SESSION 33 – INTERNAL AUDIT OVERVIEW Objective To describe the role, scope and functions of internal audit and the nature and extent of internal review assignments INTERNAL AUDIT RISK MANAGEMENT Definition Relationship between external and internal auditors Scope of work Approach to assignments Assessing need for function Outsourcing Internal audit’s role CORPORATE GOVERNANCE Session BUSINESS RISK, INTERNAL CONTROL Session ASSIGNMENTS REPORTS Value for money Best value IT audit Financial process audit Operational audit Procurement Marketing Treasury HR Overall approach Primary purposes Reporting arrangements Structure Timing Example 3301 SESSION 33 – INTERNAL AUDIT INTERNAL AUDIT 1.1 Definition An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes (Institute of Internal Auditors IIA) This definition usefully outlines the relationship between internal audit and the management of an entity Key elements that have not be covered elsewhere within the study system are: Add value – Organizations exist to create value or benefit to their owners, other stakeholders, customers, and clients Value is provided through: − − the development of products and services; and the use of resources to promote those products and services When gathering data to understand and assess risk, internal auditors gain insight into operations and opportunities for improvement that can be beneficial to the organization Control is any action taken by management, the board, etc to enhance risk management and increase the likelihood that established objectives and goals will be achieved Adequate control is present if management provides reasonable assurance that: − − risks have been managed effectively; and goals and objectives will be achieved efficiently and economically Governance process is the procedures utilized by the representatives of the entity’s stakeholders to provide oversight of risk and control processes administered by management 3302 SESSION 33 – INTERNAL AUDIT 1.2 Relationship Between External And Internal Auditors 1.2.1 External 1.2.2 Internal Role To provide an independent opinion (in a report) on financial statements (see Sessions and 30) To appraise, examine and evaluate organisational activities and assist management in discharging its responsibilities Required by Statute (typically) Management, usually in larger organizations, will be urged/required by best practice (e.g governance codes) to continually review need for internal audit Appointed by Shareholders (usually at an Annual General Meeting) or directors Highest level of management charged with responsibility for internal audit (e.g audit committee under corporate governance codes) Reports to Shareholders (primary statutory duty) and management (professional responsibility) For listed companies, usually the audit committee under corporate governance codes For other companies, the highest level of management charged with governance (e.g the board) Reports on Financial statements Primary responsibility is of a financial focus Organisational risk management, internal control and quality of performance Focus is operational as well as financial Forms opinions on “True and fair view” (or similar) of financial statements Effectiveness of risk management strategy and operations, operation of corporate governance, adequacy and effectiveness of internal control and other business functions as a contribution to the economic, efficient and effective use of resources (See section 3) 3303 SESSION 33 – INTERNAL AUDIT External Internal Status Independent of client company Employee (therefore potentially less objective) Qualification Usually ACCA, ICAEW, ICAI or ICAS May also be members of other professional bodies (e.g IIA) or unqualified Scope of assignment Unlimited, to fulfil statutory obligation Usually defined by legislation as well as ISA Prescribed by management, those charged with governance or audit committee (see 1.3 below) Conduct of audit In accordance with ISAs, for example Similar, Standards for the Professional Practice of Internal Auditing including ethics 3304 SESSION 33 – INTERNAL AUDIT 1.3 Scope of work Understand the key business risks (including fraud) and assess the adequacy of the processes by which these risks are identified, evaluated and managed (see Section 2); Review the sufficiency of the information, and the adequacy and operation of controls, used to manage those risks; Assess the reliability and integrity of key financial and operating information, and the means used to identify, measure, classify and report such information; Review the processes and systems to ensure adherence with those policies, plans, procedures, laws and regulations which could have an impact on the company, and determine whether it is in compliance therewith; Review the means of safeguarding assets and other key resources, especially information in hard copy or on computer systems, including business contingency plans and the security of computer systems; Review operations or projects (including systems under development) to ascertain whether results are consistent with established objectives and goals and, whether the operation or projects are being carried out as planned; Monitor corrective action plans to ensure that management implement them promptly and effectively; Advise management on cost effective controls for new systems and activities; and Liaise with those charged with governance (eg the audit committee) and the external auditors (as necessary) 1.4 Approach to assignments The general framework in which internal auditors will approach their assignments is not that dissimilar to the approach used by external auditors Both require terms of reference – the external auditor within the letter of engagement, the internal auditor within the scope of instructions given by management/audit committee Both need to understand the entity, its environment and internal control In particular, the internal auditor will need to cover all controls (not just financial) that are relevant to their assignment Both will need to plan and document their work Materiality, risk assessments, sampling, analytical review, use of CAATs (especially in systems heavily reliant on information technology) are all aspects of the internal auditor’s planning and work procedures Both apply strong quality control procedures (e.g IAASB and IIA requirements) 3305 SESSION 33 – INTERNAL AUDIT Both will report on their work, although (as noted above) the nature and format of the reports are different 1.5 Assessing the need for an internal audit function When the board and senior management is sufficiently close to the business and the systems are not so complex, the following sources of assurance about the way the business is operated may prove to be adequate: the views of, and representations from, executive directors and senior managers; the views of other employees through (say) a self-assessment process; results of management’s internal confirmation procedures; regular information on financial and operational matters; performance indicators; early warning mechanisms; external auditors’ management letters; reports of any relevant external regulators; reports (if any) from relevant internal compliance functions In such cases there may be no immediate need for an internal audit function However, as organizations grow and: become more geographically diverse; business is undertaken in new environments (e.g e-commerce); develop new products and competitive pressures increase; systems become more complex; change is the norm; then management’s time and attention can be very stretched In particular, when a company becomes listed, the demands placed on management for transparency and effective running of the business by the stakeholders are significantly increased 1.5.1 Key issues As many stock exchanges require listed companies to operate internal control functions (or explain why they not in their annual reports) the key issues to consider may mainly relate to larger, unlisted entities Are the existing management processes adequate to: − − identify and monitor the significant risks facing the company; and confirm the effective operation of the established internal control systems? With ever increasing pressures on management at all levels, can those who are responsible for managing risks and operating controls always take a wholly objective and systematic view of their own performance? Does the board receive the right quality of assurance and information from management and is it reliable? 3306 SESSION 33 – INTERNAL AUDIT Example Suggest additional matters that directors might consider when assessing the need for an internal audit function Solution 1.5.2 Needs of the Board Board – A board of directors, audit committee of such boards, head of an agency or legislative body to whom internal auditors report, board of governors or trustees of a nonprofit organization, or any other designated governing bodies of organizations The board needs to obtain assurances that its risk and control processes are effective Management, internal audit and others may provide such assurance Objective assurance and advice is provided by an internal audit function, thereby assisting the board and senior management with their stewardship responsibilities Boards, audit committees and senior management now recognise that what is of relevant value to their business is the internal auditors’: knowledge of the organisation, its systems and its processes; and skills and experience (e.g in independently reporting on their findings and making recommendations to improve effectiveness of the processes) 3307 SESSION 33 – INTERNAL AUDIT 1.6 Outsourcing Outsourcing internal audit has increased as the need for internal audit has increased (e.g to better meet requirements of corporate governance): Small companies may outsource because the not have the resources to set up their own department Larger companies may decide that resources are best used elsewhere and not invest in this non-core (though essential) area Such services are offered by specialised internal audit providers as well as the “global” and other accounting firms 1.6.1 Factors to be considered What to outsource? The whole of internal audit services; or Specific functions (e.g environmental auditing) What (and/or who) to retain? The head of internal audit may be retained as an employee (to keep a high level responsibility within the company) Terms of reference: What services will be provided? Who does the service provider report to? What form will reports take? What action will be taken if problems occur? How will fees be determined and charged? 1.6.2 Benefits to the company Costs – A company with an in-house internal audit service must pay salaries, training and overheads Whilst the contractors’ fees will also be set to cover these there may be economies of scale The company would only pay for resources when required and so overall the total cost may be cheaper Consistency with external audit – There may be greater consistency in approach between the internal and external auditors This may mean external audit can place more reliance on internal audit work (see Session 34) and hence the company would benefit from a lower external audit fee Skills – Contracting-out internal audit allows the company to bring in new skills External providers will have wider experience gained by auditing other companies New techniques – Both the internal and external audit markets are very competitive This encourages firms to develop new techniques which are more efficient and effective Contracting out gives the company access to these techniques without a high level of investment 3308 SESSION 33 – INTERNAL AUDIT Management time – Management time and resources can be freed to concentrate on core areas of the business instead of peripheral ones Liability – Legal action may be brought against an external service provider if their standards are not acceptable 1.6.3 Disadvantages to the company Skills – An external contractor may lack the specialist skills relevant to a particular company which an in-house service will possess Once a contractor is brought in these skills may be lost forever Constraints on service – The service provider will need to act in accordance with the terms of reference This may mean they are unable to follow up suspicious circumstances outside their duties without first seeking permission from the company and re-negotiating the terms of reference Flexibility – An in-house department will provide a permanent presence whilst contracted out services may only be at the company for discrete periods In-house staff may have more commitment to the company (e.g willingness to work overtime, travel, etc) Outsourcing may result in reduced staff availability and flexibility Conflicting reporting lines – Internal audit should report to the audit committee or board of directors However as an employee of the audit firm the auditor may be expected to report to the partner The audit firm will be responsible for issues such as promotion and training and therefore they need to monitor internal audit staff Expectation gap – An expectation gap has existed for external audit for many years If the profession cannot meet public expectations for a narrow role which is defined by statute can they meet management expectations for a wider role? The company may discover too late that they are not getting what they want If a contract has been agreed it may be difficult to change Standard of service – Once an external provider has secured the contract the level of service provided may fall The audit committee/board of directors must monitor and ensure that the quality of staff provided is satisfactory and work is completed according to the terms of reference Corporate culture – Contracting out any service involves a change to corporate culture Unless managed sensitively, outsourcing may lower employee morale, reduce performance, generate a negative cultural impact, create permanent job insecurity 1.6.4 Service provider issues Skills – The service provider must have the appropriate skills and expertise to undertake the internal audit role Whilst there are overlaps between internal and external audit, internal audit usually fulfils a wider role Staff management – Undertaking internal audit functions may improve staff management where the service provider is an audit/accountancy practice Internal audit work may be conducted during slacker times when there are fewer external audit engagements However internal audit must not be a lower priority 3309 SESSION 33 – INTERNAL AUDIT Effect on external audit – Although there are overlaps, the roles of internal and external audit are different If both roles are performed by the same firm the distinction could become blurred This could lead to a reduced level of service overall and a lower level of credibility being attached to the external auditor’s report (See Session re ethical issues for the external auditor) 1.6.5 Independence issues A benefit to the company – Outsourcing increases independence as an in-house department can never be truly independent Staff from an external firm will be subject to the same ethical guidelines (see Session 4) as for external audit, and the firm should have mechanisms to ensure compliance Rotation of staff is more likely, so close relationships not build up between internal audit staff and the client Drawbacks – The external provider could become dependent on client The risk is perceived to be particularly great where the internal auditor is the external auditor 1.6.6 Restrictions Although there are no legal restrictions on the outsourcing of internal audit to a thirdparty service provider, legal and/or ethical standards may restrict this practice to prevent external auditors from acting in client roles For example, statutory auditors are precluded from serving as internal auditor to clients whose financial statements they certify in many countries (e.g US, France, India, Italy, New Zealand and Norway) BUSINESS RISK MANAGEMENT 2.1 Internal audit’s role in risk management Business risk and risk management was discussed in Session Fraud was discussed in Session 11 2.1.1 Assurance role A proper system of internal control in practice requires a proper system of risk management and organisational control Internal auditors not judge the appropriateness of a company’s objectives or the board’s strategies to achieve those objectives They examine the effectiveness of the processes by which the consequent risks are identified, managed, mitigated and reported Internal auditors also add value by the identification of opportunities to improve the cost effective management of risk The assurance role of internal audit is to deliver assessments of the adequacy and effectiveness of the processes by which risks are: identified and prioritised; managed, controlled and mitigated; and reported, such that the residual risks are recognised by, and are clearly acceptable to, the board 3310 SESSION 33 – INTERNAL AUDIT OTHER ASSIGNMENTS 3.1 Value for money VFM auditing is evaluation of management’s achievements in terms of the economy, efficiency and effectiveness (the “Es”) of operations 3.1.1 The “3 Es” VFM has been prominent in the public sector (e.g in the UK) since the 1980s when “audit” was narrowly interpreted as a financial audit Economy is about obtaining specified resources (inputs, eg material, finance, human, time) at the lowest cost Efficiency is the achievement of either: − − the maximum output (at a given quality) from a given input; or a given output (at a given level of quality) from the minimum input Effectiveness is the achievement of outputs which meet management’s objectives Objectives Effectiveness Economy Resources Inputs Process Outputs Efficiency VFM audits are carried out to ensure that corporate resources, shareholders funds and taxpayers’ contributions are not wasted However, the VFM audit process may or may not be empowered to question whether the objectives set were justified Very often a benchmark is required VFM can only be judged by comparison (external or internal eg between departments or divisions) Present methods of operation and use of resources must be compared with alternatives to see if value for money is being obtained 3.1.2 Role of internal auditing Top management is responsible for committing the organisation to a VFM review process The head of internal audit is responsible for conducting VFM reviews and for comparisons between functions and across time Internal audit can report (for example) on: 3312 SESSION 33 – INTERNAL AUDIT unnecessary spending (e.g overtime guaranteed when work is completed in normal hours); misdirected spending (e.g capital expenditure outlay on lower quality assets requiring higher level of revenue expense quality); over-priced spending (e.g discounts are unclaimed); under-recovered revenue (e.g failure to collect on disposals of assets) Line management should take responsibility for implementing the VFM review, although very often the responsibility remains with the head of internal audit They will be responsible for implementing the recommendations from a VFM review 3.1.3 Advantages of VFM Management attention is focused on economy and efficiency but this is tempered by the need for effective performance It promotes the use of performance indicators It should eventually lead to self measurement with audit only used to compare performance between business units on an objective basis Although VFM audit is often used to promote cost savings, it can also be used to identify revenue opportunities 3.1.4 Disadvantages VFM Economy and effectiveness are often opposed, eg saving money may result in the need for lower quality This is often overcome by treating one element as fixed, eg achieving savings based on an agreed quality level It is difficult to create a balance between short term and long term gains and thus savings now may lead to additional costs in future Savings in one area may create additional costs to another area, eg reducing costs of production but increasing other costs because of quality rejects or warranty repairs Comparisons between business units may be spurious, eg one business unit may excel at a particular process, the costs of which are relatively high compared to other processes carried out by other units So measuring the cost per process will not be meaningful VFM targets may be manipulated by managers, eg production is arranged to meet the target rather than what is actually required Once performance indicators have been established the audit work is routine and not especially challenging 3313 SESSION 33 – INTERNAL AUDIT 3.2 Best value “Best Value is a duty to deliver services to clear standards – covering both cost and quality – by the most effective, economic and efficient means available.” “Best Value seeks to secure continuous improvement in the way its functions are exercised, having regard to a combination of economy, efficiency, and effectiveness.” The “best value” audit has evolved from VFM auditing in the public sector and local and central government It incorporates the “4 Cs”: Challenge – why and how a service is provided; Consult – local taxpayers, service users, partners and the wider business community in the setting of new performance targets; Compare – with the performance of others across a range of relevant indicators to aim to improve; Compete – consider fair competition as a means of securing efficient and effective services Internal audit can ensure that the concept of best value is incorporated into the risk management process of the entity in assessing current services and setting strategies for development As a service provider (to management) the internal audit function itself must be able to demonstrate best value 3.3 IT audit Information systems are pervasive through most organisations and would in most cases be considered a significant business risk through, for example: no IS strategy or a strategy that does not fit the business strategy; poor project management; poor system design (including controls) development and implementation; acceptance of inappropriate system; significant expenditure for a system that does not deliver; poor security, transaction integrity and process alignment; corruption of data used by management for decision making; access to sensitive information by unauthorised personnel; unexpected (non-scheduled) downtime; breaches of laws and regulations; no or inappropriate disaster recovery procedures 3314 SESSION 33 – INTERNAL AUDIT 3.3.1 Information systems auditing Session 12 covered CIS, CIS controls and electronic commerce The primary role of internal audit will be to review and report on all aspects of IS within the organisation, eg ensure that the controls and systems operate as intended Application controls (i.e controls to ensure completeness, accuracy, security and effectiveness of processing) exercised over input, output, processing, computer files and master files; and General installation controls (i.e controls over the acquisition, development maintenance and operation of computer-based systems) 3.3.2 System development project audit The deliverable of a systems development project is a new information system The primary purpose of auditing a system under development is to ensure that: adequate, effective controls are built into the system; complementary manual controls are designed to ensure adequate and effective internal controls over the business system as a whole; the most efficient combination of manual and automated, preventative and detective controls are designed and implemented In addition internal audit can: provide assurance that IS projects are being effectively and efficiently managed; and carry out appropriate testing (eg static, dynamic, unit, system, performance) at each stage of the system’s development process to ensure that the deliverable from each stage meets the specifications of that stage (eg review the systems analyst notes of meetings with a user and agree that these have been reviewed and approved by the user; test the design and programming of the application controls that they – internal audit - initiated) 3.4 Financial processes audit The financial process audit is effectively internal audit’s traditional role Accounting and financial processes include: receiving value from sales transactions, disposals of assets, investments (interest income); “bought ledger” processing (of invoices for goods and services before suppliers are paid); treasury functions (see later); supplying financial and management information (e.g to stakeholders); appraising new business developing and maintaining accounting systems and financial controls 3315 SESSION 33 – INTERNAL AUDIT The purpose of the accounting and financial process audit is to review all available evidence to substantiate information in management and financial reporting (such that it is not inappropriate and inaccurate) That is, to minimise risk by ensuring: the completeness and accuracy of recorded transactions; that assets are safeguarded; that complete, accurate and relevant information is provided on a timely basis; and that accounting and finance functions are managed efficiently 3.5 Operational audit An audit of the operational processes of an organisation (its primary activities and support activities) to ensure that management has: adequate controls and other risk management measures in place to achieve business objectives (risk management) economically and efficiently; and adequate routine assurances which inform them that their controls and risk management measures are effective Also called “process-based” auditing Operational audits may be wholly performance-based or compliance-based or include elements of both approaches Performance-based audit – Processes or activities are evaluated in order to draw conclusions about the adequacy of the products, and the adequacy and effectiveness of the processes associated with those products Compliance-based audit – Uses investigation, discussion, observation, examination, or evaluation to determine the adequacy of and compliance with established procedures, and the effectiveness of their implementation (similar to the standard systems based audit approach, but applied to all controls) 3.6 Procurement Procurement is the process by which materials, goods and services are obtained by an organisation It includes: specifying requirements (e.g parts for production, maintenance support) tendering and open competition; order placement/contracts (only with approved suppliers) receipt of goods/services and quality checking correct and prompt payment including obtaining discounts updating books of account, asset registers, etc 3316 SESSION 33 – INTERNAL AUDIT The purpose of a procurement audit is to ensure that risk is minimised in that: goods/services of appropriate quality are available when needed; the required quality is obtained at minimum cost; the correct price is paid for the goods and services received; appropriate laws and regulations are followed; the procurement procedures are followed; and procurement processes are managed effectively The basic audit approach would be to: understand the procurement process and the controls that should be operating; test the operating effectiveness of those controls (including dealing with exception reports); trace transactions through the system; and ensure that the process is operating as intended and laid down within the organisation’s procedures 3.7 Marketing Marketing is the process by which demand for goods is measured and enhanced It is often closely linked to sales Marketing and sales involves: research advertising promotion and image management order acceptance (including creditworthiness and inventory level checks) deliveries payments after sales service customer returns The purpose of a marketing audit is to ensure that, for example: marketing processes are authorised, conducted in accordance with written company policy and apply relevant laws and regulations; complete, accurate, relevant and timely information is obtained from internal and external sources (eg market research) and is freely available to all involved; and advertising, campaigns, promotion and unit pricing is planned, budgeted, costbenefit analysed, monitored and controlled; contingency plans are in place to limit potential image and reputation risk 3317 SESSION 33 – INTERNAL AUDIT 3.8 Treasury The treasury function has evolved from cash management Treasury processes include: funding requirements (for financing working capital, organic growth and acquisitions); investing surplus funds; managing interest rate risks and foreign exchange exposure In most entities, the treasury function is a “cost” function in that its aim is not to make a profit, but to manage and minimise costs of cash flow and investment (eg to avoid paying higher costs in a foreign currency, should that currency move against the entity, through hedging) In other entities it has a specific trading function with the aim of making profits for the entity The basic purpose of a treasury audit is to ensure that: funds are available when needed; financial assets are safeguarded and not put at unnecessary risk; treasury functions are managed efficiently strong controls (eg policies, procedures, segregation of duties, authorisation, limits on trading, oversight, organisational framework and culture) are in place and effectively operate; Because of the nature of treasury management in those areas involving hedging and derivative functions, it is often a challenge to have sufficiently technically competent and experienced individuals within the internal audit function None the less, it is essential that there are There have been many instances of companies (and banks) who have lost significant value and (in one notorious case, Barings Bank) faced collapse through poor controls and a lack of understanding by management and internal audit of the financial trading being carried out 3.9 HR Human resources processes support: the procurement and employment of individuals; and the development of the organisation Operations include: job analysis and personnel specifications; recruitment and selection; pay and reward mechanisms; training and development; disciplinary and grievance; termination of employment; application of laws and regulations 3318 SESSION 33 – INTERNAL AUDIT The purpose of a human resources audit is to ensure that: procedures and policies are followed and applied; personnel are available when needed (eg succession planning); the future development of the organisation is planned, controlled and monitored; relevant legislation (e.g equal opportunities) is complied with; accurate management information is available on a timely basis; and human resource processes are managed efficiently 3.10 Overall approach Note that in considering the above areas, whilst specific points have been made, the overall approach is always to understand the business element, the risks and controls in place and to carry out tests accordingly (see Section 1.3 above) In addition many elements overlap, eg VFM, best value, IS can be applied to marketing and HR INTERNAL AUDIT REPORTS 4.1 Primary purposes The purpose of internal audit reports will be driven by the terms of reference of the assignment Mostly they: provide management with an opinion (eg on the adequacy of the internal control system); and inform management of significant findings, conclusions and recommendations arising from the work carried out Depending on the type of report issued, the aim of the report would be: to provide appropriate assurance to management or recommendations to enhance business performance; to prompt management action to implement recommendations for change leading to improvement in performance and control; and to provide a formal record of points arising from the assignment and, where appropriate, of agreements reached with management Example Suggest FOUR differences between a review report of business performance and a report on a systems compliance review 3319 SESSION 33 – INTERNAL AUDIT Solution 4.2 Reporting arrangements The format and distribution of internal audit reports should be agreed with management The head of internal audit should ensure that reports are sent to managers who have a direct responsibility for the unit or function being audited and who have the authority to take action on the internal audit recommendations Internal audit reports are confidential documents and their distribution should be restricted to those managers who need to know, to the audit committee and to the external auditor While the internal auditor may clear minor matters which not indicate a consistent or systematic weakness with members of staff directly involved, matters of consequence should be reported formally in writing to management 4.3 Structure of the report There are no formal structures, unlike the external auditor’s report, for an internal auditor’s report As with any business report, the structure of the report suites its purpose be it formal, informal, a discussion paper, a presentation (eg with PowerPoint hardcopies) or a monthly summary A typical business report would have the following elements: Terms of reference Executive summary Body of report: − key findings and recommendations − detailed findings and agreed action Appendices The body of the report will depend on the terms of reference For example, for a report on controls the structure may be very similar to management reports produced by the external auditor (see Session 13) However, the content will be very different where the internal auditor is concerned with operational matters of economy, efficiency and effectiveness 3320 SESSION 33 – INTERNAL AUDIT The reports should be clear, constructive and concise based on sufficient, relevant and reliable evidence, which should: state the scope, purpose, extent and conclusions of the assignment; make recommendations which are appropriate and relevant, and which flow from the conclusions; and acknowledge the action taken, or proposed, by management 4.4 Timing An interim report, orally or in writing, should be made where: it is necessary to alert management to the need to take immediate action to correct a serious weakness in performance or control; or where there are reasonable grounds for suspicion of malpractice Consideration should also be given to interim reporting where there is a significant change in the scope of the assignment or where it is desirable to inform management of progress The internal auditor should normally meet with management to discuss the audit findings at the completion of fieldwork for each internal audit assignment and the formal written report should be presented to management as soon as possible thereafter Before issuing the final report, the internal auditor would discuss its contents with the appropriate levels of management In addition, it may usually be necessary to include management comment within the body of the report A draft report for management comment and confirmation of factual accuracy may also be issued prior to finalising the formal report If the internal auditor and management disagree about the relevance of the factual content of the draft audit report, the internal auditor should consider whether reference should be made to this in the final report It is management’s responsibility to ensure that proper consideration is given to internal audit reports The internal auditor should ensure that: appropriate arrangements are made to determine whether action has been taken on internal audit recommendations; or management has understood and assumed the risk of not taking action See Session to review the role of the Audit Committee in relation to internal audit reports 3321 SESSION 33 – INTERNAL AUDIT 4.5 Example INTERNAL AUDIT REPORT Private and confidential The contents of this report are confidential and may include comments of a sensitive nature Care should be taken to ensure that unauthorised personnel not have access to the report and that if it is circulated further, this is done with discretion 23 November 20X6 SCOPE The systems review at … took place from 17 September to 5th October 20X6 objectives of the assignment were: i) ii) iii) iv) To To To To assess ensure review assess The the adequacy of internal controls adherence to statutory legislation and company policies the efficiency and effectiveness of operations the quality of management reporting and information CONCLUSION The branch has been operationally and financially poorly controlled Branch management have reacted positively to the draft report and are actively addressing the issues raised All the points raised in this report and subsequent recommendation made need to be implemented MAIN FINDINGS (References in brackets are to Appendix I) Inventory 1) There is no investigation of “no stocks”1 No stocks have been very high – up to 20% This has led to considerable customer dissatisfaction Formal investigation of no stocks should be introduced to improve the service level to clients (1.1) 2) There is insufficient control over the warehouse systems Before further liability for inventory loss is assumed, the access of staff to the systems must be restricted A report of adjustments cannot be produced by the inventory system to ensure all adjustments are legitimate The production of this report should be prioritised to stop this aspect of the operation running blind Payroll 1) Not reproduced 2) There has beer an apparent lack of supervision and review of the work of the payroll clerk who left the company at the end of August There is a risk that unauthorised amounts may have been paid A full reconciliation to assess the situation further will be performed at the beginning of December (2.2) Etc … 3322 Also called “stock outs” SESSION 33 – INTERNAL AUDIT Security 1) It remains possible to gain unauthorised access into the warehouse on account of the lack of security presence on the route between the car park and the warehouse This should be addressed immediately following the audit (3.1) Etc … Purchases 1) Purchases have been poorly controlled at the branch Typically, invoices have arrived within the accounts department and have been authorised for payment by the former finance manager without reference to the operational management to confirm the legitimacy of the expense The temporary Finance staff has now addressed this situation (6.1) APPENDIX I (EXTRACT) 1.1 Observations There is currently no investigation or recording of no stocks Inventory department are not aware of any no stock report available from the system 2.2 Effect Stores orders are no fulfilled Recommendation The level of no stocks should be traced using either the “issues not confirmed report" or, more crudely, the number of issues physically returned to the office Management’s comments Agreed Target date Immediate Observations There appears to have been little or no independent review of the payroll function by senior management The former finance manager may have performed some checks, however, this has not been evidenced 19 payslips on the payroll of 29/09/06 have been checked in detail employees’ overtime was overpaid because the total hours had been incorrectly summed in input sheets The payroll clerk has left the company, despite an enhanced offer to stay and with new employment to go to Effect The payroll does not appear to have been adequately supervised There is a possibility that, in addition to processing errors, irregularity has occurred Recommendation Duties and controls should be segregated as described in point 2.1 above (not reproduced) There should be full reconciliation between the schedule of employees who have worked at the branch prepared by the human resources department and the payrolls processed to date to ensure persons paid are bona fide and that they have worked the weeks paid The casting of basic and overtime hours by authorising managers should be checked by payroll staff 3323 SESSION 33 – INTERNAL AUDIT Management’s comments The reconciliation will be performed in November by Mrs Motley The accountant will review the standing data expense report every month Payroll personnel will check the addition of hours 3.1 Target date Immediate Observations The security of the site is currently being reviewed by Shield Consultants who are addressing fencing, CCTV coverage and recording and the level of searches (personnel and vehicle) conducted There is still a problem with the ease with which unauthorised persons may gain access to the warehouse without being challenged Also, there is uncontrolled access from the warehouse to the staff car park Effect Inadequate security measures give rise to an increased risk of damage to premises and inventory and to an increased risk of inventory pilferage Recommendation All IDs should be checked when staff enter the warehouse Visitor access should not be permitted until management authorisation is obtained or if visitors have been pre-notified to the gatehouse and the visitor’s Ids have been checked 6.1 Management’s comments Agreed In the short-term the warehouse access store will be manned full-time across all shifts and locked at night There will be 100% ID checks Observations Invoices 1129 – 1746 were checked for adequate authorisation and supporting documentation All invoices were authorised The majority, the former finance manager Only invoices were supported by POs POs in this sample were generally inadequately completed, priced and dated GRNs were not received from the warehouse to confirm receipts of goods Effect The managers initiating purchases are often not involved in the checking or authorisation of invoices Accruals are being understated Recommendation Non-administration invoices should be checked by operational managers Authorised GRNs should be received from managers who have raised requisitions All purchase requisitions should be costed POs may not be priced unless requisitions are priced Management’s comments 3324 Agreed Invoices may be authorised by the financial manger if they have been checked by the requisitioning manager SESSION 33 – INTERNAL AUDIT FOCUS You should now be able to: discuss the factors to be taken into account when assessing the need for internal audit; discuss the elements of best practice in the structure and operations of internal audit with reference to appropriate international codes of corporate governance; compare and contrast the role of external and internal audit regarding planning and the collection of audit evidence; compare and contrast the types of report provided by internal and external audit; discuss the scope of internal audit and the limitations of the internal audit function; explain the types of report provided in internal audit assignments; discuss the responsibilities of internal and external auditors for the prevention and detection of fraud and error; explain the advantages and disadvantages of outsourcing internal audit; discuss the nature and purpose of internal audit assignments including value for money, IT, best value and financial; discuss the nature and purpose of operational internal audit assignments including procurement, marketing, treasury and human resources management 3325 SESSION 33 – INTERNAL AUDIT EXAMPLE SOLUTION Solution — Assessing need for internal audit function Corporate structure and the degree of autonomy of each of the business units Overall corporate culture and management’s philosophy The company’s appetite for risk or its ability to tolerate risk Overall control environment Changes in organisational structure (including delayering), reporting processes and/or underlying information systems Changes in key risks arising from: changes in internal processes (e.g product or service lines or entry into new markets); alterations in external factors such as regulatory requirements Complexity of the company’s systems, especially IT systems The number of moderate to high risk areas which are not appropriately controlled Deteriorating trends in internal control systems evident from the existing monitoring systems Concerns about the level of “risk and control awareness” and the need to educate senior or middle management, or staff An increased incidence of unexpected or unacceptable results or occurrences The views of the company’s external auditors Solution — Business performance reports Are effectively consultancy in nature, style and approach; Greater focus on performance, objectives and processes rather than risks and controls; Deal with improvements to be made rather than mistakes already made; Recommendations based on improvements rather than on actions to address mistakes found 3326 ... plan and document their work Materiality, risk assessments, sampling, analytical review, use of CAATs (especially in systems heavily reliant on information technology) are all aspects of the internal... internal auditor’s planning and work procedures Both apply strong quality control procedures (e.g IAASB and IIA requirements) 3305 SESSION 33 – INTERNAL AUDIT Both will report on their work, although... audit approach, but applied to all controls) 3.6 Procurement Procurement is the process by which materials, goods and services are obtained by an organisation It includes: specifying requirements