INTERNAL AUDIT AND OUTSOURCING
All businesses, where appropriate, should consider setting up an internal audit function. Internal audit plays a key role in good corporate governance. There are costs associated with setting up internal audit so having your own internal audit dept. may not be cost beneficial. One solution to this is outsourcing.
Internal audit provides objective assurance on risk management particularly control risk.
An internal auditor is an employee of or engaged by the company. Therefore, under company law in certain jurisdictions, the internal auditor is precluded from acting as the external auditor of a company. External auditors are required by law to belong to a recognised body, which guarantees their appropriate qualification, adherence to technical standards and overall competence. The internal auditor on the other hand requires no formal training.
Unlike the external auditors, who are appointed at the Annual Meeting by the shareholders of a company, the internal auditor is hired by the management of the company. In turn this means he can be dismissed by the directors or other senior managers, subject only to normal employment rights.
The primary objective of the external auditor is laid down by the companies’ acts in the relevant jurisdiction, whereas the internal auditor’s objectives are dictated by the management of the company. As a result, management can place limitations on the scope of the internal auditor’s work. While some of his work may be similar to that of the external auditor, more of it could relate to areas such as value for money.
Use by an external auditor of internal audit
Before an external auditor uses the work of an internal auditor he should consider:
- The technical training and proficiency of the internal auditor
- The quality control procedures over the review and supervision of internal audit staff members and appropriate planning and direction
- Whether the internal auditor has gathered sufficient appropriate evidence
- The conclusions reached by the internal auditor based on evidence gathered
- Whether exceptions noted are properly resolved by the internal auditor
The role of internal audit in corporate governance
The traditional role of internal audit was to review controls. For example, “The Turnbull Report” which was drawn up by the London Stock Exchange for listed companies required that all risk needed to be managed and this gave internal audit an extended role. Now internal audit monitors the integrated risk management within a company and reports to the Board.
Key Turnbull guidelines:
- Need for a formal review of the effectiveness of internal control
- Regular review of internal control reports
- Consider key risks and how they should be managed
- Follow up on the adequacy of remedial action taken
- Assess the monitoring systems
- Conduct an annual assessment of risks and internal control
- Make formal report in company annual report.
The responsibility to manage risk in a company rests with the management. They must identify, control and monitor this risk. The internal auditor is ideally placed to monitor this risk. He can on a continual process:
- Advise on the optimum design of systems and monitor their operation,
- Advise on improvements required to existing systems,
- Provide assurance on systems set up for various departments.
Types of internal audits
Internal audit can be described as an independent appraisal function established within an entity for the examination and evaluation of an entities own activities.
In many ways it is an example of an assurance engagement, in that the internal auditor evaluates and measures specific aspects against set criteria. On the other hand, it can be also compared to an agreed procedures engagement as the work of the internal auditor is often set by management.
Compliance audits determine whether employees operate in accordance with the company’s policies or within relevant laws and regulations. The internal auditor will have a good knowledge of the company’s policies. This type of audit falls within the definition of an assurance engagement.
Operational audits look at the processes of the business and check compliance with controls and also their effectiveness as part of the overall risk management strategy.
The scope of the work is more extensive than that of a compliance audit, although you could undertake a compliance audit as part of an operational audit. The internal auditor will draw his own conclusions from the work he does and as such this type of audit falls under the category of an agreed upon procedures engagement.
Multi site operations
Some organisations such as retail giants have operations in multiple locations. The objective of an internal audit on any of the sites would be the same but as results will vary from site to site a different audit approach may be necessary.
Possible approaches include:
• Compliance based audit approach
The locations are checked for compliance with the set procedures and the results are compared across the locations. You can visit all the locations within a given timeframe (cyclical approach) or select locations based on the risk attaching to them (risk approach).
• Process based audit approach
Specific key business processes are selected and audited. For example in the case of retail giants, the auditor may look at the cash handling process. Again, the auditor could either audit all the processes within a given time frame or examine those business processes which have a higher risk attaching to them.
Practical considerations for the internal auditor
These include which sites to visit and how often. Should they be a surprise visit or a routine one or should there be a mix.
When deciding on a site to visit, the internal auditor should consider:
- The size of the operation,
- Systems compliance past history,
- Experience of staff at the site,
- Test results past history,
- Management interest in specific sites.
Evaluation of risk
- Probability of undetected material error or fraud occurring
This is influenced by the assessment of the system of internal control (organisation, segregation, physical controls, authorisation & approval, arithmetic & accounting, personnel, supervision and management), experience derived from previous audits and the existence of high risk processes such as cash handling.
- Potential size of error or fraud.
This will be influenced by the relative size of each location in such terms as revenue, transactions, stock levels and internally generated statistics showing stock losses.
This is the contracting out of certain functions within an organisation, the extensiveness of which will vary from organisation to organisation.
Why do companies outsource:
Outsourcing can reduce costs. In addition, by considering outsourcing, you should assess the process and quantify the cost of your in-house operations. This can lead to better efficiency through budgeting and cost control over a function or may help to reduce the number of employees while still maintaining a quality service. Also, outsourcing can have an effect on the financial statements. For example, by outsourcing the IT function, high capital costs may be averted thus affecting the face of the balance sheet.
Change can have a huge impact on staff. Outsourcing helps to reduce the risk of disruption to work flows. Examples include outsourcing software provision where staff training is included in the service, and outsourcing the finance function during mergers where different accounting systems exist.
Outsourcing can help an organisation focus on its core competency. It can also be that boost to a new technical change or a low risk approach to a new business venture. For example, outsourcing website development and maintenance when entering into an e-commerce venture.
What can you outsource
Companies only tend to outsource those functions which are not key competencies and the extent to how far you want to outsource will affect what you can actually outsource.
Some functions which may not be considered core competencies include accounting, human resources, facilities management, asset management, IT and cleaning. Within the accounting function you could break this down to payroll, invoicing, credit control and management/financial accounts. Within human resources, it can be subdivided into welfare, health & safety and recruitment. IT can be split between maintenance, project management and the network management.
The extent to how far you will outsource will depend on the risk involved and the control which you want to maintain. There are less risk and control issues in outsourcing cleaning that the entire accounting functions, unless you run a hospital!!
Advantages and disadvantages of outsourcing
- Cost savings and better cost control,
- Availability of specialist services which may not exist in-house,
- Indemnity in the event of problems,
- Cash flow timing in that services are generally a flat fee.
- Loss of control over the function,
- Initial cost may be substantial especially in the case of closing a dept.,
- Potential employee problems where there may be redundancies,
- Contracts need to be managed ,
- Problems with contract may lead to costs outweighing the benefits.
Outsourcing Internal audit
You might outsource internal audit as it is rarely seen as a core competency. In addition, there are problems in setting up an internal audit function:
- Cost of recruiting staff with sufficient skill and qualification,
- Managing a specialist group without the appropriate quality of management,
- Time frame between set up and effective results can be wide,
- Organisation may not warrant a complete division or persons with skills varieties.
- No need to recruit, service provider will have appropriate staff with specialist skill.
- Internal audit function up and running immediately.
- Flexible with regard to duration of specific projects or team size.
- Using the same firm as that of the external auditor may cause problems.
- The cost may be high and could result in no internal audit function at all.
Outsourcing finance functions
- Specialist skills and expertise in the pensions, IT, due diligence and taxation areas.
- Quality service with redress to legal compensation.
- IT can keep pace with on-going technological advances.
- Can provide a safety net for the IT function in the event of a disaster.
- Logistical difficulties for data processing of large volumes
- Loss of control of key accounting documentation and records although responsibility remains with management
- Sharing of sensitive personal data such as pensions and payroll.
- IMPACT OF OUTSOURCING ON AN AUDIT
The impact of outsourcing is dealt with in ISA 402, audit considerations relating to entities using service organisations.
Some outsourced activities are directly relevant to an audit such as the keeping of accounting records. Therefore, the auditor should consider his approach to work that is done by the service organisation.
When a service organisation executes a company’s transactions and maintains accountability, the company may need to rely on policies and procedures at the service organisation unlike a situation where a service organisation is limited to recording and processing transactions and the company retains authorisation and accountability.
In obtaining an understanding of an entity and its environment the auditor should determine the significance of a service organisation’s activities to the client company and its relevance to the audit. The auditor needs to consider:
- The nature of the services provided,
- The terms of contract and relationship between the client and the service organisation,
- Client’s controls applied to the transactions processed by the service organisation,
- Client’s controls over identifying and managing risk relating to the service organisation,
- The service organisation’s financial stability and the possible effect of failure of the service organisation on the client company,
- Third party reports from service organisations auditors, internal auditors or regulatory agencies providing information about accounting and internal control systems of the service organisation and its operations and effectiveness.
If the auditor concludes that the activities of the service organisation are significant to the entity and relevant to the audit, the auditor should obtain a sufficient understanding of the entity and its environment to identify and assess the risk of material misstatements and design further audit procedures in response to the assessed risk.
Service organisation auditor’s reports
If the client auditor uses the report of a service organisation auditor, he should consider making inquiries concerning the auditor’s professional competence in the context of the specific assignment undertaken. When making use of the report, the auditor should consider the nature and content of that report. He also needs to consider the scope of the work performed by the service organisation auditor and should assess the usefulness and appropriateness of reports issued by the service organisation auditor.
The report may be a report on the suitability of design or a more extensive report on suitability of design and operating effectiveness. The former report will give the auditor some basic understanding of controls but it would not reduce his assessment of control risk. The latter report may support a lower risk assessment but the auditor would need to consider whether the controls tested by the service organisation auditor are relevant to the client’s transactions and whether the tests of controls and the results are adequate.
The service organisation auditor may be engaged to perform substantive procedures that are of use to the client auditor. This engagement may take the form of an ‘agreed upon procedures’ engagement.
When the client auditor uses such a report, no references should be made in the audit report to the service organisation’s auditor’s report.
Impact on internal audit
The external auditor will be affected by outsourced functions in relation to the financial statements whereas the internal auditor will be affected by any outsourced function.
Audit practitioners have recently begun to initiate changes in the audit approach. The strategy seems to be moving away from the traditional audit of financial statements and more to the provision of assurances on financial data, systems and related controls. Auditors are reviewing the business processes utilising benchmarking, performance measurements such as value for money and best control practices. The audit is moving toward the analysis of business risk and of being seen to be more of a benefit for management.
Risk assessment services are now part of the audit service of which clients can avail themselves. The provision of internal audit is becoming a larger part of the business assurance service offered by auditing firms. The audit is becoming a management consultancy exercise with internal audit, external audit and consultancy assignments being seen as complimentary services.
Discuss the implications of the external auditor providing an internal audit service to a client, explaining the current ethical guidance on the provision of other services to clients. Explain the principal effects of the external auditor providing wider assurance to the client. In addition, critically evaluate the move by large auditing firms to providing business risk and assurance services rather than the traditional audit assurance for investors and creditors.