Session 8
1 INTERNAL AUDIT
1.1 Definition
An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. (Institute of Internal Auditors, IIA)
• This definition usefully outlines the relationship between internal audit and the management of an entity. Key elements that have not been covered elsewhere within the study system are:
  ◦ Add value – Organizations exist to create value or benefit to their owners, other stakeholders, customers, and clients. Value is provided through:
    − the development of products and services; and
    − the use of resources to promote those products and services.
    When gathering data to understand and assess risk, internal auditors gain insight into operations and opportunities for improvement that can be beneficial to the organization.
  ◦ Control is any action taken by management, the board, etc. to enhance risk management and increase the likelihood that established objectives and goals will be achieved.
    Adequate control is present if management provides reasonable assurance that:
    − risks have been managed effectively; and
    − goals and objectives will be achieved efficiently and economically.
  ◦ Governance process is the procedures utilized by the representatives of the entity’s stakeholders to provide oversight of risk and control processes administered by management.
1.2 Relationship Between External And Internal Auditors
| | External | Internal |
|---|---|---|
| Role | To provide an independent opinion (in a report) on financial statements (see Sessions 1 and 30) | To appraise, examine and evaluate organisational activities and assist management in discharging its responsibilities |
| Required by | Statute (typically) | Management, usually in larger organizations, will be urged/required by best practice (e.g. governance codes) to continually review need for internal audit |
| Appointed by | Shareholders (usually at an Annual General Meeting) or directors | Highest level of management charged with responsibility for internal audit (e.g. audit committee under corporate governance codes) |
| Reports to | Shareholders (primary statutory duty) and management (professional responsibility) | For listed companies, usually the audit committee under corporate governance codes. For other companies, the highest level of management charged with governance (e.g. the board) |
| Reports on | Financial statements. Primary responsibility is of a financial focus | Organisational risk management, internal control and quality of performance. Focus is operational as well as financial |
| Forms opinions on | “True and fair view” (or similar) of financial statements | Effectiveness of risk management strategy and operations, operation of corporate governance, adequacy and effectiveness of internal control and other business functions as a contribution to the economic, efficient and effective use of resources (see section 3) |
| Status | Independent of client company | Employee (therefore potentially less objective) |
| Qualification | Usually ACCA, ICAEW, ICAI or ICAS | May also be members of other professional bodies (e.g. IIA) or unqualified |
| Scope of assignment | Unlimited, to fulfil statutory obligation. Usually defined by legislation as well as ISA | Prescribed by management, those charged with governance or audit committee (see 1.3 below) |
| Conduct of audit | In accordance with ISAs, for example | Similar, Standards for the Professional Practice of Internal Auditing including ethics |
• Review the processes and systems to ensure adherence with those policies, plans, procedures, laws and regulations which could have an impact on the company, and determine whether it is in compliance therewith;
• Review the means of safeguarding assets and other key resources, especially information in hard copy or on computer systems, including business contingency plans and the security of computer systems;
• Review operations or projects (including systems under development) to ascertain whether results are consistent with established objectives and goals and whether the operation or projects are being carried out as planned;
• Monitor corrective action plans to ensure that management implement them promptly and effectively;
• Advise management on cost effective controls for new systems and activities; and
• Liaise with those charged with governance (e.g. the audit committee) and the external auditors (as necessary).
• Both will need to plan and document their work. Materiality, risk assessments, sampling, analytical review, use of CAATs (especially in systems heavily reliant on information technology) are all aspects of the internal auditor’s planning and work procedures.
• Both apply strong quality control procedures (e.g. IAASB and IIA requirements).
• Both will report on their work, although (as noted above) the nature and format of the reports are different.
1.5 Assessing the need for an internal audit function
• When the board and senior management are sufficiently close to the business and the systems are not so complex, the following sources of assurance about the way the business is operated may prove to be adequate:
  ◦ the views of, and representations from, executive directors and senior managers;
  ◦ the views of other employees through (say) a self-assessment process;
  ◦ results of management’s internal confirmation procedures;
  ◦ regular information on financial and operational matters;
  ◦ performance indicators;
  ◦ early warning mechanisms;
  ◦ external auditors’ management letters;
  ◦ reports of any relevant external regulators;
  ◦ reports (if any) from relevant internal compliance functions.
  In such cases there may be no immediate need for an internal audit function.
• However, as organizations grow and:
  ◦ become more geographically diverse;
  ◦ business is undertaken in new environments (e.g. e-commerce);
  ◦ develop new products and competitive pressures increase;
  ◦ systems become more complex;
  ◦ change is the norm;
  then management’s time and attention can be very stretched.
• In particular, when a company becomes listed, the demands placed on management for transparency and effective running of the business by the stakeholders are significantly increased.
1.5.1 Key issues
• As many stock exchanges require listed companies to operate internal control functions (or explain why they do not in their annual reports), the key issues to consider may mainly relate to larger, unlisted entities:
  ◦ Are the existing management processes adequate to:
    − identify and monitor the significant risks facing the company; and
    − confirm the effective operation of the established internal control systems?
  ◦ With ever increasing pressures on management at all levels, can those who are responsible for managing risks and operating controls always take a wholly objective and systematic view of their own performance?
  ◦ Does the board receive the right quality of assurance and information from management and is it reliable?
Example 1
Suggest additional matters that directors might consider when assessing the need for an internal audit function.
1.5.2 Needs of the Board
Board – A board of directors, audit committee of such boards, head of an agency or legislative body to whom internal auditors report, board of governors or trustees of a non-profit organization, or any other designated governing bodies of organizations.
• The board needs to obtain assurances that its risk and control processes are effective. Management, internal audit and others may provide such assurance. Objective assurance and advice is provided by an internal audit function, thereby assisting the board and senior management with their stewardship responsibilities.
• Boards, audit committees and senior management now recognise that what is of relevant value to their business is the internal auditors’:
  ◦ knowledge of the organisation, its systems and its processes; and
  ◦ skills and experience (e.g. in independently reporting on their findings and making recommendations to improve effectiveness of the processes).
  ◦ Larger companies may decide that resources are best used elsewhere and not invest in this non-core (though essential) area.
• Such services are offered by specialised internal audit providers as well as the “global” and other accounting firms.
1.6.1 Factors to be considered
• What to outsource?
  ◦ The whole of internal audit services; or
  ◦ Specific functions (e.g. environmental auditing).
• What (and/or who) to retain? The head of internal audit may be retained as an employee (to keep a high level responsibility within the company).
• Terms of reference:
  ◦ What services will be provided?
  ◦ Who does the service provider report to?
  ◦ What form will reports take?
  ◦ What action will be taken if problems occur?
  ◦ How will fees be determined and charged?
1.6.2 Benefits to the company
• Costs – A company with an in-house internal audit service must pay salaries, training and overheads. Whilst the contractors’ fees will also be set to cover these, there may be economies of scale. The company would only pay for resources when required and so overall the total cost may be cheaper.
• Consistency with external audit – There may be greater consistency in approach between the internal and external auditors. This may mean external audit can place more reliance on internal audit work (see Session 34) and hence the company would benefit from a lower external audit fee.
• Skills – Contracting-out internal audit allows the company to bring in new skills. External providers will have wider experience gained by auditing other companies.
• New techniques – Both the internal and external audit markets are very competitive. This encourages firms to develop new techniques which are more efficient and effective. Contracting out gives the company access to these techniques without a high level of investment.
• Management time – Management time and resources can be freed to concentrate on core areas of the business instead of peripheral ones.
• Liability – Legal action may be brought against an external service provider if their standards are not acceptable.
1.6.3 Disadvantages to the company
• Skills – An external contractor may lack the specialist skills relevant to a particular company which an in-house service will possess. Once a contractor is brought in these skills may be lost forever.
• Constraints on service – The service provider will need to act in accordance with the terms of reference. This may mean they are unable to follow up suspicious circumstances outside their duties without first seeking permission from the company and re-negotiating the terms of reference.
• Flexibility – An in-house department will provide a permanent presence whilst contracted out services may only be at the company for discrete periods. In-house staff may have more commitment to the company (e.g. willingness to work overtime, travel, etc.). Outsourcing may result in reduced staff availability and flexibility.
• Conflicting reporting lines – Internal audit should report to the audit committee or board of directors. However, as an employee of the audit firm the auditor may be expected to report to the partner. The audit firm will be responsible for issues such as promotion and training and therefore they need to monitor internal audit staff.
• Expectation gap – An expectation gap has existed for external audit for many years. If the profession cannot meet public expectations for a narrow role which is defined by statute, can they meet management expectations for a wider role? The company may discover too late that they are not getting what they want. If a contract has been agreed it may be difficult to change.
• Standard of service – Once an external provider has secured the contract the level of service provided may fall. The audit committee/board of directors must monitor and ensure that the quality of staff provided is satisfactory and work is completed according to the terms of reference.
• Corporate culture – Contracting out any service involves a change to corporate culture. Unless managed sensitively, outsourcing may lower employee morale, reduce performance, generate a negative cultural impact and create permanent job insecurity.
1.6.4 Service provider issues
• Skills – The service provider must have the appropriate skills and expertise to undertake the internal audit role. Whilst there are overlaps between internal and external audit, internal audit usually fulfils a wider role.
• Staff management – Undertaking internal audit functions may improve staff management where the service provider is an audit/accountancy practice. Internal audit work may be conducted during slacker times when there are fewer external audit engagements. However, internal audit must not be a lower priority.
• Effect on external audit – Although there are overlaps, the roles of internal and external audit are different. If both roles are performed by the same firm the distinction could become blurred. This could lead to a reduced level of service overall and a lower level of credibility being attached to the external auditor’s report. (See Session 4 re ethical issues for the external auditor.)
1.6.5 Independence issues
• A benefit to the company – Outsourcing increases independence as an in-house department can never be truly independent. Staff from an external firm will be subject to the same ethical guidelines (see Session 4) as for external audit, and the firm should have mechanisms to ensure compliance. Rotation of staff is more likely, so close relationships do not build up between internal audit staff and the client.
• Drawbacks – The external provider could become dependent on the client. The risk is perceived to be particularly great where the internal auditor is the external auditor.
2.1 Internal audit’s role in risk management
• Business risk and risk management were discussed in Session 8. Fraud was discussed in Session 11.
2.1.1 Assurance role
• A proper system of internal control in practice requires a proper system of risk management and organisational control.
• Internal auditors do not judge the appropriateness of a company’s objectives or the board’s strategies to achieve those objectives. They examine the effectiveness of the processes by which the consequent risks are identified, managed, mitigated and reported. Internal auditors also add value by the identification of opportunities to improve the cost effective management of risk.
• The assurance role of internal audit is to deliver assessments of the adequacy and effectiveness of the processes by which risks are:
  ◦ identified and prioritised;
  ◦ managed, controlled and mitigated; and
  ◦ reported,
  such that the residual risks are recognised by, and are clearly acceptable to, the board.
2.1.2 Contribution to risk management
• Risk management is not the responsibility of the internal audit function. Many large organisations have separate risk management functions.
• Internal audit’s job may be to assist that function or the board by:
  ◦ providing objective assurance on the adequacy and effectiveness of the risk management and internal control framework;
  ◦ helping improve the processes by which risks are identified and managed;
  ◦ helping strengthen and improve the risk management and internal control framework.
• Internal audit can:
  ◦ provide advice on the design, implementation and operation of control systems;
  ◦ identify opportunities to make control cost savings;
  ◦ promote a risk and control culture within the organisation;
  ◦ act as facilitators, guiding managers and staff through a self-assessment process (e.g. by leading workshops);
  ◦ become a centre of expertise for managing risk by providing enterprise-wide risk management services (ERM).
• To be effective, the management of risk requires information which is:
3 OTHER ASSIGNMENTS
3.1 Value for money
VFM auditing is evaluation of management’s achievements in terms of the economy, efficiency and effectiveness (the 3 “Es”) of operations.
3.1.1 The “3 Es”
• VFM has been prominent in the public sector (e.g. in the UK) since the 1980s when “audit” was narrowly interpreted as a financial audit.
  ◦ Economy is about obtaining specified resources (inputs, e.g. material, finance, human, time) at the lowest cost.
  ◦ Efficiency is the achievement of either:
    − the maximum output (at a given quality) from a given input; or
    − a given output (at a given level of quality) from the minimum input.
  ◦ Effectiveness is the achievement of outputs which meet management’s objectives.
[Figure: the 3 Es, with labels Objectives, Outputs, Resources, Inputs, Process, Effectiveness, Efficiency and Economy]
• VFM audits are carried out to ensure that corporate resources, shareholders’ funds and taxpayers’ contributions are not wasted. However, the VFM audit process may or may not be empowered to question whether the objectives set were justified.
• Very often a benchmark is required. VFM can only be judged by comparison (external or internal, e.g. between departments or divisions). Present methods of operation and use of resources must be compared with alternatives to see if value for money is being obtained.
3.1.2 Role of internal auditing
• Top management is responsible for committing the organisation to a VFM review process.
• The head of internal audit is responsible for conducting VFM reviews and for comparisons between functions and across time. Internal audit can report (for example) on:
  ◦ unnecessary spending (e.g. overtime guaranteed when work is completed in normal hours);
  ◦ misdirected spending (e.g. capital expenditure outlay on lower quality assets requiring higher level of revenue expense quality);
  ◦ over-priced spending (e.g. discounts are unclaimed);
  ◦ under-recovered revenue (e.g. failure to collect on disposals of assets).
• Line management should take responsibility for implementing the VFM review, although very often the responsibility remains with the head of internal audit. They will be responsible for implementing the recommendations from a VFM review.
3.1.3 Advantages of VFM
✓ Management attention is focused on economy and efficiency but this is tempered by the need for effective performance.
✓ It promotes the use of performance indicators.
✓ It should eventually lead to self measurement with audit only used to compare performance between business units on an objective basis.
✓ Although VFM audit is often used to promote cost savings, it can also be used to identify revenue opportunities.
3.1.4 Disadvantages of VFM
✗ Economy and effectiveness are often opposed, e.g. saving money may result in the need for lower quality. This is often overcome by treating one element as fixed, e.g. achieving savings based on an agreed quality level.
✗ It is difficult to create a balance between short term and long term gains and thus savings now may lead to additional costs in future.
✗ Savings in one area may create additional costs to another area, e.g. reducing costs of production but increasing other costs because of quality rejects or warranty repairs.
✗ Comparisons between business units may be spurious, e.g. one business unit may excel at a particular process, the costs of which are relatively high compared to other processes carried out by other units. So measuring the cost per process will not be meaningful.
✗ VFM targets may be manipulated by managers, e.g. production is arranged to meet the target rather than what is actually required.
✗ Once performance indicators have been established the audit work is routine and not especially challenging.