Upload: doandien

Post on 25-Mar-2018

WHAT IS INTERNAL AUDIT?

An internal audit is an independent assurance and consulting activity designed to add value to an organisation’s operations and help it to achieve its objectives by evaluating and improving the effectiveness of risk management, control and governance.

CIMA. The future of business.

WHAT IS RISK-BASED INTERNAL AUDITING?

Risk-based internal auditing provides assurance to the board that risk management processes are operating as they should be, that management responses to risks are adequate and that controls are in place to mitigate risks. Internal audit focuses not only on financial risks, controls and reports, but also on the main business risks and the effectiveness of controls to manage them.

Transaction-based auditing refers to the checking of a sample of transactions against documentary evidence.

Systems-based audit focuses on the functioning of the control systems rather than the individual records. Weaknesses would include the fact that it is time-consuming, can have problems if the sample is biased, is based on specific transactions that may not be representative of the whole, is unable to test 'what ifs' and may not be enough if the controls are weak or where transactions are high risk.

• Major tools available to assist with a review and audit process (e.g. audit planning, documenting systems, internal control questionnaires, sampling and testing).

An Audit Framework

• Audit Planning
• Documenting System
• Audit Procedure
• Audit sampling
• Documenting the Audit Evidence

Audit Planning

ISA 300, Planning an Audit of Financial Statements. This International Standard on Auditing (ISA) deals with the auditor’s responsibility to plan an audit of financial statements. This ISA is written in the context of recurring audits. Additional considerations in an initial audit engagement are separately identified.

Planning an audit involves establishing the overall audit strategy for the engagement and developing an audit plan. Adequate planning benefits the audit of financial statements in several ways, including the following:

• Helping the auditor to devote appropriate attention to important areas of the audit.
• Helping the auditor identify and resolve potential problems on a timely basis.
• Helping the auditor properly organize and manage the audit engagement so that it is performed in an effective and efficient manner.
• Assisting in the selection of engagement team members with appropriate levels of capabilities and competence to respond to anticipated risks, and the proper assignment of work to them.
• Facilitating the direction and supervision of engagement team members and the review of their work.
• Assisting, where applicable, in coordination of work done by auditors of components and experts.

The objective of the auditor is to plan the audit so that it will be performed in an effective manner.

The audit plan is more detailed than the overall audit strategy in that it includes the nature, timing and extent of audit procedures to be performed by engagement team members. Planning for these audit procedures takes place over the course of the audit as the audit plan for the engagement develops.

For example, planning of the auditor’s risk assessment procedures occurs early in the audit process. However, planning the nature, timing and extent of specific further audit procedures depends on the outcome of those risk assessment procedures. In addition, the auditor may begin the execution of further audit procedures for some classes of transactions, account balances and disclosures before planning all remaining further audit procedures.

Documenting Systems

Audit evidence is necessary to support the auditor’s opinion and report. Most of the auditor’s work in forming the auditor’s opinion consists of obtaining and evaluating audit evidence.

It is cumulative in nature and is primarily obtained from audit procedures performed during the course of the audit. It may, however, also include information obtained from other sources such as previous audits (provided the auditor has determined whether changes have occurred since the previous audit that may affect its relevance to the current audit) or a firm’s quality control procedures for client acceptance and continuance.

In addition to other sources inside and outside the entity, the entity’s accounting records are an important source of audit evidence. Information that may be used as audit evidence may have been prepared using the work of a management’s expert.

Audit evidence comprises both information that supports and corroborates management’s assertions, and any information that contradicts such assertions. In addition, in some cases the absence of information (for example, management’s refusal to provide a requested representation) is used by the auditor, and therefore, also constitutes audit evidence.

Audit Procedures

Audit Procedures for Obtaining Audit Evidence

Audit evidence to draw reasonable conclusions on which to base the auditor’s opinion is obtained by performing:
(a) Risk assessment procedures; and
(b) Further audit procedures, which comprise:
(i) Tests of controls, when required by the ISAs or when the auditor has chosen to do so; and
(ii) Substantive procedures, including tests of details and substantive analytical procedures.

The audit procedures applied may be used as risk assessment procedures, tests of controls or substantive procedures, depending on the context in which they are applied by the auditor.

As explained in ISA 330, audit evidence obtained from previous audits may, in certain circumstances, provide appropriate audit evidence where the auditor performs audit procedures to establish its continuing relevance.

The nature and timing of the audit procedures to be used may be affected by the fact that some of the accounting data and other information may be available only in electronic form or only at certain points or periods in time.

Audit procedures to obtain audit evidence can include: 1. inspection, 2. observation, 3. confirmation, 4. recalculation, 5. reperformance and 6. analytical procedures, often in some combination, in addition to inquiry.

Audit sampling

Audit sampling is designed to enable conclusions to be drawn about an entire population on the basis of testing a sample drawn from it. Audit sampling enables the auditor to obtain and evaluate audit evidence about some characteristic of the items selected in order to form or assist in forming a conclusion concerning the population from which the sample is drawn.

Audit sampling can be applied using either non-statistical or statistical sampling approaches. When designing an audit sample, the auditor’s consideration includes the specific purpose to be achieved and the combination of audit procedures that is likely to best achieve that purpose.

Documenting the Audit Evidence

Audit documentation may be recorded on paper or on electronic or other media. Examples of audit documentation include:
• Audit programs.
• Analyses.
• Issues memoranda.
• Summaries of significant matters.
• Letters of confirmation and representation.
• Checklists.
• Correspondence (including e-mail) concerning significant matters.

The auditor may include abstracts or copies of the entity’s records (for example, significant and specific contracts and agreements) as part of audit documentation. Audit documentation, however, is not a substitute for the entity’s accounting records.

The auditor need not include in audit documentation superseded drafts of working papers and financial statements, notes that reflect incomplete or preliminary thinking, previous copies of documents corrected for typographical or other errors, and duplicates of documents.

Oral explanations by the auditor, on their own, do not represent adequate support for the work the auditor performed or conclusions the auditor reached, but may be used to explain or clarify information contained in the audit documentation.

• Role of the internal auditor and relationship of the internal audit to the external audit.

WHAT DO EXTERNAL AUDITORS DO?

The main function of the external auditors is to form an opinion on a company’s financial statements, focusing particularly on whether they give a true and fair view of the affairs of the business and have been properly prepared in accordance with the Companies Act.

Describe the different roles of the internal and external auditors

External auditor reports to management deal in substance with, inter alia, issues relating to the design and implementation of internal controls that have come to the external auditors’ attention during the course of the statutory audit. They generally deal with weaknesses in systems, the potential consequences and provide recommendations to management. Whilst internal audit reports may appear to be similar, they are different in substance.

Internal audit engagements are usually undertaken as part of a pre-planned program of work with a variety of objectives as part of an entity’s overall corporate governance arrangements. These objectives can relate to the risks faced by the business, internally and externally, and / or they can deal with the enhancement of performance.

Internal audit reports are different to statutory auditors’ reports produced by external auditors because statutory reports are governed by legislation and either national auditing standards, or International Standards on Auditing.

Statutory auditors’ reports are highly codified, and usually fairly brief by comparison with internal audit reports, and they are often available for public inspection.

Statutory auditors’ reports are produced for the benefit of shareholders and other stakeholders whereas internal audit reports are produced for the benefit of management; they are generally private documents and are not normally available for public inspection.

On the other hand, internal audit reports are similar, in some respects, to reports to management on the design and implementation of controls provided by external auditors to management during the course of, and at the end of, statutory audits.

The method of production of such reports is similar, for example. Both internal and external auditors draft these sorts of reports on the basis of the findings of their work and there will usually be a split between significant and insignificant matters, and a summary or overall evaluation of the more important matters.

Draft reports will often be discussed with management to confirm the findings and to establish management’s likely response. Responses are often incorporated into the report. Reports will often be redrafted several times, particularly in large organisations, after which the report will be issued. If management have not commented at an earlier stage, a formal response may be expected later.

It is normal to follow up on recommendations or agreed action points in order to establish how the issues have been dealt with.

When an organization creates corporate objectives and goals, it must follow the appropriate procedures to make sure those goals are reached. Internal auditors review operations closely, confirming that the correct protocol is being followed and the goals are being met. This is vital to the organization’s health and well-being.

The internal auditors must
• be well versed in the objectives of their organization
• have the ability to examine
• analyze to make sure operations are effective
• report their findings and
• recommend appropriate courses of action.

(They may also have to establish criteria, based on their objective opinion, for meeting their organization’s goals.)

Competent professional internal auditors accurately interpret facts and figures of the organizational process quickly and strive for continuous improvement. Through a strong commitment to the organization’s corporate values and goals, their understanding of the “big picture” plays a crucial role in the overall success of the organization.

Risk assessment, as defined, is a systematic process for assessing and integrating professional judgments about probable adverse conditions or events. Risk impacts an organization’s ability to compete and to maintain its financial strength and the quality of its products and services. It’s the internal auditor’s job to identify all auditable activities and relevant risk factors and to assess their significance.

The polished skills internal auditors possess assist them in accurately identifying the risks an organization faces, putting a relative value on each, and keeping the lines of communication open in the process. This not only fosters a close and invaluable relationship with management but also enables the auditor to anticipate emerging issues and opportunities.

Changing trends impact the way an internal auditor assesses risk. Today’s internal auditing has changed from a reactive, control-based form to one that is risk-based and proactive.

This means that greater emphasis is placed on the internal auditor’s role in mitigating risk.

Source: Risk and management accounting: best practice guidelines for enterprise-wide internal control procedures. Paul M Collier, Anthony J Berry & Gary T Burke, Aston Business School

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

• The principles of good corporate governance for listed companies, for the review of the internal control system and reporting on compliance.

REVIEWING COMPLIANCE

Compliance – conformity to fulfill obligations in the audit world – ensures that organizations adhere to rules and regulations. When those in an organization ignore guidelines, the structure can crumble. Part of an internal auditor’s job is to review compliance and ensure that the structure stays solid.

Management’s role is to implement policies and maintain extensive knowledge of the compliance requirements of all applicable laws, regulations, and contracts.

The internal auditors provide a valuable service to management and the Board by staying fully educated about the intricacies of, implementation strategies for, and compliance with all current regulations and such legislation as the Sarbanes-Oxley Act.

In reviewing compliance, the realm of responsibility over which internal auditors preside is large. Specifically, internal auditors are responsible for reviewing objectives, providing insight into the impact that noncompliance would have on an organization, and informing senior management of indications of significant noncompliance. In short, they make sure the base structure of an organization is strong so that it can hold steady during potentially turbulent times.

Compliance issues are always changing. As organizations alter policies, internal auditors have to be prepared to deal with the onset of new challenges. They not only need to identify areas that do not comply with policies and guidelines but also see that objectives set by management adhere to the organization’s overall mission, culture, and climate.

Whether determining if an organization fulfills its legal and ethical obligations or its members comply with the proper guidelines, internal auditors’ areas of expertise are constantly growing. By ensuring that an organization’s structure is strong and can withstand the tests of negative weathering from outside and inside, it is the internal auditors who help senior management sleep well at night.
