
ATC F8 materials FF8 AA (Int)Session33 j08


Academic year: 2019


OVERVIEW

Objective

• To describe the role, scope and functions of internal audit and the nature and extent of internal review assignments.

INTERNAL AUDIT

• Definition
• Relationship between external and internal auditors
• Scope of work
• Approach to assignments
• Assessing need for function
• Outsourcing

RISK MANAGEMENT

• Internal audit’s role

ASSIGNMENTS

• Value for money
• Best value
• IT audit
• Financial process audit
• Operational audit
• Procurement
• Marketing
• Treasury
• HR
• Overall approach

REPORTS

• Primary purposes
• Reporting arrangements
• Structure
• Timing
• Example

CORPORATE GOVERNANCE

• Session 3

BUSINESS RISK, INTERNAL

1 INTERNAL AUDIT

1.1 Definition

An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. (Institute of Internal Auditors IIA)

• This definition usefully outlines the relationship between internal audit and the management of an entity. Key elements that have not been covered elsewhere within the study system are:

  ◦ Add value – Organizations exist to create value or benefit to their owners, other stakeholders, customers, and clients. Value is provided through:

    - the development of products and services; and
    - the use of resources to promote those products and services.

    When gathering data to understand and assess risk, internal auditors gain insight into operations and opportunities for improvement that can be beneficial to the organization.

  ◦ Control is any action taken by management, the board, etc. to enhance risk management and increase the likelihood that established objectives and goals will be achieved.

  ◦ Adequate control is present if management provides reasonable assurance that:

    - risks have been managed effectively; and
    - goals and objectives will be achieved efficiently and economically.

1.2 Relationship Between External And Internal Auditors

1.2.1 External

1.2.2 Internal

Role

• External: To provide an independent opinion (in a report) on financial statements (see Sessions 1 and 30).
• Internal: To appraise, examine and evaluate organisational activities and assist management in discharging its responsibilities.

Required by

• External: Statute (typically).
• Internal: Management, usually in larger organizations, will be urged/required by best practice (e.g. governance codes) to continually review need for internal audit.

Appointed by

• External: Shareholders (usually at an Annual General Meeting) or directors.
• Internal: Highest level of management charged with responsibility for internal audit (e.g. audit committee under corporate governance codes)

Reports to

• External: Shareholders (primary statutory duty) and management (professional responsibility).
• Internal: For listed companies, usually the audit committee under corporate governance codes. For other companies, the highest level of management charged with governance (e.g. the board).

Reports on

• External: Financial statements. Primary responsibility is of a financial focus.
• Internal: Organisational risk management, internal control and quality of performance. Focus is operational as well as financial.

Forms opinions on

• External: “True and fair view” (or similar) of financial

Status

• External: Independent of client company
• Internal: Employee (therefore potentially less objective)

Qualification

• External: Usually ACCA, ICAEW, ICAI or ICAS
• Internal: May also be members of other professional bodies (e.g. IIA) or unqualified

Scope of assignment

• External: Unlimited, to fulfil statutory obligation. Usually defined by legislation as well as ISA.
• Internal: Prescribed by management, those charged with governance or audit committee (see 1.3 below).

Conduct of audit

• External: In accordance with ISAs, for example.
• Internal: Similar, Standards for the Professional Practice of Internal

1.3 Scope of work

• Understand the key business risks (including fraud) and assess the adequacy of the processes by which these risks are identified, evaluated and managed (see Section 2);

• Review the sufficiency of the information, and the adequacy and operation of controls, used to manage those risks;

• Assess the reliability and integrity of key financial and operating information, and the means used to identify, measure, classify and report such information;

• Review the processes and systems to ensure adherence with those policies, plans, procedures, laws and regulations which could have an impact on the company, and determine whether it is in compliance therewith;

• Review the means of safeguarding assets and other key resources, especially information in hard copy or on computer systems, including business contingency plans and the security of computer systems;

• Review operations or projects (including systems under development) to ascertain whether results are consistent with established objectives and goals, and whether the operation or projects are being carried out as planned;

• Monitor corrective action plans to ensure that management implement them promptly and effectively;

• Advise management on cost effective controls for new systems and activities; and

• Liaise with those charged with governance (eg the audit committee) and the external auditors (as necessary).

1.4 Approach to assignments

• The general framework in which internal auditors will approach their assignments is not that dissimilar to the approach used by external auditors.

• Both require terms of reference – the external auditor within the letter of engagement, the internal auditor within the scope of instructions given by management/audit committee.

• Both need to understand the entity, its environment and internal control. In particular, the internal auditor will need to cover all controls (not just financial) that are relevant to their assignment.

• Both will need to plan and document their work. Materiality, risk assessments, sampling, analytical review, use of CAATs (especially in systems heavily reliant on information technology) are all aspects of the internal auditor’s planning and work procedures.

• Both will report on their work, although (as noted above) the nature and format of the reports are different.

1.5 Assessing the need for an internal audit function

• When the board and senior management are sufficiently close to the business and the systems are not so complex, the following sources of assurance about the way the business is operated may prove to be adequate:

  ◦ the views of, and representations from, executive directors and senior managers;
  ◦ the views of other employees through (say) a self-assessment process;
  ◦ results of management’s internal confirmation procedures;
  ◦ regular information on financial and operational matters;
  ◦ performance indicators;
  ◦ early warning mechanisms;
  ◦ external auditors’ management letters;
  ◦ reports of any relevant external regulators;
  ◦ reports (if any) from relevant internal compliance functions.

  In such cases there may be no immediate need for an internal audit function.

• However, as organizations grow and:

  ◦ become more geographically diverse;
  ◦ business is undertaken in new environments (e.g. e-commerce);
  ◦ develop new products and competitive pressures increase;
  ◦ systems become more complex;
  ◦ change is the norm;

  then management’s time and attention can be very stretched.

• In particular, when a company becomes listed, the demands placed on management for transparency and effective running of the business by the stakeholders are significantly increased.

1.5.1 Key issues

• As many stock exchanges require listed companies to operate internal control functions (or explain why they do not in their annual reports) the key issues to consider may mainly relate to larger, unlisted entities.

  ◦ Are the existing management processes adequate to:

    - identify and monitor the significant risks facing the company; and
    - confirm the effective operation of the established internal control systems?

  ◦ With ever increasing pressures on management at all levels, can those who are responsible for managing risks and operating controls always take a wholly objective and systematic view of their own performance?

Example 1

Suggest additional matters that directors might consider when assessing the need for an internal audit function.

Solution


1.5.2 Needs of the Board

Board – A board of directors, audit committee of such boards, head of an agency or legislative body to whom internal auditors report, board of governors or trustees of a non-profit organization, or any other designated governing bodies of organizations.

• The board needs to obtain assurances that its risk and control processes are effective. Management, internal audit and others may provide such assurance. Objective assurance and advice is provided by an internal audit function, thereby assisting the board and senior management with their stewardship responsibilities.

• Boards, audit committees and senior management now recognise that what is of relevant value to their business is the internal auditors’:

  ◦ knowledge of the organisation, its systems and its processes; and

1.6 Outsourcing

• Outsourcing internal audit has increased as the need for internal audit has increased (e.g. to better meet requirements of corporate governance):

  ◦ Small companies may outsource because they do not have the resources to set up their own department.
  ◦ Larger companies may decide that resources are best used elsewhere and not invest in this non-core (though essential) area.

• Such services are offered by specialised internal audit providers as well as the “global” and other accounting firms.

1.6.1 Factors to be considered

• What to outsource?

  ◦ The whole of internal audit services; or
  ◦ Specific functions (e.g. environmental auditing).

• What (and/or who) to retain? The head of internal audit may be retained as an employee (to keep a high level responsibility within the company).

• Terms of reference:

  ◦ What services will be provided?
  ◦ Who does the service provider report to?
  ◦ What form will reports take?
  ◦ What action will be taken if problems occur?
  ◦ How will fees be determined and charged?

1.6.2 Benefits to the company

• Costs – A company with an in-house internal audit service must pay salaries, training and overheads. Whilst the contractors’ fees will also be set to cover these there may be economies of scale. The company would only pay for resources when required and so overall the total cost may be cheaper.

• Consistency with external audit – There may be greater consistency in approach between the internal and external auditors. This may mean external audit can place more reliance on internal audit work (see Session 34) and hence the company would benefit from a lower external audit fee.

• Skills – Contracting-out internal audit allows the company to bring in new skills. External providers will have wider experience gained by auditing other companies.

• Management time – Management time and resources can be freed to concentrate on core areas of the business instead of peripheral ones.

• Liability – Legal action may be brought against an external service provider if their standards are not acceptable.

1.6.3 Disadvantages to the company

• Skills – An external contractor may lack the specialist skills relevant to a particular company which an in-house service will possess. Once a contractor is brought in these skills may be lost forever.

• Constraints on service – The service provider will need to act in accordance with the terms of reference. This may mean they are unable to follow up suspicious circumstances outside their duties without first seeking permission from the company and re-negotiating the terms of reference.

• Flexibility – An in-house department will provide a permanent presence whilst contracted out services may only be at the company for discrete periods. In-house staff may have more commitment to the company (e.g. willingness to work overtime, travel, etc). Outsourcing may result in reduced staff availability and flexibility.

• Conflicting reporting lines – Internal audit should report to the audit committee or board of directors. However, as an employee of the audit firm the auditor may be expected to report to the partner. The audit firm will be responsible for issues such as promotion and training and therefore they need to monitor internal audit staff.

• Expectation gap – An expectation gap has existed for external audit for many years. If the profession cannot meet public expectations for a narrow role which is defined by statute, can they meet management expectations for a wider role? The company may discover too late that they are not getting what they want. If a contract has been agreed it may be difficult to change.

• Standard of service – Once an external provider has secured the contract the level of service provided may fall. The audit committee/board of directors must monitor and ensure that the quality of staff provided is satisfactory and work is completed according to the terms of reference.

• Corporate culture – Contracting out any service involves a change to corporate culture. Unless managed sensitively, outsourcing may lower employee morale, reduce performance, generate a negative cultural impact and create permanent job insecurity.

1.6.4 Service provider issues

• Skills – The service provider must have the appropriate skills and expertise to undertake the internal audit role. Whilst there are overlaps between internal and external audit, internal audit usually fulfils a wider role.

• Staff management – Undertaking internal audit functions may improve staff management

• Effect on external audit – Although there are overlaps, the roles of internal and external audit are different. If both roles are performed by the same firm the distinction could become blurred. This could lead to a reduced level of service overall and a lower level of credibility being attached to the external auditor’s report. (See Session 4 re ethical issues for the external auditor)

1.6.5 Independence issues

• A benefit to the company – Outsourcing increases independence as an in-house department can never be truly independent. Staff from an external firm will be subject to the same ethical guidelines (see Session 4) as for external audit, and the firm should have mechanisms to ensure compliance. Rotation of staff is more likely, so close relationships do not build up between internal audit staff and the client.

• Drawbacks – The external provider could become dependent on the client. The risk is perceived to be particularly great where the internal auditor is the external auditor.

1.6.6 Restrictions

• Although there are no legal restrictions on the outsourcing of internal audit to a third-party service provider, legal and/or ethical standards may restrict this practice to prevent external auditors from acting in client roles. For example, statutory auditors are precluded from serving as internal auditor to clients whose financial statements they certify in many countries (e.g. US, France, India, Italy, New Zealand and Norway).

2 BUSINESS RISK MANAGEMENT

2.1 Internal audit’s role in risk management

• Business risk and risk management was discussed in Session 8. Fraud was discussed in Session 11.

2.1.1 Assurance role

• A proper system of internal control in practice requires a proper system of risk management and organisational control.

• Internal auditors do not judge the appropriateness of a company’s objectives or the board’s strategies to achieve those objectives. They examine the effectiveness of the processes by which the consequent risks are identified, managed, mitigated and reported. Internal auditors also add value by the identification of opportunities to improve the cost effective management of risk.

• The assurance role of internal audit is to deliver assessments of the adequacy and effectiveness of the processes by which risks are:

  ◦ identified and prioritised;
  ◦ managed, controlled and mitigated; and
  ◦ reported,

2.1.2 Contribution to risk management

• Risk management is not the responsibility of the internal audit function. Many large organisations have separate risk management functions.

• Internal audit’s job may be to assist that function or the board by:

  ◦ providing objective assurance on the adequacy and effectiveness of the risk management and internal control framework;
  ◦ helping improve the processes by which risks are identified and managed;
  ◦ helping strengthen and improve the risk management and internal control framework.

• Internal audit can:

  ◦ provide advice on the design, implementation and operation of control systems;
  ◦ identify opportunities to make control cost savings;
  ◦ promote a risk and control culture within the organisation;
  ◦ act as facilitators, guiding managers and staff through a self-assessment process (e.g. by leading workshops);
  ◦ become a centre of expertise for managing risk by providing enterprise-wide risk management services (ERM).

• To be effective, the management of risk requires information which is:

  ◦ relevant;
  ◦ meaningful; and
  ◦ timely.

• Such information is required:

  ◦ to facilitate decision-making;
  ◦ to monitor business activities, supporting processes and the operational health of the company.

3 OTHER ASSIGNMENTS

3.1 Value for money

VFM auditing is evaluation of management’s achievements in terms of the economy, efficiency and effectiveness (the 3 “Es”) of operations.

3.1.1 The “3 Es”

• VFM has been prominent in the public sector (e.g. in the UK) since the 1980s when “audit” was narrowly interpreted as a financial audit.

  ◦ Economy is about obtaining specified resources (inputs, eg material, finance, human, time) at the lowest cost.

  ◦ Efficiency is the achievement of either:

    - the maximum output (at a given quality) from a given input; or
    - a given output (at a given level of quality) from the minimum input.

  ◦ Effectiveness is the achievement of outputs which meet management’s objectives.

[Diagram: Resources, Inputs, Process, Outputs and Objectives, with Economy, Efficiency and Effectiveness marked against them]

• VFM audits are carried out to ensure that corporate resources, shareholders’ funds and taxpayers’ contributions are not wasted. However, the VFM audit process may or may not be empowered to question whether the objectives set were justified.

• Very often a benchmark is required. VFM can only be judged by comparison (external or internal, eg between departments or divisions). Present methods of operation and use of resources must be compared with alternatives to see if value for money is being obtained.

3.1.2 Role of internal auditing

• Top management is responsible for committing the organisation to a VFM review process.

• The head of internal audit is responsible for conducting VFM reviews and for

  ◦ unnecessary spending (e.g. overtime guaranteed when work is completed in normal hours);
  ◦ misdirected spending (e.g. capital expenditure outlay on lower quality assets requiring higher level of revenue expense quality);
  ◦ over-priced spending (e.g. discounts are unclaimed);
  ◦ under-recovered revenue (e.g. failure to collect on disposals of assets).

• Line management should take responsibility for implementing the VFM review, although very often the responsibility remains with the head of internal audit. They will be responsible for implementing the recommendations from a VFM review.

3.1.3 Advantages of VFM

• Management attention is focused on economy and efficiency but this is tempered by the need for effective performance.

• It promotes the use of performance indicators.

• It should eventually lead to self measurement with audit only used to compare performance between business units on an objective basis.

• Although VFM audit is often used to promote cost savings, it can also be used to identify revenue opportunities.

3.1.4 Disadvantages of VFM

• Economy and effectiveness are often opposed, eg saving money may result in the need for lower quality. This is often overcome by treating one element as fixed, eg achieving savings based on an agreed quality level.

• It is difficult to create a balance between short term and long term gains and thus savings now may lead to additional costs in future.

• Savings in one area may create additional costs to another area, eg reducing costs of production but increasing other costs because of quality rejects or warranty repairs.

• Comparisons between business units may be spurious, eg one business unit may excel at a particular process, the costs of which are relatively high compared to other processes carried out by other units. So measuring the cost per process will not be meaningful.

• VFM targets may be manipulated by managers, eg production is arranged to meet the target rather than what is actually required.

3.2 Best value

“Best Value is a duty to deliver services to clear standards – covering both cost and quality – by the most effective, economic and efficient means available.”

“Best Value seeks to secure continuous improvement in the way its functions are exercised, having regard to a combination of economy, efficiency, and effectiveness.”

• The “best value” audit has evolved from VFM auditing in the public sector and local and central government. It incorporates the “4 Cs”:

  ◦ Challenge – why and how a service is provided;
  ◦ Consult – local taxpayers, service users, partners and the wider business community in the setting of new performance targets;
  ◦ Compare – with the performance of others across a range of relevant indicators to aim to improve;
  ◦ Compete – consider fair competition as a means of securing efficient and effective services.

• Internal audit can ensure that the concept of best value is incorporated into the risk management process of the entity in assessing current services and setting strategies for development.

• As a service provider (to management) the internal audit function itself must be able to demonstrate best value.

3.3 IT audit

• Information systems are pervasive through most organisations and would in most cases be considered a significant business risk through, for example:

  ◦ no IS strategy or a strategy that does not fit the business strategy;
  ◦ poor project management;
  ◦ poor system design (including controls), development and implementation;
  ◦ acceptance of inappropriate system;
  ◦ significant expenditure for a system that does not deliver;
  ◦ poor security, transaction integrity and process alignment;
  ◦ corruption of data used by management for decision making;
  ◦ access to sensitive information by unauthorised personnel;
  ◦ unexpected (non-scheduled) downtime;
  ◦ breaches of laws and regulations;

3.3.1 Information systems auditing

• Session 12 covered CIS, CIS controls and electronic commerce. The primary role of internal audit will be to review and report on all aspects of IS within the organisation, eg ensure that the controls and systems operate as intended.

  ◦ Application controls (i.e. controls to ensure completeness, accuracy, security and effectiveness of processing) exercised over input, output, processing, computer files and master files; and

  ◦ General installation controls (i.e. controls over the acquisition, development, maintenance and operation of computer-based systems).

3.3.2 System development project audit

• The deliverable of a systems development project is a new information system. The primary purpose of auditing a system under development is to ensure that:

  ◦ adequate, effective controls are built into the system;
  ◦ complementary manual controls are designed to ensure adequate and effective internal controls over the business system as a whole;
  ◦ the most efficient combination of manual and automated, preventative and detective controls are designed and implemented.

• In addition internal audit can:

  ◦ provide assurance that IS projects are being effectively and efficiently managed; and
  ◦ carry out appropriate testing (eg static, dynamic, unit, system, performance) at each stage of the system’s development process to ensure that the deliverable from each stage meets the specifications of that stage (eg review the systems analyst notes of meetings with a user and agree that these have been reviewed and approved by the user; test the design and programming of the application controls that they – internal audit – initiated).

3.4 Financial processes audit

• The financial process audit is effectively internal audit’s traditional role. Accounting and financial processes include:

  ◦ receiving value from sales transactions, disposals of assets, investments (interest income);
  ◦ “bought ledger” processing (of invoices for goods and services before suppliers are paid);
  ◦ treasury functions (see later);
  ◦ supplying financial and management information (e.g. to stakeholders);
  ◦ appraising new business

• The purpose of the accounting and financial process audit is to review all available evidence to substantiate information in management and financial reporting (such that it is not inappropriate and inaccurate). That is, to minimise risk by ensuring:

  ◦ the completeness and accuracy of recorded transactions;
  ◦ that assets are safeguarded;
  ◦ that complete, accurate and relevant information is provided on a timely basis; and
  ◦ that accounting and finance functions are managed efficiently.

3.5 Operational audit

• An audit of the operational processes of an organisation (its primary activities and support activities) to ensure that management has:

  ◦ adequate controls and other risk management measures in place to achieve business objectives (risk management) economically and efficiently; and
  ◦ adequate routine assurances which inform them that their controls and risk management measures are effective.

• Also called “process-based” auditing.

• Operational audits may be wholly performance-based or compliance-based or include elements of both approaches.

  ◦ Performance-based audit – Processes or activities are evaluated in order to draw conclusions about the adequacy of the products, and the adequacy and effectiveness of the processes associated with those products.

  ◦ Compliance-based audit – Uses investigation, discussion, observation, examination, or evaluation to determine the adequacy of and compliance with established procedures, and the effectiveness of their implementation (similar to the standard systems based audit approach, but applied to all controls).

3.6 Procurement

• Procurement is the process by which materials, goods and services are obtained by an organisation. It includes:

  ◦ specifying requirements (e.g. parts for production, maintenance support);
  ◦ tendering and open competition;
  ◦ order placement/contracts (only with approved suppliers);
  ◦ receipt of goods/services and quality checking

• The purpose of a procurement audit is to ensure that risk is minimised in that:

  ◦ goods/services of appropriate quality are available when needed;
  ◦ the required quality is obtained at minimum cost;
  ◦ the correct price is paid for the goods and services received;
  ◦ appropriate laws and regulations are followed;
  ◦ the procurement procedures are followed; and
  ◦ procurement processes are managed effectively.

• The basic audit approach would be to:

  ◦ understand the procurement process and the controls that should be operating;
  ◦ test the operating effectiveness of those controls (including dealing with exception reports);
  ◦ trace transactions through the system; and
  ◦ ensure that the process is operating as intended and laid down within the organisation’s procedures.

3.7 Marketing

• Marketing is the process by which demand for goods is measured and enhanced. It is often closely linked to sales. Marketing and sales involves:

  ◦ research
  ◦ advertising
  ◦ promotion and image management
  ◦ order acceptance (including creditworthiness and inventory level checks)
  ◦ deliveries
  ◦ payments
  ◦ after sales service
  ◦ customer returns.

• The purpose of a marketing audit is to ensure that, for example:

  ◦ marketing processes are authorised, conducted in accordance with written company policy and apply relevant laws and regulations;
  ◦ complete, accurate, relevant and timely information is obtained from internal and external sources (eg market research) and is freely available to all involved; and
  ◦ advertising, campaigns, promotion and unit pricing is planned, budgeted, cost-benefit analysed, monitored and controlled;

3.8 Treasury

• The treasury function has evolved from cash management. Treasury processes include:

  ◦ funding requirements (for financing working capital, organic growth and acquisitions);
  ◦ investing surplus funds;
  ◦ managing interest rate risks and foreign exchange exposure.

• In most entities, the treasury function is a “cost” function in that its aim is not to make a profit, but to manage and minimise costs of cash flow and investment (eg to avoid paying higher costs in a foreign currency, should that currency move against the entity, through hedging). In other entities it has a specific trading function with the aim of making profits for the entity.

• The basic purpose of a treasury audit is to ensure that:

  ◦ funds are available when needed;
  ◦ financial assets are safeguarded and not put at unnecessary risk;
  ◦ treasury functions are managed efficiently;
  ◦ strong controls (eg policies, procedures, segregation of duties, authorisation, limits on trading, oversight, organisational framework and culture) are in place and effectively operate.

• Because of the nature of treasury management in those areas involving hedging and derivative functions, it is often a challenge to have sufficiently technically competent and experienced individuals within the internal audit function. None the less, it is essential that there are.

• There have been many instances of companies (and banks) who have lost significant value and (in one notorious case, Barings Bank) faced collapse through poor controls and a lack of understanding by management and internal audit of the financial trading being carried out.

3.9 HR

• Human resources processes support:

  ◦ the procurement and employment of individuals; and
  ◦ the development of the organisation.

• Operations include:

  ◦ job analysis and personnel specifications;
  ◦ recruitment and selection;
  ◦ pay and reward mechanisms;
  ◦ training and development;
  ◦ disciplinary and grievance;
  ◦ termination of employment;

• The purpose of a human resources audit is to ensure that:

  ◦ procedures and policies are followed and applied;
  ◦ personnel are available when needed (eg succession planning);
  ◦ the future development of the organisation is planned, controlled and monitored;
  ◦ relevant legislation (e.g. equal opportunities) is complied with;
  ◦ accurate management information is available on a timely basis; and
  ◦ human resource processes are managed efficiently.

3.10 Overall approach

• Note that in considering the above areas, whilst specific points have been made, the overall approach is always to understand the business element, the risks and controls in place and to carry out tests accordingly (see Section 1.3 above). In addition many elements overlap, eg VFM, best value, IS can be applied to marketing and HR.

4 INTERNAL AUDIT REPORTS

4.1 Primary purposes

• The purpose of internal audit reports will be driven by the terms of reference of the assignment. Mostly they:

  ◦ provide management with an opinion (eg on the adequacy of the internal control system); and
  ◦ inform management of significant findings, conclusions and recommendations arising from the work carried out.

• Depending on the type of report issued, the aim of the report would be:

  ◦ to provide appropriate assurance to management or recommendations to enhance business performance;
  ◦ to prompt management action to implement recommendations for change leading to improvement in performance and control; and
  ◦ to provide a formal record of points arising from the assignment and, where appropriate, of agreements reached with management.

Example 2


Solution


4.2

Reporting arrangements

¾

The format and distribution of internal audit reports should be agreed with management. The head of internal audit should ensure that reports are sent to managers who have a direct responsibility for the unit or function being audited and who have the authority to take action on the internal audit recommendations.

¾

Internal audit reports are confidential documents and their distribution should be restricted to those managers who need to know, to the audit committee and to the external auditor.

¾

While the internal auditor may clear minor matters which do not indicate a consistent or systematic weakness with members of staff directly involved, matters of consequence should be reported formally in writing to management.

4.3

Structure of the report

¾

There are no formal structures, unlike the external auditor’s report, for an internal auditor’s report. As with any business report, the structure of the report suits its purpose, be it formal, informal, a discussion paper, a presentation (eg with PowerPoint hardcopies) or a monthly summary.

¾

A typical business report would have the following elements:

‰ Terms of reference

‰ Executive summary

‰ Body of report:

key findings and recommendations

detailed findings and agreed action

‰ Appendices

¾

The reports should be clear, constructive and concise based on sufficient, relevant and reliable evidence, which should:

‰ state the scope, purpose, extent and conclusions of the assignment;

‰ make recommendations which are appropriate and relevant, and which flow from the conclusions; and

‰ acknowledge the action taken, or proposed, by management.

4.4

Timing

¾

An interim report, orally or in writing, should be made where:

‰ it is necessary to alert management to the need to take immediate action to correct a serious weakness in performance or control; or

‰ there are reasonable grounds for suspicion of malpractice.

¾

Consideration should also be given to interim reporting where there is a significant change in the scope of the assignment or where it is desirable to inform management of progress.

¾

The internal auditor should normally meet with management to discuss the audit findings at the completion of fieldwork for each internal audit assignment and the formal written report should be presented to management as soon as possible thereafter.

¾

Before issuing the final report, the internal auditor would discuss its contents with the appropriate levels of management. In addition, it may usually be necessary to include management comment within the body of the report. A draft report for management comment and confirmation of factual accuracy may also be issued prior to finalising the formal report.

¾

If the internal auditor and management disagree about the relevance of the factual content of the draft audit report, the internal auditor should consider whether reference should be made to this in the final report.

¾

It is management’s responsibility to ensure that proper consideration is given to internal audit reports. The internal auditor should ensure that:

‰ appropriate arrangements are made to determine whether action has been taken on internal audit recommendations; or

‰ management has understood and assumed the risk of not taking action.


4.5

Example

INTERNAL AUDIT REPORT

Private and confidential

The contents of this report are confidential and may include comments of a sensitive nature. Care should be taken to ensure that unauthorised personnel do not have access to the report and that if it is circulated further, this is done with discretion.

23 November 20X6

SCOPE

The systems review at … took place from 17 September to 5th October 20X6. The objectives of the assignment were:

i) To assess the adequacy of internal controls.

ii) To ensure adherence to statutory legislation and company policies.

iii) To review the efficiency and effectiveness of operations.

iv) To assess the quality of management reporting and information.

CONCLUSION

The branch has been operationally and financially poorly controlled. Branch management have reacted positively to the draft report and are actively addressing the issues raised. All the points raised in this report and the subsequent recommendations made need to be implemented.

MAIN FINDINGS (References in brackets are to Appendix I)

Inventory

1) There is no investigation of “no stocks”. No stocks have been very high – up to 20%. This has led to considerable customer dissatisfaction.

Formal investigation of no stocks should be introduced to improve the service level to clients. (1.1)

2) There is insufficient control over the warehouse systems. Before further liability for inventory loss is assumed, the access of staff to the systems must be restricted.

A report of adjustments cannot be produced by the inventory system to ensure all adjustments are legitimate. The production of this report should be prioritised to stop this aspect of the operation running blind.

Payroll

1) Not reproduced.

2) There has been an apparent lack of supervision and review of the work of the payroll clerk who left the company at the end of August. There is a risk that unauthorised amounts may have been paid. A full reconciliation to assess the situation further will be performed at the beginning of December. (2.2)

Etc …


Security

1) It remains possible to gain unauthorised access into the warehouse on account of the lack of security presence on the route between the car park and the warehouse. This should be addressed immediately following the audit. (3.1)

Etc …

Purchases

1) Purchases have been poorly controlled at the branch. Typically, invoices have arrived within the accounts department and have been authorised for payment by the former finance manager without reference to the operational management to confirm the legitimacy of the expense. The temporary Finance staff has now addressed this situation. (6.1)

APPENDIX I (EXTRACT)

1.1

Observations: There is currently no investigation or recording of no stocks. Inventory department are not aware of any no stock report available from the system.

Effect: Stores orders are not fulfilled.

Recommendation: The level of no stocks should be traced using either the “issues not confirmed report” or, more crudely, the number of issues physically returned to the office.

Management’s comments: Agreed

Target date: Immediate

2.2

Observations: There appears to have been little or no independent review of the payroll function by senior management. The former finance manager may have performed some checks; however, this has not been evidenced.

19 payslips on the payroll of 29/09/06 have been checked in detail. 5 employees’ overtime was overpaid because the total hours had been incorrectly summed in input sheets.

The payroll clerk has left the company, despite an enhanced offer to stay and with new employment to go to.

Effect: The payroll does not appear to have been adequately supervised. There is a possibility that, in addition to processing errors, irregularity has occurred.

Recommendation: Duties and controls should be segregated as described in point 2.1 above (not reproduced). There should be full reconciliation between the schedule of employees who have worked at the branch prepared by the human resources department and the payrolls processed to date to ensure persons paid are bona fide and that they have worked the weeks paid.

Management’s comments: The reconciliation will be performed in November by Mrs Motley.

The accountant will review the standing data expense report every month.

Payroll personnel will check the addition of hours.

Target date: Immediate.

3.1

Observations: The security of the site is currently being reviewed by Shield Consultants who are addressing fencing, CCTV coverage and recording and the level of searches (personnel and vehicle) conducted. There is still a problem with the ease with which unauthorised persons may gain access to the warehouse without being challenged. Also, there is uncontrolled access from the warehouse to the staff car park.

Effect: Inadequate security measures give rise to an increased risk of damage to premises and inventory and to an increased risk of inventory pilferage.

Recommendation: All IDs should be checked when staff enter the warehouse.

Visitor access should not be permitted until management authorisation is obtained, or unless visitors have been pre-notified to the gatehouse and the visitors’ IDs have been checked.

Management’s comments: Agreed. In the short-term the warehouse access store will be manned full-time across all shifts and locked at night. There will be 100% ID checks.

6.1

Observations: Invoices 1129 – 1746 were checked for adequate authorisation and supporting documentation. All invoices were authorised, the majority by the former finance manager. Only 6 invoices were supported by POs.

POs in this sample were generally inadequately completed, priced and dated.

GRNs were not received from the warehouse to confirm receipts of goods.

Effect: The managers initiating purchases are often not involved in the checking or authorisation of invoices. Accruals are being understated.

Recommendation: Non-administration invoices should be checked by operational managers.

Authorised GRNs should be received from managers who have raised requisitions.

All purchase requisitions should be costed. POs may not be priced unless requisitions are priced.

Management’s comments: Agreed. Invoices may be authorised by the

FOCUS

You should now be able to:

¾

discuss the factors to be taken into account when assessing the need for internal audit;

¾

discuss the elements of best practice in the structure and operations of internal audit with reference to appropriate international codes of corporate governance;

¾

compare and contrast the role of external and internal audit regarding planning and the collection of audit evidence;

¾

compare and contrast the types of report provided by internal and external audit;

¾

discuss the scope of internal audit and the limitations of the internal audit function;

¾

explain the types of report provided in internal audit assignments;

¾

discuss the responsibilities of internal and external auditors for the prevention and detection of fraud and error;

¾

explain the advantages and disadvantages of outsourcing internal audit;

¾

discuss the nature and purpose of internal audit assignments including value for money, IT, best value and financial;

EXAMPLE SOLUTION

Solution 1 — Assessing need for internal audit function

¾

Corporate structure and the degree of autonomy of each of the business units.

¾

Overall corporate culture and management’s philosophy.

¾

The company’s appetite for risk or its ability to tolerate risk.

¾

Overall control environment.

¾

Changes in organisational structure (including delayering), reporting processes and/or underlying information systems.

¾

Changes in key risks arising from:

‰ changes in internal processes (e.g. product or service lines or entry into new markets);

‰ alterations in external factors such as regulatory requirements.

¾

Complexity of the company’s systems, especially IT systems.

¾

The number of moderate to high risk areas which are not appropriately controlled.

¾

Deteriorating trends in internal control systems evident from the existing monitoring systems.

¾

Concerns about the level of “risk and control awareness” and the need to educate senior or middle management, or staff.

¾

An increased incidence of unexpected or unacceptable results or occurrences.

¾

The views of the company’s external auditors.

Solution 2 — Business performance reports

¾

Are effectively consultancy in nature, style and approach;

¾

Greater focus on performance, objectives and processes rather than risks and controls;

¾

Deal with improvements to be made rather than mistakes already made;
