INTERNAL AUDIT

INTRODUCTION
Internal audit is established by management to assist in corporate governance by assessing
internal controls and helping in risk management. The ethical requirements differ from those
of external auditors due to the nature of the function. Techniques used by internal auditors
are similar to those used by external auditors. There are usually no statutory requirements in
relation to internal audit

DEFINITION OF INTERNAL AUDIT

Internal audit is defined as an appraisal or monitoring activity established within an entity as
a service to the entity.

It functions by, amongst other things, examining, evaluating and reporting to the
management and the directors on the adequacy and effectiveness of the components of the
accounting and internal control systems.

It helps an organization accomplish its objectives by bringing a systematic, disciplined

approach to evaluate and improve the effectiveness of risk management, control, and
governance processes.

Internal audit is generally a feature of large companies. It is a function which is provided

either by employees of the entity or sourced from outside the entity.

Internal Auditors' roles include monitoring, assessing, and analyzing organizational risk and
controls; and reviewing and confirming information and compliance with policies,
procedures, and laws. Working in partnership with management, internal auditors provide
the board, the audit committee, and executive management assurance that risks are mitigated
and that the organization's corporate governance is strong and effective. And, when there is
room for improvement, internal auditors make recommendations for enhancing processes,
policies, and procedures."

DISTINCTION BETWEEN INTERNAL AND EXTERNAL AUDIT

1
 Internal audit External audit
objective Designed to add value and An exercise to enable auditors
improve organisation’s to express an opinion on the
operations financial statements
Responsibility for Improvement is fundamental to None, however there is a duty
improvement the purpose of internal auditing. to report problems.
But it is done by advising,
coaching and facilitating in order
to not undermine the
responsibility of management.
Reporting Reports to the board of directors, Reports are private and for the
or the people charged with directors and management of
governance, such as the audit the company
committee
Scope Work relates to the operations of Work relates to the financial
the organisation statements
Relationship Often employees of the Independent of the company
organisation, although sometimes and its management. Usually
the function is outsourced appointed by the shareholders
Planning and collection of Strategic long term planning Planning carried out to achieve
evidence carried out, to achieve objective objective regarding truth and
of assignments, with no fairness of financial
materiality level being set. statements. Materiality level
set during planning (may be
amended during course of
audit).
Some audit may be procedural, External audit work is risk-
rather than risk-based. based.
Evidence mainly from Evidence collected using a
interviewing staff and inspecting variety of procedures per ISAs
document to obtain sufficient appropriate
audit evidence.
ROLE IN INTERNAL CONTROL
Internal auditing activity is primarily directed at evaluating internal control. Internal control
is broadly defined as a process, affected by an entity's board of directors, management, and

2
other personnel, designed to provide reasonable assurance regarding the achievement of the
following core objectives for which all businesses strive:
 Effectiveness and efficiency of operations.
 Reliability of financial and management reporting.
 Compliance with laws and regulations.
 Safeguarding of Assets

Management is responsible for internal control, which comprises five critical components:
the control environment; risk assessment; risk focused control activities; information and
communication; and monitoring activities (Components of Internal Control). Managers
establish policies, processes, and practices in these five components of management control
to help the organization achieve the four specific objectives listed above. Internal auditors
perform audits to evaluate whether the five components of management control are present
and operating effectively, and if not, provide recommendations for improvement.

ROLE IN RISK MANAGEMENT

Internal auditing professional standards require the function to evaluate the effectiveness of
the organization's Risk management activities. Risk management is the process by which an
organization identifies, analyzes, responds, gathers information about, and monitors strategic
risks that could actually or potentially impact the organization's ability to achieve its mission
and objectives.

Internal auditors have two key roles to play in relation to organization risk management
 Ensuring the company’s risk management system operates effectively
 Ensuring that strategies implemented in respect of business risks operate effectively

BUSINESS RISK
Business risk is the risk inherent to the company in its operations. Business risk is described
as consisting of three types of risks:
 Operational risk

3
 This is the possibility that suppliers will not supply products when needed or the
workforce will strike.
 Financial risk
This is the possibility that exchange rate fluctuations will cause a substantial cost on
imported inventory or interest rates will rise and make the company’s loans too
expensive to maintain
 Compliance risk
This is the possibility that the company will unwillingly break the laws and be fined

Business risk cannot be eliminated, but must be managed by the company. The internal audit
department has a two-fold role in relation to risk management:
 Monitoring the company’s overall risk management policy to ensure it operates
effectively.
 Monitoring the strategies implemented to ensure that they continue to operate
effectively.

ROLE IN CORPORATE GOVERNANCE

Internal auditing activity as it relates to corporate governance has in the past been generally
informal, accomplished primarily through participation in meetings and discussions with
members of the Board of Directors. Governance is the policies, processes and structures used
by the organization’s leadership to direct activities, achieve objectives, and protect the
interests of diverse stakeholder groups in a manner consistent with ethical standards. The
internal auditor is often considered one of the "four pillars" of corporate governance, the
other pillars being the Board of Directors, management, and the external auditor.

A primary focus area of internal auditing as it relates to corporate governance is helping the
Audit Committee of the Board of Directors (or equivalent) perform its responsibilities
effectively.
This may include reporting critical management control issues, suggesting questions or
topics for the Audit Committee's meeting agendas, and coordinating with the external auditor
and management to ensure the Committee receives effective information.

INTERNAL AUDIT ASSIGNMENTS

4
Internal audit can be involved in many different assignments as directed by management.
These can range from value for money projects to operational assignments looking at specific
parts of the business.

VALUE FOR MONEY

The principle of value for money implies that effort must be made to ensure available funds
are spent in the provision of services in a way that maximises the benefit to the users of the
services. The value for money principle focuses on three Es namely, Economy, Efficiency and
Effectiveness in any activity of the organization.
i. Economy
Attaining the appropriate quantity and quality of physical, human and financial
resources at lowest cost. Implies the principle of prudence i.e. the least possible cost
should be incurred to fulfil any need.
ii. Efficiency
This is the relationship between goods or services produced and resources used to
produce them. Implies the maximization of output input ratio i.e the output per unit of
input should be maximised.
iii. Effectiveness
This is concerned with how well an activity is achieving its policy objectives or other
intended effects. It considers what the proper role of the organization should be.

The three measures may sometimes be in conflict with each other and may sometimes
complement each other.

Example;
Purchasing a cheap version of an item (economy) may help maximise the number of units
that may be obtained for a given sum of money (efficiency). This may be at conflict with the
desired objective of high standard of performance from each of the units (effectiveness)
Value for money auditing system should be capable of providing information to management
about value for money. It should focus on the organization’s performance in a given area by
looking at each of the 3Es with the objective of identifying areas where value for money might
be improved. Whether value for money could be achieved or not and the reasons behind it
should be reported to management.

Value for money is important in both profit seeking and not-for-profit organizations. Not –
for-profit organisations and the public sector are currently under tremendous pressure to
justify each of their actions in terms of economy, efficiency and effectiveness. Achieving value

5
for money now assumes central place in every action plan and it is a continuous process of
good governance.

Deficiencies of value for money audit

 There exist no universal measures for outputs. For example, the output of a
customer care executive in a call centre can be measured by the number of calls
attended by him or her. However, each call can be of different difficulty and take
different amounts of time. However, the output of a machine is likely to be uniform and
will be in terms of the units manufactured.
 Objectives of audit and measures of efficiency very with the type of work being
audited. For example, the objective of a customer care executive is to satisfy the
queries of a customer in the minimum time. Hence, their efficiency would be
determined on that basis. However, the objective of a machine is to produce the
maximum output with minimum resources.
 Quality might be sacrificed to achieve economy and efficiency. The objective of
value for money audits is to achieve economy, efficiency and effectiveness. Sometimes
efficiency is sacrificed to achieve economy. For example, the customer care executive
may end the call without giving adequate answers to the queries posed by the
customer. The servicing of the machine may be delayed to avoid the machine’s
downtime.

It is not easy to measure effectiveness. For example, the effectiveness of a customer care
executive will improve if they give detailed replies to the queries of the customers. However,
it would result in low call turnover and other customers would have to wait for a long time
before their phone call is attended. Therefore the measurement of effectiveness of this
function is subjective, and not easy.

INTERNAL AUDITORS AND BEST VALUE

One of the internal auditor’s roles is to provide assurance that internal control systems are
adequate to promote the effective use of resources and that risks are being managed properly.
In relation to best value, this role can be extended to ensure that the authority has
arrangement in place to achieve best value, that risks and impacts of best value are
incorporated into normal audit testing and that the authority keeps abreast of best value
developments.

6
As best value depends on assessing current services and setting strategies for development,
internal audit can take part in the ‘position audit’ as they should have a good understanding
of how services are currently organized and relate to each other.

As assurance providers, the key part internal auditors will play is giving management
assurance that their objectives and strategies in relation to best value are being met.

INFORMATION TECHNOLGY (IT) AUDIT

An IT audit is a test of control in the computer systems. It is likely to be necessary to have an
IT specialist in the internal audit team to undertake an audit of the controls as some of them
will be programmed into the computer system.

FINANCIAL AUDIT
The financial audit is internal audit’s traditional role. It involves reviewing all the available
evidence (usually the company records) to substantiate information in management and
financial reporting.

Essentially, this is the role of the external auditor. Increasingly, it is a minor part of the
function of internal audit.

FRAUD
Internal auditors may have a role in preventing and detecting fraud. Fraud is a key business
risk. Directors have the responsibility to prevent and detect fraud. As the internal auditor has
a role in risk management, he is involved in the process of managing the risk of fraud. The
existence of an internal audit department may act as a deterrent to fraud. The internal
auditors might also be called upon to undertake special projects to investigate a suspect
fraud.

OPERATIONAL INTERNAL AUDIT ASSIGNMENTS

Operational audits are audits of the operational processes of the organization. There are two
aspects of an operational assignment:
a) Ensuring that policies are adequate, and
b) Ensuring that polices work effectively

a) Adequacy of policies
The internal auditor will have to review the policies of a particular department by:
 Reading them
 Discussing with members of the department
7
The auditor will have to assess whether the policies are adequate, and possibly advise the
board for improvement.

b) Effectiveness of controls
The internal auditor will have to examine the effectiveness of controls by:
 Observing them in operation, and
 Testing them

REGULATION
There are no legal requirements associated with becoming an internal auditor. The scope and
nature of the internal auditor’s work is more likely to be set by the company policy than by
external guidelines. The International Audit and Assurance Standards Board does not issue
detailed auditing standards in relation to internal audit work.

OUTSOURCING THE INTERNAL AUDIT FUNCTION

It may be expensive to maintain an internal audit unit in an organization. Directors should
consider the need for having internal auditors in an organization annually. The directors may
conclude that the cost is prohibitive. Internal audit may be outsourced from external service
providers.

Advantages of outsourcing internal audit function

 Provision of good quality services
 Speed in provision of services
 Less costly
 Tailored answer to internal audit requirement
 Specialized skills from the service provider
 Can lay the basis of permanent internal audit function, by setting policies and
functions

Internal audit reports

Internal auditors typically issue reports at the end of each audit that summarize their
findings, recommendations, and any responses or action plans from management. An internal
audit report may have an executive summary; a body that includes the specific issues or
findings identified and related recommendations or action plans; and appendix information
such as detailed graphs and charts or process information. Each audit finding within the body
of the report may contain five elements, sometimes called the "5 C's":
8
 i. Condition: What is the particular problem identified?
ii. Criteria: What is the standard that was not met? The standard may be a company
policy or other benchmark.
iii. Cause: Why did the problem occur?
iv. Consequence: What is the risk/negative outcome (or opportunity foregone) because
of the finding?
v. Corrective action: What should management do about the finding? What have they
agreed to do and by when?
The recommendations in an internal audit report are designed to help the organization
achieve effective and efficient governance, risk and control processes associated with
operations objectives, financial and management reporting objectives; and legal/regulatory
compliance objectives.

Audit findings and recommendations may also relate to particular assertions about
transactions, such as whether the transactions audited were valid or authorized, completely
processed, accurately valued, processed in the correct time period, and properly disclosed in
financial or operational reporting, among other elements.
Under the IIA standards, a critical component of the audit process is the preparation of a
balanced report that provides executives and the board with the opportunity to evaluate and
weigh the issues being reported in the proper context and perspective. In providing
perspective, analysis and workable recommendations for business improvements in critical
areas, auditors help the organization meet its objectives.

Limitations of the internal audit function

 Although the presence of an internal audit department within an organisation is
indicative of good internal control, by its very nature, there are some limitations of the
internal audit function.
 Internal auditors are employed by the organisation and this can impair their
independence and objectivity and ability to report fraud/error to senior management
because of perceived threats to their continued employment within the company.
 To ensure transparency, best practice indicates that the internal audit function should
have a dual reporting relationship, i.e. report both to management and those charged
with governance (the audit committee). If this reporting structure is not in place,
management may be able to unduly influence the internal audit plan, scope, and

9
 whether issues are reported appropriately. This results in a serious conflict, limits the
scope and compromises the effectiveness of the internal audit function.
 Internal auditors are not required to be professionally qualified (as external auditors
are) and so there may be limitations in their knowledge and technical expertise.

10