TOPIC 4

INTERNAL AUDIT

Internal audit and corporate governance

Internal audit function: A function of an entity that performs assurance and consulting activities

designed to evaluate and improve the effectiveness of the entity’s governance, risk management and

internal control processes.

The link between internal audit and corporate governance

Overall
responsibility for
the analysis of risk
and implementation
of internal controls

Board Monitor
management's
responsiveness to
Audit
committee IA findings and
recommendations

• Monitor and • Regular report

Meet
review on results of IA
Head of IA
effectiveness of work
at least
IA • Direct access to
once
• Approve appointment/ a year board chairman
termination of without and audit
appointment of Head of managemen committee
IA

Internal audit
function

Management letter (generated by the auditor)

Observations/ Risks Recommendations Comments

findings (likelihood)

There is a relationship between the board, the audit committee and corporate governance as
follows:

Assessing the need for internal audit

When considering the need for an internal audit function, the board should consider:

• The cost of setting up an internal audit department versus the predicted benefit (cost benefit

analysis)

• Predicted savings in external fees where work carried out by consultants will be

carried out by the new internal audit department

• The complexity and scale of the organization’s activities and the systems

supporting those activities

• Management’s perceived need for assessing risk and internal control

• The pressure from external stakeholders to establish an internal audit department

• Whether it is more cost effective or desirable to outsource the work

Nature and purpose of internal audit assignments

The role of the internal audit function is to provide independent assurance that a

company’s risk management, governance and internal control processes are

operating effectively.

Unlike external auditors, the internal audit function looks beyond the financial

statements and considers wider issues such as the company’s reputation, compliance

with laws and regulations, growth, its impact on the environment and employee

satisfaction levels.

This is because the key to a company’s success is often managing such risks effectively.

Scope of internal audit

There are many types of work that the internal auditor performs. Those listed in the syllabus are:

The assignments internal auditors will carry out will depend on the particular
circumstances of the company involved and its objectives.

A brief summary of the examples of internal audit assignments is:

• IT audits: Internal auditors may be asked to look specifically at controls over the

accounting system, or, instead, over other computer systems that supply data to the

accounting system.

For example, a travel company’s reservation system will usually link to the accounting

system and is an important element in determining when the revenue on a flight or

holiday is recorded. Or for companies with retail stores, assignments may include

reviewing controls over computer systems linking tills to head office.

• Financial audits and operational audits: This may include testing controls

operating centrally (at head office) or at branches. One example is the testing of

controls over inventory counting or cash counting. This would include observation of

controls in operation at warehouses or retail stores during attendance at counts.

• Compliance audits: Internal auditors may assist with or review compliance with laws

and regulations. For example, if a company has an overseas branch, the internal audit

department may review compliance with laws/regulations specific to that country

(such as filing adequate financial or non-financial returns).

• Fraud investigations: Fraud can range from theft of assets (Misappropriation) to

fraudulent financial reporting. Internal audit may be asked to investigate specific

instances of suspected fraud or, more generally, to review and test controls to

prevent or detect fraud.

• Customer experience audits: Internal auditors may be asked to assess the level of

customer service. They could do this by phoning in or visiting stores/outlets and

pretending to be customers. Alternatively, they could review and analyse the results

of customer surveys.
 Value for money audits

Value for money (VFM) audits may be performed by the internal audit function and try

to determine whether the optimal combination of goods/services have been obtained for

the lowest level of resources.

VFM audits tend to focus on three areas: economy, efficiency and effectiveness.

These are commonly known as ‘the three Es’:

Economy Buying the resources needed at the cheapest cost

Efficiency Using the resources purchased as wisely as possible

Effectiveness Doing the right things and meeting the organization’s objectives

Management will need to set objectives for each of the three areas, the objectives will

detail the goals/aims they hope to achieve in terms of the company’s economic purchase

of resources, efficient use of resources and the effectiveness of achieving the company’s

objectives.

Once the objectives have been set, they will then need to put controls in place to ensure

each objective is met.

Limitations of internal audit

Qualities

If the internal audit function is to be effective, then both they and their work need to

possess certain qualities.

These qualities include independence, objectivity and due skill and care:

Qualities Description

Independence • Internal auditors should be independent of the activities

they audit. For example, internal auditors should not

 generally be involved in designing, installing and

operating systems. Rather their role is to review the

effectiveness of them.

• Internal audit departments should be granted sufficient

status to achieve independence from the various company

functions.

• Internal auditor’s reports should be considered

appropriately by directors and recommendations acted

upon.

Internal auditors must have a reporting line that is

independent of the function they are auditing – highest level

of management/audit committee.

Objectivity Objectivity is all about maintaining an independent mental

attitude. When they conduct their work, the internal auditors

should consider the facts in front of them without having

any pre-conceived ideas.

Due skill and care • Need for internal auditors to have wide-ranging

skills (accounting, auditing, business and

management skills)

• Need for a multi-disciplinary internal audit team

• Need for ongoing training

• Adherence to internal audit quality control

manuals/procedures

• Work should be planned, documented, supervised and

 reviewed (Systematically)

Note that internal auditors are not normally subject to any regulatory authority.

Outsourcing internal audit

External and internal auditors

Comparison

External auditor: Internal auditor:

Statutory duty to give an Assist the board in
opinion as to whether the achieving its corporate
financial statements 'present objectives
fairly' the activities of the
business.
Conducted in accordance with

External auditor Internal auditor

Objectives Give an opinion as to Varied and wide ranging

whether: Determined by
• The financial statements management/board but may
‘present fairly’ the include:
activities of the business; • Review of
and accounting/internal
• Proper accounting records control systems
have been kept. • Examination of
financial/operating
information
• Value for money (VFM) reviews
• Review of
implementation of
corporate policies,
laws and regulations
• Special investigations, eg
suspected fraud
• Procurement, marketing,
treasury and HR reviews
Reports to Shareholders of the company Board of directors/audit
committee

Status Independent of/external to Company employee/outsourced to

company they are auditing a third party
Qualifications Audit partner will be qualified No formal qualifications required
and hold a practicing certificate
as a registered auditor
Not all team members will be
qualified
Responsibilities for fraud and error (ISA 240)

Prevention and

detection of fraud

and error

External auditor’s Internal auditors

• No responsibility for • Directors responsible for

prevention prevention and detection

• Responsibility to consider the • Internal audit can assist

risk of material misstatement directors with the prevention of
in the financial statements due fraud and error by assessing
to fraud and error the effectiveness of internal

• Provide reasonable control systems

assurance that financial • Existence of IA department may act as

statements are free from deterrent
material misstatement
• Can contribute to detection by
• Responsibility to detect fraud reporting suspicions
and error which has a
• May be called on to
material impact on the
investigate suspected
financial statements
fraud
(Secondary)
 Using the work of internal auditors (ISA 610)

Relying on the work of the internal auditor

It is possible that the objectives of some of the work performed by the internal audit

department may overlap with those of the external auditor. In these cases, it may

be possible for the external auditor to rely on the work of the internal auditor.

ISA 610 Using the Work of Internal Auditors provides guidance for the external

auditor when the external auditor expects to use the work of the internal audit

function to modify the nature or timing, or reduce the extent, of audit

procedures to be performed directly by the external auditor.

The objectives of the auditor are:

i. To determine whether the work of the internal audit function or direct

assistance from internal auditors can be used and, if so, in which areas and

to what extent

ii. If using the work of the internal audit function, to determine whether

that work is appropriate for the purposes of the audit

iii. If using internal auditors to provide direct assistance, to appropriately

direct, supervise and review their work.

An effective internal audit function may reduce, modify or alter the timing

of external audit procedures, but it can never eliminate them entirely. Even

where the internal audit function is deemed ineffective, it may still be useful

to be aware of the conclusions formed. The effectiveness of internal audit

will have a great impact on how the external auditors assess the whole control
system and the assessment of audit risk.

The external auditor will need to determine whether the work of the internal

audit function can be used for the audit and, if so, establish the nature and

extent of work that can be used.

The following criteria must first be considered by the external auditors when

determining whether the work of the internal audit function can be used.

Criteria Considerations

The extent to which its objectivity is Consider the status of the internal audit

supported by its organizational status, function, to whom it reports, any

relevant policies and procedures conflicting responsibilities, any

constraints or restrictions, whether

those charged with governance oversee

employment decisions regarding internal

auditors, whether management acts on

recommendations made, whether internal

auditors are members of professional

bodies and obligated to comply with

their requirements for objectivity. (ISA

610 (Revised): paras. A5–A7)

The level of competence of the function Consider whether the internal audit

function is adequately resourced,

whether internal auditors are members of

relevant professional bodies, have

adequate technical training and

proficiency, whether there are established

 policies for hiring and training, whether

internal auditors possess the required

knowledge of financial reporting/the

applicable financial reporting

framework(ISA 610 )

Whether the internal audit function applies Consider whether internal audit activities

a systematic and disciplined approach include a systematic and disciplined

(including quality control) approach to planning, supervising,

reviewing and documenting

assignments, whether the function has

appropriate quality control procedures,

the

existence of audit manuals, work

programmes and internal audit

documentation. (ISA 610)

These can be remembered using the mnemonic ‘SODIT’:

• Scope of work

• Organisational status

• Due skill and care

• Independent

• Technical competence

When determining the areas and the extent to which the work of the internal audit

function can be used, the auditor must consider:

 • The nature and scope of specific work performed or to be performed

• The relevance of that work to the audit strategy and audit plan·

• The degree of judgement involved in evaluation of audit evidence

gathered by internal auditors

The external auditor is responsible for the audit opinion and must make all significant

judgements in the audit. Therefore, the external auditor must plan to use the work of the

internal audit function less (and therefore perform more of the work directly) in any

areas which might involve significant judgements being made.

These will be areas where:

(a) More judgement is needed in planning/performing procedures and evaluating

evidence

(b) The risk of material misstatement is high, including where risks are assessed

as significant

(c) The internal audit function’s organizational status and relevant

policies/procedures are not as robust in supporting the internal audit

function’s objectivity

(d) The internal audit function is less competent

The external auditor must also take a ‘step back’ and consider whether the

planned extent of internal auditors’ involvement will still result in the

external auditor being involved enough, in light of the fact that the external

auditor is solely responsible for the audit opinion.

Direct assistance

It is also possible that the external auditors may use the internal auditors to provide

direct assistance to them.

Direct assistance refers to the use of the internal auditors to perform audit

procedures under the direction, supervision and review of the external auditor.

When deciding whether the internal auditors should provide direct assistance the

external auditor should consider:

 The amount of judgement involved in planning and performing the relevant

audit procedures, and in evaluating the audit evidence gathered

 assessed risk of material misstatement (High and Low)

 The existence and significance of threats to the objectivity and the level of

competence of the internal auditors.

Where the external auditors have used direct assistance from the internal auditors

they should document:

(a) The evaluation of the existence and significance of threats to the

objectivity of the internal auditors, and the level of competence of

the internal auditors used

(b) The basis for the decision regarding the nature and extent of the

work performed by the internal auditors

(c) Who reviewed the work performed and the date and extent of the review

ISA 610 prohibits the use of internal auditors to provide direct assistance to perform

procedures that:

(a) Involve making significant judgements in the audit

(b) Relate to higher assessed risks of material misstatement where more

than a limited degree of judgement is required: for example, in assessing

the valuation of accounts receivable, internal auditors may be assigned to

check the accuracy of receivables ageing, but they must not be involved
 in evaluating the adequacy of the provision for irrecoverable receivables

(c) Relate to work with which the internal auditors have been involved

(d) Relate to decisions the external auditor makes regarding the

internal audit function and the use of its work or direct assistance