Auditing 1 Lecture 15 Internal audit Introduction The

Auditing 1 Lecture 15 Internal audit

Introduction The field of internal auditing is a dynamic and rapidly expanding one. It is a significant component of the internal control system. Its significance and expansion has been greatly enhanced with the formation of the Institute of Internal Auditors (IIA) in 1941 in the United States of America, coupled with the growth in size and complexity of many organizations in recent years, and the need to institute proper and efficient control systems.

Introduction Internal audit is generally a feature of large companies. It is a function, provided either by employees of the entity or sourced from an external organization, to assist management in achieving corporate company’s mission statement and strategic plan.

Internal audit and corporate governance Established codes of corporate governance such as the UK Corporate Governance Code highlight the need for businesses to maintain good systems of internal control to manage the risks the company faces. Internal audit can play a key role in assessing and monitoring internal control policies and procedures. The board should establish formal and transparent arrangement for considering how they should apply the corporate reporting and risk management and internal control principles, and maintaining an appropriate relationship with the company’s auditors. The role of the internal auditor is anchored on three main pillars: (i) Risk Management (ii) Internal Control and (iii) Governance

Assessing the need for internal audit Internal audit can assist an entity in providing effective corporate governance thus a corporate governance requirement. The cost of setting up an internal audit department versus the predicted benefit Predicted savings in external fees where work carried out by consultants will be carried out by the new internal audit department The complexity and scale of the organization’s activities and the systems supporting those activities. The abilities of existing managers and employees to carry out assignments that internal audit may be asked to carry out Management’s perceived need for assessing risk and internal control Whether it is more cost effective or desirable to outsource the work The pressure from external stakeholders to establish an internal audit department

Definition of internal audit In the standard for the professional practice of Internal Auditing, the Institute of Internal Auditors, in 1978, defined internal auditing as; “An independent appraisal function established within an organisation to examine and evaluate its activities as a service to the organization”.

Definition of internal audit The 21 st Century definition of internal auditing as contained in the International Standards for the Professional Practice of Internal Auditing issued in January 2004 re-inforces the core role of the internal auditor as: An independent objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organization accomplish its objectives by bringing systematic disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance process.

Definition of internal audit Internal auditing is an appraisal or monitoring activity established within an entity as a service to the entity. It functions by, amongst other things, examining, evaluating and reporting and to management and the directors on the adequacy and effectiveness of components of the accounting and internal control systems.

The Changing Role of the Internal Auditor CHARACTERISTI CS i) Internal Audit focus OLD PARADIGM NEW PARADIGM Internal Control Business Risk ii) Internal audit response Reactive, after-the-fact, discontinuous, observers of strategic planning initiatives Proactive, real-time continuous, participants in strategic planning initiatives iii)Risk assessment Searching for risk factors Scenario planning iv)Internal audit test Concerned with important Controls Concerned with important business risk

The Changing Role of the Internal Auditor v)Internal audit methods Emphasis on the Completeness of detail, Controls testing Emphasis on significance Of broad business risks covered vi)Internal audit recommendation Internal control: -Strengthened -Cost-benefit -Efficient/effective Risk management: -Avoid/diversity risk -Share/transfer risk -Control/accept risk vii)Internal audit reports Addressing functional controls Addressing process risk viii)Internal audit role in the organization Independent appraisal function Integrated risk Management and corporate governance

Code of Ethics The Institute of Internal Auditors (IIA) ha promulgated a code of ethics to promote an ethical culture in the global profession of internal auditing: Integrity Objectivity Confidentiality Competency

Distinction between internal and external auditor Internal audit External audit Objective Designed to add An exercise to value and improve enable auditors to an orgn’s operations express an opinion on the FS. Reporting Reports to the BOD, or other ppl charged with governance, such as the audit comm. Reports are private and for the directors & mgt of the co. Reports to the s’holders or mbrs of a co. on the T&F of the accts. Audit report is publicly available to the s’holders and other interested parties Scope Work relates to the operations of the Work relates to the financial statements

Distinction between internal and external auditor Relationship Often employees of the orgn, although s’times the function is outsourced Independent of the co. and its mgt usually appointed by the shareholders. Planning and collection of evidence -Strategic L-T planning carried out to achieve objective of assignments with no materiality level being set. -Some audit may be procedural, rather than riskbased -Evidence mainly -Planning carried out to achieve objective regarding truth and fairness of financial statement. -Materiality level set during planning (may be amended ). -Evidence collected using a variety of procedures to obtain

Functions of Internal Audit: To review the control system and to identify weaknesses, breakdown and to report to management with recommendations. To design checks to reveal the existence of frauds or to prevent frauds. To rationalize accounting policies within a group and to design and implement new accounting systems. To conduct management efficiency audits and post implementation audits of capital projects.

Relationship with External Auditor: The Internal Auditor and the External Auditor have similar audit aims on accounting matters; i. e, ascertain the reliability of records/effectiveness of the control system so as to safeguard the assets of the company. Both use similar means or methods to achieve the above, e. g. , testing controls, physical inspection, confirmation from third parties, sampling techniques.

Qualities/skills of Internal Auditor Technical Skills Data collection and analysts Financial analysis Forensic skill/fraud awareness Identifying types of controls Interviewing Negotiating Use of ICT Risks analysis Statistical sampling Research skills

Qualities/skills of Internal Auditor Behavioral Confidentiality Governance and ethics sensitivity Interpersonal skills Staff management Leadership Objectivity Team Building Facilitating Working independently Work with all levels of management

Reliance on the Internal Auditor by the External Auditor In order to rely on the work of the internal auditor, the external auditor needs to assess the relevance, competence and objectivity of the internal auditing department. Such assessment will be focused on the following areas: Position – The degree of independence or how independent are people whose work are being reviewed Staff – The number of qualified staff in the department as well as their relevant experience/expertise

Reliance on the Internal Auditor by the External Auditor Scope of Work/Evidence of Work Done – A critical examination of scope of work of the internal auditing department including the examination of the working papers and the appropriate management action taken on internal audit reports and recommendations. Executive Functions – The extent to which internal audit is involved in the implementation of new accounting systems.

Internal audit assignments Internal audit can be involved in many different assignments as directed by management. These can range from value for money projects to operational assignments looking at specific parts of the business.

Value for money audits Value for money (VFM) audits examines the economy, efficiency and effectiveness of activities and processes. These are known as the three Es of VFM audits. The three E’s which form the basis of the VFM audit are very important for assessing the performance of not-for-profit organizations, because their performance cannot be properly assessed using conventional accounting ratios.

Information technology audits An information technology (IT) audit is a test of controls in a specific area of the business, the computer systems. Increasingly in modem business, computers are vital to the functioning of the business, and therefore the controls over them are keys to the business. It is likely to be necessary to have an IT specialist in the internal audit team to undertake an audit of the controls, as some of them will be programmed into the computer system.

Best value audits “Best value” is a performance framework introduced into local authorities by the UK government. They are required to publish annual best value performance plans and review all of their functions over a five year period. As part of best value authorities are required to strive for continuous improvement by implementing the “ 4 Cs”: Challenge. How and why is a service provided? Compare. Make comparisons with other local authorities and the private sector. Consult. Talk to local taxpayers and service users and the wider business community in setting performance targets. Compete. Embrace fair competition as an means of securing efficient and effective service

Financial audit The financial audit is internal audit’s traditional role. It involves reviewing all the available evidence to substantiate information in management and financial reporting. The substantive procedures and tests of controls employed by external audit are also used by internal audit.

Operational audits are audits of the operational processes of the organization. They are also known as management of efficiency audits. Their prime objective is the monitoring of management’s performance ensuring company policy is adhered to. There are two aspects of operational assignments: Ensure policies are adequate Ensure policies work effectively

Procurement audits Procurements is the process of purchasing for the business. A procurement audit will therefore concentrate on the systems of the purchasing department(s). the internal auditor will be checking that the system achieves key objectives and that it operates according to company guidelines.

Internal audit reports Internal auditors produce reports for directors and management as a result of work performed. These reports are internal to the business and are unlikely to be shared with third other than the external auditors. The report is in a similar format to that used in the ‘report to management’ by the external auditor when reporting significant deficiencies. The internal auditor’s report could state deficiencies found during the operational audit along with the related implications and recommendations.

Exit meeting An exit meeting is held at end of the internal audit engagement after a draft report has been produced. The people at the meeting are likely to include both the operational staff who understands the workings of the implementations of the corrective actions identified. The objectives of the meeting are to : Discuss the findings and associated recommendations. Provide management with the opportunity to give their views on, and ask for clarification of, the observations and recommendations allowing any misunderstandings to be resolved. Agree to the possible solutions to the problems the audit assignment has identified

Final reports Depending on the organization in question, the final report may take the form of a written report or take a different format, such as a Power. Point presentation. Standard report format TERMS OF REFERENCE EXECUTIVE SUMMARY BODY OF THE REPORT APPENDICES FOR ANY ADDITIONAL INFORMATION

EXECUTIVE SUMMARY The executive summit is like a condensed version of the full report and an executive summary in an internal audit report will usually include: Background to the assignment Objectives of the assignment Major outcomes of the work Key risks identified Key action points Summary of the left to do

Minimum contents Although the content and format of the final internal audit report will vary, somewhere the report should, as a minimum, describe the purpose, scope and result of the engagement. Purpose: The objectives of the audit engagement should be clearly stated This makes the report easier to read and helps the reader to interpret it. Findings should be linked back to this objective.

Minimum contents Scope: The scope defines what specially is audited. It identifies which activities are audited and also highlights any activities that are excluded from the audit. Results: This should include: . observations . conclusions . opinions . Recommendations . Action plans

Addition contents In addition, the final internal audit report may include the following, optional, sections. Background Information: This could include information such as details of the organization and the activities reviewed, and the outcome of previous audit of the same areas. Summaries: An executive summary (as described earlier) may be included to present the main findings of the report for those who do not have time to read the entire report.

Addition contents Accomplishments: Improvements in relation to the past audit of the area may be acknowledged. Opinions: The opinions of management or other staff on the findings and recommendations may be incorporated into either the main body of the report, an appendix or as a covering letter. Executives may need to intervene if there is a disagreement between management and internal audit

Attributes High quality internal audit report will have the following attributes: Accurate: The report should be free from error. Objective: It should be fair, impartial and unbiased. It should be based on facts Clear: The report should be logical, easily understood and free from jargon Concise: It should be to the point and free from unnecessary detail Complete: No information essential to the intended audience should be omitted. Timely: The report should convey a sense of urgency.

Distribution of the final report The full report should be provided to those people who can take corrective action on the issues raised in the report. Summary reports should be provided to more senior managers. Communication may also go to: External auditors The board Others who are affected by, or interested in, the results

Amendments If any amendments are made to the report after it has been issued, a new report should be issued which highlights any changes. This should be distributed to everyone who received the original report.

Releasing the report If the report is to be released to parties outside the organization, the risks to the organization of doing so should be assessed. Approval to release should be gained from senior management, legal counsel or both.

Management response After the issue of the final report, management will be given the opportunity to provide their formal response to the report. This formally communicates back what is going to be done about the recommendations raised.

Outsourcing the internal audit function Internal audit departments may consist of employees of the company, or may be outsourced to external service providers. The advantages of outsourcing the internal audit function include speed, cost and a tailored answer to internal audit requirements. One of the main disadvantages may include threats to independence and objectivity if the external audit service is provided by the same firm.

What is outsourcing Outsourcing is the use of external suppliers as a source of finished products Components or services. It is also known as sub contracting.

Advantages of outsourcing Staff does not need to be recruited, as the service provider has good quality staff. The service provider has different specialist skills and can assess what management requires them to do. Outsourcing can provide an immediate internal audit department. Associated costs, such as staff training, are eliminated. The service contract can be for the appropriate time scale. Because the time scale is flexible, a team of staff can be provided if required. It can be used on a short-term basis

Disadvantages of outsourcing There will be independence and objectivity issues if the company uses the same firm to provide both internal and external audit services. The cost of outsourcing the internal audit function might be high enough to make the directors choose not to have an internal audit function at all. Company staff may oppose outsourcing if it results in redundancies. There may be a high staff turnover of internal audit staff The outsourced staff may only have a limited knowledge of the company The company will lose in-house skills

Managing an outsourced department A company will need to establish controls over the outsourced internal audit department. These would include: Setting performance measures in terms of cost and areas of the business reviewed and investigating and variances Ensuring appropriate audit methodology (working paper/reviews) is maintained. Reviewing working papers on a sample basis to ensure they meet internal standards /guidelines Agreeing internal audit work plans in advance of work being performed. If external auditor is used, ensuring the firm has suitable controls to keep the two functions separate so that independence and objectivity is not impaired.

Quiz 1. What is an internal audit? 2. Name three key differences between internal and external audit. 3. link the value for money E with its definition Economy Efficiency Effectiveness 4. The relationship between the goods and services produced (outputs) and the resources used to produce them. . The concern with how well an activity is achieving its policy objectives or other intended effect. Attaining the appropriate quantity and quality of physical, human and financial resources (output) at lowest cost. 5. Name five areal of the computer system which might benefit from an IT audit. 6. . There are formal statutory rules governing the format of internal audit reports. True False It is possible to buy in an internal audit services from an external organization