organisations with connections to the auditor. Auditors will therefore need to apply careful judgement in assessing whether a particular individual, partner- ship, body corporate or other entity falls within the new definition.
audit function is to assist management in identifying potential risk and to pro- vide assurance that the company’s system of internal control is effective in reducing business risk to an acceptable level. It also acts as a useful source of information for management on what is actually happening in practice within the business, and provides support and advice by identifying needs and recom- mending policies, procedures and controls to resolve potential problems as they are identified. In the case of a public company, the work of internal audit will usually be a significant factor in enabling the directors to report on internal con- trol as required by the Combined Code (see 6 CORPORATE GOVERNANCE). The Code also recommends that companies that do not have an internal audit function should consider annually whether there is a need for one.
1.113 Distinction Between External Audit and Internal Audit
There are significant differences between the roles of external auditors and internal auditors. External auditors are appointed by the shareholders and report to them by expressing an independent opinion on whether the com- pany’s annual accounts show a true and fair view of the state of affairs of the company at the balance sheet date and of its profit or loss for the financial year.
The work of the external auditors is therefore directed towards identifying any potentially material misstatement in the annual accounts, and confirming that the accounting treatments and disclosures required by the legislation and by accounting standards have been properly dealt with. Internal audit is a service function of the company, focusing its efforts on the effectiveness of the com- pany’s systems of internal control and reporting any weaknesses and concerns to management. Companies’ legislation generally requires every UK company to appoint external auditors (the only exceptions being dormant companies and certain small companies as explained at 1.1–1.17 above), but management can choose whether or not to establish an internal audit function.
The principal distinctions between external and internal audit can there- fore be summarised as follows:
Audit
External auditors Internal auditors
Appointed by Shareholders Management
Report to Shareholders Management
Role defined by Statute Management
Primary function Independent opinion on the Assisting management with the annual accounts identification and control of
business risk
Although the roles of external auditors and internal auditors are quite distinct, good liaison between the two can help both to operate more efficiently.
1.114 How Not to Use Internal Audit
Historically, there has been a considerable degree of confusion over the precise role of internal audit. It is important to recognise that internal auditors are not responsible for designing and implementing systems and procedures, nor are they responsible for the prevention and detection of fraud and irregularity.
These are, and must always remain, the responsibility of management. Internal auditors have an important role to play in assisting management to fulfil their responsibilities, and they will frequently recommend changes to systems and procedures, or new controls that should be introduced. However, if they were to become directly involved in designing and implementing systems and pro- cedures, their independence from the operating functions could be seriously impaired. For the same reason, it is essential that internal auditors are not seen as a floating resource who can be used to cover for the unexpected departure or long-term absence of accounting and other staff.
1.115 Benefits of Internal Audit
The heightened profile of corporate governance issues, and public reporting on aspects such as internal control under the Combined Code (and its predecessor Codes), has generally increased management’s awareness of their responsibil- ities and encouraged them to reconsider how these responsibilities can best be fulfilled in practice. Internal audit has had a relatively high profile within the public sector for some years, but has generally been slower to develop within the private sector, except in the largest organisations. In the past, internal audit departments tended to be given a low status within the organisation, but the benefits of a well-organised and high calibre internal audit function are now becoming clearer to companies of all sizes. Management always retains the responsibility for identifying business risk and introducing procedures and controls to reduce risk to an acceptable level. However, establishing a strong internal audit function to assist with this can enable management to demon- strate clearly that they have paid due attention to the relevant issues, and that the procedures and controls that have been put in place are being subjected to continual scrutiny. This is particularly important as the business develops – without regular independent scrutiny, the procedures and controls can easily become out of date and fail to provide adequate cover in new areas of operation.
1.116 Areas Usually Covered by Internal Audit
Internal audit will usually provide assurance on:
safeguarding of the company’s assets;
the completeness and accuracy of the company’s accounting and other records;
the adequacy and effectiveness of measures to prevent fraud and other irregu- larity; and
the overall efficiency of the operations.
The internal auditors should develop a strong, in-depth knowledge of the com- pany’s operating systems, coupled with their own professional expertise, and they are therefore in a good position to advise management on the assessment of risk and the implementation of procedures and controls. If there is no internal audit function, the external auditors will usually need to carry out some review and testing of the company’s systems and controls, but as their focus is the material accuracy of the annual accounts, their work will concentrate on finan- cial controls rather than the company’s overall system of internal control. The level and extent of their review and testing will also be lower, as the level of assurance needed for external audit purposes will not be as extensive as that required for effective management of the business.
1.117 Special Assignments
As well as assisting with the assessment and control of business risk, internal auditors often carry out special assignments and investigations to assist man- agement in the achievement of business objectives, such as value for money reviews and more extensive investigations of specific business areas (for instance, a review of the effectiveness and efficiency of an individual part of the business operation, or of a particular service function, such as catering or maintenance). The areas selected for review may have been identified by man- agement as needing investigation, or may have been highlighted by the internal auditors during their other work, or by the external auditors.
1.118 Establishing an Internal Audit Function
An internal audit function is a service department within the organisation, assisting management to fulfil its responsibilities. In larger entities, there will usually be a separate internal audit department, its staffing levels being dependent on the size and complexity of the organisation and the level of work required throughout the year. In the case of a group, one internal audit depart- ment will normally serve all locations and subsidiaries within the group. In a smaller organisation, there may be insufficient work to justify a fully staffed internal audit department, or it may be that the department would be so small (eg requiring only one or two members of staff) that it would be difficult for it to command the necessary authority within the business. However, this does not mean that it is totally impractical for a small company to operate an inter- nal audit function. It should be possible to sub-contract internal audit work to an external organisation with the necessary skills and experience (eg a firm of accountants with internal audit expertise). The fact that the function is an internal one does not prevent it being provided from an outside source, although partic- ular care may be needed in defining the terms and scope of the work.
1.119 Terms of Reference
The purpose, authority and scope of work of the internal audit department should be set out in a formal document. This will help to give the internal auditors the
Audit
high profile within the organisation that is necessary if they are to function effect- ively. It should also clarify the independence of the internal auditors from the other parts of the business and the remit of internal audit, ensuring in particular that this is not restricted in any way and covers all aspects of the business. Where internal audit work is sub-contracted, these matters will normally be dealt with in an engagement letter between the parties. In all cases, the terms of reference for the internal audit function should be regularly reviewed and updated (through the audit committee where appropriate – see 1.135–1.168 below).
1.120 Head of Internal Audit
It is important that the internal audit function, however it is organised, is headed up by an individual who has the necessary professional expertise and carries the respect, confidence and support of other members of the senior management team. He or she should preferably have an appropriate professional qualifica- tion, relevant experience and the personal skills needed to deal with individuals throughout the organisation and to handle potentially difficult and sensitive issues. There needs to be a close working relationship between the head of internal audit and the executive directors and also, where relevant, good communication between the head of internal audit and the audit committee (see 1.135–1.168 below). If the internal audit function is a separate department within the organ- isation, the head of internal audit will be a management appointment. If internal audit work is sub-contracted, the person with overall responsibility for the work (eg a partner in a firm of accountants) is in effect the head of internal audit, and it will be important to ensure that the necessary relationships can be put into place quickly and effectively. Where the company has an audit committee, this committee will usually participate in the appointment. The head of internal audit should have a direct line of communication to the chairman of the audit commit- tee, to enable sensitive issues to be raised and discussed without executive man- agement being present where necessary, and to demonstrate and strengthen the independence of the internal audit function.
1.121 Staffing
If the internal audit department is to achieve the necessary degree of respect and confidence within the organisation, it is essential that it has adequate resources to carry out its work. Wherever possible, internal audit staff should be suitably trained and professionally qualified. This does not necessarily mean that everyone needs to hold the same qualifications. The department should be viewed as a team and the skills and expertise available should be appropriate for the range of work that the department is expected to cover. The skills needed will inevitably vary, depending on the nature and complexity of the business. As well as financial expertise, the internal audit function may need skills in areas such as computing, logistics or environmental issues. On occasions it may be appropriate to second high calibre staff with particular skills from elsewhere in the organisation to assist with specific internal audit projects. This can be valuable in increasing general
awareness and understanding of the internal audit function within the company, and can help to raise the profile of internal audit. It is important to remember that internal audit staff will need to deal with individuals throughout the organisation, and that they may sometimes be required to handle potentially difficult and sen- sitive situations. All internal audit staff need to have strong inter-personal and communication skills and to be confident in dealing with senior management.
1.122 Independence and Objectivity
Internal auditors must be genuinely independent of the systems and operations that they review and report on. Without a high degree of professional independ- ence and objectivity, the internal audit function will not achieve the status and level of authority necessary for it to become a strong and effective management resource, and it will not command the respect and confidence of management and staff. There is also a risk that internal audit staff will not be able to make genu- inely unbiased and impartial judgements if they have a close involvement in the detailed operations. It is essential that the head of internal audit is not given add- itional executive responsibilities within the organisation and that audit staff are not involved in the day-to-day operations of other parts of the business. This does not preclude the secondment of staff from other departments to assist with spe- cific internal audit assignments as explained above, but long-term internal audit staff should not have a regular involvement in other departments. It is particu- larly important that internal auditors are not seen as a floating resource who can be used to cover for the unexpected departure or long-term absence of key mem- bers of staff.
The ability of the head of internal audit to communicate directly with the chairman of the audit committee (see 1.135–1.168 below) whenever he or she considers it necessary helps to demonstrate the independence of the internal audit function from the executive management. The audit committee (or man- agement where there is no audit committee) should satisfy themselves each year that appropriate procedures are operating to safeguard the independence and objectivity of the internal audit function.
1.123 Scope of Internal Audit Work
The scope of the internal auditors’ work should generally be unrestricted and should cover the full spectrum of the company’s system of internal control. The scope of the work undertaken by the internal auditors will vary depending on the circumstances of the company and should be discussed and agreed by the board. Where appropriate, this will be dealt with initially by the audit commit- tee (see 1.135–1.168 below), who will then submit detailed proposals to the board for consideration and formal approval. The scope of internal audit work will usually include:
understanding and assessing the key business risks and reviewing the proced- ures used to identify and manage these;
Audit
reviewing the adequacy and effectiveness of controls over financial and other operational information;
reviewing the adequacy and effectiveness of the procedures established by man- agement to safeguard the company’s assets and resources, and to prevent fraud and irregularity;
reviewing the adequacy and effectiveness of procedures designed to ensure compliance with law and regulations that are central to the business;
reviewing the adequacy and effectiveness of procedures designed to ensure that the policies and plans agreed by management are brought into effect; and
reviewing the efficiency and effectiveness of particular aspects of the business.
1.124 Internal Audit Needs Assessment and Strategic Plan
The initial stage in planning internal audit work will usually be to develop an internal audit needs assessment. This will identify all the aspects of the company’s operations that will be subject to review by the internal auditors. In most organi- sations it will not be practical for all areas to be covered by internal audit in one year. It is normal practice for internal auditors to operate on a three- or four-year cycle, ensuring that all systems and operations are covered during the three- or four-year period. In some cases, all the work on a particular system or operational area may be carried out in one year – in other cases, work on an individual system or operation may be spread over the full audit period, so that some aspects are cov- ered in each year of the cycle. Where a system or operational area is considered to be particularly critical to the business, it may be deemed necessary for it to be cov- ered by internal audit each year. The overall audit needs assessment must there- fore be developed into a strategic audit plan to demonstrate how full coverage will be achieved over the audit cycle (ie the three- or four-year period). In order to pre- pare a strategic audit plan, there will need to be some prioritisation of internal audit work over the audit cycle. Areas that are identified as high risk will gener- ally be covered earlier in the audit cycle, and may be covered on more than one occasion during the cycle; areas that are deemed medium or low risk will gener- ally be covered later in the audit cycle. Both the internal audit needs assessment and the strategic audit plan should be developed by the internal auditors in dis- cussion with management and should be formally approved by the board (through the audit committee where appropriate – see 1.135–1.168 below).
1.125 Annual Review
The internal audit needs assessment and strategic audit plan must be reviewed and updated annually. There are very few situations where the needs assessment and strategic plan developed at the beginning of an audit cycle will not need to be adapted during the course of the cycle. Changes may be needed to:
incorporate new systems and operations as the business develops;
amend priorities because changes in circumstance have increased or reduced the risk associated with a particular aspect of the business; and/or
amend priorities on the basis of the results of internal audit work already completed.
Both the internal auditors and management should be involved in the review and update of the internal audit needs assessment and the strategic audit plan, and the revised documents should be approved by the board (through the audit committee where appropriate – see 1.135–1.168 below).
1.126 Detailed Internal Audit Plan
Once the internal audit needs assessment and strategic audit plan have been approved, the internal audit department must develop a detailed audit plan for the current year, setting out the areas to be covered, the proposed timing of the work and the proposed reporting timetable. The plan should include adequate time for following up points raised in the reports on previous audits to confirm that the agreed action has in fact been taken and that the problem originally identified has been resolved as far as is practicable. The detailed audit plan for the year should also be approved by the board (through the audit committee, where appropriate – see 1.135–1.168 below).
1.127 Monitoring Work as the Year Progresses
The head of internal audit should report regularly to management on the progress of audit work against the plan for the year and explain any significant variations.
Reporting will be dealt with through the audit committee where appropriate (see 1.135–1.168 below).
1.128 Reports on Individual Systems and Operations
Internal audit will issue individual reports on each system or operational area that has been subject to audit. Their reports will normally draw an overall con- clusion in respect of that system or area, and will concentrate on highlighting any potentially serious weaknesses or concerns identified during the audit, along with the internal auditors’ recommendations for changes and improve- ments. The recommendations will normally be discussed with management and the agreed action noted for each item. It is usually helpful to agree a stand- ard structure for internal audit reports – for instance:
executive summary;
the overall conclusions drawn by the auditors; and
the detailed findings and recommendations for improvement, divided into:
major weaknesses and concerns, and
other issues.
It is important that weaknesses and concerns are rigorously followed up by internal audit later in the year (or, where appropriate, later in the audit cycle), to confirm that the agreed action has actually been taken and that the potential problem originally identified has been satisfactorily resolved.
Audit