Professional Documents
Culture Documents
INTRODUCTION
Internal audit is established by management to assist in corporate governance by assessing
internal controls and helping in risk management. The ethical requirements differ from those
of external auditors due to the nature of the function. Techniques used by internal auditors
are similar to those used by external auditors. There are usually no statutory requirements in
relation to internal audit
It functions by, amongst other things, examining, evaluating and reporting to the
management and the directors on the adequacy and effectiveness of the components of the
accounting and internal control systems.
Internal Auditors' roles include monitoring, assessing, and analyzing organizational risk and
controls; and reviewing and confirming information and compliance with policies,
procedures, and laws. Working in partnership with management, internal auditors provide
the board, the audit committee, and executive management assurance that risks are mitigated
and that the organization's corporate governance is strong and effective. And, when there is
room for improvement, internal auditors make recommendations for enhancing processes,
policies, and procedures."
1
Internal audit External audit
objective Designed to add value and An exercise to enable auditors
improve organisation’s to express an opinion on the
operations financial statements
Responsibility for Improvement is fundamental to None, however there is a duty
improvement the purpose of internal auditing. to report problems.
But it is done by advising,
coaching and facilitating in order
to not undermine the
responsibility of management.
Reporting Reports to the board of directors, Reports are private and for the
or the people charged with directors and management of
governance, such as the audit the company
committee
Scope Work relates to the operations of Work relates to the financial
the organisation statements
Relationship Often employees of the Independent of the company
organisation, although sometimes and its management. Usually
the function is outsourced appointed by the shareholders
Planning and collection of Strategic long term planning Planning carried out to achieve
evidence carried out, to achieve objective objective regarding truth and
of assignments, with no fairness of financial
materiality level being set. statements. Materiality level
set during planning (may be
amended during course of
audit).
Some audit may be procedural, External audit work is risk-
rather than risk-based. based.
Evidence mainly from Evidence collected using a
interviewing staff and inspecting variety of procedures per ISAs
document to obtain sufficient appropriate
audit evidence.
ROLE IN INTERNAL CONTROL
Internal auditing activity is primarily directed at evaluating internal control. Internal control
is broadly defined as a process, affected by an entity's board of directors, management, and
2
other personnel, designed to provide reasonable assurance regarding the achievement of the
following core objectives for which all businesses strive:
Effectiveness and efficiency of operations.
Reliability of financial and management reporting.
Compliance with laws and regulations.
Safeguarding of Assets
Management is responsible for internal control, which comprises five critical components:
the control environment; risk assessment; risk focused control activities; information and
communication; and monitoring activities (Components of Internal Control). Managers
establish policies, processes, and practices in these five components of management control
to help the organization achieve the four specific objectives listed above. Internal auditors
perform audits to evaluate whether the five components of management control are present
and operating effectively, and if not, provide recommendations for improvement.
Internal auditors have two key roles to play in relation to organization risk management
Ensuring the company’s risk management system operates effectively
Ensuring that strategies implemented in respect of business risks operate effectively
BUSINESS RISK
Business risk is the risk inherent to the company in its operations. Business risk is described
as consisting of three types of risks:
Operational risk
3
This is the possibility that suppliers will not supply products when needed or the
workforce will strike.
Financial risk
This is the possibility that exchange rate fluctuations will cause a substantial cost on
imported inventory or interest rates will rise and make the company’s loans too
expensive to maintain
Compliance risk
This is the possibility that the company will unwillingly break the laws and be fined
Business risk cannot be eliminated, but must be managed by the company. The internal audit
department has a two-fold role in relation to risk management:
Monitoring the company’s overall risk management policy to ensure it operates
effectively.
Monitoring the strategies implemented to ensure that they continue to operate
effectively.
A primary focus area of internal auditing as it relates to corporate governance is helping the
Audit Committee of the Board of Directors (or equivalent) perform its responsibilities
effectively.
This may include reporting critical management control issues, suggesting questions or
topics for the Audit Committee's meeting agendas, and coordinating with the external auditor
and management to ensure the Committee receives effective information.
4
Internal audit can be involved in many different assignments as directed by management.
These can range from value for money projects to operational assignments looking at specific
parts of the business.
The three measures may sometimes be in conflict with each other and may sometimes
complement each other.
Example;
Purchasing a cheap version of an item (economy) may help maximise the number of units
that may be obtained for a given sum of money (efficiency). This may be at conflict with the
desired objective of high standard of performance from each of the units (effectiveness)
Value for money auditing system should be capable of providing information to management
about value for money. It should focus on the organization’s performance in a given area by
looking at each of the 3Es with the objective of identifying areas where value for money might
be improved. Whether value for money could be achieved or not and the reasons behind it
should be reported to management.
Value for money is important in both profit seeking and not-for-profit organizations. Not –
for-profit organisations and the public sector are currently under tremendous pressure to
justify each of their actions in terms of economy, efficiency and effectiveness. Achieving value
5
for money now assumes central place in every action plan and it is a continuous process of
good governance.
It is not easy to measure effectiveness. For example, the effectiveness of a customer care
executive will improve if they give detailed replies to the queries of the customers. However,
it would result in low call turnover and other customers would have to wait for a long time
before their phone call is attended. Therefore the measurement of effectiveness of this
function is subjective, and not easy.
6
As best value depends on assessing current services and setting strategies for development,
internal audit can take part in the ‘position audit’ as they should have a good understanding
of how services are currently organized and relate to each other.
As assurance providers, the key part internal auditors will play is giving management
assurance that their objectives and strategies in relation to best value are being met.
FINANCIAL AUDIT
The financial audit is internal audit’s traditional role. It involves reviewing all the available
evidence (usually the company records) to substantiate information in management and
financial reporting.
Essentially, this is the role of the external auditor. Increasingly, it is a minor part of the
function of internal audit.
FRAUD
Internal auditors may have a role in preventing and detecting fraud. Fraud is a key business
risk. Directors have the responsibility to prevent and detect fraud. As the internal auditor has
a role in risk management, he is involved in the process of managing the risk of fraud. The
existence of an internal audit department may act as a deterrent to fraud. The internal
auditors might also be called upon to undertake special projects to investigate a suspect
fraud.
a) Adequacy of policies
The internal auditor will have to review the policies of a particular department by:
Reading them
Discussing with members of the department
7
The auditor will have to assess whether the policies are adequate, and possibly advise the
board for improvement.
b) Effectiveness of controls
The internal auditor will have to examine the effectiveness of controls by:
Observing them in operation, and
Testing them
REGULATION
There are no legal requirements associated with becoming an internal auditor. The scope and
nature of the internal auditor’s work is more likely to be set by the company policy than by
external guidelines. The International Audit and Assurance Standards Board does not issue
detailed auditing standards in relation to internal audit work.
Audit findings and recommendations may also relate to particular assertions about
transactions, such as whether the transactions audited were valid or authorized, completely
processed, accurately valued, processed in the correct time period, and properly disclosed in
financial or operational reporting, among other elements.
Under the IIA standards, a critical component of the audit process is the preparation of a
balanced report that provides executives and the board with the opportunity to evaluate and
weigh the issues being reported in the proper context and perspective. In providing
perspective, analysis and workable recommendations for business improvements in critical
areas, auditors help the organization meet its objectives.
9
whether issues are reported appropriately. This results in a serious conflict, limits the
scope and compromises the effectiveness of the internal audit function.
Internal auditors are not required to be professionally qualified (as external auditors
are) and so there may be limitations in their knowledge and technical expertise.
10