Chapter 9: Audit and compliance

Chapter learning objectives

Upon completion of this chapter you will be able to:

  • describe the function and importance of internal audit
  • explain, and discuss the importance of auditor independence in all client-auditor situations (including internal audit)
  • explain and assess the nature and sources of risks to audit independence and assess the hazard of auditor capture
  • explain and evaluate the importance of compliance and the role of the internal audit committee in internal control
  • describe and analyse the work of the internal audit committee in overseeing the internal audit function
  • explain and explore the importance and characteristics of the audit committee's relationship with external auditors
  • describe and assess the need to report on internal controls to shareholders
  • describe the content of a report on internal control and audit.

1 Function and importance of internal audit

  • Internal audit is a management control. The department reviews the effectiveness of other controls within a company.
  • It is part of the control systems of a company, with the aim of ensuring that other controls are working correctly.
  • In some regimes, it is a statutory requirement to have internal audit. In others, codes of corporate governance strongly suggest that an internal audit department is necessary.
  • The work of internal audit is varied – from reviewing financial controls through to checking compliance with legislation.
  • The department is normally under the control of a chief internal auditor who reports to the audit committee.

Roles of internal audit

Roles of internal audit department

Types of audit work

The internal audit department will carry out many different typesof audit, as highlighted by the department's varied roles. The detail ofthese has been covered in Paper F8 (Audit and Assurance).

Examples of audit types are:

  • financial audit
  • operational audit
  • project audit
  • value for money audit
  • social and environmental audit
  • management audit.

Types of audit

Financial audit

Financial auditing is traditionally the main area of work for the internal audit department. It embraces:

  • the conventional tasks of examining records and evidence to support financial and management reporting in order to detect errors and prevent fraud
  • analysing information, identifying trends and potentially significant variations from the norm.

Operational auditing covers:

  • examination and review of a business operation
  • the effectiveness of controls
  • identification of areas for improvement in efficiency and performance including improving operational economy, efficiency and effectiveness – the three Es of value for money auditing.

There are four main areas where such an approach is commonly used 

  • procurement
  • marketing
  • treasury
  • human resources.

Project auditing

Best value and IT assignments are really about looking at processes within the organisation and asking:

  • were things done well?
  • did the organisation achieve value for money?

Project auditing is about looking at a specific project:

  • commissioning a new factory
  • implementing new IT systems

and asking whether these were done well. So the focus is different and has more to do with:

  • were the objectives achieved?
  • was the project implemented efficiently.
  • what lessons can be learned from any mistakes made?

A number of projects when taken together can become a programme.

Value for money audit

An area that internal auditors have been getting increasinglyinvolved in is the value for money audits. These have been replaced interminology more recently by "best value" audits, but many of theprinciples remain the same.

In a value for money audit the auditor assesses three main areas.

  • Economy

The economy of a business is assessed by looking at the inputs tothe business (or process), and deciding whether these are the mosteconomical that are available at an acceptable quality level. Forexample, if assessing the economy of a commercial company the inputswould be capital (plant and machinery, buildings, etc.), raw materials,the workforce and any administrative function required to run thebusiness.

  • Efficiency

The efficiency of an operation is assessed by considering howwell the operation converts inputs to outputs. In a manufacturingcompany this might involve looking at wastage in production or qualitycontrol failures for example.

  • Effectiveness

The effectiveness of an organisation is assessed by examiningwhether the organisation is achieving its objectives. To assesseffectiveness there must be clear objectives for the organisation thatcan be examined. In some organisations, particularly not for profit andpublic service organisations, deciding suitable objectives can be one ofthe most difficult parts of the value for money exercise.

Social and environment audit

An environment audit is defined as:

'A management tool comprising a systematic, documented, periodic,and objective evaluation of how well organisations, management, andequipment are performing, with the aim of contributing to safeguardingthe environment by facilitating management control of environmentalpractices, and assessing compliance with company policies, which wouldinclude meeting regulatory requirements and standards applicable.'

The social audit would look at the company's contribution to society and the community. The contributions made could be through:

  • Donations.
  • Sponsorship.
  • Employment practices.
  • Education.
  • Health and safety.
  • Ethical investments, etc.

A social audit could either confirm statements made by thedirectors, or make recommendations for social policies that the companyshould perform.

More on social and environmental audit will be seen in the chapter on social and environmental issues.

Management audit

A management audit is defined as 'an objective and independentappraisal of the effectiveness of managers and the corporate structurein the achievement of the entities' objectives and policies. Its aim isto identify existing and potential management weaknesses and recommendways to rectify them.'

Audit of internal controls

Internal controls were explained in the previous chapter. A basiccategorisation is provided here as a reminder, but now with specificexamples of the controls that would normally be expected in a company.To ensure that the company's control system is effective, the internalauditor will be looking for controls similar to these for each riskidentified.

Test your understanding 1 - Features of internal audit

Using your existing knowledge, and common sense, suggest somepractical features of a good internal audit department, structuring youranswer in the areas of:

  • Organisational status.
  • Scope of function.
  • Technical competence.
  • Due professional care.

Organisational structure of internal audit

  • The basic structure is a chief internal auditor, responsible to the audit committee with an internal audit team reporting to that person.
  • In large organisations the internal audit function will be a separate department.
  • In a small company it might be the responsibility of individuals to perform specific tasks even though there will not be a full-time position.
  • Some companies outsource their internal audit function, often to one of the large accountancy firms (but note the independence requirements of SOX in this respect).

2 Factors affecting the need for internal audit

There are a number of factors that affect the need for internal audit.

  • The scale, diversity and complexity of the company's activities.
  • The number of employees.
  • Cost/benefit considerations.
  • Changes in the organisational structures, reporting processes or underlying information systems.
  • Changes in key risks (could be internal or external in nature).
  • Problems with existing internal control systems.
  • An increased number of unexplained or unacceptable events.

Factors affecting the need for internal audit

Why is internal audit important?


  • in some situations it is required by statute (SOX)
  • in some situations it is required by codes of good practice (codes of corporate governance)
  • it provides an independence check on the control systems in a company (see below for more detail)
  • it is a management control.

What factors affect the need for internal audit?

Apart from the obvious comment that companies which are listed arerequired to have an internal audit department, other factors will affectthe decision to have an internal audit in non-listed companies.

Where there is no internal audit department, as the Turnbull Report notes 'inthe absence of an internal audit function, management needs to applyother monitoring processes in order to assure itself and the board thatthe system of internal control is functioning as intended. In thesecircumstances, the board will need to assess whether such proceduresprovide sufficient and objective assurance'.

3 Auditor independence

  • Internal audit is an independent objective assurance activity.
  • To ensure that the activity is carried out objectively, the internal auditor must have his/her independence protected.
  • Independence is assured in part by having an appropriate structure within which internal auditors work.
  • Independence is also assured in part by the internal auditor following acceptable ethical and work standards.

Risks if auditors are not independent

4 Potential ethical threats

  • Auditor independence will be compromised where ethical threats are faced.
  • A threat to independence is anything that means that the opinion of an auditor could be doubted.
  • Threats can be real or perceived.
  • The conceptual framework in the ACCA code of ethics provides examples of generic threats that affect auditors, which can be viewed as affecting both external and internal auditors.
  • The code of ethics also provides examples of other threats that (normally) affect external auditors.

Ethical threats: ACCA conceptual framework

The following analyses of threats are included in the ethics codesof the UK professional accountancy bodies. They are can be applied toboth external auditors and internal audit engagements.

Self-interest threat

Occurs when the audit firm or a member of the audit team couldbenefit from a financial interest in, or other self-interest conflictwith, an audit client.

For example, in an external audit context:

  • direct financial interest or material indirect financial interest in an audit client
  • loan or guarantee to or from an audit client or any of its directors or officers
  • undue dependence on total fees from an audit client
  • concern about the possibility of losing the engagement
  • having a close business relationship with an audit client
  • potential employment with an audit client, and
  • contingent fees relating to audit engagements.

In an internal audit context this could be where the auditor'sbonus is somehow tied up with the performance of the business area underreview, maybe as part of overall business unit performance in meetingtargets for 'clean' audit reports.

Self-review threat

Occurs when the audit firm, or an individual audit team member, isput in a position of reviewing subject matter for which the firm orindividual was previously responsible, and which is significant in thecontext of the audit engagement.

For example, in an external audit context:

  • member of the audit team being, or having recently been, a director, officer or other employee of the audit client in a position to exert direct and significant influence over the subject matter of the audit engagement
  • performing services for an audit client that directly affect the subject matter of the current, or a subsequent, audit engagement and
  • preparing original data used to generate financial statements or preparing other records that are the subject matter of the audit engagement.

In an internal audit context this may occur where someone hasrecently transferred within the company into an audit role, and is foundto be auditing their old department.

Advocacy threat

Occurs when the audit firm, or a member of the audit team,promotes, or may be perceived to promote, an audit client's position oropinion.

For example:

  • dealing in, or being a promoter of, shares or other securities in an audit client and
  • acting as an advocate on behalf of an audit client in litigation or in resolving disputes with third parties.

Familiarity threat

Occurs when, by virtue of a close relationship with an auditclient, its directors, officers or employees, an audit firm or a memberof the audit team becomes too sympathetic to the client's interests.

For example, in an external audit context:

  • a member of the audit team having a close family member who, as a director, officer or other employee of the audit client, is in a position to exert direct and significant influence over the subject matter of the audit engagement
  • a former partner of the firm being a director, officer or other employee of the audit client, in a position to exert direct and significant influence over the subject matter of the audit engagement
  • long association of a senior member of the audit team with the audit client and
  • acceptance of gifts or hospitality, unless the value is clearly insignificant, from the audit client, its directors, officers or employees.

In an internal audit context this is often an issue where auditorshave worked within a company for many years and have long-standingrelationships with employees and management across a number ofdepartments.

Intimidation threat

Occurs when a member of the audit team may be deterred from actingobjectively and exercising professional scepticism by threats, actual orperceived, from the directors, officers or employees of an auditclient.

For example, in an external audit context:

  • threat of replacement over a disagreement regarding the application of an accounting principle
  • pressure to reduce inappropriately the extent of work performed in order to reduce fees and
  • dominant personality in a senior position at the audit client, controlling dealings with the auditor.

In an internal audit context this may occur where the promotionprospects, pay rises or other rewards of the auditor can be influencedby the manager of a department being audited. The auditor may be putunder pressure to provide a clean audit report in return for afavourable appraisal.

External auditor ethical threat examples

External auditors have many specific threats to their independence at audit clients, which are summarised below.

Test your understanding 2

Which of the following are independence issues?

(1)Working as an audit junior on the statutory audit of a major bank with whom you have your mortgage.

(2)Taking on a large new client whose fees will make up 90% of your total revenue.

(3)Taking on a large new client whose fees will make up 10% of your total revenue.

(4)Working as an audit partner and accepting a gold Rolex as a 'gift'.

(5)Performing an internal audit review of controls that you put in place in your previous role.

(6)Working as an external auditor at a companywhere you have a close personal relationship with a person who has ajunior role in the marketing department.

(7)Taking on the audit for a company with which your firm has recently been involved in a share issue.

Ethical conflicts of interest

Situations could occasionally arise in which an auditor, especiallyan internal auditor, might be asked to behave (or might be tempted tobehave) in a way that conflicts with ethical standards and guidelines.

Conflicts of interest could relate to unimportant matters, but theymight also involve fraud or some other illegal activity. The threat ismore severe for internal auditors as the company they are reporting onis also their employer. Threats can therefore be carried out in waysthat will not affect external auditors such as lack of salary increasethrough to termination of employment.

Examples of such ethical conflicts of interest are as follows:

Resolution of ethical conflicts of interest

Conflict resolution is explained in more detail in the ethical decision making chapter.

Protection of independence

  • The internal auditors should be independent of executive management and should not have any involvement in the activities or systems that they audit.
  • The head of internal audit should report directly to a senior director or the audit committee. In addition, however, the head of internal audit should have direct access to the chairman of the board of directors, and to the audit committee, and should be accountable to the audit committee.
  • The audit committee should approve the appointment and termination of appointment of the head of internal audit.

Summary of independence

In summary, independence requires:

  • independence of mind: the state of mind that permits the provision of an opinion without being affected by influences that compromise professional judgement, allowing an individual to act with integrity, and exercise objectivity and professional scepticism.
  • independence in appearance: the avoidance of facts and circumstances that are so significant that a reasonable and informed third party, having knowledge of all relevant information, including safeguards applied, would reasonably conclude a firm's, or a member of the assurance team's, integrity, objectivity or professional scepticism had been compromised.

Further measures to protect independence

The independence of internal audit is enhanced by followingaccepted standards of internal audit work. Internal auditors can followthe same standards as external auditors. However, there are alsoInternational Standards for Internal Audit issued by the InternalAuditing Standards Board (IASB) of the Institute of Internal Auditors.

  • Attribute standards deal with the characteristics of organisations and the parties performing internal auditing activities.
  • Performance standards describe the nature of internal auditing activities and provide quality criteria for evaluating internal auditing services.

Attribute standards for internal audit

Performance standards for internal audit

5 Audit committee

The audit committee is a committee of the board of directorsconsisting entirely of independent non-executive directors (NEDs) (atleast three in larger companies), of whom at least one has had recentand relevant financial experience.

Roles of the audit committee

  • The key roles of the audit committee are 'oversight', 'assessment' and 'review' of other functions and systems in the company.
  • Most of the board objectives relating to internal controls will be delegated to the audit committee.

Smith guidance

The Smith Guidance on audit committees states that:

'While all directors have a duty to act in the interests of thecompany the audit committee has a particular role, acting independentlyfrom the executive, to ensure that the interests of shareholders areproperly protected in relation to financial reporting and internalcontrol.'

Factors affecting the role of the audit committee

The role of the audit committee was considered in the UK CorporateGovernance Code (2010) and Sarbanes-Oxley (SOX). The King Reportcontains similar recommendations.

How effective the audit committee is in checking compliance andinternal controls depends primarily on how it is constituted and thepower vested in that committee. The following factors are relevant:

  • The board should decide how much responsibility it wishes to delegate to the audit committee. The tasks of the committee will differ according to the size, complexity and risk profile of the company.
  • The committee should meet as often as its responsibilities require, and it is recommended that there should be at the very least three meetings each year, to coincide with key dates in the audit cycle. (for example, when the annual audit plans are available for review, when the interim statement is near completion and when the preliminary announcement/full annual report are near completion).
  • The audit committee should meet at least once a year with the external and internal auditors, without management present, to discuss audit-related matters.
  • Formal meetings of the audit committee are at the heart of its work. However, they will rarely be sufficient. The audit committee chairman in particular will probably wish to meet informally with other key people, such as the board chairman, CEO, finance director, senior audit partner and head of internal audit.
  • Any disagreement between audit committee members that cannot be resolved within the committee should be referred to the main board for a resolution.
  • The audit committee should review both its terms of reference and its effectiveness annually, and recommend any necessary changes to the board. (The board should also review the effectiveness of the audit committee annually.)
  • To do its work properly, the audit committee must be kept properly informed by the executive management. Management is under an obligation to keep the audit committee properly informed and should take the initiative in providing information, instead of waiting to be asked.

Obviously, the role of the committee becomes less important wherethe points made above are not dealt with correctly. For example, if thecommittee is denied access to executive management then the committeewill be less effective.

Audit committee and compliance

One of the primary activities of the audit committee, particularlyunder SOX, is to check compliance with external reporting regulations.The audit committee normally has a responsibility to ensure that theexternal reporting obligations of the company are met.

The audit committee should review the significant financialreporting issues and judgements in connection with the preparation ofthe company's financial statements. Management is responsible forpreparing the financial statements and the auditors are responsible forpreparing the audit plan and carrying out the audit.

However, the oversight function can sometimes lead to more detailedanalysis. For example, if the audit committee is not satisfied with theexplanations of the auditors and management about a particularfinancial reporting decision, 'there may be no alternative but tograpple with the detail and perhaps seek independent advice'.

The audit committee needs to satisfy itself that the financialstatements prepared by management and approved by the auditors areacceptable. It should consider:

  • the significant accounting policies that have been used, and whether these are appropriate
  • any significant estimates or judgements that have been made, and whether these are reasonable
  • the method used to account for any significant or unusual transactions, where alternative accounting treatments are possible
  • the clarity and completeness of the disclosures in the financial statements.

The committee should listen to the views of the auditors on thesematters. If it is not satisfied with any aspect of the proposedfinancial reporting, it should inform the board.

The committee should also review the financial-related informationthat accompanies the financial statements, such as the information inthe Business Review and the corporate governance statements relating toaudit and risk management.

6 The audit committee and internal control

The board is responsible for the total process of risk management,which includes ensuring that the system of internal control is adequateand effective.

The board delegates this internal control responsibility to the audit committee.

Audit committee and internal control

In relation to internal controls, the audit committee should:

  • review the company's internal financial controls
  • monitor the adequacy of the internal control systems, with a specific focus on
    • control environment
    • management attitude
    • management controls
  • review compliance with regulations, legislation and ethical practices (such as environmental policies and codes of conduct), and ensure that systems are in place to support such compliant behaviour
  • review the company's fraud risk management policy, ensuring that awareness is promoted and reporting and investigation mechanisms exist
  • give its approval to the statements in the annual report relating to internal control and risk management
  • receive reports on the conclusions of any tests carried out on the controls by the internal or external auditors, and consider the recommendations that are made
  • where necessary, the committee may be required to supervise major transactions for appropriateness and validity.

7 The audit committee and internal audit

As part of their obligation to ensure adequate and effectiveinternal controls, the audit committee is responsible for overseeing thework of the internal audit function.

Audit committee and internal audit

The audit committee should:

  • monitor and assess the role and effectiveness of the internal audit function within the company's overall risk management system
  • check the efficiency of internal audit by, e.g. comparing actual costs and output against a target
  • approve the appointment, or termination of appointment, of the head of internal audit
  • ensure that the internal audit function has direct access to the board chairman and is accountable to the audit committee
  • review and assess the annual internal audit work plan
  • receive periodic reports about the work of the internal audit function
  • review and monitor the response of management to internal audit findings
  • ensure that recommendations made by internal audit are actioned
  • help preserve the independence of the internal audit function from pressure or interference.

The Smith Guidance on audit committees recommends that thecommittee meet with internal auditors at least once a year, withoutmanagement present, to discuss audit-related matters.

If the company does not have an internal audit function:

  • the committee should consider annually whether there is a need for an internal audit function and make a recommendation to the board, and
  • the reasons for the absence of an internal audit function should be explained in the relevant section of the annual report.

Review of internal audit

The audit committee, and the external auditor where they arerelying on the internal audit department, will need to ensure that theinternal audit department is working effectively. Such a review willnormally involve four key areas, as outlined below:

8 The audit committee and external auditors

The audit committee is responsible for oversight of the company'srelations with its external auditors. The audit committee should:

  • have the primary responsibility for making a recommendation to the board on the appointment, re-appointment or removal of the external auditors
  • 'oversee' the selection process when new auditors are being considered
  • approve (though not necessarily negotiate) the terms of engagement of the external auditors and the remuneration for their audit services
  • have annual procedures for ensuring the independence and objectivity of the external auditors
  • review the scope of the audit with the auditor, and satisfy itself that this is sufficient
  • make sure that appropriate plans are in place for the audit at the start of each annual audit
  • carry out a post-completion audit review.

Post-completion audit review

Independence of external auditors

The independence of the external auditors

The audit committee should have annual procedures for ensuring the independence and objectivity of the external auditors.

The Smith Guidance suggests that the audit committee should:

  • seek reassurance that the auditors and their staff have no family, financial, employment, investment or business relationship with the company (other than in the normal course of business)
  • obtain each year from the audit firm information about its policies and processes for:

(1)maintaining its independence and

(2)monitoring compliance with relevant professional requirements, such as rules regarding the rotation of audit partners and staff.

  • agree with the board and then monitor the company's policy on employing former employees of the external auditor. It should monitor how many former employees of the external auditor now hold senior positions in the company, and if appropriate consider whether, in view of the situation, there may be some impairment (or appearance of impairment) of the auditors' independence with regard to the audit
  • develop and recommend to the board the company's policy on the provision of non-audit services by the external auditors. The provision of non-audit services must not impair the independence or objectivity of the auditors.

The audit committee should establish a policy that specifies the types of work:

  • from which the external auditors are excluded.
  • for which the external auditors can be engaged without referral to the audit committee.
  • for which a case-by-case decision is necessary. In these cases, a general pre-approval might be given for certain classes of work, and if the external auditor is engaged to provide any such services, this should then be ratified at the next audit committee meeting.

The policy may also set fee limits generally or for particular classes of non-audit work.

A guiding set of principles is that the external auditor should not be engaged for non-audit work if, as a result:

  • the external auditor audits work done by himself
  • the external auditor makes management decisions for the company
  • a mutuality of interest is created, or
  • the external auditor is put in the role of advocate for the company.

Test your understanding 3

ECG is the world's second largest arms exporter. It serves over 20nations, fulfilling defence system contracts worth billions of dollars.These dealings require consent from its home government to ensurenational security is maintained and that governmental embargos on salesto unfriendly countries are not breached.

ECG is currently serving the needs of a particular regime whosehuman rights record and hostile posturing may lead to such a ban ontrade. ECG has already sold war planes and missile guidance systems tothis country but is yet to receive payment.

ECG's audit committee and external auditors have an unusuallydifficult task performing their duties due to the unique nature of thecompany and the need to maintain high levels of security andconfidentiality over much of the organisation's business. Because ofthis there is no line of communication to the committee other thanthrough the CFO.

The committee and the external auditors work closely together,indeed one former audit partner now sits on the audit committee and ispleased that the firm has decided to retain his old company's servicesfor the 15th year in succession. The committee are content to accept theaudit firm's recommendation on the accounting treatment of allcontracts due to their complexity and need for “hidden costs” to beremoved. These include large payments to provide hospitality to would beclients.

There is also a high degree of informality between externalauditors and internal auditors due to the complexity of large non-auditcontracts served by the audit firm. These are so large the externalauditor appears to discount its audit costs as a way of ensuring theseservices are retained. National security is always an issue and auditsare time-pressured due to limited staff resource allocation, so theexternal audit firm is guided by internal auditors in terms of itsproposed risk assessment and work plan. This seems appropriate sincemany ex-audit firm staff now work for the company and so understandaudit issues from both viewpoints.

The audit committee will make no recommendations for change thisyear, especially since the internal audit manager assured them therewere no real problems during their annual hourly meeting.


(a)Describe the role of the audit committee and discuss potential problems in its operation.

(b)Consider the threats to auditor independence and propose actions to deal with these.

9 Reporting on internal controls to shareholders

The UK Corporate Governance Code (2010) states that a company'sboard of directors should maintain a sound system of internal control tosafeguard shareholders' investment and the company's assets.

  • Shareholders, as owners of the company, are entitled to know whether the internal control system is sufficient to safeguard their investment.
  • To provide shareholders with the assurance they require, the board should, at least annually, conduct a review of the effectiveness of the group's system of internal controls and report to shareholders that they have done so.
  • The review should cover all material controls, including financial, operational and compliance controls and risk management systems.
  • This review should be conducted against COSO's elements of an effective internal control system, as discussed in the previous chapter.
  • The annual report should also inform members of the work of the audit committee.
  • The chair of the audit committee should be available at the AGM to answer queries from shareholders regarding their work.
  • Additional reporting requirements apply under SOX.

Test your understanding 4

Suggest two reasons why a company may choose to report on internal controls to its shareholders.

Audit committee reporting

The section in the annual report on the work of the audit committee should include:

  • a summary of the role of the audit committee
  • the names and qualifications of the audit committee members during the period
  • the number of audit committee meetings held during the year
  • a report on the way the audit committee has discharged its responsibilities
  • if the external auditors provide non-audit services, an explanation of how auditor objectivity and independence are safeguarded.

Internal audit reporting

Internal audit reporting

Once an internal control audit (or any other kind of audit) hasbeen completed, the final stage of the assignment is the audit report.

  • The audit report does not have a prescribed format, however it would be expected to feature a number of different parts.
  • How much depth the report goes into will depend on the nature of the engagement.

Internal audit recommendations

When making recommendations auditors must always ensure that the recommendations:

  • are practical and cost effective, and
  • will reduce risk to a tolerable level.

The internal auditor should have a process of post-implementationreview to ensure that recommendations have been actioned by management.

SOX reporting on internal controls (s404)

One of the requirements of SOX is that the company's managementmust make a report on the internal controls in force in their company.This report is provided in the form 10K, the company's annual return,which is available to shareholders and other interested parties on thecompany's website. Management cannot carry out all the review workthemselves, so this is delegated to the audit committee and internalaudit department. In summary, the audit and reporting work involves:

10 Chapter summary

Test your understanding answers

Test your understanding 1 - Features of internal audit

Organisational status – Direct access to the highest level of management.

  • Free of operating responsibility.
  • Few constraints (e.g. reporting to external auditor).

Internal audit is a key reviewing and monitoring activity that isundertaken by management. In large organisations the internal auditfunction will be a separate department, whereas in a small company itmight be the responsibility of individuals to perform specific taskseven though there will not be a full-time position.

When establishing the internal audit function it is important that it is structured and operated in an appropriate way.

Scope of function – Nature/extent of assignments.

  • Evidence of recommendations being actioned.

The internal audit department will typically have the followingscope and objectives as prescribed by the management of the business. Donot treat this as a comprehensive list of all the areas that theinternal auditor considers, as management may prescribe differentfunctions to meet the needs of their company.

  • Review of the accounting and internal control system.
  • Detailed testing of transactions and balances.
  • Review of the economy, efficiency and effectiveness of operations (value for money and best practice audits).
  • Review of the implementation of corporate policies.
  • Special investigations.
  • Assisting in carrying out external audit procedures

Technical competence – Technical training/proficiency.

  • Recruitment policy.
  • Professional qualifications.

Due professional care – Evidence of planning, supervision, review and documentation.

  • Existence of audit manuals and WPs.

It would be expected that:

  • There is a formal plan of all audit work that is reviewed by the head of the audit and the board/audit committee.
  • The audit plans should be reviewed at least annually.
  • Each engagement should be conducted appropriately:
    • Planning should be performed.
    • Objectives should be set for the engagement.
    • The work should be documented, reviewed, and supervised.
    • The results should be communicated to management.
    • Recommendations for action should be made.

The progress of the audit should be monitored by the head of theinternal audit, and if recommendations that the head feels areappropriate are not acted on, the matters should be brought to theattention of the board.

Test your understanding 2

(1)No – not a material financial interest, unlikely that you could influence the outcome of the audit.

(2)Yes – self-interest threat – pressure to keep this client may reduce levels of objectivity.

(3)No – less pressure to keep important client. Losing them would not be the end of the world.

(4)Yes – familiarity threat – difficult to tackle formidable issues and maintain independence if you feel beholden to a client.

(5)Yes – self-review threat – difficult to independently review something you were responsible for.

(6)No – they are not in a position to 'exertdirect and significant influence over the subject matter of the auditengagement', therefore no familiarity threat.

(7)Yes – advocacy threat – it would bedifficult to maintain independence in the face of any 'bad news' arisingduring the audit.

Test your understanding 3

(a) Audit committee

The role of the audit committee can be viewed with reference tothe UK Corporate Governance Code (2010) where explicit mention is madeof its operation and need for independence. ECG has major problems inrelation to these issues which are dealt with in context of each codeprovision relating to the audit committee.

Monitor the integrity of financial statements and announcements

Emphasis is placed on the need to monitor as opposed to beingdirectly involved in the preparation of financial statements,preparation being the responsibility of the CFO. Integrity is thecentral point, to ensure the records give a truthful reflection ofcompany operations and adhere to appropriate GAAP or compliancerequirements.

There must be some concern over the accounting treatment ofcontracts and hidden costs. Accepting the recommendation of the externalauditor is not sufficient as a monitoring tool. Independent adviceshould be sought since the board as a whole is legally liable for errorsand omissions in this area. The lack of control in this area can leadto a culture of secrecy that increases the risk of fraudulent activity.

Review financial and internal controls

The evaluation of the existence and worth of internal controlswill have direct bearing on the quality of financial reporting. Internalcontrols may be evaluated using the COSO framework that includesconsideration of the effectiveness of the control environment as well ascontrol activities. The control environment is not supported by theinherent culture of secrecy and the presumed lack of communicationacross the organisation.

A specific failure is in relation to the direct exclusion of awhistleblower clause whereby concerns over internal control can bereported directly to the committee. The CFO's insistence of the need toexclude this on security grounds should be very carefully consideredwith regard to the cost of such a measure in terms of a loss of internalcontrol within the company.

Review the effectiveness of the internal audit function

The UK Corporate Governance Code (2010) makes a number ofrecommendations in this area, highlighting its importance in committeeoperation. These include the need for direct accountability of theinternal auditor to the committee and the need to review annual workplans and managements responsiveness to internal audit findings andrecommendations.

The hour long meeting carried out on an annual basis would seeminsufficient to consider these issues in depth unless the auditcommittee carries out a number of functions independent of the auditmanagers involvement. In particular no mention is made of the need toassess the effectiveness of internal audit as a tool of internalcontrol.

In a general sense there is an impression of a lack of concernover this critical issue raising the risk profile of this organisation.The internal auditor does not mention anything concerning the huge risksinvolved in potential misstatement of accounting results and the riskof exposure to non payment of contracts due to the company's involvementwith the country under investigation by the government. This risk mayleave the company with substantial debts that remain unpaid and this inturn can affect shareholder wealth and risk. These are certainly issuesthat should be reported to the board.

External auditor engagement

The role of the committee is to review and recommend externalauditor engagement for the company. This includes an assessment of thequalification, expertise, resources, effectiveness and independence ofthe external auditor.

There appear to be failings in relation to most of these roles inthis scenario. The issue of independence will be discussed below inmore detail. The existence of an ex-employee on the audit committee mayseem inappropriate and does little to support the need for independencein committee operation for the benefit of shareholders.

Implement policy regarding external auditor non audit services.

The audit committee should consider whether, taken as a wholewith regard to the views of the external auditor, management and theinternal audit function, these relationships impair the auditorsjudgement and independence.  

It is very likely that in this case the existence of largecontracts for non-audit services do impair the judgement and integrityof the audit firm. In particular, the appearance of discounting auditcosts because of these contracts is completely inappropriate since thisthreatens the integrity of the audit and the subsequent information uponwhich shareholders rely.

The lack of independence is the most serious issue raised andmust be dealt with as a matter of urgency by the committee. Theex-employee should resign his position as non-executive director and aformal review of the role and responsibilities of the committee shouldtake place as soon as possible.

(b) Independence

Auditor independence is important in maintaining the agencyrelationship between the shareholders and their company. The auditorswork independently of the organisation in order to provide shareholderswith information as to the financial position and level of control thatexists within the company.

This independence is initially threatened due to the companyselecting, recommending and paying the fees of the auditor. Theexistence of an audit committee filled with non executive directors whotake over these responsibilities is an attempt to create separationbetween the company and the auditors and so improve the level ofindependence that exists.

The fact that the ex-audit firm director sits on the auditcommittee does not necessarily impact on independence if it is assumedthe non-executive directors operate independently of the board. However,the risk is that the audit committee are not truly independent, beingemployed by the company, and so in this sense it creates a problem. Theaudit firm non-executive should resign for this reason.

All audit firms must work closely with their customers. Thisoutside/inside relationship creates the independence dilemma and it is athin line between working with rather than for a client. The existenceof large numbers of ex-employees within ECG does not assist inmaintaining an air of independence and the audit committee shouldconsider both its recruitment policy and replacing the audit firm withanother for this reason.

The length of contract seems very high and beyond anyrecommendation likely to be made by governing bodies. Long relationshipsinevitably threaten the perception of independence if not independenceitself and this should be understood by the audit committee and actedupon.

Specific threats are mentioned in relation to the undue influencethe internal audit function has over external audit risk identificationand audit focus. This is entirely inappropriate. A key aspect to therole of the external auditor must be independence in action, organisingtheir own work without influence from the client. The lack ofprofessionalism suggests a need for the external audit firm tore-evaluate its working procedures and the audit committee to considerthe need for change in engagement.

Other concerns relate to volume of non-audit work and its impacton audit integrity and the lack of sufficient manpower devoted to theaudit. These were mentioned above.  

Test your understanding 4

Some answers might include:

  • Companies that are more open with their disclosures regarding internal controls may benefit from increased shareholder satisfaction as they know their assets are being well looked after.
  • By reporting on their internal controls, a company opens itself to additional scrutiny by shareholders (and other interested parties) which may improve corporate governance.
  • The knowledge that their work will be reported on externally may help regulate the work of the audit committee.
  • By making the chair of the audit committee available for questions at the AGM, the company demonstrates that it has nothing to hide, therefore increasing shareholder confidence.

Created at 5/24/2012 12:32 PM  by System Account  (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
Last modified at 5/25/2012 12:55 PM  by System Account  (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London

Rating :

Ratings & Comments  (Click the stars to rate the page)


Recent Discussions

There are no items to show in this view.