Chapter 12: Internal audit

Chapter learning objectives

Upon completion of this chapter you will be able to:

  • Discuss the factors to be taken into account when assessing the need for internal audit;
  • Discuss the elements of best practice in the structure and operations of internal audit;
  • Compare and contrast the role of external and internal audit;
  • Discuss the scope and the limitations of the internal audit function;
  • Explain the advantages and disadvantages of outsourcing internal audit;
  • Discuss the nature and purpose of internal audit assignments including value for money, IT, best value and financial; and
  • Discuss the nature and purpose of operational internal audit assignments including procurement.

1 The need for internal audit

We have seen that Corporate Governance is about ensuring that companies are run well in the interest of all stakeholders. In order to achieve this, companies must create a strong board of directors, structured according to the principles discussed on the preceding pages, who have clearly defined responsibilities for risk management.

However, it is not sufficient to simply have mechanisms in place to manage a business; their effectiveness must be regularly assessed. All systems need some form of monitoring and feedback. This is the role of internal audit.

Further discussion of the need for internal audit

Having an internal audit department is generally considered to be 'best practice,' rather than being required by law. This allows flexibility in the way internal audit is established to suit the needs of a business.

In small or owner-managed businesses, there is unlikely to be a need for internal audit because the owners are able to exercise more direct control over operations, and are accountable to fewer stakeholders.

The need for internal audit will therefore depend on:

  • scale, diversity and complexity of activities;
  • number of employees;
  • cost/benefit considerations; and  
  • the desire of senior management to have assurance and advice on risk and control.

Regulatory guidance

The UK Corporate Governance Code

This sets out the requirements relating to the composition and functions of the audit committee (or equivalent body). As a minimum, they must:

  • monitor the financial reporting process;
  • monitor the effectiveness of the company’s internal control, internal audit, and risk management systems.

Where there is no internal audit function, the audit committee should consider annually whether there is a need for an internal audit function and make a recommendation to the board.

Where there is no internal audit function, the reasons for the absence of such a function should be explained in the relevant section of the annual report.

The Sarbanes-Oxley Act (2002)

Section 404 of the Act requires companies to document, evaluate, test and monitor their internal controls over financial reporting. This requires the senior management of a company to assess the design, operating effectiveness and adequacy of internal controls over financial reporting. Management often turns to internal audit to support compliance with these requirements.

Management are required to issue an annual report that addresses any material deficiencies in the company’s internal controls. Section 404 also requires that the external auditor attests to assertions made by management about the effectiveness of the systems and controls.

2 The scope of the internal audit function

In chapter 1 we explored the role of the external auditor, namely to provide assurance in the form of an opinion regarding the financial statements.

The role of internal audit can be much more varied, depending on the requirements of the business. However, the internal audit function may also provide assurance. They would provide this assurance to internal management on issues such as:

  • the effectiveness of systems (financial, legal and operational);
  • the effectiveness of internal controls;
  • whether company procedures/manuals are being followed;
  • whether internally produced information is reliable; and
  • whether the company is compliant with the OECD.

In addition to the above, internal audit will carry out ad hoc assignments, as required by management, e.g. internal fraud investigations.

If the internal audit department is to be effective in providing assurance it needs to be:

  • sufficiently resourced, both financially and in terms of qualified, experienced staff;
  • well organised, so that it has well developed work practices; and
  • independent and objective.

This last point needs some explanation. Internal auditors are (generally) employed by the company they are reporting on and are often managed as part of the finance function. They will therefore have to report upon the effectiveness of financial systems that they form a part of.

It is therefore difficult for internal audit to remain truly objective. However, acceptable levels of independence can be achieved through one, or more, of the following strategies:

  • Reporting channels separate from the management of the main financial reporting function;
  • Reviews of internal audit work by managers independent of the function under scrutiny; and
  • Outsourcing the internal audit function to a professional third party.


How internal audit is organised will depend upon the scale of the organisation employing them, but usually it is necessary that:

  • The head of internal audit has sufficient seniority within the organisation.
  • Lines of communication ensure that internal audit reports, or at least a summary of them, are reviewed by the audit committee or some other body which is independent of management.
  • There should be ‘whistleblowing’ arrangements so that, where circumstances demand (e.g. fraud), internal auditors can report directly to the company’s chairman or the chair of the audit committee.

3 Limitations of the internal audit function

Reporting system

The chief internal auditor reports to the finance director. This limits the effectiveness of the internal audit reports as the finance director will also be responsible for some of the financial systems that the internal auditor is reporting on. Similarly, the chief internal auditor may soften or limit criticism in reports to avoid confrontation with the finance director.

To ensure independence, the internal audit should report to an audit committee.

Scope of work

The scope of work of internal audit is decided by the finance director in discussion with the chief internal auditor. This means that the finance director may try and influence the chief internal auditor regarding the areas that the internal audit department is auditing, possibly directing attention away from any contentious areas that the director does not want auditing.

To ensure independence, the scope of work of the internal audit department should be decided by the chief internal auditor, perhaps with the assistance of an audit committee.

Audit work

The chief internal auditor may audit their own work. This limits independence as the auditor is effectively auditing their own work, and may not therefore identify any mistakes. This is known as self review threat.

To ensure independence, the chief internal auditor should not establish control systems in the company. However, where controls have already been established, another member of internal audit should carry out the audit of that system to provide some limited independence.

Lengths of service of internal audit staff

Internal audit staff may be employed for a long period of time. This may limit their effectiveness as they will be very familiar with the systems being reviewed and therefore may not be sufficiently objective to identify errors in those systems.

To ensure independence, the existing staff should be rotated into different areas of internal audit work and the chief internal auditor should independently review the work carried out.

Appointment of chief internal auditor

The chief internal auditor is appointed by an executive director/CEO. Given that the CEO is responsible for the running of the company, it is possible that there will be bias in the appointment of the chief internal auditor; the CEO may appoint someone who he knows will not criticise his work or the company.

To ensure independence, the chief internal auditor should be appointed by an audit committee or at least the appointment agreed by the whole board.

Variation of standards

Standards of audit are not uniform across the profession. This could lead to inconsistency in the way internal audit is performed (both on a year-to-year basis and amongst different companies) and it can lead to manipulation of internal audit aims and measurement criteria by companies.

4 Outsourcing the internal audit function

In common with other areas of a company’s operations, the directors may consider that outsourcing the internal audit function represents better value than an in-house provision. Local government authorities are under particular pressure to ensure that all their services represent ‘best value’ and this may prompt them to decide to adopt a competitive tender approach.


Advantages

  • Greater focus on cost and efficiency of the internal audit function.
  • Staff may be drawn from a broader range of expertise.
  • Risk of staff turnover is passed to the outsourcing firm.
  • Specialist skills may be more readily available.
  • Costs of employing permanent staff are avoided.
  • May improve independence.
  • Access to new market place technologies, e.g. audit methodology software without associated costs.
  • Reduced management time in administering an in-house department.


Disadvantages

  • Possible conflict of interest if provided by the external auditors (in some jurisdictions, e.g. the UK, the ethics rules specifically prohibit the external auditors from providing internal audit services).
  • Pressure on the independence of the outsourced function due to, e.g. threat by management not to renew contract.
  • Risk of lack of knowledge and understanding of the organisation’s objectives, culture or business.
  • The decision may be based on cost with the effectiveness of the function being reduced.
  • Flexibility and availability may not be as high as with an in-house function.
  • Lack of control over standard of service.
  • Risk of blurring of roles between internal and external audit, losing credibility for both.

5 Internal audit assignments

Internal auditors perform many different types of assignment. Common examples include:

  • Value for money assignments;
  • The audit of IT systems;
  • Financial audit; and
  • Operational audit.

6 Value for money

Value for money (VFM) is concerned with obtaining the best possible combination of services for the least resources. It is often referred to as a review of the three "E's":

  • Economy – obtaining the best quality of resources for the minimum cost;  
  • Efficiency – obtaining the maximum departmental/organisational outputs with the minimum use of resources; and
  • Effectiveness – achievement of goals and targets (departmental/organisational etc).

Comparisons of value for money achieved by different organisations (or branches of the same organisation) are often made using performance indicators that provide a measure of economy, efficiency or effectiveness. This is particularly common in the 'not-for-profit' sector (i.e. public services and charities).

Examples of health authority indicators might include:

  • Economy – cost of medical supplies in a hospital;
  • Efficiency – cost per patient on a hospital ward, average length of stay per patient;  
  • Effectiveness – absolute number of patients treated.

7 The audit of IT systems

The external auditor considers IT systems from the perspective of whether they provide a reliable basis for the preparation of financial statements, and whether there are internal controls which are effective in reducing the risk of misstatement.

Internal audit will also consider this. However, their role is much wider in scope and will also consider whether:

  • the company is getting value for money;
  • the procurement process was effective; and
  • the ongoing management/maintenance of the system is appropriate.

Whilst this is an ongoing role, project auditing can be used to look at whether the objectives of a specific project, such as commissioning a new factory or implementing new IT systems, were achieved.

8 Financial audit

The main aim of a financial reporting system, from a business' perspective, is to create accurate, complete and timely information to be used as a basis for internal decision making and business planning. This information is also needed to satisfy the requirements of actual and potential investors and trading partners.

Typical examples of financial information include:

  • annual financial statements;
  • interim financial statements;
  • monthly management accounts; and
  • forecasts and projections.

The main aim of internal financial audit is to ensure that the information produced is reliable and produced in an efficient, timely manner. If not, then executive decisions may be based upon unreliable information or may not be possible at all.

The other aim of financial audit is to assess the financial health of a business. More importantly it is about ensuring there are mechanisms in place for the early identification of financial risk, such as:

  • adverse currency fluctuations;
  • adverse interest rate fluctuations; and
  • inflation.

In both cases the focus of internal audit will be on the processes and controls that underpin the creation of the various financial reports to ensure that they are as effective as possible for assisting the various decisions and risk management processes of the company.

9 Operational internal audit assignments

Operational auditing covers:

  • Examination and review of the whole, or part of, a business' operations;
  • The effectiveness of operational controls; and  
  • Identification of areas for improvement in efficiency and performance.

General approach

In operational audit a risk based approach should be used that:

  • identifies the principal business risks involved which may prevent the organisation achieving its objectives; and
  • assesses the extent to which controls are in place and are operating effectively in order to manage these risks.

The outcome of each assignment should be a report to management which appraises the control systems which are currently in place and which makes appropriate recommendations for improvement.

10 Internal auditors and the statutory audit

ISA 610 Using the Work of Internal Auditors lists the main activities of the internal audit function as:

  • Monitoring of internal control;
  • Examination of financial and operating information;
  • Review of the operating activities;
  • Review of compliance with laws and regulations;
  • Risk management; and
  • Governance.

Whilst some of the work performed by internal and external auditors may be similar, it must be remembered that the external auditor is solely responsible for the audit opinion. This responsibility can never be reduced by the use of the work of the internal auditors and can never be delegated to internal audit.

Internal auditors, by their very nature as employees of the organisation, will always be less objective than an external practitioner. Therefore their involvement in the statutory audit must be approached with great care. If the external auditor wishes, at any point, to use the work of internal audit to assist with their procedures, they must firstly determine:

  • Whether the work of internal audit is adequate for the purposes of the audit;
  • The effect of the work of internal auditors on the nature, timing and extent of the external auditor's own procedures;
  • The objectivity of internal audit;
  • The technical competence of internal audit;
  • Whether the work of internal audit is carried out with due professional care; and
  • Whether there is likely to be effective communication between the internal and external auditors.

Contrasting internal and external auditors

As assurance practitioners, both external and internal auditors will need to plan their work so that they gather sufficient appropriate audit evidence, in keeping with the objectives of the assignment.

External audit

The focus of external audit is on ensuring that the financial statements are: free from material misstatement; and properly prepared in accordance with a relevant reporting framework. Therefore the planning of external audit work will be done to achieve this objective.

All statutory audits must be planned in accordance with ISAs and other regulatory requirements.

Internal audit

Internal auditors plan their work so that they achieve the objectives of their assignments, as dictated by management.

Who does the planning?

As we know, external auditors are independent so they must be in control of planning their own work, in accordance with the objectives above.

Internal auditors’ work may be programmed for them by management so that they focus on the areas thought to be most important by the board and those charged with governance.

However, it adds to the strength of corporate governance if the internal audit function has a degree of independence in the selection and objectives of its assignments.


The general rule for assurance engagements is that the practitioner should gather sufficient appropriate evidence to support the opinion in the report which is the outcome of the assignment.

ISA 330 states that under ISAs the auditor gathers evidence which addresses the risk of misstatement as assessed during the planning process and in the light of evidence gathered subsequently.

The external auditor is therefore always governed by this when deciding what evidence is appropriate.

As we have seen above, the internal auditor may have different objectives, depending on the nature of the assignment. For example, consider the auditor's approach to non-current assets:

  • The external auditor is concerned with whether the figures for non-current assets are materially misstated. So the auditor may check purchase prices against invoices, check depreciation is applied properly and physically inspect some assets, all on a test basis, and may therefore conclude that the figure for non-current assets is materially correct.
  • The internal auditor may have an assignment to ensure that the plant register at a particular factory is up to date, and so will need to check that every item recorded exists and that all machines on the factory floor are recorded. The auditor may or may not be concerned with values, depending on the nature of the assignment.


The report produced by the internal auditor is determined by the nature of the assignment.

The external auditor’s report on financial statements is determined by statute and by ISAs (700, 705 & 706). The external auditor must also communicate to those charged with governance, as discussed earlier in the text.


Key question: Is the organisation achieving value for money in its purchases of goods and services?

Is it paying:

  • the right people?
  • the right amount?
  • for the right goods and services?

This is one area where the interests of internal and external auditors are very similar and the detail of the work to be done and the issues to be considered were dealt with in depth in the chapters 'Systems and Controls', 'Audit Evidence' and 'Audit Procedures'.

Types of report provided in internal audit assignments

Formal reports

A formal written report is the traditional outcome from an internal audit assignment. A recommended structure for the report is set out in the following section.

Shorter memorandum reports


For:

  • smaller scale assignments
  • assignments where less depth is required
  • assignments where results are required urgently

a shorter, less formal report may be required.

Nevertheless, the same care needs to be taken with the contents of the report:

  • Addressees – make sure it goes to the right people (especially reports delivered by email).
  • Subject matter – make sure the purpose of the report is clear and that the objective is addressed by the content of the report.
  • Structure – make sure the report is laid out well so that its message is communicated efficiently. Surprisingly, although this type of report is less formal, it still needs to be properly structured and lack of formality should not be taken as an excuse for sloppy drafting.


  • An oral presentation can have a greater impact than a written document.
  • Usually, however, a presentation will be delivered as well as the main report and used to highlight the key findings.
  • Although the delivery methods are clearly different, the structure of a presentation has much in common with the structure of a formal written report.

Structure of a formal report

Cover of report

  • Subject
  • Distribution list
  • Date of issue
  • Any rating/evaluation.

The cover (or header for a shorter memorandum report) is surprisingly important:

  • It makes sure the report goes to the right people.
  • It can make the difference between the report being read or not – so the subject needs to be expressed carefully.

Detailed findings and agreed action

Setting out agreed actions, timescale for action and responsibilities for resolution will be the meat of the report for line management.

  • Recommendations for solving the problem.
  • Who is to carry out the necessary actions.
  • Deadlines and timescales.

Executive Summary

The executive summary is like the whole report in miniature:

  • It needs to grab the reader’s attention to make sure they read the whole report.
  • If the readers were only able to read the executive summary rather than all the detail of the whole report, they should still be able to come to the same conclusion and make the same decisions.

In a memorandum report, because it should be quite short to start with, there will usually be a summary of findings rather than a full executive summary.

In a presentation, a very early slide should give the equivalent of the executive summary.

If a question is asking you to demonstrate how a report should be structured always mention the executive summary, but it will probably be sufficient to state that its content would be a summary of the rest of the report.

Key findings and recommendations

Summary of key findings and recommendations

Short, clear summaries of the key findings and recommendations from the review.

  • The main problems found.
  • Breaches in procedures.
  • Ineffective procedures.

Assessment gradings or ratings

In some organisations, internal auditors provide ‘ratings’ of the area under review, indicating the extent of concern over control or the level of risk, or the standard of performance in the area being reviewed.

This can be in various forms:

  • colours – red/amber/green
  • numbers/letters – A, B, C or 1, 2, 3
  • wording such as ‘acceptable’ or ‘satisfactory’ and ‘unacceptable’ or ‘unsatisfactory’
  • star ratings ×, ××, ×××.

Such ratings can help senior management:

  • form an overall opinion of the organisation
  • identify trends
  • facilitate high level reporting.

However, they can also be seen negatively if they result in management responding defensively to a report on their area that will result in a poor rating.

The most important consideration for rating a report is the basis on which any evaluation or measure will be carried out. This needs to be consistent and clear to ensure credibility of the ratings. The rating may be against a formal control or risk model that drives out the decision or opinion.

Alternative formats

The report can be set out either in:

  • Paragraph format
  • Tabular format.

Tabular format


  • Explanations/further detail.
  • Appropriate analysis to back up the matters referred to in the main body of the report.

Process for producing an internal audit report

As we have seen, the report is the culmination of the assignment and without the report the assignment might as well never have happened.

However, it is equally true to say that if the assignment was not properly planned and executed, there could be no report.

So the production process for the report begins with the planning of the assignment itself:

  • At the planning stage ensure that the work to be done:
    • will fulfil the objective of the assignment
    • will dovetail with the requirements for the report.

After all the work has been done the report needs to be drafted:

  • It needs to be well structured.
  • It needs to be clear and concise.
  • Wherever possible, discuss it with those who will be affected by it so that there are no surprises.
  • Check back with the original objectives/terms of reference of the assignment to make sure that the report delivers what it was supposed to.

Test your understanding 1

(1) What is the role of internal audit in maintaining standards of corporate governance?

(5 marks)

(2) List the types of activities normally carried out by internal audit departments.

(6 marks)

(3) List and explain the limitations of internal audit.

(4 marks)

(4) List two types of internal audit report.

(1 mark)

11 Chapter summary

Test your understanding answers

Test your understanding 1

Created at 5/24/2012 2:39 PM  by System Account  (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
Last modified at 10/3/2012 2:02 PM  by System Account  (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
