Chapter 14

Internal auditing

Learning objectives
14.1 Understand the evolving nature of internal auditing.
14.2 Appreciate the professional standards developed for internal auditing.
14.3 Understand what internal auditors do in practice.
14.4 Gain an appreciation of the evolving relationship with external audit.
14.5 Appreciate the approaches to assessing risk management, control and governance processes.

Major chapter sections

The evolving nature of internal auditing
Current standards for internal auditors
The practice of internal audit
Future relationship with external audit
Approaches to assessing risk management, control and governance processes

Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14 1
Lecture plan
Internal audit has for the last decade been in a state of transition, with a general move away from a
traditional view of service to management (primarily on the basis of controls review) to a view of
adding value to the client. This shift has given internal audit much more of a business risk assessment
focus (which we call the new internal audit), consistent with the move that we have seen with
external audit. We first examine the traditional view of internal auditing, and then look at how
internal auditing has evolved, and what is involved in the new internal auditing.

You should outline the learning objectives for this chapter, and walk students through how this
chapter outlines the services provided by internal audit.

[Use slides 14-1 to 14-3]

LO 14.1: The evolving nature of internal auditing

The traditional view of internal auditing is that it is an independent appraisal function, established
within an entity as a service to the organisation. This view, however, is evolving. This section helps
students contrast the traditional view of internal auditing with the more current or ‘new’ view as
defined by the Institute of Internal Auditors (IIA). The ‘new’ definition of internal auditing is
provided on slide 14-5. Terms to emphasise in this new definition are assurance and consulting, and
adding value.

Students are also guided through a brief history of the IIA, while gaining some insights into its
current roles. They can also be stepped through the CIA qualification, and what needs to be done to
gain this qualification.

[Use slides 14-4 to 14-10]

LO 14.2: Current standards for internal auditors

The first slide provided for this section outlines the purposes of the IIA standards, while slides 14-12
and 14-13 outline the IIA’s International Professional Practices Framework (IPPF). It is advisable for
instructors to elaborate using subsequent slides that distinguish between attribute standards and
performance standards.

The four categories of attribute standards are outlined in the textbook. The slides, however, only
cover two major categories; independence and proficiency and due professional care.

[Use slides 14-11 to 14-19]

Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14 2
LO 14.3: The practice of internal audit
This covers the scope of internal audit work as identified from surveys undertaken by Institute of
Internal Auditors–Australia, along with the consulting company Protiviti. It includes information on
IA and data analytics.

[Use slide 14-20 to 14-21]

LO 14.4: Future relationship with external audit

This section looks at the future of the internal and external auditor relationships. It must be
emphasised that sometimes the work of internal auditors can be used by the external auditor, although
it is not a substitute for the external auditor’s work in a financial report audit.

[Use slide 14-22]

LO 14.5: Approaches to assessing risk management, control and governance processes

These slides gives an overview of the Australian/New Zealand risk management standard AS/NZ ISO
31000, and the COSO Enterprise Risk Management (ERM) 2013 and 2017 frameworks.Both the
standard and the frameworks are commonly used in practice.

[Use slides 14-23 to 14-28]

Summary
We provide a summary slide of the main learning takeaways in this chapter.

[Use slide 14-29]

Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14 3
 SOLUTIONS
REVIEW QUESTIONS
14.1 Internal auditing is an independent, objective assurance and consulting activity designed to add value
and improve an organisation’s operations. It helps an entity achieve its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
control and governance processes.

This objective was introduced by IIA several years ago. Before this time, the objective of internal
auditing was broadly stated as assisting members of the organisation in the effective discharge of
their responsibilities.

14.2 In the past, to obtain the Certified Internal Auditor (CIA) qualification, a candidate needed to:

 be a member of IIA–Australia or of another relevant IIA chapter

 hold a Bachelor’s degree or equivalent (in any discipline) from an accredited university-level
institution

 exhibit high moral and professional character

 complete 24 months of internal audit experience or experience in audit/assessment disciplines,

including external auditing and quality assurance

 pass the CIA exam and keep the contents of the exam confidential.

However, the Global Board of Directors has recently approved an alternate path to eligibility for the
CIA for those candidates who do not possess a Bachelor’s degree from an accredited
university. Candidates may now become eligible for the CIA, subject to approval, who possess two
years’ post-secondary education and five years’ verified experience in internal audit or its equivalent,
or seven years’ verified experience in internal audit or its equivalent.

14.3 In accordance with IIA Standard 1110, to maintain organisational independence, the internal audit
department should report to a level within the organisation that allows internal audit to fulfil its
responsibilities. Best practice indicates that this will be the board of directors or the audit committee.
The head of internal audit should also have direct access to the board (audit committee) to help ensure
independence, as well as to keep the board informed.

In addition, the board (audit committee) should concur with the appointment or removal of the head of
internal audit.

14.4 In accordance with IIA Standard 1130, internal auditors should refrain from assessing operations for
which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor
provides assurance services for an activity for which the internal auditor had responsibility within the
previous year.

14.5 In accordance with IIA Standard 1220, elements that the internal auditor should consider when
exercising due professional care include:

Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14 4
  extent of work needed to achieve the engagement’s objectives

 relative complexity, materiality or significance of matters to which assurance procedures are

applied

 adequacy and effectiveness of risk management, control and governance processes

 probability of significant errors, irregularities or noncompliance

 cost of assurance in relation to potential benefits.

14.6 In accordance with IIA Standard 2010, internal audit must establish a risk-based plan to determine the
priorities of the internal audit activity, consistent with the entity’s goals. As a result, in planning the
engagement, matters internal auditors should consider include:

 the objectives of the activity being reviewed and the means by which the activity controls its
performance

 the significant risks to the activity, its objectives, resources and operations, and the means
by which the potential impact of risk is kept to an acceptable level

 the adequacy and effectiveness of the activity’s risk management and control systems
compared to a relevant control framework or model

 the opportunities for making significant improvements to the activity’s risk management and
control systems.

14.7 The ASX Corporate Governance Principles and Recommendations (Recommendation 4.1) state that if
a listed entity does not have an internal audit function, they need to explain the reason for this.
Additionally, they should explain how risk management and internal control processes are managed,
evaluated and continually improved in the absence of an internal audit function.

14.8 Key findings from the 2017 Protiviti survey were:

 Data analytics was gaining a foothold in internal auditing, with two out of three departments
utilising analytics as part of the audit process.

 A significant majority of internal audit functions judge their analytics capabilities to be at

the lower end of the maturity spectrum.

 Organisations with more mature analytics capabilities in the internal audit function are
realising greater organisational value from data analytics.

 Cybersecurity, cloud, mobile tech and big data dominate the priority list for internal
auditors.

 Business and digital transformation is drawing more attention than in prior years.

14.9 The level of reliance placed on internal audit by external audit in this area will be very much
determined by what type of work the internal auditor undertakes.

Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14 5
 Therefore, it is likely that a much wider scope of function will be considered than has been previously
considered by the external auditor, including work performed by the internal auditor in evaluating
business risk. In determining reliance on internal audit, the external auditor will still have to assess the
objectivity, technical competence, due professional care of the internal auditor, and the
communications between the internal auditor and the external auditor. However, it also must be
remembered that ASA 610.Aus 25.1 prohibits the use of internal auditors to provide direct assistance to
an external auditor by performing audit procedures under the direction, supervision and review of
external audit.

14.10 There are concerns about the independence of the external auditor when they also provide internal
audit services. There is also a concern that the large accounting firms that are providing internal audit
services are seen to be competing with in-house internal auditing functions. A benefit of outsourcing is
the greater availability of internal auditing expertise that might possibly come from ‘contracting in’ the
required areas of expertise. Also, there is the general benefit of outsourcing, which is that it allows an
organisation to concentrate their resources on their core competencies.

14.11 Matters that internal audit should evaluate in relation to risk exposures include whether:

 an appropriate risk management framework exists that will identify and assess significant
risks

 appropriate risk responses are selected by management and the board that will align risks
with the entity’s risk profile

 relevant risk information is communicated across the entity.

14.12 Areas in which internal audit should evaluate the adequacy and effectiveness of internal controls
include:

 effectiveness and efficiency of operations

 reliability and integrity of financial and operational information

 safeguarding of assets

 compliance with laws, regulations and contracts.

14.13 The COSO ERM Framework outlines the importance of enterprise risk management in strategic
planning. It emphasises that it is important to embed ERM throughout an entity, as risk both influences
and aligns strategy and performance across all parts of the entity.

DISCUSSION PROBLEMS AND CASE STUDIES

14.14 (Easy)

In her report to the board, Michaela should explain that the internal audit activities can add value to
Express Solutions’ risk management and corporate governance areas by:

 assessing risk management, control and governance processes using business risk models
such as SWOT analysis, PEST analysis and value-chain analysis

Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14 6
  undertaking activities that are consultative (providing advice) in nature—that is, by
providing expert advice—about:

o risk exposures and their management

o control strategies, structures and systems

 raising awareness about risk exposures and related controls

 contributing to the improvement of risk identification, management and control systems

 providing ongoing assurance about the efficiency and effectiveness of risk-identification and
management systems, control strategies, structures and systems

 contributing towards enhanced understandings of different types of control that can be used
in organisations

 focusing on the risk exposures associated with the achievement of an organisation’s

objectives

 focusing on control as a facet of risk management.

14.15 (Medium)

The role of Supported Living’s internal auditors with regard to the system switch-over processes at
Serenity would be to consider areas for business improvement and business risks. Given the objective
to ‘make sure the switch-over worked without any problems’, the role of the internal audit team would
have been to make sure that all steps of the system switch-over processes were followed in accordance
with the agreed plans, methods and resources. If the steps were not adhered to, then the internal audit
team would have had to increase the business risk that Serenity would not be able to correctly process
its patient revenue, affecting cash flow and so on. Some of the procedures involved would include
checking all the steps to ensure that all the data was complete (e.g. by undertaking a record count to
ensure that all records in each file were transferred, with none lost or duplicated) and accurately
transferred to the new system (e.g. ensuring the key fields ad correctly after the switch-over).
14.16 (Medium)

Issues of concern to the head of internal audit:

Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14 7
 Issue
Issue 1: There were numerous
occasions during the year when three
major accounts receivable,
representing 35% of gross revenues,
settled their accounts 30 days after
the due date. These accounts
receivable have been long-standing
and reliable customers.
Issue 4: Failure to carry out machine
maintenance in accordance with the
required maintenance cycle, leading
to warranties being invalidated.
Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14
Justification
Although there does not appear to be any risk of bad
debts in relation to these customers, the head of internal
audit will be concerned about the possible adverse
impact on the company’s cash flows of the slow
collections leading to potential inability to meet its
financial commitments on a timely basis.
The head of internal audit will be concerned about the
breakdown in internal controls over the maintenance of
machinery under warranty. This results in the invalida-
tion of warranties, causing the company to incur repair
costs within the warranty period. This would have been
avoided had the machines been maintained in accordance
with the manufacturer’s maintenance cycle.
8
 Issues of concern to both external auditor and the head of internal audit:
Issue
Issue 2: The company has an
accounts receivable insurance
policy, which allows the company to
claim for bad debts of up to $25 000
per annum. The amount covered
under the policy has remained the
same since 2015 (when the accounts
receivable averaged $1 million).
Since 2015, the average accounts
receivable balance has increased to
$2 million.
Issue 3: Lack of supervision over
the accounts payable clerk relating
to the accuracy of the cost of the
imported inventories acquired in the
last two months of the year ended
30 June 2018.
Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14
Justification
Both the external auditor and the head of internal audit
will be concerned that potential losses, incurred on
possible bad debts, will have a material impact on the
company’s financial results and consequently on its
financial position, given that the amount insured has not
increased in accordance with the increase in the amounts
of accounts receivable outstanding.
Both the external auditor and the head of internal audit
will be concerned about the breakdown in internal
control over the correct costing of imported inventory
during the two-month period leading to year-end. The
lack of supervision of the accounts payable clerk could
result in the incorrect valuation of inventory on hand at
year-end and the recognition of an incorrect amount of
cost of goods sold in respect of the inventory sold during
the year.
9
14.17 (Hard)
Issues of concern to the head of internal audit:
Issue
Issue 3: Employees have reacted unfavourably
to an amended annual leave policy. The
amended annual leave policy requires
employees to book their annual leave in blocks
of two weeks. It also requires employees to
take their full 20 days’ annual leave
entitlement each year. Many employees are not
following the annual leave policy and are
booking annual leave in blocks of one week.
Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14
Justification
The amendment of the annual leave policy has
no bearing on the impact on the annual financial
report, but it is of interest to internal audit as
there has been a lack of compliance with
management policy.
Internal audit would also consider the impact on
the wellbeing of staff. Taking two weeks’ leave
in one block, rather than the old policy of one
week, will go further in enabling employees to
reduce stress by winding down.
10
 Issues of concern to both external auditor and the head of internal audit:
Issues
Issue 1: Many employees have complained
that their payslips do not accurately reflect
their leave entitlements.
Issue 2: Employees’ annual leave balances
have increased by more than 15% over the
past year.
Issue 4: As demand for courier services in
the Sydney area has recently declined,
Speedy Delivery has laid off many employ-
ees, resulting in the remaining employees
taking on additional tasks. This has in-
creased employee stress levels.
Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14
Justification
External auditors would be concerned about the
accuracy of leave reflected on the payslips, as this
might cause a material error in the financial report.
Internal auditors would be concerned about the
accuracy of leave reflected on the payslips, as this
might cause errors in the financial report, operational
forecasts, resource planning and also impact on staff
morale. The inaccuracy may also be the symptom of a
significant system issue.
External auditors would be concerned that annual
leave balances have increased by more than 15%, as
this would have a material impact on the financial
report.
External auditors would need to establish whether the
increase is the result of employees not taking as much
leave this year or due to a breakdown in the controls.
Employees may be taking leave and not filling in
timesheets, or the system may be reflecting the
incorrect leave balances due to calculation errors.
Internal auditors would also be concerned at the
significant increase in annual leave balances, as this
may create the opportunity to conceal any
weaknesses/breakdowns in internal control. They
would also be concerned about the impact on the
financial report.
Employees taking on additional tasks may have an
impact on the approach to the audit, as a controls-
based audit may be impacted by a lack of segregation
of duties.
Internal auditors will be concerned about employees
taking on additional tasks and the increased stress
levels, as this presents the following risks.
 There may be a lack of segregation of key duties
and staff may perform incompatible tasks.
11
  Increased staff stress and reduced morale may
reduce compliance with controls, efficiency of
operations and the quality with which controls are
performed. Stressed staff may also take short-cuts
when performing their duties.

Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14 12
14.18 (Easy)

As the internal audit department (IAD) has not had responsibility for the design or implementation of
the current stocktaking procedures, there is unlikely to be an independence problem. The only area of
concern would be the training provided to the managers. If adequacy of training was a part of the
review, the IAD might have some concerns about the perceived independence of their report, given
some involvement in training by IAD staff.

14.19 (Easy)

(a) Assessment of the reporting structure of the internal audit department (IAD) reveals that it does
not appear to be independent, in accordance with IIA Standard 1110, for the following reasons:

 The head of IAD reports to the CFO. One responsibility of IAD is to review the work of the
accounting department—it is doubtful that they could remain unbiased with respect to the
accounting department.

 The audit programs are designed by the CFO. This impairs the independence of the IAD, as
they are reporting on areas under the CFO’s control.

 Roslyn and Brendan perform accounting tasks, so are potentially in a position of evaluating
their own work.

(b) Realignment of the reporting structure should include the following changes.

 The IAD should report to the board of directors or the audit committee.

 Responsibility of coordinating IAD staff should pass to Frank, and he should have
responsibility for designing and implementing the internal audit programs.

 IAD staff should be removed from any operating responsibilities.

14.20 (Easy)

(a) Yes. Internal auditor A is required to undertake continuing professional development. (Refer to
IIA Standard 1230.)

(b) Yes. Internal auditor B should reveal all material facts known to them that, if not revealed, could
either distort reports of operations under review or conceal unlawful practices. Internal auditor B
should report this matter to the audit committee. (Refer to IIA Standards 1110 and 1111.)

14.21 (Medium)

(a) Having the director of IAD report to the CFO will tend to restrict the scope of the internal audit
department’s work to accounting and financial matters. It is also possible that the CFO may
direct the work of IAD away from areas of interest. This reporting line is contrary to IIA
Standard 1110. The director of IAD should report to the board of directors (or to the audit
committee if there is one).

(b) Making the IAD responsible for the adequacy of the internal control system is contrary to IIA
Standards 1120 and 1130. The IAD should have no direct responsibilities or authority over
activities that they audit. The IAD should only review the adequacy of such systems.

Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14 13
 (c) Limiting full access to accounting records only and thus restricting the scope of the IAD is
contrary to IIA Standard 1130, which requires full access to all records, properties and personnel
relevant to the subject under review.
(d) This is not in conflict with IIA standards.
(e) Participation in the design and implementation of internal control is contrary to IIA Standard
1120 and should be prohibited.
(f) This is not in conflict with IIA standards.
14.22 (Hard)
Issue (a) Effect on Explanation
independence
(i) No effect on The CEO is not changing the
independence content of the report as
presented by the internal
auditors, just adding to the
management comments. As
long as these comments are
clearly defined as ‘management
comments’, these do not affect
internal audit independence.
(ii) Weakens Because of the presence of the
independence CEO, who is Steven’s boss, at
these meetings, it is highly
likely that Steven will not be
able to openly discuss internal
audit issues. As such, it will
weaken internal audit
independence. (Refer to IIA
Standard 1110.)
(iii) Weakens If Steven’s future career success
independence is directly linked to the
outcomes of the audits, there is
a risk that Steven will reduce
his audit findings in order to
avoid controversy with
management. (Refer to IIA
Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14
(b) Action Steven could take
Steven should ensure that the
CEO understands the need for
the management comments to
be clearly separated from the
internal auditor’s report.
In order to further strengthen
his independence, Steven
should request that the
meetings with the audit
committee take place without
senior management
representation. Steven should
also raise the issue that
independence can be
compromised by his reporting
to the CEO rather than the
audit committee.
Steven could explain to
management why his
independence could be
compromised, and that he will
not be softening his approach
in order to obtain future
employment within the
14
 Standard 1120.)
(iv) No effect on Steven is doing his job as long
independence as he reports issues as they are
uncovered, without letting the
potential for a negative review
affect his judgment.
(v) Weakens Steven should not be part of
independence internal control, as internal
audit is required to assess its
adequacy. This creates a self-
review threat. (Refer to IIA
Standard 1130.)
(vi) No effect on The discount is available to all
independence staff, and so is not something
that could be used by
management to try to influence
internal audit.
Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14
business. He may also wish to
discuss the matter with the
audit committee.
Steven could discuss his
concerns with the audit
committee chair and request
that his performance be
evaluated by the audit
committee, rather than the
CEO.
Steven should highlight his
concerns to the CEO, asking to
be removed from the list of
signatories.
Steven should ensure that the
discounts he receives are
limited to those discounts that
are available to all staff. He
may also maintain a record of
all discounts received and
disclose these to the chair of
the audit committee.
15
14.23 (Hard)

(a) The charter limits document and personnel access to only those approved by operating
management, thus limiting the scope of internal audit’s work.

The charter should authorise access to all records, personnel and physical properties relevant to
the performance of audits, in accordance with IIA Standard 1110.

(b) Management establishes the audit schedule and several subsidiary operations have not been
audited since acquisition, even though the director of internal audit believes that audit coverage
of the subsidiary operations is crucial to the group. Therefore, the scope of internal audit work
has been limited.

The audit schedule of internal audit should be developed by the director of internal audit after
consideration of the areas for potential audit and the risks inherent in all areas for potential audit
and approved by the board or audit committee, in accordance with IIA Standard 1110.

(c) The director of internal audit does not report to an individual at a high enough level to ensure
independence and appropriate authority. Internal audit staff members do not have access to the
board either directly or through the director of internal audit. The CEO forwards to the board
only the audit information he considers important. There is a possible deficiency should the
CEO and the internal audit director fail to agree on the importance of information.

The director of internal audit and members of the internal audit staff should have direct access,
as needed, to the board, in accordance with IIA Standard 1110.

(d) Individuals in the internal audit department are assigned to operating responsibilities; to design,
install or operate systems; and to draft procedures for systems. Internal auditors also may be
assigned to audit areas in which they had operational or design and implementation
responsibilities, thus adversely impacting their independence.

Internal auditors should not be assigned to operating responsibilities; to design, install or operate
systems; or to draft procedures for systems. Internal auditors cannot be objective when they are
auditing procedures they wrote or systems they designed or installed. Upon returning to the
internal audit department, internal auditors should not audit functions over which they
previously had operating responsibilities until sufficient time has elapsed, in accordance with
IIA Standard 1130.

14.24 (Easy)

The purpose of internal auditing is to provide a service and/or to add value to the organisation.
Therefore, there is nothing to indicate that the service should be confined to accounting-related
information, or that all recruits should be well versed in traditional financial report auditing and its
procedures. In some cases, such as in environmentally sensitive industries where environmental
auditing is an important internal audit activity, it might be inappropriate to require that all internal
auditors have accounting qualifications.

Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14 16
 Given the range of activities now conducted by internal audit departments, the qualifications held by
the members of the department should be determined by reference to its core activities. A
qualification such as ‘certified internal auditor’ might have value if the internal audit department’s
education and other member-assistance programs assist internal auditors in their new diverse roles, so
that members of the IIA are, and are seen to be, superior internal auditors. Only when a professional
body can demonstrate its relevance in this manner will it become essential for internal auditors.

Why, then, has the accounting designation of CA/CPA been the most commonly achieved
designation by internal auditors in the past? The answer to this might be that, traditionally, internal
audit activities have focused on reviewing internal controls and associated accounting information
systems—areas in which people holding the CA/CPA designation are recognised experts. It may also
be that one of the logical career paths of accountants who hold the CA/CPA designation is into the IA
departments of major organisations. Once such a designation has been earned, it is in many cases not
relinquished, even when career paths may have changed. As the activities of internal audit continue
to broaden, this designation might lose some of its relevance, unless the accounting bodies also
broaden the scope of activities they support through education and other member assistance
programs.

14.25 (Medium)

As internal audit will be a service to CFL, the directors will need to consider the types of services
they wish to avail themselves of. Once this has been determined, they can determine the type of
person they require. There is, however, some general advice regarding the activities and role of
internal audit that may be given.

Internal audit activities encompass:

 strategic business review—assisting with the development of key business strategy and
identification of key business risks, and considering key performance indicators and related
controls

 financial auditing—reviewing the reliability and integrity of financial information

 compliance auditing—reviewing the systems designed to ensure compliance, as well as

compliance with stated policies and procedures, laws and regulations affecting the entity

 reviewing means of safeguarding assets

 operational auditing—reviewing the economy, efficiency and effectiveness of operations

 assisting with the financial report audits.

In terms of the role of the internal auditor, there are a number of important points that should be
considered to ensure that the internal auditor remains effective, as follows:

 Independence must be ensured. The auditor must not have responsibility for the area that they
are responsible for reviewing, and must be given sufficient organisational status to accomplish
their objectives. In an organisation the size of CFL, this would mean direct access and reporting
to the board of directors (or audit committee if applicable).

Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14 17
  A charter should be established indicating the purpose, authority and responsibility of the
internal auditor.

 Management and the board of directors should be kept informed of work schedules, budgets, the
scope of work conducted and the results of any activities undertaken. In most cases, the internal
auditor will determine the work schedule and the scope of activities, subject to the approval of
the board of directors; however, the board of directors may direct the internal auditor to review
any particular area it considers necessary.

Once the board of directors has determined the activities on which they wish to focus, advice can be
given regarding appropriate qualifications for the internal auditor. Heads of internal audit
departments have traditionally been members of the Institute of Internal Auditors, CPA Australia or
Chartered Accountants ANZ, and this might be appropriate for CFL. If, however, CFL wishes to
focus on operational auditing, consideration should be given to including someone in the internal
audit team with more diverse qualifications relevant to the fashion industry.

14.26 (Medium)

(a) Internal audit is not merely a service checking that internal controls are operating successfully,
although this of itself can be valuable in the detection and prevention of fraud and in the correct
operation of key areas of the business. It is an independent appraiser of what is happening,
reviewing systems and activities in a value-for-money sense. It may also be employed to
undertake special investigations of problem areas that are currently not being adequately
tackled.

The contributions made by internal audit might include:

 elimination of waste, especially where this results from poor or non-existent control

 establishment and maintenance of standards to reduce error and increase efficiency

 assessment of reliability and monitoring of processes and decisions

 ensuring compliance with the law, especially in an increasingly complex environment of

reporting requirements.

(b) Advantages of in-house internal audit may include:

 confidentiality being maintained

 internal auditors having in-depth knowledge of the entity

 internal auditors and staff having better working relationships, if internal auditors are not
seen as outsiders

 shared commitment to achieving the aims of the entity

 fixed costs, with no hidden extras

 a service to the entity that is not dependent or reliant on the selling of additional work

 retention of skills and knowledge within the entity.

Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14 18
 Disadvantages of in-house internal audit may include:

 lack of flexibility

 staff career progression being limited

 costs of regular training/updating of staff

 small numbers leading to the range of skills being restricted

 quality of service deteriorating without fresh input

 difficulty in achieving complete independence

 lack of available resources for small entities.

Advantages of buying in internal audit services from an external provider such as Peterson &
Associates may include:

 independence from the entity

 no staff administration and training requirements falling on the entity

 cross-fertilisation of ideas being gained from other sources and sectors

 flexible resource availability

 full access to technical expertise and ancillary services

 flexible contractual arrangements—you only pay for what you get.

Disadvantages of buying in internal audit services from an external provider such as Peterson &
Associates may include:

 costs being relatively high

 staff not always being available on site

 continuity of staff at junior level being less certain

 loss of control of quality of staff provision

 contract restraints—you only get what you have specified and agreed to pay for

 potential conflicts of interest, especially in situations where the external audit provider is
also involved in the provision of an internal audit service.
14.27 (Medium)

(a) There is no formalised control over leases at Shops Galore and the leases were negotiated and
approved by the Ballarat shopping centre manager without any oversight or independent review
and approval. This manager is therefore able to report artificially low lease revenue, as long as
the revenue numbers are greater than budget, as Amanda only follows up negative budget
variances.

Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14 19
 (b) While it is the responsibility of the board to ensure that the internal control environment is set
up with adequate controls, the internal audit function can assist in preventing fraud by
confirming the effectiveness of the controls that have been set up by the board of directors as
well as suggesting improvements through the audit process. For example, at Shops Galore, the
lack of sufficient oversight regarding lease revenue would be identified as a control gap. Internal
audit would recommend that a control is implemented whereby on a regular basis a
reconciliation is performed between actual lease revenue and the market value of leases for the
shops that are available for lease. Other benefits provided by internal audit include independent
assurance that:

 Shops Galore’s assets are properly safeguarded

 the standards, policies, business practices, procedures and regulatory requirements which
could have a significant impact on Shops Galore’s operations are duly complied with

 transactions are properly classified, recorded and reported, and key accounting and
management information, including the related processes and systems, are reliable and
accurate

 decisions are based on accurate and timely information and at the appropriate levels of
authority

 economic and efficient use is made of Shops Galore’s resources and that the operations are
conducted in an efficient and proper manner

 Shops Galore’s established objectives are achieved

 Shops Galore’s working environment is maintained free from operational, environmental,

health and safety hazards.
14.28 (Hard)
Risks and suggested improvements include:

Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14 20
 (a) Risks
There is no management agreement in place to man-
age the arrangement with Ultimate Managers. As a
result, the outsourcer may fail to perform according
to expectations. This could be classified as severe as
the management of the buildings is a key source of
revenue. This could also cause reputation damage.
Current KPIs do not address complaints. This is
likely to have severe consequences in the medium to
longer term, as investors will not renew their invest-
ments.
The current level of distributions is impacting on the
viability of the fund. This may lead to inadequate li-
quidity.
Thirty-five per cent of their debt is due for repay-
ment two months after the year end. This may create
going concern problems, if they are unable to roll-
over their current debt financing.
High vacancy rates within one of the major proper-
ties. This is deemed severe as this asset makes up
25% of revenue.
Lack of segregation of duties, as the head of opera-
tions at Investment is also performing the duties of
company secretary and fund manager. Therefore, the
head of operations may be able to cover up a fraud if
they committed it, as there is a lack of independent
oversight of their activities.
Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14
(b) Improvements
Implement a management agreement to
manage the arrangement with Ultimate
Managers.
Review other current contracts in place and
amend accordingly.
Introduce KPIs around customer complaints.
Produce a communications plan for in-
vestors to manage investor relations and ex-
pectations.
Review and reconsider the current level of
distributions.
Difficult to control in the short term. Negoti-
ate with financiers and, if necessary, con-
sider refinancing. In future, consider longer-
term financing and spread out repayment
dates, so that not more than, say, 20% of
debt needs to be repaid or refinanced in any
one year.
Offer incentives such as free fit-outs or rent-
free periods to attract tenants to the centre.
Obtain bank guarantees and appropriate
rental bonds to protect against a tenant leav-
ing before expiry of their lease.
Segregate duties between the operations and
fund managers.
21
 SOLUTIONS
REVIEW QUESTIONS
14.1 Internal auditing is an independent, objective assurance and consulting activity designed to add value
and improve an organisation’s operations. It helps an entity achieve its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
control and governance processes.

This objective was introduced by IIA several years ago. Before this time, the objective of internal
auditing was broadly stated as assisting members of the organisation in the effective discharge of
their responsibilities.

14.2 In the past, to obtain the Certified Internal Auditor (CIA) qualification, a candidate needed to:

 be a member of IIA–Australia or of another relevant IIA chapter

 hold a Bachelor’s degree or equivalent (in any discipline) from an accredited university-level
institution

 exhibit high moral and professional character

 complete 24 months of internal audit experience or experience in audit/assessment disciplines,

including external auditing and quality assurance

 pass the CIA exam and keep the contents of the exam confidential.

However, the Global Board of Directors has recently approved an alternate path to eligibility for the
CIA for those candidates who do not possess a Bachelor’s degree from an accredited
university. Candidates may now become eligible for the CIA, subject to approval, who possess two
years’ post-secondary education and five years’ verified experience in internal audit or its equivalent,
or seven years’ verified experience in internal audit or its equivalent.

14.3 In accordance with IIA Standard 1110, to maintain organisational independence, the internal audit
department should report to a level within the organisation that allows internal audit to fulfil its
responsibilities. Best practice indicates that this will be the board of directors or the audit committee.
The head of internal audit should also have direct access to the board (audit committee) to help ensure
independence, as well as to keep the board informed.

In addition, the board (audit committee) should concur with the appointment or removal of the head of
internal audit.

14.4 In accordance with IIA Standard 1130, internal auditors should refrain from assessing operations for
which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor
provides assurance services for an activity for which the internal auditor had responsibility within the
previous year.

14.5 In accordance with IIA Standard 1220, elements that the internal auditor should consider when
exercising due professional care include:

Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14 22
  extent of work needed to achieve the engagement’s objectives

 relative complexity, materiality or significance of matters to which assurance procedures are

applied

 adequacy and effectiveness of risk management, control and governance processes

 probability of significant errors, irregularities or noncompliance

 cost of assurance in relation to potential benefits.

14.6 In accordance with IIA Standard 2010, internal audit must establish a risk-based plan to determine the
priorities of the internal audit activity, consistent with the entity’s goals. As a result, in planning the
engagement, matters internal auditors should consider include:

 the objectives of the activity being reviewed and the means by which the activity controls its
performance

 the significant risks to the activity, its objectives, resources and operations, and the means
by which the potential impact of risk is kept to an acceptable level

 the adequacy and effectiveness of the activity’s risk management and control systems
compared to a relevant control framework or model

 the opportunities for making significant improvements to the activity’s risk management and
control systems.

14.7 The ASX Corporate Governance Principles and Recommendations (Recommendation 4.1) state that if
a listed entity does not have an internal audit function, they need to explain the reason for this.
Additionally, they should explain how risk management and internal control processes are managed,
evaluated and continually improved in the absence of an internal audit function.

14.8 Key findings from the 2017 Protiviti survey were:

 Data analytics was gaining a foothold in internal auditing, with two out of three departments
utilising analytics as part of the audit process.

 A significant majority of internal audit functions judge their analytics capabilities to be at

the lower end of the maturity spectrum.

 Organisations with more mature analytics capabilities in the internal audit function are
realising greater organisational value from data analytics.

 Cybersecurity, cloud, mobile tech and big data dominate the priority list for internal
auditors.

 Business and digital transformation is drawing more attention than in prior years.

14.9 The level of reliance placed on internal audit by external audit in this area will be very much
determined by what type of work the internal auditor undertakes.

Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14 23
 Therefore, it is likely that a much wider scope of function will be considered than has been previously
considered by the external auditor, including work performed by the internal auditor in evaluating
business risk. In determining reliance on internal audit, the external auditor will still have to assess the
objectivity, technical competence, due professional care of the internal auditor, and the
communications between the internal auditor and the external auditor. However, it also must be
remembered that ASA 610.Aus 25.1 prohibits the use of internal auditors to provide direct assistance to
an external auditor by performing audit procedures under the direction, supervision and review of
external audit.

14.10 There are concerns about the independence of the external auditor when they also provide internal
audit services. There is also a concern that the large accounting firms that are providing internal audit
services are seen to be competing with in-house internal auditing functions. A benefit of outsourcing is
the greater availability of internal auditing expertise that might possibly come from ‘contracting in’ the
required areas of expertise. Also, there is the general benefit of outsourcing, which is that it allows an
organisation to concentrate their resources on their core competencies.

14.11 Matters that internal audit should evaluate in relation to risk exposures include whether:

 an appropriate risk management framework exists that will identify and assess significant
risks

 appropriate risk responses are selected by management and the board that will align risks
with the entity’s risk profile

 relevant risk information is communicated across the entity.

14.12 Areas in which internal audit should evaluate the adequacy and effectiveness of internal controls
include:

 effectiveness and efficiency of operations

 reliability and integrity of financial and operational information

 safeguarding of assets

 compliance with laws, regulations and contracts.

14.13 The COSO ERM Framework outlines the importance of enterprise risk management in strategic
planning. It emphasises that it is important to embed ERM throughout an entity, as risk both influences
and aligns strategy and performance across all parts of the entity.

DISCUSSION PROBLEMS AND CASE STUDIES

14.14 (Easy)

In her report to the board, Michaela should explain that the internal audit activities can add value to
Express Solutions’ risk management and corporate governance areas by:

 assessing risk management, control and governance processes using business risk models
such as SWOT analysis, PEST analysis and value-chain analysis

Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14 24
  undertaking activities that are consultative (providing advice) in nature—that is, by
providing expert advice—about:

o risk exposures and their management

o control strategies, structures and systems

 raising awareness about risk exposures and related controls

 contributing to the improvement of risk identification, management and control systems

 providing ongoing assurance about the efficiency and effectiveness of risk-identification and
management systems, control strategies, structures and systems

 contributing towards enhanced understandings of different types of control that can be used
in organisations

 focusing on the risk exposures associated with the achievement of an organisation’s

objectives

 focusing on control as a facet of risk management.

14.15 (Medium)

The role of Supported Living’s internal auditors with regard to the system switch-over processes at
Serenity would be to consider areas for business improvement and business risks. Given the objective
to ‘make sure the switch-over worked without any problems’, the role of the internal audit team would
have been to make sure that all steps of the system switch-over processes were followed in accordance
with the agreed plans, methods and resources. If the steps were not adhered to, then the internal audit
team would have had to increase the business risk that Serenity would not be able to correctly process
its patient revenue, affecting cash flow and so on. Some of the procedures involved would include
checking all the steps to ensure that all the data was complete (e.g. by undertaking a record count to
ensure that all records in each file were transferred, with none lost or duplicated) and accurately
transferred to the new system (e.g. ensuring the key fields ad correctly after the switch-over).
14.16 (Medium)

Issues of concern to the head of internal audit:

Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14 25
 Issue
Issue 1: There were numerous
occasions during the year when three
major accounts receivable,
representing 35% of gross revenues,
settled their accounts 30 days after
the due date. These accounts
receivable have been long-standing
and reliable customers.
Issue 4: Failure to carry out machine
maintenance in accordance with the
required maintenance cycle, leading
to warranties being invalidated.
Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14
Justification
Although there does not appear to be any risk of bad
debts in relation to these customers, the head of internal
audit will be concerned about the possible adverse
impact on the company’s cash flows of the slow
collections leading to potential inability to meet its
financial commitments on a timely basis.
The head of internal audit will be concerned about the
breakdown in internal controls over the maintenance of
machinery under warranty. This results in the invalida-
tion of warranties, causing the company to incur repair
costs within the warranty period. This would have been
avoided had the machines been maintained in accordance
with the manufacturer’s maintenance cycle.
26
 Issues of concern to both external auditor and the head of internal audit:
Issue
Issue 2: The company has an
accounts receivable insurance
policy, which allows the company to
claim for bad debts of up to $25 000
per annum. The amount covered
under the policy has remained the
same since 2015 (when the accounts
receivable averaged $1 million).
Since 2015, the average accounts
receivable balance has increased to
$2 million.
Issue 3: Lack of supervision over
the accounts payable clerk relating
to the accuracy of the cost of the
imported inventories acquired in the
last two months of the year ended
30 June 2018.
Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14
Justification
Both the external auditor and the head of internal audit
will be concerned that potential losses, incurred on
possible bad debts, will have a material impact on the
company’s financial results and consequently on its
financial position, given that the amount insured has not
increased in accordance with the increase in the amounts
of accounts receivable outstanding.
Both the external auditor and the head of internal audit
will be concerned about the breakdown in internal
control over the correct costing of imported inventory
during the two-month period leading to year-end. The
lack of supervision of the accounts payable clerk could
result in the incorrect valuation of inventory on hand at
year-end and the recognition of an incorrect amount of
cost of goods sold in respect of the inventory sold during
the year.
27
14.17 (Hard)
Issues of concern to the head of internal audit:
Issue
Issue 3: Employees have reacted unfavourably
to an amended annual leave policy. The
amended annual leave policy requires
employees to book their annual leave in blocks
of two weeks. It also requires employees to
take their full 20 days’ annual leave
entitlement each year. Many employees are not
following the annual leave policy and are
booking annual leave in blocks of one week.
Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14
Justification
The amendment of the annual leave policy has
no bearing on the impact on the annual financial
report, but it is of interest to internal audit as
there has been a lack of compliance with
management policy.
Internal audit would also consider the impact on
the wellbeing of staff. Taking two weeks’ leave
in one block, rather than the old policy of one
week, will go further in enabling employees to
reduce stress by winding down.
28
 Issues of concern to both external auditor and the head of internal audit:
Issues
Issue 1: Many employees have complained
that their payslips do not accurately reflect
their leave entitlements.
Issue 2: Employees’ annual leave balances
have increased by more than 15% over the
past year.
Issue 4: As demand for courier services in
the Sydney area has recently declined,
Speedy Delivery has laid off many employ-
ees, resulting in the remaining employees
taking on additional tasks. This has in-
creased employee stress levels.
Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14
Justification
External auditors would be concerned about the
accuracy of leave reflected on the payslips, as this
might cause a material error in the financial report.
Internal auditors would be concerned about the
accuracy of leave reflected on the payslips, as this
might cause errors in the financial report, operational
forecasts, resource planning and also impact on staff
morale. The inaccuracy may also be the symptom of a
significant system issue.
External auditors would be concerned that annual
leave balances have increased by more than 15%, as
this would have a material impact on the financial
report.
External auditors would need to establish whether the
increase is the result of employees not taking as much
leave this year or due to a breakdown in the controls.
Employees may be taking leave and not filling in
timesheets, or the system may be reflecting the
incorrect leave balances due to calculation errors.
Internal auditors would also be concerned at the
significant increase in annual leave balances, as this
may create the opportunity to conceal any
weaknesses/breakdowns in internal control. They
would also be concerned about the impact on the
financial report.
Employees taking on additional tasks may have an
impact on the approach to the audit, as a controls-
based audit may be impacted by a lack of segregation
of duties.
Internal auditors will be concerned about employees
taking on additional tasks and the increased stress
levels, as this presents the following risks.
 There may be a lack of segregation of key duties
and staff may perform incompatible tasks.
29
  Increased staff stress and reduced morale may
reduce compliance with controls, efficiency of
operations and the quality with which controls are
performed. Stressed staff may also take short-cuts
when performing their duties.

Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14 30
14.18 (Easy)

As the internal audit department (IAD) has not had responsibility for the design or implementation of
the current stocktaking procedures, there is unlikely to be an independence problem. The only area of
concern would be the training provided to the managers. If adequacy of training was a part of the
review, the IAD might have some concerns about the perceived independence of their report, given
some involvement in training by IAD staff.

14.19 (Easy)

(c) Assessment of the reporting structure of the internal audit department (IAD) reveals that it does
not appear to be independent, in accordance with IIA Standard 1110, for the following reasons:

 The head of IAD reports to the CFO. One responsibility of IAD is to review the work of the
accounting department—it is doubtful that they could remain unbiased with respect to the
accounting department.

 The audit programs are designed by the CFO. This impairs the independence of the IAD, as
they are reporting on areas under the CFO’s control.

 Roslyn and Brendan perform accounting tasks, so are potentially in a position of evaluating
their own work.

(d) Realignment of the reporting structure should include the following changes.

 The IAD should report to the board of directors or the audit committee.

 Responsibility of coordinating IAD staff should pass to Frank, and he should have
responsibility for designing and implementing the internal audit programs.

 IAD staff should be removed from any operating responsibilities.

14.20 (Easy)

(c) Yes. Internal auditor A is required to undertake continuing professional development. (Refer to
IIA Standard 1230.)

(d) Yes. Internal auditor B should reveal all material facts known to them that, if not revealed, could
either distort reports of operations under review or conceal unlawful practices. Internal auditor B
should report this matter to the audit committee. (Refer to IIA Standards 1110 and 1111.)

14.21 (Medium)

(a) Having the director of IAD report to the CFO will tend to restrict the scope of the internal audit
department’s work to accounting and financial matters. It is also possible that the CFO may
direct the work of IAD away from areas of interest. This reporting line is contrary to IIA
Standard 1110. The director of IAD should report to the board of directors (or to the audit
committee if there is one).

(b) Making the IAD responsible for the adequacy of the internal control system is contrary to IIA
Standards 1120 and 1130. The IAD should have no direct responsibilities or authority over
activities that they audit. The IAD should only review the adequacy of such systems.

Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14 31
 (c) Limiting full access to accounting records only and thus restricting the scope of the IAD is
contrary to IIA Standard 1130, which requires full access to all records, properties and personnel
relevant to the subject under review.
(d) This is not in conflict with IIA standards.
(e) Participation in the design and implementation of internal control is contrary to IIA Standard
1120 and should be prohibited.
(f) This is not in conflict with IIA standards.
14.22 (Hard)
Issue (a) Effect on Explanation
independence
(i) No effect on The CEO is not changing the
independence content of the report as
presented by the internal
auditors, just adding to the
management comments. As
long as these comments are
clearly defined as ‘management
comments’, these do not affect
internal audit independence.
(ii) Weakens Because of the presence of the
independence CEO, who is Steven’s boss, at
these meetings, it is highly
likely that Steven will not be
able to openly discuss internal
audit issues. As such, it will
weaken internal audit
independence. (Refer to IIA
Standard 1110.)
(iii) Weakens If Steven’s future career success
independence is directly linked to the
outcomes of the audits, there is
a risk that Steven will reduce
his audit findings in order to
avoid controversy with
management. (Refer to IIA
Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14
(b) Action Steven could take
Steven should ensure that the
CEO understands the need for
the management comments to
be clearly separated from the
internal auditor’s report.
In order to further strengthen
his independence, Steven
should request that the
meetings with the audit
committee take place without
senior management
representation. Steven should
also raise the issue that
independence can be
compromised by his reporting
to the CEO rather than the
audit committee.
Steven could explain to
management why his
independence could be
compromised, and that he will
not be softening his approach
in order to obtain future
employment within the
32
 Standard 1120.)
(iv) No effect on Steven is doing his job as long
independence as he reports issues as they are
uncovered, without letting the
potential for a negative review
affect his judgment.
(v) Weakens Steven should not be part of
independence internal control, as internal
audit is required to assess its
adequacy. This creates a self-
review threat. (Refer to IIA
Standard 1130.)
(vi) No effect on The discount is available to all
independence staff, and so is not something
that could be used by
management to try to influence
internal audit.
Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14
business. He may also wish to
discuss the matter with the
audit committee.
Steven could discuss his
concerns with the audit
committee chair and request
that his performance be
evaluated by the audit
committee, rather than the
CEO.
Steven should highlight his
concerns to the CEO, asking to
be removed from the list of
signatories.
Steven should ensure that the
discounts he receives are
limited to those discounts that
are available to all staff. He
may also maintain a record of
all discounts received and
disclose these to the chair of
the audit committee.
33
14.23 (Hard)

(a) The charter limits document and personnel access to only those approved by operating
management, thus limiting the scope of internal audit’s work.

The charter should authorise access to all records, personnel and physical properties relevant to
the performance of audits, in accordance with IIA Standard 1110.

(b) Management establishes the audit schedule and several subsidiary operations have not been
audited since acquisition, even though the director of internal audit believes that audit coverage
of the subsidiary operations is crucial to the group. Therefore, the scope of internal audit work
has been limited.

The audit schedule of internal audit should be developed by the director of internal audit after
consideration of the areas for potential audit and the risks inherent in all areas for potential audit
and approved by the board or audit committee, in accordance with IIA Standard 1110.

(c) The director of internal audit does not report to an individual at a high enough level to ensure
independence and appropriate authority. Internal audit staff members do not have access to the
board either directly or through the director of internal audit. The CEO forwards to the board
only the audit information he considers important. There is a possible deficiency should the
CEO and the internal audit director fail to agree on the importance of information.

The director of internal audit and members of the internal audit staff should have direct access,
as needed, to the board, in accordance with IIA Standard 1110.

(d) Individuals in the internal audit department are assigned to operating responsibilities; to design,
install or operate systems; and to draft procedures for systems. Internal auditors also may be
assigned to audit areas in which they had operational or design and implementation
responsibilities, thus adversely impacting their independence.

Internal auditors should not be assigned to operating responsibilities; to design, install or operate
systems; or to draft procedures for systems. Internal auditors cannot be objective when they are
auditing procedures they wrote or systems they designed or installed. Upon returning to the
internal audit department, internal auditors should not audit functions over which they
previously had operating responsibilities until sufficient time has elapsed, in accordance with
IIA Standard 1130.

14.24 (Easy)

The purpose of internal auditing is to provide a service and/or to add value to the organisation.
Therefore, there is nothing to indicate that the service should be confined to accounting-related
information, or that all recruits should be well versed in traditional financial report auditing and its
procedures. In some cases, such as in environmentally sensitive industries where environmental
auditing is an important internal audit activity, it might be inappropriate to require that all internal
auditors have accounting qualifications.

Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14 34
 Given the range of activities now conducted by internal audit departments, the qualifications held by
the members of the department should be determined by reference to its core activities. A
qualification such as ‘certified internal auditor’ might have value if the internal audit department’s
education and other member-assistance programs assist internal auditors in their new diverse roles, so
that members of the IIA are, and are seen to be, superior internal auditors. Only when a professional
body can demonstrate its relevance in this manner will it become essential for internal auditors.

Why, then, has the accounting designation of CA/CPA been the most commonly achieved
designation by internal auditors in the past? The answer to this might be that, traditionally, internal
audit activities have focused on reviewing internal controls and associated accounting information
systems—areas in which people holding the CA/CPA designation are recognised experts. It may also
be that one of the logical career paths of accountants who hold the CA/CPA designation is into the IA
departments of major organisations. Once such a designation has been earned, it is in many cases not
relinquished, even when career paths may have changed. As the activities of internal audit continue
to broaden, this designation might lose some of its relevance, unless the accounting bodies also
broaden the scope of activities they support through education and other member assistance
programs.

14.25 (Medium)

As internal audit will be a service to CFL, the directors will need to consider the types of services
they wish to avail themselves of. Once this has been determined, they can determine the type of
person they require. There is, however, some general advice regarding the activities and role of
internal audit that may be given.

Internal audit activities encompass:

 strategic business review—assisting with the development of key business strategy and
identification of key business risks, and considering key performance indicators and related
controls

 financial auditing—reviewing the reliability and integrity of financial information

 compliance auditing—reviewing the systems designed to ensure compliance, as well as

compliance with stated policies and procedures, laws and regulations affecting the entity

 reviewing means of safeguarding assets

 operational auditing—reviewing the economy, efficiency and effectiveness of operations

 assisting with the financial report audits.

In terms of the role of the internal auditor, there are a number of important points that should be
considered to ensure that the internal auditor remains effective, as follows:

 Independence must be ensured. The auditor must not have responsibility for the area that they
are responsible for reviewing, and must be given sufficient organisational status to accomplish
their objectives. In an organisation the size of CFL, this would mean direct access and reporting
to the board of directors (or audit committee if applicable).

Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14 35
  A charter should be established indicating the purpose, authority and responsibility of the
internal auditor.

 Management and the board of directors should be kept informed of work schedules, budgets, the
scope of work conducted and the results of any activities undertaken. In most cases, the internal
auditor will determine the work schedule and the scope of activities, subject to the approval of
the board of directors; however, the board of directors may direct the internal auditor to review
any particular area it considers necessary.

Once the board of directors has determined the activities on which they wish to focus, advice can be
given regarding appropriate qualifications for the internal auditor. Heads of internal audit
departments have traditionally been members of the Institute of Internal Auditors, CPA Australia or
Chartered Accountants ANZ, and this might be appropriate for CFL. If, however, CFL wishes to
focus on operational auditing, consideration should be given to including someone in the internal
audit team with more diverse qualifications relevant to the fashion industry.

14.26 (Medium)

(c) Internal audit is not merely a service checking that internal controls are operating successfully,
although this of itself can be valuable in the detection and prevention of fraud and in the correct
operation of key areas of the business. It is an independent appraiser of what is happening,
reviewing systems and activities in a value-for-money sense. It may also be employed to
undertake special investigations of problem areas that are currently not being adequately
tackled.

The contributions made by internal audit might include:

 elimination of waste, especially where this results from poor or non-existent control

 establishment and maintenance of standards to reduce error and increase efficiency

 assessment of reliability and monitoring of processes and decisions

 ensuring compliance with the law, especially in an increasingly complex environment of

reporting requirements.

(d) Advantages of in-house internal audit may include:

 confidentiality being maintained

 internal auditors having in-depth knowledge of the entity

 internal auditors and staff having better working relationships, if internal auditors are not
seen as outsiders

 shared commitment to achieving the aims of the entity

 fixed costs, with no hidden extras

 a service to the entity that is not dependent or reliant on the selling of additional work

 retention of skills and knowledge within the entity.

Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14 36
 Disadvantages of in-house internal audit may include:

 lack of flexibility

 staff career progression being limited

 costs of regular training/updating of staff

 small numbers leading to the range of skills being restricted

 quality of service deteriorating without fresh input

 difficulty in achieving complete independence

 lack of available resources for small entities.

Advantages of buying in internal audit services from an external provider such as Peterson &
Associates may include:

 independence from the entity

 no staff administration and training requirements falling on the entity

 cross-fertilisation of ideas being gained from other sources and sectors

 flexible resource availability

 full access to technical expertise and ancillary services

 flexible contractual arrangements—you only pay for what you get.

Disadvantages of buying in internal audit services from an external provider such as Peterson &
Associates may include:

 costs being relatively high

 staff not always being available on site

 continuity of staff at junior level being less certain

 loss of control of quality of staff provision

 contract restraints—you only get what you have specified and agreed to pay for

 potential conflicts of interest, especially in situations where the external audit provider is
also involved in the provision of an internal audit service.
14.27 (Medium)

(a) There is no formalised control over leases at Shops Galore and the leases were negotiated and
approved by the Ballarat shopping centre manager without any oversight or independent review
and approval. This manager is therefore able to report artificially low lease revenue, as long as
the revenue numbers are greater than budget, as Amanda only follows up negative budget
variances.

Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14 37
 (b) While it is the responsibility of the board to ensure that the internal control environment is set
up with adequate controls, the internal audit function can assist in preventing fraud by
confirming the effectiveness of the controls that have been set up by the board of directors as
well as suggesting improvements through the audit process. For example, at Shops Galore, the
lack of sufficient oversight regarding lease revenue would be identified as a control gap. Internal
audit would recommend that a control is implemented whereby on a regular basis a
reconciliation is performed between actual lease revenue and the market value of leases for the
shops that are available for lease. Other benefits provided by internal audit include independent
assurance that:

 Shops Galore’s assets are properly safeguarded

 the standards, policies, business practices, procedures and regulatory requirements which
could have a significant impact on Shops Galore’s operations are duly complied with

 transactions are properly classified, recorded and reported, and key accounting and
management information, including the related processes and systems, are reliable and
accurate

 decisions are based on accurate and timely information and at the appropriate levels of
authority

 economic and efficient use is made of Shops Galore’s resources and that the operations are
conducted in an efficient and proper manner

 Shops Galore’s established objectives are achieved

 Shops Galore’s working environment is maintained free from operational, environmental,

health and safety hazards.
14.28 (Hard)
Risks and suggested improvements include:

Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14 38
 (a) Risks
There is no management agreement in place to man-
age the arrangement with Ultimate Managers. As a
result, the outsourcer may fail to perform according
to expectations. This could be classified as severe as
the management of the buildings is a key source of
revenue. This could also cause reputation damage.
Current KPIs do not address complaints. This is
likely to have severe consequences in the medium to
longer term, as investors will not renew their invest-
ments.
The current level of distributions is impacting on the
viability of the fund. This may lead to inadequate li-
quidity.
Thirty-five per cent of their debt is due for repay-
ment two months after the year end. This may create
going concern problems, if they are unable to roll-
over their current debt financing.
High vacancy rates within one of the major proper-
ties. This is deemed severe as this asset makes up
25% of revenue.
Lack of segregation of duties, as the head of opera-
tions at Investment is also performing the duties of
company secretary and fund manager. Therefore, the
head of operations may be able to cover up a fraud if
they committed it, as there is a lack of independent
oversight of their activities.
Instructor Resource Manual t/a Auditing and Assurance Services in Australia 7e by Gay & Simnett
© McGraw-Hill Education (Australia) 2018
Chapter 14
(b) Improvements
Implement a management agreement to
manage the arrangement with Ultimate
Managers.
Review other current contracts in place and
amend accordingly.
Introduce KPIs around customer complaints.
Produce a communications plan for in-
vestors to manage investor relations and ex-
pectations.
Review and reconsider the current level of
distributions.
Difficult to control in the short term. Negoti-
ate with financiers and, if necessary, con-
sider refinancing. In future, consider longer-
term financing and spread out repayment
dates, so that not more than, say, 20% of
debt needs to be repaid or refinanced in any
one year.
Offer incentives such as free fit-outs or rent-
free periods to attract tenants to the centre.
Obtain bank guarantees and appropriate
rental bonds to protect against a tenant leav-
ing before expiry of their lease.
Segregate duties between the operations and
fund managers.
39