

Internal Audit
• Recent events including global financial crises have emphasised the need for internal auditing within corporate governance structures
• An internal audit function is now mandated by most stock exchanges
• Donors increasingly demand improved accountability & financial transparency in development projects
• IFAD procedures do not specifically require internal audit; however, IFAD Operational Procedures for Project Audits (for use by IFAD & CIs) require that “as part of the assessment of the borrower’s capacity to implement and manage the project effectively, the appraisal mission will evaluate any internal audit (IA) mechanism for the project/ PMU”
• Furthermore, internal audit is considered good practice & advisable as part of the underlying control framework & financial management capacity of a project, particularly if complex &/ or decentralised


“Internal auditing is an independent, objective
assurance and consulting activity designed to add
value and improve an organization's operations. It
helps an organisation accomplish its objectives by
bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk
management, control, and governance processes.”
The Institute of Internal Auditors

IA – Code of Ethics
Internal auditors are expected to apply & uphold the following principles:

• Integrity: The integrity of internal auditors establishes trust & so provides the basis for reliance on their judgment
• Objectivity: Internal auditors exhibit the highest professional objectivity in gathering, evaluating & communicating information. Internal auditors make a balanced assessment of all relevant circumstances & are not unduly influenced by their own interests or others in forming judgments
• Confidentiality: Internal auditors respect the value and ownership of information they receive & do not disclose information without appropriate authority unless there is a legal or professional obligation to do
• Competency: Internal auditors apply knowledge, skills, & experience needed

What is Internal Audit?
Internal Audit is a professional activity which helps organisations to achieve their stated objectives by:
• Analysis of key processes, procedures & operations
• Identification of key controls in every process, procedure & operation
• Evaluation of the adequacy of these controls
• Testing of the compliance of sample transactions against the controls
• Reporting of the results of the compliance testing of transactions and evaluation of controls
• Recommendation of stronger controls
• Suggestions of methods for improvement of compliance with key controls
• Follow up of action taken on recommendations made in previous reports

What are Internal Controls?

Important checks instituted by the management to have reasonable assurance that:
• Operations are carried out in an effective & efficient manner
• Transactions are recorded completely & accurately
• Assets are properly safeguarded & recorded
• Laws are complied with
• Reliable reports are generated

Some examples of Internal Control

► Budgetary Control

► Fixed Assets Register

► Bank & Special Account Reconciliations

► Reconciliation of Financial & Physical Monitoring & Evaluation


How are Internal Audit & External Audit different?
Internal audit is focused on internal management support and on improving systems, procedures and processes

⇉ External audit (EA): normally statutory requirement, unlike internal audit (IA)

⇉ EA reports are addressed to stakeholders: IA reports are addressed to Management

⇉ EA reports express an opinion on the financial statements prepared by the entity for a
specified period: IA reports evaluate and check compliance against key internal

⇉ EA reports are usually public documents which are available to all stakeholders. IA
reports are for use only by Management

⇉ EA reports do not make recommendations, although may have a Management Letter:
IA reports are incomplete without

⇉ EA is basically a review of financial statements for compliance: IA seeks to ensure
value for money to Management

Why should IFAD funded projects be subject to IA?

IFAD funded projects may be subject to Internal Audit because:
• External audit checks overall compliance to internal controls related to financial transactions.
• Supervision Missions conduct only spot checks.
• Internal audit is inherent in government structures in most developing
• Sample IA Terms of Reference enclosed
• IA has a key role in Risk management of IFAD Projects

What are key concerns from a FM viewpoint?

► Is the accounting system capable of
  • recording financial transactions in an accurate & timely manner?
  • tracking the expenditure of the project by component & category?
  • comparing actual expenditure to budget on a real time basis?
► Are
  • withdrawal applications properly prepared?
  • project assets properly recorded & safeguarded?
  • Special Accounts & Project Accounts properly and timely operated & reconciled?
  • audit arrangements proper and in place?
  • audit reports properly followed
  • project funds flowing timely and smoothly to the intended beneficiaries?
► Does the project generate reliable & accurate financial statements & reports?

Internal Audit (IA) Mandate
Compliance & Advisory roles

What does it do?
• Improves accuracy, reliability, internal control & integrity of information including operational and financial reporting
• Monitors & evaluates the effectiveness of the processes
• Formulates corporate oversight, safeguards the assets, helps in economical & efficient usage of the resources, maintains compliance with laws & regulations, deters fraud

What does it not do?
• Perform management’s activities/ responsibilities (these include establishing internal controls)

Internal Control Myths and Facts

Myth: Internal control doesn’t have strong set of policies and procedures
Fact: Internal control not only has a strong set of policies and procedures but also starts with the

Myth: We have internal auditors for managing the entire Internal control!
Fact: Internal auditors play an important role in controlling the system. The responsibility of the internal control lies with the

Myth: Internal control is related to the finance of the company
Fact: Internal control is important for every aspect of the

Myth: Internal controls are necessarily negative, like a list of “thou-shalt-
Fact: Internal control is responsible for making the right things happen

Myth: Internal controls do not make the business processes change
Fact: Internal controls built “into,” the business processes does make the business processes change

Internal Control Practices
• Internal control is a process. It's a means to an end, not an end in itself
• Internal control is effected by people as a team, not by internal auditor. It's not merely policy manuals & forms, but people at every level of an organization
• Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and governing bodies/ committees
• Uses systematic methodology for analysing business processes, procedures & activities
• The cost of IA should not exceed expected benefits to be derived

Internal Control Structure
An internal control structure is simply a different way of viewing operations – a perspective that focuses on doing the right things in the right way

[Figure: layers of the internal control structure]
• MONITORING: Monthly reviews of performance reports; Supervisory activities
• COMMUNICATION: Reporting; Corporate communications (e-mail, meetings)
• Purchasing limits; Approvals/ segregations; Reconciliations; Proper operating & accounting procedures
• Based on identification & analysis of risks to objectives
• CONTROL ENVIRONMENT: Corporate Policies; Tone at the top, ethics; Organisational authority; Skilled personnel

In many cases, you perform controls and interact with the control structure every day, perhaps without even realising it

Role in Risk Management
• Focuses on risks that can prevent the project from attaining the goals
• There are many types of risks – credibility, human capital, ineffective usage of resources, strategic, operational, fraud, financial reporting, legal/regulatory, etc.
• Focuses on areas where there is high risk & high probability of controls not being in place or being weak
• Let’s not forget the positive risks – opportunities!

Adds value through elimination of unnecessary

Role in Internal Control
1. Compliance audit: review of financial & operating controls & transactions for
conformity with laws, regulations & procedures, e.g.,
• Access to IT system appropriate to user’s role
• Segregation of duties in high risk areas
• Balancing & reconciliation between systems
• Systems back up & recovery
• Physical safeguard & access restriction controls
• Reconciliations, comparison of budget to actual

2. Operational audit: review of various functions within project to evaluate efficiency,
effectiveness, & economy

IA Role in Corporate Oversight
• Four pillars – internal audit, executive management, external audit, & Board of directors/ steering committee
• Combination of processes & organisational structures implemented by management to inform, direct, manage and monitor the project’s resources, strategies & policies towards the achievement of its objectives
• Public sector governance principles: transparency, integrity, accountability
• May include review of sufficiency of human resources, training needs, policies, etc.

Nature of Internal Audit Activity
• Establish Scope & activities for audit to Management
• Describe key risks facing the business activities within scope of audit
• Identify control procedures used to ensure each key risk is properly controlled & monitored
• Develop & execute risk based sampling & testing approach to determine whether most important controls are operating as intended (NB: input from Management required – e.g. 100% sampling of WA review)
• Report issues/make recommendations/negotiate action plans with Management to address issues
• Follow up on reported findings periodically

Contents of Audit Plan
• Updated annually
• Risk based audit plan developed with input from project staff including Management
• Summary of key goals, risks & corresponding major audits, to illustrate
• Based on risk assessment & available resources
• Appendix materials, such as planning approach, assumptions & brief descriptions of all planned audits & related prioritization
• Approved by management/ appropriate oversight Committee

Contents of Audit Report
• Observations
• Narration/ description
• Remedial action
• Consequences/ fall out
• Recommendation for improvement (prioritized between “high” and
• Response (action plan) – who, when and how

IA’s Proactive Role
• Identify Risks
• Find Better Ways and Best Practices
• Partner With Management to Find Solutions
• Prevent Problems
• Provide training
• Respond to policy & technical accounting questions
• Offer suggestions for improvement
• Advisory role

Additional Resources

Why all this trouble?
• Additional comfort and “tightness” that the project is doing the right thing, the first time, communicating right information internally, to external auditors, donors, ministries, etc.
• More formal control structures reduce possibility that risks become real issues
• External Auditor may receive additional assurance to provide unqualified report on
• Donor & government confidence increased, affecting financing flows

What are the next steps?
• Identify areas of high risk & opportunities
• Validation of process documentation & controls
• Communication, with PCs & project staff


AKGVG & Associates
Corporate Head Office
307 Pearl Corporate, Mangalam Place,
Sector-3, Rohini, New Delhi, India - 110085
Contact No - +91- 9811118031