The need for internal audit
Internal audit is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations.
Companies must create a strong system of internal control in order to fulfil their responsibilities.
However, it is not sufficient to simply have mechanisms in place to manage a business, their effectiveness must be regularly evaluated. All systems need some form of monitoring and feedback. This is the role of internal audit.
Having an internal audit department is generally considered to be best practice, but is not required by law. This allows flexibility in the way internal audit is established to suit the needs of a business.
In small, or owner managed businesses there is unlikely to be a need for internal audit because the owners are able to exercise more direct control over operations, and are accountable to fewer stakeholders.
The need for internal audit (IA) therefore will depend on:
- Scale and diversity of activities. In a larger, diversified organisation there is a risk that controls don’t work as effectively because of the delegation of responsibility down the organisation. Internal audit can report back to the audit committee if controls are not as effective as they should be.
- Complexity of operations. The more complex the organisation is, the greater the benefit obtained from having an IA function as there is greater risk of things going wrong. With larger organisations the consequences of poor controls/risk management/corporate governance practices are likely to be greater.
- Number of employees. The greater the number of employees the greater the risk of fraud.
- Cost/benefit considerations. It will only be worth establishing an IA function if the benefits outweigh the costs. For example a company might be losing money as a result of fraud, not using the most cost effective or reliable suppliers, or incurring fines for non-compliance with laws and regulations. If these costs outweigh the cost of employing an IA function it will be beneficial to the company to establish a department.
- The desire of senior management to have assurance and advice on risk and control. The directors may wish to have the comfort that there is ongoing monitoring of the organisation to help them discharge their responsibilities.
- The current control environment and whether there is a history of fraud or control deficiencies. If so it will be beneficial for the company to establish an internal audit function to prevent and detect fraud.
2 The difference between internal and external auditors
|External audit||Internal audit|
|Objective||Express an opinion on the||Improve the company’s|
|truth and fairness of the||operations by reviewing the|
|financial statements in a||efficiency and effectiveness|
|written report.||of internal controls.|
|Reporting||Reports to shareholders.||Reports to management or|
|those charged with|
|Availability of||Publicly available.||Not publicly available. Usually|
|report||only seen by management or|
|those charged with|
|Scope of work||Verifying the truth and||Wide in scope and dependent|
|fairness of the financial||on management’s|
|Appointment||By the shareholders of the||By the audit committee or|
|and removal||company.||board of directors.|
|Relationship||Must be independent of the||May be employees (which|
|with company||company.||limits independence) or an|
|outsourced function (which|
3 The role of the internal audit function
The role of internal audit can vary depending on the requirements of the business.
Key activities of the internal audit function
- Assessing whether the company is demonstrating best practice in corporate governance.
- Evaluating the company’s risk identification and management processes.
- Testing the effectiveness of internal controls.
- Assessing the reliability of financial and operating information.
- Assessing the economy, efficiency and effectiveness of operating activities (value for money).
- Assessing compliance with laws and regulations.
- Providing recommendations on the prevention and detection of fraud.
Most of these activities can be seen as helping management comply with corporate governance requirements.
In addition to the above, internal audit will carry out ad hoc assignments, as required by management. For example:
- Fraud investigations – this may involve detecting fraud, identifying the perpetrator of a fraud and quantifying the loss to the company as a result of a fraud.
- IT systems reviews – performing a review of the computer environment and controls.
- Mystery shopper visits – for retail and service companies the internal audit staff can pose as customers to ensure that customer service is at the required level.
- Contract audits – making sure that where material or long term contracts are entered into by the organisation, the contract is written to protect the organisation appropriately and contractual terms are being adhered to by the supplier in line with the service level agreement.
- Asset verification – such as performing cash counts and physical inspection of non-current assets to verify existence.
- Providing direct assistance to the external auditor –internal audit staff can help the external auditor with their procedures under their supervision, in accordance with ISA 610. This is covered in the ‘Evidence’ .
Qualities of an effective internal audit function
- Sufficiently resourced, both financially and in terms of qualified, experienced staff.
- Well organised, so that it has well developed work practices.
- Independent and objective to provide an unbiased view of the organisation’s operations.
- Chief internal auditor appointed by the audit committee to reduce management bias.
- No operational responsibilities to reduce the threat of self-review.
- Work plan agreed by the audit committee.
- No limitation on the scope of their work i.e. full access to every part of the organisation.
Limitations of internal audit
- Internal auditors may be employees of the company they are reporting on and therefore may not wish to raise issues in case they lose their job.
- In smaller organisations in particular, internal audit may be managed as part of the finance function. They will therefore have to report on the effectiveness of financial systems of which they form a part and may be reluctant to say their department (and manager) has deficiencies.
- If the internal audit staff have worked in the organisation for a long time, possibly in different departments, there may be a familiarity threat as they will be auditing the work of long standing colleagues and friends.
It is therefore difficult for internal audit to remain truly objective. However, acceptable levels of independence can be achieved through one, or more, of the following strategies:
- Reporting channels separate from the management of the main financial reporting function.
- Reviews of internal audit work by managers independent of the function under scrutiny.
- Outsourcing the internal audit function to a professional third party.
4 Outsourcing the internal audit function
In common with other areas of a company’s operations, the directors may consider that outsourcing the internal audit function represents better value than an in-house department.
Outsourcing is where the company uses an external company to perform its internal audit service instead of employing its own staff.
- Professional firms follow an ethical code of conduct and should therefore be independent of the client and their management.
- Professional firms should have qualified, competent staff who receive regular development and have a broader range of expertise.
- An outsourcing firm will have specialist skills readily available therefore outsourcing can be used to overcome a skills shortage.
- Professional firms can be employed on a flexible basis, i.e. on an individual engagement basis rather than full time employment which may prove more cost effective.
- Employment costs of permanent staff are avoided.
- The risk of staff turnover is passed to the outsourcing firm.
- Professional firms are responsible for their activities and hold insurance.
- There is likely to be greater focus on cost and efficiency of the internal audit work as this will affect profitability of the assignment.
- The company will obtain access to new market place technologies without the associated costs, e.g. audit methodology software.
- Management time in administering an in-house department will be reduced.
- Professional firms lack the intimate knowledge and understanding of the organisation that employees have.
- The decision may be based on cost with the effectiveness of the function being reduced.
- Engagements with professional firms are constrained by contractual terms. Flexibility and availability may not be as high as with an in-house function.
- Fees charged by professional firms may be high.
- An ethical threat may arise if the service is provided by the external audit firm. E.g. the ACCA Code of Ethics prohibits external auditors of a listed company from providing internal audit services for the same client where the service relates to internal controls over financial reporting.
- Pressure on the independence of the outsourced function, for example, if management threaten not to renew contract.
- Lack of control over the quality of service.
5 Internal audit assignments
Internal auditors perform many different types of assignment. Common examples include:
- Value for money assignments
- Operational audits
- The audit of IT systems
- Financial audit.
Value for money
Value for money (VFM) is concerned with obtaining the best possible combination of services for the least resources. It is often referred to as a review of the three Es:
- Economy – obtaining the best quality of resources for the minimum cost.
- Efficiency – obtaining the maximum departmental/organisational outputs with the minimum use of resources.
- Effectiveness – achievement of goals and targets (departmental/organisational etc).
Comparisons of value for money achieved by different organisations
(or branches of the same organisation) are often made using performance indicators that provide a measure of economy, efficiency or effectiveness. This is particularly common in the not -for-profit sector (i.e. public services and charities), but it can apply to any company.
For example, a company chooses the cheapest supplier for the materials it needs. The supplier has a lead time for delivery of 6 weeks. If the company needs a supplier that can deliver at short notice on a regular basis this will not be effective.
If a company sources lower quality materials at a price 10% cheaper than their current supplier but uses 50% more as a result of the lower quality, this is not efficient.
Value for money: hospital
Examples of value for money indicators for a hospital might include:
- Economy – cost of medical supplies per annum.
- Efficiency – number of patients treated per year, utilisation rate of beds/operating theatre.
- Effectiveness – recovery rates, number of deaths.
An operational audit is a systematic review of the efficiency and effectiveness of operations within the organisation. The focus of the audit is on the processes which take place within the organisation to identify if they can be streamlined and performed more efficiently. The more efficient a process is the more profitable the organisation should be.
For example during an operational audit the internal auditor may find that orders are manually entered into a sales system to record an order. A copy of the order is passed to the despatch department who manually enter the details into the despatch system. A copy of the goods despatch note is sent to the finance department for invoicing and the details are manually entered into the invoice.
In addition to the risk of error that arises each time the details are manually entered, this is a time consuming and inefficient process.
The internal auditor may recommend that an integrated system is introduced to remove the need for the data to be entered by each department. If the order system links to the despatch system and the despatch system links to the finance system, no manual entry will be required after the order has been entered in the first instance.
The audit of IT systems
The external auditor considers IT systems from the perspective of whether they provide a reliable basis for the preparation of financial statements, and whether there are internal controls which are effective in reducing the risk of misstatement.
Internal audit will also consider this. However, their role is much wider in scope and will also consider whether:
- The company is getting value for money from their IT system.
- The procurement process for the IT system was effective.
- The ongoing management/maintenance of the system is appropriate.
Whilst this is an ongoing role, project auditing can be used to look at whether the objectives of a specific project, such as implementing new IT systems, were achieved.
The main aim of a financial reporting system is to create accurate, complete and timely information which can be used for decision making and business planning. This information is also needed to satisfy the requirements of actual and potential investors and trading partners.
Typical examples of financial information include:
- Financial statements
- Monthly management accounts
- Forecasts and projections.
The main aim of internal financial audits is to ensure that the information produced is reliable and produced in an efficient and timely manner. If not, executive decisions may be based on unreliable information.
The other aim of a financial audit is to assess the financial health of a business. More importantly it is about ensuring there are mechanisms in place for the early identification of financial risk, such as:
- Adverse currency fluctuations
- Adverse interest rate fluctuations
- Cost price inflation.
In both cases the focus of internal audit will be on the processes and controls that underpin the creation of the various financial reports to ensure they are as effective as possible for assisting decision making and the risk management processes of the company.
Unlike an independent external auditor’s report, the internal audit report does not have a formal reporting structure. It is likely that the format is agreed with the audit committee or board of directors prior to commencing the assignment.
These reports will generally be for internal use only. The external auditors may inspect them if they are intending to place reliance on the work of internal audit.
A typical report will include:
- Terms of reference – the requirements of the assignment.
- Executive summary – the key risks and recommendations that are described more fully in the body of the report.
- Body of the report – a detailed description of the work performed and the results of that work.
- Appendix – containing any additional information that doesn’t belong in the body of the report but which is relevant to the assignment.
In the exam you may be asked to take the role of an internal auditor performing an audit assignment to test controls or identify improvements in efficiency that can be made.
The internal audit report can be set out in the same way as the report to management that has been seen in the ‘ ‘ , describing the deficiencies identified, consequences of those deficiencies and recommendations for improvement.
Test your understanding 1
Murray Co’s internal audit function
The internal audit function at Murray Co consists of a head of internal audit, two senior internal audit managers, four internal audit managers, seven internal auditors and an internal audit assistant. The head of internal audit has been in post for twelve years, and the other members of the team have varying lengths of service from two to fifteen years.
The head of internal audit is responsible for recruiting staff into the internal audit team. The head of internal audit was appointed by the audit committee.
The head of internal audit reports to the audit committee and agrees the scope of work for the internal audit function with the audit committee.
The internal audit staff have no operational responsibility. Where the staff have previously transferred from another department within Murray Co, the head of internal audit ensures that another member of the team carries out the audit of that system.
Murray Co’s internal audit function follows the International Standards for the Professional Practice of Internal Auditing issued by the Global Institute of Internal Auditors.
Barker Co’s internal audit function
The internal audit function at Barker Co consists of a chief internal auditor, one senior internal audit manager, one audit manager, one auditor and an audit assistant. The chief internal auditor has been in post for ten years, and the other members of the team have varying lengths of service from five to nine years.
The finance director is responsible for recruiting all staff into the internal audit function. The chief internal auditor reports to the finance director and agrees the scope of work for the internal audit function with him.
The internal audit team spend 50% of their time carrying out internal audit assignments and 50% of their time working in the finance department. Due to the limited number of staff in the team, this has resulted in the internal auditors reviewing their own work.
Barker Co’s internal audit team follow a variety of standards, in accordance with their own professional training.
Compare and contrast the effectiveness of Murray Co and Barker Co’s internal audit functions.
Test your understanding 2
You are the senior manager in the internal audit department of Octball, a limited liability company. You report to the chief internal auditor and have a staff of six junior auditors to supervise, although the budget allows for up to ten junior staff.
In a recent meeting with the chief internal auditor, the difficulty of staff recruitment and retention was discussed. Over the past year, five junior internal audit staff have left the company, but only two have been recruited. Recruitment problems identified include the location of Octball’s head office in a small town over 150 kilometres from the nearest major city and extensive foreign travel, often to cold climates.
Together with the chief internal auditor you believe that outsourcing the internal audit department may be a way of alleviating the staffing problems. You would monitor the new outsourced department in a part-time role taking on additional responsibilities in other departments, and the chief internal auditor would accept the post of finance director (FD) on the board, replacing the retiring FD.
Two firms have been identified as being able to provide the internal audit service:
- The NFA Partnership, a large local firm specialising in the provision of accountancy and internal audit services. NFA does not audit financial statements or report to members.
- T&M, Octball’s external auditors, who have offices in 75 countries and employ in excess of 65,000 staff.
- Discuss the advantages and disadvantages of appointing NFA as internal auditors for Octball.
- Discuss the matters T&M need to consider before they could accept appointment as internal auditors for Octball.
- Assume that an outsourcing company has been chosen to provide internal audit services. Describe the control activities that Octball should apply to ensure that the internal audit service is being maintained to a high standard.
(Total: 20 marks)
Test your understanding 3
You are an audit senior working at Monkey, Mia & Co. You have been seconded to your firm’s internal audit department to broaden your experience. You have been assigned to an internal audit assignment to test the effectiveness of the computer systems at a large company. Your firm won the contract to provide internal audit services to the company after the company took the decision to outsource its internal audit function and make the existing internal audit staff redundant.
- With which of the following should the internal auditor not be involved?
A Identifying deficiencies in internal controls
B Providing recommendations to management on how to overcome the deficiencies identified
C Implementing the new controls recommended
D Evaluating the effectiveness of the new controls implemented
- Which TWO of the following statements are correct?
- Internal auditors always report directly to shareholders.
- The format of the independent external auditor’s report is determined by management.
- The internal auditor’s work may be determined by management.
- All external audits must be planned and performed in accordance with International Auditing Standards and other regulatory requirements.
- (i) and (iv)
- (i) and (iii)
- (ii) and (iii)
- (iii) and (iv)
- Which of the following is NOT part of the role of internal audit?
- Risk identification and monitoring
- Expression of opinion to the shareholders on whether the annual financial statements give a true and fair view
- Fraud investigations
- Assessing compliance with laws and regulations
- Which of the following is NOT a valid reason to outsource the internal audit function?
A The external audit will be more efficient as the external audit staff will have a good understanding of the company if they are also involved with the internal audit work
B Outsourcing may be more cost effective as compared with employing staff and providing training and other employment benefits
C A professional firm is likely to be more experienced and able to provide better recommendations for improvements
D Greater independence of an external service provider
- Identify whether the following statements are true or false
Internal audit reports must be produced in a
standardised format as set out by the financial
Internal audit reports are issued to shareholders
There is no legal requirement for companies to
have an internal audit department
The presence of an internal audit function may act
as a deterrent for fraud
Test your understanding 1
The chief internal auditor at Barker Co reports to the finance director. This limits the effectiveness of the internal audit reports as the finance director will also be responsible for some of the financial systems that the internal audit function is reporting on. Similarly, the chief internal auditor may soften or limit criticism in reports to avoid confrontation with the finance director.
To ensure independence, the chief internal auditor should report to the audit committee, as the head of internal audit at Murray Co does.
Recruitment of staff
All of the internal audit team at Barker Co are recruited by the finance director. The finance director may appoint personnel who are less likely to criticise his work. To ensure independence, the head of internal audit should be appointed by the audit committee, and they should then recruit and appoint the rest of the team, as at Murray Co.
Scope of work
The scope of work of internal audit at Barker Co is decided by the finance director in discussion with the chief internal auditor. This means that the finance director may try and influence the chief internal auditor regarding the areas that the internal audit department is auditing, possibly directing attention away from any contentious areas that the director does not want auditing.
To ensure independence, the scope of work of the internal audit department should be decided by the chief internal auditor, perhaps with the assistance of an audit committee, as at Murray Co.
The internal audit team at Barker Co review their own work. This limits independence as the auditor may overlook or fail to identify errors or deficiencies in those areas. This is a self-review threat.
If possible, the internal audit team should not have operational responsibility. However, if this is not possible, the internal audit work should be arranged so that no member of the team reviews areas where they have operational responsibility, as Murray Co does.
Lengths of service of internal audit staff
The internal audit team staff of both companies have been employed for a long time. This may limit their effectiveness as they will be very familiar with the systems being reviewed and therefore may not be sufficiently objective to identify errors in those systems.
However, there are sufficient staff at Murray Co to ensure that the team can be rotated into different areas of internal audit work, and their work can be independently reviewed. Due to the small number of staff in the internal audit team, Barker Co may not be able to achieve this.
Given the extent of limitations, it may be appropriate for Barker Co to outsource its internal audit function.
Variation of standards
Staff at Barker Co follow the auditing standards with which they are familiar. Standards of internal audit are not uniform across the profession. This could lead to inconsistency in the way each internal audit assignment is performed. This can lead to manipulation of internal audit aims and measurement. Barker Co should follow an agreed, recognised set of professional internal audit standards, such as those followed by Murray Co.
Test your understanding 2
- Benefits of outsourcing to NFA Expertise available
The NFA partnership will be able to provide the necessary expertise for internal audit work. They may be able to provide a broader range of expertise as they serve many different clients therefore staff may be available for specialist work that Octball could not afford to employ.
Obtain skills as and when required
If internal audit is only required for specific functions or particular jobs each year then the expertise can be purchased as required. Taking this approach will minimise in-house costs.
As an independent firm which does not perform the audit of the financial statements it is likely that they can provide a high level of service with appropriate objectivity. In particular, there will be no self-review threats.
Audit techniques – training
Outsourcing will remove the need for training internal staff. The outsourcing firm will be responsible for providing training for their staff and keeping them up-to-date with new auditing techniques and processes.
Continuity of service – staffing
As provision of internal audit services is the NFA partnership’s main activity, they should also be able to budget for client requirements. As a larger internal auditing firm, they may be able to offer staff better career progression which should assist staff retention.
Problems with outsourcing to NFA
NFA may experience some fee pressure, but only in respect of maintaining cost effectiveness of the internal audit department. The relationship needs to be managed carefully to ensure that NFA do not decrease the quality of their work due to insufficient fees.
The NFA partnership will not have any prior knowledge of Octball. This is a disadvantage as it will mean the partnership will need time to ascertain the accounting in Octball before commencing work. However, provision of an independent view may identify control deficiencies that the current internal audit department have missed.
The NFA partnership may not be able to provide this service to Octball as they are a local firm and therefore the issue of travel and working away from home would remain.
- Matters to be considered by T&M Independence
T&M need to ensure that independence can be maintained in a number of areas:
– Independence regarding recommending systems or preparing working papers and subsequent checking of those systems or working papers. While the internal audit department may need to carry out these functions, T&M must ensure that separate staff are used to provide the internal and external audit functions.
– Staff from T&M will be expected to follow the ethical guidance of ACCA which means that steps will be taken to avoid conflicts of interest or other independence issues such as close personal relationships building up with staff in Octball. Any real or perceived threats to independence will lower the overall trust that can be placed on the internal audit reports produced by T&M.
T&M must ensure that they have staff with the necessary skills and sufficient time to undertake the internal audit work in Octball. As a firm of auditors, T&M will automatically provide training for its staff as part of the in-house compliance with association regulations (e.g. compulsory CPD). T&M will need to ensure that staff providing the internal audit function to Octball are aware of relevant guidance for internal auditors.
There may be fee pressure on T&M, either to maintain the cost effectiveness of the internal audit department, or to maintain the competitiveness of the audit fee itself in order to keep the internal audit work.
As external auditors, T&M will already have knowledge of Octball. This will assist in establishing the internal audit department as systems documentation will already be available and the audit firm will already be aware of potential deficiencies in the control systems.
- Controls to maintain the standard of the internal audit department
– If T&M are appointed, the internal and external audits should be performed by different departments within the firm.
– Performance measures such as cost, areas reviewed, etc. should be set and reviewed. Explanations should be obtained for any significant variances.
– Appropriate audit methodology should be used, including clear documentation of audit work carried out, adequate review, and appropriate conclusions drawn.
– Working papers should be reviewed, ensuring adherence to International Standards on Auditing where appropriate and any in-house standards on auditing.
– The work plan for internal audit should be agreed prior to the work commencing and this should be followed by the outsourcing company.
Test your understanding 3
|(1)||C||Internal auditors should not implement new controls as this|
|would create a self-review threat when the controls are|
|tested at a later date.|
|(2)||D||Internal audit work may be determined by management or|
|the audit committee if there is one. External audits must be|
|conducted in accordance with ISAs.|
|(3)||B||An audit opinion presented to the shareholders must be|
|expressed by an independent external auditor.|
|(4)||A||Ethical guidance issued to external auditors requires|
|separate teams to provide internal and external services.|
|Therefore the internal audit staff assigned will not have|
|existing knowledge gained from the external audit.|
|Internal audit reports must be produced in a||ü|
|standardised format as set out by the financial|
|Internal audit reports are issued to shareholders||ü|
|There is no legal requirement for companies to||ü|
|have an internal audit department|
|The presence of an internal audit function may||ü|
|act as a deterrent for fraud|