
Internal audit:

An appraisal activity established or provided as a service to the entity. Its functions include, amongst other things, examining, evaluating and monitoring the adequacy and effectiveness of internal control. Internal auditing is a catalyst for improving an organization's effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business processes. Professionals called internal auditors are employed by organizations to perform the internal auditing activity or sourced from an external organization. The scope of internal auditing within an organization is broad and may involve topics such as:
- the efficacy of operations,
- the reliability of financial reporting,
- deterring and investigating fraud,
- safeguarding assets, and
- compliance with laws and regulations.

Internal auditing frequently involves measuring compliance with the entity's policies and procedures. However, internal auditors are not responsible for the execution of company activities; they advise management and the Board of Directors regarding how to better execute their responsibilities.

Internal auditors help organisations to succeed - and success looks different depending on the aims of each organisation. They do this by telling the managers whether the systems and processes that make sure the organisation is on track are themselves working well.

That is assurance!

But they do more than that: they also help the managers to improve those systems and processes where necessary.

That is consulting!

Assessing the need for internal audit:


The factors an entity might consider when assessing the need for an internal audit function include:
- Internal audit can assist an entity in providing effective corporate governance.
- The cost of setting up an internal audit department versus the predicted benefit.
- The complexity and scale of the organisation's activities and the systems supporting those activities.
- The ability of existing managers and employees to carry out assignments that internal audit may be asked to carry out.
- Management's perceived need for assessing risk and internal control.

Distinction between internal and external audit:


The external audit is focused on the financial statements, whereas the internal audit is focused on the operations of the entire business.

OBJECTIVE
- Internal audit: Designed to add value and improve an organisation's operations.
- External audit: An exercise to enable auditors to express an opinion on the FSs.

REPORTS TO
- Internal audit: Reports to the BODs, or other people charged with governance, such as the audit committee. Reports are private and for the directors and management of the company.
- External audit: Reports to SHs or members of a company on the truth and fairness of the accounts. Audit report is publicly available to the SHs and other interested parties.

SCOPE
- Internal audit: Work relates to the operations of the organization.
- External audit: Work relates to the FSs.

RELATIONSHIP
- Internal audit: Often employees of the organization, although sometimes the function is outsourced.
- External audit: Independent of the company and its management. Usually appointed by the SHs.

PLANNING
- Internal audit: Strategic long term planning carried out, to achieve objective of assignments, with no materiality level being set.
- External audit: Planning carried out to achieve objective regarding truth and fairness of FSs. Materiality level set during planning (may be amended during course of audit).

PROCEDURAL vs. RISK BASED
- Internal audit: Some audits may be procedural, rather than risk based.
- External audit: External audit work is risk based.

COLLECTION OF EVIDENCE
- Internal audit: Evidence mainly from interviewing staff and inspecting documents.
- External audit: Evidence collected using a variety of procedures per ISAs to obtain sufficient appropriate audit evidence.

Scope of the internal audit function:


Business Risk:
Business risk is a risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity's ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies. Business risk cannot be eliminated, but it must be managed by the company.

IDENTIFY RISK

DETERMINE COMPANY POLICY

IMPLEMENT STRATEGY

Risk Management:
Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. Risks can come from uncertainty in financial markets, project failures (at any phase in development, production, or sustainment life-cycles), legal liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attack from an adversary or events of uncertain root-cause. The strategies to manage risk include:
- transferring the risk to another party,
- avoiding the risk,
- reducing the negative effect or probability of the risk, or
- even accepting some or all of the consequences of a particular risk.

Regulation of internal auditors


- Internal auditing is not regulated in the same way as statutory external auditing.
- There are no legal requirements associated with becoming an internal auditor.
- The scope and nature of internal audit's work is more likely to be set by company policy than by any external guidelines.
- Unlike external auditors, internal auditors are not required to be members of a professional body.

The Role of Internal Audit:


The internal audit department has a two-fold role in relation to risk management.
1. It monitors the company's overall risk management policy to ensure it operates effectively.
2. It monitors the strategies implemented to ensure that they continue to operate effectively.

Internal audit may assist in the development of systems. However, its key role will be in monitoring the overall process and in providing assurance that the systems which the departments have designed meet objectives and operate effectively.

Responsibility of Fraud and Error:


Fraud is a key business risk. It is the responsibility of the directors to prevent and detect fraud. As the internal auditor has a role in risk management he is involved in the process of managing the risk of fraud. It is NOT the responsibility of the external auditors to prevent and detect fraud, although they may unearth fraud as a part of their audit of the FSs, and they shall be aware of the risks of fraud while carrying out the audit. The internal auditor can help to prevent fraud by carrying out work on assessing the adequacy and effectiveness of control systems. The internal auditor can help to detect fraud by being mindful when carrying out his work and reporting any suspicions. The very existence of an internal audit department may act as a deterrent to fraud. The internal auditors might also be called upon to undertake special projects to investigate a suspected fraud.

Limitations of the Internal Audit Function:


1. Internal auditors are employed by the organization and this can impair their independence and objectivity and ability to report fraud/error to senior management because of perceived threats to their continued employment within the company.
2. To ensure transparency, best practice indicates that the internal audit function should have a dual reporting relationship, i.e. report both to management and those charged with governance (the audit committee). If this reporting structure is not in place, management may be able to unduly influence the internal audit plan, scope, and whether issues are reported appropriately. This results in a serious conflict, limits the scope and compromises the effectiveness of the internal audit function.
3. The limitation of internal audit is that audit staff may be incompetent. There may be lack of experience and training on the part of internal audit staff. If audit staff is competent there is less chance of errors. In case of poor audit staff there is no guarantee that audited accounts are free from errors.
4. The limitation of internal audit starts when there is time lag between recording and checking of entries. The accounting and internal audit must go side by side with minimum time gap.

Objectives of Internal Audit:


- The purpose of internal audit is to keep proper control over business activities. When there is proper control there is maximum efficiency. The internal auditor determines the degrees of control over work.
- The purpose of internal audit is to evaluate the accounting system. It is concerned with checking proper authority for transactions like purchase, retirement and disposal of fixed assets. The vouchers can be compared with entries in order to determine that figures are facts.
- The purpose of internal audit is to help the management. Internal auditor can point out the weakness. The internal audit can be used as a tool to correct the situation. The management functions can be performed properly.
- The purpose of internal audit is to review the working of business. The working of current year can be reviewed in detail just to note the successful area of working. There is a need to locate the weak points. The corrective measures can be taken for proper working.
- The purpose of internal audit is to protect the assets. The proper record of assets must be there. The valuation, verification and possession can be examined by internal auditor. The purchases and sale of assets must be made under proper authority.

Essentials of Internal Audit:


- Planning is an essential feature of internal audit. The auditor can plan to check the accounting system. The plan may relate to accounting functions like purchase, sales, income, expenses and shares. The planning includes degrees of risk and extent of audit. It also states the nature of audit work.
- Controlling is an essential feature of internal audit. The auditor can examine the operations of the accounting system. He can control audit work through the audit program. The whole audit work is distributed among audit staff.
- Recording is an essential feature of internal audit. The auditor can record the facts and figures in order to express his views on the business activities. The audit note book and audit working papers are used to record the information.
- Independence is an essential element of internal audit. The work of internal audit is done by an employee of the company. He must not be influenced by management. He must be free in developing the audit program, audit investigation and audit reporting. Internal auditors have a professional duty to provide an unbiased and objective view. They must be independent from the operations they evaluate and report to the highest level in an organisation, the senior managers and the governors, i.e. the board of directors or the board of trustees, the accounting officer or the audit committee.
- Staffing is an essential part of internal audit. Trained staff are needed to conduct internal audit. A reasonable number of persons can perform the work of examination. Inadequate and untrained staff cannot serve the purpose of checking the efficiency of managers. To be effective the internal audit activity must have qualified and skilled people who have the experience to do things in the right way, following the Code of Ethics and the International Standards.

Advantages of Internal Audit:


There are many advantages of the internal audit.
- First of all, the main advantage of the internal audit is to eliminate the chances of fraud.
- Many companies appoint an internal auditor for their accounts who can help them to present a true and clear view of the financial statements of the business.
- Many companies appoint an internal auditor to keep an eye on staff such as clerks and accountants so that they cannot commit fraud in the accounts of the company. Because the accounts are audited on a regular basis, there is less chance of fraud by clerks and accountants.

The Difference between Internal Audit and External Audit:


- The internal audit is conducted to help the management. The weakness of the management is disclosed. The external audit is conducted to help the shareholder. The rights of owners are protected.
- The appointment of internal audit is made by the management. The appointment in external audit is made by the shareholders.
- Internal audit is part of internal control. External audit is not part of internal control.
- The internal audit can suggest improvement in the internal check system. The external audit cannot suggest improvement in the internal check system.
- The internal auditor can perform his duties under the terms of appointment. The management can limit the scope of work at any time. The external auditor can perform his work according to the terms of appointment and other prescribed law. The scope is very wide.
- The internal auditor is an employee of the company. He is not an independent person. The external auditor is not an employee of the company. He is an independent person.
- The internal audit can check the material and substantive accuracy of business records. The external auditor can check the true and fair view of earning capacity and financial position.
- The management has power to remove the internal auditor. The shareholders have power to remove the external auditor.

What internal auditors do:


The process of internal auditing consists of four stages. The diagram below briefly explains what happens during each stage and the questions and actions the internal auditor needs to address for completion.

Internal Audit Assignments:

VFMs:

A Value for Money Audit is a financial analysis looking into whether resources are used in an economic, efficient and effective way. These are known as the three Es of VFM audits. The three Es can be defined as follows.

a) Economy:

Attaining the appropriate quantity and quality of physical, human and financial resources (inputs) at lowest cost. An activity would not be economic, if for example, there was over-staffing or failure to purchase materials of requisite quality at the lowest available price. Economy relates to all types of resources such as physical, financial, human and information. The question of economy is relevant to the acquisition of resources. Auditors try to determine whether the resources have been acquired in the right amount, at the right place, and the right time, of right kind and at the right cost.

b) Efficiency:

This is the relationship between goods or services produced (outputs) and the resources used to produce them. An efficient operation produces the maximum output for any given set of resource inputs, or it has minimum inputs for any given quantity and quality of product or service provided.

Efficiency refers to the relationship of inputs and outputs. It is relevant to the use of resources. An example of efficiency is the machine-hours to output ratio in a factory. An increase in output without a corresponding increase in input or getting the same output as before with a reduced input indicates an increase in efficiency. It is relatively easier to measure efficiency in cases where the inputs and outputs are of a repetitive or mechanical nature. We can devise standards for measuring efficiency in such situations. As compared to this, it is quite difficult to measure efficiency where the inputs and outputs are non-repetitive. For example, it is easier to determine the efficiency of a power house in producing electricity as compared to measuring the efficiency of a doctor who is examining patients, each of whom may be unique.

c) Effectiveness:

This is concerned with how well an activity is achieving its policy objectives or other intended effects.

Effectiveness has been defined as an ends oriented concept that measures the degree to which predetermined goals and objectives for a particular activity or program are achieved. Of all the meanings attached to the word effectiveness, probably the most common is related to the achievement of goals.
Also known as Comprehensive Auditing. Abbreviated as VFM auditing.

Value for money can often only be judged by comparison. In searching for value for money, present methods of operation and uses of resources must be compared with alternatives. The following list identifies areas of an organization, process or activity where there might be scope for significant value for money improvements. Each of these should be reviewed within individual organizations.
- Service delivery
- Management process
- Environment

An alternative approach is to look at areas of spending. A value for money assessment of economy, efficiency, and effectiveness would look at whether:
- Too much money is being spent on certain items or activities, to achieve the targets or objectives of the overall operation
- Money is being spent to no purpose, because the spending is not helping to achieve objectives
- Changes could be made to improve performance

An illustrative list is shown below of the sort of spending areas that might be looked at, and the aspects of spending where value for money might be improved.
- Employee expenses
- Premises expenses
- Suppliers and services
- Establishment expenses
- Capital expenditure

Problems with VFM auditing:


1) Measuring outputs
2) Defining objectives
3) Sacrifice of quality
4) Measuring effectiveness
5) Over-emphasis in cost control
6) Measuring efficiency

Information technology audit:


An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement. It is likely to be necessary to have an IT specialist in the internal audit team to undertake an audit of the controls, as some of them will be programmed into the computer system.

An IT audit is different from a financial statement audit. While a financial audit's purpose is to evaluate whether an organization is adhering to standard accounting practices, the purposes of an IT audit are to evaluate the system's internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight.

Various areas of IT in the business which might be subject to a test of controls by the auditors are listed below:
- E business
- Database management system
- System development process
- Problem management
- Change management
- Networks
- Asset management
- Desktop audit
- Capacity management
- Access control
- Operational system

Information Systems (IS) Audit


There are three basic kinds of IS Audits that may be performed:

1. General Controls Review
A review of the controls which govern the development, operation, maintenance, and security of application systems in a particular environment. This type of audit might involve reviewing a data center, an operating system, a security software tool, or processes and procedures (such as the procedure for controlling production program changes), etc.

2. Application Controls Review
A review of controls for a specific application system. This would involve an examination of the controls over the input, processing, and output of system data. Data communications issues, program and data security, system change control, and data quality issues are also considered.

3. System Development Review
A review of the development of a new application system. This involves an evaluation of the development process as well as the product. Consideration is also given to the general controls over a new application, particularly if a new operating environment or technical platform will be used.

Best value audit:


Best value is a performance framework introduced into local authorities by the UK government. They are required to publish annual best value performance plans and review all of their functions over a five year period. As part of best value, authorities are required to strive for continuous improvement by implementing the 4 Cs:
- Challenge: How and why is a service provided?
- Compare: Make comparisons with other local authorities and the private sector.
- Consult: Talk to local taxpayers and services users and the wider business community in setting performance targets.
- Compete: Embrace fair competition as a means of securing efficient and effective services.

One of internal audit's standard roles in a competition is to provide assurance that internal control systems are adequate to promote the effective use of resources and that risks are being managed properly. This role can be extended to ensure that the local authority has arrangements in place to achieve best value, that the risks and impacts of best value are incorporated into normal audit testing and that the authority keeps abreast of best value developments. As best value depends on assessing current services and setting strategies for development, internal audit can take part in the position audit, as they should have a good understanding of how services are currently organized and relate to each other. As assurance providers, internal audit will play a key part in giving management assurance that its objectives and strategies in relation to best value are being met.

Financial audit:
A financial audit, or more accurately, an audit of financial statements, is the verification of the financial statements of a legal entity, with a view to express an audit opinion. The audit opinion is a reasonable assurance that the financial statements are presented fairly, in all material respects, or give a true and fair view in accordance with the financial reporting framework. The purpose of an audit is to enhance the degree of confidence of intended users in the financial statements. Financial audits are typically performed by firms of practising accountants who are experts in financial reporting. The financial audit is one of many assurance functions provided by accounting firms. Many organisations separately employ or hire internal auditors, who do not attest to financial reports but focus mainly on the internal controls of the organization. External auditors may choose to place limited reliance on the work of internal auditors. Internationally, the International Standards on Auditing (ISA) issued by the International Auditing and Assurance Standards Board (IAASB) is considered as the benchmark for audit process. Almost all jurisdictions require auditors to follow the ISA or a local variation of the ISA.

Financial audits exist to add credibility to the implied assertion by an organization's management that its financial statements fairly represent the organization's position and performance to the firm's stakeholders. The principal stakeholders of a company are typically its shareholders, but other parties such as tax authorities, banks, regulators, suppliers, customers and employees may also have an interest in ensuring that the financial statements are accurate. The audit is designed to increase the possibility that a material misstatement is detected by audit procedures. A misstatement is defined as false or missing information, whether caused by fraud (including deliberate misstatement) or error. "Material" is very broadly defined as being large enough or important enough to cause stakeholders to alter their decisions.

The financial audit is internal audit's traditional role. It involves reviewing all the available evidence to substantiate information in management and financial reporting. The substantive procedures and tests of controls employed by external audit are also used by internal audit. The importance of controls in preventing financial reporting errors means that it is necessary to review certain areas regularly to ensure the relevant controls continue to be in place. Many internal audit functions will therefore adopt a cycle approach to financial internal audit engagements to ensure each area is reviewed on a regular basis.

The below diagram shows a cycle that could be followed along with some examples of areas that may be considered as part of the reviews of those areas.

Revenue and cash collections:
- Order processing
- Recording of sales and receivables
- Billing procedures
- Returns procedures

Acquisitions and expenditures:
- Processes surrounding purchase orders
- Invoice processing
- How are receipts, liabilities, cash expenditure, and accrued expenses accounted for?

External financial reporting:
- How the FSs are prepared?
- Controls over financial reporting
- How the accounting policies are selected?
- Unusual items

Production or conversion:
- Inventory planning and storage of goods

Financial capital and payment:
- Paying interest and dividends
- Purchases/sales of investments
- Recording stock options and treasury stock

Personnel and payroll:
- Starters and leavers
- Authorization of payroll rates, additions & deductions
- Running the payroll and paying employees
- Tax returns and payments

Operational audits:
Operational audits are audits of the operational processes of the organization. They are also known as management or efficiency audits. Their prime objective is the monitoring of management's performance, ensuring company policy is adhered to.

Approaching operational internal audit assignments:

There are two aspects of an operational assignment:
- Ensure policies are adequate
- Ensure policies work effectively

In terms of adequacy, the internal auditor will have to review the policies of a particular department by:
- Reading them
- Discussion with the members of the department

Then the auditor will have to assess whether the policies are adequate, and possibly advise the board of improvement. The auditor will then have to examine the effectiveness of the controls by:
- Observing them in operation
- Testing them

Procurement audits: Procurement is the process of purchasing for the business. A procurement audit will therefore concentrate on the systems of the purchasing department(s). The internal auditor will be checking that the system achieves key objectives and that it operates according to company guidelines.

Examples include: Audits of purchasing, marketing, selling and distribution expenses, production.
Internal auditors perform an operational audit as part of the assurance services they render to organisations.

Operational Audit
A future-oriented, systematic, and independent evaluation of organizational activities. Financial data may be used, but the primary sources of evidence are the operational policies and achievements related to organizational objectives. Internal controls and efficiencies may be evaluated during this type of review.

Audits
Types of Audits and Reviews:
1. Financial Audits or Reviews
2. Operational Audits
3. Department Reviews
4. Information Systems Audits
5. Integrated Audits
6. Investigative Audits or Reviews
7. Follow-up Audits

Department Review
A current period analysis of administrative functions, to evaluate the adequacy of controls, safeguarding of assets, efficient use of resources, compliance with related laws, regulations and University policy and integrity of financial information.

Integrated Audit
This is a combination of an operational audit, department review, and IS audit application controls review. This type of review allows for a very comprehensive examination of a functional operation within the University.

Investigative Audit
This is an audit that takes place as a result of a report of unusual or suspicious activity on the part of an individual or a department. It is usually focused on specific aspects of the work of a department or individual. All members of the campus community are invited to report suspicions of improper activity to the Director of Internal Auditing Services on a confidential basis. Her direct number is 562-985-4818.

Follow-up Audit
These are audits conducted approximately six months after an internal or external audit report has been issued. They are designed to evaluate corrective action that has been taken on the audit issues reported in the original report. When these follow-up audits are done on external auditors' reports, the results of the follow-up may be reported to those external auditors.

Scope and Purpose of Internal Audit


Internal audit is an independent appraisal function established within an organisation to examine and evaluate its activities as a service to the organization. Thus, the internal auditor is employed by management to assist them in co-ordinating the performance of the organisation. Today, the size of many organizations makes it impossible for top management to exercise direct control and supervision of operations. As remoteness increases, so the factors of misinterpretation, misunderstanding and misjudgement operate in such a way as to hamper the achievement of the set goals. The internal auditor may therefore be used to bridge the gap between management and the shop floor and can assure management that the policies and systems laid down are being adhered to. Equally, the internal auditor will be able to provide an independent check on the accounting records and other operations of the organization.

Scope of internal audit and the role of the internal auditor


The scope of an internal audit department is by definition set by management since it is designed purely as a management tool. Maximum benefit is therefore obtained from the employment of an internal audit department if the scope of its duties is extended beyond mere checking of the accuracy of the fundamental records. The auditors should not be restricted by functional boundaries within the organisation as their work should cover all aspects of financial and non-financial matters. In order to do this, they must be completely divorced from executive responsibility and allowed to investigate any area of the organisation's activities. They must be fully conversant with all clerical systems and methods of production and distribution. They should be responsible directly to the board of directors or very senior management, or, if the organisation's size will permit, an audit committee of the board made up of non-executive directors.

Purposes of internal audit


The major purposes of an internal audit are as follows:

Verification of the accuracy of the financial records and of related reports and statistics

This is a continuous process and is important not only for the annual accounts but for periodic costing statements which are used by management for decision-making. In order to ensure the accuracy of these records, the internal auditor must ascertain that an adequate and effective system of accounting is being maintained and that an adequate system of authorisation for entries in records is also being kept.

To ensure that the standard accounting practices of the organisation are being adhered to

For this purpose, it is vital that the internal auditor be kept fully aware of any changes in standard practice.

To review and improve the system of internal check

The internal auditor should be fully acquainted with every system of internal check in the organisation; no change should be made without his agreement. It has been argued that the internal auditor should not be the instigator of a system of internal check in an organisation, as this may deter him or her later from taking an objective view of the system. However, this is a difficult point as the internal auditor is usually the best equipped person in the organization, in terms of knowledge of existing systems and their weaknesses, to design a new system.

To ascertain that proper authority is given for the purchase and disposal of the assets of the organisation, and that there is adequate protection afforded to, and efficient use of, those assets

The internal auditor must satisfy himself not only that assets are purchased and disposed of according to authorizations given by management but also that while owned by the organisation they are adequately safeguarded, e.g. by insurance and safe custody of stock. Furthermore, he must be satisfied that assets are used efficiently so that, for example, wastage is kept to a minimum and scrap is disposed of or recycled whenever possible.
• To confirm that liabilities have only been incurred in respect of the legitimate operations of the organization

The internal auditor must be aware of all the types of operation carried on by the organization so that he can recognise immediately if a liability has been incurred which is not relevant to any of the operations. He must be given access to all types of information, including minutes which may authorise unusual transactions.
• The prevention and early detection of fraud

The internal auditor must satisfy himself that the system of internal controls will prevent and detect fraud.
• To undertake special investigations at the request of the management

If irregularities within the organization are discovered it is important that they are reported to and investigated by the internal audit department. It is undesirable that the senior management in the relevant department where the irregularities have occurred conduct their own investigation, as the problem could be due to poor supervision or poor instruction. In addition, the view taken would not be totally unbiased.

Internal audit reports


Internal auditors typically issue reports at the end of each audit that summarize their findings, recommendations, and any responses or action plans from management. An audit report may have an executive summary; a body that includes the specific issues or findings identified and related recommendations or action plans; and appendix information such as detailed graphs and charts or process information. Each audit finding within the body of the report may contain five elements, sometimes called the "5 C's":

1. Condition: What is the particular problem identified?
2. Criteria: What is the standard that was not met? The standard may be a company policy or other benchmark.
3. Cause: Why did the problem occur?
4. Consequence: What is the risk/negative outcome (or opportunity foregone) because of the finding?
5. Corrective action: What should management do about the finding? What have they agreed to do and by when?

The recommendations in an internal audit report are designed to help the organization achieve its goals, which may relate to operations, financial reporting or legal/regulatory compliance. They may relate to effectiveness (i.e., whether goals were met or compliance with standards was achieved) or efficiency (i.e., whether the outputs were generated with minimum inputs). Audit findings and recommendations also relate to particular assertions about transactions, such as whether the transactions audited were valid or authorized, completely processed, accurately valued, processed in the correct time period, and properly disclosed in financial or operational reporting, among other elements.

Internal auditors produce reports for directors and management as a result of work performed. These reports are internal to the business and are unlikely to be shared with third parties other than the external auditors. Regardless of the nature of the assignment, however, all internal audits are likely to result in a formal report. The report is the end result of the general internal audit process.

Step 1: plan the assignment and agree objectives
Step 2: collect data
Step 3: analyse and interpret data
Step 4: develop workpapers
Step 5: review workpapers
Step 6: draw conclusions
Step 7: develop recommendations
Step 8: report results

At the end of the audit engagement, the results have to be communicated to relevant staff. The results will be made up of a number of findings and recommendations and their aim is to get management to implement measures to solve the problems identified. Internal audit reports are most likely to be received favourably if there are no surprises, i.e. the findings should already have been discussed with key personnel and their views incorporated to ensure the recommendations in the report are suitable, feasible, likely to work and likely to be accepted by management.

Usually at the end of the fieldwork, the internal auditors produce a draft report which is sent out for consideration by the relevant management. The internal auditors will meet with management to discuss the work and the findings and recommendations. This is known as an exit meeting. After the meeting, the internal auditors then produce a formal report which, once approved by the relevant people, is used to produce the final report for distribution.

Exit meetings:
An exit meeting is held at the end of the internal audit engagement after a draft report has been produced. The people at this meeting are likely to include both operational staff who understand the workings of the operation that has been reviewed, and staff with suitable levels of authorization to authorize the implementation of the corrective actions identified. The objectives of this meeting are to:

• Discuss the findings and associated recommendations.
• Provide management with the opportunity to give their views on, and ask for clarification of, the observations and recommendations, allowing any misunderstandings to be resolved.
• Agree on possible solutions to the problems the internal audit assignment has identified.

Final report:
Depending on the organization in question, the final report may take the form of a written report or take a different format, such as a PowerPoint presentation. One format is laid out below. This format makes the report useful to readers as it highlights the conclusions drawn and gives easy reference to the user.

Standard report format:

• Terms of reference
• Executive summary
• Body of the report
• Appendices for any additional information

The executive summary is likely to be a condensed version of the full report. An executive summary in an internal audit report will usually include:

• Background to the assignment
• Objectives of the assignment
• Major outcomes of the work
• Key risks identified
• Key action points
• Summary of the work left to do

Although the content and format of the final internal report will vary, somewhere the report should, as a minimum, describe the purpose, scope and results of the engagement.

Minimum contents

Purpose: The objective of the audit engagement should be clearly stated. This makes the report easier to read and helps the reader to interpret it. Findings should be linked back to this objective.

Scope: The scope defines what specifically is audited. It identifies which activities are audited and also highlights any activities that are excluded from the audit.

Results: This should include:
• Observations
• Conclusions
• Opinions
• Recommendations
• Action plans

In addition, the final internal audit report may include the following, optional, sections.

Additional contents

Background information: This could include information such as details of the organization and the activities reviewed, and the outcome of previous audits of the same areas.

Summaries: An executive summary may be included to present the main findings of the report for those who do not have time to read the entire report.

Accomplishments: Improvements in relation to the past audit of the area may be acknowledged.

Opinions: The opinions of management or other staff on the findings and recommendations may be incorporated into either the main body of the report, an appendix or as a covering letter. Executives may need to intervene if there is a disagreement between management and internal audit.

High quality internal audit reports will have the following attributes:

Accurate: The report should be free from error.
Objective: It should be fair, impartial and unbiased. It should be based on facts.
Clear: The report should be logical, easily understood and free from jargon.
Concise: It should be to the point and free from unnecessary detail.
Complete: No information essential to the intended audience should be omitted.
Timely: The report should convey a sense of urgency.

Distribution of the final report:


The full report should be provided to those people who can take corrective action on the issues raised in the report. Summary reports should be provided to more senior managers. Communication may also go to:

• External auditors
• The board
• Others who are affected by, or interested in, the results.

Amendments: If any amendments are made to the report after it has been issued, a new report should be issued which highlights any changes. This should be distributed to everyone who received the original report.

Releasing the report: If the report is to be released to parties outside the organization, the risks to the organization of doing so should be assessed. Approval to release should be gained from senior management, legal counsel or both.

Management response:
After the issue of the final report, management will be given the opportunity to provide their formal response to the report. This formally communicates back what is going to be done about the recommendations raised.

Outsourcing the Internal Audit Function:


Outsourcing is the use of external suppliers as a source of finished products, components or services. It is also known as sub-contracting. It can be expensive to maintain an internal audit function consisting of employees of the company. It is possible that the monitoring and review required by a certain company could be done in a small amount of time and full-time employees cannot be justified. It is possible that a number of internal audit staff are required, but the cost of recruitment is prohibitive, or the directors are aware that the need for internal audit is only short-term. In such circumstances, it is possible to outsource the internal audit function, that is, purchase the service from outside. In this respect, many of the larger accountancy firms offer internal audit services. It is likely that the same firm might offer one client both internal and external audit services. In such circumstances the firm would have to be aware of the independence issues this would raise for the external audit team and implement safeguards to ensure that its independence and objectivity were not impaired.

Advantages

• Staff do not need to be recruited, as the service provider has good quality staff.
• The service provider has different specialist skills and can assess what management require them to do.
• Outsourcing can provide an immediate internal audit department.
• Associated costs, such as staff training, are eliminated.
• The service contract can be for the appropriate time scale.
• Because the time scale is flexible, a team of staff can be provided if required.
• It can be used on a short-term basis.

Disadvantages

• There will be independence and objectivity issues if the company uses the same firm to provide both internal and external audit services.
• The cost of outsourcing the internal audit function might be high enough to make the directors choose not to have an internal audit function at all.
• Company staff may oppose outsourcing if it results in redundancies.
• There might be a high staff turnover of internal audit staff.
• The outsourced staff may only have a limited knowledge of the company.
• The company will lose in-house skills.

Managing an outsourced department:


A company will need to establish controls over the outsourced internal audit department. These would include:

1. Setting performance measures in terms of cost and areas of the business reviewed and investigating any variances.
2. Ensuring appropriate audit methodology (working papers/reviews) is maintained.
3. Reviewing working papers on a sample basis to ensure they meet internal standards/guidelines.
4. Agreeing internal audit work plans in advance of work being performed.
5. If the external auditor is used, ensuring the firm has suitable controls to keep the two functions separate so that independence and objectivity are not impaired.
