Audit and compliance

All businesses face risks which need to be managed and controlled. The internal and external auditors are employed to test that the controls are working and that risk is reduced to an acceptable level.

Function and importance of internal audit

Internal audit is a management control. The department reviews the effectiveness of other controls within a company.

  • It is part of the control systems of a company, with the aim of ensuring that other controls are working correctly.
  • In some regimes, it is a statutory requirement to have internal audit. In others, codes of corporate governance strongly suggest that an internal audit department is necessary.
  • The work of internal audit is varied - from reviewing financial controls through to checking compliance with legislation.
  • The department is normally under the control of a chief internal auditor who reports to the audit committee.

Roles of internal audit

Types of audit work

The internal audit department will carry out many different types of audit, as highlighted by the department's varied roles. Examples of audit types are:

Financial audit

Financial auditing is traditionally the main area of work for the internal audit department. It embraces:

  • the conventional tasks of examining records and evidence to support financial and management reporting in order to detect errors and prevent fraud
  • analysing information, identifying trends and potentially significant variations from the norm.

Operational audit

An operational audit is the examination and review of a business operation, including:

  • the effectiveness of controls
  • identification of areas for improvement in efficiency and performance including improving operational economy, efficiency and effectiveness - the three Es of value for money auditing.

There are four main areas where such an approach is commonly used:

  • procurement
  • marketing
  • treasury
  • human resources.

Project auditing

Best value and IT assignments are really about looking at processes within the organisation and asking:

  • were things done well?
  • did the organisation achieve value for money?

Project auditing is about looking at a specific project:

  • commissioning a new factory
  • implementing new IT systems

and asking whether these were done well. So the focus is different and has more to do with:

  • were the objectives achieved?
  • was the project implemented efficiently?
  • what lessons can be learned from any mistakes made?

A number of projects when taken together can become a programme.

Value for money audit

An area in which internal auditors have become increasingly involved is value for money audits. More recently these have been renamed "best value" audits, but many of the principles remain the same.

In a value for money audit the auditor assesses three main areas.

  • Economy

The economy of a business is assessed by looking at the inputs to the business (or process), and deciding whether these are the most economical that are available at an acceptable quality level. For example, if assessing the economy of a commercial company the inputs would be capital (plant and machinery, buildings, etc.), raw materials, the workforce and any administrative function required to run the business.

  • Efficiency

The efficiency of an operation is assessed by considering how well the operation converts inputs to outputs. In a manufacturing company this might involve looking at wastage in production or quality control failures for example.

  • Effectiveness

The effectiveness of an organisation is assessed by examining whether the organisation is achieving its objectives. To assess effectiveness there must be clear objectives for the organisation that can be examined. In some organisations, particularly not for profit and public service organisations, deciding suitable objectives can be one of the most difficult parts of the value for money exercise.

Social and environment audit

An environment audit is defined as:

'A management tool comprising a systematic, documented, periodic, and objective evaluation of how well organisations, management, and equipment are performing, with the aim of contributing to safeguarding the environment by facilitating management control of environmental practices, and assessing compliance with company policies, which would include meeting regulatory requirements and standards applicable.'

The social audit would look at the company's contribution to society and the community. The contributions made could be through:

  • Donations.
  • Sponsorship.
  • Employment practices.
  • Education.
  • Health and safety.
  • Ethical investments, etc.

A social audit could either confirm statements made by the directors, or make recommendations for social policies that the company should perform.

Management audit

A management audit is defined as 'an objective and independent appraisal of the effectiveness of managers and the corporate structure in the achievement of the entities' objectives and policies. Its aim is to identify existing and potential management weaknesses and recommend ways to rectify them.'

Audit of internal controls

To ensure that the company's control system is effective, the internal auditor will be looking for controls similar to these for each risk identified.

Organisational structure of internal audit

The basic structure is a chief internal auditor, responsible to the audit committee with an internal audit team reporting to that person.

  • In large organisations the internal audit function will be a separate department.
  • In a small company it might be the responsibility of individuals to perform specific tasks even though there will not be a full-time position.
  • Some companies outsource their internal audit function, often to one of the large accountancy firms (but note the independence requirements of SOX in this respect).

Factors affecting the need for internal audit

Why is internal audit important?


  • in some situations it is required by statute (SOX)
  • in some situations it is required by codes of good practice (codes of corporate governance)
  • it provides an independent check on the control systems in a company (see below for more detail)
  • it is a management control.

What factors affect the need for internal audit?

Apart from the obvious comment that companies which are listed are required to have an internal audit department, other factors will affect the decision to have an internal audit in non-listed companies.

Where there is no internal audit department, as the Turnbull Report notes 'in the absence of an internal audit function, management needs to apply other monitoring processes in order to assure itself and the board that the system of internal control is functioning as intended. In these circumstances, the board will need to assess whether such procedures provide sufficient and objective assurance'.

Auditor independence

Internal audit is an independent objective assurance activity.

  • To ensure that the activity is carried out objectively, the internal auditor must have his/her independence protected.
  • Independence is assured in part by having an appropriate structure within which internal auditors work.
  • Independence is also assured in part by the internal auditor following acceptable ethical and work standards.

Risks if auditors are not independent

Potential ethical threats

Auditor independence will be compromised where ethical threats are faced.

  • A threat to independence is anything that means that the opinion of an auditor could be doubted.
  • Threats can be real or perceived.
  • Codes of ethics typically provide examples of generic threats that affect auditors, which can be viewed as affecting both external and internal auditors.
  • The ACCA code of ethics, for example, also provides examples of other threats that (normally) affect external auditors.

The following analyses of threats are included in the ethics codes of the UK professional accountancy bodies. They can be applied to both external audit and internal audit engagements.

Self-interest threat

Occurs when the audit firm or a member of the audit team could benefit from a financial interest in, or other self-interest conflict with, an audit client.

For example, in an external audit context:

  • direct financial interest or material indirect financial interest in an audit client
  • loan or guarantee to or from an audit client or any of its directors or officers
  • undue dependence on total fees from an audit client
  • concern about the possibility of losing the engagement
  • having a close business relationship with an audit client
  • potential employment with an audit client, and
  • contingent fees relating to audit engagements.

In an internal audit context this could be where the auditor's bonus is somehow tied up with the performance of the business area under review, maybe as part of overall business unit performance in meeting targets for 'clean' audit reports.

Self-review threat

Occurs when the audit firm, or an individual audit team member, is put in a position of reviewing subject matter for which the firm or individual was previously responsible, and which is significant in the context of the audit engagement.

For example, in an external audit context:

  • member of the audit team being, or having recently been, a director, officer or other employee of the audit client in a position to exert direct and significant influence over the subject matter of the audit engagement
  • performing services for an audit client that directly affect the subject matter of the current, or a subsequent, audit engagement and
  • preparing original data used to generate financial statements or preparing other records that are the subject matter of the audit engagement.

In an internal audit context this may occur where someone has recently transferred within the company into an audit role, and is found to be auditing their old department.

Advocacy threat

Occurs when the audit firm, or a member of the audit team, promotes, or may be perceived to promote, an audit client's position or opinion.

For example:

  • dealing in, or being a promoter of, shares or other securities in an audit client and
  • acting as an advocate on behalf of an audit client in litigation or in resolving disputes with third parties.

Familiarity threat

Occurs when, by virtue of a close relationship with an audit client, its directors, officers or employees, an audit firm or a member of the audit team becomes too sympathetic to the client's interests.

For example, in an external audit context:

  • a member of the audit team having a close family member who, as a director, officer or other employee of the audit client, is in a position to exert direct and significant influence over the subject matter of the audit engagement
  • a former partner of the firm being a director, officer or other employee of the audit client, in a position to exert direct and significant influence over the subject matter of the audit engagement
  • long association of a senior member of the audit team with the audit client and
  • acceptance of gifts or hospitality, unless the value is clearly insignificant, from the audit client, its directors, officers or employees.

In an internal audit context this is often an issue where auditors have worked within a company for many years and have long-standing relationships with employees and management across a number of departments.

Intimidation threat

Occurs when a member of the audit team may be deterred from acting objectively and exercising professional scepticism by threats, actual or perceived, from the directors, officers or employees of an audit client.

For example, in an external audit context:

  • threat of replacement over a disagreement regarding the application of an accounting principle
  • pressure to reduce inappropriately the extent of work performed in order to reduce fees and
  • dominant personality in a senior position at the audit client, controlling dealings with the auditor.

In an internal audit context this may occur where the promotion prospects, pay rises or other rewards of the auditor can be influenced by the manager of a department being audited. The auditor may be put under pressure to provide a clean audit report in return for a favourable appraisal.

Ethical conflicts of interest

Situations could occasionally arise in which an auditor, especially an internal auditor, might be asked to behave (or might be tempted to behave) in a way that conflicts with ethical standards and guidelines.

Conflicts of interest could relate to unimportant matters, but they might also involve fraud or some other illegal activity. The threat is more severe for internal auditors as the company they are reporting on is also their employer. Threats can therefore be carried out in ways that will not affect external auditors such as lack of salary increase through to termination of employment.

Examples of such ethical conflicts of interest are as follows:

Resolution of ethical conflicts of interest

Protection of independence

  • The internal auditors should be independent of executive management and should not have any involvement in the activities or systems that they audit.
  • The head of internal audit should report directly to a senior director or the audit committee. In addition, however, the head of internal audit should have direct access to the chairman of the board of directors, and to the audit committee, and should be accountable to the audit committee.
  • The audit committee should approve the appointment and termination of appointment of the head of internal audit.

The independence of internal audit is enhanced by following accepted standards of internal audit work. Internal auditors can follow the same standards as external auditors. However, there are also International Standards for Internal Audit issued by the Internal Auditing Standards Board (IASB) of the Institute of Internal Auditors.

  • Attribute standards deal with the characteristics of organisations and the parties performing internal auditing activities.
  • Performance standards describe the nature of internal auditing activities and provide quality criteria for evaluating internal auditing services.

Attribute standards for internal audit

Performance standards for internal audit

Created at 8/14/2012 10:39 AM  by System Account  (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
Last modified at 9/27/2013 2:57 PM  by System Account  (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London



Audit;Compliance;Internal audit;External audit;Audit committee;Financial audit;Operational audit;VFM audit;Social audit;Environmental audit;Management audit;Internal control;Ethical threats
