented The significant audit matters have been resolved Where significant matters remain not resolved or they otherwise require of disclosure they are reflected in an audit conclusion The objective of the audit procedures have been achieved 34 | P a g e . c. • Monitoring the work to ensure that the work is carried out in accordance with overall audit plan and programming. overall audit plan and time budget. • Getting to know about accounting and audit questions raised during the audit. • Resolving the differences of professional judgement between personnel and considering the level of consultation where differences in judgement are sharp and require of deeper insights. That is peer or higher-ups are competent to perform review. • Monitoring the work to ensure that direction has reached the audit staff in correct sense. Review: The review is the final stage of quality testing process of audit work.

obtain loans. The audit report communicates the results of the audit work. The report is subsequently provided to a “user” (such as an individual. Writing an effective audit report starts with a clear understanding of how the report will be used. the review seeks to ensure that the links between audit opinion expressed and the audit performance and planning have been consistently and appropriately operated. among others) as an assurance service in order for the user to make decisions based on the results of the audit. issued by either an internal auditor or an independent external auditor as a result of an internal or external audit or evaluation performed on a legal entity or subdivision thereof (called an “auditee”). viewed. it can act as a positive change agent prompting management to take corrective action. It is important because it is what the department and senior management sees. or disclaimer thereof. and in some cases may be the only product of our work that management receives.13 Audit Report: The Auditor's report is a formal opinion. particularly in business. If written and communicated well. or even the general public. In short. An auditor’s report is considered an essential tool when reporting financial information to users. acted upon by department management. Audit reports have three major objectives: • • • Inform: To make department management aware of a situation by communicating the results of our audit work. Since many third-party users prefer. a company.2. 2. For that reason alone it is perhaps one of the most important parts of the audit process. a group of persons. Types of Audit Report: The audit report of an External Auditor can be of the following category: 35 | P a g e . and improve public appearance. or even require financial information to be certified by an independent external auditor. Some have even stated that financial information without an auditor’s report is “essentially worthless” for investing purposes. many auditees rely on auditor reports to certify their information in order to attract investors. a government. Results: To convince department managers to take appropriate action. Persuade: To convince department management that our comments are valid and worthwhile.• The audit conclusion are based on results of the work performed and there is no inconsistency between the two.

he or she is unable to form an opinion as to whether the financial statements are fairly presented (disclaimer). The scope paragraph is modified accordingly and an explanatory paragraph is added to explain the reason for the adverse opinion after the scope paragraph but before the 36 | P a g e . an adverse opinion is only given if the financial statements pervasively differ from GAAP. Generally. statement of retained earnings. 3. The three general standards have been followed in all respects on the engagement. income statement. but the scope of the audit has been materially restricted or generally accepted accounting principles were not followed in preparing the financial statements. Qualified: The auditor concludes that the overall financial statements are fairly presented. The financial statements are presented in accordance with generally accepted accounting principles. and the auditor has conducted the engagement in a manner that enables him or her to conclude that the three standards of field work have been met. The wording of the adverse report is similar to the qualified report. 4. • • • • 2. Sufficient evidence has been accumulated.1. Unqualified with Explanatory Paragraph: The following are the most important causes of an addition of an explanatory paragraph or a modification in the wording of the standard unqualified report: • Lack of consistent application of Generally Accepted Accounting Principles • Substantial doubt about going concern • Auditor agrees with a departure from promulgated accounting principles • Emphasis in a matter • Reports involving other auditors. An example of such a situation would be failure of a company to consolidate a material subsidiary. Adverse or Disclaimer: The auditor concludes that the financial statements are not fairly presented (Adverse). and statement of cash flows—are included in the financial statements. or he or she is not independent (Disclaimer). There are no circumstances requiring the addition of an explanatory paragraph or modification of the wording of the report. Standard Unqualified: An external auditor draws the Standard Unqualified Audit report if the following conditions are met: • All statements—balance sheet.

inaccurate. which hinder the auditor’s work in obtaining evidence and performing procedures (SAS No. “In our opinion. continue operating (SAS No. which means that they. because of the situations mentioned above (in the explanatory paragraph). Both internal and external auditors are based in a professional discipline and operate to professional standards. the most significant change in the adverse report from the qualified report is in the opinion paragraph. and do not present a fair view of the auditee’s position and operations. Some of the main similarities are that both internal and external auditors carry out testing routines which may involve examining many transactions. the financial position of…” Statements on Auditing Standards (SAS) provide certain situations where a disclaimer of opinion may be appropriate: • A lack of independence. or material conflict(s) of interest.3 Similarities & Dissimilarities between Internal and External Auditors Similarities between internal and external auditors There are many similarities between internal and external auditors. 58). where the auditor clearly states that the financial statements are not in accordance with GAAP. in other words. • • • 2. 26) There are significant scope limitations. in all material respects. The most important thing that internal and external auditors both do is produce formal audit reports on their activities and are both concerned with the occurrence and effect that errors have on misstating the final accounts. Some of these testing routines are testing the internal controls of the company and a test of reasonableness for bad debts. Another similarity between the two is that they both will be worried if procedures were very poor and there was a basic ignorance of the importance of following them. However. whether intentional or not. are unreliable. as a whole. 59) There are significant uncertainties within the auditee (SAS No. exist between the auditor and the auditee (SAS No. seek active co-operation between the two functions and are tied up during an audit with a company’s internal control system. There is a substantial doubt about the auditee’s ability to continue as a going concern or. A company creates controls for a reason and they should not be ignored. 37 | P a g e . 79).opinion paragraph. the financial statements referred to in the first paragraph do not present fairly.

Internal auditors are mainly concerned with overall risk management and external auditors are concerned with the “final” accounts and how data is presented in those accounts. unrestricted access to the company’s records. the independence of the auditor is very important. documents. Both functions are interested in the cooperation between internal and external auditors. etc. however. An internal audit forms an opinion on the adequacy and effectiveness of systems of risk management and internal control. are typically employed at the organization but there are an increasing number of internal auditors from an external source. internal auditors should have full and free access to the company’s audit committee. compliance. 38 | P a g e . the results of their activity are presented through audit reports. property and personnel and authority to discuss initiatives. This set of international standards includes the professional standards and the ethical code. policies and procedures regarding risk assessment. For both professions. External auditors can have the same privileges of access as internal auditors except that external auditors need to have proper authority to do so. Internal auditors. debts. a significant difference between internal and external auditors is that an external auditor is and external contract and not an employee of the organization being audited. internal controls. Internal and external audit are both concerned over the internal control system of the organization.Dissimilarities between internal and external auditors Besides the differences that were previously stated. Risk is a very important element the planning process for both internal and external auditors. One other difference between internal and external auditors is that unlike external auditors. The main similarities that could be identified between internal and external audit: • • • • • • Both internal audit and external audit profession are governed by one set of international standards issued by the professional organism specific for each profession. Another main difference between the two is that external auditors look to provide an opinion on whether or not the accounts are presented fairly and show legitimate assets. it is also required to know about the similarities and dissimilarities between the internal audit and the external audit. To be knowledge about the similarities and dissimilarities between the internal auditors and the external auditors. financial reporting and governance. For both functions.

The main differences between internal and external audit functions: No. Criterions Internal Audit 1. Position inside the organization The internal auditors' are part of the organization. Their objectives are determined by professional standards, the board, and management. Their primary clients are management and the board.

External audit

External auditors are not part of the organization, but are engaged by it. Their objectives are set primarily by statute and their primary client - the board of directors.





The internal auditor’s scope of work is comprehensive. It serves the organization by helping it accomplish its objectives, and improving operations, risk management, internal controls, and governance processes. Concerned with all aspects of the organization - both financial and nonfinancial - the internal auditors focus on future events as a result of their continuous review and evaluation of controls and processes. Internal audit must be independent from the audited activities. Internal audit regards all the aspects regarding the organization’s internal control system.

The primary mission of the external auditors is to provide an independent opinion on the organization's financial statements, annually.


Approach of internal control

External audit is independent from its client, the organization, its independence being specific to liberal professions. External audit regards the internal control system only from the materiality perspective, which permits them to eliminate those errors that aren’t significant, because they don’t have influences over the financial results.
39 | P a g e


Applying of the audit

Internal audit covers all the organization’ transactions.


Frequency of the audit


Approach of risk

Internal audit performs during the entire year, having specific missions established in according with the level of risks identified for each auditable entity. The importance of risk for the planning of internal audit activity is very high, the assessment of risk being combined with other types of information like financial and operational.

External audit covers only those operations that have a contribution at the financial results and the performances of the organization. External audit is an activity with a yearly frequency, as a rule, at the end of the year. External audit uses the information of risks for the determination of nature, period of time and necessary audit procedures that should be performed in the auditable area, taking into consideration only financial aspects.


Consideration Internal audit takes into consideration of risk factors at least next risk factors: (Colbert, J.L., 1995): • Ethical climate and pressure on management to meet objectives; • Competency, adequacy, and integrity of personnel; • Asset size, liquidity, or transaction volume; • Financial and economic conditions; • Competitive conditions; • Impact of customers, suppliers, and government regulations; • Date and result of previous audits; • Degree of computerization; • Geographic dispersion of operations; • Adequacy and effectiveness of the system of internal control; • Organizational, operational, technological, or economic changes;

External audit takes into consideration next risk factors: (Colbert, J.L., 1995): • Management operating and financial decisions are dominated by a single person; • Management's attitude toward financial reporting is unduly aggressive; • Management, particularly senior accounting personnel, turnover is high; • Management places undue emphasis on meeting earnings projections; • Management's reputation in the business community is poor; • Profitability of entity relative to its industry is inadequate or inconsistent; • Sensitivity of operating results to economic factors is high; • Rate of change in entity's
40 | P a g e

• •

Management judgments and accounting estimates; Acceptance of audit findings and corrective action taken;


Approach of fraud

Internal audit is concerned about the frauds from all activities from the organization.

industry is rapid; • Entity's industry is declining with many business failures; • Organization is decentralized without adequate monitoring; • Internal or external matter raises substantial doubt about the entity's ability to continue as a going concern; • Contentious or difficult accounting issues are prevalent; • There are significant and unusual related party transactions not in the ordinary course business; • The nature, cause (if known), or amount of known and likely misstatements detected in the audit of prior period's financial statements is significant; • Client is new with no prior audit history or sufficient information is not available from the predecessor auditor. External audit is concerned only about the fraud from financial areas.

41 | P a g e


exist to alert management of wrongdoing. The penalties for fraudulent financial reporting have significantly increased to reflect society’s view on this type of behaviour. imprisonment . the red flags or indicators. Based on the above definitions. Fraud Detection: Due to the number of high profile corporate failures in recent years. Only the symptoms of fraud. internal auditors serving to the organizations: The word “responsible” as (1) Liable to be called upon to answer for one’s acts or decisions: answerable (2) Able to fulfil one’s obligations: reliable. corporate fraud has been of significant public and regulatory interest. ethics . in some cases. Unfortunately. signals that are recognized are not vigorously pursued. involvement in corporate scandals . misfeasance. for one to accept responsibility is a serious and Herculean task otherwise he/she will have to lose their business goodwill by facing penalties . Fraud is seldom witnessed firsthand.e. negligence etc. and. It's a crime that is often shrouded in ambiguity. and it's sometimes difficult even to determine whether or not a crime has actually been committed. Therefore. many such fraud symptoms go unnoticed. reliability . trustworthy (3) Able to choose for oneself between right and wrong and (4) Involving accountability or important duties. loss of trust. Role of Internal Auditing 43 | P a g e . Hence the word “responsibilities” is defined as something for which one is responsible.Chapter-3 Role of the Internal Auditor & the External Auditor in Different Aspects: The Roles & Responsibility of Internal auditing i. liability . one should not take such responsibilities lightly and carelessly and unless one has the physical and mental prowess to bear this heavy load and competence to accomplish the given assignment as the word “responsibilities” encompasses more tasks and duties within this word such as answerable . accountability and many more. justice . trust .

in some cases. 44 | P a g e . Proper fraud handling builds the credibility of the staff and can dramatically increase acceptance of control recommendations. proper. control weaknesses. While it is true that auditors can indeed lose credibility if they become obsessed by looking for fraud. However. A commonly heard comment is. Internal auditors and public accountants using these techniques are carrying out audit work intended to identify problems. resistance to acceptance of these responsibilities. at least in part. and Reporting of Fraud in 1985. In many organizations. Yet many internal auditors hesitate to be identified with fraud. resident experts. In addition. Detection. The challenge for the internal auditor is to discuss fraud. and educators. auditors have always had some responsibility for fraud detection. these internal auditors are echoing refrains from the public accountants. detect fraud. and raise management awareness about fraud. Investigation. Deterrence. 3. at fraud. The Internal Auditing Standards Board of The IIA issued Statement on Internal Auditing Standards No. These controls are aimed. THE INTERNAL AUDITOR'S RESPONSIBILITY FOR DETECTION Some internal auditors believe they have no responsibility for detection. or fraud. Actually.Internal auditors' roles with regard to fraud might be as identifiers. internal auditors must be knowledgeable about fraud if they are to evaluate controls or design and perform audit program steps. Program steps designed to verify financial statements (such as inventory counts and confirmations) are intended to identify either errors or irregularities. investigators. such as errors. internal auditors should accept reasonable responsibility while resisting actions that would hold them unreasonably accountable for detection. there is still confusion and. appreciated. Rather than deny responsibility for detection." In claiming no responsibility for fraud detection. but fraud detection is not the reason for our audits. the professional auditor does play a significant role in the control system. apparently because they believe that participating in investigations will somehow damage the image and effectiveness of the internal audit department. or acted upon past control recommendations may embrace suggestions based on fraud findings. and participate in investigations without appearing to be obsessed with fraud. some internal auditors conduct routine monitoring activity (such as reviewing employee accounts in financial institutions) aimed at fraud. the internal audit function will be better suited than any other to bring fraud to the surface. Operating managers who may never have understood. conduct or participate in investigations. Although this Statement clarified the intended role of the internal auditor with regard to fraud detection. professional response to fraud can enhance and expand the role of the internal auditor. Internal control recommendations presented by the person who investigated on behalf of management carry the weight of practical experience. "We should be able to recognize fraud if we come across it in our audits.

recognizing that fraud or error may materially affect the financial statements. whether caused by error or fraud.1] In planning and conducting their work. However. Unusual external or internal pressure on entities. to maintain a company’s share price or to disguise its losses). • • • • • • Weaknesses in the design of the accounting and internal control system. Require that all fraud investigative activity be reported to the audit committee. Develop and implement a fraud policy. the question may arise as to how any loss should be allocated as between the company. perform and evaluate their audit work in order to have a reasonable expectation of detecting material misstatements in the financial statements arising from error or fraud. Develop computer audit retrieval applications designed to identify symptoms of fraud.Fighting Fraud: Practical Suggestions for Internal Auditors: 1. Unusual transactions. its auditors and its directors. a director or an employee) or is carried out by management with the specific intention of misleading financial statements being issued (e. Improve communication between the internal auditors and those responsible for investigative activity. if such a fraud is not detected by the company’s auditors. Under SAS 110. Require audit involvement in all fraud investigations to determine the control implications of the fraud and consider the implications for future audit plans and programs. an audit cannot be expected to detect all 45 | P a g e . auditors seek to obtain reasonable assurance that financial statements are free from material misstatement. “Auditors plan.” [SAS 110. The specific standards that auditors are required to observe in relation to their responsibilities to consider fraud in the audit of financial statements are set out in SAS 110. 4. 2. 5.g. attention is likely to focus on whether sufficient appropriate audit evidence was obtained to enable the auditors reasonably to form that opinion. auditors are required to “plan and perform their audit procedures and evaluate and report the results thereof. Questions with respect to management's integrity and competence. By taking the following factors into account possible fraud and errors might be detected. Difficulty to obtain sufficient appropriate audit evidence. Non-compliance with internal controls. Commit to increasing audit effectiveness in fraud detection. When an unqualified audit opinion has been given. 3. The role of External Auditing Whether a fraud is designed to directly divert assets from a company (carried out by a third party. 6.

delays or vague representations/unusual accounting judgments. para. The auditors should as soon as practicable communicate their findings to the appropriate level of management. 46 | P a g e . The likelihood of detecting errors is higher than that of detecting fraud. material error is found to exist [SAS 110. particularly the reliability of management representations [SAS 110. an explanatory paragraph concerning the matter should be included in the report [SAS 110.3] In complying with this procedure. auditors should perform modified or additional procedures [SAS 110.12 applies (see note 17). On becoming aware of information indicative of fraud or error. auditors should obtain an understanding of the nature of the event and circumstances in which it has occurred.errors or instances of fraudulent or dishonest conduct. SAS 110 notes amongst other things the need: • • to be alert to audit evidence indicating unusual events or actions such as control overrides/unusual transactions/insubstantial responses to audit inquiries. When auditors become aware of. since fraud is usually accompanied by acts specifically designed to conceal its existence…” [SAS 110.6]. The auditors should consider the implications of suspected or actual error or fraudulent conduct in relation to other aspects of the audit. 14 and 18] Having assessed the risk that fraud or error may cause material misstatements in the financial statements.5 and 110. to obtain sufficient reliable audit evidence that puts appropriate emphasis on external evidence that puts appropriate emphasis on external evidence or evidence created by the auditors [SAS 110. and sufficient other information to evaluate the possible effect on the financial statements.8]. they should document their findings and discuss them with the appropriate level of management unless a suspected or actual instance of fraud casts doubt on the integrity of the directors in which case the auditors should make a report to the proper authority in the public interest without delay and without informing the directors in advance [SAS 110. the board or the audit committee if: • • they discover fraud. If this effect is believed to be material.7]. auditors are required to design their procedures so as to have a reasonable expectation of detecting such material misstatements. [SAS 110.12]. or suspect.2 and 110.4]. 26]. even if the potential effect on the financial statements is immaterial – except where SAS 110. SAS 110 sets out how suspected or actual fraud should be addressed in the auditor’s report: • if the level of uncertainty concerning the error or fraud is fundamental. paras. instances of error or fraudulent conduct.

Finally.9]. 47 | P a g e . plans. internal control is broadly defined as a process. Management’s philosophy and operating style. Effectiveness and efficiency of operations.10]. and 4. Detect and correct errors and irregularities in a timely manner. 4. Human resource policies and procedures. detective (to detect and correct undesirable events which have occurred). and 6. they should issue a disclaimer or qualified opinion [SAS 110. 3. Provide reasonable assurance that assets are safeguarded. 2. Organizational structure. contingency planning and the withdrawal from unacceptably risky activities. Ensure compliance with policies. designed to provide reasonable assurance regarding the achievement of objectives in the following internal control categories: 1. 2. 3. Promote the economical and efficient use of resources. internal control is a process that and encompasses all activities of the Organization. 5. effected by an entity's board of directors. Under the COSO Framework. sharing risks. Internal control: Internal control is one of the principal means by which risk is managed. and is designed to: 1. Other devices used to manage risk include the transfer of risk to third parties. Role of Internal Auditing: Internal auditing activity is primarily directed at improving internal control. procedures. Specific examples of internal control are as follows: 1. Assignment of authority and responsibility. and other personnel. reflects the attitude of the board of directors and senior management. Reliability of financial reporting. Those actions may be either preventive (to deter undesirable events from occurring). Integrity and ethical values. Control is an integral part of managing operations. auditors should consider whether a suspected or actual fraud should be reported to a proper authority in the public interest [SAS 110. and is any action taken by a manager to enhance the probability that established goals and/or objectives will be achieved. Broadly defined.• • if it has a material effect on the financial statements and the auditors disagree with the accounting treatment or with the level of disclosure in the financial statements concerning the fraud. laws and regulations. management. 2. if they are unable to determine whether fraud or error has occurred because of a limitation in the scope of their work. and financial and operational information is timely and reliable. or directive (to cause or encourage a desirable event to occur).9]. they should issue an adverse or qualified opinion [SAS 110. Competence of personnel.

the system of internal control will not be effective. For example. The organization's top executive. Compliance with laws and regulations. ensures the functionality and fit of the internal control mechanisms of the organization and produces reliable information for the Board of Directors and its Audit Committee. an individual's position in the organization determines the extent of that person's involvement in internal control. to provide employees with appropriate supervision. it guides people.3. The Internal Control Act provides that. 48 | P a g e . the internal auditor identifies and monitors the most important operational risks of the organization. Management is responsible for internal control." To avoid these kinds of situations. the greatest amount of responsibility rests with the managers of the organization. While everyone in an organization has responsibility for ensuring the system of internal control is effective. People can also deliberately defeat the system of internal control. Individual roles in the system of internal control vary greatly throughout an organization. the organization should continually monitor employee activity and emphasize the value of internal control. Internal auditors perform audits to evaluate whether the policies and processes are designed and operating effectively and provide recommendations for improvement. Executive management needs to set the organization’s "tone” regarding internal control. or two or more employees can act together in collusion to circumvent control and "beat the system. Internal control is people-dependent. has the ultimate responsibility. (2) Making management policies and guidelines available to all employees. For this purpose. Similarly. as the lead manager. The purpose of the internal audit is to assist the Board of Directors in supervising and controlling the organization. and people carry it out. If executive management does not establish strong. the organization as a whole will most likely not practice good internal control. if individuals responsible for control activities are not attentive to their duties. a manager can override a control activity because of time constraints. Managers establish policies and processes to help the organization achieve specific objectives in each of these categories. the top executive is responsible for establishing the organization’s system of internal control. monitoring. clearly stated support for internal control. Very often. Organizational Roles: Every member of an organization has a role in the system of internal control. It is developed by people. and. The strength of the system of internal control is dependent on people's attitude toward internal control and their attention to it. and is also responsible for (1) Establishing a system of internal control review. it provides people with a means of accountability. and training to reasonably assure that the organization has the capability to carry out its work. and (3)Implementing education and training about internal control and internal control evaluations. Management has a role in making sure that the individuals performing the work have the skills and capacity to do so.

While the internal control officer has responsibility for both implementing and reviewing the organization’s internal control efforts. This individual must be independent of the activities that are audited. accomplished primarily through participation in meetings and discussions with members of the Board of Directors. 49 | P a g e . in most instances. Corporate governance: Broad Definitions of Corporate Governance: “Corporate governance is the system by which business corporations are directed and controlled. thus. those managers become responsible for those portions of the organization’s system of internal control. the internal auditor cannot properly perform the role of internal control officer. the board. The purpose of appointing an internal auditor is to have a sound and strong internal control system which will intern reduce the time and effort of the external auditor given by during the course of audit work. Corporate governance is a combination of processes and organizational structures implemented by the Board of Directors to inform. The law further requires the head of the organization to designate an internal control officer who reports to him or her. Drawing on knowledge and experience with internal control matters. transparency and accountability. The corporate governance structure specifies the distribution of rights and responsibilities among different participants in the corporation. the effectiveness of these procedures and requirements must be audited by someone who was not involved in the process of putting them into place. such as. manage.To the extent that the top executive authorizes other managers to perform certain activities. the internal control officer is a critical member of the management team who assists the agency head and other management officials by evaluating and improving the effectiveness of the internal control system. direct. For this reason.”Two major players in corporate governance Role of Internal Auditing Internal auditing activity as it relates to corporate governance is generally informal. managers. the organization’s internal auditor is responsible for evaluating the effectiveness of the system of internal control. finally informs that the organization has a weak internal control system. shareholders and other stakeholders. but if the external auditor find the work of the internal auditors as erroneous to an unacceptable limit it inform that the internal auditor is providing inefficient services to the organization.” Focused definition: “Corporate governance is about promoting corporate fairness. and spells out the rules and procedures for making decisions on corporate affairs. Role of External Auditing: As the work of an external auditing is simply to draw an opinion regarding the truth and fairness of the books of records of the organization. External Auditing does not directly have impact on the internal control of the organization being audited by an external auditor. this will save the audit fees that the organization would have to give to the external auditor. the organization’s managers are still responsible for the appropriateness of the internal control system in their areas of operation. The internal control officer helps establish specific procedures and requirements. In contrast.

and the external auditor. ERM (Enterprise Risk Management): Enterprise risk management deals with risks and opportunities affecting value creation or preservation. defined as follows: Enterprise risk management is a process. The definition reflects certain fundamental concepts. designed to identify potential events that may affect the entity. This may include reporting critical internal control problems. suggesting questions or topics for the Audit Committee's meeting agendas. applied in strategy setting and across the enterprise. A primary focus area of internal auditing as it relates to corporate governance is helping the Audit Committee of the Board of Directors (or equivalent) perform its responsibilities effectively. the other pillars being the Board of Directors. informing the Committee privately on the capabilities of key managers. management. • • • • • • Review of general control environment Process evaluation and performance auditing Risk assessment. and manage risk to be within its risk appetite. to provide reasonable assurance regarding the achievement of entity objectives. risk based audits and business monitoring Performance auditing Due diligence on internal and external reporting Financial control. The internal auditor is often considered one of the "four pillars" of corporate governance. Specifically. but it is true that the opinion drawn by the external auditor do have impact on the corporate governance of the organization. effected by an entity’s board of directors. performance auditing and self-assessment Corporate Governance set a yardstick by which all companies should seek to be measured. Enterprise risk management is: 50 | P a g e . thus the external auditor has no impact on the corporate governance of the organization.and monitor the organization's resources. Internal Audit is thus there to assist the company in measuring their compliance to governance issues. health. management and other personnel. integrity and accountability. The Code of Corporate Practices and Conduct is based on the principles of openness. Role of External Auditing An external auditor is an outsider of the organization being audited who remains only for a few days required to collect evidences and information to draw an audit opinion. and coordinating carefully with the external auditor and management to ensure the Committee receives effective information. strategies and policies towards the achievement of the organizations objectives.

at every level and unit. The Role of Internal Auditing: Figure: Internal auditing roles in regard to ERM Core internal auditing roles in regard to ERM: • Giving assurance on risk management processes. • Evaluating the reporting of key risks. It captures key concepts fundamental to how companies and other organizations manage risk. 51 | P a g e . providing a basis for application across organizations. ongoing and flowing through an entity • Effected by people at every level of an organization • Applied in strategy setting • Applied across the enterprise. • Giving assurance that risks are correctly evaluated. and includes taking an entity level portfolio view of risk • Designed to identify potential events that. if they occur. • Evaluating risk management processes. will affect the entity and to manage risk within its risk appetite • Able to provide reasonable assurance to an entity’s management and board of directors • Geared to achievement of objectives in one or more separate but overlapping categories This definition is purposefully broad. • Reviewing the management of key risks.• A process. industries. and sectors. It focuses directly on achievement of objectives established by a particular entity and provides a basis for defining enterprise risk management effectiveness.

internal auditors typically are part of the project team in an advisory role. In larger organizations. As a member of senior management. Management performs risk assessment activities as part of the ordinary course of business in each of these categories. incentive payout structure. internal auditors can advise management regarding the reporting of forward-looking operating measures to the Board. • Management assurance on risks.Legitimate internal auditing roles with safeguards: • Facilitating identification and evaluation of risks. to help identify emerging risks. major strategic initiatives are implemented to achieve objectives and drive changes. • Coaching management in responding to risks. Internal auditing professional standards require the function to monitor and evaluate the effectiveness of the organization's Risk management processes. or ensure management's reporting is effective for that purpose. and legal/regulatory categories. • Maintaining and developing the ERM framework. analyzes. capital planning. the Chief Audit Executive (CAE) may participate in status updates on these major initiatives. hedging. Internal auditors may evaluate each of these activities. In these latter two areas. This places the CAE in the position to report on many of the major risks the organization faces to the Audit Committee. • Accountability for risk management. financial reporting. or focus on the processes used by management to report and monitor the risks identified. For example. budgeting. 52 | P a g e . and credit/lending practices. • Coordinating ERM activities. Examples include: strategic planning. and responds to those risks that could potentially impact its ability to realize its objectives. • Consolidating the reporting on risks. • Implementing risk responses on management's behalf. Roles internal auditing should NOT undertake. then identifies. risks fall under strategic. marketing planning. • Championing establishment of ERM. • Imposing risk management processes. operational. Internal auditors may help companies establish and maintain Enterprise Risk Management processes. • Setting the risk appetite. Sarbanes-Oxley regulations also require extensive risk assessment of financial reporting processes. Corporate legal counsel often prepares comprehensive assessments of the current and potential litigation a company faces. Under the COSO enterprise risk management (ERM) Framework. Internal auditors also play an important role in helping companies execute a SOX 404 top-down risk assessment. • Taking decisions on risk responses. Risk management relates to how an organization sets objectives.

This typically involves review of the various risk assessments performed by the enterprise (e. 2120. operations. and interviews with a variety of senior management. Standards • 2010. consideration of prior audits. “THE RELATIONSHIP BETWEEN THE WORKINGS OF INTERNAL AUDITOR AND EXTERNAL AUDITOR OF AN ORGANIZATION” 53 | P a g e . the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance. and SOX top-down risk assessment).A1 – Based on the results of the risk assessment. As external auditor involves him or herself for a very short time for the course of audit work. Internal auditors typically perform an annual risk assessment of the enterprise. and manage risks directly for the enterprise. This plan is updated at various frequencies in practice. Internal Audit professional standards indicate the function should not take any direct responsibility for making risk management decisions for the enterprise or managing the risk management function. It is designed for identifying audit projects.A1 – The internal audit activity’s plan of engagements should be based on a risk assessment. not to identify. to preserve its organizational independence and objective judgment. The engagement objectives should reflect the results of the risk assessment..A1 – When planning the engagement. prioritize. The external auditor generally uses the work of internal auditor in which his or her entry is restricted. strategic plans. he or she does not directly play role in ERM of the organization. to develop a plan of audit engagements for the upcoming year. However. competitive benchmarking. the internal auditor should identify and assess risks relevant to the activity under review. undertaken at least annually.Internal auditors play an important role in evaluating the risk management processes of an organization and advocating their continued improvement. • • The role of External Auditing: ERM is one of the major factors of the Internal Control of the organization. 2210.g. and information systems.

CHAPTER-4 Audit Process & Associated Risks Chapter-4 Audit Process & Associated Risks 54 | P a g e .

and plans the remaining audit steps. Announcement Letter The client is informed of the audit through an announcement or engagement letter from the Internal Audit Director. Preliminary Survey In this phase the auditor gathers relevant information about the unit in order to obtain a general overview of operations. This letter communicates the scope and objectives of the audit. equipment. The internal auditor meets with the senior officer directly responsible for the unit under review and any staff members s/he wishes to include. The review of internal controls helps the auditor determine the areas of highest risk and design tests to be performed in the fieldwork section. the auditor uses a variety of tools and techniques to gather and analyze information about the operation. It is important that the client identify issues or areas of special concern that should be addressed. facilities. and other relevant information. funds). and other sources of information.1 The Internal Audit Process: The internal audit process contains the following steps: Planning During the planning portion of the audit. available resources (personnel. S/He talks with key personnel and reviews reports. 1.4. a process which is usually timeconsuming. the organization. gathers information on important processes. 55 | P a g e . the auditor notifies the client of the audit. Internal Control Review The auditor will review the unit's internal control structure. evaluates existing controls. Audit Program Preparation of the audit program concludes the preliminary review phase. discusses the scope and objectives of the examination in a formal meeting with organization management. Initial Meeting During this opening conference meeting. the auditors assigned to the project and other relevant information. the client describes the unit or system to be reviewed. files. In doing this. This program outlines the fieldwork necessary to achieve the audit objectives.

Audit management thoroughly reviews the audit working papers and the discussion draft before it is presented to the client 56 | P a g e . Usually these communications are oral. the client can offer insights and work with the auditor to determine the best method of resolving the finding. To facilitate communication and ensure that the recommendations presented in the final report are practical. It is during this phase that the auditor determines whether the controls identified during the preliminary review are operating properly and in the manner described by the client.Fieldwork The fieldwork concentrates on transaction testing and informal communications. memos and/or e-mails are written in order to ensure full understanding by the client and the auditor. Transaction Testing After completing the preliminary review. Working Papers Working papers are a vital tool of the audit profession. Advice & Informal Communications As the fieldwork progresses. They are the support of the audit opinion. the auditor discusses any significant findings with the client. Discussion on Draft At the conclusion of fieldwork. the auditor drafts the report. and recommendations necessary for the audit report discussion draft. They are comprehensive and serve many functions. the auditor performs the procedures in the audit program. These procedures usually test the major internal controls and the accuracy and propriety of the transactions. The fieldwork stage concludes with a list of significant findings from which the auditor will prepare a draft of the audit report. in more complex situations. Various techniques including sampling are used during the fieldwork phase. Hopefully. the auditor summarizes the audit findings. Our goal: No surprises. Audit Report Our principal product is the final report in which we express our opinions. conclusions. Internal Audit discusses the rough draft with the client prior to issuing the final report. Audit Summary Upon completion of the fieldwork. and discuss recommendations for improvements. However. present the audit findings. They connect the client’s accounting records and financials to the auditor’s opinion.

managers may choose to respond with a decision not to implement an audit recommendation and to accept the risks associated with an audit finding. Formal Draft The auditor then prepares a formal draft. Internal Audit meets with the unit's management team to discuss the findings. the first page of the final report is a letter requesting the client's written response to the report recommendations. At this meeting. the University Chief Accountant. Final Report Internal Audit prints and distributes the final report to the unit's operating management. Client Response The client has the opportunity to respond to the audit findings prior to issuance of the final report which can be included or attached to our final report. and other appropriate members of senior University management. the Vice President for Administration. This report is primarily for internal University management use. This discussion draft is prepared for the unit's operating management and is submitted for the client's review before the exit conference. the client should explain how report findings will be resolved and include an implementation timetable.for comment. as part of Internal Audit's self-evaluation program. we ask clients to comment on Internal Audit's performance. 57 | P a g e . However. In some cases. In the response. and we have made changes in our procedures as a result of clients' suggestions. and text of the draft. Client Comments Finally. if the client decides to respond after we issue the report. This feedback has proven to be very beneficial to us. When the changes have been reviewed by audit management and the client. The client should copy the response to all recipients of the final report if s/he decides not to have their response included/attached to Internal Audit's final report. recommendations. the unit's reporting supervisor. the final report is issued. the client comment on the draft and the group works to reach an agreement on the audit findings. Exit Conference When audit management has approved the discussion draft. The approval of the Internal Audit Director is required for release of the report outside of the University. taking into account any revisions resulting from the exit conference and other discussions.

The audit staff will review any past audit work. However. A discussion draft of each report with unresolved findings is circulated to the client before the report is issued. All unresolved findings will be discussed in the follow-up report. will include the following five steps: STEP 1: PLANNING The audit is begun with a Planning phase which does not usually require departmental involvement. look over available literature on the department. Unresolved findings will also appear in the follow-up report and will include a brief description of the finding. the auditors will also tentatively formulate their scope and audit plan. Follow-up Review The client response letter is reviewed and the actions taken to resolve the audit report findings may be tested to ensure that the desired results were achieved. if possible. the current condition. Internal Audit Annual Report to the Board In addition to the distribution discussed earlier. on which they will base the fieldwork. Internal Audit will perform a follow-up review to verify the resolution of the report findings. During this time. The follow-up review results will be circulated to the original report recipients and other University officials as deemed appropriate. except for the most basic. each portion of the audit will take more or less time. At this time the client have the opportunity to meet the audit staff and ask questions about the upcoming audit work and the audit process. 4.Audit Follow-Up Within approximately one year of the final report. client response. auditor will call the client to schedule an Introductory Meeting. and make a preliminary review of departmental income and expense. The audit farm encourages the client to discuss any concerns he or she may 58 | P a g e . These meetings typically last no longer than an hour and take place at the clients’ office. and follow-up report may also communicated to the Audit Committee of the Board as part of the Internal Audit Annual Report. the original audit recommendation. and the continued exposure to Indiana University. STEP 2: INTRO MEETING After the client receive his or her introductory letter announcing the audit. the contents of the audit report. Follow-up Report The review will conclude with a follow-up report which lists the actions taken by the client to resolve the original report findings.2 The External Audit Process: Based on the type of review. all audits. the client response.

and literature describing the department. In either case. critical departmental functions. The client will be given the opportunity to review the final report before the distribution is completed. 59 | P a g e . and the timeline to complete the process. a contact list. all of which will be discussed with the client before or at the conclusion of the fieldwork. gaining an understanding of departmental functions. the report is ready to be finalized.if available. the audit objectives. Responses typically include corrective action plans. and the Final Report is delivered to the client. and periodically review the audit progress with the department heads and personnel. the audit staff will first prepare a Draft Report. STEP 4: REPORTING After the fieldwork is completed and auditors’ findings and concerns have been reviewed with the client. to monitor the status of the department's progress.a departmental organization chart. and identifying areas of weakness and concern (as well as strengths). The audit staff will conduct interviews with key personnel. At this time. availability of personnel. During the meeting. administrative and business procedures. The draft report is transmitted to the client for his or her review and in order for him or her to prepare his or her response. the parties responsible for the action. the auditee will be contacted regarding the departmental progress with the corrective actions identified in the audit. This work includes reviewing financial and budgeting activity. the Follow-Up procedure may formal or informal. During the fieldwork. STEP 5: FOLLOW-UP Depending on the nature of the audit or the audit findings. Once the clients’ response is received and the audit firm agree on the report text.). information technology.have and any areas or business functions that he or she would like auditors to review. The audit staff begins the Fieldwork by gathering information about the auditee's operations. and the audit logistics (facilities. the auditee is only contacted informally. STEP 3: FIELDWORK In this step. The clients’ response is incorporated or attached where appropriate. and other activities specific to each auditee. etc. the client may also provide the staff with the few pieces of information the audit firm requests before each audit begins. At this time. primary contacts. observe departmental procedures. after a reasonable period of time. the audit staff identifies areas of risk and concern within the department's internal controls and procedures. In most cases. possibly several times. the auditors will discuss the potential timeframe for the review. The client may contact the audit-firm at anytime throughout the audit with his or her questions or concerns regarding the audit process or audit findings. which is typically the lengthiest part of the audit. the auditor may perform a follow-up review concluding with a follow-up report. the actual work of the audit is performed.

The meeting also enables feedback from the learning environments and organisation on the audit process. Audit start up meeting. strategy and operational documents.2 days dependent on the size of the organisation or number of learning environments.Stages in the Audit Process: 1. Feedback meeting and final action plan. the capability of the organisation and learning environment to support practice based learning will be assessed collaboratively. 2. Prepare draft audit results and action plan The draft audit results and action plan will be prepared by the auditors and submitted to the organisation and to the relevant learning environment(s). 5. On completion of the start up meeting the audit team and organisation or learning environment will have outlined a timetable for the audit visit and have identified the persons who will need to contribute to the audit process. The time taken to complete the audit can also be reduced if the organisation and / or learning environment has adopted a self assessment approach using the audit tool to collect evidence for continuous improvement purposes. and through dialogue with practice staff and with students. Documentation review and audit visit. At a pre-arranged feedback meeting the results and action plan will be discussed and any amendments agreed by the organisation or learning environment and the audit team. Using the relevant audit tool.5 . How well the standards have been met will be determined through review of relevant policy. Copies of the audit tool and handbook for the audit process will have been circulated via the link person prior to the start up meeting. (link). 3. Implementing action plan. 4. The audit visit will last from 0. The action plan component of the audit identifies the persons or committees that will be charged with taking the actions forward and the timelines for 60 | P a g e . Following the audit visit preliminary feedback will be given to the local audit link and other staff that are available to receive feedback. On an agreed date an audit team will visit the organisation or learning environment. This meeting will enable the audit process to be discussed and planned in detail. The draft audit results will be submitted within three weeks of the audit visit.

1 illustrates these changes in practice. which initiated changes in both internal and external auditing standards: 61 | P a g e . and demands for value-added audits. M.implementing the actions.W. Examples of action plans and those identified to take actions forward can be seen in the pilot audit results Generally. 2003). Figure no. The main factors that prompted these changes included the globalization of business. advances in technology.& Tatum K.W.. the following steps are involved in an audit cycle: Figure: Steps in an Audit Cycle Auditing processes for both internal auditors and external auditors have changed in the past eight to ten years (Lemon.

On the contrary.Figure: Convergence of Internal Audit and External Audit Functions 4. and provide an annual opinion on the financial statements. internal auditors are integral to the organization and provide ongoing monitoring and assessment of all activities. external auditors are independent of the organization. Both professions adhere to codes of ethics and professional standards set 62 | P a g e .3 The reliance of external auditors on internal auditors. The work of the internal and external auditors should be coordinated for optimal effectiveness and efficiency. Internal and external auditors have mutual interests regarding the effectiveness of internal financial controls. Although they are independent of the activities they audit.

areas of expertise. provide access to reports. The primary mission of the external auditors is to provide an independent opinion on the organization's financial statements. the board should require coordination of internal and external audit work to increase economy. The similarities stop with planning. "Audit Risk and Materiality in Conducting an Audit" (AICPA. The internal and external auditors should meet periodically to discuss common interests. It serves the organization by helping it accomplish its objectives. annually. the board. Their approach is historical in nature. as they assess whether the statements conform with generally accepted accounting principles. but are engaged by it. 1983) and SAS 53. and jointly assess areas of risk.by their respective professional associations. "Risk Assessment" (The IIA. External auditors are not part of the organization. There are. 1991). however. efficiency. Their objectives are determined by professional standards. programs and working papers.the board of directors. Their primary clients are management and the board. as the external auditor plans the engagement. 4. "The 63 | P a g e . risk management. and improving operations. Their objectives are set primarily by statute and their primary client . internal and external auditors each consult their own guides as they contemplate risk. and whether the financial statements have been materially affected.4 Internal and external audit Risks: For both external and internal auditors. benefit from their complementary skills. major differences with regard to their relationships to the organization. areas that may prove particularly susceptible to material misstatement are evaluated. and to their scope of work and objectives. risk plays an important role in the planning process. Concerned with all aspects of the organization . however. They also are concerned with the prevention of fraud in any form. whether the results of operations for a given period of time are accurately represented. and effectiveness of the overall audit process. while external auditors look to Statement on Auditing Standards (SAS) 47. gain understanding of each other's scope of work and methods. whether they fairly present the financial position of the organization. discuss audit coverage and scheduling to minimize redundancies.both financial and non-financial . In fulfilling its oversight responsibilities for assurance. The internal auditors’ scope of work is comprehensive. Similarly. As the director of internal audit considers the work schedule for the year. and governance processes. Although they are attacking the same animal. Internal auditors turn to Statement on Internal Auditing Standards (SIAS) 9. and management. and perspectives. the risks present in the various audit units are considered.the internal auditors focus on future events as a result of their continuous review and evaluation of controls and processes. The internal auditors' are part of the organization. internal controls.

or fraudulent financial reporting. Once auditable activities are identified. An external audit is concerned only with financial aspects of the entity." For internal auditors. and financial work and involves assessments of the effectiveness. The objective of internal auditing is to aid members of the organization in effectively discharging their duties. Risk is then assessed for components of audit risk at the individual level. normally. risk exists as a threat to the likelihood that an entity will achieve its established objectives. for example. External auditing's focus and its use of risk is much narrower. the utilization of risk in the two types of engagement also varies. 1988). Since internal and external auditors often coordinate their work and exchange work papers. environmental liabilities. Definitions Internal and external auditors also define risk according to their own terms. The effects of not addressing objectives may be lost market share. product pricing. environmental concerns. 64 | P a g e . and economy of operations. customer satisfaction. The concept of risk thus takes on a different character. audit risk is also set for management's assertions at the individual class of transactions or account balance level. In an external audit. or a myriad of other areas. timing. financial position and results. efficiency. In order to establish the nature. employee relations. Objectives may relate to market share. failure to comply with relevant laws and regulations. Audit risk is limited to an appropriately low level so that at the conclusion of the engagement. risk assessment serves to delineate the scope of the work to be performed in each area. inappropriate pricing. and extent of work within the financial statements. Not only do external and internal auditors utilize and define risk differently. but the processes and factors involved in risk assessment also differ. compliance. risk functions as an aid for determining which activities to examine. Shareholders and others with a financial interest in the entity utilize the opinion and published financial statements in making economic decisions. the practitioner establishes the overall level of audit risk for the engagement. customer dissatisfaction. and the audit work is planned. SIAS 9 describes risk as "the probability that an event or action may adversely affect the organization. The broad scope of the internal auditing department encompasses operational. compliance and operational issues are not examined. it is critical that each understand the perspective of the other. the external auditor has sufficient assurance of the fairness of the financial statements.Auditor's Responsibility to Detect and Report Errors and Irregularities" (AICPA. Utilization of Risk Because the objectives of internal and external audits differ. The external audit process culminates in an opinion on the fair presentation of the financial statements. compliance with laws and regulations. For internal auditors. low employee morale.

laws. control risk. Risk Assessment: Internal Auditing Risk assessment entails evaluating and combining judgments about risk factors and adverse conditions. and marketing. For the external auditor. industry and economic trends. audit risk is composed of inherent risk. units. The definition of audit risk provided to external auditors by SAS 47 is more detailed than that of risk given to internal auditors in SIAS 9. payroll. procedures. Besides risk factors. production. the internal auditor considers discussions with the board and management. The internal auditor may therefore elect to weigh the risk factors according to their importance. At the financial statement level. The internal auditor begins the process of assessing risk by identifying the systems. 65 | P a g e . or subjects that are capable of being evaluated.Management develops controls to address the risks of not achieving such objectives. audit risk exists at two levels: the financial statement level and the level of the individual account or class of transactions. operating and financial data. According to SIAS 9. the internal auditor considers factors that might bear on the riskiness of the isolated auditable activities. If the auditor had been aware of the material misstatement. human resources. and an unqualified opinion may be unwittingly issued. the internal auditor ascertains both the entity's objectives and risk. Inherent risk is the risk that an account or class of transactions may contain material misstatement. Also. the internal auditor evaluates other sources of information in the process of determining the work schedule. The end product of the internal auditor's risk assessment is the audit work schedule. In turn. Detection risk is the risk that the external auditor's detection procedures do not locate material misstatement. although the external auditor performs an engagement according to generally accepted auditing standards (GAAS). major contracts and programs. and relevant policies. communications with external auditors. Control risk is the risk that controls do not prevent or detect material misstatement on a timely basis. For example. and regulations are reviewed. assuming that controls do not address the situation. At the individual balance or class of transactions level. Auditable activities might include such areas as information systems. Controls can then be assessed to determine if they appropriately address the risks." In other words. and financial statements and reports. the unqualified opinion would have been appropriately modified. audit risk is "the risk that the (external) auditor may unknowingly fail to appropriately modify the opinion on financial statements that are materially misstated. and results of prior internal audits. Each risk factor may not be equally significant. and detection risk. material misstatement existing in the financial statements may not be located. functions such as purchasing. however.

and extent of procedures to achieve a high level of confidence. IR is inherent risk. The external auditor sets audit risk at the individual level by considering the previously established audit risk at the financial statement level. and detection risk. the planned low level of audit risk at the financial statement level is achieved. and extent of audit procedures that will be performed at the individual level. To determine the nature. timing. control risk. timing. Conversely. DR is detection risk. CR is control risk. timing. To assess control risk. Risk Assessment: External Auditing The external auditor uses the risk assessment process to outline the nature. Recall that audit risk at the individual level is composed of inherent risk. "Consideration of the Internal Controls Structure in a Financial Statement Audit" (1988). The auditor assesses inherent risk by studying the nature of the account or class of transactions and factors suggested by SAS 47 that may impact inherent risk. when particular audits will be performed. Taking into account management requests and work that may be coordinated with the external auditors. The schedule includes what activities will be examined during the period. a higher level of planned detection risk allows the external auditor to relax procedures. the relationship of the four risks is: AR = IR x CR x DR.The internal auditor integrates the information gathered and uses it to develop audit priorities. where AR is audit risk at the individual level. In equation form. the external auditor solves the audit risk equation for detection risk: DR = AR/IR x CR A lower level of planned detection risk requires that the external auditor plan the nature. The low level of audit risk at the financial statement level is apportioned to the individual balances and classes of transactions so that when the results of tests at the individual level are combined. Risk assessment begins with the establishment of an acceptably low level of audit risk at the financial statement level. the internal auditor establishes the audit work schedule. and the approximate time required for the engagement. the external auditor studies and evaluates the internal control structure. and extent of audit procedures to be performed. 66 | P a g e . as the low level of audit risk is achieved through means other than detection procedures. Extensive guidance is provided by SAS 55.

the factors considered should be sufficient to ensure that a comprehensive risk assessment is performed. which is the final classification. shown in Exhibit 1. Although SAS 47 does not provide the external auditor with a list of factors to study in evaluating risk. The activities may encompass compliance. which supplies guidance on locating material financial misstatements. Because the purposes and uses of risks by the two auditing disciplines differ. external auditors concentrate on the financial statements and providing an opinion on their fair presentation. are to be considered as the external auditor contemplates risk at both the financial statement level and the level of the individual account balance or class of transactions. For internal auditors. includes factors specific to the particular client within a specific industry. deals with management decision-making and the business environment that management establishes. results in an audit work schedule cataloging the activities to be examined. operational. Still. and extent of procedures to apply in each audit area. shown in Exhibit 2. operating and industry characteristics.Risk Factors Both internal and external auditing standards suggest factors that should be considered by auditors when assessing risk. In addition. Engagement characteristics. as do the risk factors to be considered. when combined with other information. SAS 53. SIAS 9 notes that the number of risk factors evaluated for the purpose of establishing the audit work schedule should be limited. The first classification. fills the void. the official definitions of risk offered by the respective professional organizations are disparate. SIAS 9 suggests general factors. The SAS's risk factors are grouped into three classifications. the processes of assessing risk vary. The factors suggested by SAS 53. Utilizing risk in planning the audit assures that the more significant areas are given proportionately more audit resources “THE RELATIONSHIP BETWEEN THE WORKINGS OF INTERNAL AUDITOR AND EXTERNAL AUDITOR OF AN ORGANIZATION” 67 | P a g e . Although the professional standards for internal and external auditors indicate many differences in risk. timing. In contrast to the broad focus of internal audit work. covers auditor concerns and relations. management characteristics. Risk is the driving force behind auditors' approaches to their work. risk. or financial aspects of the organization. Risk is utilized to determine the nature. The second. that are applied at the organizational level to determine the activities to be selected for audit. For internal auditors. one significant aspect is the same: both types of auditors use risk in an attempt to achieve appropriate audit coverage.

CHAPTER-5 Audit Coordination Chapter-5: Audit Coordination: 5.1 Effect of the Internal Auditors’ Work & the Extent of the Effect of the Internal Auditors’ Work on the External Audit 68 | P a g e .

timing. timing. For example. Financial-Statement Level At the financial-statement level. The results of internal auditors' tests may provide appropriate information about the effectiveness of controls and change the nature. timing. The entity's internal audit function may influence this overall assessment of risk as well as the auditor's resulting decisions concerning the nature. the auditor may consider the results of procedures planned or performed by the internal auditors. For example. Since a primary objective of many internal audit functions is to review. the procedures performed by the internal auditors in this area may provide useful information to the auditor. the auditor performs procedures to obtain and evaluate audit evidence concerning management's assertions. including— • Procedures the auditor performs when obtaining an understanding of the entity's internal control • Procedures the auditor performs when assessing risk • Substantive procedures the auditor performs Understanding of Internal Control The auditor obtains a sufficient understanding of the design of controls relevant to the audit of financial statements to plan the audit and to determine whether they have been placed in operation. the auditor makes an overall assessment of the risk of material misstatement. if the internal auditors' plan includes relevant audit work at various locations. and extent of the audit. For example. the auditor may consider the results of procedures performed by the internal auditors on related controls to obtain information about whether the controls have been placed in operation. the internal auditors' scope may include tests of controls for the completeness of accounts payable. In addition.The internal auditors' work may affect the nature. When making this assessment. The auditor's assessment of risk at the financial-statement level often affects the overall audit strategy. The auditor may review the flowchart to obtain information about the design of the related controls. assess. and extent of testing the auditor would otherwise need to perform. The auditor assesses control risk for each of the significant assertions and performs tests of controls to support assessments below the maximum. and extent of auditing procedures to be performed. the auditor may coordinate work with the internal auditors and reduce the number of the entity's locations at which the auditor would otherwise need to perform auditing procedures. Substantive Procedures 69 | P a g e . Risk Assessment The auditor assesses the risk of material misstatement at both the financial-statement level and the account-balance or class-of-transaction level. The control environment and accounting system often have a pervasive effect on a number of account balances and transaction classes and therefore can affect many assertions. and monitor controls. When planning and performing tests of controls. the auditor should recognize that certain controls may have a pervasive effect on many financial statement assertions. internal auditors may develop a flowchart of a new computerized sales and receivables system. Account-Balance or Class-of-Transaction Level At the account-balance or class-of-transaction level.

In determining these procedures. account balances or classes of transactions. Assertions about the valuation of assets and liabilities involving significant accounting estimates. the auditor may be able to change the timing of the confirmation procedures. observation. or the number of locations of physical inventories to be observed. the materiality of misstatements. the evaluation of significant accounting estimates. The responsibility to report on the financial statements rests solely with the auditor. the auditor gives consideration to the results of work (either tests of controls or substantive tests) performed by internal auditors on those particular assertions. the auditor should perform sufficient procedures to fulfill the responsibilities. the auditor considers— a. The risk (consisting of inherent risk and control risk) of material misstatement of the assertions related to these financial statement amounts. judgments about assessments of inherent and control risks. The materialities of financial statement amounts—that is. as part of their work. is generally more persuasive than information obtained indirectly. computation. the need for the auditor to perform his or her own tests of the assertions decreases. Unlike the situation in which the auditor uses the work of other independent auditors. Evidence obtained through the auditor's direct personal knowledge. For example. The degree of subjectivity involved in the evaluation of the audit evidence gathered in support of the assertions. the number of accounts receivable to be confirmed. Extent of the Effect of the Internal Auditors’ Work Even though the internal auditors' work may affect the auditor's procedures.Some procedures performed by the internal auditors may provide direct evidence about material misstatements in assertions about specific account balances or classes of transactions. uncertainties. the consideration of internal auditors' work cannot alone reduce audit risk to an acceptable level to eliminate the necessity to perform tests of those assertions directly by the auditor. are examples of 70 | P a g e . c. and subsequent events. contingencies. the auditor should perform procedures to obtain sufficient appropriate audit evidence to support the auditor's report. As these factors decrease. As the materiality of the financial statement amounts increases and either the risk of material misstatement or the degree of subjectivity increases. However. the need for the auditor to perform his or her own tests of the assertions increases. b. In making judgments about the extent of the effect of the internal auditors' work on the auditor's procedures. including physical examination. and inspection. for such assertions. and other matters affecting the auditor's report should always be those of the auditor. For assertions related to material financial statement amounts where the risk of material misstatement or the degree of subjectivity involved in the evaluation of the audit evidence is high.6 this responsibility cannot be shared with the internal auditors. Because the auditor has the ultimate responsibility to express an opinion on the financial statements. may confirm certain accounts receivable and observe certain physical inventories. the internal auditors. the sufficiency of tests performed. The results of these procedures can provide evidence the auditor may consider in restricting detection risk for the related assertions. Consequently. and about the existence and disclosure of relatedparty transactions.

the auditor may decide. it may be efficient for the auditor and the internal auditors to coordinate their work by— Holding periodic meetings. Providing access to internal auditors' working papers Reviewing audit reports. and fixed-asset additions are examples of assertions that might have a low risk of material misstatement or involve a low degree of subjectivity in the evaluation of audit evidence.assertions that might have a high risk of material misstatement or involve a high degree of subjectivity in the evaluation of audit evidence. Scheduling audit work. prepaid assets.2 Coordination of the Audit Work with Internal Auditors • • • • • • If the work of the internal auditors is expected to have an effect on the auditor's procedures. Discussing possible accounting and auditing issues. On the other hand. Assertions about the existence of cash. after considering the circumstances and the results of work (either tests of controls or substantive tests) performed by internal auditors on those particular assertions. 5. “THE RELATIONSHIP BETWEEN THE WORKINGS OF INTERNAL AUDITOR AND EXTERNAL AUDITOR OF AN ORGANIZATION” 71 | P a g e . for certain assertions related to less material financial statement amounts where the risk of material misstatement or the degree of subjectivity involved in the evaluation of the audit evidence is low. that audit risk has been reduced to an acceptable level and that testing of the assertions directly by the auditor may not be necessary.

1 The Coordination from the External Auditors’ Viewpoint: Relationship between Internal Auditing and the External Auditor The role of internal auditing is determined by management. The internal audit function's objectives vary according to management's 72 | P a g e . and its objectives differ from those of the external auditor who is appointed to report independently on the financial statements.CHAPTER-6 Audit Coordination from the Viewpoint of the Both Auditor Chapter-6: 6.

for example. 1. 3. and a reduction in the extent of procedures performed by the external auditor but cannot eliminate them entirely. the internal auditors will need to be free to communicate fully with the external auditor. Irrespective of the degree of autonomy and objectivity of internal auditing. The external auditor may. 2. Any constraints or restrictions placed on internal auditing by management would need to be carefully considered. and that responsibility is not reduced by any use made of internal auditing. internal auditing will report to the highest level of management and be free of any other operating responsibility. All judgments relating to the audit of the financial statements are those of the external auditor. timing and extent of external audit procedures. 73 | P a g e . it cannot achieve the same degree of independence as required of the external auditor when expressing an opinion on the financial statements. 2. the external auditor should perform a preliminary assessment of the internal audit function when it appears that internal auditing is relevant to the external audit of the financial statements in specific audit areas. Internal auditing is part of the entity. In particular. b. having considered the activities of internal auditing. Technical Competence: whether internal auditing is performed by persons having adequate technical training and proficiency as internal auditors. c. In some cases. however. timing and extent of external audit procedures. Understanding and Preliminary Assessment of Internal Auditing The external auditor should obtain a sufficient understanding of internal audit activities to assist in planning the audit and developing an effective audit approach. the important criteria are: a. When obtaining an understanding and performing a preliminary assessment of the internal audit function. Organizational Status: specific status of internal auditing in the entity and the effect this has on its ability to be objective. Scope of Function: the nature and extent of internal auditing assignments performed. The external auditor's primary concern is whether the financial statements are free of material misstatements. The external auditor would also need to consider whether management acts on internal audit recommendations and how this is evidenced. review the policies for hiring and training the internal auditing staff and their experience and professional qualifications.requirements. 1. The external auditor has sole responsibility for the audit opinion expressed. In the ideal situation. Effective internal auditing will often allow a modification in the nature and timing. Nevertheless some of the means of achieving their respective objectives are often similar and thus certain aspects of internal auditing may be useful in determining the nature. During the course of planning the audit. the external auditor may decide that internal auditing will have no effect on external audit procedures. The external auditor's preliminary assessment of the internal audit function will influence the external auditor's judgment about the use which may be made of internal auditing in modifying the nature.

documentation of the work performed and review and reporting procedures. b. a. Sufficient appropriate audit evidence is obtained to afford a reasonable basis for the conclusions reached. the external auditor would ordinarily inform the internal auditor of any significant matters which may affect internal auditing. Any exceptions or unusual matters disclosed by internal auditing are properly resolved. Evaluating and Testing the Work of Internal Auditing When the external auditor intends to use specific work of internal auditing. The work is performed by persons having adequate technical training and proficiency as internal auditors and the work of assistants is properly supervised. the preliminary assessment of internal auditing and the evaluation of the specific work by internal auditing. Liaison with internal auditing is more effective when meetings are held at appropriate intervals during the period. the extent of audit coverage. work programs and working papers would be considered. 74 | P a g e . The existence of adequate audit manuals. Due Professional Care: whether internal auditing is properly planned. test levels and proposed methods of sample selection. the external auditor will need to consider internal auditing tentative plan for the period and discuss it at as early a stage as possible. it is desirable to agree in advance the timing of such work. The nature. The external auditor would need to be advised of and have access to relevant internal auditing reports and be kept informed of any significant matter that comes to the internal auditor's attention which may affect the work of the external auditor. supervised. reviewed and documented. Such tests may include examination of items already examined by 2. This evaluation may include consideration of whether: 1. the external auditor should evaluate and test that work to confirm its adequacy for the external auditor's purposes. timing and extent of the testing of the specific work of internal auditing will depend on the external auditor's judgment as to the risk and materiality of the area concerned. are consistent with the results of the work performed. The evaluation of specific work of internal auditing involves consideration of the adequacy of the scope of work and related programs and whether the preliminary assessment of the internal auditing remains appropriate. Timing of Liaison and Coordination When planning to use the work of internal auditing. Conclusions reached are appropriate in the circumstances and any reports prepared d. Where the work of internal auditing is to be a factor in determining the nature.d. timing and extent of the external auditor's procedures. Similarly. reviewed and documented. and c.

In the case of coordination. internal auditors are missing an additional opportunity to add value to their organization. 7. 3. 6.2 Coordination from the Internal Auditors’ Viewpoint: Although coordination can add value to an organization. In 75 | P a g e . 1. Take the Initiative The goal of external auditors is to verify that the company they audit complies with accounting standards. Select appropriate targets. It helps an organization accomplish its objectives by bringing a systematic. their scope is much larger. consequently. Increase communication. the internal auditor should seek to improve the company more than the external auditor does. objective assurance and consulting activity designed to add value and improve an organization s operations. The IIA s definition of internal auditing illustrates this difference. Internal audit department should: 1. and governance processes. 4. Internal auditing is an independent. Following seven steps will help internal auditing departments to start moving in the right direction. many internal auditors struggle with improving their coordination efforts. Because the internal auditor is concerned with meeting the objectives of the company and not just satisfying accounting standards. [Emphasis added] The objectives of the internal auditor should be the same as the objectives of the company. Start from the top. The external auditor would record conclusions regarding the specific internal auditing work that has been evaluated and tested.internal auditing. The internal auditing function needs to reverse this trend and take responsibility for coordinating with the external auditor. research indicates that internal auditors are not seeking to improve coordination more than external auditors. 6. control. 2. Take the initiative. Instigate training. Dispel myths. While internal auditors are concerned with accounting rule compliance. examination of other similar items and observation of internal auditing procedures. Assigning responsibility to an individual will help focus the efforts of the company and make sure that the company continues to work to improve its coordination efforts. The audit committee can encourage coordination by appointing a specific person in the internal auditing department to be in charge of coordinating efforts with the external auditor. Learn professional standards. 5. 3. disciplined approach to evaluate and improve the effectiveness of risk management.

the internal auditing function should take the first step. the work has to meet standards set by accounting regulators. including: • • • • • • • Educational level and professional experience of internal auditors. Statement on Auditing Standard 65 (SAS) explains the evaluation process external auditors must follow before relying on internal auditors work. 76 | P a g e . the individual should be given sufficient time and resources to convert ideas into actions.addition. they can create value through taking the initiative to improve relationships with the external auditor. Policies to maintain internal auditors objectivity about the areas audited. The organizational status of the internal auditor responsible for the internal audit function. external auditors are to search for factors under two general headings: 1. this standard dictates that external auditors must assess the competence and objectivity of the internal auditors. Quality of working-paper documentation. reports. Internal auditors are vital and major stakeholders in the companies they work for. Practices regarding assignment of internal auditors. Professional Standards In order for external auditors to rely on the work performed by internal auditors. and as such. If companies want to improve coordination levels. SAS 65 requires auditors to look at seven factors relating to competence. 2. The audit committee may choose to suggest ideas and to request feedback directly from the individual in charge of coordination to make sure the coordination efforts move forward. Evaluation of internal auditors performance. otherwise the individual will become frustrated and the entire coordination process will break down. Audit policies. When evaluating the objectivity of internal auditors. Supervision and review of internal auditors activities. Specifically. the audit committee will be able to easily follow up and monitor the progress made in coordination efforts. and recommendations. and procedures. The individual assigned to improve coordination must have authority to examine different ways to coordinate even if at first glance there are no apparent benefits. Professional certification and continuing education. programs. In addition.

The time savings from relying on work performed by the external auditors can meet or exceed the time 77 | P a g e .The internal auditors must comply with these standards if the external auditor is to rely on the internal auditors work. Internal auditors who understand the internal and the external auditing standards will be able to make sure the work they perform meets the necessary regulatory requirements so the external auditors can rely on their work. The wording is so similar to what external auditors look for that by complying with the IIA standards. The IIA encourages the internal auditors to comply with these standards through The International Standards for the Professional Practice of Internal Auditing. Two particularly damaging myths are the idea that the internal audit staffs do not have the time or the resources to coordinate with the external auditors. In a survey performed by Felix et al. Dispel Myths Corporate myths destroy many coordination efforts before they begin. all that is required is for the internal auditor to consider how external auditors could use test work and to document properly the test work performed so that the external auditor can rely on the internal audit function s work. the internal auditors will also be complying with external auditing requirements. Working with the external auditors may even increase the time available to the internal audit department. Internal audit did not have resources available to complete work which could be used by the external auditors as part of the financial statement audit. Then. the Standards state that internal auditors should use a systematic and disciplined approach to perform all internal auditing work. Understanding the standards will help to lessen duplicated work and thereby increase efficiencies. Often. Following this endorsement of coordination. the majority of internal auditors surveyed disagreed with the statements: • Internal audit did not have time available at the end of the year to provide assistance to the external auditors during the financial statement audit. • Most internal auditors recognize that the additional time and money required to perform tasks in a manner that external auditors can rely on is minimal. which states: The chief audit executive should share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts. Respondents in organizations with exceptionally high coordination efforts indicated that internal auditors extensively relied on work performed by external auditors. in similar language to external auditor standards. the internal auditing standards explain what a systematic and disciplined approach is.

the organization can seek to find an auditor who is willing to work together to provide superior audit effectiveness and greater cost savings for both parties. In addition. cost savings result from coordination. limiting the areas to start 78 | P a g e . The most powerful ally the audit committee must be on board to advance coordination significantly. There are several specific benefits that are likely to cause the committee to act. internal and external auditors can exert greater pressure on management to keep them from using over-aggressive accounting principles than each party can exert independently. The audit committee should understand the potential cost savings and could be encouraged to ask management to funnel these cost savings back into the internal auditors’ budget. the internal auditors can encourage the audit committee to approach the external auditors with a plan on the potential changes the organization would like to see. the internal auditing function should show that coordination increases audit effectiveness for the company and efficiency for the internal auditors. resulting in additional time to focus on other areas. it needs to recruit allies. • • • Once the audit committee accepts the strategy of coordination. however. If the auditor does not wish to participate. thus. The internal audit department needs to take the initiative to educate the committee on the benefits of a cooperative working relationship between external and internal auditors. By working together. While not as critical as improving audit quality. The audit committee can exert a tremendous influence on external auditors. • The audit committee should understand that increased audit coverage through coordination lowers the risk of misstatement and fraud. Start from the Top Once the internal audit function has decided to take responsibility to improve coordination and has dispelled any myths in its organization. however. To inform members of the audit committee of the potential benefits to coordination. they often do not realize the importance of auditor coordination. improved coordination can enable internal auditors to follow-up more closely on control deficiencies found by the external auditors and increase the rate at which improvements are implemented. Select Appropriate Targets Initiating a coordination effort can be an overwhelming process. Identifying potential areas for coordination is usually not the problem. decreasing the risk of personal and corporate litigation.spent helping the external auditors perform their duties.

the internal auditor can also work in some areas of the second category always making sure the external auditor can rely on the 79 | P a g e . This proposed standard separates testing work performed by third parties. In order to maximize coordination. including controls specifically established to prevent and detect fraud that is reasonably likely to result in material misstatement of the financial statements. and reclassifications).Walkthroughs. including controls over procedures used to enter transaction totals into the general ledger. - The First Category includes areas where the external auditor cannot rely on any work performed by a third party. report combinations. - The Second Category in the proposed standard stipulates areas that auditors should only rely on procedures performed by a third party to a limited degree. The internal audit department can focus their work on the third category of tests and thereby reduce the fee charged by the external auditor. These areas include: Controls over significant nonroutine and nonsystematic transactions (such as accounts involving significant judgments and estimates). i. When deciding where to focus. Controls that have a pervasive effect on the financial statements. Controls over significant accounts. - The Third Category includes all other work performed by third parties. or disclosures where the auditor has assessed the risk of failure of the controls to operate effectively as high. iii. i.on usually is a problem. Controls over the period-end financial reporting process. including the internal auditor. External auditors have to perform the work regarding these areas and the internal audit should rely on the work performed by the external auditors. such as certain information technology general controls on which the operating effectiveness of other controls depend. the internal auditors should consider the Public Company Accounting Oversight Board s (PCAOB) proposed audit standard concerning section 404 of Sarbanes Oxley. and to record recurring and nonrecurring adjustments to the financial statements (for example. consolidating adjustments. the internal audit group should not focus their time on the first category of test work stipulated by this proposed standard. Work in this area includes: Controls that are part of the control environment. record. to initiate. ii. processes. ii. and the standard specifies that external auditors can rely on this work without specific limitation. If time permits. into three categories. and process journal entries in the general ledger. Internal auditors should first focus on targeting areas that will provide the greatest benefits.

work and will not have to duplicate the internal auditors’ effort. In addition. Instigate Training Research indicates that internal and external auditors differ significantly on their appraisal of internal auditors understanding of the external audit. The frequency of communication between internal and external auditors depends upon the size of the organization and the amount of coordination that is currently taking place. In order to change this perception. the internal auditing department should be proactive and initiate communication on a regular basis. and other competencies through continuing professional development. phone calls. communications during the early part of the year and the financial quarter will result in greater external auditor reliance when they perform the audit. Formal meeting times should be established throughout the year where goals can be set and reviewed. internal auditors should seek to follow IIA standards by honing their professional skills. Internal auditors might inquire about the 80 | P a g e . Internal auditors can focus efforts to improve their competencies in external auditor methods. communication becomes critical. External auditors do not believe internal auditors understand the work of the external auditor as much as internal auditors believe they understand the work. Often overlooked. this perception must be improved before the external auditors will place significant reliance on the internal auditors work. Internal auditors should enhance their knowledge. Although formal meetings are important. Proper communication encompasses more than meetings. internal auditors will develop more skill in the areas they are auditing and will perform audits that are more effective. Whether warranted or not. and procedures. The perceived competence of the internal auditors will grow if internal auditors communicate using the same language as the external auditors. the International Standards for the Professional Practice of Internal Auditing states. simple differences in vocabulary could account for the external auditors lower perceived understanding levels of the internal audit function. By understanding accounting standards and choosing a specific area of focus. The success of the entire effort hinges on the communication level established. Increase Communication Once the internal and the external auditors have agreed to improve coordination. internal auditors will improve the auditing process in their companies. Training should help educate internal auditors on the vocabulary and the procedures used by external auditors. emails. relatively constant communication throughout the year should ensure both parties stay focused on improving the audit coverage in the organization. and other forms of communication are necessary to work together on a continuous basis. Specifically. In addition. vocabulary. informal meetings. Internal auditors should request to meet with key members of the external auditing team early in the financial year to coordinate a yearlong effort. Again. duplicated work will be eliminated. skills. As both groups successfully carry out targeted coordination. While many of the procedures are the same.

Seven steps will help the internal auditing department improve coordination efforts: -Taking the initiative. Neither internal nor external auditors want to duplicate work unnecessarily. Most large CPA firms provide excellent training to their employees and adding a few internal auditors at several meetings would enable them to learn along with the external auditors. -Dispelling myths. The Certified Internal Auditor (CIA) and Certified Public Accountant (CPA) designations prove that the internal auditor has attained to a high level of professional competency. waste time needlessly. -Learning professional standards. Through a focused training effort. -Increasing communication. The best way to improve the external auditors perception of the internal auditors competency is by gaining professional certifications. -Selecting appropriate targets. The Sarbanes Oxley Act requires companies to disclose more information and to increase the testing to make sure the disseminated information is accurate. they can also enhance the efficiency and effectiveness of both professional groups. These steps become a cycle of continuous improvement when an organization dedicates itself to improving audit quality. A step to help quicken the restoration of confidence is for internal auditors to improve audit effectiveness and efficiency by coordinating their efforts with external auditors. The passing of the Sarbanes Oxley Act offers an excellent opportunity for internal auditors to improve coordination efforts. External auditors will feel more comfortable relying on the work performed by individuals who have demonstrated their professionalism by acquiring professional certifications. 81 | P a g e . Coordinated efforts are not only encouraged by IIA and AICPA standards. Although individuals will continue to commit fraud. As internal auditors communicate with external auditors on their level. the external auditors will be more likely to rely on work performed by the internal auditors resulting in improved audit efficiency and effectiveness. or spend money fruitlessly. and -Instigating training. companies will increase both the perceived and the actual competency of their internal auditors. organization can consistently follow these seven steps to improve coordination between internal and external auditors. Attending external auditor training would improve the competency of the internal audit staff and increase external auditors’ confidence in the abilities of the internal auditors. the internal auditors can team with external auditors to improve shareholders trust in the information companies’ release. Through coordination.possibility of attending training sessions sponsored by their external auditor. A coordinated audit approach will improve stakeholders trust in the organization and decrease costs thus adding long-term value to an organization. -Starting from the top.


regulators are specifying newer requirements to increase the accuracy of financial reports. 83 | P a g e .CHAPTER-7 Why & How to Coordinate? Chapter-7 Why & How Coordinate? 7.1 The Need for Coordination: Proper coordination can lead to efficient and effective audits as there is no unnecessary duplication of efforts and auditors can focus on other tasks. With the increasing scandals and frauds. In this environment. coordination between auditors is one of the methods by which companies can improve their perceived trustworthiness.

This redundancy causes higher audit fees but does not increase the effectiveness of the audit. External auditors may therefore discover and solve issues that internal auditors have not dealt with before. which results in wasted internal audit time.Varied strengths increase effectiveness By the nature of their responsibilities. the savings from co-ordination are greater than the cost incurred by the internal audit function to perform the work on which the external auditors rely. 84 | P a g e . When the audit is not properly coordinated. In most cases. internal auditors may duplicate external auditors work. This will lead to clearer understanding of respective audit roles and requirements and a better understanding by each group of auditors. Increase in efficiency Coordination increases efficiency. They notice things and come across instances. Combined. the synergies realized through improved coordination add value to a company’s shareholders. which the external auditor is unable to see during his visits. Similarly. Cost reduction Coordination reduces the time and efforts which the external auditor would expend on redundant work thus. external auditors may duplicate work already performed by the internal auditors. internal auditors spend a lot of time working for the same company. This gives them a better understanding of the culture and working of the organization. Better understanding of each other’s work Coordination would imply that the auditors communicate and consult with each other their plans and findings. Better audit coverage It is expected that elimination of redundant work will leave time and resources for better audit coverage. The external auditors on the other hand have exposure to wider variety of financial issues as they have multiple clients. reducing the audit fees. Coordination increases the probability that the information companies release is accurate.

However due to status and power differences managers may be unwilling to share problems as they may fear how such issues will be perceived. Internal audit may be unable to get the required support whether budgetary or otherwise to make coordination successful. there may not be commitment to the coordination effort on the part of all the entities involved. Some of these challenges or barriers to effective coordination are as follows Lack of Openness For the coordination effort to bring maximum benefit to the organization there must be a willingness to be open about weaknesses and problems as well as strengths.2 CHALLENGES AND BARRIERS TO EFFECTIVE COORDINATION As with any effort there are challenges which internal audit will face in pursuing effective coordination. it must on the other hand. Focus on the Entity s Own Needs and Goals In particular. Internal audit can overcome this challenge by educating each entity on the potential benefits of coordination and its importance to organizational performance. Unwillingness to Coordinate While the internal audit function can do all in its power to coordinate and facilitate coordination between itself and the other entities discussed it will be a challenge to ensure that the entities coordinate with each other. executive Managers. ensure that the it considers all entities in the coordination effort. coordination is more likely to be successful. Once there is commitment from the very top. For various reasons. According to Powell and Yager (2004): A key defining aspect of coordination is how to efficiently bring together two or more diverse groups so their interactions with each other are favorable and outcomes are improved. internal audit can overcome this barrier by carrying out a cost benefit analysis to demonstrate that coordination is worth the investment. the external auditors and the audit committee to consider the corporate value to be added through coordination. commitment from the board is necessary. the audit committee and external auditors may be inward looking being focused on their immediate needs and goals and may fail to be interested in coordinating beyond the basic requirements. the achievement of organizational goals and objectives and the maximization of the interests of all stakeholders.7. A climate of trust will create the conditions for sharing both strengths and weaknesses (Daft. While internal audit has to encourage management. ensuring coordination will take persistence on the part of the internal audit function. 85 | P a g e . Lack of Commitment from the Board Given the scope of the coordination effort pursued by internal audit. However. Effective coordination should result in the enhanced performance of each role. to that of thinking corporate value. The challenge is to find innovative ways to change the philosophy. As with any effort. which yields value. it may require significant changes and as such. 2000).


internal auditors can enhance coordination efforts with external auditors and develop a more effective strategy for collaboration. Internal auditors may want to emphasize and initiate action in three key areas: 1.CHAPTER-8 Responsible Persons & Entities for a Maximum Coordination Chapter-8: For ensuring the maximum coordination. Promoting internal auditor competence and objectivity. The Role of Internal Auditor: Internal auditors should take a proactive role in exploring how the work of internal and external auditors can be coordinated and productively utilized. A full understanding of respective professional responsibilities and concerns can help build a mutually beneficial relationship. INITIATIVES TO MAXIMIZE BENEFITS By combining the advice framed by The IIA and the AICPA. 87 | P a g e .

External auditors will be able to rely on internal auditors' work. fewer disagreements may occur between management and the external auditors over the application of accounting principles. This issue should be proactively and creatively 88 | P a g e . and significant reductions in external audit fees may be possible. this enhanced understanding can lead to more valuable recommendations from the external audit." directors can make external auditors aware of planned internal audit activity that is relevant to the external audit. MAXIMIZING EXTERNAL AUDIT RELIANCE Directors of internal auditing should work aggressively with external auditors to maximize their reliance on internal auditors. Such benefits justify a considerable organizational commitment to internal auditor competence and objectivity. As a result. 3. The staff will produce meaningful audits that significantly contribute to the achievement of organizational objectives in a wide variety of areas. During this "marketing effort. 1. UTILIZING EXTERNAL AUDIT WORK Internal auditors should seek ways to take advantage of their many opportunities to use the work of external auditors to achieve internal audit objectives. Internal audit directors can also increase the extent of internal auditor usage by considering the needs of external auditors when they are developing the internal audit programs. Also. Equipped with an understanding of the relevant professional responsibilities of external auditors. Likewise. Section 100 of the Standards is devoted to auditor independence and Section 200 contains valuable guidance on the acquisition and maintenance of professional proficiency. The IIA Standards are an excellent source that responsible officials can turn to while developing and implementing programs designed to instill these attributes in internal auditors. 2. Utilizing to a greater degree the work of external auditors.2. directors can clearly demonstrate that their staff members can be used in a wide variety of areas. Working with external auditors to maximize their reliance on internal auditors. and 3. PROMOTING COMPETENCE AND OBJECTIVITY Maximizing internal auditor competence and objectivity should be a top priority for any organization seeking to enhance the value it receives from its internal and external audits. c. At least three important benefits will be realized from a competent. objective internal audit staff: a. b. Internal auditors who are intimately familiar with the organization under review are in an ideal position to provide information about the "business" behind the financial statements. human resources allocations that enable "direct assistance" by internal auditors encourage the external auditors' reliance.

Internal auditors should ensure that this situation works to their advantage. Throughout this process. As long as the external auditors can achieve their goals. the director should look for situations where the external audit programs could be modified to maximize benefits to the internal audit function while still allowing the external auditors to accomplish their objectives. and an inventory of audit procedures that are relevant to the internal audit agenda can be prepared. * Evaluating systems established to ensure compliance with laws and regulations impacting the financial statements. How Internal and External Auditor Activities Overlap Both external and internal auditors are responsible for: * Evaluating the reliability and integrity of financial information. During the planning process. the internal controls that affect elements of the financial statements. and the accounting information system that ultimately generates the statements. Areas of greatest opportunity will likely include the planned internal audit activity relating to the organization's financial statements.addressed during internal audit planning and before the external auditors begin their fieldwork. Evaluating internal controls affecting the financial statements. efficient and informed management of all subsets of their function becomes more and more important. As internal audit roles continue to expand. Maximizing the relationship with external auditors can be a vital link in the operation and structure of successful internal auditing. nothing in the AICPA standards prevents them from modifying their audit programs to accommodate internal audit requests. TAKING CHARGE The professional rule-making bodies of the internal and external audit professions encourage cooperation in a wide variety of areas. A convincing argument on the part of the director of internal auditing is totally appropriate and may result in added benefits for the internal audit staff. This review of planned internal audit activity can then be combined with a careful study of the projected external audit programs. * Evaluating methods for safeguarding assets and verifying the existence of assets. directors of internal auditing can scrutinize the subset of internal audit activity that is likely to overlap the activities of the external auditors. 89 | P a g e .

In some instances. This can greatly assist in the planning and execution of the audit. if reported on at all lacked detail (Moeller. * Provide the external auditors with the information they need to properly evaluate internal audit work. 1999). They are not themselves required to evaluate internal control effectiveness (SOA. Before the act. * Provide reasonable access to the audit programs and workpapers. alternative 90 | P a g e . and terminology used by the external auditors. methods. there was limited communication between external auditors and the audit committee. One of the concerns addressed by SOA was the need for more regular reports of external auditors to the audit committee. * Exchange audit reports and management letters. Being convinced that internal audit is sufficiently competent and independent the external auditors can place reliance on internal audit work carried out and as such need to coordinate with them (Engle. and other matters that external auditors are required to communicate to the board of directors. 2002). * Provide external auditors with management responses to internal audit reports and subsequent internal audit follow-up. Therefore. Management is responsible for financial reporting and the implementation of all internal controls. Role of External Auditor: External auditors are responsible for expressing an independent objective opinion on the financial statements. external auditors are now restricted to providing attestation of management internal controls report. disagreements with management. * Obtain an understanding of the audit techniques. 2002). * Attempt to use similar audit methods and terminology.from Section 550 of the IIA Standards .to promote coordination with external auditors: * Call frequent meetings to discuss matters of mutual interest. it is necessary that the external auditors coordinate with managers and internal auditors.Coordination Initiatives Internal auditors can take the following actions . * Request information about known or suspected illegal acts. With SOA Section 404. SOA Section 204 now requires that auditors report regularly to the audit committee on accounting policies and practices used. reports on pertinent issues such as changes in accounting methods used.

dean of Dartmouth's business school. such as transitions to public ownership or expansion into new markets. In order to accomplish this. It needs access to 91 | P a g e .treatments presented to management for consideration and the auditors preferred method (SOA. companies should make sure that they: • • • • • • • • Select an auditing firm with expertise in their industry and a proven track record. their responsibilities overlap in some areas. and Hermanson. grow. Three of the five major sections that comprise the scope of internal auditing defined in IIA Standards overlap with the responsibilities of external auditors following GAAS. "Aggressively seek its advice. but while the roles of internal and external auditors are distinct." Paul Danos. as defined in Section 300 of the IIA Standards for the Professional Practice of Internal Auditing (Standards). and provide relevant and reliable data for it to review. viewing it as an asset rather than a liability. A comparison of the scope of internal auditing. as it would foster compliance to this reporting requirement of SOA by strengthening communication links between the audit committee and external auditors. Carcello. such as inventory levels Focus on periods of change and expansion. Establish effective lines of communication and work processes between external auditors and internal auditors (if any). Working with External Auditors Experts urge business owners to establish proactive working relationships with external auditors. to the professional responsibilities of external auditors under the AICPA's Generally Accepted Auditing Standards (GAAS). Coordination is necessary in this regard. auditors have seen many businesses and know how they survive. The audit committee's effectiveness is restricted by the quality and extent of information it receives. dearly demonstrates this common ground. and prosper. 2002). "Managers tend to dismiss auditors as bean counters. Make sure that owners. "However. Establish and maintain efficient recordkeeping systems to ease the task of the auditor. and managers know the basics of financial reporting requirements." Focus on high-risk areas of operations. Build an effective audit committee that can provide cogent financial and operational analysis based on audit results. Recognize the value that external auditors can have as an objective reviewer of existing and proposed operational processes. told Business Week. Role of the Organization itself: Organizations utilize internal and external auditors to achieve several important objectives. executives. "Enlist the committee's help when you review financial reporting related matters." counseled Beasley. Internal audit derives credibility and authority for its functions directly from its mandate and indirectly by virtue of its close relationships with the chief executive and other senior management of an organisation.

the charter serves to help both the full 92 | P a g e . Another concern. Kroll notes is that "when auditors also act as consultants. at least on an annual basis. The Audit Committee Charter Policies and procedures should be established to facilitate communications between audit committee members and auditors." But other analysts contend that auditing firms are instituting operational practices to ensure that their auditing function remains uncompromised.reliable financial and nonfinancial information." "Some question whether auditors can take on more of a consulting role and still maintain the independence required to effectively perform their auditing responsibilities. By elaborating on the basic duties of the audit committee. It should be reviewed. including the overall internal audit plan. In summary." wrote Karen Kroll in Industry Week. Requirements for approval of both audit and non-audit services. an audit committee is an operating committee of the Board of Directors. the risk exists that they could end up reviewing a system or process they helped to implement. Relationship with internal and external auditors and management. Identification of the operating guidelines of the committee relative to committee composition. with a Chairperson selected from among the members. Committee members are drawn from members of the Company's board of directors. and for evaluating the independence of external auditors. • The Audit Committee: In a publicly-held company. the audit committee charter should contain the following: • • • • Key components such as the purpose. and other benchmarking data and other comparative information that's prepared on a consistent basis. A properly developed audit committee charter should establish appropriate requirements to facilitate communications and evaluations of auditor independence. and responsibilities of the audit committee. typically charged with oversight of financial reporting and disclosure. industry. An audit committee of a publicly-traded company in the United States is composed of independent and outside directors referred to as non-executive directors. The audit committee charter should set out guidelines for the duties of the audit committee versus those of the full board. meeting frequency and overall guidelines. authority. She notes that some observers question whether audit firms that fulfill consulting roles might compromise their auditing functions if they become financially dependent on certain clients. at least one of which is typically a financial expert.

subject to the ultimate authority of the board of directors. monitor. Incorporate new legal and exchange requirements. Assert the committee's authority to hire and fire internal auditors and external advisors to the audit committee. and safeguard the overall objectivity of the financial reporting and internal controls process. the new challenge for audit committees will be to fulfill all of the new duties and responsibilities assigned it under legislation and stock exchange rules and to shift to a more proactive oversight role. A carefully-constructed audit committee charter will: • • • • • • Delineate responsibilities of the board and those of the audit committee. and outside experts when needed. make certain all groups involved in the financial reporting and internal controls process understand their roles. gain input from the internal auditors. usually on an annual basis. But in the wake of highprofile corporate scandals. and advise company management and outside auditors in conducting audits and preparing financial statements. 93 | P a g e . Be regularly refreshed. the role of the Audit Committee has been to oversee. Questions for the Audit Committee How detailed was our planning for our internal control documentation and evaluation? Have any weaknesses been identified? Have we dedicated sufficient resources? What role do our internal auditors play? Are we providing adequate training? How does internal audit report to the audit committee? What is the role of internal audit in evaluating internal control? Have any weaknesses been identified? Traditionally. and Be disclosed to shareholders to promote transparency. Cover important areas such as structure. process. Audit committees therefore need to ensure accountability on the part of management and internal and external auditors.board and committee members understand their obligations and the general boundaries in which they will operate and will ensure compliance with new legal and exchange requirements. and membership. external auditors.

Sarbanes-Oxley: Major Changes in How Audit Committees Operate Under Sarbanes-Oxley, the relationship between management and outside auditors is largely replaced by one between the Audit Committee and outside auditors. The Audit Committee now is directly responsible for appointment, compensation, retention, and oversight of independent auditors, who report directly to the Audit Committee. In addition, by vesting responsibility and authority for certain audit-related actions in the Audit Committee—to the exclusion of the full board, management, and shareholders—the Act appears to alter the traditional delegation, under state law, of board power to a committee. The Audit Committee must establish specific procedures for handling complaints received by the company regarding accounting, internal accounting controls, or auditing matters including confidential submission by company employees of concerns regarding questionable accounting or auditing matters. All audit services and permitted non-audit services provided by outside accounting firms must be pre-approved by the Audit Committee, subject to a narrow de minimis exception. All approvals of non-audit services must also be disclosed in the company's periodic reports. Certain non-audit services by firms that perform audits are expressly prohibited.

Auditors are required to provide timely reports to the Audit Committee, including:
• •

All critical accounting policies and practices to be used; All alternative treatments of financial information within generally accepted accounting principles that have been discussed with management, ramifications of the use of such alternative disclosures and treatments, and the treatment preferred by the accounting firm; and Other material such as written communication between the accounting firm and the management of the issue, or any management letter or schedule or unadjusted differences.

Ensure open communication among management, internal auditors, external auditors, and the audit committee. The BRC recommended that the audit committee meet separately with management, internal auditors, and external auditors. The NYSE proposal requires that the audit committee meet separately with all three groups. As stated by the BRC: “Since the audit committee is largely dependent on the information provided to it by management, the internal auditor, and the outside auditors, it is imperative that the committee cultivate frank dialogue with each.” It is critical that the audit committee meet in private with each group, both on a regular schedule and on an as-needed basis.
94 | P a g e

Eighty-two percent of the audit committees in the study indicated that they met in private with external auditors, 61% with management, and only 46% with internal auditors. This last result may be related to the low percentage of audit committees that took responsibility for overseeing the internal audit function. These findings lend support to the contention that audit committees have underutilized the internal audit resource.

In this twenty first century, opportunities are opening for the internal audit function to be a truly revolutionary function within the organization. It is in a position to add value like never before. Coordination among the audit committee to the board of directors, executive management, external auditors and the internal audit function is yet another chance for the department to demonstrate its true worth to the organization. Despite the challenges, all the entities involved will benefit from coordination. In view of the fact that these entities are the cornerstones of the foundation for building a sound corporate governance structure, the internal audit function should do all in its power to both establish and ensure effective coordination among them, as this would enhance corporate sustainability. According to IIA’s recommendations, the ideal situation is when the internal and external auditors meet periodically to discuss common interests; benefit from their complementary skills, areas of expertise, and perspectives; gain understanding of each other's scope of work and methods; discuss audit coverage and scheduling to minimize redundancies; provide access to reports, programs and working papers; and jointly assess areas of risk. In fulfilling its oversight responsibilities for assurance, the board should require coordination of internal and external audit work to increase economy, efficiency, and effectiveness of the overall audit process.

95 | P a g e

• Books of References:

A Handbook of Practical Auditing-B.N. Tandon, S. Sudharsanam, S. Sundharabahu Principles of Auditing-Prof. Dr. Khawaja Amjad Saeed. Auditing-Alvin A. Arens, James K. Loebecke.

• •

• Websites URL:

http://www.aicpa.org/Audcommctr/guidance_resources/ia_and_audit_cmte/homepage .htm

• • •

http://www.aicpa.org/Audcommctr/guidance_resources/ia_and_audit_cmte/15.htm http://www.aicpa.org/Audcommctr/guidance_resources/ia_and_audit_cmte/24.htm http://www.theiia.org/download.cfm?file=1763
96 | P a g e

wa.taxguru.html www.pdf www.gov./AuditCoordinationandReports.journalofaccountancy.auditnet.ci.ppt www.html www.com/tradejournals/pub/4153..htm www.carajkumarradukia.za/uploads/internal_audit_charter..theiia.pdf www.doc • • • • • www.pdf www..cfm?file=283 www..ca.state./HowSarbanesOxleyWillChangeTheAuditProcess www.comptrollerofthecurrency.osbm.gov/.• http://www.com/audit-objectives.com/..nc..com/articles/Coordination%20between %20auditors260707.html 97 | P a g e .knowledgeleader..ffiec.gov/policy/20.rustenburg..berkeley.auditing101.ofm.htm www.rustenburg.za/uploads/internal_audit_charter.in/audit/role-of-internal-auditor-in-enterprise-wide-risk-managementerm.gov.org/download..doc www./LinkBetweenInternalControlandInternalAudit./booklets/audit/audit_02_internal_prog.us/.entrepreneur.us/.org/process..theiia..com/..html • • • • • • • • • • www.org/guidance/standards-and-guidance/ippf/standards/ www./SRIARebalancing4!OpenDocument&Splash www./Auditor/.gov/ftp/bb/92-42a.

Sign up to vote on this title
UsefulNot useful