Andy Wynne
Internal audit comes in all sorts of shapes and sizes. A wide variety of approaches may be adopted and the particular one which is used will differ from organisation to organisation and country to country. These approaches form a continuum from pre-audit, through regularity or compliance audit, to risk-based audit. This article introduces these three main approaches to internal audit, considers the relative merits of pre-audit and compliance audit and introduces risk-based audit. Future articles will provide a more detailed outline of the risk-based approach to internal audit.
The origins of internal audit are as an internal check on the accuracy and validity of all payments made by an organisation. No payments could be made without them first being reviewed and stamped for payment by the staff of the internal audit section. Internal audit practice now forms a spectrum from this original role of internal audit to risk-based audit. The latter consists of internal audit reviewing the organisation's risk management and internal control systems and processes with only limited testing of internal controls to ensure that they are actually applied as required.
The Combined Code of the London Stock Exchange requires the boards of all its listed companies to "maintain a sound system of internal control to safeguard shareholders' investment" and that "the directors should… conduct a review of the effectiveness of the group's system of internal controls". In most companies the directors will rely on the company's internal audit function to directly undertake this review of internal control. Many people would agree that the objective of internal audit should be to help to ensure that the internal control system of an entity is adequate and effective.
Adequate can be construed as meaning fit for purpose, so in the context of internal controls, that the controls are appropriate for the risks which the organisation faces and that they are actually implemented on a routine basis. The term effectiveness demands more than this and implies an interest in the actual outcome of the controls, for example ensuring that the transactions are actually appropriate, accurate and valid. As a result, if internal audit is to conclude on whether the risk management and internal control systems are effective, it should undertake at least some substantive testing to confirm whether or not the internal controls have operated as expected and thus ensured that the transactions are accurate and valid. In addition, external audit will often rely on internal audit and as part of this reliance, may expect internal audit to undertake a degree of substantive testing of at least a sample of transactions that have been processed by the main financial systems.
Pre-payment audit checks (or pre-audit for short) are examinations of payment vouchers and other documents before the associated payments are made. The objective of pre-audit is to ensure that payments made are valid, necessary and accurate, and that expenditure is in line with the approved budget.
The advantages of pre-audit are said to be that it can help to:
• ensure that all expenditure is necessary and appropriate
• ensure that all payments are properly authorised before being made
• ensure that expenditure is in accordance with relevant laws and regulations
• prevent management fraud
• reduce the incidence of fraud or irregularity
• confirm the accuracy of the classification and the coding of expenditure and
• ensure arithmetical accuracy of the transactions which are checked.
The pre-audit approach to internal audit is found in many African governments, but also in France, Portugal, Spain and many other continental European countries with a legal tradition based on the Napoleonic Code. In these countries, an emphasis is put on the controls that are exercised by a third party entity, at the centre of government, often an agency of the ministry of finance or that ministry itself. This entity undertakes pre-audit checks on all, or a sample of, payments to be made by the relevant public sector organisations. It may often be combined with the internal audit function.
Until recently this was the approach adopted by the European Commission. Pre-audit, or what the European Commission terms financial control (or ex ante checking), was undertaken by the Commission's internal audit service. Following criticism by the European Parliament of financial management practices within the European Commission, which led to the resignation of the entire Commission in March 1999, a Committee of Independent Experts was established. This Committee concluded that “the existence of a procedure whereby all transactions must receive the explicit prior approval of a separate financial control service has been a major factor in relieving Commission managers of a sense of personal responsibility for the operations they authorise while doing little or nothing to prevent serious irregularities.”
It went on to say that: whatever the (im)practicalities of these options, the Committee continues to have strong reservations about them on two points of principle. First, ex ante checking, whether it be universal or on the basis of sampling, is unlikely to be a cost-effective process: the effort put in to checking all transactions is clearly disproportionate, while sampling is unlikely to have sufficient dissuasive effect. The second, and fundamental, principle is that any retention of ex ante control runs up against the crucial objection that, de facto if not de jure, it displaces responsibility for financial regularity from the person actually managing expenditure onto the person approving it. This displacement of responsibility, meaning in effect that no-one is ultimately responsible.
The Committee also recommended that a professional and independent Internal Audit Service should be set up reporting directly to the President of the Commission, that the existing centralised pre-audit function should be dispensed with, and that financial control — as an integrated part of line management — should be decentralised to the Directorates-General in the Commission. The Commission announced in January 2000 that it would accept this recommendation, and a reorganisation of the Commission services began later that year including the establishment of an Internal Audit Service which was independent of the pre-audit or financial control function.
In Nigeria there has been a debate over the approach which should be adopted by internal audit for many years. In September 1974, for example, the Public Service Review Commission issued the Udoji Report.
The Commission found that: checking in the civil service is excessive, and indeed is almost carried to a point regardless of cost. A case in point is the situation in "self accounting" ministries - that is, ministries which are themselves responsible for maintaining detailed record of revenue and expenditure. Payrolls once prepared are immediately checked by staff, independent of the preparation function, drawn from within the payroll area. The internal audit division of the ministry then undertakes a further 100 per cent prepayment check and some months later external audit carry out a test check on the payrolls.
The Udoji Commission went on to recommend that: internal check, provided from within the payroll area be strengthened and that a move be made towards eliminating the prepayment or 'internal check' function of internal audit to comply with Financial Instruction. Secondly, if this were done, internal audit would have more time to pursue its intended functions, which should not be part of the day-to-day control system but rather an independent review of the day-to-day controls, so as to be able to advise management on their effectiveness and means of improvement.
Many managers, and even some internal auditors, who have accepted the disadvantages of pre-audit, see the main role of internal audit as a check that staff are complying with financial regulations and other procedures or instructions. Most internal auditors now believe, however, that internal auditors should actually be undertaking the more sophisticated task of assessing whether all significant risks to the achievement of the organisation's objectives are being adequately managed. Where this is not the case, internal auditors should be advising managers on the appropriate controls that could be introduced to manage the particular risks involved. Managers themselves should become more involved in the day to day process of ensuring compliance by checking and authorising individual transactions.
[Figure 1: Compliance or risk-based audit? Diagram labels: compliance audit (Financial Regs & Procedures, Actual Practice); risk-based audit (Risks, Actual Control Procedures).]
Managers often expect internal auditors to identify breaches in financial regulations and to inform them when staff are not following established practice. This can be a relatively minor outcome of an internal audit assignment, however, and this approach overlooks the wider benefits that can be achieved when internal auditors take on the more important role of assessing the whole control environment and its adequacy and reliability in managing risk.
Under this latter approach (the risk-based approach), internal auditors have to determine whether compliance with financial regulations and other instructions will be sufficient to adequately mitigate the risks which the organisation faces to the achievement of the organisation's objectives. If not, internal audit may make recommendations to amend financial regulations or other financial instructions. There may also be circumstances where staff are not complying with financial regulations or other official instructions, but where the revised practices that they have adopted are actually more cost effective at reducing risks to an acceptable level. In this case internal audit may recommend that financial regulations etc are amended to require these revised practices to be adopted. However, in the short-term, until these amendments are introduced, staff should follow the standing regulations or instructions unless they are given official permission otherwise.
[Figure 2: Compliance checking and risk-based audit. Diagram labels: compliance audit, actual practice, official instructions, amendments, cost effective risk management.]
Effective internal control systems should not only include suitable checks and other control procedures, but they should also include review processes to ensure that the checks and controls are actually implemented and complied with. Managers who see internal audit's role in compliance terms believe that they can rely on internal audit to ensure that controls are actually reliably followed in all circumstances. For example, bank reconciliations are a fundamental control in almost all financial systems, but an effective internal control system will also include a review of each bank reconciliation by a supervisor or manager to ensure that it has been properly undertaken and completed promptly. Payment systems will include authorisation processes; they should also include checks that these have been completed for each payment by authorised signatories. These reviews involve line management in the internal control process independent of any internal audit presence. Managers should be responsible for implementing effective control systems. They should also be responsible for ensuring that these control systems are routinely complied with.
Compliance audit may be an appropriate activity in an unchanging world. A comprehensive set of instructions and regulations are developed and reviewed by internal audit to ensure all existing risks will be avoided. All that is then required is for a regular check that these instructions are followed by all staff at all times. But the problem with this approach is that we live in a fast changing world. Personnel changes, changes in the regulatory or external environment and the introduction of new processes, all mean that regulations that were suitable at the time they were developed may now not be appropriate. Effective internal control systems will not only include checks that regulations are complied with, but also periodic review of these regulations to ensure that they remain valid.
The Federal Government of Nigeria introduced revised Financial Regulations which were applicable from 1st January 2000. Internal auditors have a professional responsibility to ensure that these regulations are regularly reviewed and amended as appropriate.
In contrast, systems audit involves the internal auditors reviewing the adequacy of the system of control and making comments on this rather than on the accuracy or validity of the actual outputs from the system. This systems approach does not necessarily mean that direct substantive testing of transactions is abandoned. However, the 1996 edition of the UK's Government Internal Audit Manual stated that substantive testing is "usually uneconomic" and "has a limited role to play in systems auditing". In the aftermath of the collapse of the international accounting firm, Arthur Andersen, resulting from its external audit work at Enron, it may be that there will be increased emphasis on the role of substantive audit work in an external audit. Similarly there has been some talk of a greater role for internal audit and there may be comparable pressure for internal audit to move back to more direct testing of transactions rather than concentrating its efforts on the internal controls, their adequacy and reliability.
The full benefits of internal audit can only be achieved if managers and internal auditors share the same perception of their mutual responsibilities. The view of internal auditors as only compliance auditors may indicate a limited understanding of the roles of internal audit and also a lack of understanding of the full range of responsibilities that managers themselves should have. Internal auditors should work with managers to facilitate the introduction of effective control systems. These systems will include:
• first order controls to address all significant risks
• second order controls involving regular checks that all the first order controls are actually implemented as required and
• third order controls involving periodic reviews of official instructions and other internal control procedures to ensure they are revised and adapted as required in response to the changing risk environment.
Internal auditors should also help to educate managers to ensure that they accept, and understand, the full range of their responsibilities for internal control. These managerial responsibilities should include:
• designing adequate controls
• ensuring compliance with required controls and
• regular reviews and revision of internal control procedures.
The task of internal audit is then to review these internal control systems to ensure that managers have adequately fulfilled each of these three sets of responsibilities. Internal auditors should also advise managers on the appropriate controls, compliance checks and review procedures that they should adopt. Where the organisation has adopted formal risk management procedures, internal audit should review this process and use the results of this work to plan the remainder of its work. This is risk-based audit. An organisation with effective risk-based audit is more likely to have an effective control system; is less likely to suffer from the range of risks it is exposed to; and is more likely to be successful.
Future articles will provide a more detailed outline of the methodology of risk-based internal audit.